IpOpts Rule Keyword

Signed-off-by: Brian Rectanus <brectanu@gmail.com>
remotes/origin/master-1.0.x
Brian Rectanus 16 years ago committed by Victor Julien
parent 27c61ac148
commit 7f1b0efab3

@ -25,7 +25,7 @@ static pcre_extra *parse_regex_study;
int DetectIpOptsMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *); int DetectIpOptsMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectIpOptsSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *str); int DetectIpOptsSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *str);
void IpOptsRegisterTests(void); void IpOptsRegisterTests(void);
void DetectIpOptsFree(void *);
/** /**
* \brief Registration function for ipopts: keyword * \brief Registration function for ipopts: keyword
@ -34,7 +34,7 @@ void DetectIpOptsRegister (void) {
sigmatch_table[DETECT_IPOPTS].name = "ipopts"; sigmatch_table[DETECT_IPOPTS].name = "ipopts";
sigmatch_table[DETECT_IPOPTS].Match = DetectIpOptsMatch; sigmatch_table[DETECT_IPOPTS].Match = DetectIpOptsMatch;
sigmatch_table[DETECT_IPOPTS].Setup = DetectIpOptsSetup; sigmatch_table[DETECT_IPOPTS].Setup = DetectIpOptsSetup;
sigmatch_table[DETECT_IPOPTS].Free = NULL; sigmatch_table[DETECT_IPOPTS].Free = DetectIpOptsFree;
sigmatch_table[DETECT_IPOPTS].RegisterTests = IpOptsRegisterTests; sigmatch_table[DETECT_IPOPTS].RegisterTests = IpOptsRegisterTests;
const char *eb; const char *eb;
@ -62,6 +62,7 @@ error:
} }
/** /**
* \internal
* \brief This function is used to match ip option on a packet with those passed via ipopts: * \brief This function is used to match ip option on a packet with those passed via ipopts:
* *
* \param t pointer to thread vars * \param t pointer to thread vars
@ -82,55 +83,28 @@ int DetectIpOptsMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p,
if(!de || !PKT_IS_IPV4(p) || !p) if(!de || !PKT_IS_IPV4(p) || !p)
return ret; return ret;
while(ipopt < p->IPV4_OPTS_CNT) { /* IPV4_OPT_ANY matches on any options */
switch(de->ipopt) { if (p->IPV4_OPTS_CNT && (de->ipopt == IPV4_OPT_ANY)) {
case IPV4_OPT_RR:
if(p->IPV4_OPTS[ipopt].type == IPV4_OPT_RR)
return 1;
break;
case IPV4_OPT_LSRR:
if(p->IPV4_OPTS[ipopt].type == IPV4_OPT_LSRR)
return 1; return 1;
break;
case IPV4_OPT_EOL:
if(p->IPV4_OPTS[ipopt].type == IPV4_OPT_EOL)
return 1;
break;
case IPV4_OPT_NOP:
if(p->IPV4_OPTS[ipopt].type == IPV4_OPT_NOP)
return 1;
break;
case IPV4_OPT_TS:
if(p->IPV4_OPTS[ipopt].type == IPV4_OPT_TS)
return 1;
break;
case IPV4_OPT_SEC:
if(p->IPV4_OPTS[ipopt].type == IPV4_OPT_SEC)
return 1;
break;
case IPV4_OPT_SSRR:
if(p->IPV4_OPTS[ipopt].type == IPV4_OPT_SSRR)
return 1;
break;
case IPV4_OPT_SID:
if(p->IPV4_OPTS[ipopt].type == IPV4_OPT_SID)
return 1;
break;
case IPV4_OPT_ANY:
return 1;
default:
return ret;
} }
ipopt++; /* Loop through instead of using o_xxx direct access fields so that
* future options do not require any modification here.
*/
while(ipopt < p->IPV4_OPTS_CNT) {
if (p->IPV4_OPTS[ipopt].type == de->ipopt) {
return 1;
}
ipopt++;
} }
return ret; return ret;
} }
/** /**
* \internal
* \brief This function is used to parse ipopts options passed via ipopts: keyword * \brief This function is used to parse ipopts options passed via ipopts: keyword
* *
* \param rawstr Pointer to the user provided ipopts options * \param rawstr Pointer to the user provided ipopts options
@ -152,7 +126,7 @@ DetectIpOptsData *DetectIpOptsParse (char *rawstr)
} }
for(i = 0; DIpOpts[i].ipopt_name != NULL; i++) { for(i = 0; DIpOpts[i].ipopt_name != NULL; i++) {
if((strncasecmp(DIpOpts[i].ipopt_name,rawstr,strlen(DIpOpts[i].ipopt_name))) == 0) { if((strcasecmp(DIpOpts[i].ipopt_name,rawstr)) == 0) {
found = 1; found = 1;
break; break;
} }
@ -177,6 +151,7 @@ error:
} }
/** /**
* \internal
* \brief this function is used to add the parsed ipopts into the current signature * \brief this function is used to add the parsed ipopts into the current signature
* *
* \param de_ctx pointer to the Detection Engine Context * \param de_ctx pointer to the Detection Engine Context
@ -213,11 +188,13 @@ error:
} }
/** /**
* \internal
* \brief this function will free memory associated with DetectIpOptsData * \brief this function will free memory associated with DetectIpOptsData
* *
* \param de pointer to DetectIpOptsData * \param de pointer to DetectIpOptsData
*/ */
void DetectIpOptsFree(DetectIpOptsData *de) { void DetectIpOptsFree(void *de_ptr) {
DetectIpOptsData *de = (DetectIpOptsData *)de_ptr;
if(de) free(de); if(de) free(de);
} }
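Review bot: In DetectIpOptsMatch the guard `if(!de || !PKT_IS_IPV4(p) || !p)` tests `p` for NULL only after `PKT_IS_IPV4(p)` has been evaluated, so if that macro dereferences the packet (its definition is not visible here) the `!p` test protects nothing. Since the commit rewrites the body directly below it, reorder the guard to `if (!p || !de || !PKT_IS_IPV4(p))`. The new loop indexes `p->IPV4_OPTS[ipopt]` for every index below `p->IPV4_OPTS_CNT`, which is only safe if the decoder keeps that count within the array, so a comment such as `/* IPV4_OPTS_CNT is bounded by the decoder to the size of IPV4_OPTS */` would be worth adding once confirmed. The function starts outside the hunk, so the declarations of `ipopt`, `de` and `ret` are assumed unchanged.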

@ -10,17 +10,39 @@
#include "decode-events.h" #include "decode-events.h"
#include "decode-ipv4.h" #include "decode-ipv4.h"
/**
* \struct DetectIpOptsData_
* DetectIpOptsData_ is used to store ipopts: input value
*/
/**
* \typedef DetectIpOptsData
* A typedef for DetectIpOptsData_
*/
typedef struct DetectIpOptsData_ { typedef struct DetectIpOptsData_ {
uint8_t ipopt; /**< Ip option */ uint8_t ipopt; /**< Ip option */
} DetectIpOptsData; } DetectIpOptsData;
/* prototypes */ /**
* Registration function for ipopts: keyword
*/
void DetectIpOptsRegister (void); void DetectIpOptsRegister (void);
#ifdef DETECT_EVENTS #ifdef DETECT_EVENTS
/**
* Used to check ipopts:any
*/
#define IPV4_OPT_ANY 0xff #define IPV4_OPT_ANY 0xff
/**
* \struct DetectIpOptss_
* DetectIpOptss_ is used to store supported iptops values
*/
struct DetectIpOptss_ { struct DetectIpOptss_ {
char *ipopt_name; /**< Ip option name */ char *ipopt_name; /**< Ip option name */
uint8_t code; /**< Ip option value */ uint8_t code; /**< Ip option value */
