aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

http_stat_code: dynamic buffer

Browse Source
pull/2559/head
Victor Julien 9 years ago
parent 128b59d4f6
commit 7e3ab4f5ea
8 changed files with 56 additions and 66 deletions
Show Stats Download Patch File Download Diff File

9
src/detect-engine-analyzer.c
Unescape Escape View File

@ -120,8 +120,6 @@ void EngineAnalysisFP(Signature *s, char *line)
fprintf(fp_engine_analysis_FD, "http raw header content\n");
else if (list_type == DETECT_SM_LIST_HCBDMATCH)
fprintf(fp_engine_analysis_FD, "http client body content\n");
else if (list_type == DETECT_SM_LIST_HSCDMATCH)
fprintf(fp_engine_analysis_FD, "http stat code content\n");
else if (list_type == DETECT_SM_LIST_HSMDMATCH)
fprintf(fp_engine_analysis_FD, "http stat msg content\n");
else {
@ -466,8 +464,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s)
fprintf(rule_engine_analysis_FD, "http raw header content");
else if (list_type == DETECT_SM_LIST_HCBDMATCH)
fprintf(rule_engine_analysis_FD, "http client body content");
else if (list_type == DETECT_SM_LIST_HSCDMATCH)
fprintf(rule_engine_analysis_FD, "http stat code content");
else if (list_type == DETECT_SM_LIST_HSMDMATCH)
fprintf(rule_engine_analysis_FD, "http stat msg content");
else if (list_type == DETECT_SM_LIST_DNSQUERYNAME_MATCH)
@ -574,6 +570,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
const int httpuri_id = DetectBufferTypeGetByName("http_uri");
const int httpuseragent_id = DetectBufferTypeGetByName("http_user_agent");
const int httpcookie_id = DetectBufferTypeGetByName("http_cookie");
const int httpstatcode_id = DetectBufferTypeGetByName("http_stat_code");
if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) {
rule_bidirectional = 1;
@ -642,7 +639,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
raw_http_buf += 1;
http_stat_msg_buf += 1;
}
else if (list_id == DETECT_SM_LIST_HSCDMATCH) {
else if (list_id == httpstatcode_id) {
rule_pcre_http += 1;
raw_http_buf += 1;
http_stat_code_buf += 1;
@ -703,7 +700,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
raw_http_buf += 1;
http_stat_msg_buf += 1;
}
else if (list_id == DETECT_SM_LIST_HSCDMATCH) {
else if (list_id == httpstatcode_id) {
rule_content_http += 1;
raw_http_buf += 1;
http_stat_code_buf += 1;

2
src/detect-engine.c
Unescape Escape View File

@ -2808,8 +2808,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
return "http raw headers";
case DETECT_SM_LIST_HSMDMATCH:
return "http stat msg";
case DETECT_SM_LIST_HSCDMATCH:
return "http stat code";
case DETECT_SM_LIST_APP_EVENT:
return "app layer events";

44
src/detect-fast-pattern.c
Unescape Escape View File

@ -328,6 +328,7 @@ static int g_http_ua_buffer_id = 0;
static int g_http_cookie_buffer_id = 0;
static int g_http_host_buffer_id = 0;
static int g_http_raw_host_buffer_id = 0;
static int g_http_stat_code_buffer_id = 0;
/**
* \test Checks if a fast_pattern is registered in a Signature
@ -11719,7 +11720,7 @@ int DetectFastPatternTest425(void)
"content:\"three\"; http_stat_code; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -11757,7 +11758,7 @@ int DetectFastPatternTest426(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSCDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_stat_code_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
@ -11794,7 +11795,7 @@ int DetectFastPatternTest427(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSCDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_stat_code_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
@ -11825,7 +11826,7 @@ int DetectFastPatternTest428(void)
if (de_ctx->sig_list == NULL)
goto end;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSCDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_stat_code_buffer_id];
if (sm == NULL) {
goto end;
}
@ -11862,7 +11863,7 @@ int DetectFastPatternTest429(void)
if (de_ctx->sig_list == NULL)
goto end;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSCDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_stat_code_buffer_id];
if (sm == NULL) {
goto end;
}
@ -12107,7 +12108,7 @@ int DetectFastPatternTest439(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -12139,7 +12140,7 @@ int DetectFastPatternTest440(void)
"content:\"two\"; fast_pattern:only; http_stat_code; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -12171,7 +12172,7 @@ int DetectFastPatternTest441(void)
"content:\"two\"; fast_pattern:only; http_stat_code; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -12203,7 +12204,7 @@ int DetectFastPatternTest442(void)
"content:\"two\"; fast_pattern:only; http_stat_code; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -12234,7 +12235,7 @@ int DetectFastPatternTest443(void)
"content:\"two\"; http_stat_code; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -12359,7 +12360,7 @@ int DetectFastPatternTest448(void)
"content:\"three\"; http_stat_code; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -12391,7 +12392,7 @@ int DetectFastPatternTest449(void)
"content:\"three\"; http_stat_code; distance:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -12423,7 +12424,7 @@ int DetectFastPatternTest450(void)
"content:\"three\"; http_stat_code; within:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -12455,7 +12456,7 @@ int DetectFastPatternTest451(void)
"content:\"three\"; http_stat_code; offset:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -12487,7 +12488,7 @@ int DetectFastPatternTest452(void)
"content:\"three\"; http_stat_code; depth:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -12519,7 +12520,7 @@ int DetectFastPatternTest453(void)
"content:\"oneonethree\"; fast_pattern:3,4; http_stat_code; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -12551,7 +12552,7 @@ int DetectFastPatternTest454(void)
"content:\"oneonethree\"; fast_pattern:3,4; http_stat_code; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -12583,7 +12584,7 @@ int DetectFastPatternTest455(void)
"content:\"oneonethree\"; fast_pattern:3,4; http_stat_code; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -12615,7 +12616,7 @@ int DetectFastPatternTest456(void)
"content:\"oneonethree\"; fast_pattern:3,4; http_stat_code; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -12722,7 +12723,7 @@ int DetectFastPatternTest460(void)
"content:\"three\"; http_stat_code; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -12851,7 +12852,7 @@ int DetectFastPatternTest465(void)
"content:\"three\"; http_stat_code; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -18835,6 +18836,7 @@ void DetectFastPatternRegisterTests(void)
g_http_cookie_buffer_id = DetectBufferTypeGetByName("http_cookie");
g_http_host_buffer_id = DetectBufferTypeGetByName("http_host");
g_http_raw_host_buffer_id = DetectBufferTypeGetByName("http_raw_host");
g_http_stat_code_buffer_id = DetectBufferTypeGetByName("http_stat_code");
UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01);
UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02);

35
src/detect-http-stat-code.c
Unescape Escape View File

@ -63,12 +63,10 @@
#include "stream-tcp-private.h"
#include "stream-tcp.h"
int DetectHttpStatCodeMatch(ThreadVars *, DetectEngineThreadCtx *,
Flow *, uint8_t , void *, Signature *,
SigMatch *);
static int DetectHttpStatCodeSetup(DetectEngineCtx *, Signature *, char *);
void DetectHttpStatCodeRegisterTests(void);
void DetectHttpStatCodeFree(void *);
static void DetectHttpStatCodeRegisterTests(void);
static void DetectHttpStatCodeSetupCallback(Signature *);
static int g_http_stat_code_buffer_id = 0;
/**
* \brief Registration function for keyword: http_stat_code
@ -87,13 +85,20 @@ void DetectHttpStatCodeRegister (void)
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].flags |= SIGMATCH_PAYLOAD;
DetectMpmAppLayerRegister("http_stat_code", SIG_FLAG_TOCLIENT,
DETECT_SM_LIST_HSCDMATCH, 4,
DetectAppLayerMpmRegister("http_stat_code", SIG_FLAG_TOCLIENT, 4,
PrefilterTxHttpStatCodeRegister);
DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
DETECT_SM_LIST_HSCDMATCH,
DetectAppLayerInspectEngineRegister2("http_stat_code",
ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
DetectEngineInspectHttpStatCode);
DetectBufferTypeSetDescriptionByName("http_stat_code",
"http response status code");
DetectBufferTypeRegisterSetupCallback("http_stat_code",
DetectHttpStatCodeSetupCallback);
g_http_stat_code_buffer_id = DetectBufferTypeGetByName("http_stat_code");
}
/**
@ -111,11 +116,17 @@ static int DetectHttpStatCodeSetup(DetectEngineCtx *de_ctx, Signature *s, char *
{
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_STAT_CODE,
DETECT_SM_LIST_HSCDMATCH,
g_http_stat_code_buffer_id,
ALPROTO_HTTP,
NULL);
}
static void DetectHttpStatCodeSetupCallback(Signature *s)
{
SCLogDebug("callback invoked by %u", s->id);
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
}
#ifdef UNITTESTS
/**
@ -156,7 +167,7 @@ int DetectHttpStatCodeTest01(void)
printf("sid 3 parse failed: ");
goto end;
}
if (!(((DetectContentData *)de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSCDMATCH]->ctx)->flags &
if (!(((DetectContentData *)de_ctx->sig_list->sm_lists[g_http_stat_code_buffer_id]->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN))
{
goto end;
@ -194,7 +205,7 @@ int DetectHttpStatCodeTest02(void)
}
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSCDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_stat_code_buffer_id];
if (sm == NULL) {
printf("no sigmatch(es): ");
goto end;

8
src/detect-parse.c
Unescape Escape View File

@ -146,7 +146,6 @@ const char *DetectListToHumanString(int list)
CASE_CODE_STRING(DETECT_SM_LIST_HHDMATCH, "http_header");
CASE_CODE_STRING(DETECT_SM_LIST_HRHDMATCH, "http_raw_header");
CASE_CODE_STRING(DETECT_SM_LIST_HSMDMATCH, "http_stat_msg");
CASE_CODE_STRING(DETECT_SM_LIST_HSCDMATCH, "http_stat_code");
CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event");
CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer");
CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
@ -182,7 +181,6 @@ const char *DetectListToString(int list)
CASE_CODE(DETECT_SM_LIST_HHDMATCH);
CASE_CODE(DETECT_SM_LIST_HRHDMATCH);
CASE_CODE(DETECT_SM_LIST_HSMDMATCH);
CASE_CODE(DETECT_SM_LIST_HSCDMATCH);
CASE_CODE(DETECT_SM_LIST_APP_EVENT);
CASE_CODE(DETECT_SM_LIST_AMATCH);
CASE_CODE(DETECT_SM_LIST_DMATCH);
@ -1428,8 +1426,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
}
} else if (fd->flags & FLOW_PKT_TOSERVER) {
/* check for uricontent + from_server/to_client */
if (s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL) {
if (s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use http_"
"server_body, http_stat_msg, http_stat_code "
"with flow:to_server or flow:from_client");
@ -1540,8 +1537,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH])
s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH])
{
SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet "
"specific matches (like dsize, flags, ttl) with stream / "

10
src/detect-pcre.c
Unescape Escape View File

@ -482,10 +482,12 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr,
/* snort's option */
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HSMDMATCH);
break;
case 'S':
case 'S': {
/* snort's option */
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HSCDMATCH);
int list = DetectBufferTypeGetByName("http_stat_code");
*sm_list = DetectPcreSetList(*sm_list, list);
break;
}
default:
SCLogError(SC_ERR_UNKNOWN_REGEX_MOD, "unknown regex modifier '%c'", *op);
goto error;
@ -683,8 +685,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
parsed_sm_list == DETECT_SM_LIST_HCBDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HHDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HRHDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HSMDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HSCDMATCH)
parsed_sm_list == DETECT_SM_LIST_HSMDMATCH)
{
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
@ -718,7 +719,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
case DETECT_SM_LIST_HHDMATCH:
case DETECT_SM_LIST_HRHDMATCH:
case DETECT_SM_LIST_HSMDMATCH:
case DETECT_SM_LIST_HSCDMATCH:
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = parsed_sm_list;

12
src/detect.c
Unescape Escape View File

@ -1927,9 +1927,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL)
return 0;
@ -2017,9 +2014,6 @@ static int SignatureIsPDOnly(const Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL)
return 0;
@ -2124,7 +2118,6 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s)
s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
{
SCReturnInt(0);
@ -2303,11 +2296,6 @@ static int SignatureCreateMask(Signature *s)
SCLogDebug("sig requires http app state");
}
if (s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
SCLogDebug("sig requires http app state");
}
SigMatch *sm;
for (sm = s->init_data->smlists[DETECT_SM_LIST_AMATCH] ; sm != NULL; sm = sm->next) {
switch(sm->type) {

2
src/detect.h
Unescape Escape View File

@ -125,8 +125,6 @@ enum DetectSigmatchListEnum {
DETECT_SM_LIST_HRHDMATCH,
/* list for http_stat_msg keyword and the ones relative to it */
DETECT_SM_LIST_HSMDMATCH,
/* list for http_stat_code keyword and the ones relative to it */
DETECT_SM_LIST_HSCDMATCH,
/* app event engine sm list */
DETECT_SM_LIST_APP_EVENT,

Write Preview
Loading…
Cancel
Save