Convert uricontent to use new scanning methods as well. Move http_method and http_cookie keywords out of pmatch list for now.

remotes/origin/master-1.0.x
Victor Julien 16 years ago
parent bef70a04ce
commit b259e362cd

@ -76,7 +76,7 @@ static int DetectAckMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
* \retval -1 on Failure
*/
static int DetectAckSetup(DetectEngineCtx *de_ctx, Signature *s,
SigMatch *m, char *optstr)
SigMatch *notused, char *optstr)
{
DetectAckData *data;
SigMatch *sm = NULL;
@ -101,7 +101,7 @@ static int DetectAckSetup(DetectEngineCtx *de_ctx, Signature *s,
}
sm->ctx = data;
SigMatchAppend(s, m, sm);
SigMatchAppendPacket(s, sm);
return 0;

@ -96,8 +96,8 @@ int DetectBytejumpDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch
* the packet from that point.
*/
if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
ptr = payload + det_ctx->pkt_off;
len = payload_len - det_ctx->pkt_off;
ptr = payload + det_ctx->payload_offset;
len = payload_len - det_ctx->payload_offset;
/* No match if there is no relative base */
if (ptr == NULL || len == 0) {
@ -181,8 +181,7 @@ int DetectBytejumpDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch
#endif /* DEBUG */
/* Adjust the detection context to the jump location. */
det_ctx->pkt_ptr = jumpptr;
det_ctx->pkt_off = jumpptr - payload;
det_ctx->payload_offset = jumpptr - payload;
SCReturnInt(1);
}
@ -205,8 +204,8 @@ int DetectBytejumpMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
* the packet from that point.
*/
if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
ptr = det_ctx->pkt_ptr;
len = p->pktlen - det_ctx->pkt_off;
ptr = p->payload + det_ctx->payload_offset;
len = p->payload_len - det_ctx->payload_offset;
/* No match if there is no relative base */
if (ptr == NULL || len == 0) {
@ -222,10 +221,10 @@ int DetectBytejumpMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
}
/* Verify the to-be-extracted data is within the packet */
if (ptr < p->pkt || data->nbytes > len) {
if (ptr < p->payload || data->nbytes > len) {
SCLogDebug("Data not within packet "
"pkt=%p, ptr=%p, len=%d, nbytes=%d",
p->pkt, ptr, len, data->nbytes);
"payload=%p, ptr=%p, len=%d, nbytes=%d",
p->payload, ptr, len, data->nbytes);
return 0;
}
@ -274,9 +273,9 @@ int DetectBytejumpMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
/* Validate that the jump location is still in the packet
* \todo Should this validate it is still in the *payload*?
*/
if ((jumpptr < p->pkt) || (jumpptr >= p->pkt + p->pktlen)) {
if ((jumpptr < p->payload) || (jumpptr >= p->payload + p->payload_len)) {
SCLogDebug("Jump location (%p) is not within "
"packet (%p-%p)", jumpptr, p->pkt, p->pkt + p->pktlen - 1);
"packet (%p-%p)", jumpptr, p->payload, p->payload + p->payload_len - 1);
return 0;
}
@ -291,8 +290,7 @@ int DetectBytejumpMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
#endif /* DEBUG */
/* Adjust the detection context to the jump location. */
det_ctx->pkt_ptr = jumpptr;
det_ctx->pkt_off = jumpptr - p->pkt;
det_ctx->payload_offset = jumpptr - p->payload;
return 1;
}
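Review bot: Nothing in the relative branch of DetectBytejumpMatch bounds `det_ctx->payload_offset` before `len = p->payload_len - det_ctx->payload_offset`, so an offset past the end of the payload makes the subtraction go negative or wrap (the type of `len` is not visible here), and the later `data->nbytes > len` test may then fail to reject the read. The `ptr == NULL` test also stops detecting a missing relative base, because `p->payload + det_ctx->payload_offset` is only NULL when the payload pointer is NULL and the offset is 0. I would guard before the arithmetic with `if (p->payload == NULL || det_ctx->payload_offset > p->payload_len) return 0;`. The relative branches of DetectBytejumpDoMatch and DetectBytetestDoMatch compute `len` the same way and need the equivalent check. All three function bodies continue outside the hunks shown.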

@ -102,11 +102,11 @@ int DetectBytetestDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch
* the packet from that point.
*/
if (data->flags & DETECT_BYTETEST_RELATIVE) {
SCLogDebug("relative, working with det_ctx->pkt_off %"PRIu32", "
"data->offset %"PRIu32"", det_ctx->pkt_off, data->offset);
SCLogDebug("relative, working with det_ctx->payload_offset %"PRIu32", "
"data->offset %"PRIu32"", det_ctx->payload_offset, data->offset);
ptr = payload + det_ctx->pkt_off;
len = payload_len - det_ctx->pkt_off;
ptr = payload + det_ctx->payload_offset;
len = payload_len - det_ctx->payload_offset;
/* No match if there is no relative base */
if (ptr == NULL || len == 0) {

@ -380,7 +380,7 @@ DoDetectContent(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signat
{
int ret = 0;
char match = 0;
uint16_t pkt_off = det_ctx->pkt_off;
uint16_t payload_offset = det_ctx->payload_offset;
MpmMatch *temp_m = NULL;
SCLogDebug("det_ctx->mtc.match[%"PRIu32"].len %"PRIu32"", co->id, det_ctx->mtc.match[co->id].len);
@ -396,10 +396,10 @@ DoDetectContent(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signat
/* only use pkt offset of previous matches
* on relative matches. */
pkt_off = 0;
payload_offset = 0;
}
SCLogDebug("using pkt_off %"PRIu16"", pkt_off);
SCLogDebug("using payload_offset %"PRIu16"", payload_offset);
/* if we have within or distance coming up next, check this match
* for distance and/or within and check the rest of this match
@ -419,17 +419,17 @@ DoDetectContent(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signat
for (; m != NULL; m = m->next) {
/* first check our match for offset and depth */
if (TestOffsetDepth(m, co, pkt_off) == 1) {
if (TestOffsetDepth(m, co, payload_offset) == 1) {
SCLogDebug("TestOffsetDepth returned 1, for co->id %"PRIu32"", co->id);
SigMatch *real_sm_next = DetectContentFindNextApplicableSM(sm->next);
ret = TestWithinDistanceOffsetDepth(t, det_ctx, m, sm, real_sm_next, pkt_off);
ret = TestWithinDistanceOffsetDepth(t, det_ctx, m, sm, real_sm_next, payload_offset);
if (ret == 1) {
SCLogDebug("TestWithinDistanceOffsetDepth returned 1");
det_ctx->pkt_ptr = p->payload + m->offset;
/* update both the local and ctx pkt_off */
pkt_off = det_ctx->pkt_off = m->offset;
//det_ctx->pkt_ptr = p->payload + m->offset;
/* update both the local and ctx payload_offset */
payload_offset = det_ctx->payload_offset = m->offset;
match = 1;
break;
} else if (ret == -1) {
@ -481,11 +481,11 @@ DoDetectContent(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signat
* after the first match */
if (s->flags & SIG_FLAG_RECURSIVE && det_ctx->pkt_cnt) {
for (; m != NULL; m = m->next) {
if (m->offset >= det_ctx->pkt_off) {
if (m->offset >= det_ctx->payload_offset) {
/* update pkt ptrs, content doesn't use this,
* but pcre does */
det_ctx->pkt_ptr = p->payload + m->offset;
det_ctx->pkt_off = m->offset;
//det_ctx->pkt_ptr = p->payload + m->offset;
det_ctx->payload_offset = m->offset;
match = 1;
break;
}
@ -514,8 +514,8 @@ DoDetectContent(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signat
if (co->negated == 0) {
/* update pkt ptrs, this content run doesn't
* use this, but pcre does */
det_ctx->pkt_ptr = p->payload + m->offset;
det_ctx->pkt_off = m->offset;
//det_ctx->pkt_ptr = p->payload + m->offset;
det_ctx->payload_offset = m->offset;
match = 1;
break;
}
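Review bot: The three `//det_ctx->pkt_ptr = p->payload + m->offset;` lines in DoDetectContent are left as commented-out code, and the comments above them still say "update pkt ptrs ... but pcre does". If pcre and the other relative keywords now read `det_ctx->payload_offset`, delete the dead lines and reword the comment to `/* update payload_offset; this content run doesn't use it, but pcre does */`. If any consumer still reads `det_ctx->pkt_ptr`, it sees a stale pointer after this change, so that should be confirmed before the assignment is dropped. The function body continues outside these hunks.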

@ -8,7 +8,10 @@
#include "suricata-common.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-csum.h"
#include "util-unittest.h"
@ -228,7 +231,7 @@ int DetectIPV4CsumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
*
* \retval 0 on success, -1 on failure
*/
int DetectIPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
int DetectIPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused,
char *csum_str)
{
DetectCsumData *cd = NULL;
@ -253,7 +256,7 @@ int DetectIPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
sm->ctx = (void *)cd;
SigMatchAppend(s, m, sm);
SigMatchAppendPacket(s, sm);
return 0;
@ -325,7 +328,7 @@ int DetectTCPV4CsumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
*
* \retval 0 on success, -1 on failure
*/
int DetectTCPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
int DetectTCPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused,
char *csum_str)
{
DetectCsumData *cd = NULL;
@ -350,7 +353,7 @@ int DetectTCPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
sm->ctx = (void *)cd;
SigMatchAppend(s, m, sm);
SigMatchAppendPacket(s, sm);
return 0;
@ -422,7 +425,7 @@ int DetectTCPV6CsumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
*
* \retval 0 on success, -1 on failure
*/
int DetectTCPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
int DetectTCPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused,
char *csum_str)
{
DetectCsumData *cd = NULL;
@ -447,7 +450,7 @@ int DetectTCPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
sm->ctx = (void *)cd;
SigMatchAppend(s, m, sm);
SigMatchAppendPacket(s, sm);
return 0;
@ -519,7 +522,7 @@ int DetectUDPV4CsumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
*
* \retval 0 on success, -1 on failure
*/
int DetectUDPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
int DetectUDPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused,
char *csum_str)
{
DetectCsumData *cd = NULL;
@ -544,7 +547,7 @@ int DetectUDPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
sm->ctx = (void *)cd;
SigMatchAppend(s, m, sm);
SigMatchAppendPacket(s, sm);
return 0;
@ -616,7 +619,7 @@ int DetectUDPV6CsumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
*
* \retval 0 on success, -1 on failure
*/
int DetectUDPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
int DetectUDPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused,
char *csum_str)
{
DetectCsumData *cd = NULL;
@ -641,7 +644,7 @@ int DetectUDPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
sm->ctx = (void *)cd;
SigMatchAppend(s, m, sm);
SigMatchAppendPacket(s, sm);
return 0;
@ -712,7 +715,7 @@ int DetectICMPV4CsumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
*
* \retval 0 on success, -1 on failure
*/
int DetectICMPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
int DetectICMPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused,
char *csum_str)
{
DetectCsumData *cd = NULL;
@ -737,7 +740,7 @@ int DetectICMPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
sm->ctx = (void *)cd;
SigMatchAppend(s, m, sm);
SigMatchAppendPacket(s, sm);
return 0;
@ -808,7 +811,7 @@ int DetectICMPV6CsumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
*
* \retval 0 on success, -1 on failure
*/
int DetectICMPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
int DetectICMPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused,
char *csum_str)
{
DetectCsumData *cd = NULL;
@ -833,7 +836,7 @@ int DetectICMPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
sm->ctx = (void *)cd;
SigMatchAppend(s, m, sm);
SigMatchAppendPacket(s, sm);
return 0;

@ -3,8 +3,10 @@
*/
#include "suricata-common.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-dce-iface.h"
@ -315,7 +317,7 @@ int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
* \retval 0 on success, -1 on failure.
*/
int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused,
char *arg)
{
DetectDceIfaceData *did = NULL;
@ -335,7 +337,7 @@ int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
sm->type = DETECT_DCE_IFACE;
sm->ctx = (void *)did;
SigMatchAppend(s, m, sm);
SigMatchAppendAppLayer(s, sm);
return 0;

@ -3,8 +3,10 @@
*/
#include "suricata-common.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
@ -272,7 +274,7 @@ int DetectDceOpnumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
* \retval 0 on success, -1 on failure
*/
int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused,
char *arg)
{
DetectDceOpnumData *dod = NULL;
@ -292,7 +294,7 @@ int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
sm->type = DETECT_DCE_OPNUM;
sm->ctx = (void *)dod;
SigMatchAppend(s, m, sm);
SigMatchAppendAppLayer(s, sm);
return 0;

@ -3,8 +3,10 @@
*/
#include "suricata-common.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
@ -87,7 +89,7 @@ int DetectDceStubDataMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *
* \retval 0 on success, -1 on failure
*/
int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused,
char *arg)
{
SigMatch *sm = NULL;
@ -99,7 +101,7 @@ int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
sm->type = DETECT_DCE_STUB_DATA;
sm->ctx = NULL;
SigMatchAppend(s, m, sm);
SigMatchAppendAppLayer(s, sm);
return 0;

@ -7,6 +7,8 @@
#include "suricata.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "flow-var.h"
#include "decode-events.h"
@ -150,7 +152,7 @@ error:
* \retval 0 on Success
* \retval -1 on Failure
*/
int DetectDecodeEventSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr)
int DetectDecodeEventSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rawstr)
{
DetectDecodeEventData *de = NULL;
SigMatch *sm = NULL;
@ -166,7 +168,7 @@ int DetectDecodeEventSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
sm->type = DETECT_DECODE_EVENT;
sm->ctx = (void *)de;
SigMatchAppend(s,m,sm);
SigMatchAppendPacket(s, sm);
return 0;
error:

@ -7,7 +7,10 @@
#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "flow-var.h"
#include "detect-dsize.h"
@ -224,7 +227,7 @@ error:
* \retval 0 on Success
* \retval -1 on Failure
*/
int DetectDsizeSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr)
int DetectDsizeSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rawstr)
{
DetectDsizeData *dd = NULL;
SigMatch *sm = NULL;
@ -248,7 +251,7 @@ int DetectDsizeSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *
sm->type = DETECT_DSIZE;
sm->ctx = (void *)dd;
SigMatchAppend(s,m,sm);
SigMatchAppendPacket(s, sm);
/* tell the sig it has a dsize to speed up engine init */
s->flags |= SIG_FLAG_DSIZE;

@ -620,6 +620,7 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead
} else {
SCLogDebug("%"PRIu32" no scan pattern selected", s->id);
}
#if 0
/* add the rest of the patterns to the search ctx */
for (sm = s->pmatch ; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_CONTENT) {
@ -645,6 +646,7 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead
SCLogDebug("%"PRIu32" adding co->id %"PRIu32" to the search phase", s->id, co->id);
}
}
#endif
}
if (fast_pattern != NULL)
@ -696,7 +698,11 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
if (sm->type == DETECT_CONTENT) {
co_cnt++;
s->flags |= SIG_FLAG_MPM;
} else if (sm->type == DETECT_URICONTENT) {
}
}
for (sm = s->match; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_URICONTENT) {
ur_cnt++;
s->flags |= SIG_FLAG_MPM;
}
@ -781,7 +787,10 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
if (!content_added) {
content_added = 1;
}
} else if (sm->type == DETECT_URICONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) {
}
}
for (sm = s->match; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_URICONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) {
DetectUricontentData *ud = (DetectUricontentData *)sm->ctx;
if (ud->uricontent_len > uricontent_maxlen)
uricontent_maxlen = ud->uricontent_len;
@ -809,11 +818,6 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
if (content_minoffset > cd->offset)
content_minoffset = cd->offset;
}
} else if (sm->type == DETECT_URICONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) {
DetectUricontentData *ud = (DetectUricontentData *)sm->ctx;
if (ud->uricontent_len == uricontent_maxlen) {
/** \todo we don't support offset in uricontent */
}
}
}
//if (content_maxlen < 4 && content_cnt) printf(" (%" PRIu32 ", min %" PRIu32 ", max %" PRIu32 ")\n", content_cnt, content_minlen, content_maxlen);
@ -918,7 +922,10 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
if (content_minlen == 0) content_minlen = cd->content_len;
else if (cd->content_len < content_minlen)
content_minlen = cd->content_len;
} else if (sm->type == DETECT_URICONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) {
}
}
for (sm = s->match; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_URICONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) {
DetectUricontentData *ud = (DetectUricontentData *)sm->ctx;
if (ud->uricontent_len > uricontent_maxlen)
uricontent_maxlen = ud->uricontent_len;
@ -929,7 +936,7 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
}
}
char uricontent_scanadded = 0;
for (sm = s->pmatch; sm != NULL; sm = sm->next) {
for (sm = s->match; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_URICONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) {
DetectUricontentData *ud = (DetectUricontentData *)sm->ctx;
@ -944,12 +951,14 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
uricontent_scanadded = 1;
/* otherwise it's a 'search' pattern */
#if 0
} else {
if (ud->flags & DETECT_URICONTENT_NOCASE) {
mpm_table[sh->mpm_uri_ctx->mpm_type].AddPatternNocase(sh->mpm_uri_ctx, ud->uricontent, ud->uricontent_len, 0, 0, ud->id, s->num);
} else {
mpm_table[sh->mpm_uri_ctx->mpm_type].AddPattern(sh->mpm_uri_ctx, ud->uricontent, ud->uricontent_len, 0, 0, ud->id, s->num);
}
#endif
}
}
}
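Review bot: Both `#if 0` regions disable the registration of non-scan ("search") patterns with the mpm context, but nothing says why or what verifies those patterns now. The second region also opens in the middle of an if/else (`#if 0` sits directly before `} else {`), which leaves the "otherwise it's a 'search' pattern" comment dangling and makes the brace structure easy to break on a later edit. I would put a comment on each `#if 0`, for example `/* search-phase patterns are no longer added to the mpm; non-scan patterns are checked by the inspection code */`, or delete the disabled code. Whether the inspection path really covers every non-scan uricontent is not visible in these hunks and is worth confirming, since a signature with several uricontent patterns would otherwise be decided by its scan pattern alone.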

@ -67,9 +67,9 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx,
if (cd->flags & DETECT_CONTENT_DISTANCE ||
cd->flags & DETECT_CONTENT_WITHIN) {
SCLogDebug("det_ctx->pkt_off %"PRIu32, det_ctx->pkt_off);
SCLogDebug("det_ctx->payload_offset %"PRIu32, det_ctx->payload_offset);
offset = det_ctx->pkt_off;
offset = det_ctx->payload_offset;
depth = payload_len;
if (cd->flags & DETECT_CONTENT_DISTANCE) {
@ -82,17 +82,17 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx,
}
if (cd->flags & DETECT_CONTENT_WITHIN) {
if ((int32_t)depth > (int32_t)(det_ctx->pkt_off + cd->within)) {
depth = det_ctx->pkt_off + cd->within;
if ((int32_t)depth > (int32_t)(det_ctx->payload_offset + cd->within)) {
depth = det_ctx->payload_offset + cd->within;
}
SCLogDebug("cd->within %"PRIi32", det_ctx->pkt_off %"PRIu32", depth %"PRIu32,
cd->within, det_ctx->pkt_off, depth);
SCLogDebug("cd->within %"PRIi32", det_ctx->payload_offset %"PRIu32", depth %"PRIu32,
cd->within, det_ctx->payload_offset, depth);
}
if (cd->depth != 0) {
if ((cd->depth + det_ctx->pkt_off) < depth) {
depth = det_ctx->pkt_off + cd->depth;
if ((cd->depth + det_ctx->payload_offset) < depth) {
depth = det_ctx->payload_offset + cd->depth;
}
SCLogDebug("cd->depth %"PRIu32", depth %"PRIu32, cd->depth, depth);
@ -102,8 +102,6 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx,
offset = cd->offset;
SCLogDebug("setting offset %"PRIu32, offset);
}
//PrintRawDataFp(stdout,payload+offset,depth);
} else { /* implied no relative matches */
/* set depth */
if (cd->depth != 0) {
@ -112,18 +110,15 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx,
/* set offset */
offset = cd->offset;
//PrintRawDataFp(stdout,payload+offset,depth);
}
//BUG_ON(depth == 0);
SCLogDebug("offset %"PRIu32", depth %"PRIu32, offset, depth);
if (depth > payload_len)
depth = payload_len;
/* if offset is bigger than depth we can never match on a pattern.
* We can however, match on a negated pattern. */
* We can however, "match" on a negated pattern. */
if (offset > depth || depth == 0) {
if (cd->negated == 1) {
goto match;
@ -131,7 +126,6 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx,
SCReturnInt(0);
}
}
//BUG_ON(offset > depth);
uint8_t *spayload = payload + offset;
uint32_t spayload_len = depth - offset;
@ -141,8 +135,11 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx,
//PrintRawDataFp(stdout,cd->content,cd->content_len);
//PrintRawDataFp(stdout,spayload,spayload_len);
/* do the actual search */
found = BasicSearch(spayload, spayload_len, cd->content, cd->content_len);
/* next we evaluate the result in combination with the
* negation flag. */
SCLogDebug("found %p cd->negated %d", found, cd->negated);
if (found == NULL && cd->negated == 0) {
@ -150,17 +147,19 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx,
} else if (found == NULL && cd->negated == 1) {
goto match;
} else if (found != NULL && cd->negated == 1) {
#ifdef DEBUG
uint32_t match_offset = (uint32_t)((found - payload) + cd->content_len);
SCLogDebug("content %"PRIu32" matched at offset %"PRIu32", but negated so no match", cd->id, match_offset);
#endif
SCReturnInt(0);
} else {
uint32_t match_offset = (uint32_t)((found - payload) + cd->content_len);
SCLogDebug("content %"PRIu32" matched at offset %"PRIu32"", cd->id, match_offset);
det_ctx->pkt_off = match_offset;
det_ctx->payload_offset = match_offset;
if (cd->flags & DETECT_CONTENT_ISDATAAT_RELATIVE) {
if (det_ctx->pkt_off + cd->isdataat > payload_len) {
SCLogDebug("det_ctx->pkt_off + cd->isdataat %"PRIu32" > %"PRIu32, det_ctx->pkt_off + cd->isdataat, payload_len);
if (det_ctx->payload_offset + cd->isdataat > payload_len) {
SCLogDebug("det_ctx->payload_offset + cd->isdataat %"PRIu32" > %"PRIu32, det_ctx->payload_offset + cd->isdataat, payload_len);
SCReturnInt(0);
} else {
SCLogDebug("relative isdataat match");
@ -288,7 +287,7 @@ int DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx,
SCReturnInt(0);
}
det_ctx->pkt_off = 0;
det_ctx->payload_offset = 0;
r = DoInspectPacketPayload(de_ctx, det_ctx, s, s->pmatch, f, flags, alstate, p, p->payload, p->payload_len);
if (r == 1) {
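Review bot: In the `DETECT_CONTENT_WITHIN` branch of DoInspectPacketPayload, a negative `cd->within` that outweighs `det_ctx->payload_offset` makes `det_ctx->payload_offset + cd->within` negative, and that value is then assigned to `depth`. `depth` is logged with PRIu32, so it appears to be unsigned: the value would wrap to a large number and the later `if (depth > payload_len) depth = payload_len;` would widen the search to the whole payload instead of rejecting it. Computing the end once and clamping it would route that case into the existing `depth == 0` handling: `int32_t end = (int32_t)det_ctx->payload_offset + cd->within;` followed by `if ((int32_t)depth > end) depth = (end < 0) ? 0 : (uint32_t)end;`. Whether the parser allows a negative `within` is not visible here, and the function body continues outside the hunks.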

@ -7,7 +7,10 @@
#include "suricata-common.h"
#include "suricata.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "flow-var.h"
#include "decode-events.h"
@ -421,7 +424,7 @@ error:
* \retval 0 on Success
* \retval -1 on Failure
*/
static int DetectFlagsSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr)
static int DetectFlagsSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rawstr)
{
DetectFlagsData *de = NULL;
SigMatch *sm = NULL;
@ -437,7 +440,7 @@ static int DetectFlagsSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
sm->type = DETECT_FLAGS;
sm->ctx = (void *)de;
SigMatchAppend(s,m,sm);
SigMatchAppendPacket(s, sm);
return 0;
error:

@ -8,7 +8,9 @@
#include "suricata-common.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "flow.h"
#include "flow-var.h"
@ -255,7 +257,7 @@ error:
* \retval 0 on Success
* \retval -1 on Failure
*/
int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *flowstr)
int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *flowstr)
{
DetectFlowData *fd = NULL;
SigMatch *sm = NULL;
@ -274,7 +276,7 @@ int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *f
sm->type = DETECT_FLOW;
sm->ctx = (void *)fd;
SigMatchAppend(s,m,sm);
SigMatchAppendPacket(s, sm);
s->flags |= SIG_FLAG_FLOW;
return 0;

@ -133,7 +133,7 @@ int DetectFlowbitMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p
return 0;
}
int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr)
int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rawstr)
{
DetectFlowbitsData *cd = NULL;
SigMatch *sm = NULL;
@ -229,7 +229,7 @@ int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char
sm->type = DETECT_FLOWBITS;
sm->ctx = (void *)cd;
SigMatchAppend(s,m,sm);
SigMatchAppendPacket(s, sm);
return 0;

@ -331,7 +331,7 @@ error:
* \retval -1 if we find any problem
*/
int DetectFlowintSetup(DetectEngineCtx *de_ctx,
Signature *s, SigMatch *m, char *rawstr)
Signature *s, SigMatch *notused, char *rawstr)
{
DetectFlowintData *sfd = NULL;
SigMatch *sm = NULL;
@ -349,7 +349,7 @@ int DetectFlowintSetup(DetectEngineCtx *de_ctx,
sm->type = DETECT_FLOWINT;
sm->ctx =(void *) sfd;
SigMatchAppend(s, m, sm);
SigMatchAppendPacket(s, sm);
return 0;

@ -4,7 +4,10 @@
#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-content.h"
#include "threads.h"
#include "flow.h"
@ -79,7 +82,7 @@ int DetectFlowvarMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p
return ret;
}
int DetectFlowvarSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr)
int DetectFlowvarSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rawstr)
{
DetectFlowvarData *cd = NULL;
SigMatch *sm = NULL;
@ -213,7 +216,7 @@ int DetectFlowvarSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char
sm->type = DETECT_FLOWVAR;
sm->ctx = (void *)cd;
SigMatchAppend(s,m,sm);
SigMatchAppendPacket(s, sm);
if (dubbed) SCFree(str);
return 0;

@ -7,7 +7,10 @@
#include "suricata-common.h"
#include "suricata.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "flow-var.h"
#include "decode-events.h"
@ -252,7 +255,7 @@ error:
* \retval 0 on Success
* \retval -1 on Failure
*/
static int DetectFragBitsSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr)
static int DetectFragBitsSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rawstr)
{
DetectFragBitsData *de = NULL;
SigMatch *sm = NULL;
@ -268,7 +271,7 @@ static int DetectFragBitsSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch
sm->type = DETECT_FRAGBITS;
sm->ctx = (void *)de;
SigMatchAppend(s,m,sm);
SigMatchAppendPacket(s, sm);
return 0;
error:

@ -9,7 +9,9 @@
#include "decode.h"
#include "decode-ipv4.h"
#include "decode-ipv6.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-fragoffset.h"
@ -188,7 +190,7 @@ error:
* \retval 0 on Success
* \retval -1 on Failure
*/
int DetectFragOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *fragoffsetstr) {
int DetectFragOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *fragoffsetstr) {
DetectFragOffsetData *fragoff = NULL;
SigMatch *sm = NULL;
@ -201,7 +203,7 @@ int DetectFragOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, c
sm->type = DETECT_FRAGOFFSET;
sm->ctx = (void *)fragoff;
SigMatchAppend(s, m, sm);
SigMatchAppendPacket(s, sm);
return 0;

@ -219,8 +219,8 @@ int DetectFtpbounceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
* \retval 0 on Success
* \retval -1 on Failure
*/
int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
char *ftpbouncestr)
int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s,
SigMatch *notused, char *ftpbouncestr)
{
SigMatch *sm = NULL;
@ -244,7 +244,7 @@ int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
*/
sm->ctx = NULL;
SigMatchAppend(s, m, sm);
SigMatchAppendAppLayer(s, sm);
return 0;
}

@ -57,7 +57,7 @@ int DetectHttpCookieDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s,
SCEnter();
int ret = 0;
uint8_t i;
size_t idx;
SCMutexLock(&f->m);
SCLogDebug("got lock %p", &f->m);
@ -86,10 +86,10 @@ int DetectHttpCookieDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s,
htp_tx_t *tx = NULL;
for (i = htp_state->new_in_tx_index;
i < list_size(htp_state->connp->conn->transactions); i++)
for (idx = htp_state->new_in_tx_index;
idx < list_size(htp_state->connp->conn->transactions); idx++)
{
tx = list_get(htp_state->connp->conn->transactions, i);
tx = list_get(htp_state->connp->conn->transactions, idx);
if (tx == NULL)
continue;
@ -157,6 +157,9 @@ int DetectHttpCookieSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notu
DetectHttpCookieData *hd = NULL;
SigMatch *sm = NULL;
/** new sig match to replace previous content */
SigMatch *nm = NULL;
if (str != NULL && strcmp(str, "") != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_cookie shouldn't be supplied with"
" an argument");
@ -191,6 +194,12 @@ int DetectHttpCookieSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notu
return -1;
}
nm = SigMatchAlloc();
if (nm == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "SigMatchAlloc failed");
goto error;
}
/* Setup the HttpCookie data from Content data structure */
hd = SCMalloc(sizeof(DetectHttpCookieData));
if (hd == NULL) {
@ -207,14 +216,19 @@ int DetectHttpCookieSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notu
}
memcpy(hd->data, ((DetectContentData *)pm->ctx)->content, hd->data_len);
/* Okay we need to replace the type to HTTP_COOKIE from CONTENT */
SCFree(((DetectContentData *)pm->ctx)->content);
SCFree(pm->ctx);
pm->type = DETECT_AL_HTTP_COOKIE;
pm->ctx = (void *)hd;
nm->type = DETECT_AL_HTTP_COOKIE;
nm->ctx = (void *)hd;
/* pull the previous content from the pmatch list, append
* the new match to the match list */
SigMatchReplaceContent(s, pm, nm);
/* free the old content sigmatch */
DetectContentFree(pm->ctx);
SCFree(pm);
/* Flagged the signature as to scan the app layer data */
s->flags |=SIG_FLAG_APPLAYER;
s->flags |= SIG_FLAG_APPLAYER;
return 0;
error:
@ -300,17 +314,24 @@ int DetectHttpCookieTest03(void)
"http_cookie; content:\"two\"; http_cookie; "
"content:\"two\"; http_cookie; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
if (de_ctx->sig_list == NULL) {
printf("sig parse failed: ");
goto end;
}
result = 0;
sm = de_ctx->sig_list->pmatch;
sm = de_ctx->sig_list->match;
if (sm == NULL) {
printf("no sigmatch(es): ");
goto end;
}
while (sm != NULL) {
if (sm->type == DETECT_AL_HTTP_COOKIE) {
result = 1;
result = 1;
} else {
result = 0;
break;
printf("expected DETECT_AL_HTTP_COOKIE, got %d: ", sm->type);
goto end;
}
sm = sm->next;
}
@ -392,17 +413,17 @@ int DetectHttpCookieTest06(void)
Signature *s = de_ctx->sig_list;
BUG_ON(s->pmatch == NULL);
BUG_ON(s->match == NULL);
if (s->pmatch->type != DETECT_AL_HTTP_COOKIE)
if (s->match->type != DETECT_AL_HTTP_COOKIE)
goto end;
if (s->pmatch->next == NULL) {
if (s->match->next == NULL) {
printf("expected another SigMatch, got NULL: ");
goto end;
}
if (s->pmatch->next->type != DETECT_URICONTENT) {
if (s->match->next->type != DETECT_URICONTENT) {
goto end;
}
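Review bot: In DetectHttpCookieSetup the new `nm = SigMatchAlloc();` comes before the `hd` allocations, so every failure after it has to release `nm` as well. The body of the `error:` label is outside the hunk, so I cannot see whether it does. If it does not, each failed `SCMalloc` leaks a SigMatch during rule loading; adding `if (nm != NULL) SCFree(nm);` to the error path would close that. DetectHttpMethodSetup has the same ordering (`nm` allocated, then `data` and `data->content` with `goto error` on failure) and needs the same cleanup.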

@ -141,6 +141,8 @@ int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s,
DetectHttpMethodData *data = NULL;
SigMatch *sm = NULL;
bstr *method;
/** new sig match to replace previous content */
SigMatch *nm = NULL;
if ((str != NULL) && (strcmp(str, "") != 0)) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
@ -176,9 +178,15 @@ int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s,
SCReturnInt(-1);
}
/* Setup the new sigmatch */
nm = SigMatchAlloc();
if (nm == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "SigMatchAlloc failed");
goto error;
}
data = SCMalloc(sizeof(DetectHttpMethodData));
if (data == NULL) {
// XXX: Should we bother with an error - it may fail too?
SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc failed");
goto error;
}
@ -186,7 +194,6 @@ int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s,
data->content_len = ((DetectContentData *)pm->ctx)->content_len;
data->content = SCMalloc(data->content_len);
if (data->content == NULL) {
// XXX: Should we bother with an error - it may fail too?
SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc failed");
goto error;
}
@ -196,15 +203,21 @@ int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s,
method = bstr_memdup((char *)data->content, data->content_len);
/** \todo error check */
data->method = htp_convert_method_to_number(method);
bstr_free(method);
nm->type = DETECT_AL_HTTP_METHOD;
nm->ctx = (void *)data;
/* pull the previous content from the pmatch list, append
* the new match to the match list */
SigMatchReplaceContent(s, pm, nm);
/* Okay we need to replace the type to HTTP_METHOD from CONTENT */
SCFree(((DetectContentData *)pm->ctx)->content);
SCFree(pm->ctx);
pm->type = DETECT_AL_HTTP_METHOD;
pm->ctx = (void *)data;
/* free the old content sigmatch */
DetectContentFree(pm->ctx);
SCFree(pm);
/* Flagged the signature as to scan the app layer data */
s->flags |=SIG_FLAG_APPLAYER;
s->flags |= SIG_FLAG_APPLAYER;
SCReturnInt(0);

@ -10,7 +10,9 @@
#include "suricata-common.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-icmp-id.h"
@ -187,7 +189,7 @@ error:
* \retval 0 on Success
* \retval -1 on Failure
*/
int DetectIcmpIdSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *icmpidstr) {
int DetectIcmpIdSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *icmpidstr) {
DetectIcmpIdData *iid = NULL;
SigMatch *sm = NULL;
@ -200,7 +202,7 @@ int DetectIcmpIdSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char
sm->type = DETECT_ICMP_ID;
sm->ctx = (void *)iid;
SigMatchAppend(s, m, sm);
SigMatchAppendPacket(s, sm);
return 0;

@ -7,7 +7,9 @@
#include "suricata-common.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-icmp-seq.h"
@ -187,7 +189,7 @@ error:
* \retval 0 on Success
* \retval -1 on Failure
*/
int DetectIcmpSeqSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *icmpseqstr) {
int DetectIcmpSeqSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *icmpseqstr) {
DetectIcmpSeqData *iseq = NULL;
SigMatch *sm = NULL;
@ -200,7 +202,7 @@ int DetectIcmpSeqSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char
sm->type = DETECT_ICMP_SEQ;
sm->ctx = (void *)iseq;
SigMatchAppend(s, m, sm);
SigMatchAppendPacket(s, sm);
return 0;

@ -10,7 +10,9 @@
#include "suricata-common.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-icode.h"
@ -203,7 +205,7 @@ error:
* \retval 0 on Success
* \retval -1 on Failure
*/
int DetectICodeSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *icodestr) {
int DetectICodeSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *icodestr) {
DetectICodeData *icd = NULL;
SigMatch *sm = NULL;
@ -217,7 +219,7 @@ int DetectICodeSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *i
sm->type = DETECT_ICODE;
sm->ctx = (void *)icd;
SigMatchAppend(s, m, sm);
SigMatchAppendPacket(s, sm);
return 0;

@ -197,14 +197,15 @@ error:
* \retval 0 on Success
* \retval -1 on Failure
*/
int DetectIdSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
int DetectIdSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused,
char *idstr)
{
DetectIdData *id_d = NULL;
SigMatch *sm = NULL;
id_d = DetectIdParse(idstr);
if (id_d == NULL) goto error;
if (id_d == NULL)
goto error;
/* Okay so far so good, lets get this into a SigMatch
* and put it in the Signature. */
@ -215,7 +216,7 @@ int DetectIdSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
sm->type = DETECT_ID;
sm->ctx = (void *)id_d;
SigMatchAppend(s,m,sm);
SigMatchAppendPacket(s, sm);
return 0;

@ -7,7 +7,10 @@
#include "suricata-common.h"
#include "suricata.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "flow-var.h"
#include "decode-events.h"
@ -165,7 +168,7 @@ error:
* \retval 0 on Success
* \retval -1 on Failure
*/
int DetectIpOptsSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr)
int DetectIpOptsSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rawstr)
{
DetectIpOptsData *de = NULL;
SigMatch *sm = NULL;
@ -181,7 +184,7 @@ int DetectIpOptsSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char
sm->type = DETECT_IPOPTS;
sm->ctx = (void *)de;
SigMatchAppend(s,m,sm);
SigMatchAppendPacket(s, sm);
return 0;
error:

@ -10,7 +10,9 @@
#include "suricata-common.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-itype.h"
@ -203,7 +205,7 @@ error:
* \retval 0 on Success
* \retval -1 on Failure
*/
int DetectITypeSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *itypestr) {
int DetectITypeSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *itypestr) {
DetectITypeData *itd = NULL;
SigMatch *sm = NULL;
@ -217,7 +219,7 @@ int DetectITypeSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *i
sm->type = DETECT_ITYPE;
sm->ctx = (void *)itd;
SigMatchAppend(s,m,sm);
SigMatchAppendPacket(s, sm);
return 0;

@ -33,9 +33,6 @@ static pcre *option_pcre = NULL;
static pcre_extra *config_pcre_extra = NULL;
static pcre_extra *option_pcre_extra = NULL;
/* XXX this should be part of the DE */
//static uint32_t signum = 0;
static uint32_t dbg_srcportany_cnt = 0;
static uint32_t dbg_dstportany_cnt = 0;
@ -124,21 +121,58 @@ void SigMatchAppendPayload(Signature *s, SigMatch *new) {
}
}
/* Append 'new' SigMatch to the current Signature. If present
* append it to Sigmatch 'm', otherwise place it in the root.
/** \brief Append a sig match to the signatures non-payload match list
*
* \param s signature
* \param new sigmatch to append
*/
void SigMatchAppend(Signature *s, SigMatch *m, SigMatch *new) {
//printf("s:%p,m:%p,new:%p\n", s,m,new);
void SigMatchAppendPacket(Signature *s, SigMatch *new) {
if (s->match == NULL) {
s->match = new;
s->match_tail = new;
new->next = NULL;
} else {
SigMatch *cur = s->match;
if (m == NULL)
m = s->match;
for ( ; cur->next != NULL; cur = cur->next);
if (s->match == NULL)
s->match = new;
else {
m->next = new;
new->prev = m;
cur->next = new;
new->next = NULL;
new->prev = cur;
s->match_tail = new;
}
}
/** \brief Pull a content 'old' from the pmatch list, append 'new' to match list.
* Used for replacing contents that have http_cookie, etc modifiers.
*/
void SigMatchReplaceContent(Signature *s, SigMatch *old, SigMatch *new) {
if (old == NULL) {
return SigMatchAppendAppLayer(s, new);
}
SigMatch *m = s->pmatch;
SigMatch *pm = m;
for ( ; m != NULL; m = m->next) {
if (m == old) {
if (m == s->pmatch) {
s->pmatch = m->next;
} else {
pm->next = m->next;
}
if (m == s->pmatch_tail) {
s->pmatch_tail = pm;
}
break;
}
pm = m;
}
SigMatchAppendAppLayer(s, new);
}
/**
@ -655,7 +689,10 @@ Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) {
if (cd->negated == 1) {
sig->flags |= SIG_FLAG_MPM_NEGCONTENT;
}
} else if (sm->type == DETECT_URICONTENT) {
}
}
for (sm = sig->match; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_URICONTENT) {
DetectUricontentData *ud = (DetectUricontentData *)sm->ctx;
if (ud == NULL)
continue;
@ -679,7 +716,11 @@ Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) {
sig->mpm_content_maxlen = cd->content_len;
if (sig->mpm_content_maxlen < cd->content_len)
sig->mpm_content_maxlen = cd->content_len;
} else if (sm->type == DETECT_URICONTENT) {
}
}
for (sm = sig->match; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_URICONTENT) {
DetectUricontentData *ud = (DetectUricontentData *)sm->ctx;
if (sig->mpm_uricontent_maxlen == 0)
sig->mpm_uricontent_maxlen = ud->uricontent_len;
@ -764,7 +805,11 @@ Signature *SigInitReal(DetectEngineCtx *de_ctx, char *sigstr) {
if (cd->negated == 1) {
sig->flags |= SIG_FLAG_MPM_NEGCONTENT;
}
} else if (sm->type == DETECT_URICONTENT) {
}
}
for (sm = sig->match; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_URICONTENT) {
DetectUricontentData *ud = (DetectUricontentData *)sm->ctx;
if (ud == NULL)
continue;
@ -788,7 +833,11 @@ Signature *SigInitReal(DetectEngineCtx *de_ctx, char *sigstr) {
sig->mpm_content_maxlen = cd->content_len;
if (sig->mpm_content_maxlen < cd->content_len)
sig->mpm_content_maxlen = cd->content_len;
} else if (sm->type == DETECT_URICONTENT) {
}
}
for (sm = sig->match; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_URICONTENT) {
DetectUricontentData *ud = (DetectUricontentData *)sm->ctx;
if (sig->mpm_uricontent_maxlen == 0)
sig->mpm_uricontent_maxlen = ud->uricontent_len;
@ -819,7 +868,7 @@ Signature *SigInitReal(DetectEngineCtx *de_ctx, char *sigstr) {
sig->next->mpm_uricontent_maxlen = 0;
SigMatch *sm;
for (sm = sig->next->match; sm != NULL; sm = sm->next) {
for (sm = sig->next->pmatch; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_CONTENT) {
DetectContentData *cd = (DetectContentData *)sm->ctx;
@ -827,7 +876,10 @@ Signature *SigInitReal(DetectEngineCtx *de_ctx, char *sigstr) {
sig->next->mpm_content_maxlen = cd->content_len;
if (sig->next->mpm_content_maxlen < cd->content_len)
sig->next->mpm_content_maxlen = cd->content_len;
} else if (sm->type == DETECT_URICONTENT) {
}
}
for (sm = sig->next->match; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_URICONTENT) {
DetectUricontentData *ud = (DetectUricontentData *)sm->ctx;
if (sig->next->mpm_uricontent_maxlen == 0)
sig->next->mpm_uricontent_maxlen = ud->uricontent_len;
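Review bot: In SigMatchReplaceContent, removing `old` when it is the only entry on the pmatch list leaves `s->pmatch_tail` pointing at the removed node, because `pm` still equals `m` on the first iteration when `s->pmatch_tail = pm;` runs. The http_method setup shown on this page appears to free that node right after the call, so the tail would dangle while rules are being loaded. The unlink also never updates `m->next->prev`, so the successor keeps a back pointer to `old`. I would add `if (m->next != NULL) m->next->prev = (pm == m) ? NULL : pm;` and change the tail update to `s->pmatch_tail = (pm == m) ? NULL : pm;`. The `return` in front of the void call in the `old == NULL` branch should become a plain call followed by `return;`.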

@ -25,7 +25,14 @@ SigMatch *SigMatchGetLastSM(Signature *, uint8_t);
void SigParsePrepare(void);
void SigParseRegisterTests(void);
Signature *DetectEngineAppendSig(DetectEngineCtx *, char *);
void SigMatchReplace(Signature *, SigMatch *, SigMatch *);
void SigMatchAppendPayload(Signature *s, SigMatch *);
void SigMatchReplaceContent(Signature *, SigMatch *, SigMatch *);
void SigMatchAppendPayload(Signature *, SigMatch *);
void SigMatchAppendPacket(Signature *, SigMatch *);
/** for now we have one list for app layer and packet matches */
#define SigMatchAppendAppLayer SigMatchAppendPacket
#endif /* __DETECT_PARSE_H__ */

@ -257,11 +257,11 @@ int DetectPcreDoMatch(DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, S
SCReturnInt(0);
if (s->flags & SIG_FLAG_RECURSIVE) {
ptr = det_ctx->pkt_ptr ? det_ctx->pkt_ptr : p->payload;
len = p->payload_len - det_ctx->pkt_off;
ptr = p->payload + det_ctx->payload_offset;
len = p->payload_len - det_ctx->payload_offset;
} else if (pe->flags & DETECT_PCRE_RELATIVE) {
ptr = det_ctx->pkt_ptr;
len = p->payload_len - det_ctx->pkt_off;
ptr = p->payload + det_ctx->payload_offset;
len = p->payload_len - det_ctx->payload_offset;
if (ptr == NULL || len == 0)
SCReturnInt(0);
} else {
@ -298,10 +298,8 @@ int DetectPcreDoMatch(DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, S
}
}
}
/* update ptrs for pcre RELATIVE */
det_ctx->pkt_ptr = ptr+ov[1];
det_ctx->pkt_off = (ptr+ov[1]) - p->payload;
//printf("DetectPcre: post match: t->pkt_ptr %p t->pkt_off %" PRIu32 "\n", t->pkt_ptr, t->pkt_off);
/* update offset for pcre RELATIVE */
det_ctx->payload_offset = (ptr+ov[1]) - p->payload;
ret = 1;
}
@ -581,9 +579,12 @@ int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, c
SCLogDebug("Body inspection modifier set");
s->flags |= SIG_FLAG_APPLAYER;
pcre_need_htp_request_body = 1;
SigMatchAppendAppLayer(s, sm);
} else {
SigMatchAppendPayload(s, sm);
}
SigMatchAppendPayload(s,sm);
return 0;
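Review bot: The recursive and relative branches of DetectPcreDoMatch now compute `len = p->payload_len - det_ctx->payload_offset`, and nothing in the hunk checks that the offset lies within the payload, so an offset larger than the payload length would wrap or go negative (the type of `len` is not visible here) and the match could read past the packet data. The `ptr == NULL` test that follows no longer guards what it used to, since `p->payload + det_ctx->payload_offset` is non-NULL for any non-zero offset. A check before the arithmetic would cover both branches: `if (p->payload == NULL || det_ctx->payload_offset >= p->payload_len) SCReturnInt(0);`. The recursive branch may instead want to fall back to offset 0, as the old code fell back to `p->payload`. The function body starts and ends outside the hunks shown.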

@ -4,7 +4,10 @@
#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "threads.h"
#include "pkt-var.h"
#include "detect-pktvar.h"
@ -72,7 +75,7 @@ int DetectPktvarMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p,
return ret;
}
int DetectPktvarSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr)
int DetectPktvarSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rawstr)
{
DetectPktvarData *cd = NULL;
SigMatch *sm = NULL;
@ -206,7 +209,7 @@ int DetectPktvarSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char
sm->type = DETECT_PKTVAR;
sm->ctx = (void *)cd;
SigMatchAppend(s,m,sm);
SigMatchAppendPacket(s, sm);
if (dubbed) SCFree(str);
return 0;

@ -250,7 +250,7 @@ error:
* \retval 0 on Success
* \retval -1 on Failure
*/
int DetectRpcSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rpcstr)
int DetectRpcSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rpcstr)
{
DetectRpcData *rd = NULL;
SigMatch *sm = NULL;
@ -265,7 +265,7 @@ int DetectRpcSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rp
sm->type = DETECT_RPC;
sm->ctx = (void *)rd;
SigMatchAppend(s,m,sm);
SigMatchAppendPacket(s, sm);
return 0;

@ -70,12 +70,10 @@ static int DetectSameipMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
* \retval -1 on Failure
*/
static int DetectSameipSetup(DetectEngineCtx *de_ctx, Signature *s,
SigMatch *m, char *optstr)
SigMatch *notused, char *optstr)
{
SigMatch *sm = NULL;
// printf("DetectSameipSetup: \'%s\'\n", optstr);
/* Get this into a SigMatch and put it in the Signature. */
sm = SigMatchAlloc();
if (sm == NULL)
@ -84,7 +82,7 @@ static int DetectSameipSetup(DetectEngineCtx *de_ctx, Signature *s,
sm->type = DETECT_SAMEIP;
sm->ctx = NULL;
SigMatchAppend(s, m, sm);
SigMatchAppendPacket(s, sm);
return 0;

@ -77,7 +77,7 @@ static int DetectSeqMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
* \retval -1 on Failure
*/
static int DetectSeqSetup (DetectEngineCtx *de_ctx, Signature *s,
SigMatch *m, char *optstr)
SigMatch *notused, char *optstr)
{
DetectSeqData *data;
SigMatch *sm = NULL;
@ -102,7 +102,7 @@ static int DetectSeqSetup (DetectEngineCtx *de_ctx, Signature *s,
}
sm->ctx = data;
SigMatchAppend(s, m, sm);
SigMatchAppendPacket(s, sm);
return 0;

@ -8,7 +8,10 @@
#include "suricata-common.h"
#include "stream-tcp.h"
#include "util-unittest.h"
#include "detect.h"
#include "detect-parse.h"
#include "flow.h"
#include "detect-stream_size.h"
#include "stream-tcp-private.h"
@ -294,7 +297,7 @@ error:
* \retval 0 on Success
* \retval -1 on Failure
*/
int DetectStreamSizeSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *streamstr) {
int DetectStreamSizeSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *streamstr) {
DetectStreamSizeData *sd = NULL;
SigMatch *sm = NULL;
@ -310,7 +313,7 @@ int DetectStreamSizeSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, c
sm->type = DETECT_STREAM_SIZE;
sm->ctx = (void *)sd;
SigMatchAppend(s,m,sm);
SigMatchAppendPacket(s, sm);
return 0;

@ -7,7 +7,10 @@
#include "suricata-common.h"
#include "suricata.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "flow-var.h"
#include "decode-events.h"
#include "stream-tcp.h"
@ -185,7 +188,7 @@ error:
* \retval 0 on Success
* \retval -1 on Failure
*/
static int DetectThresholdSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr)
static int DetectThresholdSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rawstr)
{
DetectThresholdData *de = NULL;
SigMatch *sm = NULL;
@ -201,7 +204,7 @@ static int DetectThresholdSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch
sm->type = DETECT_THRESHOLD;
sm->ctx = (void *)de;
SigMatchAppend(s,m,sm);
SigMatchAppendPacket(s, sm);
return 0;

@ -9,9 +9,10 @@
#include "threads.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
@ -206,7 +207,7 @@ error:
* \retval 0 on Success
* \retval -1 on Failure
*/
int DetectTlsVersionSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *str)
int DetectTlsVersionSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *str)
{
DetectTlsVersionData *tls = NULL;
SigMatch *sm = NULL;
@ -223,7 +224,7 @@ int DetectTlsVersionSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, c
sm->type = DETECT_AL_TLS_VERSION;
sm->ctx = (void *)tls;
SigMatchAppend(s,m,sm);
SigMatchAppendAppLayer(s, sm);
return 0;
error:

@ -8,7 +8,10 @@
#include "suricata-common.h"
#include "stream-tcp.h"
#include "util-unittest.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-ttl.h"
#include "util-debug.h"
@ -223,7 +226,7 @@ error:
* \retval 0 on Success
* \retval -1 on Failure
*/
int DetectTtlSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *ttlstr) {
int DetectTtlSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *ttlstr) {
DetectTtlData *ttld = NULL;
SigMatch *sm = NULL;
@ -239,7 +242,7 @@ int DetectTtlSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *tt
sm->type = DETECT_TTL;
sm->ctx = (void *)ttld;
SigMatchAppend(s,m,sm);
SigMatchAppendPacket(s, sm);
return 0;

@ -33,6 +33,7 @@
#include "util-debug.h"
#include "util-unittest.h"
#include "util-binsearch.h"
#include "util-spm.h"
/* prototypes */
int DetectUricontentMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *,
@ -171,10 +172,8 @@ static inline int DoDetectUricontent(ThreadVars *t, DetectEngineThreadCtx *det_c
if (TestOffsetDepth(m, co) == 1) {
ret = TestWithinDistanceOffsetDepth(t, det_ctx, m, sm->next);
if (ret == 1) {
/* update pkt ptrs, content doesn't use this,
* but pcre does */
det_ctx->pkt_ptr = p->payload + m->offset;
det_ctx->pkt_off = m->offset;
/* update payload offset */
det_ctx->payload_offset = m->offset;
match = 1;
break;
}
@ -202,10 +201,8 @@ static inline int DoDetectUricontent(ThreadVars *t, DetectEngineThreadCtx *det_c
for (; m != NULL; m = m->next) {
ret = TestOffsetDepth(m,co);
if (ret == 1) {
/* update pkt ptrs, content doesn't use this,
* but pcre does */
det_ctx->pkt_ptr = p->payload + m->offset;
det_ctx->pkt_off = m->offset;
/* update payload offset */
det_ctx->payload_offset = m->offset;
match = 1;
break;
}
@ -434,8 +431,9 @@ int DetectUricontentSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notu
sm->type = DETECT_URICONTENT;
sm->ctx = (void *)cd;
SigMatchAppendPayload(s,sm);
SigMatchAppendAppLayer(s, sm);
/** \todo use unique id here as well */
cd->id = de_ctx->uricontent_max_id;
de_ctx->uricontent_max_id++;
@ -487,6 +485,7 @@ int DoDetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_
SCLogDebug("post scan: cnt %" PRIu32 ", searchable %" PRIu32 "",
ret, det_ctx->pmq.searchable);
/*
if (det_ctx->pmq.searchable > 0) {
if (det_ctx->sgh->mpm_uricontent_maxlen == 1) det_ctx->pkts_uri_searched1++;
else if (det_ctx->sgh->mpm_uricontent_maxlen == 2) det_ctx->pkts_uri_searched2++;
@ -497,6 +496,7 @@ int DoDetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_
ret += UriPatternMatch(tv, det_ctx, uri, uri_len);
}
*/
det_ctx->pmq.searchable = 0;
}
return ret;
@ -524,6 +524,8 @@ int DetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_ct
{
SCEnter();
int res = 0;
size_t idx = 0;
htp_tx_t *tx = NULL;
/* if we don't have a uri, don't bother scanning */
if (det_ctx->de_have_httpuri == FALSE) {
@ -531,27 +533,63 @@ int DetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_ct
SCReturnInt(0);
}
/* we're locking the flow as we'll be accessing the HTP state */
SCMutexLock(&f->m);
DetectUricontentData *co = (DetectUricontentData *)sm->ctx;
if (det_ctx->mtcu.match[co->id].len > 0) {
SCLogDebug("Match has been found in the received request and "
"signature s->id %"PRIu32"", s->id);
res = 1;
} else {
if (co == NULL)
goto end;
SCLogDebug("co->id %"PRIu32, co->id);
HtpState *htp_state = (HtpState *)state;
if (htp_state == NULL) {
SCLogDebug("no HTTP state");
goto end;
}
for (idx = htp_state->new_in_tx_index;
idx < list_size(htp_state->connp->conn->transactions); idx++)
{
tx = list_get(htp_state->connp->conn->transactions, idx);
if (tx == NULL || tx->request_uri_normalized == NULL)
continue;
/* Search for the pattern in each uri. Bail out on the first match */
if ((BasicSearch((uint8_t *) bstr_ptr(tx->request_uri_normalized),
bstr_len(tx->request_uri_normalized),
co->uricontent, co->uricontent_len)) != NULL) {
SCLogDebug("Match has been found in the received request and "
"signature s->id %"PRIu32"", s->id);
res = 1;
break;
}
}
if (res == 0) {
SCLogDebug("We don't have app layer URI match");
res = 0;
}
end:
SCMutexUnlock(&f->m);
SCReturnInt(res);
}
/** \brief Run the pattern matcher against the uri(s)
*
* We run against _all_ uri(s) we have as the pattern matcher will
* flag each sig that has a match. We need to do this for all uri(s)
* to not miss possible events.
*
* \warning Make sure the flow/state is locked
* \todo what should we return? Just the fact that we matched?
*/
uint32_t DetectUricontentInspectMpm(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, void *alstate) {
SCEnter();
uint32_t cnt = 0;
uint8_t i;
size_t idx = 0;
htp_tx_t *tx = NULL;
HtpState *htp_state = (HtpState *)alstate;
if (htp_state == NULL) {
@ -559,12 +597,10 @@ uint32_t DetectUricontentInspectMpm(ThreadVars *tv, DetectEngineThreadCtx *det_c
SCReturnUInt(0U);
}
htp_tx_t *tx = NULL;
for (i = htp_state->new_in_tx_index;
i < list_size(htp_state->connp->conn->transactions); i++)
for (idx = htp_state->new_in_tx_index;
idx < list_size(htp_state->connp->conn->transactions); idx++)
{
tx = list_get(htp_state->connp->conn->transactions, i);
tx = list_get(htp_state->connp->conn->transactions, idx);
if (tx == NULL || tx->request_uri_normalized == NULL)
continue;
@ -876,7 +912,7 @@ int DetectUriSigTest01(void)
BUG_ON(de_ctx->sig_list == NULL);
sm = de_ctx->sig_list->pmatch;
sm = de_ctx->sig_list->match;
if (sm->type == DETECT_URICONTENT) {
result = 1;
} else {
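Review bot: DetectAppLayerUricontentMatch checks `htp_state` for NULL but then dereferences `htp_state->connp->conn->transactions` in the loop header without checking `connp` or `conn`. Whether either can be NULL for a flow whose HTTP state exists cannot be seen from this hunk, so I would add `if (htp_state->connp == NULL || htp_state->connp->conn == NULL) goto end;` after the state check. The same pointer chain is walked in DetectUricontentInspectMpm. The block disabled with `/* ... */` in DoDetectAppLayerUricontentMatch should either be removed or get a one-line comment saying why the search pass is switched off.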

@ -9,7 +9,10 @@
#include "app-layer-protos.h"
#include "app-layer-htp.h"
#include "util-unittest.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-urilen.h"
#include "util-debug.h"
#include "util-byte.h"
@ -264,7 +267,7 @@ error:
* \retval 0 on Success
* \retval -1 on Failure
*/
int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused,
char *urilenstr)
{
SCEnter();
@ -282,10 +285,10 @@ int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m,
sm->type = DETECT_AL_URILEN;
sm->ctx = (void *)urilend;
SigMatchAppend(s,m,sm);
SigMatchAppendAppLayer(s, sm);
/* Flagged the signature as to scan the app layer data */
s->flags |=SIG_FLAG_APPLAYER;
s->flags |= SIG_FLAG_APPLAYER;
SCReturnInt(0);

@ -8,7 +8,9 @@
#include "suricata-common.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-window.h"
#include "flow.h"
@ -179,7 +181,7 @@ error:
* \retval 0 on Success
* \retval -1 on Failure
*/
int DetectWindowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *windowstr)
int DetectWindowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *windowstr)
{
DetectWindowData *wd = NULL;
SigMatch *sm = NULL;
@ -196,7 +198,7 @@ int DetectWindowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char
sm->type = DETECT_WINDOW;
sm->ctx = (void *)wd;
SigMatchAppend(s,m,sm);
SigMatchAppendPacket(s, sm);
return 0;

@ -197,7 +197,7 @@ void DetectExitPrintStats(ThreadVars *tv, void *data) {
(float)(det_ctx->pkts_uri_searched/(float)(det_ctx->uris)*100),
(float)(det_ctx->pkts_uri_searched/(float)(det_ctx->pkts_uri_scanned)*100));
SCLogInfo("%"PRIu64" sigs per scan match on avg needed inspection, total scans %"PRIu64", less than 25 sigs need inspect %"PRIu64", more than 100 sigs need inspect %"PRIu64", more than 1000 %"PRIu64" max %"PRIu64"", det_ctx->scans_sigs / det_ctx->scans_match, det_ctx->scans_match, det_ctx->scans_sigsmin25, det_ctx->scans_sigsplus100, det_ctx->scans_sigsplus1000, det_ctx->scans_sigsmax);
SCLogInfo("%"PRIu64" sigs per scan match on avg needed inspection, total scans %"PRIu64", less than 25 sigs need inspect %"PRIu64", more than 100 sigs need inspect %"PRIu64", more than 1000 %"PRIu64" max %"PRIu64"", det_ctx->scans_match ? det_ctx->scans_sigs / det_ctx->scans_match : 0, det_ctx->scans_match, det_ctx->scans_sigsmin25, det_ctx->scans_sigsplus100, det_ctx->scans_sigsplus1000, det_ctx->scans_sigsmax);
}
/** \brief Create the path if default-rule-path was specified
@ -612,11 +612,15 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
SCMutexUnlock(&p->flow->m);
/* only consider uri sigs if we've seen at least one match */
/** \warn when we start supporting negated uri content matches
/** \warning when we start supporting negated uri content matches
* we need to update this check as well */
if (cnt > 0) {
det_ctx->de_have_httpuri = TRUE;
}
SCLogDebug("uricontent cnt %"PRIu32"", cnt);
} else {
SCLogDebug("no uri inspection: have uri %s", det_ctx->sgh->flags & SIG_GROUP_HAVEURICONTENT ? "true":"false");
}
/* inspect the sigs against the packet */
@ -643,8 +647,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
continue;
}
//printf("idx %" PRIu32 ", det_ctx->pmq.sig_id_array_cnt %" PRIu32 ", s->id %" PRIu32 " (MPM? %s)\n", idx, det_ctx->pmq.sig_id_array_cnt, s->id, s->flags & SIG_FLAG_MPM ? "TRUE":"FALSE");
//printf("Sig %" PRIu32 "\n", s->id);
/* check the source & dst port in the sig */
if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP) {
if (!(s->flags & SIG_FLAG_DP_ANY)) {
@ -680,11 +682,12 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
}
}
/** we can't check the mpm flags if we do app layer inspection here as well */
//if (s->flags & SIG_FLAG_MPM) {
if (s->pmatch != NULL && DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1)
continue;
//}
/* Check the payload keywords. If we are a MPM sig and we've made
* to here, we've had at least one of the patterns match */
if (s->pmatch != NULL) {
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1)
continue;
}
/* if we get here but have no sigmatches to match against,
* we consider the sig matched. */
@ -698,9 +701,8 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
p->action |= s->action;
}
} else {
/* reset pkt ptr and offset */
det_ctx->pkt_ptr = NULL;
det_ctx->pkt_off = 0;
/* reset offset */
det_ctx->payload_offset = 0;
/* new signature, so reset indicator of checking distance and within */
det_ctx->de_checking_distancewithin = 0;

@ -160,7 +160,7 @@ typedef struct Signature_ {
uint8_t nchunk_groups; /**< Internal chunk grp id (for splitted patterns) */
char *msg;
/* classification message */
/** classification message */
char *class_msg;
/** addresses, ports and proto this sig matches on */
@ -170,8 +170,9 @@ typedef struct Signature_ {
/** ptr to the SigMatch list */
struct SigMatch_ *match; /* non-payload matches */
struct SigMatch_ *match_tail; /* non-payload matches, tail of the list */
struct SigMatch_ *pmatch; /* payload matches */
struct SigMatch_ *pmatch_tail; /* payload matches */
struct SigMatch_ *pmatch_tail; /* payload matches, tail of the list */
/** ptr to the next sig in the list */
struct Signature_ *next;
@ -346,9 +347,12 @@ enum {
*/
typedef struct DetectionEngineThreadCtx_ {
/* detection engine variables */
/** \todo rename & comment */
uint8_t *pkt_ptr; /* ptr to the current position in the pkt */
uint32_t pkt_off;
/** offset into the payload of the last match by:
* content, pcre, etc */
uint32_t payload_offset;
/** recursive counter */
uint8_t pkt_cnt;
char de_checking_distancewithin;
@ -577,7 +581,6 @@ SigTableElmt sigmatch_table[DETECT_TBLSIZE];
/* detection api */
SigMatch *SigMatchAlloc(void);
void SigMatchAppend(Signature *, SigMatch *, SigMatch *);
void SigCleanSignatures(DetectEngineCtx *);
void SigTableRegisterTests(void);
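Review bot: The new comment on `payload_offset` does not say which position is stored, and the writers on this page differ. pcre stores the end of the match (`(ptr+ov[1]) - p->payload`), while uricontent stores `m->offset`, which looks like an offset of a uri match rather than a position in the packet payload. Relative keywords add this value to `p->payload`, so the field comment should state the contract, for example `/** offset into the payload at which the next relative match starts; pcre sets it to the end of its match, uricontent currently stores its match offset here too */`.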
