Ack/Seq Keywords part 2

remotes/origin/master-1.0.x
Brian Rectanus 17 years ago committed by Victor Julien
parent ed30067bd7
commit b796541e57

@ -52,14 +52,14 @@ void DetectAckRegister(void) {
static int DetectAckMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, static int DetectAckMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Packet *p, Signature *s, SigMatch *m) Packet *p, Signature *s, SigMatch *m)
{ {
uint32_t *data = (uint32_t *)m->ctx; DetectAckData *data = (DetectAckData *)m->ctx;
/* This is only needed on TCP packets */ /* This is only needed on TCP packets */
if (IPPROTO_TCP != p->proto) { if (IPPROTO_TCP != p->proto) {
return 0; return 0;
} }
return (*data == TCP_GET_ACK(p)) ? 1 : 0; return (data->ack == TCP_GET_ACK(p)) ? 1 : 0;
} }
/** /**
@ -77,12 +77,12 @@ static int DetectAckMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
static int DetectAckSetup(DetectEngineCtx *de_ctx, Signature *s, static int DetectAckSetup(DetectEngineCtx *de_ctx, Signature *s,
SigMatch *m, char *optstr) SigMatch *m, char *optstr)
{ {
uint32_t *data = malloc(sizeof(uint32_t)); DetectAckData *data = malloc(sizeof(DetectAckData));
SigMatch *sm = NULL; SigMatch *sm = NULL;
//printf("DetectAckSetup: \'%s\'\n", optstr); //printf("DetectAckSetup: \'%s\'\n", optstr);
data = malloc(sizeof(uint32_t)); data = malloc(sizeof(DetectAckData));
if (data == NULL) { if (data == NULL) {
printf("DetectAckSetup: malloc failed\n"); printf("DetectAckSetup: malloc failed\n");
goto error; goto error;
@ -95,10 +95,10 @@ static int DetectAckSetup(DetectEngineCtx *de_ctx, Signature *s,
sm->type = DETECT_ACK; sm->type = DETECT_ACK;
if (-1 == ByteExtractStringUint32(data, 10, 0, optstr)) { if (-1 == ByteExtractStringUint32(&data->ack, 10, 0, optstr)) {
goto error; goto error;
} }
sm->ctx = (void *)data; sm->ctx = data;
SigMatchAppend(s, m, sm); SigMatchAppend(s, m, sm);
@ -118,7 +118,7 @@ error:
*/ */
static void DetectAckFree(void *ptr) static void DetectAckFree(void *ptr)
{ {
uint32_t *data = (uint32_t *)ptr; DetectAckData *data = (DetectAckData *)ptr;
free(data); free(data);
} }
@ -194,35 +194,35 @@ static int DetectAckSigTest01Real(int mpm_type)
"(msg:\"Testing ack\";ack:foo;sid:1;)") != NULL) "(msg:\"Testing ack\";ack:foo;sid:1;)") != NULL)
{ {
printf("invalid ack accepted: "); printf("invalid ack accepted: ");
goto end; goto cleanup_engine;
} }
if (SigInit(de_ctx, if (SigInit(de_ctx,
"alert tcp any any -> any any " "alert tcp any any -> any any "
"(msg:\"Testing ack\";ack:9999999999;sid:1;)") != NULL) "(msg:\"Testing ack\";ack:9999999999;sid:1;)") != NULL)
{ {
printf("overflowing ack accepted: "); printf("overflowing ack accepted: ");
goto end; goto cleanup_engine;
} }
if (SigInit(de_ctx, if (SigInit(de_ctx,
"alert tcp any any -> any any " "alert tcp any any -> any any "
"(msg:\"Testing ack\";ack:-100;sid:1;)") != NULL) "(msg:\"Testing ack\";ack:-100;sid:1;)") != NULL)
{ {
printf("negative ack accepted: "); printf("negative ack accepted: ");
goto end; goto cleanup_engine;
} }
de_ctx->sig_list = SigInit(de_ctx, de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any " "alert tcp any any -> any any "
"(msg:\"Testing ack\";sid:1;)"); "(msg:\"Testing ack\";sid:1;)");
if (de_ctx->sig_list == NULL) { if (de_ctx->sig_list == NULL) {
goto end; goto cleanup_engine;
} }
de_ctx->sig_list->next = SigInit(de_ctx, de_ctx->sig_list->next = SigInit(de_ctx,
"alert tcp any any -> any any " "alert tcp any any -> any any "
"(msg:\"Testing ack\";ack:42;sid:2;)"); "(msg:\"Testing ack\";ack:42;sid:2;)");
if (de_ctx->sig_list->next == NULL) { if (de_ctx->sig_list->next == NULL) {
goto end; goto cleanup_engine;
} }
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
@ -267,6 +267,8 @@ cleanup:
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
PatternMatchDestroy(mpm_ctx); PatternMatchDestroy(mpm_ctx);
cleanup_engine:
DetectEngineCtxFree(de_ctx); DetectEngineCtxFree(de_ctx);
end: end:
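Review bot: DetectAckSetup still allocates `data` twice: the declaration `DetectAckData *data = malloc(sizeof(DetectAckData));` is followed a few lines later by `data = malloc(sizeof(DetectAckData));`, so the first block is overwritten and leaked on every call, and only the second result is NULL-checked. Declare it as `DetectAckData *data = NULL;` and keep the single checked allocation, preferably `data = malloc(sizeof(*data));` so the size follows the pointer's type. DetectSeqSetup in the seq source file carries the same double allocation. The function body continues outside the visible hunks, so what the `error:` path frees cannot be confirmed from here.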

@ -1,6 +1,13 @@
#ifndef __DETECT_ACK_H__ #ifndef __DETECT_ACK_H__
#define __DETECT_ACK_H__ #define __DETECT_ACK_H__
/**
* \brief ack data
*/
typedef struct DetectAckData_ {
uint32_t ack; /**< ack to match */
} DetectAckData;
/** /**
* \brief Registration function for ack: keyword * \brief Registration function for ack: keyword
*/ */
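Review bot: The new `DetectAckData` typedef uses `uint32_t`, but this hunk starts at line 1 of the header and shows no `#include` between the include guard and the typedef, so the header appears to compile only when the including file has already pulled in the fixed-width integer types. Adding `#include <stdint.h>` directly after the guard would make the header self-contained. The `DetectSeqData` typedef added to the seq header has the same dependency.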

@ -52,14 +52,14 @@ void DetectSeqRegister(void) {
static int DetectSeqMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, static int DetectSeqMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Packet *p, Signature *s, SigMatch *m) Packet *p, Signature *s, SigMatch *m)
{ {
uint32_t *data = (uint32_t *)m->ctx; DetectSeqData *data = (DetectSeqData *)m->ctx;
/* This is only needed on TCP packets */ /* This is only needed on TCP packets */
if (IPPROTO_TCP != p->proto) { if (IPPROTO_TCP != p->proto) {
return 0; return 0;
} }
return (*data == TCP_GET_SEQ(p)) ? 1 : 0; return (data->seq == TCP_GET_SEQ(p)) ? 1 : 0;
} }
/** /**
@ -77,12 +77,12 @@ static int DetectSeqMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
static int DetectSeqSetup (DetectEngineCtx *de_ctx, Signature *s, static int DetectSeqSetup (DetectEngineCtx *de_ctx, Signature *s,
SigMatch *m, char *optstr) SigMatch *m, char *optstr)
{ {
uint32_t *data = malloc(sizeof(uint32_t)); DetectSeqData *data = malloc(sizeof(DetectSeqData));
SigMatch *sm = NULL; SigMatch *sm = NULL;
//printf("DetectSeqSetup: \'%s\'\n", optstr); //printf("DetectSeqSetup: \'%s\'\n", optstr);
data = malloc(sizeof(uint32_t)); data = malloc(sizeof(DetectSeqData));
if (data == NULL) { if (data == NULL) {
printf("DetectSeqSetup: malloc failed\n"); printf("DetectSeqSetup: malloc failed\n");
goto error; goto error;
@ -95,10 +95,10 @@ static int DetectSeqSetup (DetectEngineCtx *de_ctx, Signature *s,
sm->type = DETECT_SEQ; sm->type = DETECT_SEQ;
if (-1 == ByteExtractStringUint32(data, 10, 0, optstr)) { if (-1 == ByteExtractStringUint32(&data->seq, 10, 0, optstr)) {
goto error; goto error;
} }
sm->ctx = (void *)data; sm->ctx = data;
SigMatchAppend(s, m, sm); SigMatchAppend(s, m, sm);
@ -118,7 +118,7 @@ error:
*/ */
static void DetectSeqFree(void *ptr) static void DetectSeqFree(void *ptr)
{ {
uint32_t *data = (uint32_t *)ptr; DetectSeqData *data = (DetectSeqData *)ptr;
free(data); free(data);
} }
@ -194,35 +194,35 @@ static int DetectSeqSigTest01Real(int mpm_type)
"(msg:\"Testing seq\";seq:foo;sid:1;)") != NULL) "(msg:\"Testing seq\";seq:foo;sid:1;)") != NULL)
{ {
printf("invalid seq accepted: "); printf("invalid seq accepted: ");
goto end; goto cleanup_engine;
} }
if (SigInit(de_ctx, if (SigInit(de_ctx,
"alert tcp any any -> any any " "alert tcp any any -> any any "
"(msg:\"Testing seq\";seq:9999999999;sid:1;)") != NULL) "(msg:\"Testing seq\";seq:9999999999;sid:1;)") != NULL)
{ {
printf("overflowing seq accepted: "); printf("overflowing seq accepted: ");
goto end; goto cleanup_engine;
} }
if (SigInit(de_ctx, if (SigInit(de_ctx,
"alert tcp any any -> any any " "alert tcp any any -> any any "
"(msg:\"Testing seq\";seq:-100;sid:1;)") != NULL) "(msg:\"Testing seq\";seq:-100;sid:1;)") != NULL)
{ {
printf("negative seq accepted: "); printf("negative seq accepted: ");
goto end; goto cleanup_engine;
} }
de_ctx->sig_list = SigInit(de_ctx, de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any " "alert tcp any any -> any any "
"(msg:\"Testing seq\";sid:1;)"); "(msg:\"Testing seq\";sid:1;)");
if (de_ctx->sig_list == NULL) { if (de_ctx->sig_list == NULL) {
goto end; goto cleanup_engine;
} }
de_ctx->sig_list->next = SigInit(de_ctx, de_ctx->sig_list->next = SigInit(de_ctx,
"alert tcp any any -> any any " "alert tcp any any -> any any "
"(msg:\"Testing seq\";seq:42;sid:2;)"); "(msg:\"Testing seq\";seq:42;sid:2;)");
if (de_ctx->sig_list->next == NULL) { if (de_ctx->sig_list->next == NULL) {
goto end; goto cleanup_engine;
} }
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
@ -267,6 +267,8 @@ cleanup:
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
PatternMatchDestroy(mpm_ctx); PatternMatchDestroy(mpm_ctx);
cleanup_engine:
DetectEngineCtxFree(de_ctx); DetectEngineCtxFree(de_ctx);
end: end:

@ -1,7 +1,16 @@
#ifndef __DETECT_SEQ_H__ #ifndef __DETECT_SEQ_H__
#define __DETECT_SEQ_H__ #define __DETECT_SEQ_H__
/* prototypes */ /**
* \brief seq data
*/
typedef struct DetectSeqData_ {
uint32_t seq; /**< seq to match */
} DetectSeqData;
/**
* \brief Registration function for ack: keyword
*/
void DetectSeqRegister(void); void DetectSeqRegister(void);
#endif /* __DETECT_SEQ_H__ */ #endif /* __DETECT_SEQ_H__ */
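Review bot: The doc comment added above `DetectSeqRegister` was copied from the ack header and still reads `ack: keyword`; it should be `\brief Registration function for seq: keyword`. As written, generated API documentation would describe the seq registration function as the ack one.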
