Gid Keyword

Signed-off-by: Brian Rectanus <brectanu@gmail.com>
remotes/origin/master-1.0.x
Breno Silva 16 years ago committed by Victor Julien
parent 6100a7f610
commit 15a8f34d36

@ -73,6 +73,7 @@ detect-decode-event.c detect-decode-event.h \
detect-ipopts.c detect-ipopts.h \ detect-ipopts.c detect-ipopts.h \
detect-flags.c detect-flags.h \ detect-flags.c detect-flags.h \
detect-fragbits.c detect-fragbits.h \ detect-fragbits.c detect-fragbits.h \
detect-gid.c detect-gid.h \
detect-noalert.c detect-noalert.h \ detect-noalert.c detect-noalert.h \
detect-csum.c detect-csum.h \ detect-csum.c detect-csum.h \
util-print.c util-print.h \ util-print.c util-print.h \

@ -142,7 +142,7 @@ typedef uint16_t Port;
/* structure to store the sids/gids/etc the detection engine /* structure to store the sids/gids/etc the detection engine
* found in this packet */ * found in this packet */
typedef struct PacketAlert_ { typedef struct PacketAlert_ {
uint8_t gid; uint32_t gid;
uint32_t sid; uint32_t sid;
uint8_t rev; uint8_t rev;
uint8_t class; uint8_t class;
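Review bot: Widening PacketAlert_.gid from uint8_t to uint32_t changes the type every consumer of p->alerts.alerts[i].gid sees, so any existing log or output code that prints it with `PRIu8` or after a narrowing cast becomes a format/argument mismatch; those call sites are not part of this commit, so they are worth grepping for before merge. The widening itself is consistent with the new PacketAlertAppend prototype in detect.h. PacketAlert_ continues outside the hunk.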

@ -378,7 +378,7 @@ void IPOnlyMatchPacket(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx,
if (!(s->flags & SIG_FLAG_NOALERT)) { if (!(s->flags & SIG_FLAG_NOALERT)) {
PacketAlertAppend(p, 1, s->id, s->rev, s->prio, s->msg); PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg);
/* set verdict on packet */ /* set verdict on packet */
p->action = s->action; p->action = s->action;

@ -0,0 +1,173 @@
/* Copyright (c) 2009 Open Information Security Foundation */
/** \file
* \author Breno Silva <breno.silva@gmail.com>
*/
#include "eidps-common.h"
#include "eidps.h"
#include "decode.h"
#include "detect.h"
#include "flow-var.h"
#include "decode-events.h"
#include "detect-gid.h"
#include "util-unittest.h"
#define PARSE_REGEX "[0-9]+"
static pcre *parse_regex;
static pcre_extra *parse_regex_study;
static int DetectGidSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *str);
/**
* \brief Registration function for gid: keyword
*/
void DetectGidRegister (void) {
sigmatch_table[DETECT_GID].name = "gid";
sigmatch_table[DETECT_GID].Match = NULL;
sigmatch_table[DETECT_GID].Setup = DetectGidSetup;
sigmatch_table[DETECT_GID].Free = NULL;
sigmatch_table[DETECT_GID].RegisterTests = GidRegisterTests;
const char *eb;
int opts = 0;
int eo;
parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL);
if(parse_regex == NULL)
{
printf("pcre compile of \"%s\" failed at offset %" PRId32 ": %s\n", PARSE_REGEX, eo, eb);
goto error;
}
parse_regex_study = pcre_study(parse_regex, 0, &eb);
if(eb != NULL)
{
printf("pcre study failed: %s\n", eb);
goto error;
}
error:
return;
}
/**
* \internal
* \brief This function is used to parse gid options passed via gid: keyword
*
* \param rawstr Pointer to the user provided gid options
*
* \retval gid number on success
* \retval -1 on failure
*/
static uint32_t DetectGidParse (char *rawstr)
{
int ret = 0, res = 0;
#define MAX_SUBSTRINGS 30
int ov[MAX_SUBSTRINGS];
const char *str_ptr = NULL;
char *ptr = NULL;
uint32_t rc;
ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS);
if (ret < 1) {
return -1;
}
res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 0, &str_ptr);
if (res < 0) {
return -1;
}
ptr = (char *)str_ptr;
if(ptr == NULL)
return -1;
rc = (uint32_t )atol(ptr);
free(ptr);
return rc;
}
/**
* \internal
* \brief this function is used to add the parsed gid into the current signature
*
* \param de_ctx pointer to the Detection Engine Context
* \param s pointer to the Current Signature
* \param m pointer to the Current SigMatch
* \param rawstr pointer to the user provided gid options
*
* \retval 0 on Success
* \retval -1 on Failure
*/
static int DetectGidSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr)
{
s->gid = DetectGidParse(rawstr);
if(s->gid > 0)
return 0;
return -1;
}
/*
* ONLY TESTS BELOW THIS COMMENT
*/
#ifdef UNITTESTS
/**
* \test GidTestParse01 is a test for a valid gid value
*
* \retval 1 on succces
* \retval 0 on failure
*/
static int GidTestParse01 (void) {
int gid = 0;
gid = DetectGidParse("1");
if (gid == 1) {
return 1;
}
return 0;
}
/**
* \test GidTestParse02 is a test for an invalid gid value
*
* \retval 1 on succces
* \retval 0 on failure
*/
static int GidTestParse02 (void) {
int gid = 0;
gid = DetectGidParse("a");
if (gid > 1) {
return 1;
}
return 0;
}
#endif /* UNITTESTS */
/**
* \brief this function registers unit tests for Gid
*/
void GidRegisterTests(void) {
#ifdef UNITTESTS
UtRegisterTest("GidTestParse01", GidTestParse01, 1);
UtRegisterTest("GidTestParse02", GidTestParse02, 0);
#endif /* UNITTESTS */
}
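Review bot: DetectGidParse declares a uint32_t return but uses `return -1` on every failure path, so a bad value yields UINT32_MAX, which DetectGidSetup's `if(s->gid > 0)` then accepts as a valid gid; GidTestParse02 only reports the expected 0 because that UINT32_MAX is narrowed into an `int` before the `gid > 1` compare. The substring from pcre_get_substring is also released with `free(ptr)` rather than `pcre_free_substring`, and `atol` gives no diagnosis for values beyond uint32_t. Returning a status code and passing the gid through an out-parameter, with strtoul bounds-checked against UINT32_MAX, removes the ambiguity; the rewrite needs `<errno.h>` and `<stdint.h>` in scope and GidTestParse01/02 adjusted to the new signature. DetectGidSetup keeps its rejection of gid 0.
```c
static int DetectGidParse(char *rawstr, uint32_t *gid)
{
    // … unchanged: pcre_exec / pcre_get_substring, each failure path returning -1 …
    errno = 0;
    char *end = NULL;
    unsigned long v = strtoul(str_ptr, &end, 10);
    int bad = (end == str_ptr || *end != '\0' || errno == ERANGE || v > UINT32_MAX);
    pcre_free_substring(str_ptr);
    if (bad) {
        return -1;
    }
    *gid = (uint32_t)v;
    return 0;
}

static int DetectGidSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr)
{
    /* gid 0 is rejected, as before */
    if (DetectGidParse(rawstr, &s->gid) < 0 || s->gid == 0) {
        return -1;
    }
    return 0;
}
```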

@ -0,0 +1,40 @@
/* Copyright (c) 2009 Open Information Security Foundation */
/** \file
* \author Breno Silva <breno.silva@gmail.com>
*/
#ifndef __DETECT_GID_H__
#define __DETECT_GID_H__
#include "decode-events.h"
#include "decode-ipv4.h"
#include "decode-tcp.h"
/**
* \struct DetectGidData_
* DetectGidData_ is used to store gid: input value
*/
/**
* \typedef DetectGidData
* A typedef for DetectGidData_
*/
typedef struct DetectGidData_ {
uint32_t gid; /**< Rule gid */
} DetectGidData;
/**
* Registration function for gid: keyword
*/
void DetectGidRegister (void);
/**
* This function registers unit tests for Gid
*/
void GidRegisterTests(void);
#endif /*__DETECT_GID_H__ */
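Review bot: `DetectGidData` is declared here but nothing in detect-gid.c uses it — DetectGidSetup writes the parsed value straight into `s->gid` and registers `Free = NULL` — so the struct and its two doc blocks are dead declarations that should either be removed or actually be carried by the SigMatch. `__DETECT_GID_H__` is a reserved identifier (double leading underscore); a guard like `DETECT_GID_H` is safer, though the neighbouring headers may follow the same convention. The decode-ipv4.h and decode-tcp.h includes serve none of the declarations in this header, unless a dependent relies on getting them transitively.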

@ -17,10 +17,11 @@
#include "detect-engine-iponly.h" #include "detect-engine-iponly.h"
#include "detect-decode-event.h" #include "detect-decode-event.h"
#include "detect-ipopts.h" #include "detect-ipopts.h"
#include "detect-flags.h" #include "detect-flags.h"
#include "detect-fragbits.h" #include "detect-fragbits.h"
#include "detect-gid.h"
#include "detect-content.h" #include "detect-content.h"
#include "detect-uricontent.h" #include "detect-uricontent.h"
#include "detect-pcre.h" #include "detect-pcre.h"
@ -274,11 +275,14 @@ int PacketAlertCheck(Packet *p, uint32_t sid)
return match; return match;
} }
int PacketAlertAppend(Packet *p, uint8_t gid, uint32_t sid, uint8_t rev, uint8_t prio, char *msg) int PacketAlertAppend(Packet *p, uint32_t gid, uint32_t sid, uint8_t rev, uint8_t prio, char *msg)
{ {
/* XXX overflow check? */ /* XXX overflow check? */
if(gid > 1)
p->alerts.alerts[p->alerts.cnt].gid = gid; p->alerts.alerts[p->alerts.cnt].gid = gid;
else
p->alerts.alerts[p->alerts.cnt].gid = 1;
p->alerts.alerts[p->alerts.cnt].sid = sid; p->alerts.alerts[p->alerts.cnt].sid = sid;
p->alerts.alerts[p->alerts.cnt].rev = rev; p->alerts.alerts[p->alerts.cnt].rev = rev;
p->alerts.alerts[p->alerts.cnt].prio = prio; p->alerts.alerts[p->alerts.cnt].prio = prio;
@ -466,7 +470,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
if (!(s->flags & SIG_FLAG_NOALERT)) { if (!(s->flags & SIG_FLAG_NOALERT)) {
/* only add once */ /* only add once */
if (rmatch == 0) { if (rmatch == 0) {
PacketAlertAppend(p, 1, s->id, s->rev, s->prio, s->msg); PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg);
/* set verdict on packet */ /* set verdict on packet */
p->action = s->action; p->action = s->action;
@ -499,7 +503,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
fmatch = 1; fmatch = 1;
//printf("DE : sig %" PRIu32 " matched\n", s->id); //printf("DE : sig %" PRIu32 " matched\n", s->id);
if (!(s->flags & SIG_FLAG_NOALERT)) { if (!(s->flags & SIG_FLAG_NOALERT)) {
PacketAlertAppend(p, 1, s->id, s->rev, s->prio, s->msg); PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg);
/* set verdict on packet */ /* set verdict on packet */
p->action = s->action; p->action = s->action;
@ -2590,7 +2594,11 @@ void SigTableSetup(void) {
DetectDecodeEventRegister(); DetectDecodeEventRegister();
DetectIpOptsRegister(); DetectIpOptsRegister();
DetectFlagsRegister(); DetectFlagsRegister();
<<<<<<< HEAD:src/detect.c
DetectFragBitsRegister(); DetectFragBitsRegister();
=======
DetectGidRegister();
>>>>>>> Gid Keyword:src/detect.c
DetectCsumRegister(); DetectCsumRegister();
DetectStreamSizeRegister(); DetectStreamSizeRegister();
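Review bot: SigTableSetup is committed with unresolved merge-conflict markers (`<<<<<<< HEAD:src/detect.c`, `=======`, `>>>>>>> Gid Keyword:src/detect.c`) around the DetectFragBitsRegister()/DetectGidRegister() calls, so the file cannot compile as-is; the resolution should keep both calls, `DetectFragBitsRegister();` followed by `DetectGidRegister();`, and drop the three marker lines. In PacketAlertAppend the new `if(gid > 1) ... else ... = 1` silently rewrites any gid below 2 to 1; that is presumably the default for rules that never set gid, but it deserves a comment such as `/* gid 0 (unset) and 1 both map to the default generator 1 */`, and the `/* XXX overflow check? */` on p->alerts.cnt is still open. PacketAlertAppend's body continues outside the hunk.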

@ -145,6 +145,7 @@ typedef struct Signature_ {
uint8_t rev; uint8_t rev;
uint8_t prio; uint8_t prio;
uint32_t gid; /**< generator id */
uint32_t num; /**< signature number, internal id */ uint32_t num; /**< signature number, internal id */
uint32_t id; /**< sid, set by the 'sid' rule keyword */ uint32_t id; /**< sid, set by the 'sid' rule keyword */
char *msg; char *msg;
@ -436,6 +437,7 @@ enum {
DETECT_IPOPTS, DETECT_IPOPTS,
DETECT_FLAGS, DETECT_FLAGS,
DETECT_FRAGBITS, DETECT_FRAGBITS,
DETECT_GID,
/* make sure this stays last */ /* make sure this stays last */
DETECT_TBLSIZE, DETECT_TBLSIZE,
@ -456,7 +458,7 @@ void TmModuleDetectRegister (void);
int SigGroupBuild(DetectEngineCtx *); int SigGroupBuild(DetectEngineCtx *);
int SigGroupCleanup(); int SigGroupCleanup();
int PacketAlertAppend(Packet *, uint8_t, uint32_t, uint8_t, uint8_t, char *); int PacketAlertAppend(Packet *, uint32_t, uint32_t, uint8_t, uint8_t, char *);
int SigLoadSignatures (DetectEngineCtx *, char *); int SigLoadSignatures (DetectEngineCtx *, char *);
void SigTableSetup(void); void SigTableSetup(void);
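Review bot: The new Signature_ field `uint32_t gid; /**< generator id */` is documented less precisely than its sibling `id`, which names the keyword that sets it; suggest `uint32_t gid; /**< generator id, set by the 'gid' rule keyword */`, adding "0 when unset" only once it is confirmed that Signature is zero-initialised, since PacketAlertAppend reports anything below 2 as 1. The PacketAlertAppend prototype widening to uint32_t matches the definition in detect.c and the PacketAlert_ field in decode.h. The Signature_ struct and the keyword enum both extend beyond their hunks.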
