Only process a app layer sig if it has the proper state. Make sure a sig can't have conflicting sigmatches, such as ftpbouce and uricontent.

16 years ago · 297001c6d9
parent ec47f840f3
commit 297001c6d9
12 changed files with 73 additions and 7 deletions
--- a/src/detect-dce-iface.c
+++ b/src/detect-dce-iface.c
@ -338,6 +338,12 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)

    SigMatchAppendAppLayer(s, sm);

+    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
+        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+        goto error;
+    }
+
+    s->alproto = ALPROTO_DCERPC;
    return 0;

 error:
--- a/src/detect-dce-opnum.c
+++ b/src/detect-dce-opnum.c
@ -293,6 +293,12 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)

    SigMatchAppendAppLayer(s, sm);

+    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
+        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+        goto error;
+    }
+
+    s->alproto = ALPROTO_DCERPC;
    return 0;

 error:
--- a/src/detect-dce-stub-data.c
+++ b/src/detect-dce-stub-data.c
@ -100,6 +100,12 @@ static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, char *a

    SigMatchAppendAppLayer(s, sm);

+    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
+        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+        goto error;
+    }
+
+    s->alproto = ALPROTO_DCERPC;
    return 0;

 error:
--- a/src/detect-ftpbounce.c
+++ b/src/detect-ftpbounce.c
@ -224,17 +224,17 @@ int DetectFtpbounceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
 */
 int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, char *ftpbouncestr)
 {
+    SCEnter();
+
    SigMatch *sm = NULL;

    sm = SigMatchAlloc();
-    if (sm == NULL)
-        return -1;
+    if (sm == NULL) {
+        goto error;;
+    }

    sm->type = DETECT_FTPBOUNCE;

-//    if (s != NULL)
-//        s->flags |= SIG_FLAG_APPLAYER;
-
    /* We don't need to allocate any data for ftpbounce here.
    *
    * TODO: As a suggestion, maybe we can add a flag in the flow
@ -247,7 +247,20 @@ int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, char *ftpbounces
    sm->ctx = NULL;

    SigMatchAppendAppLayer(s, sm);
-    return 0;
+
+    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_FTP) {
+        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+        goto error;
+    }
+
+    s->alproto = ALPROTO_FTP;
+    SCReturnInt(0);
+
+error:
+    if (sm != NULL) {
+        SigMatchFree(sm);
+    }
+    SCReturnInt(-1);
 }

 #ifdef UNITTESTS
--- a/src/detect-http-cookie.c
+++ b/src/detect-http-cookie.c
@ -218,6 +218,12 @@ static int DetectHttpCookieSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
    /* Flagged the signature as to inspect the app layer data */
    s->flags |= SIG_FLAG_APPLAYER;

+    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
+        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+        goto error;
+    }
+
+    s->alproto = ALPROTO_HTTP;
    return 0;
 error:
    if (hd != NULL) {
--- a/src/detect-http-method.c
+++ b/src/detect-http-method.c
@ -205,6 +205,12 @@ static int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s, char *st
    /* Flagged the signature as to inspect the app layer data */
    s->flags |= SIG_FLAG_APPLAYER;

+    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
+        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+        goto error;
+    }
+
+    s->alproto = ALPROTO_HTTP;
    SCReturnInt(0);

 error:
--- a/src/detect-tls-version.c
+++ b/src/detect-tls-version.c
@ -224,6 +224,13 @@ static int DetectTlsVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
    sm->ctx = (void *)tls;

    SigMatchAppendAppLayer(s, sm);
+
+    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
+        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+        goto error;
+    }
+
+    s->alproto = ALPROTO_TLS;
    return 0;

 error:
--- a/src/detect-uricontent.c
+++ b/src/detect-uricontent.c
@ -247,6 +247,12 @@ int DetectUricontentSetup (DetectEngineCtx *de_ctx, Signature *s, char *contents
    /* Flagged the signature as to inspect the app layer data */
    s->flags |= SIG_FLAG_APPLAYER;

+    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
+        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+        goto error;
+    }
+
+    s->alproto = ALPROTO_HTTP;
    SCReturnInt(0);

 error:
--- a/src/detect.c
+++ b/src/detect.c
@ -83,6 +83,7 @@
 #include "util-rule-vars.h"

 #include "app-layer.h"
+#include "app-layer-protos.h"
 #include "app-layer-htp.h"
 #include "detect-tls-version.h"

@ -110,7 +111,6 @@
 #include "util-cuda.h"

 SigMatch *SigMatchAlloc(void);
-void SigMatchFree(SigMatch *sm);
 void DetectExitPrintStats(ThreadVars *tv, void *data);

 void DbgPrintSigs(DetectEngineCtx *, SigGroupHead *);
@ -604,6 +604,13 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
            continue;
        }

+        /* if the sig has alproto and the session as well they should match */
+        if (s->alproto != ALPROTO_UNKNOWN && alproto != ALPROTO_UNKNOWN) {
+            if (s->alproto != alproto) {
+                continue;
+            }
+        }
+
        /* check the source & dst port in the sig */
        if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP) {
            if (!(s->flags & SIG_FLAG_DP_ANY)) {
--- a/src/detect.h
+++ b/src/detect.h
@ -578,6 +578,7 @@ SigTableElmt sigmatch_table[DETECT_TBLSIZE];

 /* detection api */
 SigMatch *SigMatchAlloc(void);
+void SigMatchFree(SigMatch *sm);
 void SigCleanSignatures(DetectEngineCtx *);

 void SigTableRegisterTests(void);
--- a/src/util-error.c
+++ b/src/util-error.c
@ -118,6 +118,7 @@ const char * SCErrorToString(SCError err)
        CASE_CODE (SC_ERR_B2G_CUDA_ERROR);
        CASE_CODE (SC_ERR_INVALID_YAML_CONF_ENTRY);
        CASE_CODE (SC_ERR_TMQ_ALREADY_REGISTERED);
+        CASE_CODE (SC_ERR_CONFLICTING_RULE_KEYWORDS);
        default:
            return "UNKNOWN_ERROR";
    }
--- a/src/util-error.h
+++ b/src/util-error.h
@ -135,6 +135,7 @@ typedef enum {
    SC_ERR_B2G_CUDA_ERROR,
    SC_ERR_INVALID_YAML_CONF_ENTRY,
    SC_ERR_TMQ_ALREADY_REGISTERED,
+    SC_ERR_CONFLICTING_RULE_KEYWORDS,
 } SCError;

 const char *SCErrorToString(SCError);