Support priority keyword, add priority to alert-fastlog.

src/Makefile.am

@@ -33,6 +33,7 @@ detect-within.c detect-within.h \
 detect-distance.c detect-distance.h \
 detect-offset.c detect-offset.h \
 detect-sid.c detect-sid.h \
+detect-priority.c detect-priority.h \
 detect-rev.c detect-rev.h \
 detect-classtype.c detect-classtype.h \
 detect-reference.c detect-reference.h \

src/alert-fastlog.c

@@ -8,7 +8,6 @@
  * TODO
  * - Print the protocol as a string
  * - Support classifications
- * - Support priorities
  * - Support more than just IPv4/IPv4 TCP/UDP.
  * - Print [drop] as well if appropriate
  */
@@ -97,8 +96,8 @@ int AlertFastlogIPv4(ThreadVars *tv, Packet *p, void *data)
         inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
         inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
 
-        fprintf(aft->fp, "%s  [**] [%u:%u:%u] %s [**] [Classification: fixme] [Priority: 1] {%u} %s:%u -> %s:%u\n",
-            timebuf, pa->gid, pa->sid, pa->rev, pa->msg, IPV4_GET_IPPROTO(p), srcip, p->sp, dstip, p->dp);
+        fprintf(aft->fp, "%s  [**] [%u:%u:%u] %s [**] [Classification: fixme] [Priority: %u] {%u} %s:%u -> %s:%u\n",
+            timebuf, pa->gid, pa->sid, pa->rev, pa->msg, pa->prio, IPV4_GET_IPPROTO(p), srcip, p->sp, dstip, p->dp);
         fflush(aft->fp);
     }
     return 0;
@@ -122,8 +121,8 @@ int AlertFastlogIPv6(ThreadVars *tv, Packet *p, void *data)
         inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
         inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
 
-        fprintf(aft->fp, "%s  [**] [%u:%u:%u] %s [**] [Classification: fixme] [Priority: 1] {%u} %s:%u -> %s:%u\n",
-            timebuf, pa->gid, pa->sid, pa->rev, pa->msg, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
+        fprintf(aft->fp, "%s  [**] [%u:%u:%u] %s [**] [Classification: fixme] [Priority: %u] {%u} %s:%u -> %s:%u\n",
+            timebuf, pa->gid, pa->sid, pa->rev, pa->msg, pa->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
         fflush(aft->fp);
     }
 

src/detect-priority.c

@@ -0,0 +1,34 @@
+/* PRIORITY part of the detection engine. */
+
+#include "decode.h"
+#include "detect.h"
+#include "flow-var.h"
+
+int DetectPrioritySetup (Signature *s, SigMatch *m, char *sidstr);
+
+void DetectPriorityRegister (void) {
+    sigmatch_table[DETECT_PRIORITY].name = "priority";
+    sigmatch_table[DETECT_PRIORITY].Match = NULL;
+    sigmatch_table[DETECT_PRIORITY].Setup = DetectPrioritySetup;
+    sigmatch_table[DETECT_PRIORITY].Free = NULL;
+    sigmatch_table[DETECT_PRIORITY].RegisterTests = NULL;
+}
+
+int DetectPrioritySetup (Signature *s, SigMatch *m, char *rawstr)
+{
+    char *str = rawstr;
+    char dubbed = 0;
+
+    /* strip "'s */
+    if (rawstr[0] == '\"' && rawstr[strlen(rawstr)-1] == '\"') {
+        str = strdup(rawstr+1);
+        str[strlen(rawstr)-2] = '\0';
+        dubbed = 1;
+    }
+
+    s->prio = (u_int32_t)atoi(str);
+
+    if (dubbed) free(str);
+    return 0;
+}
+

src/detect-priority.h

@@ -0,0 +1,8 @@
+#ifndef __DETECT_PRIORITY_H__
+#define __DETECT_PRIORITY_H__
+
+/* prototypes */
+void DetectPriorityRegister (void);
+
+#endif /* __DETECT_PRIORITY_H__ */
+

src/detect.c

@@ -22,6 +22,7 @@
 #include "detect-distance.h"
 #include "detect-offset.h"
 #include "detect-sid.h"
+#include "detect-priority.h"
 #include "detect-classtype.h"
 #include "detect-reference.h"
 #include "detect-threshold.h"
@@ -207,13 +208,14 @@ int PacketAlertCheck(Packet *p, u_int32_t sid)
     return match;
 }
 
-int PacketAlertAppend(Packet *p, u_int8_t gid, u_int32_t sid, u_int8_t rev, char *msg)
+int PacketAlertAppend(Packet *p, u_int8_t gid, u_int32_t sid, u_int8_t rev, u_int8_t prio, char *msg)
 {
     /* XXX overflow check? */
 
     p->alerts.alerts[p->alerts.cnt].gid = gid;
     p->alerts.alerts[p->alerts.cnt].sid = sid;
     p->alerts.alerts[p->alerts.cnt].rev = rev;
+    p->alerts.alerts[p->alerts.cnt].prio = prio;
     p->alerts.alerts[p->alerts.cnt].msg = msg;
     p->alerts.cnt++;
 
@@ -278,7 +280,7 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p)
                         if (sm == NULL) {
                             /* only add once */
                             if (rmatch == 0) {
-                                PacketAlertAppend(p, 1, s->id, s->rev, s->msg);
+                                PacketAlertAppend(p, 1, s->id, s->rev, s->prio, s->msg);
 
                                 /* set verdict on packet */
                                 p->action = s->action;
@@ -310,7 +312,7 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p)
                         //printf("Signature %u matched: %s\n", s->id, s->msg ? s->msg : "");
                         fmatch = 1;
 
-                        PacketAlertAppend(p, 1, s->id, s->rev, s->msg);
+                        PacketAlertAppend(p, 1, s->id, s->rev, s->prio, s->msg);
 
                         /* set verdict on packet */
                         p->action = s->action;
@@ -1325,6 +1327,7 @@ void SigTableSetup(void) {
     memset(sigmatch_table, 0, sizeof(sigmatch_table));
 
     DetectSidRegister();
+    DetectPriorityRegister();
     DetectRevRegister();
     DetectClasstypeRegister();
     DetectReferenceRegister();

src/detect.h

@@ -39,6 +39,7 @@ typedef Address SigAddress;
 typedef struct _Signature {
     u_int32_t id;
     u_int8_t rev;
+    u_int8_t prio;
     char *msg;
     u_int8_t flags;
     u_int8_t action; 
@@ -129,6 +130,7 @@ void SigTableSetup(void);
 
 enum {
     DETECT_SID,
+    DETECT_PRIORITY,
     DETECT_REV,
     DETECT_CLASSTYPE,
     DETECT_THRESHOLD,