suricata
detect-engine-alert.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2026 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 #include "suricata.h"
20 
21 #include "detect.h"
22 #include "detect-parse.h"
23 #include "detect-engine-alert.h"
25 #include "detect-engine-tag.h"
26 
27 #include "decode.h"
28 #include "packet.h"
29 
30 #include "flow.h"
31 #include "flow-private.h"
32 
33 #ifdef QA_SIMULATION
34 #include "util-exception-policy.h"
35 #endif
36 
37 #include "util-profiling.h"
38 #include "util-validate.h"
39 
40 #include "action-globals.h"
41 #include "capture-hooks.h"
42 
43 /** tag signature we use for tag alerts */
44 static Signature g_tag_signature;
45 /** tag packet alert structure for tag alerts */
46 static PacketAlert g_tag_pa;
47 
49 {
50  memset(&g_tag_signature, 0x00, sizeof(g_tag_signature));
51 
52  g_tag_signature.id = TAG_SIG_ID;
53  g_tag_signature.gid = TAG_SIG_GEN;
54  g_tag_signature.iid = TAG_SIG_ID;
55  g_tag_signature.rev = 1;
56  g_tag_signature.prio = 2;
57 
58  memset(&g_tag_pa, 0x00, sizeof(g_tag_pa));
59 
60  g_tag_pa.action = ACTION_ALERT;
61  g_tag_pa.s = &g_tag_signature;
62 }
63 
64 /**
65  * \brief Handle a packet and check if needs a threshold logic
66  * Also apply rule action if necessary.
67  *
68  * \param de_ctx Detection Context
69  * \param sig Signature pointer
70  * \param p Packet structure
71  *
72  * \retval 1 alert is not suppressed
73  * \retval 0 alert is suppressed
74  */
75 static int PacketAlertHandle(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
76  const Signature *s, Packet *p, PacketAlert *pa)
77 {
78  SCEnter();
79  int ret = 1;
80  const DetectThresholdData *td = NULL;
81  const SigMatchData *smd;
82 
83  if (!(PacketIsIPv4(p) || PacketIsIPv6(p))) {
84  SCReturnInt(1);
85  }
86 
87  /* handle suppressions first */
88  if (s->sm_arrays[DETECT_SM_LIST_SUPPRESS] != NULL) {
90  smd = NULL;
91  do {
93  if (td != NULL) {
94  SCLogDebug("td %p", td);
95 
96  /* PacketAlertThreshold returns 2 if the alert is suppressed but
97  * we do need to apply rule actions to the packet. */
99  ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s, pa);
100  if (ret == 0 || ret == 2) {
102  /* It doesn't match threshold, remove it */
103  SCReturnInt(ret);
104  }
106  }
107  } while (smd != NULL);
108  }
109 
110  /* if we're still here, consider thresholding */
111  if (s->sm_arrays[DETECT_SM_LIST_THRESHOLD] != NULL) {
113  smd = NULL;
114  do {
116  if (td != NULL) {
117  SCLogDebug("td %p", td);
118 
119  /* PacketAlertThreshold returns 2 if the alert is suppressed but
120  * we do need to apply rule actions to the packet. */
122  ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s, pa);
123  if (ret == 0 || ret == 2) {
125  /* It doesn't match threshold, remove it */
126  SCReturnInt(ret);
127  }
129  }
130  } while (smd != NULL);
131  }
132  SCReturnInt(1);
133 }
134 
135 #ifdef UNITTESTS
136 /**
137  * \brief Check if a certain sid alerted, this is used in the test functions
138  *
139  * \param p Packet on which we want to check if the signature alerted or not
140  * \param sid Signature id of the signature that has to be checked for a match
141  *
142  * \retval match A value > 0 on a match; 0 on no match
143  */
144 int PacketAlertCheck(Packet *p, uint32_t sid)
145 {
146  int match = 0;
147 
148  for (uint16_t i = 0; i < p->alerts.cnt; i++) {
149  BUG_ON(p->alerts.alerts[i].s == NULL);
150  if (p->alerts.alerts[i].s->id == sid)
151  match++;
152  }
153 
154  return match;
155 }
156 #endif
157 
158 static inline void RuleActionToFlow(const uint8_t action, Flow *f, const bool fw_rule)
159 {
160  if (action & ACTION_ACCEPT) {
161  DEBUG_VALIDATE_BUG_ON(!fw_rule);
163  SCLogDebug("setting flow action accept");
164  }
165 
166  /* pass:flow can be set if accept:flow is present */
167  if (action & ACTION_PASS) {
168  if (f->flags & (FLOW_ACTION_DROP | FLOW_ACTION_PASS)) {
169  /* drop or pass already set. First to set wins. */
170  SCLogDebug("not setting %s flow already set to %s",
171  (action & ACTION_PASS) ? "pass" : "drop",
172  (f->flags & FLOW_ACTION_DROP) ? "drop" : "pass");
173  } else {
174  f->flags |= FLOW_ACTION_PASS;
175  SCLogDebug("setting flow action pass");
176  }
177 
178  // TODO firewall drop:flow should override FLOW_ACTION_PASS
179  } else if (action & (ACTION_DROP | ACTION_REJECT_ANY)) {
180  /* drop:flow from TD rules will override a accept:flow from
181  * firewall rules. */
182  if (f->flags & FLOW_ACTION_ACCEPT) {
184  f->flags |= FLOW_ACTION_DROP;
185  if (fw_rule)
187  SCLogDebug("replaced FLOW_ACTION_ACCEPT with FLOW_ACTION_DROP");
188  }
189  if (f->flags & (FLOW_ACTION_DROP | FLOW_ACTION_PASS)) {
190  /* drop or pass already set. First to set wins. */
191  SCLogDebug("not setting %s flow already set to %s",
192  (action & ACTION_PASS) ? "pass" : "drop",
193  (f->flags & FLOW_ACTION_DROP) ? "drop" : "pass");
194  } else {
195  f->flags |= FLOW_ACTION_DROP;
196  SCLogDebug("setting flow action drop");
197  }
198  }
199 
200  if (fw_rule) {
202  }
203 }
204 
205 /** \brief Apply action(s) and Set 'drop' sig info,
206  * if applicable
207  * \param p packet
208  * \param s signature -- for id, sig pointer, not actions
209  * \param pa packet alert struct -- match, including actions after thresholding (rate_filter) */
210 static void PacketApplySignatureActions(Packet *p, const Signature *s, const PacketAlert *pa)
211 {
212  SCLogDebug("packet %" PRIu64 ", sid %u: action %02x alert_flags %02x", PcapPacketCntGet(p),
213  s->id, pa->action, pa->flags);
214 
215  const bool is_fw_rule = s->flags & SIG_FLAG_FIREWALL ? true : false;
216  /* REJECT also sets ACTION_DROP, just make it more visible with this check */
217  if (pa->action & ACTION_DROP_REJECT) {
218  uint8_t drop_reason = is_fw_rule ? PKT_DROP_REASON_FW_RULES : PKT_DROP_REASON_RULES;
219  if (is_fw_rule) {
222  } else if (s->detect_table == DETECT_TABLE_PACKET_PRE_FLOW) {
223  drop_reason = PKT_DROP_REASON_FW_FLOW_PRE_HOOK;
224  }
225  }
226  /* PacketDrop will update the packet action, too */
227  PacketDrop(p, pa->action,
230  : drop_reason);
231  SCLogDebug("[packet %p][DROP sid %u]", p, s->id);
232 
233  if (p->alerts.drop.action == 0) {
234  p->alerts.drop.iid = s->iid;
235  p->alerts.drop.action = pa->action;
236  p->alerts.drop.s = (Signature *)s;
237  }
238  if ((p->flow != NULL) && (pa->flags & PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW)) {
239  RuleActionToFlow(pa->action, p->flow, is_fw_rule);
240  }
241 
243  } else {
244  if (pa->action & ACTION_ACCEPT) {
245  const enum ActionScope as = pa->s->action_scope;
246  SCLogDebug("packet %" PRIu64 ": ACCEPT %u as:%u flags:%02x", PcapPacketCntGet(p), s->id,
247  as, pa->flags);
248  if (as == ACTION_SCOPE_PACKET || as == ACTION_SCOPE_FLOW ||
250  SCLogDebug("packet %" PRIu64 ": sid:%u ACCEPT", PcapPacketCntGet(p), s->id);
251  p->action |= ACTION_ACCEPT;
252  }
253  } else if (pa->action & (ACTION_ALERT | ACTION_CONFIG)) {
254  // nothing to set in the packet
255  } else if (pa->action & ACTION_PASS) {
256  SCLogDebug("[packet %p][PASS sid %u]", p, s->id);
257  // nothing to set in the packet
258  } else if (pa->action != 0) {
259  DEBUG_VALIDATE_BUG_ON(1); // should be unreachable
260  }
261 
262  if ((pa->action & (ACTION_PASS | ACTION_ACCEPT)) && (p->flow != NULL) &&
264  RuleActionToFlow(pa->action, p->flow, is_fw_rule);
265  }
266  }
267 }
268 
270 {
271  det_ctx->alert_queue_size = 0;
272  det_ctx->alert_queue = SCCalloc(packet_alert_max, sizeof(PacketAlert));
273  if (det_ctx->alert_queue == NULL) {
274  FatalError("failed to allocate %" PRIu64 " bytes for the alert queue",
275  (uint64_t)(packet_alert_max * sizeof(PacketAlert)));
276  }
278  SCLogDebug("alert queue initialized to %u elements (%" PRIu64 " bytes)", packet_alert_max,
279  (uint64_t)(packet_alert_max * sizeof(PacketAlert)));
280 }
281 
283 {
284  SCFree(det_ctx->alert_queue);
285  det_ctx->alert_queue_capacity = 0;
286 }
287 
288 static inline uint16_t AlertQueueExpandDo(DetectEngineThreadCtx *det_ctx, uint16_t new_cap)
289 {
290  DEBUG_VALIDATE_BUG_ON(det_ctx->alert_queue_capacity >= new_cap);
291 
292  void *tmp_queue = SCRealloc(det_ctx->alert_queue, new_cap * sizeof(PacketAlert));
293  if (unlikely(tmp_queue == NULL)) {
294  /* queue capacity didn't change */
295  return det_ctx->alert_queue_capacity;
296  }
297  det_ctx->alert_queue = tmp_queue;
298  det_ctx->alert_queue_capacity = new_cap;
299  SCLogDebug("Alert queue size expanded: %u elements, bytes: %" PRIuMAX "",
300  det_ctx->alert_queue_capacity, (uintmax_t)(new_cap * sizeof(PacketAlert)));
301  return new_cap;
302 }
303 
304 /** \internal
305  * \retval the new capacity
306  */
307 static uint16_t AlertQueueExpand(DetectEngineThreadCtx *det_ctx)
308 {
309 #ifdef QA_SIMULATION
310  if (unlikely(g_eps_is_alert_queue_fail_mode))
311  return det_ctx->alert_queue_capacity;
312 #endif
313  if (det_ctx->alert_queue_capacity == UINT16_MAX) {
314  return det_ctx->alert_queue_capacity;
315  }
316 
317  uint16_t new_cap;
318  if (det_ctx->alert_queue_capacity > (UINT16_MAX / 2)) {
319  new_cap = UINT16_MAX;
320  } else {
321  new_cap = det_ctx->alert_queue_capacity * 2;
322  }
323  return AlertQueueExpandDo(det_ctx, new_cap);
324 }
325 
326 static inline int PacketAlertSetContext(
327  DetectEngineThreadCtx *det_ctx, PacketAlert *pa, const Signature *s)
328 {
329  pa->json_info = NULL;
330  if (det_ctx->json_content_len) {
331  /* We have some JSON attached in the current detection so let's try
332  to see if some need to be used for current signature. */
333  struct PacketContextData *current_json = NULL;
334  for (uint8_t i = 0; i < det_ctx->json_content_len; i++) {
335  if (s == det_ctx->json_content[i].id) {
336  SCLogDebug("signature %p, content index %u", s, i);
337  if (current_json == NULL) {
338  /* Allocate the first one */
339  current_json = SCCalloc(1, sizeof(struct PacketContextData));
340  if (current_json == NULL) {
341  /* Allocation error, let's return now */
342  return -1;
343  }
344  if (pa->json_info == NULL) {
345  /* If this is the first one, set it */
346  pa->json_info = current_json;
347  }
348  current_json->next = NULL;
349  } else {
350  /* Allocate the next one */
351  struct PacketContextData *next_json =
352  SCCalloc(1, sizeof(struct PacketContextData));
353  if (next_json) {
354  current_json->next = next_json;
355  current_json = next_json;
356  current_json->next = NULL;
357  } else {
358  /* Allocation error, let's return now */
359  return -1;
360  }
361  }
362  current_json->json_string = SCStrdup(det_ctx->json_content[i].json_content);
363  if (current_json->json_string == NULL) {
364  return -1;
365  }
366  SCLogDebug("json content %u, value '%s' (%p)", (unsigned int)i,
367  current_json->json_string, s);
368  }
369  }
370  }
371 
372  return 0;
373 }
374 
375 /** \internal
376  */
377 static inline PacketAlert PacketAlertSet(
378  DetectEngineThreadCtx *det_ctx, const Signature *s, uint64_t tx_id, uint8_t alert_flags)
379 {
380  PacketAlert pa;
381  pa.iid = s->iid;
382  pa.action = s->action;
383  pa.s = (Signature *)s;
384  pa.flags = alert_flags;
385  /* Set tx_id if the frame has it */
386  pa.tx_id = tx_id;
387  pa.frame_id = (alert_flags & PACKET_ALERT_FLAG_FRAME) ? det_ctx->frame_id : 0;
388  PacketAlertSetContext(det_ctx, &pa, s);
389  return pa;
390 }
391 
392 /**
393  * \brief Append signature to local packet alert queue for later preprocessing
394  */
395 static void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p,
396  uint64_t tx_id, uint8_t alert_flags)
397 {
398  /* first time we see a drop action signature, set that in the packet */
399  /* we do that even before inserting into the queue, so we save it even if appending fails */
400  if (p->alerts.drop.action == 0 && s->action & ACTION_DROP) {
401  p->alerts.drop = PacketAlertSet(det_ctx, s, tx_id, alert_flags);
402  SCLogDebug("sid %u: set PacketAlert drop action. s->iid %" PRIu32 "", s->id, s->iid);
403  }
404 
405  uint16_t pos = det_ctx->alert_queue_size;
406  if (pos == det_ctx->alert_queue_capacity) {
407  /* we must grow the alert queue */
408  if (pos == AlertQueueExpand(det_ctx)) {
409  /* this means we failed to expand the queue */
410  p->alerts.discarded++;
411  return;
412  }
413  }
414  det_ctx->alert_queue[pos] = PacketAlertSet(det_ctx, s, tx_id, alert_flags);
415 
416  SCLogDebug("packet %" PRIu64 ": appending sid %" PRIu32 ", s->iid %" PRIu32 " to alert queue",
417  PcapPacketCntGet(p), s->id, s->iid);
418  det_ctx->alert_queue_size++;
419 }
420 
421 /**
422  * \brief Append signature to local packet alert queue for later preprocessing
423  */
425  uint64_t tx_id, uint8_t alert_flags)
426 {
428  return AlertQueueAppend(det_ctx, s, p, tx_id, alert_flags);
429 }
430 
431 /**
432  * \brief Append signature to local packet alert queue for later preprocessing
433  * This does not automatically set PACKET_ALERT_FLAG_STATE_MATCH as this
434  * comes from the packet alert path.
435  */
437  uint64_t tx_id, uint8_t alert_flags)
438 {
439  alert_flags |= PACKET_ALERT_FLAG_TX;
440  return AlertQueueAppend(det_ctx, s, p, tx_id, alert_flags);
441 }
442 
443 /**
444  * \brief Append signature to local packet alert queue for later preprocessing
445  */
447  DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint8_t alert_flags)
448 {
449  return AlertQueueAppend(det_ctx, s, p, PACKET_ALERT_NOTX, alert_flags);
450 }
451 
452 /** \internal
453  * \brief sort helper for sorting alerts by priority
454  *
455  * Sorting is done first based on num and then using tx_id, if nums are equal.
456  * The Signature::num field is set based on internal priority. Higher priority
457  * rules have lower nums.
458  */
459 static int AlertQueueSortHelperFirewall(const void *a, const void *b)
460 {
461  const PacketAlert *pa0 = a;
462  const PacketAlert *pa1 = b;
463  if (pa0->s->detect_table == pa1->s->detect_table) {
464  if (pa1->iid == pa0->iid) {
465  if (pa1->tx_id == PACKET_ALERT_NOTX) {
466  return -1;
467  } else if (pa0->tx_id == PACKET_ALERT_NOTX) {
468  return 1;
469  }
470  return pa0->tx_id < pa1->tx_id ? 1 : -1;
471  } else {
472  return pa0->iid < pa1->iid ? -1 : 1;
473  }
474  }
475  return pa0->s->detect_table < pa1->s->detect_table ? -1 : 1;
476 }
477 
478 static int AlertQueueSortHelper(const void *a, const void *b)
479 {
480  const PacketAlert *pa0 = a;
481  const PacketAlert *pa1 = b;
482  if (pa1->iid == pa0->iid) {
483  if (pa1->tx_id == PACKET_ALERT_NOTX) {
484  return -1;
485  } else if (pa0->tx_id == PACKET_ALERT_NOTX) {
486  return 1;
487  }
488  return pa0->tx_id < pa1->tx_id ? 1 : -1;
489  } else {
490  return pa0->iid < pa1->iid ? -1 : 1;
491  }
492 }
493 
494 /** \internal
495  * \brief Check if Signature action should be applied to flow and apply
496  *
497  */
498 static inline void FlowApplySignatureActions(
499  Packet *p, PacketAlert *pa, const Signature *s, uint8_t alert_flags)
500 {
501  /* For DROP and PASS sigs we need to apply the action to the flow if
502  * - sig is IP or PD only
503  * - match is in applayer
504  * - match is in stream */
505  if (pa->action & (ACTION_DROP | ACTION_PASS | ACTION_ACCEPT)) {
508 
509  if (s->action_scope == ACTION_SCOPE_FLOW) {
511  } else if (s->action_scope == ACTION_SCOPE_AUTO) {
512  enum SignaturePropertyFlowAction flow_action =
514  if (flow_action == SIG_PROP_FLOW_ACTION_FLOW) {
516  } else if (flow_action == SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL) {
519  }
520  }
521  }
522 
524  SCLogDebug("packet %" PRIu64 " sid %u action %02x alert_flags %02x (set "
525  "PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW)",
526  PcapPacketCntGet(p), s->id, s->action, pa->flags);
527  }
528  }
529 }
530 
531 /** \internal
532  * \brief handle immediate actions for a firewall rule match
533  *
534  * Delayed action (accept) is handled after TD has also run, as TD drop
535  * can overrule a FW accept. So returning `accept` here means "will accept if TD agrees".
536  *
537  * \retval pol firewall policy with action that is (drop) or should possibly be (accept)
538  * applied to the packet and flow.
539  */
540 static struct DetectFirewallPolicy HandleFirewallRule(
542 {
543  const Signature *s = pa->s;
544  struct DetectFirewallPolicy pol = { .action = 0, .action_scope = 0 };
545  int res = PacketAlertHandle(de_ctx, det_ctx, s, p, pa);
546  SCLogDebug("packet %" PRIu64 ": fw sid %u: res %d", PcapPacketCntGet(p), s->id, res);
547  if (res > 0) {
548  /* Now, if we have an alert, we have to check if we want
549  * to tag this session or src/dst host */
550  if (s->sm_arrays[DETECT_SM_LIST_TMATCH] != NULL) {
553  while (1) {
554  /* tags are set only for alerts */
556  sigmatch_table[smd->type].Match(det_ctx, p, (Signature *)s, smd->ctx);
557  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
558  if (smd->is_last)
559  break;
560  smd++;
561  }
562  }
563  /* if this is a terminating action, pass the action to the caller. */
564  if (s->action_scope != ACTION_SCOPE_HOOK ||
566  pol.action = s->action;
567  pol.action_scope = s->action_scope;
568  if (pol.action & ACTION_DROP) {
569  uint8_t drop_reason = PKT_DROP_REASON_FW_RULES;
572  } else if (s->detect_table == DETECT_TABLE_PACKET_PRE_FLOW) {
573  drop_reason = PKT_DROP_REASON_FW_FLOW_PRE_HOOK;
574  }
575  PacketDrop(p, pol.action, drop_reason);
576  if (p->flow && pol.action_scope == ACTION_SCOPE_FLOW) {
578  SCLogDebug("packet %" PRIu64 ": FLOW_ACTION_DROP set by firewall by sid %u",
579  PcapPacketCntGet(p), s->id);
580  }
581  }
582  if (pol.action & ACTION_PASS) {
583  if (p->flow && pol.action_scope == ACTION_SCOPE_FLOW) {
585  SCLogDebug("packet %" PRIu64 ": FLOW_ACTION_PASS set by firewall by sid %u",
586  PcapPacketCntGet(p), s->id);
587  }
588  }
589  }
590  /* add the alert for logging if required. */
591  if (s->action & ACTION_ALERT) {
592  if (p->alerts.cnt < packet_alert_max) {
593  p->alerts.alerts[p->alerts.cnt++] = *pa;
594  } else {
596  }
597  }
598  }
599  return pol;
600 }
601 
602 /*
603  * Queue order after sorting:
604  *
605  * Firewall use case: rules are sorted by Signature::detect_table, Signature::iid (which reflects
606  * order in the rule file(s)) This means:
607  * - pre_flow
608  * - pre_stream
609  * - packet:filter (firewall)
610  * - packet:td (IDS/IPS rules)
611  * - app:filter (firewall)
612  * - app:td (IDS/IPS rules)
613  *
614  * Firewall DROPs are immediate.
615  * Firewall ACCEPTs depend on TD not dropping.
616  * Firewall rules are not affected by PASS.
617  * TD rules are affected by PASS, both set by Firewall and TD rules.
618  *
619  * Non-Firewall use case: rules are sorted by Signature::iid (which reflect order based on flowbits,
620  * action-order, priority, etc)
621  */
622 static inline void PacketAlertFinalizeProcessQueue(
624 {
625  const bool have_fw_rules = EngineModeIsFirewall();
626 
627  if (det_ctx->alert_queue_size > 1) {
628  /* sort the alert queue before thresholding and appending to Packet */
629  qsort(det_ctx->alert_queue, det_ctx->alert_queue_size, sizeof(PacketAlert),
630  have_fw_rules ? AlertQueueSortHelperFirewall : AlertQueueSortHelper);
631  }
632 
633  bool alerted = false;
634  bool dropped = false;
635  bool skip_td = false;
636  bool skip_fw = false;
637  bool fw_accept_packet = false; // same as skip_fw?
638  bool fw_accept_flow = false;
639 
640 #ifdef DEBUG
641  SCLogDebug("packet %" PRIu64 ": starting alert event queue", PcapPacketCntGet(p));
642  for (uint16_t x = 0; x < det_ctx->alert_queue_size; x++) {
643  const PacketAlert *pa = &det_ctx->alert_queue[x];
644  const Signature *s = pa->s;
645  SCLogDebug("(list) %s sid %u: action %02x scope %u iid %u detect_table %u",
646  (s->flags & SIG_FLAG_FIREWALL) ? "fw" : "td", s->id, s->action, s->action_scope,
647  s->iid, s->detect_table);
648  }
649 #endif /* DEBUG */
650  uint8_t skip_table_id = 0;
651  bool skip_table = false;
652  for (uint16_t i = 0; i < det_ctx->alert_queue_size; i++) {
653  PacketAlert *pa = &det_ctx->alert_queue[i];
654  const Signature *s = pa->s;
655 
656  if (s->flags & SIG_FLAG_FIREWALL) {
657  if (skip_fw) {
658  continue;
659  }
660  /* skip for this table, but not for later. Mostly for showing
661  * alerts for both packet:filter and app:filter together. */
662  if (skip_table) {
663  if (s->detect_table <= skip_table_id)
664  continue;
665  skip_table = false;
666  }
667 
668  if (dropped) {
669  SCLogDebug("Skipping firewall signature after a drop.");
670  continue;
671  }
672 
673  const uint16_t pre_alert_cnt = p->alerts.cnt;
674  struct DetectFirewallPolicy pol = HandleFirewallRule(de_ctx, det_ctx, p, pa);
675  /* drop is immediate */
676  if (pol.action & ACTION_DROP) {
677  dropped = true;
678  } else if (pol.action & ACTION_ACCEPT) {
679  SCLogDebug("fw sid %u setting skip_fw for action %02x scope %s", s->id, pol.action,
681  /* see if we want to skip other alerts for this table */
682  if (pol.action_scope == ACTION_SCOPE_HOOK) {
683  skip_table_id = s->detect_table;
684  skip_table = true;
685  } else {
686  skip_fw = true;
687  }
688  fw_accept_packet = true;
689  if (pol.action_scope == ACTION_SCOPE_FLOW)
690  fw_accept_flow = true;
691  }
692  if (pol.action & ACTION_PASS) {
693  skip_td = true;
694  }
695  if (pre_alert_cnt < p->alerts.cnt)
696  alerted = true;
697  if (dropped)
698  goto fw_dropped;
699 
700  continue;
701  }
702 
703  SCLogDebug("sid: %u, action %02x, firewall? %s", s->id, pa->action,
705 
706  /* if a firewall rule told us to skip, we don't count the skipped
707  * alerts. */
708  if (have_fw_rules && skip_td) {
709  continue;
710  }
711 
712  int res = PacketAlertHandle(de_ctx, det_ctx, s, p, pa);
713  SCLogDebug("sid %u: res %d", pa->s->id, res);
714  if (res > 0) {
715  /* Now, if we have an alert, we have to check if we want
716  * to tag this session or src/dst host */
717  if (s->sm_arrays[DETECT_SM_LIST_TMATCH] != NULL) {
720  while (1) {
721  /* tags are set only for alerts */
723  sigmatch_table[smd->type].Match(det_ctx, p, (Signature *)s, smd->ctx);
724  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
725  if (smd->is_last)
726  break;
727  smd++;
728  }
729  }
730 
731  bool skip_action_set = false;
732  if ((p->action & (ACTION_DROP | ACTION_ACCEPT)) != 0) {
733  if (p->action & ACTION_DROP) {
734  if (pa->action & (ACTION_PASS | ACTION_ACCEPT)) {
735  skip_action_set = true;
736  }
737  } else {
738  if (pa->action & (ACTION_DROP)) {
739  skip_action_set = true;
740  }
741  }
742  }
743  SCLogDebug("packet %" PRIu64 ": i:%u sid:%u skip_action_set %s", PcapPacketCntGet(p), i,
744  s->id, BOOL2STR(skip_action_set));
745  if (!skip_action_set) {
746  /* set actions on the flow */
747  FlowApplySignatureActions(p, pa, s, pa->flags);
748 
749  SCLogDebug("sid %u: action %02x (DROP %s, PASS %s)", pa->s->id, pa->action,
751 
752  /* set actions on packet */
753  PacketApplySignatureActions(p, s, pa);
754  }
755  }
756 
757  /* Thresholding removes this alert */
758  if (res == 0 || res == 2 || (s->action & (ACTION_ALERT | ACTION_PASS)) == 0) {
759  SCLogDebug("sid:%u: skipping alert because of thresholding (res=%d) or NOALERT (%02x)",
760  s->id, res, s->action);
761  /* we will not copy this to the AlertQueue */
762  p->alerts.suppressed++;
763  } else if (p->alerts.cnt < packet_alert_max) {
764  p->alerts.alerts[p->alerts.cnt++] = *pa;
765  SCLogDebug("appending sid %" PRIu32 " alert to Packet::alerts at pos %u; action:%02x",
766  s->id, i, pa->action);
767 
768  if (pa->action & ACTION_ALERT) {
769  alerted = true;
770  }
771  /* pass with alert, we're done. Alert is logged. */
772  if (pa->action & ACTION_PASS) {
773  SCLogDebug("sid:%u: is a pass rule, so break out of loop", s->id);
774  if (!have_fw_rules)
775  break;
776  SCLogDebug("skipping td");
777  skip_td = true;
778  continue;
779  }
780  } else {
781  p->alerts.discarded++;
782  }
783 
784  if (s->action & ACTION_DROP) {
785  dropped = true;
786  }
787  }
788 
789 fw_dropped:
790  /* after threat detection has been handled, see if the fw intended to accept (drop is handled
791  * immediately by the fw), as fw accept can be overruled by td drop. */
792  if (have_fw_rules) {
793  if (p->action & ACTION_DROP) {
794  SCLogDebug("packet %" PRIu64 ": dropped by TD", PcapPacketCntGet(p));
795  } else if (fw_accept_packet) {
796  p->action |= ACTION_ACCEPT;
797  if (p->flow && fw_accept_flow) {
799  SCLogDebug("packet %" PRIu64 ": FLOW_ACTION_ACCEPT set from firewall",
801  }
802  }
803  }
804 
805  /* Set flag on flow to indicate that it has alerts. We use the bool to
806  * exclude pass-only entries in `Packet::alerts` */
807  if (alerted && p->flow != NULL) {
808  if (!FlowHasAlerts(p->flow)) {
811  }
812  }
813 
814  /* Notify capture layer about packets with real alerts (not pass-only),
815  * so capture impl can update per-capture context (e.g. pcap-file alert counts). */
816  if (alerted) {
818  }
819 }
820 
821 /**
822  * \brief Check the threshold of the sigs that match, set actions, break on pass action
823  * This function iterate the packet alerts array, removing those that didn't match
824  * the threshold, and those that match after a signature with the action "pass".
825  * The array is sorted by action priority/order
826  * \param de_ctx detection engine context
827  * \param det_ctx detection engine thread context
828  * \param p pointer to the packet
829  */
831 {
832  SCEnter();
833 
834  if (det_ctx->alert_queue_size > 0) {
835  PacketAlertFinalizeProcessQueue(de_ctx, det_ctx, p);
836  if (det_ctx->json_content_len)
838  }
839 
840  /* At this point, we should have all the new alerts. Now check the tag
841  * keyword context for sessions and hosts */
842  if (!(p->flags & PKT_PSEUDO_STREAM_END))
843  TagHandlePacket(de_ctx, det_ctx, p);
844 }
845 
846 #ifdef UNITTESTS
848 #endif
PacketCheckAction
bool PacketCheckAction(const Packet *p, const uint8_t a)
Definition: packet.c:50
PKT_DROP_REASON_RULES_THRESHOLD
@ PKT_DROP_REASON_RULES_THRESHOLD
Definition: decode.h:393
DetectEngineThreadCtx_::alert_queue_size
uint16_t alert_queue_size
Definition: detect.h:1376
FlowSetHasAlertsFlag
void FlowSetHasAlertsFlag(Flow *f)
Set flag to indicate that flow has alerts.
Definition: flow.c:154
PacketAlerts_::firewall_discarded
uint16_t firewall_discarded
Definition: decode.h:290
FLOW_ACTION_BY_FIREWALL
#define FLOW_ACTION_BY_FIREWALL
Definition: flow.h:125
PacketAlert_::s
const struct Signature_ * s
Definition: decode.h:253
AlertQueueFree
void AlertQueueFree(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine-alert.c:282
Flow_::flags
uint64_t flags
Definition: flow.h:403
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
PACKET_ALERT_FLAG_STATE_MATCH
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:269
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
ACTION_PASS
#define ACTION_PASS
Definition: action-globals.h:34
PKT_DROP_REASON_FW_RULES
@ PKT_DROP_REASON_FW_RULES
Definition: decode.h:406
KEYWORD_PROFILING_SET_LIST
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
Definition: util-profiling.h:46
PcapPacketCntGet
uint64_t PcapPacketCntGet(const Packet *p)
Definition: decode.c:1180
DETECT_TABLE_PACKET_PRE_STREAM
@ DETECT_TABLE_PACKET_PRE_STREAM
Definition: detect.h:559
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
SigMatchData_::is_last
bool is_last
Definition: detect.h:367
ActionScopeToString
const char * ActionScopeToString(enum ActionScope s)
Definition: detect-parse.c:3816
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:288
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:144
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:368
action-globals.h
Packet_::flags
uint32_t flags
Definition: decode.h:561
Packet_::action
uint8_t action
Definition: decode.h:623
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:354
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:133
TAG_SIG_ID
#define TAG_SIG_ID
Definition: detect-engine-tag.h:42
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:973
PacketAlerts_::alerts
PacketAlert * alerts
Definition: decode.h:292
ACTION_SCOPE_FLOW
@ ACTION_SCOPE_FLOW
Definition: action-globals.h:45
ACTION_REJECT_ANY
#define ACTION_REJECT_ANY
Definition: action-globals.h:38
PacketAlerts_::drop
PacketAlert drop
Definition: decode.h:295
CaptureHooksOnPacketWithAlerts
void CaptureHooksOnPacketWithAlerts(const Packet *p)
Definition: capture-hooks.c:53
ACTION_DROP_REJECT
#define ACTION_DROP_REJECT
Definition: action-globals.h:40
FLOW_ACTION_DROP
#define FLOW_ACTION_DROP
Definition: flow.h:69
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:738
p
Packet * p
Definition: fuzz_iprep.c:21
EngineModeIsFirewall
bool EngineModeIsFirewall(void)
Definition: suricata.c:239
SigMatchData_
Data needed for Match()
Definition: detect.h:365
KEYWORD_PROFILING_START
#define KEYWORD_PROFILING_START
Definition: util-profiling.h:50
SigMatchData_::type
uint16_t type
Definition: detect.h:366
DetectFirewallPolicy::action
uint8_t action
Definition: detect.h:925
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:636
KEYWORD_PROFILING_END
#define KEYWORD_PROFILING_END(ctx, type, m)
Definition: util-profiling.h:64
PacketAlert_::tx_id
uint64_t tx_id
Definition: decode.h:254
PacketAlert_::action
uint8_t action
Definition: decode.h:251
SIG_FLAG_FIREWALL
#define SIG_FLAG_FIREWALL
Definition: detect.h:245
AlertQueueInit
void AlertQueueInit(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine-alert.c:269
Signature_::gid
uint32_t gid
Definition: detect.h:721
FLOW_ACTION_PASS
#define FLOW_ACTION_PASS
Definition: flow.h:116
AlertQueueAppendAppTxFromPacket
void AlertQueueAppendAppTxFromPacket(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t alert_flags)
Append signature to local packet alert queue for later preprocessing This does not automatically set ...
Definition: detect-engine-alert.c:436
SignaturePropertyFlowAction
SignaturePropertyFlowAction
Definition: detect.h:83
AlertQueueAppendAppTx
void AlertQueueAppendAppTx(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t alert_flags)
Append signature to local packet alert queue for later preprocessing.
Definition: detect-engine-alert.c:424
capture-hooks.h
PacketAlert_::json_info
struct PacketContextData * json_info
Definition: decode.h:256
decode.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:22
DetectEngineThreadCtx_
Definition: detect.h:1291
DETECT_THRESHOLD
@ DETECT_THRESHOLD
Definition: detect-engine-register.h:65
PKT_PSEUDO_STREAM_END
#define PKT_PSEUDO_STREAM_END
Definition: decode.h:1312
util-exception-policy.h
PKT_DROP_REASON_FW_FLOW_PRE_HOOK
@ PKT_DROP_REASON_FW_FLOW_PRE_HOOK
Definition: decode.h:410
BOOL2STR
#define BOOL2STR(b)
Definition: util-debug.h:542
SCEnter
#define SCEnter(...)
Definition: util-debug.h:284
detect.h
PacketContextData
Definition: decode.h:242
DETECT_TABLE_PACKET_PRE_FLOW
@ DETECT_TABLE_PACKET_PRE_FLOW
Definition: detect.h:558
PacketAlerts_::discarded
uint16_t discarded
Definition: decode.h:289
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:325
detect-engine-tag.h
PKT_DROP_REASON_RULES
@ PKT_DROP_REASON_RULES
Definition: decode.h:392
Signature_::action
uint8_t action
Definition: detect.h:690
util-profiling.h
PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW
#define PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW
Definition: decode.h:267
Signature_::flags
uint32_t flags
Definition: detect.h:676
PKT_ALERT_CTX_USED
#define PKT_ALERT_CTX_USED
Definition: decode.h:1299
ACTION_ALERT
#define ACTION_ALERT
Definition: action-globals.h:29
Packet_
Definition: decode.h:515
DetectEngineThreadCtx_::frame_id
int64_t frame_id
Definition: detect.h:1368
ACTION_SCOPE_AUTO
@ ACTION_SCOPE_AUTO
Definition: action-globals.h:43
detect-engine-alert.h
DetectEngineThreadCtx_::alert_queue_capacity
uint16_t alert_queue_capacity
Definition: detect.h:1377
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1471
PacketAlert_::iid
SigIntId iid
Definition: decode.h:250
signature_properties
const struct SignatureProperties signature_properties[SIG_TYPE_MAX]
Definition: detect-engine.c:117
PACKET_ALERT_NOTX
#define PACKET_ALERT_NOTX
Definition: detect.h:55
SIG_TYPE_NOT_SET
@ SIG_TYPE_NOT_SET
Definition: detect.h:65
PACKET_ALERT_FLAG_APPLY_ACTION_TO_PACKET
#define PACKET_ALERT_FLAG_APPLY_ACTION_TO_PACKET
Definition: decode.h:281
PacketAlertFinalize
void PacketAlertFinalize(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Check the threshold of the sigs that match, set actions, break on pass action This function iterate t...
Definition: detect-engine-alert.c:830
PACKET_ALERT_FLAG_STREAM_MATCH
#define PACKET_ALERT_FLAG_STREAM_MATCH
Definition: decode.h:271
TagHandlePacket
void TagHandlePacket(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Search tags for src and dst. Update entries of the tag, remove if necessary.
Definition: detect-engine-tag.c:523
PACKET_ALERT_FLAG_FRAME
#define PACKET_ALERT_FLAG_FRAME
Definition: decode.h:277
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
PacketAlert_::frame_id
int64_t frame_id
Definition: decode.h:255
PacketAlert_::flags
uint8_t flags
Definition: decode.h:252
Packet_::flow
struct Flow_ * flow
Definition: decode.h:563
suricata-common.h
SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
@ SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
Definition: detect.h:86
ActionScope
ActionScope
Definition: action-globals.h:42
DetectThresholdData_
Definition: detect-threshold.h:62
ACTION_SCOPE_HOOK
@ ACTION_SCOPE_HOOK
Definition: action-globals.h:46
Signature_::action_scope
uint8_t action_scope
Definition: detect.h:697
packet.h
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
Signature_::rev
uint32_t rev
Definition: detect.h:722
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
FatalError
#define FatalError(...)
Definition: util-debug.h:517
ACTION_CONFIG
#define ACTION_CONFIG
Definition: action-globals.h:35
PacketContextData::next
struct PacketContextData * next
Definition: decode.h:244
DETECT_SM_LIST_TMATCH
@ DETECT_SM_LIST_TMATCH
Definition: detect.h:129
PKT_DROP_REASON_FW_STREAM_PRE_HOOK
@ PKT_DROP_REASON_FW_STREAM_PRE_HOOK
Definition: decode.h:409
SIG_TYPE_MAX
@ SIG_TYPE_MAX
Definition: detect.h:79
Signature_::prio
int prio
Definition: detect.h:723
AlertQueueAppendPacket
void AlertQueueAppendPacket(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint8_t alert_flags)
Append signature to local packet alert queue for later preprocessing.
Definition: detect-engine-alert.c:446
SigGetThresholdTypeIter
const DetectThresholdData * SigGetThresholdTypeIter(const Signature *sig, const SigMatchData **psm, int list)
Return next DetectThresholdData for signature.
Definition: detect-engine-threshold.c:677
FLOW_ACTION_ACCEPT
#define FLOW_ACTION_ACCEPT
Definition: flow.h:63
util-validate.h
DetectEngineThreadCtx_::alert_queue
PacketAlert * alert_queue
Definition: detect.h:1378
PACKET_ALERT_FLAG_RATE_FILTER_MODIFIED
#define PACKET_ALERT_FLAG_RATE_FILTER_MODIFIED
Definition: decode.h:275
DetectEngineThreadCtx_::json_content
SigJsonContent * json_content
Definition: detect.h:1328
PacketAlerts_::suppressed
uint16_t suppressed
Definition: decode.h:291
DetectFirewallPolicy
Definition: detect.h:924
Signature_::iid
SigIntId iid
Definition: detect.h:687
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-engine-alert.c
Signature_::id
uint32_t id
Definition: detect.h:720
ACTION_SCOPE_PACKET
@ ACTION_SCOPE_PACKET
Definition: action-globals.h:44
detect-parse.h
Signature_
Signature container.
Definition: detect.h:675
PACKET_ALERT_FLAG_TX
#define PACKET_ALERT_FLAG_TX
Definition: decode.h:273
PacketAlertTagInit
void PacketAlertTagInit(void)
Definition: detect-engine-alert.c:48
PacketDrop
void PacketDrop(Packet *p, const uint8_t action, enum PacketDropReason r)
issue drop action
Definition: packet.c:34
ACTION_ACCEPT
#define ACTION_ACCEPT
Definition: action-globals.h:36
suricata.h
PacketAlert_
Definition: decode.h:249
Signature_::detect_table
uint8_t detect_table
Definition: detect.h:709
FlowHasAlerts
int FlowHasAlerts(const Flow *f)
Check if flow has alerts.
Definition: flow.c:165
packet_alert_max
uint16_t packet_alert_max
Definition: decode.c:82
DetectEngineThreadCtx_::json_content_len
uint8_t json_content_len
Definition: detect.h:1330
TAG_SIG_GEN
#define TAG_SIG_GEN
Definition: detect-engine-tag.h:41
PacketContextData::json_string
char * json_string
Definition: decode.h:243
SIG_PROP_FLOW_ACTION_FLOW
@ SIG_PROP_FLOW_ACTION_FLOW
Definition: detect.h:85
PacketAlertThreshold
int PacketAlertThreshold(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
Make the threshold logic for signatures.
Definition: detect-engine-threshold.c:1197
flow.h
PKT_FIRST_ALERTS
#define PKT_FIRST_ALERTS
Definition: decode.h:1359
DetectFirewallPolicy::action_scope
uint8_t action_scope
Definition: detect.h:926
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:288
Signature_::type
enum SignatureType type
Definition: detect.h:678
DETECT_SM_LIST_SUPPRESS
@ DETECT_SM_LIST_SUPPRESS
Definition: detect.h:132
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:109
SignatureProperties::flow_action
enum SignaturePropertyFlowAction flow_action
Definition: detect.h:90
SigJsonContent::json_content
char json_content[SIG_JSON_CONTENT_ITEM_LEN]
Definition: detect.h:1285
SigJsonContent::id
void * id
Definition: detect.h:1284
detect-engine-threshold.h