aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect app-layer-event: clean up registration

Browse Source 
Move engine and registration into the keyword file.

Register as 'ALPROTO_UNKNOWN' instead of per alproto. The
registration will only apply it to those rules that have
events set.
pull/2310/head
Victor Julien 9 years ago
parent 9e35fa7f41
commit a24870f29f
6 changed files with 63 additions and 137 deletions
Show Stats Download Patch File Download Diff File

1
src/Makefile.am
Unescape Escape View File

@ -97,7 +97,6 @@ detect-engine-address-ipv4.c detect-engine-address-ipv4.h \
detect-engine-address-ipv6.c detect-engine-address-ipv6.h \
detect-engine-alert.c detect-engine-alert.h \
detect-engine-analyzer.c detect-engine-analyzer.h \
detect-engine-apt-event.c detect-engine-apt-event.h \
detect-engine.c detect-engine.h \
detect-engine-content-inspection.c detect-engine-content-inspection.h \
detect-engine-dcepayload.c detect-engine-dcepayload.h \

60
src/detect-app-layer-event.c
Unescape Escape View File

@ -53,7 +53,12 @@ static int DetectAppLayerEventAppMatch(ThreadVars *, DetectEngineThreadCtx *, Fl
static int DetectAppLayerEventSetupP1(DetectEngineCtx *, Signature *, char *);
static void DetectAppLayerEventRegisterTests(void);
static void DetectAppLayerEventFree(void *);
static int DetectEngineAptEventInspect(ThreadVars *tv,
DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
Signature *s, Flow *f, uint8_t flags,
void *alstate,
void *tx, uint64_t tx_id);
/**
* \brief Registers the keyword handlers for the "app-layer-event" keyword.
*/
@ -69,9 +74,62 @@ void DetectAppLayerEventRegister(void)
sigmatch_table[DETECT_AL_APP_LAYER_EVENT].RegisterTests =
DetectAppLayerEventRegisterTests;
DetectAppLayerInspectEngineRegister(ALPROTO_UNKNOWN,
SIG_FLAG_TOSERVER, DETECT_SM_LIST_APP_EVENT,
DetectEngineAptEventInspect);
DetectAppLayerInspectEngineRegister(ALPROTO_UNKNOWN,
SIG_FLAG_TOCLIENT, DETECT_SM_LIST_APP_EVENT,
DetectEngineAptEventInspect);
return;
}
static int DetectEngineAptEventInspect(ThreadVars *tv,
DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
Signature *s, Flow *f, uint8_t flags,
void *alstate,
void *tx, uint64_t tx_id)
{
AppLayerDecoderEvents *decoder_events = NULL;
int r = 0;
AppProto alproto;
SigMatch *sm;
DetectAppLayerEventData *aled = NULL;
alproto = f->alproto;
decoder_events = AppLayerParserGetEventsByTx(f->proto, alproto, alstate, tx_id);
if (decoder_events == NULL)
goto end;
for (sm = s->sm_lists[DETECT_SM_LIST_APP_EVENT]; sm != NULL; sm = sm->next) {
aled = (DetectAppLayerEventData *)sm->ctx;
KEYWORD_PROFILING_START;
if (AppLayerDecoderEventsIsEventSet(decoder_events, aled->event_id)) {
KEYWORD_PROFILING_END(det_ctx, sm->type, 1);
continue;
}
KEYWORD_PROFILING_END(det_ctx, sm->type, 0);
goto end;
}
r = 1;
end:
if (r == 1) {
return DETECT_ENGINE_INSPECT_SIG_MATCH;
} else {
if (AppLayerParserGetStateProgress(f->proto, alproto, tx, flags) ==
AppLayerParserGetStateProgressCompletionStatus(alproto, flags))
{
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
} else {
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
}
}
}
static int DetectAppLayerEventPktMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Packet *p, Signature *s, const SigMatchCtx *ctx)

79
src/detect-engine-apt-event.c
Unescape Escape View File

@ -1,79 +0,0 @@
/* Copyright (C) 2007-2013 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/** \file
*
* \author Anoop Saldanha <anoopsaldanha@gmail.com>
*/
#include "suricata-common.h"
#include "suricata.h"
#include "app-layer-parser.h"
#include "detect-app-layer-event.h"
#include "detect-engine-state.h"
#include "stream.h"
#include "detect-engine-apt-event.h"
#include "util-profiling.h"
#include "util-unittest.h"
int DetectEngineAptEventInspect(ThreadVars *tv,
DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
Signature *s, Flow *f, uint8_t flags,
void *alstate,
void *tx, uint64_t tx_id)
{
AppLayerDecoderEvents *decoder_events = NULL;
int r = 0;
AppProto alproto;
SigMatch *sm;
DetectAppLayerEventData *aled = NULL;
alproto = f->alproto;
decoder_events = AppLayerParserGetEventsByTx(f->proto, alproto, alstate, tx_id);
if (decoder_events == NULL)
goto end;
for (sm = s->sm_lists[DETECT_SM_LIST_APP_EVENT]; sm != NULL; sm = sm->next) {
aled = (DetectAppLayerEventData *)sm->ctx;
KEYWORD_PROFILING_START;
if (AppLayerDecoderEventsIsEventSet(decoder_events, aled->event_id)) {
KEYWORD_PROFILING_END(det_ctx, sm->type, 1);
continue;
}
KEYWORD_PROFILING_END(det_ctx, sm->type, 0);
goto end;
}
r = 1;
end:
if (r == 1) {
return DETECT_ENGINE_INSPECT_SIG_MATCH;
} else {
if (AppLayerParserGetStateProgress(f->proto, alproto, tx, flags) ==
AppLayerParserGetStateProgressCompletionStatus(alproto, flags))
{
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
} else {
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
}
}
}

34
src/detect-engine-apt-event.h
Unescape Escape View File

@ -1,34 +0,0 @@
/* Copyright (C) 2007-2013 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/** \file
*
* \author Anoop Saldanha <anoopsaldanha@gmail.com>
*/
#ifndef __DETECT_ENGINE_APT_EVENT__H__
#define __DETECT_ENGINE_APT_EVENT__H__
int DetectEngineAptEventInspect(ThreadVars *tv,
DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
Signature *s, Flow *f, uint8_t flags,
void *alstate,
void *tx, uint64_t tx_id);
void DetectEngineAptEventRegisterTests(void);
#endif /* __DETECT_ENGINE_APT_EVENT__H__ */

6
src/detect-engine.c
Unescape Escape View File

@ -111,7 +111,7 @@ void DetectEngineRegisterAppInspectionEngine(AppProto alproto,
uint8_t flags, void *alstate,
void *tx, uint64_t tx_id))
{
if ((alproto <= ALPROTO_UNKNOWN || alproto >= ALPROTO_FAILED) ||
if ((alproto >= ALPROTO_FAILED) ||
(dir > 1) ||
(sm_list < DETECT_SM_LIST_MATCH || sm_list >= DETECT_SM_LIST_MAX) ||
(Callback == NULL))
@ -170,7 +170,9 @@ int DetectEngineAppInspectionEngine2Signature(Signature *s)
while (t != NULL) {
if (s->sm_lists[t->sm_list] == NULL)
goto next;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != t->alproto)
if (t->alproto == ALPROTO_UNKNOWN) {
/* special case, inspect engine applies to all protocols */
} else if (s->alproto != ALPROTO_UNKNOWN && s->alproto != t->alproto)
goto next;
if (s->flags & SIG_FLAG_TOSERVER && !(s->flags & SIG_FLAG_TOCLIENT)) {

20
src/detect-parse.c
Unescape Escape View File

@ -40,7 +40,6 @@
#include "detect-ipproto.h"
#include "detect-flow.h"
#include "detect-app-layer-protocol.h"
#include "detect-engine-apt-event.h"
#include "detect-lua.h"
#include "detect-app-layer-event.h"
#include "detect-http-method.h"
@ -1642,25 +1641,6 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr,
SigBuildAddressMatchArray(sig);
if (sig->sm_lists[DETECT_SM_LIST_APP_EVENT] != NULL) {
if (AppLayerParserProtocolIsTxEventAware(IPPROTO_TCP, sig->alproto) ||
AppLayerParserProtocolIsTxEventAware(IPPROTO_UDP, sig->alproto))
{
if (sig->flags & SIG_FLAG_TOSERVER) {
DetectEngineRegisterAppInspectionEngine(sig->alproto,
0,
DETECT_SM_LIST_APP_EVENT,
DetectEngineAptEventInspect);
}
if (sig->flags & SIG_FLAG_TOCLIENT) {
DetectEngineRegisterAppInspectionEngine(sig->alproto,
1,
DETECT_SM_LIST_APP_EVENT,
DetectEngineAptEventInspect);
}
}
}
/* validate signature, SigValidate will report the error reason */
if (SigValidate(de_ctx, sig) == 0) {
goto error;

Write Preview
Loading…
Cancel
Save