diff --git a/src/detect-http-uri.c b/src/detect-http-uri.c index d2d22acaa0..9c9529d22a 100644 --- a/src/detect-http-uri.c +++ b/src/detect-http-uri.c @@ -60,7 +60,6 @@ void DetectHttpUriRegisterTests(void); void DetectHttpUriRegister (void) { sigmatch_table[DETECT_AL_HTTP_URI].name = "http_uri"; sigmatch_table[DETECT_AL_HTTP_URI].Match = NULL; - //sigmatch_table[DETECT_AL_HTTP_URI].AppLayerMatch = DetectHttpUriMatch; sigmatch_table[DETECT_AL_HTTP_URI].AppLayerMatch = NULL; sigmatch_table[DETECT_AL_HTTP_URI].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_AL_HTTP_URI].Setup = DetectHttpUriSetup; @@ -143,7 +142,7 @@ static int DetectHttpUriSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) /* pull the previous content from the pmatch list, append * the new match to the match list */ - SigMatchReplaceContent(s, pm, nm); + SigMatchReplaceContentToUricontent(s, pm, nm); /* free the old content sigmatch, the content pattern memory * is taken over by the new sigmatch */ @@ -253,7 +252,7 @@ int DetectHttpUriTest03(void) goto end; } - sm = de_ctx->sig_list->amatch; + sm = de_ctx->sig_list->umatch; if (sm == NULL) { printf("no sigmatch(es): "); goto end; @@ -328,7 +327,8 @@ int DetectHttpUriTest05(void) goto end; } - int uricomp = strcmp((const char *)((DetectUricontentData*) s->umatch->ctx)->uricontent, "we are testing http_uri keyword"); + char *str = "we are testing http_uri keyword"; + int uricomp = memcmp((const char *)((DetectUricontentData*) s->umatch->ctx)->uricontent, str, strlen(str)-1); int urilen = ((DetectUricontentData*) s->umatch_tail->ctx)->uricontent_len; if (uricomp != 0 || urilen != strlen("we are testing http_uri keyword")) { diff --git a/src/detect-parse.c b/src/detect-parse.c index 81f240906c..40e816c86e 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -282,6 +282,70 @@ void SigMatchReplaceContent(Signature *s, SigMatch *old, SigMatch *new) { new->idx = pm->idx; } +/** + * \brief Pull a content 'old' from the pmatch list, append 'new' to umatch list. + * + * Used for replacing contents that have the http_uri modifier that need to be + * moved to the uri inspection list. + */ +void SigMatchReplaceContentToUricontent(Signature *s, SigMatch *old, SigMatch *new) { + BUG_ON(old == NULL); + + SigMatch *m = s->pmatch; + SigMatch *pm = m; + + for ( ; m != NULL; m = m->next) { + if (m == old) { + if (m == s->pmatch) { + s->pmatch = m->next; + if (m->next != NULL) { + m->next->prev = NULL; + } + } else { + pm->next = m->next; + if (m->next != NULL) { + m->next->prev = pm; + } + } + + if (m == s->pmatch_tail) { + if (pm == m) { + s->pmatch_tail = NULL; + } else { + s->pmatch_tail = pm; + } + } + + //printf("m %p s->pmatch %p s->pmatch_tail %p\n", m, s->pmatch, s->pmatch_tail); + break; + } + + pm = m; + } + + /* finally append the "new" sig match to the app layer list */ + /** \todo if the app layer gets it's own list, adapt this code */ + if (s->umatch == NULL) { + s->umatch = new; + s->umatch_tail = new; + new->next = NULL; + new->prev = NULL; + } else { + SigMatch *cur = s->umatch; + + for ( ; cur->next != NULL; cur = cur->next); + + cur->next = new; + new->next = NULL; + new->prev = cur; + s->umatch_tail = new; + } + + /* move over the idx */ + if (pm != NULL) + new->idx = pm->idx; +} + /** * \brief Replaces the old sigmatch with the new sigmatch in the current * signature. diff --git a/src/detect-parse.h b/src/detect-parse.h index c3417b7d6f..820dd91d50 100644 --- a/src/detect-parse.h +++ b/src/detect-parse.h @@ -52,6 +52,7 @@ Signature *DetectEngineAppendSig(DetectEngineCtx *, char *); void SigMatchReplace(Signature *, SigMatch *, SigMatch *); void SigMatchReplaceContent(Signature *, SigMatch *, SigMatch *); +void SigMatchReplaceContentToUricontent(Signature *, SigMatch *, SigMatch *); void SigMatchAppendPayload(Signature *, SigMatch *); void SigMatchAppendPacket(Signature *, SigMatch *);