First version of flowints

remotes/origin/master-1.0.x
Pablo Rincon 16 years ago committed by Victor Julien
parent 1b39e602d0
commit a8d7b71490

@ -47,6 +47,7 @@ detect-content.c detect-content.h \
detect-uricontent.c detect-uricontent.h \
detect-flowbits.c detect-flowbits.h \
detect-flowvar.c detect-flowvar.h \
detect-flowint.c detect-flowint.h \
detect-pktvar.c detect-pktvar.h \
detect-pcre.c detect-pcre.h \
detect-depth.c detect-depth.h \


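--- /dev/null
+++ b/detect-flowint.h
@@ -0,0 +1,58 @@
+#ifndef __DETECT_FLOWINT_H__
+#define __DETECT_FLOWINT_H__
+/** Flowint operations allowed */
+enum {
+/** Changing integer values */
+FLOWINT_MODIFIER_SET,
+FLOWINT_MODIFIER_ADD,
+FLOWINT_MODIFIER_SUB,
+/** Comparing integer values */
+FLOWINT_MODIFIER_LT,
+FLOWINT_MODIFIER_LE,
+FLOWINT_MODIFIER_EQ,
+FLOWINT_MODIFIER_NE,
+FLOWINT_MODIFIER_GE,
+FLOWINT_MODIFIER_GT,
+/** Checking if a var isset (keyword isset)*/
+FLOWINT_MODIFIER_IS,
+FLOWINT_MODIFIER_UNKNOWN
+};
+/** The target can be a value, or another variable arleady declared */
+enum {
+FLOWINT_TARGET_VAL,
+FLOWINT_TARGET_VAR,
+FLOWINT_TARGET_SELF,
+FLOWINT_TARGET_UNKNOWN
+};
+/** If the target is another var, get the name and the idx */
+typedef struct TargetVar_ {
+uint16_t idx;
+char *name;
+} TargetVar;
+/** Context data for flowint vars */
+typedef struct DetectFlowintData_ {
+char *name; /* This is the main var we are going to use
+* against the target */
+uint16_t idx;
+uint8_t modifier; /* The modifier/operation/condition we are
+* going to execute */
+uint8_t targettype;
+union {
+uint32_t value; /* the target value */
+TargetVar tvar; /* or the target var */
+} target;
+} DetectFlowintData;
+/* prototypes */
+void DetectFlowintRegister (void);
+#endif /* __DETECT_FLOWINT_H__ */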
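Review bot: The new header uses `uint8_t`, `uint16_t` and `uint32_t` but includes nothing, so it only compiles when the including file has already pulled in `<stdint.h>`; add `#include <stdint.h>` right after the include guard so the header is self-contained. The two `char *name` members (TargetVar and DetectFlowintData) carry no ownership note, and the .c file that fills them is not shown on this page, so a reader cannot tell who frees them; a one-line comment on each, stating whether the struct owns a heap copy or borrows the rule text, would settle that. Minor: "arleady" in the target-enum comment should read "already".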

@ -67,7 +67,9 @@ int DetectFlowvarMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p
FlowVar *fv = FlowVarGet(p->flow, fd->idx);
if (fv != NULL) {
uint8_t *ptr = BinSearch(fv->value, fv->value_len, fd->content, fd->content_len);
uint8_t *ptr = BinSearch(fv->data.fv_str.value,
fv->data.fv_str.value_len,
fd->content, fd->content_len);
if (ptr != NULL)
ret = 1;
}
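Review bot: The new `fv->data.fv_str` access after `if (fv != NULL)` does not check `fv->datatype`, yet FlowVarGet now also returns integer variables stored in the same union (FlowVarAddInt in flow-var.c tags them `DETECT_FLOWVAR` too). If an integer variable can be found under `fd->idx`, `fv_str.value` is read from the bytes of `fv_int.value` plus never-initialised padding and handed to BinSearch as a pointer. Guard the branch: `if (fv != NULL && fv->datatype == FLOWVAR_TYPE_STR) {`. DetectFlowvarMatch begins outside the hunk, and whether the flow mutex is held while the variable list is read is not visible here.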

@ -188,7 +188,7 @@ int DetectPcreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, S
if (pe->flags & DETECT_PCRE_CAPTURE_PKT) {
PktVarAdd(p, pe->capname, (uint8_t *)str_ptr, ret);
} else if (pe->flags & DETECT_PCRE_CAPTURE_FLOW) {
FlowVarAdd(p->flow, pe->capidx, (uint8_t *)str_ptr, ret);
FlowVarAddStr(p->flow, pe->capidx, (uint8_t *)str_ptr, ret);
}
}
}

@ -52,6 +52,7 @@
#include "detect-id.h"
#include "detect-dsize.h"
#include "detect-flowvar.h"
#include "detect-flowint.h"
#include "detect-pktvar.h"
#include "detect-noalert.h"
#include "detect-flowbits.h"
@ -2781,6 +2782,7 @@ void SigTableSetup(void) {
DetectIdRegister();
DetectDsizeRegister();
DetectFlowvarRegister();
DetectFlowintRegister();
DetectPktvarRegister();
DetectNoalertRegister();
DetectFlowbitsRegister();

@ -442,6 +442,7 @@ enum {
DETECT_ID,
DETECT_DSIZE,
DETECT_FLOWVAR,
DETECT_FLOWINT,
DETECT_PKTVAR,
DETECT_NOALERT,
DETECT_FLOWBITS,

@ -15,10 +15,15 @@
#include "detect.h"
/* puts a new value into a flowvar */
void FlowVarUpdate(FlowVar *fv, uint8_t *value, uint16_t size) {
if (fv->value) free(fv->value);
fv->value = value;
fv->value_len = size;
void FlowVarUpdateStr(FlowVar *fv, uint8_t *value, uint16_t size) {
if (fv->data.fv_str.value) free(fv->data.fv_str.value);
fv->data.fv_str.value = value;
fv->data.fv_str.value_len = size;
}
/* puts a new value into a flowvar */
void FlowVarUpdateInt(FlowVar *fv, uint32_t value) {
fv->data.fv_int.value = value;
}
/* get the flowvar with name 'name' from the flow
@ -36,7 +41,7 @@ FlowVar *FlowVarGet(Flow *f, uint8_t idx) {
}
/* add a flowvar to the flow, or update it */
void FlowVarAdd(Flow *f, uint8_t idx, uint8_t *value, uint16_t size) {
void FlowVarAddStr(Flow *f, uint8_t idx, uint8_t *value, uint16_t size) {
//printf("Adding flow var \"%s\" with value(%" PRId32 ") \"%s\"\n", name, size, value);
SCMutexLock(&f->m);
@ -48,14 +53,42 @@ void FlowVarAdd(Flow *f, uint8_t idx, uint8_t *value, uint16_t size) {
goto out;
fv->type = DETECT_FLOWVAR;
fv->datatype = FLOWVAR_TYPE_STR;
fv->idx = idx;
fv->value = value;
fv->value_len = size;
fv->data.fv_str.value = value;
fv->data.fv_str.value_len = size;
fv->next = NULL;
GenericVarAppend(&f->flowvar, (GenericVar *)fv);
} else {
FlowVarUpdate(fv, value, size);
FlowVarUpdateStr(fv, value, size);
}
out:
mutex_unlock(&f->m);
}
/* add a flowvar to the flow, or update it */
void FlowVarAddInt(Flow *f, uint8_t idx, uint32_t value) {
//printf("Adding flow var \"%s\" with value(%" PRId32 ") \"%s\"\n", name, size, value);
mutex_lock(&f->m);
FlowVar *fv = FlowVarGet(f, idx);
if (fv == NULL) {
fv = malloc(sizeof(FlowVar));
if (fv == NULL)
goto out;
fv->type = DETECT_FLOWVAR;
fv->datatype = FLOWVAR_TYPE_INT;
fv->idx = idx;
fv->data.fv_int.value= value;
fv->next = NULL;
GenericVarAppend(&f->flowvar, (GenericVar *)fv);
} else {
FlowVarUpdateInt(fv, value);
}
out:
@ -66,9 +99,10 @@ void FlowVarFree(FlowVar *fv) {
if (fv == NULL)
return;
if (fv->value != NULL)
free(fv->value);
if (fv->datatype == FLOWVAR_TYPE_STR) {
if (fv->data.fv_str.value != NULL)
free(fv->data.fv_str.value);
}
free(fv);
}
@ -78,15 +112,23 @@ void FlowVarPrint(GenericVar *gv) {
if (gv == NULL)
return;
if (gv->type == DETECT_FLOWVAR) {
if (gv->type == DETECT_FLOWVAR || gv->type == DETECT_FLOWINT) {
FlowVar *fv = (FlowVar *)gv;
printf("Name idx \"%" PRIu32 "\", Value \"", fv->idx);
for (i = 0; i < fv->value_len; i++) {
if (isprint(fv->value[i])) printf("%c", fv->value[i]);
else printf("\\%02X", fv->value[i]);
if (fv->datatype == FLOWVAR_TYPE_STR) {
printf("Name idx \"%" PRIu32 "\", Value \"", fv->idx);
for (i = 0; i < fv->data.fv_str.value_len; i++) {
if (isprint(fv->data.fv_str.value[i]))
printf("%c", fv->data.fv_str.value[i]);
else
printf("\\%02X", fv->data.fv_str.value[i]);
}
printf("\", Len \"%" PRIu32 "\"\n", fv->data.fv_str.value_len);
}
if (fv->datatype == FLOWVAR_TYPE_INT) {
printf("Name idx \"%" PRIu32 "\", Value \"%" PRIu32 "\"", fv->idx,
fv->data.fv_int.value);
}
printf("\", Len \"%" PRIu32 "\"\n", fv->value_len);
}
FlowVarPrint(gv->next);
}
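Review bot: FlowVarUpdateStr and FlowVarUpdateInt in the first hunk never read or set `fv->datatype`, so an update that changes a variable's type corrupts the union: FlowVarUpdateInt on a string variable overwrites part of the `fv_str.value` pointer while `datatype` stays STR, and FlowVarFree/FlowVarPrint then free or dereference a mangled pointer, while FlowVarUpdateStr on an integer variable passes the never-initialised `fv_str.value` bytes (FlowVarAddInt mallocs without clearing) to free(). Whether a flowint and a flowvar can ever share an idx is not visible here, but the update paths should be type-safe regardless; the rewrite below releases a string payload only when `datatype` says one exists and records the new type. Also, FlowVarAddInt copies a stale `//printf` comment naming `name`, `size` and `value`, none of which exist in that function, and it tags the variable `DETECT_FLOWVAR` although this commit adds `DETECT_FLOWINT` to detect.h and FlowVarPrint now accepts either. The INT branch of FlowVarPrint emits no trailing newline, unlike the STR branch.
```c
void FlowVarUpdateStr(FlowVar *fv, uint8_t *value, uint16_t size) {
    /* only a string payload owns a heap pointer; an integer payload shares
     * the same union bytes and must never be handed to free() */
    if (fv->datatype == FLOWVAR_TYPE_STR && fv->data.fv_str.value)
        free(fv->data.fv_str.value);
    fv->datatype = FLOWVAR_TYPE_STR;
    fv->data.fv_str.value = value;
    fv->data.fv_str.value_len = size;
}

void FlowVarUpdateInt(FlowVar *fv, uint32_t value) {
    /* release a string payload before the union is reused for an integer */
    if (fv->datatype == FLOWVAR_TYPE_STR && fv->data.fv_str.value)
        free(fv->data.fv_str.value);
    fv->datatype = FLOWVAR_TYPE_INT;
    fv->data.fv_int.value = value;
}
/* … unchanged: FlowVarGet, FlowVarAddStr, FlowVarAddInt, FlowVarFree, FlowVarPrint … */
```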

@ -1,21 +1,48 @@
/* Copyright (c) 2008 Victor Julien <victor@inliniac.net> */
/* Copyright (c) 2009 Pablo Rincon <pablo.rincon.crespo@gmail.com> */
#ifndef __FLOW_VAR_H__
#define __FLOW_VAR_H__
#include "flow.h"
#include "util-var.h"
/** Available data types for Flowvars */
#define FLOWVAR_TYPE_STR 1
#define FLOWVAR_TYPE_INT 2
/** Struct used to hold the string data type for flowvars */
typedef struct FlowVarTypeStr {
uint8_t *value;
uint16_t value_len;
}FlowVarTypeStr;
/** Struct used to hold the integer data type for flowvars */
typedef struct FlowVarTypeInt_ {
uint32_t value;
}FlowVarTypeInt;
/** Generic Flowvar Structure */
typedef struct FlowVar_ {
uint8_t type; /* type, DETECT_FLOWVAR in this case */
uint16_t idx; /* name idx */
GenericVar *next; /* right now just implement this as a list,
* in the long run we have think of something
* faster. */
uint8_t *value;
uint16_t value_len;
uint8_t datatype;
union {
FlowVarTypeStr fv_str;
FlowVarTypeInt fv_int;
} data;
} FlowVar;
void FlowVarAdd(Flow *, uint8_t, uint8_t *, uint16_t);
/** Flowvar Interface API */
void FlowVarAddStr(Flow *, uint8_t, uint8_t *, uint16_t);
void FlowVarAddInt(Flow *, uint8_t, uint32_t);
FlowVar *FlowVarGet(Flow *, uint8_t);
void FlowVarFree(FlowVar *);
void FlowVarPrint(GenericVar *);
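Review bot: FlowVarAddStr's ownership contract is not documented, yet flow-var.c stores `value` directly and later free()s it (FlowVarUpdateStr on replacement, FlowVarFree on cleanup), so the caller must hand over a heap pointer it will not touch again; a comment above the prototype such as `/* takes ownership of value: it is free()d on update or flow cleanup */` would stop callers passing stack or shared buffers. The `type` field's comment `DETECT_FLOWVAR in this case` is now incomplete, since FlowVarPrint in this commit also accepts `DETECT_FLOWINT`, and `datatype` should say it selects which `data` union member is valid (`FLOWVAR_TYPE_STR`/`FLOWVAR_TYPE_INT`). Minor: `typedef struct FlowVarTypeStr {` drops the trailing underscore used by the other tags (`FlowVarTypeInt_`, `FlowVar_`).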

@ -104,3 +104,27 @@ error:
return 0;
}
/** We need to use this at flowints/flowvars
* Need to support options "isset" and "!isset"
* return 0 if not set, the idx if it's set */
uint8_t VariableNameIsSet(DetectEngineCtx *de_ctx, char *name, uint8_t type) {
VariableName *fn = malloc(sizeof(VariableName));
uint8_t result = 0;
if (fn == NULL)
goto end;
memset(fn, 0, sizeof(VariableName));
fn->type = type;
fn->name = strdup(name);
if (fn->name == NULL)
goto end;
VariableName *lookup_fn = (VariableName *)HashListTableLookup(de_ctx->variable_names, (void *)fn, 0);
if (lookup_fn != NULL)
result = lookup_fn->idx;
end:
VariableNameFree(fn);
return result;
}
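Review bot: `name` is only passed to strdup, so the parameter should be `const char *name`; as written, callers holding literals or const buffers need a cast. The two early exits rely on VariableNameFree tolerating a NULL `fn` and a NULL `fn->name`, which is not visible on this page; if it does not, the `if (fn == NULL) goto end;` path dereferences NULL inside VariableNameFree, and `if (fn == NULL) return 0;` sidesteps the question. The comment says 0 means "not set", which only holds if idx 0 is never assigned to a variable by the registration code above the hunk; if that is guaranteed, the comment should say so, and if not, the sentinel needs a different encoding.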
