http_uri: dynamic buffer

Clean up tests
pull/2559/head
Victor Julien 9 years ago
parent e34102d67a
commit 6346a074a7

@ -672,6 +672,7 @@ SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
#ifdef UNITTESTS
static int g_file_data_buffer_id = 0;
static int g_http_uri_buffer_id = 0;
static int DetectByteExtractTest01(void)
{
@ -1691,7 +1692,7 @@ static int DetectByteExtractTest37(void)
goto end;
}
sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
sm = s->sm_lists[g_http_uri_buffer_id];
if (sm->type != DETECT_CONTENT) {
result = 0;
goto end;
@ -1804,7 +1805,7 @@ static int DetectByteExtractTest38(void)
goto end;
}
sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
sm = s->sm_lists[g_http_uri_buffer_id];
if (sm->type != DETECT_CONTENT) {
result = 0;
goto end;
@ -1892,7 +1893,7 @@ static int DetectByteExtractTest39(void)
goto end;
}
sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
sm = s->sm_lists[g_http_uri_buffer_id];
if (sm->type != DETECT_CONTENT) {
result = 0;
goto end;
@ -2005,7 +2006,7 @@ static int DetectByteExtractTest40(void)
goto end;
}
sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
sm = s->sm_lists[g_http_uri_buffer_id];
if (sm->type != DETECT_CONTENT) {
result = 0;
goto end;
@ -2237,7 +2238,7 @@ static int DetectByteExtractTest42(void)
if (sm->next != NULL)
goto end;
sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
sm = s->sm_lists[g_http_uri_buffer_id];
if (sm->type != DETECT_CONTENT) {
result = 0;
goto end;
@ -3776,7 +3777,7 @@ static int DetectByteExtractTest56(void)
goto end;
}
sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
sm = s->sm_lists[g_http_uri_buffer_id];
if (sm->type != DETECT_CONTENT) {
result = 0;
goto end;
@ -3948,7 +3949,7 @@ static int DetectByteExtractTest57(void)
if (sm->next != NULL)
goto end;
sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
sm = s->sm_lists[g_http_uri_buffer_id];
if (sm->type != DETECT_CONTENT) {
result = 0;
goto end;
@ -4411,12 +4412,12 @@ static int DetectByteExtractTest60(void)
if (sm->next != NULL)
goto end;
if (s->sm_lists_tail[DETECT_SM_LIST_UMATCH] == NULL) {
if (s->sm_lists_tail[g_http_uri_buffer_id] == NULL) {
result = 0;
goto end;
}
sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
sm = s->sm_lists[g_http_uri_buffer_id];
if (sm->type != DETECT_CONTENT) {
result = 0;
goto end;
@ -4541,12 +4542,12 @@ static int DetectByteExtractTest61(void)
if (sm->next != NULL)
goto end;
if (s->sm_lists_tail[DETECT_SM_LIST_UMATCH] == NULL) {
if (s->sm_lists_tail[g_http_uri_buffer_id] == NULL) {
result = 0;
goto end;
}
sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
sm = s->sm_lists[g_http_uri_buffer_id];
if (sm->type != DETECT_CONTENT) {
result = 0;
goto end;
@ -4731,6 +4732,7 @@ static void DetectByteExtractRegisterTests(void)
{
#ifdef UNITTESTS
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
UtRegisterTest("DetectByteExtractTest01", DetectByteExtractTest01);
UtRegisterTest("DetectByteExtractTest02", DetectByteExtractTest02);
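Review bot: `g_http_uri_buffer_id` is assigned from `DetectBufferTypeGetByName("http_uri")` in DetectByteExtractRegisterTests without checking the result, and the converted tests then use it directly as an index into `s->sm_lists[]` and `s->sm_lists_tail[]`. If the name is not registered at that point the lookup presumably returns a negative id, which would turn each of those accesses into an out-of-bounds read rather than a clean test failure. The static's initial value of 0 is presumably also a valid list index, so a test that runs before the assignment would silently inspect a different list. A guard right after the lookup, for example `BUG_ON(g_http_uri_buffer_id < 0);`, would make the failure explicit. The same unchecked pattern appears in DetectFastPatternRegisterTests and DetectHttpCookieRegisterTests later in this commit.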

@ -112,8 +112,6 @@ void EngineAnalysisFP(Signature *s, char *line)
int list_type = SigMatchListSMBelongsTo(s, mpm_sm);
if (list_type == DETECT_SM_LIST_PMATCH)
fprintf(fp_engine_analysis_FD, "content\n");
else if (list_type == DETECT_SM_LIST_UMATCH)
fprintf(fp_engine_analysis_FD, "http uri content\n");
else if (list_type == DETECT_SM_LIST_HRUDMATCH)
fprintf(fp_engine_analysis_FD, "http raw uri content\n");
else if (list_type == DETECT_SM_LIST_HHDMATCH)
@ -464,8 +462,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s)
fprintf(rule_engine_analysis_FD, "%s",
payload ? (stream ? "payload and reassembled stream" : "payload") : "reassembled stream");
}
else if (list_type == DETECT_SM_LIST_UMATCH)
fprintf(rule_engine_analysis_FD, "http uri content");
else if (list_type == DETECT_SM_LIST_HRUDMATCH)
fprintf(rule_engine_analysis_FD, "http raw uri content");
else if (list_type == DETECT_SM_LIST_HHDMATCH)
@ -583,6 +579,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
const int nlists = DetectBufferTypeMaxId();
const int filedata_id = DetectBufferTypeGetByName("file_data");
const int httpmethod_id = DetectBufferTypeGetByName("http_method");
const int httpuri_id = DetectBufferTypeGetByName("http_uri");
if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) {
rule_bidirectional = 1;
@ -611,7 +608,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
http_client_body_buf += 1;
raw_http_buf += 1;
}
else if (list_id == DETECT_SM_LIST_UMATCH) {
else if (list_id == httpuri_id) {
rule_pcre_http += 1;
norm_http_buf += 1;
http_uri_buf += 1;
@ -667,7 +664,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
}
else if (sm->type == DETECT_CONTENT) {
if (list_id == DETECT_SM_LIST_UMATCH
if (list_id == httpuri_id
|| list_id == DETECT_SM_LIST_HHDMATCH
|| list_id == DETECT_SM_LIST_HCDMATCH) {
rule_content_http += 1;
@ -677,7 +674,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
warn_encoding_norm_http_buf += 1;
rule_warning += 1;
}
if (list_id == DETECT_SM_LIST_UMATCH) {
if (list_id == httpuri_id) {
http_uri_buf += 1;
}
else if (list_id == DETECT_SM_LIST_HHDMATCH) {
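Review bot: The `DETECT_SM_LIST_UMATCH` branches are removed from EngineAnalysisFP and EngineAnalysisRulesPrintFP with no visible replacement, so a fast pattern on http_uri is labelled in the analysis report only if a fallback branch outside these hunks handles dynamic buffer ids. Rule writers rely on that report to confirm which buffer a signature inspects, so it is worth confirming that both chains end in a branch that prints the registered buffer description for `list_type`, with a NULL check on the returned string. Separately, EngineAnalysisRules resolves `httpuri_id` by name on every call and compares it against `list_id` without first checking for a negative result. All three functions start and end outside the hunks shown.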

@ -2798,8 +2798,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
case DETECT_SM_LIST_PMATCH:
return "packet/stream payload";
case DETECT_SM_LIST_UMATCH:
return "http uri";
case DETECT_SM_LIST_HRUDMATCH:
return "http raw uri";
case DETECT_SM_LIST_HCBDMATCH:

@ -323,6 +323,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
#ifdef UNITTESTS
static int g_file_data_buffer_id = 0;
static int g_http_method_buffer_id = 0;
static int g_http_uri_buffer_id = 0;
/**
* \test Checks if a fast_pattern is registered in a Signature
@ -1594,7 +1595,7 @@ int DetectFastPatternTest54(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id];
while (sm != NULL) {
if (sm->type == DETECT_CONTENT) {
if ( ((DetectContentData *)sm->ctx)->flags &
@ -1635,7 +1636,7 @@ int DetectFastPatternTest55(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id];
while (sm != NULL) {
if (sm->type == DETECT_CONTENT) {
if ( ((DetectContentData *)sm->ctx)->flags &
@ -1672,7 +1673,7 @@ int DetectFastPatternTest56(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (sm->type == DETECT_CONTENT) {
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
@ -1708,7 +1709,7 @@ int DetectFastPatternTest57(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (sm->type == DETECT_CONTENT) {
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
@ -1940,7 +1941,7 @@ int DetectFastPatternTest67(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -1970,7 +1971,7 @@ int DetectFastPatternTest68(void)
"(uricontent:\"one\"; uricontent:\"two\"; within:30; uricontent:\"two\"; fast_pattern:only; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -2000,7 +2001,7 @@ int DetectFastPatternTest69(void)
"(uricontent:\"one\"; uricontent:\"two\"; offset:30; uricontent:\"two\"; fast_pattern:only; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -2030,7 +2031,7 @@ int DetectFastPatternTest70(void)
"(uricontent:\"one\"; uricontent:\"two\"; depth:30; uricontent:\"two\"; fast_pattern:only; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -2060,7 +2061,7 @@ int DetectFastPatternTest71(void)
"(uricontent:!\"one\"; fast_pattern; uricontent:\"two\"; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -2179,7 +2180,7 @@ int DetectFastPatternTest76(void)
"(uricontent:\"one\"; uricontent:\"oneonetwo\"; fast_pattern:3,4; uricontent:\"three\"; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -2209,7 +2210,7 @@ int DetectFastPatternTest77(void)
"(uricontent:\"one\"; uricontent:\"oneonetwo\"; fast_pattern:3,4; uricontent:\"three\"; distance:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -2239,7 +2240,7 @@ int DetectFastPatternTest78(void)
"(uricontent:\"one\"; uricontent:\"oneonetwo\"; fast_pattern:3,4; uricontent:\"three\"; within:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -2269,7 +2270,7 @@ int DetectFastPatternTest79(void)
"(uricontent:\"one\"; uricontent:\"oneonetwo\"; fast_pattern:3,4; uricontent:\"three\"; offset:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -2299,7 +2300,7 @@ int DetectFastPatternTest80(void)
"(uricontent:\"one\"; uricontent:\"oneonetwo\"; fast_pattern:3,4; uricontent:\"three\"; depth:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -2329,7 +2330,7 @@ int DetectFastPatternTest81(void)
"(uricontent:\"one\"; uricontent:\"two\"; distance:10; uricontent:\"oneonethree\"; fast_pattern:3,4; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -2359,7 +2360,7 @@ int DetectFastPatternTest82(void)
"(uricontent:\"one\"; uricontent:\"two\"; within:10; uricontent:\"oneonethree\"; fast_pattern:3,4; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -2389,7 +2390,7 @@ int DetectFastPatternTest83(void)
"(uricontent:\"one\"; uricontent:\"two\"; offset:10; uricontent:\"oneonethree\"; fast_pattern:3,4; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -2419,7 +2420,7 @@ int DetectFastPatternTest84(void)
"(uricontent:\"one\"; uricontent:\"two\"; depth:10; uricontent:\"oneonethree\"; fast_pattern:3,4; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -2518,7 +2519,7 @@ int DetectFastPatternTest88(void)
"(uricontent:\"one\"; uricontent:!\"oneonetwo\"; fast_pattern:3,4; uricontent:\"three\"; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -2642,7 +2643,7 @@ int DetectFastPatternTest93(void)
"(uricontent:\"one\"; content:!\"oneonetwo\"; fast_pattern:3,4; http_uri; uricontent:\"three\"; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -2680,7 +2681,7 @@ int DetectFastPatternTest94(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id];
while (sm != NULL) {
if (sm->type == DETECT_CONTENT) {
if ( ((DetectContentData *)sm->ctx)->flags &
@ -2721,7 +2722,7 @@ int DetectFastPatternTest95(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id];
while (sm != NULL) {
if (sm->type == DETECT_CONTENT) {
if ( ((DetectContentData *)sm->ctx)->flags &
@ -2758,7 +2759,7 @@ int DetectFastPatternTest96(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (sm->type == DETECT_CONTENT) {
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
@ -2794,7 +2795,7 @@ int DetectFastPatternTest97(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (sm->type == DETECT_CONTENT) {
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
@ -3026,7 +3027,7 @@ int DetectFastPatternTest107(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -3056,7 +3057,7 @@ int DetectFastPatternTest108(void)
"(uricontent:\"one\"; uricontent:\"two\"; within:30; content:\"two\"; fast_pattern:only; http_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -3086,7 +3087,7 @@ int DetectFastPatternTest109(void)
"(uricontent:\"one\"; uricontent:\"two\"; offset:30; content:\"two\"; fast_pattern:only; http_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -3116,7 +3117,7 @@ int DetectFastPatternTest110(void)
"(uricontent:\"one\"; uricontent:\"two\"; depth:30; content:\"two\"; fast_pattern:only; http_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -3146,7 +3147,7 @@ int DetectFastPatternTest111(void)
"(content:!\"one\"; fast_pattern; http_uri; uricontent:\"two\"; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -3265,7 +3266,7 @@ int DetectFastPatternTest116(void)
"(uricontent:\"one\"; content:\"oneonetwo\"; fast_pattern:3,4; http_uri; uricontent:\"three\"; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -3295,7 +3296,7 @@ int DetectFastPatternTest117(void)
"(uricontent:\"one\"; content:\"oneonetwo\"; fast_pattern:3,4; http_uri; uricontent:\"three\"; distance:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -3325,7 +3326,7 @@ int DetectFastPatternTest118(void)
"(uricontent:\"one\"; content:\"oneonetwo\"; fast_pattern:3,4; http_uri; uricontent:\"three\"; within:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -3355,7 +3356,7 @@ int DetectFastPatternTest119(void)
"(uricontent:\"one\"; content:\"oneonetwo\"; fast_pattern:3,4; http_uri; uricontent:\"three\"; offset:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -3385,7 +3386,7 @@ int DetectFastPatternTest120(void)
"(uricontent:\"one\"; content:\"oneonetwo\"; fast_pattern:3,4; http_uri; uricontent:\"three\"; depth:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -3415,7 +3416,7 @@ int DetectFastPatternTest121(void)
"(uricontent:\"one\"; uricontent:\"two\"; distance:10; content:\"oneonethree\"; fast_pattern:3,4; http_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -3445,7 +3446,7 @@ int DetectFastPatternTest122(void)
"(uricontent:\"one\"; uricontent:\"two\"; within:10; content:\"oneonethree\"; fast_pattern:3,4; http_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -3475,7 +3476,7 @@ int DetectFastPatternTest123(void)
"(uricontent:\"one\"; uricontent:\"two\"; offset:10; content:\"oneonethree\"; fast_pattern:3,4; http_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -3505,7 +3506,7 @@ int DetectFastPatternTest124(void)
"(uricontent:\"one\"; uricontent:\"two\"; depth:10; content:\"oneonethree\"; fast_pattern:3,4; http_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -3604,7 +3605,7 @@ int DetectFastPatternTest128(void)
"(uricontent:\"one\"; content:!\"oneonetwo\"; fast_pattern:3,4; http_uri; uricontent:\"three\"; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -3723,7 +3724,7 @@ int DetectFastPatternTest133(void)
"(uricontent:\"one\"; content:!\"oneonetwo\"; fast_pattern:3,4; http_uri; uricontent:\"three\"; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -18825,6 +18826,7 @@ void DetectFastPatternRegisterTests(void)
#ifdef UNITTESTS
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
g_http_method_buffer_id = DetectBufferTypeGetByName("http_method");
g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01);
UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02);
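Review bot: Several of the converted tests dereference the list entry at the dynamic id before any NULL check. DetectFastPatternTest56, 57, 96 and 97 read `sm->ctx` ahead of the `sm->type` test, and Test67 onward read `sm_lists_tail[g_http_uri_buffer_id]->ctx` or `->prev->ctx` directly. With an id resolved at registration time, an empty list at that index makes the whole unittest run crash instead of reporting one failed test. A guard such as `if (sm == NULL) goto end;` before the cast, and the equivalent on the tail pointer, would keep failures local. The test bodies continue outside the hunks shown.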

@ -138,11 +138,13 @@ static int DetectHttpCookieSetup(DetectEngineCtx *de_ctx, Signature *s, char *st
#include "stream-tcp-reassemble.h"
static int g_http_uri_buffer_id = 0;
/**
* \test Checks if a http_cookie is registered in a Signature, if content is not
* specified in the signature
*/
int DetectHttpCookieTest01(void)
static int DetectHttpCookieTest01(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
@ -166,7 +168,7 @@ end:
* \test Checks if a http_cookie is registered in a Signature, if some parameter
* is specified with http_cookie in the signature
*/
int DetectHttpCookieTest02(void)
static int DetectHttpCookieTest02(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
@ -190,7 +192,7 @@ end:
/**
* \test Checks if a http_cookie is registered in a Signature
*/
int DetectHttpCookieTest03(void)
static int DetectHttpCookieTest03(void)
{
SigMatch *sm = NULL;
DetectEngineCtx *de_ctx = NULL;
@ -237,7 +239,7 @@ end:
* \test Checks if a http_cookie is registered in a Signature, when fast_pattern
* is also specified in the signature (now it should)
*/
int DetectHttpCookieTest04(void)
static int DetectHttpCookieTest04(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
@ -262,7 +264,7 @@ end:
* \test Checks if a http_cookie is registered in a Signature, when rawbytes is
* also specified in the signature
*/
int DetectHttpCookieTest05(void)
static int DetectHttpCookieTest05(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
@ -287,7 +289,7 @@ int DetectHttpCookieTest05(void)
* \test Checks if a http_cookie is registered in a Signature, when rawbytes is
* also specified in the signature
*/
int DetectHttpCookieTest06(void)
static int DetectHttpCookieTest06(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
@ -309,12 +311,12 @@ int DetectHttpCookieTest06(void)
if (s->sm_lists[DETECT_SM_LIST_HCDMATCH]->type != DETECT_CONTENT)
goto end;
if (s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL) {
if (s->sm_lists[g_http_uri_buffer_id] == NULL) {
printf("expected another SigMatch, got NULL: ");
goto end;
}
if (s->sm_lists[DETECT_SM_LIST_UMATCH]->type != DETECT_CONTENT) {
if (s->sm_lists[g_http_uri_buffer_id]->type != DETECT_CONTENT) {
goto end;
}
@ -1279,6 +1281,8 @@ end:
void DetectHttpCookieRegisterTests (void)
{
#ifdef UNITTESTS /* UNITTESTS */
g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
UtRegisterTest("DetectHttpCookieTest01", DetectHttpCookieTest01);
UtRegisterTest("DetectHttpCookieTest02", DetectHttpCookieTest02);
UtRegisterTest("DetectHttpCookieTest03", DetectHttpCookieTest03);

@ -56,8 +56,10 @@
#include "detect-engine-uri.h"
#include "stream-tcp.h"
int DetectHttpUriSetup (DetectEngineCtx *, Signature *, char *);
void DetectHttpUriRegisterTests(void);
static void DetectHttpUriRegisterTests(void);
static void DetectHttpUriSetupCallback(Signature *s);
static int g_http_uri_buffer_id = 0;
/**
* \brief Registration function for keyword: http_uri
@ -76,13 +78,19 @@ void DetectHttpUriRegister (void)
sigmatch_table[DETECT_AL_HTTP_URI].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_HTTP_URI].flags |= SIGMATCH_PAYLOAD;
DetectMpmAppLayerRegister("http_uri", SIG_FLAG_TOSERVER,
DETECT_SM_LIST_UMATCH, 2,
DetectAppLayerMpmRegister("http_uri", SIG_FLAG_TOSERVER, 2,
PrefilterTxUriRegister);
DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DETECT_SM_LIST_UMATCH,
DetectAppLayerInspectEngineRegister2("http_uri", ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DetectEngineInspectHttpUri);
DetectBufferTypeSetDescriptionByName("http_uri",
"http request uri");
DetectBufferTypeRegisterSetupCallback("http_uri",
DetectHttpUriSetupCallback);
g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
}
@ -101,23 +109,29 @@ int DetectHttpUriSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
{
return DetectEngineContentModifierBufferSetup(de_ctx, s, str,
DETECT_AL_HTTP_URI,
DETECT_SM_LIST_UMATCH,
g_http_uri_buffer_id,
ALPROTO_HTTP,
NULL);
}
static void DetectHttpUriSetupCallback(Signature *s)
{
SCLogDebug("callback invoked by %u", s->id);
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
}
/******************************** UNITESTS **********************************/
#ifdef UNITTESTS
#include "detect-isdataat.h"
#include "stream-tcp-reassemble.h"
/**
* \test Checks if a http_uri is registered in a Signature, if content is not
* specified in the signature
*/
int DetectHttpUriTest01(void)
static int DetectHttpUriTest01(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
@ -141,7 +155,7 @@ end:
* \test Checks if a http_uri is registered in a Signature, if some parameter
* is specified with http_uri in the signature
*/
int DetectHttpUriTest02(void)
static int DetectHttpUriTest02(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
@ -165,7 +179,7 @@ end:
/**
* \test Checks if a http_uri is registered in a Signature
*/
int DetectHttpUriTest03(void)
static int DetectHttpUriTest03(void)
{
SigMatch *sm = NULL;
DetectEngineCtx *de_ctx = NULL;
@ -186,7 +200,7 @@ int DetectHttpUriTest03(void)
goto end;
}
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id];
if (sm == NULL) {
printf("no sigmatch(es): ");
goto end;
@ -212,7 +226,7 @@ end:
* \test Checks if a http_uri is registered in a Signature, when rawbytes is
* also specified in the signature
*/
int DetectHttpUriTest04(void)
static int DetectHttpUriTest04(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
@ -237,7 +251,7 @@ int DetectHttpUriTest04(void)
* \test Checks if a http_uri is successfully converted to a uricontent
*
*/
int DetectHttpUriTest05(void)
static int DetectHttpUriTest05(void)
{
DetectEngineCtx *de_ctx = NULL;
Signature *s = NULL;
@ -254,16 +268,16 @@ int DetectHttpUriTest05(void)
printf("sig failed to parse\n");
goto end;
}
if (s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL)
if (s->sm_lists[g_http_uri_buffer_id] == NULL)
goto end;
if (s->sm_lists[DETECT_SM_LIST_UMATCH]->type != DETECT_CONTENT) {
if (s->sm_lists[g_http_uri_buffer_id]->type != DETECT_CONTENT) {
printf("wrong type\n");
goto end;
}
char *str = "we are testing http_uri keyword";
int uricomp = memcmp((const char *)((DetectContentData*) s->sm_lists[DETECT_SM_LIST_UMATCH]->ctx)->content, str, strlen(str)-1);
int urilen = ((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx)->content_len;
int uricomp = memcmp((const char *)((DetectContentData*) s->sm_lists[g_http_uri_buffer_id]->ctx)->content, str, strlen(str)-1);
int urilen = ((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->content_len;
if (uricomp != 0 ||
urilen != strlen("we are testing http_uri keyword")) {
printf("sig failed to parse, content not setup properly\n");
@ -277,7 +291,7 @@ end:
return result;
}
int DetectHttpUriTest12(void)
static int DetectHttpUriTest12(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
@ -299,13 +313,13 @@ int DetectHttpUriTest12(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
goto end;
}
DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(ud1->content, "one", ud1->content_len) != 0 ||
ud2->flags != DETECT_CONTENT_DISTANCE ||
@ -321,7 +335,7 @@ int DetectHttpUriTest12(void)
return result;
}
int DetectHttpUriTest13(void)
static int DetectHttpUriTest13(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
@ -343,13 +357,13 @@ int DetectHttpUriTest13(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
goto end;
}
DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(ud1->content, "one", ud1->content_len) != 0 ||
ud2->flags != DETECT_CONTENT_WITHIN ||
@ -365,7 +379,7 @@ int DetectHttpUriTest13(void)
return result;
}
int DetectHttpUriTest14(void)
static int DetectHttpUriTest14(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
@ -389,7 +403,7 @@ int DetectHttpUriTest14(void)
return result;
}
int DetectHttpUriTest15(void)
static int DetectHttpUriTest15(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
@ -405,12 +419,12 @@ int DetectHttpUriTest15(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
goto end;
}
DetectContentData *cd = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *cd = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (memcmp(cd->content, "one", cd->content_len) != 0 ||
cd->flags != DETECT_CONTENT_WITHIN) {
goto end;
@ -424,7 +438,7 @@ int DetectHttpUriTest15(void)
return result;
}
int DetectHttpUriTest16(void)
static int DetectHttpUriTest16(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
@ -448,7 +462,7 @@ int DetectHttpUriTest16(void)
return result;
}
int DetectHttpUriTest17(void)
static int DetectHttpUriTest17(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
@ -470,13 +484,13 @@ int DetectHttpUriTest17(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
goto end;
}
DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(ud1->content, "one", ud1->content_len) != 0 ||
ud2->flags != DETECT_CONTENT_DISTANCE ||
@ -492,7 +506,7 @@ int DetectHttpUriTest17(void)
return result;
}
int DetectHttpUriTest18(void)
static int DetectHttpUriTest18(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
@ -514,13 +528,13 @@ int DetectHttpUriTest18(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
goto end;
}
DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx;
DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(ud1->content, "one", ud1->content_len) != 0 ||
ud2->flags != DETECT_CONTENT_WITHIN ||
@ -536,12 +550,37 @@ int DetectHttpUriTest18(void)
return result;
}
static int DetectHttpUriIsdataatParseTest(void)
{
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
Signature *s = DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any ("
"content:\"one\"; http_uri; "
"isdataat:!4,relative; sid:1;)");
FAIL_IF_NULL(s);
SigMatch *sm = s->init_data->smlists_tail[g_http_uri_buffer_id];
FAIL_IF_NULL(sm);
FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
DetectEngineCtxFree(de_ctx);
PASS;
}
#endif /* UNITTESTS */
/**
* \brief Register the UNITTESTS for the http_uri keyword
*/
void DetectHttpUriRegisterTests (void)
static void DetectHttpUriRegisterTests (void)
{
#ifdef UNITTESTS /* UNITTESTS */
UtRegisterTest("DetectHttpUriTest01", DetectHttpUriTest01);
@ -556,6 +595,9 @@ void DetectHttpUriRegisterTests (void)
UtRegisterTest("DetectHttpUriTest16", DetectHttpUriTest16);
UtRegisterTest("DetectHttpUriTest17", DetectHttpUriTest17);
UtRegisterTest("DetectHttpUriTest18", DetectHttpUriTest18);
UtRegisterTest("DetectHttpUriIsdataatParseTest",
DetectHttpUriIsdataatParseTest);
#endif /* UNITTESTS */
}

@ -25,10 +25,7 @@
#define _DETECT_HTTP_URI_H
/* prototypes */
int DetectHttpUriSetup (DetectEngineCtx *, Signature *, char *);
void DetectHttpUriRegister (void);
int DetectHttpUriSetup(DetectEngineCtx *de_ctx, Signature *s, char *str);
int DetectHttpUriDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s,
SigMatch *sm, Flow *f, uint8_t flags, void *state);
#endif /* _DETECT_HTTP_URI_H */

@ -516,94 +516,6 @@ int DetectIsdataatTestParse06(void)
return result;
}
int DetectIsdataatTestParse07(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
Signature *s = NULL;
DetectIsdataatData *data = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"uricontent:\"one\"; "
"isdataat:!4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
s = de_ctx->sig_list;
if (s->sm_lists_tail[DETECT_SM_LIST_UMATCH] == NULL) {
goto end;
}
result = 1;
result &= (s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->type == DETECT_ISDATAAT);
data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
if ( !(data->flags & ISDATAAT_RELATIVE) ||
(data->flags & ISDATAAT_RAWBYTES) ||
!(data->flags & ISDATAAT_NEGATED) ) {
result = 0;
goto end;
}
end:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
return result;
}
int DetectIsdataatTestParse08(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
Signature *s = NULL;
DetectIsdataatData *data = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:\"one\"; http_uri; "
"isdataat:!4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
s = de_ctx->sig_list;
if (s->sm_lists_tail[DETECT_SM_LIST_UMATCH] == NULL) {
goto end;
}
result = 1;
result &= (s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->type == DETECT_ISDATAAT);
data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
if ( !(data->flags & ISDATAAT_RELATIVE) ||
(data->flags & ISDATAAT_RAWBYTES) ||
!(data->flags & ISDATAAT_NEGATED) ) {
result = 0;
goto end;
}
end:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
return result;
}
int DetectIsdataatTestParse09(void)
{
DetectEngineCtx *de_ctx = NULL;
@ -948,8 +860,6 @@ void DetectIsdataatRegisterTests(void)
UtRegisterTest("DetectIsdataatTestParse04", DetectIsdataatTestParse04);
UtRegisterTest("DetectIsdataatTestParse05", DetectIsdataatTestParse05);
UtRegisterTest("DetectIsdataatTestParse06", DetectIsdataatTestParse06);
UtRegisterTest("DetectIsdataatTestParse07", DetectIsdataatTestParse07);
UtRegisterTest("DetectIsdataatTestParse08", DetectIsdataatTestParse08);
UtRegisterTest("DetectIsdataatTestParse09", DetectIsdataatTestParse09);
UtRegisterTest("DetectIsdataatTestParse10", DetectIsdataatTestParse10);
UtRegisterTest("DetectIsdataatTestParse11", DetectIsdataatTestParse11);

@ -996,9 +996,10 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
SigMatchAppendSMToList(s, sm, list);
} else if (lua->flags & DATATYPE_HTTP_REQUEST_BODY)
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCBDMATCH);
else if (lua->flags & DATATYPE_HTTP_URI)
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH);
else if (lua->flags & DATATYPE_HTTP_URI_RAW)
else if (lua->flags & DATATYPE_HTTP_URI) {
int list = DetectBufferTypeGetByName("http_uri");
SigMatchAppendSMToList(s, sm, list);
} else if (lua->flags & DATATYPE_HTTP_URI_RAW)
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRUDMATCH);
else if (lua->flags & DATATYPE_HTTP_REQUEST_COOKIE)
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCDMATCH);
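Review bot: The id returned by `DetectBufferTypeGetByName("http_uri")` in the new `DATATYPE_HTTP_URI` branch goes straight into `SigMatchAppendSMToList()` without a check. If the lookup can return a negative value for a name that is not registered (its definition is not shown here, so this needs confirming), the append would index the signature's list array out of bounds while a rule is being parsed. A guard such as `if (list < 0) goto error;` before the append would reject the rule instead, assuming DetectLuaSetup has an error label; most of its body lies outside this hunk. The same unchecked pattern is added in the 'U' modifier case of DetectPcreParse, where `goto error` is already in use.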

@ -141,7 +141,6 @@ const char *DetectListToHumanString(int list)
switch (list) {
CASE_CODE_STRING(DETECT_SM_LIST_MATCH, "packet");
CASE_CODE_STRING(DETECT_SM_LIST_PMATCH, "payload");
CASE_CODE_STRING(DETECT_SM_LIST_UMATCH, "http_uri");
CASE_CODE_STRING(DETECT_SM_LIST_HRUDMATCH, "http_raw_uri");
CASE_CODE_STRING(DETECT_SM_LIST_HCBDMATCH, "http_client_body");
CASE_CODE_STRING(DETECT_SM_LIST_HHDMATCH, "http_header");
@ -183,7 +182,6 @@ const char *DetectListToString(int list)
switch (list) {
CASE_CODE(DETECT_SM_LIST_MATCH);
CASE_CODE(DETECT_SM_LIST_PMATCH);
CASE_CODE(DETECT_SM_LIST_UMATCH);
CASE_CODE(DETECT_SM_LIST_HRUDMATCH);
CASE_CODE(DETECT_SM_LIST_HCBDMATCH);
CASE_CODE(DETECT_SM_LIST_HHDMATCH);
@ -1430,9 +1428,8 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
continue;
if (fd->flags & FLOW_PKT_TOCLIENT) {
/* check for uricontent + from_server/to_client */
if (s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
/* check for request + from_server/to_client */
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HUADMATCH] != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use uricontent "
@ -1580,8 +1577,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
}
}
if (s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH] ||
if (s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] ||
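Review bot: In the `FLOW_PKT_TOCLIENT` check of SigValidate, dropping `DETECT_SM_LIST_UMATCH` from the condition means a rule that pairs an http_uri match with to_client/from_server is no longer rejected by this test. Unless the direction of the dynamic http_uri list is validated somewhere not visible in these hunks, such a rule would load and then never match, which is a silent detection gap. Either test the http_uri buffer's list in this condition as well, or add a comment such as `/* http_uri is a dynamic buffer; its direction is checked elsewhere */` that names the place. The log message still begins with `can't use uricontent ` although the comment now says "request", so the two should be brought into line. SigValidate starts and ends outside these hunks.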

@ -395,13 +395,15 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr,
/* buffer selection */
case 'U': /* snort's option */
case 'U': { /* snort's option */
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'U' inconsistent with 'B'");
goto error;
}
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_UMATCH);
int list = DetectBufferTypeGetByName("http_uri");
*sm_list = DetectPcreSetList(*sm_list, list);
break;
}
case 'V':
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'V' inconsistent with 'B'");
@ -440,7 +442,7 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr,
case 'D': /* snort's option */
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HRHDMATCH);
break;
case 'M': /* snort's option */
case 'M': { /* snort's option */
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'M' inconsistent with 'B'");
goto error;
@ -448,6 +450,7 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr,
int list = DetectBufferTypeGetByName("http_method");
*sm_list = DetectPcreSetList(*sm_list, list);
break;
}
case 'C': /* snort's option */
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'C' inconsistent with 'B'");
@ -666,8 +669,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
if (DetectPcreParseCapture(regexstr, de_ctx, pd) < 0)
goto error;
if (parsed_sm_list == DETECT_SM_LIST_UMATCH ||
parsed_sm_list == DETECT_SM_LIST_HRUDMATCH ||
if (parsed_sm_list == DETECT_SM_LIST_HRUDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HCBDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HHDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HRHDMATCH ||
@ -707,7 +709,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
sm_list = parsed_sm_list;
break;
case DETECT_SM_LIST_UMATCH:
case DETECT_SM_LIST_HRUDMATCH:
case DETECT_SM_LIST_HHDMATCH:
case DETECT_SM_LIST_HRHDMATCH:

@ -58,12 +58,10 @@
/* prototypes */
static int DetectUricontentSetup (DetectEngineCtx *, Signature *, char *);
void HttpUriRegisterTests(void);
static void DetectUricontentRegisterTests(void);
static void DetectUricontentFree(void *);
int DetectAppLayerUricontentMatch (ThreadVars *, DetectEngineThreadCtx *,
Flow *, uint8_t , void *,
Signature *, SigMatch *);
void DetectUricontentFree(void *);
static int g_http_uri_buffer_id = 0;
/**
* \brief Registration function for uricontent: keyword
@ -75,9 +73,11 @@ void DetectUricontentRegister (void)
sigmatch_table[DETECT_URICONTENT].Match = NULL;
sigmatch_table[DETECT_URICONTENT].Setup = DetectUricontentSetup;
sigmatch_table[DETECT_URICONTENT].Free = DetectUricontentFree;
sigmatch_table[DETECT_URICONTENT].RegisterTests = HttpUriRegisterTests;
sigmatch_table[DETECT_URICONTENT].RegisterTests = DetectUricontentRegisterTests;
sigmatch_table[DETECT_URICONTENT].flags |= SIGMATCH_PAYLOAD;
g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri");
}
/**
@ -194,6 +194,7 @@ error:
#ifdef UNITTESTS
#include "detect-isdataat.h"
#include "stream-tcp-reassemble.h"
/** \test Test case where path traversal has been sent as a path string in the
@ -499,8 +500,8 @@ int DetectUriSigTest01(void)
"\" Test uricontent\"; content:\"me\"; uricontent:\"me\"; sid:1;)");
FAIL_IF_NULL(s);
BUG_ON(s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL);
FAIL_IF_NOT(de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]->type == DETECT_CONTENT);
BUG_ON(s->sm_lists[g_http_uri_buffer_id] == NULL);
FAIL_IF_NOT(de_ctx->sig_list->sm_lists[g_http_uri_buffer_id]->type == DETECT_CONTENT);
DetectEngineCtxFree(de_ctx);
PASS;
@ -777,7 +778,7 @@ static int DetectUriSigTest04(void)
"\" Test uricontent\"; "
"uricontent:\"foo\"; sid:1;)");
if (s == NULL ||
s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL ||
s->sm_lists[g_http_uri_buffer_id] == NULL ||
s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL ||
s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
{
@ -789,7 +790,7 @@ static int DetectUriSigTest04(void)
"\" Test uricontent and content\"; "
"uricontent:\"foo\"; content:\"bar\";sid:1;)");
if (s == NULL ||
s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL ||
s->sm_lists[g_http_uri_buffer_id] == NULL ||
s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
{
@ -802,7 +803,7 @@ static int DetectUriSigTest04(void)
"uricontent:\"foo\"; content:\"bar\";"
" depth:10; offset: 5; sid:1;)");
if (s == NULL ||
s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL ||
s->sm_lists[g_http_uri_buffer_id] == NULL ||
s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 ||
((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 ||
@ -817,10 +818,10 @@ static int DetectUriSigTest04(void)
"content:\"foo\"; uricontent:\"bar\";"
" depth:10; offset: 5; sid:1;)");
if (s == NULL ||
s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL ||
s->sm_lists[g_http_uri_buffer_id] == NULL ||
s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
((DetectContentData *)s->sm_lists[DETECT_SM_LIST_UMATCH]->ctx)->depth != 15 ||
((DetectContentData *)s->sm_lists[DETECT_SM_LIST_UMATCH]->ctx)->offset != 5 ||
((DetectContentData *)s->sm_lists[g_http_uri_buffer_id]->ctx)->depth != 15 ||
((DetectContentData *)s->sm_lists[g_http_uri_buffer_id]->ctx)->offset != 5 ||
s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
{
printf("sig 4 failed to parse: ");
@ -852,7 +853,7 @@ static int DetectUriSigTest04(void)
"\"two_contents\"; within:30; sid:1;)");
if (s == NULL) {
goto end;
} else if (s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL ||
} else if (s->sm_lists[g_http_uri_buffer_id] == NULL ||
s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 ||
((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 ||
@ -871,15 +872,15 @@ static int DetectUriSigTest04(void)
"\"two_uricontents\"; within:30; sid:1;)");
if (s == NULL) {
goto end;
} else if (s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL ||
} else if (s->sm_lists[g_http_uri_buffer_id] == NULL ||
s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 ||
((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 ||
((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx)->within != 30 ||
((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->within != 30 ||
s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
{
printf("sig 8 failed to parse: ");
DetectUricontentPrint((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx);
DetectUricontentPrint((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx);
goto end;
}
@ -891,7 +892,7 @@ static int DetectUriSigTest04(void)
if (s == NULL) {
goto end;
} else if (
s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL ||
s->sm_lists[g_http_uri_buffer_id] == NULL ||
s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 ||
((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 ||
@ -911,15 +912,15 @@ static int DetectUriSigTest04(void)
if (s == NULL) {
goto end;
} else if (
s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL ||
s->sm_lists[g_http_uri_buffer_id] == NULL ||
s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 ||
((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 ||
((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx)->distance != 30 ||
((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->distance != 30 ||
s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
{
printf("sig 10 failed to parse: ");
DetectUricontentPrint((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx);
DetectUricontentPrint((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx);
goto end;
}
@ -935,21 +936,21 @@ static int DetectUriSigTest04(void)
goto end;
}
if (s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL || s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
printf("umatch %p or pmatch %p: ", s->sm_lists[DETECT_SM_LIST_UMATCH], s->sm_lists[DETECT_SM_LIST_PMATCH]);
if (s->sm_lists[g_http_uri_buffer_id] == NULL || s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
printf("umatch %p or pmatch %p: ", s->sm_lists[g_http_uri_buffer_id], s->sm_lists[DETECT_SM_LIST_PMATCH]);
goto end;
}
if ( ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 ||
((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 ||
((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx)->distance != 30 ||
((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx)->within != 60 ||
((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->distance != 30 ||
((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->within != 60 ||
((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->distance != 45 ||
((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->within != 70 ||
s->sm_lists[DETECT_SM_LIST_MATCH] != NULL) {
printf("sig 10 failed to parse, content not setup properly: ");
DetectContentPrint((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx);
DetectUricontentPrint((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx);
DetectUricontentPrint((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx);
DetectContentPrint((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx);
goto end;
}
@ -1490,12 +1491,12 @@ int DetectUriSigTest12(void)
goto end;
}
if (s->sm_lists_tail[DETECT_SM_LIST_UMATCH] == NULL || s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx == NULL) {
if (s->sm_lists_tail[g_http_uri_buffer_id] == NULL || s->sm_lists_tail[g_http_uri_buffer_id]->ctx == NULL) {
printf("de_ctx->pmatch_tail == NULL && de_ctx->pmatch_tail->ctx == NULL: ");
goto end;
}
ud = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx;
ud = (DetectContentData *)s->sm_lists_tail[g_http_uri_buffer_id]->ctx;
result = (strncmp("boo", (char *)ud->content, ud->content_len) == 0);
end:
@ -1855,9 +1856,34 @@ int DetectUriContentParseTest24(void)
return result;
}
static int DetectUricontentIsdataatParseTest(void)
{
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
Signature *s = DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any ("
"uricontent:\"one\"; "
"isdataat:!4,relative; sid:1;)");
FAIL_IF_NULL(s);
SigMatch *sm = s->init_data->smlists_tail[g_http_uri_buffer_id];
FAIL_IF_NULL(sm);
FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
DetectEngineCtxFree(de_ctx);
PASS;
}
#endif /* UNITTESTS */
void HttpUriRegisterTests(void)
static void DetectUricontentRegisterTests(void)
{
#ifdef UNITTESTS
UtRegisterTest("HTTPUriTest01", HTTPUriTest01);
@ -1890,5 +1916,8 @@ void HttpUriRegisterTests(void)
UtRegisterTest("DetectUriContentParseTest22", DetectUriContentParseTest22);
UtRegisterTest("DetectUriContentParseTest23", DetectUriContentParseTest23);
UtRegisterTest("DetectUriContentParseTest24", DetectUriContentParseTest24);
UtRegisterTest("DetectUricontentIsdataatParseTest",
DetectUricontentIsdataatParseTest);
#endif /* UNITTESTS */
}
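Review bot: `static int g_http_uri_buffer_id = 0;` starts out as a value that is also a usable list index, so any use before DetectUricontentRegister has run would silently read or append to whichever list has id 0 (presumably a built-in one) rather than fail. Declaring it as `static int g_http_uri_buffer_id = -1;` and rejecting a negative id where it is used at rule-setup time would make a missed registration visible. The design also relies on `DetectBufferTypeRegister("http_uri")` returning the same id when several keyword files call it, and a one-line comment next to the call saying so would help the next reader. The same declaration and call are added in the urilen hunks.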

@ -32,6 +32,7 @@
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-state.h"
#include "detect-urilen.h"
@ -53,6 +54,8 @@ static int DetectUrilenSetup (DetectEngineCtx *, Signature *, char *);
void DetectUrilenFree (void *);
void DetectUrilenRegisterTests (void);
static int g_http_uri_buffer_id = 0;
/**
* \brief Registration function for urilen: keyword
*/
@ -70,6 +73,8 @@ void DetectUrilenRegister(void)
sigmatch_table[DETECT_AL_URILEN].flags |= SIGMATCH_PAYLOAD;
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri");
}
/**
@ -260,7 +265,7 @@ static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, char *urile
if (urilend->raw_buffer)
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRUDMATCH);
else
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH);
SigMatchAppendSMToList(s, sm, g_http_uri_buffer_id);
/* Flagged the signature as to inspect the app layer data */
s->flags |= SIG_FLAG_APPLAYER;

@ -1912,9 +1912,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL)
return 0;
@ -2017,9 +2014,6 @@ static int SignatureIsPDOnly(const Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL)
return 0;
@ -2149,7 +2143,6 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s)
}
if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL ||
@ -2313,11 +2306,6 @@ static int SignatureCreateMask(Signature *s)
SCLogDebug("sig requires dce state");
}
if (s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
SCLogDebug("sig requires http state");
}
if (s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
SCLogDebug("sig requires http app state");
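Review bot: The `DETECT_SM_LIST_UMATCH` tests removed from SignatureIsIPOnly, SignatureIsPDOnly and SignatureIsDEOnly have no visible replacement in these hunks. Whether a rule whose only content sits in the http_uri buffer is still kept out of those classes therefore depends on code outside them. If these functions do not already walk the dynamically registered lists, such a rule could be classified as IP-only, PD-only or DE-only and never reach URI inspection. A unit test asserting that a rule with only `content:"one"; http_uri;` is not IP-only would pin this down. All four functions touched here continue outside the hunks.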

@ -115,10 +115,8 @@ enum DetectSigmatchListEnum {
DETECT_SM_LIST_BUILTIN_MAX,
/* list for http_uri keyword and the ones relative to it */
DETECT_SM_LIST_UMATCH = DETECT_SM_LIST_BUILTIN_MAX,
/* list for http_raw_uri keyword and the ones relative to it */
DETECT_SM_LIST_HRUDMATCH,
DETECT_SM_LIST_HRUDMATCH = DETECT_SM_LIST_BUILTIN_MAX,
/* list for http_client_body keyword and the ones relative to it */
DETECT_SM_LIST_HCBDMATCH,
/* list for http_header keyword and the ones relative to it */
