diff --git a/src/detect-byte-extract.c b/src/detect-byte-extract.c index 3d9b46427f..0020cfbce5 100644 --- a/src/detect-byte-extract.c +++ b/src/detect-byte-extract.c @@ -627,7 +627,7 @@ int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) { SigMatch *pm = SigMatchGetLastSMFromLists(s, 30, - DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], @@ -666,9 +666,8 @@ int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) } SigMatch *prev_sm = NULL; - prev_sm = SigMatchGetLastSMFromLists(s, 8, + prev_sm = SigMatchGetLastSMFromLists(s, 6, DETECT_CONTENT, sm->prev, - DETECT_URICONTENT, sm->prev, DETECT_BYTEJUMP, sm->prev, DETECT_PCRE, sm->prev); if (prev_sm == NULL) { @@ -684,7 +683,6 @@ int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) } DetectContentData *cd = NULL; - DetectContentData *ud = NULL; DetectPcreData *pe = NULL; switch (prev_sm->type) { @@ -700,18 +698,6 @@ int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) break; - case DETECT_URICONTENT: - /* Set the relative next flag on the prev sigmatch */ - ud = (DetectContentData *)prev_sm->ctx; - if (ud == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - return -1; - } - ud->flags |= DETECT_CONTENT_RELATIVE_NEXT; - - break; - case DETECT_PCRE: pe = (DetectPcreData *)prev_sm->ctx; if (pe == NULL) { @@ -1804,7 +1790,7 @@ int DetectByteExtractTest37(void) } sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; - if (sm->type != DETECT_URICONTENT) { + if (sm->type != DETECT_CONTENT) { result = 0; goto end; } @@ -1917,7 +1903,7 @@ int DetectByteExtractTest38(void) } sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; - if (sm->type != DETECT_URICONTENT) { + if (sm->type != DETECT_CONTENT) { result = 0; goto end; } @@ -2005,7 +1991,7 @@ int DetectByteExtractTest39(void) } sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; - if (sm->type != DETECT_URICONTENT) { + if (sm->type != DETECT_CONTENT) { result = 0; goto end; } @@ -2118,7 +2104,7 @@ int DetectByteExtractTest40(void) } sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; - if (sm->type != DETECT_URICONTENT) { + if (sm->type != DETECT_CONTENT) { result = 0; goto end; } @@ -2350,7 +2336,7 @@ int DetectByteExtractTest42(void) goto end; sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; - if (sm->type != DETECT_URICONTENT) { + if (sm->type != DETECT_CONTENT) { result = 0; goto end; } @@ -3912,7 +3898,7 @@ int DetectByteExtractTest56(void) } sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; - if (sm->type != DETECT_URICONTENT) { + if (sm->type != DETECT_CONTENT) { result = 0; goto end; } @@ -4092,7 +4078,7 @@ int DetectByteExtractTest57(void) goto end; sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; - if (sm->type != DETECT_URICONTENT) { + if (sm->type != DETECT_CONTENT) { result = 0; goto end; } @@ -4166,7 +4152,7 @@ int DetectByteExtractTest57(void) } sm = sm->next; - if (sm->type != DETECT_URICONTENT) { + if (sm->type != DETECT_CONTENT) { result = 0; goto end; } @@ -4566,7 +4552,7 @@ int DetectByteExtractTest60(void) } sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; - if (sm->type != DETECT_URICONTENT) { + if (sm->type != DETECT_CONTENT) { result = 0; goto end; } @@ -4696,7 +4682,7 @@ int DetectByteExtractTest61(void) } sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; - if (sm->type != DETECT_URICONTENT) { + if (sm->type != DETECT_CONTENT) { result = 0; goto end; } diff --git a/src/detect-bytejump.c b/src/detect-bytejump.c index 94856b034a..63178c9ae1 100644 --- a/src/detect-bytejump.c +++ b/src/detect-bytejump.c @@ -632,9 +632,8 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) } SigMatch *prev_sm = NULL; - prev_sm = SigMatchGetLastSMFromLists(s, 8, + prev_sm = SigMatchGetLastSMFromLists(s, 6, DETECT_CONTENT, sm->prev, - DETECT_URICONTENT, sm->prev, DETECT_BYTEJUMP, sm->prev, DETECT_PCRE, sm->prev); if (prev_sm == NULL) { @@ -650,7 +649,6 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) } DetectContentData *cd = NULL; - DetectContentData *ud = NULL; DetectPcreData *pe = NULL; switch (prev_sm->type) { @@ -666,18 +664,6 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) break; - case DETECT_URICONTENT: - /* Set the relative next flag on the prev sigmatch */ - ud = (DetectContentData *)prev_sm->ctx; - if (ud == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - return -1; - } - ud->flags |= DETECT_CONTENT_RELATIVE_NEXT; - - break; - case DETECT_PCRE: pe = (DetectPcreData *)prev_sm->ctx; if (pe == NULL) { diff --git a/src/detect-bytetest.c b/src/detect-bytetest.c index 1ccd88cc9b..57e995cc42 100644 --- a/src/detect-bytetest.c +++ b/src/detect-bytetest.c @@ -571,9 +571,8 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) } SigMatch *prev_sm = NULL; - prev_sm = SigMatchGetLastSMFromLists(s, 8, + prev_sm = SigMatchGetLastSMFromLists(s, 6, DETECT_CONTENT, sm->prev, - DETECT_URICONTENT, sm->prev, DETECT_BYTEJUMP, sm->prev, DETECT_PCRE, sm->prev); if (prev_sm == NULL) { @@ -589,7 +588,6 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) } DetectContentData *cd = NULL; - DetectContentData *ud = NULL; DetectPcreData *pe = NULL; switch (prev_sm->type) { @@ -605,18 +603,6 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) break; - case DETECT_URICONTENT: - /* Set the relative next flag on the prev sigmatch */ - ud = (DetectContentData *)prev_sm->ctx; - if (ud == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - return -1; - } - ud->flags |= DETECT_CONTENT_RELATIVE_NEXT; - - break; - case DETECT_PCRE: pe = (DetectPcreData *)prev_sm->ctx; if (pe == NULL) { diff --git a/src/detect-depth.c b/src/detect-depth.c index 36e02f6a23..6fc6c99a38 100644 --- a/src/detect-depth.c +++ b/src/detect-depth.c @@ -58,7 +58,6 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths char dubbed = 0; SigMatch *pm = NULL; DetectContentData *cd = NULL; - DetectContentData *ud = NULL; /* strip "'s */ if (depthstr[0] == '\"' && depthstr[strlen(depthstr) - 1] == '\"') { @@ -88,7 +87,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths default: pm = SigMatchGetLastSMFromLists(s, 22, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], @@ -115,55 +114,6 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths /* i swear we will clean this up :). Use a single version for all. Using * separate versions for all now, to avoiding breaking any code */ switch (pm->type) { - case DETECT_URICONTENT: - ud = (DetectContentData *)pm->ctx; - if (ud == NULL) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument"); - if (dubbed) - SCFree(str); - return -1; - } - - if (ud->flags & DETECT_CONTENT_NEGATED) { - if (ud->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in depth - %s\n", str); - goto error; - } - ud->depth = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - ud->flags |= DETECT_CONTENT_DEPTH_BE; - } else { - ud->depth = (uint32_t)atoi(str); - if (ud->depth < ud->content_len) { - ud->depth = ud->content_len; - SCLogDebug("depth increased to %"PRIu32" to match pattern len ", - ud->depth); - } - /* Now update the real limit, as depth is relative to the offset */ - ud->depth += ud->offset; - } - - ud->flags |= DETECT_CONTENT_DEPTH; - - break; - case DETECT_CONTENT: cd = (DetectContentData *)pm->ctx; if (cd == NULL) { diff --git a/src/detect-distance.c b/src/detect-distance.c index 1e146c4db7..63ed3c92de 100644 --- a/src/detect-distance.c +++ b/src/detect-distance.c @@ -162,7 +162,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, } else { pm = SigMatchGetLastSMFromLists(s, 22, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], @@ -184,107 +184,10 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, } } - DetectContentData *ud = NULL; DetectContentData *cd = NULL; DetectPcreData *pe = NULL; switch (pm->type) { - case DETECT_URICONTENT: - ud = (DetectContentData *)pm->ctx; - if (ud == NULL) { - SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two " - "preceeding content or uricontent options"); - goto error; - } - - if (ud->flags & DETECT_CONTENT_NEGATED) { - if (ud->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in distance - %s\n", str); - goto error; - } - ud->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - ud->flags |= DETECT_CONTENT_DISTANCE_BE; - } else { - ud->distance = strtol(str, NULL, 10); - } - - ud->flags |= DETECT_CONTENT_DISTANCE; - - pm = SigMatchGetLastSMFromLists(s, 6, - DETECT_URICONTENT, pm->prev, - DETECT_PCRE, pm->prev, - DETECT_BYTEJUMP, pm->prev); - if (pm == NULL) { - SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two " - "preceeding content or uricontent options"); - goto error; - } - - switch (pm->type) { - case DETECT_URICONTENT: - /* Set the relative next flag on the prev sigmatch */ - ud = (DetectContentData *)pm->ctx; - if (ud == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - goto error; - } - ud->flags |= DETECT_CONTENT_RELATIVE_NEXT; - - if (ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword " - "has a fast_pattern:only; set. You can't " - "have relative keywords around a fast_pattern " - "only content"); - goto error; - } - - break; - - case DETECT_PCRE: - pe = (DetectPcreData *) pm->ctx; - if (pe == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - goto error; - } - pe->flags |= DETECT_PCRE_RELATIVE_NEXT; - - break; - - case DETECT_BYTEJUMP: - SCLogDebug("No setting relative_next for bytejump. We " - "have no use for it"); - - break; - - default: - /* this will never hit */ - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - break; - } - - break; - case DETECT_CONTENT: cd = (DetectContentData *)pm->ctx; if (cd == NULL) { diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c index 6bc2d29661..f48160aadf 100644 --- a/src/detect-engine-content-inspection.c +++ b/src/detect-engine-content-inspection.c @@ -108,7 +108,6 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx /* \todo unify this which is phase 2 of payload inspection unification */ if (sm->type == DETECT_CONTENT || - sm->type == DETECT_URICONTENT || sm->type == DETECT_AL_HTTP_RAW_URI || sm->type == DETECT_AL_HTTP_HEADER || sm->type == DETECT_AL_HTTP_RAW_HEADER || diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index 9d4cc45f6c..26d7d6049a 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -1040,12 +1040,16 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, return; } + int sm_list = SigMatchListSMBelongsTo(s, mpm_sm); + if (sm_list == -1) + BUG_ON(SigMatchListSMBelongsTo(s, mpm_sm) == -1); + uint8_t flags = 0; DetectContentData *cd = NULL; - switch (mpm_sm->type) { - case DETECT_CONTENT: + switch (sm_list) { + case DETECT_SM_LIST_PMATCH: { cd = (DetectContentData *)mpm_sm->ctx; if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) { @@ -1240,86 +1244,86 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, break; } /* case DETECT_CONTENT */ - case DETECT_URICONTENT: - case DETECT_AL_HTTP_RAW_URI: - case DETECT_AL_HTTP_CLIENT_BODY: - case DETECT_AL_HTTP_SERVER_BODY: - case DETECT_AL_HTTP_HEADER: - case DETECT_AL_HTTP_RAW_HEADER: - case DETECT_AL_HTTP_METHOD: - case DETECT_AL_HTTP_COOKIE: - case DETECT_AL_HTTP_STAT_MSG: - case DETECT_AL_HTTP_STAT_CODE: + case DETECT_SM_LIST_UMATCH: + case DETECT_SM_LIST_HRUDMATCH: + case DETECT_SM_LIST_HCBDMATCH: + case DETECT_SM_LIST_HSBDMATCH: + case DETECT_SM_LIST_HHDMATCH: + case DETECT_SM_LIST_HRHDMATCH: + case DETECT_SM_LIST_HMDMATCH: + case DETECT_SM_LIST_HCDMATCH: + case DETECT_SM_LIST_HSMDMATCH: + case DETECT_SM_LIST_HSCDMATCH: { MpmCtx *mpm_ctx_ts = NULL; MpmCtx *mpm_ctx_tc = NULL; uint32_t sgh_flags = 0; uint32_t cd_flags = 0; - if (mpm_sm->type == DETECT_URICONTENT) { + if (sm_list == DETECT_SM_LIST_UMATCH) { if (s->flags & SIG_FLAG_TOSERVER) mpm_ctx_ts = sgh->mpm_uri_ctx_ts; if (s->flags & SIG_FLAG_TOCLIENT) mpm_ctx_tc = sgh->mpm_uri_ctx_tc; sgh_flags = SIG_GROUP_HEAD_MPM_URI; cd_flags = DETECT_CONTENT_URI_MPM; - } else if (mpm_sm->type == DETECT_AL_HTTP_CLIENT_BODY) { + } else if (sm_list == DETECT_SM_LIST_HCBDMATCH) { if (s->flags & SIG_FLAG_TOSERVER) mpm_ctx_ts = sgh->mpm_hcbd_ctx_ts; if (s->flags & SIG_FLAG_TOCLIENT) mpm_ctx_tc = sgh->mpm_hcbd_ctx_tc; sgh_flags = SIG_GROUP_HEAD_MPM_HCBD; cd_flags = DETECT_CONTENT_HCBD_MPM; - } else if (mpm_sm->type == DETECT_AL_HTTP_SERVER_BODY) { + } else if (sm_list == DETECT_SM_LIST_HSBDMATCH) { if (s->flags & SIG_FLAG_TOSERVER) mpm_ctx_ts = sgh->mpm_hsbd_ctx_ts; if (s->flags & SIG_FLAG_TOCLIENT) mpm_ctx_tc = sgh->mpm_hsbd_ctx_tc; sgh_flags = SIG_GROUP_HEAD_MPM_HSBD; cd_flags = DETECT_CONTENT_HSBD_MPM; - } else if (mpm_sm->type == DETECT_AL_HTTP_HEADER) { + } else if (sm_list == DETECT_SM_LIST_HHDMATCH) { if (s->flags & SIG_FLAG_TOSERVER) mpm_ctx_ts = sgh->mpm_hhd_ctx_ts; if (s->flags & SIG_FLAG_TOCLIENT) mpm_ctx_tc = sgh->mpm_hhd_ctx_tc; sgh_flags = SIG_GROUP_HEAD_MPM_HHD; cd_flags = DETECT_CONTENT_HHD_MPM; - } else if (mpm_sm->type == DETECT_AL_HTTP_RAW_HEADER) { + } else if (sm_list == DETECT_SM_LIST_HRHDMATCH) { if (s->flags & SIG_FLAG_TOSERVER) mpm_ctx_ts = sgh->mpm_hrhd_ctx_ts; if (s->flags & SIG_FLAG_TOCLIENT) mpm_ctx_tc = sgh->mpm_hrhd_ctx_tc; sgh_flags = SIG_GROUP_HEAD_MPM_HRHD; cd_flags = DETECT_CONTENT_HRHD_MPM; - } else if (mpm_sm->type == DETECT_AL_HTTP_METHOD) { + } else if (sm_list == DETECT_SM_LIST_HMDMATCH) { if (s->flags & SIG_FLAG_TOSERVER) mpm_ctx_ts = sgh->mpm_hmd_ctx_ts; if (s->flags & SIG_FLAG_TOCLIENT) mpm_ctx_tc = sgh->mpm_hmd_ctx_tc; sgh_flags = SIG_GROUP_HEAD_MPM_HMD; cd_flags = DETECT_CONTENT_HMD_MPM; - } else if (mpm_sm->type == DETECT_AL_HTTP_COOKIE) { + } else if (sm_list == DETECT_SM_LIST_HCDMATCH) { if (s->flags & SIG_FLAG_TOSERVER) mpm_ctx_ts = sgh->mpm_hcd_ctx_ts; if (s->flags & SIG_FLAG_TOCLIENT) mpm_ctx_tc = sgh->mpm_hcd_ctx_tc; sgh_flags = SIG_GROUP_HEAD_MPM_HCD; cd_flags = DETECT_CONTENT_HCD_MPM; - } else if (mpm_sm->type == DETECT_AL_HTTP_RAW_URI) { + } else if (sm_list == DETECT_SM_LIST_HRUDMATCH) { if (s->flags & SIG_FLAG_TOSERVER) mpm_ctx_ts = sgh->mpm_hrud_ctx_ts; if (s->flags & SIG_FLAG_TOCLIENT) mpm_ctx_tc = sgh->mpm_hrud_ctx_tc; sgh_flags = SIG_GROUP_HEAD_MPM_HRUD; cd_flags = DETECT_CONTENT_HRUD_MPM; - } else if (mpm_sm->type == DETECT_AL_HTTP_STAT_MSG) { + } else if (sm_list == DETECT_SM_LIST_HSMDMATCH) { if (s->flags & SIG_FLAG_TOSERVER) mpm_ctx_ts = sgh->mpm_hsmd_ctx_ts; if (s->flags & SIG_FLAG_TOCLIENT) mpm_ctx_tc = sgh->mpm_hsmd_ctx_tc; sgh_flags = SIG_GROUP_HEAD_MPM_HSMD; cd_flags = DETECT_CONTENT_HSMD_MPM; - } else if (mpm_sm->type == DETECT_AL_HTTP_STAT_CODE) { + } else if (sm_list == DETECT_SM_LIST_HSCDMATCH) { if (s->flags & SIG_FLAG_TOSERVER) mpm_ctx_ts = sgh->mpm_hscd_ctx_ts; if (s->flags & SIG_FLAG_TOCLIENT) @@ -1600,7 +1604,6 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx, int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) { Signature *s = NULL; - SigMatch *sm = NULL; uint32_t has_co_packet = 0; /**< our sgh has packet payload inspecting content */ uint32_t has_co_stream = 0; /**< our sgh has stream inspecting content */ uint32_t has_co_uri = 0; /**< our sgh has uri inspecting content */ @@ -1638,10 +1641,8 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) has_co_stream = 1; } - for (sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; sm != NULL; sm = sm->next) { - if (sm->type == DETECT_URICONTENT) { - has_co_uri = 1; - } + if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) { + has_co_uri = 1; } if (s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL) { diff --git a/src/detect-engine-siggroup.c b/src/detect-engine-siggroup.c index 10f3128c56..90310ef507 100644 --- a/src/detect-engine-siggroup.c +++ b/src/detect-engine-siggroup.c @@ -1403,7 +1403,7 @@ int SigGroupHeadLoadUricontent(DetectEngineCtx *de_ctx, SigGroupHead *sgh) continue; for ( ;sm != NULL; sm = sm->next) { - if (sm->type == DETECT_URICONTENT) { + if (sm->type == DETECT_CONTENT) { co = (DetectContentData *)sm->ctx; sgh->init->uri_content_array[co->id / 8] |= 1 << (co->id % 8); diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index 4df26c713b..376880d25a 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c @@ -122,7 +122,7 @@ void SupportFastPatternForSigMatchTypes(void) SupportFastPatternForSigMatchType(DETECT_CONTENT); SupportFastPatternForSigMatchList(DETECT_SM_LIST_PMATCH); - SupportFastPatternForSigMatchType(DETECT_URICONTENT); + SupportFastPatternForSigMatchType(DETECT_CONTENT); SupportFastPatternForSigMatchList(DETECT_SM_LIST_UMATCH); SupportFastPatternForSigMatchType(DETECT_AL_HTTP_CLIENT_BODY); @@ -238,7 +238,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a SigMatch *pm = SigMatchGetLastSMFromLists(s, 22, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], @@ -2135,7 +2135,7 @@ int DetectFastPatternTest54(void) result = 0; sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; while (sm != NULL) { - if (sm->type == DETECT_URICONTENT) { + if (sm->type == DETECT_CONTENT) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { result = 1; @@ -2176,7 +2176,7 @@ int DetectFastPatternTest55(void) result = 0; sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; while (sm != NULL) { - if (sm->type == DETECT_URICONTENT) { + if (sm->type == DETECT_CONTENT) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { result = 1; @@ -2213,7 +2213,7 @@ int DetectFastPatternTest56(void) result = 0; sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; DetectContentData *ud = sm->ctx; - if (sm->type == DETECT_URICONTENT) { + if (sm->type == DETECT_CONTENT) { if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -2249,7 +2249,7 @@ int DetectFastPatternTest57(void) result = 0; sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; DetectContentData *ud = sm->ctx; - if (sm->type == DETECT_URICONTENT) { + if (sm->type == DETECT_CONTENT) { if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -3216,7 +3216,7 @@ int DetectFastPatternTest94(void) result = 0; sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; while (sm != NULL) { - if (sm->type == DETECT_URICONTENT) { + if (sm->type == DETECT_CONTENT) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { result = 1; @@ -3257,7 +3257,7 @@ int DetectFastPatternTest95(void) result = 0; sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; while (sm != NULL) { - if (sm->type == DETECT_URICONTENT) { + if (sm->type == DETECT_CONTENT) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { result = 1; @@ -3294,7 +3294,7 @@ int DetectFastPatternTest96(void) result = 0; sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; DetectContentData *ud = sm->ctx; - if (sm->type == DETECT_URICONTENT) { + if (sm->type == DETECT_CONTENT) { if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -3330,7 +3330,7 @@ int DetectFastPatternTest97(void) result = 0; sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; DetectContentData *ud = sm->ctx; - if (sm->type == DETECT_URICONTENT) { + if (sm->type == DETECT_CONTENT) { if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c index f32404eb01..f995d60fab 100644 --- a/src/detect-http-cookie.c +++ b/src/detect-http-cookie.c @@ -383,7 +383,7 @@ int DetectHttpCookieTest06(void) goto end; } - if (s->sm_lists[DETECT_SM_LIST_UMATCH]->type != DETECT_URICONTENT) { + if (s->sm_lists[DETECT_SM_LIST_UMATCH]->type != DETECT_CONTENT) { goto end; } diff --git a/src/detect-http-uri.c b/src/detect-http-uri.c index ae75740ec0..78d4003a06 100644 --- a/src/detect-http-uri.c +++ b/src/detect-http-uri.c @@ -140,7 +140,7 @@ static int DetectHttpUriSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) /* reassigning pm */ pm = SigMatchGetLastSMFromLists(s, 2, - DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]); + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]); if (pm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "uricontent seen with a " "distance or within without a previous http_uri " @@ -151,7 +151,7 @@ static int DetectHttpUriSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; } cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_UMATCH); - sm->type = DETECT_URICONTENT; + sm->type = DETECT_CONTENT; /* transfer the sm from the pmatch list to hcbdmatch list */ SigMatchTransferSigMatchAcrossLists(sm, @@ -257,7 +257,7 @@ int DetectHttpUriTest03(void) } while (sm != NULL) { - if (sm->type == DETECT_URICONTENT) { + if (sm->type == DETECT_CONTENT) { result = 1; } else { printf("expected DETECT_AL_HTTP_URI, got %d: ", sm->type); @@ -320,7 +320,7 @@ int DetectHttpUriTest05(void) } if (s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL) goto end; - if (s->sm_lists[DETECT_SM_LIST_UMATCH]->type != DETECT_URICONTENT) { + if (s->sm_lists[DETECT_SM_LIST_UMATCH]->type != DETECT_CONTENT) { printf("wrong type\n"); goto end; } @@ -702,8 +702,19 @@ int DetectHttpUriTest15(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " "(content:\"one\"; http_uri; within:5; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); + goto end; + } + + if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL) { + printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL\n"); + goto end; + } + + DetectContentData *cd = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + if (memcmp(cd->content, "one", cd->content_len) != 0 || + cd->flags != DETECT_CONTENT_WITHIN) { goto end; } @@ -725,7 +736,7 @@ int DetectHttpUriTest16(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " - "(content:\"one\"; within:5; sid:1;)"); + "(content:\"one\"; within:5; sid:1;)"); if (de_ctx->sig_list != NULL) { printf("de_ctx->sig_list != NULL\n"); goto end; diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index b1ad15656f..9bfe5a4599 100644 --- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c @@ -353,7 +353,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst } pm = SigMatchGetLastSMFromLists(s, 54, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 1 */ - DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], /* 5 */ @@ -388,50 +388,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst "byte_extract, byte_jump keyword"); goto error; } else { - int list_type = -1; - if (pm->type == DETECT_PCRE || pm->type == DETECT_BYTEJUMP || - pm->type == DETECT_BYTE_EXTRACT || pm->type == DETECT_BYTETEST) { - list_type = SigMatchListSMBelongsTo(s, pm); - } else { - switch (pm->type) { - case DETECT_CONTENT: - list_type = DETECT_SM_LIST_PMATCH; - break; - case DETECT_URICONTENT: - list_type = DETECT_SM_LIST_UMATCH; - break; - case DETECT_AL_HTTP_CLIENT_BODY: - list_type = DETECT_SM_LIST_HCBDMATCH; - break; - case DETECT_AL_HTTP_SERVER_BODY: - list_type = DETECT_SM_LIST_HSBDMATCH; - break; - case DETECT_AL_HTTP_RAW_HEADER: - list_type = DETECT_SM_LIST_HRHDMATCH; - break; - case DETECT_AL_HTTP_HEADER: - list_type = DETECT_SM_LIST_HHDMATCH; - break; - case DETECT_AL_HTTP_METHOD: - list_type = DETECT_SM_LIST_HMDMATCH; - break; - case DETECT_AL_HTTP_COOKIE: - list_type = DETECT_SM_LIST_HCDMATCH; - break; - case DETECT_AL_HTTP_RAW_URI: - list_type = DETECT_SM_LIST_HRUDMATCH; - break; - case DETECT_AL_HTTP_STAT_MSG: - list_type = DETECT_SM_LIST_HSMDMATCH; - break; - case DETECT_AL_HTTP_STAT_CODE: - list_type = DETECT_SM_LIST_HSCDMATCH; - break; - default: - /* would never happen */ - break; - } /* switch */ - } /* else */ + int list_type = SigMatchListSMBelongsTo(s, pm); if (list_type == -1) { goto error; } @@ -462,7 +419,6 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst switch (prev_pm->type) { case DETECT_CONTENT: - case DETECT_URICONTENT: case DETECT_AL_HTTP_CLIENT_BODY: case DETECT_AL_HTTP_SERVER_BODY: case DETECT_AL_HTTP_HEADER: diff --git a/src/detect-nocase.c b/src/detect-nocase.c index 9b1102c23b..8c20f459e4 100644 --- a/src/detect-nocase.c +++ b/src/detect-nocase.c @@ -76,7 +76,7 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls /* Search for the first previous SigMatch that supports nocase */ SigMatch *pm = SigMatchGetLastSMFromLists(s, 22, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], @@ -98,7 +98,6 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls switch (pm->type) { case DETECT_CONTENT: - case DETECT_URICONTENT: case DETECT_AL_HTTP_CLIENT_BODY: case DETECT_AL_HTTP_SERVER_BODY: case DETECT_AL_HTTP_HEADER: diff --git a/src/detect-offset.c b/src/detect-offset.c index a46b72c91b..b35980cd20 100644 --- a/src/detect-offset.c +++ b/src/detect-offset.c @@ -85,7 +85,7 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr) default: pm = SigMatchGetLastSMFromLists(s, 22, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], @@ -110,60 +110,8 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr) } /* we can remove this switch now with the unified structure */ - DetectContentData *ud = NULL; DetectContentData *cd = NULL; switch (pm->type) { - case DETECT_URICONTENT: - ud = (DetectContentData *)pm->ctx; - if (ud == NULL) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument"); - if (dubbed) - SCFree(str); - return -1; - } - - if (ud->flags & DETECT_CONTENT_NEGATED) { - if (ud->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in offset - %s\n", str); - goto error; - } - ud->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - ud->flags |= DETECT_CONTENT_OFFSET_BE; - } else { - ud->offset = (uint32_t)atoi(str); - if (ud->depth != 0) { - if (ud->depth < ud->content_len) { - SCLogDebug("depth increased to %"PRIu32" to match pattern len", - ud->content_len); - ud->depth = ud->content_len; - } - /* Updating the depth as is relative to the offset */ - ud->depth += ud->offset; - } - } - - ud->flags |= DETECT_CONTENT_OFFSET; - - break; - case DETECT_CONTENT: cd = (DetectContentData *)pm->ctx; if (cd == NULL) { diff --git a/src/detect-parse.c b/src/detect-parse.c index 385b1d9736..8a42ff75f3 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -1189,7 +1189,7 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr, sig->mpm_uricontent_maxlen = 0; for (sm = sig->sm_lists[DETECT_SM_LIST_UMATCH]; sm != NULL; sm = sm->next) { - if (sm->type == DETECT_URICONTENT) { + if (sm->type == DETECT_CONTENT) { DetectContentData *ud = (DetectContentData *)sm->ctx; if (ud == NULL) continue; diff --git a/src/detect-pcre.c b/src/detect-pcre.c index 89deda319f..7170769600 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -1203,7 +1203,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst prev_sm = SigMatchGetLastSMFromLists(s, 24, DETECT_CONTENT, sm->prev, - DETECT_URICONTENT, sm->prev, + DETECT_CONTENT, sm->prev, DETECT_AL_HTTP_CLIENT_BODY, sm->prev, DETECT_AL_HTTP_SERVER_BODY, sm->prev, DETECT_AL_HTTP_HEADER, sm->prev, @@ -1237,7 +1237,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst switch (prev_sm->type) { case DETECT_CONTENT: - case DETECT_URICONTENT: case DETECT_AL_HTTP_CLIENT_BODY: case DETECT_AL_HTTP_SERVER_BODY: case DETECT_AL_HTTP_HEADER: diff --git a/src/detect-uricontent.c b/src/detect-uricontent.c index 39b64b8425..e42aafccd1 100644 --- a/src/detect-uricontent.c +++ b/src/detect-uricontent.c @@ -371,7 +371,7 @@ int DetectUricontentSetup (DetectEngineCtx *de_ctx, Signature *s, char *contents if (sm == NULL) goto error; - sm->type = DETECT_URICONTENT; + sm->type = DETECT_CONTENT; sm->ctx = (void *)cd; cd->id = DetectUricontentGetId(de_ctx->mpm_pattern_id_store, cd); @@ -808,7 +808,7 @@ int DetectUriSigTest01(void) BUG_ON(de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL); sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; - if (sm->type == DETECT_URICONTENT) { + if (sm->type == DETECT_CONTENT) { result = 1; } else { result = 0; diff --git a/src/detect-within.c b/src/detect-within.c index c5beb3a5a8..899f375b4e 100644 --- a/src/detect-within.c +++ b/src/detect-within.c @@ -165,7 +165,7 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi } else { pm = SigMatchGetLastSMFromLists(s, 22, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], @@ -187,115 +187,10 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi } } - DetectContentData *ud = NULL; DetectContentData *cd = NULL; DetectPcreData *pe = NULL; switch (pm->type) { - case DETECT_URICONTENT: - ud = (DetectContentData *)pm->ctx; - if (ud == NULL) { - SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "Unknown previous keyword!\n"); - goto error; - } - - if (ud->flags & DETECT_CONTENT_NEGATED) { - if (ud->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in within - %s\n", str); - goto error; - } - ud->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - ud->flags |= DETECT_CONTENT_WITHIN_BE; - } else { - ud->within = strtol(str, NULL, 10); - if (ud->within < (int32_t)ud->content_len) { - SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is " - "less than the content length \"%"PRIu32"\" which is invalid, since " - "this will never match. Invalidating signature", ud->within, - ud->content_len); - goto error; - } - } - - ud->flags |= DETECT_CONTENT_WITHIN; - - pm = SigMatchGetLastSMFromLists(s, 6, - DETECT_URICONTENT, pm->prev, - DETECT_PCRE, pm->prev, - DETECT_BYTEJUMP, pm->prev); - if (pm == NULL) { - SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs two " - "preceeding content or uricontent options"); - goto error; - } - - switch (pm->type) { - case DETECT_URICONTENT: - /* Set the relative next flag on the prev sigmatch */ - ud = (DetectContentData *)pm->ctx; - if (ud == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - goto error; - } - ud->flags |= DETECT_CONTENT_RELATIVE_NEXT; - - if (ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword " - "has a fast_pattern:only; set. You can't " - "have relative keywords around a fast_pattern " - "only content"); - goto error; - } - - break; - - case DETECT_PCRE: - pe = (DetectPcreData *) pm->ctx; - if (pe == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - goto error; - } - pe->flags |= DETECT_PCRE_RELATIVE_NEXT; - - break; - - case DETECT_BYTEJUMP: - SCLogDebug("No setting relative_next for bytejump. We " - "have no use for it"); - - break; - - default: - /* this will never hit */ - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - break; - } - - DetectUricontentPrint(ud); - - break; - case DETECT_CONTENT: cd = (DetectContentData *)pm->ctx; if (cd == NULL) { diff --git a/src/detect.c b/src/detect.c index ccbe5626be..c8be3ffd07 100644 --- a/src/detect.c +++ b/src/detect.c @@ -273,7 +273,7 @@ static inline void EngineAnalysisWriteFastPattern(Signature *s, SigMatch *mpm_sm fprintf(fp_engine_analysis_FD, " Fast pattern matcher: "); if (mpm_sm->type == DETECT_CONTENT) fprintf(fp_engine_analysis_FD, "content\n"); - else if (mpm_sm->type == DETECT_URICONTENT) + else if (mpm_sm->type == DETECT_CONTENT) fprintf(fp_engine_analysis_FD, "uricontent\n"); else if (mpm_sm->type == DETECT_AL_HTTP_CLIENT_BODY) fprintf(fp_engine_analysis_FD, "http_client_body\n");