aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect: denote the max detection list; fix issue 1674.

Browse Source 
Denotes the max detection list so that rule validation can
allow post-detection lists to come after base64_data, but
disallow detection lists to come after it.
pull/1943/head
Jason Ish 10 years ago committed by Victor Julien
parent 9afaf14ba4
commit 3c3fe4b47d
3 changed files with 46 additions and 3 deletions
Show Stats Download Patch File Download Diff File

38
src/detect-base64-data.c
Unescape Escape View File

@ -186,6 +186,10 @@ end:
return retval; return retval;
} }
/**
* \test Test that the rule fails to load if the detection list is
* changed after base64_data.
*/
static int DetectBase64DataSetupTest03(void) static int DetectBase64DataSetupTest03(void)
{ {
DetectEngineCtx *de_ctx = NULL; DetectEngineCtx *de_ctx = NULL;
@ -221,6 +225,38 @@ end:
return retval; return retval;
} }
/**
* \test Test that the list can be changed to post-detection lists
* after the base64 keyword.
*/
static int DetectBase64DataSetupTest04(void)
{
DetectEngineCtx *de_ctx = NULL;
int retval = 0;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"some b64thing\"; flow:established,from_server; file_data; content:\"sometext\"; fast_pattern; base64_decode:relative; base64_data; content:\"foobar\"; nocase; tag:session,120,seconds; sid:1111111; rev:1;)");
if (de_ctx->sig_list == NULL) {
printf("SigInit failed: ");
goto end;
}
retval = 1;
end:
if (de_ctx != NULL) {
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
}
return retval;
}
#endif #endif
static void DetectBase64DataRegisterTests(void) static void DetectBase64DataRegisterTests(void)
@ -232,5 +268,7 @@ static void DetectBase64DataRegisterTests(void)
1); 1);
UtRegisterTest("DetectBase64DataSetupTest03", DetectBase64DataSetupTest03, UtRegisterTest("DetectBase64DataSetupTest03", DetectBase64DataSetupTest03,
1); 1);
UtRegisterTest("DetectBase64DataSetupTest04", DetectBase64DataSetupTest04,
1);
#endif /* UNITTESTS */ #endif /* UNITTESTS */
} }

2
src/detect-parse.c
Unescape Escape View File

@ -1322,7 +1322,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
if (s->sm_lists[DETECT_SM_LIST_BASE64_DATA] != NULL) { if (s->sm_lists[DETECT_SM_LIST_BASE64_DATA] != NULL) {
int list; int list;
uint16_t idx = s->sm_lists[DETECT_SM_LIST_BASE64_DATA]->idx; uint16_t idx = s->sm_lists[DETECT_SM_LIST_BASE64_DATA]->idx;
for (list = 0; list < DETECT_SM_LIST_MAX; list++) { for (list = 0; list < DETECT_SM_LIST_DETECT_MAX; list++) {
if (list != DETECT_SM_LIST_BASE64_DATA && if (list != DETECT_SM_LIST_BASE64_DATA &&
s->sm_lists[list] != NULL) { s->sm_lists[list] != NULL) {
if (s->sm_lists[list]->idx > idx) { if (s->sm_lists[list]->idx > idx) {

9
src/detect.h
Unescape Escape View File

@ -116,7 +116,6 @@ enum DetectSigmatchListEnum {
DETECT_SM_LIST_AMATCH, DETECT_SM_LIST_AMATCH,
DETECT_SM_LIST_DMATCH, DETECT_SM_LIST_DMATCH,
DETECT_SM_LIST_TMATCH,
DETECT_SM_LIST_FILEMATCH, DETECT_SM_LIST_FILEMATCH,
@ -130,8 +129,14 @@ enum DetectSigmatchListEnum {
DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH, DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH,
/* Demarcation between detection and post-detection lists. All
* detection lists must come before this. */
DETECT_SM_LIST_DETECT_MAX,
/* list for post match actions: flowbit set, flowint increment, etc */ /* list for post match actions: flowbit set, flowint increment, etc */
DETECT_SM_LIST_POSTMATCH, DETECT_SM_LIST_POSTMATCH = DETECT_SM_LIST_DETECT_MAX,
DETECT_SM_LIST_TMATCH, /**< post-detection tagging */
/* lists for alert thresholding and suppression */ /* lists for alert thresholding and suppression */
DETECT_SM_LIST_SUPPRESS, DETECT_SM_LIST_SUPPRESS,

Write Preview
Loading…
Cancel
Save