if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
- DETECT_ISDATAAT, -1);
+ DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {
prev_pm = DetectGetLastSMFromLists(s,
DETECT_CONTENT, DETECT_PCRE,
DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
- DETECT_ISDATAAT, -1);
+ DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
- cd->flags != (DETECT_CONTENT_OFFSET_BE |
+ cd->flags != (DETECT_CONTENT_OFFSET_VAR |
DETECT_CONTENT_OFFSET) ||
cd->offset != bed->local_id) {
printf("three failed\n");
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
- cd->flags != (DETECT_CONTENT_OFFSET_BE |
+ cd->flags != (DETECT_CONTENT_OFFSET_VAR |
DETECT_CONTENT_OFFSET) ||
cd->offset != bed1->local_id) {
printf("four failed\n");
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
- cd->flags != (DETECT_CONTENT_OFFSET_BE |
+ cd->flags != (DETECT_CONTENT_OFFSET_VAR |
DETECT_CONTENT_OFFSET) ||
cd->offset != bed2->local_id) {
printf("five failed\n");
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
- cd->flags != (DETECT_CONTENT_DEPTH_BE |
+ cd->flags != (DETECT_CONTENT_DEPTH_VAR |
DETECT_CONTENT_DEPTH) ||
cd->depth != bed->local_id ||
cd->offset != 0) {
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
- cd->flags != (DETECT_CONTENT_DEPTH_BE |
+ cd->flags != (DETECT_CONTENT_DEPTH_VAR |
DETECT_CONTENT_DEPTH) ||
cd->depth != bed1->local_id) {
printf("four failed\n");
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
- cd->flags != (DETECT_CONTENT_DEPTH_BE |
+ cd->flags != (DETECT_CONTENT_DEPTH_VAR |
DETECT_CONTENT_DEPTH) ||
cd->depth != bed2->local_id) {
printf("five failed\n");
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
- cd->flags != (DETECT_CONTENT_DISTANCE_BE |
+ cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
DETECT_CONTENT_DISTANCE) ||
cd->distance != bed->local_id ||
cd->offset != 0 ||
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
- cd->flags != (DETECT_CONTENT_DISTANCE_BE |
+ cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
DETECT_CONTENT_DISTANCE |
DETECT_CONTENT_DISTANCE_NEXT) ||
cd->distance != bed1->local_id ||
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
- cd->flags != (DETECT_CONTENT_DISTANCE_BE |
+ cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
DETECT_CONTENT_DISTANCE) ||
cd->distance != bed2->local_id ||
cd->depth != 0 ||
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
- cd->flags != (DETECT_CONTENT_WITHIN_BE |
+ cd->flags != (DETECT_CONTENT_WITHIN_VAR |
DETECT_CONTENT_WITHIN) ||
cd->within != bed->local_id ||
cd->offset != 0 ||
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
- cd->flags != (DETECT_CONTENT_WITHIN_BE |
+ cd->flags != (DETECT_CONTENT_WITHIN_VAR |
DETECT_CONTENT_WITHIN|
DETECT_CONTENT_WITHIN_NEXT) ||
cd->within != bed1->local_id ||
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
- cd->flags != (DETECT_CONTENT_WITHIN_BE |
+ cd->flags != (DETECT_CONTENT_WITHIN_VAR |
DETECT_CONTENT_WITHIN) ||
cd->within != bed2->local_id ||
cd->depth != 0 ||
goto end;
}
btd = (DetectBytetestData *)sm->ctx;
- if (btd->flags != DETECT_BYTETEST_OFFSET_BE ||
+ if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
btd->value != 10 ||
btd->offset != 0) {
printf("three failed\n");
goto end;
}
btd = (DetectBytetestData *)sm->ctx;
- if (btd->flags != (DETECT_BYTETEST_OFFSET_BE |
- DETECT_BYTETEST_VALUE_BE) ||
+ if (btd->flags != (DETECT_BYTETEST_OFFSET_VAR |
+ DETECT_BYTETEST_VALUE_VAR) ||
btd->value != 0 ||
btd->offset != 1) {
printf("three failed\n");
goto end;
}
btd = (DetectBytetestData *)sm->ctx;
- if (btd->flags != DETECT_BYTETEST_OFFSET_BE ||
+ if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
btd->value != 10 ||
btd->offset != 1) {
printf("four failed\n");
goto end;
}
bjd = (DetectBytejumpData *)sm->ctx;
- if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
+ if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
bjd->offset != 0) {
printf("three failed\n");
result = 0;
goto end;
}
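Review bot: The expected value for `bjd->flags` here is `DETECT_CONTENT_OFFSET_VAR`, which the detect-content.h hunk defines as `BIT_U32(11)` in the content keyword's flag set rather than in byte_jump's. The same constant is set by the byte_jump setup (`data->flags |= DETECT_CONTENT_OFFSET_VAR;`), tested in the inspection code on a `uint16_t` copy (`if (bjflags & DETECT_CONTENT_OFFSET_VAR)`), and repeated in the other `bjd` test hunks. It fits in 16 bits, but nothing visible keeps bit 11 free in the byte_jump flag set, and byte_test received its own `DETECT_BYTETEST_OFFSET_VAR`. I would add a dedicated `DETECT_BYTEJUMP_OFFSET_VAR` in detect-bytejump.h, on the bit `DETECT_BYTEJUMP_OFFSET_BE` held, and use it in all of these places. The enclosing test function starts and ends outside this hunk.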
bjd = (DetectBytejumpData *)sm->ctx;
- if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
+ if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
bjd->offset != 0) {
printf("three failed\n");
result = 0;
goto end;
}
bjd = (DetectBytejumpData *)sm->ctx;
- if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
+ if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
bjd->offset != 1) {
printf("four failed\n");
result = 0;
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
- cd->flags != (DETECT_CONTENT_DISTANCE_BE |
- DETECT_CONTENT_WITHIN_BE |
+ cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
+ DETECT_CONTENT_WITHIN_VAR |
DETECT_CONTENT_DISTANCE |
DETECT_CONTENT_WITHIN) ||
cd->within != bed1->local_id ||
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
- cd->flags != (DETECT_CONTENT_DISTANCE_BE |
- DETECT_CONTENT_WITHIN_BE |
+ cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
+ DETECT_CONTENT_WITHIN_VAR |
DETECT_CONTENT_DISTANCE |
DETECT_CONTENT_WITHIN) ||
cd->within != bed1->local_id ||
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
- cd->flags != (DETECT_CONTENT_DISTANCE_BE |
- DETECT_CONTENT_WITHIN_BE |
+ cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
+ DETECT_CONTENT_WITHIN_VAR |
DETECT_CONTENT_DISTANCE |
DETECT_CONTENT_WITHIN) ||
cd->within != bed1->local_id ||
goto end;
}
bjd = (DetectBytejumpData *)sm->ctx;
- if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
+ if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
bjd->offset != 0) {
printf("three failed\n");
result = 0;
goto end;
}
bjd = (DetectBytejumpData *)sm->ctx;
- if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
+ if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
bjd->offset != 1) {
printf("four failed\n");
result = 0;
goto end;
}
isdd = (DetectIsdataatData *)sm->ctx;
- if (isdd->flags != ISDATAAT_OFFSET_BE ||
+ if (isdd->flags != ISDATAAT_OFFSET_VAR ||
isdd->dataat != 1) {
printf("isdataat failed\n");
result = 0;
goto end;
}
bjd = (DetectBytejumpData *)sm->ctx;
- if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
+ if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
bjd->offset != 0) {
printf("three failed\n");
result = 0;
goto end;
}
bjd = (DetectBytejumpData *)sm->ctx;
- if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
+ if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
bjd->offset != 1) {
printf("four failed\n");
result = 0;
goto end;
}
isdd = (DetectIsdataatData *)sm->ctx;
- if (isdd->flags != (ISDATAAT_OFFSET_BE |
+ if (isdd->flags != (ISDATAAT_OFFSET_VAR |
ISDATAAT_RELATIVE) ||
isdd->dataat != 1) {
printf("isdataat failed\n");
goto end;
}
isdd = (DetectIsdataatData *)sm->ctx;
- if (isdd->flags != (ISDATAAT_OFFSET_BE) ||
+ if (isdd->flags != (ISDATAAT_OFFSET_VAR) ||
isdd->dataat != bed1->local_id) {
printf("isdataat failed\n");
result = 0;
goto end;
}
isdd = (DetectIsdataatData *)sm->ctx;
- if (isdd->flags != (ISDATAAT_OFFSET_BE |
+ if (isdd->flags != (ISDATAAT_OFFSET_VAR |
ISDATAAT_RELATIVE) ||
isdd->dataat != bed1->local_id) {
printf("isdataat failed\n");
#include "detect-engine.h"
#include "app-layer.h"
-#include "detect-bytejump.h"
+#include "detect-byte.h"
#include "detect-byte-extract.h"
+#include "detect-bytejump.h"
#include "detect-content.h"
#include "detect-uricontent.h"
prev_pm = DetectGetLastSMFromLists(s,
DETECT_CONTENT, DETECT_PCRE,
DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
- DETECT_ISDATAAT, -1);
+ DETECT_ISDATAAT, DETECT_BYTEMATH, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {
prev_pm = DetectGetLastSMFromLists(s,
DETECT_CONTENT, DETECT_PCRE,
DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
- DETECT_ISDATAAT, -1);
+ DETECT_ISDATAAT, DETECT_BYTEMATH, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {
}
if (offset != NULL) {
- SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s);
- if (bed_sm == NULL) {
+ DetectByteIndexType index;
+ if (!DetectByteRetrieveSMVar(offset, s, &index)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in byte_jump - %s", offset);
goto error;
}
- data->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- data->flags |= DETECT_BYTEJUMP_OFFSET_BE;
+ data->offset = index;
+ data->flags |= DETECT_CONTENT_OFFSET_VAR;
SCFree(offset);
offset = NULL;
}
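Review bot: The error text in this branch still reads `Unknown byte_extract var`, although the lookup is now `DetectByteRetrieveSMVar()` and the depth, distance, offset and within hunks were reworded to `unknown byte_ keyword var`. If the new lookup also resolves byte_math variables, as the rest of the change suggests, a rule author who mistypes one is pointed at the wrong keyword. The byte_test value and offset branches and the isdataat branch (including its `isdataat uses byte_extract with local id` debug line) carry the same leftover wording. Suggested here: `"unknown byte_ keyword var seen in byte_jump - %s"`.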
#include "detect-content.h"
#include "detect-uricontent.h"
+#include "detect-byte.h"
#include "detect-bytetest.h"
#include "detect-bytejump.h"
#include "detect-byte-extract.h"
/* A successful match depends on negation */
if ((!neg && match) || (neg && !match)) {
- SCLogDebug("MATCH");
+ SCLogDebug("MATCH [bt] extracted value is %"PRIu64, val);
SCReturnInt(1);
}
prev_pm = DetectGetLastSMFromLists(s,
DETECT_CONTENT, DETECT_PCRE,
DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
- DETECT_ISDATAAT, -1);
+ DETECT_ISDATAAT, DETECT_BYTEMATH, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {
prev_pm = DetectGetLastSMFromLists(s,
DETECT_CONTENT, DETECT_PCRE,
DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
- DETECT_ISDATAAT, -1);
+ DETECT_ISDATAAT, DETECT_BYTEMATH, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {
}
if (value != NULL) {
- SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(value, s);
- if (bed_sm == NULL) {
+ DetectByteIndexType index;
+ if (!DetectByteRetrieveSMVar(value, s, &index)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in byte_test - %s\n", value);
goto error;
}
- data->value = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- data->flags |= DETECT_BYTETEST_VALUE_BE;
+ data->value = index;
+ data->flags |= DETECT_BYTETEST_VALUE_VAR;
SCFree(value);
value = NULL;
}
if (offset != NULL) {
- SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s);
- if (bed_sm == NULL) {
+ DetectByteIndexType index;
+ if (!DetectByteRetrieveSMVar(offset, s, &index)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in byte_test - %s\n", offset);
goto error;
}
- data->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- data->flags |= DETECT_BYTETEST_OFFSET_BE;
+ data->offset = index;
+ data->flags |= DETECT_BYTETEST_OFFSET_VAR;
SCFree(offset);
offset = NULL;
}
#define DETECT_BYTETEST_RELATIVE BIT_U8(3) /**< "relative" offset */
#define DETECT_BYTETEST_DCE BIT_U8(4) /**< dce enabled */
#define DETECT_BYTETEST_BITMASK BIT_U8(5) /**< bitmask supplied*/
-#define DETECT_BYTETEST_VALUE_BE BIT_U8(6) /**< byte extract value enabled */
-#define DETECT_BYTETEST_OFFSET_BE BIT_U8(7) /**< byte extract value enabled */
+#define DETECT_BYTETEST_VALUE_VAR BIT_U8(6) /**< byte extract value enabled */
+#define DETECT_BYTETEST_OFFSET_VAR BIT_U8(7) /**< byte extract value enabled */
typedef struct DetectBytetestData_ {
uint8_t nbytes; /**< Number of bytes to compare */
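Review bot: Both renamed macros keep the doc comment `byte extract value enabled`, which was already wrong for the offset flag and no longer names where the value comes from. Suggested: `/**< value is an index into byte_values */` for `DETECT_BYTETEST_VALUE_VAR` and `/**< offset is an index into byte_values */` for `DETECT_BYTETEST_OFFSET_VAR`. The `/* BE - byte extract */` heading above the `DETECT_CONTENT_*_VAR` block in detect-content.h is stale in the same way.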
#define DETECT_CONTENT_ENDS_WITH BIT_U32(10)
/* BE - byte extract */
-#define DETECT_CONTENT_OFFSET_BE BIT_U32(11)
-#define DETECT_CONTENT_DEPTH_BE BIT_U32(12)
-#define DETECT_CONTENT_DISTANCE_BE BIT_U32(13)
-#define DETECT_CONTENT_WITHIN_BE BIT_U32(14)
+#define DETECT_CONTENT_OFFSET_VAR BIT_U32(11)
+#define DETECT_CONTENT_DEPTH_VAR BIT_U32(12)
+#define DETECT_CONTENT_DISTANCE_VAR BIT_U32(13)
+#define DETECT_CONTENT_WITHIN_VAR BIT_U32(14)
/* replace data */
#define DETECT_CONTENT_REPLACE BIT_U32(15)
#include "detect-parse.h"
#include "detect-content.h"
#include "detect-uricontent.h"
+#include "detect-byte.h"
#include "detect-byte-extract.h"
#include "detect-depth.h"
goto end;
}
if (str[0] != '-' && isalpha((unsigned char)str[0])) {
- SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s);
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var "
+ DetectByteIndexType index;
+ if (!DetectByteRetrieveSMVar(str, s, &index)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_ keyword var "
"seen in depth - %s.", str);
goto end;
}
- cd->depth = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_DEPTH_BE;
+ cd->depth = index;
+ cd->flags |= DETECT_CONTENT_DEPTH_VAR;
} else {
if (StringParseUint16(&cd->depth, 0, 0, str) < 0)
{
#include "detect-content.h"
#include "detect-uricontent.h"
#include "detect-pcre.h"
+#include "detect-byte.h"
#include "detect-byte-extract.h"
#include "detect-distance.h"
goto end;
}
if (str[0] != '-' && isalpha((unsigned char)str[0])) {
- SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s);
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var "
+ DetectByteIndexType index;
+ if (!DetectByteRetrieveSMVar(str, s, &index)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_ keyword var "
"seen in distance - %s\n", str);
goto end;
}
- cd->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_DISTANCE_BE;
+ cd->distance = index;
+ cd->flags |= DETECT_CONTENT_DISTANCE_VAR;
} else {
if (StringParseInt32(&cd->distance, 0, 0, str) < 0) {
SCLogError(SC_ERR_INVALID_SIGNATURE,
#include "detect-pcre.h"
#include "detect-isdataat.h"
#include "detect-bytetest.h"
+#include "detect-bytemath.h"
#include "detect-bytejump.h"
#include "detect-byte-extract.h"
#include "detect-replace.h"
int distance = cd->distance;
if (cd->flags & DETECT_CONTENT_DISTANCE) {
- if (cd->flags & DETECT_CONTENT_DISTANCE_BE) {
- distance = det_ctx->bj_values[cd->distance];
+ if (cd->flags & DETECT_CONTENT_DISTANCE_VAR) {
+ distance = det_ctx->byte_values[cd->distance];
}
if (distance < 0 && (uint32_t)(abs(distance)) > offset)
offset = 0;
}
if (cd->flags & DETECT_CONTENT_WITHIN) {
- if (cd->flags & DETECT_CONTENT_WITHIN_BE) {
- if ((int32_t)depth > (int32_t)(prev_buffer_offset + det_ctx->bj_values[cd->within] + distance)) {
- depth = prev_buffer_offset + det_ctx->bj_values[cd->within] + distance;
+ if (cd->flags & DETECT_CONTENT_WITHIN_VAR) {
+ if ((int32_t)depth > (int32_t)(prev_buffer_offset + det_ctx->byte_values[cd->within] + distance)) {
+ depth = prev_buffer_offset + det_ctx->byte_values[cd->within] + distance;
}
} else {
if ((int32_t)depth > (int32_t)(prev_buffer_offset + cd->within + distance)) {
}
}
- if (cd->flags & DETECT_CONTENT_DEPTH_BE) {
- if ((det_ctx->bj_values[cd->depth] + prev_buffer_offset) < depth) {
- depth = prev_buffer_offset + det_ctx->bj_values[cd->depth];
+ if (cd->flags & DETECT_CONTENT_DEPTH_VAR) {
+ if ((det_ctx->byte_values[cd->depth] + prev_buffer_offset) < depth) {
+ depth = prev_buffer_offset + det_ctx->byte_values[cd->depth];
}
} else {
if (cd->depth != 0) {
}
}
- if (cd->flags & DETECT_CONTENT_OFFSET_BE) {
- if (det_ctx->bj_values[cd->offset] > offset)
- offset = det_ctx->bj_values[cd->offset];
+ if (cd->flags & DETECT_CONTENT_OFFSET_VAR) {
+ if (det_ctx->byte_values[cd->offset] > offset)
+ offset = det_ctx->byte_values[cd->offset];
} else {
if (cd->offset > offset) {
offset = cd->offset;
}
} else { /* implied no relative matches */
/* set depth */
- if (cd->flags & DETECT_CONTENT_DEPTH_BE) {
- depth = det_ctx->bj_values[cd->depth];
+ if (cd->flags & DETECT_CONTENT_DEPTH_VAR) {
+ depth = det_ctx->byte_values[cd->depth];
} else {
if (cd->depth != 0) {
depth = cd->depth;
}
/* set offset */
- if (cd->flags & DETECT_CONTENT_OFFSET_BE)
- offset = det_ctx->bj_values[cd->offset];
+ if (cd->flags & DETECT_CONTENT_OFFSET_VAR)
+ offset = det_ctx->byte_values[cd->offset];
else
offset = cd->offset;
prev_buffer_offset = 0;
/* If the value came from a variable, make sure to adjust the depth so it's relative
* to the offset value.
*/
- if (cd->flags & (DETECT_CONTENT_DISTANCE_BE|DETECT_CONTENT_OFFSET_BE|DETECT_CONTENT_DEPTH_BE)) {
+ if (cd->flags & (DETECT_CONTENT_DISTANCE_VAR|DETECT_CONTENT_OFFSET_VAR|DETECT_CONTENT_DEPTH_VAR)) {
depth += offset;
}
const DetectIsdataatData *id = (DetectIsdataatData *)smd->ctx;
uint32_t dataat = id->dataat;
- if (id->flags & ISDATAAT_OFFSET_BE) {
- uint64_t be_value = det_ctx->bj_values[dataat];
+ if (id->flags & ISDATAAT_OFFSET_VAR) {
+ uint64_t be_value = det_ctx->byte_values[dataat];
if (be_value >= 100000000) {
if ((id->flags & ISDATAAT_NEGATED) == 0) {
SCLogDebug("extracted value %"PRIu64" very big: no match", be_value);
uint8_t btflags = btd->flags;
int32_t offset = btd->offset;
uint64_t value = btd->value;
- if (btflags & DETECT_BYTETEST_OFFSET_BE) {
- offset = det_ctx->bj_values[offset];
+ if (btflags & DETECT_BYTETEST_OFFSET_VAR) {
+ offset = det_ctx->byte_values[offset];
}
- if (btflags & DETECT_BYTETEST_VALUE_BE) {
- value = det_ctx->bj_values[value];
+ if (btflags & DETECT_BYTETEST_VALUE_VAR) {
+ value = det_ctx->byte_values[value];
}
/* if we have dce enabled we will have to use the endianness
uint16_t bjflags = bjd->flags;
int32_t offset = bjd->offset;
- if (bjflags & DETECT_BYTEJUMP_OFFSET_BE) {
- offset = det_ctx->bj_values[offset];
+ if (bjflags & DETECT_CONTENT_OFFSET_VAR) {
+ offset = det_ctx->byte_values[offset];
}
/* if we have dce enabled we will have to use the endianness
if (DetectByteExtractDoMatch(det_ctx, smd, s, buffer,
buffer_len,
- &det_ctx->bj_values[bed->local_id],
+ &det_ctx->byte_values[bed->local_id],
endian) != 1) {
goto no_match;
}
+ SCLogDebug("[BE] Fetched value for index %d: %"PRIu64,
+ bed->local_id, det_ctx->byte_values[bed->local_id]);
+ goto match;
+
+ } else if (smd->type == DETECT_BYTEMATH) {
+
+ DetectByteMathData *bmd = (DetectByteMathData *)smd->ctx;
+ uint8_t endian = bmd->endian;
+
+ /* if we have dce enabled we will have to use the endianness
+ * specified by the dce header */
+ if ((bmd->flags & DETECT_BYTEMATH_FLAG_ENDIAN) &&
+ endian == DETECT_BYTEMATH_ENDIAN_DCE &&
+ flags & (DETECT_CI_FLAGS_DCE_LE|DETECT_CI_FLAGS_DCE_BE)) {
+
+ /* enable the endianness flag temporarily. once we are done
+ * processing we reset the flags to the original value*/
+ endian |= ((flags & DETECT_CI_FLAGS_DCE_LE) ?
+ DETECT_BYTEMATH_ENDIAN_LITTLE : DETECT_BYTEMATH_ENDIAN_BIG);
+ }
+ uint64_t rvalue;
+ if (bmd->flags & DETECT_BYTEMATH_RVALUE_VAR) {
+ rvalue = det_ctx->byte_values[bmd->local_id];
+ } else {
+ rvalue = bmd->rvalue;
+ }
+
+
+ if (DetectByteMathDoMatch(det_ctx, smd, s, buffer,
+ buffer_len,
+ rvalue,
+ &det_ctx->byte_values[bmd->local_id],
+ endian) != 1) {
+ goto no_match;
+ }
+
+ SCLogDebug("[BM] Fetched value for index %d: %"PRIu64,
+ bmd->local_id, det_ctx->byte_values[bmd->local_id]);
goto match;
} else if (smd->type == DETECT_BSIZE) {
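Review bot: When `DETECT_BYTEMATH_RVALUE_VAR` is set, `rvalue` is read from `det_ctx->byte_values[bmd->local_id]`, the same slot that is passed as the output pointer a few lines later. The operand is therefore whatever the result slot held before this match, not the referenced variable. The byte_math parser is not in view, but if it stores the variable's index in `bmd->rvalue`, the way the other keywords store it in `offset`/`value`, the read should be `rvalue = det_ctx->byte_values[bmd->rvalue];`. As written, a rule with a variable rvalue computes on stale or uninitialised data (the array comes from `SCMalloc`), which can silently change what the rule matches. The comment about resetting the flags also no longer applies, because `endian` is a local copy.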
/* We have to effectively "wild card" values that will be coming from
* byte_extract variables
*/
- if (cd->flags & (DETECT_CONTENT_DEPTH_BE | DETECT_CONTENT_OFFSET_BE)) {
+ if (cd->flags & (DETECT_CONTENT_DEPTH_VAR | DETECT_CONTENT_OFFSET_VAR)) {
pat_depth = pat_offset = 0;
}
#include "detect-nocase.h"
#include "detect-rawbytes.h"
#include "detect-bytetest.h"
+#include "detect-bytemath.h"
#include "detect-bytejump.h"
#include "detect-sameip.h"
#include "detect-l3proto.h"
DetectRawbytesRegister();
DetectBytetestRegister();
DetectBytejumpRegister();
+ DetectBytemathRegister();
DetectSameipRegister();
DetectGeoipRegister();
DetectL3ProtoRegister();
}
/* byte_extract storage */
- det_ctx->bj_values = SCMalloc(sizeof(*det_ctx->bj_values) *
+ det_ctx->byte_values = SCMalloc(sizeof(*det_ctx->byte_values) *
(de_ctx->byte_extract_max_local_id + 1));
- if (det_ctx->bj_values == NULL) {
+ if (det_ctx->byte_values == NULL) {
return TM_ECODE_FAILED;
}
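Review bot: The array is still sized from `de_ctx->byte_extract_max_local_id`, while this commit also writes through `&det_ctx->byte_values[bmd->local_id]` for byte_math. The byte_math setup code is not visible here; it has to raise that same maximum (or share the id counter), otherwise the write lands past the allocation. I would update the comment to `/* byte_* storage, sized by the highest local_id of byte_extract and byte_math */`. Consider `SCCalloc(de_ctx->byte_extract_max_local_id + 1, sizeof(*det_ctx->byte_values))` as well, so that a slot no keyword has written yet reads as 0.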
RuleMatchCandidateTxArrayFree(det_ctx);
- if (det_ctx->bj_values != NULL)
- SCFree(det_ctx->bj_values);
+ if (det_ctx->byte_values != NULL)
+ SCFree(det_ctx->byte_values);
/* Decoded base64 data. */
if (det_ctx->base64_decoded != NULL) {
#include "util-debug.h"
#include "util-byte.h"
#include "detect-pcre.h"
-#include "detect-bytejump.h"
-#include "detect-byte-extract.h"
+#include "detect-byte.h"
/**
* \brief Regex for parsing our isdataat options
prev_pm = DetectGetLastSMFromLists(s,
DETECT_CONTENT, DETECT_PCRE,
DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
- DETECT_ISDATAAT, -1);
+ DETECT_ISDATAAT, DETECT_BYTEMATH, -1);
if (prev_pm == NULL)
sm_list = DETECT_SM_LIST_PMATCH;
else {
}
if (offset != NULL) {
- SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s);
- if (bed_sm == NULL) {
+ DetectByteIndexType index;
+ if (!DetectByteRetrieveSMVar(offset, s, &index)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in isdataat - %s\n", offset);
goto end;
}
- idad->dataat = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- idad->flags |= ISDATAAT_OFFSET_BE;
+ idad->dataat = index;
+ idad->flags |= ISDATAAT_OFFSET_VAR;
SCLogDebug("isdataat uses byte_extract with local id %u", idad->dataat);
SCFree(offset);
offset = NULL;
#ifndef __DETECT_ISDATAAT_H__
#define __DETECT_ISDATAAT_H__
-#define ISDATAAT_RELATIVE 0x01
-#define ISDATAAT_RAWBYTES 0x02
-#define ISDATAAT_NEGATED 0x04
-#define ISDATAAT_OFFSET_BE 0x08
+#define ISDATAAT_RELATIVE 0x01
+#define ISDATAAT_RAWBYTES 0x02
+#define ISDATAAT_NEGATED 0x04
+#define ISDATAAT_OFFSET_VAR 0x08
#define ISDATAAT_MIN 0
#define ISDATAAT_MAX 65535
#include "detect-parse.h"
#include "detect-content.h"
#include "detect-uricontent.h"
+#include "detect-byte.h"
#include "detect-byte-extract.h"
#include "detect-offset.h"
goto end;
}
if (str[0] != '-' && isalpha((unsigned char)str[0])) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(str, s);
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var "
+ DetectByteIndexType index;
+ if (!DetectByteRetrieveSMVar(str, s, &index)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_ keyword var "
"seen in offset - %s.", str);
goto end;
}
- cd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_OFFSET_BE;
+ cd->offset = index;
+ cd->flags |= DETECT_CONTENT_OFFSET_VAR;
} else {
if (StringParseUint16(&cd->offset, 0, 0, str) < 0)
{
#include "detect-parse.h"
#include "detect-content.h"
#include "detect-uricontent.h"
-#include "detect-bytejump.h"
-#include "detect-byte-extract.h"
+#include "detect-byte.h"
#include "app-layer.h"
#include "flow-var.h"
goto end;
}
if (str[0] != '-' && isalpha((unsigned char)str[0])) {
- SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s);
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var "
+ DetectByteIndexType index;
+ if (!DetectByteRetrieveSMVar(str, s, &index)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_ keyword var "
"seen in within - %s\n", str);
goto end;
}
- cd->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_WITHIN_BE;
+ cd->within = index;
+ cd->flags |= DETECT_CONTENT_WITHIN_VAR;
} else {
if (StringParseInt32(&cd->within, 0, 0, str) < 0) {
SCLogError(SC_ERR_INVALID_SIGNATURE,
/** ip only rules ctx */
DetectEngineIPOnlyThreadCtx io_ctx;
- /* byte jump values */
- uint64_t *bj_values;
+ /* byte_* values */
+ uint64_t *byte_values;
/* string to replace */
DetectReplaceList *replist;