DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs "
break;
- case DETECT_AL_HTTP_STAT_CODE:
- cd = (DetectContentData *)pm->ctx;
- if (cd->flags & DETECT_CONTENT_NEGATED) {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "negated keyword set along with a fast_pattern");
- goto error;
- }
- } else {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "keyword set along with a fast_pattern:only;");
- goto error;
- }
- }
-
- if (str[0] != '-' && isalpha(str[0])) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(str, s,
- SigMatchListSMBelongsTo(s, pm));
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
- "seen in depth - %s\n", str);
- goto error;
- }
- cd->depth = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_DEPTH_BE;
- } else {
- cd->depth = (uint32_t)atoi(str);
- if (cd->depth < cd->content_len) {
- cd->depth = cd->content_len;
- SCLogDebug("depth increased to %"PRIu32" to match pattern len ",
- cd->depth);
- }
- /* Now update the real limit, as depth is relative to the offset */
- cd->depth += cd->offset;
- cd->flags |= DETECT_CONTENT_DEPTH;
- }
-
- break;
-
default:
SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs a preceeding "
"content (or uricontent) option");
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs "
break;
- case DETECT_AL_HTTP_STAT_CODE:
- cd = (DetectContentData *)pm->ctx;
- if (cd->flags & DETECT_CONTENT_NEGATED) {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "negated keyword set along with a fast_pattern");
- goto error;
- }
- } else {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "keyword set along with a fast_pattern:only;");
- goto error;
- }
- }
-
- if (str[0] != '-' && isalpha(str[0])) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(str, s,
- SigMatchListSMBelongsTo(s, pm));
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
- "seen in distance - %s\n", str);
- goto error;
- }
- cd->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_DISTANCE_BE;
- } else {
- cd->distance = strtol(str, NULL, 10);
- if (cd->flags & DETECT_CONTENT_WITHIN) {
- if ((cd->distance + cd->content_len) > cd->within) {
- cd->within = cd->distance + cd->content_len;
- }
- }
- }
-
- cd->flags |= DETECT_CONTENT_DISTANCE;
-
- /* reassigning pm */
- pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_AL_HTTP_STAT_CODE, pm->prev,
- DETECT_PCRE, pm->prev);
- if (pm == NULL) {
- SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for "
- "http_stat_code needs preceeding http_stat_code "
- "content");
- goto error;
- }
-
- if (pm->type == DETECT_PCRE) {
- DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
- } else {
- /* reassigning cd */
- cd = (DetectContentData *)pm->ctx;
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
- "has a fast_pattern:only; set. You can't "
- "have relative keywords around a fast_pattern "
- "only content");
- goto error;
- }
- cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
- }
-
- break;
-
default:
SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two "
"preceeding content or uricontent options");
}
/* \todo unify this which is phase 2 of payload inspection unification */
- if (sm->type == DETECT_CONTENT ||
- sm->type == DETECT_AL_HTTP_STAT_CODE) {
+ if (sm->type == DETECT_CONTENT) {
DetectContentData *cd = (DetectContentData *)sm->ctx;
SCLogDebug("inspecting content %"PRIu32" buffer_len %"PRIu32, cd->id, buffer_len);
SupportFastPatternForSigMatchType(DETECT_CONTENT);
SupportFastPatternForSigMatchList(DETECT_SM_LIST_HSMDMATCH);
- SupportFastPatternForSigMatchType(DETECT_AL_HTTP_STAT_CODE);
+ SupportFastPatternForSigMatchType(DETECT_CONTENT);
SupportFastPatternForSigMatchList(DETECT_SM_LIST_HSCDMATCH);
return;
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern found inside "
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].AppLayerMatch = NULL;
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].Setup = DetectHttpStatCodeSetup;
- sigmatch_table[DETECT_AL_HTTP_STAT_CODE].Free = DetectHttpStatCodeFree;
+ sigmatch_table[DETECT_AL_HTTP_STAT_CODE].Free = NULL;
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].RegisterTests = DetectHttpStatCodeRegisterTests;
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].flags |= SIGMATCH_PAYLOAD;
}
-/**
- * \brief match the specified content in the signature with the received http
- * status code header in the http response.
- *
- * \param t pointer to thread vars
- * \param det_ctx pointer to the pattern matcher thread
- * \param f pointer to the current flow
- * \param flags flags to indicate the direction of the received packet
- * \param state pointer the app layer state, which will cast into HtpState
- * \param s pointer to the current signature
- * \param sm pointer to the sigmatch
- *
- * \retval 0 no match
- * \retval 1 match
- */
-int DetectHttpStatCodeMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
- Flow *f, uint8_t flags, void *state, Signature *s,
- SigMatch *sm)
-{
- SCEnter();
-
- int ret = 0;
- int idx;
-
- SCMutexLock(&f->m);
- SCLogDebug("got lock %p", &f->m);
-
- DetectHttpStatCodeData *co = (DetectHttpStatCodeData *)sm->ctx;
-
- HtpState *htp_state = (HtpState *)state;
- if (htp_state == NULL) {
- SCLogDebug("no HTTP layer state has been received, so no match");
- goto end;
- }
-
- if (!(htp_state->flags & HTP_FLAG_STATE_OPEN)) {
- SCLogDebug("HTP state not yet properly setup, so no match");
- goto end;
- }
-
- SCLogDebug("htp_state %p, flow %p", htp_state, f);
- SCLogDebug("htp_state->connp %p", htp_state->connp);
- SCLogDebug("htp_state->connp->conn %p", htp_state->connp->conn);
-
- if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
- SCLogDebug("HTTP connection structure is NULL");
- goto end;
- }
-
- htp_tx_t *tx = NULL;
-
- idx = AppLayerTransactionGetInspectId(f);
- if (idx == -1) {
- goto end;
- }
-
- int size = (int)list_size(htp_state->connp->conn->transactions);
- for (; idx < size; idx++)
- {
- tx = list_get(htp_state->connp->conn->transactions, idx);
- if (tx == NULL)
- continue;
-
- SCLogDebug("we have a response message");
- if (co->code != -1) {
- if (co->code == tx->response_status_number) {
- SCLogDebug("Matched numeric HTTP status value");
- ret = 1;
- }
- } else if (tx->response_status != NULL) {
- /* call the case insensitive version if nocase has been specified in
- the sig */
- if (co->flags & DETECT_AL_HTTP_STAT_CODE_NOCASE) {
- if (SpmNocaseSearch((uint8_t *) bstr_ptr(tx->response_status),
- bstr_len(tx->response_status), co->data, co->data_len)
- != NULL)
- {
- SCLogDebug("match has been found in received request and "
- "given http_stat_code rule");
- ret = 1;
- }
- } else {
- if (SpmSearch((uint8_t *) bstr_ptr(tx->response_status),
- bstr_len(tx->response_status), co->data, co->data_len)
- != NULL)
- {
- SCLogDebug("match has been found in received request and"
- " given http_stat_code rule");
- ret = 1;
- }
- }
- }
- }
-
- SCMutexUnlock(&f->m);
- SCReturnInt(ret ^ ((co->flags & DETECT_AL_HTTP_STAT_CODE_NEGATED) ? 1 : 0));
-
-end:
- SCMutexUnlock(&f->m);
- SCLogDebug("released lock %p", &f->m);
- SCReturnInt(ret);
-}
-
-/**
- * \brief this function clears the memory of http_stat_code modifier keyword
- *
- * \param ptr Pointer to the Detection Stat Code data
- */
-void DetectHttpStatCodeFree(void *ptr)
-{
- DetectHttpStatCodeData *hsmd = (DetectHttpStatCodeData *)ptr;
- if (hsmd == NULL)
- return;
- if (hsmd->data != NULL)
- SCFree(hsmd->data);
- SCFree(hsmd);
-}
-
/**
* \brief this function setups the http_stat_code modifier keyword used in the rule
*
/* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_stat_code seen with a "
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HSCDMATCH);
- sm->type = DETECT_AL_HTTP_STAT_CODE;
+ sm->type = DETECT_CONTENT;
/* transfer the sm from the pmatch list to hcbdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
SigMatch *prev = NULL;
while (sm != NULL) {
- if (sm->type == DETECT_AL_HTTP_STAT_CODE) {
+ if (sm->type == DETECT_CONTENT) {
result = 1;
} else {
- printf("expected DETECT_AL_HTTP_STAT_CODE, got %d: ", sm->type);
+ printf("expected DETECT_CONTENT for http_stat_code, got %d: ", sm->type);
goto end;
}
prev = sm;
#ifndef _DETECT_HTTP_STAT_CODE_H
#define _DETECT_HTTP_STAT_CODE_H
-#define DETECT_AL_HTTP_STAT_CODE_NOCASE 0x01
-#define DETECT_AL_HTTP_STAT_CODE_NEGATED 0x02
-
-typedef struct DetectHttpStatCodeData_ {
- uint8_t *data;
- uint8_t data_len;
- uint8_t flags;
- int16_t code; /**< Numeric HTTP status code to match */
-} DetectHttpStatCodeData;
-
/* prototypes */
int DetectHttpStatCodeMatch (ThreadVars *, DetectEngineThreadCtx *,
Flow *, uint8_t , void *, Signature *,
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].AppLayerMatch = NULL;
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Setup = DetectHttpStatMsgSetup;
- sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Free = DetectHttpStatMsgFree;
+ sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Free = NULL;
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].RegisterTests = DetectHttpStatMsgRegisterTests;
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].flags |= SIGMATCH_PAYLOAD;
}
-/**
- * \brief match the specified content in the signature with the received http
- * status message header in the http response.
- *
- * \param t pointer to thread vars
- * \param det_ctx pointer to the pattern matcher thread
- * \param f pointer to the current flow
- * \param flags flags to indicate the direction of the received packet
- * \param state pointer the app layer state, which will cast into HtpState
- * \param s pointer to the current signature
- * \param sm pointer to the sigmatch
- *
- * \retval 0 no match
- * \retval 1 match
- */
-int DetectHttpStatMsgMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
- Flow *f, uint8_t flags, void *state, Signature *s,
- SigMatch *sm)
-{
- SCEnter();
-
- int ret = 0;
- int idx;
-
- SCMutexLock(&f->m);
- SCLogDebug("got lock %p", &f->m);
-
- DetectContentData *co = (DetectContentData *)sm->ctx;
-
- HtpState *htp_state = (HtpState *)state;
- if (htp_state == NULL) {
- SCLogDebug("no HTTP layer state has been received, so no match");
- goto end;
- }
-
- if (!(htp_state->flags & HTP_FLAG_STATE_OPEN)) {
- SCLogDebug("HTP state not yet properly setup, so no match");
- goto end;
- }
-
- SCLogDebug("htp_state %p, flow %p", htp_state, f);
- SCLogDebug("htp_state->connp %p", htp_state->connp);
- SCLogDebug("htp_state->connp->conn %p", htp_state->connp->conn);
-
- if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
- SCLogDebug("HTTP connection structure is NULL");
- goto end;
- }
-
- htp_tx_t *tx = NULL;
-
- idx = AppLayerTransactionGetInspectId(f);
- if (idx == -1) {
- goto end;
- }
-
- int size = (int)list_size(htp_state->connp->conn->transactions);
- for (; idx < size; idx++)
- {
- tx = list_get(htp_state->connp->conn->transactions, idx);
- if (tx == NULL)
- continue;
-
- if (tx->response_message == NULL)
- continue;
-
- SCLogDebug("we have a response message");
-
- /* call the case insensitive version if nocase has been specified in the sig */
- if (co->flags & DETECT_CONTENT_NOCASE) {
- if (SpmNocaseSearch((uint8_t *) bstr_ptr(tx->response_message),
- bstr_len(tx->response_message), co->content, co->content_len) != NULL)
- {
- SCLogDebug("match has been found in received request and given http_"
- "stat_msg rule");
- ret = 1;
- }
- } else {
- if (SpmSearch((uint8_t *) bstr_ptr(tx->response_message),
- bstr_len(tx->response_message), co->content, co->content_len) != NULL)
- {
- SCLogDebug("match has been found in received request and given http_"
- "stat_msg rule");
- ret = 1;
- }
- }
- }
-
- SCMutexUnlock(&f->m);
- SCReturnInt(ret ^ ((co->flags & DETECT_CONTENT_NEGATED) ? 1 : 0));
-
-end:
- SCMutexUnlock(&f->m);
- SCLogDebug("released lock %p", &f->m);
- SCReturnInt(ret);
-}
-
-/**
- * \brief this function clears the memory of http_stat_msg modifier keyword
- *
- * \param ptr Pointer to the Detection Stat Message data
- */
-void DetectHttpStatMsgFree(void *ptr)
-{
- DetectContentData *hsmd = (DetectContentData *)ptr;
- if (hsmd == NULL)
- return;
- if (hsmd->content != NULL)
- SCFree(hsmd->content);
- SCFree(hsmd);
-}
-
/**
* \brief this function setups the http_stat_msg modifier keyword used in the rule
*
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 10 */
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
switch (prev_pm->type) {
case DETECT_CONTENT:
- case DETECT_AL_HTTP_STAT_CODE:
/* Set the relative next flag on the prev sigmatch */
cd = (DetectContentData *)prev_pm->ctx;
if (cd == NULL) {
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "\"nocase\" needs a preceeding "
switch (pm->type) {
case DETECT_CONTENT:
- case DETECT_AL_HTTP_STAT_CODE:
cd = (DetectContentData *)pm->ctx;
if (cd == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument");
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs "
break;
- case DETECT_AL_HTTP_STAT_CODE:
- cd = (DetectContentData *)pm->ctx;
- if (cd->flags & DETECT_CONTENT_NEGATED) {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "negated keyword set along with a fast_pattern");
- goto error;
- }
- } else {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "keyword set along with a fast_pattern:only;");
- goto error;
- }
- }
-
- if (str[0] != '-' && isalpha(str[0])) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(str, s,
- SigMatchListSMBelongsTo(s, pm));
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
- "seen in offset - %s\n", str);
- goto error;
- }
- cd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_OFFSET_BE;
- } else {
- cd->offset = (uint32_t)atoi(str);
- if (cd->depth != 0) {
- if (cd->depth < cd->content_len) {
- SCLogDebug("depth increased to %"PRIu32" to match pattern len",
- cd->content_len);
- cd->depth = cd->content_len;
- }
- /* Updating the depth as is relative to the offset */
- cd->depth += cd->offset;
- }
- }
-
- cd->flags |= DETECT_CONTENT_OFFSET;
-
- break;
-
default:
SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs a preceeding"
" content or uricontent option");
SCReturnInt(0);
}
- prev_sm = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, sm->prev,
- DETECT_PCRE, sm->prev,
- DETECT_AL_HTTP_STAT_CODE, sm->prev);
+ prev_sm = SigMatchGetLastSMFromLists(s, 4,
+ DETECT_CONTENT, sm->prev,
+ DETECT_PCRE, sm->prev);
if (prev_sm == NULL) {
if (s->alproto == ALPROTO_DCERPC) {
SCLogDebug("No preceding content or pcre keyword. Possible "
switch (prev_sm->type) {
case DETECT_CONTENT:
- case DETECT_AL_HTTP_STAT_CODE:
/* Set the relative next flag on the prev sigmatch */
cd = (DetectContentData *)prev_sm->ctx;
if (cd == NULL) {
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs"
break;
- case DETECT_AL_HTTP_STAT_CODE:
- cd = (DetectContentData *)pm->ctx;
- if (cd->flags & DETECT_CONTENT_NEGATED) {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "negated keyword set along with a fast_pattern");
- goto error;
- }
- } else {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "keyword set along with a fast_pattern:only;");
- goto error;
- }
- }
-
- if (str[0] != '-' && isalpha(str[0])) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(str, s,
- SigMatchListSMBelongsTo(s, pm));
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
- "seen in within - %s\n", str);
- goto error;
- }
- cd->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_WITHIN_BE;
- } else {
- cd->within = strtol(str, NULL, 10);
- if (cd->within < (int32_t)cd->content_len) {
- SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is "
- "less than the content length \"%"PRIu32"\" which is invalid, since "
- "this will never match. Invalidating signature", cd->within,
- cd->content_len);
- goto error;
- }
- }
-
- cd->flags |= DETECT_CONTENT_WITHIN;
-
- /* reassigning pm */
- pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_AL_HTTP_STAT_CODE, pm->prev,
- DETECT_PCRE, pm->prev);
- if (pm == NULL) {
- SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for http_stat_code "
- "needs preceeding http_stat_code content");
- goto error;
- }
-
- if (pm->type == DETECT_PCRE) {
- DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
- } else {
- /* reassigning cd */
- cd = (DetectContentData *)pm->ctx;
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
- "has a fast_pattern:only; set. You can't "
- "have relative keywords around a fast_pattern "
- "only content");
- goto error;
- }
- cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
- }
-
- break;
-
default:
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs two "
"preceeding content or uricontent options");
projects / thirdparty / suricata.git / commitdiff
