http_raw_host: dynamic buffer

pull/2559/head
Victor Julien 9 years ago
parent 296c275e23
commit 128b59d4f6

@ -2810,8 +2810,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
return "http stat msg";
case DETECT_SM_LIST_HSCDMATCH:
return "http stat code";
case DETECT_SM_LIST_HRHHDMATCH:
return "http raw host header";
case DETECT_SM_LIST_APP_EVENT:
return "app layer events";

@ -327,6 +327,7 @@ static int g_http_uri_buffer_id = 0;
static int g_http_ua_buffer_id = 0;
static int g_http_cookie_buffer_id = 0;
static int g_http_host_buffer_id = 0;
static int g_http_raw_host_buffer_id = 0;
/**
* \test Checks if a fast_pattern is registered in a Signature
@ -17580,7 +17581,7 @@ int DetectFastPatternTest630(void)
"content:\"three\"; http_raw_host; nocase; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
ud->flags & DETECT_CONTENT_NOCASE &&
@ -17619,7 +17620,7 @@ int DetectFastPatternTest631(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id];
if (sm != NULL) {
if ( (((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) &&
@ -17658,7 +17659,7 @@ int DetectFastPatternTest632(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id];
if (sm != NULL) {
if ( (((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) &&
@ -17691,7 +17692,7 @@ int DetectFastPatternTest633(void)
if (de_ctx->sig_list == NULL)
goto end;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id];
if (sm == NULL) {
goto end;
}
@ -17728,7 +17729,7 @@ int DetectFastPatternTest634(void)
if (de_ctx->sig_list == NULL)
goto end;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id];
if (sm == NULL) {
goto end;
}
@ -17974,7 +17975,7 @@ int DetectFastPatternTest644(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NOCASE &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
@ -18007,7 +18008,7 @@ int DetectFastPatternTest645(void)
"content:\"two\"; fast_pattern:only; http_raw_host; nocase; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NOCASE &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
@ -18040,7 +18041,7 @@ int DetectFastPatternTest646(void)
"content:\"two\"; fast_pattern:only; http_raw_host; nocase; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NOCASE &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
@ -18073,7 +18074,7 @@ int DetectFastPatternTest647(void)
"content:\"two\"; fast_pattern:only; http_raw_host; nocase; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NOCASE &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
@ -18105,7 +18106,7 @@ int DetectFastPatternTest648(void)
"content:\"two\"; http_raw_host; nocase; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NOCASE &&
ud->flags & DETECT_CONTENT_NEGATED &&
@ -18231,7 +18232,7 @@ int DetectFastPatternTest653(void)
"content:\"three\"; http_raw_host; nocase; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NOCASE &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -18264,7 +18265,7 @@ int DetectFastPatternTest654(void)
"content:\"three\"; http_raw_host; distance:30; nocase; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NOCASE &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -18297,7 +18298,7 @@ int DetectFastPatternTest655(void)
"content:\"three\"; http_raw_host; within:30; nocase; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NOCASE &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -18330,7 +18331,7 @@ int DetectFastPatternTest656(void)
"content:\"three\"; http_raw_host; offset:30; nocase; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NOCASE &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -18363,7 +18364,7 @@ int DetectFastPatternTest657(void)
"content:\"three\"; http_raw_host; depth:30; nocase; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NOCASE &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -18396,7 +18397,7 @@ int DetectFastPatternTest658(void)
"content:\"oneonethree\"; fast_pattern:3,4; http_raw_host; nocase; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NOCASE &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -18429,7 +18430,7 @@ int DetectFastPatternTest659(void)
"content:\"oneonethree\"; fast_pattern:3,4; http_raw_host; nocase; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NOCASE &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -18462,7 +18463,7 @@ int DetectFastPatternTest660(void)
"content:\"oneonethree\"; fast_pattern:3,4; http_raw_host; nocase; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NOCASE &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -18495,7 +18496,7 @@ int DetectFastPatternTest661(void)
"content:\"oneonethree\"; fast_pattern:3,4; http_raw_host; nocase; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NOCASE &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -18603,7 +18604,7 @@ int DetectFastPatternTest665(void)
"content:\"three\"; http_raw_host; nocase; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NOCASE &&
ud->flags & DETECT_CONTENT_NEGATED &&
@ -18733,7 +18734,7 @@ int DetectFastPatternTest670(void)
"content:\"three\"; http_raw_host; nocase; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NOCASE &&
ud->flags & DETECT_CONTENT_NEGATED &&
@ -18833,6 +18834,7 @@ void DetectFastPatternRegisterTests(void)
g_http_ua_buffer_id = DetectBufferTypeGetByName("http_user_agent");
g_http_cookie_buffer_id = DetectBufferTypeGetByName("http_cookie");
g_http_host_buffer_id = DetectBufferTypeGetByName("http_host");
g_http_raw_host_buffer_id = DetectBufferTypeGetByName("http_raw_host");
UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01);
UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02);
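Review bot: `g_http_raw_host_buffer_id` is used directly as an index into `sm_lists` / `sm_lists_tail` in every updated test, but the value assigned in DetectFastPatternRegisterTests is never checked, and the static starts at 0, so a lookup that never ran would silently select the first list. If DetectBufferTypeGetByName can return a negative value for an unregistered name (its definition is not on this page), a registration-order mistake becomes an out-of-bounds read in the tests rather than a clear failure. The same unchecked pattern appears in DetectHttpHRHRegister and DetectHttpHRHSetup. Consider initialising the static to `-1` and adding `BUG_ON(g_http_raw_host_buffer_id < 0);` right after the lookup. DetectFastPatternRegisterTests continues outside the hunk.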

@ -59,9 +59,11 @@
#include "detect-http-hrh.h"
#include "detect-engine-hrhhd.h"
int DetectHttpHRHSetup(DetectEngineCtx *, Signature *, char *);
void DetectHttpHRHRegisterTests(void);
void DetectHttpHRHFree(void *);
static int DetectHttpHRHSetup(DetectEngineCtx *, Signature *, char *);
static void DetectHttpHRHRegisterTests(void);
static void DetectHttpHRHFree(void *);
static void DetectHttpHostRawSetupCallback(Signature *);
static int g_http_raw_host_buffer_id = 0;
/**
* \brief Registers the keyword handlers for the "http_raw_host" keyword.
@ -79,15 +81,20 @@ void DetectHttpHRHRegister(void)
sigmatch_table[DETECT_AL_HTTP_RAW_HOST].flags |= SIGMATCH_NOOPT ;
sigmatch_table[DETECT_AL_HTTP_RAW_HOST].flags |= SIGMATCH_PAYLOAD ;
DetectMpmAppLayerRegister("http_raw_host", SIG_FLAG_TOSERVER,
DETECT_SM_LIST_HRHHDMATCH, 2,
DetectAppLayerMpmRegister("http_raw_host", SIG_FLAG_TOSERVER, 2,
PrefilterTxHostnameRawRegister);
DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DETECT_SM_LIST_HRHHDMATCH,
DetectAppLayerInspectEngineRegister2("http_raw_host",
ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DetectEngineInspectHttpHRH);
return;
DetectBufferTypeSetDescriptionByName("http_raw_host",
"http raw host header");
DetectBufferTypeRegisterSetupCallback("http_raw_host",
DetectHttpHostRawSetupCallback);
g_http_raw_host_buffer_id = DetectBufferTypeGetByName("http_raw_host");
}
/**
@ -107,11 +114,17 @@ int DetectHttpHRHSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_RAW_HOST,
DETECT_SM_LIST_HRHHDMATCH,
g_http_raw_host_buffer_id,
ALPROTO_HTTP,
NULL);
}
static void DetectHttpHostRawSetupCallback(Signature *s)
{
SCLogDebug("callback invoked by %u", s->id);
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
}
/**
* \brief The function to free the http_raw_host data.
*
@ -1406,13 +1419,6 @@ end:
return result;
}
int DetectHttpHRHTest22(void)
{
DetectEngineCtx *de_ctx = NULL;
@ -1435,15 +1441,15 @@ int DetectHttpHRHTest22(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL\n");
goto end;
}
DetectContentData *cd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
if (cd1->flags != 0 || memcmp(cd1->content, "one", cd1->content_len) != 0 ||
cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
hrhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
@ -1490,15 +1496,15 @@ int DetectHttpHRHTest23(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
if (pd1->flags != 0 ||
cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
hrhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
@ -1544,15 +1550,15 @@ int DetectHttpHRHTest24(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
if (pd1->flags != 0 ||
cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
hrhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
@ -1599,15 +1605,15 @@ int DetectHttpHRHTest25(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
if (pd1->flags != DETECT_PCRE_RELATIVE_NEXT ||
cd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
@ -1655,15 +1661,15 @@ int DetectHttpHRHTest26(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
cd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
@ -1738,15 +1744,15 @@ int DetectHttpHRHTest28(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
cd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
@ -1793,13 +1799,13 @@ int DetectHttpHRHTest29(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL\n");
goto end;
}
DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
if (hrhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
memcmp(hrhhd1->content, "one", hrhhd1->content_len) != 0 ||
hrhhd2->flags != (DETECT_CONTENT_DISTANCE) ||
@ -1837,13 +1843,13 @@ int DetectHttpHRHTest30(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL\n");
goto end;
}
DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
if (hrhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
memcmp(hrhhd1->content, "one", hrhhd1->content_len) != 0 ||
hrhhd2->flags != (DETECT_CONTENT_WITHIN) ||
@ -1953,21 +1959,21 @@ int DetectHttpHRHTest34(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL\n");
goto end;
}
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH] == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->type != DETECT_CONTENT ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->type != DETECT_PCRE) {
if (de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id] == NULL ||
de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->type != DETECT_CONTENT ||
de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->type != DETECT_PCRE) {
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_CASELESS) ||
hrhhd2->flags != (DETECT_CONTENT_WITHIN) ||
memcmp(hrhhd2->content, "two", hrhhd2->content_len) != 0) {
@ -2004,21 +2010,21 @@ int DetectHttpHRHTest35(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL\n");
goto end;
}
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH] == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->type != DETECT_PCRE ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->type != DETECT_CONTENT) {
if (de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id] == NULL ||
de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->type != DETECT_PCRE ||
de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->type != DETECT_CONTENT) {
goto end;
}
DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
DetectContentData *hrhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
if (pd2->flags != (DETECT_PCRE_RELATIVE | DETECT_PCRE_CASELESS) ||
hrhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
memcmp(hrhhd1->content, "two", hrhhd1->content_len) != 0) {
@ -2055,21 +2061,21 @@ int DetectHttpHRHTest36(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHHDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_raw_host_buffer_id] == NULL\n");
goto end;
}
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH] == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->type != DETECT_CONTENT ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->type != DETECT_PCRE) {
if (de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id] == NULL ||
de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->type != DETECT_CONTENT ||
de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->type != DETECT_PCRE) {
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->prev->ctx;
DetectContentData *hrhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_host_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_CASELESS) ||
hrhhd2->flags != (DETECT_CONTENT_DISTANCE) ||
memcmp(hrhhd2->content, "two", hrhhd2->content_len) != 0) {
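Review bot: DetectHttpHostRawSetupCallback is the only new function in this file without a doc comment, and its name breaks the `DetectHttpHRH*` prefix used by the other symbols here. It appears to take over the `SIG_MASK_REQUIRE_HTTP_STATE` assignment that the SignatureCreateMask hunk removes, which is worth stating so a reader can find where the mask is now set for this buffer. Suggested comment: `/** \brief Setup callback for the http_raw_host buffer: marks the signature as requiring HTTP state. */`.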

@ -147,7 +147,6 @@ const char *DetectListToHumanString(int list)
CASE_CODE_STRING(DETECT_SM_LIST_HRHDMATCH, "http_raw_header");
CASE_CODE_STRING(DETECT_SM_LIST_HSMDMATCH, "http_stat_msg");
CASE_CODE_STRING(DETECT_SM_LIST_HSCDMATCH, "http_stat_code");
CASE_CODE_STRING(DETECT_SM_LIST_HRHHDMATCH, "http_raw_host");
CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event");
CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer");
CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
@ -184,7 +183,6 @@ const char *DetectListToString(int list)
CASE_CODE(DETECT_SM_LIST_HRHDMATCH);
CASE_CODE(DETECT_SM_LIST_HSMDMATCH);
CASE_CODE(DETECT_SM_LIST_HSCDMATCH);
CASE_CODE(DETECT_SM_LIST_HRHHDMATCH);
CASE_CODE(DETECT_SM_LIST_APP_EVENT);
CASE_CODE(DETECT_SM_LIST_AMATCH);
CASE_CODE(DETECT_SM_LIST_DMATCH);
@ -1543,8 +1541,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH])
s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH])
{
SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet "
"specific matches (like dsize, flags, ttl) with stream / "

@ -424,13 +424,15 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr,
check_host_header = 1;
break;
}
case 'Z':
case 'Z': {
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'Z' inconsistent with 'B'");
goto error;
}
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HRHHDMATCH);
int list = DetectBufferTypeGetByName("http_raw_host");
*sm_list = DetectPcreSetList(*sm_list, list);
break;
}
case 'H': /* snort's option */
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'H' inconsistent with 'B'");
@ -682,8 +684,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
parsed_sm_list == DETECT_SM_LIST_HHDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HRHDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HSMDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HSCDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HRHHDMATCH)
parsed_sm_list == DETECT_SM_LIST_HSCDMATCH)
{
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
@ -716,7 +717,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
case DETECT_SM_LIST_HRUDMATCH:
case DETECT_SM_LIST_HHDMATCH:
case DETECT_SM_LIST_HRHDMATCH:
case DETECT_SM_LIST_HRHHDMATCH:
case DETECT_SM_LIST_HSMDMATCH:
case DETECT_SM_LIST_HSCDMATCH:
s->flags |= SIG_FLAG_APPLAYER;
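Review bot: `case 'Z'` now yields a dynamic list id, but the two places in DetectPcreSetup that used to recognise the raw-host list, the HTTP-only `alproto` conflict check and the `switch` that sets `SIG_FLAG_APPLAYER`, simply drop it. Judging from these hunks alone, a `/Z` pcre on a non-HTTP rule is no longer rejected and the signature may not be flagged as app-layer. Unless dynamic buffers are handled on a path outside the hunk, extend the condition with `parsed_sm_list == DetectBufferTypeGetByName("http_raw_host")` and set the flag in an `if` ahead of the `switch`, since a runtime id cannot be a `case` label. The lookup result in `case 'Z'` is also passed to DetectPcreSetList unchecked; if the lookup can fail with a negative value, `if (list < 0) goto error;` would keep that from becoming a list index. Both functions continue outside the hunks.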

@ -1930,9 +1930,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HRHHDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL)
return 0;
@ -2023,9 +2020,6 @@ static int SignatureIsPDOnly(const Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HRHHDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL)
return 0;
@ -2131,8 +2125,7 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s)
s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRHHDMATCH] != NULL)
s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
{
SCReturnInt(0);
}
@ -2315,11 +2308,6 @@ static int SignatureCreateMask(Signature *s)
SCLogDebug("sig requires http app state");
}
if (s->init_data->smlists[DETECT_SM_LIST_HRHHDMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
SCLogDebug("sig requires http app state");
}
SigMatch *sm;
for (sm = s->init_data->smlists[DETECT_SM_LIST_AMATCH] ; sm != NULL; sm = sm->next) {
switch(sm->type) {
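Review bot: With the explicit `DETECT_SM_LIST_HRHHDMATCH` tests gone from SignatureIsIPOnly, SignatureIsPDOnly and SignatureIsDEOnly, nothing visible in these hunks stops a rule whose only match is on http_raw_host from being given one of those classifications, which would be a silent detection gap for that rule. The SigValidate hunk has the same issue, because its packet/stream combination check no longer sees the buffer. If a generic check over registered buffer ids already exists outside the hunks, a comment such as `/* dynamic buffers such as http_raw_host are covered by the generic buffer-type check */` at each removal site would make that explicit. Otherwise each function needs an equivalent test on the id returned for "http_raw_host", guarded against a failed lookup. All four functions start and end outside the hunks shown.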

@ -127,8 +127,6 @@ enum DetectSigmatchListEnum {
DETECT_SM_LIST_HSMDMATCH,
/* list for http_stat_code keyword and the ones relative to it */
DETECT_SM_LIST_HSCDMATCH,
/* list for http_raw_host keyword and the ones relative to it */
DETECT_SM_LIST_HRHHDMATCH,
/* app event engine sm list */
DETECT_SM_LIST_APP_EVENT,
