]> git.ipfire.org Git - thirdparty/suricata.git/commitdiff
projects / thirdparty / suricata.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9730867)
All http_http_raw_header modified patterns now are DETECT_CONTENT and not DETECT_AL_H...
authorAnoop Saldanha <poonaatsoc@gmail.com>
Sun, 19 Feb 2012 17:49:52 +0000 (23:19 +0530)
committerVictor Julien <victor@inliniac.net>
Tue, 21 Feb 2012 20:34:39 +0000 (21:34 +0100)
src/detect-depth.c patch | blob | blame | history
src/detect-distance.c patch | blob | blame | history
src/detect-engine-content-inspection.c patch | blob | blame | history
src/detect-fast-pattern.c patch | blob | blame | history
src/detect-http-raw-header.c patch | blob | blame | history
src/detect-isdataat.c patch | blob | blame | history
src/detect-nocase.c patch | blob | blame | history
src/detect-offset.c patch | blob | blame | history
src/detect-pcre.c patch | blob | blame | history
src/detect-within.c patch | blob | blame | history
src/detect.c patch | blob | blame | history

diff --git a/src/detect-depth.c b/src/detect-depth.c
index 217da4af421d09a0db9119278c1ec5522f445a41..13a06d36117523bb575535bf30bf8fa5294b7f15 100644 (file)
--- a/src/detect-depth.c
+++ b/src/detect-depth.c
@@ -92,7 +92,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
                     DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
                     DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
                     DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
-                    DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+                    DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
                     DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
                     DETECT_AL_HTTP_COOKIE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
                     DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
@@ -162,48 +162,6 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
 
             break;
 
-        case DETECT_AL_HTTP_RAW_HEADER:
-            cd = (DetectContentData *)pm->ctx;
-            if (cd->flags & DETECT_CONTENT_NEGATED) {
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
-                               "negated keyword set along with a fast_pattern");
-                    goto error;
-                }
-            } else {
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
-                               "keyword set along with a fast_pattern:only;");
-                    goto error;
-                }
-            }
-
-            if (str[0] != '-' && isalpha(str[0])) {
-                SigMatch *bed_sm =
-                    DetectByteExtractRetrieveSMVar(str, s,
-                                                   SigMatchListSMBelongsTo(s, pm));
-                if (bed_sm == NULL) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
-                               "seen in depth - %s\n", str);
-                    goto error;
-                }
-                cd->depth = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
-                cd->flags |= DETECT_CONTENT_DEPTH_BE;
-            } else {
-                cd->depth = (uint32_t)atoi(str);
-                if (cd->depth < cd->content_len) {
-                    cd->depth = cd->content_len;
-                    SCLogDebug("depth increased to %"PRIu32" to match pattern len ",
-                               cd->depth);
-                }
-                /* Now update the real limit, as depth is relative to the offset */
-                cd->depth += cd->offset;
-            }
-
-            cd->flags |= DETECT_CONTENT_DEPTH;
-
-            break;
-
         case DETECT_AL_HTTP_METHOD:
             cd = (DetectContentData *)pm->ctx;
             if (cd->flags & DETECT_CONTENT_NEGATED) {
diff --git a/src/detect-distance.c b/src/detect-distance.c
index effb507641199314bddf9cfdae8afa843cb9a0e6..f66d2dd960d1003ad7f7bb30620a5c1c30b61e57 100644 (file)
--- a/src/detect-distance.c
+++ b/src/detect-distance.c
@@ -167,7 +167,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
                 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
                 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
                 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
-                DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+                DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
                 DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
                 DETECT_AL_HTTP_COOKIE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
                 DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
@@ -291,68 +291,6 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
 
             break;
 
-        case DETECT_AL_HTTP_RAW_HEADER:
-            cd = (DetectContentData *)pm->ctx;
-            if (cd->flags & DETECT_CONTENT_NEGATED) {
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
-                               "negated keyword set along with a fast_pattern");
-                    goto error;
-                }
-            } else {
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
-                               "keyword set along with a fast_pattern:only;");
-                    goto error;
-                }
-            }
-
-            if (str[0] != '-' && isalpha(str[0])) {
-                SigMatch *bed_sm =
-                    DetectByteExtractRetrieveSMVar(str, s,
-                                                   SigMatchListSMBelongsTo(s, pm));
-                if (bed_sm == NULL) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
-                               "seen in distance - %s\n", str);
-                    goto error;
-                }
-                cd->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
-                cd->flags |= DETECT_CONTENT_DISTANCE_BE;
-            } else {
-                cd->distance = strtol(str, NULL, 10);
-            }
-
-            cd->flags |= DETECT_CONTENT_DISTANCE;
-
-            /* reassigning pm */
-            pm = SigMatchGetLastSMFromLists(s, 4,
-                                            DETECT_AL_HTTP_RAW_HEADER, pm->prev,
-                                            DETECT_PCRE, pm->prev);
-            if (pm == NULL) {
-                SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for "
-                           "http_raw_header needs preceeding http_raw_header "
-                           "content");
-                goto error;
-            }
-
-            if (pm->type == DETECT_PCRE) {
-                DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
-                tmp_pd->flags |=  DETECT_PCRE_RELATIVE_NEXT;
-            } else {
-                /* reassigning cd */
-                cd = (DetectContentData *)pm->ctx;
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
-                               "has a fast_pattern:only; set.  You can't "
-                               "have relative keywords around a fast_pattern "
-                               "only content");
-                    goto error;
-                }
-                cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
-            }
-
-            break;
-
         case DETECT_AL_HTTP_METHOD:
             cd = (DetectContentData *)pm->ctx;
             if (cd->flags & DETECT_CONTENT_NEGATED) {
diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c
index 23acaf92a0f608ae1fc2320016dff60f6704ffe1..59c19b5d5ee689147dbbade677742cbb644b58d3 100644 (file)
--- a/src/detect-engine-content-inspection.c
+++ b/src/detect-engine-content-inspection.c
@@ -109,7 +109,6 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
     /* \todo unify this which is phase 2 of payload inspection unification */
     if (sm->type == DETECT_CONTENT ||
         sm->type == DETECT_AL_HTTP_RAW_URI ||
-        sm->type == DETECT_AL_HTTP_RAW_HEADER ||
         sm->type == DETECT_AL_HTTP_COOKIE ||
         sm->type == DETECT_AL_HTTP_METHOD ||
         sm->type == DETECT_AL_HTTP_STAT_CODE ||
diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c
index b3efee0054e23ddbfd6ae27e396fd010cdc7df27..460058f8a253c8c7b697bd728edc8882f2b464fc 100644 (file)
--- a/src/detect-fast-pattern.c
+++ b/src/detect-fast-pattern.c
@@ -134,7 +134,7 @@ void SupportFastPatternForSigMatchTypes(void)
     SupportFastPatternForSigMatchType(DETECT_CONTENT);
     SupportFastPatternForSigMatchList(DETECT_SM_LIST_HHDMATCH);
 
-    SupportFastPatternForSigMatchType(DETECT_AL_HTTP_RAW_HEADER);
+    SupportFastPatternForSigMatchType(DETECT_CONTENT);
     SupportFastPatternForSigMatchList(DETECT_SM_LIST_HRHDMATCH);
 
     SupportFastPatternForSigMatchType(DETECT_AL_HTTP_METHOD);
@@ -242,7 +242,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
             DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
             DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
             DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
-            DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+            DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
             DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
             DETECT_AL_HTTP_COOKIE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
             DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
diff --git a/src/detect-http-raw-header.c b/src/detect-http-raw-header.c
index fffc14d04f554cf443f214268bc869ace03627d2..8f5ad07f24f696b243d8d970017257d43b2cb5ea 100644 (file)
--- a/src/detect-http-raw-header.c
+++ b/src/detect-http-raw-header.c
@@ -167,7 +167,7 @@ int DetectHttpRawHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
 
         /* please note.  reassigning pm */
         pm = SigMatchGetLastSMFromLists(s, 4,
-                                        DETECT_AL_HTTP_RAW_HEADER,
+                                        DETECT_CONTENT,
                                         s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
                                         DETECT_PCRE,
                                         s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]);
@@ -186,7 +186,7 @@ int DetectHttpRawHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
         }
     }
     cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HRUDMATCH);
-    sm->type = DETECT_AL_HTTP_RAW_HEADER;
+    sm->type = DETECT_CONTENT;
 
     /* transfer the sm from the pmatch list to hrhdmatch list */
     SigMatchTransferSigMatchAcrossLists(sm,
@@ -243,7 +243,7 @@ static int DetectHttpRawHeaderTest01(void)
 
     sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH];
     if (sm != NULL) {
-        result &= (sm->type == DETECT_AL_HTTP_RAW_HEADER);
+        result &= (sm->type == DETECT_CONTENT);
         result &= (sm->next == NULL);
     } else {
         result = 0;
@@ -1589,8 +1589,8 @@ int DetectHttpRawHeaderTest23(void)
     de_ctx->flags |= DE_QUIET;
     de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
                                "(flow:to_server; content:\"one\"; http_raw_header; within:5; sid:1;)");
-    if (de_ctx->sig_list != NULL) {
-        printf("de_ctx->sig_list != NULL\n");
+    if (de_ctx->sig_list == NULL) {
+        printf("de_ctx->sig_list == NULL\n");
         goto end;
     }
 
@@ -1654,7 +1654,7 @@ int DetectHttpRawHeaderTest25(void)
     }
 
     if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH] == NULL ||
-        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->type != DETECT_AL_HTTP_RAW_HEADER ||
+        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->type != DETECT_CONTENT ||
         de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev == NULL ||
         de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->type != DETECT_PCRE) {
 
@@ -1707,7 +1707,7 @@ int DetectHttpRawHeaderTest26(void)
     if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH] == NULL ||
         de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->type != DETECT_PCRE ||
         de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev == NULL ||
-        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->type != DETECT_AL_HTTP_RAW_HEADER) {
+        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->type != DETECT_CONTENT) {
 
         goto end;
     }
@@ -1756,7 +1756,7 @@ int DetectHttpRawHeaderTest27(void)
     }
 
     if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH] == NULL ||
-        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->type != DETECT_AL_HTTP_RAW_HEADER ||
+        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->type != DETECT_CONTENT ||
         de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev == NULL ||
         de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->type != DETECT_PCRE) {
 
diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c
index be2009ac7c2bb0d0e8bea2e83cd4bdf185b9dea3..47facb4a073440624e99a9554938279eaea24a51 100644 (file)
--- a/src/detect-isdataat.c
+++ b/src/detect-isdataat.c
@@ -357,7 +357,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
                 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
                 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
                 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], /* 5 */
-                DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+                DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
                 DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
                 DETECT_AL_HTTP_COOKIE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
                 DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
@@ -419,7 +419,6 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
 
     switch (prev_pm->type) {
         case DETECT_CONTENT:
-        case DETECT_AL_HTTP_RAW_HEADER:
         case DETECT_AL_HTTP_METHOD:
         case DETECT_AL_HTTP_COOKIE:
         case DETECT_AL_HTTP_RAW_URI:
diff --git a/src/detect-nocase.c b/src/detect-nocase.c
index d87b53b40990974ea5a96bf07c8bfc1e2c664b03..1092597f3cd64f41a14db5df7c7544ef287ec9e3 100644 (file)
--- a/src/detect-nocase.c
+++ b/src/detect-nocase.c
@@ -80,7 +80,7 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
             DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
             DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
             DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
-            DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+            DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
             DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
             DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
             DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
@@ -98,7 +98,6 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
 
     switch (pm->type) {
         case DETECT_CONTENT:
-        case DETECT_AL_HTTP_RAW_HEADER:
         case DETECT_AL_HTTP_METHOD:
         case DETECT_AL_HTTP_COOKIE:
         case DETECT_AL_HTTP_RAW_URI:
diff --git a/src/detect-offset.c b/src/detect-offset.c
index 2a5f6013b3fbaebb9120e11c04181be95946fa21..62ead6f0648184c34addd60f938ec00e89f2ab34 100644 (file)
--- a/src/detect-offset.c
+++ b/src/detect-offset.c
@@ -89,7 +89,7 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
                     DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
                     DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
                     DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
-                    DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+                    DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
                     DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
                     DETECT_AL_HTTP_COOKIE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
                     DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
@@ -163,50 +163,6 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
 
             break;
 
-        case DETECT_AL_HTTP_RAW_HEADER:
-            cd = (DetectContentData *)pm->ctx;
-            if (cd->flags & DETECT_CONTENT_NEGATED) {
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
-                               "negated keyword set along with a fast_pattern");
-                    goto error;
-                }
-            } else {
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
-                               "keyword set along with a fast_pattern:only;");
-                    goto error;
-                }
-            }
-
-            if (str[0] != '-' && isalpha(str[0])) {
-                SigMatch *bed_sm =
-                    DetectByteExtractRetrieveSMVar(str, s,
-                                                   SigMatchListSMBelongsTo(s, pm));
-                if (bed_sm == NULL) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
-                               "seen in offset - %s\n", str);
-                    goto error;
-                }
-                cd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
-                cd->flags |= DETECT_CONTENT_OFFSET_BE;
-            } else {
-                cd->offset = (uint32_t)atoi(str);
-                if (cd->depth != 0) {
-                    if (cd->depth < cd->content_len) {
-                        SCLogDebug("depth increased to %"PRIu32" to match pattern len",
-                                   cd->content_len);
-                        cd->depth = cd->content_len;
-                    }
-                    /* Updating the depth as is relative to the offset */
-                    cd->depth += cd->offset;
-                }
-            }
-
-            cd->flags |= DETECT_CONTENT_OFFSET;
-
-            break;
-
         case DETECT_AL_HTTP_METHOD:
             cd = (DetectContentData *)pm->ctx;
             if (cd->flags & DETECT_CONTENT_NEGATED) {
diff --git a/src/detect-pcre.c b/src/detect-pcre.c
index 1093e8cd357ecd3b7b95baf5feaa26a576f8f3ce..e4edb4396cbd0e5c3cac8dbff78682788566bb66 100644 (file)
--- a/src/detect-pcre.c
+++ b/src/detect-pcre.c
@@ -1201,9 +1201,8 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
         SCReturnInt(0);
     }
 
-    prev_sm = SigMatchGetLastSMFromLists(s, 16,
+    prev_sm = SigMatchGetLastSMFromLists(s, 14,
             DETECT_CONTENT, sm->prev,
-            DETECT_AL_HTTP_RAW_HEADER, sm->prev,
             DETECT_AL_HTTP_RAW_URI, sm->prev,
             DETECT_AL_HTTP_COOKIE, sm->prev,
             DETECT_AL_HTTP_METHOD, sm->prev,
@@ -1233,7 +1232,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
 
     switch (prev_sm->type) {
         case DETECT_CONTENT:
-        case DETECT_AL_HTTP_RAW_HEADER:
         case DETECT_AL_HTTP_STAT_MSG:
         case DETECT_AL_HTTP_STAT_CODE:
         case DETECT_AL_HTTP_RAW_URI:
diff --git a/src/detect-within.c b/src/detect-within.c
index 492fb6ee391d78ba419654f0410e5e5498582a2c..bfa2feda4af79371147758c30b2d40d461541679 100644 (file)
--- a/src/detect-within.c
+++ b/src/detect-within.c
@@ -169,7 +169,7 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
                 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
                 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
                 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
-                DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+                DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
                 DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
                 DETECT_AL_HTTP_COOKIE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
                 DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
@@ -300,74 +300,6 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
 
             break;
 
-        case DETECT_AL_HTTP_RAW_HEADER:
-            cd = (DetectContentData *)pm->ctx;
-            if (cd->flags & DETECT_CONTENT_NEGATED) {
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
-                               "negated keyword set along with a fast_pattern");
-                    goto error;
-                }
-            } else {
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
-                               "keyword set along with a fast_pattern:only;");
-                    goto error;
-                }
-            }
-
-            if (str[0] != '-' && isalpha(str[0])) {
-                SigMatch *bed_sm =
-                    DetectByteExtractRetrieveSMVar(str, s,
-                                                   SigMatchListSMBelongsTo(s, pm));
-                if (bed_sm == NULL) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
-                               "seen in within - %s\n", str);
-                    goto error;
-                }
-                cd->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
-                cd->flags |= DETECT_CONTENT_WITHIN_BE;
-            } else {
-                cd->within = strtol(str, NULL, 10);
-                if (cd->within < (int32_t)cd->content_len) {
-                    SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is "
-                               "less than the content length \"%"PRIu32"\" which is invalid, since "
-                               "this will never match.  Invalidating signature", cd->within,
-                               cd->content_len);
-                    goto error;
-                }
-            }
-
-            cd->flags |= DETECT_CONTENT_WITHIN;
-
-            /* reassigning pm */
-            pm = SigMatchGetLastSMFromLists(s, 4,
-                                            DETECT_AL_HTTP_RAW_HEADER, pm->prev,
-                                            DETECT_PCRE, pm->prev);
-            if (pm == NULL) {
-                SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for http_raw_header "
-                           "needs preceeding http_raw_header content");
-                goto error;
-            }
-
-            if (pm->type == DETECT_PCRE) {
-                DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
-                tmp_pd->flags |=  DETECT_PCRE_RELATIVE_NEXT;
-            } else {
-                /* reassigning cd */
-                cd = (DetectContentData *)pm->ctx;
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
-                               "has a fast_pattern:only; set.  You can't "
-                               "have relative keywords around a fast_pattern "
-                               "only content");
-                    goto error;
-                }
-                cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
-            }
-
-            break;
-
         case DETECT_AL_HTTP_METHOD:
             cd = (DetectContentData *)pm->ctx;
             if (cd->flags & DETECT_CONTENT_NEGATED) {
diff --git a/src/detect.c b/src/detect.c
index c0feff9dfc0c05af80afe6486ed425df94fc5b1a..4cc62cdd9936c413875c7cdd57449a02bbeebfc9 100644 (file)
--- a/src/detect.c
+++ b/src/detect.c
@@ -2212,7 +2212,6 @@ static int SignatureCreateMask(Signature *s) {
             case DETECT_AL_HTTP_COOKIE:
             case DETECT_AL_HTTP_METHOD:
             case DETECT_AL_URILEN:
-            case DETECT_AL_HTTP_RAW_HEADER:
             case DETECT_AL_HTTP_URI:
             case DETECT_AL_HTTP_RAW_URI:
                 s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
Mirror of https://github.com/OISF/suricata.git