Fix negated variables, add tests.

remotes/origin/master-1.0.x
Victor Julien 17 years ago
parent dce2c12915
commit 0250642cc0

@ -1064,6 +1064,8 @@ DetectPortLookupGroup(DetectPort *dp, u_int16_t port) {
for ( ; p != NULL; p = p->next) { for ( ; p != NULL; p = p->next) {
if (DetectPortMatch(p,port) == 1) { if (DetectPortMatch(p,port) == 1) {
//printf("DetectPortLookupGroup: match, port %u, dp ", port);
//DetectPortPrint(p); printf("\n");
return p; return p;
} }
} }

@ -300,17 +300,26 @@ int SigParseProto(Signature *s, const char *protostr) {
int SigParsePort(Signature *s, const char *portstr, char flag) { int SigParsePort(Signature *s, const char *portstr, char flag) {
int r = 0; int r = 0;
char *port; char *port;
char negate = 0;
/* XXX VJ exclude handling this for none UDP/TCP proto's */ /* XXX VJ exclude handling this for none UDP/TCP proto's */
if (portstr[0] == '!') {
portstr++;
negate = 1;
}
if (strcmp(portstr,"$HTTP_PORTS") == 0) { if (strcmp(portstr,"$HTTP_PORTS") == 0) {
port = "80:81,88"; if (negate) port = "![80:81,88]";
else port = "80:81,88";
} else if (strcmp(portstr,"$SHELLCODE_PORTS") == 0) { } else if (strcmp(portstr,"$SHELLCODE_PORTS") == 0) {
port = "!80"; port = "!80";
} else if (strcmp(portstr,"$ORACLE_PORTS") == 0) { } else if (strcmp(portstr,"$ORACLE_PORTS") == 0) {
port = "1521"; if (negate) port = "!1521";
else port = "1521";
} else if (strcmp(portstr,"$SSH_PORTS") == 0) { } else if (strcmp(portstr,"$SSH_PORTS") == 0) {
port = "22"; if (negate) port = "!22";
else port = "22";
} else { } else {
port = (char *)portstr; port = (char *)portstr;
} }
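Review bot: The leading '!' stripped from `portstr` at L23–26 is never restored in the fallback branch at L39, so a literal negated port such as `!80` reaches DetectPortParse as `80` and the rule matches exactly the ports it was written to exclude; only the four variable arms re-add the negation. Keep the original pointer and use it there: `const char *orig = portstr;` before the strip, then `port = (char *)orig;` in the `else` branch. The `$SHELLCODE_PORTS` arm at L30–31 ignores `negate` altogether and still yields `!80` for `!$SHELLCODE_PORTS`, where `80` is presumably intended. The new SigTest15/16 only exercise `!$HTTP_PORTS`, so neither case is covered by the added tests.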
@ -325,6 +334,8 @@ int SigParsePort(Signature *s, const char *portstr, char flag) {
s->flags |= SIG_FLAG_DP_ANY; s->flags |= SIG_FLAG_DP_ANY;
r = DetectPortParse(&s->dp,(char *)port); r = DetectPortParse(&s->dp,(char *)port);
//DetectPortPrint(s->dp);
} }
if (r < 0) { if (r < 0) {
printf("SigParsePort: DetectPortParse \"%s\" failed\n", portstr); printf("SigParsePort: DetectPortParse \"%s\" failed\n", portstr);

@ -421,6 +421,7 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p)
DetectPort *dport = DetectPortLookupGroup(s->dp,p->dp); DetectPort *dport = DetectPortLookupGroup(s->dp,p->dp);
if (dport == NULL) if (dport == NULL)
continue; continue;
} }
if (!(s->flags & SIG_FLAG_SP_ANY)) { if (!(s->flags & SIG_FLAG_SP_ANY)) {
DetectPort *sport = DetectPortLookupGroup(s->sp,p->sp); DetectPort *sport = DetectPortLookupGroup(s->sp,p->sp);
@ -440,6 +441,7 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p)
if (daddr == NULL) if (daddr == NULL)
continue; continue;
} }
/* reset pkt ptr and offset */ /* reset pkt ptr and offset */
pmt->pkt_ptr = NULL; pmt->pkt_ptr = NULL;
pmt->pkt_off = 0; pmt->pkt_off = 0;
@ -2002,7 +2004,7 @@ void DbgPrintSigs2(SigGroupHead *sgh) {
/* shortcut for debugging. If enabled Stage5 will /* shortcut for debugging. If enabled Stage5 will
* print sigid's for all groups */ * print sigid's for all groups */
//#define PRINTSIGS #define PRINTSIGS
/* just printing */ /* just printing */
int SigAddressPrepareStage5(void) { int SigAddressPrepareStage5(void) {
@ -3130,6 +3132,106 @@ end:
return result; return result;
} }
int SigTest15 (void) {
u_int8_t *buf = (u_int8_t *)
"CONNECT 213.92.8.7:31204 HTTP/1.1";
u_int16_t buflen = strlen((char *)buf);
Packet p;
ThreadVars th_v;
PatternMatcherThread *pmt;
int result = 0;
memset(&th_v, 0, sizeof(th_v));
memset(&p, 0, sizeof(p));
p.src.family = AF_INET;
p.dst.family = AF_INET;
p.tcp_payload = buf;
p.tcp_payload_len = buflen;
p.proto = IPPROTO_TCP;
p.dp = 80;
g_de_ctx = DetectEngineCtxInit();
if (g_de_ctx == NULL) {
goto end;
}
g_de_ctx->flags |= DE_QUIET;
g_de_ctx->sig_list = SigInit("alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; classtype:misc-activity; sid:2008284; rev:2;)");
if (g_de_ctx->sig_list == NULL) {
result = 0;
goto end;
}
SigGroupBuild(g_de_ctx);
PatternMatchPrepare(mpm_ctx);
PatternMatcherThreadInit(&th_v, (void *)&pmt);
SigMatchSignatures(&th_v, pmt, &p);
if (PacketAlertCheck(&p, 2008284))
result = 0;
else
result = 1;
SigGroupCleanup();
SigCleanSignatures();
PatternMatcherThreadDeinit(&th_v, (void *)pmt);
PatternMatchDestroy(mpm_ctx);
DetectEngineCtxFree(g_de_ctx);
end:
return result;
}
int SigTest16 (void) {
u_int8_t *buf = (u_int8_t *)
"CONNECT 213.92.8.7:31204 HTTP/1.1";
u_int16_t buflen = strlen((char *)buf);
Packet p;
ThreadVars th_v;
PatternMatcherThread *pmt;
int result = 0;
memset(&th_v, 0, sizeof(th_v));
memset(&p, 0, sizeof(p));
p.src.family = AF_INET;
p.dst.family = AF_INET;
p.tcp_payload = buf;
p.tcp_payload_len = buflen;
p.proto = IPPROTO_TCP;
p.dp = 1234;
g_de_ctx = DetectEngineCtxInit();
if (g_de_ctx == NULL) {
goto end;
}
g_de_ctx->flags |= DE_QUIET;
g_de_ctx->sig_list = SigInit("alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; classtype:misc-activity; sid:2008284; rev:2;)");
if (g_de_ctx->sig_list == NULL) {
result = 0;
goto end;
}
SigGroupBuild(g_de_ctx);
PatternMatchPrepare(mpm_ctx);
PatternMatcherThreadInit(&th_v, (void *)&pmt);
SigMatchSignatures(&th_v, pmt, &p);
if (PacketAlertCheck(&p, 2008284))
result = 1;
else
result = 0;
SigGroupCleanup();
SigCleanSignatures();
PatternMatcherThreadDeinit(&th_v, (void *)pmt);
PatternMatchDestroy(mpm_ctx);
DetectEngineCtxFree(g_de_ctx);
end:
return result;
}
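Review bot: Both new tests leak the detection context on the SigInit failure path (L94–97 and L136–139 jump to `end` without DetectEngineCtxFree), and apart from `p.dp` and the inverted result check the two functions are byte-for-byte copies, which invites the expected outcomes to drift apart. Fold them into one static driver that takes the destination port and the expected alert outcome, free the context before bailing, and have SigTest15/16 call it with (80, 0) and (1234, 1). The return value of PatternMatcherThreadInit is also ignored; if it can fail, `pmt` is passed uninitialised into SigMatchSignatures, so it is worth a check even if it presumably succeeds here.
```c
/* Shared driver for the port-negation tests: dp is the packet's destination
 * port, expect_alert whether sid 2008284 is expected to fire on it. */
static int SigTestPortNegation(u_int16_t dp, int expect_alert) {
    /* … unchanged: buf/buflen, Packet, ThreadVars, pmt declarations and memset/packet setup from SigTest15, with p.dp = dp … */
    g_de_ctx = DetectEngineCtxInit();
    if (g_de_ctx == NULL)
        return 0;
    g_de_ctx->flags |= DE_QUIET;
    /* … unchanged: g_de_ctx->sig_list = SigInit("alert tcp any any -> any !$HTTP_PORTS (…)") … */
    if (g_de_ctx->sig_list == NULL) {
        DetectEngineCtxFree(g_de_ctx);   /* was leaked on this path */
        return 0;
    }
    /* … unchanged: SigGroupBuild / PatternMatchPrepare / PatternMatcherThreadInit / SigMatchSignatures … */
    int result = ((PacketAlertCheck(&p, 2008284) != 0) == (expect_alert != 0));
    /* … unchanged: SigGroupCleanup … DetectEngineCtxFree cleanup … */
    return result;
}

int SigTest15 (void) { return SigTestPortNegation(80, 0); }
int SigTest16 (void) { return SigTestPortNegation(1234, 1); }
```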
void SigRegisterTests(void) { void SigRegisterTests(void) {
SigParseRegisterTests(); SigParseRegisterTests();
UtRegisterTest("SigTest01 -- HTTP URI cap", SigTest01, 1); UtRegisterTest("SigTest01 -- HTTP URI cap", SigTest01, 1);
@ -3146,5 +3248,7 @@ void SigRegisterTests(void) {
UtRegisterTest("SigTest12 -- content order matching, normal", SigTest12, 1); UtRegisterTest("SigTest12 -- content order matching, normal", SigTest12, 1);
UtRegisterTest("SigTest13 -- content order matching, diff order", SigTest13, 1); UtRegisterTest("SigTest13 -- content order matching, diff order", SigTest13, 1);
UtRegisterTest("SigTest14 -- content order matching, distance 0", SigTest14, 1); UtRegisterTest("SigTest14 -- content order matching, distance 0", SigTest14, 1);
UtRegisterTest("SigTest15 -- port negation sig (no match)", SigTest15, 1);
UtRegisterTest("SigTest16 -- port negation sig (match)", SigTest16, 1);
} }

@ -198,10 +198,10 @@ int main(int argc, char **argv)
TmModuleRegisterTests(); TmModuleRegisterTests();
MpmRegisterTests(); MpmRegisterTests();
SigTableRegisterTests(); SigTableRegisterTests();
SigRegisterTests();
HashTableRegisterTests(); HashTableRegisterTests();
BloomFilterRegisterTests(); BloomFilterRegisterTests();
BloomFilterCountingRegisterTests(); BloomFilterCountingRegisterTests();
SigRegisterTests();
UtRunTests(); UtRunTests();
UtCleanup(); UtCleanup();
//exit(1); //exit(1);
