flowint: add isnotset support

Similar keywords use `isnotset`, while `flowint` only accepted `notset`
Opted to change the code, not only the regex, to keep the underlying
code also following the same patterns.

Task #7426

(cherry picked from commit 6e4a501e7c96a705df084fd1e74668bc70a00b89)

diff --git a/doc/userguide/rules/flow-keywords.rst b/doc/userguide/rules/flow-keywords.rst
index bb0269299a19e2cbececd8e91f1aa926adc32e42..fdea2183da7f92b2fa1a6a1b9698c3c988181bbd 100644 (file)
--- a/doc/userguide/rules/flow-keywords.rst
+++ b/doc/userguide/rules/flow-keywords.rst
@@ -135,7 +135,7 @@ Define a var (not required), or check that one is set or not set.
 ::
 
     flowint: name, < +,-,=,>,<,>=,<=,==, != >, value;
-    flowint: name, (isset|isnotset);
+    flowint: name, (isset|notset|isnotset);
 
 Compare or alter a var. Add, subtract, compare greater than or less
 than, greater than or equal to, and less than or equal to are

diff --git a/src/detect-engine-sigorder.c b/src/detect-engine-sigorder.c
index bb342e385afed74ae3236cc9798a982e022884f5..b1de08a974de225abf23bfc532831e9cf58367f8 100644 (file)
--- a/src/detect-engine-sigorder.c
+++ b/src/detect-engine-sigorder.c
@@ -200,7 +200,7 @@ static inline int SCSigGetFlowintType(Signature *sig)
                 fi->modifier == FLOWINT_MODIFIER_NE ||
                 fi->modifier == FLOWINT_MODIFIER_GE ||
                 fi->modifier == FLOWINT_MODIFIER_GT ||
-                fi->modifier == FLOWINT_MODIFIER_NOTSET ||
+                fi->modifier == FLOWINT_MODIFIER_ISNOTSET ||
                 fi->modifier == FLOWINT_MODIFIER_ISSET) {
                 read++;
             } else {

diff --git a/src/detect-flowint.c b/src/detect-flowint.c
index 6a28e980ce2667969049a9a92541e573ec00678c..a17508eade23a04328a937ea72c578f2e1bc6c06 100644 (file)
--- a/src/detect-flowint.c
+++ b/src/detect-flowint.c
@@ -48,7 +48,7 @@
 #include "util-profiling.h"
 
 /*                         name             modifiers          value      */
-#define PARSE_REGEX "^\\s*([a-zA-Z][\\w\\d_./]+)\\s*,\\s*([+=-]{1}|==|!=|<|<=|>|>=|isset|notset)\\s*,?\\s*([a-zA-Z][\\w\\d]+|[\\d]{1,10})?\\s*$"
+#define PARSE_REGEX "^\\s*([a-zA-Z][\\w\\d_./]+)\\s*,\\s*([+=-]{1}|==|!=|<|<=|>|>=|isset|notset|isnotset)\\s*,?\\s*([a-zA-Z][\\w\\d]+|[\\d]{1,10})?\\s*$"
 /* Varnames must begin with a letter */
 
 static DetectParseRegex parse_regex;
@@ -140,7 +140,7 @@ int DetectFlowintMatch(DetectEngineThreadCtx *det_ctx,
         goto end;
     }
 
-    if (sfd->modifier == FLOWINT_MODIFIER_NOTSET) {
+    if (sfd->modifier == FLOWINT_MODIFIER_ISNOTSET) {
         SCLogDebug(" Not set %s? = %u", sfd->name,(fv) ? 0 : 1);
         if (fv == NULL)
             ret = 1;
@@ -280,8 +280,8 @@ static DetectFlowintData *DetectFlowintParse(DetectEngineCtx *de_ctx, const char
         modifier = FLOWINT_MODIFIER_GT;
     if (strcmp("isset", modstr) == 0)
         modifier = FLOWINT_MODIFIER_ISSET;
-    if (strcmp("notset", modstr) == 0)
-        modifier = FLOWINT_MODIFIER_NOTSET;
+    if (strcmp("notset", modstr) == 0 || strcmp("isnotset", modstr) == 0)
+        modifier = FLOWINT_MODIFIER_ISNOTSET;
 
     if (modifier == FLOWINT_MODIFIER_UNKNOWN) {
         SCLogError("Unknown modifier");
@@ -293,7 +293,7 @@ static DetectFlowintData *DetectFlowintParse(DetectEngineCtx *de_ctx, const char
         goto error;
 
     /* If we need another arg, check it out(isset doesn't need another arg) */
-    if (modifier != FLOWINT_MODIFIER_ISSET && modifier != FLOWINT_MODIFIER_NOTSET) {
+    if (modifier != FLOWINT_MODIFIER_ISSET && modifier != FLOWINT_MODIFIER_ISNOTSET) {
         if (ret < 4)
             goto error;
 
@@ -398,7 +398,7 @@ static int DetectFlowintSetup(DetectEngineCtx *de_ctx, Signature *s, const char
         case FLOWINT_MODIFIER_GE:
         case FLOWINT_MODIFIER_GT:
         case FLOWINT_MODIFIER_ISSET:
-        case FLOWINT_MODIFIER_NOTSET:
+        case FLOWINT_MODIFIER_ISNOTSET:
             SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
             break;
         default:
@@ -1003,7 +1003,7 @@ static int DetectFlowintTestParseIsset10(void)
     DetectFlowintPrintData(sfd);
     if (sfd != NULL && !strcmp(sfd->name, "myvar")
             && sfd->targettype == FLOWINT_TARGET_SELF
-            && sfd->modifier == FLOWINT_MODIFIER_NOTSET) {
+            && sfd->modifier == FLOWINT_MODIFIER_ISNOTSET) {
 
         result &= 1;
     } else {
@@ -1192,7 +1192,7 @@ static int DetectFlowintTestPacket02Real(void)
     de_ctx->flags |= DE_QUIET;
 
     const char *sigs[5];
-    sigs[0] = "alert tcp any any -> any any (msg:\"Setting a flowint counter\"; content:\"GET\"; flowint: myvar, notset; flowint:maxvar,notset; flowint: myvar,=,1; flowint: maxvar,=,6; sid:101;)";
+    sigs[0] = "alert tcp any any -> any any (msg:\"Setting a flowint counter\"; content:\"GET\"; flowint:myvar,notset; flowint:maxvar,isnotset; flowint: myvar,=,1; flowint: maxvar,=,6; sid:101;)";
     sigs[1] = "alert tcp any any -> any any (msg:\"Adding to flowint counter\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: myvar,+,2; sid:102;)";
     sigs[2] = "alert tcp any any -> any any (msg:\"if the flowint counter is 3 create a new counter\"; content:\"Unauthorized\"; flowint: myvar, isset; flowint: myvar,==,3; flowint:cntpackets,notset; flowint: cntpackets, =, 0; sid:103;)";
     sigs[3] = "alert tcp any any -> any any (msg:\"and count the rest of the packets received without generating alerts!!!\"; flowint: cntpackets,isset; flowint: cntpackets, +, 1; noalert;sid:104;)";

diff --git a/src/detect-flowint.h b/src/detect-flowint.h
index 6ffa1f09302632734a7193ec27b28cbdd9b0881d..5895328c5a189593320d09712d003adda58b869e 100644 (file)
--- a/src/detect-flowint.h
+++ b/src/detect-flowint.h
@@ -40,7 +40,7 @@ enum {
     FLOWINT_MODIFIER_GT,
     /** Checking if a var is set (keyword isset/notset)*/
     FLOWINT_MODIFIER_ISSET,
-    FLOWINT_MODIFIER_NOTSET,
+    FLOWINT_MODIFIER_ISNOTSET,
 
     FLOWINT_MODIFIER_UNKNOWN
 };