detect: remove DMATCH list

pull/2559/head
Victor Julien 9 years ago
parent 1c02cf4542
commit fe415ae518

@ -640,6 +640,7 @@ static void DetectBytejumpFree(void *ptr)
#ifdef UNITTESTS #ifdef UNITTESTS
#include "util-unittest-helper.h" #include "util-unittest-helper.h"
static int g_file_data_buffer_id = 0; static int g_file_data_buffer_id = 0;
static int g_dce_stub_data_buffer_id = 0;
/** /**
* \test DetectBytejumpTestParse01 is a test to make sure that we return * \test DetectBytejumpTestParse01 is a test to make sure that we return
@ -832,7 +833,7 @@ static int DetectBytejumpTestParse09(void)
result &= (DetectBytejumpSetup(NULL, s, "4,0, string, oct, dce") == -1); result &= (DetectBytejumpSetup(NULL, s, "4,0, string, oct, dce") == -1);
result &= (DetectBytejumpSetup(NULL, s, "4,0, string, hex, dce") == -1); result &= (DetectBytejumpSetup(NULL, s, "4,0, string, hex, dce") == -1);
result &= (DetectBytejumpSetup(NULL, s, "4,0, from_beginning, dce") == -1); result &= (DetectBytejumpSetup(NULL, s, "4,0, from_beginning, dce") == -1);
result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL); result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
SigFree(s); SigFree(s);
return result; return result;
@ -865,12 +866,12 @@ static int DetectBytejumpTestParse10(void)
goto end; goto end;
} }
s = de_ctx->sig_list; s = de_ctx->sig_list;
if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_BYTEJUMP); result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTEJUMP);
bd = (DetectBytejumpData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; bd = (DetectBytejumpData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
if (!(bd->flags & DETECT_BYTEJUMP_DCE) && if (!(bd->flags & DETECT_BYTEJUMP_DCE) &&
!(bd->flags & DETECT_BYTEJUMP_RELATIVE) && !(bd->flags & DETECT_BYTEJUMP_RELATIVE) &&
(bd->flags & DETECT_BYTEJUMP_STRING) && (bd->flags & DETECT_BYTEJUMP_STRING) &&
@ -892,12 +893,12 @@ static int DetectBytejumpTestParse10(void)
goto end; goto end;
} }
s = s->next; s = s->next;
if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_BYTEJUMP); result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTEJUMP);
bd = (DetectBytejumpData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; bd = (DetectBytejumpData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
if (!(bd->flags & DETECT_BYTEJUMP_DCE) && if (!(bd->flags & DETECT_BYTEJUMP_DCE) &&
!(bd->flags & DETECT_BYTEJUMP_RELATIVE) && !(bd->flags & DETECT_BYTEJUMP_RELATIVE) &&
(bd->flags & DETECT_BYTEJUMP_STRING) && (bd->flags & DETECT_BYTEJUMP_STRING) &&
@ -919,12 +920,12 @@ static int DetectBytejumpTestParse10(void)
goto end; goto end;
} }
s = s->next; s = s->next;
if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_BYTEJUMP); result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTEJUMP);
bd = (DetectBytejumpData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; bd = (DetectBytejumpData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
if ((bd->flags & DETECT_BYTEJUMP_DCE) && if ((bd->flags & DETECT_BYTEJUMP_DCE) &&
!(bd->flags & DETECT_BYTEJUMP_RELATIVE) && !(bd->flags & DETECT_BYTEJUMP_RELATIVE) &&
(bd->flags & DETECT_BYTEJUMP_STRING) && (bd->flags & DETECT_BYTEJUMP_STRING) &&
@ -1290,6 +1291,7 @@ static void DetectBytejumpRegisterTests(void)
{ {
#ifdef UNITTESTS #ifdef UNITTESTS
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data"); g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
UtRegisterTest("DetectBytejumpTestParse01", DetectBytejumpTestParse01); UtRegisterTest("DetectBytejumpTestParse01", DetectBytejumpTestParse01);
UtRegisterTest("DetectBytejumpTestParse02", DetectBytejumpTestParse02); UtRegisterTest("DetectBytejumpTestParse02", DetectBytejumpTestParse02);
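Review bot: The id stored by `g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");` in DetectBytejumpRegisterTests is used unchecked as an index into `s->sm_lists[]` and `s->sm_lists_tail[]` by DetectBytejumpTestParse09 and DetectBytejumpTestParse10. If the lookup fails (presumably signalled by a negative value; its definition is not shown here), those tests read outside the arrays. Because the static starts at `0`, a missing assignment would make them check whatever list has id 0 instead of failing. Adding `BUG_ON(g_dce_stub_data_buffer_id < 0);` right after the lookup would make a missing or misnamed buffer registration fail loudly. The same applies to the identical additions in DetectBytetestRegisterTests and DetectContentRegisterTests further down; all three functions continue outside the hunks shown.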

@ -578,6 +578,7 @@ static void DetectBytetestFree(void *ptr)
#ifdef UNITTESTS #ifdef UNITTESTS
#include "util-unittest-helper.h" #include "util-unittest-helper.h"
static int g_file_data_buffer_id = 0; static int g_file_data_buffer_id = 0;
static int g_dce_stub_data_buffer_id = 0;
/** /**
* \test DetectBytetestTestParse01 is a test to make sure that we return "something" * \test DetectBytetestTestParse01 is a test to make sure that we return "something"
@ -1020,12 +1021,12 @@ static int DetectBytetestTestParse20(void)
goto end; goto end;
} }
s = de_ctx->sig_list; s = de_ctx->sig_list;
if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_BYTETEST); result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTETEST);
bd = (DetectBytetestData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; bd = (DetectBytetestData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
if (!(bd->flags & DETECT_BYTETEST_DCE) && if (!(bd->flags & DETECT_BYTETEST_DCE) &&
!(bd->flags & DETECT_BYTETEST_RELATIVE) && !(bd->flags & DETECT_BYTETEST_RELATIVE) &&
(bd->flags & DETECT_BYTETEST_STRING) && (bd->flags & DETECT_BYTETEST_STRING) &&
@ -1047,12 +1048,12 @@ static int DetectBytetestTestParse20(void)
goto end; goto end;
} }
s = s->next; s = s->next;
if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_BYTETEST); result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTETEST);
bd = (DetectBytetestData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; bd = (DetectBytetestData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
if (!(bd->flags & DETECT_BYTETEST_DCE) && if (!(bd->flags & DETECT_BYTETEST_DCE) &&
!(bd->flags & DETECT_BYTETEST_RELATIVE) && !(bd->flags & DETECT_BYTETEST_RELATIVE) &&
(bd->flags & DETECT_BYTETEST_STRING) && (bd->flags & DETECT_BYTETEST_STRING) &&
@ -1074,12 +1075,12 @@ static int DetectBytetestTestParse20(void)
goto end; goto end;
} }
s = s->next; s = s->next;
if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_BYTETEST); result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTETEST);
bd = (DetectBytetestData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; bd = (DetectBytetestData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
if ((bd->flags & DETECT_BYTETEST_DCE) && if ((bd->flags & DETECT_BYTETEST_DCE) &&
!(bd->flags & DETECT_BYTETEST_RELATIVE) && !(bd->flags & DETECT_BYTETEST_RELATIVE) &&
(bd->flags & DETECT_BYTETEST_STRING) && (bd->flags & DETECT_BYTETEST_STRING) &&
@ -1436,6 +1437,7 @@ static void DetectBytetestRegisterTests(void)
{ {
#ifdef UNITTESTS #ifdef UNITTESTS
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data"); g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
UtRegisterTest("DetectBytetestTestParse01", DetectBytetestTestParse01); UtRegisterTest("DetectBytetestTestParse01", DetectBytetestTestParse01);
UtRegisterTest("DetectBytetestTestParse02", DetectBytetestTestParse02); UtRegisterTest("DetectBytetestTestParse02", DetectBytetestTestParse02);

@ -425,6 +425,7 @@ void DetectContentFree(void *ptr)
#ifdef UNITTESTS /* UNITTESTS */ #ifdef UNITTESTS /* UNITTESTS */
static int g_file_data_buffer_id = 0; static int g_file_data_buffer_id = 0;
static int g_dce_stub_data_buffer_id = 0;
/** /**
* \test DetectCotentParseTest01 this is a test to make sure we can deal with escaped colons * \test DetectCotentParseTest01 this is a test to make sure we can deal with escaped colons
@ -1133,7 +1134,7 @@ static int DetectContentParseTest18(void)
s->alproto = ALPROTO_DCERPC; s->alproto = ALPROTO_DCERPC;
result &= (DetectContentSetup(de_ctx, s, "\"one\"") == 0); result &= (DetectContentSetup(de_ctx, s, "\"one\"") == 0);
result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL); result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
SigFree(s); SigFree(s);
@ -1142,7 +1143,7 @@ static int DetectContentParseTest18(void)
return 0; return 0;
result &= (DetectContentSetup(de_ctx, s, "\"one\"") == 0); result &= (DetectContentSetup(de_ctx, s, "\"one\"") == 0);
result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL); result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
end: end:
SigFree(s); SigFree(s);
@ -1178,13 +1179,13 @@ static int DetectContentParseTest19(void)
goto end; goto end;
} }
s = de_ctx->sig_list; s = de_ctx->sig_list;
if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT); result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL); result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
if (data->flags & DETECT_CONTENT_RAWBYTES || if (data->flags & DETECT_CONTENT_RAWBYTES ||
data->flags & DETECT_CONTENT_NOCASE || data->flags & DETECT_CONTENT_NOCASE ||
data->flags & DETECT_CONTENT_WITHIN || data->flags & DETECT_CONTENT_WITHIN ||
@ -1207,13 +1208,13 @@ static int DetectContentParseTest19(void)
goto end; goto end;
} }
s = s->next; s = s->next;
if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT); result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL); result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
if (data->flags & DETECT_CONTENT_RAWBYTES || if (data->flags & DETECT_CONTENT_RAWBYTES ||
data->flags & DETECT_CONTENT_NOCASE || data->flags & DETECT_CONTENT_NOCASE ||
!(data->flags & DETECT_CONTENT_WITHIN) || !(data->flags & DETECT_CONTENT_WITHIN) ||
@ -1238,13 +1239,13 @@ static int DetectContentParseTest19(void)
goto end; goto end;
} }
s = s->next; s = s->next;
if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT); result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL); result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
if (data->flags & DETECT_CONTENT_RAWBYTES || if (data->flags & DETECT_CONTENT_RAWBYTES ||
data->flags & DETECT_CONTENT_NOCASE || data->flags & DETECT_CONTENT_NOCASE ||
data->flags & DETECT_CONTENT_WITHIN || data->flags & DETECT_CONTENT_WITHIN ||
@ -1256,7 +1257,7 @@ static int DetectContentParseTest19(void)
goto end; goto end;
} }
result &= (data->offset == 5 && data->depth == 9); result &= (data->offset == 5 && data->depth == 9);
data = (DetectContentData *)s->sm_lists[DETECT_SM_LIST_DMATCH]->ctx; data = (DetectContentData *)s->sm_lists[g_dce_stub_data_buffer_id]->ctx;
if (data->flags & DETECT_CONTENT_RAWBYTES || if (data->flags & DETECT_CONTENT_RAWBYTES ||
data->flags & DETECT_CONTENT_NOCASE || data->flags & DETECT_CONTENT_NOCASE ||
!(data->flags & DETECT_CONTENT_WITHIN) || !(data->flags & DETECT_CONTENT_WITHIN) ||
@ -1279,13 +1280,13 @@ static int DetectContentParseTest19(void)
goto end; goto end;
} }
s = s->next; s = s->next;
if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT); result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL); result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
if (data->flags & DETECT_CONTENT_RAWBYTES || if (data->flags & DETECT_CONTENT_RAWBYTES ||
data->flags & DETECT_CONTENT_NOCASE || data->flags & DETECT_CONTENT_NOCASE ||
data->flags & DETECT_CONTENT_WITHIN || data->flags & DETECT_CONTENT_WITHIN ||
@ -1309,13 +1310,13 @@ static int DetectContentParseTest19(void)
goto end; goto end;
} }
s = s->next; s = s->next;
if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT); result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL); result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
if (data->flags & DETECT_CONTENT_RAWBYTES || if (data->flags & DETECT_CONTENT_RAWBYTES ||
data->flags & DETECT_CONTENT_NOCASE || data->flags & DETECT_CONTENT_NOCASE ||
!(data->flags & DETECT_CONTENT_WITHIN) || !(data->flags & DETECT_CONTENT_WITHIN) ||
@ -1339,13 +1340,13 @@ static int DetectContentParseTest19(void)
goto end; goto end;
} }
s = s->next; s = s->next;
if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT); result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL); result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
if (data->flags & DETECT_CONTENT_RAWBYTES || if (data->flags & DETECT_CONTENT_RAWBYTES ||
data->flags & DETECT_CONTENT_NOCASE || data->flags & DETECT_CONTENT_NOCASE ||
data->flags & DETECT_CONTENT_WITHIN || data->flags & DETECT_CONTENT_WITHIN ||
@ -1369,13 +1370,13 @@ static int DetectContentParseTest19(void)
goto end; goto end;
} }
s = s->next; s = s->next;
if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT); result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL); result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
if (data->flags & DETECT_CONTENT_RAWBYTES || if (data->flags & DETECT_CONTENT_RAWBYTES ||
data->flags & DETECT_CONTENT_NOCASE || data->flags & DETECT_CONTENT_NOCASE ||
data->flags & DETECT_CONTENT_WITHIN || data->flags & DETECT_CONTENT_WITHIN ||
@ -1399,13 +1400,13 @@ static int DetectContentParseTest19(void)
goto end; goto end;
} }
s = s->next; s = s->next;
if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT); result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL); result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
if (data->flags & DETECT_CONTENT_RAWBYTES || if (data->flags & DETECT_CONTENT_RAWBYTES ||
data->flags & DETECT_CONTENT_NOCASE || data->flags & DETECT_CONTENT_NOCASE ||
data->flags & DETECT_CONTENT_WITHIN || data->flags & DETECT_CONTENT_WITHIN ||
@ -1427,7 +1428,7 @@ static int DetectContentParseTest19(void)
goto end; goto end;
} }
s = s->next; s = s->next;
if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] != NULL) { if (s->sm_lists_tail[g_dce_stub_data_buffer_id] != NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -2849,6 +2850,7 @@ static void DetectContentRegisterTests(void)
{ {
#ifdef UNITTESTS /* UNITTESTS */ #ifdef UNITTESTS /* UNITTESTS */
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data"); g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
UtRegisterTest("DetectContentParseTest01", DetectContentParseTest01); UtRegisterTest("DetectContentParseTest01", DetectContentParseTest01);
UtRegisterTest("DetectContentParseTest02", DetectContentParseTest02); UtRegisterTest("DetectContentParseTest02", DetectContentParseTest02);

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2010 Open Information Security Foundation /* Copyright (C) 2007-2016 Open Information Security Foundation
* *
* You can copy, redistribute or modify this Program under the terms of * You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free * the GNU General Public License version 2 as published by the Free
@ -19,6 +19,7 @@
* \file * \file
* *
* \author Anoop Saldanha <anoopsaldanha@gmail.com> * \author Anoop Saldanha <anoopsaldanha@gmail.com>
* \author Anoop Saldanha <victor@inliniac.net>
* *
* Implements dce_stub_data keyword * Implements dce_stub_data keyword
*/ */
@ -31,6 +32,8 @@
#include "detect-engine.h" #include "detect-engine.h"
#include "detect-engine-mpm.h" #include "detect-engine-mpm.h"
#include "detect-engine-state.h" #include "detect-engine-state.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-content-inspection.h"
#include "flow.h" #include "flow.h"
#include "flow-var.h" #include "flow-var.h"
@ -40,7 +43,9 @@
#include "app-layer-dcerpc.h" #include "app-layer-dcerpc.h"
#include "queue.h" #include "queue.h"
#include "stream-tcp-reassemble.h" #include "stream-tcp-reassemble.h"
#include "detect-dce-stub-data.h" #include "detect-dce-stub-data.h"
#include "detect-dce-iface.h"
#include "util-debug.h" #include "util-debug.h"
@ -49,9 +54,140 @@
#include "stream-tcp.h" #include "stream-tcp.h"
#define BUFFER_NAME "dce_stub_data"
#define KEYWORD_NAME "dce_stub_data"
static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, char *); static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, char *);
static void DetectDceStubDataRegisterTests(void); static void DetectDceStubDataRegisterTests(void);
static int g_dce_stub_data_buffer_id = 0;
/** \brief DCERPC Stub Data Mpm prefilter callback
*
* \param det_ctx detection engine thread ctx
* \param p packet to inspect
* \param f flow to inspect
* \param txv tx to inspect
* \param pectx inspection context
*/
static void PrefilterTxDceStubDataRequest(DetectEngineThreadCtx *det_ctx,
const void *pectx,
Packet *p, Flow *f, void *txv,
const uint64_t idx, const uint8_t flags)
{
SCEnter();
const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
if (dcerpc_state == NULL)
return;
uint32_t buffer_len = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len;
const uint8_t *buffer = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer;
if (buffer_len >= mpm_ctx->minlen) {
(void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
&det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
}
}
static int PrefilterTxDceStubDataRequestRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
{
SCEnter();
int r = PrefilterAppendTxEngine(sgh, PrefilterTxDceStubDataRequest,
ALPROTO_DCERPC, 0,
mpm_ctx, NULL, KEYWORD_NAME " (request)");
if (r == 0) {
r = PrefilterAppendTxEngine(sgh, PrefilterTxDceStubDataRequest,
ALPROTO_SMB, 0,
mpm_ctx, NULL, KEYWORD_NAME " (request)");
}
return r;
}
/** \brief DCERPC Stub Data Mpm prefilter callback
*
* \param det_ctx detection engine thread ctx
* \param p packet to inspect
* \param f flow to inspect
* \param txv tx to inspect
* \param pectx inspection context
*/
static void PrefilterTxDceStubDataResponse(DetectEngineThreadCtx *det_ctx,
const void *pectx,
Packet *p, Flow *f, void *txv,
const uint64_t idx, const uint8_t flags)
{
SCEnter();
const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
if (dcerpc_state == NULL)
return;
uint32_t buffer_len = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer_len;
const uint8_t *buffer = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer;
if (buffer_len >= mpm_ctx->minlen) {
(void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
&det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
}
}
static int PrefilterTxDceStubDataResponseRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
{
SCEnter();
int r = PrefilterAppendTxEngine(sgh, PrefilterTxDceStubDataResponse,
ALPROTO_DCERPC, 0,
mpm_ctx, NULL, KEYWORD_NAME " (response)");
if (r == 0) {
r = PrefilterAppendTxEngine(sgh, PrefilterTxDceStubDataResponse,
ALPROTO_SMB, 0,
mpm_ctx, NULL, KEYWORD_NAME " (response)");
}
return r;
}
static int InspectEngineDceStubData(ThreadVars *tv,
DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
const Signature *s, const SigMatchData *smd,
Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
{
uint32_t buffer_len = 0;
uint8_t *buffer = NULL;
DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
if (dcerpc_state == NULL)
goto end;
if (flags & STREAM_TOSERVER) {
buffer_len = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len;
buffer = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer;
} else if (flags & STREAM_TOCLIENT) {
buffer_len = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer_len;
buffer = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer;
}
if (buffer == NULL ||buffer_len == 0)
goto end;
det_ctx->buffer_offset = 0;
det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0;
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
f,
buffer, buffer_len,
0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE,
dcerpc_state);
if (r == 1)
return DETECT_ENGINE_INSPECT_SIG_MATCH;
end:
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
}
/** /**
* \brief Registers the keyword handlers for the "dce_stub_data" keyword. * \brief Registers the keyword handlers for the "dce_stub_data" keyword.
*/ */
@ -66,7 +202,26 @@ void DetectDceStubDataRegister(void)
sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_NOOPT; sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_PAYLOAD; sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_PAYLOAD;
return; DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
PrefilterTxDceStubDataRequestRegister);
DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
PrefilterTxDceStubDataResponseRegister);
DetectAppLayerInspectEngineRegister(BUFFER_NAME,
ALPROTO_DCERPC, SIG_FLAG_TOSERVER,
InspectEngineDceStubData);
DetectAppLayerInspectEngineRegister(BUFFER_NAME,
ALPROTO_DCERPC, SIG_FLAG_TOCLIENT,
InspectEngineDceStubData);
DetectAppLayerInspectEngineRegister(BUFFER_NAME,
ALPROTO_SMB, SIG_FLAG_TOSERVER,
InspectEngineDceStubData);
DetectAppLayerInspectEngineRegister(BUFFER_NAME,
ALPROTO_SMB, SIG_FLAG_TOCLIENT,
InspectEngineDceStubData);
g_dce_stub_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
} }
/** /**
@ -89,7 +244,7 @@ static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
goto error; goto error;
} }
s->init_data->list = DETECT_SM_LIST_DMATCH; s->init_data->list = g_dce_stub_data_buffer_id;
s->alproto = ALPROTO_DCERPC; s->alproto = ALPROTO_DCERPC;
s->flags |= SIG_FLAG_APPLAYER; s->flags |= SIG_FLAG_APPLAYER;
return 0; return 0;
@ -110,7 +265,7 @@ static int DetectDceStubDataTestParse01(void)
Signature *s = DetectEngineAppendSig(de_ctx, Signature *s = DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (dce_stub_data; content:\"1\"; sid:1;)"); "alert tcp any any -> any any (dce_stub_data; content:\"1\"; sid:1;)");
FAIL_IF_NULL(s); FAIL_IF_NULL(s);
FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_DMATCH]); FAIL_IF_NULL(s->sm_lists[g_dce_stub_data_buffer_id]);
DetectEngineCtxFree(de_ctx); DetectEngineCtxFree(de_ctx);
PASS; PASS;
} }
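Review bot: PrefilterTxDceStubDataRequest and PrefilterTxDceStubDataResponse pass `buffer` to the MPM `Search` call after checking only `buffer_len >= mpm_ctx->minlen`, while InspectEngineDceStubData in the same section also rejects `buffer == NULL`. Unless the DCERPC parser guarantees that a non-zero length never accompanies a NULL stub buffer (not visible here), the prefilter callbacks should use the same guard: `if (buffer != NULL && buffer_len >= mpm_ctx->minlen) {`. Both callbacks also call `SCEnter()` but exit through a bare `return;` or by falling off the end, so each exit is missing a matching `SCReturn;`. The added header line `\author Anoop Saldanha <victor@inliniac.net>` pairs one author's name with a different address and looks like a copy-paste slip; going by the address it should presumably read `\author Victor Julien <victor@inliniac.net>`.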

@ -49,6 +49,9 @@
#include "detect-dce-iface.h" #include "detect-dce-iface.h"
static int g_dce_stub_data_buffer_id = 0;
#if 0
/** /**
* \brief Do the content inspection & validation for a signature against dce stub. * \brief Do the content inspection & validation for a signature against dce stub.
* *
@ -73,7 +76,7 @@ int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
uint16_t dce_stub_data_len; uint16_t dce_stub_data_len;
int r = 0; int r = 0;
if (s->sm_arrays[DETECT_SM_LIST_DMATCH] == NULL || dcerpc_state == NULL) { if (s->sm_arrays[g_dce_stub_data_buffer_id] == NULL || dcerpc_state == NULL) {
SCReturnInt(0); SCReturnInt(0);
} }
@ -87,13 +90,13 @@ int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
det_ctx->discontinue_matching = 0; det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0; det_ctx->inspection_recursion_counter = 0;
r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_arrays[DETECT_SM_LIST_DMATCH], r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_arrays[g_dce_stub_data_buffer_id],
f, f,
dce_stub_data, dce_stub_data,
dce_stub_data_len, dce_stub_data_len,
0, 0,
0, dcerpc_state); 0, dcerpc_state);
//r = DoInspectDcePayload(de_ctx, det_ctx, s, s->init_data->smlists[DETECT_SM_LIST_DMATCH], f, //r = DoInspectDcePayload(de_ctx, det_ctx, s, s->init_data->smlists[g_dce_stub_data_buffer_id], f,
//dce_stub_data, dce_stub_data_len, dcerpc_state); //dce_stub_data, dce_stub_data_len, dcerpc_state);
if (r == 1) { if (r == 1) {
SCReturnInt(1); SCReturnInt(1);
@ -110,13 +113,13 @@ int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
det_ctx->discontinue_matching = 0; det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0; det_ctx->inspection_recursion_counter = 0;
r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_arrays[DETECT_SM_LIST_DMATCH], r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_arrays[g_dce_stub_data_buffer_id],
f, f,
dce_stub_data, dce_stub_data,
dce_stub_data_len, dce_stub_data_len,
0, 0,
0, dcerpc_state); 0, dcerpc_state);
//r = DoInspectDcePayload(de_ctx, det_ctx, s, s->init_data->smlists[DETECT_SM_LIST_DMATCH], f, //r = DoInspectDcePayload(de_ctx, det_ctx, s, s->init_data->smlists[g_dce_stub_data_buffer_id], f,
//dce_stub_data, dce_stub_data_len, dcerpc_state); //dce_stub_data, dce_stub_data_len, dcerpc_state);
if (r == 1) { if (r == 1) {
SCReturnInt(1); SCReturnInt(1);
@ -125,6 +128,7 @@ int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
SCReturnInt(0); SCReturnInt(0);
} }
#endif
/**************************************Unittests*******************************/ /**************************************Unittests*******************************/
@ -7500,7 +7504,7 @@ static int DcePayloadParseTest25(void)
goto end; goto end;
} }
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] != NULL) { if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -7623,7 +7627,7 @@ static int DcePayloadParseTest26(void)
goto end; goto end;
} }
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] != NULL) { if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -7749,7 +7753,7 @@ static int DcePayloadParseTest27(void)
goto end; goto end;
} }
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -7758,7 +7762,7 @@ static int DcePayloadParseTest27(void)
goto end; goto end;
} }
sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH]; sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
if (sm->type != DETECT_CONTENT) { if (sm->type != DETECT_CONTENT) {
result = 0; result = 0;
goto end; goto end;
@ -7876,7 +7880,7 @@ static int DcePayloadParseTest28(void)
goto end; goto end;
} }
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -7885,7 +7889,7 @@ static int DcePayloadParseTest28(void)
goto end; goto end;
} }
sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH]; sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
if (sm->type != DETECT_CONTENT) { if (sm->type != DETECT_CONTENT) {
result = 0; result = 0;
goto end; goto end;
@ -8005,7 +8009,7 @@ static int DcePayloadParseTest29(void)
goto end; goto end;
} }
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] != NULL) { if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -8147,7 +8151,7 @@ static int DcePayloadParseTest30(void)
goto end; goto end;
} }
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] != NULL) { if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -8294,7 +8298,7 @@ static int DcePayloadParseTest31(void)
goto end; goto end;
} }
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -8303,7 +8307,7 @@ static int DcePayloadParseTest31(void)
goto end; goto end;
} }
sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH]; sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
if (sm->type != DETECT_BYTEJUMP) { if (sm->type != DETECT_BYTEJUMP) {
result = 0; result = 0;
goto end; goto end;
@ -8441,7 +8445,7 @@ static int DcePayloadParseTest32(void)
goto end; goto end;
} }
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -8450,7 +8454,7 @@ static int DcePayloadParseTest32(void)
goto end; goto end;
} }
sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH]; sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
if (sm->type != DETECT_BYTEJUMP) { if (sm->type != DETECT_BYTEJUMP) {
result = 0; result = 0;
goto end; goto end;
@ -8588,7 +8592,7 @@ static int DcePayloadParseTest33(void)
goto end; goto end;
} }
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -8597,7 +8601,7 @@ static int DcePayloadParseTest33(void)
goto end; goto end;
} }
sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH]; sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
if (sm->type != DETECT_PCRE) { if (sm->type != DETECT_PCRE) {
result = 0; result = 0;
goto end; goto end;
@ -8731,7 +8735,7 @@ static int DcePayloadParseTest34(void)
goto end; goto end;
} }
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -8740,7 +8744,7 @@ static int DcePayloadParseTest34(void)
goto end; goto end;
} }
sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH]; sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
if (sm->type != DETECT_PCRE) { if (sm->type != DETECT_PCRE) {
result = 0; result = 0;
goto end; goto end;
@ -8852,7 +8856,7 @@ static int DcePayloadParseTest35(void)
goto end; goto end;
} }
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -8861,7 +8865,7 @@ static int DcePayloadParseTest35(void)
goto end; goto end;
} }
sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH]; sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
if (sm->type != DETECT_BYTETEST) { if (sm->type != DETECT_BYTETEST) {
result = 0; result = 0;
goto end; goto end;
@ -8940,7 +8944,7 @@ static int DcePayloadParseTest36(void)
goto end; goto end;
} }
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -8949,7 +8953,7 @@ static int DcePayloadParseTest36(void)
goto end; goto end;
} }
sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH]; sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
if (sm->type != DETECT_ISDATAAT) { if (sm->type != DETECT_ISDATAAT) {
result = 0; result = 0;
goto end; goto end;
@ -9045,7 +9049,7 @@ static int DcePayloadParseTest37(void)
goto end; goto end;
} }
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -9054,7 +9058,7 @@ static int DcePayloadParseTest37(void)
goto end; goto end;
} }
sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH]; sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
if (sm->type != DETECT_BYTEJUMP) { if (sm->type != DETECT_BYTEJUMP) {
result = 0; result = 0;
goto end; goto end;
@ -9154,7 +9158,7 @@ static int DcePayloadParseTest38(void)
goto end; goto end;
} }
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -9163,7 +9167,7 @@ static int DcePayloadParseTest38(void)
goto end; goto end;
} }
sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH]; sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
if (sm->type != DETECT_PCRE) { if (sm->type != DETECT_PCRE) {
result = 0; result = 0;
goto end; goto end;
@ -9270,7 +9274,7 @@ static int DcePayloadParseTest39(void)
goto end; goto end;
} }
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -9301,7 +9305,7 @@ static int DcePayloadParseTest39(void)
result &= (sm->next == NULL); result &= (sm->next == NULL);
sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH]; sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
data = (DetectContentData *)sm->ctx; data = (DetectContentData *)sm->ctx;
if (data->flags & DETECT_CONTENT_RAWBYTES || if (data->flags & DETECT_CONTENT_RAWBYTES ||
data->flags & DETECT_CONTENT_NOCASE || data->flags & DETECT_CONTENT_NOCASE ||
@ -9359,7 +9363,7 @@ static int DcePayloadParseTest40(void)
goto end; goto end;
} }
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -9368,7 +9372,7 @@ static int DcePayloadParseTest40(void)
goto end; goto end;
} }
sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH]; sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
if (sm->type != DETECT_CONTENT) { if (sm->type != DETECT_CONTENT) {
result = 0; result = 0;
goto end; goto end;
@ -9489,7 +9493,7 @@ static int DcePayloadParseTest41(void)
goto end; goto end;
} }
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -9498,7 +9502,7 @@ static int DcePayloadParseTest41(void)
goto end; goto end;
} }
sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH]; sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
if (sm->type != DETECT_CONTENT) { if (sm->type != DETECT_CONTENT) {
result = 0; result = 0;
goto end; goto end;
@ -9818,11 +9822,11 @@ static int DcePayloadParseTest44(void)
"sid:1;)"); "sid:1;)");
FAIL_IF_NULL(s); FAIL_IF_NULL(s);
FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH]); FAIL_IF_NULL(s->init_data->smlists_tail[g_dce_stub_data_buffer_id]);
FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]); FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
/* isdataat:10,relative; */ /* isdataat:10,relative; */
sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH]; sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
FAIL_IF(sm->type != DETECT_ISDATAAT); FAIL_IF(sm->type != DETECT_ISDATAAT);
isd = (DetectIsdataatData *)sm->ctx; isd = (DetectIsdataatData *)sm->ctx;
FAIL_IF(isd->flags & ISDATAAT_RAWBYTES); FAIL_IF(isd->flags & ISDATAAT_RAWBYTES);
@ -9913,7 +9917,7 @@ static int DcePayloadParseTest45(void)
goto end; goto end;
} }
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -9922,7 +9926,7 @@ static int DcePayloadParseTest45(void)
goto end; goto end;
} }
sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH]; sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
if (sm->type != DETECT_BYTEJUMP) { if (sm->type != DETECT_BYTEJUMP) {
result = 0; result = 0;
goto end; goto end;
@ -10025,7 +10029,7 @@ static int DcePayloadParseTest46(void)
goto end; goto end;
} }
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -10034,7 +10038,7 @@ static int DcePayloadParseTest46(void)
goto end; goto end;
} }
sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH]; sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
if (sm->type != DETECT_BYTETEST) { if (sm->type != DETECT_BYTETEST) {
result = 0; result = 0;
goto end; goto end;
@ -10108,6 +10112,7 @@ static int DcePayloadParseTest46(void)
void DcePayloadRegisterTests(void) void DcePayloadRegisterTests(void)
{ {
g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
#ifdef UNITTESTS #ifdef UNITTESTS
UtRegisterTest("DcePayloadTest01", DcePayloadTest01); UtRegisterTest("DcePayloadTest01", DcePayloadTest01);

@ -24,8 +24,8 @@
#ifndef __DETECT_ENGINE_DCEPAYLOAD_H__ #ifndef __DETECT_ENGINE_DCEPAYLOAD_H__
#define __DETECT_ENGINE_DCEPAYLOAD_H__ #define __DETECT_ENGINE_DCEPAYLOAD_H__
int DetectEngineInspectDcePayload(DetectEngineCtx *, DetectEngineThreadCtx *, //int DetectEngineInspectDcePayload(DetectEngineCtx *, DetectEngineThreadCtx *,
const Signature *, Flow *, uint8_t, void *); // const Signature *, Flow *, uint8_t, void *);
void DcePayloadRegisterTests(void); void DcePayloadRegisterTests(void);
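Review bot: The prototype of `DetectEngineInspectDcePayload` is left in the header as two `//` comment lines instead of being removed. A commented-out declaration goes stale quickly and leaves readers unsure whether the function is still part of this module's interface. If nothing outside the .c file calls it any more, delete both lines. If it is meant to come back, replace them with a one-line comment that says why.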

@ -303,12 +303,6 @@ int DeStateFlowHasInspectableState(Flow *f, AppProto alproto,
return r; return r;
} }
static int StoreState(Flow *f, const uint8_t flags, const uint8_t alversion)
{
DeStateStoreStateVersion(f, alversion, flags);
return 1;
}
static void StoreStateTxHandleFiles(DetectEngineThreadCtx *det_ctx, Flow *f, static void StoreStateTxHandleFiles(DetectEngineThreadCtx *det_ctx, Flow *f,
DetectEngineState *destate, const uint8_t flags, DetectEngineState *destate, const uint8_t flags,
const uint64_t tx_id, const uint16_t file_no_match) const uint64_t tx_id, const uint16_t file_no_match)
@ -383,7 +377,6 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
uint16_t file_no_match = 0; uint16_t file_no_match = 0;
uint32_t inspect_flags = 0; uint32_t inspect_flags = 0;
int alert_cnt = 0; int alert_cnt = 0;
int dmatch = 0;
SCLogDebug("rule %u", s->id); SCLogDebug("rule %u", s->id);
@ -517,51 +510,6 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
break; break;
} /* for */ } /* for */
} }
/* DCERPC matches */
if (s->sm_arrays[DETECT_SM_LIST_DMATCH] != NULL &&
(alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB ||
alproto == ALPROTO_SMB2))
{
void *alstate = FlowGetAppState(f);
if (alstate == NULL) {
goto end;
}
KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_DMATCH);
if (DetectEngineInspectDcePayload(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
inspect_flags |= DE_STATE_FLAG_DCE_PAYLOAD_INSPECT;
dmatch = 1;
}
}
/* if AMATCH and/or DMATCH are in use, see if we need to
* alert and store the state */
if (s->sm_arrays[DETECT_SM_LIST_DMATCH] != NULL)
{
/* if dmatch in use and match
or
sig can't match
*/
if (inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH) {
inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;
} else {
if (dmatch || s->sm_arrays[DETECT_SM_LIST_DMATCH] == NULL)
{
if (!(s->flags & SIG_FLAG_NOALERT)) {
PacketAlertAppend(det_ctx, s, p, 0,
PACKET_ALERT_FLAG_STATE_MATCH);
} else {
DetectSignatureApplyActions(p, s);
}
alert_cnt = 1;
inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;
}
}
StoreState(f, flags, alversion);
}
end: end:
det_ctx->tx_id = 0; det_ctx->tx_id = 0;
det_ctx->tx_id_set = 0; det_ctx->tx_id_set = 0;

@ -53,12 +53,11 @@
#define DE_STATE_FLAG_FULL_INSPECT BIT_U32(0) #define DE_STATE_FLAG_FULL_INSPECT BIT_U32(0)
#define DE_STATE_FLAG_SIG_CANT_MATCH BIT_U32(1) #define DE_STATE_FLAG_SIG_CANT_MATCH BIT_U32(1)
#define DE_STATE_FLAG_DCE_PAYLOAD_INSPECT BIT_U32(2) #define DE_STATE_FLAG_FILE_TC_INSPECT BIT_U32(2)
#define DE_STATE_FLAG_FILE_TC_INSPECT BIT_U32(3) #define DE_STATE_FLAG_FILE_TS_INSPECT BIT_U32(3)
#define DE_STATE_FLAG_FILE_TS_INSPECT BIT_U32(4)
/* first bit position after the built-ins */ /* first bit position after the built-ins */
#define DE_STATE_FLAG_BASE 5UL #define DE_STATE_FLAG_BASE 4UL
/* state flags */ /* state flags */
#define DETECT_ENGINE_STATE_FLAG_FILE_STORE_DISABLED 0x0001 #define DETECT_ENGINE_STATE_FLAG_FILE_STORE_DISABLED 0x0001
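Review bot: `DE_STATE_FLAG_BASE` is a hand-maintained count that had to be lowered from `5UL` to `4UL` here, and nothing ties it to the `BIT_U32(n)` defines above it. Judging by the existing comment, bits from this position upward are presumably handed out to registered inspect engines, so a mismatch would let one of those overlap a built-in flag and per-rule inspection state would be misread. I would state the invariant next to the define, e.g. `/* must be the highest built-in BIT_U32() index + 1 */`. Bits 2 and 3 also change meaning in this hunk, so it is worth checking for code that depends on the old numeric values; none is visible in this section.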

@ -2906,8 +2906,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
case DETECT_SM_LIST_PMATCH: case DETECT_SM_LIST_PMATCH:
return "packet/stream payload"; return "packet/stream payload";
case DETECT_SM_LIST_DMATCH:
return "dcerpc";
case DETECT_SM_LIST_TMATCH: case DETECT_SM_LIST_TMATCH:
return "tag"; return "tag";

@ -290,6 +290,7 @@ void DetectIsdataatFree(void *ptr)
#ifdef UNITTESTS #ifdef UNITTESTS
static int g_dce_stub_data_buffer_id = 0;
/** /**
* \test DetectIsdataatTestParse01 is a test to make sure that we return a correct IsdataatData structure * \test DetectIsdataatTestParse01 is a test to make sure that we return a correct IsdataatData structure
@ -353,14 +354,14 @@ int DetectIsdataatTestParse04(void)
s->alproto = ALPROTO_DCERPC; s->alproto = ALPROTO_DCERPC;
result &= (DetectIsdataatSetup(NULL, s, "30") == 0); result &= (DetectIsdataatSetup(NULL, s, "30") == 0);
result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL); result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
SigFree(s); SigFree(s);
s = SigAlloc(); s = SigAlloc();
s->alproto = ALPROTO_DCERPC; s->alproto = ALPROTO_DCERPC;
/* failure since we have no preceding content/pcre/bytejump */ /* failure since we have no preceding content/pcre/bytejump */
result &= (DetectIsdataatSetup(NULL, s, "30,relative") == 0); result &= (DetectIsdataatSetup(NULL, s, "30,relative") == 0);
result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL); result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
SigFree(s); SigFree(s);
@ -393,12 +394,12 @@ int DetectIsdataatTestParse05(void)
goto end; goto end;
} }
s = de_ctx->sig_list; s = de_ctx->sig_list;
if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_ISDATAAT); result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_ISDATAAT);
data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; data = (DetectIsdataatData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
if ( !(data->flags & ISDATAAT_RELATIVE) || if ( !(data->flags & ISDATAAT_RELATIVE) ||
(data->flags & ISDATAAT_RAWBYTES) ) { (data->flags & ISDATAAT_RAWBYTES) ) {
result = 0; result = 0;
@ -416,12 +417,12 @@ int DetectIsdataatTestParse05(void)
goto end; goto end;
} }
s = s->next; s = s->next;
if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_ISDATAAT); result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_ISDATAAT);
data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; data = (DetectIsdataatData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
if ( !(data->flags & ISDATAAT_RELATIVE) || if ( !(data->flags & ISDATAAT_RELATIVE) ||
(data->flags & ISDATAAT_RAWBYTES) ) { (data->flags & ISDATAAT_RAWBYTES) ) {
result = 0; result = 0;
@ -439,12 +440,12 @@ int DetectIsdataatTestParse05(void)
goto end; goto end;
} }
s = s->next; s = s->next;
if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) { if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_ISDATAAT); result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_ISDATAAT);
data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; data = (DetectIsdataatData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
if ( !(data->flags & ISDATAAT_RELATIVE) || if ( !(data->flags & ISDATAAT_RELATIVE) ||
!(data->flags & ISDATAAT_RAWBYTES) ) { !(data->flags & ISDATAAT_RAWBYTES) ) {
result = 0; result = 0;
@ -459,7 +460,7 @@ int DetectIsdataatTestParse05(void)
goto end; goto end;
} }
s = s->next; s = s->next;
if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] != NULL) { if (s->sm_lists_tail[g_dce_stub_data_buffer_id] != NULL) {
result = 0; result = 0;
goto end; goto end;
} }
@ -628,6 +629,8 @@ end:
void DetectIsdataatRegisterTests(void) void DetectIsdataatRegisterTests(void)
{ {
#ifdef UNITTESTS #ifdef UNITTESTS
g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
UtRegisterTest("DetectIsdataatTestParse01", DetectIsdataatTestParse01); UtRegisterTest("DetectIsdataatTestParse01", DetectIsdataatTestParse01);
UtRegisterTest("DetectIsdataatTestParse02", DetectIsdataatTestParse02); UtRegisterTest("DetectIsdataatTestParse02", DetectIsdataatTestParse02);
UtRegisterTest("DetectIsdataatTestParse03", DetectIsdataatTestParse03); UtRegisterTest("DetectIsdataatTestParse03", DetectIsdataatTestParse03);
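Review bot: The id returned by `DetectBufferTypeGetByName("dce_stub_data")` in DetectIsdataatRegisterTests is used unchecked as an index into `s->sm_lists[...]` and `s->sm_lists_tail[...]` throughout these tests. If the buffer type is not registered when the tests are set up, the lookup presumably returns a negative id and every indexed access reads outside the array. Until the assignment runs the static holds 0, which aliases `DETECT_SM_LIST_MATCH`. I would initialise the static to `-1` and have each test that uses it fail early on `g_dce_stub_data_buffer_id < 0`. The same pattern appears in DetectPcreRegisterTests and DcePayloadRegisterTests; in the latter the assignment sits above `#ifdef UNITTESTS`, so confirm the variable is declared outside that guard.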

@ -141,7 +141,6 @@ const char *DetectListToHumanString(int list)
switch (list) { switch (list) {
CASE_CODE_STRING(DETECT_SM_LIST_MATCH, "packet"); CASE_CODE_STRING(DETECT_SM_LIST_MATCH, "packet");
CASE_CODE_STRING(DETECT_SM_LIST_PMATCH, "payload"); CASE_CODE_STRING(DETECT_SM_LIST_PMATCH, "payload");
CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
CASE_CODE_STRING(DETECT_SM_LIST_TMATCH, "tag"); CASE_CODE_STRING(DETECT_SM_LIST_TMATCH, "tag");
CASE_CODE_STRING(DETECT_SM_LIST_POSTMATCH, "postmatch"); CASE_CODE_STRING(DETECT_SM_LIST_POSTMATCH, "postmatch");
CASE_CODE_STRING(DETECT_SM_LIST_SUPPRESS, "suppress"); CASE_CODE_STRING(DETECT_SM_LIST_SUPPRESS, "suppress");
@ -158,7 +157,6 @@ const char *DetectListToString(int list)
switch (list) { switch (list) {
CASE_CODE(DETECT_SM_LIST_MATCH); CASE_CODE(DETECT_SM_LIST_MATCH);
CASE_CODE(DETECT_SM_LIST_PMATCH); CASE_CODE(DETECT_SM_LIST_PMATCH);
CASE_CODE(DETECT_SM_LIST_DMATCH);
CASE_CODE(DETECT_SM_LIST_TMATCH); CASE_CODE(DETECT_SM_LIST_TMATCH);
CASE_CODE(DETECT_SM_LIST_POSTMATCH); CASE_CODE(DETECT_SM_LIST_POSTMATCH);
CASE_CODE(DETECT_SM_LIST_SUPPRESS); CASE_CODE(DETECT_SM_LIST_SUPPRESS);
@ -1598,11 +1596,6 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr,
} }
} }
if (sig->init_data->smlists[DETECT_SM_LIST_DMATCH])
sig->flags |= SIG_FLAG_STATE_MATCH;
/* for other lists this flag is set when the inspect engines
* are registered */
if (!(sig->init_data->init_flags & SIG_FLAG_INIT_FLOW)) { if (!(sig->init_data->init_flags & SIG_FLAG_INIT_FLOW)) {
sig->flags |= SIG_FLAG_TOSERVER; sig->flags |= SIG_FLAG_TOSERVER;
sig->flags |= SIG_FLAG_TOCLIENT; sig->flags |= SIG_FLAG_TOCLIENT;

@ -770,6 +770,7 @@ void DetectPcreFree(void *ptr)
#ifdef UNITTESTS /* UNITTESTS */ #ifdef UNITTESTS /* UNITTESTS */
static int g_file_data_buffer_id = 0; static int g_file_data_buffer_id = 0;
static int g_http_header_buffer_id = 0; static int g_http_header_buffer_id = 0;
static int g_dce_stub_data_buffer_id = 0;
/** /**
* \test DetectPcreParseTest01 make sure we don't allow invalid opts 7. * \test DetectPcreParseTest01 make sure we don't allow invalid opts 7.
@ -960,7 +961,7 @@ int DetectPcreParseTest10(void)
s->alproto = ALPROTO_DCERPC; s->alproto = ALPROTO_DCERPC;
FAIL_IF_NOT(DetectPcreSetup(de_ctx, s, "/bamboo/") == 0); FAIL_IF_NOT(DetectPcreSetup(de_ctx, s, "/bamboo/") == 0);
FAIL_IF_NOT(s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL); FAIL_IF_NOT(s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
SigFree(s); SigFree(s);
@ -969,7 +970,7 @@ int DetectPcreParseTest10(void)
/* failure since we have no preceding content/pcre/bytejump */ /* failure since we have no preceding content/pcre/bytejump */
FAIL_IF_NOT(DetectPcreSetup(de_ctx, s, "/bamboo/") == 0); FAIL_IF_NOT(DetectPcreSetup(de_ctx, s, "/bamboo/") == 0);
FAIL_IF_NOT(s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL); FAIL_IF_NOT(s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
SigFree(s); SigFree(s);
DetectEngineCtxFree(de_ctx); DetectEngineCtxFree(de_ctx);
@ -997,9 +998,9 @@ int DetectPcreParseTest11(void)
"pcre:/bamboo/R; sid:1;)"); "pcre:/bamboo/R; sid:1;)");
FAIL_IF(de_ctx == NULL); FAIL_IF(de_ctx == NULL);
s = de_ctx->sig_list; s = de_ctx->sig_list;
FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL); FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL);
FAIL_IF_NOT(s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE); FAIL_IF_NOT(s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_PCRE);
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; data = (DetectPcreData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
FAIL_IF(data->flags & DETECT_PCRE_RAWBYTES || FAIL_IF(data->flags & DETECT_PCRE_RAWBYTES ||
!(data->flags & DETECT_PCRE_RELATIVE)); !(data->flags & DETECT_PCRE_RELATIVE));
@ -1010,9 +1011,9 @@ int DetectPcreParseTest11(void)
"pcre:/bamboo/R; sid:1;)"); "pcre:/bamboo/R; sid:1;)");
FAIL_IF_NULL(s->next); FAIL_IF_NULL(s->next);
s = s->next; s = s->next;
FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL); FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL);
FAIL_IF_NOT(s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE); FAIL_IF_NOT(s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_PCRE);
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; data = (DetectPcreData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
FAIL_IF(data->flags & DETECT_PCRE_RAWBYTES || FAIL_IF(data->flags & DETECT_PCRE_RAWBYTES ||
!(data->flags & DETECT_PCRE_RELATIVE)); !(data->flags & DETECT_PCRE_RELATIVE));
@ -1023,9 +1024,9 @@ int DetectPcreParseTest11(void)
"pcre:/bamboo/RB; sid:1;)"); "pcre:/bamboo/RB; sid:1;)");
FAIL_IF(s->next == NULL); FAIL_IF(s->next == NULL);
s = s->next; s = s->next;
FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL); FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL);
FAIL_IF_NOT(s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE); FAIL_IF_NOT(s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_PCRE);
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; data = (DetectPcreData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
FAIL_IF(!(data->flags & DETECT_PCRE_RAWBYTES) || FAIL_IF(!(data->flags & DETECT_PCRE_RAWBYTES) ||
!(data->flags & DETECT_PCRE_RELATIVE)); !(data->flags & DETECT_PCRE_RELATIVE));
@ -1034,7 +1035,7 @@ int DetectPcreParseTest11(void)
"content:\"one\"; pcre:/bamboo/; sid:1;)"); "content:\"one\"; pcre:/bamboo/; sid:1;)");
FAIL_IF(s->next == NULL); FAIL_IF(s->next == NULL);
s = s->next; s = s->next;
FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_DMATCH] != NULL); FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] != NULL);
SigGroupCleanup(de_ctx); SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx); SigCleanSignatures(de_ctx);
@ -3312,6 +3313,7 @@ void DetectPcreRegisterTests(void)
#ifdef UNITTESTS /* UNITTESTS */ #ifdef UNITTESTS /* UNITTESTS */
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data"); g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
g_http_header_buffer_id = DetectBufferTypeGetByName("http_header"); g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
UtRegisterTest("DetectPcreParseTest01", DetectPcreParseTest01); UtRegisterTest("DetectPcreParseTest01", DetectPcreParseTest01);
UtRegisterTest("DetectPcreParseTest02", DetectPcreParseTest02); UtRegisterTest("DetectPcreParseTest02", DetectPcreParseTest02);

@ -2221,11 +2221,6 @@ static int SignatureCreateMask(Signature *s)
SCLogDebug("sig requires payload"); SCLogDebug("sig requires payload");
} }
if (s->init_data->smlists[DETECT_SM_LIST_DMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_DCE_STATE;
SCLogDebug("sig requires dce state");
}
SigMatch *sm; SigMatch *sm;
for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) { for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
switch(sm->type) { switch(sm->type) {

@ -88,9 +88,6 @@ enum DetectSigmatchListEnum {
DETECT_SM_LIST_MATCH = 0, DETECT_SM_LIST_MATCH = 0,
DETECT_SM_LIST_PMATCH, DETECT_SM_LIST_PMATCH,
/* list for DCE matches */
DETECT_SM_LIST_DMATCH,
/* base64_data keyword uses some hardcoded logic so consider /* base64_data keyword uses some hardcoded logic so consider
* built-in * built-in
* TODO convert to inspect engine */ * TODO convert to inspect engine */
