aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

All uricontent modified patterns now are DETECT_CONTENT and not DETECT_URICONTENT. Step towards unifying all content based patterns. Makes way for easier management of patterns

Browse Source
remotes/origin/master
Anoop Saldanha 14 years ago committed by Victor Julien
parent 93d7a6e671
commit 4810ee9c5f
19 changed files with 84 additions and 465 deletions
Show Stats Download Patch File Download Diff File

38
src/detect-byte-extract.c
Unescape Escape View File

@ -627,7 +627,7 @@ int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) { if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
SigMatch *pm = SigMatch *pm =
SigMatchGetLastSMFromLists(s, 30, SigMatchGetLastSMFromLists(s, 30,
DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
@ -666,9 +666,8 @@ int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
} }
SigMatch *prev_sm = NULL; SigMatch *prev_sm = NULL;
prev_sm = SigMatchGetLastSMFromLists(s, 8, prev_sm = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, sm->prev, DETECT_CONTENT, sm->prev,
DETECT_URICONTENT, sm->prev,
DETECT_BYTEJUMP, sm->prev, DETECT_BYTEJUMP, sm->prev,
DETECT_PCRE, sm->prev); DETECT_PCRE, sm->prev);
if (prev_sm == NULL) { if (prev_sm == NULL) {
@ -684,7 +683,6 @@ int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
} }
DetectContentData *cd = NULL; DetectContentData *cd = NULL;
DetectContentData *ud = NULL;
DetectPcreData *pe = NULL; DetectPcreData *pe = NULL;
switch (prev_sm->type) { switch (prev_sm->type) {
@ -700,18 +698,6 @@ int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
break; break;
case DETECT_URICONTENT:
/* Set the relative next flag on the prev sigmatch */
ud = (DetectContentData *)prev_sm->ctx;
if (ud == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
"previous keyword!");
return -1;
}
ud->flags |= DETECT_CONTENT_RELATIVE_NEXT;
break;
case DETECT_PCRE: case DETECT_PCRE:
pe = (DetectPcreData *)prev_sm->ctx; pe = (DetectPcreData *)prev_sm->ctx;
if (pe == NULL) { if (pe == NULL) {
@ -1804,7 +1790,7 @@ int DetectByteExtractTest37(void)
} }
sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
if (sm->type != DETECT_URICONTENT) { if (sm->type != DETECT_CONTENT) {
result = 0; result = 0;
goto end; goto end;
} }
@ -1917,7 +1903,7 @@ int DetectByteExtractTest38(void)
} }
sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
if (sm->type != DETECT_URICONTENT) { if (sm->type != DETECT_CONTENT) {
result = 0; result = 0;
goto end; goto end;
} }
@ -2005,7 +1991,7 @@ int DetectByteExtractTest39(void)
} }
sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
if (sm->type != DETECT_URICONTENT) { if (sm->type != DETECT_CONTENT) {
result = 0; result = 0;
goto end; goto end;
} }
@ -2118,7 +2104,7 @@ int DetectByteExtractTest40(void)
} }
sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
if (sm->type != DETECT_URICONTENT) { if (sm->type != DETECT_CONTENT) {
result = 0; result = 0;
goto end; goto end;
} }
@ -2350,7 +2336,7 @@ int DetectByteExtractTest42(void)
goto end; goto end;
sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
if (sm->type != DETECT_URICONTENT) { if (sm->type != DETECT_CONTENT) {
result = 0; result = 0;
goto end; goto end;
} }
@ -3912,7 +3898,7 @@ int DetectByteExtractTest56(void)
} }
sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
if (sm->type != DETECT_URICONTENT) { if (sm->type != DETECT_CONTENT) {
result = 0; result = 0;
goto end; goto end;
} }
@ -4092,7 +4078,7 @@ int DetectByteExtractTest57(void)
goto end; goto end;
sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
if (sm->type != DETECT_URICONTENT) { if (sm->type != DETECT_CONTENT) {
result = 0; result = 0;
goto end; goto end;
} }
@ -4166,7 +4152,7 @@ int DetectByteExtractTest57(void)
} }
sm = sm->next; sm = sm->next;
if (sm->type != DETECT_URICONTENT) { if (sm->type != DETECT_CONTENT) {
result = 0; result = 0;
goto end; goto end;
} }
@ -4566,7 +4552,7 @@ int DetectByteExtractTest60(void)
} }
sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
if (sm->type != DETECT_URICONTENT) { if (sm->type != DETECT_CONTENT) {
result = 0; result = 0;
goto end; goto end;
} }
@ -4696,7 +4682,7 @@ int DetectByteExtractTest61(void)
} }
sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
if (sm->type != DETECT_URICONTENT) { if (sm->type != DETECT_CONTENT) {
result = 0; result = 0;
goto end; goto end;
} }

16
src/detect-bytejump.c
Unescape Escape View File

@ -632,9 +632,8 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
} }
SigMatch *prev_sm = NULL; SigMatch *prev_sm = NULL;
prev_sm = SigMatchGetLastSMFromLists(s, 8, prev_sm = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, sm->prev, DETECT_CONTENT, sm->prev,
DETECT_URICONTENT, sm->prev,
DETECT_BYTEJUMP, sm->prev, DETECT_BYTEJUMP, sm->prev,
DETECT_PCRE, sm->prev); DETECT_PCRE, sm->prev);
if (prev_sm == NULL) { if (prev_sm == NULL) {
@ -650,7 +649,6 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
} }
DetectContentData *cd = NULL; DetectContentData *cd = NULL;
DetectContentData *ud = NULL;
DetectPcreData *pe = NULL; DetectPcreData *pe = NULL;
switch (prev_sm->type) { switch (prev_sm->type) {
@ -666,18 +664,6 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
break; break;
case DETECT_URICONTENT:
/* Set the relative next flag on the prev sigmatch */
ud = (DetectContentData *)prev_sm->ctx;
if (ud == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
"previous keyword!");
return -1;
}
ud->flags |= DETECT_CONTENT_RELATIVE_NEXT;
break;
case DETECT_PCRE: case DETECT_PCRE:
pe = (DetectPcreData *)prev_sm->ctx; pe = (DetectPcreData *)prev_sm->ctx;
if (pe == NULL) { if (pe == NULL) {

16
src/detect-bytetest.c
Unescape Escape View File

@ -571,9 +571,8 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
} }
SigMatch *prev_sm = NULL; SigMatch *prev_sm = NULL;
prev_sm = SigMatchGetLastSMFromLists(s, 8, prev_sm = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, sm->prev, DETECT_CONTENT, sm->prev,
DETECT_URICONTENT, sm->prev,
DETECT_BYTEJUMP, sm->prev, DETECT_BYTEJUMP, sm->prev,
DETECT_PCRE, sm->prev); DETECT_PCRE, sm->prev);
if (prev_sm == NULL) { if (prev_sm == NULL) {
@ -589,7 +588,6 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
} }
DetectContentData *cd = NULL; DetectContentData *cd = NULL;
DetectContentData *ud = NULL;
DetectPcreData *pe = NULL; DetectPcreData *pe = NULL;
switch (prev_sm->type) { switch (prev_sm->type) {
@ -605,18 +603,6 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
break; break;
case DETECT_URICONTENT:
/* Set the relative next flag on the prev sigmatch */
ud = (DetectContentData *)prev_sm->ctx;
if (ud == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
"previous keyword!");
return -1;
}
ud->flags |= DETECT_CONTENT_RELATIVE_NEXT;
break;
case DETECT_PCRE: case DETECT_PCRE:
pe = (DetectPcreData *)prev_sm->ctx; pe = (DetectPcreData *)prev_sm->ctx;
if (pe == NULL) { if (pe == NULL) {

52
src/detect-depth.c
Unescape Escape View File

@ -58,7 +58,6 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
char dubbed = 0; char dubbed = 0;
SigMatch *pm = NULL; SigMatch *pm = NULL;
DetectContentData *cd = NULL; DetectContentData *cd = NULL;
DetectContentData *ud = NULL;
/* strip "'s */ /* strip "'s */
if (depthstr[0] == '\"' && depthstr[strlen(depthstr) - 1] == '\"') { if (depthstr[0] == '\"' && depthstr[strlen(depthstr) - 1] == '\"') {
@ -88,7 +87,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
default: default:
pm = SigMatchGetLastSMFromLists(s, 22, pm = SigMatchGetLastSMFromLists(s, 22,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
@ -115,55 +114,6 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
/* i swear we will clean this up :). Use a single version for all. Using /* i swear we will clean this up :). Use a single version for all. Using
* separate versions for all now, to avoiding breaking any code */ * separate versions for all now, to avoiding breaking any code */
switch (pm->type) { switch (pm->type) {
case DETECT_URICONTENT:
ud = (DetectContentData *)pm->ctx;
if (ud == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument");
if (dubbed)
SCFree(str);
return -1;
}
if (ud->flags & DETECT_CONTENT_NEGATED) {
if (ud->flags & DETECT_CONTENT_FAST_PATTERN) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"negated keyword set along with a fast_pattern");
goto error;
}
} else {
if (ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"keyword set along with a fast_pattern:only;");
goto error;
}
}
if (str[0] != '-' && isalpha(str[0])) {
SigMatch *bed_sm =
DetectByteExtractRetrieveSMVar(str, s,
SigMatchListSMBelongsTo(s, pm));
if (bed_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in depth - %s\n", str);
goto error;
}
ud->depth = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
ud->flags |= DETECT_CONTENT_DEPTH_BE;
} else {
ud->depth = (uint32_t)atoi(str);
if (ud->depth < ud->content_len) {
ud->depth = ud->content_len;
SCLogDebug("depth increased to %"PRIu32" to match pattern len ",
ud->depth);
}
/* Now update the real limit, as depth is relative to the offset */
ud->depth += ud->offset;
}
ud->flags |= DETECT_CONTENT_DEPTH;
break;
case DETECT_CONTENT: case DETECT_CONTENT:
cd = (DetectContentData *)pm->ctx; cd = (DetectContentData *)pm->ctx;
if (cd == NULL) { if (cd == NULL) {

99
src/detect-distance.c
Unescape Escape View File

@ -162,7 +162,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
} else { } else {
pm = SigMatchGetLastSMFromLists(s, 22, pm = SigMatchGetLastSMFromLists(s, 22,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
@ -184,107 +184,10 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
} }
} }
DetectContentData *ud = NULL;
DetectContentData *cd = NULL; DetectContentData *cd = NULL;
DetectPcreData *pe = NULL; DetectPcreData *pe = NULL;
switch (pm->type) { switch (pm->type) {
case DETECT_URICONTENT:
ud = (DetectContentData *)pm->ctx;
if (ud == NULL) {
SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two "
"preceeding content or uricontent options");
goto error;
}
if (ud->flags & DETECT_CONTENT_NEGATED) {
if (ud->flags & DETECT_CONTENT_FAST_PATTERN) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"negated keyword set along with a fast_pattern");
goto error;
}
} else {
if (ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"keyword set along with a fast_pattern:only;");
goto error;
}
}
if (str[0] != '-' && isalpha(str[0])) {
SigMatch *bed_sm =
DetectByteExtractRetrieveSMVar(str, s,
SigMatchListSMBelongsTo(s, pm));
if (bed_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in distance - %s\n", str);
goto error;
}
ud->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
ud->flags |= DETECT_CONTENT_DISTANCE_BE;
} else {
ud->distance = strtol(str, NULL, 10);
}
ud->flags |= DETECT_CONTENT_DISTANCE;
pm = SigMatchGetLastSMFromLists(s, 6,
DETECT_URICONTENT, pm->prev,
DETECT_PCRE, pm->prev,
DETECT_BYTEJUMP, pm->prev);
if (pm == NULL) {
SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two "
"preceeding content or uricontent options");
goto error;
}
switch (pm->type) {
case DETECT_URICONTENT:
/* Set the relative next flag on the prev sigmatch */
ud = (DetectContentData *)pm->ctx;
if (ud == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
"previous keyword!");
goto error;
}
ud->flags |= DETECT_CONTENT_RELATIVE_NEXT;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
"has a fast_pattern:only; set. You can't "
"have relative keywords around a fast_pattern "
"only content");
goto error;
}
break;
case DETECT_PCRE:
pe = (DetectPcreData *) pm->ctx;
if (pe == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
"previous keyword!");
goto error;
}
pe->flags |= DETECT_PCRE_RELATIVE_NEXT;
break;
case DETECT_BYTEJUMP:
SCLogDebug("No setting relative_next for bytejump. We "
"have no use for it");
break;
default:
/* this will never hit */
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
"previous keyword!");
break;
}
break;
case DETECT_CONTENT: case DETECT_CONTENT:
cd = (DetectContentData *)pm->ctx; cd = (DetectContentData *)pm->ctx;
if (cd == NULL) { if (cd == NULL) {

1
src/detect-engine-content-inspection.c
Unescape Escape View File

@ -108,7 +108,6 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
/* \todo unify this which is phase 2 of payload inspection unification */ /* \todo unify this which is phase 2 of payload inspection unification */
if (sm->type == DETECT_CONTENT || if (sm->type == DETECT_CONTENT ||
sm->type == DETECT_URICONTENT ||
sm->type == DETECT_AL_HTTP_RAW_URI || sm->type == DETECT_AL_HTTP_RAW_URI ||
sm->type == DETECT_AL_HTTP_HEADER || sm->type == DETECT_AL_HTTP_HEADER ||
sm->type == DETECT_AL_HTTP_RAW_HEADER || sm->type == DETECT_AL_HTTP_RAW_HEADER ||

55
src/detect-engine-mpm.c
Unescape Escape View File

@ -1040,12 +1040,16 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
return; return;
} }
int sm_list = SigMatchListSMBelongsTo(s, mpm_sm);
if (sm_list == -1)
BUG_ON(SigMatchListSMBelongsTo(s, mpm_sm) == -1);
uint8_t flags = 0; uint8_t flags = 0;
DetectContentData *cd = NULL; DetectContentData *cd = NULL;
switch (mpm_sm->type) { switch (sm_list) {
case DETECT_CONTENT: case DETECT_SM_LIST_PMATCH:
{ {
cd = (DetectContentData *)mpm_sm->ctx; cd = (DetectContentData *)mpm_sm->ctx;
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) { if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
@ -1240,86 +1244,86 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
break; break;
} /* case DETECT_CONTENT */ } /* case DETECT_CONTENT */
case DETECT_URICONTENT: case DETECT_SM_LIST_UMATCH:
case DETECT_AL_HTTP_RAW_URI: case DETECT_SM_LIST_HRUDMATCH:
case DETECT_AL_HTTP_CLIENT_BODY: case DETECT_SM_LIST_HCBDMATCH:
case DETECT_AL_HTTP_SERVER_BODY: case DETECT_SM_LIST_HSBDMATCH:
case DETECT_AL_HTTP_HEADER: case DETECT_SM_LIST_HHDMATCH:
case DETECT_AL_HTTP_RAW_HEADER: case DETECT_SM_LIST_HRHDMATCH:
case DETECT_AL_HTTP_METHOD: case DETECT_SM_LIST_HMDMATCH:
case DETECT_AL_HTTP_COOKIE: case DETECT_SM_LIST_HCDMATCH:
case DETECT_AL_HTTP_STAT_MSG: case DETECT_SM_LIST_HSMDMATCH:
case DETECT_AL_HTTP_STAT_CODE: case DETECT_SM_LIST_HSCDMATCH:
{ {
MpmCtx *mpm_ctx_ts = NULL; MpmCtx *mpm_ctx_ts = NULL;
MpmCtx *mpm_ctx_tc = NULL; MpmCtx *mpm_ctx_tc = NULL;
uint32_t sgh_flags = 0; uint32_t sgh_flags = 0;
uint32_t cd_flags = 0; uint32_t cd_flags = 0;
if (mpm_sm->type == DETECT_URICONTENT) { if (sm_list == DETECT_SM_LIST_UMATCH) {
if (s->flags & SIG_FLAG_TOSERVER) if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_uri_ctx_ts; mpm_ctx_ts = sgh->mpm_uri_ctx_ts;
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_uri_ctx_tc; mpm_ctx_tc = sgh->mpm_uri_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_URI; sgh_flags = SIG_GROUP_HEAD_MPM_URI;
cd_flags = DETECT_CONTENT_URI_MPM; cd_flags = DETECT_CONTENT_URI_MPM;
} else if (mpm_sm->type == DETECT_AL_HTTP_CLIENT_BODY) { } else if (sm_list == DETECT_SM_LIST_HCBDMATCH) {
if (s->flags & SIG_FLAG_TOSERVER) if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_hcbd_ctx_ts; mpm_ctx_ts = sgh->mpm_hcbd_ctx_ts;
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hcbd_ctx_tc; mpm_ctx_tc = sgh->mpm_hcbd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HCBD; sgh_flags = SIG_GROUP_HEAD_MPM_HCBD;
cd_flags = DETECT_CONTENT_HCBD_MPM; cd_flags = DETECT_CONTENT_HCBD_MPM;
} else if (mpm_sm->type == DETECT_AL_HTTP_SERVER_BODY) { } else if (sm_list == DETECT_SM_LIST_HSBDMATCH) {
if (s->flags & SIG_FLAG_TOSERVER) if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_hsbd_ctx_ts; mpm_ctx_ts = sgh->mpm_hsbd_ctx_ts;
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hsbd_ctx_tc; mpm_ctx_tc = sgh->mpm_hsbd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HSBD; sgh_flags = SIG_GROUP_HEAD_MPM_HSBD;
cd_flags = DETECT_CONTENT_HSBD_MPM; cd_flags = DETECT_CONTENT_HSBD_MPM;
} else if (mpm_sm->type == DETECT_AL_HTTP_HEADER) { } else if (sm_list == DETECT_SM_LIST_HHDMATCH) {
if (s->flags & SIG_FLAG_TOSERVER) if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_hhd_ctx_ts; mpm_ctx_ts = sgh->mpm_hhd_ctx_ts;
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hhd_ctx_tc; mpm_ctx_tc = sgh->mpm_hhd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HHD; sgh_flags = SIG_GROUP_HEAD_MPM_HHD;
cd_flags = DETECT_CONTENT_HHD_MPM; cd_flags = DETECT_CONTENT_HHD_MPM;
} else if (mpm_sm->type == DETECT_AL_HTTP_RAW_HEADER) { } else if (sm_list == DETECT_SM_LIST_HRHDMATCH) {
if (s->flags & SIG_FLAG_TOSERVER) if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_hrhd_ctx_ts; mpm_ctx_ts = sgh->mpm_hrhd_ctx_ts;
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hrhd_ctx_tc; mpm_ctx_tc = sgh->mpm_hrhd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HRHD; sgh_flags = SIG_GROUP_HEAD_MPM_HRHD;
cd_flags = DETECT_CONTENT_HRHD_MPM; cd_flags = DETECT_CONTENT_HRHD_MPM;
} else if (mpm_sm->type == DETECT_AL_HTTP_METHOD) { } else if (sm_list == DETECT_SM_LIST_HMDMATCH) {
if (s->flags & SIG_FLAG_TOSERVER) if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_hmd_ctx_ts; mpm_ctx_ts = sgh->mpm_hmd_ctx_ts;
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hmd_ctx_tc; mpm_ctx_tc = sgh->mpm_hmd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HMD; sgh_flags = SIG_GROUP_HEAD_MPM_HMD;
cd_flags = DETECT_CONTENT_HMD_MPM; cd_flags = DETECT_CONTENT_HMD_MPM;
} else if (mpm_sm->type == DETECT_AL_HTTP_COOKIE) { } else if (sm_list == DETECT_SM_LIST_HCDMATCH) {
if (s->flags & SIG_FLAG_TOSERVER) if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_hcd_ctx_ts; mpm_ctx_ts = sgh->mpm_hcd_ctx_ts;
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hcd_ctx_tc; mpm_ctx_tc = sgh->mpm_hcd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HCD; sgh_flags = SIG_GROUP_HEAD_MPM_HCD;
cd_flags = DETECT_CONTENT_HCD_MPM; cd_flags = DETECT_CONTENT_HCD_MPM;
} else if (mpm_sm->type == DETECT_AL_HTTP_RAW_URI) { } else if (sm_list == DETECT_SM_LIST_HRUDMATCH) {
if (s->flags & SIG_FLAG_TOSERVER) if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_hrud_ctx_ts; mpm_ctx_ts = sgh->mpm_hrud_ctx_ts;
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hrud_ctx_tc; mpm_ctx_tc = sgh->mpm_hrud_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HRUD; sgh_flags = SIG_GROUP_HEAD_MPM_HRUD;
cd_flags = DETECT_CONTENT_HRUD_MPM; cd_flags = DETECT_CONTENT_HRUD_MPM;
} else if (mpm_sm->type == DETECT_AL_HTTP_STAT_MSG) { } else if (sm_list == DETECT_SM_LIST_HSMDMATCH) {
if (s->flags & SIG_FLAG_TOSERVER) if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_hsmd_ctx_ts; mpm_ctx_ts = sgh->mpm_hsmd_ctx_ts;
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hsmd_ctx_tc; mpm_ctx_tc = sgh->mpm_hsmd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HSMD; sgh_flags = SIG_GROUP_HEAD_MPM_HSMD;
cd_flags = DETECT_CONTENT_HSMD_MPM; cd_flags = DETECT_CONTENT_HSMD_MPM;
} else if (mpm_sm->type == DETECT_AL_HTTP_STAT_CODE) { } else if (sm_list == DETECT_SM_LIST_HSCDMATCH) {
if (s->flags & SIG_FLAG_TOSERVER) if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_hscd_ctx_ts; mpm_ctx_ts = sgh->mpm_hscd_ctx_ts;
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
@ -1600,7 +1604,6 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
{ {
Signature *s = NULL; Signature *s = NULL;
SigMatch *sm = NULL;
uint32_t has_co_packet = 0; /**< our sgh has packet payload inspecting content */ uint32_t has_co_packet = 0; /**< our sgh has packet payload inspecting content */
uint32_t has_co_stream = 0; /**< our sgh has stream inspecting content */ uint32_t has_co_stream = 0; /**< our sgh has stream inspecting content */
uint32_t has_co_uri = 0; /**< our sgh has uri inspecting content */ uint32_t has_co_uri = 0; /**< our sgh has uri inspecting content */
@ -1638,10 +1641,8 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
has_co_stream = 1; has_co_stream = 1;
} }
for (sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; sm != NULL; sm = sm->next) { if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) {
if (sm->type == DETECT_URICONTENT) { has_co_uri = 1;
has_co_uri = 1;
}
} }
if (s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL) { if (s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL) {

2
src/detect-engine-siggroup.c
Unescape Escape View File

@ -1403,7 +1403,7 @@ int SigGroupHeadLoadUricontent(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
continue; continue;
for ( ;sm != NULL; sm = sm->next) { for ( ;sm != NULL; sm = sm->next) {
if (sm->type == DETECT_URICONTENT) { if (sm->type == DETECT_CONTENT) {
co = (DetectContentData *)sm->ctx; co = (DetectContentData *)sm->ctx;
sgh->init->uri_content_array[co->id / 8] |= 1 << (co->id % 8); sgh->init->uri_content_array[co->id / 8] |= 1 << (co->id % 8);

20
src/detect-fast-pattern.c
Unescape Escape View File

@ -122,7 +122,7 @@ void SupportFastPatternForSigMatchTypes(void)
SupportFastPatternForSigMatchType(DETECT_CONTENT); SupportFastPatternForSigMatchType(DETECT_CONTENT);
SupportFastPatternForSigMatchList(DETECT_SM_LIST_PMATCH); SupportFastPatternForSigMatchList(DETECT_SM_LIST_PMATCH);
SupportFastPatternForSigMatchType(DETECT_URICONTENT); SupportFastPatternForSigMatchType(DETECT_CONTENT);
SupportFastPatternForSigMatchList(DETECT_SM_LIST_UMATCH); SupportFastPatternForSigMatchList(DETECT_SM_LIST_UMATCH);
SupportFastPatternForSigMatchType(DETECT_AL_HTTP_CLIENT_BODY); SupportFastPatternForSigMatchType(DETECT_AL_HTTP_CLIENT_BODY);
@ -238,7 +238,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
SigMatch *pm = SigMatchGetLastSMFromLists(s, 22, SigMatch *pm = SigMatchGetLastSMFromLists(s, 22,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
@ -2135,7 +2135,7 @@ int DetectFastPatternTest54(void)
result = 0; result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH];
while (sm != NULL) { while (sm != NULL) {
if (sm->type == DETECT_URICONTENT) { if (sm->type == DETECT_CONTENT) {
if ( ((DetectContentData *)sm->ctx)->flags & if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) { DETECT_CONTENT_FAST_PATTERN) {
result = 1; result = 1;
@ -2176,7 +2176,7 @@ int DetectFastPatternTest55(void)
result = 0; result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH];
while (sm != NULL) { while (sm != NULL) {
if (sm->type == DETECT_URICONTENT) { if (sm->type == DETECT_CONTENT) {
if ( ((DetectContentData *)sm->ctx)->flags & if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) { DETECT_CONTENT_FAST_PATTERN) {
result = 1; result = 1;
@ -2213,7 +2213,7 @@ int DetectFastPatternTest56(void)
result = 0; result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH];
DetectContentData *ud = sm->ctx; DetectContentData *ud = sm->ctx;
if (sm->type == DETECT_URICONTENT) { if (sm->type == DETECT_CONTENT) {
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -2249,7 +2249,7 @@ int DetectFastPatternTest57(void)
result = 0; result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH];
DetectContentData *ud = sm->ctx; DetectContentData *ud = sm->ctx;
if (sm->type == DETECT_URICONTENT) { if (sm->type == DETECT_CONTENT) {
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -3216,7 +3216,7 @@ int DetectFastPatternTest94(void)
result = 0; result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH];
while (sm != NULL) { while (sm != NULL) {
if (sm->type == DETECT_URICONTENT) { if (sm->type == DETECT_CONTENT) {
if ( ((DetectContentData *)sm->ctx)->flags & if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) { DETECT_CONTENT_FAST_PATTERN) {
result = 1; result = 1;
@ -3257,7 +3257,7 @@ int DetectFastPatternTest95(void)
result = 0; result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH];
while (sm != NULL) { while (sm != NULL) {
if (sm->type == DETECT_URICONTENT) { if (sm->type == DETECT_CONTENT) {
if ( ((DetectContentData *)sm->ctx)->flags & if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) { DETECT_CONTENT_FAST_PATTERN) {
result = 1; result = 1;
@ -3294,7 +3294,7 @@ int DetectFastPatternTest96(void)
result = 0; result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH];
DetectContentData *ud = sm->ctx; DetectContentData *ud = sm->ctx;
if (sm->type == DETECT_URICONTENT) { if (sm->type == DETECT_CONTENT) {
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -3330,7 +3330,7 @@ int DetectFastPatternTest97(void)
result = 0; result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH];
DetectContentData *ud = sm->ctx; DetectContentData *ud = sm->ctx;
if (sm->type == DETECT_URICONTENT) { if (sm->type == DETECT_CONTENT) {
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&

2
src/detect-http-cookie.c
Unescape Escape View File

@ -383,7 +383,7 @@ int DetectHttpCookieTest06(void)
goto end; goto end;
} }
if (s->sm_lists[DETECT_SM_LIST_UMATCH]->type != DETECT_URICONTENT) { if (s->sm_lists[DETECT_SM_LIST_UMATCH]->type != DETECT_CONTENT) {
goto end; goto end;
} }

25
src/detect-http-uri.c
Unescape Escape View File

@ -140,7 +140,7 @@ static int DetectHttpUriSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
/* reassigning pm */ /* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 2, pm = SigMatchGetLastSMFromLists(s, 2,
DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]); DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]);
if (pm == NULL) { if (pm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "uricontent seen with a " SCLogError(SC_ERR_INVALID_SIGNATURE, "uricontent seen with a "
"distance or within without a previous http_uri " "distance or within without a previous http_uri "
@ -151,7 +151,7 @@ static int DetectHttpUriSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} }
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_UMATCH); cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_UMATCH);
sm->type = DETECT_URICONTENT; sm->type = DETECT_CONTENT;
/* transfer the sm from the pmatch list to hcbdmatch list */ /* transfer the sm from the pmatch list to hcbdmatch list */
SigMatchTransferSigMatchAcrossLists(sm, SigMatchTransferSigMatchAcrossLists(sm,
@ -257,7 +257,7 @@ int DetectHttpUriTest03(void)
} }
while (sm != NULL) { while (sm != NULL) {
if (sm->type == DETECT_URICONTENT) { if (sm->type == DETECT_CONTENT) {
result = 1; result = 1;
} else { } else {
printf("expected DETECT_AL_HTTP_URI, got %d: ", sm->type); printf("expected DETECT_AL_HTTP_URI, got %d: ", sm->type);
@ -320,7 +320,7 @@ int DetectHttpUriTest05(void)
} }
if (s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL) if (s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL)
goto end; goto end;
if (s->sm_lists[DETECT_SM_LIST_UMATCH]->type != DETECT_URICONTENT) { if (s->sm_lists[DETECT_SM_LIST_UMATCH]->type != DETECT_CONTENT) {
printf("wrong type\n"); printf("wrong type\n");
goto end; goto end;
} }
@ -702,8 +702,19 @@ int DetectHttpUriTest15(void)
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_uri; within:5; sid:1;)"); "(content:\"one\"; http_uri; within:5; sid:1;)");
if (de_ctx->sig_list != NULL) { if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list != NULL\n"); printf("de_ctx->sig_list == NULL\n");
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL\n");
goto end;
}
DetectContentData *cd = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
if (memcmp(cd->content, "one", cd->content_len) != 0 ||
cd->flags != DETECT_CONTENT_WITHIN) {
goto end; goto end;
} }
@ -725,7 +736,7 @@ int DetectHttpUriTest16(void)
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; within:5; sid:1;)"); "(content:\"one\"; within:5; sid:1;)");
if (de_ctx->sig_list != NULL) { if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n"); printf("de_ctx->sig_list != NULL\n");
goto end; goto end;

48
src/detect-isdataat.c
Unescape Escape View File

@ -353,7 +353,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
} }
pm = SigMatchGetLastSMFromLists(s, 54, pm = SigMatchGetLastSMFromLists(s, 54,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 1 */ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 1 */
DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], /* 5 */ DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], /* 5 */
@ -388,50 +388,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
"byte_extract, byte_jump keyword"); "byte_extract, byte_jump keyword");
goto error; goto error;
} else { } else {
int list_type = -1; int list_type = SigMatchListSMBelongsTo(s, pm);
if (pm->type == DETECT_PCRE || pm->type == DETECT_BYTEJUMP ||
pm->type == DETECT_BYTE_EXTRACT || pm->type == DETECT_BYTETEST) {
list_type = SigMatchListSMBelongsTo(s, pm);
} else {
switch (pm->type) {
case DETECT_CONTENT:
list_type = DETECT_SM_LIST_PMATCH;
break;
case DETECT_URICONTENT:
list_type = DETECT_SM_LIST_UMATCH;
break;
case DETECT_AL_HTTP_CLIENT_BODY:
list_type = DETECT_SM_LIST_HCBDMATCH;
break;
case DETECT_AL_HTTP_SERVER_BODY:
list_type = DETECT_SM_LIST_HSBDMATCH;
break;
case DETECT_AL_HTTP_RAW_HEADER:
list_type = DETECT_SM_LIST_HRHDMATCH;
break;
case DETECT_AL_HTTP_HEADER:
list_type = DETECT_SM_LIST_HHDMATCH;
break;
case DETECT_AL_HTTP_METHOD:
list_type = DETECT_SM_LIST_HMDMATCH;
break;
case DETECT_AL_HTTP_COOKIE:
list_type = DETECT_SM_LIST_HCDMATCH;
break;
case DETECT_AL_HTTP_RAW_URI:
list_type = DETECT_SM_LIST_HRUDMATCH;
break;
case DETECT_AL_HTTP_STAT_MSG:
list_type = DETECT_SM_LIST_HSMDMATCH;
break;
case DETECT_AL_HTTP_STAT_CODE:
list_type = DETECT_SM_LIST_HSCDMATCH;
break;
default:
/* would never happen */
break;
} /* switch */
} /* else */
if (list_type == -1) { if (list_type == -1) {
goto error; goto error;
} }
@ -462,7 +419,6 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
switch (prev_pm->type) { switch (prev_pm->type) {
case DETECT_CONTENT: case DETECT_CONTENT:
case DETECT_URICONTENT:
case DETECT_AL_HTTP_CLIENT_BODY: case DETECT_AL_HTTP_CLIENT_BODY:
case DETECT_AL_HTTP_SERVER_BODY: case DETECT_AL_HTTP_SERVER_BODY:
case DETECT_AL_HTTP_HEADER: case DETECT_AL_HTTP_HEADER:

3
src/detect-nocase.c
Unescape Escape View File

@ -76,7 +76,7 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
/* Search for the first previous SigMatch that supports nocase */ /* Search for the first previous SigMatch that supports nocase */
SigMatch *pm = SigMatchGetLastSMFromLists(s, 22, SigMatch *pm = SigMatchGetLastSMFromLists(s, 22,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
@ -98,7 +98,6 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
switch (pm->type) { switch (pm->type) {
case DETECT_CONTENT: case DETECT_CONTENT:
case DETECT_URICONTENT:
case DETECT_AL_HTTP_CLIENT_BODY: case DETECT_AL_HTTP_CLIENT_BODY:
case DETECT_AL_HTTP_SERVER_BODY: case DETECT_AL_HTTP_SERVER_BODY:
case DETECT_AL_HTTP_HEADER: case DETECT_AL_HTTP_HEADER:

54
src/detect-offset.c
Unescape Escape View File

@ -85,7 +85,7 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
default: default:
pm = SigMatchGetLastSMFromLists(s, 22, pm = SigMatchGetLastSMFromLists(s, 22,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
@ -110,60 +110,8 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
} }
/* we can remove this switch now with the unified structure */ /* we can remove this switch now with the unified structure */
DetectContentData *ud = NULL;
DetectContentData *cd = NULL; DetectContentData *cd = NULL;
switch (pm->type) { switch (pm->type) {
case DETECT_URICONTENT:
ud = (DetectContentData *)pm->ctx;
if (ud == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument");
if (dubbed)
SCFree(str);
return -1;
}
if (ud->flags & DETECT_CONTENT_NEGATED) {
if (ud->flags & DETECT_CONTENT_FAST_PATTERN) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"negated keyword set along with a fast_pattern");
goto error;
}
} else {
if (ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"keyword set along with a fast_pattern:only;");
goto error;
}
}
if (str[0] != '-' && isalpha(str[0])) {
SigMatch *bed_sm =
DetectByteExtractRetrieveSMVar(str, s,
SigMatchListSMBelongsTo(s, pm));
if (bed_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in offset - %s\n", str);
goto error;
}
ud->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
ud->flags |= DETECT_CONTENT_OFFSET_BE;
} else {
ud->offset = (uint32_t)atoi(str);
if (ud->depth != 0) {
if (ud->depth < ud->content_len) {
SCLogDebug("depth increased to %"PRIu32" to match pattern len",
ud->content_len);
ud->depth = ud->content_len;
}
/* Updating the depth as is relative to the offset */
ud->depth += ud->offset;
}
}
ud->flags |= DETECT_CONTENT_OFFSET;
break;
case DETECT_CONTENT: case DETECT_CONTENT:
cd = (DetectContentData *)pm->ctx; cd = (DetectContentData *)pm->ctx;
if (cd == NULL) { if (cd == NULL) {

2
src/detect-parse.c
Unescape Escape View File

@ -1189,7 +1189,7 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr,
sig->mpm_uricontent_maxlen = 0; sig->mpm_uricontent_maxlen = 0;
for (sm = sig->sm_lists[DETECT_SM_LIST_UMATCH]; sm != NULL; sm = sm->next) { for (sm = sig->sm_lists[DETECT_SM_LIST_UMATCH]; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_URICONTENT) { if (sm->type == DETECT_CONTENT) {
DetectContentData *ud = (DetectContentData *)sm->ctx; DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud == NULL) if (ud == NULL)
continue; continue;

3
src/detect-pcre.c
Unescape Escape View File

@ -1203,7 +1203,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
prev_sm = SigMatchGetLastSMFromLists(s, 24, prev_sm = SigMatchGetLastSMFromLists(s, 24,
DETECT_CONTENT, sm->prev, DETECT_CONTENT, sm->prev,
DETECT_URICONTENT, sm->prev, DETECT_CONTENT, sm->prev,
DETECT_AL_HTTP_CLIENT_BODY, sm->prev, DETECT_AL_HTTP_CLIENT_BODY, sm->prev,
DETECT_AL_HTTP_SERVER_BODY, sm->prev, DETECT_AL_HTTP_SERVER_BODY, sm->prev,
DETECT_AL_HTTP_HEADER, sm->prev, DETECT_AL_HTTP_HEADER, sm->prev,
@ -1237,7 +1237,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
switch (prev_sm->type) { switch (prev_sm->type) {
case DETECT_CONTENT: case DETECT_CONTENT:
case DETECT_URICONTENT:
case DETECT_AL_HTTP_CLIENT_BODY: case DETECT_AL_HTTP_CLIENT_BODY:
case DETECT_AL_HTTP_SERVER_BODY: case DETECT_AL_HTTP_SERVER_BODY:
case DETECT_AL_HTTP_HEADER: case DETECT_AL_HTTP_HEADER:

4
src/detect-uricontent.c
Unescape Escape View File

@ -371,7 +371,7 @@ int DetectUricontentSetup (DetectEngineCtx *de_ctx, Signature *s, char *contents
if (sm == NULL) if (sm == NULL)
goto error; goto error;
sm->type = DETECT_URICONTENT; sm->type = DETECT_CONTENT;
sm->ctx = (void *)cd; sm->ctx = (void *)cd;
cd->id = DetectUricontentGetId(de_ctx->mpm_pattern_id_store, cd); cd->id = DetectUricontentGetId(de_ctx->mpm_pattern_id_store, cd);
@ -808,7 +808,7 @@ int DetectUriSigTest01(void)
BUG_ON(de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL); BUG_ON(de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL);
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH];
if (sm->type == DETECT_URICONTENT) { if (sm->type == DETECT_CONTENT) {
result = 1; result = 1;
} else { } else {
result = 0; result = 0;

107
src/detect-within.c
Unescape Escape View File

@ -165,7 +165,7 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
} else { } else {
pm = SigMatchGetLastSMFromLists(s, 22, pm = SigMatchGetLastSMFromLists(s, 22,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_URICONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
@ -187,115 +187,10 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
} }
} }
DetectContentData *ud = NULL;
DetectContentData *cd = NULL; DetectContentData *cd = NULL;
DetectPcreData *pe = NULL; DetectPcreData *pe = NULL;
switch (pm->type) { switch (pm->type) {
case DETECT_URICONTENT:
ud = (DetectContentData *)pm->ctx;
if (ud == NULL) {
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "Unknown previous keyword!\n");
goto error;
}
if (ud->flags & DETECT_CONTENT_NEGATED) {
if (ud->flags & DETECT_CONTENT_FAST_PATTERN) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"negated keyword set along with a fast_pattern");
goto error;
}
} else {
if (ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"keyword set along with a fast_pattern:only;");
goto error;
}
}
if (str[0] != '-' && isalpha(str[0])) {
SigMatch *bed_sm =
DetectByteExtractRetrieveSMVar(str, s,
SigMatchListSMBelongsTo(s, pm));
if (bed_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in within - %s\n", str);
goto error;
}
ud->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
ud->flags |= DETECT_CONTENT_WITHIN_BE;
} else {
ud->within = strtol(str, NULL, 10);
if (ud->within < (int32_t)ud->content_len) {
SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is "
"less than the content length \"%"PRIu32"\" which is invalid, since "
"this will never match. Invalidating signature", ud->within,
ud->content_len);
goto error;
}
}
ud->flags |= DETECT_CONTENT_WITHIN;
pm = SigMatchGetLastSMFromLists(s, 6,
DETECT_URICONTENT, pm->prev,
DETECT_PCRE, pm->prev,
DETECT_BYTEJUMP, pm->prev);
if (pm == NULL) {
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs two "
"preceeding content or uricontent options");
goto error;
}
switch (pm->type) {
case DETECT_URICONTENT:
/* Set the relative next flag on the prev sigmatch */
ud = (DetectContentData *)pm->ctx;
if (ud == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
"previous keyword!");
goto error;
}
ud->flags |= DETECT_CONTENT_RELATIVE_NEXT;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
"has a fast_pattern:only; set. You can't "
"have relative keywords around a fast_pattern "
"only content");
goto error;
}
break;
case DETECT_PCRE:
pe = (DetectPcreData *) pm->ctx;
if (pe == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
"previous keyword!");
goto error;
}
pe->flags |= DETECT_PCRE_RELATIVE_NEXT;
break;
case DETECT_BYTEJUMP:
SCLogDebug("No setting relative_next for bytejump. We "
"have no use for it");
break;
default:
/* this will never hit */
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
"previous keyword!");
break;
}
DetectUricontentPrint(ud);
break;
case DETECT_CONTENT: case DETECT_CONTENT:
cd = (DetectContentData *)pm->ctx; cd = (DetectContentData *)pm->ctx;
if (cd == NULL) { if (cd == NULL) {

2
src/detect.c
Unescape Escape View File

@ -273,7 +273,7 @@ static inline void EngineAnalysisWriteFastPattern(Signature *s, SigMatch *mpm_sm
fprintf(fp_engine_analysis_FD, " Fast pattern matcher: "); fprintf(fp_engine_analysis_FD, " Fast pattern matcher: ");
if (mpm_sm->type == DETECT_CONTENT) if (mpm_sm->type == DETECT_CONTENT)
fprintf(fp_engine_analysis_FD, "content\n"); fprintf(fp_engine_analysis_FD, "content\n");
else if (mpm_sm->type == DETECT_URICONTENT) else if (mpm_sm->type == DETECT_CONTENT)
fprintf(fp_engine_analysis_FD, "uricontent\n"); fprintf(fp_engine_analysis_FD, "uricontent\n");
else if (mpm_sm->type == DETECT_AL_HTTP_CLIENT_BODY) else if (mpm_sm->type == DETECT_AL_HTTP_CLIENT_BODY)
fprintf(fp_engine_analysis_FD, "http_client_body\n"); fprintf(fp_engine_analysis_FD, "http_client_body\n");

Write Preview
Loading…
Cancel
Save