diff --git a/src/detect-dns-query.c b/src/detect-dns-query.c
index 8f1c6597fe..2ecc23547f 100644
--- a/src/detect-dns-query.c
+++ b/src/detect-dns-query.c
@@ -89,10 +89,8 @@ void DetectDnsQueryRegister (void) {
 static int DetectDnsQuerySetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
 {
- return DetectEngineContentModifierBufferSetup(de_ctx, s, str,
- DETECT_AL_DNS_QUERY,
- DETECT_SM_LIST_DNSQUERY_MATCH,
- ALPROTO_DNS, NULL);
+ s->list = DETECT_SM_LIST_DNSQUERY_MATCH;
+ return 0;
 }
 /**
@@ -170,7 +168,7 @@ static int DetectDnsQueryTest01(void) {
 s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
 "(msg:\"Test dns_query option\"; "
- "content:\"google\"; nocase; dns_query; sid:1;)");
+ "dns_query; content:\"google\"; nocase; sid:1;)");
 if (s == NULL) {
 goto end;
 }
@@ -288,13 +286,13 @@ static int DetectDnsQueryTest02(void) {
 s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
 "(msg:\"Test dns_query option\"; "
- "content:\"google.com\"; nocase; dns_query; sid:1;)");
+ "dns_query; content:\"google.com\"; nocase; sid:1;)");
 if (s == NULL) {
 goto end;
 }
 s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
 "(msg:\"Test dns_query option\"; "
- "content:\"google.net\"; nocase; dns_query; sid:2;)");
+ "dns_query; content:\"google.net\"; nocase; sid:2;)");
 if (s == NULL) {
 goto end;
 }
@@ -518,7 +516,7 @@ static int DetectDnsQueryTest04(void) {
 s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
 "(msg:\"Test dns_query option\"; "
- "content:\"google\"; nocase; dns_query; sid:1;)");
+ "dns_query; content:\"google\"; nocase; sid:1;)");
 if (s == NULL) {
 goto end;
 }
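Review bot: The new DetectDnsQuerySetup body sets nothing but `s->list`: the removed DetectEngineContentModifierBufferSetup call received ALPROTO_DNS and presumably bound the rule to that protocol, whereas the replacement neither sets `s->alproto` nor rejects a rule already bound to a different protocol, nor one that already has another sticky buffer selected in `s->list`. The equivalent checks that lived in DetectPcreSetup are deleted by the -697 hunk of src/detect-pcre.c in this same commit, so after this change a rule such as `alert tcp ... dns_query; ...` — the exact form the new DetectIsdataatTestParse16 uses — loads silently, and a `dns_query` that follows `file_data` overwrites the earlier selection without complaint. Keeping that validation in the sticky-buffer setup preserves the parse-time error instead of relying on the BUG_ON in DetectPatternGetId to catch bad combinations at engine init. Since dns_query takes no value, a non-empty `str` could be rejected in the same place.
```c
static int DetectDnsQuerySetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
{
    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DNS) {
        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "dns_query used in a rule "
                "that is bound to a different protocol");
        return -1;
    }
    if (s->list != DETECT_SM_LIST_NOTSET) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "dns_query used while another "
                "sticky buffer is already selected");
        return -1;
    }
    s->alproto = ALPROTO_DNS;
    s->flags |= SIG_FLAG_APPLAYER;
    s->list = DETECT_SM_LIST_DNSQUERY_MATCH;
    return 0;
}
```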
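Review bot: The updated rule strings in DetectDnsQueryTest01, and likewise Test02 and Test04 below and Test05–Test07 in the next hunks, only cover the new `dns_query; content:...` order; nothing checks what happens to a rule still written in the old modifier order `content:"google"; nocase; dns_query;`. With the new setup that order presumably still parses, but the content is added before `s->list` is set and so lands in the payload list, while dns_query selects a buffer that nothing follows — an existing ruleset would stop alerting on DNS names silently rather than failing to load. A test asserting that the old order either is rejected or no longer matches the query buffer would pin that behaviour and make the break visible in the changelog.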
@@ -663,13 +661,13 @@ static int DetectDnsQueryTest05(void) {
 s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
 "(msg:\"Test dns_query option\"; "
- "content:\"google.com\"; nocase; dns_query; sid:1;)");
+ "dns_query; content:\"google.com\"; nocase; sid:1;)");
 if (s == NULL) {
 goto end;
 }
 s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
 "(msg:\"Test dns_query option\"; "
- "content:\"google.net\"; nocase; dns_query; sid:2;)");
+ "dns_query; content:\"google.net\"; nocase; sid:2;)");
 if (s == NULL) {
 goto end;
 }
@@ -813,15 +811,15 @@ static int DetectDnsQueryTest06(void) {
 s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
 "(msg:\"Test dns_query option\"; "
- "content:\"google\"; nocase; dns_query; "
- "pcre:\"/google\\.com$/iF\"; sid:1;)");
+ "dns_query; content:\"google\"; nocase; "
+ "pcre:\"/google\\.com$/i\"; sid:1;)");
 if (s == NULL) {
 goto end;
 }
 s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
 "(msg:\"Test dns_query option\"; "
- "content:\"google\"; nocase; dns_query; "
- "pcre:\"/^\\.[a-z]{2,3}$/iRF\"; sid:2;)");
+ "dns_query; content:\"google\"; nocase; "
+ "pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
 if (s == NULL) {
 goto end;
 }
@@ -945,13 +943,13 @@ static int DetectDnsQueryTest07(void) {
 s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
 "(msg:\"Test dns_query option\"; "
- "content:\"google.com\"; nocase; dns_query; sid:1;)");
+ "dns_query; content:\"google.com\"; nocase; sid:1;)");
 if (s == NULL) {
 goto end;
 }
 s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
 "(msg:\"Test dns_query option\"; "
- "content:\"google.net\"; nocase; dns_query; sid:2;)");
+ "dns_query; content:\"google.net\"; nocase; sid:2;)");
 if (s == NULL) {
 goto end;
 }
diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c
index 01c8ac80c3..23b10fe79b 100644
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
@@ -2896,7 +2896,7 @@ uint32_t DetectPatternGetId(MpmPatternIdStore *ht, void *ctx, Signature *s, uint
 r = HashTableLookup(ht->hash, (void *)e, sizeof(MpmPatternIdTableElmt));
 if (r == NULL) {
 if (s->list != DETECT_SM_LIST_NOTSET) {
- BUG_ON((sm_list != DETECT_SM_LIST_HSBDMATCH) && (sm_list != DETECT_SM_LIST_DMATCH));
+ BUG_ON(sm_list != DETECT_SM_LIST_HSBDMATCH && sm_list != DETECT_SM_LIST_DMATCH && sm_list != DETECT_SM_LIST_DNSQUERY_MATCH);
 e->id = ht->max_id;
 ht->max_id++;
 id = e->id;
diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c
index 45b6fc768e..a62a5331d9 100644
--- a/src/detect-isdataat.c
+++ b/src/detect-isdataat.c
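Review bot: The extended BUG_ON on the new line is now the only place that enumerates which sticky-buffer lists may reach DetectPatternGetId with `s->list` set, and a rule that selects a list outside this set aborts the whole engine at rule load rather than being rejected by the keyword's own setup. That is fine as an internal invariant, but it needs a comment so the next sticky buffer is added here too: `/* every list a sticky buffer can select must appear here; the keyword setup is expected to reject anything else at parse time */`. Factoring the three comparisons into a small static helper returning bool would also keep the line readable as the list grows. DetectPatternGetId starts before and continues after this hunk.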
@@ -1054,6 +1054,56 @@ static int DetectIsdataatTestParse15(void)
 return result;
 }
+/**
+ * \test dns_query with isdataat relative to it
+ */
+static int DetectIsdataatTestParse16(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ DetectIsdataatData *data = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing dns_query and isdataat\"; "
+ "dns_query; isdataat:!4,relative; sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ printf("sig parse: ");
+ goto end;
+ }
+
+ s = de_ctx->sig_list;
+ if (s->sm_lists_tail[DETECT_SM_LIST_DNSQUERY_MATCH] == NULL) {
+ printf("dns_query list empty: ");
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_DNSQUERY_MATCH]->type != DETECT_ISDATAAT) {
+ printf("last dns_query body sm not isdataat: ");
+ goto end;
+ }
+
+ data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_DNSQUERY_MATCH]->ctx;
+ if ( !(data->flags & ISDATAAT_RELATIVE) ||
+ (data->flags & ISDATAAT_RAWBYTES) ||
+ !(data->flags & ISDATAAT_NEGATED) ) {
+ goto end;
+ }
+
+ result = 1;
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
 /**
 * \test DetectIsdataatTestPacket01 is a test to check matches of
 * isdataat, and isdataat relative
@@ -1177,6 +1227,7 @@ void DetectIsdataatRegisterTests(void) {
 UtRegisterTest("DetectIsdataatTestParse13", DetectIsdataatTestParse13, 1);
 UtRegisterTest("DetectIsdataatTestParse14", DetectIsdataatTestParse14, 1);
 UtRegisterTest("DetectIsdataatTestParse15", DetectIsdataatTestParse15, 1);
+ UtRegisterTest("DetectIsdataatTestParse16", DetectIsdataatTestParse16, 1);
 UtRegisterTest("DetectIsdataatTestPacket01", DetectIsdataatTestPacket01, 1);
 UtRegisterTest("DetectIsdataatTestPacket02", DetectIsdataatTestPacket02, 1);
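Review bot: The new DetectIsdataatTestParse16 writes its rule as `alert tcp any any -> any any` although it uses `dns_query`, so the test only passes because DetectDnsQuerySetup in this commit no longer binds or validates the rule protocol; it would break as soon as that validation is restored and, as written, it documents the permissive behaviour as intended. Using `"alert dns any any -> any any "` keeps the test about isdataat being appended to DETECT_SM_LIST_DNSQUERY_MATCH. The final flags check also jumps to `end` without a printf, unlike the three checks before it, so a failure there prints nothing that identifies it; `printf("isdataat flags wrong: ");` before that `goto end;` would match the rest of the test.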
diff --git a/src/detect-pcre.c b/src/detect-pcre.c
index 4d03e0e0d8..e496d8f046 100644
--- a/src/detect-pcre.c
+++ b/src/detect-pcre.c
@@ -471,10 +471,6 @@ DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr)
 /* snort's option */
 pd->flags |= DETECT_PCRE_HTTP_STAT_CODE;
 break;
- case 'F':
- /* suricata extension (dns query name) */
- pd->flags |= DETECT_PCRE_DNS_QUERY;
- break;
 default:
 SCLogError(SC_ERR_UNKNOWN_REGEX_MOD, "unknown regex modifier '%c'", *op);
 goto error;
@@ -697,22 +693,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
 }
 }
- if (pd->flags & DETECT_PCRE_DNS_QUERY) {
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DNS) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
- "Conflicting alprotos detected for this rule. Dns "
- "pcre modifier found along with a different protocol "
- "for the rule.");
- goto error;
- }
- if (s->list != DETECT_SM_LIST_NOTSET) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre found with dns "
- "modifier set, with file_data/dce_stub_data sticky "
- "option set.");
- goto error;
- }
- }
-
 int sm_list;
 if (s->list != DETECT_SM_LIST_NOTSET) {
 if (s->list == DETECT_SM_LIST_HSBDMATCH) {
@@ -720,6 +700,8 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
 AppLayerHtpEnableResponseBodyCallback();
 } else if (s->list == DETECT_SM_LIST_DMATCH) {
 SCLogDebug("adding to dmatch list because of dce_stub_data");
+ } else if (s->list == DETECT_SM_LIST_DNSQUERY_MATCH) {
+ SCLogDebug("adding to DETECT_SM_LIST_DNSQUERY_MATCH list because of dns_query");
 }
 s->flags |= SIG_FLAG_APPLAYER;
 sm_list = s->list;
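Review bot: Removing `case 'F'` from DetectPcreParse turns every existing rule that uses the `F` pcre modifier into a load-time "unknown regex modifier" error with no hint that the dns_query sticky buffer replaced it, so a ruleset migration has to be coordinated with this release and, depending on how rule-load errors are handled, whole rule files may be dropped. Keeping the case as an explicit rejection makes the migration self-explanatory: `case 'F': SCLogError(SC_ERR_UNKNOWN_REGEX_MOD, "pcre modifier 'F' is no longer supported, use the dns_query sticky buffer"); goto error;`. The removal should also be recorded in the changelog and in the dns_query keyword documentation. DetectPcreParse continues on both sides of this hunk.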
@@ -786,11 +768,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
 s->flags |= SIG_FLAG_APPLAYER;
 s->alproto = ALPROTO_HTTP;
 sm_list = DETECT_SM_LIST_HUADMATCH;
- } else if (pd->flags & DETECT_PCRE_DNS_QUERY) {
- SCLogDebug("DNS query inspection modifier set on pcre");
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_DNS;
- sm_list = DETECT_SM_LIST_DNSQUERY_MATCH;
 } else {
 sm_list = DETECT_SM_LIST_PMATCH;
 }
diff --git a/src/detect-pcre.h b/src/detect-pcre.h
index 56c62cc3c6..986ca0a3d5 100644
--- a/src/detect-pcre.h
+++ b/src/detect-pcre.h
@@ -52,8 +52,6 @@
 #define DETECT_PCRE_NEGATE 0x80000
 #define DETECT_PCRE_CASELESS 0x100000
-#define DETECT_PCRE_DNS_QUERY 0x200000
-
 typedef struct DetectPcreData_ {
 /* pcre options */
 pcre *re;