file-data: make bytejump, bytetest, byteextract and isdataat work better with file_data.

remotes/origin/master-1.2.x
Victor Julien 14 years ago
parent 077970051e
commit 296ce8b5f9

@ -589,9 +589,7 @@ int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
if (prev_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "No preceding content, "
"byte_test or pcre option after file_data");
goto error;
data->flags &= ~DETECT_BYTE_EXTRACT_FLAG_RELATIVE;
}
s->flags |= SIG_FLAG_APPLAYER;
@ -2405,32 +2403,6 @@ int DetectByteExtractTest42(void)
return result;
}
int DetectByteExtractTest43(void)
{
DetectEngineCtx *de_ctx = NULL;
@ -2652,35 +2624,6 @@ int DetectByteExtractTest44(void)
return result;
}
int DetectByteExtractTest45(void)
{
DetectEngineCtx *de_ctx = NULL;
@ -2903,32 +2846,6 @@ int DetectByteExtractTest46(void)
return result;
}
int DetectByteExtractTest47(void)
{
DetectEngineCtx *de_ctx = NULL;
@ -3157,32 +3074,6 @@ int DetectByteExtractTest48(void)
return result;
}
int DetectByteExtractTest49(void)
{
DetectEngineCtx *de_ctx = NULL;
@ -3414,39 +3305,6 @@ int DetectByteExtractTest50(void)
return result;
}
int DetectByteExtractTest51(void)
{
DetectEngineCtx *de_ctx = NULL;
@ -3666,25 +3524,6 @@ int DetectByteExtractTest52(void)
return result;
}
int DetectByteExtractTest53(void)
{
DetectEngineCtx *de_ctx = NULL;
@ -4917,6 +4756,58 @@ int DetectByteExtractTest61(void)
return result;
}
static int DetectByteExtractTest62(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
Signature *s = NULL;
SigMatch *sm = NULL;
DetectByteExtractData *bed = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(file_data; byte_extract:4,2,two,relative,string,hex; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
if (s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH] == NULL) {
goto end;
}
sm = s->sm_lists[DETECT_SM_LIST_HSBDMATCH];
if (sm->type != DETECT_BYTE_EXTRACT) {
result = 0;
goto end;
}
bed = (DetectByteExtractData *)sm->ctx;
if (bed->nbytes != 4 ||
bed->offset != 2 ||
strncmp(bed->name, "two", 3) != 0 ||
bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING) ||
bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
bed->align_value != 0 ||
bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
result = 1;
end:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
return result;
}
#endif /* UNITTESTS */
void DetectByteExtractRegisterTests(void)
@ -4991,6 +4882,7 @@ void DetectByteExtractRegisterTests(void)
UtRegisterTest("DetectByteExtractTest59", DetectByteExtractTest59, 1);
UtRegisterTest("DetectByteExtractTest60", DetectByteExtractTest60, 1);
UtRegisterTest("DetectByteExtractTest61", DetectByteExtractTest61, 1);
UtRegisterTest("DetectByteExtractTest62", DetectByteExtractTest62, 1);
#endif /* UNITTESTS */
return;
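Review bot: In the DetectByteExtractSetup hunk, `relative` is now silently dropped when nothing precedes the keyword after file_data (`data->flags &= ~DETECT_BYTE_EXTRACT_FLAG_RELATIVE;`), whereas the SCLogError/goto error lines this hunk removes appear to have rejected such a signature, so a rule author gets no indication that byte_extract will now be evaluated at an absolute offset into the file_data buffer. The same silent clearing is in the DetectBytejumpSetup and DetectBytetestSetup hunks (`~DETECT_BYTEJUMP_RELATIVE`, `~DETECT_BYTETEST_RELATIVE`), while the isdataat hunk in this same commit does log the situation. For consistency, log before clearing, e.g. `SCLogDebug("no preceding content, byte_test or pcre after file_data, dropping relative");` in all three places. DetectByteExtractTest62 does pin the resulting flag value (`bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING)`), but the setup function's body starts and ends outside the hunk, so the surrounding flow is not visible here.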

@ -570,9 +570,7 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
if (prev_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "No preceding content, "
"byte_test or pcre option after file_data");
goto error;
data->flags &= ~DETECT_BYTEJUMP_RELATIVE;
}
s->flags |= SIG_FLAG_APPLAYER;
@ -1117,6 +1115,56 @@ int DetectBytejumpTestParse11(void)
return result;
}
/**
* \test Test file_data
*/
static int DetectBytejumpTestParse12(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
Signature *s = NULL;
DetectBytejumpData *bd = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(file_data; byte_jump:4,0,align,multiplier 2, "
"post_offset -16,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
s = de_ctx->sig_list;
if (s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH] == NULL) {
goto end;
}
if (s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->type != DETECT_BYTEJUMP) {
goto end;
}
bd = (DetectBytejumpData *)s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx;
if ((bd->flags & DETECT_BYTEJUMP_DCE) &&
(bd->flags & DETECT_BYTEJUMP_RELATIVE) &&
(bd->flags & DETECT_BYTEJUMP_STRING) &&
(bd->flags & DETECT_BYTEJUMP_BIG) &&
(bd->flags & DETECT_BYTEJUMP_LITTLE) ) {
result = 0;
goto end;
}
result = 1;
end:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test DetectByteJumpTestPacket01 is a test to check matches of
* byte_jump and byte_jump relative works if the previous keyword is pcre
@ -1231,6 +1279,8 @@ void DetectBytejumpRegisterTests(void) {
UtRegisterTest("DetectBytejumpTestParse09", DetectBytejumpTestParse09, 1);
UtRegisterTest("DetectBytejumpTestParse10", DetectBytejumpTestParse10, 1);
UtRegisterTest("DetectBytejumpTestParse11", DetectBytejumpTestParse11, 1);
UtRegisterTest("DetectBytejumpTestParse12", DetectBytejumpTestParse12, 1);
UtRegisterTest("DetectByteJumpTestPacket01", DetectByteJumpTestPacket01, 1);
UtRegisterTest("DetectByteJumpTestPacket02", DetectByteJumpTestPacket02, 1);
UtRegisterTest("DetectByteJumpTestPacket03", DetectByteJumpTestPacket03, 1);
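Review bot: The flag check in DetectBytejumpTestParse12 (`if ((bd->flags & DETECT_BYTEJUMP_DCE) && (bd->flags & DETECT_BYTEJUMP_RELATIVE) && ...`) ANDs five flags together, so it is only true when every one of them is set at once and the test returns 1 regardless of whether `relative` was actually cleared, which is the behaviour the Setup hunk introduces and this test is meant to cover. Check the one flag that matters, `if (bd->flags & DETECT_BYTEJUMP_RELATIVE) { goto end; }`, as DetectIsdataatTestParse15 in this commit does for ISDATAAT_RELATIVE. DetectBytetestTestParse22 has the same vacuous conjunction over the DETECT_BYTETEST_* flags and should likewise check `bd->flags & DETECT_BYTETEST_RELATIVE` on its own.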

@ -494,9 +494,7 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
if (prev_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "No preceding content, "
"byte_test or pcre option after file_data");
goto error;
data->flags &= ~DETECT_BYTETEST_RELATIVE;
}
s->flags |= SIG_FLAG_APPLAYER;
@ -1286,6 +1284,59 @@ int DetectBytetestTestParse21(void)
return result;
}
/**
* \test Test file_data
*/
static int DetectBytetestTestParse22(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
Signature *s = NULL;
DetectBytetestData *bd = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(file_data; byte_test:1,=,1,6,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("sig parse failed: ");
goto end;
}
s = de_ctx->sig_list;
if (s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH] == NULL) {
printf("empty server body list: ");
goto end;
}
if (s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->type != DETECT_BYTETEST) {
printf("bytetest not last sm in server body list: ");
goto end;
}
bd = (DetectBytetestData *)s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx;
if (bd->flags & DETECT_BYTETEST_DCE &&
bd->flags & DETECT_BYTETEST_RELATIVE &&
(bd->flags & DETECT_BYTETEST_STRING) &&
(bd->flags & DETECT_BYTETEST_BIG) &&
(bd->flags & DETECT_BYTETEST_LITTLE) &&
(bd->flags & DETECT_BYTETEST_NEGOP) ) {
printf("wrong flags: ");
goto end;
}
result = 1;
end:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test DetectByteTestTestPacket01 is a test to check matches of
* byte_test and byte_test relative works if the previous keyword is pcre
@ -1466,6 +1517,8 @@ void DetectBytetestRegisterTests(void) {
UtRegisterTest("DetectBytetestTestParse19", DetectBytetestTestParse19, 1);
UtRegisterTest("DetectBytetestTestParse20", DetectBytetestTestParse20, 1);
UtRegisterTest("DetectBytetestTestParse21", DetectBytetestTestParse21, 1);
UtRegisterTest("DetectBytetestTestParse22", DetectBytetestTestParse22, 1);
UtRegisterTest("DetectByteTestTestPacket01", DetectByteTestTestPacket01, 1);
UtRegisterTest("DetectByteTestTestPacket02", DetectByteTestTestPacket02, 1);
UtRegisterTest("DetectByteTestTestPacket03", DetectByteTestTestPacket03, 1);

@ -294,11 +294,44 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
"since this is a dce alproto sig.");
if (offset != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in isdataat - %s\n", offset);
"seen in isdataat - %s", offset);
goto error;
}
return 0;
}
} else if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
if (idad->flags & ISDATAAT_RELATIVE) {
pm = SigMatchGetLastSMFromLists(s, 10,
DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
if (pm == NULL) {
idad->flags &= ~ISDATAAT_RELATIVE;
}
s->flags |= SIG_FLAG_APPLAYER;
AppLayerHtpEnableResponseBodyCallback();
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
} else {
s->flags |= SIG_FLAG_APPLAYER;
AppLayerHtpEnableResponseBodyCallback();
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
}
if (pm == NULL) {
SCLogDebug("No preceding content or pcre keyword. Possible "
"since this is a file_data sig.");
if (offset != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in isdataat - %s", offset);
goto error;
}
return 0;
}
prev_pm = pm;
} else {
if (!(idad->flags & ISDATAAT_RELATIVE)) {
SigMatchAppendPayload(s, sm);
@ -318,7 +351,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
}
return 0;
}
pm = SigMatchGetLastSMFromLists(s, 48,
pm = SigMatchGetLastSMFromLists(s, 50,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 1 */
DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
@ -331,18 +364,19 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 10 */
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], /* 15 */
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], /* 15 */
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], /* 20 */
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 20 */
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]); /* 24 */
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]); /* 25 */
if (pm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "isdataat relative seen "
"without a previous content uricontent, "
@ -1050,7 +1084,56 @@ static int DetectIsdataatTestParse14(void)
if ( !(data->flags & ISDATAAT_RELATIVE) ||
(data->flags & ISDATAAT_RAWBYTES) ||
!(data->flags & ISDATAAT_NEGATED) ) {
result = 0;
goto end;
}
result = 1;
end:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test file_data with isdataat relative to it
*/
static int DetectIsdataatTestParse15(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
Signature *s = NULL;
DetectIsdataatData *data = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing file_data and isdataat\"; "
"file_data; isdataat:!4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("sig parse: ");
goto end;
}
s = de_ctx->sig_list;
if (s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH] == NULL) {
printf("server body list empty: ");
goto end;
}
if (s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->type != DETECT_ISDATAAT) {
printf("last server body sm not isdataat: ");
goto end;
}
data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx;
if ( (data->flags & ISDATAAT_RELATIVE) ||
(data->flags & ISDATAAT_RAWBYTES) ||
!(data->flags & ISDATAAT_NEGATED) ) {
goto end;
}
@ -1185,6 +1268,8 @@ void DetectIsdataatRegisterTests(void) {
UtRegisterTest("DetectIsdataatTestParse12", DetectIsdataatTestParse12, 1);
UtRegisterTest("DetectIsdataatTestParse13", DetectIsdataatTestParse13, 1);
UtRegisterTest("DetectIsdataatTestParse14", DetectIsdataatTestParse14, 1);
UtRegisterTest("DetectIsdataatTestParse15", DetectIsdataatTestParse15, 1);
UtRegisterTest("DetectIsdataatTestPacket01", DetectIsdataatTestPacket01, 1);
UtRegisterTest("DetectIsdataatTestPacket02", DetectIsdataatTestPacket02, 1);
UtRegisterTest("DetectIsdataatTestPacket03", DetectIsdataatTestPacket03, 1);
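Review bot: In the new SIG_FLAG_INIT_FILE_DATA branch of DetectIsdataatSetup, the relative case calls `SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH)` before the `offset != NULL` check that does `goto error`; if the error label (outside this hunk) frees `sm` or `idad`, the signature's list is left holding a pointer to freed memory until SigCleanSignatures runs, so this is worth confirming and, if so, the offset check should run before the append. Separately, `pm` is only assigned in the relative sub-branch, so the non-relative path reaches `if (pm == NULL)` with whatever value `pm` had at its declaration outside the hunk, presumably NULL; moving the `pm == NULL` handling inside the relative block would make that intent explicit. The enclosing function starts and ends outside the hunk.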
