aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect: integer keywords now support hexadecimal

Browse Source 
So that we can write enip.revision: 0x203

Ticket: 6645
pull/10277/head
Philippe Antoine 2 years ago committed by Victor Julien
parent d73ccd0f52
commit 3b65a2bb61
1 changed files with 34 additions and 7 deletions
Show Stats Download Patch File Download Diff File

41
rust/src/detect/uint.rs
Unescape Escape View File

@ -17,7 +17,7 @@
use nom7::branch::alt;
use nom7::bytes::complete::{is_a, tag, tag_no_case, take_while};
use nom7::character::complete::digit1;
use nom7::character::complete::{digit1, hex_digit1};
use nom7::combinator::{all_consuming, map_opt, opt, value, verify};
use nom7::error::{make_error, ErrorKind};
use nom7::Err;
@ -73,8 +73,25 @@ pub fn detect_parse_uint_unit(i: &str) -> IResult<&str, u64> {
return Ok((i, unit));
}
pub fn detect_parse_uint_value_hex<T: DetectIntType>(i: &str) -> IResult<&str, T> {
let (i, _) = tag("0x")(i)?;
let (i, arg1s) = hex_digit1(i)?;
match T::from_str_radix(arg1s, 16) {
Ok(arg1) => Ok((i, arg1)),
_ => Err(Err::Error(make_error(i, ErrorKind::Verify))),
}
}
pub fn detect_parse_uint_value<T: DetectIntType>(i: &str) -> IResult<&str, T> {
let (i, arg1) = alt((
detect_parse_uint_value_hex,
map_opt(digit1, |s: &str| s.parse::<T>().ok()),
))(i)?;
Ok((i, arg1))
}
pub fn detect_parse_uint_with_unit<T: DetectIntType>(i: &str) -> IResult<&str, T> {
let (i, arg1) = map_opt(digit1, |s: &str| s.parse::<T>().ok())(i)?;
let (i, arg1) = detect_parse_uint_value::<T>(i)?;
let (i, unit) = opt(detect_parse_uint_unit)(i)?;
if arg1 >= T::one() {
if let Some(u) = unit {
@ -107,11 +124,11 @@ pub fn detect_parse_uint_start_equal<T: DetectIntType>(
pub fn detect_parse_uint_start_interval<T: DetectIntType>(
i: &str,
) -> IResult<&str, DetectUintData<T>> {
let (i, arg1) = map_opt(digit1, |s: &str| s.parse::<T>().ok())(i)?;
let (i, arg1) = detect_parse_uint_value(i)?;
let (i, _) = opt(is_a(" "))(i)?;
let (i, _) = alt((tag("-"), tag("<>")))(i)?;
let (i, _) = opt(is_a(" "))(i)?;
let (i, arg2) = verify(map_opt(digit1, |s: &str| s.parse::<T>().ok()), |x| {
let (i, arg2) = verify(detect_parse_uint_value, |x| {
x > &arg1 && *x - arg1 > T::one()
})(i)?;
Ok((
@ -127,13 +144,13 @@ pub fn detect_parse_uint_start_interval<T: DetectIntType>(
fn detect_parse_uint_start_interval_inclusive<T: DetectIntType>(
i: &str,
) -> IResult<&str, DetectUintData<T>> {
let (i, arg1) = verify(map_opt(digit1, |s: &str| s.parse::<T>().ok()), |x| {
let (i, arg1) = verify(detect_parse_uint_value::<T>, |x| {
*x > T::min_value()
})(i)?;
let (i, _) = opt(is_a(" "))(i)?;
let (i, _) = alt((tag("-"), tag("<>")))(i)?;
let (i, _) = opt(is_a(" "))(i)?;
let (i, arg2) = verify(map_opt(digit1, |s: &str| s.parse::<T>().ok()), |x| {
let (i, arg2) = verify(detect_parse_uint_value::<T>, |x| {
*x > arg1 && *x < T::max_value()
})(i)?;
Ok((
@ -162,7 +179,7 @@ pub fn detect_parse_uint_mode(i: &str) -> IResult<&str, DetectUintMode> {
fn detect_parse_uint_start_symbol<T: DetectIntType>(i: &str) -> IResult<&str, DetectUintData<T>> {
let (i, mode) = detect_parse_uint_mode(i)?;
let (i, _) = opt(is_a(" "))(i)?;
let (i, arg1) = map_opt(digit1, |s: &str| s.parse::<T>().ok())(i)?;
let (i, arg1) = detect_parse_uint_value(i)?;
match mode {
DetectUintMode::DetectUintModeNe => {}
@ -407,6 +424,16 @@ pub unsafe extern "C" fn rs_detect_u16_free(ctx: &mut DetectUintData<u16>) {
mod tests {
use super::*;
#[test]
fn test_parse_uint_hex() {
let (_, val) = detect_parse_uint::<u64>("0x100").unwrap();
assert_eq!(val.arg1, 0x100);
let (_, val) = detect_parse_uint::<u8>("0xFF").unwrap();
assert_eq!(val.arg1, 255);
let (_, val) = detect_parse_uint::<u8>("0xff").unwrap();
assert_eq!(val.arg1, 255);
}
#[test]
fn test_parse_uint_unit() {
let (_, val) = detect_parse_uint::<u64>(" 2kb").unwrap();

Write Preview
Loading…
Cancel
Save