aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect: remove hardcoded sm_list logic from setup

Browse Source 
Introduce utility functions to aid this.
pull/2559/head
Victor Julien 9 years ago
parent 04592efb76
commit 779d40cedf
31 changed files with 366 additions and 828 deletions
Show Stats Download Patch File Download Diff File

2
src/detect-app-layer-protocol.c
Unescape Escape View File

@ -165,7 +165,7 @@ static int DetectAppLayerProtocolSetup(DetectEngineCtx *de_ctx,
if (data == NULL)
goto error;
SigMatch *tsm = s->sm_lists[DETECT_SM_LIST_MATCH];
SigMatch *tsm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
for ( ; tsm != NULL; tsm = tsm->next) {
if (tsm->type == DETECT_AL_APP_LAYER_PROTOCOL) {
const DetectAppLayerProtocolData *them = (const DetectAppLayerProtocolData *)tsm->ctx;

17
src/detect-base64-data.c
Unescape Escape View File

@ -17,6 +17,7 @@
#include "suricata-common.h"
#include "detect.h"
#include "detect-engine.h"
#include "detect-engine-content-inspection.h"
#include "detect-parse.h"
@ -45,21 +46,7 @@ static int DetectBase64DataSetup(DetectEngineCtx *de_ctx, Signature *s,
SigMatch *pm = NULL;
/* Check for a preceding base64_decode. */
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
pm = DetectGetLastSMFromLists(s, DETECT_BASE64_DECODE, -1);
if (pm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE,
"\"base64_data\" keyword seen without preceding base64_decode.");

90
src/detect-base64-decode.c
Unescape Escape View File

@ -203,92 +203,10 @@ static int DetectBase64DecodeSetup(DetectEngineCtx *de_ctx, Signature *s,
#endif
}
else {
/* Copied from detect-isdataat.c. */
pm = SigMatchGetLastSMFromLists(s, 168,
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
pm = DetectGetLastSMFromLists(s,
DETECT_CONTENT, DETECT_PCRE,
DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
DETECT_ISDATAAT, -1);
if (pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
}

115
src/detect-byte-extract.c
Unescape Escape View File

@ -531,19 +531,13 @@ static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
sm_list = s->init_data->list;
s->flags |= SIG_FLAG_APPLAYER;
if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
prev_pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->init_data->smlists_tail[sm_list],
DETECT_PCRE, s->init_data->smlists_tail[sm_list]);
prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
}
} else if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
prev_pm = SigMatchGetLastSMFromLists(s, 12,
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
DETECT_ISDATAAT, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {
@ -559,96 +553,10 @@ static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
s->flags |= SIG_FLAG_APPLAYER;
} else if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
prev_pm = SigMatchGetLastSMFromLists(s, 168,
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
prev_pm = DetectGetLastSMFromLists(s,
DETECT_CONTENT, DETECT_PCRE,
DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
DETECT_ISDATAAT, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {
@ -680,8 +588,8 @@ static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
}
}
SigMatch *prev_bed_sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[sm_list]);
SigMatch *prev_bed_sm = DetectGetLastSMByListId(s, sm_list,
DETECT_BYTE_EXTRACT, -1);
if (prev_bed_sm == NULL)
data->local_id = 0;
else
@ -749,8 +657,9 @@ SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
{
DetectByteExtractData *bed = NULL;
int list;
const int nlists = DetectBufferTypeMaxId();
for (list = 0; list < DETECT_SM_LIST_MAX; list++) {
for (list = 0; list < nlists; list++) {
SigMatch *sm = s->init_data->smlists[list];
while (sm != NULL) {
if (sm->type == DETECT_BYTE_EXTRACT) {

110
src/detect-bytejump.c
Unescape Escape View File

@ -530,20 +530,14 @@ static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts
sm_list = s->init_data->list;
s->flags |= SIG_FLAG_APPLAYER;
if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
prev_pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->init_data->smlists_tail[sm_list],
DETECT_PCRE, s->init_data->smlists_tail[sm_list]);
prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
}
} else if (data->flags & DETECT_BYTEJUMP_DCE) {
if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
prev_pm = SigMatchGetLastSMFromLists(s, 12,
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
prev_pm = DetectGetLastSMFromLists(s,
DETECT_CONTENT, DETECT_PCRE,
DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
DETECT_ISDATAAT, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {
@ -559,96 +553,10 @@ static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts
s->flags |= SIG_FLAG_APPLAYER;
} else if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
prev_pm = SigMatchGetLastSMFromLists(s, 168,
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
prev_pm = DetectGetLastSMFromLists(s,
DETECT_CONTENT, DETECT_PCRE,
DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
DETECT_ISDATAAT, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {

109
src/detect-bytetest.c
Unescape Escape View File

@ -457,20 +457,15 @@ static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts
sm_list = s->init_data->list;
s->flags |= SIG_FLAG_APPLAYER;
if (data->flags & DETECT_BYTETEST_RELATIVE) {
prev_pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->init_data->smlists_tail[sm_list],
DETECT_PCRE, s->init_data->smlists_tail[sm_list]);
prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
}
} else if (data->flags & DETECT_BYTETEST_DCE) {
if (data->flags & DETECT_BYTETEST_RELATIVE) {
prev_pm = SigMatchGetLastSMFromLists(s, 12,
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
prev_pm = DetectGetLastSMFromLists(s,
DETECT_CONTENT, DETECT_PCRE,
DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
DETECT_ISDATAAT, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {
@ -486,96 +481,10 @@ static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts
s->flags |= SIG_FLAG_APPLAYER;
} else if (data->flags & DETECT_BYTETEST_RELATIVE) {
prev_pm = SigMatchGetLastSMFromLists(s, 168,
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
prev_pm = DetectGetLastSMFromLists(s,
DETECT_CONTENT, DETECT_PCRE,
DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
DETECT_ISDATAAT, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {

4
src/detect-csum.c
Unescape Escape View File

@ -955,13 +955,13 @@ int DetectCsumInvalidArgsTestParse02(void)
FAIL_IF_NULL(de_ctx);\
Signature *s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:valid; sid:1;)");\
FAIL_IF_NULL(s);\
SigMatch *sm = SigMatchGetLastSMFromLists(s, 2, (kwtype), s->sm_lists[DETECT_SM_LIST_MATCH]);\
SigMatch *sm = DetectGetLastSMFromLists(s, (kwtype), -1);\
FAIL_IF_NULL(sm);\
FAIL_IF_NULL(sm->ctx);\
FAIL_IF_NOT(((DetectCsumData *)sm->ctx)->valid == 1);\
s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:INVALID; sid:2;)");\
FAIL_IF_NULL(s);\
sm = SigMatchGetLastSMFromLists(s, 2, (kwtype), s->sm_lists[DETECT_SM_LIST_MATCH]);\
sm = DetectGetLastSMFromLists(s, (kwtype), -1);\
FAIL_IF_NULL(sm);\
FAIL_IF_NULL(sm->ctx);\
FAIL_IF_NOT(((DetectCsumData *)sm->ctx)->valid == 0);\

20
src/detect-depth.c
Unescape Escape View File

@ -74,25 +74,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
}
/* retrive the sm to apply the depth against */
if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->init_data->smlists_tail[s->init_data->list]);
} else {
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
}
pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, -1);
if (pm == NULL) {
SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs "
"preceding content, uricontent option, http_client_body, "

6
src/detect-detection-filter.c
Unescape Escape View File

@ -215,15 +215,13 @@ static int DetectDetectionFilterSetup (DetectEngineCtx *de_ctx, Signature *s, ch
SigMatch *tmpm = NULL;
/* checks if there's a previous instance of threshold */
tmpm = SigMatchGetLastSMFromLists(s, 2,
DETECT_THRESHOLD, s->init_data->smlists_tail[DETECT_SM_LIST_MATCH]);
tmpm = DetectGetLastSMFromLists(s, DETECT_THRESHOLD, -1);
if (tmpm != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and \"threshold\" are not allowed in the same rule");
SCReturnInt(-1);
}
/* checks there's no previous instance of detection_filter */
tmpm = SigMatchGetLastSMFromLists(s, 2,
DETECT_DETECTION_FILTER, s->init_data->smlists_tail[DETECT_SM_LIST_MATCH]);
tmpm = DetectGetLastSMFromLists(s, DETECT_DETECTION_FILTER, -1);
if (tmpm != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "At most one \"detection_filter\" is allowed per rule");
SCReturnInt(-1);

27
src/detect-distance.c
Unescape Escape View File

@ -80,26 +80,8 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
dubbed = 1;
}
/* retrive the sm to apply the depth against */
if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->init_data->smlists_tail[s->init_data->list]);
} else {
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
}
/* retrieve the sm to apply the distance against */
pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, -1);
if (pm == NULL) {
SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "distance needs "
"preceding content, uricontent option, http_client_body, "
@ -147,9 +129,8 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
}
cd->flags |= DETECT_CONTENT_DISTANCE;
SigMatch *prev_pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, pm->prev,
DETECT_PCRE, pm->prev);
SigMatch *prev_pm = DetectGetLastSMByListPtr(s, pm->prev,
DETECT_CONTENT, DETECT_PCRE, -1);
if (prev_pm == NULL) {
ret = 0;
goto end;

4
src/detect-dsize.c
Unescape Escape View File

@ -256,9 +256,7 @@ static int DetectDsizeSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr
DetectDsizeData *dd = NULL;
SigMatch *sm = NULL;
if (SigMatchGetLastSMFromLists(s, 2,
DETECT_DSIZE,
s->init_data->smlists_tail[DETECT_SM_LIST_MATCH]) != NULL) {
if (DetectGetLastSMFromLists(s, DETECT_DSIZE, -1)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Can't use 2 or more dsizes in "
"the same sig. Invalidating signature.");
goto error;

2
src/detect-engine-analyzer.c
Unescape Escape View File

@ -553,7 +553,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
//uint32_t rule_flowvar = 0;
uint32_t rule_content_http = 0;
uint32_t rule_content_offset_depth = 0;
uint32_t list_id = 0;
int32_t list_id = 0;
uint32_t rule_warning = 0;
uint32_t raw_http_buf = 0;
uint32_t norm_http_buf = 0;

27
src/detect-engine-mpm.c
Unescape Escape View File

@ -119,6 +119,17 @@ void DetectMpmAppLayerRegister(const char *name,
SupportFastPatternForSigMatchList(sm_list, priority);
}
void DetectAppLayerMpmRegister(const char *name,
int direction, int priority,
int (*PrefilterRegister)(SigGroupHead *sgh, MpmCtx *mpm_ctx))
{
DetectBufferTypeSupportsMpm(name);
int sm_list = DetectBufferTypeGetByName(name);
BUG_ON(sm_list == -1);
DetectMpmAppLayerRegister(name, direction, sm_list, priority,
PrefilterRegister);
}
void DetectMpmInitializeAppMpms(DetectEngineCtx *de_ctx)
{
BUG_ON(g_app_mpms_list_cnt == 0);
@ -543,18 +554,20 @@ void RetrieveFPForSig(Signature *s)
if (s->init_data->mpm_sm != NULL)
return;
const int nlists = DetectBufferTypeMaxId();
SigMatch *mpm_sm = NULL, *sm = NULL;
int nn_sm_list[DETECT_SM_LIST_MAX];
int n_sm_list[DETECT_SM_LIST_MAX];
memset(nn_sm_list, 0, sizeof(nn_sm_list));
memset(n_sm_list, 0, sizeof(n_sm_list));
int nn_sm_list[nlists];
int n_sm_list[nlists];
memset(nn_sm_list, 0, nlists * sizeof(int));
memset(n_sm_list, 0, nlists * sizeof(int));
int count_nn_sm_list = 0;
int count_n_sm_list = 0;
int list_id;
/* inspect rule to see if we have the fast_pattern reg to
* force using a sig, otherwise keep stats about the patterns */
for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
for (list_id = 0; list_id < nlists; list_id++) {
if (s->init_data->smlists[list_id] == NULL)
continue;
@ -595,7 +608,9 @@ void RetrieveFPForSig(Signature *s)
return;
}
int final_sm_list[DETECT_SM_LIST_MAX] = { 0 };
int final_sm_list[nlists];
memset(&final_sm_list, 0, (nlists * sizeof(int)));
int count_final_sm_list = 0;
int priority;

4
src/detect-engine-mpm.h
Unescape Escape View File

@ -93,5 +93,9 @@ void DetectMpmAppLayerRegister(const char *name,
int direction, int sm_list, int priority,
int (*PrefilterRegister)(SigGroupHead *sgh, MpmCtx *mpm_ctx));
void DetectAppLayerMpmRegister(const char *name,
int direction, int priority,
int (*PrefilterRegister)(SigGroupHead *sgh, MpmCtx *mpm_ctx));
#endif /* __DETECT_ENGINE_MPM_H__ */

25
src/detect-engine.c
Unescape Escape View File

@ -104,9 +104,11 @@ static DetectEngineAppInspectionEngine *g_app_inspect_engines = NULL;
void DetectAppLayerInspectEngineRegister(AppProto alproto,
uint32_t dir, int32_t sm_list, InspectEngineFuncPtr Callback)
{
const int nlists = DetectBufferTypeMaxId();
if ((alproto >= ALPROTO_FAILED) ||
(!(dir == SIG_FLAG_TOSERVER || dir == SIG_FLAG_TOCLIENT)) ||
(sm_list < DETECT_SM_LIST_MATCH || sm_list >= DETECT_SM_LIST_MAX) ||
(sm_list < DETECT_SM_LIST_MATCH || sm_list >= nlists) ||
(Callback == NULL))
{
SCLogError(SC_ERR_INVALID_ARGUMENTS, "Invalid arguments");
@ -142,13 +144,24 @@ void DetectAppLayerInspectEngineRegister(AppProto alproto,
}
}
void DetectAppLayerInspectEngineRegister2(const char *name,
AppProto alproto, uint32_t dir, InspectEngineFuncPtr Callback)
{
DetectBufferTypeRegister(name);
int sm_list = DetectBufferTypeGetByName(name);
BUG_ON(sm_list == -1);
DetectAppLayerInspectEngineRegister(alproto, dir, sm_list, Callback);
}
int DetectEngineAppInspectionEngine2Signature(Signature *s)
{
SigMatchData *ptrs[DETECT_SM_LIST_MAX] = { NULL };
const int nlists = DetectBufferTypeMaxId();
SigMatchData *ptrs[nlists];
memset(&ptrs, 0, (nlists * sizeof(SigMatchData *)));
/* convert lists to SigMatchData arrays */
int i = 0;
for (i = DETECT_SM_LIST_BUILTIN_MAX; i < DETECT_SM_LIST_MAX; i++) {
for (i = DETECT_SM_LIST_BUILTIN_MAX; i < nlists; i++) {
if (s->init_data->smlists[i] == NULL)
continue;
@ -215,7 +228,9 @@ next:
*/
void DetectEngineAppInspectionEngineSignatureFree(Signature *s)
{
SigMatchData *ptrs[DETECT_SM_LIST_MAX] = { NULL };
const int nlists = DetectBufferTypeMaxId();
SigMatchData *ptrs[nlists];
memset(&ptrs, 0, (nlists * sizeof(SigMatchData *)));
/* free engines and put smd in the array */
DetectEngineAppInspectionEngine *ie = s->app_inspect;
@ -229,7 +244,7 @@ void DetectEngineAppInspectionEngineSignatureFree(Signature *s)
/* free the smds */
int i;
for (i = 0; i < DETECT_SM_LIST_MAX; i++)
for (i = 0; i < nlists; i++)
{
if (ptrs[i] == NULL)
continue;

3
src/detect-engine.h
Unescape Escape View File

@ -106,6 +106,9 @@ int DetectEngineInspectGenericList(ThreadVars *, const DetectEngineCtx *,
void DetectAppLayerInspectEngineRegister(AppProto alproto,
uint32_t dir, int32_t sm_list, InspectEngineFuncPtr Callback);
void DetectAppLayerInspectEngineRegister2(const char *name,
AppProto alproto, uint32_t dir, InspectEngineFuncPtr Callback);
int DetectEngineAppInspectionEngine2Signature(Signature *s);
void DetectEngineAppInspectionEngineSignatureFree(Signature *s);

72
src/detect-fast-pattern.c
Unescape Escape View File

@ -162,63 +162,27 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
int ov[MAX_SUBSTRINGS];
char arg_substr[128] = "";
DetectContentData *cd = NULL;
const int nlists = DetectBufferTypeMaxId();
if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL &&
s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH] == NULL &&
s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH] == NULL &&
s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA] == NULL &&
s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH] == NULL &&
s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] == NULL &&
s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH] == NULL &&
s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH] == NULL &&
s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH] == NULL &&
s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH] == NULL &&
s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH] == NULL &&
s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH] == NULL &&
s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH] == NULL &&
s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH] == NULL &&
s->init_data->smlists_tail[DETECT_SM_LIST_DNSQUERYNAME_MATCH] == NULL &&
s->init_data->smlists_tail[DETECT_SM_LIST_TLSSNI_MATCH] == NULL &&
s->init_data->smlists_tail[DETECT_SM_LIST_TLSISSUER_MATCH] == NULL &&
s->init_data->smlists_tail[DETECT_SM_LIST_TLSSUBJECT_MATCH] == NULL &&
s->init_data->smlists_tail[DETECT_SM_LIST_HTTP_REQLINEMATCH] == NULL) {
SCLogWarning(SC_WARN_COMPATIBILITY, "fast_pattern found inside the "
"rule, without a preceding content based keyword. "
"Currently we provide fast_pattern support for content, "
"uricontent, http_client_body, http_server_body, http_header, "
"http_raw_header, http_method, http_cookie, "
"http_raw_uri, http_stat_msg, http_stat_code, "
"http_user_agent, http_host, http_raw_host, "
"http_request_line, dns_query, "
"tls_sni, tls_cert_issuer or tls_cert_subject option");
SigMatch *pm1 = DetectGetLastSMFromMpmLists(s);
SigMatch *pm2 = DetectGetLastSMFromLists(s, DETECT_CONTENT, -1);
if (pm1 == NULL && pm2 == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern found inside "
"the rule, without a content context. Please use a "
"content based keyword before using fast_pattern");
return -1;
}
SigMatch *pm = SigMatchGetLastSMFromLists(s, 38,
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HTTP_REQLINEMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_DNSQUERYNAME_MATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_TLSSNI_MATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_TLSISSUER_MATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_TLSSUBJECT_MATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern found inside "
"the rule, without a content context. Please use a "
"content based keyword before using fast_pattern");
return -1;
SigMatch *pm = NULL;
if (pm1 && pm2) {
if (pm1->idx > pm2->idx)
pm = pm1;
else
pm = pm2;
} else if (pm1 && !pm2) {
pm = pm1;
} else {
pm = pm2;
}
cd = (DetectContentData *)pm->ctx;
@ -242,7 +206,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
}
else { /*allow only one content to have fast_pattern modifier*/
int list_id = 0;
for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
for (list_id = 0; list_id < nlists; list_id++) {
SigMatch *sm = NULL;
for (sm = s->init_data->smlists[list_id]; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_CONTENT) {

98
src/detect-isdataat.c
Unescape Escape View File

@ -218,101 +218,13 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
sm_list = s->init_data->list;
s->flags |= SIG_FLAG_APPLAYER;
if (idad->flags & ISDATAAT_RELATIVE) {
prev_pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->init_data->smlists_tail[sm_list],
DETECT_PCRE, s->init_data->smlists_tail[sm_list]);
prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
}
} else if (idad->flags & ISDATAAT_RELATIVE) {
prev_pm = SigMatchGetLastSMFromLists(s, 168,
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
prev_pm = DetectGetLastSMFromLists(s,
DETECT_CONTENT, DETECT_PCRE,
DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
DETECT_ISDATAAT, -1);
if (prev_pm == NULL)
sm_list = DETECT_SM_LIST_PMATCH;
else {

29
src/detect-nocase.c
Unescape Escape View File

@ -79,37 +79,14 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
goto end;
}
/* retrive the sm to apply the depth against */
if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->init_data->smlists_tail[s->init_data->list]);
} else {
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
}
/* retrive the sm to apply the nocase against */
pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, -1);
if (pm == NULL) {
SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "nocase needs "
"preceding content, uricontent option, http_client_body, "
"http_server_body, http_header option, http_raw_header option, "
"http_method option, http_cookie, http_raw_uri, "
"http_stat_msg, http_stat_code, http_user_agent or "
"file_data/dce_stub_data sticky buffer options");
"preceding content option");
goto end;
}
/* verify other conditions. */
DetectContentData *cd = (DetectContentData *)pm->ctx;;

29
src/detect-offset.c
Unescape Escape View File

@ -72,37 +72,14 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
dubbed = 1;
}
/* retrive the sm to apply the depth against */
if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->init_data->smlists_tail[s->init_data->list]);
} else {
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
}
/* retrive the sm to apply the offset against */
pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, -1);
if (pm == NULL) {
SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs "
"preceding content, uricontent option, http_client_body, "
"http_server_body, http_header option, http_raw_header option, "
"http_method option, http_cookie, http_raw_uri, "
"http_stat_msg, http_stat_code, http_user_agent or "
"file_data/dce_stub_data sticky buffer options");
"preceding content option");
goto end;
}
/* verify other conditions */
DetectContentData *cd = (DetectContentData *)pm->ctx;

221
src/detect-parse.c
Unescape Escape View File

@ -75,6 +75,10 @@ static pcre *option_pcre = NULL;
static pcre_extra *config_pcre_extra = NULL;
static pcre_extra *option_pcre_extra = NULL;
static void SigMatchTransferSigMatchAcrossLists(SigMatch *sm,
SigMatch **src_sm_list, SigMatch **src_sm_list_tail,
SigMatch **dst_sm_list, SigMatch **dst_sm_list_tail);
/**
* \brief We use this as data to the hash table DetectEngineCtx->dup_sig_hash_table.
*/
@ -220,9 +224,10 @@ const char *DetectListToString(int list)
return "unknown";
}
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg,
uint8_t sm_type, uint8_t sm_list,
AppProto alproto, void (*CustomCallback)(Signature *s))
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx,
Signature *s, const char *arg,
int sm_type, int sm_list,
AppProto alproto, void (*CustomCallback)(Signature *s))
{
SigMatch *sm = NULL;
int ret = -1;
@ -240,15 +245,14 @@ int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s
sigmatch_table[sm_type].name);
goto end;
}
/* for now let's hardcode it as http */
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != alproto) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting "
"alprotos set");
goto end;
}
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
sm = DetectGetLastSMByListId(s,
DETECT_SM_LIST_PMATCH, DETECT_CONTENT, -1);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"%s\" keyword "
"found inside the rule without a content context. "
@ -265,9 +269,8 @@ int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s
goto end;
}
if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
SigMatch *pm = DetectGetLastSMByListPtr(s, sm->prev,
DETECT_CONTENT, DETECT_PCRE, -1);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
@ -278,9 +281,8 @@ int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s
}
}
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->init_data->smlists_tail[sm_list],
DETECT_PCRE, s->init_data->smlists_tail[sm_list]);
pm = DetectGetLastSMByListId(s, sm_list,
DETECT_CONTENT, DETECT_PCRE, -1);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
@ -296,7 +298,7 @@ int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s
s->alproto = alproto;
s->flags |= SIG_FLAG_APPLAYER;
/* transfer the sm from the pmatch list to hcbdmatch list */
/* transfer the sm from the pmatch list to sm_list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->init_data->smlists[DETECT_SM_LIST_PMATCH],
&s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
@ -408,7 +410,7 @@ void SigMatchRemoveSMFromList(Signature *s, SigMatch *sm, int sm_list)
*
* \retval match Pointer to the last SigMatch instance of type 'type'.
*/
static SigMatch *SigMatchGetLastSMByType(SigMatch *sm, uint8_t type)
static SigMatch *SigMatchGetLastSMByType(SigMatch *sm, int type)
{
while (sm != NULL) {
if (sm->type == type) {
@ -420,33 +422,139 @@ static SigMatch *SigMatchGetLastSMByType(SigMatch *sm, uint8_t type)
return NULL;
}
/** \brief get the last SigMatch from lists that support
* MPM.
* \note only supports the lists that are registered through
* DetectBufferTypeSupportsMpm().
*/
SigMatch *DetectGetLastSMFromMpmLists(const Signature *s)
{
SigMatch *sm_last = NULL;
SigMatch *sm_new;
int sm_type;
/* if we have a sticky buffer, use that */
if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
if (!(DetectBufferTypeSupportsMpmGetById(s->init_data->list))) {
return NULL;
}
sm_last = DetectGetLastSMByListPtr(s,
s->init_data->smlists_tail[s->init_data->list],
DETECT_CONTENT, -1);
return sm_last;
}
/* otherwise brute force it */
const int nlists = DetectBufferTypeMaxId();
for (sm_type = 0; sm_type < nlists; sm_type++) {
if (!DetectBufferTypeSupportsMpmGetById(sm_type))
continue;
SigMatch *sm_list = s->init_data->smlists_tail[sm_type];
sm_new = SigMatchGetLastSMByType(sm_list, DETECT_CONTENT);
if (sm_new == NULL)
continue;
if (sm_last == NULL || sm_new->idx > sm_last->idx)
sm_last = sm_new;
}
return sm_last;
}
/**
* \brief Returns the sm with the largest index (added latest) from the lists
* passed to us.
*
* \retval Pointer to Last sm.
*/
SigMatch *SigMatchGetLastSMFromLists(const Signature *s, int args, ...)
SigMatch *DetectGetLastSMFromLists(const Signature *s, ...)
{
if (args == 0 || args % 2 != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENTS, "You need to send an even no of args "
"(non zero as well) to this function, since we need a "
"SigMatch list for every SigMatch type(send a map of sm_type "
"and sm_list) sent");
/* as this is a bug we should abort to ease debugging */
BUG_ON(1);
SigMatch *sm_last = NULL;
SigMatch *sm_new;
/* otherwise brute force it */
const int nlists = DetectBufferTypeMaxId();
for (int buf_type = 0; buf_type < nlists; buf_type++) {
if (s->init_data->smlists[buf_type] == NULL)
continue;
if (s->init_data->list != DETECT_SM_LIST_NOTSET &&
buf_type != s->init_data->list)
continue;
int sm_type;
va_list ap;
va_start(ap, s);
for (sm_type = va_arg(ap, int); sm_type != -1; sm_type = va_arg(ap, int))
{
sm_new = SigMatchGetLastSMByType(s->init_data->smlists_tail[buf_type], sm_type);
if (sm_new == NULL)
continue;
if (sm_last == NULL || sm_new->idx > sm_last->idx)
sm_last = sm_new;
}
va_end(ap);
}
return sm_last;
}
/**
* \brief Returns the sm with the largest index (added last) from the list
* passed to us as a pointer.
*
* \param sm_list pointer to the SigMatch we should look before
* \param va_args list of keyword types terminated by -1
*
* \retval sm_last to last sm.
*/
SigMatch *DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list, ...)
{
SigMatch *sm_last = NULL;
SigMatch *sm_new;
int i;
int sm_type;
va_list ap;
va_start(ap, sm_list);
for (sm_type = va_arg(ap, int); sm_type != -1; sm_type = va_arg(ap, int))
{
sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
if (sm_new == NULL)
continue;
if (sm_last == NULL || sm_new->idx > sm_last->idx)
sm_last = sm_new;
}
va_end(ap);
return sm_last;
}
/**
* \brief Returns the sm with the largest index (added last) from the list
* passed to us as an id.
*
* \param list_id id of the list to be searched
* \param va_args list of keyword types terminated by -1
*
* \retval sm_last to last sm.
*/
SigMatch *DetectGetLastSMByListId(const Signature *s, int list_id, ...)
{
SigMatch *sm_last = NULL;
SigMatch *sm_new;
int sm_type;
SigMatch *sm_list = s->init_data->smlists_tail[list_id];
if (sm_list == NULL)
return NULL;
va_list ap;
va_start(ap, args);
va_start(ap, list_id);
for (i = 0; i < args; i += 2) {
int sm_type = va_arg(ap, int);
SigMatch *sm_list = va_arg(ap, SigMatch *);
for (sm_type = va_arg(ap, int); sm_type != -1; sm_type = va_arg(ap, int))
{
sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
if (sm_new == NULL)
continue;
@ -462,15 +570,16 @@ SigMatch *SigMatchGetLastSMFromLists(const Signature *s, int args, ...)
/**
* \brief Returns the sm with the largest index (added latest) from this sig
*
* \retval Pointer to Last sm.
* \retval sm_last Pointer to last sm
*/
SigMatch *SigMatchGetLastSM(const Signature *s)
SigMatch *DetectGetLastSM(const Signature *s)
{
const int nlists = DetectBufferTypeMaxId();
SigMatch *sm_last = NULL;
SigMatch *sm_new;
int i;
for (i = 0; i < DETECT_SM_LIST_MAX; i ++) {
for (i = 0; i < nlists; i ++) {
sm_new = s->init_data->smlists_tail[i];
if (sm_new == NULL)
continue;
@ -481,9 +590,9 @@ SigMatch *SigMatchGetLastSM(const Signature *s)
return sm_last;
}
void SigMatchTransferSigMatchAcrossLists(SigMatch *sm,
SigMatch **src_sm_list, SigMatch **src_sm_list_tail,
SigMatch **dst_sm_list, SigMatch **dst_sm_list_tail)
static void SigMatchTransferSigMatchAcrossLists(SigMatch *sm,
SigMatch **src_sm_list, SigMatch **src_sm_list_tail,
SigMatch **dst_sm_list, SigMatch **dst_sm_list_tail)
{
/* we won't do any checks for args */
@ -515,9 +624,10 @@ void SigMatchTransferSigMatchAcrossLists(SigMatch *sm,
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
{
const int nlists = DetectBufferTypeMaxId();
int list = 0;
for (list = 0; list < DETECT_SM_LIST_MAX; list++) {
for (list = 0; list < nlists; list++) {
const SigMatch *sm = s->init_data->smlists[list];
while (sm != NULL) {
if (sm == key_sm)
@ -1001,6 +1111,22 @@ Signature *SigAlloc (void)
SCFree(sig);
return NULL;
}
int lists = DetectBufferTypeMaxId();
SCLogDebug("smlists size %d", lists);
sig->init_data->smlists = SCCalloc(lists, sizeof(SigMatch *));
if (sig->init_data->smlists == NULL) {
SCFree(sig->init_data);
SCFree(sig);
return NULL;
}
sig->init_data->smlists_tail = SCCalloc(lists, sizeof(SigMatch *));
if (sig->init_data->smlists_tail == NULL) {
SCFree(sig->init_data->smlists_tail);
SCFree(sig->init_data);
SCFree(sig);
return NULL;
}
/* assign it to -1, so that we can later check if the value has been
* overwritten after the Signature has been parsed, and if it hasn't been
@ -1067,6 +1193,8 @@ static void SigMatchFreeArrays(Signature *s, int ctxs)
void SigFree(Signature *s)
{
const int nlists = DetectBufferTypeMaxId();
if (s == NULL)
return;
@ -1078,7 +1206,7 @@ void SigFree(Signature *s)
int i;
if (s->init_data) {
for (i = 0; i < DETECT_SM_LIST_MAX; i++) {
for (i = 0; i < nlists; i++) {
SigMatch *sm = s->init_data->smlists[i];
while (sm != NULL) {
SigMatch *nsm = sm->next;
@ -1089,6 +1217,8 @@ void SigFree(Signature *s)
}
SigMatchFreeArrays(s, (s->init_data == NULL));
if (s->init_data) {
SCFree(s->init_data->smlists);
SCFree(s->init_data->smlists_tail);
SCFree(s->init_data);
s->init_data = NULL;
}
@ -1437,21 +1567,8 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
//}
if (s->flags & SIG_FLAG_REQUIRE_PACKET) {
pm = SigMatchGetLastSMFromLists(s, 24,
DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
if (pm != NULL) {
pm = DetectGetLastSMFromLists(s, DETECT_REPLACE, -1);
if (pm != NULL && SigMatchListSMBelongsTo(s, pm) != DETECT_SM_LIST_PMATCH) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature has"
" replace keyword linked with a modified content"
" keyword (http_*, dce_*). It only supports content on"
@ -1529,7 +1646,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_BASE64_DATA] != NULL) {
int list;
uint16_t idx = s->init_data->smlists[DETECT_SM_LIST_BASE64_DATA]->idx;
for (list = 0; list < DETECT_SM_LIST_MAX; list++) {
for (list = 0; list < nlists; list++) {
if (list == DETECT_SM_LIST_POSTMATCH ||
list == DETECT_SM_LIST_TMATCH ||
list == DETECT_SM_LIST_SUPPRESS ||
@ -1555,7 +1672,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
#ifdef DEBUG
int i;
for (i = 0; i < DETECT_SM_LIST_MAX; i++) {
for (i = 0; i < nlists; i++) {
if (s->init_data->smlists[i] != NULL) {
for (sm = s->init_data->smlists[i]; sm != NULL; sm = sm->next) {
BUG_ON(sm == sm->prev);

15
src/detect-parse.h
Unescape Escape View File

@ -45,11 +45,6 @@ Signature *SigAlloc(void);
void SigFree(Signature *s);
Signature *SigInit(DetectEngineCtx *,char *sigstr);
Signature *SigInitReal(DetectEngineCtx *, char *);
SigMatch *SigMatchGetLastSMFromLists(const Signature *, int, ...);
SigMatch *SigMatchGetLastSM(const Signature *);
void SigMatchTransferSigMatchAcrossLists(SigMatch *sm,
SigMatch **, SigMatch **s,
SigMatch **, SigMatch **);
SigMatchData* SigMatchList2DataArray(SigMatch *head);
void SigParsePrepare(void);
void SigParseRegisterTests(void);
@ -62,13 +57,19 @@ int SigMatchListSMBelongsTo(const Signature *, const SigMatch *);
int DetectParseDupSigHashInit(DetectEngineCtx *);
void DetectParseDupSigHashFree(DetectEngineCtx *);
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg,
uint8_t sm_type, uint8_t sm_list,
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg,
int sm_type, int sm_list,
AppProto alproto, void (*CustomCallback)(Signature *s));
const char *DetectListToHumanString(int list);
const char *DetectListToString(int list);
SigMatch *DetectGetLastSM(const Signature *);
SigMatch *DetectGetLastSMFromMpmLists(const Signature *s);
SigMatch *DetectGetLastSMFromLists(const Signature *s, ...);
SigMatch *DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list, ...);
SigMatch *DetectGetLastSMByListId(const Signature *s, int list_id, ...);
/* parse regex setup and free util funcs */
void DetectSetupParseRegexes(const char *parse_str,

5
src/detect-pcre.c
Unescape Escape View File

@ -760,9 +760,8 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
/* errors below shouldn't free pd */
SigMatch *prev_pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
SigMatch *prev_pm = DetectGetLastSMByListPtr(s, sm->prev,
DETECT_CONTENT, DETECT_PCRE, -1);
if (s->init_data->list == DETECT_SM_LIST_NOTSET && prev_pm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre with /R (relative) needs "
"preceeding match in the same buffer");

2
src/detect-prefilter.c
Unescape Escape View File

@ -72,7 +72,7 @@ static int DetectPrefilterSetup (DetectEngineCtx *de_ctx, Signature *s, char *nu
goto end;
}
sm = SigMatchGetLastSM(s);
sm = DetectGetLastSM(s);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "prefilter needs preceding match");
goto end;

4
src/detect-rawbytes.c
Unescape Escape View File

@ -65,8 +65,8 @@ static int DetectRawbytesSetup (DetectEngineCtx *de_ctx, Signature *s, char *nul
SCReturnInt(-1);
}
SigMatch *pm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
SigMatch *pm = DetectGetLastSMByListId(s, DETECT_SM_LIST_PMATCH,
DETECT_CONTENT, -1);
if (pm == NULL) {
SCLogError(SC_ERR_RAWBYTES_MISSING_CONTENT, "\"rawbytes\" needs a preceding content option");
SCReturnInt(-1);

6
src/detect-replace.c
Unescape Escape View File

@ -103,9 +103,9 @@ int DetectReplaceSetup(DetectEngineCtx *de_ctx, Signature *s, char *replacestr)
return 0;
}
/* add to the latest "content" keyword from either dmatch or pmatch */
pm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
/* add to the latest "content" keyword from pmatch */
pm = DetectGetLastSMByListId(s, DETECT_SM_LIST_PMATCH,
DETECT_CONTENT, -1);
if (pm == NULL) {
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "replace needs"
"preceding content option for raw sig");

6
src/detect-threshold.c
Unescape Escape View File

@ -229,10 +229,10 @@ static int DetectThresholdSetup(DetectEngineCtx *de_ctx, Signature *s, char *raw
SigMatch *tmpm = NULL;
/* checks if there is a previous instance of detection_filter */
tmpm = SigMatchGetLastSMFromLists(s, 2,
DETECT_DETECTION_FILTER, s->init_data->smlists[DETECT_SM_LIST_MATCH]);
tmpm = DetectGetLastSMFromLists(s, DETECT_DETECTION_FILTER, -1);
if (tmpm != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and \"threshold\" are not allowed in the same rule");
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and "
"\"threshold\" are not allowed in the same rule");
SCReturnInt(-1);
}

34
src/detect-within.c
Unescape Escape View File

@ -84,37 +84,14 @@ static int DetectWithinSetup(DetectEngineCtx *de_ctx, Signature *s, char *within
dubbed = 1;
}
/* retrive the sm to apply the depth against */
if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->init_data->smlists_tail[s->init_data->list]);
} else {
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
}
/* retrieve the sm to apply the within against */
pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, -1);
if (pm == NULL) {
SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "within needs "
"preceding content, uricontent option, http_client_body, "
"http_server_body, http_header option, http_raw_header option, "
"http_method option, http_cookie, http_raw_uri, "
"http_stat_msg, http_stat_code, http_user_agent or "
"file_data/dce_stub_data sticky buffer option");
"preceding content option");
goto end;
}
/* verify other conditions */
DetectContentData *cd = (DetectContentData *)pm->ctx;
if (cd->flags & DETECT_CONTENT_WITHIN) {
@ -162,9 +139,8 @@ static int DetectWithinSetup(DetectEngineCtx *de_ctx, Signature *s, char *within
/* these are the only ones against which we set a flag. We have other
* relative keywords like byttest, isdataat, bytejump, but we don't
* set a flag against them */
SigMatch *prev_pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, pm->prev,
DETECT_PCRE, pm->prev);
SigMatch *prev_pm = DetectGetLastSMByListPtr(s, pm->prev,
DETECT_CONTENT, DETECT_PCRE, -1);
if (prev_pm == NULL) {
ret = 0;
goto end;

9
src/detect.c
Unescape Escape View File

@ -3486,7 +3486,7 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx)
int prefilter_list = DETECT_TBLSIZE;
/* get the keyword supporting prefilter with the lowest type */
for (i = 0; i < DETECT_SM_LIST_MAX; i++) {
for (i = 0; i < nlists; i++) {
SigMatch *sm = tmp_s->init_data->smlists[i];
while (sm != NULL) {
if (sigmatch_table[sm->type].SupportsPrefilter != NULL) {
@ -3500,7 +3500,7 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx)
/* apply that keyword as prefilter */
if (prefilter_list != DETECT_TBLSIZE) {
for (i = 0; i < DETECT_SM_LIST_MAX; i++) {
for (i = 0; i < nlists; i++) {
SigMatch *sm = tmp_s->init_data->smlists[i];
while (sm != NULL) {
if (sm->type == prefilter_list) {
@ -3963,6 +3963,7 @@ static int SigMatchPrepare(DetectEngineCtx *de_ctx)
{
SCEnter();
const int nlists = DetectBufferTypeMaxId();
Signature *s = de_ctx->sig_list;
for (; s != NULL; s = s->next) {
/* set up inspect engines */
@ -3976,7 +3977,7 @@ static int SigMatchPrepare(DetectEngineCtx *de_ctx)
/* free lists. Ctx' are xferred to sm_arrays so won't get freed */
int i;
for (i = 0; i < DETECT_SM_LIST_MAX; i++) {
for (i = 0; i < nlists; i++) {
SigMatch *sm = s->init_data->smlists[i];
while (sm != NULL) {
SigMatch *nsm = sm->next;
@ -3984,6 +3985,8 @@ static int SigMatchPrepare(DetectEngineCtx *de_ctx)
sm = nsm;
}
}
SCFree(s->init_data->smlists);
SCFree(s->init_data->smlists_tail);
SCFree(s->init_data);
s->init_data = NULL;
}

13
src/detect.h
Unescape Escape View File

@ -108,6 +108,11 @@ enum DetectSigmatchListEnum {
DETECT_SM_LIST_SUPPRESS,
DETECT_SM_LIST_THRESHOLD,
/* used for Signature->list, which indicates which list
* we're adding keywords to in cases of sticky buffers like
* file_data */
DETECT_SM_LIST_NOTSET,
DETECT_SM_LIST_BUILTIN_MAX,
/* list for http_uri keyword and the ones relative to it */
@ -166,10 +171,6 @@ enum DetectSigmatchListEnum {
DETECT_SM_LIST_MAX,
/* used for Signature->list, which indicates which list
* we're adding keywords to in cases of sticky buffers like
* file_data */
DETECT_SM_LIST_NOTSET,
};
/* a is ... than b */
@ -441,9 +442,9 @@ typedef struct SignatureInitData_ {
int prefilter_list;
/* holds all sm lists */
struct SigMatch_ *smlists[DETECT_SM_LIST_MAX];
struct SigMatch_ **smlists;
/* holds all sm lists' tails */
struct SigMatch_ *smlists_tail[DETECT_SM_LIST_MAX];
struct SigMatch_ **smlists_tail;
} SignatureInitData;
/** \brief Signature container */

86
src/util-threshold-config.c
Unescape Escape View File

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2010 Open Information Security Foundation
/* Copyright (C) 2007-2016 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
@ -460,8 +460,8 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid
/* Install it */
if (id == 0 && gid == 0) {
for (s = de_ctx->sig_list; s != NULL; s = s->next) {
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
sm = DetectGetLastSMByListId(s,
DETECT_SM_LIST_THRESHOLD, DETECT_THRESHOLD, -1);
if (sm != NULL) {
SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
"an event var set. The signature event var is "
@ -470,8 +470,8 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid
continue;
}
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_DETECTION_FILTER, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
sm = DetectGetLastSMByListId(s,
DETECT_SM_LIST_THRESHOLD, DETECT_DETECTION_FILTER, -1);
if (sm != NULL) {
SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
"an event var set. The signature event var is "
@ -523,18 +523,8 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid
} else if (id == 0 && gid > 0) {
for (s = de_ctx->sig_list; s != NULL; s = s->next) {
if (s->gid == gid) {
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
if (sm != NULL) {
SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
"an event var set. The signature event var is "
"given precedence over the threshold.conf one. "
"We'll change this in the future though.", id);
continue;
}
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_DETECTION_FILTER, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
sm = DetectGetLastSMByListId(s, DETECT_SM_LIST_THRESHOLD,
DETECT_THRESHOLD, DETECT_DETECTION_FILTER, -1);
if (sm != NULL) {
SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
"an event var set. The signature event var is "
@ -596,8 +586,8 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid
if (parsed_type != TYPE_SUPPRESS && parsed_type != TYPE_THRESHOLD &&
parsed_type != TYPE_BOTH && parsed_type != TYPE_LIMIT)
{
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
sm = DetectGetLastSMByListId(s,
DETECT_SM_LIST_THRESHOLD, DETECT_THRESHOLD, -1);
if (sm != NULL) {
SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
"a threshold set. The signature event var is "
@ -606,8 +596,8 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid
goto end;
}
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_DETECTION_FILTER, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
sm = DetectGetLastSMByListId(s, DETECT_SM_LIST_THRESHOLD,
DETECT_DETECTION_FILTER, -1);
if (sm != NULL) {
SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
"a detection_filter set. The signature event var is "
@ -617,20 +607,14 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid
}
/* replace threshold on sig if we have a global override for it */
#if 1
} else if (parsed_type == TYPE_THRESHOLD || parsed_type == TYPE_BOTH || parsed_type == TYPE_LIMIT) {
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
if (sm == NULL) {
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_DETECTION_FILTER, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
}
sm = DetectGetLastSMByListId(s, DETECT_SM_LIST_THRESHOLD,
DETECT_THRESHOLD, DETECT_DETECTION_FILTER, -1);
if (sm != NULL) {
SigMatchRemoveSMFromList(s, sm, DETECT_SM_LIST_THRESHOLD);
SigMatchFree(sm);
sm = NULL;
}
#endif
}
de = SCMalloc(sizeof(DetectThresholdData));
@ -1448,8 +1432,8 @@ int SCThresholdConfTest01(void)
FAIL_IF_NULL(g_ut_threshold_fp);
SCThresholdConfInitContext(de_ctx);
SigMatch *m = SigMatchGetLastSMFromLists(sig, 2,
DETECT_THRESHOLD, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD,
DETECT_THRESHOLD, -1);
FAIL_IF_NULL(m);
DetectThresholdData *de = (DetectThresholdData *)m->ctx;
@ -1481,8 +1465,8 @@ int SCThresholdConfTest02(void)
FAIL_IF_NULL(g_ut_threshold_fp);
SCThresholdConfInitContext(de_ctx);
SigMatch *m = SigMatchGetLastSMFromLists(sig, 2,
DETECT_THRESHOLD, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD,
DETECT_THRESHOLD, -1);
FAIL_IF_NULL(m);
DetectThresholdData *de = (DetectThresholdData *)m->ctx;
@ -1514,8 +1498,8 @@ int SCThresholdConfTest03(void)
FAIL_IF_NULL(g_ut_threshold_fp);
SCThresholdConfInitContext(de_ctx);
SigMatch *m = SigMatchGetLastSMFromLists(sig, 2,
DETECT_THRESHOLD, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD,
DETECT_THRESHOLD, -1);
FAIL_IF_NULL(m);
DetectThresholdData *de = (DetectThresholdData *)m->ctx;
@ -1547,8 +1531,8 @@ int SCThresholdConfTest04(void)
FAIL_IF_NULL(g_ut_threshold_fp);
SCThresholdConfInitContext(de_ctx);
SigMatch *m = SigMatchGetLastSMFromLists(sig, 2,
DETECT_THRESHOLD, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD,
DETECT_THRESHOLD, -1);
FAIL_IF_NOT_NULL(m);
DetectEngineCtxFree(de_ctx);
@ -1584,24 +1568,24 @@ int SCThresholdConfTest05(void)
SCThresholdConfInitContext(de_ctx);
Signature *s = de_ctx->sig_list;
SigMatch *m = SigMatchGetLastSMFromLists(s, 2,
DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
SigMatch *m = DetectGetLastSMByListId(s, DETECT_SM_LIST_THRESHOLD,
DETECT_THRESHOLD, -1);
FAIL_IF_NULL(m);
FAIL_IF_NULL(m->ctx);
DetectThresholdData *de = (DetectThresholdData *)m->ctx;
FAIL_IF_NOT(de->type == TYPE_THRESHOLD && de->track == TRACK_SRC && de->count == 100 && de->seconds == 60);
s = de_ctx->sig_list->next;
m = SigMatchGetLastSMFromLists(s, 2,
DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
m = DetectGetLastSMByListId(s, DETECT_SM_LIST_THRESHOLD,
DETECT_THRESHOLD, -1);
FAIL_IF_NULL(m);
FAIL_IF_NULL(m->ctx);
de = (DetectThresholdData *)m->ctx;
FAIL_IF_NOT(de->type == TYPE_THRESHOLD && de->track == TRACK_SRC && de->count == 100 && de->seconds == 60);
s = de_ctx->sig_list->next->next;
m = SigMatchGetLastSMFromLists(s, 2,
DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
m = DetectGetLastSMByListId(s, DETECT_SM_LIST_THRESHOLD,
DETECT_THRESHOLD, -1);
FAIL_IF_NULL(m);
FAIL_IF_NULL(m->ctx);
de = (DetectThresholdData *)m->ctx;
@ -1631,8 +1615,8 @@ int SCThresholdConfTest06(void)
FAIL_IF_NULL(g_ut_threshold_fp);
SCThresholdConfInitContext(de_ctx);
SigMatch *m = SigMatchGetLastSMFromLists(sig, 2,
DETECT_THRESHOLD, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD,
DETECT_THRESHOLD, -1);
FAIL_IF_NULL(m);
DetectThresholdData *de = (DetectThresholdData *)m->ctx;
@ -1664,8 +1648,8 @@ int SCThresholdConfTest07(void)
FAIL_IF_NULL(g_ut_threshold_fp);
SCThresholdConfInitContext(de_ctx);
SigMatch *m = SigMatchGetLastSMFromLists(sig, 2,
DETECT_DETECTION_FILTER, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD,
DETECT_DETECTION_FILTER, -1);
FAIL_IF_NULL(m);
DetectThresholdData *de = (DetectThresholdData *)m->ctx;
@ -1698,8 +1682,8 @@ int SCThresholdConfTest08(void)
FAIL_IF_NULL(g_ut_threshold_fp);
SCThresholdConfInitContext(de_ctx);
SigMatch *m = SigMatchGetLastSMFromLists(sig, 2,
DETECT_DETECTION_FILTER, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD,
DETECT_DETECTION_FILTER, -1);
FAIL_IF_NULL(m);
DetectThresholdData *de = (DetectThresholdData *)m->ctx;
@ -2109,8 +2093,8 @@ int SCThresholdConfTest13(void)
FAIL_IF_NULL(g_ut_threshold_fp);
SCThresholdConfInitContext(de_ctx);
SigMatch *m = SigMatchGetLastSMFromLists(sig, 2,
DETECT_THRESHOLD, sig->init_data->smlists[DETECT_SM_LIST_SUPPRESS]);
SigMatch *m = DetectGetLastSMByListId(sig,
DETECT_SM_LIST_SUPPRESS, DETECT_THRESHOLD, -1);
FAIL_IF_NULL(m);
DetectThresholdData *de = (DetectThresholdData *)m->ctx;

Write Preview
Loading…
Cancel
Save