
flow/pkts: allow matching on either direction
For flow.bytes and flow.pkts keywords, allow matching in either
direction.

Feature 5646
inashivb committed Nov 29, 2024
1 parent ac98119 commit 8801b03
Showing 2 changed files with 25 additions and 0 deletions.
6 changes: 6 additions & 0 deletions doc/userguide/rules/flow-keywords.rst
Expand Up @@ -331,6 +331,8 @@ following directions:

* toserver

* either

Syntax::

flow.pkts:<direction>,[op]<number>
Expand All @@ -339,6 +341,7 @@ The number of packets can be matched exactly, or compared using the _op_ setting

flow.pkts:toclient,3 # exactly 3
flow.pkts:toserver,<3 # smaller than 3
flow.pkts:either,>=2 # greater than or equal to 2

Signature example::

Expand All @@ -358,6 +361,8 @@ following directions:

* toserver

* either

Syntax::

flow.bytes:<direction>,[op]<number>
Expand All @@ -366,6 +371,7 @@ The number of bytes can be matched exactly, or compared using the _op_ setting::

flow.bytes:toclient,3 # exactly 3
flow.bytes:toserver,<3 # smaller than 3
flow.bytes:either,>=2 # greater than or equal to 2

Signature example::

19 changes: 19 additions & 0 deletions src/detect-flow-pkts.c
Expand Up @@ -25,6 +25,7 @@

#define DETECT_FLOW_TO_SERVER 1
#define DETECT_FLOW_TO_CLIENT 2
#define DETECT_FLOW_TO_EITHER 3

typedef struct DetectFlow_ {
DetectU32Data *pkt_data;
Expand All @@ -44,6 +45,13 @@ static int DetectFlowPktsMatch(
return DetectU32Match(p->flow->todstpktcnt, df->pkt_data);
} else if (df->dir == DETECT_FLOW_TO_CLIENT) {
return DetectU32Match(p->flow->tosrcpktcnt, df->pkt_data);
} else if (df->dir == DETECT_FLOW_TO_EITHER) {
if (DetectU32Match(p->flow->tosrcpktcnt, df->pkt_data)) {
return 1;
}
if (DetectU32Match(p->flow->todstpktcnt, df->pkt_data)) {
return 1;
}
}
return 0;
}
Expand Down Expand Up @@ -131,6 +139,8 @@ static int DetectFlowPktsSetup(DetectEngineCtx *de_ctx, Signature *s, const char
df->dir = DETECT_FLOW_TO_SERVER;
} else if (strcmp(token, "toclient") == 0) {
df->dir = DETECT_FLOW_TO_CLIENT;
} else if (strcmp(token, "either") == 0) {
df->dir = DETECT_FLOW_TO_EITHER;
}

if (dir_set) {
Expand Down Expand Up @@ -234,6 +244,13 @@ static int DetectFlowBytesMatch(
return DetectU64Match(p->flow->todstbytecnt, df->byte_data);
} else if (df->dir == DETECT_FLOW_TO_CLIENT) {
return DetectU64Match(p->flow->tosrcbytecnt, df->byte_data);
} else if (df->dir == DETECT_FLOW_TO_EITHER) {
if (DetectU64Match(p->flow->tosrcbytecnt, df->byte_data)) {
return 1;
}
if (DetectU64Match(p->flow->todstbytecnt, df->byte_data)) {
return 1;
}
}
return 0;
}
Expand Down Expand Up @@ -321,6 +338,8 @@ static int DetectFlowBytesSetup(DetectEngineCtx *de_ctx, Signature *s, const cha
df->dir = DETECT_FLOW_TO_SERVER;
} else if (strcmp(token, "toclient") == 0) {
df->dir = DETECT_FLOW_TO_CLIENT;
} else if (strcmp(token, "either") == 0) {
df->dir = DETECT_FLOW_TO_EITHER;
}

if (dir_set) {
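Review bot: The DETECT_FLOW_TO_EITHER branch in DetectFlowPktsMatch spells a boolean OR as two nested ifs with early returns, which breaks the parallel one-line shape of the toserver/toclient branches above it; a single expression reads more directly: `} else if (df->dir == DETECT_FLOW_TO_EITHER) {` / `return DetectU32Match(p->flow->tosrcpktcnt, df->pkt_data) || DetectU32Match(p->flow->todstpktcnt, df->pkt_data);`. The same shape recurs in DetectFlowBytesMatch with DetectU64Match and the byte counters. The new constant also deserves a comment pinning the semantics the match code implements, e.g. `#define DETECT_FLOW_TO_EITHER 3 /* op holds for at least one direction, not the sum of both */`, since a rule author could otherwise read "either" as a combined count. DetectFlowPktsMatch's signature and opening lines lie outside the hunk.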
