From 15a8f34d3635aa20caa5e7150fe8d79496d879af Mon Sep 17 00:00:00 2001 From: Breno Silva Date: Wed, 21 Oct 2009 07:15:19 -0200 Subject: [PATCH] Gid Keyword Signed-off-by: Brian Rectanus --- src/Makefile.am | 1 + src/decode.h | 2 +- src/detect-engine-iponly.c | 2 +- src/detect-gid.c | 173 +++++++++++++++++++++++++++++++++++++ src/detect-gid.h | 40 +++++++++ src/detect.c | 16 +++- src/detect.h | 4 +- 7 files changed, 231 insertions(+), 7 deletions(-) create mode 100644 src/detect-gid.c create mode 100644 src/detect-gid.h diff --git a/src/Makefile.am b/src/Makefile.am index c0f26d6adf..bfc572c859 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -73,6 +73,7 @@ detect-decode-event.c detect-decode-event.h \ detect-ipopts.c detect-ipopts.h \ detect-flags.c detect-flags.h \ detect-fragbits.c detect-fragbits.h \ +detect-gid.c detect-gid.h \ detect-noalert.c detect-noalert.h \ detect-csum.c detect-csum.h \ util-print.c util-print.h \ diff --git a/src/decode.h b/src/decode.h index f8fd035bd5..f4baf2642a 100644 --- a/src/decode.h +++ b/src/decode.h @@ -142,7 +142,7 @@ typedef uint16_t Port; /* structure to store the sids/gids/etc the detection engine * found in this packet */ typedef struct PacketAlert_ { - uint8_t gid; + uint32_t gid; uint32_t sid; uint8_t rev; uint8_t class; diff --git a/src/detect-engine-iponly.c b/src/detect-engine-iponly.c index dbd68380b6..20eb04ba0c 100644 --- a/src/detect-engine-iponly.c +++ b/src/detect-engine-iponly.c @@ -378,7 +378,7 @@ void IPOnlyMatchPacket(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx, if (!(s->flags & SIG_FLAG_NOALERT)) { - PacketAlertAppend(p, 1, s->id, s->rev, s->prio, s->msg); + PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg); /* set verdict on packet */ p->action = s->action; diff --git a/src/detect-gid.c b/src/detect-gid.c new file mode 100644 index 0000000000..88103dad18 --- /dev/null +++ b/src/detect-gid.c 
@@ -0,0 +1,173 @@ +/* Copyright (c) 2009 Open Information Security Foundation */ + +/** \file + * \author Breno Silva + */ + +#include "eidps-common.h" +#include "eidps.h" +#include "decode.h" +#include "detect.h" +#include "flow-var.h" +#include "decode-events.h" + +#include "detect-gid.h" +#include "util-unittest.h" + +#define PARSE_REGEX "[0-9]+" + +static pcre *parse_regex; +static pcre_extra *parse_regex_study; + +static int DetectGidSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *str); + +/** + * \brief Registration function for gid: keyword + */ + +void DetectGidRegister (void) { + sigmatch_table[DETECT_GID].name = "gid"; + sigmatch_table[DETECT_GID].Match = NULL; + sigmatch_table[DETECT_GID].Setup = DetectGidSetup; + sigmatch_table[DETECT_GID].Free = NULL; + sigmatch_table[DETECT_GID].RegisterTests = GidRegisterTests; + + const char *eb; + int opts = 0; + int eo; + + parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL); + if(parse_regex == NULL) + { + printf("pcre compile of \"%s\" failed at offset %" PRId32 ": %s\n", PARSE_REGEX, eo, eb); + goto error; + } + + parse_regex_study = pcre_study(parse_regex, 0, &eb); + if(eb != NULL) + { + printf("pcre study failed: %s\n", eb); + goto error; + } + +error: + return; + +} + +/** + * \internal + * \brief This function is used to parse gid options passed via gid: keyword + * + * \param rawstr Pointer to the user provided gid options + * + * \retval gid number on success + * \retval -1 on failure + */ +static uint32_t DetectGidParse (char *rawstr) +{ + int ret = 0, res = 0; +#define MAX_SUBSTRINGS 30 + int ov[MAX_SUBSTRINGS]; + const char *str_ptr = NULL; + char *ptr = NULL; + uint32_t rc; + + ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS); + + if (ret < 1) { + return -1; + } + + res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 0, &str_ptr); + + if (res < 0) { + return -1; + } + + ptr = (char *)str_ptr; + + if(ptr == NULL) + return 
-1; + + rc = (uint32_t )atol(ptr); + + free(ptr); + return rc; +} + +/** + * \internal + * \brief this function is used to add the parsed gid into the current signature + * + * \param de_ctx pointer to the Detection Engine Context + * \param s pointer to the Current Signature + * \param m pointer to the Current SigMatch + * \param rawstr pointer to the user provided gid options + * + * \retval 0 on Success + * \retval -1 on Failure + */ +static int DetectGidSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) +{ + s->gid = DetectGidParse(rawstr); + + if(s->gid > 0) + return 0; + + return -1; +} + +/* + * ONLY TESTS BELOW THIS COMMENT + */ + +#ifdef UNITTESTS +/** + * \test GidTestParse01 is a test for a valid gid value + * + * \retval 1 on succces + * \retval 0 on failure + */ +static int GidTestParse01 (void) { + + int gid = 0; + + gid = DetectGidParse("1"); + + if (gid == 1) { + return 1; + } + + return 0; +} + +/** + * \test GidTestParse02 is a test for an invalid gid value + * + * \retval 1 on succces + * \retval 0 on failure + */ +static int GidTestParse02 (void) { + + int gid = 0; + + gid = DetectGidParse("a"); + + if (gid > 1) { + return 1; + } + + return 0; +} +#endif /* UNITTESTS */ + +/** + * \brief this function registers unit tests for Gid + */ +void GidRegisterTests(void) { +#ifdef UNITTESTS + UtRegisterTest("GidTestParse01", GidTestParse01, 1); + UtRegisterTest("GidTestParse02", GidTestParse02, 0); +#endif /* UNITTESTS */ +} diff --git a/src/detect-gid.h b/src/detect-gid.h new file mode 100644 index 0000000000..112db39017 --- /dev/null +++ b/src/detect-gid.h 
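Review bot: `DetectGidParse` is declared `uint32_t` yet returns `-1` on every failure path, so a parse error reaches `DetectGidSetup` as 4294967295 and satisfies the `s->gid > 0` check; a rule with an unparsable gid is accepted rather than rejected. Since Setup already rejects 0, 0 is the natural failure sentinel: change the three `return -1;` statements to `return 0;` and fix the header's `\retval -1 on failure` line, which cannot be true for an unsigned return. The match is also unanchored (`[0-9]+` finds "12" inside "ab12cd") and `atol` wraps silently on out-of-range input; `strtoul` with an end-pointer and `ERANGE` check would reject both. The substring obtained from `pcre_get_substring` should be released with `pcre_free_substring(str_ptr);` rather than `free(ptr);`. GidTestParse02 only passes because the -1 is read back into a signed `int`; with a 0 sentinel it should assert `gid == 0`.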
@@ -0,0 +1,40 @@ +/* Copyright (c) 2009 Open Information Security Foundation */ + +/** \file + * \author Breno Silva + */ + +#ifndef __DETECT_GID_H__ +#define __DETECT_GID_H__ + +#include "decode-events.h" +#include "decode-ipv4.h" +#include "decode-tcp.h" + +/** + * \struct DetectGidData_ + * DetectGidData_ is used to store gid: input value + */ + +/** + * \typedef DetectGidData + * A typedef for DetectGidData_ + */ + +typedef struct DetectGidData_ { + uint32_t gid; /**< Rule gid */ +} DetectGidData; + +/** + * Registration function for gid: keyword + */ + +void DetectGidRegister (void); + +/** + * This function registers unit tests for Gid + */ + +void GidRegisterTests(void); + +#endif /*__DETECT_GID_H__ */ diff --git a/src/detect.c b/src/detect.c index 9c66bd441b..eca9e6f59e 100644 --- a/src/detect.c +++ b/src/detect.c @@ -17,10 +17,11 @@ #include "detect-engine-iponly.h" #include "detect-decode-event.h" + #include "detect-ipopts.h" #include "detect-flags.h" #include "detect-fragbits.h" - +#include "detect-gid.h" #include "detect-content.h" #include "detect-uricontent.h" #include "detect-pcre.h" @@ -274,11 +275,14 @@ int PacketAlertCheck(Packet *p, uint32_t sid) return match; } -int PacketAlertAppend(Packet *p, uint8_t gid, uint32_t sid, uint8_t rev, uint8_t prio, char *msg) +int PacketAlertAppend(Packet *p, uint32_t gid, uint32_t sid, uint8_t rev, uint8_t prio, char *msg) { /* XXX overflow check? */ + if(gid > 1) p->alerts.alerts[p->alerts.cnt].gid = gid; + else + p->alerts.alerts[p->alerts.cnt].gid = 1; p->alerts.alerts[p->alerts.cnt].sid = sid; p->alerts.alerts[p->alerts.cnt].rev = rev; p->alerts.alerts[p->alerts.cnt].prio = prio; 
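Review bot: `DetectGidData` is defined in detect-gid.h but nothing in detect-gid.c allocates or reads it — the parsed value is written straight into `s->gid` — so the struct and its two Doxygen blocks are dead declarations; either drop them or add a comment saying what they are reserved for. The includes of `decode-ipv4.h` and `decode-tcp.h` are likewise not needed by anything this header declares.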
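Review bot: The new `if(gid > 1) ... else ... = 1` in PacketAlertAppend compares against 1 although 1 is exactly what the else branch stores, so the condition reads as if gid 1 were a special case; `p->alerts.alerts[p->alerts.cnt].gid = gid ? gid : 1;` states the intent in one line and avoids the unbraced, oddly indented if/else. A comment that 0 means "rule set no gid keyword" would also help, since whether an unset `Signature.gid` is zero depends on how the signature is allocated, which is outside this hunk. The pre-existing `/* XXX overflow check? */` still stands: `p->alerts.cnt` is used as an index with no comparison against the array's capacity, and this hunk adds another write through it. The function body continues past the end of the hunk.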
@@ -466,7 +470,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh if (!(s->flags & SIG_FLAG_NOALERT)) { /* only add once */ if (rmatch == 0) { - PacketAlertAppend(p, 1, s->id, s->rev, s->prio, s->msg); + PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg); /* set verdict on packet */ p->action = s->action; @@ -499,7 +503,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh fmatch = 1; //printf("DE : sig %" PRIu32 " matched\n", s->id); if (!(s->flags & SIG_FLAG_NOALERT)) { - PacketAlertAppend(p, 1, s->id, s->rev, s->prio, s->msg); + PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg); /* set verdict on packet */ p->action = s->action; @@ -2590,7 +2594,11 @@ void SigTableSetup(void) { DetectDecodeEventRegister(); DetectIpOptsRegister(); DetectFlagsRegister(); +<<<<<<< HEAD:src/detect.c DetectFragBitsRegister(); +======= + DetectGidRegister(); +>>>>>>> Gid Keyword:src/detect.c DetectCsumRegister(); DetectStreamSizeRegister(); diff --git a/src/detect.h b/src/detect.h index 22d8fae1eb..068587eb53 100644 --- a/src/detect.h +++ b/src/detect.h @@ -145,6 +145,7 @@ typedef struct Signature_ { uint8_t rev; uint8_t prio; + uint32_t gid; /**< generator id */ uint32_t num; /**< signature number, internal id */ uint32_t id; /**< sid, set by the 'sid' rule keyword */ char *msg; @@ -436,6 +437,7 @@ enum { DETECT_IPOPTS, DETECT_FLAGS, DETECT_FRAGBITS, + DETECT_GID, /* make sure this stays last */ DETECT_TBLSIZE, @@ -456,7 +458,7 @@ void TmModuleDetectRegister (void); int SigGroupBuild(DetectEngineCtx *); int SigGroupCleanup(); -int PacketAlertAppend(Packet *, uint8_t, uint32_t, uint8_t, uint8_t, char *); +int PacketAlertAppend(Packet *, uint32_t, uint32_t, uint8_t, uint8_t, char *); int SigLoadSignatures (DetectEngineCtx *, char *); void SigTableSetup(void);
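Review bot: The SigTableSetup hunk commits unresolved merge-conflict markers — `<<<<<<< HEAD:src/detect.c`, `=======` and `>>>>>>> Gid Keyword:src/detect.c` — into detect.c, which will not compile as committed. The intended resolution is to keep both registrations, `DetectFragBitsRegister();` followed by `DetectGidRegister();`, and delete the three marker lines. The function continues outside the hunk.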