raw urilen inspection moves to raw uri list. Won't make any difference wrt inspection

14 years ago · 9287cce674
parent 0677190960
commit 9287cce674
3 changed files with 48 additions and 15 deletions
--- a/src/detect-engine-hrud.c
+++ b/src/detect-engine-hrud.c
@ -39,6 +39,7 @@
 #include "detect-engine-mpm.h"
 #include "detect-parse.h"
 #include "detect-engine-state.h"
+#include "detect-urilen.h"
 #include "detect-pcre.h"
 #include "detect-isdataat.h"
 #include "detect-bytetest.h"
@ -314,6 +315,38 @@ static int DoInspectHttpRawUri(DetectEngineCtx *de_ctx,
                SCReturnInt(0);
            }
        }
+    } else if (sm->type == DETECT_AL_URILEN) {
+        SCLogDebug("inspecting uri len");
+
+        int r = 0;
+        DetectUrilenData *urilend = (DetectUrilenData *) sm->ctx;
+
+        switch (urilend->mode) {
+            case DETECT_URILEN_EQ:
+                if (payload_len == urilend->urilen1)
+                    r = 1;
+                break;
+            case DETECT_URILEN_LT:
+                if (payload_len < urilend->urilen1)
+                    r = 1;
+                break;
+            case DETECT_URILEN_GT:
+                if (payload_len > urilend->urilen1)
+                    r = 1;
+                break;
+            case DETECT_URILEN_RA:
+                if (payload_len > urilend->urilen1 &&
+                    payload_len < urilend->urilen2) {
+                    r = 1;
+                }
+                break;
+        }
+
+        if (r == 1) {
+            goto match;
+        }
+
+        SCReturnInt(0);
    } else {
        /* we should never get here, but bail out just in case */
        SCLogDebug("sm->type %u", sm->type);
--- a/src/detect-engine-uri.c
+++ b/src/detect-engine-uri.c
@ -78,8 +78,7 @@
 static int DoInspectPacketUri(DetectEngineCtx *de_ctx,
                              DetectEngineThreadCtx *det_ctx,
                              Signature *s, SigMatch *sm,
-                              uint8_t *payload, uint32_t payload_len,
-                              htp_tx_t *tx)
+                              uint8_t *payload, uint32_t payload_len)
 {
    SCEnter();

@ -273,7 +272,7 @@ static int DoInspectPacketUri(DetectEngineCtx *de_ctx,
                /* see if the next payload keywords match. If not, we will
                 * search for another occurence of this uricontent and see
                 * if the others match then until we run out of matches */
-                int r = DoInspectPacketUri(de_ctx,det_ctx,s,sm->next, payload, payload_len, tx);
+                int r = DoInspectPacketUri(de_ctx,det_ctx,s,sm->next, payload, payload_len);
                if (r == 1) {
                    SCReturnInt(1);
                }
@ -315,7 +314,7 @@ static int DoInspectPacketUri(DetectEngineCtx *de_ctx,
             * search for another occurence of this pcre and see
             * if the others match, until we run out of matches */
            r = DoInspectPacketUri(de_ctx, det_ctx, s, sm->next,
-                                   payload, payload_len, tx);
+                                   payload, payload_len);
            if (r == 1) {
                SCReturnInt(1);
            }
@ -360,27 +359,25 @@ static int DoInspectPacketUri(DetectEngineCtx *de_ctx,

        int r = 0;
        DetectUrilenData *urilend = (DetectUrilenData *) sm->ctx;
-        uint32_t p_len = payload_len;
-        if (urilend->raw_buffer)
-            p_len = bstr_len(tx->request_uri);

        switch (urilend->mode) {
            case DETECT_URILEN_EQ:
-                if (p_len == urilend->urilen1)
+                if (payload_len == urilend->urilen1)
                    r = 1;
                break;
            case DETECT_URILEN_LT:
-                if (p_len < urilend->urilen1)
+                if (payload_len < urilend->urilen1)
                    r = 1;
                break;
            case DETECT_URILEN_GT:
-                if (p_len > urilend->urilen1)
+                if (payload_len > urilend->urilen1)
                    r = 1;
                break;
            case DETECT_URILEN_RA:
-                if (p_len > urilend->urilen1 &&
-                        p_len < urilend->urilen2)
+                if (payload_len > urilend->urilen1 &&
+                    payload_len < urilend->urilen2) {
                    r = 1;
+                }
                break;
        }

@ -413,7 +410,7 @@ match:
     * the payload portion of the signature matched. */
    if (sm->next != NULL) {
        int r = DoInspectPacketUri(de_ctx, det_ctx, s, sm->next, payload,
-                                   payload_len, tx);
+                                   payload_len);
        SCReturnInt(r);
    } else {
        SCReturnInt(1);
@ -486,7 +483,7 @@ int DetectEngineInspectPacketUris(DetectEngineCtx *de_ctx,
         * transaction at the app layer */
        r = DoInspectPacketUri(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_UMATCH],
                               (uint8_t *)bstr_ptr(tx->request_uri_normalized),
-                               bstr_len(tx->request_uri_normalized), tx);
+                               bstr_len(tx->request_uri_normalized));
        if (r == 1) {
            break;
        }
--- a/src/detect-urilen.c
+++ b/src/detect-urilen.c
@ -342,7 +342,10 @@ static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, char *urile
    sm->type = DETECT_AL_URILEN;
    sm->ctx = (void *)urilend;

-    SigMatchAppendUricontent(s,sm);
+    if (urilend->raw_buffer)
+        SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRUDMATCH);
+    else
+        SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH);

    /* Flagged the signature as to inspect the app layer data */
    s->flags |= SIG_FLAG_APPLAYER;