diff --git a/src/detect-byte-extract.c b/src/detect-byte-extract.c
index bda9cc34af..993ec24c83 100644
--- a/src/detect-byte-extract.c
+++ b/src/detect-byte-extract.c
@@ -571,60 +571,42 @@ int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) /* check bytetest modifiers against the signature alproto. In case they conflict * chuck out invalid signature */ - if ((data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) && - (s->alproto != ALPROTO_DCERPC)) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has " - "bytetest with dce enabled"); - goto error; + if ((data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE)) { + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has " + "bytetest with dce enabled"); + goto error; + } + s->alproto = ALPROTO_DCERPC; } - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || + s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { + int sm_list; + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { + AppLayerHtpEnableResponseBodyCallback(); + sm_list = DETECT_SM_LIST_HSBDMATCH; + } else { + sm_list = DETECT_SM_LIST_DMATCH; + } + if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) { SigMatch *prev_sm = NULL; prev_sm = SigMatchGetLastSMFromLists(s, 8, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]); + DETECT_CONTENT, s->sm_lists_tail[sm_list], + DETECT_BYTETEST, s->sm_lists_tail[sm_list], + DETECT_BYTEJUMP, s->sm_lists_tail[sm_list], + DETECT_PCRE, s->sm_lists_tail[sm_list]); if (prev_sm == NULL) { data->flags &= ~DETECT_BYTE_EXTRACT_FLAG_RELATIVE; } - - s->flags |= SIG_FLAG_APPLAYER; - AppLayerHtpEnableResponseBodyCallback(); - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH); - } else { - s->flags |= SIG_FLAG_APPLAYER; - AppLayerHtpEnableResponseBodyCallback(); - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH); - } - } else if (s->alproto == ALPROTO_DCERPC 
&& - (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE)) { - SigMatch *pm = NULL; - SigMatch *dm = NULL; - - pm = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - dm = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); - - if (pm == NULL) { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH); - } else if (dm == NULL) { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH); - } else if (pm->idx > dm->idx) { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); - } else { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH); } + s->flags |= SIG_FLAG_APPLAYER; + SigMatchAppendSMToList(s, sm, sm_list); } else { if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) { SigMatch *pm = - SigMatchGetLastSMFromLists(s, 30, + SigMatchGetLastSMFromLists(s, 20, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], 
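Review bot: The new condition `if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA)` relies on `&` binding tighter than `||`, and when both flags happen to be set the inner `if` silently picks the file_data list; `if ((s->init_flags & SIG_FLAG_INIT_FILE_DATA) || (s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA))` reads unambiguously, and a comment such as `/* file_data and dce_stub_data are mutually exclusive; file_data takes precedence if both are set */` (or an explicit error) should record that choice. The same sticky-buffer block is duplicated verbatim in the DetectBytejumpSetup and DetectBytetestSetup hunks of this commit, so the list-selection logic is a candidate for one shared helper. The doubled parentheses in `if ((data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE))` look like a leftover from the removed `&&` clause. DetectByteExtractSetup continues past the end of this hunk.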
@@ -634,21 +616,13 @@ int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); if (pm == NULL) { SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); return 0; } int list = SigMatchListSMBelongsTo(s, pm); - if (list == DETECT_SM_LIST_UMATCH) - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH); - else - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); + SigMatchAppendSMToList(s, sm, list); } else { SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); } @@ -667,17 +641,8 @@ int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) DETECT_CONTENT, sm->prev, DETECT_BYTEJUMP, sm->prev, DETECT_PCRE, sm->prev); - if (prev_sm == NULL) { - if (s->alproto == ALPROTO_DCERPC) { - SCLogDebug("No preceding content or pcre keyword. Possible " - "since this is a dce alproto sig."); - return 0; - } else { - SCLogError(SC_ERR_INVALID_SIGNATURE, "No preceding content " - "or uricontent or pcre option"); - return -1; - } - } + if (prev_sm == NULL) + return 0; DetectContentData *cd = NULL; DetectPcreData *pe = NULL; diff --git a/src/detect-bytejump.c b/src/detect-bytejump.c index 48da92be7c..6576039e0a 100644 --- a/src/detect-bytejump.c +++ b/src/detect-bytejump.c 
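Review bot: `SigMatchAppendSMToList(s, sm, list);` now uses the result of `SigMatchListSMBelongsTo(s, pm)` directly as a list index, where the replaced code fell back to DETECT_SM_LIST_PMATCH for anything that was not UMATCH; if that helper can report "not found" with a negative value, that value becomes an out-of-bounds index into s->sm_lists. A guard such as `if (list < 0) list = DETECT_SM_LIST_PMATCH;` (or a `goto error`) before the append keeps the old fallback. The shortened lookup, `SigMatchGetLastSMFromLists(s, 20, ...)`, matches the ten removed arguments, but a comment tying the count to the number of pairs would make the next edit safer. DetectByteExtractSetup continues outside the hunk.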
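Review bot: `if (prev_sm == NULL) return 0;` drops the SC_ERR_INVALID_SIGNATURE path that rejected a relative byte_extract with nothing to anchor to in a non-DCE rule, and it returns with DETECT_BYTE_EXTRACT_FLAG_RELATIVE still set on data. The earlier lookup in this function accepts DETECT_BYTETEST and DETECT_BYTE_EXTRACT as anchors, while the visible part of this sm->prev search lists only content, bytejump and pcre (the call starts above the hunk), so a byte_extract relative to a preceding byte_extract may reach this return silently; if that is intended, clear the flag or say so with `/* no content/pcre anchor found: keyword stays relative to the buffer start */`. Project style also braces single-statement bodies. DetectBytejumpSetup and DetectBytetestSetup make the same simplification, but there both old branches already returned 0, so only byte_extract loses a diagnostic.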
@@ -561,51 +561,32 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) "DCERPC rule holds an invalid modifier for bytejump."); goto error; } + s->alproto = ALPROTO_DCERPC; } - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || + s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { + int sm_list; + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { + AppLayerHtpEnableResponseBodyCallback(); + sm_list = DETECT_SM_LIST_HSBDMATCH; + } else { + sm_list = DETECT_SM_LIST_DMATCH; + } + if (data->flags & DETECT_BYTEJUMP_RELATIVE) { SigMatch *prev_sm = NULL; prev_sm = SigMatchGetLastSMFromLists(s, 8, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]); + DETECT_CONTENT, s->sm_lists_tail[sm_list], + DETECT_BYTETEST, s->sm_lists_tail[sm_list], + DETECT_BYTEJUMP, s->sm_lists_tail[sm_list], + DETECT_PCRE, s->sm_lists_tail[sm_list]); if (prev_sm == NULL) { data->flags &= ~DETECT_BYTEJUMP_RELATIVE; } - - s->flags |= SIG_FLAG_APPLAYER; - AppLayerHtpEnableResponseBodyCallback(); - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH); - } else { - s->flags |= SIG_FLAG_APPLAYER; - AppLayerHtpEnableResponseBodyCallback(); - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH); - } - } else if (s->alproto == ALPROTO_DCERPC && - (data->flags & DETECT_BYTEJUMP_RELATIVE)) { - SigMatch *pm = NULL; - SigMatch *dm = NULL; - - pm = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - dm = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_BYTEJUMP, 
s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); - - if (pm == NULL) { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH); - } else if (dm == NULL) { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH); - } else if (pm->idx > dm->idx) { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); - } else { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH); } + s->flags |= SIG_FLAG_APPLAYER; + SigMatchAppendSMToList(s, sm, sm_list); } else { SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); } @@ -639,13 +620,7 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) DETECT_BYTEJUMP, sm->prev, DETECT_PCRE, sm->prev); if (prev_sm == NULL) { - if (s->alproto == ALPROTO_DCERPC) { - SCLogDebug("No preceding content or pcre keyword. Possible " - "since this is an alproto sig."); - return 0; - } else { - return 0; - } + return 0; } DetectContentData *cd = NULL; diff --git a/src/detect-bytetest.c b/src/detect-bytetest.c index 2ffc18d7d0..b12d6f068f 100644 --- a/src/detect-bytetest.c +++ b/src/detect-bytetest.c @@ -466,7 +466,7 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) /* check bytetest modifiers against the signature alproto. In case they conflict * chuck out invalid signature */ - if (data-> flags & DETECT_BYTETEST_DCE) { + if (data->flags & DETECT_BYTETEST_DCE) { if (s->alproto != ALPROTO_DCERPC) { SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has " "bytetest with dce enabled"); 
@@ -482,52 +482,32 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) "a byte_test keyword with dce holds other invalid modifiers."); goto error; } + s->alproto = ALPROTO_DCERPC; } + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || + s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { + int sm_list; + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { + AppLayerHtpEnableResponseBodyCallback(); + sm_list = DETECT_SM_LIST_HSBDMATCH; + } else { + sm_list = DETECT_SM_LIST_DMATCH; + } - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { if (data->flags & DETECT_BYTETEST_RELATIVE) { SigMatch *prev_sm = NULL; prev_sm = SigMatchGetLastSMFromLists(s, 8, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]); + DETECT_CONTENT, s->sm_lists_tail[sm_list], + DETECT_BYTETEST, s->sm_lists_tail[sm_list], + DETECT_BYTEJUMP, s->sm_lists_tail[sm_list], + DETECT_PCRE, s->sm_lists_tail[sm_list]); if (prev_sm == NULL) { data->flags &= ~DETECT_BYTETEST_RELATIVE; } - - s->flags |= SIG_FLAG_APPLAYER; - AppLayerHtpEnableResponseBodyCallback(); - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH); - } else { - s->flags |= SIG_FLAG_APPLAYER; - AppLayerHtpEnableResponseBodyCallback(); - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH); - } - } else if (s->alproto == ALPROTO_DCERPC && - (data->flags & DETECT_BYTETEST_RELATIVE)) { - SigMatch *pm = NULL; - SigMatch *dm = NULL; - - pm = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - dm = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_BYTEJUMP, 
s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); - - if (pm == NULL) { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH); - } else if (dm == NULL) { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH); - } else if (pm->idx > dm->idx) { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); - } else { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH); } + s->flags |= SIG_FLAG_APPLAYER; + SigMatchAppendSMToList(s, sm, sm_list); } else { SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); } @@ -576,13 +556,7 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) DETECT_BYTEJUMP, sm->prev, DETECT_PCRE, sm->prev); if (prev_sm == NULL) { - if (s->alproto == ALPROTO_DCERPC) { - SCLogDebug("No preceding content or pcre keyword. Possible " - "since this is an alproto sig."); - return 0; - } else { - return 0; - } + return 0; } DetectContentData *cd = NULL; diff --git a/src/detect-content.c b/src/detect-content.c index 5e6371d3bc..6094de913f 100644 --- a/src/detect-content.c +++ b/src/detect-content.c @@ -402,6 +402,20 @@ static int DetectContentSetup (DetectEngineCtx *de_ctx, Signature *s, char *cont /* enable http request body callback in the http app layer parser */ AppLayerHtpEnableResponseBodyCallback(); + } else if (s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { + cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_DMATCH); + sm->type = DETECT_CONTENT; + + /* transfer the sm from the pmatch list to hsbdmatch list */ + SigMatchTransferSigMatchAcrossLists(sm, + &s->sm_lists[DETECT_SM_LIST_PMATCH], + &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + &s->sm_lists[DETECT_SM_LIST_DMATCH], + &s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); + + /* flag the signature to indicate that we scan the app layer data */ + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_DCERPC; } return 0; diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c index fe97aa0b33..7786fd5acd 100644 --- a/src/detect-dce-stub-data.c 
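Review bot: `s->alproto = ALPROTO_DCERPC;` added at the end of the `DETECT_BYTETEST_DCE` block is a dead store: the guard shown in the previous hunk, `if (s->alproto != ALPROTO_DCERPC)` followed by `goto error`, already rejects every other value, so the assignment can only run when alproto is already DCERPC. DetectByteExtractSetup in this same commit relaxes its guard to `if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC)` so that a rule without an alproto can be upgraded; bytetest should do the same for consistency, or drop the assignment. DetectBytejumpSetup receives the identical assignment and its guard sits above that hunk, so it needs the same check. The rest of DetectBytetestSetup lies outside this hunk.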
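Review bot: The comment `/* transfer the sm from the pmatch list to hsbdmatch list */` in the new `SIG_FLAG_INIT_DCE_STUB_DATA` branch is copied from the file_data branch above it, but the call moves the sigmatch into DETECT_SM_LIST_DMATCH; it should read `/* transfer the sm from the pmatch list to the dmatch (dce stub data) list */`. `sm->type = DETECT_CONTENT;` and `s->alproto = ALPROTO_DCERPC;` also repeat state that is presumably already set earlier in this function and in DetectDceStubDataSetup respectively; if they are kept as defensive, a one-line comment saying so would stop the next reader from hunting for the reason. DetectContentSetup starts above the hunk.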
+++ b/src/detect-dce-stub-data.c @@ -61,7 +61,7 @@ void DetectDceStubDataRegister(void) sigmatch_table[DETECT_DCE_STUB_DATA].name = "dce_stub_data"; sigmatch_table[DETECT_DCE_STUB_DATA].alproto = ALPROTO_DCERPC; sigmatch_table[DETECT_DCE_STUB_DATA].Match = NULL; - sigmatch_table[DETECT_DCE_STUB_DATA].AppLayerMatch = DetectDceStubDataMatch; + sigmatch_table[DETECT_DCE_STUB_DATA].AppLayerMatch = NULL; sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup; sigmatch_table[DETECT_DCE_STUB_DATA].Free = NULL; sigmatch_table[DETECT_DCE_STUB_DATA].RegisterTests = DetectDceStubDataRegisterTests; @@ -71,42 +71,6 @@ void DetectDceStubDataRegister(void) return; } -/** - * \brief App layer match function for the "dce_stub_data" keyword. - * - * \todo Check the need for passing a pointer to hold the address of the stub_data. - * - * \param t Pointer to the ThreadVars instance. - * \param det_ctx Pointer to the DetectEngineThreadCtx. - * \param f Pointer to the flow. - * \param flags Pointer to the flags indicating the flow direction. - * \param state Pointer to the app layer state data. - * \param s Pointer to the Signature instance. - * \param m Pointer to the SigMatch. - * - * \retval 1 On Match. - * \retval 0 On no match. - */ -int DetectDceStubDataMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, - uint8_t flags, void *state, Signature *s, SigMatch *m) -{ - SCEnter(); - - DCERPCState *dcerpc_state = (DCERPCState *)state; - if (dcerpc_state == NULL) { - SCLogDebug("No DCERPCState for the flow"); - SCReturnInt(0); - } - - if (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL || - dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer != NULL) - { - SCReturnInt(1); - } else { - SCReturnInt(0); - } -} - /** * \brief Creates a SigMatch for the \"dce_stub_data\" keyword being sent as argument, * and appends it to the Signature(s). 
@@ -121,30 +85,18 @@ int DetectDceStubDataMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow * static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - SigMatch *sm = NULL; - - sm = SigMatchAlloc(); - if (sm == NULL) - goto error; - - sm->type = DETECT_DCE_STUB_DATA; - sm->ctx = NULL; - - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH); - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, + "rule contains conflicting keywords."); goto error; } + s->init_flags |= SIG_FLAG_INIT_DCE_STUB_DATA; s->alproto = ALPROTO_DCERPC; - /* Flagged the signature as to inspect the app layer data */ s->flags |= SIG_FLAG_APPLAYER; return 0; error: - if (sm != NULL) - SCFree(sm); return -1; } @@ -161,7 +113,7 @@ static int DetectDceStubDataTestParse01(void) result = (DetectDceStubDataSetup(NULL, &s, NULL) == 0); - if (s.sm_lists[DETECT_SM_LIST_AMATCH] != NULL) { + if (s.sm_lists[DETECT_SM_LIST_AMATCH] == NULL) { result = 1; } else { result = 0; @@ -658,7 +610,7 @@ static int DetectDceStubDataTestParse02(void) s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " "(msg:\"DCERPC\"; " - "dce_stub_data; " + "dce_stub_data; content:\"|42 42 42 42|\";" "sid:1;)"); if (s == NULL) goto end; @@ -1199,7 +1151,7 @@ static int DetectDceStubDataTestParse03(void) s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " "(msg:\"DCERPC\"; " - "dce_stub_data; " + "dce_stub_data; content:\"|42 42 42 42|\";" "sid:1;)"); if (s == NULL) goto end; 
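Review bot: DetectDceStubDataSetup no longer allocates or appends a SigMatch, yet its Doxygen header (the context at the end of the previous hunk) still says it "Creates a SigMatch for the dce_stub_data keyword ... and appends it to the Signature(s)"; it should now describe the keyword as a sticky-buffer modifier, e.g. `\brief Marks the signature as matching in the DCE/RPC stub data buffer: sets SIG_FLAG_INIT_DCE_STUB_DATA so that following content keywords land in DETECT_SM_LIST_DMATCH, and forces alproto to ALPROTO_DCERPC.` With AppLayerMatch set to NULL and no sigmatch added, a rule consisting of `dce_stub_data;` alone has nothing left that tests for the presence of stub data, which is a behaviour change worth a sentence in the keyword documentation (every updated unit test adds a content: after it). The `error:` label now only returns -1, so the remaining `goto error` could become a direct `return -1;`.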
@@ -1391,7 +1343,15 @@ static int DetectDceStubDataTestParse04(void) de_ctx->flags |= DE_QUIET; s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any " - "(msg:\"DCERPC\"; dce_stub_data; sid:1;)"); + "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 02|\"; sid:1;)"); + if (s == NULL) + goto end; + s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any " + "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)"); + if (s == NULL) + goto end; + s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any " + "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 18|\"; sid:3;)"); if (s == NULL) goto end; @@ -1437,7 +1397,7 @@ static int DetectDceStubDataTestParse04(void) /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - if (!PacketAlertCheck(p, 1)) + if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3)) goto end; /* response1 */ @@ -1453,7 +1413,7 @@ static int DetectDceStubDataTestParse04(void) /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - if (PacketAlertCheck(p, 1)) + if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3)) goto end; /* request2 */ @@ -1469,7 +1429,7 @@ static int DetectDceStubDataTestParse04(void) /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - if (!PacketAlertCheck(p, 1)) + if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3)) goto end; /* response2 */ @@ -1485,7 +1445,7 @@ static int DetectDceStubDataTestParse04(void) /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - if (PacketAlertCheck(p, 1)) + if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3)) goto end; /* request3 */ @@ -1501,7 +1461,7 @@ static int DetectDceStubDataTestParse04(void) /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - if (!PacketAlertCheck(p, 1)) + if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3)) goto end; /* response3 */ 
@@ -1517,7 +1477,7 @@ static int DetectDceStubDataTestParse04(void) /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - if (PacketAlertCheck(p, 1)) + if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3)) goto end; result = 1; @@ -1658,10 +1618,24 @@ static int DetectDceStubDataTestParse05(void) s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " "(msg:\"DCERPC\"; " - "dce_stub_data;" + "dce_stub_data; content:\"|00 02|\"; " "sid:1;)"); if (s == NULL) goto end; + s = de_ctx->sig_list->next = SigInit(de_ctx, + "alert tcp any any -> any any " + "(msg:\"DCERPC\"; " + "dce_stub_data; content:\"|00 75|\"; " + "sid:2;)"); + if (s == NULL) + goto end; + s = de_ctx->sig_list->next->next = SigInit(de_ctx, + "alert tcp any any -> any any " + "(msg:\"DCERPC\"; " + "dce_stub_data; content:\"|00 18|\"; " + "sid:3;)"); + if (s == NULL) + goto end; SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); @@ -1685,7 +1659,7 @@ static int DetectDceStubDataTestParse05(void) /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - if (!PacketAlertCheck(p, 1)) + if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3)) goto end; /* response1 */ @@ -1701,7 +1675,7 @@ static int DetectDceStubDataTestParse05(void) /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - if (PacketAlertCheck(p, 1)) + if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3)) goto end; /* request2 */ @@ -1717,7 +1691,7 @@ static int DetectDceStubDataTestParse05(void) /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - if (!PacketAlertCheck(p, 1)) + if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3)) goto end; /* response2 */ 
@@ -1733,7 +1707,7 @@ static int DetectDceStubDataTestParse05(void) /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - if (PacketAlertCheck(p, 1)) + if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3)) goto end; /* request3 */ @@ -1749,7 +1723,7 @@ static int DetectDceStubDataTestParse05(void) /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - if (!PacketAlertCheck(p, 1)) + if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3)) goto end; /* response3 */ diff --git a/src/detect-depth.c b/src/detect-depth.c index ddccb0f2ce..f591fc9604 100644 --- a/src/detect-depth.c +++ b/src/detect-depth.c 
@@ -70,55 +70,35 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths dubbed = 1; } - switch (s->alproto) { - case ALPROTO_DCERPC: - /* add to the latest content keyword from either dmatch or pmatch */ - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - if (pm == NULL) { - SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs " - "preceding content option for dcerpc sig"); - if (dubbed) - SCFree(str); - return -1; - } - - break; - - default: - pm = SigMatchGetLastSMFromLists(s, 28, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); - if (pm == NULL) { - SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs " - "preceding content, uricontent option, http_client_body, " - "http_server_body, http_header option, http_raw_header option, " - "http_method option, http_cookie, http_raw_uri, " - "http_stat_msg, http_stat_code, http_user_agent, " - "http_host or http_raw_host option"); - if (dubbed) - SCFree(str); - return -1; - } - - break; + pm = SigMatchGetLastSMFromLists(s, 30, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + 
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); + if (pm == NULL) { + SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs " + "preceding content, uricontent option, http_client_body, " + "http_server_body, http_header option, http_raw_header option, " + "http_method option, http_cookie, http_raw_uri, " + "http_stat_msg, http_stat_code, http_user_agent, " + "http_host, http_raw_host or " + "file_data/dce_stub_data sticky buffer options"); + if (dubbed) + SCFree(str); + return -1; } - /* i swear we will clean this up :). Use a single version for all. Using - * separate versions for all now, to avoiding breaking any code */ switch (pm->type) { case DETECT_CONTENT: cd = (DetectContentData *)pm->ctx; diff --git a/src/detect-distance.c b/src/detect-distance.c index ddb01e393b..d351dbb4c9 100644 --- a/src/detect-distance.c +++ b/src/detect-distance.c 
@@ -77,116 +77,32 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, dubbed = 1; } - /* if we still haven't found that the sig is related to DCERPC, - * it's a direct entry into Signature->sm_lists[DETECT_SM_LIST_PMATCH] */ - if (s->alproto == ALPROTO_DCERPC) { - SigMatch *dcem = NULL; - SigMatch *dm = NULL; - SigMatch *pm1 = NULL; - - SigMatch *pm1_ots = NULL; - SigMatch *pm2_ots = NULL; - - dcem = SigMatchGetLastSMFromLists(s, 6, - DETECT_DCE_IFACE, s->sm_lists_tail[DETECT_SM_LIST_AMATCH], - DETECT_DCE_OPNUM, s->sm_lists_tail[DETECT_SM_LIST_AMATCH], - DETECT_DCE_STUB_DATA, s->sm_lists_tail[DETECT_SM_LIST_AMATCH]); - - pm1_ots = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - if (pm1_ots != NULL && pm1_ots->prev != NULL) { - pm2_ots = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, pm1_ots->prev, - DETECT_PCRE, pm1_ots->prev, - DETECT_BYTEJUMP, pm1_ots->prev); - } - - dm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); - pm1 = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - - if (dm == NULL && pm1 == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid signature. 
within " - "needs a preceding content keyword"); - goto error; - } - - if (dm == NULL) { - if (pm2_ots == NULL) { - if (pm1->idx > dcem->idx) { - /* transfer pm1 to dmatch list and within is against this */ - SigMatchTransferSigMatchAcrossLists(pm1, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_DMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); - pm = pm1; - } else { - /* within is against pm1 and we continue this way */ - pm = pm1; - } - } else if (pm2_ots->idx > dcem->idx) { - /* within is against pm1, pm = pm1; */ - pm = pm1; - } else if (pm1->idx > dcem->idx) { - /* transfer pm1 to dmatch list and within is against this */ - SigMatchTransferSigMatchAcrossLists(pm1, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_DMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); - pm = pm1; - } else { - /* within is against pm1 and we continue this way */ - pm = pm1; - } - } else { - if (pm1 == NULL) { - /* within is against dm and continue this way */ - pm = dm; - } else if (dm->idx > pm1->idx) { - /* within is against dm */ - pm = dm; - } else if (pm2_ots == NULL || pm2_ots->idx < dcem->idx) { - /* trasnfer pm1 to dmatch list and pm = pm1 */ - SigMatchTransferSigMatchAcrossLists(pm1, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_DMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); - pm = pm1; - } else { - /* within is against pm1, pm = pm1 */ - pm = pm1; - } - } - } else { - pm = SigMatchGetLastSMFromLists(s, 28, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], - 
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); - if (pm == NULL) { - SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs " - "preceding content, uricontent option, http_client_body, " - "http_server_body, http_header, http_raw_header, http_method, " - "http_cookie, http_raw_uri, http_stat_msg, http_stat_code, " - "http_user_agent, http_host or http_raw_host option"); - if (dubbed) - SCFree(str); - return -1; - } + pm = SigMatchGetLastSMFromLists(s, 30, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); + if (pm == NULL) { + SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs " + "preceding content, uricontent option, http_client_body, " + "http_server_body, 
http_header, http_raw_header, http_method, " + "http_cookie, http_raw_uri, http_stat_msg, http_stat_code, " + "http_host, http_raw_host or " + "http_user_agent or file_data/dce_stub_data option"); + if (dubbed) + SCFree(str); + return -1; } DetectContentData *cd = NULL; @@ -247,18 +163,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, DETECT_CONTENT, pm->prev, DETECT_PCRE, pm->prev, DETECT_BYTEJUMP, pm->prev); - if (pm == NULL) { - if (s->alproto == ALPROTO_DCERPC) { - SCLogDebug("content relative without a previous content based " - "keyword. Holds good only in the case of DCERPC " - "alproto like now."); - } else { - //SCLogError(SC_ERR_INVALID_SIGNATURE, "No related " - //"previous-previous content or pcre keyword"); - //goto error; - ; - } - } else { + if (pm != NULL) { switch (pm->type) { case DETECT_CONTENT: /* Set the relative next flag on the prev sigmatch */ diff --git a/src/detect-engine-dcepayload.c b/src/detect-engine-dcepayload.c index f5396d581e..dac52009e7 100644 --- a/src/detect-engine-dcepayload.c +++ b/src/detect-engine-dcepayload.c @@ -6007,7 +6007,11 @@ int DcePayloadTest13(void) int i = 0; char *sig1 = "alert tcp any any -> any any " - "(dce_stub_data; sid:1;)"; + "(dce_stub_data; content:\"|00 02|\"; sid:1;)"; + char *sig2 = "alert tcp any any -> any any " + "(dce_stub_data; content:\"|00 75|\"; sid:2;)"; + char *sig3 = "alert tcp any any -> any any " + "(dce_stub_data; content:\"|00 18|\"; sid:3;)"; Signature *s; @@ -6042,8 +6046,13 @@ int DcePayloadTest13(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, sig1); - s = de_ctx->sig_list; + s = de_ctx->sig_list = SigInit(de_ctx, sig1); + if (s == NULL) + goto end; + s = de_ctx->sig_list->next = SigInit(de_ctx, sig2); + if (s == NULL) + goto end; + s = de_ctx->sig_list->next->next = SigInit(de_ctx, sig3); if (s == NULL) goto end; 
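Review bot: The error raised in DetectDistanceSetup when no content keyword precedes the option reads `"within needs preceding content, ..."` and uses SC_ERR_WITHIN_MISSING_CONTENT, so a rule author is told the wrong keyword; the rewritten block is the place to correct it to say "distance needs" (with the distance-specific error code, if one exists). The new message also has a dangling conjunction, `"http_host, http_raw_host or " "http_user_agent or file_data/dce_stub_data option"`, and orders the keywords differently from the otherwise identical message in DetectDepthSetup; making both strings the same text (or one shared constant) keeps them in sync. DetectDistanceSetup continues outside the hunk.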
@@ -6058,14 +6067,14 @@ int DcePayloadTest13(void) } /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, p[0]); - if (!(PacketAlertCheck(p[0], 1))) { + if (!PacketAlertCheck(p[0], 1) || PacketAlertCheck(p[0], 2) || PacketAlertCheck(p[0], 3)) { printf("sid 1 didn't match but should have for packet 0: "); goto end; } /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, p[6]); - if ((PacketAlertCheck(p[6], 1))) { + if (PacketAlertCheck(p[6], 1) || PacketAlertCheck(p[6], 2) || PacketAlertCheck(p[6], 3)) { printf("sid 1 matched but shouldn't have for packet 6: "); goto end; } @@ -6078,7 +6087,7 @@ int DcePayloadTest13(void) } /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, p[1]); - if ((PacketAlertCheck(p[1], 1))) { + if (PacketAlertCheck(p[1], 1) || PacketAlertCheck(p[1], 2) || PacketAlertCheck(p[1], 3)) { printf("sid 1 matched but shouldn't have for packet 1: "); goto end; } @@ -6094,14 +6103,14 @@ int DcePayloadTest13(void) * the detection engine state for the flow has been reset because of a * fresh transaction */ SigMatchSignatures(&tv, de_ctx, det_ctx, p[2]); - if (!(PacketAlertCheck(p[2], 1))) { + if (PacketAlertCheck(p[2], 1) || !PacketAlertCheck(p[2], 2) || PacketAlertCheck(p[2], 3)) { printf("sid 1 didn't match but should have for packet 2: "); goto end; } /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, p[7]); - if ((PacketAlertCheck(p[7], 1))) { + if (PacketAlertCheck(p[7], 1) || PacketAlertCheck(p[7], 2) || PacketAlertCheck(p[7], 3)) { printf("sid 1 matched but shouldn't have for packet 7: "); goto end; } @@ -6114,7 +6123,7 @@ int DcePayloadTest13(void) } /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, p[3]); - if ((PacketAlertCheck(p[3], 1))) { + if (PacketAlertCheck(p[3], 1) || PacketAlertCheck(p[3], 2) || PacketAlertCheck(p[3], 3)) { printf("sid 1 matched but shouldn't have for packet 3: "); goto end; } 
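Review bot: The assertion for p[2] now requires sid 2 to alert and sids 1 and 3 not to, but the failure message kept on the next line still says `"sid 1 didn't match but should have for packet 2: "`, so a regression here would print a misleading diagnosis; it should read `printf("sid 2 didn't match, or sid 1/3 matched, for packet 2: ");`. The same stale text is left for p[4] in the `@@ -6130` hunk (sid 3 expected) and for p[4] in DcePayloadTest14's `@@ -6347` hunk (sid 2 expected), and every "sid 1 matched but shouldn't have" message now guards three (or two) sids. DcePayloadTest13 starts and ends outside this hunk.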
@@ -6130,7 +6139,7 @@ int DcePayloadTest13(void) * the detection engine state for the flow has been reset because of a * fresh transaction */ SigMatchSignatures(&tv, de_ctx, det_ctx, p[4]); - if (!(PacketAlertCheck(p[4], 1))) { + if (PacketAlertCheck(p[4], 1) || PacketAlertCheck(p[4], 2) || !PacketAlertCheck(p[4], 3)) { printf("sid 1 didn't match but should have for packet 4: "); goto end; } @@ -6143,7 +6152,7 @@ int DcePayloadTest13(void) } /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, p[5]); - if ((PacketAlertCheck(p[5], 1))) { + if (PacketAlertCheck(p[5], 1) || PacketAlertCheck(p[5], 2) || PacketAlertCheck(p[5], 3)) { printf("sid 1 matched but shouldn't have for packet 5: "); goto end; } @@ -6247,7 +6256,9 @@ int DcePayloadTest14(void) int i = 0; char *sig1 = "alert tcp any any -> any any " - "(dce_stub_data; sid:1;)"; + "(dce_stub_data; content:\"|7f 01|\"; sid:1;)"; + char *sig2 = "alert tcp any any -> any any " + "(dce_stub_data; content:\"|3f 00|\"; sid:2;)"; Signature *s; @@ -6279,8 +6290,10 @@ int DcePayloadTest14(void) goto end; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, sig1); - s = de_ctx->sig_list; + s = de_ctx->sig_list = SigInit(de_ctx, sig1); + if (s == NULL) + goto end; + s = de_ctx->sig_list->next = SigInit(de_ctx, sig2); if (s == NULL) goto end; @@ -6296,14 +6309,14 @@ int DcePayloadTest14(void) } /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, p[0]); - if (!(PacketAlertCheck(p[0], 1))) { + if (!PacketAlertCheck(p[0], 1) || PacketAlertCheck(p[0], 2)) { printf("sid 1 didn't match but should have for packet 0: "); goto end; } /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, p[1]); - if ((PacketAlertCheck(p[1], 1))) { + if (PacketAlertCheck(p[1], 1) || PacketAlertCheck(p[1], 2)) { printf("sid 1 matched but shouldn't have for packet 1: "); goto end; } 
@@ -6317,7 +6330,7 @@ int DcePayloadTest14(void) } /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, p[2]); - if ((PacketAlertCheck(p[2], 1))) { + if (PacketAlertCheck(p[2], 1) || PacketAlertCheck(p[2], 2)) { printf("sid 1 matched but shouldn't have for packet 2: "); goto end; } @@ -6331,7 +6344,7 @@ int DcePayloadTest14(void) } /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, p[3]); - if ((PacketAlertCheck(p[3], 1))) { + if (PacketAlertCheck(p[3], 1) || PacketAlertCheck(p[3], 2)) { printf("sid 1 matched but shouldn't have for packet 3: "); goto end; } @@ -6347,7 +6360,7 @@ int DcePayloadTest14(void) } /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, p[4]); - if (!(PacketAlertCheck(p[4], 1))) { + if (PacketAlertCheck(p[4], 1) || !PacketAlertCheck(p[4], 2)) { printf("sid 1 didn't match but should have for packet 4: "); goto end; } @@ -6361,7 +6374,7 @@ int DcePayloadTest14(void) } /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, p[5]); - if ((PacketAlertCheck(p[5], 1))) { + if (PacketAlertCheck(p[5], 1) || PacketAlertCheck(p[5], 2)) { printf("sid 1 matched but shouldn't have for packet 5: "); goto end; } @@ -7460,6 +7473,7 @@ int DcePayloadParseTest26(void) s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " "(msg:\"Testing bytejump_body\"; " "dce_stub_data; " + "pkt_data; " "content:\"one\"; " "content:\"two\"; " "content:\"three\"; within:5; " @@ -7714,6 +7728,7 @@ int DcePayloadParseTest28(void) "dce_stub_data; " "content:\"one\"; distance:10; within:5; " "content:\"two\"; within:5;" + "pkt_data; " "content:\"three\";" "content:\"four\";" "sid:1;)"); @@ -7839,6 +7854,7 @@ int DcePayloadParseTest29(void) s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " "(msg:\"Testing bytejump_body\"; " "dce_stub_data; " + "pkt_data; " "pcre:/boom/; " "content:\"one\"; distance:10; within:5; " "content:\"two\"; within:5;" 
@@ -7980,6 +7996,7 @@ int DcePayloadParseTest30(void) s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " "(msg:\"Testing bytejump_body\"; " "dce_stub_data; " + "pkt_data; " "byte_jump:2,5; " "content:\"one\"; distance:10; within:5; " "content:\"two\"; within:5;" @@ -8129,6 +8146,7 @@ int DcePayloadParseTest31(void) "byte_jump:2,5,relative; " "content:\"one\"; distance:10; within:5; " "content:\"two\"; within:5;" + "pkt_data; " "content:\"three\";" "content:\"four\";" "sid:1;)"); @@ -8156,7 +8174,7 @@ int DcePayloadParseTest31(void) bd->flags & DETECT_BYTEJUMP_LITTLE || bd->flags & DETECT_BYTEJUMP_BIG || bd->flags & DETECT_BYTEJUMP_STRING || - !(bd->flags & DETECT_BYTEJUMP_RELATIVE) || + bd->flags & DETECT_BYTEJUMP_RELATIVE || bd->flags & DETECT_BYTEJUMP_ALIGN || bd->flags & DETECT_BYTEJUMP_DCE ) { result = 0; @@ -8275,6 +8293,7 @@ int DcePayloadParseTest32(void) "byte_jump:2,5,relative; " "content:\"one\"; distance:10; within:5; " "content:\"two\"; within:5;" + "pkt_data; " "content:\"three\";" "content:\"four\"; within:4; " "sid:1;)"); @@ -8302,7 +8321,7 @@ int DcePayloadParseTest32(void) bd->flags & DETECT_BYTEJUMP_LITTLE || bd->flags & DETECT_BYTEJUMP_BIG || bd->flags & DETECT_BYTEJUMP_STRING || - !(bd->flags & DETECT_BYTEJUMP_RELATIVE) || + bd->flags & DETECT_BYTEJUMP_RELATIVE || bd->flags & DETECT_BYTEJUMP_ALIGN || bd->flags & DETECT_BYTEJUMP_DCE ) { result = 0; @@ -8421,6 +8440,7 @@ int DcePayloadParseTest33(void) "pcre:/boom/R; " "content:\"one\"; distance:10; within:5; " "content:\"two\"; within:5;" + "pkt_data; " "content:\"three\";" "content:\"four\"; distance:5;" "sid:1;)"); @@ -8445,7 +8465,7 @@ int DcePayloadParseTest33(void) } pd = (DetectPcreData *)sm->ctx; if ( pd->flags & DETECT_PCRE_RAWBYTES || - !(pd->flags & DETECT_PCRE_RELATIVE)) { + pd->flags & DETECT_PCRE_RELATIVE) { result = 0; printf("one failed\n"); goto end; 
@@ -8564,6 +8584,7 @@ int DcePayloadParseTest34(void) "pcre:/boom/R; " "byte_jump:1,2,relative,align,dce; " "content:\"one\"; within:4; distance:8; " + "pkt_data; " "content:\"two\"; " "sid:1;)"); if (de_ctx->sig_list == NULL) { @@ -8587,7 +8608,7 @@ int DcePayloadParseTest34(void) } pd = (DetectPcreData *)sm->ctx; if ( pd->flags & DETECT_PCRE_RAWBYTES || - !(pd->flags & DETECT_PCRE_RELATIVE)) { + pd->flags & DETECT_PCRE_RELATIVE) { result = 0; goto end; } @@ -8684,6 +8705,7 @@ int DcePayloadParseTest35(void) "dce_iface:12345678-1234-1234-1234-123456789012; " "dce_opnum:10; dce_stub_data; " "byte_test:1,=,0,0,relative,dce; " + "pkt_data; " "content:\"one\"; " "sid:1;)"); if (de_ctx->sig_list == NULL) { @@ -8709,7 +8731,7 @@ int DcePayloadParseTest35(void) if (bd->flags & DETECT_BYTETEST_LITTLE || bd->flags & DETECT_BYTETEST_BIG || bd->flags & DETECT_BYTETEST_STRING || - !(bd->flags & DETECT_BYTETEST_RELATIVE) || + bd->flags & DETECT_BYTETEST_RELATIVE || !(bd->flags & DETECT_BYTETEST_DCE) ) { result = 0; printf("one failed\n"); @@ -8771,6 +8793,7 @@ int DcePayloadParseTest36(void) "dce_opnum:10; dce_stub_data; " "isdataat:10,relative; " "content:\"one\"; within:4; distance:8; " + "pkt_data; " "content:\"two\"; " "sid:1;)"); if (de_ctx->sig_list == NULL) { @@ -8794,7 +8817,7 @@ int DcePayloadParseTest36(void) } isd = (DetectIsdataatData *)sm->ctx; if ( isd->flags & ISDATAAT_RAWBYTES || - !(isd->flags & ISDATAAT_RELATIVE)) { + isd->flags & ISDATAAT_RELATIVE) { result = 0; goto end; } @@ -8875,6 +8898,7 @@ int DcePayloadParseTest37(void) "dce_opnum:10; dce_stub_data; " "byte_jump:1,2,relative,align,dce; " "byte_test:1,=,2,0,relative,dce; " + "pkt_data; " "content:\"one\"; " "sid:1;)"); if (de_ctx->sig_list == NULL) { 
@@ -8901,7 +8925,7 @@ int DcePayloadParseTest37(void) bjd->flags & DETECT_BYTEJUMP_LITTLE || bjd->flags & DETECT_BYTEJUMP_BIG || bjd->flags & DETECT_BYTEJUMP_STRING || - !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) || + bjd->flags & DETECT_BYTEJUMP_RELATIVE || !(bjd->flags & DETECT_BYTEJUMP_ALIGN) || !(bjd->flags & DETECT_BYTEJUMP_DCE) ) { result = 0; @@ -8983,6 +9007,7 @@ int DcePayloadParseTest38(void) "pcre:/boom/R; " "byte_jump:1,2,relative,align,dce; " "byte_test:1,=,2,0,relative,dce; " + "pkt_data; " "content:\"one\"; " "sid:1;)"); if (de_ctx->sig_list == NULL) { @@ -9006,7 +9031,7 @@ int DcePayloadParseTest38(void) } pd = (DetectPcreData *)sm->ctx; if ( pd->flags & DETECT_PCRE_RAWBYTES || - !(pd->flags & DETECT_PCRE_RELATIVE) ) { + pd->flags & DETECT_PCRE_RELATIVE) { result = 0; printf("one failed\n"); goto end; @@ -9187,6 +9212,7 @@ int DcePayloadParseTest40(void) "content:\"one\"; within:10; " "content:\"two\"; distance:20; within:30; " "byte_test:1,=,2,0,relative,dce; " + "pkt_data; " "content:\"three\"; " "sid:1;)"); if (de_ctx->sig_list == NULL) { @@ -9314,6 +9340,7 @@ int DcePayloadParseTest41(void) "dce_iface:12345678-1234-1234-1234-123456789012; " "dce_opnum:10; dce_stub_data; " "content:\"one\"; within:10; " + "pkt_data; " "content:\"two\"; " "byte_test:1,=,2,0,relative,dce; " "content:\"three\"; " @@ -9634,6 +9661,7 @@ int DcePayloadParseTest44(void) "dce_opnum:10; dce_stub_data; " "isdataat:10,relative; " "content:\"one\"; within:4; distance:8; " + "pkt_data; " "content:\"two\"; " "sid:1;)"); if (de_ctx->sig_list == NULL) { @@ -9657,7 +9685,7 @@ int DcePayloadParseTest44(void) } isd = (DetectIsdataatData *)sm->ctx; if ( isd->flags & ISDATAAT_RAWBYTES || - !(isd->flags & ISDATAAT_RELATIVE)) { + isd->flags & ISDATAAT_RELATIVE) { result = 0; goto end; } 
@@ -9759,6 +9787,7 @@ int DcePayloadParseTest45(void) "content:\"one\"; " "dce_opnum:10; dce_stub_data; " "byte_jump:1,2,relative,align,dce; " + "pkt_data; " "content:\"two\"; " "sid:1;)"); if (de_ctx->sig_list == NULL) { @@ -9785,7 +9814,7 @@ int DcePayloadParseTest45(void) bjd->flags & DETECT_BYTEJUMP_LITTLE || bjd->flags & DETECT_BYTEJUMP_BIG || bjd->flags & DETECT_BYTEJUMP_STRING || - !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) || + bjd->flags & DETECT_BYTEJUMP_RELATIVE || !(bjd->flags & DETECT_BYTEJUMP_ALIGN) || !(bjd->flags & DETECT_BYTEJUMP_DCE) ) { result = 0; @@ -9870,6 +9899,7 @@ int DcePayloadParseTest46(void) "content:\"one\"; " "dce_opnum:10; dce_stub_data; " "byte_test:1,=,2,0,relative,dce; " + "pkt_data; " "content:\"two\"; " "sid:1;)"); if (de_ctx->sig_list == NULL) { @@ -9895,7 +9925,7 @@ int DcePayloadParseTest46(void) if (btd->flags & DETECT_BYTETEST_LITTLE || btd->flags & DETECT_BYTETEST_BIG || btd->flags & DETECT_BYTETEST_STRING || - !(btd->flags & DETECT_BYTETEST_RELATIVE) || + btd->flags & DETECT_BYTETEST_RELATIVE || !(btd->flags & DETECT_BYTETEST_DCE) ) { result = 0; printf("one failed\n"); diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index 2aed585148..6d1bb58d0a 100644 --- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c @@ -250,8 +250,6 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst { DetectIsdataatData *idad = NULL; SigMatch *sm = NULL; - SigMatch *dm = NULL; - SigMatch *pm = NULL; SigMatch *prev_pm = NULL; char *offset = NULL; 
@@ -266,74 +264,36 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst sm->type = DETECT_ISDATAAT; sm->ctx = (void *)idad; - if (s->alproto == ALPROTO_DCERPC && - (idad->flags & ISDATAAT_RELATIVE)) { - - pm = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - dm = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); - - if (pm == NULL) { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH); - } else if (dm == NULL) { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH); - } else if (pm->idx > dm->idx) { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); - } else { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH); - } - prev_pm = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, sm->prev, - DETECT_BYTEJUMP, sm->prev, - DETECT_PCRE, sm->prev); - if (prev_pm == NULL) { - SCLogDebug("No preceding content or pcre keyword. 
Possible " - "since this is a dce alproto sig."); - if (offset != NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in isdataat - %s", offset); - goto error; - } - return 0; - } - } else if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { - if (idad->flags & ISDATAAT_RELATIVE) { - pm = SigMatchGetLastSMFromLists(s, 10, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]); - if (pm == NULL) { - idad->flags &= ~ISDATAAT_RELATIVE; - } - - s->flags |= SIG_FLAG_APPLAYER; + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { + int sm_list; + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { AppLayerHtpEnableResponseBodyCallback(); - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH); + sm_list = DETECT_SM_LIST_HSBDMATCH; } else { - s->flags |= SIG_FLAG_APPLAYER; - AppLayerHtpEnableResponseBodyCallback(); - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH); + sm_list = DETECT_SM_LIST_DMATCH; } - if (pm == NULL) { - SCLogDebug("No preceding content or pcre keyword. Possible " + if (idad->flags & ISDATAAT_RELATIVE) { + s->flags |= SIG_FLAG_APPLAYER; + SigMatchAppendSMToList(s, sm, sm_list); + prev_pm = SigMatchGetLastSMFromLists(s, 10, + DETECT_CONTENT, s->sm_lists_tail[sm_list], + DETECT_PCRE, s->sm_lists_tail[sm_list], + DETECT_BYTEJUMP, s->sm_lists_tail[sm_list], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[sm_list], + DETECT_BYTETEST, s->sm_lists_tail[sm_list]); + if (prev_pm == NULL) { + SCLogDebug("No preceding content or pcre keyword. 
Possible " "since this is a file_data sig."); - if (offset != NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in isdataat - %s", offset); - goto error; + if (offset != NULL) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " + "seen in isdataat - %s", offset); + goto error; + } + idad->flags &= ~ISDATAAT_RELATIVE; + return 0; } - return 0; } - - prev_pm = pm; } else { if (!(idad->flags & ISDATAAT_RELATIVE)) { SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); @@ -353,7 +313,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst } return 0; } - pm = SigMatchGetLastSMFromLists(s, 66, + prev_pm = SigMatchGetLastSMFromLists(s, 66, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], @@ -387,7 +347,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]); - if (pm == NULL) { + if (prev_pm == NULL) { SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); if (offset != NULL) { SigMatch *bed_sm = @@ -405,15 +365,13 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst } SCReturnInt(0); } else { - int list_type = SigMatchListSMBelongsTo(s, pm); + int list_type = SigMatchListSMBelongsTo(s, prev_pm); if (list_type == -1) { goto error; } SigMatchAppendSMToList(s, sm, list_type); - } /* else - if (pm == NULL) */ - - prev_pm = pm; + } /* else - if (prev_pm == NULL) */ } if (offset != NULL) { 
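Review bot: In the new file_data/dce_stub_data branch the SigMatch is only appended when `idad->flags & ISDATAAT_RELATIVE` is set; a non-relative `isdataat` in such a signature now falls through to the `offset` handling without ever reaching `SigMatchAppendSMToList`, so the keyword is silently dropped and `sm` is leaked (the removed code appended in both cases). Hoist the two lines out of the relative check: `s->flags |= SIG_FLAG_APPLAYER;` and `SigMatchAppendSMToList(s, sm, sm_list);` directly after `sm_list` is chosen, keeping only the `prev_pm` lookup inside `if (idad->flags & ISDATAAT_RELATIVE)`. Note also that the `goto error` for an unknown byte_extract var now runs after the append; if the `error:` label (outside the hunk) frees `sm`, the list keeps a dangling pointer, so consider resolving `offset` before appending. The debug text `"since this is a file_data sig."` is also reached from the dce_stub_data branch and could read `"since this is a file_data/dce_stub_data sig."`. DetectIsdataatSetup continues outside the hunk.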
@@ -556,7 +514,7 @@ int DetectIsdataatTestParse04(void) s->alproto = ALPROTO_DCERPC; /* failure since we have no preceding content/pcre/bytejump */ result &= (DetectIsdataatSetup(NULL, s, "30,relative") == 0); - result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL); + result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL); SigFree(s); diff --git a/src/detect-nocase.c b/src/detect-nocase.c index 336e3883e7..4325aff66e 100644 --- a/src/detect-nocase.c +++ b/src/detect-nocase.c @@ -76,8 +76,9 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls } /* Search for the first previous SigMatch that supports nocase */ - SigMatch *pm = SigMatchGetLastSMFromLists(s, 28, + SigMatch *pm = SigMatchGetLastSMFromLists(s, 30, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], @@ -96,7 +97,8 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls "content, uricontent, http_client_body, http_server_body, " "http_header, http_method, http_uri, http_cookie, " "http_raw_uri, http_stat_msg, http_stat_code, " - "http_user_agent, http_host or http_raw_host option"); + "http_user_agent, http_host or http_raw_host option or " + "file_data/dce_stub_data sticky buffer option"); SCReturnInt(-1); } diff --git a/src/detect-offset.c b/src/detect-offset.c index 204104b836..84e17ce4f2 100644 --- a/src/detect-offset.c +++ b/src/detect-offset.c 
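Review bot: The comment above the updated assertion in DetectIsdataatTestParse04, `/* failure since we have no preceding content/pcre/bytejump */`, contradicts what is asserted: setup is expected to return 0 and the match is expected to land in PMATCH. With this patch `s->alproto = ALPROTO_DCERPC` no longer influences list selection (DetectIsdataatSetup keys on `SIG_FLAG_INIT_DCE_STUB_DATA`), so the test now exercises the plain-payload path and the dce_stub_data placement is not covered here. Suggest `/* no preceding content/pcre/bytejump: relative is dropped and the match goes to PMATCH */` and, if no other test does it, a sibling case that sets `s->init_flags |= SIG_FLAG_INIT_DCE_STUB_DATA` and asserts `DETECT_SM_LIST_DMATCH` is non-NULL.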
@@ -68,54 +68,34 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr) dubbed = 1; } - switch (s->alproto) { - case ALPROTO_DCERPC: - /* add to the latest "content" keyword from either dmatch or pmatch */ - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - if (pm == NULL) { - SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs " - "preceding content option for dcerpc sig"); - if (dubbed) - SCFree(str); - return -1; - } - - break; - - default: - pm = SigMatchGetLastSMFromLists(s, 28, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); - if (pm == NULL) { - SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs " - "preceding content or uricontent option, http_client_body, " - "http_header, http_raw_header, http_method, " - "http_cookie, http_raw_uri, http_stat_msg, " - "http_stat_code, http_user_agent, " - "http_host or http_raw_host option"); - if (dubbed) - SCFree(str); - return -1; - } - - break; + pm = SigMatchGetLastSMFromLists(s, 30, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_CONTENT, 
s->sm_lists_tail[DETECT_SM_LIST_DMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); + if (pm == NULL) { + SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs " + "preceding content, uricontent option, http_client_body, " + "http_header, http_raw_header, http_method, " + "http_cookie, http_raw_uri, http_stat_msg, " + "http_stat_code, http_user_agent or " + "file_data/dce_stub_data sticky buffers"); + if (dubbed) + SCFree(str); + return -1; } - /* we can remove this switch now with the unified structure */ DetectContentData *cd = NULL; switch (pm->type) { case DETECT_CONTENT: diff --git a/src/detect-pcre.c b/src/detect-pcre.c index 45e5e19f22..9620945eec 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c 
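Review bot: The rewritten error message in DetectOffsetSetup drops `http_host` and `http_raw_host` although `DETECT_SM_LIST_HHHDMATCH` and `DETECT_SM_LIST_HRHHDMATCH` are still searched two lines above, so a user who forgot the content before `offset` is told an incomplete list. Suggest `"http_stat_code, http_user_agent, http_host, http_raw_host or "` followed by `"file_data/dce_stub_data sticky buffers");`. The same list appears in the detect-nocase.c and detect-within.c hunks of this patch; keeping the three messages identical would help.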
@@ -793,38 +793,20 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSCDMATCH); } else { - if (s->alproto == ALPROTO_DCERPC && (pd->flags & DETECT_PCRE_RELATIVE)) { - SigMatch *pm = NULL; - SigMatch *dm = NULL; - - pm = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - dm = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - - if (pm == NULL) { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH); - } else if (dm == NULL) { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH); - } else if (pm->idx > dm->idx) { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); - } else { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH); - } + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { + SCLogDebug("adding to http server body list because of file data"); + s->flags |= SIG_FLAG_APPLAYER; + AppLayerHtpEnableResponseBodyCallback(); + + SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH); + } else if (s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { + SCLogDebug("adding to dmatch list because of dce_stub_data"); + s->flags |= SIG_FLAG_APPLAYER; + AppLayerHtpEnableResponseBodyCallback(); + + SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH); } else { - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { - SCLogDebug("adding to http server body list because of file data"); - s->flags |= SIG_FLAG_APPLAYER; - AppLayerHtpEnableResponseBodyCallback(); - - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH); - } else { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); - } + SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); } } 
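Review bot: The new `SIG_FLAG_INIT_DCE_STUB_DATA` branch in DetectPcreSetup calls `AppLayerHtpEnableResponseBodyCallback()` before appending to `DETECT_SM_LIST_DMATCH`; that call enables HTTP response-body buffering, which has no relation to a DCERPC stub-data match and looks copied from the file_data branch just above. Every DCERPC rule with a pcre would then switch on HTTP body inspection globally at rule-load time. Drop that line from the dce_stub_data branch, leaving `s->flags |= SIG_FLAG_APPLAYER;` and `SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);`, as DetectIsdataatSetup in this same patch already does (it calls the HTTP enable only under `SIG_FLAG_INIT_FILE_DATA`). DetectPcreSetup continues outside the hunk.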
@@ -836,19 +818,8 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst DETECT_CONTENT, sm->prev, DETECT_PCRE, sm->prev); if (prev_sm == NULL) { - if (s->alproto == ALPROTO_DCERPC) { - SCLogDebug("No preceding content or pcre keyword. Possible " - "since this is an alproto sig."); - SCReturnInt(0); - } else { - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { - SCLogDebug("removing relative flag as we are relative to file_data"); - pd->flags &= ~DETECT_PCRE_RELATIVE; - SCReturnInt(0); - } else { - SCReturnInt(0); - } - } + pd->flags &= ~DETECT_PCRE_RELATIVE; + SCReturnInt(0); } DetectContentData *cd = NULL; @@ -1172,7 +1143,7 @@ int DetectPcreParseTest11(void) result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE); data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; if (data->flags & DETECT_PCRE_RAWBYTES || - !(data->flags & DETECT_PCRE_RELATIVE) || + data->flags & DETECT_PCRE_RELATIVE || data->flags & DETECT_PCRE_URI) { result = 0; goto end; @@ -1195,7 +1166,7 @@ int DetectPcreParseTest11(void) result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE); data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; if (data->flags & DETECT_PCRE_RAWBYTES || - !(data->flags & DETECT_PCRE_RELATIVE) || + data->flags & DETECT_PCRE_RELATIVE || data->flags & DETECT_PCRE_URI) { result = 0; goto end; @@ -1218,7 +1189,7 @@ int DetectPcreParseTest11(void) result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE); data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; if (!(data->flags & DETECT_PCRE_RAWBYTES) || - !(data->flags & DETECT_PCRE_RELATIVE) || + data->flags & DETECT_PCRE_RELATIVE || data->flags & DETECT_PCRE_URI) { result = 0; goto end; diff --git a/src/detect-pkt-data.c b/src/detect-pkt-data.c index 2a1560e7dd..836c9c026b 100644 --- a/src/detect-pkt-data.c +++ b/src/detect-pkt-data.c 
@@ -73,7 +73,7 @@ void DetectPktDataRegister(void) { static int DetectPktDataSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) { SCEnter(); - s->init_flags &= (~SIG_FLAG_INIT_FILE_DATA); + s->init_flags &= (~SIG_FLAG_INIT_FILE_DATA & ~SIG_FLAG_INIT_DCE_STUB_DATA); return 0; } diff --git a/src/detect-urilen.c b/src/detect-urilen.c index d974357d29..80c20a218b 100644 --- a/src/detect-urilen.c +++ b/src/detect-urilen.c @@ -347,6 +347,12 @@ static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, char *urile else SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH); + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " + "alproto set"); + goto error; + } + /* Flagged the signature as to inspect the app layer data */ s->flags |= SIG_FLAG_APPLAYER; diff --git a/src/detect-within.c b/src/detect-within.c index c609ab9da5..d5768db673 100644 --- a/src/detect-within.c +++ b/src/detect-within.c 
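Review bot: The new mask in DetectPktDataSetup, `~SIG_FLAG_INIT_FILE_DATA & ~SIG_FLAG_INIT_DCE_STUB_DATA`, is correct but reads as if only one bit were cleared; the intent is clearer as `s->init_flags &= ~(SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA);`. A one-line comment such as `/* pkt_data ends any sticky buffer: subsequent keywords go back to the packet payload */` would also document why both flags are reset here.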
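Review bot: The alproto check added to DetectUrilenSetup runs after `sm` has already been appended to `DETECT_SM_LIST_UMATCH`, and then jumps to `error`, which is outside the hunk; if that label frees `sm` or `urilend` (the usual pattern in these setup functions), the signature's list is left pointing at freed memory and the later SigFree will touch it again. Move the three lines `if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { ... goto error; }` above the `if/else` that appends `sm`, ideally before the allocation, so a rejected rule never modifies the signature. Compare the dce branch of DetectByteExtractSetup in this patch, which validates alproto before touching the lists.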
@@ -80,117 +80,32 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi dubbed = 1; } - /* if we still haven't found that the sig is related to DCERPC, - * it's a direct entry into Signature->[DETECT_SM_LIST_PMATCH] */ - if (s->alproto == ALPROTO_DCERPC) { - SigMatch *dcem = NULL; - SigMatch *dm = NULL; - SigMatch *pm1 = NULL; - - SigMatch *pm1_ots = NULL; - SigMatch *pm2_ots = NULL; - - dcem = SigMatchGetLastSMFromLists(s, 6, - DETECT_DCE_IFACE, s->sm_lists_tail[DETECT_SM_LIST_AMATCH], - DETECT_DCE_OPNUM, s->sm_lists_tail[DETECT_SM_LIST_AMATCH], - DETECT_DCE_STUB_DATA, s->sm_lists_tail[DETECT_SM_LIST_AMATCH]); - - pm1_ots = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - if (pm1_ots != NULL && pm1_ots->prev != NULL) { - pm2_ots = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, pm1_ots->prev, - DETECT_PCRE, pm1_ots->prev, - DETECT_BYTEJUMP, pm1_ots->prev); - } - - dm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); - pm1 = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - - if (dm == NULL && pm1 == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"within\" requires a " - "preceding content keyword"); - goto error; - } - - if (dm == NULL) { - if (pm2_ots == NULL) { - if (pm1->idx > dcem->idx) { - /* transfer pm1 to dmatch list and within is against this */ - SigMatchTransferSigMatchAcrossLists(pm1, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_DMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); - pm = pm1; - } else { - /* within is against pm1 and we continue this way */ - pm = pm1; - } - } else if (pm2_ots->idx > dcem->idx) { - /* within is against pm1, pm = pm1; */ - pm = pm1; - } else if (pm1->idx > dcem->idx) { - /* 
transfer pm1 to dmatch list and within is against this */ - SigMatchTransferSigMatchAcrossLists(pm1, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_DMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); - pm = pm1; - } else { - /* within is against pm1 and we continue this way */ - pm = pm1; - } - } else { - if (pm1 == NULL) { - /* within is against dm and continue this way */ - pm = dm; - } else if (dm->idx > pm1->idx) { - /* within is against dm */ - pm = dm; - } else if (pm2_ots == NULL || pm2_ots->idx < dcem->idx) { - /* trasnfer pm1 to dmatch list and pm = pm1 */ - SigMatchTransferSigMatchAcrossLists(pm1, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_DMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); - pm = pm1; - } else { - /* within is against pm1, pm = pm1 */ - pm = pm1; - } - } - } else { - pm = SigMatchGetLastSMFromLists(s, 28, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); - if (pm == NULL) { - SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "\"within\" requires " - "preceding content, uricontent, http_client_body, " - 
"http_server_body, http_header, http_raw_header, " - "http_method, http_cookie, http_raw_uri, " - "http_stat_msg, http_stat_code, http_user_agent, " - "http_host or http_raw_host option"); - if (dubbed) - SCFree(str); - return -1; - } + pm = SigMatchGetLastSMFromLists(s, 30, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); + if (pm == NULL) { + SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "\"within\" requires " + "preceding content, uricontent, http_client_body, " + "http_server_body, http_header, http_raw_header, " + "http_method, http_cookie, http_raw_uri, " + "http_stat_msg, http_stat_code or http_user_agent " + "option"); + if (dubbed) + SCFree(str); + return -1; } DetectContentData *cd = NULL; 
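Review bot: The consolidated error message in DetectWithinSetup omits `http_host` and `http_raw_host` even though `DETECT_SM_LIST_HHHDMATCH` and `DETECT_SM_LIST_HRHHDMATCH` are in the lookup, and unlike the detect-offset.c message in this same patch it does not mention the file_data/dce_stub_data sticky buffers that the DMATCH/HSBDMATCH entries now make valid anchors. Suggest `"http_stat_msg, http_stat_code, http_user_agent, http_host, "` followed by `"http_raw_host or file_data/dce_stub_data sticky buffer option");`. The large DCERPC list-transfer block that was removed is not replaced by any comment; a short `/* dce_stub_data is now a sticky buffer: the content to anchor on is simply the last content in any list */` at the top of the lookup would explain to the next reader why the special case is gone.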
@@ -252,18 +167,7 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi DETECT_CONTENT, pm->prev, DETECT_PCRE, pm->prev, DETECT_BYTEJUMP, pm->prev); - if (pm == NULL) { - if (s->alproto == ALPROTO_DCERPC) { - SCLogDebug("content relative without a previous content based " - "keyword. Holds good only in the case of DCERPC " - "alproto like now."); - } else { - //SCLogError(SC_ERR_INVALID_SIGNATURE, "No related " - // "previous-previous content or pcre keyword"); - //goto error; - ; - } - } else { + if (pm != NULL) { switch (pm->type) { case DETECT_CONTENT: /* Set the relative next flag on the prev sigmatch */ diff --git a/src/detect.h b/src/detect.h index 41a5da82d5..b975180f95 100644 --- a/src/detect.h +++ b/src/detect.h @@ -275,6 +275,7 @@ typedef struct DetectPort_ { #define SIG_FLAG_INIT_BIDIREC (1<<3) /**< signature has bidirectional operator */ #define SIG_FLAG_INIT_PAYLOAD (1<<4) /**< signature is inspecting the packet payload */ #define SIG_FLAG_INIT_FILE_DATA (1<<5) /**< file_data set */ +#define SIG_FLAG_INIT_DCE_STUB_DATA (1<<6) /**< dce_stub_data set */ /* signature mask flags */ #define SIG_MASK_REQUIRE_PAYLOAD (1<<0)