aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Some code refactoring

Browse Source
remotes/origin/master-1.0.x
Anoop Saldanha 16 years ago committed by Victor Julien
parent 4edcc530ec
commit fbc4d11ed4
4 changed files with 110 additions and 58 deletions
Show Stats Download Patch File Download Diff File

32
src/detect-engine-address.c
Unescape Escape View File

@ -653,7 +653,9 @@ error:
}
/* XXX error handling */
int DetectAddressParse2(DetectAddressGroupsHead *gh, DetectAddressGroupsHead *ghn, char *s,int negate) {
int DetectAddressParse2(DetectAddressGroupsHead *gh,
DetectAddressGroupsHead *ghn,
char *s, int negate) {
int i, x;
int o_set = 0, n_set = 0;
int depth = 0;
@ -675,10 +677,10 @@ int DetectAddressParse2(DetectAddressGroupsHead *gh, DetectAddressGroupsHead *gh
depth++;
} else if (s[i] == ']') {
if (depth == 1) {
address[x-1] = '\0';
address[x - 1] = '\0';
x = 0;
DetectAddressParse2(gh,ghn,address,negate ? negate : n_set);
DetectAddressParse2(gh, ghn, address, negate? negate: n_set);
n_set = 0;
}
depth--;
@ -686,24 +688,24 @@ int DetectAddressParse2(DetectAddressGroupsHead *gh, DetectAddressGroupsHead *gh
if (o_set == 1) {
o_set = 0;
} else {
address[x-1] = '\0';
address[x - 1] = '\0';
if (negate == 0 && n_set == 0) {
DetectAddressGroupSetup(gh,address);
DetectAddressGroupSetup(gh, address);
} else {
DetectAddressGroupSetup(ghn,address);
DetectAddressGroupSetup(ghn, address);
}
n_set = 0;
}
x = 0;
} else if (depth == 0 && i == size-1) {
} else if (depth == 0 && i == size - 1) {
address[x] = '\0';
x = 0;
if (negate == 0 && n_set == 0) {
DetectAddressGroupSetup(gh,address);
DetectAddressGroupSetup(gh, address);
} else {
DetectAddressGroupSetup(ghn,address);
DetectAddressGroupSetup(ghn, address);
}
n_set = 0;
}
@ -867,19 +869,20 @@ int DetectAddressGroupParse(DetectAddressGroupsHead *gh, char *str) {
goto error;
}
r = DetectAddressParse2(gh,ghn,str,/* start with negate no */0);
r = DetectAddressParse2(gh, ghn, str,/* start with negate no */0);
if (r < 0) {
goto error;
}
/* merge the 'not' address groups */
if (DetectAddressGroupMergeNot(gh,ghn) < 0) {
if (DetectAddressGroupMergeNot(gh, ghn) < 0) {
goto error;
}
/* free the temp negate head */
DetectAddressGroupsHeadFree(ghn);
return 0;
error:
DetectAddressGroupsHeadFree(ghn);
return -1;
@ -887,14 +890,15 @@ error:
DetectAddressGroupsHead *DetectAddressGroupsHeadInit(void) {
DetectAddressGroupsHead *gh = malloc(sizeof(DetectAddressGroupsHead));
if (gh == NULL) {
if (gh == NULL)
return NULL;
}
memset(gh,0,sizeof(DetectAddressGroupsHead));
memset(gh, 0, sizeof(DetectAddressGroupsHead));
#ifdef DEBUG
detect_address_group_head_init_cnt++;
detect_address_group_head_memory += sizeof(DetectAddressGroupsHead);
#endif
return gh;
}

33
src/detect-engine-proto.c
Unescape Escape View File

@ -36,7 +36,11 @@ DetectProto *DetectProtoInit(void) {
return dp;
}
/* free a DetectAddressGroup object */
/**
* \brief Free a DetectAddressGroup object
*
* \param dp Pointer to the DetectProto instance to be freed
*/
void DetectProtoFree(DetectProto *dp) {
if (dp == NULL)
return;
@ -44,24 +48,33 @@ void DetectProtoFree(DetectProto *dp) {
free(dp);
}
/**
* \brief Parses a protocol sent as a string.
*
* \param dp Pointer to the DetectProto instance which will be updated with the
* incoming protocol information.
* \param str Pointer to the string containing the protocol name.
*
* \retval 0 Always return 0.
*/
int DetectProtoParse(DetectProto *dp, char *str) {
int proto;
if (strcasecmp(str,"tcp") == 0) {
if (strcasecmp(str, "tcp") == 0) {
proto = IPPROTO_TCP;
dp->proto[(proto/8)] |= 1<<(proto%8);
} else if (strcasecmp(str,"udp") == 0) {
dp->proto[proto / 8] |= 1 << (proto % 8);
} else if (strcasecmp(str, "udp") == 0) {
proto = IPPROTO_UDP;
dp->proto[(proto/8)] |= 1<<(proto%8);
} else if (strcasecmp(str,"icmp") == 0) {
dp->proto[proto / 8] |= 1 << (proto % 8);
} else if (strcasecmp(str, "icmp") == 0) {
proto = IPPROTO_ICMP;
dp->proto[(proto/8)] |= 1<<(proto%8);
} else if (strcasecmp(str,"ip") == 0) {
dp->proto[proto / 8] |= 1 << (proto % 8);
} else if (strcasecmp(str, "ip") == 0) {
dp->flags |= DETECT_PROTO_ANY;
memset(&dp->proto,0xFF,sizeof(dp->proto));
memset(&dp->proto, 0xFF, sizeof(dp->proto));
} else {
proto = atoi(str);
dp->proto[(proto/8)] |= 1<<(proto%8);
dp->proto[proto / 8] |= 1 << (proto % 8);
}
return 0;

81
src/detect-parse.c
Unescape Escape View File

@ -238,24 +238,24 @@ error:
int SigParseAddress(Signature *s, const char *addrstr, char flag) {
char *addr = NULL;
if (strcmp(addrstr,"$HOME_NET") == 0) {
if (strcmp(addrstr, "$HOME_NET") == 0) {
addr = "[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:13c5:5AFE::/64,2001:888:13c5:CAFE::/64]";
// addr = "[192.168.0.0/16,10.8.0.0/16,2001:888:13c5:5AFE::/64,2001:888:13c5:CAFE::/64]";
} else if (strcmp(addrstr,"$EXTERNAL_NET") == 0) {
//addr = "[192.168.0.0/16,10.8.0.0/16,2001:888:13c5:5AFE::/64,2001:888:13c5:CAFE::/64]";
} else if (strcmp(addrstr, "$EXTERNAL_NET") == 0) {
addr = "[!192.168.0.0/16,2000::/3]";
} else if (strcmp(addrstr,"$HTTP_SERVERS") == 0) {
} else if (strcmp(addrstr, "$HTTP_SERVERS") == 0) {
addr = "!192.168.0.0/16";
} else if (strcmp(addrstr,"$SMTP_SERVERS") == 0) {
} else if (strcmp(addrstr, "$SMTP_SERVERS") == 0) {
addr = "!192.168.0.0/16";
} else if (strcmp(addrstr,"$SQL_SERVERS") == 0) {
} else if (strcmp(addrstr, "$SQL_SERVERS") == 0) {
addr = "!192.168.0.0/16";
} else if (strcmp(addrstr,"$DNS_SERVERS") == 0) {
} else if (strcmp(addrstr, "$DNS_SERVERS") == 0) {
addr = "any";
} else if (strcmp(addrstr,"$TELNET_SERVERS") == 0) {
} else if (strcmp(addrstr, "$TELNET_SERVERS") == 0) {
addr = "any";
} else if (strcmp(addrstr,"$AIM_SERVERS") == 0) {
} else if (strcmp(addrstr, "$AIM_SERVERS") == 0) {
addr = "any";
} else if (strcmp(addrstr,"any") == 0) {
} else if (strcmp(addrstr, "any") == 0) {
addr = "any";
} else {
addr = (char *)addrstr;
@ -264,32 +264,39 @@ int SigParseAddress(Signature *s, const char *addrstr, char flag) {
/* pass on to the address(list) parser */
if (flag == 0) {
if (strcasecmp(addrstr,"any") == 0)
if (strcasecmp(addrstr, "any") == 0)
s->flags |= SIG_FLAG_SRC_ANY;
if (DetectAddressGroupParse(&s->src,addr) < 0) {
if (DetectAddressGroupParse(&s->src, addr) < 0)
goto error;
}
} else {
if (strcasecmp(addrstr,"any") == 0)
if (strcasecmp(addrstr, "any") == 0)
s->flags |= SIG_FLAG_DST_ANY;
if (DetectAddressGroupParse(&s->dst,addr) < 0) {
if (DetectAddressGroupParse(&s->dst, addr) < 0)
goto error;
}
}
return 0;
error:
return -1;
}
/* http://www.iana.org/assignments/protocol-numbers
/**
* \brief Parses the protocol supplied by the Signature.
*
* http://www.iana.org/assignments/protocol-numbers
*
* \param s Pointer to the Signature instance to which the parsed
* protocol has to be added.
* \param protostr Pointer to the character string containing the protocol name.
*
* \retval 0 On successfully parsing the protocl sent as the argument.
* \retval -1 On failure
*/
int SigParseProto(Signature *s, const char *protostr) {
int r = DetectProtoParse(&s->proto,(char *)protostr);
int r = DetectProtoParse(&s->proto, (char *)protostr);
if (r < 0) {
return -1;
}
@ -349,6 +356,17 @@ int SigParsePort(Signature *s, const char *portstr, char flag) {
return 0;
}
/**
* \brief Parses the action that has been used by the Signature and allots it
* to its Signatue instance.
*
* \param s Pointer to the Signatue instance to which the action belongs.
* \param action Pointer to the action string used by the Signature.
*
* \retval 0 On successfully parsing the action string and adding it to the
* Signature.
* \retval -1 On failure.
*/
int SigParseAction(Signature *s, const char *action) {
if (strcasecmp(action, "alert") == 0) {
s->action = ACTION_ALERT;
@ -381,7 +399,7 @@ int SigParseBasics(Signature *s, char *sigstr, char ***result) {
int ov[MAX_SUBSTRINGS];
int ret = 0, i = 0;
const char **arr = calloc(CONFIG_PARTS+1, sizeof(char *));
const char **arr = calloc(CONFIG_PARTS + 1, sizeof(char *));
if (arr == NULL)
return -1;
@ -391,11 +409,11 @@ int SigParseBasics(Signature *s, char *sigstr, char ***result) {
goto error;
}
for (i = 1; i <= ret-1; i++) {
pcre_get_substring(sigstr, ov, MAX_SUBSTRINGS, i, &arr[i-1]);
for (i = 1; i <= ret - 1; i++) {
pcre_get_substring(sigstr, ov, MAX_SUBSTRINGS, i, &arr[i - 1]);
//printf("SigParseBasics: arr[%" PRId32 "] = \"%s\"\n", i-1, arr[i-1]);
}
arr[i-1]=NULL;
arr[i - 1] = NULL;
/* Parse Action */
if (SigParseAction(s, arr[CONFIG_ACTION]) < 0)
@ -409,9 +427,8 @@ int SigParseBasics(Signature *s, char *sigstr, char ***result) {
if (SigParseAddress(s, arr[CONFIG_SRC], 0) < 0)
goto error;
/* For "ip" we parse the ports as well, even though they will
be just "any". We do this for later sgh building for the
tcp and udp protocols. */
/* For "ip" we parse the ports as well, even though they will be just "any".
* We do this for later sgh building for the tcp and udp protocols. */
if (strcasecmp(arr[CONFIG_PROTO],"tcp") == 0 ||
strcasecmp(arr[CONFIG_PROTO],"udp") == 0 ||
strcasecmp(arr[CONFIG_PROTO],"ip") == 0) {
@ -456,7 +473,7 @@ int SigParse(DetectEngineCtx *de_ctx, Signature *s, char *sigstr) {
}
/* cleanup */
if (basics) {
if (basics != NULL) {
int i = 0;
while (basics[i] != NULL) {
free(basics[i]);
@ -464,6 +481,7 @@ int SigParse(DetectEngineCtx *de_ctx, Signature *s, char *sigstr) {
}
free(basics);
}
return ret;
}
@ -495,6 +513,15 @@ void SigFree(Signature *s) {
free(s);
}
/**
* \brief Parses a signature and adds it to the Detection Engine Context
*
* \param de_ctx Pointer to the Detection Engine Context
* \param sigstr Pointer to a character string containing the signature to be
* parsed
*
* \retval Pointer to the Signature instance on success; NULL on failure
*/
Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) {
Signature *sig = SigAlloc();
if (sig == NULL)

22
src/detect.c
Unescape Escape View File

@ -594,15 +594,16 @@ static int SignatureIsIPOnly(DetectEngineCtx *de_ctx, Signature *s) {
if (sm == NULL)
goto iponly;
for ( ; sm != NULL ; sm = sm->next)
if(!( sigmatch_table[sm->type].flags & SIGMATCH_IPONLY_COMPAT))
for ( ;sm != NULL ;sm = sm->next) {
if (!( sigmatch_table[sm->type].flags & SIGMATCH_IPONLY_COMPAT))
return 0;
}
iponly:
if (!(de_ctx->flags & DE_QUIET)) {
SCLogDebug("IP-ONLY (%" PRIu32 "): source %s, dest %s", s->id,
s->flags & SIG_FLAG_SRC_ANY ? "ANY" : "SET",
s->flags & SIG_FLAG_DST_ANY ? "ANY" : "SET");
s->flags & SIG_FLAG_SRC_ANY ? "ANY" : "SET",
s->flags & SIG_FLAG_DST_ANY ? "ANY" : "SET");
}
return 1;
}
@ -630,7 +631,14 @@ static int SignatureIsInspectingPayload(DetectEngineCtx *de_ctx, Signature *s) {
return 0;
}
/* add all signatures to their own source address group */
/**
* \brief Add all signatures to their own source address group
*
* \param de_ctx Pointer to the Detection Engine Context
*
* \retval 0 on success
* \retval -1 on failure
*/
int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) {
Signature *tmp_s = NULL;
DetectAddressGroup *gr = NULL;
@ -643,7 +651,7 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) {
if (!(de_ctx->flags & DE_QUIET)) {
SCLogDebug("building signature grouping structure, stage 1: "
"adding signatures to signature source addresses...");
"adding signatures to signature source addresses...");
}
de_ctx->sig_array_len = DetectEngineGetMaxSigId(de_ctx);
@ -654,7 +662,7 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) {
memset(de_ctx->sig_array,0,de_ctx->sig_array_size);
SCLogDebug("signature lookup array: %" PRIu32 " sigs, %" PRIu32 " bytes",
de_ctx->sig_array_len, de_ctx->sig_array_size);
de_ctx->sig_array_len, de_ctx->sig_array_size);
/* now for every rule add the source group */
for (tmp_s = de_ctx->sig_list; tmp_s != NULL; tmp_s = tmp_s->next) {

Write Preview
Loading…
Cancel
Save