From: Anoop Saldanha
Date: Thu, 14 Jun 2012 08:48:23 +0000 (+0530)
Subject: we now support offset, depth inspection against all packet payloads and stream messages
X-Git-Tag: suricata-1.3rc1~54
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0d602d9cde4f6fb2312c9879fcc2841ad5a40ae0;p=thirdparty%2Fsuricata.git

we now support offset, depth inspection against all packet payloads and stream messages
---
diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c
index 020c87062e..599901a4b0 100644
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
@@ -118,7 +118,7 @@ int SignatureHasStreamContent(Signature *s) {
 SCReturnInt(0);
 }
- if (SignatureHasPacketContent(s)) {
+ if (!(s->proto.proto[6 / 8] & 1 << (6 % 8))) {
 SCReturnInt(0);
 }
@@ -127,6 +127,10 @@ int SignatureHasStreamContent(Signature *s) {
 SCReturnInt(0);
 }
+ if (!(s->flags & SIG_FLAG_REQUIRE_STREAM)) {
+ SCReturnInt(0);
+ }
+
 SCReturnInt(1);
 }
diff --git a/src/detect-parse.c b/src/detect-parse.c
index d2639d32b9..753bb586f1 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -525,6 +525,8 @@ int SigParseProto(Signature *s, const char *protostr) {
 SCReturnInt(-1);
 }
+ /* if any of these flags are set they are set in a mutually exclusive
+ * manner */
 if (s->proto.flags & DETECT_PROTO_ONLY_PKT) {
 s->flags |= SIG_FLAG_REQUIRE_PACKET;
 } else if (s->proto.flags & DETECT_PROTO_ONLY_STREAM) {
@@ -1019,7 +1021,8 @@ static int SigValidate(Signature *s) {
 if (s->flags & SIG_FLAG_REQUIRE_PACKET &&
 s->flags & SIG_FLAG_REQUIRE_STREAM) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't mix packet keywords with tcp-stream or flow:only_stream.");
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't mix packet keywords with "
+ "tcp-stream or flow:only_stream. Invalidating signature.");
 SCReturnInt(0);
 }
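Review bot: The replacement test in the first detect-engine-mpm.c hunk hard-codes the protocol number 6 and leans on `<<` binding tighter than `&`, so the intent (is TCP in the rule's protocol bitmap) is not readable from the line and the expression trips -Wparentheses-style review. Use the standard constant and parenthesize the shift: `if (!(s->proto.proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8)))) {`, or the project's protocol-membership helper if one exists. The condition also silently drops the old SignatureHasPacketContent exclusion, which the commit message does not explain; a one-line comment saying why TCP membership is now the only proto criterion would help. SignatureHasStreamContent starts and ends outside the hunk.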
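Review bot: The SIG_FLAG_REQUIRE_STREAM check added in the second detect-engine-mpm.c hunk makes SignatureHasStreamContent depend on a flag that, as far as this commit shows, is set in SigParseProto for only_stream rules and otherwise derived in SigValidate (detect-parse.c, new line 1131), so any caller that runs before validation always gets 0. State the precondition next to the check: `/* SIG_FLAG_REQUIRE_STREAM is derived in SigValidate(); only meaningful after validation */`. Whether any call site runs earlier cannot be told from the hunk. The function's start is outside the hunk.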
@@ -1128,6 +1131,20 @@ static int SigValidate(Signature *s) {
 }
 }
+ if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
+ s->flags |= SIG_FLAG_REQUIRE_STREAM;
+ SigMatch *sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ while (sm != NULL) {
+ if (sm->type == DETECT_CONTENT &&
+ (((DetectContentData *)(sm->ctx))->flags &
+ (DETECT_CONTENT_DEPTH | DETECT_CONTENT_OFFSET))) {
+ s->flags |= SIG_FLAG_REQUIRE_PACKET;
+ break;
+ }
+ sm = sm->next;
+ }
+ }
+
 #ifdef DEBUG
 int i;
 for (i = 0; i < DETECT_SM_LIST_MAX; i++) {
diff --git a/src/detect.c b/src/detect.c
index 7572ff35bb..a03a38808b 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1568,7 +1568,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 if (s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
 /* if we have stream msgs, inspect against those first,
 * but not for a "dsize" signature */
- if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
+ if (s->flags & SIG_FLAG_REQUIRE_STREAM) {
 char pmatch = 0;
 if (smsg != NULL) {
 uint8_t pmq_idx = 0;
@@ -1602,8 +1602,10 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 if (pmatch == 0) {
 SCLogDebug("no match in smsg, fall back to packet payload");
- if (p->flags & PKT_STREAM_ADD)
- goto next;
+ if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
+ if (p->flags & PKT_STREAM_ADD)
+ goto next;
+ }
 if (sms_runflags & SMS_USED_PM) {
 if (s->flags & SIG_FLAG_MPM_PACKET && !(s->flags & SIG_FLAG_MPM_PACKET_NEG) &&
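Review bot: The new block in SigValidate runs after the mutual-exclusion check at new line 1021 and then sets SIG_FLAG_REQUIRE_PACKET on top of SIG_FLAG_REQUIRE_STREAM, so a rule that arrives with REQUIRE_STREAM already set (apparently the flow:only_stream path in SigParseProto) and a content carrying depth or offset leaves validation with both flags, which is exactly the combination the earlier check rejects, and the detect.c hunk at line 1602 then inspects the packet payload for a rule that asked for stream only. If "inspect stream, fall back to packet" is meant only for rules that asked for neither, guard the walk on both flags: `if (!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM))) {`. Either way the comment added in SigParseProto ("mutually exclusive") is no longer true once SigValidate returns, so a comment above this block should say that both flags set means stream messages are inspected first with the packet payload as fallback. SigValidate starts and ends outside the hunk.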
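Review bot: In the first detect.c hunk the comment two lines above the changed condition still says the stream-message pass is skipped "for a dsize signature", but the condition now keys on SIG_FLAG_REQUIRE_STREAM, which SigValidate sets for every rule that does not require the packet; rewrite it as `/* sigs flagged SIG_FLAG_REQUIRE_STREAM inspect stream msgs first; packet-only sigs (dsize, DETECT_PROTO_ONLY_PKT) go straight to the payload */`. A rule with neither flag set now skips this branch entirely, which is only safe if every TCP rule passes through SigValidate; that cannot be confirmed from the hunk. SigMatchSignatures starts and ends outside the hunk.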
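Review bot: In the second detect.c hunk the new nesting leaves the inner `if (p->flags & PKT_STREAM_ADD)` unbraced around a `goto`, the shape the brace-every-body rule exists to prevent; the two conditions fold into one braced statement: `if (!(s->flags & SIG_FLAG_REQUIRE_PACKET) && (p->flags & PKT_STREAM_ADD)) { goto next; }`. The fall-through to packet inspection for rules carrying both flags is the behaviour the detect-parse.c change relies on, so name it here: `/* stream-only sigs stop at a stream-add pkt; sigs that also require the packet fall back to the payload */`. SigMatchSignatures continues on both sides of the hunk.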