|
|
|
@ -69,8 +69,8 @@
|
|
|
|
|
* \retval 1 match
|
|
|
|
|
*/
|
|
|
|
|
static int DoInspectPacketPayload(DetectEngineCtx *de_ctx,
|
|
|
|
|
DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch *sm,
|
|
|
|
|
Packet *p, Flow *f, uint8_t *payload, uint32_t payload_len)
|
|
|
|
|
DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch *sm,
|
|
|
|
|
Packet *p, Flow *f, uint8_t *payload, uint32_t payload_len)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
@ -198,8 +198,10 @@ static int DoInspectPacketPayload(DetectEngineCtx *de_ctx,
|
|
|
|
|
} else if (found == NULL && cd->flags & DETECT_CONTENT_NEGATED) {
|
|
|
|
|
goto match;
|
|
|
|
|
} else if (found != NULL && cd->flags & DETECT_CONTENT_NEGATED) {
|
|
|
|
|
match_offset = (uint32_t)((found - payload) + cd->content_len);
|
|
|
|
|
SCLogDebug("content %"PRIu32" matched at offset %"PRIu32", but negated so no match", cd->id, match_offset);
|
|
|
|
|
/* don't bother carrying recursive matches now, for preceding
|
|
|
|
|
* relative keywords */
|
|
|
|
|
det_ctx->discontinue_matching = 1;
|
|
|
|
|
SCReturnInt(0);
|
|
|
|
|
} else {
|
|
|
|
|
match_offset = (uint32_t)((found - payload) + cd->content_len);
|
|
|
|
@ -222,6 +224,9 @@ static int DoInspectPacketPayload(DetectEngineCtx *de_ctx,
|
|
|
|
|
SCReturnInt(1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (det_ctx->discontinue_matching)
|
|
|
|
|
SCReturnInt(0);
|
|
|
|
|
|
|
|
|
|
/* set the previous match offset to the start of this match + 1 */
|
|
|
|
|
prev_offset = (match_offset - (cd->content_len - 1));
|
|
|
|
|
SCLogDebug("trying to see if there is another match after prev_offset %"PRIu32, prev_offset);
|
|
|
|
@ -325,6 +330,7 @@ int DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
det_ctx->payload_offset = 0;
|
|
|
|
|
det_ctx->discontinue_matching = 0;
|
|
|
|
|
|
|
|
|
|
r = DoInspectPacketPayload(de_ctx, det_ctx, s, s->pmatch, p, f, p->payload, p->payload_len);
|
|
|
|
|
if (r == 1) {
|
|
|
|
@ -538,6 +544,32 @@ end:
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test Test multiple relative matches with negative matches
|
|
|
|
|
* and show the need for det_ctx->discontinue_matching.
|
|
|
|
|
*/
|
|
|
|
|
static int PayloadTestSig08(void)
|
|
|
|
|
{
|
|
|
|
|
uint8_t *buf = (uint8_t *)"we need to fix this and yes fix this now";
|
|
|
|
|
uint16_t buflen = strlen((char *)buf);
|
|
|
|
|
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
|
|
|
|
|
"content:fix; content:this; within:6; content:!\"and\"; distance:0; sid:1;)";
|
|
|
|
|
|
|
|
|
|
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 1) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
end:
|
|
|
|
|
if (p != NULL)
|
|
|
|
|
UTHFreePacket(p);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif /* UNITTESTS */
|
|
|
|
|
|
|
|
|
|
void PayloadRegisterTests(void) {
|
|
|
|
@ -549,5 +581,6 @@ void PayloadRegisterTests(void) {
|
|
|
|
|
UtRegisterTest("PayloadTestSig05", PayloadTestSig05, 1);
|
|
|
|
|
UtRegisterTest("PayloadTestSig06", PayloadTestSig06, 1);
|
|
|
|
|
UtRegisterTest("PayloadTestSig07", PayloadTestSig07, 1);
|
|
|
|
|
UtRegisterTest("PayloadTestSig08", PayloadTestSig08, 1);
|
|
|
|
|
#endif /* UNITTESTS */
|
|
|
|
|
}
|
|
|
|
|
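Review bot: PayloadTestSig08 only requires that the signature does not match, so it passes for any return other than 1 from `UTHPacketMatchSigMpm`, which presumably includes a signature that failed to parse or load; note that `content:fix; content:this;` are unquoted while `content:!\"and\"` is quoted. A positive control would make the test prove the negation path rather than an accidental non-match: build a second packet whose payload has no "and" after "fix this" and require `UTHPacketMatchSigMpm(p_ok, sig, MPM_B2G) == 1` before asserting no match on the current buffer (`p_ok` is a name constructed for this note). Separately, the new `if (det_ctx->discontinue_matching)` early return in DoInspectPacketPayload depends on the flag being cleared in DetectEngineInspectPacketPayload; if any other path reaches DoInspectPacketPayload with the same det_ctx, a stale 1 would quietly suppress alerts, so a comment at the reset such as `/* must be cleared before every top-level DoInspectPacketPayload() call */` would document that contract. The bodies of both functions continue outside the hunks shown, so other callers and resets could not be checked from here.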