Add noalert keyword for use with sigs that are used for capturing only.

src/Makefile.am

@@ -42,6 +42,7 @@ detect-metadata.c detect-metadata.h \
 detect-msg.c detect-msg.h \
 detect-flow.c detect-flow.h \
 detect-dsize.c detect-dsize.h \
+detect-noalert.c detect-noalert.h \
 detect-address.c detect-address.h \
 detect-address-ipv4.c detect-address-ipv4.h \
 detect-address-ipv6.c detect-address-ipv6.h \

src/detect-noalert.c

@@ -0,0 +1,31 @@
+/* NOALERT part of the detection engine. */
+
+#include "decode.h"
+#include "detect.h"
+#include "flow-var.h"
+
+#include <pcre.h>
+
+int DetectNoalertSetup (Signature *, SigMatch *, char *);
+
+void DetectNoalertRegister (void) {
+    sigmatch_table[DETECT_NOALERT].name = "noalert";
+    sigmatch_table[DETECT_NOALERT].Match = NULL;
+    sigmatch_table[DETECT_NOALERT].Setup = DetectNoalertSetup;
+    sigmatch_table[DETECT_NOALERT].Free  = NULL;
+    sigmatch_table[DETECT_NOALERT].RegisterTests = NULL;
+
+    sigmatch_table[DETECT_NOALERT].flags |= SIGMATCH_NOOPT;
+}
+
+int DetectNoalertSetup (Signature *s, SigMatch *m, char *nullstr)
+{
+    if (nullstr != NULL) {
+        printf("DetectNoalertSetup: nocase has no value\n");
+        return -1;
+    }
+
+    s->flags |= SIG_FLAG_NOALERT;
+    return 0;
+}
+

src/detect-noalert.h

@@ -0,0 +1,8 @@
+#ifndef __DETECT_NOALERT_H__
+#define __DETECT_NOALERT_H__
+
+/* prototypes */
+void DetectNoalertRegister (void);
+
+#endif /* __DETECT_NOALERT_H__ */
+

src/detect-parse.c

@@ -215,7 +215,8 @@ int SigParseAddress(Signature *s, const char *addrstr, char flag) {
     char *addr = NULL;
 
     if (strcmp(addrstr,"$HOME_NET") == 0) {
-        addr = "192.168.0.0/16";
+        addr = "10.8.0.0/24";
+        //addr = "192.168.0.0/16";
     } else if (strcmp(addrstr,"$EXTERNAL_NET") == 0) {
         addr = "!192.168.0.0/16";
     } else if (strcmp(addrstr,"$HTTP_SERVERS") == 0) {

src/detect.c

@@ -32,6 +32,7 @@
 #include "detect-flow.h"
 #include "detect-dsize.h"
 #include "detect-flowvar.h"
+#include "detect-noalert.h"
 
 #include "action-globals.h"
 #include "detect-mpm.h"
@@ -62,7 +63,7 @@ void SigLoadSignatures (void)
 {
     Signature *prevsig = NULL, *sig;
 
-    sig = SigInit("alert tcp any any -> any any (msg:\"HTTP URI cap\"; flow:to_server; content:\"GET \"; depth:4; pcre:\"/^GET (?P<http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; depth:400; sid:1;)");
+    sig = SigInit("alert tcp any any -> any any (msg:\"HTTP URI cap\"; flow:to_server; content:\"GET \"; depth:4; pcre:\"/^GET (?P<http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; depth:400; noalert; sid:1;)");
     if (sig) {
         prevsig = sig;
         sig_list = sig;
@@ -163,7 +164,7 @@ void SigLoadSignatures (void)
     //FILE *fp = fopen("/home/victor/rules/vips-http.sigs", "r");
     //FILE *fp = fopen("/home/victor/rules/vips-all.sigs", "r");
     //FILE *fp = fopen("/home/victor/rules/all.rules", "r");
-    //FILE *fp = fopen("/home/victor/rules/eml.rules", "r");
+    //FILE *fp = fopen("/etc/vips/rules/zango.rules", "r");
     //FILE *fp = fopen("/home/victor/rules/vips-vrt-all.sigs", "r");
     if (fp == NULL) {
         printf("ERROR, could not open sigs file\n");
@@ -278,12 +279,14 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p)
 
                         /* only if the last matched as well, we have a hit */
                         if (sm == NULL) {
-                            /* only add once */
+                            if (!(s->flags & SIG_FLAG_NOALERT)) {
-                            if (rmatch == 0) {
+                                /* only add once */
-                                PacketAlertAppend(p, 1, s->id, s->rev, s->prio, s->msg);
+                                if (rmatch == 0) {
+                                    PacketAlertAppend(p, 1, s->id, s->rev, s->prio, s->msg);
 
-                                /* set verdict on packet */
+                                    /* set verdict on packet */
-                                p->action = s->action;
+                                    p->action = s->action;
+                                }
                             }
                             rmatch = fmatch = 1;
                             pmt->pkt_cnt++;
@@ -312,10 +315,12 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p)
                         //printf("Signature %u matched: %s\n", s->id, s->msg ? s->msg : "");
                         fmatch = 1;
 
-                        PacketAlertAppend(p, 1, s->id, s->rev, s->prio, s->msg);
+                        if (!(s->flags & SIG_FLAG_NOALERT)) {
+                            PacketAlertAppend(p, 1, s->id, s->rev, s->prio, s->msg);
 
-                        /* set verdict on packet */
+                            /* set verdict on packet */
-                        p->action = s->action;
+                            p->action = s->action;
+                        }
                     }
                 } else {
                     /* done with this sig */
@@ -1348,6 +1353,7 @@ void SigTableSetup(void) {
     DetectDsizeRegister();
     DetectFlowvarRegister();
     DetectAddressRegister();
+    DetectNoalertRegister();
 
     u_int8_t i = 0;
     for (i = 0; i < DETECT_TBLSIZE; i++) {

src/detect.h

@@ -6,6 +6,7 @@
 #define SIG_FLAG_RECURSIVE 0x01
 #define SIG_FLAG_SP_ANY    0x02
 #define SIG_FLAG_DP_ANY    0x04
+#define SIG_FLAG_NOALERT   0x08
 
 typedef struct _PatternMatcherThread {
     /* detection engine variables */
@@ -151,6 +152,7 @@ enum {
     DETECT_DSIZE,
     DETECT_FLOWVAR,
     DETECT_ADDRESS,
+    DETECT_NOALERT,
 
     /* make sure this stays last */
     DETECT_TBLSIZE,