aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Content: set up sticky buffers like file_data and dce_stub_data w/o flags, but with a list variable

Browse Source
pull/414/merge
Victor Julien 13 years ago
parent d476e4e50d
commit 7292998a58
18 changed files with 55 additions and 72 deletions
Show Stats Download Patch File Download Diff File

8
src/detect-byte-extract.c
Unescape Escape View File

@ -545,18 +545,16 @@ int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
goto error;
int sm_list;
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
if (s->list != DETECT_SM_LIST_NOTSET) {
if (s->list == DETECT_SM_LIST_HSBDMATCH) {
if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "dce byte_extract specified "
"with file_data option set.");
goto error;
}
AppLayerHtpEnableResponseBodyCallback();
sm_list = DETECT_SM_LIST_HSBDMATCH;
} else {
sm_list = DETECT_SM_LIST_DMATCH;
}
sm_list = s->list;
s->flags |= SIG_FLAG_APPLAYER;
if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
prev_pm = SigMatchGetLastSMFromLists(s, 4,

8
src/detect-bytejump.c
Unescape Escape View File

@ -538,18 +538,16 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
goto error;
int sm_list;
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
if (s->list != DETECT_SM_LIST_NOTSET) {
if (s->list == DETECT_SM_LIST_HSBDMATCH) {
if (data->flags & DETECT_BYTEJUMP_DCE) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "dce bytejump specified "
"with file_data option set.");
goto error;
}
AppLayerHtpEnableResponseBodyCallback();
sm_list = DETECT_SM_LIST_HSBDMATCH;
} else {
sm_list = DETECT_SM_LIST_DMATCH;
}
sm_list = s->list;
s->flags |= SIG_FLAG_APPLAYER;
if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
prev_pm = SigMatchGetLastSMFromLists(s, 4,

8
src/detect-bytetest.c
Unescape Escape View File

@ -459,18 +459,16 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
goto error;
int sm_list;
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
if (s->list != DETECT_SM_LIST_NOTSET) {
if (s->list == DETECT_SM_LIST_HSBDMATCH) {
if (data->flags & DETECT_BYTETEST_DCE) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "dce bytetest specified "
"with file_data option set.");
goto error;
}
AppLayerHtpEnableResponseBodyCallback();
sm_list = DETECT_SM_LIST_HSBDMATCH;
} else {
sm_list = DETECT_SM_LIST_DMATCH;
}
sm_list = s->list;
s->flags |= SIG_FLAG_APPLAYER;
if (data->flags & DETECT_BYTETEST_RELATIVE) {
prev_pm = SigMatchGetLastSMFromLists(s, 4,

8
src/detect-content.c
Unescape Escape View File

@ -384,16 +384,14 @@ int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, char *contentstr)
DetectContentPrint(cd);
int sm_list;
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
if (s->list != DETECT_SM_LIST_NOTSET) {
if (s->list == DETECT_SM_LIST_HSBDMATCH) {
AppLayerHtpEnableResponseBodyCallback();
s->alproto = ALPROTO_HTTP;
sm_list = DETECT_SM_LIST_HSBDMATCH;
} else {
sm_list = DETECT_SM_LIST_DMATCH;
}
s->flags |= SIG_FLAG_APPLAYER;
sm_list = s->list;
} else {
sm_list = DETECT_SM_LIST_PMATCH;
}

2
src/detect-dce-stub-data.c
Unescape Escape View File

@ -91,7 +91,7 @@ static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
goto error;
}
s->init_flags |= SIG_FLAG_INIT_DCE_STUB_DATA;
s->list = DETECT_SM_LIST_DMATCH;
s->alproto = ALPROTO_DCERPC;
s->flags |= SIG_FLAG_APPLAYER;
return 0;

7
src/detect-depth.c
Unescape Escape View File

@ -71,11 +71,8 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
}
/* retrive the sm to apply the depth against */
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA)
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
else
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
if (s->list != DETECT_SM_LIST_NOTSET) {
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[s->list]);
} else {
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],

7
src/detect-distance.c
Unescape Escape View File

@ -80,11 +80,8 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
}
/* retrive the sm to apply the depth against */
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA)
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
else
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
if (s->list != DETECT_SM_LIST_NOTSET) {
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[s->list]);
} else {
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],

6
src/detect-engine-mpm.c
Unescape Escape View File

@ -2895,8 +2895,8 @@ uint32_t DetectPatternGetId(MpmPatternIdStore *ht, void *ctx, Signature *s, uint
r = HashTableLookup(ht->hash, (void *)e, sizeof(MpmPatternIdTableElmt));
if (r == NULL) {
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
BUG_ON((sm_list != DETECT_SM_LIST_HSBDMATCH) & (sm_list != DETECT_SM_LIST_DMATCH));
if (s->list != DETECT_SM_LIST_NOTSET) {
BUG_ON((sm_list != DETECT_SM_LIST_HSBDMATCH) && (sm_list != DETECT_SM_LIST_DMATCH));
e->id = ht->max_id;
ht->max_id++;
id = e->id;
@ -2960,7 +2960,7 @@ uint32_t DetectPatternGetId(MpmPatternIdStore *ht, void *ctx, Signature *s, uint
} else {
/* oh cool! It is a duplicate for content, uricontent types. Update the
* dup_count and get out */
if ((s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) ||
if ((s->list != DETECT_SM_LIST_NOTSET) ||
sm_list == DETECT_SM_LIST_PMATCH) {
/* we have a duplicate */
r->dup_count++;

3
src/detect-file-data.c
Unescape Escape View File

@ -78,7 +78,8 @@ static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, char *str
SCLogError(SC_ERR_INVALID_SIGNATURE, "Can't use file_data with flow:to_server or from_client with http.");
return -1;
}
s->init_flags |= SIG_FLAG_INIT_FILE_DATA;
s->list = DETECT_SM_LIST_HSBDMATCH;
return 0;
}

8
src/detect-isdataat.c
Unescape Escape View File

@ -260,14 +260,12 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
goto end;
int sm_list;
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
if (s->list != DETECT_SM_LIST_NOTSET) {
if (s->list == DETECT_SM_LIST_HSBDMATCH) {
AppLayerHtpEnableResponseBodyCallback();
s->alproto = ALPROTO_HTTP;
sm_list = DETECT_SM_LIST_HSBDMATCH;
} else {
sm_list = DETECT_SM_LIST_DMATCH;
}
sm_list = s->list;
s->flags |= SIG_FLAG_APPLAYER;
if (idad->flags & ISDATAAT_RELATIVE) {
prev_pm = SigMatchGetLastSMFromLists(s, 4,

7
src/detect-nocase.c
Unescape Escape View File

@ -80,11 +80,8 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
}
/* retrive the sm to apply the depth against */
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA)
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
else
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
if (s->list != DETECT_SM_LIST_NOTSET) {
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[s->list]);
} else {
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],

7
src/detect-offset.c
Unescape Escape View File

@ -70,11 +70,8 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
}
/* retrive the sm to apply the depth against */
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA)
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
else
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
if (s->list != DETECT_SM_LIST_NOTSET) {
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[s->list]);
} else {
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],

4
src/detect-parse.c
Unescape Escape View File

@ -109,7 +109,7 @@ int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s
goto end;
}
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
if (s->list != DETECT_SM_LIST_NOTSET) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"%s\" keyword seen "
"with a sticky buffer still set. Reset sticky buffer "
"with pkt_data before using the modifier.",
@ -902,6 +902,8 @@ Signature *SigAlloc (void) {
* overwritten after the Signature has been parsed, and if it hasn't been
* overwritten, we can then assign the default value of 3 */
sig->prio = -1;
sig->list = DETECT_SM_LIST_NOTSET;
return sig;
}

20
src/detect-pcre.c
Unescape Escape View File

@ -689,7 +689,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
"for the rule.");
goto error;
}
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
if (s->list != DETECT_SM_LIST_NOTSET) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre found with http "
"modifier set, with file_data/dce_stub_data sticky "
"option set.");
@ -705,7 +705,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
"for the rule.");
goto error;
}
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
if (s->list != DETECT_SM_LIST_NOTSET) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre found with dns "
"modifier set, with file_data/dce_stub_data sticky "
"option set.");
@ -714,15 +714,15 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
}
int sm_list;
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
SCLogDebug("adding to http server body list because of file data");
s->flags |= SIG_FLAG_APPLAYER;
AppLayerHtpEnableResponseBodyCallback();
sm_list = DETECT_SM_LIST_HSBDMATCH;
} else if (s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
SCLogDebug("adding to dmatch list because of dce_stub_data");
if (s->list != DETECT_SM_LIST_NOTSET) {
if (s->list == DETECT_SM_LIST_HSBDMATCH) {
SCLogDebug("adding to http server body list because of file data");
AppLayerHtpEnableResponseBodyCallback();
} else if (s->list == DETECT_SM_LIST_DMATCH) {
SCLogDebug("adding to dmatch list because of dce_stub_data");
}
s->flags |= SIG_FLAG_APPLAYER;
sm_list = DETECT_SM_LIST_DMATCH;
sm_list = s->list;
} else if (pd->flags & DETECT_PCRE_URI) {
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;

6
src/detect-pkt-data.c
Unescape Escape View File

@ -73,7 +73,7 @@ void DetectPktDataRegister(void) {
static int DetectPktDataSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
{
SCEnter();
s->init_flags &= (~SIG_FLAG_INIT_FILE_DATA & ~SIG_FLAG_INIT_DCE_STUB_DATA);
s->list = DETECT_SM_LIST_NOTSET;
return 0;
}
@ -126,8 +126,8 @@ static int DetectPktDataTest01(void)
}
if (sig->init_flags & SIG_FLAG_INIT_FILE_DATA) {
printf("sm init_flags SIG_FLAG_INIT_FILE_DATA set: ");
if (sig->list != DETECT_SM_LIST_NOTSET) {
printf("sticky buffer set: ");
goto end;
}

2
src/detect-rawbytes.c
Unescape Escape View File

@ -59,7 +59,7 @@ static int DetectRawbytesSetup (DetectEngineCtx *de_ctx, Signature *s, char *nul
return -1;
}
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
if (s->list != DETECT_SM_LIST_NOTSET) {
SCLogError(SC_ERR_RAWBYTES_FILE_DATA, "\"rawbytes\" cannot be combined with \"file_data\"");
SCReturnInt(-1);
}

7
src/detect-within.c
Unescape Escape View File

@ -83,11 +83,8 @@ static int DetectWithinSetup(DetectEngineCtx *de_ctx, Signature *s, char *within
}
/* retrive the sm to apply the depth against */
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA)
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
else
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
if (s->list != DETECT_SM_LIST_NOTSET) {
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[s->list]);
} else {
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],

9
src/detect.h
Unescape Escape View File

@ -123,6 +123,11 @@ enum {
/* list for alert thresholding */
DETECT_SM_LIST_THRESHOLD,
DETECT_SM_LIST_MAX,
/* used for Signature->list, which indicates which list
* we're adding keywords to in cases of sticky buffers like
* file_data */
DETECT_SM_LIST_NOTSET,
};
/* a is ... than b */
@ -277,8 +282,6 @@ typedef struct DetectPort_ {
#define SIG_FLAG_INIT_FLOW (1<<2) /**< signature has a flow setting */
#define SIG_FLAG_INIT_BIDIREC (1<<3) /**< signature has bidirectional operator */
#define SIG_FLAG_INIT_PAYLOAD (1<<4) /**< signature is inspecting the packet payload */
#define SIG_FLAG_INIT_FILE_DATA (1<<5) /**< file_data set */
#define SIG_FLAG_INIT_DCE_STUB_DATA (1<<6) /**< dce_stub_data set */
/* signature mask flags */
#define SIG_MASK_REQUIRE_PAYLOAD (1<<0)
@ -460,6 +463,8 @@ typedef struct Signature_ {
* to warn the user about any possible problem */
char *sig_str;
int list;
/** ptr to the next sig in the list */
struct Signature_ *next;
} Signature;

Write Preview
Loading…
Cancel
Save