support for 'negation' in addresses and the 'any' special case.

remotes/origin/master-1.0.x
Victor Julien 17 years ago
parent 876f0c95c7
commit b7bc35e8b2

@ -89,7 +89,7 @@ int AddressCutIPv4(DetectAddressData *a, DetectAddressData *b, DetectAddressData
b->ip2[0] = htonl(a_ip2);
DetectAddressData *tmp_c;
tmp_c = malloc(sizeof(DetectAddressData));
tmp_c = DetectAddressDataInit();
if (tmp_c == NULL) {
goto error;
}
@ -111,7 +111,7 @@ int AddressCutIPv4(DetectAddressData *a, DetectAddressData *b, DetectAddressData
b->ip2[0] = htonl(b_ip2);
DetectAddressData *tmp_c;
tmp_c = malloc(sizeof(DetectAddressData));
tmp_c = DetectAddressDataInit();
if (tmp_c == NULL) {
goto error;
}
@ -155,7 +155,7 @@ int AddressCutIPv4(DetectAddressData *a, DetectAddressData *b, DetectAddressData
b->ip2[0] = htonl(a_ip2);
DetectAddressData *tmp_c;
tmp_c = malloc(sizeof(DetectAddressData));
tmp_c = DetectAddressDataInit();
if (tmp_c == NULL) {
goto error;
}
@ -199,7 +199,7 @@ int AddressCutIPv4(DetectAddressData *a, DetectAddressData *b, DetectAddressData
b->ip2[0] = htonl(b_ip2);
DetectAddressData *tmp_c;
tmp_c = malloc(sizeof(DetectAddressData));
tmp_c = DetectAddressDataInit();
if (tmp_c == NULL) {
goto error;
}
@ -217,4 +217,52 @@ error:
}
/* a = 1.2.3.4
* must result in: a == 0.0.0.0-1.2.3.3, b == 1.2.3.5-255.255.255.255
*
* a = 0.0.0.0/32
* must result in: a == 0.0.0.1-255.255.255.255, b == NULL
*
* a = 255.255.255.255
* must result in: a == 0.0.0.0-255.255.255.254, b == NULL
*
*/
int AddressCutNotIPv4(DetectAddressData *a, DetectAddressData **b) {
u_int32_t a_ip1 = ntohl(a->ip[0]);
u_int32_t a_ip2 = ntohl(a->ip2[0]);
/* default to NULL */
*b = NULL;
if (a_ip1 != 0x00000000 && a_ip2 != 0xFFFFFFFF) {
a->ip[0] = htonl(0x00000000);
a->ip2[0] = htonl(a_ip1 - 1);
DetectAddressData *tmp_b;
tmp_b = DetectAddressDataInit();
if (tmp_b == NULL) {
goto error;
}
tmp_b->family = AF_INET;
tmp_b->ip[0] = htonl(a_ip2 + 1);
tmp_b->ip2[0] = htonl(0xFFFFFFFF);
*b = tmp_b;
} else if (a_ip1 == 0x00000000 && a_ip2 != 0xFFFFFFFF) {
a->ip[0] = htonl(a_ip2 + 1);
a->ip2[0] = htonl(0xFFFFFFFF);
} else if (a_ip1 != 0x00000000 && a_ip2 == 0xFFFFFFFF) {
a->ip[0] = htonl(0x00000000);
a->ip2[0] = htonl(a_ip1 - 1);
} else {
goto error;
}
return 0;
error:
return -1;
}
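Review bot: The comment block above AddressCutNotIPv4 gives example results but not the contract of the out-parameter: `*b` is set to NULL by default and, in the first branch only, to an object obtained from DetectAddressDataInit that the caller then owns (presumably released with DetectAddressDataFree, which this commit declares), while a -1 return, taken when `a` spans 0.0.0.0-255.255.255.255, leaves `*b` NULL. Suggest adding to that block `/* On success *b is NULL or a caller-owned DetectAddressData; returns -1 when a covers the whole address space. */`. The arithmetic on `a_ip1 - 1` and `a_ip2 + 1` cannot wrap because each branch excludes the boundary value, but the result is only a correct complement when `a->ip <= a->ip2`, which is worth stating as a precondition. Whether ADDRESS_FLAG_NOT in `a->flags` is cleared once the range has been cut is left to the caller, which is outside this hunk.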

@ -8,6 +8,7 @@
int AddressCmpIPv4(DetectAddressData *, DetectAddressData *);
int AddressCutIPv4(DetectAddressData *, DetectAddressData *, DetectAddressData **);
int AddressCutNotIPv4(DetectAddressData *, DetectAddressData **);
#endif /* __DETECT_ADDRESS_IPV4_H__ */

@ -213,7 +213,7 @@ int AddressCutIPv6(DetectAddressData *a, DetectAddressData *b, DetectAddressData
AddressCutIPv6Copy(a_ip2, b->ip2);
DetectAddressData *tmp_c;
tmp_c = malloc(sizeof(DetectAddressData));
tmp_c = DetectAddressDataInit();
if (tmp_c == NULL) {
goto error;
}
@ -235,7 +235,7 @@ int AddressCutIPv6(DetectAddressData *a, DetectAddressData *b, DetectAddressData
AddressCutIPv6Copy(b_ip2, b->ip2);
DetectAddressData *tmp_c;
tmp_c = malloc(sizeof(DetectAddressData));
tmp_c = DetectAddressDataInit();
if (tmp_c == NULL) {
goto error;
}
@ -279,7 +279,7 @@ int AddressCutIPv6(DetectAddressData *a, DetectAddressData *b, DetectAddressData
AddressCutIPv6Copy(a_ip2, b->ip2);
DetectAddressData *tmp_c;
tmp_c = malloc(sizeof(DetectAddressData));
tmp_c = DetectAddressDataInit();
if (tmp_c == NULL) {
goto error;
}
@ -323,7 +323,7 @@ int AddressCutIPv6(DetectAddressData *a, DetectAddressData *b, DetectAddressData
AddressCutIPv6Copy(b_ip2, b->ip2);
DetectAddressData *tmp_c;
tmp_c = malloc(sizeof(DetectAddressData));
tmp_c = DetectAddressDataInit();
if (tmp_c == NULL) {
goto error;
}
@ -340,6 +340,68 @@ error:
return -1;
}
/* a = 1.2.3.4
* must result in: a == 0.0.0.0-1.2.3.3, b == 1.2.3.5-255.255.255.255
*
* a = 0.0.0.0/32
* must result in: a == 0.0.0.1-255.255.255.255, b == NULL
*
* a = 255.255.255.255
* must result in: a == 0.0.0.0-255.255.255.254, b == NULL
*
*/
int AddressCutNotIPv6(DetectAddressData *a, DetectAddressData **b) {
u_int32_t a_ip1[4] = { ntohl(a->ip[0]), ntohl(a->ip[1]), ntohl(a->ip[2]), ntohl(a->ip[3]) };
u_int32_t a_ip2[4] = { ntohl(a->ip2[0]), ntohl(a->ip2[1]), ntohl(a->ip2[2]), ntohl(a->ip2[3]) };
u_int32_t ip_nul[4] = { 0x00000000, 0x00000000, 0x00000000, 0x00000000 };
u_int32_t ip_max[4] = { 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF };
/* default to NULL */
*b = NULL;
if (a_ip1[0] != 0x00000000 && a_ip1[1] != 0x00000000 &&
a_ip1[2] != 0x00000000 && a_ip1[3] != 0x00000000 &&
a_ip2[0] != 0xFFFFFFFF && a_ip2[1] != 0xFFFFFFFF &&
a_ip2[2] != 0xFFFFFFFF && a_ip2[3] != 0xFFFFFFFF)
{
AddressCutIPv6Copy(ip_nul, a->ip);
AddressCutIPv6CopySubOne(a_ip1, a->ip2);
DetectAddressData *tmp_b;
tmp_b = DetectAddressDataInit();
if (tmp_b == NULL) {
goto error;
}
tmp_b->family = AF_INET6;
AddressCutIPv6CopyAddOne(a_ip2, tmp_b->ip);
AddressCutIPv6Copy(ip_max, tmp_b->ip2);
*b = tmp_b;
} else if (a_ip1[0] == 0x00000000 && a_ip1[1] == 0x00000000 &&
a_ip1[2] == 0x00000000 && a_ip1[3] == 0x00000000 &&
a_ip2[0] != 0xFFFFFFFF && a_ip2[1] != 0xFFFFFFFF &&
a_ip2[2] != 0xFFFFFFFF && a_ip2[3] != 0xFFFFFFFF)
{
AddressCutIPv6CopyAddOne(a_ip2, a->ip);
AddressCutIPv6Copy(ip_max, a->ip2);
} else if (a_ip1[0] != 0x00000000 && a_ip1[1] != 0x00000000 &&
a_ip1[2] != 0x00000000 && a_ip1[3] != 0x00000000 &&
a_ip2[0] == 0xFFFFFFFF && a_ip2[1] == 0xFFFFFFFF &&
a_ip2[2] == 0xFFFFFFFF && a_ip2[3] == 0xFFFFFFFF)
{
AddressCutIPv6Copy(ip_nul, a->ip);
AddressCutIPv6CopyAddOne(a_ip2, a->ip2);
} else {
goto error;
}
return 0;
error:
return -1;
}
/* TESTS */
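Review bot: The range tests in AddressCutNotIPv6 join the four words with `&&`, so `a_ip1[0] != 0 && ... && a_ip1[3] != 0` is true only when every 32-bit word is non-zero rather than when the address differs from `::`, and likewise for the 0xFFFFFFFF comparisons; an address with any zero word, such as 2001:db8::1, matches none of the three branches and reaches `goto error`, whereas the IPv4 version cuts it correctly. The third branch also diverges from its IPv4 counterpart: where AddressCutNotIPv4 sets `a->ip2 = a_ip1 - 1`, this branch calls `AddressCutIPv6CopyAddOne(a_ip2, a->ip2)` on an all-ones `a_ip2`, so it should read `AddressCutIPv6CopySubOne(a_ip1, a->ip2);`. The comment block above the function is copied from the IPv4 file with IPv4 example addresses; it should use IPv6 examples and state that `*b` is allocated by DetectAddressDataInit and owned by the caller. How the caller treats the -1 return decides whether a negated IPv6 address silently fails to match, which cannot be judged from this hunk.
```c
int AddressCutNotIPv6(DetectAddressData *a, DetectAddressData **b) {
    /* … unchanged: a_ip1/a_ip2/ip_nul/ip_max setup and *b = NULL … */
    int ip1_is_nul = (a_ip1[0] == 0x00000000 && a_ip1[1] == 0x00000000 &&
                      a_ip1[2] == 0x00000000 && a_ip1[3] == 0x00000000);
    int ip2_is_max = (a_ip2[0] == 0xFFFFFFFF && a_ip2[1] == 0xFFFFFFFF &&
                      a_ip2[2] == 0xFFFFFFFF && a_ip2[3] == 0xFFFFFFFF);

    if (!ip1_is_nul && !ip2_is_max) {
        /* … unchanged: a = [::, a_ip1-1], *b = [a_ip2+1, ffff...] … */
    } else if (ip1_is_nul && !ip2_is_max) {
        AddressCutIPv6CopyAddOne(a_ip2, a->ip);
        AddressCutIPv6Copy(ip_max, a->ip2);
    } else if (!ip1_is_nul && ip2_is_max) {
        AddressCutIPv6Copy(ip_nul, a->ip);
        AddressCutIPv6CopySubOne(a_ip1, a->ip2); /* was AddOne(a_ip2): a_ip2 is all ones here */
    } else {
        goto error;
    }
    /* … unchanged: return 0 / error label … */
```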

@ -13,6 +13,7 @@ int AddressIPv6Le(u_int32_t *, u_int32_t *);
int AddressIPv6Ge(u_int32_t *, u_int32_t *);
int AddressCutIPv6(DetectAddressData *, DetectAddressData *, DetectAddressData **);
int AddressCutNotIPv6(DetectAddressData *, DetectAddressData **);
int AddressCmpIPv6(DetectAddressData *, DetectAddressData *);
void DetectAddressIPv6Tests(void);


@ -13,10 +13,14 @@ enum {
ADDRESS_GT, /* bigger [bbb] [aaa] */
};
#define ADDRESS_FLAG_ANY 0x1
#define ADDRESS_FLAG_NOT 0x2
typedef struct DetectAddressData_ {
u_int8_t family;
u_int32_t ip[4];
u_int32_t ip2[4];
u_int8_t flags;
} DetectAddressData;
typedef struct DetectAddressGroup_ {
@ -33,6 +37,7 @@ typedef struct DetectAddressGroup_ {
} DetectAddressGroup;
typedef struct DetectAddressGroupsHead_ {
DetectAddressGroup *any_head;
DetectAddressGroup *ipv4_head;
DetectAddressGroup *ipv6_head;
} DetectAddressGroupsHead;
@ -41,6 +46,8 @@ typedef struct DetectAddressGroupsHead_ {
void DetectAddressRegister (void);
DetectAddressGroupsHead *DetectAddressGroupsHeadInit();
void DetectAddressGroupsHeadFree(DetectAddressGroupsHead *);
DetectAddressData *DetectAddressDataInit(void);
void DetectAddressDataFree(DetectAddressData *);
#endif /* __DETECT_ADDRESS_H__ */
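Review bot: The new `flags` field in DetectAddressData and the two ADDRESS_FLAG_* defines carry no comment saying what a set bit means or who sets it; from the commit title and the `"!192.168.0.0/16"` form used in the parser, the intent appears to be ADDRESS_FLAG_ANY for the "any" wildcard and ADDRESS_FLAG_NOT for an address written with a leading `!`, which should be stated next to the defines, e.g. `#define ADDRESS_FLAG_ANY 0x1 /* matches any address */` and `#define ADDRESS_FLAG_NOT 0x2 /* negated range, written with a leading '!' */`. Since the field is new, every allocation path must zero it; this commit replaces the raw malloc calls in the cut functions with DetectAddressDataInit, so the prototype comment should say the returned object is zero-initialised if that is what the body (not in this view) does. The new `DetectAddressDataInit(void)` uses a full prototype while the neighbouring `DetectAddressGroupsHeadInit()` does not; the new declaration is the style to keep.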

@ -195,9 +195,16 @@ error:
return -1;
}
/* XXX implement this for real
*
*/
int SigParseAddress(Signature *s, const char *addrstr, char flag) {
char *addr = NULL;
if (strcmp(addrstr,"$HOME_NET") == 0) {
addr = "192.168.0.0/16";
} else if (strcmp(addrstr,"$EXTERNAL_NET") == 0) {
addr = "!192.168.0.0/16";
} else if (strcmp(addrstr,"$HTTP_SERVERS") == 0) {
} else if (strcmp(addrstr,"$SMTP_SERVERS") == 0) {
} else if (strcmp(addrstr,"$SQL_SERVERS") == 0) {
