if (s->mask & SIG_MASK_REQUIRE_FLAGS_UNUSUAL) {
jb_append_string(ctx.js, "tcp_flags_unusual");
}
- if (s->mask & SIG_MASK_REQUIRE_DCERPC) {
- jb_append_string(ctx.js, "dcerpc");
- }
if (s->mask & SIG_MASK_REQUIRE_ENGINE_EVENT) {
jb_append_string(ctx.js, "engine_event");
}
SCLogDebug("packet has flow");
(*mask) |= SIG_MASK_REQUIRE_FLOW;
}
-
- if (alproto == ALPROTO_SMB || alproto == ALPROTO_DCERPC) {
- SCLogDebug("packet will be inspected for DCERPC");
- (*mask) |= SIG_MASK_REQUIRE_DCERPC;
- }
-}
-
-static int g_dce_generic_list_id = -1;
-static int g_dce_stub_data_buffer_id = -1;
-
-static bool SignatureNeedsDCERPCMask(const Signature *s)
-{
- if (g_dce_generic_list_id == -1) {
- g_dce_generic_list_id = DetectBufferTypeGetByName("dce_generic");
- SCLogDebug("g_dce_generic_list_id %d", g_dce_generic_list_id);
- }
- if (g_dce_stub_data_buffer_id == -1) {
- g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
- SCLogDebug("g_dce_stub_data_buffer_id %d", g_dce_stub_data_buffer_id);
- }
-
- if (DetectBufferIsPresent(s, g_dce_generic_list_id) ||
- DetectBufferIsPresent(s, g_dce_stub_data_buffer_id)) {
- return true;
- }
-
- return false;
}
static int SignatureCreateMask(Signature *s)
{
SCEnter();
- if (SignatureNeedsDCERPCMask(s)) {
- s->mask |= SIG_MASK_REQUIRE_DCERPC;
- SCLogDebug("sig requires DCERPC");
- }
-
if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_PAYLOAD;
SCLogDebug("sig requires payload");
#define SIG_MASK_REQUIRE_FLAGS_INITDEINIT BIT_U8(2) /* SYN, FIN, RST */
#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL BIT_U8(3) /* URG, ECN, CWR */
#define SIG_MASK_REQUIRE_NO_PAYLOAD BIT_U8(4)
-#define SIG_MASK_REQUIRE_DCERPC BIT_U8(5) /* require either SMB+DCE or raw DCE */
-// vacancy
+// vacancy 2x
#define SIG_MASK_REQUIRE_ENGINE_EVENT BIT_U8(7)
/* for now a uint8_t is enough */
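Review bot: The new comment `// vacancy 2x` does not say which bit positions are free, so the next person adding a mask flag has to work it out from the surrounding defines. Bit 5 is freed by the removed `SIG_MASK_REQUIRE_DCERPC` line, and bit 6 appears to be the slot the old `// vacancy` line stood for, since nothing visible between `BIT_U8(4)` and `BIT_U8(7)` uses it. I would name them, e.g. `// vacancy: BIT_U8(5) and BIT_U8(6) are unused`. The hunk header is not visible here, so confirm against the full file that no other define claims either bit.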