pcre: parsing cleanup

Remove all flags indicating the buffer type. They were only used
at parse time.

Because of this the DetectPcreData_ structure could shrink to 32
bytes.
pull/669/head
Victor Julien 12 years ago
parent ab22385083
commit 3e604b8703

@ -2208,7 +2208,7 @@ int DetectHttpClientBodyTest34(void)
DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *hcbd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_CLIENT_BODY) ||
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hcbd2->flags != DETECT_CONTENT_WITHIN ||
memcmp(hcbd2->content, "two", hcbd2->content_len) != 0) {
goto end;
@ -2259,7 +2259,7 @@ int DetectHttpClientBodyTest35(void)
DetectContentData *hcbd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectPcreData *pd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
if (pd2->flags != (DETECT_PCRE_RELATIVE | DETECT_PCRE_HTTP_CLIENT_BODY) ||
if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hcbd1->content, "two", hcbd1->content_len) != 0) {
goto end;
@ -2310,7 +2310,7 @@ int DetectHttpClientBodyTest36(void)
DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *hcbd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_CLIENT_BODY) ||
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hcbd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(hcbd2->content, "two", hcbd2->content_len) != 0) {
goto end;

@ -1374,7 +1374,7 @@ int DetectHttpHeaderTest25(void)
DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
DetectContentData *hhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HEADER) ||
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hhd2->flags != DETECT_CONTENT_WITHIN ||
memcmp(hhd2->content, "two", hhd2->content_len) != 0) {
goto end;
@ -1425,7 +1425,7 @@ int DetectHttpHeaderTest26(void)
DetectContentData *hhd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
DetectPcreData *pd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
if (pd2->flags != (DETECT_PCRE_RELATIVE | DETECT_PCRE_HEADER) ||
if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
hhd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hhd1->content, "two", hhd1->content_len) != 0) {
goto end;
@ -1476,7 +1476,7 @@ int DetectHttpHeaderTest27(void)
DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
DetectContentData *hhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HEADER) ||
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hhd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(hhd2->content, "two", hhd2->content_len) != 0) {
goto end;

@ -1912,7 +1912,7 @@ int DetectHttpHHTest34(void)
DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
DetectContentData *hhhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_HOST) ||
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hhhd2->flags != (DETECT_CONTENT_WITHIN) ||
memcmp(hhhd2->content, "two", hhhd2->content_len) != 0) {
goto end;
@ -1963,7 +1963,7 @@ int DetectHttpHHTest35(void)
DetectContentData *hhhd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
DetectPcreData *pd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
if (pd2->flags != (DETECT_PCRE_RELATIVE | DETECT_PCRE_HTTP_HOST) ||
if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
memcmp(hhhd1->content, "two", hhhd1->content_len) != 0) {
goto end;
@ -2014,7 +2014,7 @@ int DetectHttpHHTest36(void)
DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
DetectContentData *hhhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_HOST) ||
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hhhd2->flags != (DETECT_CONTENT_DISTANCE) ||
memcmp(hhhd2->content, "two", hhhd2->content_len) != 0) {
goto end;

@ -1908,7 +1908,7 @@ int DetectHttpHRHTest34(void)
DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *hrhhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_RAW_HOST | DETECT_PCRE_CASELESS) ||
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_CASELESS) ||
hrhhd2->flags != (DETECT_CONTENT_WITHIN) ||
memcmp(hrhhd2->content, "two", hrhhd2->content_len) != 0) {
goto end;
@ -1959,7 +1959,7 @@ int DetectHttpHRHTest35(void)
DetectContentData *hrhhd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectPcreData *pd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
if (pd2->flags != (DETECT_PCRE_RELATIVE | DETECT_PCRE_HTTP_RAW_HOST | DETECT_PCRE_CASELESS) ||
if (pd2->flags != (DETECT_PCRE_RELATIVE | DETECT_PCRE_CASELESS) ||
hrhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
memcmp(hrhhd1->content, "two", hrhhd1->content_len) != 0) {
goto end;
@ -2010,7 +2010,7 @@ int DetectHttpHRHTest36(void)
DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx;
DetectContentData *hrhhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_RAW_HOST | DETECT_PCRE_CASELESS) ||
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_CASELESS) ||
hrhhd2->flags != (DETECT_CONTENT_DISTANCE) ||
memcmp(hrhhd2->content, "two", hrhhd2->content_len) != 0) {
goto end;

@ -1372,7 +1372,7 @@ int DetectHttpRawHeaderTest25(void)
DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
DetectContentData *hhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_RAW_HEADER) ||
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hhd2->flags != DETECT_CONTENT_WITHIN ||
memcmp(hhd2->content, "two", hhd2->content_len) != 0) {
goto end;
@ -1423,7 +1423,7 @@ int DetectHttpRawHeaderTest26(void)
DetectContentData *hhd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
DetectPcreData *pd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
if (pd2->flags != (DETECT_PCRE_RELATIVE | DETECT_PCRE_RAW_HEADER) ||
if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
hhd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hhd1->content, "two", hhd1->content_len) != 0) {
goto end;
@ -1474,7 +1474,7 @@ int DetectHttpRawHeaderTest27(void)
DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
DetectContentData *hhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_RAW_HEADER) ||
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hhd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(hhd2->content, "two", hhd2->content_len) != 0) {
goto end;

@ -2244,7 +2244,7 @@ int DetectHttpServerBodyTest34(void)
DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->prev->ctx;
DetectContentData *hsbd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_SERVER_BODY) ||
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hsbd2->flags != DETECT_CONTENT_WITHIN ||
memcmp(hsbd2->content, "two", hsbd2->content_len) != 0) {
goto end;
@ -2295,7 +2295,7 @@ int DetectHttpServerBodyTest35(void)
DetectContentData *hsbd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->prev->ctx;
DetectPcreData *pd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx;
if (pd2->flags != (DETECT_PCRE_RELATIVE | DETECT_PCRE_HTTP_SERVER_BODY) ||
if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hsbd1->content, "two", hsbd1->content_len) != 0) {
goto end;
@ -2346,7 +2346,7 @@ int DetectHttpServerBodyTest36(void)
DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->prev->ctx;
DetectContentData *hsbd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_SERVER_BODY) ||
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hsbd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(hsbd2->content, "two", hsbd2->content_len) != 0) {
goto end;

@ -1916,7 +1916,7 @@ int DetectHttpUATest34(void)
DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
DetectContentData *huad2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_USER_AGENT) ||
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
huad2->flags != DETECT_CONTENT_WITHIN ||
memcmp(huad2->content, "two", huad2->content_len) != 0) {
goto end;
@ -1967,7 +1967,7 @@ int DetectHttpUATest35(void)
DetectContentData *huad1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
DetectPcreData *pd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
if (pd2->flags != (DETECT_PCRE_RELATIVE | DETECT_PCRE_HTTP_USER_AGENT) ||
if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
huad1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(huad1->content, "two", huad1->content_len) != 0) {
goto end;
@ -2018,7 +2018,7 @@ int DetectHttpUATest36(void)
DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
DetectContentData *huad2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_USER_AGENT) ||
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
huad2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(huad2->content, "two", huad2->content_len) != 0) {
goto end;

@ -264,7 +264,15 @@ int DetectPcrePayloadMatch(DetectEngineThreadCtx *det_ctx, Signature *s,
SCReturnInt(ret);
}
DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr)
static int DetectPcreSetList(int list, int set) {
if (list != DETECT_SM_LIST_NOTSET) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "only one pcre option to specify a buffer type is allowed");
return -1;
}
return set;
}
static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr, int *sm_list)
{
int ec;
const char *eb;
@ -354,21 +362,13 @@ DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr)
opts |= PCRE_EXTENDED;
break;
case 'O':
pd->flags |= DETECT_PCRE_MATCH_LIMIT;
break;
case 'B': /* snort's option */
if (pd->flags & DETECT_PCRE_URI) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'B' inconsistent with 'U'");
goto error;
}
if (pd->flags & DETECT_PCRE_HEADER) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'B' inconsistent with 'H'");
goto error;
}
if (pd->flags & DETECT_PCRE_COOKIE) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'B' inconsistent with 'C'");
goto error;
}
if (pd->flags & DETECT_PCRE_METHOD) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'B' inconsistent with 'M'");
if (*sm_list != DETECT_SM_LIST_NOTSET) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'B' inconsistent with chosen buffer");
goto error;
}
pd->flags |= DETECT_PCRE_RAWBYTES;
@ -376,99 +376,83 @@ DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr)
case 'R': /* snort's option */
pd->flags |= DETECT_PCRE_RELATIVE;
break;
/* buffer selection */
case 'U': /* snort's option */
if (pd->flags & DETECT_PCRE_HTTP_RAW_URI) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'U' inconsistent with 'I'");
goto error;
}
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'U' inconsistent with 'B'");
goto error;
}
pd->flags |= DETECT_PCRE_URI;
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_UMATCH);
break;
case 'V':
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'V' inconsistent with 'B'");
goto error;
}
pd->flags |= DETECT_PCRE_HTTP_USER_AGENT;
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HUADMATCH);
break;
case 'W':
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'W' inconsistent with 'B'");
goto error;
}
pd->flags |= DETECT_PCRE_HTTP_HOST;
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HHHDMATCH);
break;
case 'Z':
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'Z' inconsistent with 'B'");
goto error;
}
pd->flags |= DETECT_PCRE_HTTP_RAW_HOST;
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HRHHDMATCH);
break;
case 'H': /* snort's option */
if (pd->flags & DETECT_PCRE_RAW_HEADER) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'H' inconsistent with 'D'");
goto error;
}
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'H' inconsistent with 'B'");
goto error;
}
pd->flags |= DETECT_PCRE_HEADER;
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HHDMATCH);
break;
case 'I': /* snort's option */
if (pd->flags & DETECT_PCRE_URI) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'I' inconsistent with 'U'");
goto error;
}
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'I' inconsistent with 'B'");
goto error;
}
pd->flags |= DETECT_PCRE_HTTP_RAW_URI;
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HRUDMATCH);
break;
case 'D': /* snort's option */
if (pd->flags & DETECT_PCRE_HEADER) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'D' inconsistent with 'H'");
goto error;
}
pd->flags |= DETECT_PCRE_RAW_HEADER;
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HRHDMATCH);
break;
case 'M': /* snort's option */
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'M' inconsistent with 'B'");
goto error;
}
pd->flags |= DETECT_PCRE_METHOD;
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HMDMATCH);
break;
case 'C': /* snort's option */
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'C' inconsistent with 'B'");
goto error;
}
pd->flags |= DETECT_PCRE_COOKIE;
break;
case 'O':
pd->flags |= DETECT_PCRE_MATCH_LIMIT;
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HCDMATCH);
break;
case 'P':
/* snort's option (http request body inspection) */
pd->flags |= DETECT_PCRE_HTTP_CLIENT_BODY;
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HCBDMATCH);
break;
case 'Q':
/* suricata extension (http response body inspection) */
pd->flags |= DETECT_PCRE_HTTP_SERVER_BODY;
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HSBDMATCH);
break;
case 'Y':
/* snort's option */
pd->flags |= DETECT_PCRE_HTTP_STAT_MSG;
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HSMDMATCH);
break;
case 'S':
/* snort's option */
pd->flags |= DETECT_PCRE_HTTP_STAT_CODE;
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HSCDMATCH);
break;
default:
SCLogError(SC_ERR_UNKNOWN_REGEX_MOD, "unknown regex modifier '%c'", *op);
@ -477,10 +461,13 @@ DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr)
op++;
}
}
if (*sm_list == -1)
goto error;
SCLogDebug("DetectPcreParse: \"%s\"", re);
if (pd->flags & DETECT_PCRE_HTTP_HOST) {
/* host header */
if (*sm_list == DETECT_SM_LIST_HHHDMATCH) {
if (pd->flags & DETECT_PCRE_CASELESS) {
SCLogWarning(SC_ERR_INVALID_SIGNATURE, "http host pcre(\"W\") "
"specified along with \"i(caseless)\" modifier. "
@ -541,13 +528,11 @@ DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr)
}
#endif /*PCRE_HAVE_JIT*/
if(pd->sd == NULL)
if (pd->sd == NULL)
pd->sd = (pcre_extra *) SCCalloc(1,sizeof(pcre_extra));
if(pd->sd) {
if (pd->sd) {
if(pd->flags & DETECT_PCRE_MATCH_LIMIT) {
if(pcre_match_limit >= -1) {
pd->sd->match_limit = pcre_match_limit;
pd->sd->flags |= PCRE_EXTRA_MATCH_LIMIT;
@ -558,9 +543,7 @@ DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr)
pd->sd->flags |= PCRE_EXTRA_MATCH_LIMIT_RECURSION;
}
#endif /* NO_PCRE_MATCH_RLIMIT */
}
else {
} else {
pd->sd->match_limit = SC_MATCH_LIMIT_DEFAULT;
pd->sd->flags |= PCRE_EXTRA_MATCH_LIMIT;
#ifndef NO_PCRE_MATCH_RLIMIT
@ -568,7 +551,6 @@ DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr)
pd->sd->flags |= PCRE_EXTRA_MATCH_LIMIT_RECURSION;
#endif /* NO_PCRE_MATCH_RLIMIT */
}
} else {
goto error;
}
@ -658,26 +640,28 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
DetectPcreData *pd = NULL;
SigMatch *sm = NULL;
int ret = -1;
int parsed_sm_list = DETECT_SM_LIST_NOTSET;
pd = DetectPcreParse(de_ctx, regexstr);
pd = DetectPcreParse(de_ctx, regexstr, &parsed_sm_list);
if (pd == NULL)
goto error;
if (DetectPcreParseCapture(regexstr, de_ctx, pd) < 0)
goto error;
if ((pd->flags & DETECT_PCRE_URI) ||
(pd->flags & DETECT_PCRE_METHOD) ||
(pd->flags & DETECT_PCRE_HEADER) ||
(pd->flags & DETECT_PCRE_RAW_HEADER) ||
(pd->flags & DETECT_PCRE_COOKIE) ||
(pd->flags & DETECT_PCRE_HTTP_STAT_MSG) ||
(pd->flags & DETECT_PCRE_HTTP_STAT_CODE) ||
(pd->flags & DETECT_PCRE_HTTP_CLIENT_BODY) ||
(pd->flags & DETECT_PCRE_HTTP_SERVER_BODY) ||
(pd->flags & DETECT_PCRE_HTTP_RAW_URI) ||
(pd->flags & DETECT_PCRE_HTTP_USER_AGENT) ||
(pd->flags & DETECT_PCRE_HTTP_HOST) ||
(pd->flags & DETECT_PCRE_HTTP_RAW_HOST)) {
if (parsed_sm_list == DETECT_SM_LIST_UMATCH ||
parsed_sm_list == DETECT_SM_LIST_HRUDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HCBDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HSBDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HHDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HRHDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HSMDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HSCDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HHHDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HRHHDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HMDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HCDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HUADMATCH)
{
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
"Conflicting alprotos detected for this rule. Http "
@ -693,7 +677,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
}
}
int sm_list;
int sm_list = -1;
if (s->list != DETECT_SM_LIST_NOTSET) {
if (s->list == DETECT_SM_LIST_HSBDMATCH) {
SCLogDebug("adding to http server body list because of file data");
@ -705,72 +689,44 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
}
s->flags |= SIG_FLAG_APPLAYER;
sm_list = s->list;
} else if (pd->flags & DETECT_PCRE_URI) {
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = DETECT_SM_LIST_UMATCH;
} else if (pd->flags & DETECT_PCRE_HTTP_RAW_URI) {
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = DETECT_SM_LIST_HRUDMATCH;
} else if (pd->flags & DETECT_PCRE_HEADER) {
SCLogDebug("Header inspection modifier set");
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = DETECT_SM_LIST_HHDMATCH;
} else if (pd->flags & DETECT_PCRE_RAW_HEADER) {
SCLogDebug("Raw header inspection modifier set");
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = DETECT_SM_LIST_HRHDMATCH;
} else if (pd->flags & DETECT_PCRE_HTTP_CLIENT_BODY) {
SCLogDebug("Request body inspection modifier set");
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
AppLayerHtpEnableRequestBodyCallback();
sm_list = DETECT_SM_LIST_HCBDMATCH;
} else if (pd->flags & DETECT_PCRE_HTTP_SERVER_BODY) {
SCLogDebug("Response body inspection modifier set");
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = DETECT_SM_LIST_HSBDMATCH;
AppLayerHtpEnableResponseBodyCallback();
} else if (pd->flags & DETECT_PCRE_HTTP_HOST) {
SCLogDebug("Host inspection modifier set on pcre");
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = DETECT_SM_LIST_HHHDMATCH;
} else if (pd->flags & DETECT_PCRE_HTTP_RAW_HOST) {
SCLogDebug("Raw Host inspection modifier set on pcre");
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = DETECT_SM_LIST_HRHHDMATCH;
} else if (pd->flags & DETECT_PCRE_HTTP_STAT_MSG) {
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = DETECT_SM_LIST_HSMDMATCH;
} else if (pd->flags & DETECT_PCRE_HTTP_STAT_CODE) {
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = DETECT_SM_LIST_HSCDMATCH;
} else if (pd->flags & DETECT_PCRE_COOKIE) {
SCLogDebug("Cookie inspection modifier set");
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = DETECT_SM_LIST_HCDMATCH;
} else if (pd->flags & DETECT_PCRE_METHOD) {
SCLogDebug("Method inspection modifier set");
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = DETECT_SM_LIST_HMDMATCH;
} else if (pd->flags & DETECT_PCRE_HTTP_USER_AGENT) {
SCLogDebug("User-Agent inspection modifier set on pcre");
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = DETECT_SM_LIST_HUADMATCH;
} else {
sm_list = DETECT_SM_LIST_PMATCH;
switch(parsed_sm_list) {
case DETECT_SM_LIST_HCBDMATCH:
AppLayerHtpEnableRequestBodyCallback();
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = parsed_sm_list;
break;
case DETECT_SM_LIST_HSBDMATCH:
AppLayerHtpEnableResponseBodyCallback();
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = parsed_sm_list;
break;
case DETECT_SM_LIST_UMATCH:
case DETECT_SM_LIST_HRUDMATCH:
case DETECT_SM_LIST_HHDMATCH:
case DETECT_SM_LIST_HRHDMATCH:
case DETECT_SM_LIST_HHHDMATCH:
case DETECT_SM_LIST_HRHHDMATCH:
case DETECT_SM_LIST_HSMDMATCH:
case DETECT_SM_LIST_HSCDMATCH:
case DETECT_SM_LIST_HCDMATCH:
case DETECT_SM_LIST_HMDMATCH:
case DETECT_SM_LIST_HUADMATCH:
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = parsed_sm_list;
break;
case DETECT_SM_LIST_NOTSET:
sm_list = DETECT_SM_LIST_PMATCH;
break;
}
}
if (sm_list == -1)
goto error;
sm = SigMatchAlloc();
if (sm == NULL)
@ -836,11 +792,12 @@ static int DetectPcreParseTest01 (void)
int result = 1;
DetectPcreData *pd = NULL;
char *teststring = "/blah/7";
int list = DETECT_SM_LIST_NOTSET;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
return 0;
pd = DetectPcreParse(de_ctx, teststring);
pd = DetectPcreParse(de_ctx, teststring, &list);
if (pd != NULL) {
printf("expected NULL: got %p", pd);
result = 0;
@ -859,11 +816,12 @@ static int DetectPcreParseTest02 (void)
int result = 1;
DetectPcreData *pd = NULL;
char *teststring = "/blah/Ui$";
int list = DETECT_SM_LIST_NOTSET;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
return 0;
pd = DetectPcreParse(de_ctx, teststring);
pd = DetectPcreParse(de_ctx, teststring, &list);
if (pd != NULL) {
printf("expected NULL: got %p", pd);
result = 0;
@ -881,11 +839,12 @@ static int DetectPcreParseTest03 (void)
int result = 1;
DetectPcreData *pd = NULL;
char *teststring = "/blah/UNi";
int list = DETECT_SM_LIST_NOTSET;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
return 0;
pd = DetectPcreParse(de_ctx, teststring);
pd = DetectPcreParse(de_ctx, teststring, &list);
if (pd != NULL) {
printf("expected NULL: got %p", pd);
result = 0;
@ -903,11 +862,12 @@ static int DetectPcreParseTest04 (void)
int result = 1;
DetectPcreData *pd = NULL;
char *teststring = "/b\\\"lah/i";
int list = DETECT_SM_LIST_NOTSET;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
return 0;
pd = DetectPcreParse(de_ctx, teststring);
pd = DetectPcreParse(de_ctx, teststring, &list);
if (pd == NULL) {
printf("expected %p: got NULL", pd);
result = 0;
@ -926,11 +886,12 @@ static int DetectPcreParseTest05 (void)
int result = 1;
DetectPcreData *pd = NULL;
char *teststring = "/b(l|a)h/";
int list = DETECT_SM_LIST_NOTSET;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
return 0;
pd = DetectPcreParse(de_ctx, teststring);
pd = DetectPcreParse(de_ctx, teststring, &list);
if (pd == NULL) {
printf("expected %p: got NULL", pd);
result = 0;
@ -949,11 +910,12 @@ static int DetectPcreParseTest06 (void)
int result = 1;
DetectPcreData *pd = NULL;
char *teststring = "/b(l|a)h/smi";
int list = DETECT_SM_LIST_NOTSET;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
return 0;
pd = DetectPcreParse(de_ctx, teststring);
pd = DetectPcreParse(de_ctx, teststring, &list);
if (pd == NULL) {
printf("expected %p: got NULL", pd);
result = 0;
@ -972,11 +934,12 @@ static int DetectPcreParseTest07 (void)
int result = 1;
DetectPcreData *pd = NULL;
char *teststring = "/blah/Ui";
int list = DETECT_SM_LIST_NOTSET;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
return 0;
pd = DetectPcreParse(de_ctx, teststring);
pd = DetectPcreParse(de_ctx, teststring, &list);
if (pd == NULL) {
printf("expected %p: got NULL", pd);
result = 0;
@ -995,11 +958,12 @@ static int DetectPcreParseTest08 (void)
int result = 1;
DetectPcreData *pd = NULL;
char *teststring = "/b(l|a)h/O";
int list = DETECT_SM_LIST_NOTSET;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
return 0;
pd = DetectPcreParse(de_ctx, teststring);
pd = DetectPcreParse(de_ctx, teststring, &list);
if (pd == NULL) {
printf("expected %p: got NULL", pd);
result = 0;
@ -1019,11 +983,12 @@ static int DetectPcreParseTest09 (void)
int result = 1;
DetectPcreData *pd = NULL;
char *teststring = "/lala\\\\/";
int list = DETECT_SM_LIST_NOTSET;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
return 0;
pd = DetectPcreParse(de_ctx, teststring);
pd = DetectPcreParse(de_ctx, teststring, &list);
if (pd == NULL) {
printf("expected %p: got NULL", pd);
result = 0;
@ -1098,8 +1063,7 @@ int DetectPcreParseTest11(void)
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE);
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
if (data->flags & DETECT_PCRE_RAWBYTES ||
!(data->flags & DETECT_PCRE_RELATIVE) ||
data->flags & DETECT_PCRE_URI) {
!(data->flags & DETECT_PCRE_RELATIVE)) {
result = 0;
goto end;
}
@ -1121,8 +1085,7 @@ int DetectPcreParseTest11(void)
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE);
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
if (data->flags & DETECT_PCRE_RAWBYTES ||
!(data->flags & DETECT_PCRE_RELATIVE) ||
data->flags & DETECT_PCRE_URI) {
!(data->flags & DETECT_PCRE_RELATIVE)) {
result = 0;
goto end;
}
@ -1144,8 +1107,7 @@ int DetectPcreParseTest11(void)
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE);
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
if (!(data->flags & DETECT_PCRE_RAWBYTES) ||
!(data->flags & DETECT_PCRE_RELATIVE) ||
data->flags & DETECT_PCRE_URI) {
!(data->flags & DETECT_PCRE_RELATIVE)) {
result = 0;
goto end;
}
@ -1207,8 +1169,7 @@ static int DetectPcreParseTest12(void)
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx;
if (data->flags & DETECT_PCRE_RAWBYTES ||
!(data->flags & DETECT_PCRE_RELATIVE) ||
data->flags & DETECT_PCRE_URI) {
!(data->flags & DETECT_PCRE_RELATIVE)) {
printf("flags not right: ");
goto end;
}
@ -1257,8 +1218,7 @@ static int DetectPcreParseTest13(void)
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx;
if (data->flags & DETECT_PCRE_RAWBYTES ||
!(data->flags & DETECT_PCRE_RELATIVE) ||
data->flags & DETECT_PCRE_URI) {
!(data->flags & DETECT_PCRE_RELATIVE)) {
printf("flags not right: ");
goto end;
}
@ -1307,8 +1267,7 @@ static int DetectPcreParseTest14(void)
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx;
if (data->flags & DETECT_PCRE_RAWBYTES ||
data->flags & DETECT_PCRE_RELATIVE ||
data->flags & DETECT_PCRE_URI) {
data->flags & DETECT_PCRE_RELATIVE) {
printf("flags not right: ");
goto end;
}
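Review bot: Rejection of rawbytes combined with a buffer modifier now depends on the order of the modifiers in DetectPcreParse. The new 'B' case errors whenever `*sm_list` is already set, but the 'D', 'P', 'Q', 'Y' and 'S' cases show no `DETECT_PCRE_RAWBYTES` check, so (reading the rendered lines, which have lost their +/- markers) 'B' followed by one of those appears to be accepted while the reverse order is refused. A single check after the modifier loop, next to `if (*sm_list == -1) goto error;`, would make this symmetric: test `(pd->flags & DETECT_PCRE_RAWBYTES) && *sm_list != DETECT_SM_LIST_NOTSET`, log with SCLogError and `goto error`. For a rule parser this matters because an inconsistent rule that loads without error may not inspect the data its author intended. The function body continues outside these hunks.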

@ -26,38 +26,19 @@
#define DETECT_PCRE_RELATIVE 0x00001
#define DETECT_PCRE_RAWBYTES 0x00002
#define DETECT_PCRE_URI 0x00004
#define DETECT_PCRE_CASELESS 0x00004
#define DETECT_PCRE_CAPTURE_PKT 0x00008
#define DETECT_PCRE_CAPTURE_FLOW 0x00010
#define DETECT_PCRE_MATCH_LIMIT 0x00020
#define DETECT_PCRE_HTTP_CLIENT_BODY 0x00040
#define DETECT_PCRE_HTTP_SERVER_BODY 0x00080
#define DETECT_PCRE_RELATIVE_NEXT 0x00100
/* new modifiers 2.8.5.3 support */
#define DETECT_PCRE_HEADER 0x00200
#define DETECT_PCRE_RAW_HEADER 0x00400
#define DETECT_PCRE_COOKIE 0x00800
#define DETECT_PCRE_METHOD 0x01000
#define DETECT_PCRE_HTTP_RAW_URI 0x02000
#define DETECT_PCRE_HTTP_STAT_MSG 0x04000
#define DETECT_PCRE_HTTP_STAT_CODE 0x08000
#define DETECT_PCRE_HTTP_USER_AGENT 0x10000
#define DETECT_PCRE_HTTP_HOST 0x20000
#define DETECT_PCRE_HTTP_RAW_HOST 0x40000
#define DETECT_PCRE_NEGATE 0x80000
#define DETECT_PCRE_CASELESS 0x100000
#define DETECT_PCRE_RELATIVE_NEXT 0x00040
#define DETECT_PCRE_NEGATE 0x00080
typedef struct DetectPcreData_ {
/* pcre options */
pcre *re;
pcre_extra *sd;
int opts;
uint32_t flags;
uint16_t flags;
uint16_t capidx;
char *capname;
} DetectPcreData;
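Review bot: Nothing in the header ties the remaining DETECT_PCRE_* values to the new `uint16_t flags` width. The highest flag shown is `DETECT_PCRE_NEGATE 0x00080`, so it fits today, but the macros keep their five-hex-digit form and a later flag at 0x10000 or above would be truncated on assignment without a diagnostic in most builds. I would add a comment above the defines such as `/* flags are stored in DetectPcreData.flags (uint16_t): keep values <= 0x8000 */` and write the constants with four hex digits.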
