aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

vars: redo var name <-> idx handling

Browse Source 
Can't use sm type anymore as multiple var carriers (host/flow/etc) will
all have xbits.
pull/1422/head
Victor Julien 11 years ago
parent f77c3d9a2c
commit dea8dda3c1
15 changed files with 177 additions and 136 deletions
Show Stats Download Patch File Download Diff File

104
src/detect-engine-sigorder.c
Unescape Escape View File

@ -25,7 +25,7 @@
#include "suricata-common.h"
#include "detect.h"
#include "detect-hostbits.h"
#include "detect-xbits.h"
#include "detect-flowbits.h"
#include "detect-flowint.h"
#include "detect-parse.h"
@ -59,10 +59,10 @@
#define DETECT_FLOWINT_TYPE_SET_READ 3
#define DETECT_FLOWINT_TYPE_SET 4
#define DETECT_HOSTBITS_NOT_USED 1
#define DETECT_HOSTBITS_TYPE_READ 2
#define DETECT_HOSTBITS_TYPE_SET_READ 3
#define DETECT_HOSTBITS_TYPE_SET 4
#define DETECT_XBITS_NOT_USED 1
#define DETECT_XBITS_TYPE_READ 2
#define DETECT_XBITS_TYPE_SET_READ 3
#define DETECT_XBITS_TYPE_SET 4
/**
@ -347,37 +347,39 @@ static inline int SCSigGetPktvarType(Signature *sig)
}
/**
* \brief Returns the hostbit type set for this signature. If more than one
* hostbit has been set for the same rule, we return the hostbit type of
* \brief Returns the xbit type set for this signature. If more than one
* xbit has been set for the same rule, we return the xbit type of
* the maximum priority/value, where priority/value is maximum for the
* ones that set the value and the lowest for ones that read the value.
* If no hostbit has been set for the rule, we return 0, which indicates
* the least value amongst hostbit types.
* If no xbit has been set for the rule, we return 0, which indicates
* the least value amongst xbit types.
*
* \param sig Pointer to the Signature from which the hostbit value has to be
* \param sig Pointer to the Signature from which the xbit value has to be
* returned.
*
* \retval hostbits The hostbits type for this signature if it is set; if it is
* \retval xbits The xbits type for this signature if it is set; if it is
* not set, return 0
*/
static inline int SCSigGetHostbitsType(Signature *sig)
static inline int SCSigGetXbitsType(Signature *sig, enum VarTypes type)
{
DetectHostbitsData *fb = NULL;
int hostbits_user_type = DETECT_HOSTBITS_NOT_USED;
DetectXbitsData *fb = NULL;
int xbits_user_type = DETECT_XBITS_NOT_USED;
int read = 0;
int write = 0;
SigMatch *sm = sig->sm_lists[DETECT_SM_LIST_MATCH];
while (sm != NULL) {
if (sm->type == DETECT_HOSTBITS) {
fb = (DetectHostbitsData *)sm->ctx;
if (fb->cmd == DETECT_HOSTBITS_CMD_ISNOTSET ||
fb->cmd == DETECT_HOSTBITS_CMD_ISSET) {
read++;
} else {
if (sm->type == DETECT_XBITS) {
fb = (DetectXbitsData *)sm->ctx;
if (fb->type == type) {
if (fb->cmd == DETECT_XBITS_CMD_ISNOTSET ||
fb->cmd == DETECT_XBITS_CMD_ISSET) {
read++;
} else {
#ifdef DEBUG
BUG_ON(1);
BUG_ON(1);
#endif
}
}
}
@ -387,15 +389,17 @@ static inline int SCSigGetHostbitsType(Signature *sig)
sm = sig->sm_lists[DETECT_SM_LIST_POSTMATCH];
while (sm != NULL) {
if (sm->type == DETECT_HOSTBITS) {
fb = (DetectHostbitsData *)sm->ctx;
if (fb->cmd == DETECT_HOSTBITS_CMD_SET ||
fb->cmd == DETECT_HOSTBITS_CMD_UNSET ||
fb->cmd == DETECT_HOSTBITS_CMD_TOGGLE) {
write++;
} else {
fb = (DetectXbitsData *)sm->ctx;
if (fb->type == type) {
if (fb->cmd == DETECT_XBITS_CMD_SET ||
fb->cmd == DETECT_XBITS_CMD_UNSET ||
fb->cmd == DETECT_XBITS_CMD_TOGGLE) {
write++;
} else {
#ifdef DEBUG
BUG_ON(1);
BUG_ON(1);
#endif
}
}
}
@ -403,16 +407,16 @@ static inline int SCSigGetHostbitsType(Signature *sig)
}
if (read > 0 && write == 0) {
hostbits_user_type = DETECT_HOSTBITS_TYPE_READ;
xbits_user_type = DETECT_XBITS_TYPE_READ;
} else if (read == 0 && write > 0) {
hostbits_user_type = DETECT_HOSTBITS_TYPE_SET;
xbits_user_type = DETECT_XBITS_TYPE_SET;
} else if (read > 0 && write > 0) {
hostbits_user_type = DETECT_HOSTBITS_TYPE_SET_READ;
xbits_user_type = DETECT_XBITS_TYPE_SET_READ;
}
SCLogDebug("Sig %s typeval %d", sig->msg, hostbits_user_type);
SCLogDebug("Sig %s typeval %d", sig->msg, xbits_user_type);
return hostbits_user_type;
return xbits_user_type;
}
/**
@ -457,15 +461,27 @@ static inline void SCSigProcessUserDataForPktvar(SCSigSignatureWrapper *sw)
}
/**
* \brief Processes the flowbits data for this signature and caches it for
* \brief Processes the hostbits data for this signature and caches it for
* future use. This is needed to optimize the sig_ordering module.
*
* \param sw The sigwrapper/signature for which the flowbits data has to be
* \param sw The sigwrapper/signature for which the hostbits data has to be
* cached
*/
static inline void SCSigProcessUserDataForHostbits(SCSigSignatureWrapper *sw)
{
sw->user[SC_RADIX_USER_DATA_HOSTBITS] = SCSigGetHostbitsType(sw->sig);
sw->user[SC_RADIX_USER_DATA_HOSTBITS] = SCSigGetXbitsType(sw->sig, VAR_TYPE_HOST_BIT);
}
/**
* \brief Processes the hostbits data for this signature and caches it for
* future use. This is needed to optimize the sig_ordering module.
*
* \param sw The sigwrapper/signature for which the hostbits data has to be
* cached
*/
static inline void SCSigProcessUserDataForIPPairbits(SCSigSignatureWrapper *sw)
{
sw->user[SC_RADIX_USER_DATA_IPPAIRBITS] = SCSigGetXbitsType(sw->sig, VAR_TYPE_IPPAIR_BIT);
}
/* Return 1 if sw1 comes before sw2 in the final list. */
@ -629,6 +645,20 @@ static int SCSigOrderByHostbitsCompare(SCSigSignatureWrapper *sw1,
sw2->user[SC_RADIX_USER_DATA_HOSTBITS];
}
/**
* \brief Orders an incoming Signature based on its ippairbits (xbits) type
*
* \param de_ctx Pointer to the detection engine context from which the
* signatures have to be ordered.
* \param sw The new signature that has to be ordered based on its bits
*/
static int SCSigOrderByIPPairbitsCompare(SCSigSignatureWrapper *sw1,
SCSigSignatureWrapper *sw2)
{
return sw1->user[SC_RADIX_USER_DATA_IPPAIRBITS] -
sw2->user[SC_RADIX_USER_DATA_IPPAIRBITS];
}
/**
* \brief Orders an incoming Signature based on its priority type
*
@ -666,6 +696,7 @@ static inline SCSigSignatureWrapper *SCSigAllocSignatureWrapper(Signature *sig)
SCSigProcessUserDataForFlowint(sw);
SCSigProcessUserDataForPktvar(sw);
SCSigProcessUserDataForHostbits(sw);
SCSigProcessUserDataForIPPairbits(sw);
return sw;
}
@ -746,6 +777,7 @@ void SCSigRegisterSignatureOrderingFuncs(DetectEngineCtx *de_ctx)
SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByHostbitsCompare);
SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByIPPairbitsCompare);
SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
}

1
src/detect-engine-sigorder.h
Unescape Escape View File

@ -34,6 +34,7 @@ typedef enum{
SC_RADIX_USER_DATA_PKTVAR,
SC_RADIX_USER_DATA_FLOWINT,
SC_RADIX_USER_DATA_HOSTBITS,
SC_RADIX_USER_DATA_IPPAIRBITS,
SC_RADIX_USER_DATA_MAX
} SCRadixUserDataType;

10
src/detect-flowbits.c
Unescape Escape View File

@ -244,7 +244,7 @@ int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
if (unlikely(cd == NULL))
goto error;
cd->idx = VariableNameGetIdx(de_ctx, fb_name, DETECT_FLOWBITS);
cd->idx = VariableNameGetIdx(de_ctx, fb_name, VAR_TYPE_FLOW_BIT);
cd->cmd = fb_cmd;
SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
@ -616,7 +616,7 @@ static int FlowBitsTestSig04(void)
s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isset option\"; flowbits:isset,fbt; content:\"GET \"; sid:1;)");
idx = VariableNameGetIdx(de_ctx, "fbt", DETECT_FLOWBITS);
idx = VariableNameGetIdx(de_ctx, "fbt", VAR_TYPE_FLOW_BIT);
if (s == NULL || idx != 1) {
goto end;
@ -797,7 +797,7 @@ static int FlowBitsTestSig06(void)
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
idx = VariableNameGetIdx(de_ctx, "myflow", DETECT_FLOWBITS);
idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_FLOW_BIT);
gv = p->flow->flowvar;
@ -903,7 +903,7 @@ static int FlowBitsTestSig07(void)
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
idx = VariableNameGetIdx(de_ctx, "myflow", DETECT_FLOWBITS);
idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_FLOW_BIT);
gv = p->flow->flowvar;
@ -1012,7 +1012,7 @@ static int FlowBitsTestSig08(void)
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
idx = VariableNameGetIdx(de_ctx, "myflow", DETECT_FLOWBITS);
idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_FLOW_BIT);
gv = p->flow->flowvar;

4
src/detect-flowint.c
Unescape Escape View File

@ -126,7 +126,7 @@ int DetectFlowintMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
* return zero(not match).
*/
if (sfd->targettype == FLOWINT_TARGET_VAR) {
uint16_t tvar_idx = VariableNameGetIdx(det_ctx->de_ctx, sfd->target.tvar.name, DETECT_FLOWINT);
uint16_t tvar_idx = VariableNameGetIdx(det_ctx->de_ctx, sfd->target.tvar.name, VAR_TYPE_FLOW_INT);
fvt = FlowVarGet(p->flow, tvar_idx);
/* We don't have that variable initialized yet */
@ -351,7 +351,7 @@ DetectFlowintData *DetectFlowintParse(DetectEngineCtx *de_ctx, char *rawstr)
goto error;
}
if (de_ctx != NULL)
sfd->idx = VariableNameGetIdx(de_ctx, varname, DETECT_FLOWINT);
sfd->idx = VariableNameGetIdx(de_ctx, varname, VAR_TYPE_FLOW_INT);
sfd->modifier = modifier;
pcre_free_substring(varname);

2
src/detect-flowvar.c
Unescape Escape View File

@ -188,7 +188,7 @@ static int DetectFlowvarSetup (DetectEngineCtx *de_ctx, Signature *s, char *raws
fd->name = SCStrdup(varname);
if (unlikely(fd->name == NULL))
goto error;
fd->idx = VariableNameGetIdx(de_ctx, varname, DETECT_FLOWVAR);
fd->idx = VariableNameGetIdx(de_ctx, varname, VAR_TYPE_FLOW_VAR);
/* Okay so far so good, lets get this into a SigMatch
* and put it in the Signature. */

115
src/detect-hostbits.c
Unescape Escape View File

@ -106,10 +106,10 @@ error:
return;
}
static int DetectHostbitMatchToggle (Packet *p, const DetectHostbitsData *fd)
static int DetectHostbitMatchToggle (Packet *p, const DetectXbitsData *fd)
{
switch (fd->dir) {
case DETECT_HOSTBITS_DIR_SRC:
switch (fd->tracker) {
case DETECT_XBITS_TRACK_IPSRC:
if (p->host_src == NULL) {
p->host_src = HostGetHostFromHash(&p->src);
if (p->host_src == NULL)
@ -121,7 +121,7 @@ static int DetectHostbitMatchToggle (Packet *p, const DetectHostbitsData *fd)
HostBitToggle(p->host_src,fd->idx);
HostUnlock(p->host_src);
break;
case DETECT_HOSTBITS_DIR_DST:
case DETECT_XBITS_TRACK_IPDST:
if (p->host_dst == NULL) {
p->host_dst = HostGetHostFromHash(&p->dst);
if (p->host_dst == NULL)
@ -138,10 +138,10 @@ static int DetectHostbitMatchToggle (Packet *p, const DetectHostbitsData *fd)
}
/* return true even if bit not found */
static int DetectHostbitMatchUnset (Packet *p, const DetectHostbitsData *fd)
static int DetectHostbitMatchUnset (Packet *p, const DetectXbitsData *fd)
{
switch (fd->dir) {
case DETECT_HOSTBITS_DIR_SRC:
switch (fd->tracker) {
case DETECT_XBITS_TRACK_IPSRC:
if (p->host_src == NULL) {
p->host_src = HostLookupHostFromHash(&p->src);
if (p->host_src == NULL)
@ -152,7 +152,7 @@ static int DetectHostbitMatchUnset (Packet *p, const DetectHostbitsData *fd)
HostBitUnset(p->host_src,fd->idx);
HostUnlock(p->host_src);
break;
case DETECT_HOSTBITS_DIR_DST:
case DETECT_XBITS_TRACK_IPDST:
if (p->host_dst == NULL) {
p->host_dst = HostLookupHostFromHash(&p->dst);
if (p->host_dst == NULL)
@ -167,10 +167,10 @@ static int DetectHostbitMatchUnset (Packet *p, const DetectHostbitsData *fd)
return 1;
}
static int DetectHostbitMatchSet (Packet *p, const DetectHostbitsData *fd)
static int DetectHostbitMatchSet (Packet *p, const DetectXbitsData *fd)
{
switch (fd->dir) {
case DETECT_HOSTBITS_DIR_SRC:
switch (fd->tracker) {
case DETECT_XBITS_TRACK_IPSRC:
if (p->host_src == NULL) {
p->host_src = HostGetHostFromHash(&p->src);
if (p->host_src == NULL)
@ -181,7 +181,7 @@ static int DetectHostbitMatchSet (Packet *p, const DetectHostbitsData *fd)
HostBitSet(p->host_src,fd->idx);
HostUnlock(p->host_src);
break;
case DETECT_HOSTBITS_DIR_DST:
case DETECT_XBITS_TRACK_IPDST:
if (p->host_dst == NULL) {
p->host_dst = HostGetHostFromHash(&p->dst);
if (p->host_dst == NULL)
@ -196,11 +196,11 @@ static int DetectHostbitMatchSet (Packet *p, const DetectHostbitsData *fd)
return 1;
}
static int DetectHostbitMatchIsset (Packet *p, const DetectHostbitsData *fd)
static int DetectHostbitMatchIsset (Packet *p, const DetectXbitsData *fd)
{
int r = 0;
switch (fd->dir) {
case DETECT_HOSTBITS_DIR_SRC:
switch (fd->tracker) {
case DETECT_XBITS_TRACK_IPSRC:
if (p->host_src == NULL) {
p->host_src = HostLookupHostFromHash(&p->src);
if (p->host_src == NULL)
@ -208,11 +208,10 @@ static int DetectHostbitMatchIsset (Packet *p, const DetectHostbitsData *fd)
} else
HostLock(p->host_src);
HostLock(p->host_src);
r = HostBitIsset(p->host_src,fd->idx);
HostUnlock(p->host_src);
return r;
case DETECT_HOSTBITS_DIR_DST:
case DETECT_XBITS_TRACK_IPDST:
if (p->host_dst == NULL) {
p->host_dst = HostLookupHostFromHash(&p->dst);
if (p->host_dst == NULL)
@ -220,7 +219,6 @@ static int DetectHostbitMatchIsset (Packet *p, const DetectHostbitsData *fd)
} else
HostLock(p->host_dst);
HostLock(p->host_dst);
r = HostBitIsset(p->host_dst,fd->idx);
HostUnlock(p->host_dst);
return r;
@ -228,11 +226,11 @@ static int DetectHostbitMatchIsset (Packet *p, const DetectHostbitsData *fd)
return 0;
}
static int DetectHostbitMatchIsnotset (Packet *p, const DetectHostbitsData *fd)
static int DetectHostbitMatchIsnotset (Packet *p, const DetectXbitsData *fd)
{
int r = 0;
switch (fd->dir) {
case DETECT_HOSTBITS_DIR_SRC:
switch (fd->tracker) {
case DETECT_XBITS_TRACK_IPSRC:
if (p->host_src == NULL) {
p->host_src = HostLookupHostFromHash(&p->src);
if (p->host_src == NULL)
@ -240,11 +238,10 @@ static int DetectHostbitMatchIsnotset (Packet *p, const DetectHostbitsData *fd)
} else
HostLock(p->host_src);
HostLock(p->host_src);
r = HostBitIsnotset(p->host_src,fd->idx);
HostUnlock(p->host_src);
return r;
case DETECT_HOSTBITS_DIR_DST:
case DETECT_XBITS_TRACK_IPDST:
if (p->host_dst == NULL) {
p->host_dst = HostLookupHostFromHash(&p->dst);
if (p->host_dst == NULL)
@ -252,7 +249,6 @@ static int DetectHostbitMatchIsnotset (Packet *p, const DetectHostbitsData *fd)
} else
HostLock(p->host_dst);
HostLock(p->host_dst);
r = HostBitIsnotset(p->host_dst,fd->idx);
HostUnlock(p->host_dst);
return r;
@ -268,20 +264,20 @@ static int DetectHostbitMatchIsnotset (Packet *p, const DetectHostbitsData *fd)
int DetectHostbitMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, const SigMatchCtx *ctx)
{
const DetectHostbitsData *fd = (const DetectHostbitsData *)ctx;
const DetectXbitsData *fd = (const DetectXbitsData *)ctx;
if (fd == NULL)
return 0;
switch (fd->cmd) {
case DETECT_HOSTBITS_CMD_ISSET:
case DETECT_XBITS_CMD_ISSET:
return DetectHostbitMatchIsset(p,fd);
case DETECT_HOSTBITS_CMD_ISNOTSET:
case DETECT_XBITS_CMD_ISNOTSET:
return DetectHostbitMatchIsnotset(p,fd);
case DETECT_HOSTBITS_CMD_SET:
case DETECT_XBITS_CMD_SET:
return DetectHostbitMatchSet(p,fd);
case DETECT_HOSTBITS_CMD_UNSET:
case DETECT_XBITS_CMD_UNSET:
return DetectHostbitMatchUnset(p,fd);
case DETECT_HOSTBITS_CMD_TOGGLE:
case DETECT_XBITS_CMD_TOGGLE:
return DetectHostbitMatchToggle(p,fd);
default:
SCLogError(SC_ERR_UNKNOWN_VALUE, "unknown cmd %" PRIu32 "", fd->cmd);
@ -293,7 +289,7 @@ int DetectHostbitMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p
int DetectHostbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
{
DetectHostbitsData *cd = NULL;
DetectXbitsData *cd = NULL;
SigMatch *sm = NULL;
uint8_t fb_cmd = 0;
uint8_t hb_dir = 0;
@ -330,11 +326,11 @@ int DetectHostbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
SCLogInfo("hb_dir_str %s", hb_dir_str);
if (strlen(hb_dir_str) > 0) {
if (strcmp(hb_dir_str, "src") == 0)
hb_dir = DETECT_HOSTBITS_DIR_SRC;
hb_dir = DETECT_XBITS_TRACK_IPSRC;
else if (strcmp(hb_dir_str, "dst") == 0)
hb_dir = DETECT_HOSTBITS_DIR_DST;
hb_dir = DETECT_XBITS_TRACK_IPDST;
else if (strcmp(hb_dir_str, "both") == 0) {
hb_dir = DETECT_HOSTBITS_DIR_BOTH;
//hb_dir = DETECT_XBITS_TRACK_IPBOTH;
SCLogError(SC_ERR_UNIMPLEMENTED, "'both' not implemented");
goto error;
} else {
@ -346,46 +342,47 @@ int DetectHostbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
}
if (strcmp(fb_cmd_str,"noalert") == 0) {
fb_cmd = DETECT_HOSTBITS_CMD_NOALERT;
fb_cmd = DETECT_XBITS_CMD_NOALERT;
} else if (strcmp(fb_cmd_str,"isset") == 0) {
fb_cmd = DETECT_HOSTBITS_CMD_ISSET;
fb_cmd = DETECT_XBITS_CMD_ISSET;
} else if (strcmp(fb_cmd_str,"isnotset") == 0) {
fb_cmd = DETECT_HOSTBITS_CMD_ISNOTSET;
fb_cmd = DETECT_XBITS_CMD_ISNOTSET;
} else if (strcmp(fb_cmd_str,"set") == 0) {
fb_cmd = DETECT_HOSTBITS_CMD_SET;
fb_cmd = DETECT_XBITS_CMD_SET;
} else if (strcmp(fb_cmd_str,"unset") == 0) {
fb_cmd = DETECT_HOSTBITS_CMD_UNSET;
fb_cmd = DETECT_XBITS_CMD_UNSET;
} else if (strcmp(fb_cmd_str,"toggle") == 0) {
fb_cmd = DETECT_HOSTBITS_CMD_TOGGLE;
fb_cmd = DETECT_XBITS_CMD_TOGGLE;
} else {
SCLogError(SC_ERR_UNKNOWN_VALUE, "ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str);
goto error;
}
switch (fb_cmd) {
case DETECT_HOSTBITS_CMD_NOALERT:
case DETECT_XBITS_CMD_NOALERT:
if (strlen(fb_name) != 0)
goto error;
s->flags |= SIG_FLAG_NOALERT;
return 0;
case DETECT_HOSTBITS_CMD_ISNOTSET:
case DETECT_HOSTBITS_CMD_ISSET:
case DETECT_HOSTBITS_CMD_SET:
case DETECT_HOSTBITS_CMD_UNSET:
case DETECT_HOSTBITS_CMD_TOGGLE:
case DETECT_XBITS_CMD_ISNOTSET:
case DETECT_XBITS_CMD_ISSET:
case DETECT_XBITS_CMD_SET:
case DETECT_XBITS_CMD_UNSET:
case DETECT_XBITS_CMD_TOGGLE:
default:
if (strlen(fb_name) == 0)
goto error;
break;
}
cd = SCMalloc(sizeof(DetectHostbitsData));
cd = SCMalloc(sizeof(DetectXbitsData));
if (unlikely(cd == NULL))
goto error;
cd->idx = VariableNameGetIdx(de_ctx, fb_name, DETECT_HOSTBITS);
cd->idx = VariableNameGetIdx(de_ctx, fb_name, VAR_TYPE_HOST_BIT);
cd->cmd = fb_cmd;
cd->dir = hb_dir;
cd->tracker = hb_dir;
cd->type = VAR_TYPE_HOST_BIT;
SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)");
@ -400,19 +397,19 @@ int DetectHostbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
sm->ctx = (void *)cd;
switch (fb_cmd) {
case DETECT_HOSTBITS_CMD_NOALERT:
case DETECT_XBITS_CMD_NOALERT:
/* nothing to do */
break;
case DETECT_HOSTBITS_CMD_ISNOTSET:
case DETECT_HOSTBITS_CMD_ISSET:
case DETECT_XBITS_CMD_ISNOTSET:
case DETECT_XBITS_CMD_ISSET:
/* checks, so packet list */
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
break;
case DETECT_HOSTBITS_CMD_SET:
case DETECT_HOSTBITS_CMD_UNSET:
case DETECT_HOSTBITS_CMD_TOGGLE:
case DETECT_XBITS_CMD_SET:
case DETECT_XBITS_CMD_UNSET:
case DETECT_XBITS_CMD_TOGGLE:
/* modifiers, only run when entire sig has matched */
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
break;
@ -430,7 +427,7 @@ error:
void DetectHostbitFree (void *ptr)
{
DetectHostbitsData *fd = (DetectHostbitsData *)ptr;
DetectXbitsData *fd = (DetectXbitsData *)ptr;
if (fd == NULL)
return;
@ -727,7 +724,7 @@ static int HostBitsTestSig04(void)
s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isset option\"; hostbits:isset,fbt; content:\"GET \"; sid:1;)");
idx = VariableNameGetIdx(de_ctx, "fbt", DETECT_HOSTBITS);
idx = VariableNameGetIdx(de_ctx, "fbt", VAR_TYPE_HOST_BIT);
if (s == NULL || idx != 1) {
goto end;
@ -922,7 +919,7 @@ static int HostBitsTestSig06(void)
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
idx = VariableNameGetIdx(de_ctx, "myflow", DETECT_HOSTBITS);
idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_HOST_BIT);
gv = p->flow->flowvar;
@ -1028,7 +1025,7 @@ static int HostBitsTestSig07(void)
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
idx = VariableNameGetIdx(de_ctx, "myflow", DETECT_HOSTBITS);
idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_HOST_BIT);
gv = p->flow->flowvar;

18
src/detect-hostbits.h
Unescape Escape View File

@ -24,23 +24,7 @@
#ifndef __DETECT_HOSTBITS_H__
#define __DETECT_HOSTBITS_H__
#define DETECT_HOSTBITS_CMD_SET 0
#define DETECT_HOSTBITS_CMD_TOGGLE 1
#define DETECT_HOSTBITS_CMD_UNSET 2
#define DETECT_HOSTBITS_CMD_ISNOTSET 3
#define DETECT_HOSTBITS_CMD_ISSET 4
#define DETECT_HOSTBITS_CMD_NOALERT 5
#define DETECT_HOSTBITS_CMD_MAX 6
#define DETECT_HOSTBITS_DIR_SRC 0
#define DETECT_HOSTBITS_DIR_DST 1
#define DETECT_HOSTBITS_DIR_BOTH 2
typedef struct DetectHostbitsData_ {
uint16_t idx;
uint8_t cmd;
uint8_t dir;
} DetectHostbitsData;
#include "detect-xbits.h"
/* prototypes */
void DetectHostbitsRegister (void);

4
src/detect-lua.c
Unescape Escape View File

@ -831,7 +831,7 @@ static int DetectLuaSetupPrime(DetectEngineCtx *de_ctx, DetectLuaData *ld)
goto error;
}
uint16_t idx = VariableNameGetIdx(de_ctx, (char *)value, DETECT_FLOWVAR);
uint16_t idx = VariableNameGetIdx(de_ctx, (char *)value, VAR_TYPE_FLOW_VAR);
ld->flowvar[ld->flowvars++] = idx;
SCLogDebug("script uses flowvar %u with script id %u", idx, ld->flowvars - 1);
}
@ -853,7 +853,7 @@ static int DetectLuaSetupPrime(DetectEngineCtx *de_ctx, DetectLuaData *ld)
goto error;
}
uint16_t idx = VariableNameGetIdx(de_ctx, (char *)value, DETECT_FLOWINT);
uint16_t idx = VariableNameGetIdx(de_ctx, (char *)value, VAR_TYPE_FLOW_INT);
ld->flowint[ld->flowints++] = idx;
SCLogDebug("script uses flowint %u with script id %u", idx, ld->flowints - 1);
}

4
src/detect-pcre.c
Unescape Escape View File

@ -620,9 +620,9 @@ static int DetectPcreParseCapture(char *regexstr, DetectEngineCtx *de_ctx, Detec
}
if (pd->capname != NULL) {
if (pd->flags & DETECT_PCRE_CAPTURE_PKT)
pd->capidx = VariableNameGetIdx(de_ctx, (char *)pd->capname, DETECT_PKTVAR);
pd->capidx = VariableNameGetIdx(de_ctx, (char *)pd->capname, VAR_TYPE_PKT_VAR);
else if (pd->flags & DETECT_PCRE_CAPTURE_FLOW)
pd->capidx = VariableNameGetIdx(de_ctx, (char *)pd->capname, DETECT_FLOWVAR);
pd->capidx = VariableNameGetIdx(de_ctx, (char *)pd->capname, VAR_TYPE_FLOW_VAR);
}
SCLogDebug("pd->capname %s", pd->capname);

13
src/detect-xbits.c
Unescape Escape View File

@ -197,6 +197,7 @@ int DetectXbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
int ov[MAX_SUBSTRINGS];
char fb_cmd_str[16] = "", fb_name[256] = "";
char hb_dir_str[16] = "";
enum VarTypes var_type = VAR_TYPE_NOT_SET;
ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS);
if (ret != 2 && ret != 3 && ret != 4) {
@ -224,12 +225,15 @@ int DetectXbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
}
SCLogDebug("hb_dir_str %s", hb_dir_str);
if (strlen(hb_dir_str) > 0) {
if (strcmp(hb_dir_str, "ip_src") == 0)
if (strcmp(hb_dir_str, "ip_src") == 0) {
hb_dir = DETECT_XBITS_TRACK_IPSRC;
else if (strcmp(hb_dir_str, "ip_dst") == 0)
var_type = VAR_TYPE_HOST_BIT;
} else if (strcmp(hb_dir_str, "ip_dst") == 0) {
hb_dir = DETECT_XBITS_TRACK_IPDST;
else if (strcmp(hb_dir_str, "ip_pair") == 0) {
var_type = VAR_TYPE_HOST_BIT;
} else if (strcmp(hb_dir_str, "ip_pair") == 0) {
hb_dir = DETECT_XBITS_TRACK_IPPAIR;
var_type = VAR_TYPE_IPPAIR_BIT;
} else {
// TODO
goto error;
@ -276,9 +280,10 @@ int DetectXbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
if (unlikely(cd == NULL))
goto error;
cd->idx = VariableNameGetIdx(de_ctx, fb_name, DETECT_XBITS);
cd->idx = VariableNameGetIdx(de_ctx, fb_name, var_type);
cd->cmd = fb_cmd;
cd->tracker = hb_dir;
cd->type = var_type;
SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)");

2
src/detect-xbits.h
Unescape Escape View File

@ -41,6 +41,8 @@ typedef struct DetectXbitsData_ {
uint16_t idx;
uint8_t cmd;
uint8_t tracker;
/** data type: host/ippair/flow used for sig sorting in sigorder */
enum VarTypes type;
} DetectXbitsData;
/* prototypes */

2
src/detect.c
Unescape Escape View File

@ -1104,7 +1104,7 @@ static void AlertDebugLogModeSyncFlowbitsNamesToPacketStruct(Packet *p, DetectEn
}
FlowBit *fb = (FlowBit *) gv;
char *name = VariableIdxGetName(de_ctx, fb->idx, fb->type);
char *name = VariableIdxGetName(de_ctx, fb->idx, VAR_TYPE_FLOW_BIT);
if (name != NULL) {
p->debuglog_flowbits_names[i] = SCStrdup(name);
if (p->debuglog_flowbits_names[i] == NULL) {

10
src/util-var-name.c
Unescape Escape View File

@ -131,11 +131,11 @@ void VariableNameFreeHash(DetectEngineCtx *de_ctx)
/** \brief Get a name idx for a name. If the name is already used reuse the idx.
* \param name nul terminated string with the name
* \param type variable type (DETECT_FLOWBITS, DETECT_PKTVAR, etc)
* \param type variable type
* \retval 0 in case of error
* \retval _ the idx.
* \retval idx the idx or 0
*/
uint16_t VariableNameGetIdx(DetectEngineCtx *de_ctx, char *name, uint8_t type)
uint16_t VariableNameGetIdx(DetectEngineCtx *de_ctx, char *name, enum VarTypes type)
{
uint16_t idx = 0;
@ -170,11 +170,11 @@ error:
/** \brief Get a name from the idx.
* \param idx index of the variable whose name is to be fetched
* \param type variable type (DETECT_FLOWBITS, DETECT_PKTVAR, etc)
* \param type variable type
* \retval NULL in case of error
* \retval name of the variable if successful.
*/
char *VariableIdxGetName(DetectEngineCtx *de_ctx, uint16_t idx, uint8_t type)
char *VariableIdxGetName(DetectEngineCtx *de_ctx, uint16_t idx, enum VarTypes type)
{
VariableName *fn = SCMalloc(sizeof(VariableName));
if (unlikely(fn == NULL))

4
src/util-var-name.h
Unescape Escape View File

@ -27,8 +27,8 @@
int VariableNameInitHash(DetectEngineCtx *);
void VariableNameFreeHash(DetectEngineCtx *);
uint16_t VariableNameGetIdx(DetectEngineCtx *, char *, uint8_t);
char * VariableIdxGetName(DetectEngineCtx *, uint16_t , uint8_t);
uint16_t VariableNameGetIdx(DetectEngineCtx *, char *, enum VarTypes);
char * VariableIdxGetName(DetectEngineCtx *, uint16_t , enum VarTypes);
#endif

20
src/util-var.h
Unescape Escape View File

@ -24,6 +24,26 @@
#ifndef __UTIL_VAR_H__
#define __UTIL_VAR_H__
enum VarTypes {
VAR_TYPE_NOT_SET,
VAR_TYPE_PKT_BIT,
VAR_TYPE_PKT_INT,
VAR_TYPE_PKT_VAR,
VAR_TYPE_FLOW_BIT,
VAR_TYPE_FLOW_INT,
VAR_TYPE_FLOW_VAR,
VAR_TYPE_HOST_BIT,
VAR_TYPE_HOST_INT,
VAR_TYPE_HOST_VAR,
VAR_TYPE_IPPAIR_BIT,
VAR_TYPE_IPPAIR_INT,
VAR_TYPE_IPPAIR_VAR,
};
typedef struct GenericVar_ {
uint8_t type;
uint16_t idx;

Write Preview
Loading…
Cancel
Save