add ip.src and ip.dst to each rule so that GUI can show IPs of alerts

Montimage · Jun 1, 2023 · 4a00e2b · 4a00e2b
1 parent 0544436
commit 4a00e2b
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/rules/96.http2_dos_recognition.xml b/rules/96.http2_dos_recognition.xml
@@ -58,7 +58,7 @@ static inline bool em_5g_check_msg_throughput( const void *data ){
     description="5G Http2 DoS attack Recognition">
     <event value="COMPUTE" event_id="1" 
         description="HTTP2 check on the methods/ types that can realize a flooding"
-           boolean_expression="((( http2.header_method == 131) || (http2.header_method==130)  || (http2.type==8)) )"/>
+           boolean_expression="(((( http2.header_method == 131) || (http2.header_method==130))  || (http2.type==8)) &amp;&amp; (ip.src != ip.dst) )"/>
 
    <event value="COMPUTE" event_id="2" 
         description="Calculate total"

diff --git a/rules/97.http2_compression_attack_recognition.xml b/rules/97.http2_compression_attack_recognition.xml
@@ -27,7 +27,7 @@ static int em_check( double header_length,double packet_id){
     description="5G Http2 DoS attack Recognition" if_satisfied="">
     <event value="COMPUTE" event_id="1" 
         description="HTTP2 Compression attack"
-           boolean_expression="( (http2.header_length>350) &amp;&amp; (16384>http2.header_length ) &amp;&amp; ( http2.header_method == 131) &amp;&amp;  #em_check(http2.header_length,meta.packet_index) &amp;&amp; (2800>meta.packet_len))"/>
+           boolean_expression="(( ((((http2.header_length>350) &amp;&amp; (16384>http2.header_length )) &amp;&amp; ( http2.header_method == 131)) &amp;&amp;  #em_check(http2.header_length,meta.packet_index)) &amp;&amp; (2800>meta.packet_len)) &amp;&amp; (ip.src != ip.dst))"/>
 
  <event value="COMPUTE" event_id="2" 
            description="Nothing"