Move dce payload inspection to stateful detection engine.

remotes/origin/master-1.0.x
Victor Julien 16 years ago
parent 015385c6bd
commit 8cea3779fa

@ -64,21 +64,20 @@
* For accounting the last match in relative matching,
* det_ctx->payload_offset var is used.
*
* \param de_ctx Detection engine context.
* \param det_ctx Detection engine thread context.
* \param s Signature to inspect.
* \param sm SigMatch to inspect.
* \param p Packet.
* \param payload Pointer to the dce stub to inspect.
* \param payload_len Length of the payload
* \param de_ctx Detection engine context.
* \param det_ctx Detection engine thread context.
* \param s Signature to inspect.
* \param sm SigMatch to inspect.
* \param f Flow
* \param payload Pointer to the dce stub to inspect.
* \param payload_len Length of the payload
*
* \retval 0 No match.
* \retval 1 Match.
*/
static int DoInspectDcePayload(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Signature *s,
SigMatch *sm, Packet *p, uint8_t *stub,
uint32_t stub_len)
DetectEngineThreadCtx *det_ctx, Signature *s,
SigMatch *sm, Flow *f, uint8_t *stub, uint32_t stub_len)
{
SCEnter();
@ -232,8 +231,8 @@ static int DoInspectDcePayload(DetectEngineCtx *de_ctx,
/* see if the next payload keywords match. If not, we will
* search for another occurence of this content and see
* if the others match then until we run out of matches */
int r = DoInspectDcePayload(de_ctx, det_ctx, s, sm->next, p,
stub, stub_len);
int r = DoInspectDcePayload(de_ctx, det_ctx, s, sm->next,
f, stub, stub_len);
if (r == 1) {
SCReturnInt(1);
}
@ -278,7 +277,8 @@ static int DoInspectDcePayload(DetectEngineCtx *de_ctx,
{
SCLogDebug("inspecting pcre");
int r = DetectPcrePayloadDoMatch(det_ctx, s, sm, p, stub, stub_len);
int r = DetectPcrePayloadMatch(det_ctx, s, sm, /* no packet */NULL,
f, stub, stub_len);
if (r == 1) {
goto match;
}
@ -317,8 +317,7 @@ match:
/* this sigmatch matched, inspect the next one. If it was the last,
* the payload portion of the signature matched. */
if (sm->next != NULL) {
int r = DoInspectDcePayload(de_ctx, det_ctx, s, sm->next, p, stub,
stub_len);
int r = DoInspectDcePayload(de_ctx, det_ctx, s, sm->next, f, stub, stub_len);
SCReturnInt(r);
} else {
SCReturnInt(1);
@ -335,14 +334,13 @@ match:
* \param f Flow.
* \param flags App layer flags.
* \param state App layer state.
* \param p Packet.
*
* \retval 0 No match.
* \retval 1 Match.
*/
int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Signature *s,
Flow *f, uint8_t flags, void *alstate, Packet *p)
Flow *f, uint8_t flags, void *alstate)
{
SCEnter();
DCERPCState *dcerpc_state = (DCERPCState *)alstate;
@ -374,7 +372,7 @@ int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
det_ctx->payload_offset = 0;
r = DoInspectDcePayload(de_ctx, det_ctx, s, s->dmatch, p,
r = DoInspectDcePayload(de_ctx, det_ctx, s, s->dmatch, f,
dce_stub_data, dce_stub_data_len);
if (r == 1) {
SCReturnInt(1);
@ -1619,35 +1617,35 @@ int DcePayloadTest01(void)
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, &p[0]);
if ((PacketAlertCheck(&p[0], 1))) {
printf("sid 1 didn't match but should have: ");
printf("sid 1 didn't match but should have (0): ");
goto end;
}
if ((PacketAlertCheck(&p[0], 2))) {
printf("sid 1 didn't match but should have: ");
printf("sid 2 didn't match but should have (0): ");
goto end;
}
if ((PacketAlertCheck(&p[0], 3))) {
printf("sid 1 didn't match but should have: ");
printf("sid 3 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[0], 4))) {
printf("sid 1 didn't match but should have: ");
printf("sid 4 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[0], 5))) {
printf("sid 1 didn't match but should have: ");
printf("sid 5 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[0], 6))) {
printf("sid 1 didn't match but should have: ");
printf("sid 6 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[0], 7))) {
printf("sid 1 didn't match but should have: ");
printf("sid 7 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[0], 8))) {
printf("sid 1 didn't match but should have: ");
printf("sid 8 didn't match but should have: ");
goto end;
}
@ -1660,35 +1658,35 @@ int DcePayloadTest01(void)
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, &p[1]);
if ((PacketAlertCheck(&p[1], 1))) {
printf("sid 1 didn't match but should have: ");
printf("sid 1 didn't match but should have (1): ");
goto end;
}
if ((PacketAlertCheck(&p[1], 2))) {
printf("sid 1 didn't match but should have: ");
printf("sid 2 didn't match but should have (1): ");
goto end;
}
if ((PacketAlertCheck(&p[1], 3))) {
printf("sid 1 didn't match but should have: ");
printf("sid 3 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[1], 4))) {
printf("sid 1 didn't match but should have: ");
printf("sid 4 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[1], 5))) {
printf("sid 1 didn't match but should have: ");
printf("sid 5 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[1], 6))) {
printf("sid 1 didn't match but should have: ");
printf("sid 6 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[1], 7))) {
printf("sid 1 didn't match but should have: ");
printf("sid 7 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[1], 8))) {
printf("sid 1 didn't match but should have: ");
printf("sid 8 didn't match but should have: ");
goto end;
}
@ -1701,38 +1699,39 @@ int DcePayloadTest01(void)
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, &p[2]);
if ((PacketAlertCheck(&p[2], 1))) {
printf("sid 1 didn't match but should have: ");
printf("sid 1 didn't match but should have (2): ");
goto end;
}
if ((PacketAlertCheck(&p[2], 2))) {
printf("sid 1 didn't match but should have: ");
printf("sid 2 didn't match but should have (2): ");
goto end;
}
if ((PacketAlertCheck(&p[2], 3))) {
printf("sid 1 didn't match but should have: ");
printf("sid 3 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[2], 4))) {
printf("sid 1 didn't match but should have: ");
printf("sid 4 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[2], 5))) {
printf("sid 1 didn't match but should have: ");
printf("sid 5 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[2], 6))) {
printf("sid 1 didn't match but should have: ");
printf("sid 6 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[2], 7))) {
printf("sid 1 didn't match but should have: ");
printf("sid 7 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[2], 8))) {
printf("sid 1 didn't match but should have: ");
printf("sid 8 didn't match but should have: ");
goto end;
}
SCLogDebug("sending request 2");
r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request2, request2_len);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
@ -1742,38 +1741,39 @@ int DcePayloadTest01(void)
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, &p[3]);
if (!(PacketAlertCheck(&p[3], 1))) {
printf("sid 1 didn't match but should have: ");
printf("sid 1 didn't match but should have (3): ");
goto end;
}
if ((PacketAlertCheck(&p[3], 2))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[3], 2))) {
printf("sid 2 didn't match but should have (3): ");
goto end;
}
if ((PacketAlertCheck(&p[3], 3))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[3], 3))) {
printf("sid 3 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[3], 4))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[3], 4))) {
printf("sid 4 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[3], 5))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[3], 5))) {
printf("sid 5 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[3], 6))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[3], 6))) {
printf("sid 6 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[3], 7))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[3], 7))) {
printf("sid 7 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[3], 8))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[3], 8))) {
printf("sid 8 didn't match but should have: ");
goto end;
}
SCLogDebug("sending request 3");
r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request3, request3_len);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
@ -1781,40 +1781,42 @@ int DcePayloadTest01(void)
goto end;
}
/* detection phase */
SCLogDebug("inspecting packet 4");
SigMatchSignatures(&tv, de_ctx, det_ctx, &p[4]);
if ((PacketAlertCheck(&p[4], 1))) {
printf("sid 1 didn't match but should have: ");
printf("sid 1 didn't match but should have (4): ");
goto end;
}
if (!(PacketAlertCheck(&p[4], 2))) {
printf("sid 1 didn't match but should have: ");
printf("sid 2 didn't match but should have (4): ");
goto end;
}
if ((PacketAlertCheck(&p[4], 3))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[4], 3))) {
printf("sid 3 didn't match but should have (4): ");
goto end;
}
if ((PacketAlertCheck(&p[4], 4))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[4], 4))) {
printf("sid 4 didn't match but should have (4): ");
goto end;
}
if ((PacketAlertCheck(&p[4], 5))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[4], 5))) {
printf("sid 5 didn't match but should have (4): ");
goto end;
}
if ((PacketAlertCheck(&p[4], 6))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[4], 6))) {
printf("sid 6 didn't match but should have (4): ");
goto end;
}
if ((PacketAlertCheck(&p[4], 7))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[4], 7))) {
printf("sid 7 didn't match but should have (4): ");
goto end;
}
if ((PacketAlertCheck(&p[4], 8))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[4], 8))) {
printf("sid 8 didn't match but should have (4): ");
goto end;
}
SCLogDebug("sending request 4");
r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request4, request4_len);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
@ -1824,35 +1826,35 @@ int DcePayloadTest01(void)
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, &p[5]);
if ((PacketAlertCheck(&p[5], 1))) {
printf("sid 1 didn't match but should have: ");
printf("sid 1 didn't match but should have (5): ");
goto end;
}
if ((PacketAlertCheck(&p[5], 2))) {
printf("sid 1 didn't match but should have: ");
printf("sid 2 didn't match but should have (5): ");
goto end;
}
if (!(PacketAlertCheck(&p[5], 3))) {
printf("sid 1 didn't match but should have: ");
printf("sid 3 didn't match but should have (5): ");
goto end;
}
if ((PacketAlertCheck(&p[5], 4))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[5], 4))) {
printf("sid 4 didn't match but should have (5): ");
goto end;
}
if ((PacketAlertCheck(&p[5], 5))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[5], 5))) {
printf("sid 5 didn't match but should have (5): ");
goto end;
}
if ((PacketAlertCheck(&p[5], 6))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[5], 6))) {
printf("sid 6 didn't match but should have (5): ");
goto end;
}
if ((PacketAlertCheck(&p[5], 7))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[5], 7))) {
printf("sid 7 didn't match but should have (5): ");
goto end;
}
if ((PacketAlertCheck(&p[5], 8))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[5], 8))) {
printf("sid 8 didn't match but should have (5): ");
goto end;
}
@ -1865,35 +1867,35 @@ int DcePayloadTest01(void)
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, &p[6]);
if ((PacketAlertCheck(&p[6], 1))) {
printf("sid 1 didn't match but should have: ");
printf("sid 1 didn't match but should have (6): ");
goto end;
}
if ((PacketAlertCheck(&p[6], 2))) {
printf("sid 1 didn't match but should have: ");
printf("sid 2 didn't match but should have (6): ");
goto end;
}
if ((PacketAlertCheck(&p[6], 3))) {
printf("sid 1 didn't match but should have: ");
printf("sid 3 didn't match but should have (6): ");
goto end;
}
if (!(PacketAlertCheck(&p[6], 4))) {
printf("sid 1 didn't match but should have: ");
printf("sid 4 didn't match but should have (6): ");
goto end;
}
if ((PacketAlertCheck(&p[6], 5))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[6], 5))) {
printf("sid 5 didn't match but should have (6): ");
goto end;
}
if ((PacketAlertCheck(&p[6], 6))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[6], 6))) {
printf("sid 6 didn't match but should have (6): ");
goto end;
}
if ((PacketAlertCheck(&p[6], 7))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[6], 7))) {
printf("sid 7 didn't match but should have (6): ");
goto end;
}
if ((PacketAlertCheck(&p[6], 8))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[6], 8))) {
printf("sid 8 didn't match but should have (6): ");
goto end;
}
@ -1906,35 +1908,35 @@ int DcePayloadTest01(void)
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, &p[7]);
if ((PacketAlertCheck(&p[7], 1))) {
printf("sid 1 didn't match but should have: ");
printf("sid 1 didn't match but should have (7): ");
goto end;
}
if ((PacketAlertCheck(&p[7], 2))) {
printf("sid 1 didn't match but should have: ");
printf("sid 2 didn't match but should have (7): ");
goto end;
}
if ((PacketAlertCheck(&p[7], 3))) {
printf("sid 1 didn't match but should have: ");
printf("sid 3 didn't match but should have (7): ");
goto end;
}
if ((PacketAlertCheck(&p[7], 4))) {
printf("sid 1 didn't match but should have: ");
printf("sid 4 didn't match but should have (7): ");
goto end;
}
if (!(PacketAlertCheck(&p[7], 5))) {
printf("sid 1 didn't match but should have: ");
printf("sid 5 didn't match but should have (7): ");
goto end;
}
if ((PacketAlertCheck(&p[7], 6))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[7], 6))) {
printf("sid 6 didn't match but should have (7): ");
goto end;
}
if ((PacketAlertCheck(&p[7], 7))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[7], 7))) {
printf("sid 7 didn't match but should have (7): ");
goto end;
}
if ((PacketAlertCheck(&p[7], 8))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[7], 8))) {
printf("sid 8 didn't match but should have (7): ");
goto end;
}
@ -1947,35 +1949,35 @@ int DcePayloadTest01(void)
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, &p[8]);
if ((PacketAlertCheck(&p[8], 1))) {
printf("sid 1 didn't match but should have: ");
printf("sid 1 didn't match but should have (8): ");
goto end;
}
if ((PacketAlertCheck(&p[8], 2))) {
printf("sid 1 didn't match but should have: ");
printf("sid 2 didn't match but should have (8): ");
goto end;
}
if ((PacketAlertCheck(&p[8], 3))) {
printf("sid 1 didn't match but should have: ");
printf("sid 3 didn't match but should have (8): ");
goto end;
}
if ((PacketAlertCheck(&p[8], 4))) {
printf("sid 1 didn't match but should have: ");
printf("sid 4 didn't match but should have (8): ");
goto end;
}
if ((PacketAlertCheck(&p[8], 5))) {
printf("sid 1 didn't match but should have: ");
printf("sid 5 didn't match but should have (8): ");
goto end;
}
if (!(PacketAlertCheck(&p[8], 6))) {
printf("sid 1 didn't match but should have: ");
printf("sid 6 didn't match but should have (8): ");
goto end;
}
if ((PacketAlertCheck(&p[8], 7))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[8], 7))) {
printf("sid 7 didn't match but should have (8): ");
goto end;
}
if ((PacketAlertCheck(&p[8], 8))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[8], 8))) {
printf("sid 8 didn't match but should have (8): ");
goto end;
}
@ -1992,31 +1994,31 @@ int DcePayloadTest01(void)
goto end;
}
if ((PacketAlertCheck(&p[9], 2))) {
printf("sid 1 didn't match but should have: ");
printf("sid 2 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[9], 3))) {
printf("sid 1 didn't match but should have: ");
printf("sid 3 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[9], 4))) {
printf("sid 1 didn't match but should have: ");
printf("sid 4 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[9], 5))) {
printf("sid 1 didn't match but should have: ");
printf("sid 5 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[9], 6))) {
printf("sid 1 didn't match but should have: ");
printf("sid 6 didn't match but should have: ");
goto end;
}
if (!(PacketAlertCheck(&p[9], 7))) {
printf("sid 1 didn't match but should have: ");
printf("sid 7 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[9], 8))) {
printf("sid 1 didn't match but should have: ");
if (!(PacketAlertCheck(&p[9], 8))) {
printf("sid 8 didn't match but should have: ");
goto end;
}
@ -2033,31 +2035,31 @@ int DcePayloadTest01(void)
goto end;
}
if ((PacketAlertCheck(&p[10], 2))) {
printf("sid 1 didn't match but should have: ");
printf("sid 2 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[10], 3))) {
printf("sid 1 didn't match but should have: ");
printf("sid 3 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[10], 4))) {
printf("sid 1 didn't match but should have: ");
printf("sid 4 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[10], 5))) {
printf("sid 1 didn't match but should have: ");
printf("sid 5 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[10], 6))) {
printf("sid 1 didn't match but should have: ");
printf("sid 6 didn't match but should have: ");
goto end;
}
if ((PacketAlertCheck(&p[10], 7))) {
printf("sid 1 didn't match but should have: ");
printf("sid 7 didn't match but should have: ");
goto end;
}
if (!(PacketAlertCheck(&p[10], 8))) {
printf("sid 1 didn't match but should have: ");
printf("sid 8 didn't match but should have: ");
goto end;
}
@ -2472,7 +2474,7 @@ int DcePayloadTest02(void)
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, &p[2]);
if ((PacketAlertCheck(&p[2], 1))) {
if (!(PacketAlertCheck(&p[2], 1))) {
printf("sid 1 didn't match but should have: ");
goto end;
}
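Review bot: The pcre branch of DoInspectDcePayload (`@ -278,7 +277,8`) now calls DetectPcrePayloadMatch with `/* no packet */NULL` for the Packet argument, and since DetectPcrePayloadMatch's body is outside this diff I cannot confirm that every path in it tolerates `p == NULL`; a dce-only signature now reaches this call from the stateful engine with no packet at all, so an unconditional `p->` dereference inside it would crash. Turn the inline marker into a comment that states the contract, e.g. `/* p is NULL here: the stub comes from the flow's app-layer state, not from a packet */`, and add the same caveat to DoInspectDcePayload's doc block. While that doc block is being rewritten it still lists `\param payload` and `\param payload_len` although the parameters are named `stub` and `stub_len`; rename the entries to match. In the DcePayloadTest01 hunks the checks of the form `if ((PacketAlertCheck(&p[0], 1)))` fire when the sid did match, yet the corrected message still says `sid 1 didn't match but should have`; those should read `sid 1 matched but shouldn't have` so a failing test reports the right direction. DoInspectDcePayload and DcePayloadTest01 both continue outside these hunks.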

@ -25,7 +25,8 @@
#define __DETECT_ENGINE_DCEPAYLOAD_H__
int DetectEngineInspectDcePayload(DetectEngineCtx *, DetectEngineThreadCtx *,
Signature *, Flow *, uint8_t, void *, Packet *);
Signature *, Flow *, uint8_t, void *);
void DcePayloadRegisterTests(void);
#endif /* __DETECT_ENGINE_DCEPAYLOAD_H__ */

@ -29,7 +29,9 @@
#include "detect-engine.h"
#include "detect-parse.h"
#include "detect-engine-state.h"
#include "detect-engine-uri.h"
#include "detect-engine-dcepayload.h"
#include "stream-tcp.h"
#include "stream-tcp-private.h"
@ -175,8 +177,9 @@ int DeStateUpdateInspectTransactionId(Flow *f) {
* \param s signature
* \param sm sigmatch
* \param uri did uri already match (if any)
* \param dce did dce already match (if any)
*/
void DeStateSignatureAppend(DetectEngineState *state, Signature *s, SigMatch *sm, char uri) {
static void DeStateSignatureAppend(DetectEngineState *state, Signature *s, SigMatch *sm, char uri, char dce) {
DeStateStore *store = state->tail;
if (store == NULL) {
@ -207,6 +210,9 @@ void DeStateSignatureAppend(DetectEngineState *state, Signature *s, SigMatch *sm
if (uri) {
store->store[idx].flags |= DE_STATE_FLAG_URI_MATCH;
}
if (dce) {
store->store[idx].flags |= DE_STATE_FLAG_DCE_MATCH;
}
store->store[idx].nm = sm;
state->cnt++;
@ -264,6 +270,10 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
int r = 0;
char umatch = 0;
char uinspect = 0;
char dmatch = 0;
char dinspect = 0;
char appinspect = 0;
char appmatch = 0;
if (alstate == NULL) {
SCReturnInt(0);
@ -287,8 +297,26 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
SCLogDebug("uri inspected but no match");
}
}
} else if (alproto == ALPROTO_DCERPC) {
if (s->dmatch != NULL) {
dinspect = 1;
SCLogDebug("inspecting dce payload");
if (DetectEngineInspectDcePayload(de_ctx, det_ctx, s, f,
flags, alstate) == 1)
{
SCLogDebug("dce payload matched");
dmatch = 1;
} else {
SCLogDebug("dce payload inspected but no match");
}
}
}
appinspect = uinspect + dinspect;
appmatch = umatch + dmatch;
if (s->amatch != NULL) {
for ( ; sm != NULL; sm = sm->next) {
SCLogDebug("sm %p, sm->next %p", sm, sm->next);
@ -303,7 +331,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
} else if (sm->next == NULL) {
sm = NULL; /* set to NULL as we have a match */
if (!uinspect || (uinspect && umatch)) {
if (!appinspect || (appinspect == appmatch)) {
r = 1;
}
break;
@ -311,12 +339,13 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
}
}
} else {
if (uinspect && umatch) {
if (appinspect > 0 && (appinspect == appmatch)) {
r = 1;
}
}
SCLogDebug("detection done, store results");
SCLogDebug("detection done, store results: sm %p, uri %d, dce %d",
sm, umatch, dmatch);
SCMutexLock(&f->m);
/* match or no match, we store the state anyway
@ -329,7 +358,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
if (f->de_state != NULL) {
SCMutexLock(&f->de_state->m);
DeStateSignatureAppend(f->de_state, s, sm, umatch);
DeStateSignatureAppend(f->de_state, s, sm, umatch, dmatch);
SCMutexUnlock(&f->de_state->m);
}
@ -349,6 +378,10 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
DeStateStore *store = NULL;
char umatch = 0;
char uinspect = 0;
char dmatch = 0;
char dinspect = 0;
char appinspect = 0;
char appmatch = 0;
if (f == NULL || alstate == NULL || alproto == ALPROTO_UNKNOWN) {
return 0;
@ -400,8 +433,32 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
SCLogDebug("uri already inspected");
}
}
} else if (alproto == ALPROTO_DCERPC) {
if (s->dmatch != NULL) {
if (!(item->flags & DE_STATE_FLAG_DCE_MATCH)) {
SCLogDebug("inspecting dce payload");
dinspect = 1;
if (DetectEngineInspectDcePayload(de_ctx, det_ctx, s, f,
flags, alstate) == 1)
{
SCLogDebug("dce payload matched");
item->flags |= DE_STATE_FLAG_DCE_MATCH;
dmatch = 1;
} else {
SCLogDebug("dce payload inspected but no match");
}
} else {
SCLogDebug("dce payload already inspected");
}
}
}
appinspect = uinspect + dinspect;
appmatch = umatch + dmatch;
SCLogDebug("appinspect %d, appmatch %d", appinspect, appmatch);
/* next, check the other sig matches */
if (item->nm != NULL) {
SigMatch *sm;
@ -421,7 +478,7 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
/* mark the sig as matched */
item->nm = NULL;
if (!uinspect || (uinspect && umatch)) {
if (!appinspect || (appinspect == appmatch)) {
det_ctx->de_state_sig_array[item->sid] = DE_STATE_MATCH_NEW;
SCLogDebug("state set to %s", DeStateMatchResultToString(DE_STATE_MATCH_NEW));
} else {
@ -431,7 +488,7 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
}
}
} else {
if (uinspect && umatch) {
if (appinspect > 0 && (appinspect == appmatch)) {
det_ctx->de_state_sig_array[item->sid] = DE_STATE_MATCH_NEW;
SCLogDebug("state set to %s", DeStateMatchResultToString(DE_STATE_MATCH_NEW));
} else if (uinspect && !umatch) {
@ -524,39 +581,39 @@ static int DeStateTest02(void) {
memset(&s, 0x00, sizeof(s));
s.num = 0;
DeStateSignatureAppend(state, &s, NULL, 0);
DeStateSignatureAppend(state, &s, NULL, 0, 0);
s.num = 11;
DeStateSignatureAppend(state, &s, NULL, 0);
DeStateSignatureAppend(state, &s, NULL, 0, 0);
s.num = 22;
DeStateSignatureAppend(state, &s, NULL, 0);
DeStateSignatureAppend(state, &s, NULL, 0, 0);
s.num = 33;
DeStateSignatureAppend(state, &s, NULL, 0);
DeStateSignatureAppend(state, &s, NULL, 0, 0);
s.num = 44;
DeStateSignatureAppend(state, &s, NULL, 0);
DeStateSignatureAppend(state, &s, NULL, 0, 0);
s.num = 55;
DeStateSignatureAppend(state, &s, NULL, 0);
DeStateSignatureAppend(state, &s, NULL, 0, 0);
s.num = 66;
DeStateSignatureAppend(state, &s, NULL, 0);
DeStateSignatureAppend(state, &s, NULL, 0, 0);
s.num = 77;
DeStateSignatureAppend(state, &s, NULL, 0);
DeStateSignatureAppend(state, &s, NULL, 0, 0);
s.num = 88;
DeStateSignatureAppend(state, &s, NULL, 0);
DeStateSignatureAppend(state, &s, NULL, 0, 0);
s.num = 99;
DeStateSignatureAppend(state, &s, NULL, 0);
DeStateSignatureAppend(state, &s, NULL, 0, 0);
s.num = 100;
DeStateSignatureAppend(state, &s, NULL, 0);
DeStateSignatureAppend(state, &s, NULL, 0, 0);
s.num = 111;
DeStateSignatureAppend(state, &s, NULL, 0);
DeStateSignatureAppend(state, &s, NULL, 0, 0);
s.num = 122;
DeStateSignatureAppend(state, &s, NULL, 0);
DeStateSignatureAppend(state, &s, NULL, 0, 0);
s.num = 133;
DeStateSignatureAppend(state, &s, NULL, 0);
DeStateSignatureAppend(state, &s, NULL, 0, 0);
s.num = 144;
DeStateSignatureAppend(state, &s, NULL, 0);
DeStateSignatureAppend(state, &s, NULL, 0, 0);
s.num = 155;
DeStateSignatureAppend(state, &s, NULL, 0);
DeStateSignatureAppend(state, &s, NULL, 0, 0);
s.num = 166;
DeStateSignatureAppend(state, &s, NULL, 0);
DeStateSignatureAppend(state, &s, NULL, 0, 0);
if (state->head == NULL) {
goto end;
@ -599,9 +656,9 @@ static int DeStateTest03(void) {
memset(&s, 0x00, sizeof(s));
s.num = 11;
DeStateSignatureAppend(state, &s, NULL, 0);
DeStateSignatureAppend(state, &s, NULL, 0, 0);
s.num = 22;
DeStateSignatureAppend(state, &s, NULL, 1);
DeStateSignatureAppend(state, &s, NULL, 1, 0);
if (state->head == NULL) {
goto end;
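Review bot: The `} else if (uinspect && !umatch) {` branch at the end of the `@ -431,7 +488,7` hunk in DeStateDetectContinueDetection was not generalized along with the condition just above it, so a dce payload that was inspected and did not match (`dinspect == 1`, `dmatch == 0`) fails the new `appinspect == appmatch` test but also does not enter that branch; whatever that branch does for uri is skipped for dce. Change it to `} else if (appinspect > 0 && appinspect != appmatch) {` so uri and dce are handled alike, mirroring the rewrite of the two conditions above it. The body of that branch and the remainder of the function are outside the hunk, so I cannot tell what the fall-through path does for such a signature. The `appinspect = uinspect + dinspect` arithmetic relies on the `if / else if` on alproto making at most one of the two inspect flags non-zero per call; a one-line comment saying so, e.g. `/* at most one of uinspect/dinspect is set: alproto selects the branch */`, would keep a future protocol addition from silently breaking the `appinspect == appmatch` comparison.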

@ -46,6 +46,7 @@
#define DE_STATE_FLAG_PAYLOAD_MATCH 0x01 /**< payload part of the sig matched */
#define DE_STATE_FLAG_URI_MATCH 0x02 /**< uri part of the sig matched */
#define DE_STATE_FLAG_DCE_MATCH 0x04 /**< dce payload inspection part matched */
typedef enum {
DE_STATE_MATCH_FULL = 0, /**< sig already fully matched, no state */
@ -85,7 +86,7 @@ void DetectEngineStateReset(DetectEngineState *state);
DetectEngineState *DetectEngineStateAlloc(void);
void DetectEngineStateFree(DetectEngineState *);
void DeStateSignatureAppend(DetectEngineState *, Signature *, SigMatch *, char);
//void DeStateSignatureAppend(DetectEngineState *, Signature *, SigMatch *, char);
int DeStateFlowHasState(Flow *);
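Review bot: The declaration of DeStateSignatureAppend at `//void DeStateSignatureAppend(...)` is commented out rather than removed now that the definition is `static`; a dead prototype in a header invites someone to uncomment a four-argument declaration that no longer matches the five-argument definition. Delete the line outright, version control keeps the history. A short comment next to `DE_STATE_FLAG_DCE_MATCH` naming who sets it, e.g. `/**< dce payload inspection part matched; set by the stateful dce inspection in detect-engine-state.c */`, would help readers locate where the flag is produced.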

@ -467,7 +467,7 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
/* de_state check, filter out all signatures that already had a match before
* or just partially match */
if (de_state_start == FALSE) {
if (s->amatch != NULL || s->umatch != NULL) {
if (s->amatch != NULL || s->umatch != NULL || s->dmatch != NULL) {
if (det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NEW) {
continue;
}
@ -760,7 +760,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
SCLogDebug("inspecting signature id %"PRIu32"", s->id);
SCLogDebug("s->amatch %p, s->umatch %p", s->amatch, s->umatch);
if ((s->amatch != NULL || s->umatch != NULL) && p->flow != NULL) {
if ((s->amatch != NULL || s->umatch != NULL || s->dmatch != NULL) && p->flow != NULL) {
if (de_state_start == TRUE) {
SCLogDebug("stateful app layer match inspection starting");
if (DeStateDetectStartDetection(th_v, de_ctx, det_ctx, s,
@ -770,7 +770,9 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
SCLogDebug("signature %"PRIu32" (%"PRIuMAX"): %s",
s->id, (uintmax_t)s->num, DeStateMatchResultToString(det_ctx->de_state_sig_array[s->num]));
if (det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NEW) {
goto next;
if (s->pmatch == NULL && s->dmatch == NULL) {
goto next;
}
}
}
}
@ -818,12 +820,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
goto next;
}
}
/* Check the dce keywords here */
if (s->dmatch != NULL) {
if (DetectEngineInspectDcePayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1)
goto next;
}
/* if we get here but have no sigmatches to match against,
* we consider the sig matched. */
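Review bot: The new exemption `if (s->pmatch == NULL && s->dmatch == NULL) goto next;` in SigMatchSignatures means a signature with dce keywords is no longer skipped when its stateful result is anything other than DE_STATE_MATCH_NEW, and with the packet-level DetectEngineInspectDcePayload call removed further down in this section I cannot see what now stops a dce-only signature whose stateful inspection found no match from reaching the "no sigmatches to match against, we consider the sig matched" path at the end of the last hunk. If the intent is only that signatures with `pmatch` still need per-packet payload inspection, the condition should be `if (s->pmatch == NULL) goto next;`; if dce signatures are deliberately let through, a comment stating why belongs on that line. The rest of SigMatchSignatures, including whatever follows the final hunk, is outside this diff. Minor: the debug line `SCLogDebug("s->amatch %p, s->umatch %p", s->amatch, s->umatch);` just above the widened condition was not extended to print `s->dmatch`.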
