Improve detection of app layer, making sure we only handle app layer on 'established' packets. Should really fix #166.

remotes/origin/master-1.0.x
Victor Julien 15 years ago
parent 37442a8a84
commit 2f29b8a724

@ -853,6 +853,7 @@ static int DetectDceIfaceTestParse12(void)
f.protoctx = (void *)&ssn;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -1070,6 +1071,7 @@ static int DetectDceIfaceTestParse13(void)
f.proto = IPPROTO_TCP;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -1303,6 +1305,7 @@ static int DetectDceIfaceTestParse14(void)
f.protoctx = (void *)&ssn;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);

@ -1137,6 +1137,7 @@ static int DetectDceOpnumTestParse08(void)
f.protoctx = (void *)&ssn;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -1664,6 +1665,7 @@ static int DetectDceOpnumTestParse09(void)
f.protoctx = (void *)&ssn;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -1862,6 +1864,7 @@ static int DetectDceOpnumTestParse10(void)
f.proto = IPPROTO_TCP;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -2139,6 +2142,7 @@ static int DetectDceOpnumTestParse11(void)
f.proto = IPPROTO_TCP;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -2403,6 +2407,7 @@ static int DetectDceOpnumTestParse12(void)
f.proto = IPPROTO_TCP;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -2676,6 +2681,7 @@ static int DetectDceOpnumTestParse13(void)
f.proto = IPPROTO_TCP;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);

@ -649,6 +649,7 @@ static int DetectDceStubDataTestParse02(void)
f.protoctx = (void *)&ssn;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -1186,6 +1187,7 @@ static int DetectDceStubDataTestParse03(void)
f.protoctx = (void *)&ssn;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -1380,6 +1382,7 @@ static int DetectDceStubDataTestParse04(void)
f.proto = IPPROTO_TCP;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -1631,6 +1634,7 @@ static int DetectDceStubDataTestParse05(void)
f.proto = IPPROTO_TCP;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);

@ -1547,6 +1547,7 @@ int DcePayloadTest01(void)
p[i].proto = IPPROTO_TCP;
p[i].flow = &f;
p[i].flowflags |= FLOW_PKT_TOSERVER;
p[i].flowflags |= FLOW_PKT_ESTABLISHED;
}
p[1].flowflags |= FLOW_PKT_TOCLIENT;
@ -2413,6 +2414,7 @@ int DcePayloadTest02(void)
p[i].proto = IPPROTO_TCP;
p[i].flow = &f;
p[i].flowflags |= FLOW_PKT_TOSERVER;
p[i].flowflags |= FLOW_PKT_ESTABLISHED;
}
p[1].flowflags |= FLOW_PKT_TOCLIENT;
@ -2861,6 +2863,7 @@ int DcePayloadTest03(void)
p[i].proto = IPPROTO_TCP;
p[i].flow = &f;
p[i].flowflags |= FLOW_PKT_TOSERVER;
p[i].flowflags |= FLOW_PKT_ESTABLISHED;
}
p[1].flowflags |= FLOW_PKT_TOCLIENT;
@ -3309,6 +3312,7 @@ int DcePayloadTest04(void)
p[i].proto = IPPROTO_TCP;
p[i].flow = &f;
p[i].flowflags |= FLOW_PKT_TOSERVER;
p[i].flowflags |= FLOW_PKT_ESTABLISHED;
}
p[1].flowflags |= FLOW_PKT_TOCLIENT;
@ -3756,6 +3760,7 @@ int DcePayloadTest05(void)
p[i].proto = IPPROTO_TCP;
p[i].flow = &f;
p[i].flowflags |= FLOW_PKT_TOSERVER;
p[i].flowflags |= FLOW_PKT_ESTABLISHED;
}
p[1].flowflags |= FLOW_PKT_TOCLIENT;
@ -4204,6 +4209,7 @@ int DcePayloadTest06(void)
p[i].proto = IPPROTO_TCP;
p[i].flow = &f;
p[i].flowflags |= FLOW_PKT_TOSERVER;
p[i].flowflags |= FLOW_PKT_ESTABLISHED;
}
p[1].flowflags |= FLOW_PKT_TOCLIENT;
@ -4651,6 +4657,7 @@ int DcePayloadTest07(void)
p[i].proto = IPPROTO_TCP;
p[i].flow = &f;
p[i].flowflags |= FLOW_PKT_TOSERVER;
p[i].flowflags |= FLOW_PKT_ESTABLISHED;
}
p[1].flowflags |= FLOW_PKT_TOCLIENT;
@ -4936,6 +4943,7 @@ int DcePayloadTest08(void)
p[i].proto = IPPROTO_TCP;
p[i].flow = &f;
p[i].flowflags |= FLOW_PKT_TOSERVER;
p[i].flowflags |= FLOW_PKT_ESTABLISHED;
}
FLOW_INITIALIZE(&f);
@ -5160,6 +5168,7 @@ int DcePayloadTest09(void)
p[i].proto = IPPROTO_TCP;
p[i].flow = &f;
p[i].flowflags |= FLOW_PKT_TOSERVER;
p[i].flowflags |= FLOW_PKT_ESTABLISHED;
}
FLOW_INITIALIZE(&f);
@ -5384,6 +5393,7 @@ int DcePayloadTest10(void)
p[i].proto = IPPROTO_TCP;
p[i].flow = &f;
p[i].flowflags |= FLOW_PKT_TOSERVER;
p[i].flowflags |= FLOW_PKT_ESTABLISHED;
}
FLOW_INITIALIZE(&f);
@ -5743,6 +5753,7 @@ int DcePayloadTest11(void)
p[i].proto = IPPROTO_TCP;
p[i].flow = &f;
p[i].flowflags |= FLOW_PKT_TOSERVER;
p[i].flowflags |= FLOW_PKT_ESTABLISHED;
}
FLOW_INITIALIZE(&f);
@ -6116,6 +6127,7 @@ int DcePayloadTest12(void)
p[i].proto = IPPROTO_TCP;
p[i].flow = &f;
p[i].flowflags |= FLOW_PKT_TOSERVER;
p[i].flowflags |= FLOW_PKT_ESTABLISHED;
}
FLOW_INITIALIZE(&f);
@ -6298,6 +6310,7 @@ int DcePayloadTest13(void)
p[i].proto = IPPROTO_TCP;
p[i].flow = &f;
p[i].flowflags |= FLOW_PKT_TOSERVER;
p[i].flowflags |= FLOW_PKT_ESTABLISHED;
}
p[1].flowflags |= FLOW_PKT_TOCLIENT;
p[3].flowflags |= FLOW_PKT_TOCLIENT;
@ -6539,6 +6552,7 @@ int DcePayloadTest14(void)
p[i].proto = IPPROTO_TCP;
p[i].flow = &f;
p[i].flowflags |= FLOW_PKT_TOSERVER;
p[i].flowflags |= FLOW_PKT_ESTABLISHED;
}
p[3].flowflags |= FLOW_PKT_TOCLIENT;
p[5].flowflags |= FLOW_PKT_TOCLIENT;

@ -282,7 +282,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
SCLogDebug("s->id %"PRIu32, s->id);
/* Check the uricontent keywords here. */
if (alproto == ALPROTO_HTTP) {
if (alproto == ALPROTO_HTTP && (flags & STREAM_TOSERVER)) {
if (s->umatch != NULL) {
uinspect = 1;
@ -421,7 +421,7 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
/* let's continue detection */
/* first, check uricontent */
if (alproto == ALPROTO_HTTP) {
if (alproto == ALPROTO_HTTP && (flags & STREAM_TOSERVER)) {
if (s->umatch != NULL) {
if (!(item->flags & DE_STATE_FLAG_URI_MATCH)) {
SCLogDebug("inspecting uri");
@ -731,6 +731,7 @@ static int DeStateSigTest01(void) {
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -866,6 +867,7 @@ static int DeStateSigTest02(void) {
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
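Review bot: The new `flags & STREAM_TOSERVER` gate on the `if (alproto == ALPROTO_HTTP && ...)` line in DeStateDetectStartDetection, and the same line in DeStateDetectContinueDetection, is undocumented; a comment such as `/* uricontent inspects the request, so only to-server data can match */` on both would tell a reader why to-client HTTP data now skips this block. Only the `s->umatch` branch is visible inside the gated block; if the other request-side HTTP keywords (header, cookie, method, client body) are checked after this block rather than inside it, they presumably need the same direction check, which cannot be confirmed from the hunk. Both functions start and end outside the hunks.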

@ -108,6 +108,20 @@ int DetectFlowMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, S
{
SCEnter();
SCLogDebug("pkt %p", p);
if (p->flowflags & FLOW_PKT_TOSERVER) {
SCLogDebug("FLOW_PKT_TOSERVER");
} else if (p->flowflags & FLOW_PKT_TOCLIENT) {
SCLogDebug("FLOW_PKT_TOCLIENT");
}
if (p->flowflags & FLOW_PKT_ESTABLISHED) {
SCLogDebug("FLOW_PKT_ESTABLISHED");
} else if (p->flowflags & FLOW_PKT_STATELESS) {
SCLogDebug("FLOW_PKT_STATELESS");
}
uint8_t cnt = 0;
DetectFlowData *fd = (DetectFlowData *)m->ctx;

@ -346,6 +346,7 @@ static int DetectFtpbounceTestALMatch02(void) {
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_FTP;
StreamTcpInitConfig(TRUE);
@ -471,6 +472,7 @@ static int DetectFtpbounceTestALMatch03(void) {
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_FTP;
StreamTcpInitConfig(TRUE);

@ -479,6 +479,7 @@ static int DetectHttpClientBodyTest06(void)
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -590,8 +591,10 @@ static int DetectHttpClientBodyTest07(void)
p1.flow = &f;
p1.flowflags |= FLOW_PKT_TOSERVER;
p1.flowflags |= FLOW_PKT_ESTABLISHED;
p2.flow = &f;
p2.flowflags |= FLOW_PKT_TOSERVER;
p2.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -717,8 +720,10 @@ static int DetectHttpClientBodyTest08(void)
p1.flow = &f;
p1.flowflags |= FLOW_PKT_TOSERVER;
p1.flowflags |= FLOW_PKT_ESTABLISHED;
p2.flow = &f;
p2.flowflags |= FLOW_PKT_TOSERVER;
p2.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -845,8 +850,10 @@ static int DetectHttpClientBodyTest09(void)
p1.flow = &f;
p1.flowflags |= FLOW_PKT_TOSERVER;
p1.flowflags |= FLOW_PKT_ESTABLISHED;
p2.flow = &f;
p2.flowflags |= FLOW_PKT_TOSERVER;
p2.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -973,8 +980,10 @@ static int DetectHttpClientBodyTest10(void)
p1.flow = &f;
p1.flowflags |= FLOW_PKT_TOSERVER;
p1.flowflags |= FLOW_PKT_ESTABLISHED;
p2.flow = &f;
p2.flowflags |= FLOW_PKT_TOSERVER;
p2.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1090,6 +1099,7 @@ static int DetectHttpClientBodyTest11(void)
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1190,6 +1200,7 @@ static int DetectHttpClientBodyTest12(void)
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1290,6 +1301,7 @@ static int DetectHttpClientBodyTest13(void)
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);

@ -507,6 +507,7 @@ static int DetectHttpCookieSigTest01(void) {
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -608,6 +609,7 @@ static int DetectHttpCookieSigTest02(void) {
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -698,6 +700,7 @@ static int DetectHttpCookieSigTest03(void) {
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -788,6 +791,7 @@ static int DetectHttpCookieSigTest04(void) {
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -878,6 +882,7 @@ static int DetectHttpCookieSigTest05(void) {
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -968,6 +973,7 @@ static int DetectHttpCookieSigTest06(void) {
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1058,6 +1064,7 @@ static int DetectHttpCookieSigTest07(void) {
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);

@ -474,6 +474,7 @@ static int DetectHttpHeaderTest06(void)
f.dst.family = AF_INET;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -583,8 +584,10 @@ static int DetectHttpHeaderTest07(void)
f.dst.family = AF_INET;
p1.flow = &f;
p1.flowflags |= FLOW_PKT_TOSERVER;
p1.flowflags |= FLOW_PKT_ESTABLISHED;
p2.flow = &f;
p2.flowflags |= FLOW_PKT_TOSERVER;
p2.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -708,8 +711,10 @@ static int DetectHttpHeaderTest08(void)
f.dst.family = AF_INET;
p1.flow = &f;
p1.flowflags |= FLOW_PKT_TOSERVER;
p1.flowflags |= FLOW_PKT_ESTABLISHED;
p2.flow = &f;
p2.flowflags |= FLOW_PKT_TOSERVER;
p2.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -834,8 +839,10 @@ static int DetectHttpHeaderTest09(void)
f.dst.family = AF_INET;
p1.flow = &f;
p1.flowflags |= FLOW_PKT_TOSERVER;
p1.flowflags |= FLOW_PKT_ESTABLISHED;
p2.flow = &f;
p2.flowflags |= FLOW_PKT_TOSERVER;
p2.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -960,8 +967,10 @@ static int DetectHttpHeaderTest10(void)
f.dst.family = AF_INET;
p1.flow = &f;
p1.flowflags |= FLOW_PKT_TOSERVER;
p1.flowflags |= FLOW_PKT_ESTABLISHED;
p2.flow = &f;
p2.flowflags |= FLOW_PKT_TOSERVER;
p2.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1076,6 +1085,7 @@ static int DetectHttpHeaderTest11(void)
f.dst.family = AF_INET;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1175,6 +1185,7 @@ static int DetectHttpHeaderTest12(void)
f.dst.family = AF_INET;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1275,6 +1286,7 @@ static int DetectHttpHeaderTest13(void)
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);

@ -423,6 +423,7 @@ static int DetectHttpMethodSigTest01(void)
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -524,6 +525,7 @@ static int DetectHttpMethodSigTest02(void)
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -624,6 +626,7 @@ static int DetectHttpMethodSigTest03(void)
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);

@ -1434,6 +1434,7 @@ static int DetectPcreModifPTest04(void) {
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1569,8 +1570,10 @@ static int DetectPcreModifPTest05(void) {
p1.flow = &f;
p1.flowflags |= FLOW_PKT_TOSERVER;
p1.flowflags |= FLOW_PKT_ESTABLISHED;
p2.flow = &f;
p2.flowflags |= FLOW_PKT_TOSERVER;
p2.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);

@ -339,6 +339,7 @@ static int DetectTlsVersionTestDetect01(void) {
f.protoctx = (void *)&ssn;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(TRUE);
@ -454,6 +455,7 @@ static int DetectTlsVersionTestDetect02(void) {
f.protoctx = (void *)&ssn;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(TRUE);
@ -567,6 +569,7 @@ static int DetectTlsVersionTestDetect03(void) {
f.protoctx = (void *)&ssn;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(TRUE);

@ -819,6 +819,7 @@ static int DetectUriSigTest02(void) {
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -931,6 +932,7 @@ static int DetectUriSigTest03(void) {
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1259,6 +1261,7 @@ static int DetectUriSigTest05(void) {
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1317,7 +1320,7 @@ static int DetectUriSigTest05(void) {
goto end;
}
/* do detect */
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
http_state = f.aldata[AlpGetStateIdx(ALPROTO_HTTP)];
@ -1383,6 +1386,7 @@ static int DetectUriSigTest06(void) {
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1461,10 +1465,10 @@ static int DetectUriSigTest06(void) {
printf("sig: 1 alerted, but it should not:");
goto end;
} else if (! PacketAlertCheck(&p, 2)) {
printf("sig: 2 did not alerted, but it should:");
printf("sig: 2 did not alert, but it should:");
goto end;
} else if (! (PacketAlertCheck(&p, 3))) {
printf("sig: 3 did not alerted, but it should:");
printf("sig: 3 did not alert, but it should:");
goto end;
}
@ -1515,6 +1519,7 @@ static int DetectUriSigTest07(void) {
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);

@ -511,6 +511,7 @@ static int DetectUrilenSigTest01(void)
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);

@ -439,6 +439,7 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
SignatureHeader *s = &det_ctx->sgh->head_array[i];
if (s->flags & SIG_FLAG_FLOW && !p->flow) {
SCLogDebug("flow in sig but not in packet");
continue;
}
@ -452,6 +453,7 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
/* if the sig has alproto and the session as well they should match */
if (s->alproto != ALPROTO_UNKNOWN && alproto != ALPROTO_UNKNOWN) {
if (s->alproto != alproto) {
SCLogDebug("alproto mismatch");
continue;
}
}
@ -472,6 +474,7 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
{
if (de_state_start == FALSE) {
if (det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NEW) {
SCLogDebug("not a new match, ignoring");
continue;
}
}
@ -571,8 +574,14 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
FlowIncrUsecnt(p->flow);
SCMutexLock(&p->flow->m);
alstate = AppLayerGetProtoStateFromPacket(p);
alproto = AppLayerGetProtoFromPacket(p);
if (p->flowflags & FLOW_PKT_ESTABLISHED) {
alstate = AppLayerGetProtoStateFromPacket(p);
alproto = AppLayerGetProtoFromPacket(p);
SCLogDebug("alstate %p, alproto %u", alstate, alproto);
} else {
SCLogDebug("packet doesn't have established flag set");
}
if (p->flowflags & FLOW_PKT_TOSERVER && p->flow->flags & FLOW_SGH_TOSERVER) {
sgh = p->flow->sgh_toserver;
use_flow_sgh = TRUE;
@ -580,6 +589,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
sgh = p->flow->sgh_toclient;
use_flow_sgh = TRUE;
}
if (p->proto == IPPROTO_TCP) {
TcpSession *ssn = (TcpSession *)p->flow->protoctx;
if (ssn != NULL) {
@ -589,7 +599,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
ssn->toserver_smsg_head = NULL;
ssn->toserver_smsg_tail = NULL;
//BUG_ON(ssn->toclient_smsg_head != NULL);
SCLogDebug("to_server smsg %p", smsg);
} else {
smsg = ssn->toclient_smsg_head;
@ -597,19 +606,18 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
ssn->toclient_smsg_head = NULL;
ssn->toclient_smsg_tail = NULL;
//BUG_ON(ssn->toserver_smsg_head != NULL);
SCLogDebug("to_client smsg %p", smsg);
}
}
}
SCMutexUnlock(&p->flow->m);
if (p->flowflags & FLOW_PKT_TOSERVER) {
flags |= STREAM_TOSERVER;
SCLogDebug("flag STREAM_TOSERVER set");
} else if (p->flowflags & FLOW_PKT_TOCLIENT) {
flags |= STREAM_TOCLIENT;
SCLogDebug("flag STREAM_TOCLIENT set");
}
SCLogDebug("p->flowflags 0x%02x", p->flowflags);
}
@ -655,9 +663,11 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
}
/* have a look at the reassembled stream (if any) */
if (smsg != NULL && det_ctx->sgh->mpm_stream_ctx != NULL) {
cnt = StreamPatternSearch(th_v, det_ctx, smsg);
SCLogDebug("cnt %u", cnt);
if (p->flowflags & FLOW_PKT_ESTABLISHED) {
if (smsg != NULL && det_ctx->sgh->mpm_stream_ctx != NULL) {
cnt = StreamPatternSearch(th_v, det_ctx, smsg);
SCLogDebug("cnt %u", cnt);
}
}
if (p->payload_len > 0 && det_ctx->sgh->mpm_ctx != NULL &&
@ -719,14 +729,14 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
DetectPort *dport = DetectPortLookupGroup(s->dp,p->dp);
if (dport == NULL) {
SCLogDebug("dport didn't match.");
continue;
goto next;
}
}
if (!(s->flags & SIG_FLAG_SP_ANY)) {
DetectPort *sport = DetectPortLookupGroup(s->sp,p->sp);
if (sport == NULL) {
SCLogDebug("sport didn't match.");
continue;
goto next;
}
}
}
@ -736,7 +746,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
DetectAddress *daddr = DetectAddressLookupInHead(&s->dst,&p->dst);
if (daddr == NULL) {
SCLogDebug("dst addr didn't match.");
continue;
goto next;
}
}
/* check the source address */
@ -744,12 +754,19 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
DetectAddress *saddr = DetectAddressLookupInHead(&s->src,&p->src);
if (saddr == NULL) {
SCLogDebug("src addr didn't match.");
continue;
goto next;
}
}
SCLogDebug("s->amatch %p, s->umatch %p", s->amatch, s->umatch);
if ((s->amatch != NULL || s->umatch != NULL || s->dmatch != NULL) && p->flow != NULL) {
SCLogDebug("s->amatch %p, s->umatch %p, s->dmatch %p",
s->amatch, s->umatch, s->dmatch);
if (s->amatch != NULL || s->umatch != NULL || s->dmatch != NULL) {
if (alstate == NULL) {
SCLogDebug("state matches but no state, we can't match");
goto next;
}
if (de_state_start == TRUE) {
SCLogDebug("stateful app layer match inspection starting");
if (DeStateDetectStartDetection(th_v, de_ctx, det_ctx, s,
@ -3443,6 +3460,7 @@ static int SigTest06Real (int mpm_type) {
f.dst.family = AF_INET;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -3540,6 +3558,7 @@ static int SigTest07Real (int mpm_type) {
f.dst.family = AF_INET;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -3637,6 +3656,7 @@ static int SigTest08Real (int mpm_type) {
f.dst.family = AF_INET;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -3735,6 +3755,7 @@ static int SigTest09Real (int mpm_type) {
f.dst.family = AF_INET;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -3825,6 +3846,7 @@ static int SigTest10Real (int mpm_type) {
f.dst.family = AF_INET;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
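Review bot: In SigMatchSignatures the reassembled stream message is still detached from the session before the new established check: inside the `if (p->proto == IPPROTO_TCP)` block the code takes `ssn->toserver_smsg_head` / `ssn->toclient_smsg_head` and sets the head and tail to NULL, yet `StreamPatternSearch` now runs only under `if (p->flowflags & FLOW_PKT_ESTABLISHED)`. For a TCP packet without the flag, `smsg` is removed from the session but never inspected, and whether it is still released afterwards depends on code after the hunk, so that path should be checked for a leak of the message and a silent loss of the reassembled data; either dequeue under the same established condition or add a comment on the `else` branch naming where an uninspected smsg is freed. A related consequence worth a one-line comment at the new `if (alstate == NULL)` check is that `alstate` is only fetched for established packets, so every signature with `amatch`, `umatch` or `dmatch` takes `goto next` on a flow seen in one direction only (asymmetric capture), i.e. app-layer rules cannot fire there. SigMatchSignatures begins and ends outside the hunks, and the `next:` label it now jumps to is not visible.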

@ -709,6 +709,7 @@ void FlowHandlePacket (ThreadVars *tv, Packet *p)
f->bytecnt += p->pktlen;
if (f->flags & FLOW_TO_DST_SEEN && f->flags & FLOW_TO_SRC_SEEN) {
SCLogDebug("pkt %p FLOW_PKT_ESTABLISHED", p);
p->flowflags |= FLOW_PKT_ESTABLISHED;
}
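Review bot: The new `if (f->flags & FLOW_TO_DST_SEEN && f->flags & FLOW_TO_SRC_SEEN)` in FlowHandlePacket relies on `&` binding tighter than `&&`, which is correct but easy to misread; `if ((f->flags & FLOW_TO_DST_SEEN) && (f->flags & FLOW_TO_SRC_SEEN)) {` reads unambiguously. The meaning of the flag also deserves a comment, since "established" here means both directions of the flow have been observed rather than any protocol-level handshake state: `/* both directions seen: mark the packet as belonging to an established flow */`. Whether the current packet's own direction has already been recorded in `f->flags` at this point is not visible in the hunk; if it has not, the first packet in the second direction is flagged one packet late, which is worth confirming against the code above. FlowHandlePacket continues outside the hunk.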
