detect: remove DMATCH list
authorVictor Julien <victor@inliniac.net>
Thu, 22 Dec 2016 22:56:48 +0000 (23:56 +0100)
committerVictor Julien <victor@inliniac.net>
Thu, 16 Feb 2017 09:35:43 +0000 (10:35 +0100)
14 files changed:
src/detect-bytejump.c
src/detect-bytetest.c
src/detect-content.c
src/detect-dce-stub-data.c
src/detect-engine-dcepayload.c
src/detect-engine-dcepayload.h
src/detect-engine-state.c
src/detect-engine-state.h
src/detect-engine.c
src/detect-isdataat.c
src/detect-parse.c
src/detect-pcre.c
src/detect.c
src/detect.h

index 246f1faab767c394a49a8d087f1b3f95fb2e4a1f..e09e3f7b7cef2a7ec870c4231a28dbd7afac1c61 100644 (file)
@@ -640,6 +640,7 @@ static void DetectBytejumpFree(void *ptr)
 #ifdef UNITTESTS
 #include "util-unittest-helper.h"
 static int g_file_data_buffer_id = 0;
+static int g_dce_stub_data_buffer_id = 0;
 
 /**
  * \test DetectBytejumpTestParse01 is a test to make sure that we return
@@ -832,7 +833,7 @@ static int DetectBytejumpTestParse09(void)
     result &= (DetectBytejumpSetup(NULL, s, "4,0, string, oct, dce") == -1);
     result &= (DetectBytejumpSetup(NULL, s, "4,0, string, hex, dce") == -1);
     result &= (DetectBytejumpSetup(NULL, s, "4,0, from_beginning, dce") == -1);
-    result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
+    result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
 
     SigFree(s);
     return result;
@@ -865,12 +866,12 @@ static int DetectBytejumpTestParse10(void)
         goto end;
     }
     s = de_ctx->sig_list;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_BYTEJUMP);
-    bd = (DetectBytejumpData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTEJUMP);
+    bd = (DetectBytejumpData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if (!(bd->flags & DETECT_BYTEJUMP_DCE) &&
         !(bd->flags & DETECT_BYTEJUMP_RELATIVE) &&
         (bd->flags & DETECT_BYTEJUMP_STRING) &&
@@ -892,12 +893,12 @@ static int DetectBytejumpTestParse10(void)
         goto end;
     }
     s = s->next;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_BYTEJUMP);
-    bd = (DetectBytejumpData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTEJUMP);
+    bd = (DetectBytejumpData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if (!(bd->flags & DETECT_BYTEJUMP_DCE) &&
         !(bd->flags & DETECT_BYTEJUMP_RELATIVE) &&
         (bd->flags & DETECT_BYTEJUMP_STRING) &&
@@ -919,12 +920,12 @@ static int DetectBytejumpTestParse10(void)
         goto end;
     }
     s = s->next;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_BYTEJUMP);
-    bd = (DetectBytejumpData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTEJUMP);
+    bd = (DetectBytejumpData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if ((bd->flags & DETECT_BYTEJUMP_DCE) &&
         !(bd->flags & DETECT_BYTEJUMP_RELATIVE) &&
         (bd->flags & DETECT_BYTEJUMP_STRING) &&
@@ -1290,6 +1291,7 @@ static void DetectBytejumpRegisterTests(void)
 {
 #ifdef UNITTESTS
     g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
+    g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
 
     UtRegisterTest("DetectBytejumpTestParse01", DetectBytejumpTestParse01);
     UtRegisterTest("DetectBytejumpTestParse02", DetectBytejumpTestParse02);
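Review bot: The new `g_dce_stub_data_buffer_id` is used as a raw index into `s->sm_lists[]` / `s->sm_lists_tail[]` by the tests above, but the value returned by `DetectBufferTypeGetByName("dce_stub_data")` is never validated; if that lookup reports an unregistered name with a negative id (cannot tell from here), every test indexes one slot before the array. A one-line guard after the assignment, e.g. `BUG_ON(g_dce_stub_data_buffer_id < 0);`, or a FAIL_IF in the first test that uses it, turns that into a clear failure. The same pattern is added to detect-bytetest.c and detect-content.c in this commit and deserves the same check.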
index c51483dd8e9ca5fc576680c05ed74b1de2b7b60d..49e58ad7d2055a06a4918eba1d996f01dae426f5 100644 (file)
@@ -578,6 +578,7 @@ static void DetectBytetestFree(void *ptr)
 #ifdef UNITTESTS
 #include "util-unittest-helper.h"
 static int g_file_data_buffer_id = 0;
+static int g_dce_stub_data_buffer_id = 0;
 
 /**
  * \test DetectBytetestTestParse01 is a test to make sure that we return "something"
@@ -1020,12 +1021,12 @@ static int DetectBytetestTestParse20(void)
         goto end;
     }
     s = de_ctx->sig_list;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_BYTETEST);
-    bd = (DetectBytetestData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTETEST);
+    bd = (DetectBytetestData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if (!(bd->flags & DETECT_BYTETEST_DCE) &&
         !(bd->flags & DETECT_BYTETEST_RELATIVE) &&
         (bd->flags & DETECT_BYTETEST_STRING) &&
@@ -1047,12 +1048,12 @@ static int DetectBytetestTestParse20(void)
         goto end;
     }
     s = s->next;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_BYTETEST);
-    bd = (DetectBytetestData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTETEST);
+    bd = (DetectBytetestData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if (!(bd->flags & DETECT_BYTETEST_DCE) &&
         !(bd->flags & DETECT_BYTETEST_RELATIVE) &&
         (bd->flags & DETECT_BYTETEST_STRING) &&
@@ -1074,12 +1075,12 @@ static int DetectBytetestTestParse20(void)
         goto end;
     }
     s = s->next;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_BYTETEST);
-    bd = (DetectBytetestData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTETEST);
+    bd = (DetectBytetestData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if ((bd->flags & DETECT_BYTETEST_DCE) &&
         !(bd->flags & DETECT_BYTETEST_RELATIVE) &&
         (bd->flags & DETECT_BYTETEST_STRING) &&
@@ -1436,6 +1437,7 @@ static void DetectBytetestRegisterTests(void)
 {
 #ifdef UNITTESTS
     g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
+    g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
 
     UtRegisterTest("DetectBytetestTestParse01", DetectBytetestTestParse01);
     UtRegisterTest("DetectBytetestTestParse02", DetectBytetestTestParse02);
index 9c77013875e47bef763407f1e862254687cf6139..42fb944738dfc02738af8cf62285c42d9428d706 100644 (file)
@@ -425,6 +425,7 @@ void DetectContentFree(void *ptr)
 
 #ifdef UNITTESTS /* UNITTESTS */
 static int g_file_data_buffer_id = 0;
+static int g_dce_stub_data_buffer_id = 0;
 
 /**
  * \test DetectCotentParseTest01 this is a test to make sure we can deal with escaped colons
@@ -1133,7 +1134,7 @@ static int DetectContentParseTest18(void)
     s->alproto = ALPROTO_DCERPC;
 
     result &= (DetectContentSetup(de_ctx, s, "\"one\"") == 0);
-    result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
+    result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
 
     SigFree(s);
 
@@ -1142,7 +1143,7 @@ static int DetectContentParseTest18(void)
         return 0;
 
     result &= (DetectContentSetup(de_ctx, s, "\"one\"") == 0);
-    result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
+    result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
 
  end:
     SigFree(s);
@@ -1178,13 +1179,13 @@ static int DetectContentParseTest19(void)
         goto end;
     }
     s = de_ctx->sig_list;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
     result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
-    data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if (data->flags & DETECT_CONTENT_RAWBYTES ||
         data->flags & DETECT_CONTENT_NOCASE ||
         data->flags & DETECT_CONTENT_WITHIN ||
@@ -1207,13 +1208,13 @@ static int DetectContentParseTest19(void)
         goto end;
     }
     s = s->next;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
     result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
-    data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if (data->flags & DETECT_CONTENT_RAWBYTES ||
         data->flags & DETECT_CONTENT_NOCASE ||
         !(data->flags & DETECT_CONTENT_WITHIN) ||
@@ -1238,13 +1239,13 @@ static int DetectContentParseTest19(void)
         goto end;
     }
     s = s->next;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
     result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
-    data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if (data->flags & DETECT_CONTENT_RAWBYTES ||
         data->flags & DETECT_CONTENT_NOCASE ||
         data->flags & DETECT_CONTENT_WITHIN ||
@@ -1256,7 +1257,7 @@ static int DetectContentParseTest19(void)
         goto end;
     }
     result &= (data->offset == 5 && data->depth == 9);
-    data = (DetectContentData *)s->sm_lists[DETECT_SM_LIST_DMATCH]->ctx;
+    data = (DetectContentData *)s->sm_lists[g_dce_stub_data_buffer_id]->ctx;
     if (data->flags & DETECT_CONTENT_RAWBYTES ||
         data->flags & DETECT_CONTENT_NOCASE ||
         !(data->flags & DETECT_CONTENT_WITHIN) ||
@@ -1279,13 +1280,13 @@ static int DetectContentParseTest19(void)
         goto end;
     }
     s = s->next;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
     result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
-    data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if (data->flags & DETECT_CONTENT_RAWBYTES ||
         data->flags & DETECT_CONTENT_NOCASE ||
         data->flags & DETECT_CONTENT_WITHIN ||
@@ -1309,13 +1310,13 @@ static int DetectContentParseTest19(void)
         goto end;
     }
     s = s->next;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
     result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
-    data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if (data->flags & DETECT_CONTENT_RAWBYTES ||
         data->flags & DETECT_CONTENT_NOCASE ||
         !(data->flags & DETECT_CONTENT_WITHIN) ||
@@ -1339,13 +1340,13 @@ static int DetectContentParseTest19(void)
         goto end;
     }
     s = s->next;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
     result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
-    data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if (data->flags & DETECT_CONTENT_RAWBYTES ||
         data->flags & DETECT_CONTENT_NOCASE ||
         data->flags & DETECT_CONTENT_WITHIN ||
@@ -1369,13 +1370,13 @@ static int DetectContentParseTest19(void)
         goto end;
     }
     s = s->next;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
     result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
-    data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if (data->flags & DETECT_CONTENT_RAWBYTES ||
         data->flags & DETECT_CONTENT_NOCASE ||
         data->flags & DETECT_CONTENT_WITHIN ||
@@ -1399,13 +1400,13 @@ static int DetectContentParseTest19(void)
         goto end;
     }
     s = s->next;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
     result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
-    data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if (data->flags & DETECT_CONTENT_RAWBYTES ||
         data->flags & DETECT_CONTENT_NOCASE ||
         data->flags & DETECT_CONTENT_WITHIN ||
@@ -1427,7 +1428,7 @@ static int DetectContentParseTest19(void)
         goto end;
     }
     s = s->next;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] != NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] != NULL) {
         result = 0;
         goto end;
     }
@@ -2849,6 +2850,7 @@ static void DetectContentRegisterTests(void)
 {
 #ifdef UNITTESTS /* UNITTESTS */
     g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
+    g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
 
     UtRegisterTest("DetectContentParseTest01", DetectContentParseTest01);
     UtRegisterTest("DetectContentParseTest02", DetectContentParseTest02);
index bc4831ebb3fe8ad5c6422495535f5b7f6b51013c..fa9788fd2ada6c1634de95690b82f331f811835d 100644 (file)
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2010 Open Information Security Foundation
+/* Copyright (C) 2007-2016 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
@@ -19,6 +19,7 @@
  * \file
  *
  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
+ * \author Anoop Saldanha <victor@inliniac.net>
  *
  * Implements dce_stub_data keyword
  */
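Review bot: The added `\author` line pairs Anoop Saldanha's name with victor@inliniac.net, duplicating the name on the line above it; given the commit author it presumably should read `* \author Victor Julien <victor@inliniac.net>`.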
@@ -31,6 +32,8 @@
 #include "detect-engine.h"
 #include "detect-engine-mpm.h"
 #include "detect-engine-state.h"
+#include "detect-engine-prefilter.h"
+#include "detect-engine-content-inspection.h"
 
 #include "flow.h"
 #include "flow-var.h"
@@ -40,7 +43,9 @@
 #include "app-layer-dcerpc.h"
 #include "queue.h"
 #include "stream-tcp-reassemble.h"
+
 #include "detect-dce-stub-data.h"
+#include "detect-dce-iface.h"
 
 #include "util-debug.h"
 
 
 #include "stream-tcp.h"
 
+#define BUFFER_NAME "dce_stub_data"
+#define KEYWORD_NAME "dce_stub_data"
+
 static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, char *);
 static void DetectDceStubDataRegisterTests(void);
+static int g_dce_stub_data_buffer_id = 0;
+
+/** \brief DCERPC Stub Data Mpm prefilter callback
+ *
+ *  \param det_ctx detection engine thread ctx
+ *  \param p packet to inspect
+ *  \param f flow to inspect
+ *  \param txv tx to inspect
+ *  \param pectx inspection context
+ */
+static void PrefilterTxDceStubDataRequest(DetectEngineThreadCtx *det_ctx,
+        const void *pectx,
+        Packet *p, Flow *f, void *txv,
+        const uint64_t idx, const uint8_t flags)
+{
+    SCEnter();
+
+    const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
+    DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
+    if (dcerpc_state == NULL)
+        return;
+
+    uint32_t buffer_len = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len;
+    const uint8_t *buffer = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer;
+
+    if (buffer_len >= mpm_ctx->minlen) {
+        (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
+                &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
+    }
+}
+
+static int PrefilterTxDceStubDataRequestRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
+{
+    SCEnter();
+
+    int r = PrefilterAppendTxEngine(sgh, PrefilterTxDceStubDataRequest,
+        ALPROTO_DCERPC, 0,
+        mpm_ctx, NULL, KEYWORD_NAME " (request)");
+    if (r == 0) {
+        r = PrefilterAppendTxEngine(sgh, PrefilterTxDceStubDataRequest,
+                ALPROTO_SMB, 0,
+                mpm_ctx, NULL, KEYWORD_NAME " (request)");
+    }
+    return r;
+}
+
+/** \brief DCERPC Stub Data Mpm prefilter callback
+ *
+ *  \param det_ctx detection engine thread ctx
+ *  \param p packet to inspect
+ *  \param f flow to inspect
+ *  \param txv tx to inspect
+ *  \param pectx inspection context
+ */
+static void PrefilterTxDceStubDataResponse(DetectEngineThreadCtx *det_ctx,
+        const void *pectx,
+        Packet *p, Flow *f, void *txv,
+        const uint64_t idx, const uint8_t flags)
+{
+    SCEnter();
+
+    const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
 
+    DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
+    if (dcerpc_state == NULL)
+        return;
+
+    uint32_t buffer_len = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer_len;
+    const uint8_t *buffer = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer;
+
+    if (buffer_len >= mpm_ctx->minlen) {
+        (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
+                &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
+    }
+}
+
+static int PrefilterTxDceStubDataResponseRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
+{
+    SCEnter();
+
+    int r = PrefilterAppendTxEngine(sgh, PrefilterTxDceStubDataResponse,
+        ALPROTO_DCERPC, 0,
+        mpm_ctx, NULL, KEYWORD_NAME " (response)");
+    if (r == 0) {
+        r = PrefilterAppendTxEngine(sgh, PrefilterTxDceStubDataResponse,
+                ALPROTO_SMB, 0,
+                mpm_ctx, NULL, KEYWORD_NAME " (response)");
+    }
+    return r;
+}
+
+static int InspectEngineDceStubData(ThreadVars *tv,
+        DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
+        const Signature *s, const SigMatchData *smd,
+        Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
+{
+    uint32_t buffer_len = 0;
+    uint8_t *buffer = NULL;
+
+    DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
+    if (dcerpc_state == NULL)
+        goto end;
+
+    if (flags & STREAM_TOSERVER) {
+        buffer_len = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len;
+        buffer = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer;
+    } else if (flags & STREAM_TOCLIENT) {
+        buffer_len = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer_len;
+        buffer = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer;
+    }
+
+    if (buffer == NULL ||buffer_len == 0)
+        goto end;
+
+    det_ctx->buffer_offset = 0;
+    det_ctx->discontinue_matching = 0;
+    det_ctx->inspection_recursion_counter = 0;
+    int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
+                                          f,
+                                          buffer, buffer_len,
+                                          0,
+                                          DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE,
+                                          dcerpc_state);
+    if (r == 1)
+        return DETECT_ENGINE_INSPECT_SIG_MATCH;
+
+end:
+    return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+}
 /**
  * \brief Registers the keyword handlers for the "dce_stub_data" keyword.
  */
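Review bot: PrefilterTxDceStubDataRequest and PrefilterTxDceStubDataResponse (and their two Register wrappers) differ only in whether they read `dcerpcrequest` or `dcerpcresponse`, and both hand the buffer to Search with only a length check, without the `buffer == NULL` guard that InspectEngineDceStubData applies before DetectEngineContentInspection; pulling the state lookup, guard and Search call into one static helper keeps the two paths from drifting. Both prefilters and the inspect engine also ignore the `txv`/`idx`/`tx_id` they are given and read the flow-level stub buffers from `f->alstate`, so presumably every transaction on a flow is scanned against the same buffer — if that is the intended DCERPC state model, a comment saying so would save the next reader a detour. Minor: `if (buffer == NULL ||buffer_len == 0)` is missing a space, and `InspectEngineDceStubData` takes `alstate` but uses `f->alstate` instead. The hunk header for this block was lost in rendering; the `DetectDceStubDataRegister` comment at the end continues into the next hunk.
```c
/* Shared body of both prefilters: scan one stub-data buffer with the
 * group's MPM context; the NULL guard mirrors InspectEngineDceStubData. */
static void PrefilterDceStubData(DetectEngineThreadCtx *det_ctx,
        const MpmCtx *mpm_ctx, const uint8_t *buffer, uint32_t buffer_len)
{
    if (buffer != NULL && buffer_len >= mpm_ctx->minlen) {
        (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
                &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
    }
}

static void PrefilterTxDceStubDataRequest(DetectEngineThreadCtx *det_ctx,
        const void *pectx,
        Packet *p, Flow *f, void *txv,
        const uint64_t idx, const uint8_t flags)
{
    SCEnter();

    /* flow-level stub buffer is inspected; txv/idx are not consulted */
    DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
    if (dcerpc_state == NULL)
        return;

    PrefilterDceStubData(det_ctx, (const MpmCtx *)pectx,
            dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer,
            dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len);
}

/* … unchanged: PrefilterTxDceStubDataRequestRegister … */

/* PrefilterTxDceStubDataResponse: same shape, reading dcerpcresponse */
```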
@@ -66,7 +202,26 @@ void DetectDceStubDataRegister(void)
     sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_NOOPT;
     sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_PAYLOAD;
 
-    return;
+    DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
+            PrefilterTxDceStubDataRequestRegister);
+    DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
+            PrefilterTxDceStubDataResponseRegister);
+
+    DetectAppLayerInspectEngineRegister(BUFFER_NAME,
+            ALPROTO_DCERPC, SIG_FLAG_TOSERVER,
+            InspectEngineDceStubData);
+    DetectAppLayerInspectEngineRegister(BUFFER_NAME,
+            ALPROTO_DCERPC, SIG_FLAG_TOCLIENT,
+            InspectEngineDceStubData);
+
+    DetectAppLayerInspectEngineRegister(BUFFER_NAME,
+            ALPROTO_SMB, SIG_FLAG_TOSERVER,
+            InspectEngineDceStubData);
+    DetectAppLayerInspectEngineRegister(BUFFER_NAME,
+            ALPROTO_SMB, SIG_FLAG_TOCLIENT,
+            InspectEngineDceStubData);
+
+    g_dce_stub_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
 }
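Review bot: The two bare `2` arguments to DetectAppLayerMpmRegister and the extra ALPROTO_SMB registrations are unexplained; a reader has to know that DetectDceGetState() takes the flow's alproto to guess why SMB flows are covered, and nothing says what priority 2 means relative to the other buffers. Suggest a comment above the block such as `/* priority 2; SMB is registered as well because DetectDceGetState() presumably yields the DCERPC state carried over SMB — confirm */`. Note also that DetectDceStubDataSetup (next hunk) still pins `s->alproto = ALPROTO_DCERPC`, so whether an SMB-only flow ever reaches these engines is worth a sentence in that comment too.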
 
 /**
@@ -89,7 +244,7 @@ static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
         goto error;
     }
 
-    s->init_data->list = DETECT_SM_LIST_DMATCH;
+    s->init_data->list = g_dce_stub_data_buffer_id;
     s->alproto = ALPROTO_DCERPC;
     s->flags |= SIG_FLAG_APPLAYER;
     return 0;
@@ -110,7 +265,7 @@ static int DetectDceStubDataTestParse01(void)
     Signature *s = DetectEngineAppendSig(de_ctx,
             "alert tcp any any -> any any (dce_stub_data; content:\"1\"; sid:1;)");
     FAIL_IF_NULL(s);
-    FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_DMATCH]);
+    FAIL_IF_NULL(s->sm_lists[g_dce_stub_data_buffer_id]);
     DetectEngineCtxFree(de_ctx);
     PASS;
 }
index cfb60a54fc1d203c486b66b042788b56dc158ed6..0ed15ec5f623ddfa15d859d355d55a936911cc13 100644 (file)
@@ -49,6 +49,9 @@
 
 #include "detect-dce-iface.h"
 
+static int g_dce_stub_data_buffer_id = 0;
+
+#if 0
 /**
  * \brief Do the content inspection & validation for a signature against dce stub.
  *
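Review bot: `static int g_dce_stub_data_buffer_id = 0;` is introduced here and the DcePayloadParseTest* hunks below index `smlists`/`smlists_tail` with it, but no assignment to it appears anywhere in this file's hunks; unless the test-registration function (outside this view) sets it from `DetectBufferTypeGetByName("dce_stub_data")`, those tests silently check list 0 instead of the stub-data list. Wrapping DetectEngineInspectDcePayload in `#if 0` also keeps roughly eighty lines of dead code that the following hunks then go on to edit; since the commit removes the DMATCH list and git keeps the history, deleting the function (and its declaration in detect-engine-dcepayload.h) is cleaner than parking it under `#if 0`.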
@@ -73,7 +76,7 @@ int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
     uint16_t dce_stub_data_len;
     int r = 0;
 
-    if (s->sm_arrays[DETECT_SM_LIST_DMATCH] == NULL || dcerpc_state == NULL) {
+    if (s->sm_arrays[g_dce_stub_data_buffer_id] == NULL || dcerpc_state == NULL) {
         SCReturnInt(0);
     }
 
@@ -87,13 +90,13 @@ int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
         det_ctx->discontinue_matching = 0;
         det_ctx->inspection_recursion_counter = 0;
 
-        r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_arrays[DETECT_SM_LIST_DMATCH],
+        r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_arrays[g_dce_stub_data_buffer_id],
                                           f,
                                           dce_stub_data,
                                           dce_stub_data_len,
                                           0,
                                           0, dcerpc_state);
-        //r = DoInspectDcePayload(de_ctx, det_ctx, s, s->init_data->smlists[DETECT_SM_LIST_DMATCH], f,
+        //r = DoInspectDcePayload(de_ctx, det_ctx, s, s->init_data->smlists[g_dce_stub_data_buffer_id], f,
         //dce_stub_data, dce_stub_data_len, dcerpc_state);
         if (r == 1) {
             SCReturnInt(1);
@@ -110,13 +113,13 @@ int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
         det_ctx->discontinue_matching = 0;
         det_ctx->inspection_recursion_counter = 0;
 
-        r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_arrays[DETECT_SM_LIST_DMATCH],
+        r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_arrays[g_dce_stub_data_buffer_id],
                                           f,
                                           dce_stub_data,
                                           dce_stub_data_len,
                                           0,
                                           0, dcerpc_state);
-        //r = DoInspectDcePayload(de_ctx, det_ctx, s, s->init_data->smlists[DETECT_SM_LIST_DMATCH], f,
+        //r = DoInspectDcePayload(de_ctx, det_ctx, s, s->init_data->smlists[g_dce_stub_data_buffer_id], f,
         //dce_stub_data, dce_stub_data_len, dcerpc_state);
         if (r == 1) {
             SCReturnInt(1);
@@ -125,6 +128,7 @@ int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
 
     SCReturnInt(0);
 }
+#endif
 
 /**************************************Unittests*******************************/
 
@@ -7500,7 +7504,7 @@ static int DcePayloadParseTest25(void)
         goto end;
     }
 
-    if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] != NULL) {
+    if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
         result = 0;
         goto end;
     }
@@ -7623,7 +7627,7 @@ static int DcePayloadParseTest26(void)
         goto end;
     }
 
-    if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] != NULL) {
+    if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
         result = 0;
         goto end;
     }
@@ -7749,7 +7753,7 @@ static int DcePayloadParseTest27(void)
         goto end;
     }
 
-    if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
@@ -7758,7 +7762,7 @@ static int DcePayloadParseTest27(void)
         goto end;
     }
 
-    sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+    sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
     if (sm->type != DETECT_CONTENT) {
         result = 0;
         goto end;
@@ -7876,7 +7880,7 @@ static int DcePayloadParseTest28(void)
         goto end;
     }
 
-    if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
@@ -7885,7 +7889,7 @@ static int DcePayloadParseTest28(void)
         goto end;
     }
 
-    sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+    sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
     if (sm->type != DETECT_CONTENT) {
         result = 0;
         goto end;
@@ -8005,7 +8009,7 @@ static int DcePayloadParseTest29(void)
         goto end;
     }
 
-    if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] != NULL) {
+    if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
         result = 0;
         goto end;
     }
@@ -8147,7 +8151,7 @@ static int DcePayloadParseTest30(void)
         goto end;
     }
 
-    if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] != NULL) {
+    if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
         result = 0;
         goto end;
     }
@@ -8294,7 +8298,7 @@ static int DcePayloadParseTest31(void)
         goto end;
     }
 
-    if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
@@ -8303,7 +8307,7 @@ static int DcePayloadParseTest31(void)
         goto end;
     }
 
-    sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+    sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
     if (sm->type != DETECT_BYTEJUMP) {
         result = 0;
         goto end;
@@ -8441,7 +8445,7 @@ static int DcePayloadParseTest32(void)
         goto end;
     }
 
-    if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
@@ -8450,7 +8454,7 @@ static int DcePayloadParseTest32(void)
         goto end;
     }
 
-    sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+    sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
     if (sm->type != DETECT_BYTEJUMP) {
         result = 0;
         goto end;
@@ -8588,7 +8592,7 @@ static int DcePayloadParseTest33(void)
         goto end;
     }
 
-    if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
@@ -8597,7 +8601,7 @@ static int DcePayloadParseTest33(void)
         goto end;
     }
 
-    sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+    sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
     if (sm->type != DETECT_PCRE) {
         result = 0;
         goto end;
@@ -8731,7 +8735,7 @@ static int DcePayloadParseTest34(void)
         goto end;
     }
 
-    if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
@@ -8740,7 +8744,7 @@ static int DcePayloadParseTest34(void)
         goto end;
     }
 
-    sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+    sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
     if (sm->type != DETECT_PCRE) {
         result = 0;
         goto end;
@@ -8852,7 +8856,7 @@ static int DcePayloadParseTest35(void)
         goto end;
     }
 
-    if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
@@ -8861,7 +8865,7 @@ static int DcePayloadParseTest35(void)
         goto end;
     }
 
-    sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+    sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
     if (sm->type != DETECT_BYTETEST) {
         result = 0;
         goto end;
@@ -8940,7 +8944,7 @@ static int DcePayloadParseTest36(void)
         goto end;
     }
 
-    if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
@@ -8949,7 +8953,7 @@ static int DcePayloadParseTest36(void)
         goto end;
     }
 
-    sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+    sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
     if (sm->type != DETECT_ISDATAAT) {
         result = 0;
         goto end;
@@ -9045,7 +9049,7 @@ static int DcePayloadParseTest37(void)
         goto end;
     }
 
-    if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
@@ -9054,7 +9058,7 @@ static int DcePayloadParseTest37(void)
         goto end;
     }
 
-    sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+    sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
     if (sm->type != DETECT_BYTEJUMP) {
         result = 0;
         goto end;
@@ -9154,7 +9158,7 @@ static int DcePayloadParseTest38(void)
         goto end;
     }
 
-    if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
@@ -9163,7 +9167,7 @@ static int DcePayloadParseTest38(void)
         goto end;
     }
 
-    sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+    sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
     if (sm->type != DETECT_PCRE) {
         result = 0;
         goto end;
@@ -9270,7 +9274,7 @@ static int DcePayloadParseTest39(void)
         goto end;
     }
 
-    if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
@@ -9301,7 +9305,7 @@ static int DcePayloadParseTest39(void)
 
     result &= (sm->next == NULL);
 
-    sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+    sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
     data = (DetectContentData *)sm->ctx;
     if (data->flags & DETECT_CONTENT_RAWBYTES ||
         data->flags & DETECT_CONTENT_NOCASE ||
@@ -9359,7 +9363,7 @@ static int DcePayloadParseTest40(void)
         goto end;
     }
 
-    if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
@@ -9368,7 +9372,7 @@ static int DcePayloadParseTest40(void)
         goto end;
     }
 
-    sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+    sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
     if (sm->type != DETECT_CONTENT) {
         result = 0;
         goto end;
@@ -9489,7 +9493,7 @@ static int DcePayloadParseTest41(void)
         goto end;
     }
 
-    if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
@@ -9498,7 +9502,7 @@ static int DcePayloadParseTest41(void)
         goto end;
     }
 
-    sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+    sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
     if (sm->type != DETECT_CONTENT) {
         result = 0;
         goto end;
@@ -9818,11 +9822,11 @@ static int DcePayloadParseTest44(void)
             "sid:1;)");
     FAIL_IF_NULL(s);
 
-    FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH]);
+    FAIL_IF_NULL(s->init_data->smlists_tail[g_dce_stub_data_buffer_id]);
     FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
 
     /* isdataat:10,relative; */
-    sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+    sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
     FAIL_IF(sm->type != DETECT_ISDATAAT);
     isd = (DetectIsdataatData *)sm->ctx;
     FAIL_IF(isd->flags & ISDATAAT_RAWBYTES);
@@ -9913,7 +9917,7 @@ static int DcePayloadParseTest45(void)
         goto end;
     }
 
-    if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
@@ -9922,7 +9926,7 @@ static int DcePayloadParseTest45(void)
         goto end;
     }
 
-    sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+    sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
     if (sm->type != DETECT_BYTEJUMP) {
         result = 0;
         goto end;
@@ -10025,7 +10029,7 @@ static int DcePayloadParseTest46(void)
         goto end;
     }
 
-    if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
@@ -10034,7 +10038,7 @@ static int DcePayloadParseTest46(void)
         goto end;
     }
 
-    sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+    sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
     if (sm->type != DETECT_BYTETEST) {
         result = 0;
         goto end;
@@ -10108,6 +10112,7 @@ static int DcePayloadParseTest46(void)
 
 void DcePayloadRegisterTests(void)
 {
+    g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
 
 #ifdef UNITTESTS
     UtRegisterTest("DcePayloadTest01", DcePayloadTest01);
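Review bot: The new assignment `g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");` is placed above the `#ifdef UNITTESTS` guard, whereas the matching assignments added in detect-isdataat.c (hunk ending at line 1162) and detect-pcre.c (hunk ending at line 1274) sit inside it. If the variable's definition in this file is guarded by `UNITTESTS` as it is in the sibling files, a build without unit tests will fail to compile on this line; moving it below the `#ifdef` keeps the three files consistent. None of the three registration functions checks the lookup result, yet every rewritten test then indexes `smlists[]`/`sm_lists[]` with it, so a failed lookup would surface as an out-of-bounds read inside a test rather than a clear failure; a `BUG_ON(g_dce_stub_data_buffer_id < 0)` after the assignment (adjusted to whatever sentinel the lookup returns on failure) would make that explicit. The rest of DcePayloadRegisterTests continues outside the hunk.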
index da7dfb92996e22fbd9b3754707fe3212549808ac..d67a3cffe0937221429f215a5067c82c1bf18763 100644 (file)
@@ -24,8 +24,8 @@
 #ifndef __DETECT_ENGINE_DCEPAYLOAD_H__
 #define __DETECT_ENGINE_DCEPAYLOAD_H__
 
-int DetectEngineInspectDcePayload(DetectEngineCtx *, DetectEngineThreadCtx *,
-        const Signature *, Flow *, uint8_t, void *);
+//int DetectEngineInspectDcePayload(DetectEngineCtx *, DetectEngineThreadCtx *,
+//        const Signature *, Flow *, uint8_t, void *);
 
 void DcePayloadRegisterTests(void);
 
index c499a08fe93657586114cd89fd6147e0b0b7371f..8a860e982f84845b99d02adb4f9a955e5ad0a770 100644 (file)
@@ -303,12 +303,6 @@ int DeStateFlowHasInspectableState(Flow *f, AppProto alproto,
     return r;
 }
 
-static int StoreState(Flow *f, const uint8_t flags, const uint8_t alversion)
-{
-    DeStateStoreStateVersion(f, alversion, flags);
-    return 1;
-}
-
 static void StoreStateTxHandleFiles(DetectEngineThreadCtx *det_ctx, Flow *f,
                                     DetectEngineState *destate, const uint8_t flags,
                                     const uint64_t tx_id, const uint16_t file_no_match)
@@ -383,7 +377,6 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
     uint16_t file_no_match = 0;
     uint32_t inspect_flags = 0;
     int alert_cnt = 0;
-    int dmatch = 0;
 
     SCLogDebug("rule %u", s->id);
 
@@ -517,51 +510,6 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
                 break;
         } /* for */
     }
-    /* DCERPC matches */
-    if (s->sm_arrays[DETECT_SM_LIST_DMATCH] != NULL &&
-               (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB ||
-                alproto == ALPROTO_SMB2))
-    {
-        void *alstate = FlowGetAppState(f);
-        if (alstate == NULL) {
-            goto end;
-        }
-
-        KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_DMATCH);
-        if (DetectEngineInspectDcePayload(de_ctx, det_ctx, s, f,
-                    flags, alstate) == 1) {
-            inspect_flags |= DE_STATE_FLAG_DCE_PAYLOAD_INSPECT;
-            dmatch = 1;
-        }
-    }
-
-    /* if AMATCH and/or DMATCH are in use, see if we need to
-     * alert and store the state */
-    if (s->sm_arrays[DETECT_SM_LIST_DMATCH] != NULL)
-    {
-        /* if dmatch in use and match
-           or
-           sig can't match
-         */
-        if (inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH) {
-            inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;
-        } else {
-            if (dmatch || s->sm_arrays[DETECT_SM_LIST_DMATCH] == NULL)
-            {
-                if (!(s->flags & SIG_FLAG_NOALERT)) {
-                    PacketAlertAppend(det_ctx, s, p, 0,
-                            PACKET_ALERT_FLAG_STATE_MATCH);
-                } else {
-                    DetectSignatureApplyActions(p, s);
-                }
-                alert_cnt = 1;
-
-                inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;
-            }
-        }
-
-        StoreState(f, flags, alversion);
-    }
  end:
     det_ctx->tx_id = 0;
     det_ctx->tx_id_set = 0;
index 9215739841ccfdbe67471503dc3fb8c6a240d766..d1b789da724094bda27cbb2b4b6d560f8893a3de 100644 (file)
 #define DE_STATE_FLAG_FULL_INSPECT              BIT_U32(0)
 #define DE_STATE_FLAG_SIG_CANT_MATCH            BIT_U32(1)
 
-#define DE_STATE_FLAG_DCE_PAYLOAD_INSPECT       BIT_U32(2)
-#define DE_STATE_FLAG_FILE_TC_INSPECT           BIT_U32(3)
-#define DE_STATE_FLAG_FILE_TS_INSPECT           BIT_U32(4)
+#define DE_STATE_FLAG_FILE_TC_INSPECT           BIT_U32(2)
+#define DE_STATE_FLAG_FILE_TS_INSPECT           BIT_U32(3)
 
 /* first bit position after the built-ins */
-#define DE_STATE_FLAG_BASE                      5UL
+#define DE_STATE_FLAG_BASE                      4UL
 
 /* state flags */
 #define DETECT_ENGINE_STATE_FLAG_FILE_STORE_DISABLED 0x0001
index b8ed69605824fcef72b525a41382bdae265e769f..594e301319331a9f1412274e70c64ef8c51e7df0 100644 (file)
@@ -2906,8 +2906,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
         case DETECT_SM_LIST_PMATCH:
             return "packet/stream payload";
 
-        case DETECT_SM_LIST_DMATCH:
-            return "dcerpc";
         case DETECT_SM_LIST_TMATCH:
             return "tag";
 
index 5a018a5891b97a351b7a8427cc1588ec370a13af..6eb098141d9c3f2677fe10e458dede672bbdbda1 100644 (file)
@@ -290,6 +290,7 @@ void DetectIsdataatFree(void *ptr)
 
 
 #ifdef UNITTESTS
+static int g_dce_stub_data_buffer_id = 0;
 
 /**
  * \test DetectIsdataatTestParse01 is a test to make sure that we return a correct IsdataatData structure
@@ -353,14 +354,14 @@ int DetectIsdataatTestParse04(void)
     s->alproto = ALPROTO_DCERPC;
 
     result &= (DetectIsdataatSetup(NULL, s, "30") == 0);
-    result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
+    result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
     SigFree(s);
 
     s = SigAlloc();
     s->alproto = ALPROTO_DCERPC;
     /* failure since we have no preceding content/pcre/bytejump */
     result &= (DetectIsdataatSetup(NULL, s, "30,relative") == 0);
-    result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
+    result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
 
     SigFree(s);
 
@@ -393,12 +394,12 @@ int DetectIsdataatTestParse05(void)
         goto end;
     }
     s = de_ctx->sig_list;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_ISDATAAT);
-    data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_ISDATAAT);
+    data = (DetectIsdataatData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if ( !(data->flags & ISDATAAT_RELATIVE) ||
          (data->flags & ISDATAAT_RAWBYTES) ) {
         result = 0;
@@ -416,12 +417,12 @@ int DetectIsdataatTestParse05(void)
         goto end;
     }
     s = s->next;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_ISDATAAT);
-    data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_ISDATAAT);
+    data = (DetectIsdataatData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if ( !(data->flags & ISDATAAT_RELATIVE) ||
          (data->flags & ISDATAAT_RAWBYTES) ) {
         result = 0;
@@ -439,12 +440,12 @@ int DetectIsdataatTestParse05(void)
         goto end;
     }
     s = s->next;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_ISDATAAT);
-    data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_ISDATAAT);
+    data = (DetectIsdataatData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if ( !(data->flags & ISDATAAT_RELATIVE) ||
          !(data->flags & ISDATAAT_RAWBYTES) ) {
         result = 0;
@@ -459,7 +460,7 @@ int DetectIsdataatTestParse05(void)
         goto end;
     }
     s = s->next;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] != NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] != NULL) {
         result = 0;
         goto end;
     }
@@ -628,6 +629,8 @@ end:
 void DetectIsdataatRegisterTests(void)
 {
 #ifdef UNITTESTS
+    g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
+
     UtRegisterTest("DetectIsdataatTestParse01", DetectIsdataatTestParse01);
     UtRegisterTest("DetectIsdataatTestParse02", DetectIsdataatTestParse02);
     UtRegisterTest("DetectIsdataatTestParse03", DetectIsdataatTestParse03);
index 7bce331188baca59ab5587a223ed45f9c8af6a68..6385500f171c592bdc0edb04651d1105cb95a5e8 100644 (file)
@@ -141,7 +141,6 @@ const char *DetectListToHumanString(int list)
     switch (list) {
         CASE_CODE_STRING(DETECT_SM_LIST_MATCH, "packet");
         CASE_CODE_STRING(DETECT_SM_LIST_PMATCH, "payload");
-        CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
         CASE_CODE_STRING(DETECT_SM_LIST_TMATCH, "tag");
         CASE_CODE_STRING(DETECT_SM_LIST_POSTMATCH, "postmatch");
         CASE_CODE_STRING(DETECT_SM_LIST_SUPPRESS, "suppress");
@@ -158,7 +157,6 @@ const char *DetectListToString(int list)
     switch (list) {
         CASE_CODE(DETECT_SM_LIST_MATCH);
         CASE_CODE(DETECT_SM_LIST_PMATCH);
-        CASE_CODE(DETECT_SM_LIST_DMATCH);
         CASE_CODE(DETECT_SM_LIST_TMATCH);
         CASE_CODE(DETECT_SM_LIST_POSTMATCH);
         CASE_CODE(DETECT_SM_LIST_SUPPRESS);
@@ -1598,11 +1596,6 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr,
         }
     }
 
-    if (sig->init_data->smlists[DETECT_SM_LIST_DMATCH])
-        sig->flags |= SIG_FLAG_STATE_MATCH;
-    /* for other lists this flag is set when the inspect engines
-     * are registered */
-
     if (!(sig->init_data->init_flags & SIG_FLAG_INIT_FLOW)) {
         sig->flags |= SIG_FLAG_TOSERVER;
         sig->flags |= SIG_FLAG_TOCLIENT;
index e531d6a2cbffa20cabb30ca5f55f7d069aa75d32..d4e3bbe8a0d0359b2a717c5d955232f2f41df7e4 100644 (file)
@@ -770,6 +770,7 @@ void DetectPcreFree(void *ptr)
 #ifdef UNITTESTS /* UNITTESTS */
 static int g_file_data_buffer_id = 0;
 static int g_http_header_buffer_id = 0;
+static int g_dce_stub_data_buffer_id = 0;
 
 /**
  * \test DetectPcreParseTest01 make sure we don't allow invalid opts 7.
@@ -960,7 +961,7 @@ int DetectPcreParseTest10(void)
     s->alproto = ALPROTO_DCERPC;
 
     FAIL_IF_NOT(DetectPcreSetup(de_ctx, s, "/bamboo/") == 0);
-    FAIL_IF_NOT(s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
+    FAIL_IF_NOT(s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
 
     SigFree(s);
 
@@ -969,7 +970,7 @@ int DetectPcreParseTest10(void)
 
     /* failure since we have no preceding content/pcre/bytejump */
     FAIL_IF_NOT(DetectPcreSetup(de_ctx, s, "/bamboo/") == 0);
-    FAIL_IF_NOT(s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
+    FAIL_IF_NOT(s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
 
     SigFree(s);
     DetectEngineCtxFree(de_ctx);
@@ -997,9 +998,9 @@ int DetectPcreParseTest11(void)
                                "pcre:/bamboo/R; sid:1;)");
     FAIL_IF(de_ctx == NULL);
     s = de_ctx->sig_list;
-    FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL);
-    FAIL_IF_NOT(s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE);
-    data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL);
+    FAIL_IF_NOT(s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_PCRE);
+    data = (DetectPcreData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     FAIL_IF(data->flags & DETECT_PCRE_RAWBYTES ||
         !(data->flags & DETECT_PCRE_RELATIVE));
 
@@ -1010,9 +1011,9 @@ int DetectPcreParseTest11(void)
                       "pcre:/bamboo/R; sid:1;)");
     FAIL_IF_NULL(s->next);
     s = s->next;
-    FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL);
-    FAIL_IF_NOT(s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE);
-    data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL);
+    FAIL_IF_NOT(s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_PCRE);
+    data = (DetectPcreData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     FAIL_IF(data->flags & DETECT_PCRE_RAWBYTES ||
         !(data->flags & DETECT_PCRE_RELATIVE));
 
@@ -1023,9 +1024,9 @@ int DetectPcreParseTest11(void)
                       "pcre:/bamboo/RB; sid:1;)");
     FAIL_IF(s->next == NULL);
     s = s->next;
-    FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL);
-    FAIL_IF_NOT(s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE);
-    data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL);
+    FAIL_IF_NOT(s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_PCRE);
+    data = (DetectPcreData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     FAIL_IF(!(data->flags & DETECT_PCRE_RAWBYTES) ||
         !(data->flags & DETECT_PCRE_RELATIVE));
 
@@ -1034,7 +1035,7 @@ int DetectPcreParseTest11(void)
                       "content:\"one\"; pcre:/bamboo/; sid:1;)");
     FAIL_IF(s->next == NULL);
     s = s->next;
-    FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_DMATCH] != NULL);
+    FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] != NULL);
 
     SigGroupCleanup(de_ctx);
     SigCleanSignatures(de_ctx);
@@ -3312,6 +3313,7 @@ void DetectPcreRegisterTests(void)
 #ifdef UNITTESTS /* UNITTESTS */
     g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
     g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
+    g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
 
     UtRegisterTest("DetectPcreParseTest01", DetectPcreParseTest01);
     UtRegisterTest("DetectPcreParseTest02", DetectPcreParseTest02);
index 780216a30e2f65c8373aee4bd9d111e82552c490..4906c52f49ae0b62ccdd2f2d991559d161f3f2cc 100644 (file)
@@ -2221,11 +2221,6 @@ static int SignatureCreateMask(Signature *s)
         SCLogDebug("sig requires payload");
     }
 
-    if (s->init_data->smlists[DETECT_SM_LIST_DMATCH] != NULL) {
-        s->mask |= SIG_MASK_REQUIRE_DCE_STATE;
-        SCLogDebug("sig requires dce state");
-    }
-
     SigMatch *sm;
     for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
         switch(sm->type) {
index 0580fa779af8efa6fa048f4980c62429bbab0760..2e01c5f3a2b8a1b8893eb296a0b789cc5a655f38 100644 (file)
@@ -88,9 +88,6 @@ enum DetectSigmatchListEnum {
     DETECT_SM_LIST_MATCH = 0,
     DETECT_SM_LIST_PMATCH,
 
-    /* list for DCE matches */
-    DETECT_SM_LIST_DMATCH,
-
     /* base64_data keyword uses some hardcoded logic so consider
      * built-in
      * TODO convert to inspect engine */