aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fixes the offset case for content matches + a case not handled by the prevous fix for multiple relative content matches. fix for payload.c dcepayload.c and uri.c

Browse Source
remotes/origin/master-1.0.x
Anoop Saldanha 15 years ago committed by Victor Julien
parent 92eb380594
commit fa373516c5
3 changed files with 236 additions and 9 deletions
Show Stats Download Patch File Download Diff File

108
src/detect-engine-dcepayload.c
Unescape Escape View File

@ -169,7 +169,8 @@ static int DoInspectDcePayload(DetectEngineCtx *de_ctx,
* matches after the first occurence. */
SCLogDebug("offset %"PRIu32", prev_offset %"PRIu32, offset,
prev_offset);
offset += prev_offset;
if (prev_offset != 0)
offset = prev_offset;
SCLogDebug("offset %"PRIu32", depth %"PRIu32, offset, depth);
@ -178,6 +179,8 @@ static int DoInspectDcePayload(DetectEngineCtx *de_ctx,
/* if offset is bigger than depth we can never match on a
* pattern. We can however, "match" on a negated pattern. */
/* \todo why isn't it >= ?. Same question applies for
* detect-engine-dcepayload.c and detect-engine-uri.c */
if (offset > depth || depth == 0) {
if (cd->flags & DETECT_CONTENT_NEGATED) {
goto match;
@ -241,8 +244,7 @@ static int DoInspectDcePayload(DetectEngineCtx *de_ctx,
}
/* set the previous match offset to the start of this match + 1 */
prev_offset += (match_offset - (cd->content_len - 1));
prev_offset -= (prev_payload_offset);
prev_offset = (match_offset - (cd->content_len - 1));
SCLogDebug("trying to see if there is another match after "
"prev_offset %"PRIu32, prev_offset);
}
@ -7706,6 +7708,105 @@ end:
return result;
}
/**
* \test Test the working of consecutive relative matches with offset.
*/
int DcePayloadTest24(void)
{
int result = 0;
uint8_t request1[] = {
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, /* " " */
0x20, 0x74, 0x68, 0x75, 0x73, 0x20, 0x74, 0x68, /* " thus th" */
0x75, 0x73, 0x20, 0x69, 0x73, 0x20, 0x61, 0x20, /* "us is a " */
0x62, 0x69, 0x67 }; /* "big" */
uint32_t request1_len = sizeof(request1);
TcpSession ssn;
Packet p;
ThreadVars tv;
DetectEngineCtx *de_ctx = NULL;
DetectEngineThreadCtx *det_ctx = NULL;
Flow f;
int r;
char *sig1 = "alert tcp any any -> any any "
"(msg:\"testing dce consecutive relative matches\"; dce_stub_data; "
"content:thus; offset:8; content:is; within:6; "
"content:big; within:8; sid:1;)";
Signature *s;
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
memset(&p, 0, sizeof(Packet));
p.src.family = AF_INET;
p.dst.family = AF_INET;
p.payload = NULL;
p.payload_len = 0;
p.proto = IPPROTO_TCP;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.src.family = AF_INET;
f.dst.family = AF_INET;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
FlowL7DataPtrInit(&f);
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, sig1);
s = de_ctx->sig_list;
if (s == NULL)
goto end;
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
/* request 1 */
r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, &p);
if (!(PacketAlertCheck(&p, 1))) {
printf("sid 1 didn't match but should have for packet: ");
goto end;
}
result = 1;
end:
if (de_ctx != NULL) {
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
}
FlowL7DataPtrFree(&f);
StreamTcpFreeConfig(TRUE);
return result;
}
#endif /* UNITTESTS */
void DcePayloadRegisterTests(void)
@ -7735,6 +7836,7 @@ void DcePayloadRegisterTests(void)
UtRegisterTest("DcePayloadTest21", DcePayloadTest21, 1);
UtRegisterTest("DcePayloadTest22", DcePayloadTest22, 1);
UtRegisterTest("DcePayloadTest23", DcePayloadTest23, 1);
UtRegisterTest("DcePayloadTest24", DcePayloadTest24, 1);
#endif /* UNITTESTS */
return;

35
src/detect-engine-payload.c
Unescape Escape View File

@ -153,7 +153,8 @@ static int DoInspectPacketPayload(DetectEngineCtx *de_ctx,
/* update offset with prev_offset if we're searching for
* matches after the first occurence. */
SCLogDebug("offset %"PRIu32", prev_offset %"PRIu32, offset, prev_offset);
offset += prev_offset;
if (prev_offset != 0)
offset = prev_offset;
SCLogDebug("offset %"PRIu32", depth %"PRIu32, offset, depth);
@ -179,6 +180,9 @@ static int DoInspectPacketPayload(DetectEngineCtx *de_ctx,
//PrintRawDataFp(stdout,cd->content,cd->content_len);
//PrintRawDataFp(stdout,spayload,spayload_len);
/* \todo Add another optimization here. If cd->content_len is
* greater than spayload_len found is anyways NULL */
/* do the actual search */
if (cd->flags & DETECT_CONTENT_NOCASE)
found = BoyerMooreNocase(cd->content, cd->content_len, spayload, spayload_len, cd->bm_ctx->bmGs, cd->bm_ctx->bmBc);
@ -219,8 +223,7 @@ static int DoInspectPacketPayload(DetectEngineCtx *de_ctx,
}
/* set the previous match offset to the start of this match + 1 */
prev_offset += (match_offset - (cd->content_len - 1));
prev_offset -= (prev_payload_offset);
prev_offset = (match_offset - (cd->content_len - 1));
SCLogDebug("trying to see if there is another match after prev_offset %"PRIu32, prev_offset);
}
@ -510,6 +513,31 @@ end:
return result;
}
/**
* \test Test multiple relative matches.
*/
static int PayloadTestSig07(void)
{
uint8_t *buf = (uint8_t *)" thus thus is a big";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:thus; offset:8; content:is; within:6; content:big; within:8; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
#endif /* UNITTESTS */
void PayloadRegisterTests(void) {
@ -520,5 +548,6 @@ void PayloadRegisterTests(void) {
UtRegisterTest("PayloadTestSig04", PayloadTestSig04, 1);
UtRegisterTest("PayloadTestSig05", PayloadTestSig05, 1);
UtRegisterTest("PayloadTestSig06", PayloadTestSig06, 1);
UtRegisterTest("PayloadTestSig07", PayloadTestSig07, 1);
#endif /* UNITTESTS */
}

102
src/detect-engine-uri.c
Unescape Escape View File

@ -158,7 +158,8 @@ static int DoInspectPacketUri(DetectEngineCtx *de_ctx,
/* update offset with prev_offset if we're searching for
* matches after the first occurence. */
SCLogDebug("offset %"PRIu32", prev_offset %"PRIu32, prev_offset, depth);
offset += prev_offset;
if (prev_offset != 0)
offset = prev_offset;
SCLogDebug("offset %"PRIu32", depth %"PRIu32, offset, depth);
@ -198,6 +199,7 @@ static int DoInspectPacketUri(DetectEngineCtx *de_ctx,
} else if (found == NULL && ud->flags & DETECT_URICONTENT_NEGATED) {
goto match;
} else if (found != NULL && ud->flags & DETECT_URICONTENT_NEGATED) {
/* why are we saving match offset here? */
match_offset = (uint32_t)((found - payload) + ud->uricontent_len);
SCLogDebug("uricontent %"PRIu32" matched at offset %"PRIu32", but negated so no match", ud->id, match_offset);
SCReturnInt(0);
@ -223,8 +225,7 @@ static int DoInspectPacketUri(DetectEngineCtx *de_ctx,
}
/* set the previous match offset to the start of this match + 1 */
prev_offset += (match_offset - (ud->uricontent_len - 1));
prev_offset -= (prev_payload_offset);
prev_offset = (match_offset - (ud->uricontent_len - 1));
SCLogDebug("trying to see if there is another match after prev_offset %"PRIu32, prev_offset);
}
@ -2587,6 +2588,100 @@ end:
return result;
}
/**
* \test Test multiple relative contents with offset
*/
static int UriTestSig20(void)
{
int result = 0;
uint8_t *http_buf = (uint8_t *)"POST /_________thus_thus_is_a_big HTTP/1.0\r\n"
"User-Agent: Mozilla/1.0\r\n";
uint32_t http_buf_len = strlen((char *)http_buf);
Flow f;
TcpSession ssn;
HtpState *http_state = NULL;
Packet p;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
memset(&tv, 0, sizeof(ThreadVars));
memset(&p, 0, sizeof(Packet));
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
p.src.family = AF_INET;
p.dst.family = AF_INET;
p.payload = http_buf;
p.payload_len = http_buf_len;
p.proto = IPPROTO_TCP;
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.src.family = AF_INET;
f.dst.family = AF_INET;
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
FlowL7DataPtrInit(&f);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->mpm_matcher = MPM_B2G;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"test multiple relative uricontents\"; "
"uricontent:thus; offset:8; "
"uricontent:is; within:6; "
"uricontent:big; within:8; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_buf_len);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
goto end;
}
http_state = f.aldata[AlpGetStateIdx(ALPROTO_HTTP)];
if (http_state == NULL) {
printf("no http state: ");
goto end;
}
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, &p);
if (!PacketAlertCheck(&p, 1)) {
printf("sig 1 alerted, but it should not: ");
goto end;
}
result = 1;
end:
if (det_ctx != NULL)
DetectEngineThreadCtxDeinit(&tv, det_ctx);
if (de_ctx != NULL)
SigGroupCleanup(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
return result;
}
#endif /* UNITTESTS */
void UriRegisterTests(void)
@ -2612,6 +2707,7 @@ void UriRegisterTests(void)
UtRegisterTest("UriTestSig17", UriTestSig17, 1);
UtRegisterTest("UriTestSig18", UriTestSig18, 1);
UtRegisterTest("UriTestSig19", UriTestSig19, 1);
UtRegisterTest("UriTestSig20", UriTestSig20, 1);
#endif /* UNITTESTS */
return;

Write Preview
Loading…
Cancel
Save