From 1e0b050a547bc52da3d6a174283c6a2a220b41c3 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Fri, 3 Jun 2011 16:33:16 +0200 Subject: [PATCH] Add more mask flags. --- src/detect.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++- src/detect.h | 18 ++++++-------- 2 files changed, 76 insertions(+), 11 deletions(-) diff --git a/src/detect.c b/src/detect.c index 4032e08153..caeb7a7f50 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1998,6 +1998,9 @@ deonly: SCReturnInt(1); } +#define MASK_TCP_INITDEINIT_FLAGS (TH_SYN|TH_RST|TH_FIN) +#define MASK_TCP_UNUSUAL_FLAGS (TH_URG|TH_ECN|TH_CWR) + /* Create mask for this packet + it's flow if it has one * * Sets SIG_MASK_REQUIRE_PAYLOAD, SIG_MASK_REQUIRE_FLOW, @@ -2008,6 +2011,18 @@ PacketCreateMask(Packet *p, SignatureMask *mask, uint16_t alproto, void *alstate if (!(p->flags & PKT_NOPAYLOAD_INSPECTION) && (p->payload_len > 0 || smsg != NULL)) { SCLogDebug("packet has payload"); (*mask) |= SIG_MASK_REQUIRE_PAYLOAD; + } else { + SCLogDebug("packet has no payload"); + (*mask) |= SIG_MASK_REQUIRE_NO_PAYLOAD; + } + + if (PKT_IS_TCP(p)) { + if ((p->tcph->th_flags & MASK_TCP_INITDEINIT_FLAGS) != 0) { + (*mask) |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT; + } + if ((p->tcph->th_flags & MASK_TCP_UNUSUAL_FLAGS) != 0) { + (*mask) |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL; + } } if (p->flags & PKT_HAS_FLOW) { 
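Review bot: The header comment above PacketCreateMask, visible as context in the first detect.c hunk (` * Sets SIG_MASK_REQUIRE_PAYLOAD, SIG_MASK_REQUIRE_FLOW,`), is not updated for the three bits the second hunk now sets, so it should also list SIG_MASK_REQUIRE_NO_PAYLOAD, SIG_MASK_REQUIRE_FLAGS_INITDEINIT and SIG_MASK_REQUIRE_FLAGS_UNUSUAL. It would help to state the prefilter contract there as well: a bit a signature requires must be present in the packet mask, so the packet side should err on the side of setting bits, which appears to be why a packet carrying payload but flagged PKT_NOPAYLOAD_INSPECTION falls into the new `else` branch and gets SIG_MASK_REQUIRE_NO_PAYLOAD rather than neither bit. The two MASK_TCP_* defines added in the first hunk carry no note that they must stay in step with the `/* SYN, FIN, RST */` and `/* URG, ECN, CWR */` annotations in detect.h; a one-liner such as `/* TCP flag groups behind SIG_MASK_REQUIRE_FLAGS_* in detect.h; keep in sync */` would do. PacketCreateMask continues past the end of the second hunk.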
@@ -2123,8 +2138,60 @@ static int SignatureCreateMask(Signature *s) { s->mask |= SIG_MASK_REQUIRE_FLOW; SCLogDebug("sig requires flow to be able to manipulate " "flowbit(s)"); + break; + } + case DETECT_FLAGS: + { + DetectFlagsData *fl = (DetectFlagsData *)sm->ctx; + + if (fl->flags & TH_SYN) { + s->mask |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT; + SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT"); + } + if (fl->flags & TH_RST) { + s->mask |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT; + SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT"); + } + if (fl->flags & TH_FIN) { + s->mask |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT; + SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT"); + } + if (fl->flags & TH_URG) { + s->mask |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL; + SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL"); + } + if (fl->flags & TH_ECN) { + s->mask |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL; + SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL"); + } + if (fl->flags & TH_CWR) { + s->mask |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL; + SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL"); + } + break; + } + case DETECT_DSIZE: + { + DetectDsizeData *ds = (DetectDsizeData *)sm->ctx; + switch (ds->mode) { + case DETECTDSIZE_RA: + case DETECTDSIZE_LT: + case DETECTDSIZE_GT: + s->mask |= SIG_MASK_REQUIRE_PAYLOAD; + SCLogDebug("sig requires payload"); + break; + case DETECTDSIZE_EQ: + if (ds->dsize > 0) { + s->mask |= SIG_MASK_REQUIRE_PAYLOAD; + SCLogDebug("sig requires payload"); + } else if (ds->dsize == 0) { + s->mask |= SIG_MASK_REQUIRE_NO_PAYLOAD; + SCLogDebug("sig requires no payload"); + } + break; + } + break; } - break; } } diff --git a/src/detect.h b/src/detect.h index 3f3bfd1e4f..241aaa961a 100644 --- a/src/detect.h +++ b/src/detect.h 
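Review bot: In the new DETECT_DSIZE case, `case DETECTDSIZE_LT:` is grouped with RA and GT and sets SIG_MASK_REQUIRE_PAYLOAD, but a `dsize:<N` test is also satisfied by a zero-length payload, so a packet without payload never gets that bit and a rule using only `dsize:<N` is silently prefiltered away from packets it should match; give LT its own arm, `case DETECTDSIZE_LT: /* '<' also matches payload_len 0 */ break;`, and let a GT in the same rule set the bit. The new DETECT_FLAGS case has the same shape of problem: it reads only `fl->flags`, so if the keyword's negation or any-of modifier is stored separately in DetectFlagsData (the `flags:!S` / `flags:*SA` rule syntax suggests it is), a negated rule is marked as requiring SIG_MASK_REQUIRE_FLAGS_INITDEINIT and then never runs on the SYN-less packets it targets — guard it with something like `if (fl->modifier == MODIFIER_NOT || fl->modifier == MODIFIER_ANY) break;` ahead of the flag tests, using whatever modifier constants detect-flags actually defines. The six identical three-line `if` blocks could reuse the MASK_TCP_INITDEINIT_FLAGS / MASK_TCP_UNUSUAL_FLAGS groups this same patch adds to detect.c, and the inner `switch (ds->mode)` has no `default:`. SignatureCreateMask starts before this hunk.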
@@ -269,16 +269,14 @@ typedef struct DetectPort_ {
 /* signature mask flags */
-#define SIG_MASK_REQUIRE_PAYLOAD 0x01
-#define SIG_MASK_REQUIRE_FLOW 0x02
-//#define SIG_MASK_REQUIRE_PKTVAR 0x04
-
-//#define SIG_MASK_REQUIRE_FLOWBIT 0x08 // VJ: can't prefilter as it's dynamic
-//#define SIG_MASK_REQUIRE_FLOWVAR 0x10
-//#define SIG_MASK_REQUIRE_FLOWINT 0x20
-
-#define SIG_MASK_REQUIRE_HTTP_STATE 0x40
-#define SIG_MASK_REQUIRE_DCE_STATE 0x80
+#define SIG_MASK_REQUIRE_PAYLOAD 0x01
+#define SIG_MASK_REQUIRE_FLOW 0x02
+#define SIG_MASK_REQUIRE_FLAGS_INITDEINIT 0x04 /* SYN, FIN, RST */
+#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL 0x08 /* URG, ECN, CWR */
+#define SIG_MASK_REQUIRE_NO_PAYLOAD 0x10
+//
+#define SIG_MASK_REQUIRE_HTTP_STATE 0x40
+#define SIG_MASK_REQUIRE_DCE_STATE 0x80
 /* for now a uint8_t is enough */
 #define SignatureMask uint8_t
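Review bot: The bare `+//` line that stands in for the removed 0x20 entry leaves that bit unexplained, and the dropped `// VJ: can't prefilter as it's dynamic` note was the only record of why flowbit/flowvar/flowint have no mask bit; replace it with `/* 0x20 unused; flowbit/flowvar/flowint can't be prefiltered: they are dynamic */`. The block also never states the contract these bits presumably implement in detect.c — every bit in a signature's mask must be set in the packet's mask for the signature to be considered — which is what makes over-marking on the packet side harmless and under-marking a silent detection gap; a two-line comment above the defines would spare the next reader from rederiving it. That SIG_MASK_REQUIRE_PAYLOAD and SIG_MASK_REQUIRE_NO_PAYLOAD are mutually exclusive on a packet belongs in the same comment. With seven of eight bits now in use, `/* for now a uint8_t is enough */` is close to its limit and worth saying so.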