aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

http_client_body: dynamic buffer

Browse Source
pull/2559/head
Victor Julien 8 years ago
parent e7d5e845c7
commit ee55aefa1c
10 changed files with 143 additions and 174 deletions
Show Stats Download Patch File Download Diff File

9
src/detect-engine-analyzer.c
Unescape Escape View File

@ -114,8 +114,6 @@ void EngineAnalysisFP(Signature *s, char *line)
fprintf(fp_engine_analysis_FD, "content\n");
else if (list_type == DETECT_SM_LIST_HRUDMATCH)
fprintf(fp_engine_analysis_FD, "http raw uri content\n");
else if (list_type == DETECT_SM_LIST_HCBDMATCH)
fprintf(fp_engine_analysis_FD, "http client body content\n");
else {
const char *desc = DetectBufferTypeGetDescriptionById(list_type);
const char *name = DetectBufferTypeGetNameById(list_type);
@ -452,8 +450,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s)
}
else if (list_type == DETECT_SM_LIST_HRUDMATCH)
fprintf(rule_engine_analysis_FD, "http raw uri content");
else if (list_type == DETECT_SM_LIST_HCBDMATCH)
fprintf(rule_engine_analysis_FD, "http client body content");
else if (list_type == DETECT_SM_LIST_DNSQUERYNAME_MATCH)
fprintf(rule_engine_analysis_FD, "dns query name content");
else if (list_type == DETECT_SM_LIST_TLSSNI_MATCH)
@ -562,6 +558,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
const int httpstatmsg_id = DetectBufferTypeGetByName("http_stat_msg");
const int httpheader_id = DetectBufferTypeGetByName("http_header");
const int httprawheader_id = DetectBufferTypeGetByName("http_raw_header");
const int httpclientbody_id = DetectBufferTypeGetByName("http_client_body");
if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) {
rule_bidirectional = 1;
@ -585,7 +582,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
SigMatch *sm = NULL;
for (sm = s->init_data->smlists[list_id]; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_PCRE) {
if (list_id == DETECT_SM_LIST_HCBDMATCH) {
if (list_id == httpclientbody_id) {
rule_pcre_http += 1;
http_client_body_buf += 1;
raw_http_buf += 1;
@ -666,7 +663,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
http_cookie_buf += 1;
}
}
else if (list_id == DETECT_SM_LIST_HCBDMATCH) {
else if (list_id == httpclientbody_id) {
rule_content_http += 1;
raw_http_buf += 1;
http_client_body_buf += 1;

2
src/detect-engine.c
Unescape Escape View File

@ -2800,8 +2800,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
case DETECT_SM_LIST_HRUDMATCH:
return "http raw uri";
case DETECT_SM_LIST_HCBDMATCH:
return "http client body";
case DETECT_SM_LIST_APP_EVENT:
return "app layer events";

44
src/detect-fast-pattern.c
Unescape Escape View File

@ -332,6 +332,7 @@ static int g_http_stat_code_buffer_id = 0;
static int g_http_stat_msg_buffer_id = 0;
static int g_http_raw_header_buffer_id = 0;
static int g_http_header_buffer_id = 0;
static int g_http_client_body_buffer_id = 0;
/**
* \test Checks if a fast_pattern is registered in a Signature
@ -3768,7 +3769,7 @@ int DetectFastPatternTest134(void)
"(content:\"one\"; http_client_body; content:!\"oneonetwo\"; fast_pattern:3,4; http_client_body; content:\"three\"; http_client_body; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -3806,7 +3807,7 @@ int DetectFastPatternTest135(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
@ -3843,7 +3844,7 @@ int DetectFastPatternTest136(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
@ -3875,7 +3876,7 @@ int DetectFastPatternTest137(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
@ -3909,7 +3910,7 @@ int DetectFastPatternTest138(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -4139,7 +4140,7 @@ int DetectFastPatternTest148(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -4169,7 +4170,7 @@ int DetectFastPatternTest149(void)
"(content:\"one\"; http_client_body; content:\"two\"; http_client_body; within:30; content:\"two\"; fast_pattern:only; http_client_body; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -4199,7 +4200,7 @@ int DetectFastPatternTest150(void)
"(content:\"one\"; http_client_body; content:\"two\"; http_client_body; offset:30; content:\"two\"; fast_pattern:only; http_client_body; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -4229,7 +4230,7 @@ int DetectFastPatternTest151(void)
"(content:\"one\"; http_client_body; content:\"two\"; http_client_body; depth:30; content:\"two\"; fast_pattern:only; http_client_body; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -4259,7 +4260,7 @@ int DetectFastPatternTest152(void)
"(content:!\"one\"; fast_pattern; http_client_body; content:\"two\"; http_client_body; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -4378,7 +4379,7 @@ int DetectFastPatternTest157(void)
"(content:\"one\"; http_client_body; content:\"oneonetwo\"; fast_pattern:3,4; http_client_body; content:\"three\"; http_client_body; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -4408,7 +4409,7 @@ int DetectFastPatternTest158(void)
"(content:\"one\"; http_client_body; content:\"oneonetwo\"; fast_pattern:3,4; http_client_body; content:\"three\"; http_client_body; distance:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -4438,7 +4439,7 @@ int DetectFastPatternTest159(void)
"(content:\"one\"; http_client_body; content:\"oneonetwo\"; fast_pattern:3,4; http_client_body; content:\"three\"; http_client_body; within:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -4468,7 +4469,7 @@ int DetectFastPatternTest160(void)
"(content:\"one\"; http_client_body; content:\"oneonetwo\"; fast_pattern:3,4; http_client_body; content:\"three\"; http_client_body; offset:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -4498,7 +4499,7 @@ int DetectFastPatternTest161(void)
"(content:\"one\"; http_client_body; content:\"oneonetwo\"; fast_pattern:3,4; http_client_body; content:\"three\"; http_client_body; depth:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -4528,7 +4529,7 @@ int DetectFastPatternTest162(void)
"(content:\"one\"; http_client_body; content:\"two\"; http_client_body; distance:10; content:\"oneonethree\"; fast_pattern:3,4; http_client_body; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -4558,7 +4559,7 @@ int DetectFastPatternTest163(void)
"(content:\"one\"; http_client_body; content:\"two\"; http_client_body; within:10; content:\"oneonethree\"; fast_pattern:3,4; http_client_body; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -4588,7 +4589,7 @@ int DetectFastPatternTest164(void)
"(content:\"one\"; http_client_body; content:\"two\"; http_client_body; offset:10; content:\"oneonethree\"; fast_pattern:3,4; http_client_body; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -4618,7 +4619,7 @@ int DetectFastPatternTest165(void)
"(content:\"one\"; http_client_body; content:\"two\"; http_client_body; depth:10; content:\"oneonethree\"; fast_pattern:3,4; http_client_body; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -4717,7 +4718,7 @@ int DetectFastPatternTest169(void)
"(content:\"one\"; http_client_body; content:!\"oneonetwo\"; fast_pattern:3,4; http_client_body; content:\"three\"; http_client_body; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -4836,7 +4837,7 @@ int DetectFastPatternTest174(void)
"(content:\"one\"; http_client_body; content:!\"oneonetwo\"; fast_pattern:3,4; http_client_body; content:\"three\"; http_client_body; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -18843,6 +18844,7 @@ void DetectFastPatternRegisterTests(void)
g_http_stat_msg_buffer_id = DetectBufferTypeGetByName("http_stat_msg");
g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
g_http_raw_header_buffer_id = DetectBufferTypeGetByName("http_raw_header");
g_http_client_body_buffer_id = DetectBufferTypeGetByName("http_client_body");
UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01);
UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02);

172
src/detect-http-client-body.c
Unescape Escape View File

@ -58,9 +58,11 @@
#include "detect-engine-hcbd.h"
#include "stream-tcp.h"
int DetectHttpClientBodySetup(DetectEngineCtx *, Signature *, char *);
void DetectHttpClientBodyRegisterTests(void);
void DetectHttpClientBodyFree(void *);
static int DetectHttpClientBodySetup(DetectEngineCtx *, Signature *, char *);
static void DetectHttpClientBodyRegisterTests(void);
static void DetectHttpClientBodyFree(void *);
static void DetectHttpClientBodySetupCallback(Signature *s);
static int g_http_client_body_buffer_id = 0;
/**
* \brief Registers the keyword handlers for the "http_client_body" keyword.
@ -79,19 +81,27 @@ void DetectHttpClientBodyRegister(void)
sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].flags |= SIGMATCH_NOOPT ;
sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].flags |= SIGMATCH_PAYLOAD ;
DetectMpmAppLayerRegister("http_client_body", SIG_FLAG_TOSERVER,
DETECT_SM_LIST_HCBDMATCH, 2,
DetectAppLayerMpmRegister("http_client_body", SIG_FLAG_TOSERVER, 2,
PrefilterTxHttpRequestBodyRegister);
DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DETECT_SM_LIST_HCBDMATCH,
DetectAppLayerInspectEngineRegister2("http_client_body",
ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DetectEngineInspectHttpClientBody);
DetectBufferTypeSetDescriptionByName("http_client_body",
"http request body");
DetectBufferTypeRegisterSetupCallback("http_client_body",
DetectHttpClientBodySetupCallback);
g_http_client_body_buffer_id = DetectBufferTypeGetByName("http_client_body");
}
static void DetectHttpClientBodySetupCallback(Signature *s)
{
SCLogDebug("callback invoked by %u", s->id);
AppLayerHtpEnableRequestBodyCallback();
return;
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
}
/**
@ -111,9 +121,9 @@ int DetectHttpClientBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_CLIENT_BODY,
DETECT_SM_LIST_HCBDMATCH,
g_http_client_body_buffer_id,
ALPROTO_HTTP,
DetectHttpClientBodySetupCallback);
NULL);
}
/**
@ -141,6 +151,7 @@ void DetectHttpClientBodyFree(void *ptr)
#ifdef UNITTESTS
#include "detect-isdataat.h"
#include "stream-tcp-reassemble.h"
/**
@ -1751,15 +1762,15 @@ int DetectHttpClientBodyTest22(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
goto end;
}
DetectContentData *cd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
if (cd1->flags != 0 || memcmp(cd1->content, "one", cd1->content_len) != 0 ||
cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
@ -1806,15 +1817,15 @@ int DetectHttpClientBodyTest23(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
if (pd1->flags != 0 ||
cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
@ -1860,15 +1871,15 @@ int DetectHttpClientBodyTest24(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
if (pd1->flags != 0 ||
cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
@ -1915,15 +1926,15 @@ int DetectHttpClientBodyTest25(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
if (pd1->flags != DETECT_PCRE_RELATIVE_NEXT ||
cd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
@ -1971,15 +1982,15 @@ int DetectHttpClientBodyTest26(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
cd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
@ -2054,15 +2065,15 @@ int DetectHttpClientBodyTest28(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
cd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
@ -2109,13 +2120,13 @@ int DetectHttpClientBodyTest29(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
goto end;
}
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
if (hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hcbd1->content, "one", hcbd1->content_len) != 0 ||
hcbd2->flags != DETECT_CONTENT_DISTANCE ||
@ -2153,13 +2164,13 @@ int DetectHttpClientBodyTest30(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
goto end;
}
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
if (hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hcbd1->content, "one", hcbd1->content_len) != 0 ||
hcbd2->flags != DETECT_CONTENT_WITHIN ||
@ -2269,21 +2280,21 @@ int DetectHttpClientBodyTest34(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
goto end;
}
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH] == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->type != DETECT_CONTENT ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->type != DETECT_PCRE) {
if (de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id] == NULL ||
de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->type != DETECT_CONTENT ||
de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->type != DETECT_PCRE) {
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hcbd2->flags != DETECT_CONTENT_WITHIN ||
memcmp(hcbd2->content, "two", hcbd2->content_len) != 0) {
@ -2320,21 +2331,21 @@ int DetectHttpClientBodyTest35(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
goto end;
}
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH] == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->type != DETECT_PCRE ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->type != DETECT_CONTENT) {
if (de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id] == NULL ||
de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->type != DETECT_PCRE ||
de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->type != DETECT_CONTENT) {
goto end;
}
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
DetectContentData *hcbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hcbd1->content, "two", hcbd1->content_len) != 0) {
@ -2371,21 +2382,21 @@ int DetectHttpClientBodyTest36(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCBDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_client_body_buffer_id] == NULL\n");
goto end;
}
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH] == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->type != DETECT_CONTENT ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->type != DETECT_PCRE) {
if (de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id] == NULL ||
de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->type != DETECT_CONTENT ||
de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->type != DETECT_PCRE) {
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->prev->ctx;
DetectContentData *hcbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_client_body_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hcbd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(hcbd2->content, "two", hcbd2->content_len) != 0) {
@ -2400,6 +2411,31 @@ int DetectHttpClientBodyTest36(void)
return result;
}
static int DetectHttpClientBodyIsdataatParseTest(void)
{
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
Signature *s = DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any ("
"content:\"one\"; http_client_body; "
"isdataat:!4,relative; sid:1;)");
FAIL_IF_NULL(s);
SigMatch *sm = s->init_data->smlists_tail[g_http_client_body_buffer_id];
FAIL_IF_NULL(sm);
FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
DetectEngineCtxFree(de_ctx);
PASS;
}
#endif /* UNITTESTS */
void DetectHttpClientBodyRegisterTests(void)
@ -2436,6 +2472,10 @@ void DetectHttpClientBodyRegisterTests(void)
UtRegisterTest("DetectHttpClientBodyTest34", DetectHttpClientBodyTest34);
UtRegisterTest("DetectHttpClientBodyTest35", DetectHttpClientBodyTest35);
UtRegisterTest("DetectHttpClientBodyTest36", DetectHttpClientBodyTest36);
UtRegisterTest("DetectHttpClientBodyIsdataatParseTest",
DetectHttpClientBodyIsdataatParseTest);
#endif /* UNITTESTS */
return;

45
src/detect-isdataat.c
Unescape Escape View File

@ -516,50 +516,6 @@ int DetectIsdataatTestParse06(void)
return result;
}
int DetectIsdataatTestParse09(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
Signature *s = NULL;
DetectIsdataatData *data = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:\"one\"; http_client_body; "
"isdataat:!4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
s = de_ctx->sig_list;
if (s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH] == NULL) {
goto end;
}
result = 1;
result &= (s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->type == DETECT_ISDATAAT);
data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx;
if ( !(data->flags & ISDATAAT_RELATIVE) ||
(data->flags & ISDATAAT_RAWBYTES) ||
!(data->flags & ISDATAAT_NEGATED) ) {
result = 0;
goto end;
}
end:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test dns_query with isdataat relative to it
*/
@ -728,7 +684,6 @@ void DetectIsdataatRegisterTests(void)
UtRegisterTest("DetectIsdataatTestParse04", DetectIsdataatTestParse04);
UtRegisterTest("DetectIsdataatTestParse05", DetectIsdataatTestParse05);
UtRegisterTest("DetectIsdataatTestParse06", DetectIsdataatTestParse06);
UtRegisterTest("DetectIsdataatTestParse09", DetectIsdataatTestParse09);
UtRegisterTest("DetectIsdataatTestParse16", DetectIsdataatTestParse16);
UtRegisterTest("DetectIsdataatTestPacket01", DetectIsdataatTestPacket01);

7
src/detect-lua.c
Unescape Escape View File

@ -994,9 +994,10 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
if (lua->flags & DATATYPE_HTTP_RESPONSE_BODY) {
int list = DetectBufferTypeGetByName("file_data");
SigMatchAppendSMToList(s, sm, list);
} else if (lua->flags & DATATYPE_HTTP_REQUEST_BODY)
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCBDMATCH);
else if (lua->flags & DATATYPE_HTTP_URI) {
} else if (lua->flags & DATATYPE_HTTP_REQUEST_BODY) {
int list = DetectBufferTypeGetByName("http_client_body");
SigMatchAppendSMToList(s, sm, list);
} else if (lua->flags & DATATYPE_HTTP_URI) {
int list = DetectBufferTypeGetByName("http_uri");
SigMatchAppendSMToList(s, sm, list);
} else if (lua->flags & DATATYPE_HTTP_URI_RAW)

8
src/detect-parse.c
Unescape Escape View File

@ -142,7 +142,6 @@ const char *DetectListToHumanString(int list)
CASE_CODE_STRING(DETECT_SM_LIST_MATCH, "packet");
CASE_CODE_STRING(DETECT_SM_LIST_PMATCH, "payload");
CASE_CODE_STRING(DETECT_SM_LIST_HRUDMATCH, "http_raw_uri");
CASE_CODE_STRING(DETECT_SM_LIST_HCBDMATCH, "http_client_body");
CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event");
CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer");
CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
@ -174,7 +173,6 @@ const char *DetectListToString(int list)
CASE_CODE(DETECT_SM_LIST_MATCH);
CASE_CODE(DETECT_SM_LIST_PMATCH);
CASE_CODE(DETECT_SM_LIST_HRUDMATCH);
CASE_CODE(DETECT_SM_LIST_HCBDMATCH);
CASE_CODE(DETECT_SM_LIST_APP_EVENT);
CASE_CODE(DETECT_SM_LIST_AMATCH);
CASE_CODE(DETECT_SM_LIST_DMATCH);
@ -1410,8 +1408,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
if (fd->flags & FLOW_PKT_TOCLIENT) {
/* check for request + from_server/to_client */
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL) {
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use uricontent "
"/http_uri , raw_uri, http_client_body, "
"http_method, http_user_agent keywords "
@ -1509,8 +1506,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
}
}
if (s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH])
if (s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH])
{
SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet "
"specific matches (like dsize, flags, ttl) with stream / "

16
src/detect-pcre.c
Unescape Escape View File

@ -471,10 +471,12 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr,
*sm_list = DetectPcreSetList(*sm_list, list);
break;
}
case 'P':
case 'P': {
/* snort's option (http request body inspection) */
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HCBDMATCH);
int list = DetectBufferTypeGetByName("http_client_body");
*sm_list = DetectPcreSetList(*sm_list, list);
break;
}
case 'Q': {
int list = DetectBufferTypeGetByName("file_data");
/* suricata extension (http response body inspection) */
@ -686,8 +688,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
if (DetectPcreParseCapture(regexstr, de_ctx, pd) < 0)
goto error;
if (parsed_sm_list == DETECT_SM_LIST_HRUDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HCBDMATCH)
if (parsed_sm_list == DETECT_SM_LIST_HRUDMATCH)
{
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
@ -710,13 +711,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
sm_list = s->init_data->list;
} else {
switch(parsed_sm_list) {
case DETECT_SM_LIST_HCBDMATCH:
AppLayerHtpEnableRequestBodyCallback();
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = parsed_sm_list;
break;
case DETECT_SM_LIST_HRUDMATCH:
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;

12
src/detect.c
Unescape Escape View File

@ -1912,9 +1912,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
return 0;
@ -1990,9 +1987,6 @@ static int SignatureIsPDOnly(const Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
return 0;
@ -2096,7 +2090,6 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
{
SCReturnInt(0);
@ -2250,11 +2243,6 @@ static int SignatureCreateMask(Signature *s)
SCLogDebug("sig requires dce state");
}
if (s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
SCLogDebug("sig requires http app state");
}
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
SCLogDebug("sig requires http app state");

2
src/detect.h
Unescape Escape View File

@ -117,8 +117,6 @@ enum DetectSigmatchListEnum {
/* list for http_raw_uri keyword and the ones relative to it */
DETECT_SM_LIST_HRUDMATCH = DETECT_SM_LIST_BUILTIN_MAX,
/* list for http_client_body keyword and the ones relative to it */
DETECT_SM_LIST_HCBDMATCH,
/* app event engine sm list */
DETECT_SM_LIST_APP_EVENT,

Write Preview
Loading…
Cancel
Save