Improve distance/within/nocase handling, sig parsing error reporting.

remotes/origin/master-1.0.x
Victor Julien 16 years ago
parent 4862488dac
commit ae94b102cb

@ -7,6 +7,7 @@
#include "detect-content.h" #include "detect-content.h"
#include "detect-uricontent.h" #include "detect-uricontent.h"
#include "detect-pcre.h" #include "detect-pcre.h"
#include "util-debug.h"
int DetectDistanceSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *distancestr); int DetectDistanceSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *distancestr);
@ -36,57 +37,38 @@ int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, cha
SigMatch *pm = m; SigMatch *pm = m;
if (pm == NULL) { if (pm == NULL) {
printf("DetectDistanceSetup: No previous match!\n"); SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two preceeding content options");
goto error; goto error;
} }
if (pm->type == DETECT_PCRE) { /** Search for the first previous DetectContent
DetectPcreData *pe = (DetectPcreData *)pm->ctx; * SigMatch (it can be the same as this one) */
pm = DetectContentFindPrevApplicableSM(m);
pe->distance = strtol(str, NULL, 10); if (pm == NULL || DetectContentHasPrevSMPattern(pm) == NULL) {
pe->flags |= DETECT_PCRE_DISTANCE; SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two preceeding content options");
//printf("DetectDistanceSetup: set distance %" PRId32 " for previous pcre\n", pe->distance); return -1;
}
} else if (pm->type == DETECT_CONTENT) {
/** Search for the first previous DetectContent
* SigMatch (it can be the same as this one) */
pm = DetectContentFindPrevApplicableSM(m);
if (pm == NULL || DetectContentHasPrevSMPattern(pm) == NULL) {
printf("DetectDistanceSetup: Unknown previous keyword!\n");
return -1;
}
DetectContentData *cd = (DetectContentData *)pm->ctx;
if (cd == NULL) {
printf("DetectDistanceSetup: Unknown previous keyword!\n");
return -1;
}
cd->distance = strtol(str, NULL, 10);
cd->flags |= DETECT_CONTENT_DISTANCE;
/** Propagate the modifiers through the first chunk DetectContentData *cd = (DetectContentData *)pm->ctx;
* (SigMatch) if we're dealing with chunks */ if (cd == NULL) {
if (cd->flags & DETECT_CONTENT_IS_CHUNK) printf("DetectDistanceSetup: Unknown previous keyword!\n");
DetectContentPropagateDistance(pm); return -1;
}
//DetectContentPrint(cd); cd->distance = strtol(str, NULL, 10);
//printf("DetectDistanceSetup: set distance %" PRId32 " for previous content\n", cd->distance); cd->flags |= DETECT_CONTENT_DISTANCE;
} else if (pm->type == DETECT_URICONTENT) {
DetectUricontentData *cd = (DetectUricontentData *)pm->ctx;
cd->distance = strtol(str, NULL, 10); /** Propagate the modifiers through the first chunk
cd->flags |= DETECT_URICONTENT_DISTANCE; * (SigMatch) if we're dealing with chunks */
if (cd->flags & DETECT_CONTENT_IS_CHUNK)
DetectContentPropagateDistance(pm);
//printf("DetectDistanceSetup: set distance %" PRId32 " for previous content\n", cd->distance); //DetectContentPrint(cd);
} else { //printf("DetectDistanceSetup: set distance %" PRId32 " for previous content\n", cd->distance);
printf("DetectDistanceSetup: Unknown previous keyword!\n");
goto error;
}
pm = m->prev; pm = DetectContentFindPrevApplicableSM(m->prev);
if (pm == NULL) { if (pm == NULL) {
printf("DetectDistanceSetup: No previous-previous match!\n"); SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two preceeding content options");
goto error; goto error;
} }
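Review bot: Two early exits on the new side of DetectDistanceSetup leave with `return -1;` (after the `DetectContentHasPrevSMPattern(pm) == NULL` check and after `cd == NULL`), while every other failure in the function uses `goto error;`. DetectWithinSetup uses `goto error;` for the same two checks. The `error:` label is outside the hunk, so whether it releases anything is not visible here, but if it does, these two paths skip it on every rejected rule. I would change both to `goto error;`. The `cd == NULL` branch also still reports through `printf("DetectDistanceSetup: Unknown previous keyword!\n")` rather than `SCLogError`, so that failure bypasses the logging this commit introduces.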

@ -24,7 +24,7 @@ void DetectNocaseRegister (void) {
int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *nullstr) int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *nullstr)
{ {
//printf("DetectNocaseSetup: s->match:%p,m:%p\n", s->match, m); int ret = 0;
if (nullstr != NULL) { if (nullstr != NULL) {
printf("DetectNocaseSetup: nocase has no value\n"); printf("DetectNocaseSetup: nocase has no value\n");
@ -32,30 +32,22 @@ int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char
} }
SigMatch *pm = m; SigMatch *pm = m;
if (pm != NULL) { for (; pm != NULL; pm = pm->prev) {
#if 0
if (pm->type == DETECT_PCRE) {
DetectPcreData *pe = (DetectPcreData *)pm->ctx;
printf("DetectNocaseSetup: set depth %" PRIu32 " for previous pcre\n", pe->depth);
} else
#endif
if (pm->type == DETECT_CONTENT) { if (pm->type == DETECT_CONTENT) {
DetectContentData *cd = (DetectContentData *)pm->ctx; DetectContentData *cd = (DetectContentData *)pm->ctx;
//printf("DetectNocaseSetup: set nocase for previous content\n"); //printf("DetectNocaseSetup: set nocase for previous content\n");
cd->flags |= DETECT_CONTENT_NOCASE; cd->flags |= DETECT_CONTENT_NOCASE;
goto end;
} else if (pm->type == DETECT_URICONTENT) { } else if (pm->type == DETECT_URICONTENT) {
DetectUricontentData *cd = (DetectUricontentData *)pm->ctx; DetectUricontentData *cd = (DetectUricontentData *)pm->ctx;
//printf("DetectNocaseSetup: set nocase for previous content\n"); //printf("DetectNocaseSetup: set nocase for previous content\n");
cd->flags |= DETECT_URICONTENT_NOCASE; cd->flags |= DETECT_URICONTENT_NOCASE;
} else { goto end;
printf("DetectNocaseSetup: Unknown previous keyword! (type %" PRIu32 ")\n", pm->type);
return -1;
} }
} else {
printf("DetectNocaseSetup: No previous match! (pm == NULL)\n");
return -1;
} }
return 0; ret = -1;
end:
return ret;
} }
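Review bot: The failure path of DetectNocaseSetup is now silent: when the `for (; pm != NULL; pm = pm->prev)` walk finds neither a content nor a uricontent match, the function falls through to `ret = -1;` with no message, where the old code printed the reason. A rule whose `nocase` has nothing to attach to is then rejected without saying why, which makes a dropped detection rule hard to trace. I would log before setting the return value, for example `SCLogError(SC_ERR_INVALID_SIGNATURE, "nocase needs a preceding content or uricontent option");`, which presumably needs `util-debug.h` if this file does not already include it (its include list is not shown). The loop also skips over any other keyword type between `nocase` and the content it modifies; if that is intended, a short comment above the loop saying so would help.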

@ -665,7 +665,7 @@ Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) {
error: error:
if ( sig != NULL ) SigFree(sig); if ( sig != NULL ) SigFree(sig);
if (de_ctx->failure_fatal == 1) { if (de_ctx->failure_fatal == 1) {
SCLogError(SC_ERR_INVALID_SIGNATURE,"Signature init failed %s ",sigstr); SCLogError(SC_ERR_INVALID_SIGNATURE,"Signature parsing failed: \"%s\"", sigstr);
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
return NULL; return NULL;
@ -801,6 +801,10 @@ error:
SigFree(sig->next); SigFree(sig->next);
SigFree(sig); SigFree(sig);
} }
if (de_ctx->failure_fatal == 1) {
SCLogError(SC_ERR_INVALID_SIGNATURE,"Signature init failed \"%s\"",sigstr);
exit(EXIT_FAILURE);
}
/* if something failed, restore the old signum count /* if something failed, restore the old signum count
* since we didn't install it */ * since we didn't install it */
de_ctx->signum = oldsignum; de_ctx->signum = oldsignum;
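Review bot: Both `error:` paths log the failing rule only inside `if (de_ctx->failure_fatal == 1)`, so with failure_fatal off the signature is freed and dropped without any message from these sites. Unless the caller reports it (not visible here), a rule that fails to parse simply disappears from the loaded set. Moving the `SCLogError` call above the `if` and keeping only `exit(EXIT_FAILURE);` inside would cover both modes. The block added in the second hunk also says `"Signature init failed \"%s\""` while the first hunk changes that wording to `"Signature parsing failed: \"%s\""`; the two should read the same. Both functions start outside the hunks.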

@ -11,6 +11,7 @@
#include "detect-content.h" #include "detect-content.h"
#include "detect-uricontent.h" #include "detect-uricontent.h"
#include "detect-pcre.h" #include "detect-pcre.h"
#include "util-debug.h"
int DetectWithinSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *withinstr); int DetectWithinSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *withinstr);
@ -40,58 +41,38 @@ int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char
SigMatch *pm = m; SigMatch *pm = m;
if (pm == NULL) { if (pm == NULL) {
printf("DetectWithinSetup: No previous match!\n"); SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs two preceeding content options");
goto error; goto error;
} }
/* Set the within flag on the Sigmatch */ /** Search for the first previous DetectContent
if (pm->type == DETECT_PCRE) { * SigMatch (it can be the same as this one) */
DetectPcreData *pe = (DetectPcreData *)pm->ctx; pm = DetectContentFindPrevApplicableSM(m);
if (pm == NULL || DetectContentHasPrevSMPattern(pm) == NULL) {
pe->within = strtol(str, NULL, 10); SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs two preceeding content options");
pe->flags |= DETECT_PCRE_WITHIN; goto error;
//printf("DetectWithinSetup: set within %" PRId32 " for previous pcre\n", pe->within); }
} else if (pm->type == DETECT_CONTENT) {
/** Search for the first previous DetectContent
* SigMatch (it can be the same as this one) */
pm = DetectContentFindPrevApplicableSM(m);
if (pm == NULL || DetectContentHasPrevSMPattern(pm) == NULL) {
printf("DetectWithinSetup: Unknown previous keyword!\n");
return -1;
}
DetectContentData *cd = (DetectContentData *)pm->ctx;
if (cd == NULL) {
printf("DetectWithinSetup: Unknown previous keyword!\n");
return -1;
}
cd->within = strtol(str, NULL, 10);
cd->flags |= DETECT_CONTENT_WITHIN;
/** Propagate the modifiers through the first chunk
* (SigMatch) if we're dealing with chunks */
if (cd->flags & DETECT_CONTENT_IS_CHUNK)
DetectContentPropagateWithin(pm);
//DetectContentPrint(cd);
//printf("DetectWithinSetup: set within %" PRId32 " for previous content\n", cd->within);
} else if (pm->type == DETECT_URICONTENT) {
DetectUricontentData *ud = (DetectUricontentData *)pm->ctx;
ud->within = strtol(str, NULL, 10);
ud->flags |= DETECT_URICONTENT_WITHIN;
//printf("DetectWithinSetup: set within %" PRId32 " for previous content\n", cd->within); DetectContentData *cd = (DetectContentData *)pm->ctx;
} else { if (cd == NULL) {
printf("DetectWithinSetup: Unknown previous keyword!\n"); printf("DetectWithinSetup: Unknown previous keyword!\n");
goto error; goto error;
} }
pm = m->prev; cd->within = strtol(str, NULL, 10);
cd->flags |= DETECT_CONTENT_WITHIN;
/** Propagate the modifiers through the first chunk
* (SigMatch) if we're dealing with chunks */
if (cd->flags & DETECT_CONTENT_IS_CHUNK)
DetectContentPropagateWithin(pm);
//DetectContentPrint(cd);
//printf("DetectWithinSetup: set within %" PRId32 " for previous content\n", cd->within);
pm = DetectContentFindPrevApplicableSM(m->prev);
if (pm == NULL) { if (pm == NULL) {
printf("DetectWithinSetup: No previous-previous match!\n"); SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs two preceeding content options");
goto error; goto error;
} }
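Review bot: `cd->within = strtol(str, NULL, 10);` takes the value straight from the rule text with no check that it is a number or that it fits: non-numeric text yields 0, trailing characters are ignored, and an out-of-range value is clamped by strtol and possibly narrowed on assignment. The rule then loads with a constraint different from what was written, and nothing is logged. The same call sets `cd->distance` in DetectDistanceSetup. I would parse with an end pointer and `errno` and reject bad values, as below. The `int32_t` bound is inferred from the `PRId32` in the commented-out printf, `errno.h` would be needed, and if `str` (built outside the hunk) can carry trailing whitespace the tail check has to allow for it.

```c
/* … unchanged: previous-content lookup and cd == NULL check … */
char *end = NULL;
errno = 0;
long within = strtol(str, &end, 10);
if (end == str || *end != '\0' || errno == ERANGE ||
    within < INT32_MIN || within > INT32_MAX) {
    SCLogError(SC_ERR_INVALID_SIGNATURE, "invalid within value \"%s\"", str);
    goto error;
}
cd->within = (int32_t)within;
cd->flags |= DETECT_CONTENT_WITHIN;
/* … unchanged: chunk propagation and second previous-content lookup … */
```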

@ -66,6 +66,8 @@ const char * SCErrorToString(SCError err)
CASE_CODE (SC_ERR_UNDEFINED_VAR); CASE_CODE (SC_ERR_UNDEFINED_VAR);
CASE_CODE (SC_RULE_KEYWORD_UNKNOWN); CASE_CODE (SC_RULE_KEYWORD_UNKNOWN);
CASE_CODE (SC_ERR_FLAGS_MODIFIER); CASE_CODE (SC_ERR_FLAGS_MODIFIER);
CASE_CODE (SC_ERR_DISTANCE_MISSING_CONTENT);
CASE_CODE (SC_ERR_WITHIN_MISSING_CONTENT);
default: default:
return "UNKNOWN_ERROR"; return "UNKNOWN_ERROR";
} }

@ -77,6 +77,8 @@ typedef enum {
SC_ERR_UNDEFINED_VAR, SC_ERR_UNDEFINED_VAR,
SC_RULE_KEYWORD_UNKNOWN, SC_RULE_KEYWORD_UNKNOWN,
SC_ERR_FLAGS_MODIFIER, SC_ERR_FLAGS_MODIFIER,
SC_ERR_DISTANCE_MISSING_CONTENT,
SC_ERR_WITHIN_MISSING_CONTENT,
} SCError; } SCError;
const char *SCErrorToString(SCError); const char *SCErrorToString(SCError);
