file_data: dynamic buffer

pull/2559/head
Victor Julien 9 years ago
parent 7052f9b933
commit 6bd37611ee

@ -74,6 +74,8 @@ int DetectBase64DataDoMatch(DetectEngineCtx *de_ctx,
#include "detect-engine.h"
static int g_file_data_buffer_id = 0;
static int DetectBase64DataSetupTest01(void)
{
DetectEngineCtx *de_ctx = NULL;
@ -151,7 +153,7 @@ static int DetectBase64DataSetupTest02(void)
goto end;
}
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA];
sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id];
if (sm == NULL) {
printf("DETECT_SM_LIST_FILEDATA is NULL: ");
goto end;
@ -249,6 +251,8 @@ end:
static void DetectBase64DataRegisterTests(void)
{
#ifdef UNITTESTS
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
UtRegisterTest("DetectBase64DataSetupTest01", DetectBase64DataSetupTest01);
UtRegisterTest("DetectBase64DataSetupTest02", DetectBase64DataSetupTest02);
UtRegisterTest("DetectBase64DataSetupTest03", DetectBase64DataSetupTest03);
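Review bot: The value returned by `DetectBufferTypeGetByName("file_data")` in DetectBase64DataRegisterTests is stored and then used as an array index (`sm_lists[g_file_data_buffer_id]` in DetectBase64DataSetupTest02) with no check that the lookup succeeded. If the name is not registered by the time the tests are registered, the index is whatever the lookup returns on failure (a negative value, as far as I know), so the test would read outside the list array instead of failing cleanly. A guard right after the lookup, such as `BUG_ON(g_file_data_buffer_id < 0);`, would catch this. The same unchecked lookup is added to the byte_extract, bytejump, bytetest, content and fast_pattern test registration, and the fast_pattern tests also dereference `sm_lists_tail[g_file_data_buffer_id]->ctx` without a NULL check. The message `"DETECT_SM_LIST_FILEDATA is NULL: "` is now stale and should name the file_data buffer; the test bodies start and end outside these hunks.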

@ -520,16 +520,8 @@ static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
int sm_list;
if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
if (s->init_data->list == DETECT_SM_LIST_FILEDATA) {
if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "dce byte_extract specified "
"with file_data option set.");
goto error;
}
AppLayerHtpEnableResponseBodyCallback();
}
sm_list = s->init_data->list;
s->flags |= SIG_FLAG_APPLAYER;
if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
}
@ -679,6 +671,8 @@ SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
#ifdef UNITTESTS
static int g_file_data_buffer_id = 0;
static int DetectByteExtractTest01(void)
{
int result = 0;
@ -4634,11 +4628,11 @@ static int DetectByteExtractTest62(void)
goto end;
}
if (s->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL) {
if (s->sm_lists_tail[g_file_data_buffer_id] == NULL) {
goto end;
}
sm = s->sm_lists[DETECT_SM_LIST_FILEDATA];
sm = s->sm_lists[g_file_data_buffer_id];
if (sm->type != DETECT_BYTE_EXTRACT) {
result = 0;
goto end;
@ -4736,6 +4730,8 @@ static int DetectByteExtractTestParseNoBase(void)
static void DetectByteExtractRegisterTests(void)
{
#ifdef UNITTESTS
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
UtRegisterTest("DetectByteExtractTest01", DetectByteExtractTest01);
UtRegisterTest("DetectByteExtractTest02", DetectByteExtractTest02);
UtRegisterTest("DetectByteExtractTest03", DetectByteExtractTest03);
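Review bot: DetectByteExtractSetup no longer rejects a rule that combines `file_data` with DCE endianness. The branch that logged "dce byte_extract specified with file_data option set." and jumped to `error` is removed, and nothing visible on this page replaces it; DetectFiledataSetupCallback only enables a body callback and sets mask bits. Unless the check moved somewhere not shown, such a rule now loads instead of failing validation. I would restore the removed block with its outer condition keyed on the dynamic id, `if (s->init_data->list == DetectBufferTypeGetByName("file_data")) {`. The equivalent DCE rejection was also dropped from DetectBytejumpSetup and DetectBytetestSetup; all three function bodies extend beyond their hunks.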

@ -519,16 +519,8 @@ static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts
int sm_list;
if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
if (s->init_data->list == DETECT_SM_LIST_FILEDATA) {
if (data->flags & DETECT_BYTEJUMP_DCE) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "dce bytejump specified "
"with file_data option set.");
goto error;
}
AppLayerHtpEnableResponseBodyCallback();
}
sm_list = s->init_data->list;
s->flags |= SIG_FLAG_APPLAYER;
if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
}
@ -647,6 +639,8 @@ static void DetectBytejumpFree(void *ptr)
/* UNITTESTS */
#ifdef UNITTESTS
#include "util-unittest-helper.h"
static int g_file_data_buffer_id = 0;
/**
* \test DetectBytejumpTestParse01 is a test to make sure that we return
* "something" when given valid bytejump opt
@ -1070,15 +1064,15 @@ static int DetectBytejumpTestParse12(void)
}
s = de_ctx->sig_list;
if (s->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL) {
if (s->sm_lists_tail[g_file_data_buffer_id] == NULL) {
goto end;
}
if (s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_BYTEJUMP) {
if (s->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_BYTEJUMP) {
goto end;
}
bd = (DetectBytejumpData *)s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
bd = (DetectBytejumpData *)s->sm_lists_tail[g_file_data_buffer_id]->ctx;
if ((bd->flags & DETECT_BYTEJUMP_DCE) &&
(bd->flags & DETECT_BYTEJUMP_RELATIVE) &&
(bd->flags & DETECT_BYTEJUMP_STRING) &&
@ -1295,6 +1289,8 @@ end:
static void DetectBytejumpRegisterTests(void)
{
#ifdef UNITTESTS
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
UtRegisterTest("DetectBytejumpTestParse01", DetectBytejumpTestParse01);
UtRegisterTest("DetectBytejumpTestParse02", DetectBytejumpTestParse02);
UtRegisterTest("DetectBytejumpTestParse03", DetectBytejumpTestParse03);

@ -446,16 +446,8 @@ static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts
int sm_list;
if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
if (s->init_data->list == DETECT_SM_LIST_FILEDATA) {
if (data->flags & DETECT_BYTETEST_DCE) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "dce bytetest specified "
"with file_data option set.");
goto error;
}
AppLayerHtpEnableResponseBodyCallback();
}
sm_list = s->init_data->list;
s->flags |= SIG_FLAG_APPLAYER;
if (data->flags & DETECT_BYTETEST_RELATIVE) {
prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
}
@ -585,6 +577,8 @@ static void DetectBytetestFree(void *ptr)
/* UNITTESTS */
#ifdef UNITTESTS
#include "util-unittest-helper.h"
static int g_file_data_buffer_id = 0;
/**
* \test DetectBytetestTestParse01 is a test to make sure that we return "something"
* when given valid bytetest opt
@ -1248,17 +1242,17 @@ static int DetectBytetestTestParse22(void)
}
s = de_ctx->sig_list;
if (s->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL) {
if (s->sm_lists_tail[g_file_data_buffer_id] == NULL) {
printf("empty server body list: ");
goto end;
}
if (s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_BYTETEST) {
if (s->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_BYTETEST) {
printf("bytetest not last sm in server body list: ");
goto end;
}
bd = (DetectBytetestData *)s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
bd = (DetectBytetestData *)s->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (bd->flags & DETECT_BYTETEST_DCE &&
bd->flags & DETECT_BYTETEST_RELATIVE &&
(bd->flags & DETECT_BYTETEST_STRING) &&
@ -1441,6 +1435,8 @@ end:
static void DetectBytetestRegisterTests(void)
{
#ifdef UNITTESTS
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
UtRegisterTest("DetectBytetestTestParse01", DetectBytetestTestParse01);
UtRegisterTest("DetectBytetestTestParse02", DetectBytetestTestParse02);
UtRegisterTest("DetectBytetestTestParse03", DetectBytetestTestParse03);

@ -385,16 +385,8 @@ int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, char *contentstr)
goto error;
DetectContentPrint(cd);
int sm_list;
if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
if (s->init_data->list == DETECT_SM_LIST_FILEDATA && s->alproto == ALPROTO_HTTP) {
AppLayerHtpEnableResponseBodyCallback();
s->alproto = ALPROTO_HTTP;
}
s->flags |= SIG_FLAG_APPLAYER;
sm_list = s->init_data->list;
} else {
int sm_list = s->init_data->list;
if (sm_list == DETECT_SM_LIST_NOTSET) {
sm_list = DETECT_SM_LIST_PMATCH;
}
@ -432,6 +424,7 @@ void DetectContentFree(void *ptr)
}
#ifdef UNITTESTS /* UNITTESTS */
static int g_file_data_buffer_id = 0;
/**
* \test DetectCotentParseTest01 this is a test to make sure we can deal with escaped colons
@ -1950,7 +1943,7 @@ static int DetectContentParseTest36(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
printf("content not in FILEDATA list: ");
goto end;
}
@ -1990,7 +1983,7 @@ static int DetectContentParseTest37(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
printf("content not in FILEDATA list: ");
goto end;
}
@ -2030,7 +2023,7 @@ static int DetectContentParseTest38(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
printf("content not in FILEDATA list: ");
goto end;
}
@ -2114,7 +2107,7 @@ static int DetectContentParseTest39(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
printf("content not in FILEDATA list: ");
goto end;
}
@ -2154,7 +2147,7 @@ static int DetectContentParseTest40(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
printf("content not in FILEDATA list: ");
goto end;
}
@ -2855,6 +2848,8 @@ static int DetectLongContentTest3(void)
static void DetectContentRegisterTests(void)
{
#ifdef UNITTESTS /* UNITTESTS */
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
UtRegisterTest("DetectContentParseTest01", DetectContentParseTest01);
UtRegisterTest("DetectContentParseTest02", DetectContentParseTest02);
UtRegisterTest("DetectContentParseTest03", DetectContentParseTest03);
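Review bot: With `AppLayerHtpEnableResponseBodyCallback()` removed from DetectContentSetup, enabling HTTP body buffering for `file_data` rules is left to the buffer's setup callback, but the DetectFiledataSetupCallback shown further down this page calls `AppLayerHtpEnableRequestBodyCallback()` instead. The HTTP inspect engine registered for the buffer is the to-client `DetectEngineInspectHttpServerBody`, so unless the response-body callback is enabled somewhere not shown, file_data rules may have no response body to inspect and silently fail to match. I would change that line in the callback to `AppLayerHtpEnableResponseBodyCallback();`. The same call was removed from the byte_extract, bytejump and bytetest setup functions, so they depend on the callback in the same way; DetectContentSetup continues outside this hunk.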

@ -126,8 +126,6 @@ void EngineAnalysisFP(Signature *s, char *line)
fprintf(fp_engine_analysis_FD, "http cookie content\n");
else if (list_type == DETECT_SM_LIST_HCBDMATCH)
fprintf(fp_engine_analysis_FD, "http client body content\n");
else if (list_type == DETECT_SM_LIST_FILEDATA)
fprintf(fp_engine_analysis_FD, "http server body content\n");
else if (list_type == DETECT_SM_LIST_HSCDMATCH)
fprintf(fp_engine_analysis_FD, "http stat code content\n");
else if (list_type == DETECT_SM_LIST_HSMDMATCH)
@ -482,8 +480,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s)
fprintf(rule_engine_analysis_FD, "http cookie content");
else if (list_type == DETECT_SM_LIST_HCBDMATCH)
fprintf(rule_engine_analysis_FD, "http client body content");
else if (list_type == DETECT_SM_LIST_FILEDATA)
fprintf(rule_engine_analysis_FD, "http server body content");
else if (list_type == DETECT_SM_LIST_HSCDMATCH)
fprintf(rule_engine_analysis_FD, "http stat code content");
else if (list_type == DETECT_SM_LIST_HSMDMATCH)
@ -588,6 +584,9 @@ void EngineAnalysisRules(const Signature *s, const char *line)
uint32_t warn_no_direction = 0;
uint32_t warn_both_direction = 0;
const int nlists = DetectBufferTypeMaxId();
const int filedata_id = DetectBufferTypeGetByName("file_data");
if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) {
rule_bidirectional = 1;
}
@ -606,8 +605,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
rule_ipv6_only += 1;
}
for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
for (list_id = 0; list_id < nlists; list_id++) {
SigMatch *sm = NULL;
for (sm = s->init_data->smlists[list_id]; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_PCRE) {
@ -631,7 +629,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
norm_http_buf += 1;
http_cookie_buf += 1;
}
else if (list_id == DETECT_SM_LIST_FILEDATA) {
else if (list_id == filedata_id) {
rule_pcre_http += 1;
http_server_body_buf += 1;
raw_http_buf += 1;
@ -697,7 +695,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
raw_http_buf += 1;
http_client_body_buf += 1;
}
else if (list_id == DETECT_SM_LIST_FILEDATA) {
else if (list_id == filedata_id) {
rule_content_http += 1;
raw_http_buf += 1;
http_server_body_buf += 1;
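Review bot: EngineAnalysisFP and EngineAnalysisRulesPrintFP lose their `DETECT_SM_LIST_FILEDATA` branch with no replacement, so a fast pattern in the file_data buffer now falls through to whatever the end of the `else if` chain prints, which lies outside these hunks. EngineAnalysisRules already resolves the id as `filedata_id`; the two print helpers could do the same with `else if (list_type == DetectBufferTypeGetByName("file_data"))` ahead of the removed `fprintf`, or print the description registered for the buffer. Separately, the branches under `list_id == filedata_id` still count the rule as HTTP (`http_server_body_buf`, `raw_http_buf`) although the buffer is now described as also covering SMTP attachment data, so the analysis report can mislabel SMTP file_data rules.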

@ -2804,8 +2804,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
return "http raw uri";
case DETECT_SM_LIST_HCBDMATCH:
return "http client body";
case DETECT_SM_LIST_FILEDATA:
return "http server body";
case DETECT_SM_LIST_HHDMATCH:
return "http headers";
case DETECT_SM_LIST_HRHDMATCH:

@ -321,6 +321,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
/*----------------------------------Unittests---------------------------------*/
#ifdef UNITTESTS
static int g_file_data_buffer_id = 0;
/**
* \test Checks if a fast_pattern is registered in a Signature
@ -12883,7 +12884,7 @@ int DetectFastPatternTest466(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -12921,7 +12922,7 @@ int DetectFastPatternTest467(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA];
sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
@ -12958,7 +12959,7 @@ int DetectFastPatternTest468(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA];
sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
@ -12989,7 +12990,7 @@ int DetectFastPatternTest469(void)
if (de_ctx->sig_list == NULL)
goto end;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA];
sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id];
if (sm == NULL) {
goto end;
}
@ -13025,7 +13026,7 @@ int DetectFastPatternTest470(void)
if (de_ctx->sig_list == NULL)
goto end;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA];
sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id];
if (sm == NULL) {
goto end;
}
@ -13270,7 +13271,7 @@ int DetectFastPatternTest480(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -13303,7 +13304,7 @@ int DetectFastPatternTest481(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -13336,7 +13337,7 @@ int DetectFastPatternTest482(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -13369,7 +13370,7 @@ int DetectFastPatternTest483(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -13401,7 +13402,7 @@ int DetectFastPatternTest484(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -13527,7 +13528,7 @@ int DetectFastPatternTest489(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -13560,7 +13561,7 @@ int DetectFastPatternTest490(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -13593,7 +13594,7 @@ int DetectFastPatternTest491(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -13626,7 +13627,7 @@ int DetectFastPatternTest492(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -13659,7 +13660,7 @@ int DetectFastPatternTest493(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -13692,7 +13693,7 @@ int DetectFastPatternTest494(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -13725,7 +13726,7 @@ int DetectFastPatternTest495(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -13758,7 +13759,7 @@ int DetectFastPatternTest496(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -13791,7 +13792,7 @@ int DetectFastPatternTest497(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -13899,7 +13900,7 @@ int DetectFastPatternTest501(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -14029,7 +14030,7 @@ int DetectFastPatternTest506(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -14089,7 +14090,7 @@ int DetectFastPatternTest508(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA];
sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
@ -14126,7 +14127,7 @@ int DetectFastPatternTest509(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA];
sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
@ -14157,7 +14158,7 @@ int DetectFastPatternTest510(void)
if (de_ctx->sig_list == NULL)
goto end;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA];
sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id];
if (sm == NULL) {
goto end;
}
@ -14193,7 +14194,7 @@ int DetectFastPatternTest511(void)
if (de_ctx->sig_list == NULL)
goto end;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA];
sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id];
if (sm == NULL) {
goto end;
}
@ -14438,7 +14439,7 @@ int DetectFastPatternTest521(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -14471,7 +14472,7 @@ int DetectFastPatternTest522(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -14504,7 +14505,7 @@ int DetectFastPatternTest523(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -14537,7 +14538,7 @@ int DetectFastPatternTest524(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -14569,7 +14570,7 @@ int DetectFastPatternTest525(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -14695,7 +14696,7 @@ int DetectFastPatternTest530(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -14728,7 +14729,7 @@ int DetectFastPatternTest531(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -14761,7 +14762,7 @@ int DetectFastPatternTest532(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -14794,7 +14795,7 @@ int DetectFastPatternTest533(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -14827,7 +14828,7 @@ int DetectFastPatternTest534(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -14860,7 +14861,7 @@ int DetectFastPatternTest535(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -14893,7 +14894,7 @@ int DetectFastPatternTest536(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -14926,7 +14927,7 @@ int DetectFastPatternTest537(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -14959,7 +14960,7 @@ int DetectFastPatternTest538(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -15067,7 +15068,7 @@ int DetectFastPatternTest542(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -15197,7 +15198,7 @@ int DetectFastPatternTest547(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -18820,8 +18821,9 @@ int DetectFastPatternTest671(void)
void DetectFastPatternRegisterTests(void)
{
#ifdef UNITTESTS
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01);
UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02);
UtRegisterTest("DetectFastPatternTest03", DetectFastPatternTest03);

@ -48,6 +48,9 @@
static int DetectFiledataSetup (DetectEngineCtx *, Signature *, char *);
static void DetectFiledataRegisterTests(void);
static void DetectFiledataSetupCallback(Signature *s);
static int g_file_data_buffer_id = 0;
/**
* \brief Registration function for keyword: file_data
*/
@ -63,19 +66,25 @@ void DetectFiledataRegister(void)
sigmatch_table[DETECT_FILE_DATA].RegisterTests = DetectFiledataRegisterTests;
sigmatch_table[DETECT_FILE_DATA].flags = SIGMATCH_NOOPT;
DetectMpmAppLayerRegister("file_data", SIG_FLAG_TOSERVER,
DETECT_SM_LIST_FILEDATA, 2,
DetectAppLayerMpmRegister("file_data", SIG_FLAG_TOSERVER, 2,
PrefilterTxSmtpFiledataRegister);
DetectMpmAppLayerRegister("file_data", SIG_FLAG_TOCLIENT,
DETECT_SM_LIST_FILEDATA, 2,
DetectAppLayerMpmRegister("file_data", SIG_FLAG_TOCLIENT, 2,
PrefilterTxHttpResponseBodyRegister);
DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
DETECT_SM_LIST_FILEDATA,
DetectAppLayerInspectEngineRegister2("file_data",
ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
DetectEngineInspectHttpServerBody);
DetectAppLayerInspectEngineRegister(ALPROTO_SMTP, SIG_FLAG_TOSERVER,
DETECT_SM_LIST_FILEDATA,
DetectAppLayerInspectEngineRegister2("file_data",
ALPROTO_SMTP, SIG_FLAG_TOSERVER,
DetectEngineInspectSMTPFiledata);
DetectBufferTypeRegisterSetupCallback("file_data",
DetectFiledataSetupCallback);
DetectBufferTypeSetDescriptionByName("file_data",
"http response body or smtp attachments data");
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
}
/**
@ -114,12 +123,27 @@ static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, char *str
return -1;
}
s->init_data->list = DETECT_SM_LIST_FILEDATA;
s->init_data->list = DetectBufferTypeGetByName("file_data");
return 0;
}
static void DetectFiledataSetupCallback(Signature *s)
{
if (s->alproto == ALPROTO_HTTP || s->alproto == ALPROTO_UNKNOWN) {
AppLayerHtpEnableRequestBodyCallback();
}
if (s->alproto == ALPROTO_HTTP) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
} else if (s->alproto == ALPROTO_SMTP) {
s->mask |= SIG_MASK_REQUIRE_SMTP_STATE;
}
SCLogDebug("callback invoked by %u", s->id);
}
#ifdef UNITTESTS
#include "detect-isdataat.h"
static int DetectFiledataParseTest01(void)
{
DetectEngineCtx *de_ctx = NULL;
@ -143,7 +167,7 @@ static int DetectFiledataParseTest01(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
printf("content not in FILEDATA list: ");
goto end;
}
@ -180,7 +204,7 @@ static int DetectFiledataParseTest02(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
printf("content not in FILEDATA list: ");
goto end;
}
@ -217,7 +241,7 @@ static int DetectFiledataParseTest03(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
printf("content not in FILEDATA list: ");
goto end;
}
@ -286,6 +310,60 @@ end:
return result;
}
static int DetectFiledataIsdataatParseTest1(void)
{
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
Signature *s = DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any ("
"file_data; content:\"one\"; "
"isdataat:!4,relative; sid:1;)");
FAIL_IF_NULL(s);
SigMatch *sm = s->init_data->smlists[g_file_data_buffer_id];
FAIL_IF_NULL(sm);
FAIL_IF_NOT(sm->type == DETECT_CONTENT);
sm = sm->next;
FAIL_IF_NULL(sm);
FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
DetectEngineCtxFree(de_ctx);
PASS;
}
static int DetectFiledataIsdataatParseTest2(void)
{
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
Signature *s = DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any ("
"file_data; "
"isdataat:!4,relative; sid:1;)");
FAIL_IF_NULL(s);
SigMatch *sm = s->init_data->smlists_tail[g_file_data_buffer_id];
FAIL_IF_NULL(sm);
FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
DetectEngineCtxFree(de_ctx);
PASS;
}
#endif
void DetectFiledataRegisterTests(void)
@ -296,5 +374,10 @@ void DetectFiledataRegisterTests(void)
UtRegisterTest("DetectFiledataParseTest03", DetectFiledataParseTest03);
UtRegisterTest("DetectFiledataParseTest04", DetectFiledataParseTest04);
UtRegisterTest("DetectFiledataParseTest05", DetectFiledataParseTest05);
UtRegisterTest("DetectFiledataIsdataatParseTest1",
DetectFiledataIsdataatParseTest1);
UtRegisterTest("DetectFiledataIsdataatParseTest2",
DetectFiledataIsdataatParseTest2);
#endif
}

@ -59,9 +59,11 @@
#include "detect-http-server-body.h"
#include "stream-tcp.h"
int DetectHttpServerBodySetup(DetectEngineCtx *, Signature *, char *);
void DetectHttpServerBodyRegisterTests(void);
void DetectHttpServerBodyFree(void *);
static int DetectHttpServerBodySetup(DetectEngineCtx *, Signature *, char *);
static void DetectHttpServerBodyRegisterTests(void);
static void DetectHttpServerBodyFree(void *);
static int g_file_data_buffer_id = 0;
/**
* \brief Registers the keyword handlers for the "http_server_body" keyword.
@ -78,15 +80,9 @@ void DetectHttpServerBodyRegister(void)
sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].RegisterTests = DetectHttpServerBodyRegisterTests;
sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].flags |= SIGMATCH_PAYLOAD ;
}
sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].flags |= SIGMATCH_PAYLOAD;
static void DetectHttpServerBodySetupCallback(Signature *s)
{
s->flags |= SIG_FLAG_APPLAYER;
AppLayerHtpEnableResponseBodyCallback();
return;
g_file_data_buffer_id = DetectBufferTypeRegister("file_data");
}
/**
@ -106,9 +102,8 @@ int DetectHttpServerBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_SERVER_BODY,
DETECT_SM_LIST_FILEDATA,
ALPROTO_HTTP,
DetectHttpServerBodySetupCallback);
g_file_data_buffer_id,
ALPROTO_HTTP, NULL);
}
/**
@ -166,7 +161,7 @@ static int DetectHttpServerBodyTest01(void)
goto end;
}
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA];
sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id];
if (sm == NULL) {
goto end;
}
@ -1815,15 +1810,15 @@ int DetectHttpServerBodyTest22(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
goto end;
}
DetectContentData *cd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (cd1->flags != 0 || memcmp(cd1->content, "one", cd1->content_len) != 0 ||
cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
@ -1870,15 +1865,15 @@ int DetectHttpServerBodyTest23(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (pd1->flags != 0 ||
cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
@ -1924,15 +1919,15 @@ int DetectHttpServerBodyTest24(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (pd1->flags != 0 ||
cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
@ -1979,15 +1974,15 @@ int DetectHttpServerBodyTest25(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (pd1->flags != DETECT_PCRE_RELATIVE_NEXT ||
cd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
@ -2035,15 +2030,15 @@ int DetectHttpServerBodyTest26(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
cd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
@ -2118,15 +2113,15 @@ int DetectHttpServerBodyTest28(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
cd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
@ -2173,13 +2168,13 @@ int DetectHttpServerBodyTest29(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
goto end;
}
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hsbd1->content, "one", hsbd1->content_len) != 0 ||
hsbd2->flags != DETECT_CONTENT_DISTANCE ||
@ -2217,13 +2212,13 @@ int DetectHttpServerBodyTest30(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
goto end;
}
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hsbd1->content, "one", hsbd1->content_len) != 0 ||
hsbd2->flags != DETECT_CONTENT_WITHIN ||
@ -2316,38 +2311,32 @@ int DetectHttpServerBodyTest34(void)
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
goto end;
de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(pcre:/one/Q; "
"content:\"two\"; within:5; http_server_body; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
}
FAIL_IF_NULL(de_ctx->sig_list);
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
goto end;
}
FAIL_IF_NOT_NULL(de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH]);
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
goto end;
}
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_CONTENT ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->type != DETECT_PCRE) {
if (de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id] == NULL ||
de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_CONTENT ||
de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->type != DETECT_PCRE) {
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hsbd2->flags != DETECT_CONTENT_WITHIN ||
memcmp(hsbd2->content, "two", hsbd2->content_len) != 0) {
@ -2384,21 +2373,21 @@ int DetectHttpServerBodyTest35(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
goto end;
}
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_PCRE ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->type != DETECT_CONTENT) {
if (de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id] == NULL ||
de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_PCRE ||
de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->type != DETECT_CONTENT) {
goto end;
}
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hsbd1->content, "two", hsbd1->content_len) != 0) {
@ -2435,21 +2424,21 @@ int DetectHttpServerBodyTest36(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
goto end;
}
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_CONTENT ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->type != DETECT_PCRE) {
if (de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id] == NULL ||
de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_CONTENT ||
de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->type != DETECT_PCRE) {
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hsbd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(hsbd2->content, "two", hsbd2->content_len) != 0) {
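Review bot: With `DetectHttpServerBodySetupCallback` removed and `NULL` passed to `DetectEngineContentModifierBufferSetup`, nothing in this file calls `AppLayerHtpEnableResponseBodyCallback()` any more, and the shared `DetectFiledataSetupCallback` shown earlier on this page calls `AppLayerHtpEnableRequestBodyCallback()` instead. If that callback is the only place the body hook is enabled for the `file_data` buffer (not visible here), `http_server_body` rules could load cleanly and then never be handed a response body, which is a silent detection gap. I would change the callback to call `AppLayerHtpEnableResponseBodyCallback();`, or enable both directions and say why in a comment. The same enable call is dropped from the `file_data` branches of `DetectIsdataatSetup` and `DetectPcreSetup` further down.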

@ -211,12 +211,8 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
int sm_list;
if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
if (s->init_data->list == DETECT_SM_LIST_FILEDATA) {
AppLayerHtpEnableResponseBodyCallback();
s->alproto = ALPROTO_HTTP;
}
sm_list = s->init_data->list;
s->flags |= SIG_FLAG_APPLAYER;
if (idad->flags & ISDATAAT_RELATIVE) {
prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
}
@ -828,103 +824,6 @@ int DetectIsdataatTestParse13(void)
return result;
}
static int DetectIsdataatTestParse14(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
Signature *s = NULL;
DetectIsdataatData *data = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing file_data and isdataat\"; "
"file_data; content:\"one\"; "
"isdataat:!4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
s = de_ctx->sig_list;
if (s->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL) {
printf("server body list empty: ");
goto end;
}
if (s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_ISDATAAT) {
printf("last server body sm not isdataat: ");
goto end;
}
data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
if ( !(data->flags & ISDATAAT_RELATIVE) ||
(data->flags & ISDATAAT_RAWBYTES) ||
!(data->flags & ISDATAAT_NEGATED) ) {
goto end;
}
result = 1;
end:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test file_data with isdataat relative to it
*/
static int DetectIsdataatTestParse15(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
Signature *s = NULL;
DetectIsdataatData *data = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing file_data and isdataat\"; "
"file_data; isdataat:!4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("sig parse: ");
goto end;
}
s = de_ctx->sig_list;
if (s->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL) {
printf("server body list empty: ");
goto end;
}
if (s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_ISDATAAT) {
printf("last server body sm not isdataat: ");
goto end;
}
data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
if ( !(data->flags & ISDATAAT_RELATIVE) ||
(data->flags & ISDATAAT_RAWBYTES) ||
!(data->flags & ISDATAAT_NEGATED) ) {
goto end;
}
result = 1;
end:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test dns_query with isdataat relative to it
*/
@ -1100,8 +999,6 @@ void DetectIsdataatRegisterTests(void)
UtRegisterTest("DetectIsdataatTestParse11", DetectIsdataatTestParse11);
UtRegisterTest("DetectIsdataatTestParse12", DetectIsdataatTestParse12);
UtRegisterTest("DetectIsdataatTestParse13", DetectIsdataatTestParse13);
UtRegisterTest("DetectIsdataatTestParse14", DetectIsdataatTestParse14);
UtRegisterTest("DetectIsdataatTestParse15", DetectIsdataatTestParse15);
UtRegisterTest("DetectIsdataatTestParse16", DetectIsdataatTestParse16);
UtRegisterTest("DetectIsdataatTestPacket01", DetectIsdataatTestPacket01);
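Review bot: The deleted `file_data` branch in `DetectIsdataatSetup` also pinned the rule with `s->alproto = ALPROTO_HTTP;`, whereas the replacement callback shown earlier on this page sets `SIG_MASK_REQUIRE_HTTP_STATE` or `SIG_MASK_REQUIRE_SMTP_STATE` only when `s->alproto` already has one of those two values. For an `alert tcp` rule like the one in the relocated tests, the protocol presumably stays unknown and neither mask bit is set, so a short comment at `sm_list = s->init_data->list;` should say whether that is intended for the HTTP-or-SMTP buffer. The relocated tests could pin the outcome with an assertion on `s->alproto`. `DetectPcreSetup` loses the same assignment with its removed `case DETECT_SM_LIST_FILEDATA:`. The function body continues outside the hunk.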

@ -991,9 +991,10 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
else
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
} else if (lua->alproto == ALPROTO_HTTP) {
if (lua->flags & DATATYPE_HTTP_RESPONSE_BODY)
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_FILEDATA);
else if (lua->flags & DATATYPE_HTTP_REQUEST_BODY)
if (lua->flags & DATATYPE_HTTP_RESPONSE_BODY) {
int list = DetectBufferTypeGetByName("file_data");
SigMatchAppendSMToList(s, sm, list);
} else if (lua->flags & DATATYPE_HTTP_REQUEST_BODY)
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCBDMATCH);
else if (lua->flags & DATATYPE_HTTP_URI)
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH);
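Review bot: The result of `DetectBufferTypeGetByName("file_data")` goes straight into `SigMatchAppendSMToList(s, sm, list)` without a check, so a failed lookup (the function reports an unknown name with a negative id) would presumably be used as a list index. A guard such as `if (list < 0) goto error;`, routed through whatever failure path `DetectLuaSetup` already has outside this hunk, stops a registration-order mistake from becoming an out-of-bounds access at rule load. The same unchecked lookup appears in the `'Q'` case of `DetectPcreParse` and in `DetectFiledataSetup`. As a style point, the first arm of this `if`/`else if` chain is now braced while the remaining arms are not.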

@ -144,7 +144,6 @@ const char *DetectListToHumanString(int list)
CASE_CODE_STRING(DETECT_SM_LIST_UMATCH, "http_uri");
CASE_CODE_STRING(DETECT_SM_LIST_HRUDMATCH, "http_raw_uri");
CASE_CODE_STRING(DETECT_SM_LIST_HCBDMATCH, "http_client_body");
CASE_CODE_STRING(DETECT_SM_LIST_FILEDATA, "file_data");
CASE_CODE_STRING(DETECT_SM_LIST_HHDMATCH, "http_header");
CASE_CODE_STRING(DETECT_SM_LIST_HRHDMATCH, "http_raw_header");
CASE_CODE_STRING(DETECT_SM_LIST_HSMDMATCH, "http_stat_msg");
@ -188,7 +187,6 @@ const char *DetectListToString(int list)
CASE_CODE(DETECT_SM_LIST_UMATCH);
CASE_CODE(DETECT_SM_LIST_HRUDMATCH);
CASE_CODE(DETECT_SM_LIST_HCBDMATCH);
CASE_CODE(DETECT_SM_LIST_FILEDATA);
CASE_CODE(DETECT_SM_LIST_HHDMATCH);
CASE_CODE(DETECT_SM_LIST_HRHDMATCH);
CASE_CODE(DETECT_SM_LIST_HSMDMATCH);
@ -1592,7 +1590,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
if (s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH] ||

@ -458,10 +458,12 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr,
/* snort's option (http request body inspection) */
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HCBDMATCH);
break;
case 'Q':
case 'Q': {
int list = DetectBufferTypeGetByName("file_data");
/* suricata extension (http response body inspection) */
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_FILEDATA);
*sm_list = DetectPcreSetList(*sm_list, list);
break;
}
case 'Y':
/* snort's option */
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HSMDMATCH);
@ -666,7 +668,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
if (parsed_sm_list == DETECT_SM_LIST_UMATCH ||
parsed_sm_list == DETECT_SM_LIST_HRUDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HCBDMATCH ||
parsed_sm_list == DETECT_SM_LIST_FILEDATA ||
parsed_sm_list == DETECT_SM_LIST_HHDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HRHDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HSMDMATCH ||
@ -694,14 +695,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
int sm_list = -1;
if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
if (s->init_data->list == DETECT_SM_LIST_FILEDATA) {
SCLogDebug("adding to http server body list because of file data");
AppLayerHtpEnableResponseBodyCallback();
} else if (s->init_data->list == DETECT_SM_LIST_DMATCH) {
SCLogDebug("adding to dmatch list because of dce_stub_data");
} else if (s->init_data->list == DETECT_SM_LIST_DNSQUERYNAME_MATCH) {
SCLogDebug("adding to DETECT_SM_LIST_DNSQUERYNAME_MATCH list because of dns_query");
}
s->flags |= SIG_FLAG_APPLAYER;
sm_list = s->init_data->list;
} else {
@ -713,13 +706,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
sm_list = parsed_sm_list;
break;
case DETECT_SM_LIST_FILEDATA:
AppLayerHtpEnableResponseBodyCallback();
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = parsed_sm_list;
break;
case DETECT_SM_LIST_UMATCH:
case DETECT_SM_LIST_HRUDMATCH:
case DETECT_SM_LIST_HHDMATCH:
@ -738,6 +724,9 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
case DETECT_SM_LIST_NOTSET:
sm_list = DETECT_SM_LIST_PMATCH;
break;
default:
sm_list = parsed_sm_list;
break;
}
}
if (sm_list == -1)
@ -805,6 +794,7 @@ void DetectPcreFree(void *ptr)
}
#ifdef UNITTESTS /* UNITTESTS */
static int g_file_data_buffer_id = 0;
/**
* \test DetectPcreParseTest01 make sure we don't allow invalid opts 7.
@ -1097,11 +1087,11 @@ static int DetectPcreParseTest12(void)
FAIL_IF (de_ctx->sig_list == NULL);
s = de_ctx->sig_list;
FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL);
FAIL_IF(s->sm_lists_tail[g_file_data_buffer_id] == NULL);
FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_PCRE);
FAIL_IF(s->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_PCRE);
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
data = (DetectPcreData *)s->sm_lists_tail[g_file_data_buffer_id]->ctx;
FAIL_IF(data->flags & DETECT_PCRE_RAWBYTES ||
!(data->flags & DETECT_PCRE_RELATIVE));
@ -1130,11 +1120,11 @@ static int DetectPcreParseTest13(void)
FAIL_IF(de_ctx->sig_list == NULL);
s = de_ctx->sig_list;
FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL);
FAIL_IF(s->sm_lists_tail[g_file_data_buffer_id] == NULL);
FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_PCRE);
FAIL_IF(s->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_PCRE);
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
data = (DetectPcreData *)s->sm_lists_tail[g_file_data_buffer_id]->ctx;
FAIL_IF(data->flags & DETECT_PCRE_RAWBYTES ||
!(data->flags & DETECT_PCRE_RELATIVE));
@ -1163,11 +1153,11 @@ static int DetectPcreParseTest14(void)
FAIL_IF(de_ctx->sig_list == NULL);
s = de_ctx->sig_list;
FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL);
FAIL_IF(s->sm_lists_tail[g_file_data_buffer_id] == NULL);
FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_PCRE);
FAIL_IF(s->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_PCRE);
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx;
data = (DetectPcreData *)s->sm_lists_tail[g_file_data_buffer_id]->ctx;
FAIL_IF(data->flags & DETECT_PCRE_RAWBYTES ||
data->flags & DETECT_PCRE_RELATIVE);
@ -3345,6 +3335,8 @@ static int DetectPcreParseHttpHost(void)
void DetectPcreRegisterTests(void)
{
#ifdef UNITTESTS /* UNITTESTS */
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
UtRegisterTest("DetectPcreParseTest01", DetectPcreParseTest01);
UtRegisterTest("DetectPcreParseTest02", DetectPcreParseTest02);
UtRegisterTest("DetectPcreParseTest03", DetectPcreParseTest03);
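Review bot: The new `default:` arm in `DetectPcreSetup` assigns `sm_list = parsed_sm_list` for every id not listed above it, where previously an unlisted id left `sm_list` at -1 and was caught by the `if (sm_list == -1)` check that follows. A range check before the assignment, or at least a comment such as `/* dynamically registered buffers, e.g. file_data via /Q */`, would make it clear which values are expected here. `static int g_file_data_buffer_id = 0;` in the test section also deserves a one-line comment saying it is filled in by `DetectPcreRegisterTests`, since 0 is presumably a valid built-in list index. The switch and both functions continue outside the hunks.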

@ -82,6 +82,7 @@ static int DetectPktDataSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
#ifdef UNITTESTS
/************************************Unittests*********************************/
static int g_file_data_buffer_id = 0;
static int DetectPktDataTest01(void)
{
@ -105,9 +106,9 @@ static int DetectPktDataTest01(void)
}
/* sm should be in the MATCH list */
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA];
sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id];
if (sm == NULL) {
printf("sm not in DETECT_SM_LIST_FILEDATA: ");
printf("sm not in g_file_data_buffer_id: ");
goto end;
}
@ -145,6 +146,8 @@ end:
static void DetectPktDataTestRegister(void)
{
#ifdef UNITTESTS
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
UtRegisterTest("DetectPktDataTest01", DetectPktDataTest01);
#endif
}
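Review bot: The failure message `printf("sm not in g_file_data_buffer_id: ");` in `DetectPktDataTest01` now names a C variable rather than the buffer, which reads oddly in unit-test output; `printf("sm not in file_data list: ");` says what actually went wrong. The comment just above it, `/* sm should be in the MATCH list */`, appears not to match the list being indexed and could be corrected in the same pass.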

@ -1918,9 +1918,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_FILEDATA] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL)
return 0;
@ -2029,9 +2026,6 @@ static int SignatureIsPDOnly(const Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_FILEDATA] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL)
return 0;
@ -2164,7 +2158,6 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s)
s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_FILEDATA] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL ||
@ -2337,16 +2330,6 @@ static int SignatureCreateMask(Signature *s)
SCLogDebug("sig requires http app state");
}
if (s->init_data->smlists[DETECT_SM_LIST_FILEDATA] != NULL) {
/* set the state depending from the protocol */
if (s->alproto == ALPROTO_HTTP)
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
else if (s->alproto == ALPROTO_SMTP)
s->mask |= SIG_MASK_REQUIRE_SMTP_STATE;
SCLogDebug("sig requires http or smtp app state");
}
if (s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
SCLogDebug("sig requires http app state");

@ -121,8 +121,6 @@ enum DetectSigmatchListEnum {
DETECT_SM_LIST_HRUDMATCH,
/* list for http_client_body keyword and the ones relative to it */
DETECT_SM_LIST_HCBDMATCH,
/* list for http_server_body keyword and the ones relative to it */
DETECT_SM_LIST_FILEDATA,
/* list for http_header keyword and the ones relative to it */
DETECT_SM_LIST_HHDMATCH,
/* list for http_raw_header keyword and the ones relative to it */
