From 33388805020c9247e53abff74c45270c4c31586b Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Fri, 13 Dec 2024 18:36:31 -0300
Subject: [PATCH] analysis: report rule state altered by other rule

Flowbits can make a rule such as a packet rule be treated as a stateful rule, without actually changing the rule type. Add a flag to allow report such cases via the engine analysis.
Task #7456
---
src/detect-engine-analyzer.c | 2 ++
src/detect-flowbits.c | 1 +
src/detect-parse.c | 3 +++
src/detect.h | 3 +++
4 files changed, 9 insertions(+)
diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index dae6f9f2f270..880cbf9bd059 100644
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -1047,6 +1047,8 @@ void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s)
 break;
 }
 
+ jb_set_bool(ctx.js, "rule_state_dependency", s->init_data->rule_state_dependency);
+
 jb_open_array(ctx.js, "flags");
 if (s->flags & SIG_FLAG_SRC_ANY) {
 jb_append_string(ctx.js, "src_any");
diff --git a/src/detect-flowbits.c b/src/detect-flowbits.c
index 40f04d75f305..b161f75292a2 100644
--- a/src/detect-flowbits.c
+++ b/src/detect-flowbits.c
@@ -630,6 +630,7 @@ int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
 if (to_state) {
 s->init_data->init_flags |= SIG_FLAG_INIT_STATE_MATCH;
+ s->init_data->rule_state_dependency = true;
 SCLogDebug("made SID %u stateful because it depends on "
 "stateful rules that set flowbit %s", s->id, varname);
 }
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 3b03dfb92b36..aa69416bd179 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1537,6 +1537,9 @@ Signature *SigAlloc (void)
 * overwritten, we can then assign the default value of 3 */
 sig->prio = -1;
 
+ /* rule interdepency is false, at start */
+ sig->init_data->rule_state_dependency = false;
+
 sig->init_data->list = DETECT_SM_LIST_NOTSET;
 return sig;
 }
diff --git a/src/detect.h b/src/detect.h
index 4e31c5fe0284..9343085b2474 100644
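Review bot: The new `jb_set_bool` call in EngineAnalysisRules2 dereferences `s->init_data` without a NULL check; if the analyzer can be invoked on a signature whose init data has already been released (the enclosing function starts and ends outside the hunk, so this is inferred, not visible), the report should guard it or fall back to `false`. The new key is also undocumented for readers of the analysis output: a comment above the call such as `/* true when another rule's flowbit forced this rule into stateful matching, see DetectFlowbitsAnalyze() */` would explain why it is reported on its own rather than as an entry of the `flags` array that follows. If the engine-analysis JSON has a documented schema elsewhere in the tree, the new `rule_state_dependency` key belongs there as well.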
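Review bot: The comment added in SigAlloc misspells "interdependency": `/* rule interdepency is false, at start */`; suggest `/* no inter-rule state dependency until DetectFlowbitsAnalyze() finds one */`, which also records what later sets the flag. If `init_data` is obtained from a zeroing allocator earlier in SigAlloc (the function's start is outside the hunk), the explicit `= false` is redundant, but keeping it as documentation of the default is reasonable.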
--- a/src/detect.h
+++ b/src/detect.h
@@ -597,6 +597,9 @@ typedef struct SignatureInitData_ {
 /* highest list/buffer id which holds a DETECT_CONTENT */
 uint32_t max_content_list_id;
+
+ /* inter-signature state dependency */
+ bool rule_state_dependency;
 } SignatureInitData;
 
 /** \brief Signature container */
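Review bot: The field comment `/* inter-signature state dependency */` on the new SignatureInitData member does not say which way the dependency runs or who sets it; suggest `/* true when flowbit analysis made this rule stateful because it depends on bits set by other rules; reported by the engine analyzer */`. The member is declared `bool`, so detect.h must already see `<stdbool.h>` directly or transitively; nothing in this patch adds the include, which is presumably fine but worth confirming. The struct definition starts outside the hunk.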