uint32_t a_ip2 = ntohl(a->ip2.addr_data32[0]);
uint32_t b_ip1 = ntohl(b->ip.addr_data32[0]);
uint32_t b_ip2 = ntohl(b->ip2.addr_data32[0]);
- DetectPort *port = NULL;
DetectAddress *tmp = NULL;
DetectAddress *tmp_c = NULL;
int r = 0;
if (de_ctx != NULL) {
SigGroupHeadCopySigs(de_ctx, b->sh, &tmp_c->sh);
SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh);
-
- for (port = b->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &tmp_c->port, port);
- for (port = a->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &b->port, port);
-
- tmp_c->cnt += b->cnt;
- b->cnt += a->cnt;
}
/* we have 3 parts: [bbb[baba]aaa]
SigGroupHeadCopySigs(de_ctx, tmp->sh, &b->sh);
/* clean tmp list */
SigGroupHeadClearSigs(tmp->sh);
-
- for (port = a->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &tmp->port, port);
- for (port = b->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &a->port, port);
- for (port = tmp->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &b->port, port);
- for (port = tmp->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &tmp_c->port, port);
-
- tmp->cnt += a->cnt;
- a->cnt = 0;
- tmp_c->cnt += tmp->cnt;
- a->cnt += b->cnt;
- b->cnt += tmp->cnt;
- tmp->cnt = 0;
}
/* we have 2 or three parts:
if (de_ctx != NULL) {
/* 'b' overlaps 'a' so 'a' needs the 'b' sigs */
SigGroupHeadCopySigs(de_ctx, b->sh, &a->sh);
-
- for (port = b->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &a->port, port);
- a->cnt += b->cnt;
}
} else if (a_ip2 == b_ip2) {
SCLogDebug("DetectAddressCutIPv4: 2");
SigGroupHeadClearSigs(a->sh);
SigGroupHeadCopySigs(de_ctx, tmp->sh, &a->sh);
SigGroupHeadClearSigs(tmp->sh);
-
- for (port = a->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &tmp->port, a->port);
- for (port = b->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &a->port, port);
- for (port = tmp->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &b->port, port);
-
- tmp->cnt += a->cnt;
- a->cnt = 0;
- a->cnt += b->cnt;
- b->cnt += tmp->cnt;
- tmp->cnt = 0;
}
} else {
SCLogDebug("3");
SigGroupHeadCopySigs(de_ctx, tmp->sh, &b->sh);
/* clean tmp list */
SigGroupHeadClearSigs(tmp->sh);
-
- for (port = a->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &tmp->port, port);
- for (port = b->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &tmp_c->port, port);
- for (port = b->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &a->port, port);
- for (port = tmp->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &b->port, port);
-
- tmp->cnt += a->cnt;
- a->cnt = 0;
- tmp_c->cnt += b->cnt;
- a->cnt += b->cnt;
- b->cnt += tmp->cnt;
- tmp->cnt = 0;
}
}
/* we have 2 or three parts:
SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh);
SigGroupHeadCopySigs(de_ctx, tmp->sh, &a->sh);
SigGroupHeadClearSigs(tmp->sh);
-
- for (port = b->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &tmp->port, b->port);
- for (port = a->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &b->port, port);
- for (port = tmp->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &a->port, port);
-
- tmp->cnt += b->cnt;
- b->cnt = 0;
- b->cnt += a->cnt;
- a->cnt += tmp->cnt;
- tmp->cnt = 0;
}
} else if (a_ip2 == b_ip2) {
SCLogDebug("DetectAddressCutIPv4: 2");
if (de_ctx != NULL) {
/* 'a' overlaps 'b' so a needs the 'a' sigs */
SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh);
-
- for (port = a->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &b->port, port);
-
- b->cnt += a->cnt;
}
} else {
SCLogDebug("DetectAddressCutIPv4: 3");
* 'c' gets 'a' sigs */
SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh);
SigGroupHeadCopySigs(de_ctx, a->sh, &tmp_c->sh);
-
- for (port = a->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &b->port, port);
- for (port = a->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &tmp_c->port, port);
-
- b->cnt += a->cnt;
- tmp_c->cnt += a->cnt;
}
}
}
uint32_t b_ip2[4] = { ntohl(b->ip2.addr_data32[0]), ntohl(b->ip2.addr_data32[1]),
ntohl(b->ip2.addr_data32[2]), ntohl(b->ip2.addr_data32[3]) };
- DetectPort *port = NULL;
DetectAddress *tmp = NULL;
/* default to NULL */
/* copy old b to a */
SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh);
- for (port = b->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &tmp_c->port, port);
- for (port = a->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &b->port, port);
-
- tmp_c->cnt += b->cnt;
- b->cnt += a->cnt;
-
/* we have 3 parts: [bbb[baba]aaa]
* part a: b_ip1 <-> a_ip1 - 1
* part b: a_ip1 <-> b_ip2
/* clean tmp list */
SigGroupHeadClearSigs(tmp->sh);
- for (port = a->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx,&tmp->port, port);
- for (port = b->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx,&a->port, port);
-
- for (port = tmp->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx,&b->port, port);
- for (port = tmp->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx,&tmp_c->port, port);
-
- tmp->cnt += a->cnt;
- a->cnt = 0;
- tmp_c->cnt += tmp->cnt;
- a->cnt += b->cnt;
- b->cnt += tmp->cnt;
- tmp->cnt = 0;
-
/* we have 2 or three parts:
*
* 2 part: [[abab]bbb] or [bbb[baba]]
/* 'b' overlaps 'a' so 'a' needs the 'b' sigs */
SigGroupHeadCopySigs(de_ctx, b->sh, &a->sh);
- for (port = b->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx,&a->port, port);
-
- a->cnt += b->cnt;
-
} else if (AddressIPv6EqU32(a_ip2, b_ip2) == 1) {
AddressCutIPv6Copy(b_ip1, a->ip.addr_data32);
AddressCutIPv6CopySubOne(a_ip1, a->ip2.addr_data32);
SigGroupHeadCopySigs(de_ctx, tmp->sh, &a->sh);
SigGroupHeadClearSigs(tmp->sh);
- for (port = a->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx,&tmp->port, a->port);
- for (port = b->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx,&a->port, port);
- for (port = tmp->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx,&b->port, port);
-
- tmp->cnt += a->cnt;
- a->cnt = 0;
- a->cnt += b->cnt;
- b->cnt += tmp->cnt;
- tmp->cnt = 0;
} else {
AddressCutIPv6Copy(b_ip1, a->ip.addr_data32);
AddressCutIPv6CopySubOne(a_ip1, a->ip2.addr_data32);
/* clean tmp list */
SigGroupHeadClearSigs(tmp->sh);
- for (port = a->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx,&tmp->port, port);
- for (port = b->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx,&tmp_c->port, port);
- for (port = b->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx,&a->port, port);
-
- for (port = tmp->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx,&b->port, port);
-
- tmp->cnt += a->cnt;
- a->cnt = 0;
- tmp_c->cnt += b->cnt;
- a->cnt += b->cnt;
- b->cnt += tmp->cnt;
- tmp->cnt = 0;
}
/* we have 2 or three parts:
*
SigGroupHeadCopySigs(de_ctx, tmp->sh, &a->sh);
SigGroupHeadClearSigs(tmp->sh);
- for (port = b->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx,&tmp->port, b->port);
- for (port = a->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx,&b->port, port);
- for (port = tmp->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx,&a->port, port);
-
- tmp->cnt += b->cnt;
- b->cnt = 0;
- b->cnt += a->cnt;
- a->cnt += tmp->cnt;
- tmp->cnt = 0;
} else if (AddressIPv6EqU32(a_ip2, b_ip2) == 1) {
AddressCutIPv6Copy(a_ip1, a->ip.addr_data32);
AddressCutIPv6CopySubOne(b_ip1, a->ip2.addr_data32);
/* 'a' overlaps 'b' so a needs the 'a' sigs */
SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh);
- for (port = a->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx,&b->port, port);
-
- b->cnt += a->cnt;
} else {
AddressCutIPv6Copy(a_ip1, a->ip.addr_data32);
AddressCutIPv6CopySubOne(b_ip1, a->ip2.addr_data32);
SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh);
SigGroupHeadCopySigs(de_ctx, a->sh, &tmp_c->sh);
- for (port = a->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx,&b->port, port);
- for (port = a->port; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx,&tmp_c->port, port);
-
- b->cnt += a->cnt;
- tmp_c->cnt += a->cnt;
}
}
}
ag->sh = NULL;
- if (!(ag->flags & ADDRESS_HAVEPORT)) {
- SCLogDebug("- ag %p dst_gh %p", ag, ag->dst_gh);
-
- if (ag->dst_gh != NULL)
- DetectAddressHeadFree(ag->dst_gh);
- ag->dst_gh = NULL;
- } else {
- SCLogDebug("- ag %p port %p", ag, ag->port);
-
- if (ag->port != NULL && !(ag->flags & ADDRESS_PORTS_COPY)) {
- SCLogDebug("- ag %p port %p, not a copy so call DetectPortCleanupList",
- ag, ag->port);
- DetectPortCleanupList(ag->port);
- }
- ag->port = NULL;
- }
#ifdef DEBUG
detect_address_group_memory -= sizeof(DetectAddress);
detect_address_group_free_cnt++;
COPY_ADDRESS(&orig->ip, &ag->ip);
COPY_ADDRESS(&orig->ip2, &ag->ip2);
- ag->cnt = 1;
-
return ag;
}
if (r == ADDRESS_EQ) {
/* exact overlap/match */
if (cur != new) {
- DetectPort *port = new->port;
- for ( ; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &cur->port, port);
SigGroupHeadCopySigs(de_ctx, new->sh, &cur->sh);
- cur->cnt += new->cnt;
DetectAddressFree(new);
return 0;
int DetectAddressJoin(DetectEngineCtx *de_ctx, DetectAddress *target,
DetectAddress *source)
{
- DetectPort *port = NULL;
-
if (target == NULL || source == NULL)
return -1;
if (target->ip.family != source->ip.family)
return -1;
- target->cnt += source->cnt;
SigGroupHeadCopySigs(de_ctx, source->sh, &target->sh);
- port = source->port;
- for ( ; port != NULL; port = port->next)
- DetectPortInsertCopy(de_ctx, &target->port, port);
-
if (target->ip.family == AF_INET)
return DetectAddressJoinIPv4(de_ctx, target, source);
else if (target->ip.family == AF_INET6)
#define ADDRESS_FLAG_NOT 0x02 /**< address is negated */
#define ADDRESS_SIGGROUPHEAD_COPY 0x04 /**< sgh is a ptr to another sgh */
-#define ADDRESS_PORTS_COPY 0x08 /**< ports are a ptr to other ports */
-#define ADDRESS_PORTS_NOTUNIQ 0x10
-#define ADDRESS_HAVEPORT 0x20 /**< address has a ports ptr */
/** \brief address structure for use in the detection engine.
*
Address ip;
Address ip2;
- /** ptr to the next address (dst addr in that case) or to the src port */
- union {
- struct DetectAddressHead_ *dst_gh; /**< destination address */
- struct DetectPort_ *port; /**< source port */
- };
-
/** signatures that belong in this group */
struct SigGroupHead_ *sh;
struct DetectAddress_ *prev;
/** ptr to the next address in the list */
struct DetectAddress_ *next;
-
- uint32_t cnt;
} DetectAddress;
/** Signature grouping head. Here 'any', ipv4 and ipv6 are split out */
projects / thirdparty / suricata.git / commitdiff
