Pull request #3810: appid: Changes logic in ssl pattern matching

Merge in SNORT/snort3 from ~LCZARNIK/snort3:wildcard to master

Squashed commit of the following:

commit 6231d29de020c2bcd883429293b9c5fb28775efb
Author: Lukasz Czarnik <lczarnik@cisco.com>
Date:   Mon Apr 17 09:50:20 2023 -0400

    appid: Changes logic in ssl pattern matching

diff --git a/src/network_inspectors/appid/detector_plugins/ssl_patterns.cc b/src/network_inspectors/appid/detector_plugins/ssl_patterns.cc
index 486999a6f0d7034e767602e66bee818916ac0109..468bae7351c3a9fac22bb9d7ca6e2b960b33a3be 100644 (file)
--- a/src/network_inspectors/appid/detector_plugins/ssl_patterns.cc
+++ b/src/network_inspectors/appid/detector_plugins/ssl_patterns.cc
@@ -99,12 +99,15 @@ static bool scan_patterns(SearchTool& matcher, const uint8_t* data, size_t size,
     best_match = nullptr;
     while (mp)
     {
-        /*  Only patterns that match start of payload,
+        /*  Only patterns that match end of the payload AND
+            (match the start of the payload
+            or match after '.'
             or patterns starting with '.'
-            or patterns following '.' in payload are considered a match. */
-        if (mp->match_start_pos == 0 ||
-            *mp->mpattern->pattern == '.' ||
-            data[mp->match_start_pos-1] == '.')
+            ) are considered a match. */
+        if (mp->match_start_pos + mp->mpattern->pattern_size == (int)size and
+            (mp->match_start_pos == 0 or
+            data[mp->match_start_pos-1] == '.' or
+            *mp->mpattern->pattern == '.'))
         {
             if (!best_match ||
                 mp->mpattern->pattern_size > best_match->pattern_size)