if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
SigMatch *prev_sm = NULL;
prev_sm = SigMatchGetLastSMFromLists(s, 8,
- DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
SigMatch *prev_sm = NULL;
prev_sm = SigMatchGetLastSMFromLists(s, 8,
- DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
if (data->flags & DETECT_BYTETEST_RELATIVE) {
SigMatch *prev_sm = NULL;
prev_sm = SigMatchGetLastSMFromLists(s, 8,
- DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HSBDMATCH);
- sm->type = DETECT_AL_HTTP_SERVER_BODY;
+ sm->type = DETECT_CONTENT;
/* transfer the sm from the pmatch list to hsbdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
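Review bot: The added `sm->type = DETECT_CONTENT;` looks like a no-op, because the comment below it says the sm is moved from the pmatch list, where a content match presumably already has type DETECT_CONTENT. Either drop the assignment or replace it with a comment such as `/* type stays DETECT_CONTENT; only the owning list changes */`, so readers do not look for a type conversion that no longer happens. The same assignment is added in the http_server_body setup hunk further down. The enclosing function starts and ends outside this hunk.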
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
break;
- case DETECT_AL_HTTP_SERVER_BODY:
- cd = (DetectContentData *)pm->ctx;
- if (cd->flags & DETECT_CONTENT_NEGATED) {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "negated keyword set along with a fast_pattern");
- goto error;
- }
- } else {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "keyword set along with a fast_pattern:only;");
- goto error;
- }
- }
-
- if (str[0] != '-' && isalpha(str[0])) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(str, s,
- SigMatchListSMBelongsTo(s, pm));
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
- "seen in depth - %s\n", str);
- goto error;
- }
- cd->depth = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_DEPTH_BE;
- } else {
- cd->depth = (uint32_t)atoi(str);
- if (cd->depth < cd->content_len) {
- cd->depth = cd->content_len;
- SCLogDebug("depth increased to %"PRIu32" to match pattern len ",
- cd->depth);
- }
- /* Now update the real limit, as depth is relative to the offset */
- cd->depth += cd->offset;
- }
-
- cd->flags |= DETECT_CONTENT_DEPTH;
-
- break;
-
case DETECT_AL_HTTP_HEADER:
cd = (DetectContentData *)pm->ctx;
if (cd->flags & DETECT_CONTENT_NEGATED) {
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
break;
- case DETECT_AL_HTTP_SERVER_BODY:
- cd = (DetectContentData *)pm->ctx;
-
- if (str[0] != '-' && isalpha(str[0])) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(str, s,
- SigMatchListSMBelongsTo(s, pm));
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
- "seen in distance - %s\n", str);
- goto error;
- }
- cd->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_DISTANCE_BE;
- } else {
- cd->distance = strtol(str, NULL, 10);
- }
-
- if (cd->flags & DETECT_CONTENT_NEGATED) {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "negated keyword set along with a fast_pattern");
- goto error;
- }
- } else {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "keyword set along with a fast_pattern:only;");
- goto error;
- }
- }
-
- cd->flags |= DETECT_CONTENT_DISTANCE;
-
- /* reassigning pm */
- pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_AL_HTTP_SERVER_BODY, pm->prev,
- DETECT_PCRE, pm->prev);
- if (pm == NULL) {
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
- /* file_data; content:"abc"; distance:0; is valid, in this case
- * there will be no previous pm. We convert to offset in this case */
- cd->flags &= ~DETECT_CONTENT_DISTANCE;
-
- if (cd->distance < 0) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have negative distance relative to file_data");
- goto error;
- }
-
- SCLogDebug("converted distance to offset for content relative to file_data");
- cd->offset = cd->distance;
- } else {
- SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for http_server_body "
- "needs preceeding http_server_body content");
- goto error;
- }
- } else {
- if (pm->type == DETECT_PCRE) {
- DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
- } else {
- /* reassigning cd */
- cd = (DetectContentData *)pm->ctx;
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
- "has a fast_pattern:only; set. You can't "
- "have relative keywords around a fast_pattern "
- "only content");
- goto error;
- }
- cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
- }
- }
-
- break;
-
case DETECT_AL_HTTP_HEADER:
cd = (DetectContentData *)pm->ctx;
if (cd->flags & DETECT_CONTENT_NEGATED) {
sm->type == DETECT_AL_HTTP_RAW_URI ||
sm->type == DETECT_AL_HTTP_HEADER ||
sm->type == DETECT_AL_HTTP_RAW_HEADER ||
- sm->type == DETECT_AL_HTTP_SERVER_BODY ||
sm->type == DETECT_AL_HTTP_COOKIE ||
sm->type == DETECT_AL_HTTP_METHOD ||
sm->type == DETECT_AL_HTTP_STAT_CODE ||
SupportFastPatternForSigMatchType(DETECT_CONTENT);
SupportFastPatternForSigMatchList(DETECT_SM_LIST_HCBDMATCH);
- SupportFastPatternForSigMatchType(DETECT_AL_HTTP_SERVER_BODY);
+ SupportFastPatternForSigMatchType(DETECT_CONTENT);
SupportFastPatternForSigMatchList(DETECT_SM_LIST_HSBDMATCH);
SupportFastPatternForSigMatchType(DETECT_AL_HTTP_HEADER);
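Review bot: `SupportFastPatternForSigMatchType(DETECT_CONTENT);` is now called twice in this registration run, on the first line of the hunk and again on the added line. How the helper treats a type it has already seen is not visible here; if it appends to a list, the second call leaves a duplicate entry. Dropping the added line and keeping only `SupportFastPatternForSigMatchList(DETECT_SM_LIST_HSBDMATCH);` would avoid relying on that.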
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
/* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_server_body seen with a "
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HSBDMATCH);
- sm->type = DETECT_AL_HTTP_SERVER_BODY;
+ sm->type = DETECT_CONTENT;
/* transfer the sm from the pmatch list to hsbdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
goto end;
}
- if (sm->type != DETECT_AL_HTTP_SERVER_BODY) {
+ if (sm->type != DETECT_CONTENT) {
printf("sm type not DETECT_AL_HTTP_SERVER_BODY: ");
goto end;
}
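Review bot: The failure message still reads `sm type not DETECT_AL_HTTP_SERVER_BODY: ` although the condition now compares against DETECT_CONTENT. Change it to `printf("sm type not DETECT_CONTENT: ");` so a failing run names the type the test actually expected. The test function continues outside the hunk.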
"(content:\"one\"; offset:10; http_server_body; pcre:/two/; distance:10; "
"content:\"three\"; distance:10; http_server_body; depth:10; "
"content:\"four\"; distance:10; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
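Review bot: The expectation is inverted here without explanation: SigInit() returning NULL used to be the passing outcome, and now a loaded signature is. The next test hunk makes the same flip for `content:"one"; http_server_body; within:5;`, a rule that the removed DETECT_AL_HTTP_SERVER_BODY branch of the within handling rejected with "needs preceeding http_server_body content". If the shared DETECT_CONTENT path is meant to accept such rules, say so in a comment on each test, e.g. `/* relative modifiers on http_server_body now follow the plain content rules */`. If not, the rejection should be kept, since a rule that loads but cannot match as written is a silent detection gap. Both test bodies continue outside the hunks.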
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_server_body; within:5; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
}
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH] == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->type != DETECT_AL_HTTP_SERVER_BODY ||
+ de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->type != DETECT_CONTENT ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->prev->type != DETECT_PCRE) {
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH] == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->type != DETECT_PCRE ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->prev == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->prev->type != DETECT_AL_HTTP_SERVER_BODY) {
+ de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->prev->type != DETECT_CONTENT) {
goto end;
}
}
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH] == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->type != DETECT_AL_HTTP_SERVER_BODY ||
+ de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->type != DETECT_CONTENT ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->prev->type != DETECT_PCRE) {
} else if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
if (idad->flags & ISDATAAT_RELATIVE) {
pm = SigMatchGetLastSMFromLists(s, 10,
- DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 1 */
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], /* 5 */
DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
switch (prev_pm->type) {
case DETECT_CONTENT:
- case DETECT_AL_HTTP_SERVER_BODY:
case DETECT_AL_HTTP_HEADER:
case DETECT_AL_HTTP_RAW_HEADER:
case DETECT_AL_HTTP_METHOD:
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
switch (pm->type) {
case DETECT_CONTENT:
- case DETECT_AL_HTTP_SERVER_BODY:
case DETECT_AL_HTTP_HEADER:
case DETECT_AL_HTTP_RAW_HEADER:
case DETECT_AL_HTTP_METHOD:
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
break;
- case DETECT_AL_HTTP_SERVER_BODY:
- cd = (DetectContentData *)pm->ctx;
- if (cd->flags & DETECT_CONTENT_NEGATED) {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "negated keyword set along with a fast_pattern");
- goto error;
- }
- } else {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "keyword set along with a fast_pattern:only;");
- goto error;
- }
- }
-
- if (str[0] != '-' && isalpha(str[0])) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(str, s,
- SigMatchListSMBelongsTo(s, pm));
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
- "seen in offset - %s\n", str);
- goto error;
- }
- cd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_OFFSET_BE;
- } else {
- cd->offset = (uint32_t)atoi(str);
- if (cd->depth != 0) {
- if (cd->depth < cd->content_len) {
- SCLogDebug("depth increased to %"PRIu32" to match pattern len",
- cd->content_len);
- cd->depth = cd->content_len;
- }
- /* Updating the depth as is relative to the offset */
- cd->depth += cd->offset;
- }
- }
-
- cd->flags |= DETECT_CONTENT_OFFSET;
-
- break;
-
case DETECT_AL_HTTP_HEADER:
cd = (DetectContentData *)pm->ctx;
if (cd->flags & DETECT_CONTENT_NEGATED) {
SCReturnInt(0);
}
- prev_sm = SigMatchGetLastSMFromLists(s, 20,
+ prev_sm = SigMatchGetLastSMFromLists(s, 18,
DETECT_CONTENT, sm->prev,
- DETECT_AL_HTTP_SERVER_BODY, sm->prev,
DETECT_AL_HTTP_HEADER, sm->prev,
DETECT_AL_HTTP_RAW_HEADER, sm->prev,
DETECT_AL_HTTP_RAW_URI, sm->prev,
switch (prev_sm->type) {
case DETECT_CONTENT:
- case DETECT_AL_HTTP_SERVER_BODY:
case DETECT_AL_HTTP_HEADER:
case DETECT_AL_HTTP_RAW_HEADER:
case DETECT_AL_HTTP_STAT_MSG:
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
break;
- case DETECT_AL_HTTP_SERVER_BODY:
- cd = (DetectContentData *)pm->ctx;
-
- if (str[0] != '-' && isalpha(str[0])) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(str, s,
- SigMatchListSMBelongsTo(s, pm));
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
- "seen in within - %s\n", str);
- goto error;
- }
- cd->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_WITHIN_BE;
- } else {
- cd->within = strtol(str, NULL, 10);
- if (cd->within < (int32_t)cd->content_len) {
- SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is "
- "less than the content length \"%"PRIu32"\" which is invalid, since "
- "this will never match. Invalidating signature", cd->within,
- cd->content_len);
- goto error;
- }
- }
-
- if (cd->flags & DETECT_CONTENT_NEGATED) {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "negated keyword set along with a fast_pattern");
- goto error;
- }
- } else {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "keyword set along with a fast_pattern:only;");
- goto error;
- }
- }
-
- cd->flags |= DETECT_CONTENT_WITHIN;
-
- /* reassigning pm */
- pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_AL_HTTP_SERVER_BODY, pm->prev,
- DETECT_PCRE, pm->prev);
- if (pm == NULL) {
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
- /* file_data; content:"abc"; within:3; is valid, in this case
- * there will be no previous pm. We convert to depth in this case */
- cd->flags &= ~DETECT_CONTENT_WITHIN;
-
- SCLogDebug("converted within to depth for content relative to file_data");
- cd->depth = cd->within;
- } else {
- SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "within for http_server_body "
- "needs preceeding http_server_body content");
- goto error;
- }
- } else {
- if (pm->type == DETECT_PCRE) {
- DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
- } else {
- /* reassigning cd */
- cd = (DetectContentData *)pm->ctx;
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
- "has a fast_pattern:only; set. You can't "
- "have relative keywords around a fast_pattern "
- "only content");
- goto error;
- }
- cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
- }
- }
- break;
-
case DETECT_AL_HTTP_HEADER:
cd = (DetectContentData *)pm->ctx;
if (cd->flags & DETECT_CONTENT_NEGATED) {