Changes to the DCE parser's stub_data_processed variable: it is replaced by a stub_data_fresh variable that indicates whether the stub data is fresh or not.

remotes/origin/master-1.0.x
Anoop Saldanha 16 years ago committed by Victor Julien
parent 45ea0d914e
commit 015385c6bd

@ -137,10 +137,8 @@ typedef struct DCERPCRequest_ {
uint8_t *stub_data_buffer; uint8_t *stub_data_buffer;
/* length of the above buffer */ /* length of the above buffer */
uint32_t stub_data_buffer_len; uint32_t stub_data_buffer_len;
/* used by the dce preproc to indicate fresh entry in the stub data buffer. /* used by the dce preproc to indicate fresh entry in the stub data buffer */
* The dce_stub_data keyword would reset it, once it has processed the uint8_t stub_data_fresh;
* above buffer */
uint8_t stub_data_processed;
} DCERPCRequest; } DCERPCRequest;
typedef struct DCERPCResponse_ { typedef struct DCERPCResponse_ {
@ -148,10 +146,8 @@ typedef struct DCERPCResponse_ {
uint8_t *stub_data_buffer; uint8_t *stub_data_buffer;
/* length of the above buffer */ /* length of the above buffer */
uint32_t stub_data_buffer_len; uint32_t stub_data_buffer_len;
/* used by the dce preproc to indicate fresh entry in the stub data buffer. /* used by the dce preproc to indicate fresh entry in the stub data buffer */
* The dce_stub_data keyword would reset it, once it has processed the uint8_t stub_data_fresh;
* above buffer */
uint8_t stub_data_processed;
} DCERPCResponse; } DCERPCResponse;
typedef struct DCERPC_ { typedef struct DCERPC_ {
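Review bot: The shortened comment on `stub_data_fresh` in both DCERPCRequest and DCERPCResponse no longer says who sets and who clears the flag, which the old comment did for `stub_data_processed`. From the other hunks on this page the flag is set in StubDataParser and cleared at the top of DCERPCParser, so I would write `/* set to 1 by StubDataParser when stub data is appended; cleared to 0 at the start of every DCERPCParser call */`. Both structs begin above their hunks.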

@ -897,20 +897,20 @@ static uint32_t StubDataParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_le
SCEnter(); SCEnter();
uint8_t **stub_data_buffer = NULL; uint8_t **stub_data_buffer = NULL;
uint32_t *stub_data_buffer_len = NULL; uint32_t *stub_data_buffer_len = NULL;
uint8_t *stub_data_processed = NULL; uint8_t *stub_data_fresh = NULL;
uint16_t stub_len = 0; uint16_t stub_len = 0;
/* request PDU. Retrieve the request stub buffer */ /* request PDU. Retrieve the request stub buffer */
if (dcerpc->dcerpchdr.type == REQUEST) { if (dcerpc->dcerpchdr.type == REQUEST) {
stub_data_buffer = &dcerpc->dcerpcrequest.stub_data_buffer; stub_data_buffer = &dcerpc->dcerpcrequest.stub_data_buffer;
stub_data_buffer_len = &dcerpc->dcerpcrequest.stub_data_buffer_len; stub_data_buffer_len = &dcerpc->dcerpcrequest.stub_data_buffer_len;
stub_data_processed = &dcerpc->dcerpcrequest.stub_data_processed; stub_data_fresh = &dcerpc->dcerpcrequest.stub_data_fresh;
/* response PDU. Retrieve the response stub buffer */ /* response PDU. Retrieve the response stub buffer */
} else { } else {
stub_data_buffer = &dcerpc->dcerpcresponse.stub_data_buffer; stub_data_buffer = &dcerpc->dcerpcresponse.stub_data_buffer;
stub_data_buffer_len = &dcerpc->dcerpcresponse.stub_data_buffer_len; stub_data_buffer_len = &dcerpc->dcerpcresponse.stub_data_buffer_len;
stub_data_processed = &dcerpc->dcerpcresponse.stub_data_processed; stub_data_fresh = &dcerpc->dcerpcresponse.stub_data_fresh;
} }
stub_len = (dcerpc->padleft < input_len) ? dcerpc->padleft : input_len; stub_len = (dcerpc->padleft < input_len) ? dcerpc->padleft : input_len;
@ -929,7 +929,7 @@ static uint32_t StubDataParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_le
} }
memcpy(*stub_data_buffer + *stub_data_buffer_len, input, stub_len); memcpy(*stub_data_buffer + *stub_data_buffer_len, input, stub_len);
*stub_data_processed = 0; *stub_data_fresh = 1;
/* length of the buffered stub */ /* length of the buffered stub */
*stub_data_buffer_len += stub_len; *stub_data_buffer_len += stub_len;
@ -1097,6 +1097,9 @@ int32_t DCERPCParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_len) {
uint32_t parsed = 0; uint32_t parsed = 0;
int hdrretval = 0; int hdrretval = 0;
dcerpc->dcerpcrequest.stub_data_fresh = 0;
dcerpc->dcerpcresponse.stub_data_fresh = 0;
while (dcerpc->bytesprocessed < DCERPC_HDR_LEN && input_len) { while (dcerpc->bytesprocessed < DCERPC_HDR_LEN && input_len) {
hdrretval = DCERPCParseHeader(dcerpc, input, input_len); hdrretval = DCERPCParseHeader(dcerpc, input, input_len);
if (hdrretval == -1) { if (hdrretval == -1) {
@ -3409,9 +3412,9 @@ int DCERPCParserTest04(void) {
} }
result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer == NULL && result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer == NULL &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed == 0) && dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh == 0) &&
(dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL && (dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL &&
dcerpc_state->dcerpc.dcerpcresponse.stub_data_processed == 0) ); dcerpc_state->dcerpc.dcerpcresponse.stub_data_fresh == 0) );
if (result == 0) if (result == 0)
goto end; goto end;
@ -3425,9 +3428,9 @@ int DCERPCParserTest04(void) {
} }
result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer == NULL && result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer == NULL &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed == 0) && dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh == 0) &&
(dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL && (dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL &&
dcerpc_state->dcerpc.dcerpcresponse.stub_data_processed == 0) ); dcerpc_state->dcerpc.dcerpcresponse.stub_data_fresh == 0) );
if (result == 0) if (result == 0)
goto end; goto end;
@ -3442,11 +3445,12 @@ int DCERPCParserTest04(void) {
result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL && result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 1024 && dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 1024 &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed == 0) && dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh == 1) &&
(dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL && (dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL &&
dcerpc_state->dcerpc.dcerpcresponse.stub_data_processed == 0) ); dcerpc_state->dcerpc.dcerpcresponse.stub_data_fresh == 0) );
if (result == 0) if (result == 0)
goto end; goto end;
dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh = 0;
/* request2 */ /* request2 */
r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER,
@ -3459,11 +3463,12 @@ int DCERPCParserTest04(void) {
result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL && result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 2048 && dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 2048 &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed == 0) && dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh == 1) &&
(dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL && (dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL &&
dcerpc_state->dcerpc.dcerpcresponse.stub_data_processed == 0) ); dcerpc_state->dcerpc.dcerpcresponse.stub_data_fresh == 0) );
if (result == 0) if (result == 0)
goto end; goto end;
dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh = 0;
/* request3 */ /* request3 */
r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER,
@ -3476,11 +3481,12 @@ int DCERPCParserTest04(void) {
result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL && result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 3072 && dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 3072 &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed == 0) && dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh == 1) &&
(dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL && (dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL &&
dcerpc_state->dcerpc.dcerpcresponse.stub_data_processed == 0) ); dcerpc_state->dcerpc.dcerpcresponse.stub_data_fresh == 0) );
if (result == 0) if (result == 0)
goto end; goto end;
dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh = 0;
/* request4 */ /* request4 */
r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER,
@ -3493,11 +3499,12 @@ int DCERPCParserTest04(void) {
result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL && result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 4096 && dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 4096 &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed == 0) && dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh == 1) &&
(dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL && (dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL &&
dcerpc_state->dcerpc.dcerpcresponse.stub_data_processed == 0) ); dcerpc_state->dcerpc.dcerpcresponse.stub_data_fresh == 0) );
if (result == 0) if (result == 0)
goto end; goto end;
dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh = 0;
/* request5 */ /* request5 */
r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER,
@ -3525,11 +3532,12 @@ int DCERPCParserTest04(void) {
result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL && result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 6144 && dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 6144 &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed == 0) && dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh == 1) &&
(dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL && (dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL &&
dcerpc_state->dcerpc.dcerpcresponse.stub_data_processed == 0) ); dcerpc_state->dcerpc.dcerpcresponse.stub_data_fresh == 0) );
if (result == 0) if (result == 0)
goto end; goto end;
dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh = 0;
/* request7 */ /* request7 */
r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER,
@ -3542,11 +3550,12 @@ int DCERPCParserTest04(void) {
result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL && result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 7168 && dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 7168 &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed == 0) && dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh == 1) &&
(dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL && (dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL &&
dcerpc_state->dcerpc.dcerpcresponse.stub_data_processed == 0) ); dcerpc_state->dcerpc.dcerpcresponse.stub_data_fresh == 0) );
if (result == 0) if (result == 0)
goto end; goto end;
dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh = 0;
/* request8 */ /* request8 */
r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER,
@ -3559,11 +3568,12 @@ int DCERPCParserTest04(void) {
result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL && result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 8192 && dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 8192 &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed == 0) && dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh == 1) &&
(dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL && (dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL &&
dcerpc_state->dcerpc.dcerpcresponse.stub_data_processed == 0) ); dcerpc_state->dcerpc.dcerpcresponse.stub_data_fresh == 0) );
if (result == 0) if (result == 0)
goto end; goto end;
dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh = 0;
/* request9 */ /* request9 */
r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER,
@ -3576,11 +3586,12 @@ int DCERPCParserTest04(void) {
result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL && result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 8204 && dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 8204 &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed == 0) && dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh == 1) &&
(dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL && (dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed == 0) ); dcerpc_state->dcerpc.dcerpcresponse.stub_data_fresh == 0) );
if (result == 0) if (result == 0)
goto end; goto end;
dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh = 0;
/* request1 again */ /* request1 again */
r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER,
@ -3593,9 +3604,9 @@ int DCERPCParserTest04(void) {
result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL && result &= ( (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 1024 && dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 1024 &&
dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed == 0) && dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh == 1) &&
(dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL && (dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL &&
dcerpc_state->dcerpc.dcerpcresponse.stub_data_processed == 0) ); dcerpc_state->dcerpc.dcerpcresponse.stub_data_fresh == 0) );
if (result == 0) if (result == 0)
goto end; goto end;
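Review bot: The manual `dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh = 0;` lines added after each check in DCERPCParserTest04 mean the test never exercises the reset added at the top of DCERPCParser; it would pass just as well without those two new parser lines. I would drop the manual resets and add one assertion that the flag reads 0 after a parser call that appends no stub data. Separately, because the flag is cleared on every parser entry for both directions, stub data is only inspected if detection runs before the parser is entered again. Whether the callers guarantee that is not visible here; if they do not, buffered stub data could go uninspected, so the ordering assumption deserves a comment next to the reset.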

@ -819,6 +819,9 @@ int DetectBytejumpTestParse09(void) {
return result; return result;
} }
/**
* \test Test dce option.
*/
int DetectBytejumpTestParse10(void) int DetectBytejumpTestParse10(void)
{ {
DetectEngineCtx *de_ctx = NULL; DetectEngineCtx *de_ctx = NULL;
@ -914,6 +917,9 @@ int DetectBytejumpTestParse10(void)
return result; return result;
} }
/**
* \test Test dce option.
*/
int DetectBytejumpTestParse11(void) int DetectBytejumpTestParse11(void)
{ {
DetectEngineCtx *de_ctx = NULL; DetectEngineCtx *de_ctx = NULL;

@ -1046,6 +1046,9 @@ int DetectBytetestTestParse19(void) {
return result; return result;
} }
/**
* \test Test dce option.
*/
int DetectBytetestTestParse20(void) int DetectBytetestTestParse20(void)
{ {
DetectEngineCtx *de_ctx = NULL; DetectEngineCtx *de_ctx = NULL;
@ -1141,6 +1144,9 @@ int DetectBytetestTestParse20(void)
return result; return result;
} }
/**
* \test Test dce option.
*/
int DetectBytetestTestParse21(void) int DetectBytetestTestParse21(void)
{ {
DetectEngineCtx *de_ctx = NULL; DetectEngineCtx *de_ctx = NULL;

@ -1073,6 +1073,9 @@ end:
return result; return result;
} }
/**
* \test Test content for dce sig.
*/
int DetectContentParseTest18(void) int DetectContentParseTest18(void)
{ {
Signature *s = SigAlloc(); Signature *s = SigAlloc();
@ -1103,6 +1106,9 @@ int DetectContentParseTest18(void)
return result; return result;
} }
/**
* \test Test content for dce sig.
*/
int DetectContentParseTest19(void) int DetectContentParseTest19(void)
{ {
DetectEngineCtx *de_ctx = NULL; DetectEngineCtx *de_ctx = NULL;

@ -95,18 +95,16 @@ int DetectDceStubDataMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *
if (flags & STREAM_TOSERVER) { if (flags & STREAM_TOSERVER) {
if (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer == NULL || if (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer == NULL ||
dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed == 1) { dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh == 0) {
return 0; return 0;
} }
//dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed = 1;
det_ctx->dce_stub_data = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer; det_ctx->dce_stub_data = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer;
det_ctx->dce_stub_data_len = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len; det_ctx->dce_stub_data_len = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len;
} else { } else {
if (dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL || if (dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL ||
dcerpc_state->dcerpc.dcerpcresponse.stub_data_processed == 1) { dcerpc_state->dcerpc.dcerpcresponse.stub_data_fresh == 0) {
return 0; return 0;
} }
//dcerpc_state->dcerpc.dcerpcresponse.stub_data_processed = 1;
det_ctx->dce_stub_data = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer; det_ctx->dce_stub_data = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer;
det_ctx->dce_stub_data_len = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer_len; det_ctx->dce_stub_data_len = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer_len;
} }
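Review bot: On the two early `return 0;` paths in DetectDceStubDataMatch, `det_ctx->dce_stub_data` and `det_ctx->dce_stub_data_len` keep whatever an earlier call stored, so once the flag is 0 they may still describe a buffer the parser has since replaced. Whether anything reads those fields after a 0 return is not visible in this hunk, so this is a caution rather than a confirmed bug. Clearing them before returning would remove the doubt: `det_ctx->dce_stub_data = NULL; det_ctx->dce_stub_data_len = 0;`. The function starts and ends outside the hunk.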

@ -175,7 +175,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
} }
cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} else if ( (pm = SigMatchGetLastSM(match_tail->prev, DETECT_BYTEJUMP)) != NULL) { } else if ( (pm = SigMatchGetLastSM(match_tail, DETECT_BYTEJUMP)) != NULL) {
DetectBytejumpData *data = NULL; DetectBytejumpData *data = NULL;
data = (DetectBytejumpData *) pm->ctx; data = (DetectBytejumpData *) pm->ctx;
if (data == NULL) { if (data == NULL) {
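Review bot: Changing `SigMatchGetLastSM(match_tail->prev, DETECT_BYTEJUMP)` to start at `match_tail` makes the search include the tail element itself, which changes which keyword `distance` is made relative to. The same change is made for DETECT_PCRE and DETECT_BYTEJUMP in DetectWithinSetup, yet no test on this page covers either branch and the commit description does not mention it. I would add a parse test for a signature where bytejump (and pcre, for within) is the last match before the keyword, asserting that the relative flag ends up on the intended match, and mention the fix in the commit message. Both functions continue outside their hunks.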

@ -44,6 +44,7 @@
#include "app-layer.h" #include "app-layer.h"
#include "app-layer-dcerpc.h" #include "app-layer-dcerpc.h"
#include "decode-tcp.h" #include "decode-tcp.h"
#include "flow-util.h"
#include "util-debug.h" #include "util-debug.h"
#include "util-unittest.h" #include "util-unittest.h"
#include "util-unittest-helper.h" #include "util-unittest-helper.h"
@ -357,14 +358,14 @@ int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
* match function. Instead we will retrieve it directly from the app layer. */ * match function. Instead we will retrieve it directly from the app layer. */
if (flags & STREAM_TOSERVER) { if (flags & STREAM_TOSERVER) {
if (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer == NULL || if (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer == NULL ||
dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed == 1) { dcerpc_state->dcerpc.dcerpcrequest.stub_data_fresh == 0) {
SCReturnInt(0); SCReturnInt(0);
} }
dce_stub_data = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer; dce_stub_data = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer;
dce_stub_data_len = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len; dce_stub_data_len = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len;
} else { } else {
if (dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL || if (dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL ||
dcerpc_state->dcerpc.dcerpcresponse.stub_data_processed == 1) { dcerpc_state->dcerpc.dcerpcresponse.stub_data_fresh == 0) {
SCReturnInt(0); SCReturnInt(0);
} }
dce_stub_data = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer; dce_stub_data = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer;
@ -1551,6 +1552,7 @@ int DcePayloadTest01(void)
} }
p[1].flowflags |= FLOW_PKT_TOCLIENT; p[1].flowflags |= FLOW_PKT_TOCLIENT;
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn; f.protoctx = (void *)&ssn;
f.src.family = AF_INET; f.src.family = AF_INET;
f.dst.family = AF_INET; f.dst.family = AF_INET;
@ -2401,6 +2403,7 @@ int DcePayloadTest02(void)
} }
p[1].flowflags |= FLOW_PKT_TOCLIENT; p[1].flowflags |= FLOW_PKT_TOCLIENT;
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn; f.protoctx = (void *)&ssn;
f.src.family = AF_INET; f.src.family = AF_INET;
f.dst.family = AF_INET; f.dst.family = AF_INET;
@ -2837,6 +2840,7 @@ int DcePayloadTest03(void)
} }
p[1].flowflags |= FLOW_PKT_TOCLIENT; p[1].flowflags |= FLOW_PKT_TOCLIENT;
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn; f.protoctx = (void *)&ssn;
f.src.family = AF_INET; f.src.family = AF_INET;
f.dst.family = AF_INET; f.dst.family = AF_INET;
@ -3273,6 +3277,7 @@ int DcePayloadTest04(void)
} }
p[1].flowflags |= FLOW_PKT_TOCLIENT; p[1].flowflags |= FLOW_PKT_TOCLIENT;
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn; f.protoctx = (void *)&ssn;
f.src.family = AF_INET; f.src.family = AF_INET;
f.dst.family = AF_INET; f.dst.family = AF_INET;
@ -3708,6 +3713,7 @@ int DcePayloadTest05(void)
} }
p[1].flowflags |= FLOW_PKT_TOCLIENT; p[1].flowflags |= FLOW_PKT_TOCLIENT;
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn; f.protoctx = (void *)&ssn;
f.src.family = AF_INET; f.src.family = AF_INET;
f.dst.family = AF_INET; f.dst.family = AF_INET;
@ -4144,6 +4150,7 @@ int DcePayloadTest06(void)
} }
p[1].flowflags |= FLOW_PKT_TOCLIENT; p[1].flowflags |= FLOW_PKT_TOCLIENT;
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn; f.protoctx = (void *)&ssn;
f.src.family = AF_INET; f.src.family = AF_INET;
f.dst.family = AF_INET; f.dst.family = AF_INET;
@ -4579,6 +4586,7 @@ int DcePayloadTest07(void)
} }
p[1].flowflags |= FLOW_PKT_TOCLIENT; p[1].flowflags |= FLOW_PKT_TOCLIENT;
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn; f.protoctx = (void *)&ssn;
f.src.family = AF_INET; f.src.family = AF_INET;
f.dst.family = AF_INET; f.dst.family = AF_INET;
@ -4851,6 +4859,7 @@ int DcePayloadTest08(void)
p[i].flowflags |= FLOW_PKT_TOSERVER; p[i].flowflags |= FLOW_PKT_TOSERVER;
} }
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn; f.protoctx = (void *)&ssn;
f.src.family = AF_INET; f.src.family = AF_INET;
f.dst.family = AF_INET; f.dst.family = AF_INET;
@ -5063,6 +5072,7 @@ int DcePayloadTest09(void)
p[i].flowflags |= FLOW_PKT_TOSERVER; p[i].flowflags |= FLOW_PKT_TOSERVER;
} }
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn; f.protoctx = (void *)&ssn;
f.src.family = AF_INET; f.src.family = AF_INET;
f.dst.family = AF_INET; f.dst.family = AF_INET;
@ -5275,6 +5285,7 @@ int DcePayloadTest10(void)
p[i].flowflags |= FLOW_PKT_TOSERVER; p[i].flowflags |= FLOW_PKT_TOSERVER;
} }
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn; f.protoctx = (void *)&ssn;
f.src.family = AF_INET; f.src.family = AF_INET;
f.dst.family = AF_INET; f.dst.family = AF_INET;
@ -5622,6 +5633,7 @@ int DcePayloadTest11(void)
p[i].flowflags |= FLOW_PKT_TOSERVER; p[i].flowflags |= FLOW_PKT_TOSERVER;
} }
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn; f.protoctx = (void *)&ssn;
f.src.family = AF_INET; f.src.family = AF_INET;
f.dst.family = AF_INET; f.dst.family = AF_INET;
@ -5983,6 +5995,7 @@ int DcePayloadTest12(void)
p[i].flowflags |= FLOW_PKT_TOSERVER; p[i].flowflags |= FLOW_PKT_TOSERVER;
} }
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn; f.protoctx = (void *)&ssn;
f.src.family = AF_INET; f.src.family = AF_INET;
f.dst.family = AF_INET; f.dst.family = AF_INET;
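Review bot: The `FLOW_INITIALIZE(&f);` added to DcePayloadTest01 through DcePayloadTest12 has no matching teardown in any visible hunk. If the macro sets up resources such as the flow mutex (its definition in flow-util.h is not shown here), each test should call `FLOW_DESTROY(&f);` in its cleanup path. The cleanup blocks of these tests are outside the hunks, so please check them.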

@ -390,6 +390,9 @@ int DetectIsdataatTestParse03 (void) {
return result; return result;
} }
/**
* \test Test isdataat option for dce sig.
*/
int DetectIsdataatTestParse04(void) int DetectIsdataatTestParse04(void)
{ {
Signature *s = SigAlloc(); Signature *s = SigAlloc();
@ -407,6 +410,9 @@ int DetectIsdataatTestParse04(void)
return result; return result;
} }
/**
* \test Test isdataat option for dce sig.
*/
int DetectIsdataatTestParse05(void) int DetectIsdataatTestParse05(void)
{ {
DetectEngineCtx *de_ctx = NULL; DetectEngineCtx *de_ctx = NULL;

@ -1035,6 +1035,9 @@ static int DetectPcreParseTest09 (void) {
return result; return result;
} }
/**
* \test Test pcre option for dce sig(yeah I'm bored of writing test titles).
*/
int DetectPcreParseTest10(void) int DetectPcreParseTest10(void)
{ {
Signature *s = SigAlloc(); Signature *s = SigAlloc();
@ -1065,6 +1068,9 @@ int DetectPcreParseTest10(void)
return result; return result;
} }
/**
* \test Test pcre option for dce sig.
*/
int DetectPcreParseTest11(void) int DetectPcreParseTest11(void)
{ {
DetectEngineCtx *de_ctx = NULL; DetectEngineCtx *de_ctx = NULL;

@ -332,6 +332,7 @@ int DetectUricontentSetup (DetectEngineCtx *de_ctx, Signature *s, char *contents
{ {
SCEnter(); SCEnter();
DetectUricontentData *cd = NULL;
SigMatch *sm = NULL; SigMatch *sm = NULL;
if (s->alproto == ALPROTO_DCERPC) { if (s->alproto == ALPROTO_DCERPC) {
@ -339,7 +340,7 @@ int DetectUricontentSetup (DetectEngineCtx *de_ctx, Signature *s, char *contents
goto error; goto error;
} }
DetectUricontentData *cd = DoDetectUricontentSetup(contentstr); cd = DoDetectUricontentSetup(contentstr);
if (cd == NULL) if (cd == NULL)
goto error; goto error;

@ -197,7 +197,7 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
} }
cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} else if ( (pm = SigMatchGetLastSM(match_tail->prev, DETECT_PCRE)) != NULL) { } else if ( (pm = SigMatchGetLastSM(match_tail, DETECT_PCRE)) != NULL) {
DetectPcreData *pe = NULL; DetectPcreData *pe = NULL;
pe = (DetectPcreData *) pm->ctx; pe = (DetectPcreData *) pm->ctx;
if (pe == NULL) { if (pe == NULL) {
@ -206,7 +206,7 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
} }
pe->flags |= DETECT_PCRE_RELATIVE; pe->flags |= DETECT_PCRE_RELATIVE;
} else if ( (pm = SigMatchGetLastSM(match_tail->prev, DETECT_BYTEJUMP)) != NULL) { } else if ( (pm = SigMatchGetLastSM(match_tail, DETECT_BYTEJUMP)) != NULL) {
DetectBytejumpData *data = NULL; DetectBytejumpData *data = NULL;
data = (DetectBytejumpData *) pm->ctx; data = (DetectBytejumpData *) pm->ctx;
if (data == NULL) { if (data == NULL) {
@ -303,4 +303,4 @@ void DetectWithinRegisterTests(void) {
UtRegisterTest("DetectWithinTestPacket01", DetectWithinTestPacket01, 1); UtRegisterTest("DetectWithinTestPacket01", DetectWithinTestPacket01, 1);
UtRegisterTest("DetectWithinTestPacket02", DetectWithinTestPacket02, 1); UtRegisterTest("DetectWithinTestPacket02", DetectWithinTestPacket02, 1);
#endif /* UNITTESTS */ #endif /* UNITTESTS */
} }

@ -55,6 +55,16 @@
//#define DEBUG //#define DEBUG
typedef struct StreamTcpThread_ {
uint64_t pkts;
uint16_t counter_tcp_sessions;
/** sessions not picked up because memcap was reached */
uint16_t counter_tcp_ssn_memcap;
TcpReassemblyThreadCtx *ra_ctx; /**< tcp reassembly thread data */
} StreamTcpThread;
TmEcode StreamTcp (ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *); TmEcode StreamTcp (ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
TmEcode StreamTcpThreadInit(ThreadVars *, void *, void **); TmEcode StreamTcpThreadInit(ThreadVars *, void *, void **);
TmEcode StreamTcpThreadDeinit(ThreadVars *, void *); TmEcode StreamTcpThreadDeinit(ThreadVars *, void *);
@ -2510,7 +2520,7 @@ static int StreamTcpPacketStateTimeWait(ThreadVars *tv, Packet *p,
} }
/* flow is and stays locked */ /* flow is and stays locked */
int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt) static int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt)
{ {
SCEnter(); SCEnter();
TcpSession *ssn = (TcpSession *)p->flow->protoctx; TcpSession *ssn = (TcpSession *)p->flow->protoctx;

@ -44,16 +44,6 @@ typedef struct TcpStreamCnf_ {
int async_oneside; int async_oneside;
} TcpStreamCnf; } TcpStreamCnf;
typedef struct StreamTcpThread_ {
uint64_t pkts;
uint16_t counter_tcp_sessions;
/** sessions not picked up because memcap was reached */
uint16_t counter_tcp_ssn_memcap;
TcpReassemblyThreadCtx *ra_ctx; /**< tcp reassembly thread data */
} StreamTcpThread;
TcpStreamCnf stream_config; TcpStreamCnf stream_config;
void TmModuleStreamTcpRegister (void); void TmModuleStreamTcpRegister (void);
void StreamTcpInitConfig (char); void StreamTcpInitConfig (char);
@ -64,7 +54,5 @@ void StreamTcpIncrMemuse(uint32_t);
void StreamTcpDecrMemuse(uint32_t); void StreamTcpDecrMemuse(uint32_t);
int StreamTcpCheckMemcap(uint32_t); int StreamTcpCheckMemcap(uint32_t);
int StreamTcpPacket (ThreadVars *, Packet *, StreamTcpThread *);
#endif /* __STREAM_TCP_H__ */ #endif /* __STREAM_TCP_H__ */
