xbits: expire (first steps)

10 years ago · fbdcffabc2
parent 7b79b9458d
commit fbdcffabc2
3 changed files with 20 additions and 4 deletions
--- a/src/detect-xbits.c
+++ b/src/detect-xbits.c
@ -50,10 +50,10 @@
 #include "util-debug.h"

 /*
-    xbits:set,bitname,track ip_pair
+    xbits:set,bitname,track ip_pair,expire 60
 */

-#define PARSE_REGEX         "([a-z]+)(?:,([^,]+))?(?:,(?:track\\s+([^,]+)))"
+#define PARSE_REGEX     "([a-z]+)" "(?:,\\s*([^,]+))?" "(?:,\\s*(?:track\\s+([^,]+)))" "(?:,\\s*(?:expire\\s+([^,]+)))?"
 static pcre *parse_regex;
 static pcre_extra *parse_regex_study;

@ -213,10 +213,11 @@ int DetectXbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
    char fb_cmd_str[16] = "", fb_name[256] = "";
    char hb_dir_str[16] = "";
    enum VarTypes var_type = VAR_TYPE_NOT_SET;
+    int expire = 30;

    ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS);
-    if (ret != 2 && ret != 3 && ret != 4) {
-        SCLogError(SC_ERR_PCRE_MATCH, "\"%s\" is not a valid setting for hostbits.", rawstr);
+    if (ret != 2 && ret != 3 && ret != 4 && ret != 5) {
+        SCLogError(SC_ERR_PCRE_MATCH, "\"%s\" is not a valid setting for xbits.", rawstr);
        return -1;
    }
    SCLogDebug("ret %d, %s", ret, rawstr);
@ -254,6 +255,18 @@ int DetectXbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
                    goto error;
                }
            }
+
+            if (ret >= 5) {
+                char expire_str[16] = "";
+                res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 4, expire_str, sizeof(expire_str));
+                if (res < 0) {
+                    SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
+                    goto error;
+                }
+                SCLogDebug("expire_str %s", expire_str);
+                expire = atoi(expire_str);
+                SCLogDebug("expire %d", expire);
+            }
        }
    }

@ -299,6 +312,7 @@ int DetectXbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
    cd->cmd = fb_cmd;
    cd->tracker = hb_dir;
    cd->type = var_type;
+    cd->expire = expire;

    SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
        cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)");
--- a/src/detect-xbits.h
+++ b/src/detect-xbits.h
@ -41,6 +41,7 @@ typedef struct DetectXbitsData_ {
    uint16_t idx;
    uint8_t cmd;
    uint8_t tracker;
+    uint32_t expire;
    /** data type: host/ippair/flow used for sig sorting in sigorder */
    enum VarTypes type;
 } DetectXbitsData;
--- a/src/util-var.h
+++ b/src/util-var.h
@ -54,6 +54,7 @@ typedef struct XBit_ {
    uint8_t type;       /* type, DETECT_XBITS in this case */
    uint16_t idx;       /* name idx */
    GenericVar *next;
+    uint32_t expire;
 } XBit;

 void GenericVarFree(GenericVar *);