|
|
|
@ -294,11 +294,44 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
|
|
|
|
|
"since this is a dce alproto sig.");
|
|
|
|
|
if (offset != NULL) {
|
|
|
|
|
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
|
|
|
|
|
"seen in isdataat - %s\n", offset);
|
|
|
|
|
"seen in isdataat - %s", offset);
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
} else if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
|
|
|
|
|
if (idad->flags & ISDATAAT_RELATIVE) {
|
|
|
|
|
pm = SigMatchGetLastSMFromLists(s, 10,
|
|
|
|
|
DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
|
|
|
|
|
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
|
|
|
|
|
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
|
|
|
|
|
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
|
|
|
|
|
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
|
|
|
|
|
if (pm == NULL) {
|
|
|
|
|
idad->flags &= ~ISDATAAT_RELATIVE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
s->flags |= SIG_FLAG_APPLAYER;
|
|
|
|
|
AppLayerHtpEnableResponseBodyCallback();
|
|
|
|
|
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
|
|
|
|
|
} else {
|
|
|
|
|
s->flags |= SIG_FLAG_APPLAYER;
|
|
|
|
|
AppLayerHtpEnableResponseBodyCallback();
|
|
|
|
|
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (pm == NULL) {
|
|
|
|
|
SCLogDebug("No preceding content or pcre keyword. Possible "
|
|
|
|
|
"since this is a file_data sig.");
|
|
|
|
|
if (offset != NULL) {
|
|
|
|
|
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
|
|
|
|
|
"seen in isdataat - %s", offset);
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
prev_pm = pm;
|
|
|
|
|
} else {
|
|
|
|
|
if (!(idad->flags & ISDATAAT_RELATIVE)) {
|
|
|
|
|
SigMatchAppendPayload(s, sm);
|
|
|
|
@ -318,7 +351,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
pm = SigMatchGetLastSMFromLists(s, 48,
|
|
|
|
|
pm = SigMatchGetLastSMFromLists(s, 50,
|
|
|
|
|
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 1 */
|
|
|
|
|
DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
|
|
|
|
|
DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
|
|
|
|
@ -331,18 +364,19 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
|
|
|
|
|
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 10 */
|
|
|
|
|
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
|
|
|
|
|
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
|
|
|
|
|
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
|
|
|
|
|
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
|
|
|
|
|
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
|
|
|
|
|
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], /* 15 */
|
|
|
|
|
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], /* 15 */
|
|
|
|
|
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
|
|
|
|
|
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
|
|
|
|
|
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
|
|
|
|
|
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
|
|
|
|
|
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
|
|
|
|
|
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], /* 20 */
|
|
|
|
|
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 20 */
|
|
|
|
|
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
|
|
|
|
|
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
|
|
|
|
|
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
|
|
|
|
|
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
|
|
|
|
|
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]); /* 24 */
|
|
|
|
|
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]); /* 25 */
|
|
|
|
|
if (pm == NULL) {
|
|
|
|
|
SCLogError(SC_ERR_INVALID_SIGNATURE, "isdataat relative seen "
|
|
|
|
|
"without a previous content uricontent, "
|
|
|
|
@ -1050,7 +1084,56 @@ static int DetectIsdataatTestParse14(void)
|
|
|
|
|
if ( !(data->flags & ISDATAAT_RELATIVE) ||
|
|
|
|
|
(data->flags & ISDATAAT_RAWBYTES) ||
|
|
|
|
|
!(data->flags & ISDATAAT_NEGATED) ) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
end:
|
|
|
|
|
SigGroupCleanup(de_ctx);
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test file_data with isdataat relative to it
|
|
|
|
|
*/
|
|
|
|
|
static int DetectIsdataatTestParse15(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
Signature *s = NULL;
|
|
|
|
|
DetectIsdataatData *data = NULL;
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing file_data and isdataat\"; "
|
|
|
|
|
"file_data; isdataat:!4,relative; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("sig parse: ");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
s = de_ctx->sig_list;
|
|
|
|
|
if (s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH] == NULL) {
|
|
|
|
|
printf("server body list empty: ");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->type != DETECT_ISDATAAT) {
|
|
|
|
|
printf("last server body sm not isdataat: ");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx;
|
|
|
|
|
if ( (data->flags & ISDATAAT_RELATIVE) ||
|
|
|
|
|
(data->flags & ISDATAAT_RAWBYTES) ||
|
|
|
|
|
!(data->flags & ISDATAAT_NEGATED) ) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -1185,6 +1268,8 @@ void DetectIsdataatRegisterTests(void) {
|
|
|
|
|
UtRegisterTest("DetectIsdataatTestParse12", DetectIsdataatTestParse12, 1);
|
|
|
|
|
UtRegisterTest("DetectIsdataatTestParse13", DetectIsdataatTestParse13, 1);
|
|
|
|
|
UtRegisterTest("DetectIsdataatTestParse14", DetectIsdataatTestParse14, 1);
|
|
|
|
|
UtRegisterTest("DetectIsdataatTestParse15", DetectIsdataatTestParse15, 1);
|
|
|
|
|
|
|
|
|
|
UtRegisterTest("DetectIsdataatTestPacket01", DetectIsdataatTestPacket01, 1);
|
|
|
|
|
UtRegisterTest("DetectIsdataatTestPacket02", DetectIsdataatTestPacket02, 1);
|
|
|
|
|
UtRegisterTest("DetectIsdataatTestPacket03", DetectIsdataatTestPacket03, 1);
|
|
|
|
|