diff --git a/src/detect-engine-dcepayload.c b/src/detect-engine-dcepayload.c
index aca518145b..3121a4ed2b 100644
--- a/src/detect-engine-dcepayload.c
+++ b/src/detect-engine-dcepayload.c
@@ -64,21 +64,20 @@
 * For accounting the last match in relative matching,
 * det_ctx->payload_offset var is used.
 *
- * \param de_ctx Detection engine context.
- * \param det_ctx Detection engine thread context.
- * \param s Signature to inspect.
- * \param sm SigMatch to inspect.
- * \param p Packet.
- * \param payload Pointer to the dce stub to inspect.
- * \param payload_len Length of the payload
+ * \param de_ctx Detection engine context.
+ * \param det_ctx Detection engine thread context.
+ * \param s Signature to inspect.
+ * \param sm SigMatch to inspect.
+ * \param f Flow
+ * \param payload Pointer to the dce stub to inspect.
+ * \param payload_len Length of the payload
 *
 * \retval 0 No match.
 * \retval 1 Match.
 */
 static int DoInspectDcePayload(DetectEngineCtx *de_ctx,
- DetectEngineThreadCtx *det_ctx, Signature *s,
- SigMatch *sm, Packet *p, uint8_t *stub,
- uint32_t stub_len)
+ DetectEngineThreadCtx *det_ctx, Signature *s,
+ SigMatch *sm, Flow *f, uint8_t *stub, uint32_t stub_len)
 {
 SCEnter();
@@ -232,8 +231,8 @@ static int DoInspectDcePayload(DetectEngineCtx *de_ctx,
 /* see if the next payload keywords match. If not, we will
 * search for another occurence of this content and see
 * if the others match then until we run out of matches */
- int r = DoInspectDcePayload(de_ctx, det_ctx, s, sm->next, p,
- stub, stub_len);
+ int r = DoInspectDcePayload(de_ctx, det_ctx, s, sm->next,
+ f, stub, stub_len);
 if (r == 1) {
 SCReturnInt(1);
 }
@@ -278,7 +277,8 @@ static int DoInspectDcePayload(DetectEngineCtx *de_ctx,
 {
 SCLogDebug("inspecting pcre");
- int r = DetectPcrePayloadDoMatch(det_ctx, s, sm, p, stub, stub_len);
+ int r = DetectPcrePayloadMatch(det_ctx, s, sm, /* no packet */NULL,
+ f, stub, stub_len);
 if (r == 1) {
 goto match;
 }
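Review bot: The pcre branch now calls DetectPcrePayloadMatch with a NULL packet (`/* no packet */NULL`); if any capture path in that callee (packet- or flow-variable capture from a pcre match) dereferences the packet, a rule pairing dce_stub_data with such a pcre option would crash on attacker-supplied traffic, so confirm the callee guards the NULL packet or document the restriction at the call site: `/* no packet context here: pcre options that need the packet are not supported on the dce stub */`. Separately, the rewritten doxygen block still documents `payload`/`payload_len` while the parameters are named `stub`/`stub_len`; change them to `\param stub Pointer to the dce stub to inspect.` and `\param stub_len Length of the stub`. DoInspectDcePayload's body continues outside the hunk.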
@@ -317,8 +317,7 @@ match:
 /* this sigmatch matched, inspect the next one. If it was the last,
 * the payload portion of the signature matched. */
 if (sm->next != NULL) {
- int r = DoInspectDcePayload(de_ctx, det_ctx, s, sm->next, p, stub,
- stub_len);
+ int r = DoInspectDcePayload(de_ctx, det_ctx, s, sm->next, f, stub, stub_len);
 SCReturnInt(r);
 } else {
 SCReturnInt(1);
@@ -335,14 +334,13 @@ match:
 * \param f Flow.
 * \param flags App layer flags.
 * \param state App layer state.
- * \param p Packet.
 *
 * \retval 0 No match.
 * \retval 1 Match.
 */
 int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
 DetectEngineThreadCtx *det_ctx, Signature *s,
- Flow *f, uint8_t flags, void *alstate, Packet *p)
+ Flow *f, uint8_t flags, void *alstate)
 {
 SCEnter();
 DCERPCState *dcerpc_state = (DCERPCState *)alstate;
@@ -374,7 +372,7 @@ int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
 det_ctx->payload_offset = 0;
- r = DoInspectDcePayload(de_ctx, det_ctx, s, s->dmatch, p,
+ r = DoInspectDcePayload(de_ctx, det_ctx, s, s->dmatch, f,
 dce_stub_data, dce_stub_data_len);
 if (r == 1) {
 SCReturnInt(1);
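Review bot: The doxygen block rewritten in the second hunk still names the state argument `state` while the parameter is `alstate`; change it to `\param alstate App layer state.` so the documentation matches the signature being changed. The function casts `alstate` straight to `DCERPCState *`; the callers added elsewhere in this diff check `alstate == NULL` first, but the body continues outside the hunk, so confirm the NULL check happens before `dcerpc_state` is dereferenced rather than relying on every caller. DetectEngineInspectDcePayload continues past the last hunk.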
@@ -1619,35 +1617,35 @@ int DcePayloadTest01(void) /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[0]); if ((PacketAlertCheck(&p[0], 1))) { - printf("sid 1 didn't match but should have: "); + printf("sid 1 didn't match but should have (0): "); goto end; } if ((PacketAlertCheck(&p[0], 2))) { - printf("sid 1 didn't match but should have: "); + printf("sid 2 didn't match but should have (0): "); goto end; } if ((PacketAlertCheck(&p[0], 3))) { - printf("sid 1 didn't match but should have: "); + printf("sid 3 didn't match but should have: "); goto end; } if ((PacketAlertCheck(&p[0], 4))) { - printf("sid 1 didn't match but should have: "); + printf("sid 4 didn't match but should have: "); goto end; } if ((PacketAlertCheck(&p[0], 5))) { - printf("sid 1 didn't match but should have: "); + printf("sid 5 didn't match but should have: "); goto end; } if ((PacketAlertCheck(&p[0], 6))) { - printf("sid 1 didn't match but should have: "); + printf("sid 6 didn't match but should have: "); goto end; } if ((PacketAlertCheck(&p[0], 7))) { - printf("sid 1 didn't match but should have: "); + printf("sid 7 didn't match but should have: "); goto end; } if ((PacketAlertCheck(&p[0], 8))) { - printf("sid 1 didn't match but should have: "); + printf("sid 8 didn't match but should have: "); goto end; } 
@@ -1660,35 +1658,35 @@ int DcePayloadTest01(void) /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[1]); if ((PacketAlertCheck(&p[1], 1))) { - printf("sid 1 didn't match but should have: "); + printf("sid 1 didn't match but should have (1): "); goto end; } if ((PacketAlertCheck(&p[1], 2))) { - printf("sid 1 didn't match but should have: "); + printf("sid 2 didn't match but should have (1): "); goto end; } if ((PacketAlertCheck(&p[1], 3))) { - printf("sid 1 didn't match but should have: "); + printf("sid 3 didn't match but should have: "); goto end; } if ((PacketAlertCheck(&p[1], 4))) { - printf("sid 1 didn't match but should have: "); + printf("sid 4 didn't match but should have: "); goto end; } if ((PacketAlertCheck(&p[1], 5))) { - printf("sid 1 didn't match but should have: "); + printf("sid 5 didn't match but should have: "); goto end; } if ((PacketAlertCheck(&p[1], 6))) { - printf("sid 1 didn't match but should have: "); + printf("sid 6 didn't match but should have: "); goto end; } if ((PacketAlertCheck(&p[1], 7))) { - printf("sid 1 didn't match but should have: "); + printf("sid 7 didn't match but should have: "); goto end; } if ((PacketAlertCheck(&p[1], 8))) { - printf("sid 1 didn't match but should have: "); + printf("sid 8 didn't match but should have: "); goto end; } 
@@ -1701,38 +1699,39 @@ int DcePayloadTest01(void) /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[2]); if ((PacketAlertCheck(&p[2], 1))) { - printf("sid 1 didn't match but should have: "); + printf("sid 1 didn't match but should have (2): "); goto end; } if ((PacketAlertCheck(&p[2], 2))) { - printf("sid 1 didn't match but should have: "); + printf("sid 2 didn't match but should have (2): "); goto end; } if ((PacketAlertCheck(&p[2], 3))) { - printf("sid 1 didn't match but should have: "); + printf("sid 3 didn't match but should have: "); goto end; } if ((PacketAlertCheck(&p[2], 4))) { - printf("sid 1 didn't match but should have: "); + printf("sid 4 didn't match but should have: "); goto end; } if ((PacketAlertCheck(&p[2], 5))) { - printf("sid 1 didn't match but should have: "); + printf("sid 5 didn't match but should have: "); goto end; } if ((PacketAlertCheck(&p[2], 6))) { - printf("sid 1 didn't match but should have: "); + printf("sid 6 didn't match but should have: "); goto end; } if ((PacketAlertCheck(&p[2], 7))) { - printf("sid 1 didn't match but should have: "); + printf("sid 7 didn't match but should have: "); goto end; } if ((PacketAlertCheck(&p[2], 8))) { - printf("sid 1 didn't match but should have: "); + printf("sid 8 didn't match but should have: "); goto end; } + SCLogDebug("sending request 2"); r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request2, request2_len); if (r != 0) { printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 
@@ -1742,38 +1741,39 @@ int DcePayloadTest01(void) /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[3]); if (!(PacketAlertCheck(&p[3], 1))) { - printf("sid 1 didn't match but should have: "); + printf("sid 1 didn't match but should have (3): "); goto end; } - if ((PacketAlertCheck(&p[3], 2))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[3], 2))) { + printf("sid 2 didn't match but should have (3): "); goto end; } - if ((PacketAlertCheck(&p[3], 3))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[3], 3))) { + printf("sid 3 didn't match but should have: "); goto end; } - if ((PacketAlertCheck(&p[3], 4))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[3], 4))) { + printf("sid 4 didn't match but should have: "); goto end; } - if ((PacketAlertCheck(&p[3], 5))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[3], 5))) { + printf("sid 5 didn't match but should have: "); goto end; } - if ((PacketAlertCheck(&p[3], 6))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[3], 6))) { + printf("sid 6 didn't match but should have: "); goto end; } - if ((PacketAlertCheck(&p[3], 7))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[3], 7))) { + printf("sid 7 didn't match but should have: "); goto end; } - if ((PacketAlertCheck(&p[3], 8))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[3], 8))) { + printf("sid 8 didn't match but should have: "); goto end; } + SCLogDebug("sending request 3"); r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request3, request3_len); if (r != 0) { printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 
@@ -1781,40 +1781,42 @@ int DcePayloadTest01(void) goto end; } /* detection phase */ + SCLogDebug("inspecting packet 4"); SigMatchSignatures(&tv, de_ctx, det_ctx, &p[4]); if ((PacketAlertCheck(&p[4], 1))) { - printf("sid 1 didn't match but should have: "); + printf("sid 1 didn't match but should have (4): "); goto end; } if (!(PacketAlertCheck(&p[4], 2))) { - printf("sid 1 didn't match but should have: "); + printf("sid 2 didn't match but should have (4): "); goto end; } - if ((PacketAlertCheck(&p[4], 3))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[4], 3))) { + printf("sid 3 didn't match but should have (4): "); goto end; } - if ((PacketAlertCheck(&p[4], 4))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[4], 4))) { + printf("sid 4 didn't match but should have (4): "); goto end; } - if ((PacketAlertCheck(&p[4], 5))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[4], 5))) { + printf("sid 5 didn't match but should have (4): "); goto end; } - if ((PacketAlertCheck(&p[4], 6))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[4], 6))) { + printf("sid 6 didn't match but should have (4): "); goto end; } - if ((PacketAlertCheck(&p[4], 7))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[4], 7))) { + printf("sid 7 didn't match but should have (4): "); goto end; } - if ((PacketAlertCheck(&p[4], 8))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[4], 8))) { + printf("sid 8 didn't match but should have (4): "); goto end; } + SCLogDebug("sending request 4"); r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request4, request4_len); if (r != 0) { printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); 
@@ -1824,35 +1826,35 @@ int DcePayloadTest01(void) /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[5]); if ((PacketAlertCheck(&p[5], 1))) { - printf("sid 1 didn't match but should have: "); + printf("sid 1 didn't match but should have (5): "); goto end; } if ((PacketAlertCheck(&p[5], 2))) { - printf("sid 1 didn't match but should have: "); + printf("sid 2 didn't match but should have (5): "); goto end; } if (!(PacketAlertCheck(&p[5], 3))) { - printf("sid 1 didn't match but should have: "); + printf("sid 3 didn't match but should have (5): "); goto end; } - if ((PacketAlertCheck(&p[5], 4))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[5], 4))) { + printf("sid 4 didn't match but should have (5): "); goto end; } - if ((PacketAlertCheck(&p[5], 5))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[5], 5))) { + printf("sid 5 didn't match but should have (5): "); goto end; } - if ((PacketAlertCheck(&p[5], 6))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[5], 6))) { + printf("sid 6 didn't match but should have (5): "); goto end; } - if ((PacketAlertCheck(&p[5], 7))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[5], 7))) { + printf("sid 7 didn't match but should have (5): "); goto end; } - if ((PacketAlertCheck(&p[5], 8))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[5], 8))) { + printf("sid 8 didn't match but should have (5): "); goto end; } 
@@ -1865,35 +1867,35 @@ int DcePayloadTest01(void) /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[6]); if ((PacketAlertCheck(&p[6], 1))) { - printf("sid 1 didn't match but should have: "); + printf("sid 1 didn't match but should have (6): "); goto end; } if ((PacketAlertCheck(&p[6], 2))) { - printf("sid 1 didn't match but should have: "); + printf("sid 2 didn't match but should have (6): "); goto end; } if ((PacketAlertCheck(&p[6], 3))) { - printf("sid 1 didn't match but should have: "); + printf("sid 3 didn't match but should have (6): "); goto end; } if (!(PacketAlertCheck(&p[6], 4))) { - printf("sid 1 didn't match but should have: "); + printf("sid 4 didn't match but should have (6): "); goto end; } - if ((PacketAlertCheck(&p[6], 5))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[6], 5))) { + printf("sid 5 didn't match but should have (6): "); goto end; } - if ((PacketAlertCheck(&p[6], 6))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[6], 6))) { + printf("sid 6 didn't match but should have (6): "); goto end; } - if ((PacketAlertCheck(&p[6], 7))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[6], 7))) { + printf("sid 7 didn't match but should have (6): "); goto end; } - if ((PacketAlertCheck(&p[6], 8))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[6], 8))) { + printf("sid 8 didn't match but should have (6): "); goto end; } 
@@ -1906,35 +1908,35 @@ int DcePayloadTest01(void) /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[7]); if ((PacketAlertCheck(&p[7], 1))) { - printf("sid 1 didn't match but should have: "); + printf("sid 1 didn't match but should have (7): "); goto end; } if ((PacketAlertCheck(&p[7], 2))) { - printf("sid 1 didn't match but should have: "); + printf("sid 2 didn't match but should have (7): "); goto end; } if ((PacketAlertCheck(&p[7], 3))) { - printf("sid 1 didn't match but should have: "); + printf("sid 3 didn't match but should have (7): "); goto end; } if ((PacketAlertCheck(&p[7], 4))) { - printf("sid 1 didn't match but should have: "); + printf("sid 4 didn't match but should have (7): "); goto end; } if (!(PacketAlertCheck(&p[7], 5))) { - printf("sid 1 didn't match but should have: "); + printf("sid 5 didn't match but should have (7): "); goto end; } - if ((PacketAlertCheck(&p[7], 6))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[7], 6))) { + printf("sid 6 didn't match but should have (7): "); goto end; } - if ((PacketAlertCheck(&p[7], 7))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[7], 7))) { + printf("sid 7 didn't match but should have (7): "); goto end; } - if ((PacketAlertCheck(&p[7], 8))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[7], 8))) { + printf("sid 8 didn't match but should have (7): "); goto end; } 
@@ -1947,35 +1949,35 @@ int DcePayloadTest01(void) /* detection phase */ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[8]); if ((PacketAlertCheck(&p[8], 1))) { - printf("sid 1 didn't match but should have: "); + printf("sid 1 didn't match but should have (8): "); goto end; } if ((PacketAlertCheck(&p[8], 2))) { - printf("sid 1 didn't match but should have: "); + printf("sid 2 didn't match but should have (8): "); goto end; } if ((PacketAlertCheck(&p[8], 3))) { - printf("sid 1 didn't match but should have: "); + printf("sid 3 didn't match but should have (8): "); goto end; } if ((PacketAlertCheck(&p[8], 4))) { - printf("sid 1 didn't match but should have: "); + printf("sid 4 didn't match but should have (8): "); goto end; } if ((PacketAlertCheck(&p[8], 5))) { - printf("sid 1 didn't match but should have: "); + printf("sid 5 didn't match but should have (8): "); goto end; } if (!(PacketAlertCheck(&p[8], 6))) { - printf("sid 1 didn't match but should have: "); + printf("sid 6 didn't match but should have (8): "); goto end; } - if ((PacketAlertCheck(&p[8], 7))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[8], 7))) { + printf("sid 7 didn't match but should have (8): "); goto end; } - if ((PacketAlertCheck(&p[8], 8))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[8], 8))) { + printf("sid 8 didn't match but should have (8): "); goto end; } 
@@ -1992,31 +1994,31 @@ int DcePayloadTest01(void) goto end; } if ((PacketAlertCheck(&p[9], 2))) { - printf("sid 1 didn't match but should have: "); + printf("sid 2 didn't match but should have: "); goto end; } if ((PacketAlertCheck(&p[9], 3))) { - printf("sid 1 didn't match but should have: "); + printf("sid 3 didn't match but should have: "); goto end; } if ((PacketAlertCheck(&p[9], 4))) { - printf("sid 1 didn't match but should have: "); + printf("sid 4 didn't match but should have: "); goto end; } if ((PacketAlertCheck(&p[9], 5))) { - printf("sid 1 didn't match but should have: "); + printf("sid 5 didn't match but should have: "); goto end; } if ((PacketAlertCheck(&p[9], 6))) { - printf("sid 1 didn't match but should have: "); + printf("sid 6 didn't match but should have: "); goto end; } if (!(PacketAlertCheck(&p[9], 7))) { - printf("sid 1 didn't match but should have: "); + printf("sid 7 didn't match but should have: "); goto end; } - if ((PacketAlertCheck(&p[9], 8))) { - printf("sid 1 didn't match but should have: "); + if (!(PacketAlertCheck(&p[9], 8))) { + printf("sid 8 didn't match but should have: "); goto end; } 
@@ -2033,31 +2035,31 @@ int DcePayloadTest01(void)
 goto end;
 }
 if ((PacketAlertCheck(&p[10], 2))) {
- printf("sid 1 didn't match but should have: ");
+ printf("sid 2 didn't match but should have: ");
 goto end;
 }
 if ((PacketAlertCheck(&p[10], 3))) {
- printf("sid 1 didn't match but should have: ");
+ printf("sid 3 didn't match but should have: ");
 goto end;
 }
 if ((PacketAlertCheck(&p[10], 4))) {
- printf("sid 1 didn't match but should have: ");
+ printf("sid 4 didn't match but should have: ");
 goto end;
 }
 if ((PacketAlertCheck(&p[10], 5))) {
- printf("sid 1 didn't match but should have: ");
+ printf("sid 5 didn't match but should have: ");
 goto end;
 }
 if ((PacketAlertCheck(&p[10], 6))) {
- printf("sid 1 didn't match but should have: ");
+ printf("sid 6 didn't match but should have: ");
 goto end;
 }
 if ((PacketAlertCheck(&p[10], 7))) {
- printf("sid 1 didn't match but should have: ");
+ printf("sid 7 didn't match but should have: ");
 goto end;
 }
 if (!(PacketAlertCheck(&p[10], 8))) {
- printf("sid 1 didn't match but should have: ");
+ printf("sid 8 didn't match but should have: ");
 goto end;
 }
@@ -2472,7 +2474,7 @@ int DcePayloadTest02(void)
 }
 /* detection phase */
 SigMatchSignatures(&tv, de_ctx, det_ctx, &p[2]);
- if ((PacketAlertCheck(&p[2], 1))) {
+ if (!(PacketAlertCheck(&p[2], 1))) {
 printf("sid 1 didn't match but should have: ");
 goto end;
 }
diff --git a/src/detect-engine-dcepayload.h b/src/detect-engine-dcepayload.h
index 0723bb4da5..ccc4794ba3 100644
--- a/src/detect-engine-dcepayload.h
+++ b/src/detect-engine-dcepayload.h
@@ -25,7 +25,8 @@
 #define __DETECT_ENGINE_DCEPAYLOAD_H__
 int DetectEngineInspectDcePayload(DetectEngineCtx *, DetectEngineThreadCtx *,
- Signature *, Flow *, uint8_t, void *, Packet *);
+ Signature *, Flow *, uint8_t, void *);
+
 void DcePayloadRegisterTests(void);
 #endif /* __DETECT_ENGINE_DCEPAYLOAD_H__ */
diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c
index 19d885542b..c706e67c3f 100644
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@@ -29,7 +29,9 @@
 #include "detect-engine.h"
 #include "detect-parse.h"
 #include "detect-engine-state.h"
+
 #include "detect-engine-uri.h"
+#include "detect-engine-dcepayload.h"
 #include "stream-tcp.h"
 #include "stream-tcp-private.h"
@@ -175,8 +177,9 @@ int DeStateUpdateInspectTransactionId(Flow *f) {
 * \param s signature
 * \param sm sigmatch
 * \param uri did uri already match (if any)
+ * \param dce did dce already match (if any)
 */
-void DeStateSignatureAppend(DetectEngineState *state, Signature *s, SigMatch *sm, char uri) {
+static void DeStateSignatureAppend(DetectEngineState *state, Signature *s, SigMatch *sm, char uri, char dce) {
 DeStateStore *store = state->tail;
 if (store == NULL) {
@@ -207,6 +210,9 @@ void DeStateSignatureAppend(DetectEngineState *state, Signature *s, SigMatch *sm
 if (uri) {
 store->store[idx].flags |= DE_STATE_FLAG_URI_MATCH;
 }
+ if (dce) {
+ store->store[idx].flags |= DE_STATE_FLAG_DCE_MATCH;
+ }
 store->store[idx].nm = sm;
 state->cnt++;
@@ -264,6 +270,10 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
 int r = 0;
 char umatch = 0;
 char uinspect = 0;
+ char dmatch = 0;
+ char dinspect = 0;
+ char appinspect = 0;
+ char appmatch = 0;
 if (alstate == NULL) {
 SCReturnInt(0);
@@ -287,8 +297,26 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
 SCLogDebug("uri inspected but no match");
 }
 }
+ } else if (alproto == ALPROTO_DCERPC) {
+ if (s->dmatch != NULL) {
+ dinspect = 1;
+
+ SCLogDebug("inspecting dce payload");
+
+ if (DetectEngineInspectDcePayload(de_ctx, det_ctx, s, f,
+ flags, alstate) == 1)
+ {
+ SCLogDebug("dce payload matched");
+ dmatch = 1;
+ } else {
+ SCLogDebug("dce payload inspected but no match");
+ }
+ }
 }
+ appinspect = uinspect + dinspect;
+ appmatch = umatch + dmatch;
+
 if (s->amatch != NULL) {
 for ( ; sm != NULL; sm = sm->next) {
 SCLogDebug("sm %p, sm->next %p", sm, sm->next);
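Review bot: The new `appinspect = uinspect + dinspect;` / `appmatch = umatch + dmatch;` summation in the last hunk only works because exactly one app-layer branch (HTTP or DCERPC) runs per alproto, so each side is 0 or 1 and "everything inspected matched" reduces to `appinspect == appmatch`; that invariant is not stated and the next protocol branch could silently break it. Add a comment above the two assignments: `/* one app-layer branch runs per alproto, so these are 0/1; a full app-layer match is appinspect == appmatch */`. The `\param dce` line on DeStateSignatureAppend describes it as "did dce already match", which matches the flag it sets. DeStateDetectStartDetection continues outside the hunk.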
@@ -303,7 +331,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
 } else if (sm->next == NULL) {
 sm = NULL; /* set to NULL as we have a match */
- if (!uinspect || (uinspect && umatch)) {
+ if (!appinspect || (appinspect == appmatch)) {
 r = 1;
 }
 break;
@@ -311,12 +339,13 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
 }
 }
 } else {
- if (uinspect && umatch) {
+ if (appinspect > 0 && (appinspect == appmatch)) {
 r = 1;
 }
 }
- SCLogDebug("detection done, store results");
+ SCLogDebug("detection done, store results: sm %p, uri %d, dce %d",
+ sm, umatch, dmatch);
 SCMutexLock(&f->m);
 /* match or no match, we store the state anyway
@@ -329,7 +358,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
 if (f->de_state != NULL) {
 SCMutexLock(&f->de_state->m);
- DeStateSignatureAppend(f->de_state, s, sm, umatch);
+ DeStateSignatureAppend(f->de_state, s, sm, umatch, dmatch);
 SCMutexUnlock(&f->de_state->m);
 }
@@ -349,6 +378,10 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
 DeStateStore *store = NULL;
 char umatch = 0;
 char uinspect = 0;
+ char dmatch = 0;
+ char dinspect = 0;
+ char appinspect = 0;
+ char appmatch = 0;
 if (f == NULL || alstate == NULL || alproto == ALPROTO_UNKNOWN) {
 return 0;
@@ -400,8 +433,32 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
 SCLogDebug("uri already inspected");
 }
 }
+ } else if (alproto == ALPROTO_DCERPC) {
+ if (s->dmatch != NULL) {
+ if (!(item->flags & DE_STATE_FLAG_DCE_MATCH)) {
+ SCLogDebug("inspecting dce payload");
+ dinspect = 1;
+
+ if (DetectEngineInspectDcePayload(de_ctx, det_ctx, s, f,
+ flags, alstate) == 1)
+ {
+ SCLogDebug("dce payload matched");
+ item->flags |= DE_STATE_FLAG_DCE_MATCH;
+ dmatch = 1;
+ } else {
+ SCLogDebug("dce payload inspected but no match");
+ }
+ } else {
+ SCLogDebug("dce payload already inspected");
+ }
+ }
+ }
+ appinspect = uinspect + dinspect;
+ appmatch = umatch + dmatch;
+ SCLogDebug("appinspect %d, appmatch %d", appinspect, appmatch);
+
 /* next, check the other sig matches */
 if (item->nm != NULL) {
 SigMatch *sm;
@@ -421,7 +478,7 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
 /* mark the sig as matched */
 item->nm = NULL;
- if (!uinspect || (uinspect && umatch)) {
+ if (!appinspect || (appinspect == appmatch)) {
 det_ctx->de_state_sig_array[item->sid] = DE_STATE_MATCH_NEW;
 SCLogDebug("state set to %s", DeStateMatchResultToString(DE_STATE_MATCH_NEW));
 } else {
@@ -431,7 +488,7 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
 }
 } else {
- if (uinspect && umatch) {
+ if (appinspect > 0 && (appinspect == appmatch)) {
 det_ctx->de_state_sig_array[item->sid] = DE_STATE_MATCH_NEW;
 SCLogDebug("state set to %s", DeStateMatchResultToString(DE_STATE_MATCH_NEW));
 } else if (uinspect && !umatch) {
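Review bot: The trailing `} else if (uinspect && !umatch) {` at the end of the last hunk was not generalized with the rest of the condition chain, so a dce signature whose stub was inspected and did not match (`dinspect && !dmatch`) skips whatever that branch records and the sig's state is left untouched, unlike the equivalent URI case. Make it `} else if (appinspect > 0 && appinspect != appmatch) {` so DCE no-match gets the same handling. The body of that branch is outside the hunk, so confirm the state it sets is the one wanted for DCE as well. DeStateDetectContinueDetection continues outside the hunk.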
@@ -524,39 +581,39 @@ static int DeStateTest02(void) { memset(&s, 0x00, sizeof(s)); s.num = 0; - DeStateSignatureAppend(state, &s, NULL, 0); + DeStateSignatureAppend(state, &s, NULL, 0, 0); s.num = 11; - DeStateSignatureAppend(state, &s, NULL, 0); + DeStateSignatureAppend(state, &s, NULL, 0, 0); s.num = 22; - DeStateSignatureAppend(state, &s, NULL, 0); + DeStateSignatureAppend(state, &s, NULL, 0, 0); s.num = 33; - DeStateSignatureAppend(state, &s, NULL, 0); + DeStateSignatureAppend(state, &s, NULL, 0, 0); s.num = 44; - DeStateSignatureAppend(state, &s, NULL, 0); + DeStateSignatureAppend(state, &s, NULL, 0, 0); s.num = 55; - DeStateSignatureAppend(state, &s, NULL, 0); + DeStateSignatureAppend(state, &s, NULL, 0, 0); s.num = 66; - DeStateSignatureAppend(state, &s, NULL, 0); + DeStateSignatureAppend(state, &s, NULL, 0, 0); s.num = 77; - DeStateSignatureAppend(state, &s, NULL, 0); + DeStateSignatureAppend(state, &s, NULL, 0, 0); s.num = 88; - DeStateSignatureAppend(state, &s, NULL, 0); + DeStateSignatureAppend(state, &s, NULL, 0, 0); s.num = 99; - DeStateSignatureAppend(state, &s, NULL, 0); + DeStateSignatureAppend(state, &s, NULL, 0, 0); s.num = 100; - DeStateSignatureAppend(state, &s, NULL, 0); + DeStateSignatureAppend(state, &s, NULL, 0, 0); s.num = 111; - DeStateSignatureAppend(state, &s, NULL, 0); + DeStateSignatureAppend(state, &s, NULL, 0, 0); s.num = 122; - DeStateSignatureAppend(state, &s, NULL, 0); + DeStateSignatureAppend(state, &s, NULL, 0, 0); s.num = 133; - DeStateSignatureAppend(state, &s, NULL, 0); + DeStateSignatureAppend(state, &s, NULL, 0, 0); s.num = 144; - DeStateSignatureAppend(state, &s, NULL, 0); + DeStateSignatureAppend(state, &s, NULL, 0, 0); s.num = 155; - DeStateSignatureAppend(state, &s, NULL, 0); + DeStateSignatureAppend(state, &s, NULL, 0, 0); s.num = 166; - DeStateSignatureAppend(state, &s, NULL, 0); + DeStateSignatureAppend(state, &s, NULL, 0, 0); if (state->head == NULL) { goto end; 
@@ -599,9 +656,9 @@ static int DeStateTest03(void) {
 memset(&s, 0x00, sizeof(s));
 s.num = 11;
- DeStateSignatureAppend(state, &s, NULL, 0);
+ DeStateSignatureAppend(state, &s, NULL, 0, 0);
 s.num = 22;
- DeStateSignatureAppend(state, &s, NULL, 1);
+ DeStateSignatureAppend(state, &s, NULL, 1, 0);
 if (state->head == NULL) {
 goto end;
diff --git a/src/detect-engine-state.h b/src/detect-engine-state.h
index ccc649b5d9..01e2680089 100644
--- a/src/detect-engine-state.h
+++ b/src/detect-engine-state.h
@@ -46,6 +46,7 @@
 #define DE_STATE_FLAG_PAYLOAD_MATCH 0x01 /**< payload part of the sig matched */
 #define DE_STATE_FLAG_URI_MATCH 0x02 /**< uri part of the sig matched */
+#define DE_STATE_FLAG_DCE_MATCH 0x04 /**< dce payload inspection part matched */
 typedef enum {
 DE_STATE_MATCH_FULL = 0, /**< sig already fully matched, no state */
@@ -85,7 +86,7 @@ void DetectEngineStateReset(DetectEngineState *state);
 DetectEngineState *DetectEngineStateAlloc(void);
 void DetectEngineStateFree(DetectEngineState *);
-void DeStateSignatureAppend(DetectEngineState *, Signature *, SigMatch *, char);
+//void DeStateSignatureAppend(DetectEngineState *, Signature *, SigMatch *, char);
 int DeStateFlowHasState(Flow *);
diff --git a/src/detect.c b/src/detect.c
index 0f5ea90a28..1611e89615 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -467,7 +467,7 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
 /* de_state check, filter out all signatures that already had a match before
 * or just partially match */
 if (de_state_start == FALSE) {
- if (s->amatch != NULL || s->umatch != NULL) {
+ if (s->amatch != NULL || s->umatch != NULL || s->dmatch != NULL) {
 if (det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NEW) {
 continue;
 }
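Review bot: The detect-engine-state.h hunk keeps the old prototype as commented-out code, `//void DeStateSignatureAppend(DetectEngineState *, Signature *, SigMatch *, char);`, after the definition was made `static` with a new signature in detect-engine-state.c; delete the line outright, since the declaration no longer matches the function and a stale commented-out prototype only invites someone to re-enable it. The new `DE_STATE_FLAG_DCE_MATCH 0x04` sits next to 0x01/0x02 in the same `flags` field; the field's width is not visible here, so confirm it has room for the third bit.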
@@ -760,7 +760,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 SCLogDebug("inspecting signature id %"PRIu32"", s->id);
 SCLogDebug("s->amatch %p, s->umatch %p", s->amatch, s->umatch);
- if ((s->amatch != NULL || s->umatch != NULL) && p->flow != NULL) {
+ if ((s->amatch != NULL || s->umatch != NULL || s->dmatch != NULL) && p->flow != NULL) {
 if (de_state_start == TRUE) {
 SCLogDebug("stateful app layer match inspection starting");
 if (DeStateDetectStartDetection(th_v, de_ctx, det_ctx, s,
@@ -770,7 +770,9 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 SCLogDebug("signature %"PRIu32" (%"PRIuMAX"): %s", s->id, (uintmax_t)s->num, DeStateMatchResultToString(det_ctx->de_state_sig_array[s->num]));
 if (det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NEW) {
- goto next;
+ if (s->pmatch == NULL && s->dmatch == NULL) {
+ goto next;
+ }
 }
 }
 }
@@ -818,12 +820,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 goto next;
 }
 }
- /* Check the dce keywords here */
- if (s->dmatch != NULL) {
- if (DetectEngineInspectDcePayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1)
- goto next;
- }
-
 /* if we get here but have no sigmatches to match against,
 * we consider the sig matched. */
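Review bot: The relaxed early-out `if (s->pmatch == NULL && s->dmatch == NULL) { goto next; }` in the second hunk lets a signature whose stateful inspection did not end in DE_STATE_MATCH_NEW — including a dce_stub_data rule whose stub did not match — continue into the per-packet path, while the last hunk deletes the per-packet dce check that used to stop exactly that case; unless code outside the hunk re-checks `de_state_sig_array[s->num]` before the sig is treated as matched, a dce-only rule with no pmatch can reach the "if we get here but have no sigmatches to match against, we consider the sig matched" path and alert on non-matching traffic. If the fall-through is intentional so that pmatch can still be evaluated, the reason and the later re-application of the de_state result should be stated where the condition is: `/* dce sigs are inspected only in the de_state path; keep them alive here so pmatch is still checked, the stored de_state result is applied below */`. SigMatchSignatures continues outside the hunk.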