fprintf(fp_engine_analysis_FD, "http stat code content\n");
else if (list_type == DETECT_SM_LIST_HSMDMATCH)
fprintf(fp_engine_analysis_FD, "http stat msg content\n");
- else if (list_type == DETECT_SM_LIST_HUADMATCH)
- fprintf(fp_engine_analysis_FD, "http user agent content\n");
else {
const char *desc = DetectBufferTypeGetDescriptionById(list_type);
const char *name = DetectBufferTypeGetNameById(list_type);
fprintf(rule_engine_analysis_FD, "http stat code content");
else if (list_type == DETECT_SM_LIST_HSMDMATCH)
fprintf(rule_engine_analysis_FD, "http stat msg content");
- else if (list_type == DETECT_SM_LIST_HUADMATCH)
- fprintf(rule_engine_analysis_FD, "http user agent content");
else if (list_type == DETECT_SM_LIST_DNSQUERYNAME_MATCH)
fprintf(rule_engine_analysis_FD, "dns query name content");
else if (list_type == DETECT_SM_LIST_TLSSNI_MATCH)
const int filedata_id = DetectBufferTypeGetByName("file_data");
const int httpmethod_id = DetectBufferTypeGetByName("http_method");
const int httpuri_id = DetectBufferTypeGetByName("http_uri");
+ const int httpuseragent_id = DetectBufferTypeGetByName("http_user_agent");
if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) {
rule_bidirectional = 1;
raw_http_buf += 1;
http_stat_code_buf += 1;
}
- else if (list_id == DETECT_SM_LIST_HUADMATCH) {
+ else if (list_id == httpuseragent_id) {
rule_pcre_http += 1;
norm_http_buf += 1;
http_ua_buf += 1;
return "http raw host header";
case DETECT_SM_LIST_HCDMATCH:
return "http cookie";
- case DETECT_SM_LIST_HUADMATCH:
- return "http user-agent";
case DETECT_SM_LIST_APP_EVENT:
return "app layer events";
static int g_file_data_buffer_id = 0;
static int g_http_method_buffer_id = 0;
static int g_http_uri_buffer_id = 0;
+static int g_http_ua_buffer_id = 0;
/**
* \test Checks if a fast_pattern is registered in a Signature
"content:\"three\"; http_user_agent; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_ua_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_ua_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
if (de_ctx->sig_list == NULL)
goto end;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_ua_buffer_id];
if (sm == NULL) {
goto end;
}
if (de_ctx->sig_list == NULL)
goto end;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_ua_buffer_id];
if (sm == NULL) {
goto end;
}
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"content:\"two\"; fast_pattern:only; http_user_agent; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"content:\"two\"; fast_pattern:only; http_user_agent; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"content:\"two\"; fast_pattern:only; http_user_agent; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"content:\"two\"; http_user_agent; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
"content:\"three\"; http_user_agent; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"content:\"three\"; http_user_agent; distance:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"content:\"three\"; http_user_agent; within:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"content:\"three\"; http_user_agent; offset:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"content:\"three\"; http_user_agent; depth:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"content:\"oneonethree\"; fast_pattern:3,4; http_user_agent; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"content:\"oneonethree\"; fast_pattern:3,4; http_user_agent; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"content:\"oneonethree\"; fast_pattern:3,4; http_user_agent; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"content:\"oneonethree\"; fast_pattern:3,4; http_user_agent; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"content:\"three\"; http_user_agent; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
"content:\"three\"; http_user_agent; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
g_http_method_buffer_id = DetectBufferTypeGetByName("http_method");
g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
+ g_http_ua_buffer_id = DetectBufferTypeGetByName("http_user_agent");
UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01);
UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02);
#include "detect-http-ua.h"
#include "detect-engine-hua.h"
-int DetectHttpUASetup(DetectEngineCtx *, Signature *, char *);
-void DetectHttpUARegisterTests(void);
-void DetectHttpUAFree(void *);
+static int DetectHttpUASetup(DetectEngineCtx *, Signature *, char *);
+static void DetectHttpUARegisterTests(void);
+static void DetectHttpUAFree(void *);
+static void DetectHttpUASetupCallback(Signature *);
+static int g_http_ua_buffer_id = 0;
/**
* \brief Registers the keyword handlers for the "http_user_agent" keyword.
sigmatch_table[DETECT_AL_HTTP_USER_AGENT].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_HTTP_USER_AGENT].flags |= SIGMATCH_PAYLOAD ;
- DetectMpmAppLayerRegister("http_user_agent", SIG_FLAG_TOSERVER,
- DETECT_SM_LIST_HUADMATCH, 2,
+ DetectAppLayerMpmRegister("http_user_agent", SIG_FLAG_TOSERVER, 2,
PrefilterTxUARegister);
- DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
- DETECT_SM_LIST_HUADMATCH,
+ DetectAppLayerInspectEngineRegister2("http_user_agent",
+ ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DetectEngineInspectHttpUA);
- return;
+ DetectBufferTypeSetDescriptionByName("http_user_agent",
+ "http user agent");
+
+ DetectBufferTypeRegisterSetupCallback("http_user_agent",
+ DetectHttpUASetupCallback);
+
+ g_http_ua_buffer_id = DetectBufferTypeGetByName("http_user_agent");
}
/**
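Review bot: The id cached by `g_http_ua_buffer_id = DetectBufferTypeGetByName("http_user_agent");` is later used as a list index without ever being checked, and the static's initial value of 0 is presumably itself a valid list id, so a failed or not-yet-run lookup would go unnoticed. The same unchecked pattern appears in the lua hunk, where the result goes straight into `SigMatchAppendSMToList(s, sm, list)`, and in the pcre 'V' hunk, where it is passed to `DetectPcreSetList()`. If the lookup can return a negative value for an unregistered name, that value would end up indexing the per-signature list arrays during rule parsing. I would initialise the static to -1 and add `BUG_ON(g_http_ua_buffer_id < 0);` after the assignment here. In the pcre case, add `if (list < 0) goto error;` before the list is used, with the equivalent failure path in the lua setup, whose error handling is outside the hunk.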
{
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_USER_AGENT,
- DETECT_SM_LIST_HUADMATCH,
+ g_http_ua_buffer_id,
ALPROTO_HTTP,
NULL);
}
+static void DetectHttpUASetupCallback(Signature *s)
+{
+ SCLogDebug("callback invoked by %u", s->id);
+ s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
+}
+
/**
* \brief The function to free the http_user_agent data.
*
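Review bot: `DetectHttpUASetupCallback` is added without the `/** \brief ... */` header that the neighbouring functions carry, and it is now the only visible place that sets `SIG_MASK_REQUIRE_HTTP_STATE` for this buffer, since the explicit `smlists[DETECT_SM_LIST_HUADMATCH]` check is deleted in a later hunk. I would add `/** \brief Setup callback: marks a signature that uses the http_user_agent buffer as requiring HTTP state. */` above it. It is also worth confirming that the callback fires for signatures that reach this buffer through the pcre 'V' modifier or lua rather than the content modifier, because the code that invokes registered callbacks is not among the visible lines.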
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n");
goto end;
}
DetectContentData *cd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
- DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
- DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
+ DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
+ DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx;
if (cd1->flags != 0 || memcmp(cd1->content, "one", cd1->content_len) != 0 ||
cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
huad1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
- DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
- DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
+ DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
+ DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx;
if (pd1->flags != 0 ||
cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
huad1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
- DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
- DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
+ DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
+ DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx;
if (pd1->flags != 0 ||
cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
huad1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
- DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
- DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
+ DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
+ DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx;
if (pd1->flags != DETECT_PCRE_RELATIVE_NEXT ||
cd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
- DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
- DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
+ DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
+ DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
cd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n");
goto end;
}
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
- DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
- DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
+ DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
+ DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
cd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n");
goto end;
}
- DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
- DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
+ DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
+ DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx;
if (huad1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(huad1->content, "one", huad1->content_len) != 0 ||
huad2->flags != DETECT_CONTENT_DISTANCE ||
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n");
goto end;
}
- DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
- DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
+ DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
+ DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx;
if (huad1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(huad1->content, "one", huad1->content_len) != 0 ||
huad2->flags != DETECT_CONTENT_WITHIN ||
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n");
goto end;
}
- if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH] == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->type != DETECT_CONTENT ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->type != DETECT_PCRE) {
+ if (de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id] == NULL ||
+ de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->type != DETECT_CONTENT ||
+ de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev == NULL ||
+ de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->type != DETECT_PCRE) {
goto end;
}
- DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
- DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
+ DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
+ DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
huad2->flags != DETECT_CONTENT_WITHIN ||
memcmp(huad2->content, "two", huad2->content_len) != 0) {
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n");
goto end;
}
- if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH] == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->type != DETECT_PCRE ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->type != DETECT_CONTENT) {
+ if (de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id] == NULL ||
+ de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->type != DETECT_PCRE ||
+ de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev == NULL ||
+ de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->type != DETECT_CONTENT) {
goto end;
}
- DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
- DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
+ DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
+ DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx;
if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
huad1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(huad1->content, "two", huad1->content_len) != 0) {
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n");
goto end;
}
- if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH] == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->type != DETECT_CONTENT ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->type != DETECT_PCRE) {
+ if (de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id] == NULL ||
+ de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->type != DETECT_CONTENT ||
+ de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev == NULL ||
+ de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->type != DETECT_PCRE) {
goto end;
}
- DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx;
- DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx;
+ DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx;
+ DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
huad2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(huad2->content, "two", huad2->content_len) != 0) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRUDMATCH);
else if (lua->flags & DATATYPE_HTTP_REQUEST_COOKIE)
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCDMATCH);
- else if (lua->flags & DATATYPE_HTTP_REQUEST_UA)
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HUADMATCH);
- else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS|DATATYPE_HTTP_RESPONSE_HEADERS))
+ else if (lua->flags & DATATYPE_HTTP_REQUEST_UA) {
+ int list = DetectBufferTypeGetByName("http_user_agent");
+ SigMatchAppendSMToList(s, sm, list);
+ } else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS|DATATYPE_HTTP_RESPONSE_HEADERS))
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HHDMATCH);
else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS_RAW|DATATYPE_HTTP_RESPONSE_HEADERS_RAW))
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRHDMATCH);
CASE_CODE_STRING(DETECT_SM_LIST_HHHDMATCH, "http_host");
CASE_CODE_STRING(DETECT_SM_LIST_HRHHDMATCH, "http_raw_host");
CASE_CODE_STRING(DETECT_SM_LIST_HCDMATCH, "http_cookie");
- CASE_CODE_STRING(DETECT_SM_LIST_HUADMATCH, "http_user_agent");
CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event");
CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer");
CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
CASE_CODE(DETECT_SM_LIST_HHHDMATCH);
CASE_CODE(DETECT_SM_LIST_HRHHDMATCH);
CASE_CODE(DETECT_SM_LIST_HCDMATCH);
- CASE_CODE(DETECT_SM_LIST_HUADMATCH);
CASE_CODE(DETECT_SM_LIST_APP_EVENT);
CASE_CODE(DETECT_SM_LIST_AMATCH);
CASE_CODE(DETECT_SM_LIST_DMATCH);
if (fd->flags & FLOW_PKT_TOCLIENT) {
/* check for request + from_server/to_client */
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
- s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
- s->init_data->smlists[DETECT_SM_LIST_HUADMATCH] != NULL) {
+ s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use uricontent "
"/http_uri , raw_uri, http_client_body, "
"http_method, http_user_agent keywords "
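Review bot: Dropping `smlists[DETECT_SM_LIST_HUADMATCH]` from this to_client check means a rule that combines http_user_agent with a to_client flow is no longer rejected here, while the error text still lists "http_user_agent keywords". Unless the direction conflict is now caught through the `SIG_FLAG_TOSERVER` registration of the buffer (not visible in this hunk), such a rule would presumably load and never match, which is a silent detection gap for the rule author. Either keep the check against the dynamic id, e.g. `const int ua_id = DetectBufferTypeGetByName("http_user_agent");` plus `(ua_id >= 0 && s->init_data->smlists[ua_id] != NULL)` in the condition, or update the message so it no longer promises a check that is gone. The enclosing function starts and ends outside the hunk.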
s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH] ||
- s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH])
{
*sm_list = DetectPcreSetList(*sm_list, list);
break;
}
- case 'V':
+ case 'V': {
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'V' inconsistent with 'B'");
goto error;
}
- *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HUADMATCH);
+ int list = DetectBufferTypeGetByName("http_user_agent");
+ *sm_list = DetectPcreSetList(*sm_list, list);
break;
+ }
case 'W':
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'W' inconsistent with 'B'");
parsed_sm_list == DETECT_SM_LIST_HHHDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HRHHDMATCH ||
// parsed_sm_list == DETECT_SM_LIST_HMDMATCH ||
- parsed_sm_list == DETECT_SM_LIST_HCDMATCH ||
- parsed_sm_list == DETECT_SM_LIST_HUADMATCH)
+ parsed_sm_list == DETECT_SM_LIST_HCDMATCH)
{
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
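Review bot: With the 'V' modifier now resolving to a dynamic buffer id, a pcre using it no longer hits this conflicting-alproto check, nor the `case` list in the next hunk that sets `s->alproto = ALPROTO_HTTP` and `SIG_FLAG_APPLAYER`. Whatever branch handles dynamic ids lies outside the visible lines, so it should be confirmed that a 'V' pcre on a signature with a non-HTTP app-layer protocol is still rejected and that HTTP is still forced otherwise. If it is not, the condition can be kept by comparing against the looked-up id, e.g. `parsed_sm_list == DetectBufferTypeGetByName("http_user_agent")`.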
case DETECT_SM_LIST_HSMDMATCH:
case DETECT_SM_LIST_HSCDMATCH:
case DETECT_SM_LIST_HCDMATCH:
- case DETECT_SM_LIST_HUADMATCH:
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = parsed_sm_list;
if (s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL)
return 0;
- if (s->init_data->smlists[DETECT_SM_LIST_HUADMATCH] != NULL)
- return 0;
-
if (s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL)
return 0;
- if (s->init_data->smlists[DETECT_SM_LIST_HUADMATCH] != NULL)
- return 0;
-
if (s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH] != NULL)
return 0;
s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
- s->init_data->smlists[DETECT_SM_LIST_HUADMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRHHDMATCH] != NULL)
{
SCLogDebug("sig requires http app state");
}
- if (s->init_data->smlists[DETECT_SM_LIST_HUADMATCH] != NULL) {
- s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
- SCLogDebug("sig requires http app state");
- }
-
if (s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
SCLogDebug("sig requires http app state");
DETECT_SM_LIST_HRHHDMATCH,
/* list for http_cookie keyword and the ones relative to it */
DETECT_SM_LIST_HCDMATCH,
- /* list for http_user_agent keyword and the ones relative to it */
- DETECT_SM_LIST_HUADMATCH,
/* app event engine sm list */
DETECT_SM_LIST_APP_EVENT,