diff --git a/src/detect-content.c b/src/detect-content.c index 27a7f51254..565d745e3b 100644 --- a/src/detect-content.c +++ b/src/detect-content.c @@ -339,7 +339,7 @@ SigMatch *SigMatchGetLastPattern(Signature *s) { BUG_ON(s == NULL); SigMatch *co_sm = DetectContentFindPrevApplicableSM(s->pmatch_tail); - SigMatch *ur_sm = SigMatchGetLastSM(s->match, DETECT_URICONTENT); + SigMatch *ur_sm = SigMatchGetLastSM(s->match_tail, DETECT_URICONTENT); SigMatch *sm = NULL; if (co_sm != NULL && ur_sm != NULL) { diff --git a/src/detect-detection-filter.c b/src/detect-detection-filter.c index f10b51fa04..e25e93afec 100644 --- a/src/detect-detection-filter.c +++ b/src/detect-detection-filter.c @@ -30,7 +30,7 @@ static pcre *parse_regex; static pcre_extra *parse_regex_study; int DetectDetectionFilterMatch(ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *); -int DetectDetectionFilterSetup(DetectEngineCtx *, Signature *, SigMatch *, char *); +static int DetectDetectionFilterSetup(DetectEngineCtx *, Signature *, char *); void DetectDetectionFilterRegisterTests(void); void DetectDetectionFilterFree(void *); @@ -43,6 +43,8 @@ void DetectDetectionFilterRegister (void) { sigmatch_table[DETECT_DETECTION_FILTER].Setup = DetectDetectionFilterSetup; sigmatch_table[DETECT_DETECTION_FILTER].Free = DetectDetectionFilterFree; sigmatch_table[DETECT_DETECTION_FILTER].RegisterTests = DetectDetectionFilterRegisterTests; + /* this is compatible to ip-only signatures */ + sigmatch_table[DETECT_DETECTION_FILTER].flags |= SIGMATCH_IPONLY_COMPAT; const char *eb; int eo; @@ -187,20 +189,20 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -int DetectDetectionFilterSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) { +int DetectDetectionFilterSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr) { SCEnter(); DetectThresholdData *df = NULL; SigMatch *sm = NULL; SigMatch *tmpm = NULL; /* checks if there's a previous instance of threshold */ - tmpm = SigMatchGetLastSM(s, DETECT_THRESHOLD); + tmpm = SigMatchGetLastSM(s->match_tail, DETECT_THRESHOLD); if (tmpm != NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and \"threshold\" are not allowed in the same rule"); SCReturnInt(-1); } /* checks there's no previous instance of detection_filter */ - tmpm = SigMatchGetLastSM(s, DETECT_DETECTION_FILTER); + tmpm = SigMatchGetLastSM(s->match_tail, DETECT_DETECTION_FILTER); if (tmpm != NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "At most one \"detection_filter\" is allowed per rule"); SCReturnInt(-1); @@ -217,7 +219,7 @@ int DetectDetectionFilterSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch sm->type = DETECT_DETECTION_FILTER; sm->ctx = (void *)df; - SigMatchAppend(s,m,sm); + SigMatchAppendPacket(s, sm); return 0; @@ -381,6 +383,8 @@ static int DetectDetectionFilterTestSig1(void) { p.ip4h = &ip4h; p.ip4h->ip_src.s_addr = 0x01010101; p.ip4h->ip_dst.s_addr = 0x02020202; + p.sp = 1024; + p.dp = 80; DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) { @@ -389,7 +393,7 @@ static int DetectDetectionFilterTestSig1(void) { de_ctx->flags |= DE_QUIET; - s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"detection_filter Test\"; detection_filter: track by_dst, count 4, seconds 60; sid:1;)"); + s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"detection_filter Test\"; detection_filter: track by_dst, count 4, seconds 60; sid:1;)"); if (s == NULL) { goto end; } @@ -454,6 +458,8 @@ static int DetectDetectionFilterTestSig2(void) { p.ip4h = &ip4h; p.ip4h->ip_src.s_addr = 0x01010101; p.ip4h->ip_dst.s_addr = 0x02020202; + p.sp = 1024; + p.dp = 80; DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) { @@ -462,7 +468,7 @@ static int DetectDetectionFilterTestSig2(void) { de_ctx->flags |= DE_QUIET; - s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"detection_filter Test 2\"; detection_filter: track by_dst, count 4, seconds 60; sid:10;)"); + s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"detection_filter Test 2\"; detection_filter: track by_dst, count 4, seconds 60; sid:10;)"); if (s == NULL) { goto end; } diff --git a/src/detect-ftpbounce.c b/src/detect-ftpbounce.c index 4147cef375..59ae710101 100644 --- a/src/detect-ftpbounce.c +++ b/src/detect-ftpbounce.c @@ -189,7 +189,7 @@ int DetectFtpbounceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, if (!(PKT_IS_TCP(p))) return 0; - SigMatch *sm = SigMatchGetLastSM(s->pmatch, DETECT_CONTENT); + SigMatch *sm = SigMatchGetLastSM(s->pmatch_tail, DETECT_CONTENT); if (sm == NULL) return 0; diff --git a/src/detect-parse.c b/src/detect-parse.c index 2f703eda43..0f3bf84f89 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -247,7 +247,7 @@ void SigMatchReplace(Signature *s, SigMatch *m, SigMatch *new) { * \brief Returns a pointer to the last SigMatch instance of a particular type * in a Signature of the payload list. * - * \param s Pointer to the Signature. + * \param s Pointer to the tail of the sigmatch list * \param type SigMatch type which has to be searched for in the Signature. * * \retval match Pointer to the last SigMatch instance of type 'type'. @@ -258,7 +258,7 @@ SigMatch *SigMatchGetLastSM(SigMatch *sm, uint8_t type) if (sm->type == type) { return sm; } - sm = sm->next; + sm = sm->prev; } return NULL; diff --git a/src/detect-threshold.c b/src/detect-threshold.c index 9aa9d2c36c..f2e5acb693 100644 --- a/src/detect-threshold.c +++ b/src/detect-threshold.c @@ -197,7 +197,7 @@ static int DetectThresholdSetup (DetectEngineCtx *de_ctx, Signature *s, char *ra SigMatch *tmpm = NULL; /* checks if there is a previous instance of detection_filter */ - tmpm = SigMatchGetLastSM(s, DETECT_DETECTION_FILTER); + tmpm = SigMatchGetLastSM(s->match_tail, DETECT_DETECTION_FILTER); if (tmpm != NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and \"threshold\" are not allowed in the same rule"); SCReturnInt(-1);