aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add pcre negate support.

Browse Source
remotes/origin/master-1.0.x
Victor Julien 16 years ago
parent 1d553c940b
commit ef6ab4efa0
2 changed files with 94 additions and 60 deletions
Show Stats Download Patch File Download Diff File

49
src/detect-pcre.c
Unescape Escape View File

@ -113,6 +113,8 @@ error:
int DetectPcreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *m) int DetectPcreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *m)
{ {
SCEnter();
#define MAX_SUBSTRINGS 30 #define MAX_SUBSTRINGS 30
int ret = 0; int ret = 0;
int ov[MAX_SUBSTRINGS]; int ov[MAX_SUBSTRINGS];
@ -120,7 +122,7 @@ int DetectPcreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, S
uint16_t len = 0; uint16_t len = 0;
if (p->payload_len == 0) if (p->payload_len == 0)
return 0; SCReturnInt(0);
DetectPcreData *pe = (DetectPcreData *)m->ctx; DetectPcreData *pe = (DetectPcreData *)m->ctx;
if (s->flags & SIG_FLAG_RECURSIVE) { if (s->flags & SIG_FLAG_RECURSIVE) {
@ -130,7 +132,7 @@ int DetectPcreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, S
ptr = det_ctx->pkt_ptr; ptr = det_ctx->pkt_ptr;
len = p->payload_len - det_ctx->pkt_off; len = p->payload_len - det_ctx->pkt_off;
if (ptr == NULL || len == 0) if (ptr == NULL || len == 0)
return 0; SCReturnInt(0);
} else { } else {
ptr = p->payload; ptr = p->payload;
len = p->payload_len; len = p->payload_len;
@ -139,7 +141,21 @@ int DetectPcreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, S
//printf("DetectPcre: ptr %p, len %" PRIu32 "\n", ptr, len); //printf("DetectPcre: ptr %p, len %" PRIu32 "\n", ptr, len);
ret = pcre_exec(pe->re, pe->sd, (char *)ptr, len, 0, 0, ov, MAX_SUBSTRINGS); ret = pcre_exec(pe->re, pe->sd, (char *)ptr, len, 0, 0, ov, MAX_SUBSTRINGS);
if (ret >= 0) { SCLogDebug("ret %d (negating %s)", ret, pe->negate ? "set" : "not set");
if (ret == PCRE_ERROR_NOMATCH) {
if (pe->negate == 1) {
/* regex didn't match with negate option means we consider it a match */
ret = 1;
} else {
ret = 0;
}
} else if (ret >= 0) {
if (pe->negate == 1) {
/* regex matched but we're negated, so not considering it a match */
ret = 0;
} else {
/* regex matched and we're not negated, considering it a match */
if (ret > 1 && pe->capidx != 0) { if (ret > 1 && pe->capidx != 0) {
const char *str_ptr; const char *str_ptr;
ret = pcre_get_substring((char *)ptr, ov, MAX_SUBSTRINGS, 1, &str_ptr); ret = pcre_get_substring((char *)ptr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
@ -193,19 +209,20 @@ int DetectPcreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, S
} }
} }
} }
/* update ptrs for pcre RELATIVE */ /* update ptrs for pcre RELATIVE */
det_ctx->pkt_ptr = ptr+ov[1]; det_ctx->pkt_ptr = ptr+ov[1];
det_ctx->pkt_off = (ptr+ov[1]) - p->payload; det_ctx->pkt_off = (ptr+ov[1]) - p->payload;
//printf("DetectPcre: post match: t->pkt_ptr %p t->pkt_off %" PRIu32 "\n", t->pkt_ptr, t->pkt_off); //printf("DetectPcre: post match: t->pkt_ptr %p t->pkt_off %" PRIu32 "\n", t->pkt_ptr, t->pkt_off);
ret = 1; ret = 1;
}
} else { } else {
SCLogDebug("pcre had matching error");
ret = 0; ret = 0;
} }
//printf("DetectPcreMatch: ret %" PRId32 "\n", ret); SCReturnInt(ret);
return ret;
} }
DetectPcreData *DetectPcreParse (char *regexstr) DetectPcreData *DetectPcreParse (char *regexstr)
@ -220,7 +237,20 @@ DetectPcreData *DetectPcreParse (char *regexstr)
int ret = 0, res = 0; int ret = 0, res = 0;
int ov[MAX_SUBSTRINGS]; int ov[MAX_SUBSTRINGS];
ret = pcre_exec(parse_regex, parse_regex_study, regexstr, strlen(regexstr), 0, 0, ov, MAX_SUBSTRINGS); uint16_t slen = strlen(regexstr);
uint16_t pos = 0;
uint8_t negate = 0;
while (pos < slen && isspace(regexstr[pos])) {
pos++;
}
if (regexstr[pos] == '!') {
negate = 1;
pos++;
}
ret = pcre_exec(parse_regex, parse_regex_study, regexstr+pos, slen-pos, 0, 0, ov, MAX_SUBSTRINGS);
if (ret < 0) { if (ret < 0) {
goto error; goto error;
} }
@ -252,6 +282,9 @@ DetectPcreData *DetectPcreParse (char *regexstr)
} }
memset(pd, 0, sizeof(DetectPcreData)); memset(pd, 0, sizeof(DetectPcreData));
if (negate)
pd->negate = 1;
if (op != NULL) { if (op != NULL) {
while (*op) { while (*op) {
SCLogDebug("regex option %c", *op); SCLogDebug("regex option %c", *op);
@ -759,7 +792,7 @@ static int DetectPcreTestSig03Real(int mpm_type) {
de_ctx->mpm_matcher = mpm_type; de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"GET\"; pcre:\"!/two/\"; sid:1;)"); de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"GET\"; pcre:!\"/two/\"; sid:1;)");
if (de_ctx->sig_list == NULL) { if (de_ctx->sig_list == NULL) {
result = 0; result = 0;
goto end; goto end;

1
src/detect-pcre.h
Unescape Escape View File

@ -28,6 +28,7 @@ typedef struct DetectPcreData_ {
int32_t distance; int32_t distance;
uint16_t flags; uint16_t flags;
uint8_t negate;
char *capname; char *capname;
uint16_t capidx; uint16_t capidx;

Write Preview
Loading…
Cancel
Save