2024 April 14th update

2025-09-29 11:16:30 +03:00 · 2024-04-14 12:55:54 +00:00
parent 7a7f65a77a
commit 942b2ef8b4
79 changed files with 1800 additions and 3778 deletions
--- a/components/security_apps/ips/include/ips_basic_policy.h
+++ b/components/security_apps/ips/include/ips_basic_policy.h
@@ -50,9 +50,13 @@ public:

 private:
    void readRules(cereal::JSONInputArchive &ar);
+    void readTriggerId(cereal::JSONInputArchive &ar);
+    void readExceptionId(cereal::JSONInputArchive &ar);
    void readDefaultAction(cereal::JSONInputArchive &ar);

    std::vector<Rule> rules;
+    std::string trigger_id;
+    std::string exception_id;
 };

 #endif // __IPS_BASIC_POLICY_H__
--- a/components/security_apps/ips/include/ips_signatures.h
+++ b/components/security_apps/ips/include/ips_signatures.h
@@ -27,6 +27,7 @@
 #include "log_generator.h"
 #include "parsed_context.h"
 #include "pm_hook.h"
+#include "i_generic_rulebase.h"

 /// \namespace IPSSignatureSubTypes
 /// \brief Namespace containing subtypes for IPS signatures.
@@ -348,8 +349,16 @@ public:
    /// \brief Construct a SignatureAndAction object.
    /// \param _signature The complete signature.
    /// \param _action The signature action.
-    SignatureAndAction(std::shared_ptr<CompleteSignature> _signature, SignatureAction _action) :
-        signature(_signature), action(_action)
+    SignatureAndAction(
+        std::shared_ptr<CompleteSignature> _signature,
+        SignatureAction _action,
+        std::string _trigger_id,
+        std::string _exception_id)
+            :
+        signature(_signature),
+        action(_action),
+        trigger_id(_trigger_id),
+        exception_id(_exception_id)
    {}

    /// \brief Check if the signature is matched for prevention.
@@ -375,6 +384,11 @@ public:
        return signature->getContext();
    }

+    LogTriggerConf getTrigger() const;
+
+    std::set<ParameterBehavior>
+    getBehavior(const std::unordered_map<std::string, std::set<std::string>> &exceptions_dict) const;
+
 private:
    /// \brief Get the action results for the IPS state.
    /// \param ips_state The IPS entry.
@@ -382,6 +396,8 @@ private:

    std::shared_ptr<CompleteSignature> signature;
    SignatureAction action;
+    std::string trigger_id;
+    std::string exception_id;
 };
 } // namespace IPSSignatureSubTypes

--- a/components/security_apps/ips/include/snort_basic_policy.h
+++ b/components/security_apps/ips/include/snort_basic_policy.h
@@ -17,6 +17,8 @@ public:
 private:
    IPSSignatureSubTypes::SignatureAction action = IPSSignatureSubTypes::SignatureAction::IGNORE;
    std::vector<std::string> file_names;
+    std::string trigger_id;
+    std::string exception_id;
 };

 #endif // __SNORT_BASIC_POLICY_H__