Skip to content

Commit

Permalink
flow/pkts: allow matching on either direction
Browse files Browse the repository at this point in the history
For flow.bytes and flow.pkts keywords, allow matching in either
direction.

Feature 5646
  • Loading branch information
inashivb committed Jan 6, 2025
1 parent 3d1609f commit 356b9bc
Show file tree
Hide file tree
Showing 2 changed files with 21 additions and 0 deletions.
6 changes: 6 additions & 0 deletions doc/userguide/rules/flow-keywords.rst
Original file line number Diff line number Diff line change
Expand Up @@ -331,6 +331,8 @@ following directions:

* toserver

* either

Syntax::

flow.pkts:<direction>,[op]<number>
Expand All @@ -339,6 +341,7 @@ The number of packets can be matched exactly, or compared using the _op_ setting

flow.pkts:toclient,3 # exactly 3
flow.pkts:toserver,<3 # smaller than 3
flow.pkts:either,>=2 # greater than or equal to 2

Signature example::

Expand All @@ -361,6 +364,8 @@ following directions:

* toserver

* either

Syntax::

flow.bytes:<direction>,[op]<number>
Expand All @@ -369,6 +374,7 @@ The number of bytes can be matched exactly, or compared using the _op_ setting::

flow.bytes:toclient,3 # exactly 3
flow.bytes:toserver,<3 # smaller than 3
flow.bytes:either,>=2 # greater than or equal to 2

Signature example::

Expand Down
15 changes: 15 additions & 0 deletions src/detect-flow-pkts.c
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@
enum FlowDirection {
DETECT_FLOW_TOSERVER = 1,
DETECT_FLOW_TOCLIENT,
DETECT_FLOW_TOEITHER,
};

typedef struct DetectFlow_ {
Expand All @@ -46,6 +47,11 @@ static int DetectFlowPktsMatch(
return DetectU32Match(p->flow->todstpktcnt, df->pkt_data);
} else if (df->dir == DETECT_FLOW_TOCLIENT) {
return DetectU32Match(p->flow->tosrcpktcnt, df->pkt_data);
} else if (df->dir == DETECT_FLOW_TOEITHER) {
if (DetectU32Match(p->flow->tosrcpktcnt, df->pkt_data)) {
return 1;
}
return DetectU32Match(p->flow->todstpktcnt, df->pkt_data);
}
return 0;
}
Expand Down Expand Up @@ -133,6 +139,8 @@ static int DetectFlowPktsSetup(DetectEngineCtx *de_ctx, Signature *s, const char
dir = DETECT_FLOW_TOSERVER;
} else if (strcmp(token, "toclient") == 0) {
dir = DETECT_FLOW_TOCLIENT;
} else if (strcmp(token, "either") == 0) {
dir = DETECT_FLOW_TOEITHER;
}

if (dir) {
Expand Down Expand Up @@ -267,6 +275,11 @@ static int DetectFlowBytesMatch(
return DetectU64Match(p->flow->todstbytecnt, df->byte_data);
} else if (df->dir == DETECT_FLOW_TOCLIENT) {
return DetectU64Match(p->flow->tosrcbytecnt, df->byte_data);
} else if (df->dir == DETECT_FLOW_TOEITHER) {
if (DetectU64Match(p->flow->tosrcbytecnt, df->byte_data)) {
return 1;
}
return DetectU64Match(p->flow->todstbytecnt, df->byte_data);
}
return 0;
}
Expand Down Expand Up @@ -354,6 +367,8 @@ static int DetectFlowBytesSetup(DetectEngineCtx *de_ctx, Signature *s, const cha
dir = DETECT_FLOW_TOSERVER;
} else if (strcmp(token, "toclient") == 0) {
dir = DETECT_FLOW_TOCLIENT;
} else if (strcmp(token, "either") == 0) {
dir = DETECT_FLOW_TOEITHER;
}

if (dir) {
Expand Down

0 comments on commit 356b9bc

Please sign in to comment.