add support for sigs with uricontent fast_pattern

remotes/origin/master-1.1.x
Anoop Saldanha 15 years ago committed by Victor Julien
parent ea8eaf31aa
commit 4b77f132df

@ -19,6 +19,7 @@
* \file
*
* \author Victor Julien <victor@inliniac.net>
* \author Anoop Saldanha <poonaatsoc@gmail.com>
*
* Implements the depth keyword
*/
@ -56,6 +57,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
char dubbed = 0;
SigMatch *pm = NULL;
DetectContentData *cd = NULL;
DetectUricontentData *ud = NULL;
/* strip "'s */
if (depthstr[0] == '\"' && depthstr[strlen(depthstr)-1] == '\"') {
@ -97,13 +99,28 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
switch (pm->type) {
case DETECT_URICONTENT:
{
DetectUricontentData *ud = (DetectUricontentData *)pm->ctx;
ud = (DetectUricontentData *)pm->ctx;
if (ud == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument");
if (dubbed) SCFree(str);
if (dubbed)
SCFree(str);
return -1;
}
if (ud->flags & DETECT_URICONTENT_NEGATED) {
if (ud->flags & DETECT_URICONTENT_FAST_PATTERN) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"negated keyword set along with a fast_pattern");
goto error;
}
} else {
if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"keyword set along with a fast_pattern:only;");
goto error;
}
}
ud->depth = (uint32_t)atoi(str);
if (ud->depth < ud->uricontent_len) {
ud->depth = ud->uricontent_len;
@ -112,11 +129,11 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
}
/* Now update the real limit, as depth is relative to the offset */
ud->depth += ud->offset;
}
break;
ud->flags |= DETECT_URICONTENT_DEPTH;
case DETECT_CONTENT:
break;
case DETECT_CONTENT:
cd = (DetectContentData *)pm->ctx;
if (cd == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument");
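Review bot: The negated/fast_pattern validation added under `case DETECT_URICONTENT:` is the same block that also appears in the distance, offset and within sections, and here and in offset its messages call the keyword "relative", which depth and offset are not. Four copies will drift apart, and a rule writer reading the log cannot tell which keyword caused the signature to be rejected. I would move the check into one shared function that takes the keyword name and call it as `if (DetectUricontentFastPatternCheck(ud, "depth") < 0) goto error;`; the helper name is only a suggestion. DetectDepthSetup starts and ends outside the visible hunks, so the `error:` label itself could not be checked.

```c
/* suggested shared helper; the name and message wording are proposals */
int DetectUricontentFastPatternCheck(const DetectUricontentData *ud,
                                     const char *keyword)
{
    if (ud->flags & DETECT_URICONTENT_NEGATED) {
        if (ud->flags & DETECT_URICONTENT_FAST_PATTERN) {
            SCLogError(SC_ERR_INVALID_SIGNATURE, "%s can't be used on a "
                       "negated uricontent that has fast_pattern set", keyword);
            return -1;
        }
    } else if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "%s can't be used on a "
                   "uricontent that has fast_pattern:only; set", keyword);
        return -1;
    }
    return 0;
}

/* ... unchanged: ud == NULL check in DetectDepthSetup ... */
if (DetectUricontentFastPatternCheck(ud, "depth") < 0)
    goto error;
/* ... unchanged: depth parsing and adjustment ... */
```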

@ -19,6 +19,7 @@
* \file
*
* \author Victor Julien <victor@inliniac.net>
* \author Anoop Saldanha <poonaatsoc@gmail.com>
*
* Implements the distance keyword
*/
@ -184,6 +185,20 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
goto error;
}
if (ud->flags & DETECT_URICONTENT_NEGATED) {
if (ud->flags & DETECT_URICONTENT_FAST_PATTERN) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"negated keyword set along with a fast_pattern");
goto error;
}
} else {
if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"keyword set along with a fast_pattern:only;");
goto error;
}
}
ud->distance = strtol(str, NULL, 10);
if (ud->flags & DETECT_URICONTENT_WITHIN) {
if ((ud->distance + ud->uricontent_len) > ud->within) {
@ -214,6 +229,14 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
}
ud->flags |= DETECT_URICONTENT_RELATIVE_NEXT;
if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
"has a fast_pattern:only; set. You can't "
"have relative keywords around a fast_pattern "
"only content");
goto error;
}
break;
case DETECT_PCRE:
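Review bot: `ud->distance = strtol(str, NULL, 10);` directly below the added checks accepts any text. A non-numeric value parses as 0 and an out-of-range one is narrowed from `long` into the `int32_t` field, so a mistyped rule loads and then matches at a position its author did not write. The same holds for `ud->within = strtol(str, NULL, 10);` in the within section. Assuming `str` is already trimmed, parse with an end pointer and reject the signature on junk or overflow: `errno = 0; long v = strtol(str, &end, 10);` followed by `if (end == str || *end != '\0' || errno == ERANGE || v < INT32_MIN || v > INT32_MAX) goto error;`. DetectDistanceSetup continues outside both hunks.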

File diff suppressed because it is too large Load Diff

@ -19,6 +19,7 @@
* \file
*
* \author Victor Julien <victor@inliniac.net>
* \author Anoop Saldanha <poonaatsoc@gmail.com>
*
* Implements the offset keyword
*/
@ -100,9 +101,25 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
ud = (DetectUricontentData *)pm->ctx;
if (ud == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument");
if (dubbed) SCFree(str);
if (dubbed)
SCFree(str);
return -1;
}
if (ud->flags & DETECT_URICONTENT_NEGATED) {
if (ud->flags & DETECT_URICONTENT_FAST_PATTERN) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"negated keyword set along with a fast_pattern");
goto error;
}
} else {
if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"keyword set along with a fast_pattern:only;");
goto error;
}
}
ud->offset = (uint32_t)atoi(str);
if (ud->depth != 0) {
if (ud->depth < ud->uricontent_len) {
@ -113,13 +130,17 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
/* Updating the depth as is relative to the offset */
ud->depth += ud->offset;
}
ud->flags |= DETECT_URICONTENT_OFFSET;
break;
case DETECT_CONTENT:
cd = (DetectContentData *)pm->ctx;
if (cd == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument");
if (dubbed) SCFree(str);
if (dubbed)
SCFree(str);
return -1;
}
@ -155,8 +176,9 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
default:
SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs a preceeding"
" content or uricontent option");
if (dubbed) SCFree(str);
return -1;
if (dubbed)
SCFree(str);
return -1;
break;
}
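Review bot: The switch in DetectOffsetSetup now mixes two exit styles: the `ud == NULL` and `cd == NULL` checks and the `default:` arm free `str` and `return -1` inline, while the added fast_pattern checks use `goto error`. The `error:` label is outside the visible hunks, so I cannot confirm that it frees `str` when `dubbed` is set; if it does not, every rule rejected by the new checks leaks the duplicated string. Routing all of these exits through `goto error` would leave one cleanup path and remove the unreachable `break;` after `return -1;` in the `default:` arm. The depth section has the same mix of inline free-and-return and `goto error`.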

@ -25,16 +25,22 @@
#ifndef __DETECT_URICONTENT_H__
#define __DETECT_URICONTENT_H__
#define DETECT_URICONTENT_NOCASE 0x01
#define DETECT_URICONTENT_DISTANCE 0x02
#define DETECT_URICONTENT_WITHIN 0x04
#define DETECT_URICONTENT_NOCASE 0x0001
#define DETECT_URICONTENT_DISTANCE 0x0002
#define DETECT_URICONTENT_WITHIN 0x0004
#define DETECT_URICONTENT_OFFSET 0x0008
#define DETECT_URICONTENT_DEPTH 0x0010
#define DETECT_URICONTENT_DISTANCE_NEXT 0x08
#define DETECT_URICONTENT_WITHIN_NEXT 0x10
#define DETECT_URICONTENT_DISTANCE_NEXT 0x0020
#define DETECT_URICONTENT_WITHIN_NEXT 0x0040
#define DETECT_URICONTENT_RAWBYTES 0x20
#define DETECT_URICONTENT_NEGATED 0x40
#define DETECT_URICONTENT_RELATIVE_NEXT 0x80
#define DETECT_URICONTENT_RAWBYTES 0x0080
#define DETECT_URICONTENT_NEGATED 0x0100
#define DETECT_URICONTENT_RELATIVE_NEXT 0x0200
#define DETECT_URICONTENT_FAST_PATTERN 0x0400
#define DETECT_URICONTENT_FAST_PATTERN_ONLY 0x0800
#define DETECT_URICONTENT_FAST_PATTERN_CHOP 0x1000
#define DETECT_URICONTENT_IS_SINGLE(c) (!((c)->flags & DETECT_URICONTENT_DISTANCE || \
(c)->flags & DETECT_URICONTENT_WITHIN || \
@ -48,14 +54,20 @@
typedef struct DetectUricontentData_ {
uint8_t *uricontent;
uint8_t uricontent_len;
uint8_t flags;
PatIntId id;
uint32_t flags;
uint16_t depth;
uint16_t offset;
int32_t distance;
int32_t within;
BmCtx *bm_ctx; /**< Boyer Moore context (for spm search) */
/* if someone wants to add an extra var to this structutre of size 1 byte
* you can reduce the below var to uint8_t. No problemo */
uint16_t avoid_double_check;
/* for chopped fast pattern, the offset */
uint16_t fp_chop_offset;
/* for chopped fast pattern, the length */
uint16_t fp_chop_len;
} DetectUricontentData;
/* prototypes */
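Review bot: `depth` and `offset` remain `uint16_t` in DetectUricontentData, while the depth and offset sections assign `(uint32_t)atoi(str)` to them and then run `ud->depth += ud->offset;`. A rule value above 65535, a negative value, or a sum past 65535 wraps silently, and the signature then inspects a different byte range than the one written. Since this change already widens `flags` to `uint32_t`, either widen these two fields as well or reject out-of-range input at parse time, for example `if (v < 0 || v > UINT16_MAX) goto error;` before the assignment. The comment on `avoid_double_check` should also say what the field records; at present it only discusses the field's size.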

@ -19,6 +19,7 @@
* \file
*
* \author Victor Julien <victor@inliniac.net>
* \author Anoop Saldanha <poonaatsoc@gmail.com>
*
* Implements the within keyword
*/
@ -186,6 +187,20 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
goto error;
}
if (ud->flags & DETECT_URICONTENT_NEGATED) {
if (ud->flags & DETECT_URICONTENT_FAST_PATTERN) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"negated keyword set along with a fast_pattern");
goto error;
}
} else {
if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"keyword set along with a fast_pattern:only;");
goto error;
}
}
ud->within = strtol(str, NULL, 10);
if (ud->within < (int32_t)ud->uricontent_len) {
SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is "
@ -224,6 +239,14 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
}
ud->flags |= DETECT_URICONTENT_RELATIVE_NEXT;
if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
"has a fast_pattern:only; set. You can't "
"have relative keywords around a fast_pattern "
"only content");
goto error;
}
break;
case DETECT_PCRE:
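Review bot: In the second hunk `ud->flags |= DETECT_URICONTENT_RELATIVE_NEXT;` runs before the `DETECT_URICONTENT_FAST_PATTERN_ONLY` test that rejects the rule, so the previous uricontent is modified even on the failing path. The distance section does the same. That is harmless only if the whole signature is discarded after `goto error`, which happens outside the visible lines. Moving the `if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) { ... goto error; }` block above the `|=` keeps validation ahead of mutation at no cost.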
