|
|
|
@ -278,7 +278,8 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea
|
|
|
|
|
const uint8_t *sbuffer = buffer + offset;
|
|
|
|
|
uint32_t sbuffer_len = depth - offset;
|
|
|
|
|
uint32_t match_offset = 0;
|
|
|
|
|
SCLogDebug("sbuffer_len %"PRIu32, sbuffer_len);
|
|
|
|
|
SCLogDebug("sbuffer_len %" PRIu32 " depth: %" PRIu32 ", buffer_len: %" PRIu32,
|
|
|
|
|
sbuffer_len, depth, buffer_len);
|
|
|
|
|
#ifdef DEBUG
|
|
|
|
|
BUG_ON(sbuffer_len > buffer_len);
|
|
|
|
|
#endif
|
|
|
|
@ -308,16 +309,30 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea
|
|
|
|
|
} else {
|
|
|
|
|
goto match;
|
|
|
|
|
}
|
|
|
|
|
} else if (cd->flags & DETECT_CONTENT_NEGATED) {
|
|
|
|
|
SCLogDebug("content %"PRIu32" matched at offset %"PRIu32", but negated so no match", cd->id, match_offset);
|
|
|
|
|
} else {
|
|
|
|
|
match_offset = (uint32_t)((found - buffer) + cd->content_len);
|
|
|
|
|
if (cd->flags & DETECT_CONTENT_NEGATED) {
|
|
|
|
|
SCLogDebug("content %" PRIu32 " matched at offset %" PRIu32
|
|
|
|
|
", but negated so no match",
|
|
|
|
|
cd->id, match_offset);
|
|
|
|
|
/* don't bother carrying recursive matches now, for preceding
|
|
|
|
|
* relative keywords */
|
|
|
|
|
|
|
|
|
|
/* found a match but not at the end of the buffer */
|
|
|
|
|
if (cd->flags & DETECT_CONTENT_ENDS_WITH) {
|
|
|
|
|
if (sbuffer_len != match_offset) {
|
|
|
|
|
SCLogDebug("content \"%s\" %" PRIu32 " matched at offset %" PRIu32
|
|
|
|
|
", but not at end of buffer so match",
|
|
|
|
|
cd->content, cd->id, match_offset);
|
|
|
|
|
goto match;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (DETECT_CONTENT_IS_SINGLE(cd))
|
|
|
|
|
det_ctx->discontinue_matching = 1;
|
|
|
|
|
goto no_match;
|
|
|
|
|
} else {
|
|
|
|
|
match_offset = (uint32_t)((found - buffer) + cd->content_len);
|
|
|
|
|
SCLogDebug("content %"PRIu32" matched at offset %"PRIu32"", cd->id, match_offset);
|
|
|
|
|
SCLogDebug("content %" PRIu32 " matched at offset %" PRIu32 "", cd->id,
|
|
|
|
|
match_offset);
|
|
|
|
|
det_ctx->buffer_offset = match_offset;
|
|
|
|
|
|
|
|
|
|
if ((cd->flags & DETECT_CONTENT_ENDS_WITH) == 0 || match_offset == buffer_len) {
|
|
|
|
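Review bot: The new negated-`endswith` test `if (sbuffer_len != match_offset)` compares two values measured from different origins: `sbuffer_len` is `depth - offset`, the length of the window starting at `buffer + offset`, while `match_offset` is `(found - buffer) + cd->content_len`, counted from the start of `buffer`. If `offset` can be non-zero for such a content, a pattern that really does sit at the end of the buffer still satisfies the inequality and takes `goto match`, so a negated `endswith` keyword would match on exactly the data it is meant to exclude. The non-negated branch just below tests `match_offset == buffer_len`; using the same reference here, `if (match_offset != buffer_len) {`, would keep the two paths consistent. The search that sets `found` and the code deriving `offset` and `depth` lie outside this hunk, so whether `offset` is always 0 on this path needs confirming, ideally with a unit test that combines a negated `endswith` content with `offset`.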
@ -326,7 +341,8 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea
|
|
|
|
|
if (inspection_mode == DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD) {
|
|
|
|
|
/* we will need to replace content if match is confirmed
|
|
|
|
|
* cast to non-const as replace writes to it. */
|
|
|
|
|
det_ctx->replist = DetectReplaceAddToList(det_ctx->replist, (uint8_t *)found, cd);
|
|
|
|
|
det_ctx->replist = DetectReplaceAddToList(
|
|
|
|
|
det_ctx->replist, (uint8_t *)found, cd);
|
|
|
|
|
} else {
|
|
|
|
|
SCLogWarning("Can't modify payload without packet");
|
|
|
|
|
}
|
|
|
|
@ -337,7 +353,7 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea
|
|
|
|
|
goto match;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SCLogDebug("content %"PRIu32, cd->id);
|
|
|
|
|
SCLogDebug("content %" PRIu32, cd->id);
|
|
|
|
|
KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
|
|
|
|
|
|
|
|
|
|
/* see if the next buffer keywords match. If not, we will
|
|
|
|
@ -362,11 +378,14 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea
|
|
|
|
|
goto no_match;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SCLogDebug("'next sm' depends on me %p, lets see what we can do (flags %u)", cd, cd->flags);
|
|
|
|
|
SCLogDebug("'next sm' depends on me %p, lets see what we can do (flags %u)",
|
|
|
|
|
cd, cd->flags);
|
|
|
|
|
}
|
|
|
|
|
/* set the previous match offset to the start of this match + 1 */
|
|
|
|
|
prev_offset = (match_offset - (cd->content_len - 1));
|
|
|
|
|
SCLogDebug("trying to see if there is another match after prev_offset %"PRIu32, prev_offset);
|
|
|
|
|
SCLogDebug("trying to see if there is another match after prev_offset %" PRIu32,
|
|
|
|
|
prev_offset);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
} while(1);
|
|
|
|
|