From: Anoop Saldanha
Date: Mon, 20 Feb 2012 06:29:40 +0000 (+0530)
Subject: All http_http_stat_code modified patterns now are DETECT_CONTENT and not DETECT_AL_HT...
X-Git-Tag: suricata-1.3beta1~179
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=35435f32848e57575e75ac0940325b8e714e22d5;p=thirdparty%2Fsuricata.git
All http_http_stat_code modified patterns now are DETECT_CONTENT and not DETECT_AL_HTTP_STAT_CODE. Also remove dummy match/free functions for stat code and stat msg
---
diff --git a/src/detect-depth.c b/src/detect-depth.c
index bf0bc06a1b..8c393a50e8 100644
--- a/src/detect-depth.c
+++ b/src/detect-depth.c
@@ -95,7 +95,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]);
 if (pm == NULL) {
 SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs "
@@ -162,47 +162,6 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths break; - case DETECT_AL_HTTP_STAT_CODE: - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in depth - %s\n", str); - goto error; - } - cd->depth = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_DEPTH_BE; - } else { - cd->depth = (uint32_t)atoi(str); - if (cd->depth < cd->content_len) { - cd->depth = cd->content_len; - SCLogDebug("depth increased to %"PRIu32" to match pattern len ", - cd->depth); - } - /* Now update the real limit, as depth is relative to the offset */ - cd->depth += cd->offset; - cd->flags |= DETECT_CONTENT_DEPTH; - } - - break; - default: SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs a preceeding " "content (or uricontent) option"); diff --git a/src/detect-distance.c b/src/detect-distance.c index db992fe4e2..5600bb7a98 100644 --- a/src/detect-distance.c +++ b/src/detect-distance.c 
@@ -170,7 +170,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]);
 if (pm == NULL) {
 SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs "
@@ -291,73 +291,6 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, break; - case DETECT_AL_HTTP_STAT_CODE: - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in distance - %s\n", str); - goto error; - } - cd->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_DISTANCE_BE; - } else { - cd->distance = strtol(str, NULL, 10); - if (cd->flags & DETECT_CONTENT_WITHIN) { - if ((cd->distance + cd->content_len) > cd->within) { - cd->within = cd->distance + cd->content_len; - } - } - } - - cd->flags |= DETECT_CONTENT_DISTANCE; - - /* reassigning pm */ - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_AL_HTTP_STAT_CODE, pm->prev, - DETECT_PCRE, pm->prev); - if (pm == NULL) { - SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for " - "http_stat_code needs preceeding http_stat_code " - "content"); - goto error; - } - - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - /* reassigning cd */ - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword " - "has a fast_pattern:only; set. 
You can't " - "have relative keywords around a fast_pattern " - "only content"); - goto error; - } - cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } - - break; - default: SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two " "preceeding content or uricontent options"); diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c index e3435424ff..f887b14140 100644 --- a/src/detect-engine-content-inspection.c +++ b/src/detect-engine-content-inspection.c @@ -107,8 +107,7 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx } /* \todo unify this which is phase 2 of payload inspection unification */ - if (sm->type == DETECT_CONTENT || - sm->type == DETECT_AL_HTTP_STAT_CODE) { + if (sm->type == DETECT_CONTENT) { DetectContentData *cd = (DetectContentData *)sm->ctx; SCLogDebug("inspecting content %"PRIu32" buffer_len %"PRIu32, cd->id, buffer_len); diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index 3ca7a4718e..8f57583cd2 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c @@ -149,7 +149,7 @@ void SupportFastPatternForSigMatchTypes(void) SupportFastPatternForSigMatchType(DETECT_CONTENT); SupportFastPatternForSigMatchList(DETECT_SM_LIST_HSMDMATCH); - SupportFastPatternForSigMatchType(DETECT_AL_HTTP_STAT_CODE); + SupportFastPatternForSigMatchType(DETECT_CONTENT); SupportFastPatternForSigMatchList(DETECT_SM_LIST_HSCDMATCH); return; 
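Review bot: `SupportFastPatternForSigMatchType(DETECT_CONTENT);` is now called a second time in SupportFastPatternForSigMatchTypes(), two lines below the identical call that precedes the HSMDMATCH list registration. Whether the repeat is harmless depends on SupportFastPatternForSigMatchType(), which this hunk does not show; if it appends an entry without checking for an existing one, DETECT_CONTENT ends up registered more than once. I would delete the replaced line and keep only `SupportFastPatternForSigMatchList(DETECT_SM_LIST_HSCDMATCH);`, or confirm that the registration is idempotent. The function begins above the hunk, so further DETECT_CONTENT calls may already exist there.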
@@ -246,7 +246,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]);
 if (pm == NULL) {
 SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern found inside "
diff --git a/src/detect-http-stat-code.c b/src/detect-http-stat-code.c
index f2c2f46429..c0cca4e2ad 100644
--- a/src/detect-http-stat-code.c
+++ b/src/detect-http-stat-code.c
@@ -78,130 +78,12 @@ void DetectHttpStatCodeRegister (void) { sigmatch_table[DETECT_AL_HTTP_STAT_CODE].AppLayerMatch = NULL; sigmatch_table[DETECT_AL_HTTP_STAT_CODE].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_AL_HTTP_STAT_CODE].Setup = DetectHttpStatCodeSetup; - sigmatch_table[DETECT_AL_HTTP_STAT_CODE].Free = DetectHttpStatCodeFree; + sigmatch_table[DETECT_AL_HTTP_STAT_CODE].Free = NULL; sigmatch_table[DETECT_AL_HTTP_STAT_CODE].RegisterTests = DetectHttpStatCodeRegisterTests; sigmatch_table[DETECT_AL_HTTP_STAT_CODE].flags |= SIGMATCH_PAYLOAD; } -/** - * \brief match the specified content in the signature with the received http - * status code header in the http response. - * - * \param t pointer to thread vars - * \param det_ctx pointer to the pattern matcher thread - * \param f pointer to the current flow - * \param flags flags to indicate the direction of the received packet - * \param state pointer the app layer state, which will cast into HtpState - * \param s pointer to the current signature - * \param sm pointer to the sigmatch - * - * \retval 0 no match - * \retval 1 match - */ -int DetectHttpStatCodeMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, - Flow *f, uint8_t flags, void *state, Signature *s, - SigMatch *sm) -{ - SCEnter(); - - int ret = 0; - int idx; - - SCMutexLock(&f->m); - SCLogDebug("got lock %p", &f->m); - - DetectHttpStatCodeData *co = (DetectHttpStatCodeData *)sm->ctx; - - HtpState *htp_state = (HtpState *)state; - if (htp_state == NULL) { - SCLogDebug("no HTTP layer state has been received, so no match"); - goto end; - } - - if (!(htp_state->flags & HTP_FLAG_STATE_OPEN)) { - SCLogDebug("HTP state not yet properly setup, so no match"); - goto end; - } - - SCLogDebug("htp_state %p, flow %p", htp_state, f); - SCLogDebug("htp_state->connp %p", htp_state->connp); - SCLogDebug("htp_state->connp->conn %p", htp_state->connp->conn); - - if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { - SCLogDebug("HTTP connection structure is 
NULL"); - goto end; - } - - htp_tx_t *tx = NULL; - - idx = AppLayerTransactionGetInspectId(f); - if (idx == -1) { - goto end; - } - - int size = (int)list_size(htp_state->connp->conn->transactions); - for (; idx < size; idx++) - { - tx = list_get(htp_state->connp->conn->transactions, idx); - if (tx == NULL) - continue; - - SCLogDebug("we have a response message"); - if (co->code != -1) { - if (co->code == tx->response_status_number) { - SCLogDebug("Matched numeric HTTP status value"); - ret = 1; - } - } else if (tx->response_status != NULL) { - /* call the case insensitive version if nocase has been specified in - the sig */ - if (co->flags & DETECT_AL_HTTP_STAT_CODE_NOCASE) { - if (SpmNocaseSearch((uint8_t *) bstr_ptr(tx->response_status), - bstr_len(tx->response_status), co->data, co->data_len) - != NULL) - { - SCLogDebug("match has been found in received request and " - "given http_stat_code rule"); - ret = 1; - } - } else { - if (SpmSearch((uint8_t *) bstr_ptr(tx->response_status), - bstr_len(tx->response_status), co->data, co->data_len) - != NULL) - { - SCLogDebug("match has been found in received request and" - " given http_stat_code rule"); - ret = 1; - } - } - } - } - - SCMutexUnlock(&f->m); - SCReturnInt(ret ^ ((co->flags & DETECT_AL_HTTP_STAT_CODE_NEGATED) ? 1 : 0)); - -end: - SCMutexUnlock(&f->m); - SCLogDebug("released lock %p", &f->m); - SCReturnInt(ret); -} - -/** - * \brief this function clears the memory of http_stat_code modifier keyword - * - * \param ptr Pointer to the Detection Stat Code data - */ -void DetectHttpStatCodeFree(void *ptr) -{ - DetectHttpStatCodeData *hsmd = (DetectHttpStatCodeData *)ptr; - if (hsmd == NULL) - return; - if (hsmd->data != NULL) - SCFree(hsmd->data); - SCFree(hsmd); -} - /** * \brief this function setups the http_stat_code modifier keyword used in the rule * 
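Review bot: The `Free = NULL` assignment in DetectHttpStatCodeRegister() does not say who releases the keyword's context now. A later hunk in this file sets `sm->type = DETECT_CONTENT`, so the context is presumably released through the DETECT_CONTENT table entry; a comment such as `/* sm is retyped to DETECT_CONTENT in Setup; its ctx is freed through that entry */` would record the ownership. The deleted DetectHttpStatCodeFree() cast the pointer to DetectHttpStatCodeData, while the removed cases in detect-depth.c and detect-engine-content-inspection.c treat the same context as DetectContentData, so it is worth confirming that no remaining path looks up a Free handler for DETECT_AL_HTTP_STAT_CODE. The `Free = NULL` line for DETECT_AL_HTTP_STAT_MSG in detect-http-stat-msg.c needs the same comment.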
@@ -269,7 +151,7 @@ static int DetectHttpStatCodeSetup (DetectEngineCtx *de_ctx, Signature *s, char /* reassigning pm */ pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]); if (pm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "http_stat_code seen with a " @@ -286,7 +168,7 @@ static int DetectHttpStatCodeSetup (DetectEngineCtx *de_ctx, Signature *s, char } } cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HSCDMATCH); - sm->type = DETECT_AL_HTTP_STAT_CODE; + sm->type = DETECT_CONTENT; /* transfer the sm from the pmatch list to hcbdmatch list */ SigMatchTransferSigMatchAcrossLists(sm, @@ -392,10 +274,10 @@ int DetectHttpStatCodeTest02(void) SigMatch *prev = NULL; while (sm != NULL) { - if (sm->type == DETECT_AL_HTTP_STAT_CODE) { + if (sm->type == DETECT_CONTENT) { result = 1; } else { - printf("expected DETECT_AL_HTTP_STAT_CODE, got %d: ", sm->type); + printf("expected DETECT_CONTENT for http_stat_code, got %d: ", sm->type); goto end; } prev = sm; diff --git a/src/detect-http-stat-code.h b/src/detect-http-stat-code.h index 23233fc4d3..811c6951c7 100644 --- a/src/detect-http-stat-code.h +++ b/src/detect-http-stat-code.h @@ -24,16 +24,6 @@ #ifndef _DETECT_HTTP_STAT_CODE_H #define _DETECT_HTTP_STAT_CODE_H -#define DETECT_AL_HTTP_STAT_CODE_NOCASE 0x01 -#define DETECT_AL_HTTP_STAT_CODE_NEGATED 0x02 - -typedef struct DetectHttpStatCodeData_ { - uint8_t *data; - uint8_t data_len; - uint8_t flags; - int16_t code; /**< Numeric HTTP status code to match */ -} DetectHttpStatCodeData; - /* prototypes */ int DetectHttpStatCodeMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t , void *, Signature *, diff --git a/src/detect-http-stat-msg.c b/src/detect-http-stat-msg.c index 6a4de2ac8e..824b86ef3f 100644 --- a/src/detect-http-stat-msg.c 
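Review bot: The check `if (sm->type == DETECT_CONTENT)` in DetectHttpStatCodeTest02 no longer tells an http_stat_code pattern apart from an ordinary content pattern, because both carry the same type after this commit. The list that `sm` is read from is chosen above the hunk; if it is not already the HSCDMATCH list, the test should assert list membership as well, for example that the signature's `sm_lists[DETECT_SM_LIST_HSCDMATCH]` is non-NULL while `sm_lists[DETECT_SM_LIST_PMATCH]` is NULL. Without that, a regression that leaves the pattern in the payload list would still pass this loop.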
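Review bot: The prototype `int DetectHttpStatCodeMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t , void *, Signature *,` is kept as context in detect-http-stat-code.h, although this commit deletes the function's definition from detect-http-stat-code.c. A stale declaration lets a future caller compile and then fail only at link time, so the prototype should be removed together with the struct and flag macros. The prototype list continues below the hunk, so a declaration of DetectHttpStatCodeFree may remain there as well. detect-http-stat-msg.h is not touched by this patch and should be checked for the same leftovers.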
+++ b/src/detect-http-stat-msg.c 
@@ -78,124 +78,12 @@ void DetectHttpStatMsgRegister (void) { sigmatch_table[DETECT_AL_HTTP_STAT_MSG].AppLayerMatch = NULL; sigmatch_table[DETECT_AL_HTTP_STAT_MSG].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Setup = DetectHttpStatMsgSetup; - sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Free = DetectHttpStatMsgFree; + sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Free = NULL; sigmatch_table[DETECT_AL_HTTP_STAT_MSG].RegisterTests = DetectHttpStatMsgRegisterTests; sigmatch_table[DETECT_AL_HTTP_STAT_MSG].flags |= SIGMATCH_PAYLOAD; } -/** - * \brief match the specified content in the signature with the received http - * status message header in the http response. - * - * \param t pointer to thread vars - * \param det_ctx pointer to the pattern matcher thread - * \param f pointer to the current flow - * \param flags flags to indicate the direction of the received packet - * \param state pointer the app layer state, which will cast into HtpState - * \param s pointer to the current signature - * \param sm pointer to the sigmatch - * - * \retval 0 no match - * \retval 1 match - */ -int DetectHttpStatMsgMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, - Flow *f, uint8_t flags, void *state, Signature *s, - SigMatch *sm) -{ - SCEnter(); - - int ret = 0; - int idx; - - SCMutexLock(&f->m); - SCLogDebug("got lock %p", &f->m); - - DetectContentData *co = (DetectContentData *)sm->ctx; - - HtpState *htp_state = (HtpState *)state; - if (htp_state == NULL) { - SCLogDebug("no HTTP layer state has been received, so no match"); - goto end; - } - - if (!(htp_state->flags & HTP_FLAG_STATE_OPEN)) { - SCLogDebug("HTP state not yet properly setup, so no match"); - goto end; - } - - SCLogDebug("htp_state %p, flow %p", htp_state, f); - SCLogDebug("htp_state->connp %p", htp_state->connp); - SCLogDebug("htp_state->connp->conn %p", htp_state->connp->conn); - - if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { - SCLogDebug("HTTP connection structure is NULL"); - goto 
end; - } - - htp_tx_t *tx = NULL; - - idx = AppLayerTransactionGetInspectId(f); - if (idx == -1) { - goto end; - } - - int size = (int)list_size(htp_state->connp->conn->transactions); - for (; idx < size; idx++) - { - tx = list_get(htp_state->connp->conn->transactions, idx); - if (tx == NULL) - continue; - - if (tx->response_message == NULL) - continue; - - SCLogDebug("we have a response message"); - - /* call the case insensitive version if nocase has been specified in the sig */ - if (co->flags & DETECT_CONTENT_NOCASE) { - if (SpmNocaseSearch((uint8_t *) bstr_ptr(tx->response_message), - bstr_len(tx->response_message), co->content, co->content_len) != NULL) - { - SCLogDebug("match has been found in received request and given http_" - "stat_msg rule"); - ret = 1; - } - } else { - if (SpmSearch((uint8_t *) bstr_ptr(tx->response_message), - bstr_len(tx->response_message), co->content, co->content_len) != NULL) - { - SCLogDebug("match has been found in received request and given http_" - "stat_msg rule"); - ret = 1; - } - } - } - - SCMutexUnlock(&f->m); - SCReturnInt(ret ^ ((co->flags & DETECT_CONTENT_NEGATED) ? 1 : 0)); - -end: - SCMutexUnlock(&f->m); - SCLogDebug("released lock %p", &f->m); - SCReturnInt(ret); -} - -/** - * \brief this function clears the memory of http_stat_msg modifier keyword - * - * \param ptr Pointer to the Detection Stat Message data - */ -void DetectHttpStatMsgFree(void *ptr) -{ - DetectContentData *hsmd = (DetectContentData *)ptr; - if (hsmd == NULL) - return; - if (hsmd->content != NULL) - SCFree(hsmd->content); - SCFree(hsmd); -} - /** * \brief this function setups the http_stat_msg modifier keyword used in the rule * diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index bc4eaab2e3..faf5dd109f 100644 --- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c 
@@ -362,7 +362,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 10 */ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], @@ -419,7 +419,6 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst switch (prev_pm->type) { case DETECT_CONTENT: - case DETECT_AL_HTTP_STAT_CODE: /* Set the relative next flag on the prev sigmatch */ cd = (DetectContentData *)prev_pm->ctx; if (cd == NULL) { diff --git a/src/detect-nocase.c b/src/detect-nocase.c index c00198f5b0..c9bed180df 100644 --- a/src/detect-nocase.c +++ b/src/detect-nocase.c @@ -84,7 +84,7 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]); if (pm == NULL) { SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "\"nocase\" needs a preceeding " @@ -98,7 +98,6 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls switch (pm->type) { case DETECT_CONTENT: - case DETECT_AL_HTTP_STAT_CODE: cd = (DetectContentData *)pm->ctx; if (cd == NULL) { SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument"); diff --git a/src/detect-offset.c b/src/detect-offset.c index 4470b7af18..dec956b517 100644 --- a/src/detect-offset.c 
+++ b/src/detect-offset.c
@@ -93,7 +93,7 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]);
 if (pm == NULL) {
 SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs "
@@ -164,50 +164,6 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr) break; - case DETECT_AL_HTTP_STAT_CODE: - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in offset - %s\n", str); - goto error; - } - cd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_OFFSET_BE; - } else { - cd->offset = (uint32_t)atoi(str); - if (cd->depth != 0) { - if (cd->depth < cd->content_len) { - SCLogDebug("depth increased to %"PRIu32" to match pattern len", - cd->content_len); - cd->depth = cd->content_len; - } - /* Updating the depth as is relative to the offset */ - cd->depth += cd->offset; - } - } - - cd->flags |= DETECT_CONTENT_OFFSET; - - break; - default: SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs a preceeding" " content or uricontent option"); diff --git a/src/detect-pcre.c b/src/detect-pcre.c index 0203b10a80..6a49341487 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c 
@@ -1201,10 +1201,9 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst SCReturnInt(0); } - prev_sm = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, sm->prev, - DETECT_PCRE, sm->prev, - DETECT_AL_HTTP_STAT_CODE, sm->prev); + prev_sm = SigMatchGetLastSMFromLists(s, 4, + DETECT_CONTENT, sm->prev, + DETECT_PCRE, sm->prev); if (prev_sm == NULL) { if (s->alproto == ALPROTO_DCERPC) { SCLogDebug("No preceding content or pcre keyword. Possible " @@ -1228,7 +1227,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst switch (prev_sm->type) { case DETECT_CONTENT: - case DETECT_AL_HTTP_STAT_CODE: /* Set the relative next flag on the prev sigmatch */ cd = (DetectContentData *)prev_sm->ctx; if (cd == NULL) { diff --git a/src/detect-within.c b/src/detect-within.c index 838e05bfd6..525422f46a 100644 --- a/src/detect-within.c +++ b/src/detect-within.c @@ -173,7 +173,7 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]); if (pm == NULL) { SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs" 
@@ -300,74 +300,6 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi break; - case DETECT_AL_HTTP_STAT_CODE: - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in within - %s\n", str); - goto error; - } - cd->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_WITHIN_BE; - } else { - cd->within = strtol(str, NULL, 10); - if (cd->within < (int32_t)cd->content_len) { - SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is " - "less than the content length \"%"PRIu32"\" which is invalid, since " - "this will never match. 
Invalidating signature", cd->within, - cd->content_len); - goto error; - } - } - - cd->flags |= DETECT_CONTENT_WITHIN; - - /* reassigning pm */ - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_AL_HTTP_STAT_CODE, pm->prev, - DETECT_PCRE, pm->prev); - if (pm == NULL) { - SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for http_stat_code " - "needs preceeding http_stat_code content"); - goto error; - } - - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - /* reassigning cd */ - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword " - "has a fast_pattern:only; set. You can't " - "have relative keywords around a fast_pattern " - "only content"); - goto error; - } - cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } - - break; - default: SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs two " "preceeding content or uricontent options");