add support for sigs with uricontent fast_pattern

15 years ago · 4b77f132df
parent ea8eaf31aa
commit 4b77f132df
6 changed files with 1299 additions and 57 deletions
--- a/src/detect-depth.c
+++ b/src/detect-depth.c
@ -19,6 +19,7 @@
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
+ * \author Anoop Saldanha <poonaatsoc@gmail.com>
 *
 * Implements the depth keyword
 */
@ -56,6 +57,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
    char dubbed = 0;
    SigMatch *pm = NULL;
    DetectContentData *cd = NULL;
+    DetectUricontentData *ud = NULL;

    /* strip "'s */
    if (depthstr[0] == '\"' && depthstr[strlen(depthstr)-1] == '\"') {
@ -97,13 +99,28 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths

    switch (pm->type) {
        case DETECT_URICONTENT:
-        {
-            DetectUricontentData *ud = (DetectUricontentData *)pm->ctx;
+            ud = (DetectUricontentData *)pm->ctx;
            if (ud == NULL) {
                SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument");
-                if (dubbed) SCFree(str);
+                if (dubbed)
+                    SCFree(str);
                return -1;
            }
+
+            if (ud->flags & DETECT_URICONTENT_NEGATED) {
+                if (ud->flags & DETECT_URICONTENT_FAST_PATTERN) {
+                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
+                               "negated keyword set along with a fast_pattern");
+                    goto error;
+                }
+            } else {
+                if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) {
+                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
+                               "keyword set along with a fast_pattern:only;");
+                    goto error;
+                }
+            }
+
            ud->depth = (uint32_t)atoi(str);
            if (ud->depth < ud->uricontent_len) {
                ud->depth = ud->uricontent_len;
@ -112,11 +129,11 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
            }
            /* Now update the real limit, as depth is relative to the offset */
            ud->depth += ud->offset;
-        }
-        break;
+            ud->flags |= DETECT_URICONTENT_DEPTH;

-        case DETECT_CONTENT:
+            break;

+        case DETECT_CONTENT:
            cd = (DetectContentData *)pm->ctx;
            if (cd == NULL) {
                SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument");
--- a/src/detect-distance.c
+++ b/src/detect-distance.c
@ -19,6 +19,7 @@
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
+ * \author Anoop Saldanha <poonaatsoc@gmail.com>
 *
 * Implements the distance keyword
 */
@ -184,6 +185,20 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
                goto error;
            }

+            if (ud->flags & DETECT_URICONTENT_NEGATED) {
+                if (ud->flags & DETECT_URICONTENT_FAST_PATTERN) {
+                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
+                               "negated keyword set along with a fast_pattern");
+                    goto error;
+                }
+            } else {
+                if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) {
+                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
+                               "keyword set along with a fast_pattern:only;");
+                    goto error;
+                }
+            }
+
            ud->distance = strtol(str, NULL, 10);
            if (ud->flags & DETECT_URICONTENT_WITHIN) {
                if ((ud->distance + ud->uricontent_len) > ud->within) {
@ -214,6 +229,14 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
                    }
                    ud->flags |= DETECT_URICONTENT_RELATIVE_NEXT;

+                    if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) {
+                        SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
+                                   "has a fast_pattern:only; set.  You can't "
+                                   "have relative keywords around a fast_pattern "
+                                   "only content");
+                        goto error;
+                    }
+
                    break;

                case DETECT_PCRE:
--- a/src/detect-fast-pattern.c
+++ b/src/detect-fast-pattern.c
--- a/src/detect-offset.c
+++ b/src/detect-offset.c
@ -19,6 +19,7 @@
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
+ * \author Anoop Saldanha <poonaatsoc@gmail.com>
 *
 * Implements the offset keyword
 */
@ -100,9 +101,25 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
            ud = (DetectUricontentData *)pm->ctx;
            if (ud == NULL) {
                SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument");
-                if (dubbed) SCFree(str);
+                if (dubbed)
+                    SCFree(str);
                return -1;
            }
+
+            if (ud->flags & DETECT_URICONTENT_NEGATED) {
+                if (ud->flags & DETECT_URICONTENT_FAST_PATTERN) {
+                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
+                               "negated keyword set along with a fast_pattern");
+                    goto error;
+                }
+            } else {
+                if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) {
+                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
+                               "keyword set along with a fast_pattern:only;");
+                    goto error;
+                }
+            }
+
            ud->offset = (uint32_t)atoi(str);
            if (ud->depth != 0) {
                if (ud->depth < ud->uricontent_len) {
@ -113,13 +130,17 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
                /* Updating the depth as is relative to the offset */
                ud->depth += ud->offset;
            }
+
+            ud->flags |= DETECT_URICONTENT_OFFSET;
+
            break;

        case DETECT_CONTENT:
            cd = (DetectContentData *)pm->ctx;
            if (cd == NULL) {
                SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument");
-                if (dubbed) SCFree(str);
+                if (dubbed)
+                    SCFree(str);
                return -1;
            }

@ -155,8 +176,9 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
        default:
            SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs a preceeding"
                    " content or uricontent option");
-            if (dubbed) SCFree(str);
-                return -1;
+            if (dubbed)
+                SCFree(str);
+            return -1;

            break;
    }
--- a/src/detect-uricontent.h
+++ b/src/detect-uricontent.h
@ -25,16 +25,22 @@
 #ifndef __DETECT_URICONTENT_H__
 #define __DETECT_URICONTENT_H__

-#define DETECT_URICONTENT_NOCASE        0x01
-#define DETECT_URICONTENT_DISTANCE      0x02
-#define DETECT_URICONTENT_WITHIN        0x04
+#define DETECT_URICONTENT_NOCASE            0x0001
+#define DETECT_URICONTENT_DISTANCE          0x0002
+#define DETECT_URICONTENT_WITHIN            0x0004
+#define DETECT_URICONTENT_OFFSET            0x0008
+#define DETECT_URICONTENT_DEPTH             0x0010

-#define DETECT_URICONTENT_DISTANCE_NEXT 0x08
-#define DETECT_URICONTENT_WITHIN_NEXT   0x10
+#define DETECT_URICONTENT_DISTANCE_NEXT     0x0020
+#define DETECT_URICONTENT_WITHIN_NEXT       0x0040

-#define DETECT_URICONTENT_RAWBYTES      0x20
-#define DETECT_URICONTENT_NEGATED       0x40
-#define DETECT_URICONTENT_RELATIVE_NEXT 0x80
+#define DETECT_URICONTENT_RAWBYTES          0x0080
+#define DETECT_URICONTENT_NEGATED           0x0100
+#define DETECT_URICONTENT_RELATIVE_NEXT     0x0200
+
+#define DETECT_URICONTENT_FAST_PATTERN      0x0400
+#define DETECT_URICONTENT_FAST_PATTERN_ONLY 0x0800
+#define DETECT_URICONTENT_FAST_PATTERN_CHOP 0x1000

 #define DETECT_URICONTENT_IS_SINGLE(c) (!((c)->flags & DETECT_URICONTENT_DISTANCE || \
                                       (c)->flags & DETECT_URICONTENT_WITHIN || \
@ -48,14 +54,20 @@
 typedef struct DetectUricontentData_ {
    uint8_t *uricontent;
    uint8_t uricontent_len;
-    uint8_t flags;
    PatIntId id;
+    uint32_t flags;
    uint16_t depth;
    uint16_t offset;
    int32_t distance;
    int32_t within;
    BmCtx *bm_ctx;     /**< Boyer Moore context (for spm search) */
-
+    /* if someone wants to add an extra var to this structutre of size 1 byte
+     * you can reduce the below var to uint8_t.  No problemo */
+    uint16_t avoid_double_check;
+    /* for chopped fast pattern, the offset */
+    uint16_t fp_chop_offset;
+    /* for chopped fast pattern, the length */
+    uint16_t fp_chop_len;
 } DetectUricontentData;

 /* prototypes */
--- a/src/detect-within.c
+++ b/src/detect-within.c
@ -19,6 +19,7 @@
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
+ * \author Anoop Saldanha <poonaatsoc@gmail.com>
 *
 * Implements the within keyword
 */
@ -186,6 +187,20 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
                goto error;
            }

+            if (ud->flags & DETECT_URICONTENT_NEGATED) {
+                if (ud->flags & DETECT_URICONTENT_FAST_PATTERN) {
+                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
+                               "negated keyword set along with a fast_pattern");
+                    goto error;
+                }
+            } else {
+                if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) {
+                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
+                               "keyword set along with a fast_pattern:only;");
+                    goto error;
+                }
+            }
+
            ud->within = strtol(str, NULL, 10);
            if (ud->within < (int32_t)ud->uricontent_len) {
                SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is "
@ -224,6 +239,14 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
                    }
                    ud->flags |= DETECT_URICONTENT_RELATIVE_NEXT;

+                    if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) {
+                        SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
+                                   "has a fast_pattern:only; set.  You can't "
+                                   "have relative keywords around a fast_pattern "
+                                   "only content");
+                        goto error;
+                    }
+
                    break;

                case DETECT_PCRE: