Merge pull request #1443 in SNORT/snort3 from ~MIREDDEN/snort3:snort2lua_fix_pcre_PH_...
authorTom Peters (thopeter) <thopeter@cisco.com>
Fri, 30 Nov 2018 19:26:31 +0000 (14:26 -0500)
committerTom Peters (thopeter) <thopeter@cisco.com>
Fri, 30 Nov 2018 19:26:31 +0000 (14:26 -0500)
Squashed commit of the following:

commit 68ae2da5c5ff36675a6aba8f2710ce8327103e15
Author: Mike Redden <miredden@cisco.com>
Date:   Mon Nov 26 14:04:07 2018 -0500

    snort2lua: Fix pcre H and P option conversions for sip

tools/snort2lua/data/data_types/dt_rule.cc
tools/snort2lua/data/data_types/dt_rule.h
tools/snort2lua/data/dt_rule_api.cc
tools/snort2lua/data/dt_rule_api.h
tools/snort2lua/helpers/converter.cc
tools/snort2lua/rule_states/rule_pcre.cc

index 50526790537149f1fe292cf77adb2fd6b1ee2330..86d72c49be0ebae5c3b8c6bd48598d14453a02c6 100644 (file)
@@ -49,7 +49,7 @@ bool Rule::add_hdr_data(const std::string& data)
     }
 }
 
-void Rule::set_rule_old_action(const std::string &action)
+void Rule::set_rule_old_action(const std::stringaction)
 {
     old_action = action;
 }
@@ -177,3 +177,92 @@ std::ostream& operator<<(std::ostream& out, const Rule& rule)
     return out;
 }
 
+void Rule::resolve_pcre_buffer_options()
+{
+    std::vector<RuleOption*>::iterator iter;
+    std::string curr_sticky_buffer = "";
+    bool is_sip = false;
+    std::string name;
+    const std::string service = get_option("service");
+    std::string new_buffer;
+
+    if (service == "sip")
+        is_sip = true;
+
+    iter = options.begin();
+
+    while (iter != options.end())
+    {
+        name = (*iter)->get_name();
+
+        if (name == "pcre_P_option_body" || name == "pcre_H_option_header")
+        {
+            delete(*iter);
+            iter = options.erase(iter);
+
+            if (is_sip)
+            {
+                if (name == "pcre_P_option_body")
+                {
+                    new_buffer = "sip_body";
+                }
+                else
+                {
+                    new_buffer = "sip_header";
+                }
+            }
+            else
+            {
+                if (name == "pcre_P_option_body")
+                {
+                    new_buffer = "http_client_body";
+                }
+                else
+                {
+                    new_buffer = "http_header";
+                }
+            }
+
+            if (curr_sticky_buffer != new_buffer)
+            {
+                curr_sticky_buffer = new_buffer;
+                RuleOption* new_opt = new RuleOption(new_buffer);
+                options.insert(iter, new_opt);
+                ++iter;
+            }
+        }
+        else if (name == "pkt_data")
+        {
+            curr_sticky_buffer = name;
+            ++iter;
+        }
+        else if (name == "http_uri" ||
+            name == "http_raw_uri" ||
+            name == "http_cookie" ||
+            name == "http_raw_cookie" ||
+            name == "http_method" ||
+            name == "http_stat_code" ||
+            name == "http_stat_msg" ||
+            name == "http_header" ||
+            name == "http_client_body" ||
+            name == "sip_header" ||
+            name == "sip_body")
+        {
+            if (curr_sticky_buffer == name)
+            {
+                delete(*iter);
+                iter = options.erase(iter);
+            }
+            else
+            {
+                curr_sticky_buffer = name;
+                ++iter;
+            }
+        }
+        else
+        {
+            ++iter;
+        }
+    }
+}
+
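Review bot: In the placeholder branch, `options.insert(iter, new_opt); ++iter;` keeps using `iter` after the insert, but `std::vector::insert` invalidates iterators at and after the insertion point, so the increment is undefined behaviour even when no reallocation happens. Use the returned iterator instead: `iter = options.insert(iter, new_opt); ++iter;`. Separately, `curr_sticky_buffer` is only updated for the names listed in this loop. If snort2lua can emit other buffer-selecting options between them (`file_data` or `http_raw_header`, for instance; not visible here), a later `H`/`P` placeholder or a repeated `http_header` would be dropped as redundant, and the following pcre would be evaluated against the wrong buffer, silently changing what the converted rule detects. A comment above the name list stating that it must cover every sticky buffer the converter can produce would make that invariant explicit.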
index 913f327bbd173d5876cc92a225d8f0b41ecc34df..ec69b4e566b9569805171d836ac5c3241c54175f 100644 (file)
@@ -50,6 +50,7 @@ public:
     void make_comment();
     void set_old_http_rule();
     bool is_old_http_rule() { return old_http_rule; }
+    void resolve_pcre_buffer_options();
 
     friend std::ostream& operator<<(std::ostream&, const Rule&);
 
index b0443e6f086e8beca193c2b292be4ecdc6b4d21e..f426c2e31c44cffc23ebaf80d19658d4a57d8a9b 100644 (file)
@@ -264,6 +264,12 @@ bool RuleApi::is_old_http_rule()
     return curr_rule->is_old_http_rule();
 }
 
+void RuleApi::resolve_pcre_buffer_options()
+{
+    if (curr_rule)
+        curr_rule->resolve_pcre_buffer_options();
+}
+
 std::ostream& operator<<(std::ostream& out, const RuleApi& data)
 {
     if (DataApi::is_default_mode())
index c69e7ebfec3917d33d2020cb046209e47284b353..311028d372380ffa9eeb3850875b4f49aa869d43 100644 (file)
@@ -81,6 +81,7 @@ public:
     void bad_rule(std::istringstream& stream, const std::string& bad_option);
     void old_http_rule();
     bool is_old_http_rule();
+    void resolve_pcre_buffer_options();
 
 private:
     static std::size_t error_count;
index cc4c0eee1769fcd15f0787e087668149f5c1a6dd..89b4a21a722c06565a22e2d2fc324be882ca8d0b 100644 (file)
@@ -291,6 +291,8 @@ int Converter::parse_file(
                     table_api.close_table();
                 }
 
+                rule_api.resolve_pcre_buffer_options();
+               
                 if (commented_rule)
                     rule_api.make_rule_a_comment();
 
index 926e19d7e2edabd384783eda73facbf09ee7e8d0..0ff7c6c6334d13cc34f1e70be5bd028b3503c0d6 100644 (file)
@@ -93,8 +93,8 @@ bool Pcre::convert(std::istringstream& data_stream)
         {
         case 'B': sticky_buffer = "pkt_data"; break;
         case 'U': sticky_buffer = "http_uri"; break;
-        case 'P': sticky_buffer = "http_client_body"; break;
-        case 'H': sticky_buffer = "http_header"; break;
+        case 'P': sticky_buffer = "pcre_P_option_body"; break;
+        case 'H': sticky_buffer = "pcre_H_option_header"; break;
         case 'M': sticky_buffer = "http_method"; break;
         case 'C': sticky_buffer = "http_cookie"; break;
         case 'I': sticky_buffer = "http_raw_uri"; break;
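Review bot: The `P` and `H` cases now store `"pcre_P_option_body"` and `"pcre_H_option_header"`, which are placeholders that only `Rule::resolve_pcre_buffer_options()` rewrites, and nothing at this site says so. A comment such as `// placeholder, replaced with the sip_* or http_* buffer by Rule::resolve_pcre_buffer_options()` on both lines would help. The two literals would also be safer as shared constants used by both files, since a mismatch in either spelling would leave the placeholder in the emitted rule. `Pcre::convert` starts and ends outside this hunk, so whether every path that emits a rule runs the resolve step cannot be confirmed from here.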