aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Implement flow:established and flow:stateless

Browse Source
remotes/origin/master-1.0.x
Victor Julien 16 years ago
parent 1ae490e6c8
commit ffa013b2d8
3 changed files with 19 additions and 6 deletions
Show Stats Download Patch File Download Diff File

18
src/detect-flow.c
Unescape Escape View File

@ -57,17 +57,22 @@ error:
int DetectFlowMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m)
{
int ret = 0;
u_int8_t cnt = 0;
DetectFlowData *fd = (DetectFlowData *)m->ctx;
if (fd->flags & FLOW_PKT_TOSERVER && p->flowflags & FLOW_PKT_TOSERVER) {
ret = 1;
cnt++;
} else if (fd->flags & FLOW_PKT_TOCLIENT && p->flowflags & FLOW_PKT_TOCLIENT) {
cnt++;
}
else if (fd->flags & FLOW_PKT_TOCLIENT && p->flowflags & FLOW_PKT_TOCLIENT) {
ret = 1;
if (fd->flags & FLOW_PKT_ESTABLISHED && p->flowflags & FLOW_PKT_ESTABLISHED) {
cnt++;
} else if (!(fd->flags & FLOW_PKT_ESTABLISHED) && p->flowflags & FLOW_PKT_STATELESS) {
cnt++;
}
int ret = (fd->match_cnt == cnt) ? 1 : 0;
//printf("DetectFlowMatch: returning %d\n", ret);
return ret;
}
@ -127,6 +132,7 @@ int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *f
if (strcmp(state,"to_server") == 0) fd->flags |= FLOW_PKT_TOSERVER;
if (strcmp(state,"from_server") == 0) fd->flags |= FLOW_PKT_TOCLIENT;
if (strcmp(state,"from_client") == 0) fd->flags |= FLOW_PKT_TOSERVER;
fd->match_cnt = 1;
}
if (dir) {
if (strcmp(dir,"established") == 0) fd->flags |= FLOW_PKT_ESTABLISHED;
@ -135,6 +141,7 @@ int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *f
if (strcmp(dir,"to_server") == 0) fd->flags |= FLOW_PKT_TOSERVER;
if (strcmp(dir,"from_server") == 0) fd->flags |= FLOW_PKT_TOCLIENT;
if (strcmp(dir,"from_client") == 0) fd->flags |= FLOW_PKT_TOSERVER;
fd->match_cnt = 2;
}
if (stream) {
if (strcmp(stream,"established") == 0) fd->flags |= FLOW_PKT_ESTABLISHED;
@ -143,6 +150,7 @@ int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *f
if (strcmp(stream,"to_server") == 0) fd->flags |= FLOW_PKT_TOSERVER;
if (strcmp(stream,"from_server") == 0) fd->flags |= FLOW_PKT_TOCLIENT;
if (strcmp(stream,"from_client") == 0) fd->flags |= FLOW_PKT_TOSERVER;
fd->match_cnt = 3;
}
/* Okay so far so good, lets get this into a SigMatch

3
src/detect-flow.h
Unescape Escape View File

@ -2,7 +2,8 @@
#define __DETECT_FLOW_H__
typedef struct _DetectFlowData {
u_int8_t flags;
u_int8_t flags; /* flags to match */
u_int8_t match_cnt; /* number of matches we need */
} DetectFlowData;
/* prototypes */

4
src/flow.c
Unescape Escape View File

@ -233,6 +233,10 @@ void FlowHandlePacket (ThreadVars *th_v, Packet *p)
}
f->bytecnt += p->pktlen;
if (f->flags & FLOW_TO_DST_SEEN && f->flags & FLOW_TO_SRC_SEEN) {
p->flowflags |= FLOW_PKT_ESTABLISHED;
}
/* update queue positions */
FlowUpdateQueue(f);

Write Preview
Loading…
Cancel
Save