aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added support at Flowints for keywords isset and notset

Browse Source
remotes/origin/master-1.0.x
Pablo Rincon 16 years ago committed by Victor Julien
parent a8d7b71490
commit c6c7742464
5 changed files with 1081 additions and 406 deletions
Show Stats Download Patch File Download Diff File

788
src/detect-flowint.c
Unescape Escape View File

@ -1,8 +1,9 @@
/** Copyright(c) 2009 Open Information Security Foundation. /** Copyright(c) 2009 Open Information Security Foundation.
** \author Pablo Rincon <pablo.rincon.crespo@gmail.com> *
** Flowvar management for integer types, part of the detection engine * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
** Keyword: flowint * Flowvar management for integer types, part of the detection engine
**/ * Keyword: flowint
*/
#include "eidps-common.h" #include "eidps-common.h"
#include "decode.h" #include "decode.h"
@ -20,11 +21,8 @@
#include "detect-engine.h" #include "detect-engine.h"
#include "detect-engine-mpm.h" #include "detect-engine-mpm.h"
#include <inttypes.h> /* for UINT32_MAX */
/* name modifiers value */ /* name modifiers value */
#define PARSE_REGEX "^\\s*([a-zA-Z][\\w\\d_]+),\\s*([+=-]{1}|==|!=|<|<=|>|>=|isset)\\s*,?\\s*([a-zA-Z][\\w\\d]+|[\\d]{1,10})?\\s*$" #define PARSE_REGEX "^\\s*([a-zA-Z][\\w\\d_]+)\\s*,\\s*([+=-]{1}|==|!=|<|<=|>|>=|isset|notset)\\s*,?\\s*([a-zA-Z][\\w\\d]+|[\\d]{1,10})?\\s*$"
/* Varnames must begin with a letter */ /* Varnames must begin with a letter */
static pcre *parse_regex; static pcre *parse_regex;
@ -62,8 +60,8 @@ void DetectFlowintRegister (void)
} }
return; return;
error: error:
SCLogInfo("Error registering flowint detection plugin");
return; return;
} }
@ -89,20 +87,27 @@ int DetectFlowintMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
FlowVar *fvt; FlowVar *fvt;
uint32_t targetval; uint32_t targetval;
/** ATM If we are going to compare the current var with another
* that doesn't exist, the default value will be zero;
* if you don't want this behaviour, you can use the keyword
* "isset" to make it match or not before using the default
* value of zero;
* But it is mandatory that the current var exist, otherwise, it will
* return zero(not match).
*/
if (sfd->targettype == FLOWINT_TARGET_VAR) { if (sfd->targettype == FLOWINT_TARGET_VAR) {
sfd->target.tvar.idx = VariableNameGetIdx(det_ctx->de_ctx, sfd->target.tvar.idx = VariableNameGetIdx(det_ctx->de_ctx,
sfd->target.tvar.name, DETECT_FLOWINT); sfd->target.tvar.name, DETECT_FLOWINT);
fvt = FlowVarGet(p->flow, sfd->target.tvar.idx); fvt = FlowVarGet(p->flow, sfd->target.tvar.idx);
if (fvt == NULL)
/* We don't have that variable initialized yet */ /* We don't have that variable initialized yet */
/* so now we need to determine what to do... */ if (fvt == NULL)
return 0; targetval = 0;
//targetval = 0;
else else
targetval = fvt->data.fv_int.value; targetval = fvt->data.fv_int.value;
} else } else {
targetval = sfd->target.value; targetval = sfd->target.value;
}
SCLogDebug("Our var %s is at idx: %"PRIu16"", sfd->name, sfd->idx); SCLogDebug("Our var %s is at idx: %"PRIu16"", sfd->name, sfd->idx);
@ -113,6 +118,23 @@ int DetectFlowintMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
} }
fv = FlowVarGet(p->flow, sfd->idx); fv = FlowVarGet(p->flow, sfd->idx);
if (sfd->modifier == FLOWINT_MODIFIER_ISSET) {
SCLogDebug(" Isset %s? = %u", sfd->name,(fv) ? 1 : 0);
if (fv != NULL)
return 1;
else
return 0;
}
if (sfd->modifier == FLOWINT_MODIFIER_NOTSET) {
SCLogDebug(" Not set %s? = %u", sfd->name,(fv) ? 0 : 1);
if (fv != NULL)
return 0;
else
return 1;
}
if (fv != NULL && fv->datatype == FLOWVAR_TYPE_INT) { if (fv != NULL && fv->datatype == FLOWVAR_TYPE_INT) {
if (sfd->modifier == FLOWINT_MODIFIER_ADD) { if (sfd->modifier == FLOWINT_MODIFIER_ADD) {
@ -160,13 +182,10 @@ int DetectFlowintMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
} else { } else {
SCLogDebug("Var not found!"); SCLogDebug("Var not found!");
/* It doesn't exist because it wasn't set /* It doesn't exist because it wasn't set
* or it is a string var, we can't compare */ * or it is a string var, that we don't compare here
*/
return 0; return 0;
/* TODO: Add a keyword "isset" */
} }
/* It shouldn't reach this */
return 0;
} }
/** /**
@ -190,7 +209,6 @@ DetectFlowintData *DetectFlowintParse (DetectEngineCtx *de_ctx,
int ov[MAX_SUBSTRINGS]; int ov[MAX_SUBSTRINGS];
uint8_t modifier = FLOWINT_MODIFIER_UNKNOWN; uint8_t modifier = FLOWINT_MODIFIER_UNKNOWN;
unsigned long long value_long = 0; unsigned long long value_long = 0;
uint8_t dubbed = 0;
const char *str_ptr; const char *str_ptr;
ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr),
@ -236,19 +254,21 @@ DetectFlowintData *DetectFlowintParse (DetectEngineCtx *de_ctx,
if (strcmp(">", str_ptr) == 0) if (strcmp(">", str_ptr) == 0)
modifier = FLOWINT_MODIFIER_GT; modifier = FLOWINT_MODIFIER_GT;
if (strcmp("isset", str_ptr) == 0) if (strcmp("isset", str_ptr) == 0)
modifier = FLOWINT_MODIFIER_IS; modifier = FLOWINT_MODIFIER_ISSET;
if (strcmp("notset", str_ptr) == 0)
modifier = FLOWINT_MODIFIER_NOTSET;
if (modifier == FLOWINT_MODIFIER_UNKNOWN) if (modifier == FLOWINT_MODIFIER_UNKNOWN)
goto error; goto error;
sfd = malloc(sizeof(DetectFlowintData)); sfd = malloc(sizeof(DetectFlowintData));
if (sfd == NULL) { if (sfd == NULL) {
SCLogDebug ("DetectFlowintSetup malloc failed"); SCLogError(SC_ERR_MEM_ALLOC, "DetectFlowintSetup malloc failed");
goto error; goto error;
} }
/* If we need another arg, check it out(isset doesn't need another arg) */ /* If we need another arg, check it out(isset doesn't need another arg) */
if (modifier != FLOWINT_MODIFIER_IS) { if (modifier != FLOWINT_MODIFIER_ISSET && modifier != FLOWINT_MODIFIER_NOTSET) {
res = pcre_get_substring((char *) rawstr, ov, MAX_SUBSTRINGS, 3, res = pcre_get_substring((char *) rawstr, ov, MAX_SUBSTRINGS, 3,
&str_ptr); &str_ptr);
varval =(char *) str_ptr; varval =(char *) str_ptr;
@ -256,29 +276,18 @@ DetectFlowintData *DetectFlowintParse (DetectEngineCtx *de_ctx,
SCLogDebug("DetectFlowintParse: pcre_get_substring failed"); SCLogDebug("DetectFlowintParse: pcre_get_substring failed");
return NULL; return NULL;
} }
printf("varval = %s!!!\n", varval);
/* get the target value to operate with /* get the target value to operate with
*(it should be a value or another var) */ *(it should be a value or another var) */
if (varval[0] == '\"' && varval[strlen (varval)-1] == '\"') { str = strdup(varval);
str = strdup (varval + 1); if (str == NULL) {
str[strlen (varval)-2] = '\0'; SCLogError(SC_ERR_MEM_ALLOC, "DetectFlowintSetup malloc from strdup failed");
dubbed = 1;
if (str[0] >= '0' && str[0] <= '9') { /* is digit, look at the regexp */
sfd->targettype = FLOWINT_TARGET_VAL;
value_long = atoll (str);
if (value_long > UINT32_MAX) {
SCLogDebug ("DetectFlowintParse: Cannot load this value."
" Values should be between 0 and %"PRIu32, UINT32_MAX);
goto error; goto error;
} }
} else {
sfd->targettype = FLOWINT_TARGET_VAR; if (str[0] >= '0' && str[0] <= '9') { /* is digit, look at the regexp */
sfd->target.tvar.name = strdup (varval);
}
} else {
if (varval[0] >= '0' && varval[0] <= '9') {
sfd->targettype = FLOWINT_TARGET_VAL; sfd->targettype = FLOWINT_TARGET_VAL;
value_long = atoll (varval); value_long = atoll(str);
if (value_long > UINT32_MAX) { if (value_long > UINT32_MAX) {
SCLogDebug("DetectFlowintParse: Cannot load this value." SCLogDebug("DetectFlowintParse: Cannot load this value."
" Values should be between 0 and %"PRIu32, UINT32_MAX); " Values should be between 0 and %"PRIu32, UINT32_MAX);
@ -286,8 +295,7 @@ DetectFlowintData *DetectFlowintParse (DetectEngineCtx *de_ctx,
} }
} else { } else {
sfd->targettype = FLOWINT_TARGET_VAR; sfd->targettype = FLOWINT_TARGET_VAR;
sfd->target.tvar.name = strdup (varval); sfd->target.tvar.name = str;
}
} }
} else { } else {
sfd->targettype = FLOWINT_TARGET_SELF; sfd->targettype = FLOWINT_TARGET_SELF;
@ -301,11 +309,8 @@ DetectFlowintData *DetectFlowintParse (DetectEngineCtx *de_ctx,
sfd->modifier = modifier; sfd->modifier = modifier;
if (dubbed == 1) free (str);
return sfd; return sfd;
error: error:
if (dubbed == 1) free (str);
if (sfd != NULL) free(sfd); if (sfd != NULL) free(sfd);
return NULL; return NULL;
} }
@ -331,8 +336,6 @@ int DetectFlowintSetup (DetectEngineCtx *de_ctx,
if (sfd == NULL) if (sfd == NULL)
goto error; goto error;
sfd->idx = VariableNameGetIdx (de_ctx, sfd->name, DETECT_FLOWINT);
/* Okay so far so good, lets get this into a SigMatch /* Okay so far so good, lets get this into a SigMatch
* and put it in the Signature. */ * and put it in the Signature. */
sm = SigMatchAlloc(); sm = SigMatchAlloc();
@ -986,7 +989,7 @@ error:
*/ */
int DetectFlowintTestParseIsset10(void) int DetectFlowintTestParseIsset10(void)
{ {
int result = 0; int result = 1;
DetectFlowintData *sfd = NULL; DetectFlowintData *sfd = NULL;
DetectEngineCtx *de_ctx; DetectEngineCtx *de_ctx;
de_ctx = DetectEngineCtxInit(); de_ctx = DetectEngineCtxInit();
@ -998,7 +1001,19 @@ int DetectFlowintTestParseIsset10 (void)
DetectFlowintPrintData(sfd); DetectFlowintPrintData(sfd);
if (sfd != NULL && !strcmp(sfd->name, "myvar") if (sfd != NULL && !strcmp(sfd->name, "myvar")
&& sfd->targettype == FLOWINT_TARGET_SELF && sfd->targettype == FLOWINT_TARGET_SELF
&& sfd->modifier == FLOWINT_MODIFIER_IS) { && sfd->modifier == FLOWINT_MODIFIER_ISSET) {
result &= 1;
} else {
result = 0;
}
if (sfd) DetectFlowintFree(sfd);
sfd = DetectFlowintParse(de_ctx, "myvar, notset");
DetectFlowintPrintData(sfd);
if (sfd != NULL && !strcmp(sfd->name, "myvar")
&& sfd->targettype == FLOWINT_TARGET_SELF
&& sfd->modifier == FLOWINT_MODIFIER_NOTSET) {
result &= 1; result &= 1;
} else { } else {
@ -1094,7 +1109,6 @@ error:
return result; return result;
} }
/** \test DetectFlowintTestPacket01Real /** \test DetectFlowintTestPacket01Real
* \brief Set a counter when we see a content:"GET" * \brief Set a counter when we see a content:"GET"
* and increment it by 2 if we match a "Unauthorized" * and increment it by 2 if we match a "Unauthorized"
@ -1441,6 +1455,674 @@ end:
return result; return result;
} }
/**
* \test DetectFlowintTestPacket02Real
* \brief like DetectFlowintTestPacket01Real but using isset/notset keywords
*/
int DetectFlowintTestPacket02Real()
{
int result = 1;
uint8_t pkt1[] = {
0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13,
0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00,
0x00, 0x3c, 0xc2, 0x26, 0x40, 0x00, 0x40, 0x06,
0xf4, 0x67, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8,
0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51,
0x82, 0xb5, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x02,
0x16, 0xd0, 0xe8, 0xb0, 0x00, 0x00, 0x02, 0x04,
0x05, 0xb4, 0x04, 0x02, 0x08, 0x0a, 0x01, 0x72,
0x40, 0x93, 0x00, 0x00, 0x00, 0x00, 0x01, 0x03,
0x03, 0x07
};
uint8_t pkt2[] = {
0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a,
0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 0x00,
0x00, 0x3c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06,
0xb6, 0x8e, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8,
0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04,
0x8b, 0xdd, 0x17, 0x51, 0x82, 0xb6, 0xa0, 0x12,
0x16, 0x80, 0x17, 0x8a, 0x00, 0x00, 0x02, 0x04,
0x05, 0xac, 0x04, 0x02, 0x08, 0x0a, 0x01, 0x29,
0x23, 0x63, 0x01, 0x72, 0x40, 0x93, 0x01, 0x03,
0x03, 0x07
};
uint8_t pkt3[] = {
0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13,
0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00,
0x00, 0x34, 0xc2, 0x27, 0x40, 0x00, 0x40, 0x06,
0xf4, 0x6e, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8,
0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51,
0x82, 0xb6, 0x21, 0x04, 0x8b, 0xde, 0x80, 0x10,
0x00, 0x2e, 0x5c, 0xa0, 0x00, 0x00, 0x01, 0x01,
0x08, 0x0a, 0x01, 0x72, 0x40, 0x93, 0x01, 0x29,
0x23, 0x63
};
uint8_t pkt4[] = {
0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13,
0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00,
0x01, 0x12, 0xc2, 0x28, 0x40, 0x00, 0x40, 0x06,
0xf3, 0x8f, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8,
0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51,
0x82, 0xb6, 0x21, 0x04, 0x8b, 0xde, 0x80, 0x18,
0x00, 0x2e, 0x24, 0x39, 0x00, 0x00, 0x01, 0x01,
0x08, 0x0a, 0x01, 0x72, 0x40, 0x93, 0x01, 0x29,
0x23, 0x63, 0x47, 0x45, 0x54, 0x20, 0x2f, 0x20,
0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e,
0x31, 0x2e, 0x31, 0x0d, 0x0a, 0x41, 0x63, 0x63,
0x65, 0x70, 0x74, 0x3a, 0x20, 0x74, 0x65, 0x78,
0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x2c, 0x20,
0x74, 0x65, 0x78, 0x74, 0x2f, 0x70, 0x6c, 0x61,
0x69, 0x6e, 0x2c, 0x20, 0x74, 0x65, 0x78, 0x74,
0x2f, 0x63, 0x73, 0x73, 0x2c, 0x20, 0x74, 0x65,
0x78, 0x74, 0x2f, 0x73, 0x67, 0x6d, 0x6c, 0x2c,
0x20, 0x2a, 0x2f, 0x2a, 0x3b, 0x71, 0x3d, 0x30,
0x2e, 0x30, 0x31, 0x0d, 0x0a, 0x41, 0x63, 0x63,
0x65, 0x70, 0x74, 0x2d, 0x45, 0x6e, 0x63, 0x6f,
0x64, 0x69, 0x6e, 0x67, 0x3a, 0x20, 0x67, 0x7a,
0x69, 0x70, 0x2c, 0x20, 0x62, 0x7a, 0x69, 0x70,
0x32, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70,
0x74, 0x2d, 0x4c, 0x61, 0x6e, 0x67, 0x75, 0x61,
0x67, 0x65, 0x3a, 0x20, 0x65, 0x6e, 0x0d, 0x0a,
0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65,
0x6e, 0x74, 0x3a, 0x20, 0x4c, 0x79, 0x6e, 0x78,
0x2f, 0x32, 0x2e, 0x38, 0x2e, 0x36, 0x72, 0x65,
0x6c, 0x2e, 0x34, 0x20, 0x6c, 0x69, 0x62, 0x77,
0x77, 0x77, 0x2d, 0x46, 0x4d, 0x2f, 0x32, 0x2e,
0x31, 0x34, 0x20, 0x53, 0x53, 0x4c, 0x2d, 0x4d,
0x4d, 0x2f, 0x31, 0x2e, 0x34, 0x2e, 0x31, 0x20,
0x47, 0x4e, 0x55, 0x54, 0x4c, 0x53, 0x2f, 0x32,
0x2e, 0x30, 0x2e, 0x34, 0x0d, 0x0a, 0x0d, 0x0a
};
uint8_t pkt5[] = {
0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a,
0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 0x00,
0x00, 0x34, 0xa8, 0xbd, 0x40, 0x00, 0x40, 0x06,
0x0d, 0xd9, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8,
0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04,
0x8b, 0xde, 0x17, 0x51, 0x83, 0x94, 0x80, 0x10,
0x00, 0x2d, 0x5b, 0xc3, 0x00, 0x00, 0x01, 0x01,
0x08, 0x0a, 0x01, 0x29, 0x23, 0x63, 0x01, 0x72,
0x40, 0x93
};
uint8_t pkt6[] = {
0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a,
0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 0x00,
0x01, 0xe4, 0xa8, 0xbe, 0x40, 0x00, 0x40, 0x06,
0x0c, 0x28, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8,
0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04,
0x8b, 0xde, 0x17, 0x51, 0x83, 0x94, 0x80, 0x18,
0x00, 0x2d, 0x1b, 0x84, 0x00, 0x00, 0x01, 0x01,
0x08, 0x0a, 0x01, 0x29, 0x23, 0x6a, 0x01, 0x72,
0x40, 0x93, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31,
0x2e, 0x31, 0x20, 0x34, 0x30, 0x31, 0x20, 0x55,
0x6e, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
0x7a, 0x65, 0x64, 0x0d, 0x0a, 0x53, 0x65, 0x72,
0x76, 0x65, 0x72, 0x3a, 0x20, 0x6d, 0x69, 0x63,
0x72, 0x6f, 0x5f, 0x68, 0x74, 0x74, 0x70, 0x64,
0x0d, 0x0a, 0x43, 0x61, 0x63, 0x68, 0x65, 0x2d,
0x43, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x3a,
0x20, 0x6e, 0x6f, 0x2d, 0x63, 0x61, 0x63, 0x68,
0x65, 0x0d, 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a,
0x20, 0x57, 0x65, 0x64, 0x2c, 0x20, 0x31, 0x34,
0x20, 0x4f, 0x63, 0x74, 0x20, 0x32, 0x30, 0x30,
0x39, 0x20, 0x31, 0x33, 0x3a, 0x34, 0x39, 0x3a,
0x35, 0x33, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
0x57, 0x57, 0x57, 0x2d, 0x41, 0x75, 0x74, 0x68,
0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65,
0x3a, 0x20, 0x42, 0x61, 0x73, 0x69, 0x63, 0x20,
0x72, 0x65, 0x61, 0x6c, 0x6d, 0x3d, 0x22, 0x44,
0x53, 0x4c, 0x20, 0x52, 0x6f, 0x75, 0x74, 0x65,
0x72, 0x22, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74,
0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65,
0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68,
0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x43, 0x6f, 0x6e,
0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a,
0x20, 0x63, 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a,
0x0d, 0x0a, 0x3c, 0x48, 0x54, 0x4d, 0x4c, 0x3e,
0x3c, 0x48, 0x45, 0x41, 0x44, 0x3e, 0x3c, 0x54,
0x49, 0x54, 0x4c, 0x45, 0x3e, 0x34, 0x30, 0x31,
0x20, 0x55, 0x6e, 0x61, 0x75, 0x74, 0x68, 0x6f,
0x72, 0x69, 0x7a, 0x65, 0x64, 0x3c, 0x2f, 0x54,
0x49, 0x54, 0x4c, 0x45, 0x3e, 0x3c, 0x2f, 0x48,
0x45, 0x41, 0x44, 0x3e, 0x0a, 0x3c, 0x42, 0x4f,
0x44, 0x59, 0x20, 0x42, 0x47, 0x43, 0x4f, 0x4c,
0x4f, 0x52, 0x3d, 0x22, 0x23, 0x63, 0x63, 0x39,
0x39, 0x39, 0x39, 0x22, 0x3e, 0x3c, 0x48, 0x34,
0x3e, 0x34, 0x30, 0x31, 0x20, 0x55, 0x6e, 0x61,
0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65,
0x64, 0x3c, 0x2f, 0x48, 0x34, 0x3e, 0x0a, 0x41,
0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61,
0x74, 0x69, 0x6f, 0x6e, 0x20, 0x72, 0x65, 0x71,
0x75, 0x69, 0x72, 0x65, 0x64, 0x2e, 0x0a, 0x3c,
0x48, 0x52, 0x3e, 0x0a, 0x3c, 0x41, 0x44, 0x44,
0x52, 0x45, 0x53, 0x53, 0x3e, 0x3c, 0x41, 0x20,
0x48, 0x52, 0x45, 0x46, 0x3d, 0x22, 0x68, 0x74,
0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77,
0x2e, 0x61, 0x63, 0x6d, 0x65, 0x2e, 0x63, 0x6f,
0x6d, 0x2f, 0x73, 0x6f, 0x66, 0x74, 0x77, 0x61,
0x72, 0x65, 0x2f, 0x6d, 0x69, 0x63, 0x72, 0x6f,
0x5f, 0x68, 0x74, 0x74, 0x70, 0x64, 0x2f, 0x22,
0x3e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x5f, 0x68,
0x74, 0x74, 0x70, 0x64, 0x3c, 0x2f, 0x41, 0x3e,
0x3c, 0x2f, 0x41, 0x44, 0x44, 0x52, 0x45, 0x53,
0x53, 0x3e, 0x0a, 0x3c, 0x2f, 0x42, 0x4f, 0x44,
0x59, 0x3e, 0x3c, 0x2f, 0x48, 0x54, 0x4d, 0x4c,
0x3e, 0x0a
};
uint8_t pkt7[] = {
0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13,
0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00,
0x00, 0x34, 0xc2, 0x29, 0x40, 0x00, 0x40, 0x06,
0xf4, 0x6c, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8,
0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51,
0x83, 0x94, 0x21, 0x04, 0x8d, 0x8e, 0x80, 0x10,
0x00, 0x36, 0x59, 0xfa, 0x00, 0x00, 0x01, 0x01,
0x08, 0x0a, 0x01, 0x72, 0x40, 0x9c, 0x01, 0x29,
0x23, 0x6a
};
uint8_t pkt8[] = {
0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a,
0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 0x00,
0x00, 0x34, 0xa8, 0xbf, 0x40, 0x00, 0x40, 0x06,
0x0d, 0xd7, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8,
0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04,
0x8d, 0x8e, 0x17, 0x51, 0x83, 0x94, 0x80, 0x11,
0x00, 0x2d, 0x5a, 0x0b, 0x00, 0x00, 0x01, 0x01,
0x08, 0x0a, 0x01, 0x29, 0x23, 0x6a, 0x01, 0x72,
0x40, 0x93
};
uint8_t pkt9[] = {
0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13,
0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00,
0x00, 0x34, 0xc2, 0x2a, 0x40, 0x00, 0x40, 0x06,
0xf4, 0x6b, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8,
0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51,
0x83, 0x94, 0x21, 0x04, 0x8d, 0x8f, 0x80, 0x10,
0x00, 0x36, 0x59, 0xef, 0x00, 0x00, 0x01, 0x01,
0x08, 0x0a, 0x01, 0x72, 0x40, 0xa6, 0x01, 0x29,
0x23, 0x6a
};
uint8_t pkt10[] = {
0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13,
0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00,
0x00, 0x34, 0xc2, 0x2b, 0x40, 0x00, 0x40, 0x06,
0xf4, 0x6a, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8,
0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51,
0x83, 0x94, 0x21, 0x04, 0x8d, 0x8f, 0x80, 0x11,
0x00, 0x36, 0x57, 0x0a, 0x00, 0x00, 0x01, 0x01,
0x08, 0x0a, 0x01, 0x72, 0x43, 0x8a, 0x01, 0x29,
0x23, 0x6a
};
uint8_t pkt11[] = {
0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a,
0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 0x00,
0x00, 0x34, 0x10, 0xaf, 0x40, 0x00, 0x40, 0x06,
0xa5, 0xe7, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8,
0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04,
0x8d, 0x8f, 0x17, 0x51, 0x83, 0x95, 0x80, 0x10,
0x00, 0x2d, 0x54, 0xbb, 0x00, 0x00, 0x01, 0x01,
0x08, 0x0a, 0x01, 0x29, 0x25, 0xc2, 0x01, 0x72,
0x43, 0x8a
};
uint8_t *pkts[] = {
pkt1, pkt2, pkt3, pkt4, pkt5, pkt6, pkt7, pkt8,
pkt9, pkt10, pkt11
};
uint16_t pktssizes[] = {
sizeof(pkt1), sizeof(pkt2), sizeof(pkt3), sizeof(pkt4), sizeof(pkt5),
sizeof(pkt6), sizeof(pkt7), sizeof(pkt8), sizeof(pkt9), sizeof(pkt10),
sizeof(pkt11)
};
Packet p;
DecodeThreadVars dtv;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&th_v, 0, sizeof(th_v));
FlowInitConfig(FLOW_QUIET);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
/* Now that we have the array of packets for the flow, prepare the signatures */
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Setting a flowint counter\"; content:\"GET\"; flowint: myvar, notset; flowint:maxvar,notset; flowint: myvar,=,1; flowint: maxvar,=,6; sid:101;)");
de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Adding to flowint counter\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: myvar,+,2; sid:102;)");
de_ctx->sig_list->next->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"if the flowint counter is 3 create a new counter\"; content:\"Unauthorized\"; flowint: myvar, isset; flowint: myvar,==,3; flowint:cntpackets,notset; flowint: cntpackets, =, 0; sid:103;)");
de_ctx->sig_list->next->next->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"and count the rest of the packets received without generating alerts!!!\"; flowint: cntpackets,isset; flowint: cntpackets, +, 1; noalert;sid:104;)");
/* comparation of myvar with maxvar */
de_ctx->sig_list->next->next->next->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\" and fire this when it reach 6\"; flowint: cntpackets, isset; flowint: maxvar,isset; flowint: cntpackets, ==, maxvar; sid:105;)");
/* I know it's a bit ugly, */
de_ctx->sig_list->next->next->next->next->next = NULL;
SigGroupBuild(de_ctx);
//PatternMatchPrepare(mpm_ctx, MPM_B2G);
DetectEngineThreadCtxInit(&th_v,(void *) de_ctx,(void *) &det_ctx);
/* Get the idx of the vars we are going to track */
uint16_t idx1, idx2;
idx1 = VariableNameGetIdx(det_ctx->de_ctx, "myvar", DETECT_FLOWINT);
idx2 = VariableNameGetIdx(det_ctx->de_ctx, "cntpackets", DETECT_FLOWINT);
int i;
/* Decode the packets, and test the matches*/
for (i = 0;i < 11;i++) {
memset(&p, 0, sizeof(Packet));
DecodeEthernet(&th_v, &dtv, &p, pkts[i], pktssizes[i], NULL);
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
switch(i) {
case 3:
if (PacketAlertCheck(&p, 101) == 0) {
SCLogDebug("Not declared/initialized!");
result = 0;
}
break;
case 5:
if (PacketAlertCheck(&p, 102) == 0) {
SCLogDebug("Not incremented!");
result = 0;
}
if (PacketAlertCheck(&p, 103) == 0) {
SCLogDebug("myvar is not 3 or bad cmp!!");
result = 0;
}
break;
case 10:
if (PacketAlertCheck(&p, 105) == 0) {
SCLogDebug("Not declared/initialized/or well incremented the"
" second var!");
result = 0;
}
break;
}
SCLogDebug("Raw Packet %d has %u alerts ", i, p.alerts.cnt);
}
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v,(void *) det_ctx);
//PatternMatchDestroy(mpm_ctx);
DetectEngineCtxFree(de_ctx);
FlowShutdown();
return result;
end:
if (de_ctx) {
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
}
if (det_ctx)
DetectEngineThreadCtxDeinit(&th_v,(void *) det_ctx);
//PatternMatchDestroy(mpm_ctx);
if (de_ctx)
DetectEngineCtxFree(de_ctx);
FlowShutdown();
return result;
}
/**
* \test DetectFlowintTestPacket03Real
* \brief Check the behaviour of isset/notset
*/
int DetectFlowintTestPacket03Real()
{
int result = 1;
uint8_t pkt1[] = {
0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13,
0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00,
0x00, 0x3c, 0xc2, 0x26, 0x40, 0x00, 0x40, 0x06,
0xf4, 0x67, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8,
0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51,
0x82, 0xb5, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x02,
0x16, 0xd0, 0xe8, 0xb0, 0x00, 0x00, 0x02, 0x04,
0x05, 0xb4, 0x04, 0x02, 0x08, 0x0a, 0x01, 0x72,
0x40, 0x93, 0x00, 0x00, 0x00, 0x00, 0x01, 0x03,
0x03, 0x07
};
uint8_t pkt2[] = {
0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a,
0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 0x00,
0x00, 0x3c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06,
0xb6, 0x8e, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8,
0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04,
0x8b, 0xdd, 0x17, 0x51, 0x82, 0xb6, 0xa0, 0x12,
0x16, 0x80, 0x17, 0x8a, 0x00, 0x00, 0x02, 0x04,
0x05, 0xac, 0x04, 0x02, 0x08, 0x0a, 0x01, 0x29,
0x23, 0x63, 0x01, 0x72, 0x40, 0x93, 0x01, 0x03,
0x03, 0x07
};
uint8_t pkt3[] = {
0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13,
0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00,
0x00, 0x34, 0xc2, 0x27, 0x40, 0x00, 0x40, 0x06,
0xf4, 0x6e, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8,
0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51,
0x82, 0xb6, 0x21, 0x04, 0x8b, 0xde, 0x80, 0x10,
0x00, 0x2e, 0x5c, 0xa0, 0x00, 0x00, 0x01, 0x01,
0x08, 0x0a, 0x01, 0x72, 0x40, 0x93, 0x01, 0x29,
0x23, 0x63
};
uint8_t pkt4[] = {
0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13,
0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00,
0x01, 0x12, 0xc2, 0x28, 0x40, 0x00, 0x40, 0x06,
0xf3, 0x8f, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8,
0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51,
0x82, 0xb6, 0x21, 0x04, 0x8b, 0xde, 0x80, 0x18,
0x00, 0x2e, 0x24, 0x39, 0x00, 0x00, 0x01, 0x01,
0x08, 0x0a, 0x01, 0x72, 0x40, 0x93, 0x01, 0x29,
0x23, 0x63, 0x47, 0x45, 0x54, 0x20, 0x2f, 0x20,
0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e,
0x31, 0x2e, 0x31, 0x0d, 0x0a, 0x41, 0x63, 0x63,
0x65, 0x70, 0x74, 0x3a, 0x20, 0x74, 0x65, 0x78,
0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x2c, 0x20,
0x74, 0x65, 0x78, 0x74, 0x2f, 0x70, 0x6c, 0x61,
0x69, 0x6e, 0x2c, 0x20, 0x74, 0x65, 0x78, 0x74,
0x2f, 0x63, 0x73, 0x73, 0x2c, 0x20, 0x74, 0x65,
0x78, 0x74, 0x2f, 0x73, 0x67, 0x6d, 0x6c, 0x2c,
0x20, 0x2a, 0x2f, 0x2a, 0x3b, 0x71, 0x3d, 0x30,
0x2e, 0x30, 0x31, 0x0d, 0x0a, 0x41, 0x63, 0x63,
0x65, 0x70, 0x74, 0x2d, 0x45, 0x6e, 0x63, 0x6f,
0x64, 0x69, 0x6e, 0x67, 0x3a, 0x20, 0x67, 0x7a,
0x69, 0x70, 0x2c, 0x20, 0x62, 0x7a, 0x69, 0x70,
0x32, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70,
0x74, 0x2d, 0x4c, 0x61, 0x6e, 0x67, 0x75, 0x61,
0x67, 0x65, 0x3a, 0x20, 0x65, 0x6e, 0x0d, 0x0a,
0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65,
0x6e, 0x74, 0x3a, 0x20, 0x4c, 0x79, 0x6e, 0x78,
0x2f, 0x32, 0x2e, 0x38, 0x2e, 0x36, 0x72, 0x65,
0x6c, 0x2e, 0x34, 0x20, 0x6c, 0x69, 0x62, 0x77,
0x77, 0x77, 0x2d, 0x46, 0x4d, 0x2f, 0x32, 0x2e,
0x31, 0x34, 0x20, 0x53, 0x53, 0x4c, 0x2d, 0x4d,
0x4d, 0x2f, 0x31, 0x2e, 0x34, 0x2e, 0x31, 0x20,
0x47, 0x4e, 0x55, 0x54, 0x4c, 0x53, 0x2f, 0x32,
0x2e, 0x30, 0x2e, 0x34, 0x0d, 0x0a, 0x0d, 0x0a
};
uint8_t pkt5[] = {
0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a,
0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 0x00,
0x00, 0x34, 0xa8, 0xbd, 0x40, 0x00, 0x40, 0x06,
0x0d, 0xd9, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8,
0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04,
0x8b, 0xde, 0x17, 0x51, 0x83, 0x94, 0x80, 0x10,
0x00, 0x2d, 0x5b, 0xc3, 0x00, 0x00, 0x01, 0x01,
0x08, 0x0a, 0x01, 0x29, 0x23, 0x63, 0x01, 0x72,
0x40, 0x93
};
uint8_t pkt6[] = {
0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a,
0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 0x00,
0x01, 0xe4, 0xa8, 0xbe, 0x40, 0x00, 0x40, 0x06,
0x0c, 0x28, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8,
0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04,
0x8b, 0xde, 0x17, 0x51, 0x83, 0x94, 0x80, 0x18,
0x00, 0x2d, 0x1b, 0x84, 0x00, 0x00, 0x01, 0x01,
0x08, 0x0a, 0x01, 0x29, 0x23, 0x6a, 0x01, 0x72,
0x40, 0x93, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31,
0x2e, 0x31, 0x20, 0x34, 0x30, 0x31, 0x20, 0x55,
0x6e, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
0x7a, 0x65, 0x64, 0x0d, 0x0a, 0x53, 0x65, 0x72,
0x76, 0x65, 0x72, 0x3a, 0x20, 0x6d, 0x69, 0x63,
0x72, 0x6f, 0x5f, 0x68, 0x74, 0x74, 0x70, 0x64,
0x0d, 0x0a, 0x43, 0x61, 0x63, 0x68, 0x65, 0x2d,
0x43, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x3a,
0x20, 0x6e, 0x6f, 0x2d, 0x63, 0x61, 0x63, 0x68,
0x65, 0x0d, 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a,
0x20, 0x57, 0x65, 0x64, 0x2c, 0x20, 0x31, 0x34,
0x20, 0x4f, 0x63, 0x74, 0x20, 0x32, 0x30, 0x30,
0x39, 0x20, 0x31, 0x33, 0x3a, 0x34, 0x39, 0x3a,
0x35, 0x33, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
0x57, 0x57, 0x57, 0x2d, 0x41, 0x75, 0x74, 0x68,
0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65,
0x3a, 0x20, 0x42, 0x61, 0x73, 0x69, 0x63, 0x20,
0x72, 0x65, 0x61, 0x6c, 0x6d, 0x3d, 0x22, 0x44,
0x53, 0x4c, 0x20, 0x52, 0x6f, 0x75, 0x74, 0x65,
0x72, 0x22, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74,
0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65,
0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68,
0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x43, 0x6f, 0x6e,
0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a,
0x20, 0x63, 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a,
0x0d, 0x0a, 0x3c, 0x48, 0x54, 0x4d, 0x4c, 0x3e,
0x3c, 0x48, 0x45, 0x41, 0x44, 0x3e, 0x3c, 0x54,
0x49, 0x54, 0x4c, 0x45, 0x3e, 0x34, 0x30, 0x31,
0x20, 0x55, 0x6e, 0x61, 0x75, 0x74, 0x68, 0x6f,
0x72, 0x69, 0x7a, 0x65, 0x64, 0x3c, 0x2f, 0x54,
0x49, 0x54, 0x4c, 0x45, 0x3e, 0x3c, 0x2f, 0x48,
0x45, 0x41, 0x44, 0x3e, 0x0a, 0x3c, 0x42, 0x4f,
0x44, 0x59, 0x20, 0x42, 0x47, 0x43, 0x4f, 0x4c,
0x4f, 0x52, 0x3d, 0x22, 0x23, 0x63, 0x63, 0x39,
0x39, 0x39, 0x39, 0x22, 0x3e, 0x3c, 0x48, 0x34,
0x3e, 0x34, 0x30, 0x31, 0x20, 0x55, 0x6e, 0x61,
0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65,
0x64, 0x3c, 0x2f, 0x48, 0x34, 0x3e, 0x0a, 0x41,
0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61,
0x74, 0x69, 0x6f, 0x6e, 0x20, 0x72, 0x65, 0x71,
0x75, 0x69, 0x72, 0x65, 0x64, 0x2e, 0x0a, 0x3c,
0x48, 0x52, 0x3e, 0x0a, 0x3c, 0x41, 0x44, 0x44,
0x52, 0x45, 0x53, 0x53, 0x3e, 0x3c, 0x41, 0x20,
0x48, 0x52, 0x45, 0x46, 0x3d, 0x22, 0x68, 0x74,
0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77,
0x2e, 0x61, 0x63, 0x6d, 0x65, 0x2e, 0x63, 0x6f,
0x6d, 0x2f, 0x73, 0x6f, 0x66, 0x74, 0x77, 0x61,
0x72, 0x65, 0x2f, 0x6d, 0x69, 0x63, 0x72, 0x6f,
0x5f, 0x68, 0x74, 0x74, 0x70, 0x64, 0x2f, 0x22,
0x3e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x5f, 0x68,
0x74, 0x74, 0x70, 0x64, 0x3c, 0x2f, 0x41, 0x3e,
0x3c, 0x2f, 0x41, 0x44, 0x44, 0x52, 0x45, 0x53,
0x53, 0x3e, 0x0a, 0x3c, 0x2f, 0x42, 0x4f, 0x44,
0x59, 0x3e, 0x3c, 0x2f, 0x48, 0x54, 0x4d, 0x4c,
0x3e, 0x0a
};
uint8_t pkt7[] = {
0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13,
0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00,
0x00, 0x34, 0xc2, 0x29, 0x40, 0x00, 0x40, 0x06,
0xf4, 0x6c, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8,
0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51,
0x83, 0x94, 0x21, 0x04, 0x8d, 0x8e, 0x80, 0x10,
0x00, 0x36, 0x59, 0xfa, 0x00, 0x00, 0x01, 0x01,
0x08, 0x0a, 0x01, 0x72, 0x40, 0x9c, 0x01, 0x29,
0x23, 0x6a
};
uint8_t pkt8[] = {
0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a,
0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 0x00,
0x00, 0x34, 0xa8, 0xbf, 0x40, 0x00, 0x40, 0x06,
0x0d, 0xd7, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8,
0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04,
0x8d, 0x8e, 0x17, 0x51, 0x83, 0x94, 0x80, 0x11,
0x00, 0x2d, 0x5a, 0x0b, 0x00, 0x00, 0x01, 0x01,
0x08, 0x0a, 0x01, 0x29, 0x23, 0x6a, 0x01, 0x72,
0x40, 0x93
};
uint8_t pkt9[] = {
0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13,
0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00,
0x00, 0x34, 0xc2, 0x2a, 0x40, 0x00, 0x40, 0x06,
0xf4, 0x6b, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8,
0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51,
0x83, 0x94, 0x21, 0x04, 0x8d, 0x8f, 0x80, 0x10,
0x00, 0x36, 0x59, 0xef, 0x00, 0x00, 0x01, 0x01,
0x08, 0x0a, 0x01, 0x72, 0x40, 0xa6, 0x01, 0x29,
0x23, 0x6a
};
uint8_t pkt10[] = {
0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13,
0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00,
0x00, 0x34, 0xc2, 0x2b, 0x40, 0x00, 0x40, 0x06,
0xf4, 0x6a, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8,
0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51,
0x83, 0x94, 0x21, 0x04, 0x8d, 0x8f, 0x80, 0x11,
0x00, 0x36, 0x57, 0x0a, 0x00, 0x00, 0x01, 0x01,
0x08, 0x0a, 0x01, 0x72, 0x43, 0x8a, 0x01, 0x29,
0x23, 0x6a
};
uint8_t pkt11[] = {
0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a,
0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 0x00,
0x00, 0x34, 0x10, 0xaf, 0x40, 0x00, 0x40, 0x06,
0xa5, 0xe7, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8,
0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04,
0x8d, 0x8f, 0x17, 0x51, 0x83, 0x95, 0x80, 0x10,
0x00, 0x2d, 0x54, 0xbb, 0x00, 0x00, 0x01, 0x01,
0x08, 0x0a, 0x01, 0x29, 0x25, 0xc2, 0x01, 0x72,
0x43, 0x8a
};
uint8_t *pkts[] = {
pkt1, pkt2, pkt3, pkt4, pkt5, pkt6, pkt7, pkt8,
pkt9, pkt10, pkt11
};
uint16_t pktssizes[] = {
sizeof(pkt1), sizeof(pkt2), sizeof(pkt3), sizeof(pkt4), sizeof(pkt5),
sizeof(pkt6), sizeof(pkt7), sizeof(pkt8), sizeof(pkt9), sizeof(pkt10),
sizeof(pkt11)
};
Packet p;
DecodeThreadVars dtv;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&th_v, 0, sizeof(th_v));
FlowInitConfig(FLOW_QUIET);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
/* Now that we have the array of packets for the flow, prepare the signatures */
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"check notset\"; content:\"GET\"; flowint: myvar, notset; flowint: myvar,=,0; flowint: other,=,10; sid:101;)");
de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"check isset\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: other,isset; sid:102;)");
de_ctx->sig_list->next->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"check notset\"; content:\"Unauthorized\"; flowint:lala,isset; sid:103;)");
de_ctx->sig_list->next->next->next = NULL;
SigGroupBuild(de_ctx);
//PatternMatchPrepare(mpm_ctx, MPM_B2G);
DetectEngineThreadCtxInit(&th_v,(void *) de_ctx,(void *) &det_ctx);
/* Get the idx of the vars we are going to track */
uint16_t idx1, idx2;
idx1 = VariableNameGetIdx(det_ctx->de_ctx, "myvar", DETECT_FLOWINT);
idx2 = VariableNameGetIdx(det_ctx->de_ctx, "cntpackets", DETECT_FLOWINT);
int i;
/* Decode the packets, and test the matches*/
for (i = 0;i < 11;i++) {
memset(&p, 0, sizeof(Packet));
DecodeEthernet(&th_v, &dtv, &p, pkts[i], pktssizes[i], NULL);
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
switch(i) {
case 3:
if (PacketAlertCheck(&p, 101) == 0) {
SCLogDebug("Not declared/initialized but match!");
result = 0;
}
if (PacketAlertCheck(&p, 103) != 0) {
SCLogDebug(" var lala is never set, it should NOT match!!");
result = 0;
}
break;
case 5:
if (PacketAlertCheck(&p, 102) == 0) {
SCLogDebug("Not incremented!");
result = 0;
}
if (PacketAlertCheck(&p, 103) != 0) {
SCLogDebug(" var lala is never set, it should NOT match!!");
result = 0;
}
break;
}
SCLogDebug("Raw Packet %d has %u alerts ", i, p.alerts.cnt);
}
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v,(void *) det_ctx);
//PatternMatchDestroy(mpm_ctx);
DetectEngineCtxFree(de_ctx);
FlowShutdown();
return result;
end:
if (de_ctx) {
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
}
if (det_ctx)
DetectEngineThreadCtxDeinit(&th_v,(void *) det_ctx);
//PatternMatchDestroy(mpm_ctx);
if (de_ctx)
DetectEngineCtxFree(de_ctx);
FlowShutdown();
return result;
}
#endif /* UNITTESTS */ #endif /* UNITTESTS */
@ -1492,5 +2174,9 @@ void DetectFlowintRegisterTests (void)
DetectFlowintTestParseInvalidSyntaxis01, 1); DetectFlowintTestParseInvalidSyntaxis01, 1);
UtRegisterTest("DetectFlowintTestPacket01Real", UtRegisterTest("DetectFlowintTestPacket01Real",
DetectFlowintTestPacket01Real, 1); DetectFlowintTestPacket01Real, 1);
UtRegisterTest("DetectFlowintTestPacket02Real",
DetectFlowintTestPacket02Real, 1);
UtRegisterTest("DetectFlowintTestPacket03Real",
DetectFlowintTestPacket03Real, 1);
#endif /* UNITTESTS */ #endif /* UNITTESTS */
} }

20
src/detect-flowint.h
Unescape Escape View File

@ -15,8 +15,9 @@ enum {
FLOWINT_MODIFIER_NE, FLOWINT_MODIFIER_NE,
FLOWINT_MODIFIER_GE, FLOWINT_MODIFIER_GE,
FLOWINT_MODIFIER_GT, FLOWINT_MODIFIER_GT,
/** Checking if a var isset (keyword isset)*/ /** Checking if a var is set (keyword isset/notset)*/
FLOWINT_MODIFIER_IS, FLOWINT_MODIFIER_ISSET,
FLOWINT_MODIFIER_NOTSET,
FLOWINT_MODIFIER_UNKNOWN FLOWINT_MODIFIER_UNKNOWN
}; };
@ -37,17 +38,22 @@ typedef struct TargetVar_ {
/** Context data for flowint vars */ /** Context data for flowint vars */
typedef struct DetectFlowintData_ { typedef struct DetectFlowintData_ {
char *name; /* This is the main var we are going to use /* This is the main var we are going to use
* against the target */ * against the target */
char *name;
/* Internal id of the var */
uint16_t idx; uint16_t idx;
uint8_t modifier; /* The modifier/operation/condition we are /* The modifier/operation/condition we are
* going to execute */ * going to execute */
uint8_t modifier;
uint8_t targettype; uint8_t targettype;
union { union {
uint32_t value; /* the target value */ /* the target value */
TargetVar tvar; /* or the target var */ uint32_t value;
/* or the target var */
TargetVar tvar;
} target; } target;
} DetectFlowintData; } DetectFlowintData;

5
src/flow-var.c
Unescape Escape View File

@ -124,10 +124,11 @@ void FlowVarPrint(GenericVar *gv) {
printf("\\%02X", fv->data.fv_str.value[i]); printf("\\%02X", fv->data.fv_str.value[i]);
} }
printf("\", Len \"%" PRIu32 "\"\n", fv->data.fv_str.value_len); printf("\", Len \"%" PRIu32 "\"\n", fv->data.fv_str.value_len);
} } else if (fv->datatype == FLOWVAR_TYPE_INT) {
if (fv->datatype == FLOWVAR_TYPE_INT) {
printf("Name idx \"%" PRIu32 "\", Value \"%" PRIu32 "\"", fv->idx, printf("Name idx \"%" PRIu32 "\", Value \"%" PRIu32 "\"", fv->idx,
fv->data.fv_int.value); fv->data.fv_int.value);
} else {
printf("Unknown data type at flowvars\n");
} }
} }
FlowVarPrint(gv->next); FlowVarPrint(gv->next);

10
src/flow-var.h
Unescape Escape View File

@ -1,5 +1,11 @@
/* Copyright (c) 2008 Victor Julien <victor@inliniac.net> */ /** Copyright(c) 2009 Open Information Security Foundation.
/* Copyright (c) 2009 Pablo Rincon <pablo.rincon.crespo@gmail.com> */ *
* \author Victor Julien <victor@inliniac.net>
* \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
*
* Flow level variable support for complex detection rules
* Supported types atm are String and Integers
*/
#ifndef __FLOW_VAR_H__ #ifndef __FLOW_VAR_H__
#define __FLOW_VAR_H__ #define __FLOW_VAR_H__

24
src/util-var-name.c
Unescape Escape View File

@ -104,27 +104,3 @@ error:
return 0; return 0;
} }
/** We need to use this at flowints/flowvars
* Need to support options "isset" and "!isset"
* return 0 if not set, the idx if it's set */
uint8_t VariableNameIsSet(DetectEngineCtx *de_ctx, char *name, uint8_t type) {
VariableName *fn = malloc(sizeof(VariableName));
uint8_t result = 0;
if (fn == NULL)
goto end;
memset(fn, 0, sizeof(VariableName));
fn->type = type;
fn->name = strdup(name);
if (fn->name == NULL)
goto end;
VariableName *lookup_fn = (VariableName *)HashListTableLookup(de_ctx->variable_names, (void *)fn, 0);
if (lookup_fn != NULL)
result = lookup_fn->idx;
end:
VariableNameFree(fn);
return result;
}

Write Preview
Loading…
Cancel
Save