Some code refactoring

remotes/origin/master-1.0.x
Anoop Saldanha 16 years ago committed by Victor Julien
parent 4edcc530ec
commit fbc4d11ed4

@ -653,7 +653,9 @@ error:
} }
/* XXX error handling */ /* XXX error handling */
int DetectAddressParse2(DetectAddressGroupsHead *gh, DetectAddressGroupsHead *ghn, char *s,int negate) { int DetectAddressParse2(DetectAddressGroupsHead *gh,
DetectAddressGroupsHead *ghn,
char *s, int negate) {
int i, x; int i, x;
int o_set = 0, n_set = 0; int o_set = 0, n_set = 0;
int depth = 0; int depth = 0;
@ -675,10 +677,10 @@ int DetectAddressParse2(DetectAddressGroupsHead *gh, DetectAddressGroupsHead *gh
depth++; depth++;
} else if (s[i] == ']') { } else if (s[i] == ']') {
if (depth == 1) { if (depth == 1) {
address[x-1] = '\0'; address[x - 1] = '\0';
x = 0; x = 0;
DetectAddressParse2(gh,ghn,address,negate ? negate : n_set); DetectAddressParse2(gh, ghn, address, negate? negate: n_set);
n_set = 0; n_set = 0;
} }
depth--; depth--;
@ -686,24 +688,24 @@ int DetectAddressParse2(DetectAddressGroupsHead *gh, DetectAddressGroupsHead *gh
if (o_set == 1) { if (o_set == 1) {
o_set = 0; o_set = 0;
} else { } else {
address[x-1] = '\0'; address[x - 1] = '\0';
if (negate == 0 && n_set == 0) { if (negate == 0 && n_set == 0) {
DetectAddressGroupSetup(gh,address); DetectAddressGroupSetup(gh, address);
} else { } else {
DetectAddressGroupSetup(ghn,address); DetectAddressGroupSetup(ghn, address);
} }
n_set = 0; n_set = 0;
} }
x = 0; x = 0;
} else if (depth == 0 && i == size-1) { } else if (depth == 0 && i == size - 1) {
address[x] = '\0'; address[x] = '\0';
x = 0; x = 0;
if (negate == 0 && n_set == 0) { if (negate == 0 && n_set == 0) {
DetectAddressGroupSetup(gh,address); DetectAddressGroupSetup(gh, address);
} else { } else {
DetectAddressGroupSetup(ghn,address); DetectAddressGroupSetup(ghn, address);
} }
n_set = 0; n_set = 0;
} }
@ -867,19 +869,20 @@ int DetectAddressGroupParse(DetectAddressGroupsHead *gh, char *str) {
goto error; goto error;
} }
r = DetectAddressParse2(gh,ghn,str,/* start with negate no */0); r = DetectAddressParse2(gh, ghn, str,/* start with negate no */0);
if (r < 0) { if (r < 0) {
goto error; goto error;
} }
/* merge the 'not' address groups */ /* merge the 'not' address groups */
if (DetectAddressGroupMergeNot(gh,ghn) < 0) { if (DetectAddressGroupMergeNot(gh, ghn) < 0) {
goto error; goto error;
} }
/* free the temp negate head */ /* free the temp negate head */
DetectAddressGroupsHeadFree(ghn); DetectAddressGroupsHeadFree(ghn);
return 0; return 0;
error: error:
DetectAddressGroupsHeadFree(ghn); DetectAddressGroupsHeadFree(ghn);
return -1; return -1;
@ -887,14 +890,15 @@ error:
DetectAddressGroupsHead *DetectAddressGroupsHeadInit(void) { DetectAddressGroupsHead *DetectAddressGroupsHeadInit(void) {
DetectAddressGroupsHead *gh = malloc(sizeof(DetectAddressGroupsHead)); DetectAddressGroupsHead *gh = malloc(sizeof(DetectAddressGroupsHead));
if (gh == NULL) { if (gh == NULL)
return NULL; return NULL;
} memset(gh, 0, sizeof(DetectAddressGroupsHead));
memset(gh,0,sizeof(DetectAddressGroupsHead));
#ifdef DEBUG #ifdef DEBUG
detect_address_group_head_init_cnt++; detect_address_group_head_init_cnt++;
detect_address_group_head_memory += sizeof(DetectAddressGroupsHead); detect_address_group_head_memory += sizeof(DetectAddressGroupsHead);
#endif #endif
return gh; return gh;
} }
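Review bot: The nested call `DetectAddressParse2(gh, ghn, address, negate? negate: n_set);` in the `]` branch discards its int result, and the `DetectAddressGroupSetup(...)` calls in the later branches are unchecked too, so a bad element inside a bracketed list never reaches the `r < 0` test in DetectAddressGroupParse. A rule with a malformed address may then load with a different address set than the one written instead of being rejected, which is what the `/* XXX error handling */` marker above the function seems to refer to. Propagate the failure, e.g. `if (DetectAddressParse2(gh, ghn, address, negate ? negate : n_set) < 0) return -1;`, and do the same for DetectAddressGroupSetup if it reports errors (its return type is not visible here). `address[x - 1] = '\0'` also relies on x being at least 1; the code that advances x and the body's start and end lie outside these hunks, so that should be confirmed.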

@ -36,7 +36,11 @@ DetectProto *DetectProtoInit(void) {
return dp; return dp;
} }
/* free a DetectAddressGroup object */ /**
* \brief Free a DetectAddressGroup object
*
* \param dp Pointer to the DetectProto instance to be freed
*/
void DetectProtoFree(DetectProto *dp) { void DetectProtoFree(DetectProto *dp) {
if (dp == NULL) if (dp == NULL)
return; return;
@ -44,24 +48,33 @@ void DetectProtoFree(DetectProto *dp) {
free(dp); free(dp);
} }
/**
* \brief Parses a protocol sent as a string.
*
* \param dp Pointer to the DetectProto instance which will be updated with the
* incoming protocol information.
* \param str Pointer to the string containing the protocol name.
*
* \retval 0 Always return 0.
*/
int DetectProtoParse(DetectProto *dp, char *str) { int DetectProtoParse(DetectProto *dp, char *str) {
int proto; int proto;
if (strcasecmp(str,"tcp") == 0) { if (strcasecmp(str, "tcp") == 0) {
proto = IPPROTO_TCP; proto = IPPROTO_TCP;
dp->proto[(proto/8)] |= 1<<(proto%8); dp->proto[proto / 8] |= 1 << (proto % 8);
} else if (strcasecmp(str,"udp") == 0) { } else if (strcasecmp(str, "udp") == 0) {
proto = IPPROTO_UDP; proto = IPPROTO_UDP;
dp->proto[(proto/8)] |= 1<<(proto%8); dp->proto[proto / 8] |= 1 << (proto % 8);
} else if (strcasecmp(str,"icmp") == 0) { } else if (strcasecmp(str, "icmp") == 0) {
proto = IPPROTO_ICMP; proto = IPPROTO_ICMP;
dp->proto[(proto/8)] |= 1<<(proto%8); dp->proto[proto / 8] |= 1 << (proto % 8);
} else if (strcasecmp(str,"ip") == 0) { } else if (strcasecmp(str, "ip") == 0) {
dp->flags |= DETECT_PROTO_ANY; dp->flags |= DETECT_PROTO_ANY;
memset(&dp->proto,0xFF,sizeof(dp->proto)); memset(&dp->proto, 0xFF, sizeof(dp->proto));
} else { } else {
proto = atoi(str); proto = atoi(str);
dp->proto[(proto/8)] |= 1<<(proto%8); dp->proto[proto / 8] |= 1 << (proto % 8);
} }
return 0; return 0;
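Review bot: In the final `else` branch of DetectProtoParse, `proto = atoi(str)` feeds `dp->proto[proto / 8]` with no range check, so a rule whose protocol field is a large or negative number writes outside the bitmap, and a non-numeric string silently becomes protocol 0. Bound the value before the store, e.g. `if (proto < 0 || proto > 255) return -1;` (assuming the bitmap covers the 8-bit IP protocol space; its size is not visible here), and prefer `strtol` with an end-pointer check so trailing garbage is rejected. The new doc comment records `\retval 0 Always return 0`, which leaves any `< 0` check in a caller dead; documenting `-1` on invalid input would match the fix. The `\brief` added above DetectProtoFree still says it frees a DetectAddressGroup object although the parameter is a DetectProto. The closing brace of DetectProtoParse is outside the hunk.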

@ -238,24 +238,24 @@ error:
int SigParseAddress(Signature *s, const char *addrstr, char flag) { int SigParseAddress(Signature *s, const char *addrstr, char flag) {
char *addr = NULL; char *addr = NULL;
if (strcmp(addrstr,"$HOME_NET") == 0) { if (strcmp(addrstr, "$HOME_NET") == 0) {
addr = "[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:13c5:5AFE::/64,2001:888:13c5:CAFE::/64]"; addr = "[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:13c5:5AFE::/64,2001:888:13c5:CAFE::/64]";
// addr = "[192.168.0.0/16,10.8.0.0/16,2001:888:13c5:5AFE::/64,2001:888:13c5:CAFE::/64]"; //addr = "[192.168.0.0/16,10.8.0.0/16,2001:888:13c5:5AFE::/64,2001:888:13c5:CAFE::/64]";
} else if (strcmp(addrstr,"$EXTERNAL_NET") == 0) { } else if (strcmp(addrstr, "$EXTERNAL_NET") == 0) {
addr = "[!192.168.0.0/16,2000::/3]"; addr = "[!192.168.0.0/16,2000::/3]";
} else if (strcmp(addrstr,"$HTTP_SERVERS") == 0) { } else if (strcmp(addrstr, "$HTTP_SERVERS") == 0) {
addr = "!192.168.0.0/16"; addr = "!192.168.0.0/16";
} else if (strcmp(addrstr,"$SMTP_SERVERS") == 0) { } else if (strcmp(addrstr, "$SMTP_SERVERS") == 0) {
addr = "!192.168.0.0/16"; addr = "!192.168.0.0/16";
} else if (strcmp(addrstr,"$SQL_SERVERS") == 0) { } else if (strcmp(addrstr, "$SQL_SERVERS") == 0) {
addr = "!192.168.0.0/16"; addr = "!192.168.0.0/16";
} else if (strcmp(addrstr,"$DNS_SERVERS") == 0) { } else if (strcmp(addrstr, "$DNS_SERVERS") == 0) {
addr = "any"; addr = "any";
} else if (strcmp(addrstr,"$TELNET_SERVERS") == 0) { } else if (strcmp(addrstr, "$TELNET_SERVERS") == 0) {
addr = "any"; addr = "any";
} else if (strcmp(addrstr,"$AIM_SERVERS") == 0) { } else if (strcmp(addrstr, "$AIM_SERVERS") == 0) {
addr = "any"; addr = "any";
} else if (strcmp(addrstr,"any") == 0) { } else if (strcmp(addrstr, "any") == 0) {
addr = "any"; addr = "any";
} else { } else {
addr = (char *)addrstr; addr = (char *)addrstr;
@ -264,32 +264,39 @@ int SigParseAddress(Signature *s, const char *addrstr, char flag) {
/* pass on to the address(list) parser */ /* pass on to the address(list) parser */
if (flag == 0) { if (flag == 0) {
if (strcasecmp(addrstr,"any") == 0) if (strcasecmp(addrstr, "any") == 0)
s->flags |= SIG_FLAG_SRC_ANY; s->flags |= SIG_FLAG_SRC_ANY;
if (DetectAddressGroupParse(&s->src,addr) < 0) { if (DetectAddressGroupParse(&s->src, addr) < 0)
goto error; goto error;
}
} else { } else {
if (strcasecmp(addrstr,"any") == 0) if (strcasecmp(addrstr, "any") == 0)
s->flags |= SIG_FLAG_DST_ANY; s->flags |= SIG_FLAG_DST_ANY;
if (DetectAddressGroupParse(&s->dst,addr) < 0) { if (DetectAddressGroupParse(&s->dst, addr) < 0)
goto error; goto error;
} }
}
return 0; return 0;
error: error:
return -1; return -1;
} }
/* http://www.iana.org/assignments/protocol-numbers /**
* \brief Parses the protocol supplied by the Signature.
* *
* http://www.iana.org/assignments/protocol-numbers
*
* \param s Pointer to the Signature instance to which the parsed
* protocol has to be added.
* \param protostr Pointer to the character string containing the protocol name.
*
* \retval 0 On successfully parsing the protocl sent as the argument.
* \retval -1 On failure
*/ */
int SigParseProto(Signature *s, const char *protostr) { int SigParseProto(Signature *s, const char *protostr) {
int r = DetectProtoParse(&s->proto,(char *)protostr); int r = DetectProtoParse(&s->proto, (char *)protostr);
if (r < 0) { if (r < 0) {
return -1; return -1;
} }
@ -349,6 +356,17 @@ int SigParsePort(Signature *s, const char *portstr, char flag) {
return 0; return 0;
} }
/**
* \brief Parses the action that has been used by the Signature and allots it
* to its Signatue instance.
*
* \param s Pointer to the Signatue instance to which the action belongs.
* \param action Pointer to the action string used by the Signature.
*
* \retval 0 On successfully parsing the action string and adding it to the
* Signature.
* \retval -1 On failure.
*/
int SigParseAction(Signature *s, const char *action) { int SigParseAction(Signature *s, const char *action) {
if (strcasecmp(action, "alert") == 0) { if (strcasecmp(action, "alert") == 0) {
s->action = ACTION_ALERT; s->action = ACTION_ALERT;
@ -381,7 +399,7 @@ int SigParseBasics(Signature *s, char *sigstr, char ***result) {
int ov[MAX_SUBSTRINGS]; int ov[MAX_SUBSTRINGS];
int ret = 0, i = 0; int ret = 0, i = 0;
const char **arr = calloc(CONFIG_PARTS+1, sizeof(char *)); const char **arr = calloc(CONFIG_PARTS + 1, sizeof(char *));
if (arr == NULL) if (arr == NULL)
return -1; return -1;
@ -391,11 +409,11 @@ int SigParseBasics(Signature *s, char *sigstr, char ***result) {
goto error; goto error;
} }
for (i = 1; i <= ret-1; i++) { for (i = 1; i <= ret - 1; i++) {
pcre_get_substring(sigstr, ov, MAX_SUBSTRINGS, i, &arr[i-1]); pcre_get_substring(sigstr, ov, MAX_SUBSTRINGS, i, &arr[i - 1]);
//printf("SigParseBasics: arr[%" PRId32 "] = \"%s\"\n", i-1, arr[i-1]); //printf("SigParseBasics: arr[%" PRId32 "] = \"%s\"\n", i-1, arr[i-1]);
} }
arr[i-1]=NULL; arr[i - 1] = NULL;
/* Parse Action */ /* Parse Action */
if (SigParseAction(s, arr[CONFIG_ACTION]) < 0) if (SigParseAction(s, arr[CONFIG_ACTION]) < 0)
@ -409,9 +427,8 @@ int SigParseBasics(Signature *s, char *sigstr, char ***result) {
if (SigParseAddress(s, arr[CONFIG_SRC], 0) < 0) if (SigParseAddress(s, arr[CONFIG_SRC], 0) < 0)
goto error; goto error;
/* For "ip" we parse the ports as well, even though they will /* For "ip" we parse the ports as well, even though they will be just "any".
be just "any". We do this for later sgh building for the * We do this for later sgh building for the tcp and udp protocols. */
tcp and udp protocols. */
if (strcasecmp(arr[CONFIG_PROTO],"tcp") == 0 || if (strcasecmp(arr[CONFIG_PROTO],"tcp") == 0 ||
strcasecmp(arr[CONFIG_PROTO],"udp") == 0 || strcasecmp(arr[CONFIG_PROTO],"udp") == 0 ||
strcasecmp(arr[CONFIG_PROTO],"ip") == 0) { strcasecmp(arr[CONFIG_PROTO],"ip") == 0) {
@ -456,7 +473,7 @@ int SigParse(DetectEngineCtx *de_ctx, Signature *s, char *sigstr) {
} }
/* cleanup */ /* cleanup */
if (basics) { if (basics != NULL) {
int i = 0; int i = 0;
while (basics[i] != NULL) { while (basics[i] != NULL) {
free(basics[i]); free(basics[i]);
@ -464,6 +481,7 @@ int SigParse(DetectEngineCtx *de_ctx, Signature *s, char *sigstr) {
} }
free(basics); free(basics);
} }
return ret; return ret;
} }
@ -495,6 +513,15 @@ void SigFree(Signature *s) {
free(s); free(s);
} }
/**
* \brief Parses a signature and adds it to the Detection Engine Context
*
* \param de_ctx Pointer to the Detection Engine Context
* \param sigstr Pointer to a character string containing the signature to be
* parsed
*
* \retval Pointer to the Signature instance on success; NULL on failure
*/
Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) { Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) {
Signature *sig = SigAlloc(); Signature *sig = SigAlloc();
if (sig == NULL) if (sig == NULL)
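Review bot: In SigParseBasics the loop calls `pcre_get_substring(sigstr, ov, MAX_SUBSTRINGS, i, &arr[i - 1]);` without checking its result, and the code after it passes `arr[CONFIG_ACTION]`, `arr[CONFIG_SRC]` and `arr[CONFIG_PROTO]` straight into string-comparing parsers. Because `arr` comes from `calloc`, a failed extraction leaves a NULL entry that is then dereferenced. Check the return value in the loop, `if (pcre_get_substring(sigstr, ov, MAX_SUBSTRINGS, i, &arr[i - 1]) < 0) goto error;`, and confirm that the test before the loop (outside these hunks) bounds `ret - 1` by `CONFIG_PARTS`, so the writes and the `arr[i - 1] = NULL` terminator stay inside the `CONFIG_PARTS + 1` allocation. The new Doxygen comments also carry the typos `protocl` and `Signatue`.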

@ -594,9 +594,10 @@ static int SignatureIsIPOnly(DetectEngineCtx *de_ctx, Signature *s) {
if (sm == NULL) if (sm == NULL)
goto iponly; goto iponly;
for ( ; sm != NULL ; sm = sm->next) for ( ;sm != NULL ;sm = sm->next) {
if(!( sigmatch_table[sm->type].flags & SIGMATCH_IPONLY_COMPAT)) if (!( sigmatch_table[sm->type].flags & SIGMATCH_IPONLY_COMPAT))
return 0; return 0;
}
iponly: iponly:
if (!(de_ctx->flags & DE_QUIET)) { if (!(de_ctx->flags & DE_QUIET)) {
@ -630,7 +631,14 @@ static int SignatureIsInspectingPayload(DetectEngineCtx *de_ctx, Signature *s) {
return 0; return 0;
} }
/* add all signatures to their own source address group */ /**
* \brief Add all signatures to their own source address group
*
* \param de_ctx Pointer to the Detection Engine Context
*
* \retval 0 on success
* \retval -1 on failure
*/
int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) { int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) {
Signature *tmp_s = NULL; Signature *tmp_s = NULL;
DetectAddressGroup *gr = NULL; DetectAddressGroup *gr = NULL;
