|
|
|
@ -739,22 +739,29 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
|
|
|
|
if (!(pd->flags & DETECT_PCRE_RELATIVE))
|
|
|
|
if (!(pd->flags & DETECT_PCRE_RELATIVE))
|
|
|
|
goto okay;
|
|
|
|
goto okay;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* errors below shouldn't free pd */
|
|
|
|
|
|
|
|
|
|
|
|
SigMatch *prev_pm = SigMatchGetLastSMFromLists(s, 4,
|
|
|
|
SigMatch *prev_pm = SigMatchGetLastSMFromLists(s, 4,
|
|
|
|
DETECT_CONTENT, sm->prev,
|
|
|
|
DETECT_CONTENT, sm->prev,
|
|
|
|
DETECT_PCRE, sm->prev);
|
|
|
|
DETECT_PCRE, sm->prev);
|
|
|
|
if (prev_pm == NULL)
|
|
|
|
if (s->list == DETECT_SM_LIST_NOTSET && prev_pm == NULL) {
|
|
|
|
|
|
|
|
SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre with /R (relative) needs "
|
|
|
|
|
|
|
|
"preceeding match in the same buffer");
|
|
|
|
|
|
|
|
goto error_nofree;
|
|
|
|
|
|
|
|
/* null is allowed when we use a sticky buffer */
|
|
|
|
|
|
|
|
} else if (prev_pm == NULL)
|
|
|
|
goto okay;
|
|
|
|
goto okay;
|
|
|
|
if (prev_pm->type == DETECT_CONTENT) {
|
|
|
|
if (prev_pm->type == DETECT_CONTENT) {
|
|
|
|
DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
|
|
|
|
DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
|
|
|
|
cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
|
|
|
|
cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
|
|
|
|
} else if (prev_pm->type == DETECT_PCRE) {
|
|
|
|
} else if (prev_pm->type == DETECT_PCRE) {
|
|
|
|
DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
|
|
|
|
DetectPcreData *tmp = (DetectPcreData *)prev_pm->ctx;
|
|
|
|
pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
|
|
|
|
tmp->flags |= DETECT_PCRE_RELATIVE_NEXT;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (pd->capidx != 0) {
|
|
|
|
if (pd->capidx != 0) {
|
|
|
|
if (DetectFlowvarPostMatchSetup(s, pd->capidx) < 0)
|
|
|
|
if (DetectFlowvarPostMatchSetup(s, pd->capidx) < 0)
|
|
|
|
goto error;
|
|
|
|
goto error_nofree;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
okay:
|
|
|
|
okay:
|
|
|
|
@ -762,6 +769,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
|
|
|
|
SCReturnInt(ret);
|
|
|
|
SCReturnInt(ret);
|
|
|
|
error:
|
|
|
|
error:
|
|
|
|
DetectPcreFree(pd);
|
|
|
|
DetectPcreFree(pd);
|
|
|
|
|
|
|
|
error_nofree:
|
|
|
|
SCReturnInt(ret);
|
|
|
|
SCReturnInt(ret);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
@ -1539,7 +1547,7 @@ int DetectPcreParseTest23(void)
|
|
|
|
"content:\"GET\"; "
|
|
|
|
"content:\"GET\"; "
|
|
|
|
"http_cookie; pcre:\"/abc/RM\"; sid:1;)");
|
|
|
|
"http_cookie; pcre:\"/abc/RM\"; sid:1;)");
|
|
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list != NULL) {
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
result = 1;
|
|
|
|
result = 1;
|
|
|
|
} else {
|
|
|
|
} else {
|
|
|
|
printf("sig parse shouldn't have failed: ");
|
|
|
|
printf("sig parse shouldn't have failed: ");
|
|
|
|
@ -1640,6 +1648,34 @@ static int DetectPcreParseTest26(void)
|
|
|
|
return result;
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/** \test Bug 1098 */
|
|
|
|
|
|
|
|
static int DetectPcreParseTest27(void)
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any 80 "
|
|
|
|
|
|
|
|
"(content:\"baduricontent\"; http_raw_uri; "
|
|
|
|
|
|
|
|
"pcre:\"/^[a-z]{5}\\.html/R\"; sid:2; rev:2;)");
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
printf("sig parse should have failed: ");
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
|
|
|
if (de_ctx != NULL)
|
|
|
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
|
|
|
if (de_ctx != NULL)
|
|
|
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
return result;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int DetectPcreTestSig01Real(int mpm_type)
|
|
|
|
static int DetectPcreTestSig01Real(int mpm_type)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
uint8_t *buf = (uint8_t *)
|
|
|
|
uint8_t *buf = (uint8_t *)
|
|
|
|
@ -4049,6 +4085,7 @@ void DetectPcreRegisterTests(void) {
|
|
|
|
UtRegisterTest("DetectPcreParseTest24", DetectPcreParseTest24, 1);
|
|
|
|
UtRegisterTest("DetectPcreParseTest24", DetectPcreParseTest24, 1);
|
|
|
|
UtRegisterTest("DetectPcreParseTest25", DetectPcreParseTest25, 1);
|
|
|
|
UtRegisterTest("DetectPcreParseTest25", DetectPcreParseTest25, 1);
|
|
|
|
UtRegisterTest("DetectPcreParseTest26", DetectPcreParseTest26, 1);
|
|
|
|
UtRegisterTest("DetectPcreParseTest26", DetectPcreParseTest26, 1);
|
|
|
|
|
|
|
|
UtRegisterTest("DetectPcreParseTest27", DetectPcreParseTest27, 1);
|
|
|
|
|
|
|
|
|
|
|
|
UtRegisterTest("DetectPcreTestSig01B2g -- pcre test", DetectPcreTestSig01B2g, 1);
|
|
|
|
UtRegisterTest("DetectPcreTestSig01B2g -- pcre test", DetectPcreTestSig01B2g, 1);
|
|
|
|
UtRegisterTest("DetectPcreTestSig01B3g -- pcre test", DetectPcreTestSig01B3g, 1);
|
|
|
|
UtRegisterTest("DetectPcreTestSig01B3g -- pcre test", DetectPcreTestSig01B3g, 1);
|
|
|
|
|
Victor Julien
11 years ago