sm->type = DETECT_AL_APP_LAYER_EVENT;
sm->ctx = (SigMatchCtx *)data;
- if (s->alproto != ALPROTO_UNKNOWN) {
- if (s->alproto != data->alproto) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains "
- "conflicting keywords needing different alprotos");
- goto error;
- }
- } else {
- s->alproto = data->alproto;
- }
-
if (event_type == APP_LAYER_EVENT_TYPE_PACKET) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
} else {
- /* We push it to this list temporarily. We deal with
- * these in DetectAppLayerEventPrepare(). */
+ if (DetectSignatureSetAppProto(s, data->alproto) != 0)
+ goto error;
+
SigMatchAppendSMToList(s, sm, g_applayer_events_list_id);
- s->flags |= SIG_FLAG_APPLAYER;
}
return 0;
}
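Review bot: For `APP_LAYER_EVENT_TYPE_PACKET` the signature's alproto is now neither checked nor set, because the deleted block ran before the branch and the new `DetectSignatureSetAppProto(s, data->alproto)` call sits only in the else arm. The helper rejects `ALPROTO_UNKNOWN`, so skipping it for packet events may be deliberate, but nothing in the visible code says so. A short comment on the packet arm would record the intent, for example `/* packet events are not bound to an app-layer proto; only app-layer events set s->alproto */` (wording for the author to confirm). The comment that explained why these matches go to `g_applayer_events_list_id` is also deleted while the append stays. The function starts outside this hunk.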
if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
- "byte_extract with dce enabled");
+ if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
goto error;
- }
- s->alproto = ALPROTO_DCERPC;
+
if ((data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) ||
(data->base == DETECT_BYTE_EXTRACT_BASE_DEC) ||
(data->base == DETECT_BYTE_EXTRACT_BASE_HEX) ||
sm_list = DETECT_SM_LIST_PMATCH;
}
- s->alproto = ALPROTO_DCERPC;
- s->flags |= SIG_FLAG_APPLAYER;
+ if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
+ goto error;
} else if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
prev_pm = DetectGetLastSMFromLists(s,
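Review bot: The new `DetectSignatureSetAppProto(s, ALPROTO_DCERPC)` call covers only one arm of an if/else-if chain (the next arm is the `DETECT_BYTEJUMP_RELATIVE` case), while the conflict check deleted in the following hunk ran under a standalone `if (data->flags & DETECT_BYTEJUMP_DCE)`. The chain starts outside the hunk, so it is not visible whether a dce-flagged byte_jump can take an earlier arm. If it can, a rule already bound to a different protocol would now load without any error, which is a silent rule-validation gap. The helper accepts a protocol that is already set to the same value, so calling it from the standalone DCE block would cover every arm, provided binding the rule to DCERPC there is acceptable. The bytetest hunks (`DETECT_BYTETEST_DCE`) have the same shape.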
}
if (data->flags & DETECT_BYTEJUMP_DCE) {
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
- "bytejump with dce enabled");
- goto error;
- }
if ((data->flags & DETECT_BYTEJUMP_STRING) ||
(data->flags & DETECT_BYTEJUMP_LITTLE) ||
(data->flags & DETECT_BYTEJUMP_BIG) ||
sm_list = DETECT_SM_LIST_PMATCH;
}
- s->alproto = ALPROTO_DCERPC;
- s->flags |= SIG_FLAG_APPLAYER;
+ if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
+ goto error;
} else if (data->flags & DETECT_BYTETEST_RELATIVE) {
prev_pm = DetectGetLastSMFromLists(s,
}
if (data->flags & DETECT_BYTETEST_DCE) {
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
- "bytetest with dce enabled");
- goto error;
- }
if ((data->flags & DETECT_BYTETEST_STRING) ||
(data->flags & DETECT_BYTETEST_LITTLE) ||
(data->flags & DETECT_BYTETEST_BIG) ||
DetectCipServiceData *cipserviced = NULL;
SigMatch *sm = NULL;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_ENIP)
- {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
- "rule contains conflicting keywords.");
- goto error;
- }
+ if (DetectSignatureSetAppProto(s, ALPROTO_ENIP) != 0)
+ return -1;
cipserviced = DetectCipServiceParse(rulestr);
if (cipserviced == NULL)
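Review bot: The new early exit is a bare `return -1;`, while this function's success path leaves through `SCReturnInt(0)`. The same mix appears in the ENIP command, Modbus and urilen setup hunks. The top of the function is outside the hunk, so if `SCEnter()` runs before this point, `SCReturnInt(-1);` would keep the failure exit traced the same way as the others.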
sm->type = DETECT_CIPSERVICE;
sm->ctx = (void *) cipserviced;
- s->alproto = ALPROTO_ENIP;
-
SigMatchAppendSMToList(s, sm, g_cip_buffer_id);
-
SCReturnInt(0);
error:
DetectEnipCommandData *enipcmdd = NULL;
SigMatch *sm = NULL;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_ENIP)
- {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
- "rule contains conflicting keywords.");
- goto error;
- }
+ if (DetectSignatureSetAppProto(s, ALPROTO_ENIP) != 0)
+ return -1;
enipcmdd = DetectEnipCommandParse(rulestr);
if (enipcmdd == NULL)
sm->type = DETECT_ENIPCOMMAND;
sm->ctx = (void *) enipcmdd;
- s->alproto = ALPROTO_ENIP;
SigMatchAppendSMToList(s, sm, g_enip_buffer_id);
-
SCReturnInt(0);
error:
DetectDceIfaceData *did = NULL;
SigMatch *sm = NULL;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+ if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
return -1;
- }
did = DetectDceIfaceArgParse(arg);
if (did == NULL) {
sm->ctx = (void *)did;
SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
-
- s->alproto = ALPROTO_DCERPC;
- /* Flagged the signature as to inspect the app layer data */
- s->flags |= SIG_FLAG_APPLAYER;
return 0;
error:
return -1;
}
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+ if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
return -1;
- }
dod = DetectDceOpnumArgParse(arg);
if (dod == NULL) {
sm->ctx = (void *)dod;
SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
-
- s->alproto = ALPROTO_DCERPC;
- /* Flagged the signature as to inspect the app layer data */
- s->flags |= SIG_FLAG_APPLAYER;
return 0;
error:
static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
- "rule contains conflicting keywords.");
- goto error;
- }
+ if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
+ return -1;
s->init_data->list = g_dce_stub_data_buffer_id;
- s->alproto = ALPROTO_DCERPC;
- s->flags |= SIG_FLAG_APPLAYER;
return 0;
-
- error:
- return -1;
}
/************************************Unittests*********************************/
SigMatch *sm = NULL;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_FTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+ if (DetectSignatureSetAppProto(s, ALPROTO_FTP) != 0)
return -1;
- }
sm = SigMatchAlloc();
if (sm == NULL) {
sm->ctx = NULL;
SigMatchAppendSMToList(s, sm, g_ftp_request_list_id);
-
- s->alproto = ALPROTO_FTP;
- s->flags |= SIG_FLAG_APPLAYER;
SCReturnInt(0);
}
DetectModbus *modbus = NULL;
SigMatch *sm = NULL;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_MODBUS) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
- goto error;
- }
+ if (DetectSignatureSetAppProto(s, ALPROTO_MODBUS) != 0)
+ return -1;
if ((modbus = DetectModbusFunctionParse(str)) == NULL) {
if ((modbus = DetectModbusAccessParse(str)) == NULL) {
sm->ctx = (void *) modbus;
SigMatchAppendSMToList(s, sm, g_modbus_buffer_id);
- s->alproto = ALPROTO_MODBUS;
SCReturnInt(0);
SCFree(s);
}
+int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
+{
+ if (alproto == ALPROTO_UNKNOWN ||
+ alproto >= ALPROTO_FAILED) {
+ SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid alproto %u", alproto);
+ return -1;
+ }
+
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != alproto) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
+ "can't set rule app proto to %s: already set to %s",
+ AppProtoToString(alproto), AppProtoToString(s->alproto));
+ return -1;
+ }
+
+ s->alproto = alproto;
+ s->flags |= SIG_FLAG_APPLAYER;
+ return 0;
+}
+
/**
* \internal
* \brief build address match array for cache efficient matching
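Review bot: `DetectSignatureSetAppProto` is exported through the header but has no doc comment, and it does more than the name says: besides recording the protocol it also sets `SIG_FLAG_APPLAYER`. Several callers in this patch (the CIP service, ENIP command, Modbus, ssl_state, ssl_version and TLS version setups) removed only an `s->alproto = ...` assignment, so they gain the flag as a side effect. A header in the file's existing style would record that, for example `/** \brief set the rule's app-layer proto and SIG_FLAG_APPLAYER; fails if a different proto is already set \retval 0 ok \retval -1 invalid alproto or conflict */`. The conflict message also no longer names the keyword that triggered it, which the old byte_extract and ssl_state messages did.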
SigMatch *DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list, ...);
SigMatch *DetectGetLastSMByListId(const Signature *s, int list_id, ...);
+int DetectSignatureSetAppProto(Signature *s, AppProto alproto);
+
/* parse regex setup and free util funcs */
void DetectSetupParseRegexes(const char *parse_str,
DetectSshVersionData *ssh = NULL;
SigMatch *sm = NULL;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+ if (DetectSignatureSetAppProto(s, ALPROTO_SSH) != 0)
return -1;
- }
ssh = DetectSshVersionParse(str);
if (ssh == NULL)
sm->ctx = (void *)ssh;
SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id);
-
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_SSH;
return 0;
error:
DetectSshSoftwareVersionData *ssh = NULL;
SigMatch *sm = NULL;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+ if (DetectSignatureSetAppProto(s, ALPROTO_SSH) != 0)
return -1;
- }
ssh = DetectSshSoftwareVersionParse(str);
if (ssh == NULL)
sm->type = DETECT_AL_SSH_SOFTWAREVERSION;
sm->ctx = (void *)ssh;
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_SSH;
-
SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id);
-
return 0;
error:
DetectSslStateData *ssd = NULL;
SigMatch *sm = NULL;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
- "Rule contains conflicting keywords. Have non-tls alproto "
- "set for a rule containing \"ssl_state\" keyword");
- goto error;
- }
+ if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
+ return -1;
+
ssd = DetectSslStateParse(arg);
if (ssd == NULL)
goto error;
sm->type = DETECT_AL_SSL_STATE;
sm->ctx = (SigMatchCtx*)ssd;
- s->alproto = ALPROTO_TLS;
-
SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
-
return 0;
error:
DetectSslVersionData *ssl = NULL;
SigMatch *sm = NULL;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
- goto error;
- }
+ if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
+ return -1;
ssl = DetectSslVersionParse(str);
if (ssl == NULL)
sm->ctx = (void *)ssl;
SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
-
- s->alproto = ALPROTO_TLS;
return 0;
error:
SCLogDebug("\'%s\'", rawstr);
+ if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
+ return -1;
+
dd = SCCalloc(1, sizeof(DetectTlsValidityData));
if (dd == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT,"Allocation \'%s\' failed", rawstr);
if (sm == NULL)
goto error;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
- "rule contains conflicting keywords.");
- goto error;
- }
-
dd->mode = DETECT_TLS_VALIDITY_EX;
dd->type = DETECT_TLS_TYPE_NOTAFTER;
dd->epoch = 0;
sm->type = DETECT_AL_TLS_EXPIRED;
sm->ctx = (void *)dd;
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_TLS;
-
SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
-
return 0;
error:
SCLogDebug("\'%s\'", rawstr);
+ if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
+ return -1;
+
dd = SCCalloc(1, sizeof(DetectTlsValidityData));
if (dd == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT,"Allocation \'%s\' failed", rawstr);
if (sm == NULL)
goto error;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
- "rule contains conflicting keywords.");
- goto error;
- }
-
dd->mode = DETECT_TLS_VALIDITY_VA;
dd->type = DETECT_TLS_TYPE_NOTAFTER;
dd->epoch = 0;
sm->type = DETECT_AL_TLS_VALID;
sm->ctx = (void *)dd;
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_TLS;
-
SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
-
return 0;
error:
SCLogDebug("\'%s\'", rawstr);
+ if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
+ return -1;
+
dd = DetectTlsValidityParse(rawstr);
if (dd == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT,"Parsing \'%s\' failed", rawstr);
if (sm == NULL)
goto error;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
- "rule contains conflicting keywords.");
- goto error;
- }
-
if (type == DETECT_TLS_TYPE_NOTBEFORE) {
dd->type = DETECT_TLS_TYPE_NOTBEFORE;
sm->type = DETECT_AL_TLS_NOTBEFORE;
sm->ctx = (void *)dd;
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_TLS;
-
SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
-
return 0;
error:
DetectTlsVersionData *tls = NULL;
SigMatch *sm = NULL;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
- goto error;
- }
+ if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
+ return -1;
tls = DetectTlsVersionParse(str);
if (tls == NULL)
SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
- s->alproto = ALPROTO_TLS;
return 0;
error:
DetectTlsData *tls = NULL;
SigMatch *sm = NULL;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
- goto error;
- }
+ if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
+ return -1;
tls = DetectTlsSubjectParse(str);
if (tls == NULL)
sm->type = DETECT_AL_TLS_SUBJECT;
sm->ctx = (void *)tls;
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_TLS;
-
SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
-
return 0;
error:
DetectTlsData *tls = NULL;
SigMatch *sm = NULL;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
- goto error;
- }
+ if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
+ return -1;
tls = DetectTlsIssuerDNParse(str);
if (tls == NULL)
sm->type = DETECT_AL_TLS_ISSUERDN;
sm->ctx = (void *)tls;
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_TLS;
-
SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
-
return 0;
error:
DetectTlsData *tls = NULL;
SigMatch *sm = NULL;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
- goto error;
- }
+ if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
+ return -1;
tls = DetectTlsFingerprintParse(str);
if (tls == NULL)
sm->type = DETECT_AL_TLS_FINGERPRINT;
sm->ctx = (void *)tls;
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_TLS;
-
SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
-
return 0;
error:
{
SigMatch *sm = NULL;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+ if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
return -1;
- }
sm = SigMatchAlloc();
if (sm == NULL)
return -1;
sm->type = DETECT_AL_TLS_STORE;
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_TLS;
s->flags |= SIG_FLAG_TLSSTORE;
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
DetectUrilenData *urilend = NULL;
SigMatch *sm = NULL;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
- "alproto set");
- goto error;
- }
+ if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) != 0)
+ return -1;
urilend = DetectUrilenParse(urilenstr);
if (urilend == NULL)
else
SigMatchAppendSMToList(s, sm, g_http_uri_buffer_id);
- /* Flagged the signature as to inspect the app layer data */
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
-
SCReturnInt(0);
error: