|
|
|
|
@ -362,10 +362,16 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
|
|
|
|
|
} else if (smd->type == DETECT_ISDATAAT) {
|
|
|
|
|
SCLogDebug("inspecting isdataat");
|
|
|
|
|
|
|
|
|
|
DetectIsdataatData *id = (DetectIsdataatData *)smd->ctx;
|
|
|
|
|
const DetectIsdataatData *id = (DetectIsdataatData *)smd->ctx;
|
|
|
|
|
uint32_t dataat = id->dataat;
|
|
|
|
|
if (id->flags & ISDATAAT_OFFSET_BE) {
|
|
|
|
|
dataat = det_ctx->bj_values[dataat];
|
|
|
|
|
SCLogDebug("isdataat: using value %u from byte_extract local_id %u", dataat, id->dataat);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (id->flags & ISDATAAT_RELATIVE) {
|
|
|
|
|
if (det_ctx->buffer_offset + id->dataat > buffer_len) {
|
|
|
|
|
SCLogDebug("det_ctx->buffer_offset + id->dataat %"PRIu32" > %"PRIu32, det_ctx->buffer_offset + id->dataat, buffer_len);
|
|
|
|
|
if (det_ctx->buffer_offset + dataat > buffer_len) {
|
|
|
|
|
SCLogDebug("det_ctx->buffer_offset + dataat %"PRIu32" > %"PRIu32, det_ctx->buffer_offset + dataat, buffer_len);
|
|
|
|
|
if (id->flags & ISDATAAT_NEGATED)
|
|
|
|
|
goto match;
|
|
|
|
|
goto no_match;
|
|
|
|
|
@ -376,13 +382,13 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
|
|
|
|
|
goto match;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if (id->dataat < buffer_len) {
|
|
|
|
|
if (dataat < buffer_len) {
|
|
|
|
|
SCLogDebug("absolute isdataat match");
|
|
|
|
|
if (id->flags & ISDATAAT_NEGATED)
|
|
|
|
|
goto no_match;
|
|
|
|
|
goto match;
|
|
|
|
|
} else {
|
|
|
|
|
SCLogDebug("absolute isdataat mismatch, id->isdataat %"PRIu32", buffer_len %"PRIu32"", id->dataat, buffer_len);
|
|
|
|
|
SCLogDebug("absolute isdataat mismatch, id->isdataat %"PRIu32", buffer_len %"PRIu32"", dataat, buffer_len);
|
|
|
|
|
if (id->flags & ISDATAAT_NEGATED)
|
|
|
|
|
goto match;
|
|
|
|
|
goto no_match;
|
|
|
|
|
|
Victor Julien
8 years ago