Add more mask flags.

remotes/origin/master-1.1.x
Victor Julien 14 years ago
parent 4b52823ab6
commit 1e0b050a54

@ -1998,6 +1998,9 @@ deonly:
SCReturnInt(1); SCReturnInt(1);
} }
#define MASK_TCP_INITDEINIT_FLAGS (TH_SYN|TH_RST|TH_FIN)
#define MASK_TCP_UNUSUAL_FLAGS (TH_URG|TH_ECN|TH_CWR)
/* Create mask for this packet + it's flow if it has one /* Create mask for this packet + it's flow if it has one
* *
* Sets SIG_MASK_REQUIRE_PAYLOAD, SIG_MASK_REQUIRE_FLOW, * Sets SIG_MASK_REQUIRE_PAYLOAD, SIG_MASK_REQUIRE_FLOW,
@ -2008,6 +2011,18 @@ PacketCreateMask(Packet *p, SignatureMask *mask, uint16_t alproto, void *alstate
if (!(p->flags & PKT_NOPAYLOAD_INSPECTION) && (p->payload_len > 0 || smsg != NULL)) { if (!(p->flags & PKT_NOPAYLOAD_INSPECTION) && (p->payload_len > 0 || smsg != NULL)) {
SCLogDebug("packet has payload"); SCLogDebug("packet has payload");
(*mask) |= SIG_MASK_REQUIRE_PAYLOAD; (*mask) |= SIG_MASK_REQUIRE_PAYLOAD;
} else {
SCLogDebug("packet has no payload");
(*mask) |= SIG_MASK_REQUIRE_NO_PAYLOAD;
}
if (PKT_IS_TCP(p)) {
if ((p->tcph->th_flags & MASK_TCP_INITDEINIT_FLAGS) != 0) {
(*mask) |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
}
if ((p->tcph->th_flags & MASK_TCP_UNUSUAL_FLAGS) != 0) {
(*mask) |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
}
} }
if (p->flags & PKT_HAS_FLOW) { if (p->flags & PKT_HAS_FLOW) {
@ -2123,9 +2138,61 @@ static int SignatureCreateMask(Signature *s) {
s->mask |= SIG_MASK_REQUIRE_FLOW; s->mask |= SIG_MASK_REQUIRE_FLOW;
SCLogDebug("sig requires flow to be able to manipulate " SCLogDebug("sig requires flow to be able to manipulate "
"flowbit(s)"); "flowbit(s)");
break;
}
case DETECT_FLAGS:
{
DetectFlagsData *fl = (DetectFlagsData *)sm->ctx;
if (fl->flags & TH_SYN) {
s->mask |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT");
}
if (fl->flags & TH_RST) {
s->mask |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT");
}
if (fl->flags & TH_FIN) {
s->mask |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT");
}
if (fl->flags & TH_URG) {
s->mask |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL");
}
if (fl->flags & TH_ECN) {
s->mask |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL");
}
if (fl->flags & TH_CWR) {
s->mask |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL");
} }
break; break;
} }
case DETECT_DSIZE:
{
DetectDsizeData *ds = (DetectDsizeData *)sm->ctx;
switch (ds->mode) {
case DETECTDSIZE_RA:
case DETECTDSIZE_LT:
case DETECTDSIZE_GT:
s->mask |= SIG_MASK_REQUIRE_PAYLOAD;
SCLogDebug("sig requires payload");
break;
case DETECTDSIZE_EQ:
if (ds->dsize > 0) {
s->mask |= SIG_MASK_REQUIRE_PAYLOAD;
SCLogDebug("sig requires payload");
} else if (ds->dsize == 0) {
s->mask |= SIG_MASK_REQUIRE_NO_PAYLOAD;
SCLogDebug("sig requires no payload");
}
break;
}
break;
}
}
} }
if (s->mask & SIG_MASK_REQUIRE_DCE_STATE || if (s->mask & SIG_MASK_REQUIRE_DCE_STATE ||
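Review bot: In the `DETECT_DSIZE` case, `DETECTDSIZE_LT` falls through to `s->mask |= SIG_MASK_REQUIRE_PAYLOAD`, but a less-than size test is also satisfied by a zero-length payload, and `PacketCreateMask` sets the payload bit only when `payload_len > 0` or `smsg != NULL`. If the mask is applied as a set of required bits (the comparison is outside this hunk), a `dsize:<N` signature is never evaluated on empty packets, which is a silent missed detection. Drop `case DETECTDSIZE_LT:` from the fall-through group and leave a comment such as `/* LT also matches dsize 0, so it must not require payload */`. The `DETECT_FLAGS` case has the same shape: it keys only on `fl->flags`, so if the keyword supports negated or any-of matching (the definition of `DetectFlagsData` is not shown here), those signatures would be prefiltered away too. `SignatureCreateMask` starts and ends outside the hunk.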

@ -271,12 +271,10 @@ typedef struct DetectPort_ {
/* signature mask flags */ /* signature mask flags */
#define SIG_MASK_REQUIRE_PAYLOAD 0x01 #define SIG_MASK_REQUIRE_PAYLOAD 0x01
#define SIG_MASK_REQUIRE_FLOW 0x02 #define SIG_MASK_REQUIRE_FLOW 0x02
//#define SIG_MASK_REQUIRE_PKTVAR 0x04 #define SIG_MASK_REQUIRE_FLAGS_INITDEINIT 0x04 /* SYN, FIN, RST */
#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL 0x08 /* URG, ECN, CWR */
//#define SIG_MASK_REQUIRE_FLOWBIT 0x08 // VJ: can't prefilter as it's dynamic #define SIG_MASK_REQUIRE_NO_PAYLOAD 0x10
//#define SIG_MASK_REQUIRE_FLOWVAR 0x10 //
//#define SIG_MASK_REQUIRE_FLOWINT 0x20
#define SIG_MASK_REQUIRE_HTTP_STATE 0x40 #define SIG_MASK_REQUIRE_HTTP_STATE 0x40
#define SIG_MASK_REQUIRE_DCE_STATE 0x80 #define SIG_MASK_REQUIRE_DCE_STATE 0x80
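Review bot: `SIG_MASK_REQUIRE_NO_PAYLOAD` is the only new flag without a comment, and it is the one whose meaning is least obvious next to `SIG_MASK_REQUIRE_PAYLOAD`. The other hunks of this commit set exactly one of the two per packet, so a signature that collects both bits could presumably never pass the mask check; a comment such as `/* packet has no payload; mutually exclusive with SIG_MASK_REQUIRE_PAYLOAD */` would record that. With the commented-out placeholders removed it is also worth noting that `0x20` is the one value left unassigned below `0x80`.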
