Ack/Seq Keywords part 2

remotes/origin/master-1.0.x
Brian Rectanus 17 years ago committed by Victor Julien
parent ed30067bd7
commit b796541e57

@ -52,14 +52,14 @@ void DetectAckRegister(void) {
static int DetectAckMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Packet *p, Signature *s, SigMatch *m)
{
uint32_t *data = (uint32_t *)m->ctx;
DetectAckData *data = (DetectAckData *)m->ctx;
/* This is only needed on TCP packets */
if (IPPROTO_TCP != p->proto) {
return 0;
}
return (*data == TCP_GET_ACK(p)) ? 1 : 0;
return (data->ack == TCP_GET_ACK(p)) ? 1 : 0;
}
/**
@ -77,12 +77,12 @@ static int DetectAckMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
static int DetectAckSetup(DetectEngineCtx *de_ctx, Signature *s,
SigMatch *m, char *optstr)
{
uint32_t *data = malloc(sizeof(uint32_t));
DetectAckData *data = malloc(sizeof(DetectAckData));
SigMatch *sm = NULL;
//printf("DetectAckSetup: \'%s\'\n", optstr);
data = malloc(sizeof(uint32_t));
data = malloc(sizeof(DetectAckData));
if (data == NULL) {
printf("DetectAckSetup: malloc failed\n");
goto error;
@ -95,10 +95,10 @@ static int DetectAckSetup(DetectEngineCtx *de_ctx, Signature *s,
sm->type = DETECT_ACK;
if (-1 == ByteExtractStringUint32(data, 10, 0, optstr)) {
if (-1 == ByteExtractStringUint32(&data->ack, 10, 0, optstr)) {
goto error;
}
sm->ctx = (void *)data;
sm->ctx = data;
SigMatchAppend(s, m, sm);
@ -118,7 +118,7 @@ error:
*/
static void DetectAckFree(void *ptr)
{
uint32_t *data = (uint32_t *)ptr;
DetectAckData *data = (DetectAckData *)ptr;
free(data);
}
@ -194,35 +194,35 @@ static int DetectAckSigTest01Real(int mpm_type)
"(msg:\"Testing ack\";ack:foo;sid:1;)") != NULL)
{
printf("invalid ack accepted: ");
goto end;
goto cleanup_engine;
}
if (SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing ack\";ack:9999999999;sid:1;)") != NULL)
{
printf("overflowing ack accepted: ");
goto end;
goto cleanup_engine;
}
if (SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing ack\";ack:-100;sid:1;)") != NULL)
{
printf("negative ack accepted: ");
goto end;
goto cleanup_engine;
}
de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing ack\";sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
goto cleanup_engine;
}
de_ctx->sig_list->next = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing ack\";ack:42;sid:2;)");
if (de_ctx->sig_list->next == NULL) {
goto end;
goto cleanup_engine;
}
SigGroupBuild(de_ctx);
@ -267,6 +267,8 @@ cleanup:
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
PatternMatchDestroy(mpm_ctx);
cleanup_engine:
DetectEngineCtxFree(de_ctx);
end:
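Review bot: DetectAckSetup, as rendered here, allocates `data` twice: once in the declaration `DetectAckData *data = malloc(sizeof(DetectAckData));` and again in the later `data = malloc(sizeof(DetectAckData));`. The first block is overwritten without being freed or checked, so it leaks on every rule that uses the keyword. The commit carries this pattern over from the old `uint32_t` code rather than removing it; declaring `DetectAckData *data = NULL;` and keeping only the checked allocation would close it. DetectSeqSetup in the seq section has the same pair of allocations. The function body continues outside the hunks shown, so its error path is not visible here.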

@ -1,6 +1,13 @@
#ifndef __DETECT_ACK_H__
#define __DETECT_ACK_H__
/**
* \brief ack data
*/
typedef struct DetectAckData_ {
uint32_t ack; /**< ack to match */
} DetectAckData;
/**
* \brief Registration function for ack: keyword
*/
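Review bot: The new `DetectAckData` typedef uses `uint32_t`, but the header as shown from its first line includes nothing. It therefore compiles only when the including file has already pulled in the fixed-width integer types. Adding `#include <stdint.h>` directly after the include guard would make the header self-contained. The seq header adds `DetectSeqData` in the same way.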

@ -52,14 +52,14 @@ void DetectSeqRegister(void) {
static int DetectSeqMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Packet *p, Signature *s, SigMatch *m)
{
uint32_t *data = (uint32_t *)m->ctx;
DetectSeqData *data = (DetectSeqData *)m->ctx;
/* This is only needed on TCP packets */
if (IPPROTO_TCP != p->proto) {
return 0;
}
return (*data == TCP_GET_SEQ(p)) ? 1 : 0;
return (data->seq == TCP_GET_SEQ(p)) ? 1 : 0;
}
/**
@ -77,12 +77,12 @@ static int DetectSeqMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
static int DetectSeqSetup (DetectEngineCtx *de_ctx, Signature *s,
SigMatch *m, char *optstr)
{
uint32_t *data = malloc(sizeof(uint32_t));
DetectSeqData *data = malloc(sizeof(DetectSeqData));
SigMatch *sm = NULL;
//printf("DetectSeqSetup: \'%s\'\n", optstr);
data = malloc(sizeof(uint32_t));
data = malloc(sizeof(DetectSeqData));
if (data == NULL) {
printf("DetectSeqSetup: malloc failed\n");
goto error;
@ -95,10 +95,10 @@ static int DetectSeqSetup (DetectEngineCtx *de_ctx, Signature *s,
sm->type = DETECT_SEQ;
if (-1 == ByteExtractStringUint32(data, 10, 0, optstr)) {
if (-1 == ByteExtractStringUint32(&data->seq, 10, 0, optstr)) {
goto error;
}
sm->ctx = (void *)data;
sm->ctx = data;
SigMatchAppend(s, m, sm);
@ -118,7 +118,7 @@ error:
*/
static void DetectSeqFree(void *ptr)
{
uint32_t *data = (uint32_t *)ptr;
DetectSeqData *data = (DetectSeqData *)ptr;
free(data);
}
@ -194,35 +194,35 @@ static int DetectSeqSigTest01Real(int mpm_type)
"(msg:\"Testing seq\";seq:foo;sid:1;)") != NULL)
{
printf("invalid seq accepted: ");
goto end;
goto cleanup_engine;
}
if (SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing seq\";seq:9999999999;sid:1;)") != NULL)
{
printf("overflowing seq accepted: ");
goto end;
goto cleanup_engine;
}
if (SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing seq\";seq:-100;sid:1;)") != NULL)
{
printf("negative seq accepted: ");
goto end;
goto cleanup_engine;
}
de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing seq\";sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
goto cleanup_engine;
}
de_ctx->sig_list->next = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing seq\";seq:42;sid:2;)");
if (de_ctx->sig_list->next == NULL) {
goto end;
goto cleanup_engine;
}
SigGroupBuild(de_ctx);
@ -267,6 +267,8 @@ cleanup:
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
PatternMatchDestroy(mpm_ctx);
cleanup_engine:
DetectEngineCtxFree(de_ctx);
end:
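Review bot: DetectSeqMatch reads `TCP_GET_SEQ(p)` as soon as `p->proto` equals `IPPROTO_TCP`, and nothing in this hunk shows that the protocol number alone guarantees a decoded, validated TCP header on the packet. Because packets are untrusted input, guarding on the decoder's own "TCP header present" state would be the safer check. If `p->proto` is in fact sufficient, a comment saying why would help the next reader. `m->ctx` is also dereferenced without a NULL check, which holds only if setup never appends a SigMatch with an empty ctx; the setup error path is outside the hunks shown. DetectAckMatch has the same shape.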

@ -1,7 +1,16 @@
#ifndef __DETECT_SEQ_H__
#define __DETECT_SEQ_H__
/* prototypes */
/**
* \brief seq data
*/
typedef struct DetectSeqData_ {
uint32_t seq; /**< seq to match */
} DetectSeqData;
/**
* \brief Registration function for ack: keyword
*/
void DetectSeqRegister(void);
#endif /* __DETECT_SEQ_H__ */
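Review bot: The doc comment above `DetectSeqRegister` reads `\brief Registration function for ack: keyword`, which looks copied from the ack header. It should read `\brief Registration function for seq: keyword`, otherwise the generated documentation describes the seq registration as the ack one.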
