All http_http_stat_code modified patterns now are DETECT_CONTENT and not DETECT_AL_HTTP_STAT_CODE. Also remove dummy match/free functions for stat code and stat msg

remotes/origin/HEAD
Anoop Saldanha 14 years ago committed by Victor Julien
parent 507e1b66e0
commit 35435f3284

@ -95,7 +95,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs "
@ -162,47 +162,6 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
break;
case DETECT_AL_HTTP_STAT_CODE:
cd = (DetectContentData *)pm->ctx;
if (cd->flags & DETECT_CONTENT_NEGATED) {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"negated keyword set along with a fast_pattern");
goto error;
}
} else {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"keyword set along with a fast_pattern:only;");
goto error;
}
}
if (str[0] != '-' && isalpha(str[0])) {
SigMatch *bed_sm =
DetectByteExtractRetrieveSMVar(str, s,
SigMatchListSMBelongsTo(s, pm));
if (bed_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in depth - %s\n", str);
goto error;
}
cd->depth = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
cd->flags |= DETECT_CONTENT_DEPTH_BE;
} else {
cd->depth = (uint32_t)atoi(str);
if (cd->depth < cd->content_len) {
cd->depth = cd->content_len;
SCLogDebug("depth increased to %"PRIu32" to match pattern len ",
cd->depth);
}
/* Now update the real limit, as depth is relative to the offset */
cd->depth += cd->offset;
cd->flags |= DETECT_CONTENT_DEPTH;
}
break;
default:
SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs a preceeding "
"content (or uricontent) option");

@ -170,7 +170,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs "
@ -291,73 +291,6 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
break;
case DETECT_AL_HTTP_STAT_CODE:
cd = (DetectContentData *)pm->ctx;
if (cd->flags & DETECT_CONTENT_NEGATED) {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"negated keyword set along with a fast_pattern");
goto error;
}
} else {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"keyword set along with a fast_pattern:only;");
goto error;
}
}
if (str[0] != '-' && isalpha(str[0])) {
SigMatch *bed_sm =
DetectByteExtractRetrieveSMVar(str, s,
SigMatchListSMBelongsTo(s, pm));
if (bed_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in distance - %s\n", str);
goto error;
}
cd->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
cd->flags |= DETECT_CONTENT_DISTANCE_BE;
} else {
cd->distance = strtol(str, NULL, 10);
if (cd->flags & DETECT_CONTENT_WITHIN) {
if ((cd->distance + cd->content_len) > cd->within) {
cd->within = cd->distance + cd->content_len;
}
}
}
cd->flags |= DETECT_CONTENT_DISTANCE;
/* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_AL_HTTP_STAT_CODE, pm->prev,
DETECT_PCRE, pm->prev);
if (pm == NULL) {
SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for "
"http_stat_code needs preceeding http_stat_code "
"content");
goto error;
}
if (pm->type == DETECT_PCRE) {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
} else {
/* reassigning cd */
cd = (DetectContentData *)pm->ctx;
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
"has a fast_pattern:only; set. You can't "
"have relative keywords around a fast_pattern "
"only content");
goto error;
}
cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
}
break;
default:
SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two "
"preceeding content or uricontent options");
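Review bot: The `pm == NULL` branch that follows the `SigMatchGetLastSMFromLists` call in DetectDistanceSetup logs `SC_ERR_WITHIN_MISSING_CONTENT` with a message starting "within needs ". This looks copied from the within keyword, and the change leaves it untouched. A rule author whose signature is rejected here is pointed at the wrong keyword. I would change it to `SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs "`, which is the error code the function's own `default:` branch already uses. The message string continues past the end of the hunk, so the rest of its wording should be checked too.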

@ -107,8 +107,7 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
}
/* \todo unify this which is phase 2 of payload inspection unification */
if (sm->type == DETECT_CONTENT ||
sm->type == DETECT_AL_HTTP_STAT_CODE) {
if (sm->type == DETECT_CONTENT) {
DetectContentData *cd = (DetectContentData *)sm->ctx;
SCLogDebug("inspecting content %"PRIu32" buffer_len %"PRIu32, cd->id, buffer_len);

@ -149,7 +149,7 @@ void SupportFastPatternForSigMatchTypes(void)
SupportFastPatternForSigMatchType(DETECT_CONTENT);
SupportFastPatternForSigMatchList(DETECT_SM_LIST_HSMDMATCH);
SupportFastPatternForSigMatchType(DETECT_AL_HTTP_STAT_CODE);
SupportFastPatternForSigMatchType(DETECT_CONTENT);
SupportFastPatternForSigMatchList(DETECT_SM_LIST_HSCDMATCH);
return;
@ -246,7 +246,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern found inside "
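Review bot: In SupportFastPatternForSigMatchTypes the replaced line becomes a second `SupportFastPatternForSigMatchType(DETECT_CONTENT);`, two lines after an identical call, so it no longer registers a new type. Whether the repeat is a no-op or adds a duplicate entry depends on the helper, which is not shown here. I would drop the line and keep only `SupportFastPatternForSigMatchList(DETECT_SM_LIST_HSCDMATCH);`, or mark it with a comment such as `/* type already registered above; only the list is new */`. The function starts before the hunk, so earlier registrations may follow the same repeated pattern.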

@ -78,130 +78,12 @@ void DetectHttpStatCodeRegister (void) {
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].AppLayerMatch = NULL;
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].Setup = DetectHttpStatCodeSetup;
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].Free = DetectHttpStatCodeFree;
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].Free = NULL;
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].RegisterTests = DetectHttpStatCodeRegisterTests;
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].flags |= SIGMATCH_PAYLOAD;
}
/**
* \brief match the specified content in the signature with the received http
* status code header in the http response.
*
* \param t pointer to thread vars
* \param det_ctx pointer to the pattern matcher thread
* \param f pointer to the current flow
* \param flags flags to indicate the direction of the received packet
* \param state pointer the app layer state, which will cast into HtpState
* \param s pointer to the current signature
* \param sm pointer to the sigmatch
*
* \retval 0 no match
* \retval 1 match
*/
int DetectHttpStatCodeMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, void *state, Signature *s,
SigMatch *sm)
{
SCEnter();
int ret = 0;
int idx;
SCMutexLock(&f->m);
SCLogDebug("got lock %p", &f->m);
DetectHttpStatCodeData *co = (DetectHttpStatCodeData *)sm->ctx;
HtpState *htp_state = (HtpState *)state;
if (htp_state == NULL) {
SCLogDebug("no HTTP layer state has been received, so no match");
goto end;
}
if (!(htp_state->flags & HTP_FLAG_STATE_OPEN)) {
SCLogDebug("HTP state not yet properly setup, so no match");
goto end;
}
SCLogDebug("htp_state %p, flow %p", htp_state, f);
SCLogDebug("htp_state->connp %p", htp_state->connp);
SCLogDebug("htp_state->connp->conn %p", htp_state->connp->conn);
if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
SCLogDebug("HTTP connection structure is NULL");
goto end;
}
htp_tx_t *tx = NULL;
idx = AppLayerTransactionGetInspectId(f);
if (idx == -1) {
goto end;
}
int size = (int)list_size(htp_state->connp->conn->transactions);
for (; idx < size; idx++)
{
tx = list_get(htp_state->connp->conn->transactions, idx);
if (tx == NULL)
continue;
SCLogDebug("we have a response message");
if (co->code != -1) {
if (co->code == tx->response_status_number) {
SCLogDebug("Matched numeric HTTP status value");
ret = 1;
}
} else if (tx->response_status != NULL) {
/* call the case insensitive version if nocase has been specified in
the sig */
if (co->flags & DETECT_AL_HTTP_STAT_CODE_NOCASE) {
if (SpmNocaseSearch((uint8_t *) bstr_ptr(tx->response_status),
bstr_len(tx->response_status), co->data, co->data_len)
!= NULL)
{
SCLogDebug("match has been found in received request and "
"given http_stat_code rule");
ret = 1;
}
} else {
if (SpmSearch((uint8_t *) bstr_ptr(tx->response_status),
bstr_len(tx->response_status), co->data, co->data_len)
!= NULL)
{
SCLogDebug("match has been found in received request and"
" given http_stat_code rule");
ret = 1;
}
}
}
}
SCMutexUnlock(&f->m);
SCReturnInt(ret ^ ((co->flags & DETECT_AL_HTTP_STAT_CODE_NEGATED) ? 1 : 0));
end:
SCMutexUnlock(&f->m);
SCLogDebug("released lock %p", &f->m);
SCReturnInt(ret);
}
/**
* \brief this function clears the memory of http_stat_code modifier keyword
*
* \param ptr Pointer to the Detection Stat Code data
*/
void DetectHttpStatCodeFree(void *ptr)
{
DetectHttpStatCodeData *hsmd = (DetectHttpStatCodeData *)ptr;
if (hsmd == NULL)
return;
if (hsmd->data != NULL)
SCFree(hsmd->data);
SCFree(hsmd);
}
/**
* \brief this function setups the http_stat_code modifier keyword used in the rule
*
@ -269,7 +151,7 @@ static int DetectHttpStatCodeSetup (DetectEngineCtx *de_ctx, Signature *s, char
/* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_stat_code seen with a "
@ -286,7 +168,7 @@ static int DetectHttpStatCodeSetup (DetectEngineCtx *de_ctx, Signature *s, char
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HSCDMATCH);
sm->type = DETECT_AL_HTTP_STAT_CODE;
sm->type = DETECT_CONTENT;
/* transfer the sm from the pmatch list to hcbdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
@ -392,10 +274,10 @@ int DetectHttpStatCodeTest02(void)
SigMatch *prev = NULL;
while (sm != NULL) {
if (sm->type == DETECT_AL_HTTP_STAT_CODE) {
if (sm->type == DETECT_CONTENT) {
result = 1;
} else {
printf("expected DETECT_AL_HTTP_STAT_CODE, got %d: ", sm->type);
printf("expected DETECT_CONTENT for http_stat_code, got %d: ", sm->type);
goto end;
}
prev = sm;
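Review bot: `DetectHttpStatCodeMatch` is deleted from this file, but the header section of the same commit still shows `int DetectHttpStatCodeMatch (ThreadVars *, DetectEngineThreadCtx *,` as unchanged context under `/* prototypes */`. That leaves a declaration with no definition, so a later caller would compile and fail only at link time. The prototype should be removed together with the function. The same check applies to `DetectHttpStatCodeFree` if it is declared there, since the header hunk ends before that is visible. The context comment `/* transfer the sm from the pmatch list to hcbdmatch list */` also appears stale, because the id on the preceding line is taken for `DETECT_SM_LIST_HSCDMATCH`.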

@ -24,16 +24,6 @@
#ifndef _DETECT_HTTP_STAT_CODE_H
#define _DETECT_HTTP_STAT_CODE_H
#define DETECT_AL_HTTP_STAT_CODE_NOCASE 0x01
#define DETECT_AL_HTTP_STAT_CODE_NEGATED 0x02
typedef struct DetectHttpStatCodeData_ {
uint8_t *data;
uint8_t data_len;
uint8_t flags;
int16_t code; /**< Numeric HTTP status code to match */
} DetectHttpStatCodeData;
/* prototypes */
int DetectHttpStatCodeMatch (ThreadVars *, DetectEngineThreadCtx *,
Flow *, uint8_t , void *, Signature *,

@ -78,124 +78,12 @@ void DetectHttpStatMsgRegister (void) {
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].AppLayerMatch = NULL;
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Setup = DetectHttpStatMsgSetup;
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Free = DetectHttpStatMsgFree;
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Free = NULL;
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].RegisterTests = DetectHttpStatMsgRegisterTests;
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].flags |= SIGMATCH_PAYLOAD;
}
/**
* \brief match the specified content in the signature with the received http
* status message header in the http response.
*
* \param t pointer to thread vars
* \param det_ctx pointer to the pattern matcher thread
* \param f pointer to the current flow
* \param flags flags to indicate the direction of the received packet
* \param state pointer the app layer state, which will cast into HtpState
* \param s pointer to the current signature
* \param sm pointer to the sigmatch
*
* \retval 0 no match
* \retval 1 match
*/
int DetectHttpStatMsgMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, void *state, Signature *s,
SigMatch *sm)
{
SCEnter();
int ret = 0;
int idx;
SCMutexLock(&f->m);
SCLogDebug("got lock %p", &f->m);
DetectContentData *co = (DetectContentData *)sm->ctx;
HtpState *htp_state = (HtpState *)state;
if (htp_state == NULL) {
SCLogDebug("no HTTP layer state has been received, so no match");
goto end;
}
if (!(htp_state->flags & HTP_FLAG_STATE_OPEN)) {
SCLogDebug("HTP state not yet properly setup, so no match");
goto end;
}
SCLogDebug("htp_state %p, flow %p", htp_state, f);
SCLogDebug("htp_state->connp %p", htp_state->connp);
SCLogDebug("htp_state->connp->conn %p", htp_state->connp->conn);
if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
SCLogDebug("HTTP connection structure is NULL");
goto end;
}
htp_tx_t *tx = NULL;
idx = AppLayerTransactionGetInspectId(f);
if (idx == -1) {
goto end;
}
int size = (int)list_size(htp_state->connp->conn->transactions);
for (; idx < size; idx++)
{
tx = list_get(htp_state->connp->conn->transactions, idx);
if (tx == NULL)
continue;
if (tx->response_message == NULL)
continue;
SCLogDebug("we have a response message");
/* call the case insensitive version if nocase has been specified in the sig */
if (co->flags & DETECT_CONTENT_NOCASE) {
if (SpmNocaseSearch((uint8_t *) bstr_ptr(tx->response_message),
bstr_len(tx->response_message), co->content, co->content_len) != NULL)
{
SCLogDebug("match has been found in received request and given http_"
"stat_msg rule");
ret = 1;
}
} else {
if (SpmSearch((uint8_t *) bstr_ptr(tx->response_message),
bstr_len(tx->response_message), co->content, co->content_len) != NULL)
{
SCLogDebug("match has been found in received request and given http_"
"stat_msg rule");
ret = 1;
}
}
}
SCMutexUnlock(&f->m);
SCReturnInt(ret ^ ((co->flags & DETECT_CONTENT_NEGATED) ? 1 : 0));
end:
SCMutexUnlock(&f->m);
SCLogDebug("released lock %p", &f->m);
SCReturnInt(ret);
}
/**
* \brief this function clears the memory of http_stat_msg modifier keyword
*
* \param ptr Pointer to the Detection Stat Message data
*/
void DetectHttpStatMsgFree(void *ptr)
{
DetectContentData *hsmd = (DetectContentData *)ptr;
if (hsmd == NULL)
return;
if (hsmd->content != NULL)
SCFree(hsmd->content);
SCFree(hsmd);
}
/**
* \brief this function setups the http_stat_msg modifier keyword used in the rule
*
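Review bot: Setting `sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Free = NULL` is safe only if no SigMatch still has the type `DETECT_AL_HTTP_STAT_MSG` when it is freed, and nothing in this section shows where that type is changed. For http_stat_code the commit makes this explicit with `sm->type = DETECT_CONTENT;`, but the equivalent line in DetectHttpStatMsgSetup lies outside the hunk. I would add a comment on the assignment, for example `/* sm is retyped to DETECT_CONTENT in Setup; its ctx is released by the content keyword's Free */`, so ownership of the `DetectContentData` is clear to the next reader. If any path can leave the original type in place, the context would either leak or reach a NULL callback, depending on how the free dispatcher treats an empty slot.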

@ -362,7 +362,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 10 */
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
@ -419,7 +419,6 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
switch (prev_pm->type) {
case DETECT_CONTENT:
case DETECT_AL_HTTP_STAT_CODE:
/* Set the relative next flag on the prev sigmatch */
cd = (DetectContentData *)prev_pm->ctx;
if (cd == NULL) {

@ -84,7 +84,7 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "\"nocase\" needs a preceeding "
@ -98,7 +98,6 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
switch (pm->type) {
case DETECT_CONTENT:
case DETECT_AL_HTTP_STAT_CODE:
cd = (DetectContentData *)pm->ctx;
if (cd == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument");

@ -93,7 +93,7 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs "
@ -164,50 +164,6 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
break;
case DETECT_AL_HTTP_STAT_CODE:
cd = (DetectContentData *)pm->ctx;
if (cd->flags & DETECT_CONTENT_NEGATED) {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"negated keyword set along with a fast_pattern");
goto error;
}
} else {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"keyword set along with a fast_pattern:only;");
goto error;
}
}
if (str[0] != '-' && isalpha(str[0])) {
SigMatch *bed_sm =
DetectByteExtractRetrieveSMVar(str, s,
SigMatchListSMBelongsTo(s, pm));
if (bed_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in offset - %s\n", str);
goto error;
}
cd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
cd->flags |= DETECT_CONTENT_OFFSET_BE;
} else {
cd->offset = (uint32_t)atoi(str);
if (cd->depth != 0) {
if (cd->depth < cd->content_len) {
SCLogDebug("depth increased to %"PRIu32" to match pattern len",
cd->content_len);
cd->depth = cd->content_len;
}
/* Updating the depth as is relative to the offset */
cd->depth += cd->offset;
}
}
cd->flags |= DETECT_CONTENT_OFFSET;
break;
default:
SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs a preceeding"
" content or uricontent option");

@ -1201,10 +1201,9 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
SCReturnInt(0);
}
prev_sm = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev,
DETECT_AL_HTTP_STAT_CODE, sm->prev);
prev_sm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (prev_sm == NULL) {
if (s->alproto == ALPROTO_DCERPC) {
SCLogDebug("No preceding content or pcre keyword. Possible "
@ -1228,7 +1227,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
switch (prev_sm->type) {
case DETECT_CONTENT:
case DETECT_AL_HTTP_STAT_CODE:
/* Set the relative next flag on the prev sigmatch */
cd = (DetectContentData *)prev_sm->ctx;
if (cd == NULL) {

@ -173,7 +173,7 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs"
@ -300,74 +300,6 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
break;
case DETECT_AL_HTTP_STAT_CODE:
cd = (DetectContentData *)pm->ctx;
if (cd->flags & DETECT_CONTENT_NEGATED) {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"negated keyword set along with a fast_pattern");
goto error;
}
} else {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"keyword set along with a fast_pattern:only;");
goto error;
}
}
if (str[0] != '-' && isalpha(str[0])) {
SigMatch *bed_sm =
DetectByteExtractRetrieveSMVar(str, s,
SigMatchListSMBelongsTo(s, pm));
if (bed_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in within - %s\n", str);
goto error;
}
cd->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
cd->flags |= DETECT_CONTENT_WITHIN_BE;
} else {
cd->within = strtol(str, NULL, 10);
if (cd->within < (int32_t)cd->content_len) {
SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is "
"less than the content length \"%"PRIu32"\" which is invalid, since "
"this will never match. Invalidating signature", cd->within,
cd->content_len);
goto error;
}
}
cd->flags |= DETECT_CONTENT_WITHIN;
/* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_AL_HTTP_STAT_CODE, pm->prev,
DETECT_PCRE, pm->prev);
if (pm == NULL) {
SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for http_stat_code "
"needs preceeding http_stat_code content");
goto error;
}
if (pm->type == DETECT_PCRE) {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
} else {
/* reassigning cd */
cd = (DetectContentData *)pm->ctx;
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
"has a fast_pattern:only; set. You can't "
"have relative keywords around a fast_pattern "
"only content");
goto error;
}
cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
}
break;
default:
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs two "
"preceeding content or uricontent options");
