Group signatures by protocol.

remotes/origin/master-1.0.x
Victor Julien 17 years ago
parent 2c8e6a7c5a
commit 171c8c777d

@ -1124,6 +1124,9 @@ DetectAddressGroup *
DetectAddressLookupGroup(DetectAddressGroupsHead *gh, Address *a) {
DetectAddressGroup *g;
if (gh == NULL)
return NULL;
/* XXX should we really do this check every time we run
* this function? */
if (a->family == AF_INET)
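Review bot: The new guard `if (gh == NULL) return NULL;` is right for callers that hand in an unset head, but the comment above it leaves open whether the check should stay; replacing `/* XXX should we really do this check every time we run this function? */` with `/* gh may legitimately be NULL (presumably a dst_gh that was never built), so callers rely on a NULL result here */` would record the reason the check is kept. The parameter `a` is dereferenced on the very next line with no matching check; if every caller passes `&p->src` or `&p->dst` that is fine, but a header comment for the function should state that `a` must be non-NULL. DetectAddressLookupGroup's body continues past the end of the hunk.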

@ -254,12 +254,21 @@ error:
return -1;
}
/* http://www.iana.org/assignments/protocol-numbers
*
*/
int SigParseProto(Signature *s, const char *protostr) {
if (strcasecmp(protostr,"tcp") == 0) {
s->ip_proto = 6;
} else if (strcasecmp(protostr,"udp") == 0) {
s->ip_proto = 17;
} else if (strcasecmp(protostr,"icmp") == 0) {
s->ip_proto = 1;
} else if (strcasecmp(protostr,"ip") == 0) {
s->ip_proto = 4; /* XXX VJ does this make sense? */
} else {
printf("protostr \"%s\"\n", protostr);
printf("Error: protostr \"%s\" not supported\n", protostr);
return -1;
}
return 0;
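Review bot: The mapping `s->ip_proto = 4;` for the `ip` keyword assigns the IANA number of IPv4 encapsulation (IP-in-IP), which is one specific protocol rather than "any IP protocol", so the XXX on that line is justified; the case needs either a dedicated wildcard representation or at least a comment stating that `ip` rules are currently restricted to protocol 4. The first `printf("protostr \"%s\"\n", protostr);` on the error path duplicates the message printed on the following line and reads like a leftover debug print; dropping it and sending the remaining message to stderr with `fprintf(stderr, "Error: protostr \"%s\" not supported\n", protostr);` keeps diagnostics out of the normal output stream. A short header comment, e.g. `/* Map the rule header protocol keyword to an IANA protocol number; returns 0 on success, -1 for an unknown keyword */`, would also help, since the link above the function does not say what it does. Whether the whole function is new or only the `ip_proto` assignments were added cannot be told from the rendered hunk.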

@ -240,7 +240,11 @@ int DetectUricontentMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p,
return 0;
if (pmt->de_have_httpuri == 1 && pmt->de_scanned_httpuri == 0) {
/* Scan http uri now */
/* don't bother scanning if we don't have a pattern matcher ctx
* which means we don't have uricontent sigs */
if (pmt->mcu == NULL)
return 0;
//printf("DetectUricontentMatch: going to scan uri buffer(s)\n");
/* scan all buffers we have */
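Review bot: The early `if (pmt->mcu == NULL) return 0;` is a sensible defensive check, but it returns before the rest of the function (outside the hunk) presumably marks the URI as scanned, so every uricontent match on the same packet repeats the test; if that is intended it costs little, but a comment such as `/* no uricontent mpm ctx for this group: nothing to scan, leave de_scanned_httpuri clear */` would make it deliberate. The commented-out `//printf("DetectUricontentMatch: going to scan uri buffer(s)\n");` line is dead debug output and should be removed rather than carried along.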

@ -42,7 +42,7 @@
/* XXX store all this in a DetectionEngineCtx one day */
static Signature *sig_list = NULL;
static DetectAddressGroupsHead *g_src_gh = NULL, *g_tmp_gh = NULL;
static DetectAddressGroupsHead *g_src_gh[256], *g_tmp_gh[256];
SigMatch *SigMatchAlloc(void);
void SigMatchFree(SigMatch *sm);
@ -87,13 +87,13 @@ void SigLoadSignatures (void)
prevsig->next = sig;
prevsig = sig;
/*
sig = SigInit("alert tcp any any -> any any (msg:\"ViCtOr nocase test\"; sid:4; rev:13; content:ViCtOr; nocase; depth:150;)");
sig = SigInit("alert udp any any -> any any (msg:\"ViCtOr nocase test\"; sid:4; rev:13; content:ViCtOr; nocase; depth:150;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
/*
sig = SigInit("alert ip any any -> 1.2.3.4 any (msg:\"ViCtOr case test\"; sid:2001; content:ViCtOr; depth:150;)");
if (sig == NULL)
return;
@ -257,7 +257,7 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p)
pmt->de_scanned_httpuri = 0;
/* find the right mpm instance */
DetectAddressGroup *g = DetectAddressLookupGroup(g_src_gh,&p->src);
DetectAddressGroup *g = DetectAddressLookupGroup(g_src_gh[p->proto],&p->src);
if (g != NULL) {
/* source group found, lets try a dst group */
g = DetectAddressLookupGroup(g->dst_gh,&p->dst);
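Review bot: The lookup `DetectAddressLookupGroup(g_src_gh[p->proto],&p->src)` consults only the group head for the packet's exact IP protocol, so a signature is evaluated only for packets whose protocol number equals its `ip_proto`; with the `ip` keyword mapped to protocol 4 in the detect-parse.c hunk, `alert ip` signatures will only ever be consulted for packets with proto 4 instead of for all packets. If `ip` is meant as a wildcard, stage 2 would have to append those signatures to every `g_src_gh[i]` (or keep a separate any-protocol head that is looked up here as well) — the stage 2 hunks index `g_tmp_gh[tmp_s->ip_proto]` with the same exact-match assumption. The index is in bounds only if `p->proto` is an 8-bit field; its declaration is not in the hunk, so that should be confirmed. The protocol numbers 6, 17, 1 and 4 also recur as bare literals in the stage 2 statistics hunk; `IPPROTO_TCP`, `IPPROTO_UDP` and `IPPROTO_ICMP` from `<netinet/in.h>` would document them. SigMatchSignatures continues outside the hunk.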
@ -434,19 +434,22 @@ int SigAddressPrepareStage2(Signature *s) {
printf("* Building signature grouping structure, stage 2: building source address list\n");
g_src_gh = DetectAddressGroupsHeadInit();
if (g_src_gh == NULL) {
int i;
for (i = 0; i < 256; i++) {
g_src_gh[i] = DetectAddressGroupsHeadInit();
if (g_src_gh[i] == NULL) {
goto error;
}
g_tmp_gh = DetectAddressGroupsHeadInit();
if (g_tmp_gh == NULL) {
g_tmp_gh[i] = DetectAddressGroupsHeadInit();
if (g_tmp_gh[i] == NULL) {
goto error;
}
}
/* now for every rule add the source group to our temp list */
for (tmp_s = s; tmp_s != NULL; tmp_s = tmp_s->next) {
for (gr = tmp_s->src.ipv4_head; gr != NULL; gr = gr->next) {
if ((lookup_gr = DetectAddressGroupLookup(g_tmp_gh->ipv4_head,gr->ad)) == NULL) {
if ((lookup_gr = DetectAddressGroupLookup(g_tmp_gh[tmp_s->ip_proto]->ipv4_head,gr->ad)) == NULL) {
DetectAddressGroup *grtmp = DetectAddressGroupInit();
if (grtmp == NULL) {
goto error;
@ -456,7 +459,7 @@ int SigAddressPrepareStage2(Signature *s) {
goto error;
}
grtmp->ad = adtmp;
DetectAddressGroupAdd(&g_tmp_gh->ipv4_head,grtmp);
DetectAddressGroupAdd(&g_tmp_gh[tmp_s->ip_proto]->ipv4_head,grtmp);
SigGroupAppend(grtmp,tmp_s);
cnt++;
@ -468,7 +471,7 @@ int SigAddressPrepareStage2(Signature *s) {
}
}
for (gr = tmp_s->src.ipv6_head; gr != NULL; gr = gr->next) {
if ((lookup_gr = DetectAddressGroupLookup(g_tmp_gh->ipv6_head,gr->ad)) == NULL) {
if ((lookup_gr = DetectAddressGroupLookup(g_tmp_gh[tmp_s->ip_proto]->ipv6_head,gr->ad)) == NULL) {
DetectAddressGroup *grtmp = DetectAddressGroupInit();
if (grtmp == NULL) {
goto error;
@ -478,7 +481,7 @@ int SigAddressPrepareStage2(Signature *s) {
goto error;
}
grtmp->ad = adtmp;
DetectAddressGroupAdd(&g_tmp_gh->ipv6_head,grtmp);
DetectAddressGroupAdd(&g_tmp_gh[tmp_s->ip_proto]->ipv6_head,grtmp);
SigGroupAppend(grtmp,tmp_s);
cnt++;
@ -491,7 +494,7 @@ int SigAddressPrepareStage2(Signature *s) {
}
/* XXX review 'any' usage here */
for (gr = tmp_s->src.any_head; gr != NULL; gr = gr->next) {
if ((lookup_gr = DetectAddressGroupLookup(g_tmp_gh->any_head,gr->ad)) == NULL) {
if ((lookup_gr = DetectAddressGroupLookup(g_tmp_gh[tmp_s->ip_proto]->any_head,gr->ad)) == NULL) {
DetectAddressGroup *grtmp = DetectAddressGroupInit();
if (grtmp == NULL) {
goto error;
@ -501,7 +504,7 @@ int SigAddressPrepareStage2(Signature *s) {
goto error;
}
grtmp->ad = adtmp;
DetectAddressGroupAdd(&g_tmp_gh->any_head,grtmp);
DetectAddressGroupAdd(&g_tmp_gh[tmp_s->ip_proto]->any_head,grtmp);
SigGroupAppend(grtmp,tmp_s);
cnt++;
@ -522,38 +525,40 @@ int SigAddressPrepareStage2(Signature *s) {
//DetectAddressGroupPrintList(g_tmp_gh->ipv4_head);
//printf("g_tmp_gh end\n");
for (gr = g_tmp_gh->ipv4_head; gr != NULL; ) {
for (i = 0; i < 256; i++) {
for (gr = g_tmp_gh[i]->ipv4_head; gr != NULL; ) {
//printf("Inserting2'ing: "); DetectAddressDataPrint(gr->ad);
DetectAddressGroup *grnext = gr->next;
gr->next = NULL;
if (DetectAddressGroupInsert(g_src_gh,gr) < 0)
if (DetectAddressGroupInsert(g_src_gh[i],gr) < 0)
goto error;
gr = grnext;
}
for (gr = g_tmp_gh->ipv6_head; gr != NULL; ) {
for (gr = g_tmp_gh[i]->ipv6_head; gr != NULL; ) {
//printf("Inserting2'ing: "); DetectAddressDataPrint(gr->ad);
DetectAddressGroup *grnext = gr->next;
gr->next = NULL;
if (DetectAddressGroupInsert(g_src_gh,gr) < 0)
if (DetectAddressGroupInsert(g_src_gh[i],gr) < 0)
goto error;
gr = grnext;
}
/* XXX whats the point of the any temp list if any is always just
* one object.... ??? */
for (gr = g_tmp_gh->any_head; gr != NULL; ) {
for (gr = g_tmp_gh[i]->any_head; gr != NULL; ) {
//printf("Inserting2'ing: "); DetectAddressDataPrint(gr->ad);
DetectAddressGroup *grnext = gr->next;
gr->next = NULL;
if (DetectAddressGroupInsert(g_src_gh,gr) < 0)
if (DetectAddressGroupInsert(g_src_gh[i],gr) < 0)
goto error;
gr = grnext;
}
}
@ -564,23 +569,64 @@ int SigAddressPrepareStage2(Signature *s) {
//DetectAddressGroupPrintList(g_src_gh->ipv4_head);
//printf("g_src_gh end\n");
printf("* %u signatures, %u sigs appends, %u actual source address inserts\n", sigs,cnt,insert);
/* TCP */
u_int32_t cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0;
for (gr = g_src_gh[6]->any_head; gr != NULL; gr = gr->next) {
cnt_any++;
}
for (gr = g_src_gh[6]->ipv4_head; gr != NULL; gr = gr->next) {
cnt_ipv4++;
}
for (gr = g_src_gh[6]->ipv6_head; gr != NULL; gr = gr->next) {
cnt_ipv6++;
}
printf("* TCP Source any: %u address blocks.\n", cnt_any);
printf("* TCP Source ipv4: %u address blocks.\n", cnt_ipv4);
printf("* TCP Source ipv6: %u address blocks.\n", cnt_ipv6);
for (gr = g_src_gh->any_head; gr != NULL; gr = gr->next) {
cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0;
for (gr = g_src_gh[17]->any_head; gr != NULL; gr = gr->next) {
cnt_any++;
}
for (gr = g_src_gh->ipv4_head; gr != NULL; gr = gr->next) {
for (gr = g_src_gh[17]->ipv4_head; gr != NULL; gr = gr->next) {
cnt_ipv4++;
}
for (gr = g_src_gh->ipv6_head; gr != NULL; gr = gr->next) {
for (gr = g_src_gh[17]->ipv6_head; gr != NULL; gr = gr->next) {
cnt_ipv6++;
}
printf("* UDP Source any: %u address blocks.\n", cnt_any);
printf("* UDP Source ipv4: %u address blocks.\n", cnt_ipv4);
printf("* UDP Source ipv6: %u address blocks.\n", cnt_ipv6);
printf("* %u signatures, %u sigs appends, %u actual source address inserts\n", sigs,cnt,insert);
cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0;
for (gr = g_src_gh[1]->any_head; gr != NULL; gr = gr->next) {
cnt_any++;
}
for (gr = g_src_gh[1]->ipv4_head; gr != NULL; gr = gr->next) {
cnt_ipv4++;
}
for (gr = g_src_gh[1]->ipv6_head; gr != NULL; gr = gr->next) {
cnt_ipv6++;
}
printf("* ICMP Source any: %u address blocks.\n", cnt_any);
printf("* ICMP Source ipv4: %u address blocks.\n", cnt_ipv4);
printf("* ICMP Source ipv6: %u address blocks.\n", cnt_ipv6);
printf("* Source any: %u address blocks.\n", cnt_any);
printf("* Source ipv4: %u address blocks.\n", cnt_ipv4);
printf("* Source ipv6: %u address blocks.\n", cnt_ipv6);
cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0;
for (gr = g_src_gh[4]->any_head; gr != NULL; gr = gr->next) {
cnt_any++;
}
for (gr = g_src_gh[4]->ipv4_head; gr != NULL; gr = gr->next) {
cnt_ipv4++;
}
for (gr = g_src_gh[4]->ipv6_head; gr != NULL; gr = gr->next) {
cnt_ipv6++;
}
printf("* IP Source any: %u address blocks.\n", cnt_any);
printf("* IP Source ipv4: %u address blocks.\n", cnt_ipv4);
printf("* IP Source ipv6: %u address blocks.\n", cnt_ipv6);
printf("* Building signature grouping structure, stage 2: building source address list... done\n");
return 0;
@ -600,8 +646,10 @@ int SigAddressPrepareStage3(Signature *s) {
SigGroupHeadListClean();
int i;
for (i = 0; i < 256; i++) {
/* loop through the global source address list */
for (gr = g_src_gh->ipv4_head; gr != NULL; gr = gr->next) {
for (gr = g_src_gh[i]->ipv4_head; gr != NULL; gr = gr->next) {
//printf(" * Source group: "); DetectAddressDataPrint(gr->ad); printf("\n");
/* use a tmp list for speeding up insertions */
@ -736,7 +784,8 @@ int SigAddressPrepareStage3(Signature *s) {
//printf(" * Source group: "); DetectAddressDataPrint(gr->ad); printf(": %d destination groups.\n", cnt);
cnt = 0;
}
for (gr = g_src_gh->ipv6_head; gr != NULL; gr = gr->next) {
for (gr = g_src_gh[i]->ipv6_head; gr != NULL; gr = gr->next) {
//printf(" * Source group: "); DetectAddressDataPrint(gr->ad); printf("\n");
/* use a tmp list for speeding up insertions */
@ -871,7 +920,7 @@ int SigAddressPrepareStage3(Signature *s) {
//printf(" * Source group: "); DetectAddressDataPrint(gr->ad); printf(": %d destination groups.\n", cnt);
cnt = 0;
}
for (gr = g_src_gh->any_head; gr != NULL; gr = gr->next) {
for (gr = g_src_gh[i]->any_head; gr != NULL; gr = gr->next) {
//printf(" * Source group: "); DetectAddressDataPrint(gr->ad); printf("\n");
/* use a tmp list for speeding up insertions */
@ -1006,6 +1055,7 @@ int SigAddressPrepareStage3(Signature *s) {
//printf(" * Source group: "); DetectAddressDataPrint(gr->ad); printf(": %d destination groups.\n", cnt);
cnt = 0;
}
}
/* XXX cleanup group head (uri)content_array's */
SigGroupHeadFreeMpmArrays();
@ -1029,25 +1079,28 @@ int SigAddressCleanupStage1(void) {
printf("* Cleaning up signature grouping structure, stage 1...\n");
for (global_src_gr = g_src_gh->ipv4_head; global_src_gr != NULL;
int i;
for (i = 0; i < 256; i++) {
for (global_src_gr = g_src_gh[i]->ipv4_head; global_src_gr != NULL;
global_src_gr = global_src_gr->next)
{
DetectAddressGroupsHeadCleanup(global_src_gr->dst_gh);
}
for (global_src_gr = g_src_gh->ipv6_head; global_src_gr != NULL;
for (global_src_gr = g_src_gh[i]->ipv6_head; global_src_gr != NULL;
global_src_gr = global_src_gr->next)
{
DetectAddressGroupsHeadCleanup(global_src_gr->dst_gh);
}
for (global_src_gr = g_src_gh->any_head; global_src_gr != NULL;
for (global_src_gr = g_src_gh[i]->any_head; global_src_gr != NULL;
global_src_gr = global_src_gr->next)
{
DetectAddressGroupsHeadCleanup(global_src_gr->dst_gh);
}
DetectAddressGroupsHeadCleanup(g_src_gh);
DetectAddressGroupsHeadCleanup(g_src_gh[i]);
}
printf("* Cleaning up signature grouping structure, stage 1... done\n");
return 0;
@ -1064,7 +1117,9 @@ int SigAddressPrepareStage5(void) {
printf("* Building signature grouping structure, stage 5: print...\n");
for (global_src_gr = g_src_gh->ipv4_head; global_src_gr != NULL;
int i;
for (i = 0; i < 256; i++) {
for (global_src_gr = g_src_gh[i]->ipv4_head; global_src_gr != NULL;
global_src_gr = global_src_gr->next)
{
printf("- "); DetectAddressDataPrint(global_src_gr->ad);
@ -1129,7 +1184,7 @@ int SigAddressPrepareStage5(void) {
}
}
for (global_src_gr = g_src_gh->ipv6_head; global_src_gr != NULL;
for (global_src_gr = g_src_gh[i]->ipv6_head; global_src_gr != NULL;
global_src_gr = global_src_gr->next)
{
printf("- "); DetectAddressDataPrint(global_src_gr->ad);
@ -1194,7 +1249,7 @@ int SigAddressPrepareStage5(void) {
}
}
for (global_src_gr = g_src_gh->any_head; global_src_gr != NULL;
for (global_src_gr = g_src_gh[i]->any_head; global_src_gr != NULL;
global_src_gr = global_src_gr->next)
{
printf("- "); DetectAddressDataPrint(global_src_gr->ad);
@ -1285,6 +1340,7 @@ int SigAddressPrepareStage5(void) {
#endif
}
}
}
printf("* Building signature grouping structure, stage 5: print... done\n");
return 0;
}

@ -48,7 +48,7 @@ typedef struct _Signature {
u_int8_t action;
DetectAddressGroupsHead src, dst;
SigPort sp, dp;
u_int8_t ip_proto;
u_int32_t rulegroup_refcnt;
struct _SigMatch *match;
struct _Signature *next;
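Review bot: The new field `u_int8_t ip_proto;` has no comment, and since it is now the index into the per-protocol group heads its meaning and origin should be stated where it is declared, e.g. `u_int8_t ip_proto; /* IANA protocol number from the rule header, set by SigParseProto; used as the g_src_gh index */`. The struct definition continues outside the hunk.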
