From: Anoop Saldanha Date: Mon, 20 Feb 2012 06:02:42 +0000 (+0530) Subject: All http_http_raw_uri modified patterns now are DETECT_CONTENT and not DETECT_AL_HTTP... X-Git-Tag: suricata-1.3beta1~181 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=059ee217ff69493a356a00e25a92080703725dc7;p=thirdparty%2Fsuricata.git All http_http_raw_uri modified patterns now are DETECT_CONTENT and not DETECT_AL_HTTP_RAW_URI --- diff --git a/src/detect-depth.c b/src/detect-depth.c index c5e69aefce..e982d4ed7c 100644 --- a/src/detect-depth.c +++ b/src/detect-depth.c @@ -88,7 +88,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths pm = SigMatchGetLastSMFromLists(s, 22, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], 
@@ -162,47 +162,6 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths break; - case DETECT_AL_HTTP_RAW_URI: - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in depth - %s\n", str); - goto error; - } - cd->depth = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_DEPTH_BE; - } else { - cd->depth = (uint32_t)atoi(str); - if (cd->depth < cd->content_len) { - cd->depth = cd->content_len; - SCLogDebug("depth increased to %"PRIu32" to match pattern len ", - cd->depth); - } - /* Now update the real limit, as depth is relative to the offset */ - cd->depth += cd->offset; - cd->flags |= DETECT_CONTENT_DEPTH; - } - - break; - case DETECT_AL_HTTP_STAT_MSG: cd = (DetectContentData *)pm->ctx; if (cd->flags & DETECT_CONTENT_NEGATED) { diff --git a/src/detect-distance.c b/src/detect-distance.c index 03751ff342..948de01801 100644 --- a/src/detect-distance.c +++ b/src/detect-distance.c 
@@ -163,7 +163,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, pm = SigMatchGetLastSMFromLists(s, 22, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], 
@@ -291,68 +291,6 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, break; - case DETECT_AL_HTTP_RAW_URI: - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in distance - %s\n", str); - goto error; - } - cd->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_DISTANCE_BE; - } else { - cd->distance = strtol(str, NULL, 10); - } - - cd->flags |= DETECT_CONTENT_DISTANCE; - - /* reassigning pm */ - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_AL_HTTP_RAW_URI, pm->prev, - DETECT_PCRE, pm->prev); - if (pm == NULL) { - SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for " - "http_raw_uri needs preceeding http_raw_uri " - "content"); - goto error; - } - - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - /* reassigning cd */ - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword " - "has a fast_pattern:only; set. 
You can't " - "have relative keywords around a fast_pattern " - "only content"); - goto error; - } - cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } - - break; - case DETECT_AL_HTTP_STAT_MSG: cd = (DetectContentData *)pm->ctx; if (cd->flags & DETECT_CONTENT_NEGATED) { diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c index 7d0f8a8c28..5a68f87cf1 100644 --- a/src/detect-engine-content-inspection.c +++ b/src/detect-engine-content-inspection.c @@ -108,7 +108,6 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx /* \todo unify this which is phase 2 of payload inspection unification */ if (sm->type == DETECT_CONTENT || - sm->type == DETECT_AL_HTTP_RAW_URI || sm->type == DETECT_AL_HTTP_STAT_CODE || sm->type == DETECT_AL_HTTP_STAT_MSG) { diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index ca637f67d5..5f85287b0d 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c @@ -143,7 +143,7 @@ void SupportFastPatternForSigMatchTypes(void) SupportFastPatternForSigMatchType(DETECT_CONTENT); SupportFastPatternForSigMatchList(DETECT_SM_LIST_HCDMATCH); - SupportFastPatternForSigMatchType(DETECT_AL_HTTP_RAW_URI); + SupportFastPatternForSigMatchType(DETECT_CONTENT); SupportFastPatternForSigMatchList(DETECT_SM_LIST_HRUDMATCH); SupportFastPatternForSigMatchType(DETECT_AL_HTTP_STAT_MSG); @@ -247,7 +247,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]); + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]); if (pm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern found inside " "the rule, without a content context. Please use a " 
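Review bot: In the `@@ -143` hunk of src/detect-fast-pattern.c, `SupportFastPatternForSigMatchType(DETECT_CONTENT);` now repeats the identical call two lines above it, so the http_raw_uri entry no longer registers anything type-specific. Whether the repeated call adds a duplicate entry or is ignored depends on SupportFastPatternForSigMatchType, which is not shown in the hunk. I would drop the repeated type registration and keep only `SupportFastPatternForSigMatchList(DETECT_SM_LIST_HRUDMATCH);`, or add a comment such as `/* http_raw_uri: type is DETECT_CONTENT, only the list differs */`. SupportFastPatternForSigMatchTypes continues past the hunk.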
diff --git a/src/detect-http-raw-uri.c b/src/detect-http-raw-uri.c index c52942e2f2..f2dc7a0168 100644 --- a/src/detect-http-raw-uri.c +++ b/src/detect-http-raw-uri.c @@ -139,7 +139,7 @@ static int DetectHttpRawUriSetup(DetectEngineCtx *de_ctx, Signature *s, char *ar /* reassigning pm */ pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_AL_HTTP_RAW_URI, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]); @@ -158,7 +158,7 @@ static int DetectHttpRawUriSetup(DetectEngineCtx *de_ctx, Signature *s, char *ar } } cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HRUDMATCH); - sm->type = DETECT_AL_HTTP_RAW_URI; + sm->type = DETECT_CONTENT; /* transfer the sm from the pmatch list to hrudmatch list */ SigMatchTransferSigMatchAcrossLists(sm, @@ -264,11 +264,11 @@ int DetectHttpRawUriTest03(void) } while (sm != NULL) { - if (sm->type == DETECT_AL_HTTP_RAW_URI) { + if (sm->type == DETECT_CONTENT) { result = 1; } else { - printf("expected DETECT_AL_HTTP_RAW_URI(%d), got %d: ", - DETECT_AL_HTTP_RAW_URI, sm->type); + printf("expected DETECT_CONTENT for http_raw_uri(%d), got %d: ", + DETECT_CONTENT, sm->type); goto end; } sm = sm->next; @@ -331,7 +331,7 @@ int DetectHttpRawUriTest05(void) } if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL) goto end; - if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH]->type != DETECT_AL_HTTP_RAW_URI) { + if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH]->type != DETECT_CONTENT) { printf("wrong type\n"); goto end; } @@ -749,8 +749,8 @@ int DetectHttpRawUriTest15(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " "(content:\"one\"; http_raw_uri; within:5; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index d843fdb699..886b10c3be 100644 
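Review bot: With `sm->type = DETECT_CONTENT;` in the `@@ -158` hunk of DetectHttpRawUriSetup, an http_raw_uri pattern can be told apart from a payload content only by the list it sits in (DETECT_SM_LIST_HRUDMATCH), so every place that keyed on DETECT_AL_HTTP_RAW_URI must now work from list membership. The one I would check is the `@@ -2211` hunk in src/detect.c, which drops the case that set `SIG_MASK_REQUIRE_HTTP_STATE`. If nothing else in SignatureCreateMask sets that bit for a non-empty HRUDMATCH list, signatures that use only http_raw_uri lose the HTTP-state requirement in their mask; that function's body is outside the hunk, so this is a question rather than a finding. The assignment itself presumably re-sets a value the sigmatch already had, so a comment such as `/* stays DETECT_CONTENT; the HRUDMATCH list identifies it as http_raw_uri */` would explain why it is kept.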
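Review bot: DetectHttpRawUriTest15 in the `@@ -749` hunk now passes only if a rule with a lone `http_raw_uri` content followed by `within:5` loads, and nothing in the test or the commit message says that accepting it is intended. The DETECT_AL_HTTP_RAW_URI branch removed from src/detect-within.c rejected this case with "needs preceeding http_raw_uri content", so rule authors lose a load-time error for a relative keyword that has nothing before it. If accepting it is intended, please add a comment above the check, for example `/* within with no preceding http_raw_uri pattern is accepted, same as for plain content */`; the DETECT_CONTENT branch that now handles it is not visible here. Consider also asserting that `DETECT_CONTENT_WITHIN` ends up set on the HRUDMATCH sigmatch. The test body continues outside the hunk.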
--- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c @@ -360,7 +360,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 10 */ @@ -419,7 +419,6 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst switch (prev_pm->type) { case DETECT_CONTENT: - case DETECT_AL_HTTP_RAW_URI: case DETECT_AL_HTTP_STAT_MSG: case DETECT_AL_HTTP_STAT_CODE: /* Set the relative next flag on the prev sigmatch */ diff --git a/src/detect-nocase.c b/src/detect-nocase.c index 03a5b6bae9..b74a947488 100644 --- a/src/detect-nocase.c +++ b/src/detect-nocase.c @@ -82,7 +82,7 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]); @@ -98,7 +98,6 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls switch (pm->type) { case DETECT_CONTENT: - case DETECT_AL_HTTP_RAW_URI: case DETECT_AL_HTTP_STAT_MSG: case DETECT_AL_HTTP_STAT_CODE: cd = (DetectContentData *)pm->ctx; 
diff --git a/src/detect-offset.c b/src/detect-offset.c index b9ea9ab6a9..57d9349724 100644 --- a/src/detect-offset.c +++ b/src/detect-offset.c @@ -94,7 +94,7 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr) DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]); + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]); if (pm == NULL) { SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs " "preceeding content or uricontent option, http_client_body, " 
@@ -163,50 +163,6 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr) break; - case DETECT_AL_HTTP_RAW_URI: - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in offset - %s\n", str); - goto error; - } - cd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_OFFSET_BE; - } else { - cd->offset = (uint32_t)atoi(str); - if (cd->depth != 0) { - if (cd->depth < cd->content_len) { - SCLogDebug("depth increased to %"PRIu32" to match pattern len", - cd->content_len); - cd->depth = cd->content_len; - } - /* Updating the depth as is relative to the offset */ - cd->depth += cd->offset; - } - } - - cd->flags |= DETECT_CONTENT_OFFSET; - - break; - case DETECT_AL_HTTP_STAT_MSG: cd = (DetectContentData *)pm->ctx; if (cd->flags & DETECT_CONTENT_NEGATED) { diff --git a/src/detect-pcre.c b/src/detect-pcre.c index 71cf8435f4..9532680a6a 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -1201,9 +1201,8 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst SCReturnInt(0); } - prev_sm = SigMatchGetLastSMFromLists(s, 10, + prev_sm = SigMatchGetLastSMFromLists(s, 8, DETECT_CONTENT, sm->prev, - DETECT_AL_HTTP_RAW_URI, sm->prev, DETECT_PCRE, sm->prev, DETECT_AL_HTTP_STAT_MSG, sm->prev, DETECT_AL_HTTP_STAT_CODE, sm->prev); 
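Review bot: The argument count passed to `SigMatchGetLastSMFromLists` in the `@@ -1201` hunk of DetectPcreSetup is a hand-maintained literal, and this edit stays correct only because `10` was changed to `8` in the same step that dropped one type/list pair. The four remaining pairs do add up to 8, but a later edit that changes one and not the other would make the callee walk the wrong number of arguments (assuming it is variadic, as the call shape suggests). A short comment next to the literal, e.g. `/* 2 x 4 type/list pairs */`, would make the dependency visible. The other call sites touched by this commit keep their counts because a pair is replaced rather than removed.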
@@ -1232,7 +1231,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst case DETECT_CONTENT: case DETECT_AL_HTTP_STAT_MSG: case DETECT_AL_HTTP_STAT_CODE: - case DETECT_AL_HTTP_RAW_URI: /* Set the relative next flag on the prev sigmatch */ cd = (DetectContentData *)prev_sm->ctx; if (cd == NULL) { diff --git a/src/detect-within.c b/src/detect-within.c index 72a3a856e5..bdaf3e9f26 100644 --- a/src/detect-within.c +++ b/src/detect-within.c @@ -174,7 +174,7 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]); + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]); if (pm == NULL) { SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs" "preceeding content, uricontent, http_client_body, " 
@@ -300,74 +300,6 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi break; - case DETECT_AL_HTTP_RAW_URI: - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in within - %s\n", str); - goto error; - } - cd->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_WITHIN_BE; - } else { - cd->within = strtol(str, NULL, 10); - if (cd->within < (int32_t)cd->content_len) { - SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is " - "less than the content length \"%"PRIu32"\" which is invalid, since " - "this will never match. 
Invalidating signature", cd->within, - cd->content_len); - goto error; - } - } - - cd->flags |= DETECT_CONTENT_WITHIN; - - /* reassigning pm */ - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_AL_HTTP_RAW_URI, pm->prev, - DETECT_PCRE, pm->prev); - if (pm == NULL) { - SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for http_raw_uri " - "needs preceeding http_raw_uri content"); - goto error; - } - - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - /* reassigning cd */ - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword " - "has a fast_pattern:only; set. You can't " - "have relative keywords around a fast_pattern " - "only content"); - goto error; - } - cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } - - break; - case DETECT_AL_HTTP_STAT_MSG: cd = (DetectContentData *)pm->ctx; if (cd->flags & DETECT_CONTENT_NEGATED) { diff --git a/src/detect.c b/src/detect.c index 667d258122..6cb8cd15cd 100644 --- a/src/detect.c +++ b/src/detect.c @@ -2211,7 +2211,6 @@ static int SignatureCreateMask(Signature *s) { switch(sm->type) { case DETECT_AL_URILEN: case DETECT_AL_HTTP_URI: - case DETECT_AL_HTTP_RAW_URI: s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; SCLogDebug("sig requires dce http state"); break;