turn dce_stub_data into a sticky buffer.

pull/325/head
Anoop Saldanha 13 years ago committed by Victor Julien
parent a308d718ae
commit 51dcf19817

@ -571,60 +571,42 @@ int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
/* check bytetest modifiers against the signature alproto. In case they conflict
* chuck out invalid signature */
if ((data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) &&
(s->alproto != ALPROTO_DCERPC)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
"bytetest with dce enabled");
goto error;
if ((data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE)) {
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
"bytetest with dce enabled");
goto error;
}
s->alproto = ALPROTO_DCERPC;
}
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA ||
s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
int sm_list;
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
AppLayerHtpEnableResponseBodyCallback();
sm_list = DETECT_SM_LIST_HSBDMATCH;
} else {
sm_list = DETECT_SM_LIST_DMATCH;
}
if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
SigMatch *prev_sm = NULL;
prev_sm = SigMatchGetLastSMFromLists(s, 8,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
DETECT_CONTENT, s->sm_lists_tail[sm_list],
DETECT_BYTETEST, s->sm_lists_tail[sm_list],
DETECT_BYTEJUMP, s->sm_lists_tail[sm_list],
DETECT_PCRE, s->sm_lists_tail[sm_list]);
if (prev_sm == NULL) {
data->flags &= ~DETECT_BYTE_EXTRACT_FLAG_RELATIVE;
}
s->flags |= SIG_FLAG_APPLAYER;
AppLayerHtpEnableResponseBodyCallback();
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
} else {
s->flags |= SIG_FLAG_APPLAYER;
AppLayerHtpEnableResponseBodyCallback();
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
}
} else if (s->alproto == ALPROTO_DCERPC &&
(data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE)) {
SigMatch *pm = NULL;
SigMatch *dm = NULL;
pm = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
dm = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
if (pm == NULL) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
} else if (dm == NULL) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
} else if (pm->idx > dm->idx) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
} else {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
}
s->flags |= SIG_FLAG_APPLAYER;
SigMatchAppendSMToList(s, sm, sm_list);
} else {
if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
SigMatch *pm =
SigMatchGetLastSMFromLists(s, 30,
SigMatchGetLastSMFromLists(s, 20,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
@ -634,21 +616,13 @@ int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (pm == NULL) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
return 0;
}
int list = SigMatchListSMBelongsTo(s, pm);
if (list == DETECT_SM_LIST_UMATCH)
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH);
else
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
SigMatchAppendSMToList(s, sm, list);
} else {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
}
@ -667,17 +641,8 @@ int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
DETECT_CONTENT, sm->prev,
DETECT_BYTEJUMP, sm->prev,
DETECT_PCRE, sm->prev);
if (prev_sm == NULL) {
if (s->alproto == ALPROTO_DCERPC) {
SCLogDebug("No preceding content or pcre keyword. Possible "
"since this is a dce alproto sig.");
return 0;
} else {
SCLogError(SC_ERR_INVALID_SIGNATURE, "No preceding content "
"or uricontent or pcre option");
return -1;
}
}
if (prev_sm == NULL)
return 0;
DetectContentData *cd = NULL;
DetectPcreData *pe = NULL;
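Review bot: The error message retained in the new block of the first hunk still reads `"Non dce alproto sig has bytetest with dce enabled"` although this is DetectByteExtractSetup, so a rule author who trips it is pointed at the wrong keyword; change it to `"Non dce alproto sig has byte_extract with dce enabled"`. The condition on the line above it, `if ((data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE))`, carries a redundant pair of parentheses that compilers and readers treat as the "intentional assignment" idiom. The `sm_list` selection block that follows (from `if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA)` through `SigMatchAppendSMToList(s, sm, sm_list)`) is repeated verbatim in DetectBytejumpSetup and DetectBytetestSetup in this commit; a shared static helper returning the list id would keep the three from drifting, and the test reads more clearly as `s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)`. In the third hunk the relative case with no preceding keyword now `return 0`s for every alproto where it previously rejected non-DCERPC signatures with SC_ERR_INVALID_SIGNATURE; if that is intended, a one-line comment saying why a relative byte_extract with nothing to anchor to is accepted would help. DetectByteExtractSetup starts and ends outside these hunks.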

@ -561,51 +561,32 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
"DCERPC rule holds an invalid modifier for bytejump.");
goto error;
}
s->alproto = ALPROTO_DCERPC;
}
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA ||
s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
int sm_list;
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
AppLayerHtpEnableResponseBodyCallback();
sm_list = DETECT_SM_LIST_HSBDMATCH;
} else {
sm_list = DETECT_SM_LIST_DMATCH;
}
if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
SigMatch *prev_sm = NULL;
prev_sm = SigMatchGetLastSMFromLists(s, 8,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
DETECT_CONTENT, s->sm_lists_tail[sm_list],
DETECT_BYTETEST, s->sm_lists_tail[sm_list],
DETECT_BYTEJUMP, s->sm_lists_tail[sm_list],
DETECT_PCRE, s->sm_lists_tail[sm_list]);
if (prev_sm == NULL) {
data->flags &= ~DETECT_BYTEJUMP_RELATIVE;
}
s->flags |= SIG_FLAG_APPLAYER;
AppLayerHtpEnableResponseBodyCallback();
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
} else {
s->flags |= SIG_FLAG_APPLAYER;
AppLayerHtpEnableResponseBodyCallback();
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
}
} else if (s->alproto == ALPROTO_DCERPC &&
(data->flags & DETECT_BYTEJUMP_RELATIVE)) {
SigMatch *pm = NULL;
SigMatch *dm = NULL;
pm = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
dm = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
if (pm == NULL) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
} else if (dm == NULL) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
} else if (pm->idx > dm->idx) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
} else {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
}
s->flags |= SIG_FLAG_APPLAYER;
SigMatchAppendSMToList(s, sm, sm_list);
} else {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
}
@ -639,13 +620,7 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
DETECT_BYTEJUMP, sm->prev,
DETECT_PCRE, sm->prev);
if (prev_sm == NULL) {
if (s->alproto == ALPROTO_DCERPC) {
SCLogDebug("No preceding content or pcre keyword. Possible "
"since this is an alproto sig.");
return 0;
} else {
return 0;
}
return 0;
}
DetectContentData *cd = NULL;

@ -466,7 +466,7 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
/* check bytetest modifiers against the signature alproto. In case they conflict
* chuck out invalid signature */
if (data-> flags & DETECT_BYTETEST_DCE) {
if (data->flags & DETECT_BYTETEST_DCE) {
if (s->alproto != ALPROTO_DCERPC) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
"bytetest with dce enabled");
@ -482,52 +482,32 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
"a byte_test keyword with dce holds other invalid modifiers.");
goto error;
}
s->alproto = ALPROTO_DCERPC;
}
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA ||
s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
int sm_list;
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
AppLayerHtpEnableResponseBodyCallback();
sm_list = DETECT_SM_LIST_HSBDMATCH;
} else {
sm_list = DETECT_SM_LIST_DMATCH;
}
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
if (data->flags & DETECT_BYTETEST_RELATIVE) {
SigMatch *prev_sm = NULL;
prev_sm = SigMatchGetLastSMFromLists(s, 8,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
DETECT_CONTENT, s->sm_lists_tail[sm_list],
DETECT_BYTETEST, s->sm_lists_tail[sm_list],
DETECT_BYTEJUMP, s->sm_lists_tail[sm_list],
DETECT_PCRE, s->sm_lists_tail[sm_list]);
if (prev_sm == NULL) {
data->flags &= ~DETECT_BYTETEST_RELATIVE;
}
s->flags |= SIG_FLAG_APPLAYER;
AppLayerHtpEnableResponseBodyCallback();
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
} else {
s->flags |= SIG_FLAG_APPLAYER;
AppLayerHtpEnableResponseBodyCallback();
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
}
} else if (s->alproto == ALPROTO_DCERPC &&
(data->flags & DETECT_BYTETEST_RELATIVE)) {
SigMatch *pm = NULL;
SigMatch *dm = NULL;
pm = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
dm = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
if (pm == NULL) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
} else if (dm == NULL) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
} else if (pm->idx > dm->idx) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
} else {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
}
s->flags |= SIG_FLAG_APPLAYER;
SigMatchAppendSMToList(s, sm, sm_list);
} else {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
}
@ -576,13 +556,7 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
DETECT_BYTEJUMP, sm->prev,
DETECT_PCRE, sm->prev);
if (prev_sm == NULL) {
if (s->alproto == ALPROTO_DCERPC) {
SCLogDebug("No preceding content or pcre keyword. Possible "
"since this is an alproto sig.");
return 0;
} else {
return 0;
}
return 0;
}
DetectContentData *cd = NULL;
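Review bot: The added `s->alproto = ALPROTO_DCERPC;` at the top of the second hunk appears to be a no-op, because the unchanged check in the first hunk, `if (s->alproto != ALPROTO_DCERPC)`, still rejects any signature whose alproto is not already DCERPC (assuming, as the hunk layout suggests, both sit inside the same `if (data->flags & DETECT_BYTETEST_DCE)` block). This also diverges from DetectByteExtractSetup in this same commit, which accepts `ALPROTO_UNKNOWN` and then promotes the signature to DCERPC, so `byte_test` with the `dce` modifier behaves differently from `byte_extract` with `dce` when no earlier keyword has set the alproto. Either relax the check to `if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC)` to match byte_extract, or drop the assignment. DetectBytetestSetup starts and ends outside these hunks.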

@ -402,6 +402,20 @@ static int DetectContentSetup (DetectEngineCtx *de_ctx, Signature *s, char *cont
/* enable http request body callback in the http app layer parser */
AppLayerHtpEnableResponseBodyCallback();
} else if (s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_DMATCH);
sm->type = DETECT_CONTENT;
/* transfer the sm from the pmatch list to hsbdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_DMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
/* flag the signature to indicate that we scan the app layer data */
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_DCERPC;
}
return 0;
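Review bot: The new `else if (s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA)` branch duplicates the file_data branch above it with only the target list and the `s->alproto` assignment differing, so the two will drift on the next change; a static helper taking the list id would let both call sites share the `DetectPatternGetId` / `SigMatchTransferSigMatchAcrossLists` / `SIG_FLAG_APPLAYER` sequence. The `s->alproto = ALPROTO_DCERPC;` line looks redundant, since DetectDceStubDataSetup in this commit already sets the alproto when the sticky buffer is enabled; if it is kept deliberately, a comment such as `/* dce_stub_data setup already set this; kept for safety */` would stop a reader from hunting for the case where it is needed. `sm->type = DETECT_CONTENT;` re-assigns a type the SigMatch presumably already carries at this point — confirm and drop if so. DetectContentSetup starts and ends outside this hunk.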

@ -61,7 +61,7 @@ void DetectDceStubDataRegister(void)
sigmatch_table[DETECT_DCE_STUB_DATA].name = "dce_stub_data";
sigmatch_table[DETECT_DCE_STUB_DATA].alproto = ALPROTO_DCERPC;
sigmatch_table[DETECT_DCE_STUB_DATA].Match = NULL;
sigmatch_table[DETECT_DCE_STUB_DATA].AppLayerMatch = DetectDceStubDataMatch;
sigmatch_table[DETECT_DCE_STUB_DATA].AppLayerMatch = NULL;
sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup;
sigmatch_table[DETECT_DCE_STUB_DATA].Free = NULL;
sigmatch_table[DETECT_DCE_STUB_DATA].RegisterTests = DetectDceStubDataRegisterTests;
@ -71,42 +71,6 @@ void DetectDceStubDataRegister(void)
return;
}
/**
* \brief App layer match function for the "dce_stub_data" keyword.
*
* \todo Check the need for passing a pointer to hold the address of the stub_data.
*
* \param t Pointer to the ThreadVars instance.
* \param det_ctx Pointer to the DetectEngineThreadCtx.
* \param f Pointer to the flow.
* \param flags Pointer to the flags indicating the flow direction.
* \param state Pointer to the app layer state data.
* \param s Pointer to the Signature instance.
* \param m Pointer to the SigMatch.
*
* \retval 1 On Match.
* \retval 0 On no match.
*/
int DetectDceStubDataMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
uint8_t flags, void *state, Signature *s, SigMatch *m)
{
SCEnter();
DCERPCState *dcerpc_state = (DCERPCState *)state;
if (dcerpc_state == NULL) {
SCLogDebug("No DCERPCState for the flow");
SCReturnInt(0);
}
if (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL ||
dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer != NULL)
{
SCReturnInt(1);
} else {
SCReturnInt(0);
}
}
/**
* \brief Creates a SigMatch for the \"dce_stub_data\" keyword being sent as argument,
* and appends it to the Signature(s).
@ -121,30 +85,18 @@ int DetectDceStubDataMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *
static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
SigMatch *sm = NULL;
sm = SigMatchAlloc();
if (sm == NULL)
goto error;
sm->type = DETECT_DCE_STUB_DATA;
sm->ctx = NULL;
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
"rule contains conflicting keywords.");
goto error;
}
s->init_flags |= SIG_FLAG_INIT_DCE_STUB_DATA;
s->alproto = ALPROTO_DCERPC;
/* Flagged the signature as to inspect the app layer data */
s->flags |= SIG_FLAG_APPLAYER;
return 0;
error:
if (sm != NULL)
SCFree(sm);
return -1;
}
@ -161,7 +113,7 @@ static int DetectDceStubDataTestParse01(void)
result = (DetectDceStubDataSetup(NULL, &s, NULL) == 0);
if (s.sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
if (s.sm_lists[DETECT_SM_LIST_AMATCH] == NULL) {
result = 1;
} else {
result = 0;
@ -658,7 +610,7 @@ static int DetectDceStubDataTestParse02(void)
s = de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"DCERPC\"; "
"dce_stub_data; "
"dce_stub_data; content:\"|42 42 42 42|\";"
"sid:1;)");
if (s == NULL)
goto end;
@ -1199,7 +1151,7 @@ static int DetectDceStubDataTestParse03(void)
s = de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"DCERPC\"; "
"dce_stub_data; "
"dce_stub_data; content:\"|42 42 42 42|\";"
"sid:1;)");
if (s == NULL)
goto end;
@ -1391,7 +1343,15 @@ static int DetectDceStubDataTestParse04(void)
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
"(msg:\"DCERPC\"; dce_stub_data; sid:1;)");
"(msg:\"DCERPC\"; dce_stub_data; content:\"|00 02|\"; sid:1;)");
if (s == NULL)
goto end;
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
"(msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)");
if (s == NULL)
goto end;
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
"(msg:\"DCERPC\"; dce_stub_data; content:\"|00 18|\"; sid:3;)");
if (s == NULL)
goto end;
@ -1437,7 +1397,7 @@ static int DetectDceStubDataTestParse04(void)
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1))
if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
goto end;
/* response1 */
@ -1453,7 +1413,7 @@ static int DetectDceStubDataTestParse04(void)
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1))
if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
goto end;
/* request2 */
@ -1469,7 +1429,7 @@ static int DetectDceStubDataTestParse04(void)
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1))
if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
goto end;
/* response2 */
@ -1485,7 +1445,7 @@ static int DetectDceStubDataTestParse04(void)
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1))
if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
goto end;
/* request3 */
@ -1501,7 +1461,7 @@ static int DetectDceStubDataTestParse04(void)
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1))
if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
goto end;
/* response3 */
@ -1517,7 +1477,7 @@ static int DetectDceStubDataTestParse04(void)
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1))
if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
goto end;
result = 1;
@ -1658,10 +1618,24 @@ static int DetectDceStubDataTestParse05(void)
s = de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"DCERPC\"; "
"dce_stub_data;"
"dce_stub_data; content:\"|00 02|\"; "
"sid:1;)");
if (s == NULL)
goto end;
s = de_ctx->sig_list->next = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"DCERPC\"; "
"dce_stub_data; content:\"|00 75|\"; "
"sid:2;)");
if (s == NULL)
goto end;
s = de_ctx->sig_list->next->next = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"DCERPC\"; "
"dce_stub_data; content:\"|00 18|\"; "
"sid:3;)");
if (s == NULL)
goto end;
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
@ -1685,7 +1659,7 @@ static int DetectDceStubDataTestParse05(void)
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1))
if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
goto end;
/* response1 */
@ -1701,7 +1675,7 @@ static int DetectDceStubDataTestParse05(void)
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1))
if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
goto end;
/* request2 */
@ -1717,7 +1691,7 @@ static int DetectDceStubDataTestParse05(void)
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1))
if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
goto end;
/* response2 */
@ -1733,7 +1707,7 @@ static int DetectDceStubDataTestParse05(void)
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1))
if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
goto end;
/* request3 */
@ -1749,7 +1723,7 @@ static int DetectDceStubDataTestParse05(void)
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1))
if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
goto end;
/* response3 */
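Review bot: The doc comment kept above DetectDceStubDataSetup still says it `Creates a SigMatch for the "dce_stub_data" keyword ... and appends it to the Signature(s)`, but after this change the function allocates nothing and only sets `SIG_FLAG_INIT_DCE_STUB_DATA`, `ALPROTO_DCERPC` and `SIG_FLAG_APPLAYER`; replace it with `\brief Enables the "dce_stub_data" sticky buffer: content-style keywords that follow it are placed in the DMATCH list. No SigMatch is appended.` The behavioural consequence deserves a line there too: with `AppLayerMatch` now NULL and no SigMatch in any list (as DetectDceStubDataTestParse01 now asserts), a rule containing `dce_stub_data;` with no following buffer keyword appears to no longer require stub data to be present and degrades to a bare DCERPC-protocol match, whereas before this commit it matched only when a stub buffer existed, so existing rules written that way silently change meaning. If that is not intended, a check at signature finalisation that rejects `SIG_FLAG_INIT_DCE_STUB_DATA` with an empty `sm_lists[DETECT_SM_LIST_DMATCH]` would make the change visible to rule authors. In Setup the remaining `goto error` can become a direct `return -1` if the `sm` cleanup lines under `error:` were removed along with the allocation, which the rendered hunk does not make certain.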

@ -70,55 +70,35 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
dubbed = 1;
}
switch (s->alproto) {
case ALPROTO_DCERPC:
/* add to the latest content keyword from either dmatch or pmatch */
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs "
"preceding content option for dcerpc sig");
if (dubbed)
SCFree(str);
return -1;
}
break;
default:
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs "
"preceding content, uricontent option, http_client_body, "
"http_server_body, http_header option, http_raw_header option, "
"http_method option, http_cookie, http_raw_uri, "
"http_stat_msg, http_stat_code, http_user_agent, "
"http_host or http_raw_host option");
if (dubbed)
SCFree(str);
return -1;
}
break;
pm = SigMatchGetLastSMFromLists(s, 30,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs "
"preceding content, uricontent option, http_client_body, "
"http_server_body, http_header option, http_raw_header option, "
"http_method option, http_cookie, http_raw_uri, "
"http_stat_msg, http_stat_code, http_user_agent, "
"http_host, http_raw_host or "
"file_data/dce_stub_data sticky buffer options");
if (dubbed)
SCFree(str);
return -1;
}
/* i swear we will clean this up :). Use a single version for all. Using
* separate versions for all now, to avoiding breaking any code */
switch (pm->type) {
case DETECT_CONTENT:
cd = (DetectContentData *)pm->ctx;
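Review bot: The `30` passed to SigMatchGetLastSMFromLists in the new call is the hand-counted number of variadic arguments (15 type/list pairs) and nothing ties it to the list that follows, so the next buffer list added here has to update both in step. A `/* 15 type/list pairs */` comment beside the count, or a small macro that derives it, would make the coupling visible; the same applies to the parallel call in DetectDistanceSetup in this commit. The error message below is a second hand-maintained copy of that same list of buffers, so consider deriving both from one table. DetectDepthSetup starts and ends outside this hunk.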

@ -77,116 +77,32 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
dubbed = 1;
}
/* if we still haven't found that the sig is related to DCERPC,
* it's a direct entry into Signature->sm_lists[DETECT_SM_LIST_PMATCH] */
if (s->alproto == ALPROTO_DCERPC) {
SigMatch *dcem = NULL;
SigMatch *dm = NULL;
SigMatch *pm1 = NULL;
SigMatch *pm1_ots = NULL;
SigMatch *pm2_ots = NULL;
dcem = SigMatchGetLastSMFromLists(s, 6,
DETECT_DCE_IFACE, s->sm_lists_tail[DETECT_SM_LIST_AMATCH],
DETECT_DCE_OPNUM, s->sm_lists_tail[DETECT_SM_LIST_AMATCH],
DETECT_DCE_STUB_DATA, s->sm_lists_tail[DETECT_SM_LIST_AMATCH]);
pm1_ots = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (pm1_ots != NULL && pm1_ots->prev != NULL) {
pm2_ots = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, pm1_ots->prev,
DETECT_PCRE, pm1_ots->prev,
DETECT_BYTEJUMP, pm1_ots->prev);
}
dm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
pm1 = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (dm == NULL && pm1 == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid signature. within "
"needs a preceding content keyword");
goto error;
}
if (dm == NULL) {
if (pm2_ots == NULL) {
if (pm1->idx > dcem->idx) {
/* transfer pm1 to dmatch list and within is against this */
SigMatchTransferSigMatchAcrossLists(pm1,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_DMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
pm = pm1;
} else {
/* within is against pm1 and we continue this way */
pm = pm1;
}
} else if (pm2_ots->idx > dcem->idx) {
/* within is against pm1, pm = pm1; */
pm = pm1;
} else if (pm1->idx > dcem->idx) {
/* transfer pm1 to dmatch list and within is against this */
SigMatchTransferSigMatchAcrossLists(pm1,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_DMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
pm = pm1;
} else {
/* within is against pm1 and we continue this way */
pm = pm1;
}
} else {
if (pm1 == NULL) {
/* within is against dm and continue this way */
pm = dm;
} else if (dm->idx > pm1->idx) {
/* within is against dm */
pm = dm;
} else if (pm2_ots == NULL || pm2_ots->idx < dcem->idx) {
/* trasnfer pm1 to dmatch list and pm = pm1 */
SigMatchTransferSigMatchAcrossLists(pm1,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_DMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
pm = pm1;
} else {
/* within is against pm1, pm = pm1 */
pm = pm1;
}
}
} else {
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs "
"preceding content, uricontent option, http_client_body, "
"http_server_body, http_header, http_raw_header, http_method, "
"http_cookie, http_raw_uri, http_stat_msg, http_stat_code, "
"http_user_agent, http_host or http_raw_host option");
if (dubbed)
SCFree(str);
return -1;
}
pm = SigMatchGetLastSMFromLists(s, 30,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs "
"preceding content, uricontent option, http_client_body, "
"http_server_body, http_header, http_raw_header, http_method, "
"http_cookie, http_raw_uri, http_stat_msg, http_stat_code, "
"http_host, http_raw_host or "
"http_user_agent or file_data/dce_stub_data option");
if (dubbed)
SCFree(str);
return -1;
}
DetectContentData *cd = NULL;
@ -247,18 +163,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
DETECT_CONTENT, pm->prev,
DETECT_PCRE, pm->prev,
DETECT_BYTEJUMP, pm->prev);
if (pm == NULL) {
if (s->alproto == ALPROTO_DCERPC) {
SCLogDebug("content relative without a previous content based "
"keyword. Holds good only in the case of DCERPC "
"alproto like now.");
} else {
//SCLogError(SC_ERR_INVALID_SIGNATURE, "No related "
//"previous-previous content or pcre keyword");
//goto error;
;
}
} else {
if (pm != NULL) {
switch (pm->type) {
case DETECT_CONTENT:
/* Set the relative next flag on the prev sigmatch */
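Review bot: The rewritten error message in the first hunk ends `"http_host, http_raw_host or " "http_user_agent or file_data/dce_stub_data option"`, which puts two `or`s in one sentence and orders the options differently from the equivalent message in DetectDepthSetup in this commit; change the last two fragments to `"http_user_agent, http_host, http_raw_host or "` and `"file_data/dce_stub_data sticky buffer option"`. In the second hunk the replacement `if (pm != NULL)` keeps the pre-existing behaviour of accepting a `within` whose preceding content has no earlier content/pcre/bytejump anchor for any alproto, now without even the debug log; a comment such as `/* no earlier anchor: legal, the relative flags are simply not set */` would save the next reader from re-adding the commented-out error. DetectDistanceSetup starts and ends outside these hunks.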

@ -6007,7 +6007,11 @@ int DcePayloadTest13(void)
int i = 0;
char *sig1 = "alert tcp any any -> any any "
"(dce_stub_data; sid:1;)";
"(dce_stub_data; content:\"|00 02|\"; sid:1;)";
char *sig2 = "alert tcp any any -> any any "
"(dce_stub_data; content:\"|00 75|\"; sid:2;)";
char *sig3 = "alert tcp any any -> any any "
"(dce_stub_data; content:\"|00 18|\"; sid:3;)";
Signature *s;
@ -6042,8 +6046,13 @@ int DcePayloadTest13(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, sig1);
s = de_ctx->sig_list;
s = de_ctx->sig_list = SigInit(de_ctx, sig1);
if (s == NULL)
goto end;
s = de_ctx->sig_list->next = SigInit(de_ctx, sig2);
if (s == NULL)
goto end;
s = de_ctx->sig_list->next->next = SigInit(de_ctx, sig3);
if (s == NULL)
goto end;
@ -6058,14 +6067,14 @@ int DcePayloadTest13(void)
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[0]);
if (!(PacketAlertCheck(p[0], 1))) {
if (!PacketAlertCheck(p[0], 1) || PacketAlertCheck(p[0], 2) || PacketAlertCheck(p[0], 3)) {
printf("sid 1 didn't match but should have for packet 0: ");
goto end;
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[6]);
if ((PacketAlertCheck(p[6], 1))) {
if (PacketAlertCheck(p[6], 1) || PacketAlertCheck(p[6], 2) || PacketAlertCheck(p[6], 3)) {
printf("sid 1 matched but shouldn't have for packet 6: ");
goto end;
}
@ -6078,7 +6087,7 @@ int DcePayloadTest13(void)
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[1]);
if ((PacketAlertCheck(p[1], 1))) {
if (PacketAlertCheck(p[1], 1) || PacketAlertCheck(p[1], 2) || PacketAlertCheck(p[1], 3)) {
printf("sid 1 matched but shouldn't have for packet 1: ");
goto end;
}
@ -6094,14 +6103,14 @@ int DcePayloadTest13(void)
* the detection engine state for the flow has been reset because of a
* fresh transaction */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[2]);
if (!(PacketAlertCheck(p[2], 1))) {
if (PacketAlertCheck(p[2], 1) || !PacketAlertCheck(p[2], 2) || PacketAlertCheck(p[2], 3)) {
printf("sid 1 didn't match but should have for packet 2: ");
goto end;
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[7]);
if ((PacketAlertCheck(p[7], 1))) {
if (PacketAlertCheck(p[7], 1) || PacketAlertCheck(p[7], 2) || PacketAlertCheck(p[7], 3)) {
printf("sid 1 matched but shouldn't have for packet 7: ");
goto end;
}
@ -6114,7 +6123,7 @@ int DcePayloadTest13(void)
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[3]);
if ((PacketAlertCheck(p[3], 1))) {
if (PacketAlertCheck(p[3], 1) || PacketAlertCheck(p[3], 2) || PacketAlertCheck(p[3], 3)) {
printf("sid 1 matched but shouldn't have for packet 3: ");
goto end;
}
@ -6130,7 +6139,7 @@ int DcePayloadTest13(void)
* the detection engine state for the flow has been reset because of a
* fresh transaction */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[4]);
if (!(PacketAlertCheck(p[4], 1))) {
if (PacketAlertCheck(p[4], 1) || PacketAlertCheck(p[4], 2) || !PacketAlertCheck(p[4], 3)) {
printf("sid 1 didn't match but should have for packet 4: ");
goto end;
}
@ -6143,7 +6152,7 @@ int DcePayloadTest13(void)
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[5]);
if ((PacketAlertCheck(p[5], 1))) {
if (PacketAlertCheck(p[5], 1) || PacketAlertCheck(p[5], 2) || PacketAlertCheck(p[5], 3)) {
printf("sid 1 matched but shouldn't have for packet 5: ");
goto end;
}
@ -6247,7 +6256,9 @@ int DcePayloadTest14(void)
int i = 0;
char *sig1 = "alert tcp any any -> any any "
"(dce_stub_data; sid:1;)";
"(dce_stub_data; content:\"|7f 01|\"; sid:1;)";
char *sig2 = "alert tcp any any -> any any "
"(dce_stub_data; content:\"|3f 00|\"; sid:2;)";
Signature *s;
@ -6279,8 +6290,10 @@ int DcePayloadTest14(void)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, sig1);
s = de_ctx->sig_list;
s = de_ctx->sig_list = SigInit(de_ctx, sig1);
if (s == NULL)
goto end;
s = de_ctx->sig_list->next = SigInit(de_ctx, sig2);
if (s == NULL)
goto end;
@ -6296,14 +6309,14 @@ int DcePayloadTest14(void)
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[0]);
if (!(PacketAlertCheck(p[0], 1))) {
if (!PacketAlertCheck(p[0], 1) || PacketAlertCheck(p[0], 2)) {
printf("sid 1 didn't match but should have for packet 0: ");
goto end;
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[1]);
if ((PacketAlertCheck(p[1], 1))) {
if (PacketAlertCheck(p[1], 1) || PacketAlertCheck(p[1], 2)) {
printf("sid 1 matched but shouldn't have for packet 1: ");
goto end;
}
@ -6317,7 +6330,7 @@ int DcePayloadTest14(void)
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[2]);
if ((PacketAlertCheck(p[2], 1))) {
if (PacketAlertCheck(p[2], 1) || PacketAlertCheck(p[2], 2)) {
printf("sid 1 matched but shouldn't have for packet 2: ");
goto end;
}
@ -6331,7 +6344,7 @@ int DcePayloadTest14(void)
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[3]);
if ((PacketAlertCheck(p[3], 1))) {
if (PacketAlertCheck(p[3], 1) || PacketAlertCheck(p[3], 2)) {
printf("sid 1 matched but shouldn't have for packet 3: ");
goto end;
}
@ -6347,7 +6360,7 @@ int DcePayloadTest14(void)
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[4]);
if (!(PacketAlertCheck(p[4], 1))) {
if (PacketAlertCheck(p[4], 1) || !PacketAlertCheck(p[4], 2)) {
printf("sid 1 didn't match but should have for packet 4: ");
goto end;
}
@ -6361,7 +6374,7 @@ int DcePayloadTest14(void)
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[5]);
if ((PacketAlertCheck(p[5], 1))) {
if (PacketAlertCheck(p[5], 1) || PacketAlertCheck(p[5], 2)) {
printf("sid 1 matched but shouldn't have for packet 5: ");
goto end;
}
@ -7460,6 +7473,7 @@ int DcePayloadParseTest26(void)
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"dce_stub_data; "
"pkt_data; "
"content:\"one\"; "
"content:\"two\"; "
"content:\"three\"; within:5; "
@ -7714,6 +7728,7 @@ int DcePayloadParseTest28(void)
"dce_stub_data; "
"content:\"one\"; distance:10; within:5; "
"content:\"two\"; within:5;"
"pkt_data; "
"content:\"three\";"
"content:\"four\";"
"sid:1;)");
@ -7839,6 +7854,7 @@ int DcePayloadParseTest29(void)
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"dce_stub_data; "
"pkt_data; "
"pcre:/boom/; "
"content:\"one\"; distance:10; within:5; "
"content:\"two\"; within:5;"
@ -7980,6 +7996,7 @@ int DcePayloadParseTest30(void)
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"dce_stub_data; "
"pkt_data; "
"byte_jump:2,5; "
"content:\"one\"; distance:10; within:5; "
"content:\"two\"; within:5;"
@ -8129,6 +8146,7 @@ int DcePayloadParseTest31(void)
"byte_jump:2,5,relative; "
"content:\"one\"; distance:10; within:5; "
"content:\"two\"; within:5;"
"pkt_data; "
"content:\"three\";"
"content:\"four\";"
"sid:1;)");
@ -8156,7 +8174,7 @@ int DcePayloadParseTest31(void)
bd->flags & DETECT_BYTEJUMP_LITTLE ||
bd->flags & DETECT_BYTEJUMP_BIG ||
bd->flags & DETECT_BYTEJUMP_STRING ||
!(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
bd->flags & DETECT_BYTEJUMP_RELATIVE ||
bd->flags & DETECT_BYTEJUMP_ALIGN ||
bd->flags & DETECT_BYTEJUMP_DCE ) {
result = 0;
@ -8275,6 +8293,7 @@ int DcePayloadParseTest32(void)
"byte_jump:2,5,relative; "
"content:\"one\"; distance:10; within:5; "
"content:\"two\"; within:5;"
"pkt_data; "
"content:\"three\";"
"content:\"four\"; within:4; "
"sid:1;)");
@ -8302,7 +8321,7 @@ int DcePayloadParseTest32(void)
bd->flags & DETECT_BYTEJUMP_LITTLE ||
bd->flags & DETECT_BYTEJUMP_BIG ||
bd->flags & DETECT_BYTEJUMP_STRING ||
!(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
bd->flags & DETECT_BYTEJUMP_RELATIVE ||
bd->flags & DETECT_BYTEJUMP_ALIGN ||
bd->flags & DETECT_BYTEJUMP_DCE ) {
result = 0;
@ -8421,6 +8440,7 @@ int DcePayloadParseTest33(void)
"pcre:/boom/R; "
"content:\"one\"; distance:10; within:5; "
"content:\"two\"; within:5;"
"pkt_data; "
"content:\"three\";"
"content:\"four\"; distance:5;"
"sid:1;)");
@ -8445,7 +8465,7 @@ int DcePayloadParseTest33(void)
}
pd = (DetectPcreData *)sm->ctx;
if ( pd->flags & DETECT_PCRE_RAWBYTES ||
!(pd->flags & DETECT_PCRE_RELATIVE)) {
pd->flags & DETECT_PCRE_RELATIVE) {
result = 0;
printf("one failed\n");
goto end;
@ -8564,6 +8584,7 @@ int DcePayloadParseTest34(void)
"pcre:/boom/R; "
"byte_jump:1,2,relative,align,dce; "
"content:\"one\"; within:4; distance:8; "
"pkt_data; "
"content:\"two\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
@ -8587,7 +8608,7 @@ int DcePayloadParseTest34(void)
}
pd = (DetectPcreData *)sm->ctx;
if ( pd->flags & DETECT_PCRE_RAWBYTES ||
!(pd->flags & DETECT_PCRE_RELATIVE)) {
pd->flags & DETECT_PCRE_RELATIVE) {
result = 0;
goto end;
}
@ -8684,6 +8705,7 @@ int DcePayloadParseTest35(void)
"dce_iface:12345678-1234-1234-1234-123456789012; "
"dce_opnum:10; dce_stub_data; "
"byte_test:1,=,0,0,relative,dce; "
"pkt_data; "
"content:\"one\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
@ -8709,7 +8731,7 @@ int DcePayloadParseTest35(void)
if (bd->flags & DETECT_BYTETEST_LITTLE ||
bd->flags & DETECT_BYTETEST_BIG ||
bd->flags & DETECT_BYTETEST_STRING ||
!(bd->flags & DETECT_BYTETEST_RELATIVE) ||
bd->flags & DETECT_BYTETEST_RELATIVE ||
!(bd->flags & DETECT_BYTETEST_DCE) ) {
result = 0;
printf("one failed\n");
@ -8771,6 +8793,7 @@ int DcePayloadParseTest36(void)
"dce_opnum:10; dce_stub_data; "
"isdataat:10,relative; "
"content:\"one\"; within:4; distance:8; "
"pkt_data; "
"content:\"two\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
@ -8794,7 +8817,7 @@ int DcePayloadParseTest36(void)
}
isd = (DetectIsdataatData *)sm->ctx;
if ( isd->flags & ISDATAAT_RAWBYTES ||
!(isd->flags & ISDATAAT_RELATIVE)) {
isd->flags & ISDATAAT_RELATIVE) {
result = 0;
goto end;
}
@ -8875,6 +8898,7 @@ int DcePayloadParseTest37(void)
"dce_opnum:10; dce_stub_data; "
"byte_jump:1,2,relative,align,dce; "
"byte_test:1,=,2,0,relative,dce; "
"pkt_data; "
"content:\"one\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
@ -8901,7 +8925,7 @@ int DcePayloadParseTest37(void)
bjd->flags & DETECT_BYTEJUMP_LITTLE ||
bjd->flags & DETECT_BYTEJUMP_BIG ||
bjd->flags & DETECT_BYTEJUMP_STRING ||
!(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
bjd->flags & DETECT_BYTEJUMP_RELATIVE ||
!(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
!(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
result = 0;
@ -8983,6 +9007,7 @@ int DcePayloadParseTest38(void)
"pcre:/boom/R; "
"byte_jump:1,2,relative,align,dce; "
"byte_test:1,=,2,0,relative,dce; "
"pkt_data; "
"content:\"one\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
@ -9006,7 +9031,7 @@ int DcePayloadParseTest38(void)
}
pd = (DetectPcreData *)sm->ctx;
if ( pd->flags & DETECT_PCRE_RAWBYTES ||
!(pd->flags & DETECT_PCRE_RELATIVE) ) {
pd->flags & DETECT_PCRE_RELATIVE) {
result = 0;
printf("one failed\n");
goto end;
@ -9187,6 +9212,7 @@ int DcePayloadParseTest40(void)
"content:\"one\"; within:10; "
"content:\"two\"; distance:20; within:30; "
"byte_test:1,=,2,0,relative,dce; "
"pkt_data; "
"content:\"three\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
@ -9314,6 +9340,7 @@ int DcePayloadParseTest41(void)
"dce_iface:12345678-1234-1234-1234-123456789012; "
"dce_opnum:10; dce_stub_data; "
"content:\"one\"; within:10; "
"pkt_data; "
"content:\"two\"; "
"byte_test:1,=,2,0,relative,dce; "
"content:\"three\"; "
@ -9634,6 +9661,7 @@ int DcePayloadParseTest44(void)
"dce_opnum:10; dce_stub_data; "
"isdataat:10,relative; "
"content:\"one\"; within:4; distance:8; "
"pkt_data; "
"content:\"two\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
@ -9657,7 +9685,7 @@ int DcePayloadParseTest44(void)
}
isd = (DetectIsdataatData *)sm->ctx;
if ( isd->flags & ISDATAAT_RAWBYTES ||
!(isd->flags & ISDATAAT_RELATIVE)) {
isd->flags & ISDATAAT_RELATIVE) {
result = 0;
goto end;
}
@ -9759,6 +9787,7 @@ int DcePayloadParseTest45(void)
"content:\"one\"; "
"dce_opnum:10; dce_stub_data; "
"byte_jump:1,2,relative,align,dce; "
"pkt_data; "
"content:\"two\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
@ -9785,7 +9814,7 @@ int DcePayloadParseTest45(void)
bjd->flags & DETECT_BYTEJUMP_LITTLE ||
bjd->flags & DETECT_BYTEJUMP_BIG ||
bjd->flags & DETECT_BYTEJUMP_STRING ||
!(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
bjd->flags & DETECT_BYTEJUMP_RELATIVE ||
!(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
!(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
result = 0;
@ -9870,6 +9899,7 @@ int DcePayloadParseTest46(void)
"content:\"one\"; "
"dce_opnum:10; dce_stub_data; "
"byte_test:1,=,2,0,relative,dce; "
"pkt_data; "
"content:\"two\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
@ -9895,7 +9925,7 @@ int DcePayloadParseTest46(void)
if (btd->flags & DETECT_BYTETEST_LITTLE ||
btd->flags & DETECT_BYTETEST_BIG ||
btd->flags & DETECT_BYTETEST_STRING ||
!(btd->flags & DETECT_BYTETEST_RELATIVE) ||
btd->flags & DETECT_BYTETEST_RELATIVE ||
!(btd->flags & DETECT_BYTETEST_DCE) ) {
result = 0;
printf("one failed\n");

@ -250,8 +250,6 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
{
DetectIsdataatData *idad = NULL;
SigMatch *sm = NULL;
SigMatch *dm = NULL;
SigMatch *pm = NULL;
SigMatch *prev_pm = NULL;
char *offset = NULL;
@ -266,74 +264,36 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
sm->type = DETECT_ISDATAAT;
sm->ctx = (void *)idad;
if (s->alproto == ALPROTO_DCERPC &&
(idad->flags & ISDATAAT_RELATIVE)) {
pm = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
dm = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
if (pm == NULL) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
} else if (dm == NULL) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
} else if (pm->idx > dm->idx) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
} else {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
}
prev_pm = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, sm->prev,
DETECT_BYTEJUMP, sm->prev,
DETECT_PCRE, sm->prev);
if (prev_pm == NULL) {
SCLogDebug("No preceding content or pcre keyword. Possible "
"since this is a dce alproto sig.");
if (offset != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in isdataat - %s", offset);
goto error;
}
return 0;
}
} else if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
if (idad->flags & ISDATAAT_RELATIVE) {
pm = SigMatchGetLastSMFromLists(s, 10,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
if (pm == NULL) {
idad->flags &= ~ISDATAAT_RELATIVE;
}
s->flags |= SIG_FLAG_APPLAYER;
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
int sm_list;
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
AppLayerHtpEnableResponseBodyCallback();
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
sm_list = DETECT_SM_LIST_HSBDMATCH;
} else {
s->flags |= SIG_FLAG_APPLAYER;
AppLayerHtpEnableResponseBodyCallback();
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
sm_list = DETECT_SM_LIST_DMATCH;
}
if (pm == NULL) {
SCLogDebug("No preceding content or pcre keyword. Possible "
if (idad->flags & ISDATAAT_RELATIVE) {
s->flags |= SIG_FLAG_APPLAYER;
SigMatchAppendSMToList(s, sm, sm_list);
prev_pm = SigMatchGetLastSMFromLists(s, 10,
DETECT_CONTENT, s->sm_lists_tail[sm_list],
DETECT_PCRE, s->sm_lists_tail[sm_list],
DETECT_BYTEJUMP, s->sm_lists_tail[sm_list],
DETECT_BYTE_EXTRACT, s->sm_lists_tail[sm_list],
DETECT_BYTETEST, s->sm_lists_tail[sm_list]);
if (prev_pm == NULL) {
SCLogDebug("No preceding content or pcre keyword. Possible "
"since this is a file_data sig.");
if (offset != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in isdataat - %s", offset);
goto error;
if (offset != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in isdataat - %s", offset);
goto error;
}
idad->flags &= ~ISDATAAT_RELATIVE;
return 0;
}
return 0;
}
prev_pm = pm;
} else {
if (!(idad->flags & ISDATAAT_RELATIVE)) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
@ -353,7 +313,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
}
return 0;
}
pm = SigMatchGetLastSMFromLists(s, 66,
prev_pm = SigMatchGetLastSMFromLists(s, 66,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
@ -387,7 +347,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]);
if (pm == NULL) {
if (prev_pm == NULL) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
if (offset != NULL) {
SigMatch *bed_sm =
@ -405,15 +365,13 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
}
SCReturnInt(0);
} else {
int list_type = SigMatchListSMBelongsTo(s, pm);
int list_type = SigMatchListSMBelongsTo(s, prev_pm);
if (list_type == -1) {
goto error;
}
SigMatchAppendSMToList(s, sm, list_type);
} /* else - if (pm == NULL) */
prev_pm = pm;
} /* else - if (prev_pm == NULL) */
}
if (offset != NULL) {
@ -556,7 +514,7 @@ int DetectIsdataatTestParse04(void)
s->alproto = ALPROTO_DCERPC;
/* failure since we have no preceding content/pcre/bytejump */
result &= (DetectIsdataatSetup(NULL, s, "30,relative") == 0);
result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
SigFree(s);
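Review bot: In the new sticky-buffer branch, `s->flags |= SIG_FLAG_APPLAYER;` and `SigMatchAppendSMToList(s, sm, sm_list);` are printed directly after `if (idad->flags & ISDATAAT_RELATIVE) {`; indentation is lost on this page, but if they sit inside that block then a non-relative `isdataat` following file_data or dce_stub_data is never appended to any list, so the keyword is silently ignored and `sm`/`idad` leak, whereas the removed code appended in both branches. Hoisting those two statements above the `if` restores that behaviour. The debug text `"since this is a file_data sig."` is now also reached for dce_stub_data rules; `"since this is a file_data/dce_stub_data sig."` would match the new condition. DetectIsdataatSetup begins and ends outside the hunks shown.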

@ -76,8 +76,9 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
}
/* Search for the first previous SigMatch that supports nocase */
SigMatch *pm = SigMatchGetLastSMFromLists(s, 28,
SigMatch *pm = SigMatchGetLastSMFromLists(s, 30,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
@ -96,7 +97,8 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
"content, uricontent, http_client_body, http_server_body, "
"http_header, http_method, http_uri, http_cookie, "
"http_raw_uri, http_stat_msg, http_stat_code, "
"http_user_agent, http_host or http_raw_host option");
"http_user_agent, http_host or http_raw_host option or "
"file_data/dce_stub_data sticky buffer option");
SCReturnInt(-1);
}

@ -68,54 +68,34 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
dubbed = 1;
}
switch (s->alproto) {
case ALPROTO_DCERPC:
/* add to the latest "content" keyword from either dmatch or pmatch */
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs "
"preceding content option for dcerpc sig");
if (dubbed)
SCFree(str);
return -1;
}
break;
default:
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs "
"preceding content or uricontent option, http_client_body, "
"http_header, http_raw_header, http_method, "
"http_cookie, http_raw_uri, http_stat_msg, "
"http_stat_code, http_user_agent, "
"http_host or http_raw_host option");
if (dubbed)
SCFree(str);
return -1;
}
break;
pm = SigMatchGetLastSMFromLists(s, 30,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs "
"preceding content, uricontent option, http_client_body, "
"http_header, http_raw_header, http_method, "
"http_cookie, http_raw_uri, http_stat_msg, "
"http_stat_code, http_user_agent or "
"file_data/dce_stub_data sticky buffers");
if (dubbed)
SCFree(str);
return -1;
}
/* we can remove this switch now with the unified structure */
DetectContentData *cd = NULL;
switch (pm->type) {
case DETECT_CONTENT:
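Review bot: The new SCLogError text in the `if (pm == NULL)` block no longer names http_host or http_raw_host even though the lookup still searches HHHDMATCH and HRHHDMATCH (the removed message listed them), so a user who puts `offset` after `http_host` without a content will get a misleading list of accepted keywords. Suggest `"http_stat_code, http_user_agent, http_host, http_raw_host or the "` followed by `"file_data/dce_stub_data sticky buffers"`. The line `/* we can remove this switch now with the unified structure */` reads as a note-to-self left in front of the `switch (pm->type)` that is still there; either remove the switch or mark it `/* TODO: ... */` so it is not mistaken for a description of the code. DetectOffsetSetup starts and ends outside the hunk.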

@ -793,38 +793,20 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSCDMATCH);
} else {
if (s->alproto == ALPROTO_DCERPC && (pd->flags & DETECT_PCRE_RELATIVE)) {
SigMatch *pm = NULL;
SigMatch *dm = NULL;
pm = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
dm = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (pm == NULL) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
} else if (dm == NULL) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
} else if (pm->idx > dm->idx) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
} else {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
}
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
SCLogDebug("adding to http server body list because of file data");
s->flags |= SIG_FLAG_APPLAYER;
AppLayerHtpEnableResponseBodyCallback();
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
} else if (s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
SCLogDebug("adding to dmatch list because of dce_stub_data");
s->flags |= SIG_FLAG_APPLAYER;
AppLayerHtpEnableResponseBodyCallback();
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
} else {
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
SCLogDebug("adding to http server body list because of file data");
s->flags |= SIG_FLAG_APPLAYER;
AppLayerHtpEnableResponseBodyCallback();
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
} else {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
}
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
}
}
@ -836,19 +818,8 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (prev_sm == NULL) {
if (s->alproto == ALPROTO_DCERPC) {
SCLogDebug("No preceding content or pcre keyword. Possible "
"since this is an alproto sig.");
SCReturnInt(0);
} else {
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
SCLogDebug("removing relative flag as we are relative to file_data");
pd->flags &= ~DETECT_PCRE_RELATIVE;
SCReturnInt(0);
} else {
SCReturnInt(0);
}
}
pd->flags &= ~DETECT_PCRE_RELATIVE;
SCReturnInt(0);
}
DetectContentData *cd = NULL;
@ -1172,7 +1143,7 @@ int DetectPcreParseTest11(void)
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE);
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
if (data->flags & DETECT_PCRE_RAWBYTES ||
!(data->flags & DETECT_PCRE_RELATIVE) ||
data->flags & DETECT_PCRE_RELATIVE ||
data->flags & DETECT_PCRE_URI) {
result = 0;
goto end;
@ -1195,7 +1166,7 @@ int DetectPcreParseTest11(void)
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE);
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
if (data->flags & DETECT_PCRE_RAWBYTES ||
!(data->flags & DETECT_PCRE_RELATIVE) ||
data->flags & DETECT_PCRE_RELATIVE ||
data->flags & DETECT_PCRE_URI) {
result = 0;
goto end;
@ -1218,7 +1189,7 @@ int DetectPcreParseTest11(void)
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE);
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
if (!(data->flags & DETECT_PCRE_RAWBYTES) ||
!(data->flags & DETECT_PCRE_RELATIVE) ||
data->flags & DETECT_PCRE_RELATIVE ||
data->flags & DETECT_PCRE_URI) {
result = 0;
goto end;
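Review bot: `AppLayerHtpEnableResponseBodyCallback();` in the new `else if (s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA)` branch looks copied from the file_data branch above it: it enables HTTP response-body buffering for a DCERPC rule that is only ever inspected via DMATCH, which costs per-flow memory on every HTTP stream for no detection benefit, and the isdataat change in this same commit only calls it under the file_data condition. Drop that line from the dce_stub_data branch. In the second hunk, `pd->flags &= ~DETECT_PCRE_RELATIVE;` is now also applied to plain-payload rules where the old code returned with the flag intact; if that widening is intended, a one-line comment such as `/* no anchor to be relative to: treat as absolute */` would make it deliberate rather than incidental. DetectPcreSetup begins and ends outside the hunks.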

@ -73,7 +73,7 @@ void DetectPktDataRegister(void) {
static int DetectPktDataSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
{
SCEnter();
s->init_flags &= (~SIG_FLAG_INIT_FILE_DATA);
s->init_flags &= (~SIG_FLAG_INIT_FILE_DATA & ~SIG_FLAG_INIT_DCE_STUB_DATA);
return 0;
}
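Review bot: The mask `(~SIG_FLAG_INIT_FILE_DATA & ~SIG_FLAG_INIT_DCE_STUB_DATA)` is correct but reads as if only the overlap of the two flags were cleared; the conventional spelling of "clear both" is `s->init_flags &= ~(SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA);`, which also scales when a third sticky-buffer flag is added. A short comment, `/* pkt_data ends any sticky buffer: back to the packet payload */`, would document why this is the whole body of the setup function.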

@ -347,6 +347,12 @@ static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, char *urile
else
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH);
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
"alproto set");
goto error;
}
/* Flagged the signature as to inspect the app layer data */
s->flags |= SIG_FLAG_APPLAYER;
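Review bot: The new alproto check runs after `SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH)` on the line above it, so when it takes `goto error` the SigMatch is already linked into the signature; if the error label frees `sm` or its ctx (not visible in this hunk), the list keeps a dangling pointer and SigFree will free it again. Move the `if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP)` block ahead of the append, or unlink `sm` before jumping. DetectUrilenSetup begins and ends outside the hunk.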

@ -80,117 +80,32 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
dubbed = 1;
}
/* if we still haven't found that the sig is related to DCERPC,
* it's a direct entry into Signature->[DETECT_SM_LIST_PMATCH] */
if (s->alproto == ALPROTO_DCERPC) {
SigMatch *dcem = NULL;
SigMatch *dm = NULL;
SigMatch *pm1 = NULL;
SigMatch *pm1_ots = NULL;
SigMatch *pm2_ots = NULL;
dcem = SigMatchGetLastSMFromLists(s, 6,
DETECT_DCE_IFACE, s->sm_lists_tail[DETECT_SM_LIST_AMATCH],
DETECT_DCE_OPNUM, s->sm_lists_tail[DETECT_SM_LIST_AMATCH],
DETECT_DCE_STUB_DATA, s->sm_lists_tail[DETECT_SM_LIST_AMATCH]);
pm1_ots = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (pm1_ots != NULL && pm1_ots->prev != NULL) {
pm2_ots = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, pm1_ots->prev,
DETECT_PCRE, pm1_ots->prev,
DETECT_BYTEJUMP, pm1_ots->prev);
}
dm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
pm1 = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (dm == NULL && pm1 == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"within\" requires a "
"preceding content keyword");
goto error;
}
if (dm == NULL) {
if (pm2_ots == NULL) {
if (pm1->idx > dcem->idx) {
/* transfer pm1 to dmatch list and within is against this */
SigMatchTransferSigMatchAcrossLists(pm1,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_DMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
pm = pm1;
} else {
/* within is against pm1 and we continue this way */
pm = pm1;
}
} else if (pm2_ots->idx > dcem->idx) {
/* within is against pm1, pm = pm1; */
pm = pm1;
} else if (pm1->idx > dcem->idx) {
/* transfer pm1 to dmatch list and within is against this */
SigMatchTransferSigMatchAcrossLists(pm1,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_DMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
pm = pm1;
} else {
/* within is against pm1 and we continue this way */
pm = pm1;
}
} else {
if (pm1 == NULL) {
/* within is against dm and continue this way */
pm = dm;
} else if (dm->idx > pm1->idx) {
/* within is against dm */
pm = dm;
} else if (pm2_ots == NULL || pm2_ots->idx < dcem->idx) {
/* trasnfer pm1 to dmatch list and pm = pm1 */
SigMatchTransferSigMatchAcrossLists(pm1,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_DMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
pm = pm1;
} else {
/* within is against pm1, pm = pm1 */
pm = pm1;
}
}
} else {
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "\"within\" requires "
"preceding content, uricontent, http_client_body, "
"http_server_body, http_header, http_raw_header, "
"http_method, http_cookie, http_raw_uri, "
"http_stat_msg, http_stat_code, http_user_agent, "
"http_host or http_raw_host option");
if (dubbed)
SCFree(str);
return -1;
}
pm = SigMatchGetLastSMFromLists(s, 30,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "\"within\" requires "
"preceding content, uricontent, http_client_body, "
"http_server_body, http_header, http_raw_header, "
"http_method, http_cookie, http_raw_uri, "
"http_stat_msg, http_stat_code or http_user_agent "
"option");
if (dubbed)
SCFree(str);
return -1;
}
DetectContentData *cd = NULL;
@ -252,18 +167,7 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
DETECT_CONTENT, pm->prev,
DETECT_PCRE, pm->prev,
DETECT_BYTEJUMP, pm->prev);
if (pm == NULL) {
if (s->alproto == ALPROTO_DCERPC) {
SCLogDebug("content relative without a previous content based "
"keyword. Holds good only in the case of DCERPC "
"alproto like now.");
} else {
//SCLogError(SC_ERR_INVALID_SIGNATURE, "No related "
// "previous-previous content or pcre keyword");
//goto error;
;
}
} else {
if (pm != NULL) {
switch (pm->type) {
case DETECT_CONTENT:
/* Set the relative next flag on the prev sigmatch */
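Review bot: The rewritten SCLogError in the `if (pm == NULL)` block drops http_host and http_raw_host from the list of accepted preceding keywords although HHHDMATCH and HRHHDMATCH are still searched, and unlike the detect-offset message in this same commit it does not mention the file_data/dce_stub_data sticky buffers that `within` now supports through DMATCH. Suggest ending the message with `"http_stat_msg, http_stat_code, http_user_agent, http_host, "` `"http_raw_host option or a file_data/dce_stub_data sticky buffer"`. With the DCERPC list-transfer logic gone, the comment on the removed `SCLogDebug` ("Holds good only in the case of DCERPC") no longer has a counterpart; a one-line comment above `if (pm != NULL)` such as `/* no earlier content/pcre/byte_jump: nothing to chain to */` would explain why the NULL case is now silently accepted. DetectWithinSetup begins and ends outside the hunks.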

@ -275,6 +275,7 @@ typedef struct DetectPort_ {
#define SIG_FLAG_INIT_BIDIREC (1<<3) /**< signature has bidirectional operator */
#define SIG_FLAG_INIT_PAYLOAD (1<<4) /**< signature is inspecting the packet payload */
#define SIG_FLAG_INIT_FILE_DATA (1<<5) /**< file_data set */
#define SIG_FLAG_INIT_DCE_STUB_DATA (1<<6) /**< dce_stub_data set */
/* signature mask flags */
#define SIG_MASK_REQUIRE_PAYLOAD (1<<0)
