aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect: add and use util func for alproto sets

Browse Source
pull/2559/head
Victor Julien 9 years ago
parent c477c4370e
commit cc4010343d
20 changed files with 69 additions and 185 deletions
Show Stats Download Patch File Download Diff File

16
src/detect-app-layer-event.c
Unescape Escape View File

@ -336,23 +336,13 @@ static int DetectAppLayerEventSetupP1(DetectEngineCtx *de_ctx, Signature *s, cha
sm->type = DETECT_AL_APP_LAYER_EVENT;
sm->ctx = (SigMatchCtx *)data;
if (s->alproto != ALPROTO_UNKNOWN) {
if (s->alproto != data->alproto) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains "
"conflicting keywords needing different alprotos");
goto error;
}
} else {
s->alproto = data->alproto;
}
if (event_type == APP_LAYER_EVENT_TYPE_PACKET) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
} else {
/* We push it to this list temporarily. We deal with
* these in DetectAppLayerEventPrepare(). */
if (DetectSignatureSetAppProto(s, data->alproto) != 0)
goto error;
SigMatchAppendSMToList(s, sm, g_applayer_events_list_id);
s->flags |= SIG_FLAG_APPLAYER;
}
return 0;

7
src/detect-byte-extract.c
Unescape Escape View File

@ -561,12 +561,9 @@ static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
}
if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
"byte_extract with dce enabled");
if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
goto error;
}
s->alproto = ALPROTO_DCERPC;
if ((data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) ||
(data->base == DETECT_BYTE_EXTRACT_BASE_DEC) ||
(data->base == DETECT_BYTE_EXTRACT_BASE_HEX) ||

9
src/detect-bytejump.c
Unescape Escape View File

@ -539,8 +539,8 @@ static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts
sm_list = DETECT_SM_LIST_PMATCH;
}
s->alproto = ALPROTO_DCERPC;
s->flags |= SIG_FLAG_APPLAYER;
if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
goto error;
} else if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
prev_pm = DetectGetLastSMFromLists(s,
@ -560,11 +560,6 @@ static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts
}
if (data->flags & DETECT_BYTEJUMP_DCE) {
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
"bytejump with dce enabled");
goto error;
}
if ((data->flags & DETECT_BYTEJUMP_STRING) ||
(data->flags & DETECT_BYTEJUMP_LITTLE) ||
(data->flags & DETECT_BYTEJUMP_BIG) ||

9
src/detect-bytetest.c
Unescape Escape View File

@ -467,8 +467,8 @@ static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts
sm_list = DETECT_SM_LIST_PMATCH;
}
s->alproto = ALPROTO_DCERPC;
s->flags |= SIG_FLAG_APPLAYER;
if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
goto error;
} else if (data->flags & DETECT_BYTETEST_RELATIVE) {
prev_pm = DetectGetLastSMFromLists(s,
@ -488,11 +488,6 @@ static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts
}
if (data->flags & DETECT_BYTETEST_DCE) {
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
"bytetest with dce enabled");
goto error;
}
if ((data->flags & DETECT_BYTETEST_STRING) ||
(data->flags & DETECT_BYTETEST_LITTLE) ||
(data->flags & DETECT_BYTETEST_BIG) ||

21
src/detect-cipservice.c
Unescape Escape View File

@ -207,12 +207,8 @@ static int DetectCipServiceSetup(DetectEngineCtx *de_ctx, Signature *s,
DetectCipServiceData *cipserviced = NULL;
SigMatch *sm = NULL;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_ENIP)
{
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
"rule contains conflicting keywords.");
goto error;
}
if (DetectSignatureSetAppProto(s, ALPROTO_ENIP) != 0)
return -1;
cipserviced = DetectCipServiceParse(rulestr);
if (cipserviced == NULL)
@ -225,10 +221,7 @@ static int DetectCipServiceSetup(DetectEngineCtx *de_ctx, Signature *s,
sm->type = DETECT_CIPSERVICE;
sm->ctx = (void *) cipserviced;
s->alproto = ALPROTO_ENIP;
SigMatchAppendSMToList(s, sm, g_cip_buffer_id);
SCReturnInt(0);
error:
@ -384,12 +377,8 @@ static int DetectEnipCommandSetup(DetectEngineCtx *de_ctx, Signature *s,
DetectEnipCommandData *enipcmdd = NULL;
SigMatch *sm = NULL;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_ENIP)
{
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
"rule contains conflicting keywords.");
goto error;
}
if (DetectSignatureSetAppProto(s, ALPROTO_ENIP) != 0)
return -1;
enipcmdd = DetectEnipCommandParse(rulestr);
if (enipcmdd == NULL)
@ -402,9 +391,7 @@ static int DetectEnipCommandSetup(DetectEngineCtx *de_ctx, Signature *s,
sm->type = DETECT_ENIPCOMMAND;
sm->ctx = (void *) enipcmdd;
s->alproto = ALPROTO_ENIP;
SigMatchAppendSMToList(s, sm, g_enip_buffer_id);
SCReturnInt(0);
error:

8
src/detect-dce-iface.c
Unescape Escape View File

@ -370,10 +370,8 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
DetectDceIfaceData *did = NULL;
SigMatch *sm = NULL;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
return -1;
}
did = DetectDceIfaceArgParse(arg);
if (did == NULL) {
@ -390,10 +388,6 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
sm->ctx = (void *)did;
SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
s->alproto = ALPROTO_DCERPC;
/* Flagged the signature as to inspect the app layer data */
s->flags |= SIG_FLAG_APPLAYER;
return 0;
error:

8
src/detect-dce-opnum.c
Unescape Escape View File

@ -296,10 +296,8 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
return -1;
}
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
return -1;
}
dod = DetectDceOpnumArgParse(arg);
if (dod == NULL) {
@ -316,10 +314,6 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
sm->ctx = (void *)dod;
SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
s->alproto = ALPROTO_DCERPC;
/* Flagged the signature as to inspect the app layer data */
s->flags |= SIG_FLAG_APPLAYER;
return 0;
error:

12
src/detect-dce-stub-data.c
Unescape Escape View File

@ -237,19 +237,11 @@ void DetectDceStubDataRegister(void)
static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
"rule contains conflicting keywords.");
goto error;
}
if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
return -1;
s->init_data->list = g_dce_stub_data_buffer_id;
s->alproto = ALPROTO_DCERPC;
s->flags |= SIG_FLAG_APPLAYER;
return 0;
error:
return -1;
}
/************************************Unittests*********************************/

7
src/detect-ftpbounce.c
Unescape Escape View File

@ -225,10 +225,8 @@ int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, char *ftpbounces
SigMatch *sm = NULL;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_FTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
if (DetectSignatureSetAppProto(s, ALPROTO_FTP) != 0)
return -1;
}
sm = SigMatchAlloc();
if (sm == NULL) {
@ -249,9 +247,6 @@ int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, char *ftpbounces
sm->ctx = NULL;
SigMatchAppendSMToList(s, sm, g_ftp_request_list_id);
s->alproto = ALPROTO_FTP;
s->flags |= SIG_FLAG_APPLAYER;
SCReturnInt(0);
}

7
src/detect-modbus.c
Unescape Escape View File

@ -366,10 +366,8 @@ static int DetectModbusSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
DetectModbus *modbus = NULL;
SigMatch *sm = NULL;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_MODBUS) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
goto error;
}
if (DetectSignatureSetAppProto(s, ALPROTO_MODBUS) != 0)
return -1;
if ((modbus = DetectModbusFunctionParse(str)) == NULL) {
if ((modbus = DetectModbusAccessParse(str)) == NULL) {
@ -387,7 +385,6 @@ static int DetectModbusSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
sm->ctx = (void *) modbus;
SigMatchAppendSMToList(s, sm, g_modbus_buffer_id);
s->alproto = ALPROTO_MODBUS;
SCReturnInt(0);

20
src/detect-parse.c
Unescape Escape View File

@ -1193,6 +1193,26 @@ void SigFree(Signature *s)
SCFree(s);
}
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
{
if (alproto == ALPROTO_UNKNOWN ||
alproto >= ALPROTO_FAILED) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid alproto %u", alproto);
return -1;
}
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != alproto) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
"can't set rule app proto to %s: already set to %s",
AppProtoToString(alproto), AppProtoToString(s->alproto));
return -1;
}
s->alproto = alproto;
s->flags |= SIG_FLAG_APPLAYER;
return 0;
}
/**
* \internal
* \brief build address match array for cache efficient matching

2
src/detect-parse.h
Unescape Escape View File

@ -70,6 +70,8 @@ SigMatch *DetectGetLastSMFromLists(const Signature *s, ...);
SigMatch *DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list, ...);
SigMatch *DetectGetLastSMByListId(const Signature *s, int list_id, ...);
int DetectSignatureSetAppProto(Signature *s, AppProto alproto);
/* parse regex setup and free util funcs */
void DetectSetupParseRegexes(const char *parse_str,

7
src/detect-ssh-proto-version.c
Unescape Escape View File

@ -217,10 +217,8 @@ static int DetectSshVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
DetectSshVersionData *ssh = NULL;
SigMatch *sm = NULL;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
if (DetectSignatureSetAppProto(s, ALPROTO_SSH) != 0)
return -1;
}
ssh = DetectSshVersionParse(str);
if (ssh == NULL)
@ -236,9 +234,6 @@ static int DetectSshVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
sm->ctx = (void *)ssh;
SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id);
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_SSH;
return 0;
error:

8
src/detect-ssh-software-version.c
Unescape Escape View File

@ -212,10 +212,8 @@ static int DetectSshSoftwareVersionSetup (DetectEngineCtx *de_ctx, Signature *s,
DetectSshSoftwareVersionData *ssh = NULL;
SigMatch *sm = NULL;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
if (DetectSignatureSetAppProto(s, ALPROTO_SSH) != 0)
return -1;
}
ssh = DetectSshSoftwareVersionParse(str);
if (ssh == NULL)
@ -230,11 +228,7 @@ static int DetectSshSoftwareVersionSetup (DetectEngineCtx *de_ctx, Signature *s,
sm->type = DETECT_AL_SSH_SOFTWAREVERSION;
sm->ctx = (void *)ssh;
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_SSH;
SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id);
return 0;
error:

12
src/detect-ssl-state.c
Unescape Escape View File

@ -308,12 +308,9 @@ static int DetectSslStateSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
DetectSslStateData *ssd = NULL;
SigMatch *sm = NULL;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
"Rule contains conflicting keywords. Have non-tls alproto "
"set for a rule containing \"ssl_state\" keyword");
goto error;
}
if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
return -1;
ssd = DetectSslStateParse(arg);
if (ssd == NULL)
goto error;
@ -325,10 +322,7 @@ static int DetectSslStateSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
sm->type = DETECT_AL_SSL_STATE;
sm->ctx = (SigMatchCtx*)ssd;
s->alproto = ALPROTO_TLS;
SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
return 0;
error:

8
src/detect-ssl-version.c
Unescape Escape View File

@ -282,10 +282,8 @@ static int DetectSslVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
DetectSslVersionData *ssl = NULL;
SigMatch *sm = NULL;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
goto error;
}
if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
return -1;
ssl = DetectSslVersionParse(str);
if (ssl == NULL)
@ -301,8 +299,6 @@ static int DetectSslVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
sm->ctx = (void *)ssl;
SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
s->alproto = ALPROTO_TLS;
return 0;
error:

39
src/detect-tls-cert-validity.c
Unescape Escape View File

@ -421,6 +421,9 @@ static int DetectTlsExpiredSetup (DetectEngineCtx *de_ctx, Signature *s,
SCLogDebug("\'%s\'", rawstr);
if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
return -1;
dd = SCCalloc(1, sizeof(DetectTlsValidityData));
if (dd == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT,"Allocation \'%s\' failed", rawstr);
@ -433,12 +436,6 @@ static int DetectTlsExpiredSetup (DetectEngineCtx *de_ctx, Signature *s,
if (sm == NULL)
goto error;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
"rule contains conflicting keywords.");
goto error;
}
dd->mode = DETECT_TLS_VALIDITY_EX;
dd->type = DETECT_TLS_TYPE_NOTAFTER;
dd->epoch = 0;
@ -447,11 +444,7 @@ static int DetectTlsExpiredSetup (DetectEngineCtx *de_ctx, Signature *s,
sm->type = DETECT_AL_TLS_EXPIRED;
sm->ctx = (void *)dd;
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_TLS;
SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
return 0;
error:
@ -479,6 +472,9 @@ static int DetectTlsValidSetup (DetectEngineCtx *de_ctx, Signature *s,
SCLogDebug("\'%s\'", rawstr);
if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
return -1;
dd = SCCalloc(1, sizeof(DetectTlsValidityData));
if (dd == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT,"Allocation \'%s\' failed", rawstr);
@ -491,12 +487,6 @@ static int DetectTlsValidSetup (DetectEngineCtx *de_ctx, Signature *s,
if (sm == NULL)
goto error;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
"rule contains conflicting keywords.");
goto error;
}
dd->mode = DETECT_TLS_VALIDITY_VA;
dd->type = DETECT_TLS_TYPE_NOTAFTER;
dd->epoch = 0;
@ -505,11 +495,7 @@ static int DetectTlsValidSetup (DetectEngineCtx *de_ctx, Signature *s,
sm->type = DETECT_AL_TLS_VALID;
sm->ctx = (void *)dd;
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_TLS;
SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
return 0;
error:
@ -576,6 +562,9 @@ static int DetectTlsValiditySetup (DetectEngineCtx *de_ctx, Signature *s,
SCLogDebug("\'%s\'", rawstr);
if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
return -1;
dd = DetectTlsValidityParse(rawstr);
if (dd == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT,"Parsing \'%s\' failed", rawstr);
@ -588,12 +577,6 @@ static int DetectTlsValiditySetup (DetectEngineCtx *de_ctx, Signature *s,
if (sm == NULL)
goto error;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
"rule contains conflicting keywords.");
goto error;
}
if (type == DETECT_TLS_TYPE_NOTBEFORE) {
dd->type = DETECT_TLS_TYPE_NOTBEFORE;
sm->type = DETECT_AL_TLS_NOTBEFORE;
@ -608,11 +591,7 @@ static int DetectTlsValiditySetup (DetectEngineCtx *de_ctx, Signature *s,
sm->ctx = (void *)dd;
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_TLS;
SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
return 0;
error:

7
src/detect-tls-version.c
Unescape Escape View File

@ -221,10 +221,8 @@ static int DetectTlsVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
DetectTlsVersionData *tls = NULL;
SigMatch *sm = NULL;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
goto error;
}
if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
return -1;
tls = DetectTlsVersionParse(str);
if (tls == NULL)
@ -241,7 +239,6 @@ static int DetectTlsVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
s->alproto = ALPROTO_TLS;
return 0;
error:

36
src/detect-tls.c
Unescape Escape View File

@ -319,10 +319,8 @@ static int DetectTlsSubjectSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
DetectTlsData *tls = NULL;
SigMatch *sm = NULL;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
goto error;
}
if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
return -1;
tls = DetectTlsSubjectParse(str);
if (tls == NULL)
@ -337,11 +335,7 @@ static int DetectTlsSubjectSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
sm->type = DETECT_AL_TLS_SUBJECT;
sm->ctx = (void *)tls;
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_TLS;
SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
return 0;
error:
@ -532,10 +526,8 @@ static int DetectTlsIssuerDNSetup (DetectEngineCtx *de_ctx, Signature *s, char *
DetectTlsData *tls = NULL;
SigMatch *sm = NULL;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
goto error;
}
if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
return -1;
tls = DetectTlsIssuerDNParse(str);
if (tls == NULL)
@ -550,11 +542,7 @@ static int DetectTlsIssuerDNSetup (DetectEngineCtx *de_ctx, Signature *s, char *
sm->type = DETECT_AL_TLS_ISSUERDN;
sm->ctx = (void *)tls;
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_TLS;
SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
return 0;
error:
@ -735,10 +723,8 @@ static int DetectTlsFingerprintSetup (DetectEngineCtx *de_ctx, Signature *s, cha
DetectTlsData *tls = NULL;
SigMatch *sm = NULL;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
goto error;
}
if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
return -1;
tls = DetectTlsFingerprintParse(str);
if (tls == NULL)
@ -753,11 +739,7 @@ static int DetectTlsFingerprintSetup (DetectEngineCtx *de_ctx, Signature *s, cha
sm->type = DETECT_AL_TLS_FINGERPRINT;
sm->ctx = (void *)tls;
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_TLS;
SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
return 0;
error:
@ -797,18 +779,14 @@ static int DetectTlsStoreSetup (DetectEngineCtx *de_ctx, Signature *s, char *str
{
SigMatch *sm = NULL;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
return -1;
}
sm = SigMatchAlloc();
if (sm == NULL)
return -1;
sm->type = DETECT_AL_TLS_STORE;
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_TLS;
s->flags |= SIG_FLAG_TLSSTORE;
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);

11
src/detect-urilen.c
Unescape Escape View File

@ -247,11 +247,8 @@ static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, char *urile
DetectUrilenData *urilend = NULL;
SigMatch *sm = NULL;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
"alproto set");
goto error;
}
if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) != 0)
return -1;
urilend = DetectUrilenParse(urilenstr);
if (urilend == NULL)
@ -267,10 +264,6 @@ static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, char *urile
else
SigMatchAppendSMToList(s, sm, g_http_uri_buffer_id);
/* Flagged the signature as to inspect the app layer data */
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
SCReturnInt(0);
error:

Write Preview
Loading…
Cancel
Save