Commit Graph

397 Commits (c41e64d637fc0ce7a95e68c2de08f4d4ea24f49f)

Author SHA1 Message Date
Victor Julien e2c6e1be33 detect-parse: set ipprotos earlier
A high level proto like HTTP implies TCP. However this wasn't set
until after all the parsing was complete which means that keywords
couldn't test if the ipproto matched.

This patch populates the ipprotos right when the higher level proto
is parsed.
9 years ago
Victor Julien a44da9f5cb detect: simplify SIG_FLAG_STATE_MATCH set logic 9 years ago
Eric Leblond 5b1de57d73 detect-parse: simplify port prefiltering
Regular expression was not matching some authorized setting like
"![1234, 1235]". This patch simplify the regexp to match on
possible character and let the port parsing code handle the
complete verification.
9 years ago
Jason Ish a59f31a99f DNP3: Lua detect support.
Adds support for access the DNP3 transaction in Lua rules.
9 years ago
Jason Ish 1a31bded4a DNP3: dnp3_data, dnp3_func, dnp3_ind, dnp3_obj rule keywords 9 years ago
kwong a3ffebd835 Adding SCADA EtherNet/IP and CIP protocol support
Add support for the ENIP/CIP Industrial protocol

This is an app layer implementation which uses the "enip" protocol
and "cip_service" and "enip_command" keywords

Implements AFL entry points
9 years ago
Victor Julien a24870f29f detect app-layer-event: clean up registration
Move engine and registration into the keyword file.

Register as 'ALPROTO_UNKNOWN' instead of per alproto. The
registration will only apply it to those rules that have
events set.
9 years ago
Victor Julien 5f994756e6 detect-engine: improved inspect engines
Inspect engines are called per signature per sigmatch list. Most
wrap around DetectEngineContentInspection, but it's more generic.

Until now, the inspect engines were setup in a large per ipproto,
per alproto, per direction table. For stateful inspection each
engine needed a global flag.

This approach had a number of issues:
1. inefficient: each inspection round walked the table and then
   checked if the inspect engine was even needed for the current
   rule.
2. clumsy registration with global flag registration.
3. global flag space was approaching the need for 64 bits
4. duplicate registration for alprotos supporting both TCP and
   TCP (DNS).

This patch introduces a new approach.

First, it does away with the per ipproto engines. This wasn't used.

Second, it adds a per signature list of inspect engine containing
only those engines that actually apply to the rule.

Third, it gets rid of the global flags and replaces it with flags
assigned per rule per engine.
9 years ago
Victor Julien f1e3840516 http_response_body: implement keyword with mpm
Implemented as 'stickybuffer'.
9 years ago
Victor Julien 4c98b6cef3 http_request_line: implement keyword and mpm
Implemented as 'stickybuffer'.

Move all logic into the keyword file and remove bad tests that tested
URI instead of request line.
9 years ago
Victor Julien c4dcb20522 detect-parse: add new func to get last sigmatch
Add SigMatchGetLastSM which simply returns the very last SM added
to the signature.

Minor cleanups.
9 years ago
Mats Klepsland dc8e0b3cf2 detect: add detect engine for tls validity keywords
Add detect engine for tls validity keywords (tls_cert_notbefore and
tls_cert_notafter).
9 years ago
Jason Ish 04da43d65d rule parsing: check for balanced double quotes
If a rule option value starts with a double quote, ensure it
ends with a double quote, exclusive of white space which gets
trimmed anyways.

Catches errors like 'filemagic:"picture" sid:5555555;' reporting
that a missing semicolon may be the error.
9 years ago
Mats Klepsland 4172c4c8ac tls: add (mpm) keyword tls_cert_subject
This keyword is a replacement for tls.subject.
9 years ago
Mats Klepsland 9b2717799c tls: add (mpm) keyword tls_cert_issuer
This keyword is a replacement for tls.issuerdn.
9 years ago
Victor Julien 215d0d54c7 detect: optimize rule address parsing
Many rules have the same address vars, so instead of parsing them
each time use a hash to store the string and the parsed result.

Rules now reference the stored result in the hash table.
9 years ago
Victor Julien c957c62824 detect file: enable HTTP inspection from validate func 9 years ago
Victor Julien 621860f5b2 detect file: enforce protocol in single place
Instead of trying to enforce the app layer protocol in each file
function, enforce it in the generic validation function.
9 years ago
Victor Julien 0e2ea4e63b detect: remove unused debug code 9 years ago
Mats Klepsland a13df67864 detect: add (mpm) keyword for tls_sni
Match on server name indication (SNI) extension in TLS using tls_sni
keyword, e.g:

alert tls any any -> any any (msg:"SNI test"; tls_sni;
        content:"example.com"; sid:12345;)
9 years ago
maxtors 9d3fd82849 Removed duplicate include statements. 9 years ago
Victor Julien 1c8775b340 QA: --afl-rules for faster rule fuzzing 9 years ago
Victor Julien 4a2e816bea detect parser: add parse regex util function
Add regex setup and free util functions. Keywords often use a regex
to parse rule input. Introduce a common function to do this setup.

Also create a list of registered regexes to free at engine shutdown.
9 years ago
Alexander Gozman 365015c2d5 Support sending rejects via libnet when running under non-root.
Since version 1.1.6 libnet handles capabilities correctly.
So changing libnet's version checking a little bit should do the trick.
9 years ago
Jason Ish 796dd5223b tests: no longer necessary to provide successful return code
1 pass, 0 is fail.
9 years ago
Victor Julien 92c571b26d detect: move sm_list to string funcs to parser code 9 years ago
Victor Julien f720dfd21e detect: validate http_method pattern
Leading and trailing spaces and tabs are invalid as these are not part
of the buffer as returned by libhtp.
9 years ago
Victor Julien 0d3f671b55 detect: constify mpm/detect funcs 9 years ago
Victor Julien 4f8e1f59a6 mpm: remove obsolete mpm algos
Remove: ac-gfbs, wumanber, b2g, b3g.
9 years ago
Victor Julien f836256e20 detect: fix small mem leak on duplicate sigs
Direct leak of 80 byte(s) in 5 object(s) allocated from:
    #0 0x4c673b in __interceptor_malloc (/home/victor/dev/suricata/src/suricata+0x4c673b)
    #1 0xb7a425 in DetectEngineSignatureIsDuplicate /home/victor/dev/suricata/src/detect-parse.c:1715:10
    #2 0xb79390 in DetectEngineAppendSig /home/victor/dev/suricata/src/detect-parse.c:1836:19
    #3 0x86fe56 in DetectLoadSigFile /home/victor/dev/suricata/src/detect.c:357:15
    #4 0x815fee in ProcessSigFiles /home/victor/dev/suricata/src/detect.c:419:13
    #5 0x8139a8 in SigLoadSignatures /home/victor/dev/suricata/src/detect.c:499:15
    #6 0xfe435d in LoadSignatures /home/victor/dev/suricata/src/suricata.c:1979:9
    #7 0xfcd87e in main /home/victor/dev/suricata/src/suricata.c:2345:17
    #8 0x7fb66bf7cec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
9 years ago
Jason Ish 3c3fe4b47d detect: denote the max detection list; fix issue 1674.
Denotes the max detection list so that rule validation can
allow post-detection lists to come after base64_data, but
disallow detection lists to come after it.
9 years ago
Victor Julien adecf41720 base64: code style fixups 10 years ago
Jason Ish 6b15686fd1 base64_decode, base64_data: decode and match base64 10 years ago
Victor Julien 2716c78628 mpm: improve SGH content len tracking
SGH's track content length for rule grouping.

This patch changes the logic to only consider the pattern that is
used in the mpm for a sig.
10 years ago
Victor Julien e529ebb50e mpm: redo uri maxlen logic
The mpm_uricontent_maxlen logic was meant to track the shortest
possible pattern in the MPM of a SGH. So a minlen more than a maxlen.

This patch replaces the complicated tracking logic by a simpler
scheme. When the SGH's are finalize, the minlen is calculated.

It also fixes a small corner case where the calculated "maxlen" could
be wrong. This would require a smaller pattern in a rule to be forced
as fast pattern.
10 years ago
Jason Ish 06beca62f5 app-layer: template for application layer content inspection 10 years ago
Victor Julien 433e511b63 dns: generic inspect engines for DNS 10 years ago
Victor Julien 2c8e8c2516 dns: rename type so it's purpose is more clear 10 years ago
Victor Julien 8949054212 detect: remove unused match_flags from inspect engines 10 years ago
Victor Julien 393689ce44 classification: remove global from parsing
Parsing code used a 'fd' global. Remove this.
10 years ago
Giuseppe Longo 04561f13d3 signature: set flags and test the protocol
This checks if the signature's protocol is http
when setup the content keyword.

Also sets the proper flags based by protocol
since the flag SIG_FLAG_TOSERVER has to be set
if the proto is smtp, otherwise SIG_FLAG_TOCLIENT
is it's http.
10 years ago
Giuseppe Longo 41a1a9f4af find and replace HSBDMATCH by FILEDATA
This commit do a find and replace of the following:

- DETECT_SM_LIST_HSBDMATCH by DETECT_SM_LIST_FILEDATA
  sed -i 's/DETECT_SM_LIST_HSBDMATCH/DETECT_SM_LIST_FILEDATA/g' src/*

- HSBD by FILEDATA:
  sed -i 's/HSBDMATCH/FILEDATA/g' src/*
10 years ago
Victor Julien 0bc27c7dc7 rule-vars: take detect engine as arg 10 years ago
Victor Julien 3083f51cc6 detect:pass DetectEngineCtx to port parsing
Preparation for prefix handling in port parsing.
10 years ago
Victor Julien 2be9ccfe9c detect: pass DetectEngineCtx to address parsing
Preparation for prefix handling in address parsing.
10 years ago
Victor Julien 6723d03c7e http: add inspection engine for http request line
No MPM though.
10 years ago
Victor Julien 6717c356e3 Clean up sm_array memory at SigFree 11 years ago
Victor Julien d951de2f19 Bug 977: -T / --init-errors-fatal to process all rules
Have -T / --init-errors-fatal process all rules so that it's easier
to debug problems in ruleset. Otherwise it can be a lengthy fix, test
error cycle if multiple rules have issues.

Convert empty rulefile error into a warning.

Bug #977
11 years ago
DIALLO David b3bf2f9939 Detect: Add Modbus keyword management
Add the modbus.function and subfunction) keywords for public function match in rules (Modbus layer).
Matching based on code function, and if necessary, sub-function code
or based on category (assigned, unassigned, public, user or reserved)
and negation is permitted.

Add the modbus.access keyword for read/write Modbus function match in rules (Modbus layer).
Matching based on access type (read or write),
and/or function type (discretes, coils, input or holding)
and, if necessary, read or write address access,
and, if necessary, value to write.
For address and value matching, "<", ">" and "<>" is permitted.

Based on TLS source code and file size source code (address and value matching).

Signed-off-by: David DIALLO <diallo@et.esia.fr>
11 years ago
Ken Steele 38710697db Speed up SigMatchGetLastSMFromLists()
SigMatchGetLastSMFromLists() is finding the sm with the largest
index among all of the values returned from SigMatchGetLastSM() on
the set of (list and type) tuples passed as arguments.

The function was creating an array of the types, then creating an array
of the results of SigMatchGetLastSM(), sorting that list completely, then
only returning the first values from the list.

The new code, gets one set of arguments from the variable arguments, calls
SigMatchGetLastSM() and if the returned sm has a larger index, keeps that
as the last sm.
11 years ago
Victor Julien d9c523a332 filestore: fix parsing bug
Filestore keyword can have options or no options, and the parser
was enforcing the NOOPT flag too strictly.

Bug #1288
11 years ago
Victor Julien 690a85698f rule parser: fix crashing on malformed options
Fix crashing on malformed rule options like 'rev;1;'.

Bug 1254.
11 years ago
Victor Julien f23399d672 Rename Lua code to just Lua
As we support regular Lua as well as LuaJIT, it makes more sense to call
it all Lua.
11 years ago
Ken Steele 8f1d75039a Enforce function coding standard
Functions should be defined as:

int foo(void)
{
}

Rather than:
int food(void) {
}

All functions where changed by a script to match this standard.
11 years ago
Victor Julien 25cbf36d40 lua/luajit: use HAVE_LUA mostly
Only use HAVE_LUAJIT if things are done differently from HAVE_LUA,
like in the states pool.
11 years ago
Victor Julien 1af39d55cf detect: allow alias registration for rule keywords
This allows for registering a keyword under another name while keeping
the old name active and supported.

Do this for 'luajit', which can now also be used as just 'lua'.
11 years ago
Victor Julien 1ac805f1b3 Fix address parsing issues
Fix issue where negating a range containing a negation would fail.

E.g. HOME_NET: [192.168.0.0/16,!192.168.10.0], can be used in a rule
     as !$HOME_NET.

Also, fix another parsing issue:

If the negation range would be bigger than the 'positive' range, parsing
wouldn't be correct. Now this case is rejected.

E.g. [192.168.1.3,!192.168.0.0/16] is now explicitly rejected

Ticket 1079.
12 years ago
Anoop Saldanha d06a193012 Remove BUG_ON(1) in app layer event second stage preparation function.
This lets us single out and print rules that result in a failure, than
just post a core dump.
12 years ago
Victor Julien f5f148805c app layer: uint16_t alproto -> AppProto alproto
This conversion was missing in a couple of places.
12 years ago
Anoop Saldanha 429c6388f6 App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].

Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
  parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
  "dnsudp" in the rules.  A user who previously wrote a rule like this -

  "alert dnstcp....." or
  "alert dnsudp....."

  would now have to use,

  alert dns (ipproto:tcp;) or
  alert udp (app-layer-protocol:dns;) or
  alert ip (ipproto:udp; app-layer-protocol:dns;)

  The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
  callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
  STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
  functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0.  This is
  needed by unittests, which would try to clean the flow, and that would
  call the api, AppLayerParserCleanupParserState(), which would try to
  clean the app state, but the app layer now needs an ipproto to figure
  out which api to internally call to clean the state, and if the ipproto
  is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
  they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
Anoop Saldanha 127ef8f903 Use a typdef AppProto <-> uint16_t for representing app layer protocol.
Some minor refactoring/cleanup, including renaming functions.
12 years ago
Ken Steele f9705377ae Remove pkt variable from Packet structure.
The uint8_t *pkt in the Packet structure always points to the memory
immediately following the Packet structure. It is better to simply
calculate that value every time than store the 8 byte pointer.
12 years ago
Victor Julien ae69a4a024 luajit: pass calling rule's sid,gid,rev to script as SCRuleSid, SCRuleGid, SCRuleRev. 12 years ago
Victor Julien 1f69da80bf rule parser: convert to use pcre_copy_string 12 years ago
Victor Julien d397ed94c5 detect: use macro for max rule size 12 years ago
Victor Julien 3f4ce6dadd rule parser: don't use uninitialized value 12 years ago
Victor Julien 54610cb4a4 rule parsing cleanups
Clean up usage of array of pointers to the various parts of a rule.
12 years ago
Victor Julien 67989e7e4e rule parsing: reduce mallocs and clean up
Reduce mallocs during rule parsing. Also, no longer recursively
call the option parse function.
12 years ago
Victor Julien e7f6107e79 signature address parsing improvements and tests
Fix sigatures not supporting [10.0.0.0/24, !10.1.1.1] notation when
used directly in a rule instead of through a variable.

Add tests for Bugs #815 and #920.
12 years ago
Anoop Saldanha d0c5f51293 Update rule engine relationship with regard to setting ip protocol between specifying protocol after action, ip_proto and app-layer-protocol.
Now we can specify alproto, ip_proto combinations this way

alert dns (ip_proto:[tcp/udp];)
alert ip (app-layer-protocol:dns;)
alert ip (app-layer-protocol:dns; ip_proto:tcp;)
alert tcp (app-layer-protocol:dns:)

so on.  Neater than using dnstcp/dnsudp.

This is related to feature #424.
12 years ago
Anoop Saldanha f592c481dc Introduce a separate inspection engine for app events. 12 years ago
Anoop Saldanha b1dffdfbe0 Add app layer protocol packet event detection support. 12 years ago
Anoop Saldanha 1077acecd7 validate dns sigs that are reported as plain dns and not dnsudp or dnstcp. 12 years ago
Anoop Saldanha 94e40907e2 feature #727 - Add support for app-layer-protocol:<protocol> keyword 12 years ago
Anoop Saldanha ddde572fba Introduce new options into the conf file to enable/disable -
1. Proto detection
2. Parsers

For app layer protocols.

libhtp has now been moved to the section under app-layer.protocols.http,
but we still provide backward compatibility with older conf files.
12 years ago
Anoop Saldanha d9686fae57 Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well. 12 years ago
Victor Julien 4827a4dcef Coverity 400477: pcre_get_substring retval
Add missing return code check to pcre_get_substring call.
12 years ago
Eric Leblond c5bd04f102 unittest: recycle packet before exit
To avoid an issue with flow validation, we need to recycle the packet
before cleaning the flow.
12 years ago
Anoop Saldanha 48cf0585fb Suricata upgrade to libhtp 0.5.x.
Remove the support for now unsupported personalities from libhtp -
TOMCAT_6_0, APACHE and APACHE_2_2.  We instead use the APACHE_2
personality.
12 years ago
Victor Julien 73e27c1fb7 Generate proper errors if sid,gid,rev values are out of range. Bug #779. 12 years ago
Victor Julien 7292998a58 Content: set up sticky buffers like file_data and dce_stub_data w/o flags, but with a list variable 12 years ago
Victor Julien f10dd603ff DNS: adding dns_request content modifier 12 years ago
Victor Julien 59780ca770 Hacks to enable alert dns even though we have dnstcp and dnsudp parsers. Needs proper solution later. 12 years ago
Anoop Saldanha d4d18e3136 Transaction engine redesigned.
Improved accuracy, improved performance.  Performance improvement
noticeable with http heavy traffic and ruleset.

A lot of other cosmetic changes carried out as well.  Wrappers introduced
for a lot of app layer functions.

Failing dce unittests disabled.  Will be reintroduced in the updated dce
engine.

Cross transaction matching taken care of.  FPs emanating from these
matches have now disappeared.  Double inspection of transactions taken
care of as well.
12 years ago
Victor Julien 19511cda97 Remove obsolete DetectParseContentString function, it has been replaced by DetectContentDataParse 12 years ago
Victor Julien 4165de4771 Minor SigValidate cleanup 12 years ago
Anoop Saldanha 0d7305dfc7 Update the way we handle http_host keywords.
Previously we would have forced all users to use nocase with http_host
keywords(since the hostname buffer is lowercase).

We now error out on sigs that has nocase set with http_host set.  Also if
the http_host pattern or http_host pcre has an uppercase character set, we
invalidate such sigs.  Unittests also updated to reflect the above change.
12 years ago
Anoop Saldanha 4c6efa2d40 Update content id assignment.
All fp id assignment now happens in one go.
Also noticing a slight perf increase, probably emanating from improved cache
perf.
Removed irrelevant unittests as well.
12 years ago
Anoop Saldanha 60be1751d5 Figure out sig fp during validation stage, instead of staging stage. 12 years ago
Anoop Saldanha f8ae53ac02 Further customize content modifier buffer registration.
Allow modifier setups functions to have CustomCallbacks to enable their
internal conditions.
12 years ago
Anoop Saldanha a304a98d1d http_* setup unified. 12 years ago
Anoop Saldanha 0b5d277254 code cleanup for all content based keywords. 12 years ago
Anoop Saldanha a308d718ae Allow the use of relative without the presence of a related previous keyword. 12 years ago
Anoop Saldanha 3511f91bba Add support for the new keyword - http_raw_host header.
The corresponding pcre modifier would be 'Z'.
13 years ago
Anoop Saldanha c4ce19a1be Add support for a new keyword to inspect http_host header.
The corresponding content keyword would now be - http_host.
The corresponding pcre modifier would be W.
13 years ago
Last G 8ae11f73b2 Added parentheses to fix Eclipse static code analysis
Fixed bug in action priority (REJECT_DST had lowest prio)
13 years ago
Victor Julien 84bad6db77 Silence compiler warnings found by clang 13 years ago
Eric Leblond e176be6fcc Use unlikely for error treatment.
When handling error case on SCMallog, SCCalloc or SCStrdup
we are in an unlikely case. This patch adds the unlikely()
expression to indicate this to gcc.

This patch has been obtained via coccinelle. The transformation
is the following:

@istested@
identifier x;
statement S1;
identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)";
@@

x = func(...)
... when != x
- if (x == NULL) S1
+ if (unlikely(x == NULL)) S1
13 years ago
pi-rho 0df4c5838d spelling corrections documented in redmine bug#533 13 years ago
Victor Julien e0bfcb7dde Only set SIG_FLAG_REQUIRE_STREAM if signature inspects TCP. 13 years ago
Anoop Saldanha bf6cd48259 if a sig's set as stream sig only, don't updated it as both stream and pkt sig if offset/depth's present
bug #495 - update rule analyzer to not warn on offset_depth-tcp_pkt update if sig is stream only

bug #497 - rule_warnings fixed
13 years ago
Anoop Saldanha 960d421f9d Update SigValidate() to allow http keywords to be specified in the right flow direction 13 years ago
Victor Julien ab421978f0 Free all sig match structs when freeing a signature. 13 years ago
Victor Julien af97c36c08 Properly clean signature's ip only data. 13 years ago
Victor Julien 19e3348cae Fix a reload memleak in the duplicate sig detection hash. 13 years ago
Anoop Saldanha 0d602d9cde we now support offset, depth inspection against all packet payloads and stream messages 13 years ago
Anoop Saldanha a34f91358d tests to highlight that
- suricata treates sigs with offset/depth without any packet keywords as stream sigs
- as a consequence suricata will FN on such sigs

The tests introduced here will fail, displaying the issues.  The
next patch in the series would fix the said issues.
13 years ago
Anoop Saldanha 988c92f71c http user agent keyword + mpm + inspection + fast pattern support added 13 years ago
Victor Julien 073ce64786 Fix parsing of tcp-pkt and tcp-stream sigs, add unittest. 13 years ago
Eileen Donlon da633d490b fix misleading comment 13 years ago
Victor Julien da3c5bf84d Minor error message cleanups 13 years ago
Victor Julien cdba2f50d1 Various fixes and improvements based on feedback by Coverity analyzer. 14 years ago
Anoop Saldanha 4810ee9c5f All uricontent modified patterns now are DETECT_CONTENT and not DETECT_URICONTENT. Step towards unifying all content based patterns. Makes way for easier management of patterns 14 years ago
Anoop Saldanha 93d7a6e671 code cleanup. Remove unused functions 14 years ago
Anoop Saldanha eb07c345b8 code cleanup - replace SigMatchAppendThreshold with SigMatchAppendSMToList 14 years ago
Anoop Saldanha dd7e710f35 code cleanup - replace SigMatchAppendPostMatch with SigMatchAppendSMToList 14 years ago
Anoop Saldanha a4638fb0ad code cleanup - replace SigMatchAppendPacket with SigMatchAppendSMToList 14 years ago
Anoop Saldanha ff38d42bf1 code cleanup - replace SigMatchAppendTag with SigMatchAppendSMToList 14 years ago
Anoop Saldanha ac68c3f893 code cleanup - replace SigMatchAppendDcePayload with SigMatchAppendSMToList 14 years ago
Anoop Saldanha 6cab663bf0 code cleanup - replace SigMatchAppendPayload with SigMatchAppendSMToList 14 years ago
Anoop Saldanha c4cb37b8da code cleanup - replace SigMatchAppendUricontent with SigMatchAppendSMToList 14 years ago
Anoop Saldanha c9af50ea0c code cleanup - replace SigMatchAppendAppLayer with SigMatchAppendSMToList 14 years ago
Anoop Saldanha bbb9f35f26 code cleanup - replace SigMatchGetLastSM with SigMatchGetLastSMFromLists 14 years ago
Anoop Saldanha 09313cf9bd Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S 14 years ago
Anoop Saldanha 2007c2711c Support http stat msg detection engine, fast pattern(mpm engine included). Fix http stat msg setup function. Fix pcre option for stat msg keyword 14 years ago
Anoop Saldanha 3b5d95547d bug #412 - Remove the commented out SigInitReal() 14 years ago
Anoop Saldanha 6cbd3a1046 bug #412 - Unify SigInit() and SigInitReal(). Remove any use of SigInitReal() 14 years ago
Anoop Saldanha 88ad3691d1 bug #405 - fix bug where raw uri inspection sigs were not treated as stateful sigs 14 years ago
Victor Julien c8c4a76dc6 Move threshold to it's own sig match list. 14 years ago
Victor Julien 02e1229565 Enforce flow direction for http_raw_header sigs. Fix unittests that missed the flow direction. 14 years ago
Victor Julien e81f94cd83 Fix flowbits sigmatch structure added to the match and post-match list, causing corruption of the prev ptr. This lead to an endless loop condition in the thresholding code. Thanks to Chris Wakelin for reporting the issue. 14 years ago
Victor Julien 6eeab37ab3 Add post-match list, move flowbits set, etc functions to it. Move flowint set, etc functions to it as well. 14 years ago
Victor Julien aac2d91bcc Set DROP flag for reject action so in addition to sending the rst, in IPS mode also drop the offending packet. 14 years ago
Victor Julien e55390e4e7 Add check to invalidate signatures that inspect raw http headers in the to_client direction (response headers) if libhtp hasn't been patched yet. Also add hack to disable the test for unittests, many tests fail and we'll fix those ASAP. 14 years ago
Victor Julien 21ee59e6f3 Add signature direction (flow:toserver/flow:toclient) as a signature flag. 14 years ago
Victor Julien 298289f43f Let flow:only_stream and flow:no_stream set the require packet and require stream flags. Toss out sigs with conflicting settings. Rename flow:stream_only to flow:only_stream. Fixes #261. 14 years ago
Victor Julien e0cf2ccb91 Fix invalid direction error message. 14 years ago
Victor Julien 07e560b137 file-data: initial file_data support
Support file_data for: content, pcre (relative), byte_test, byte_jump,
byte_extract, isdataat.

File_data support is handled at signature parsing time, all matches
occurring after the file_data in the rule are converted to http_server_body
matches.

Content matches relative to the file_data are converted. Within to depth,
distance to offset. Relative to the start of the body buffer.
14 years ago
Victor Julien d5ed28b065 Remove SIG_FLAG_MPM flag. 14 years ago
Victor Julien 4992f7c417 Remove SIG_FLAG_MPM_URI flag. It was checked but never set. 14 years ago
Victor Julien 2650551192 Rename signature init flags to indicate they are init flags. 14 years ago
Victor Julien 89f83e714c Introduce http_server_body keyword.
The http_server_body content modifier modifies the previous content to inspect
the normalized (dechunked, unzipped) http_server_body. The workings are similar
to http_client_body. Additionally, a new pcre flag was introduced "/S".

To facilitate this change the signature flags field was changed to be 64 bit.
14 years ago
Victor Julien 23e01d23d3 Implement filestore keyword, including a way for the stateful detection engine to conclude that a file will never have to be stored. 14 years ago
Victor Julien 70f0d3d2e7 Add negation to filename and fileext, use same syntax as with content. 14 years ago
Eileen Donlon a92d15ed37 Fixed duplicate signature check 14 years ago
Anoop Saldanha 7433d92dd2 undo this commit -
commit eff08f93d8
Author: Anoop Saldanha <poonaatsoc@gmail.com>
Date:   Thu Nov 3 14:31:24 2011 +0530

    update failing unittest to reflect the mpm design update

Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
Victor Julien d070869c48 Reinstate replace validation check. 14 years ago
Anoop Saldanha eff08f93d8 update failing unittest to reflect the mpm design update 14 years ago
Victor Julien af51493da2 Mpm update: Toss out signatures that mix pkt and stream/state. Update profiling code to track new mpm. 14 years ago
Anoop Saldanha 9887084370 support multiple ipprotos in the same sig + unittest 14 years ago