Fix for bug 204 (signature ordering with flowbit priority)

remotes/origin/master-1.0.x
Pablo Rincon 16 years ago committed by Victor Julien
parent 1071a53210
commit 0c3906a99b

@ -112,18 +112,20 @@ static inline int SCSigGetFlowbitsType(Signature *sig)
{ {
SigMatch *sm = sig->match; SigMatch *sm = sig->match;
DetectFlowbitsData *fb = NULL; DetectFlowbitsData *fb = NULL;
int flowbits = 0; int flowbits = DETECT_FLOWBITS_CMD_MAX;
while (sm != NULL) { while (sm != NULL) {
if (sm->type == DETECT_FLOWBITS) { if (sm->type == DETECT_FLOWBITS) {
fb = (DetectFlowbitsData *)sm->ctx; fb = (DetectFlowbitsData *)sm->ctx;
if (flowbits < fb->cmd) if (flowbits > fb->cmd)
flowbits = fb->cmd; flowbits = fb->cmd;
} }
sm = sm->next; sm = sm->next;
} }
SCLogDebug("Sig %s typeval %d", sig->msg, flowbits);
return flowbits; return flowbits;
} }
@ -376,7 +378,7 @@ static void SCSigOrderByFlowbits(DetectEngineCtx *de_ctx,
while (min != NULL && min != max) { while (min != NULL && min != max) {
prev = min; prev = min;
/* the sorting logic */ /* the sorting logic */
if ( *((int *)(sw->user[SC_RADIX_USER_DATA_FLOWBITS])) <= if ( *((int *)(sw->user[SC_RADIX_USER_DATA_FLOWBITS])) >=
*((int *)(min->user[SC_RADIX_USER_DATA_FLOWBITS])) ) { *((int *)(min->user[SC_RADIX_USER_DATA_FLOWBITS])) ) {
min = min->next; min = min->next;
continue; continue;
@ -2056,6 +2058,67 @@ end:
return result; return result;
} }
static int SCSigTestSignatureOrdering11(void)
{
int result = 1;
Signature *prevsig = NULL, *sig = NULL;
SCSigSignatureWrapper *sw = NULL;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering set\"; flowbits:isnotset,myflow1; flowbits:set,myflow2; sid:1; rev:4;)");
if (sig == NULL) {
goto end;
}
prevsig = sig;
de_ctx->sig_list = sig;
sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering toggle\"; flowbits:toggle,myflow2;sid:2; rev:4; )");
if (sig == NULL) {
goto end;
}
prevsig->next = sig;
prevsig = sig;
sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering unset\"; flowbits:isset, myflow1;flowbits:unset,myflow2; sid:3; rev:4; priority:3;)");
if (sig == NULL) {
goto end;
}
prevsig->next = sig;
SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByAction);
SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbits);
SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvar);
SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvar);
SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriority);
SCSigOrderSignatures(de_ctx);
sw = de_ctx->sc_sig_sig_wrapper;
uint8_t pos = 0;
while (sw != NULL) {
switch (pos) {
case 0:
result &=(sw->sig->id == 1)? 1 : 0;
break;
case 1:
result &=(sw->sig->id == 2)? 1 : 0;
break;
case 2:
result &=(sw->sig->id == 3)? 1 : 0;
break;
}
sw = sw->next;
pos++;
}
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
#endif #endif
void SCSigRegisterSignatureOrderingTests(void) void SCSigRegisterSignatureOrderingTests(void)
@ -2073,6 +2136,7 @@ void SCSigRegisterSignatureOrderingTests(void)
UtRegisterTest("SCSigTestSignatureOrdering08", SCSigTestSignatureOrdering08, 1); UtRegisterTest("SCSigTestSignatureOrdering08", SCSigTestSignatureOrdering08, 1);
UtRegisterTest("SCSigTestSignatureOrdering09", SCSigTestSignatureOrdering09, 1); UtRegisterTest("SCSigTestSignatureOrdering09", SCSigTestSignatureOrdering09, 1);
UtRegisterTest("SCSigTestSignatureOrdering10", SCSigTestSignatureOrdering10, 1); UtRegisterTest("SCSigTestSignatureOrdering10", SCSigTestSignatureOrdering10, 1);
UtRegisterTest("SCSigTestSignatureOrdering11", SCSigTestSignatureOrdering11, 1);
#endif #endif
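Review bot: SCSigTestSignatureOrdering11 starts with `int result = 1;`, so every early `goto end` (a NULL de_ctx, or a SigInit() that fails to parse one of the three rules) returns 1, which is the value the test is registered to expect. The position loop also passes when the wrapper list is empty or shorter than three entries, because nothing checks the final `pos` and the `switch` has no `default`. I would start with `int result = 0;`, set `result = 1;` just before `while (sw != NULL)`, and add `if (pos != 3) result = 0;` after the loop. That way a setup failure cannot mask a regression in rule ordering, which on a detection engine decides whether flowbits are set before the rules that check them run.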

@ -25,12 +25,13 @@
#ifndef __DETECT_FLOWBITS_H__ #ifndef __DETECT_FLOWBITS_H__
#define __DETECT_FLOWBITS_H__ #define __DETECT_FLOWBITS_H__
#define DETECT_FLOWBITS_CMD_ISSET 0 #define DETECT_FLOWBITS_CMD_SET 0
#define DETECT_FLOWBITS_CMD_ISNOTSET 1 #define DETECT_FLOWBITS_CMD_TOGGLE 1
#define DETECT_FLOWBITS_CMD_SET 2 #define DETECT_FLOWBITS_CMD_UNSET 2
#define DETECT_FLOWBITS_CMD_UNSET 3 #define DETECT_FLOWBITS_CMD_ISNOTSET 3
#define DETECT_FLOWBITS_CMD_TOGGLE 4 #define DETECT_FLOWBITS_CMD_ISSET 4
#define DETECT_FLOWBITS_CMD_NOALERT 5 #define DETECT_FLOWBITS_CMD_NOALERT 5
#define DETECT_FLOWBITS_CMD_MAX 6
typedef struct DetectFlowbitsData_ { typedef struct DetectFlowbitsData_ {
uint16_t idx; uint16_t idx;
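Review bot: The renumbered DETECT_FLOWBITS_CMD_* defines need a comment stating that their numeric order is now the signature sort key. Judging from the other file in this commit, SCSigGetFlowbitsType() starts from DETECT_FLOWBITS_CMD_MAX and keeps the lowest cmd in a rule, and SCSigOrderByFlowbits() compares those values, so inserting or reordering a define here would silently change the order in which rules are evaluated. Suggested comment above the block: `/* Values double as the sort priority used by signature ordering (lowest first: set, toggle, unset, isnotset, isset); DETECT_FLOWBITS_CMD_MAX must stay the largest. */`. The struct that follows continues outside this hunk.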
