From: Victor Julien Date: Sat, 30 Nov 2013 12:00:17 +0000 (+0100) Subject: pcre: parsing cleanup X-Git-Tag: suricata-2.0beta2~108 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3e604b8703a21ef94fd7f264199e3f1edd53e7be;p=thirdparty%2Fsuricata.git pcre: parsing cleanup Remove all flags indicating the buffer type. They were only used at parse time. Because of this the DetectPcreData_ structure could shrink to 32 bytes. --- diff --git a/src/detect-http-client-body.c b/src/detect-http-client-body.c index 9c8dd64f08..b1a7cc7503 100644 --- a/src/detect-http-client-body.c +++ b/src/detect-http-client-body.c @@ -2208,7 +2208,7 @@ int DetectHttpClientBodyTest34(void) DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx; DetectContentData *hcbd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx; - if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_CLIENT_BODY) || + if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || hcbd2->flags != DETECT_CONTENT_WITHIN || memcmp(hcbd2->content, "two", hcbd2->content_len) != 0) { goto end; @@ -2259,7 +2259,7 @@ int DetectHttpClientBodyTest35(void) DetectContentData *hcbd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx; DetectPcreData *pd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx; - if (pd2->flags != (DETECT_PCRE_RELATIVE | DETECT_PCRE_HTTP_CLIENT_BODY) || + if (pd2->flags != (DETECT_PCRE_RELATIVE) || hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(hcbd1->content, "two", hcbd1->content_len) != 0) { goto end; 
@@ -2310,7 +2310,7 @@ int DetectHttpClientBodyTest36(void) DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->ctx; DetectContentData *hcbd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->ctx; - if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_CLIENT_BODY) || + if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || hcbd2->flags != DETECT_CONTENT_DISTANCE || memcmp(hcbd2->content, "two", hcbd2->content_len) != 0) { goto end; diff --git a/src/detect-http-header.c b/src/detect-http-header.c index 3cd26c2ecd..9686b7ded4 100644 --- a/src/detect-http-header.c +++ b/src/detect-http-header.c @@ -1374,7 +1374,7 @@ int DetectHttpHeaderTest25(void) DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx; DetectContentData *hhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx; - if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HEADER) || + if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || hhd2->flags != DETECT_CONTENT_WITHIN || memcmp(hhd2->content, "two", hhd2->content_len) != 0) { goto end; @@ -1425,7 +1425,7 @@ int DetectHttpHeaderTest26(void) DetectContentData *hhd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx; DetectPcreData *pd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx; - if (pd2->flags != (DETECT_PCRE_RELATIVE | DETECT_PCRE_HEADER) || + if (pd2->flags != (DETECT_PCRE_RELATIVE) || hhd1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(hhd1->content, "two", hhd1->content_len) != 0) { goto end; 
@@ -1476,7 +1476,7 @@ int DetectHttpHeaderTest27(void) DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx; DetectContentData *hhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx; - if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HEADER) || + if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || hhd2->flags != DETECT_CONTENT_DISTANCE || memcmp(hhd2->content, "two", hhd2->content_len) != 0) { goto end; diff --git a/src/detect-http-hh.c b/src/detect-http-hh.c index 7b65730b0d..3783bb9000 100644 --- a/src/detect-http-hh.c +++ b/src/detect-http-hh.c @@ -1912,7 +1912,7 @@ int DetectHttpHHTest34(void) DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; DetectContentData *hhhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; - if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_HOST) || + if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || hhhd2->flags != (DETECT_CONTENT_WITHIN) || memcmp(hhhd2->content, "two", hhhd2->content_len) != 0) { goto end; @@ -1963,7 +1963,7 @@ int DetectHttpHHTest35(void) DetectContentData *hhhd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; DetectPcreData *pd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; - if (pd2->flags != (DETECT_PCRE_RELATIVE | DETECT_PCRE_HTTP_HOST) || + if (pd2->flags != (DETECT_PCRE_RELATIVE) || hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) || memcmp(hhhd1->content, "two", hhhd1->content_len) != 0) { goto end; 
@@ -2014,7 +2014,7 @@ int DetectHttpHHTest36(void) DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; DetectContentData *hhhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; - if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_HOST) || + if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || hhhd2->flags != (DETECT_CONTENT_DISTANCE) || memcmp(hhhd2->content, "two", hhhd2->content_len) != 0) { goto end; diff --git a/src/detect-http-hrh.c b/src/detect-http-hrh.c index 8100439c12..a0b79c699f 100644 --- a/src/detect-http-hrh.c +++ b/src/detect-http-hrh.c @@ -1908,7 +1908,7 @@ int DetectHttpHRHTest34(void) DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx; DetectContentData *hrhhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx; - if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_RAW_HOST | DETECT_PCRE_CASELESS) || + if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_CASELESS) || hrhhd2->flags != (DETECT_CONTENT_WITHIN) || memcmp(hrhhd2->content, "two", hrhhd2->content_len) != 0) { goto end; @@ -1959,7 +1959,7 @@ int DetectHttpHRHTest35(void) DetectContentData *hrhhd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx; DetectPcreData *pd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx; - if (pd2->flags != (DETECT_PCRE_RELATIVE | DETECT_PCRE_HTTP_RAW_HOST | DETECT_PCRE_CASELESS) || + if (pd2->flags != (DETECT_PCRE_RELATIVE | DETECT_PCRE_CASELESS) || hrhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) || memcmp(hrhhd1->content, "two", hrhhd1->content_len) != 0) { goto end; 
@@ -2010,7 +2010,7 @@ int DetectHttpHRHTest36(void) DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->prev->ctx; DetectContentData *hrhhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]->ctx; - if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_RAW_HOST | DETECT_PCRE_CASELESS) || + if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_CASELESS) || hrhhd2->flags != (DETECT_CONTENT_DISTANCE) || memcmp(hrhhd2->content, "two", hrhhd2->content_len) != 0) { goto end; diff --git a/src/detect-http-raw-header.c b/src/detect-http-raw-header.c index 3113d40f03..f82ff11511 100644 --- a/src/detect-http-raw-header.c +++ b/src/detect-http-raw-header.c @@ -1372,7 +1372,7 @@ int DetectHttpRawHeaderTest25(void) DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; DetectContentData *hhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; - if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_RAW_HEADER) || + if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || hhd2->flags != DETECT_CONTENT_WITHIN || memcmp(hhd2->content, "two", hhd2->content_len) != 0) { goto end; @@ -1423,7 +1423,7 @@ int DetectHttpRawHeaderTest26(void) DetectContentData *hhd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; DetectPcreData *pd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; - if (pd2->flags != (DETECT_PCRE_RELATIVE | DETECT_PCRE_RAW_HEADER) || + if (pd2->flags != (DETECT_PCRE_RELATIVE) || hhd1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(hhd1->content, "two", hhd1->content_len) != 0) { goto end; 
@@ -1474,7 +1474,7 @@ int DetectHttpRawHeaderTest27(void) DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; DetectContentData *hhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; - if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_RAW_HEADER) || + if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || hhd2->flags != DETECT_CONTENT_DISTANCE || memcmp(hhd2->content, "two", hhd2->content_len) != 0) { goto end; diff --git a/src/detect-http-server-body.c b/src/detect-http-server-body.c index d49f47f905..072eb4102e 100644 --- a/src/detect-http-server-body.c +++ b/src/detect-http-server-body.c @@ -2244,7 +2244,7 @@ int DetectHttpServerBodyTest34(void) DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->prev->ctx; DetectContentData *hsbd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx; - if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_SERVER_BODY) || + if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || hsbd2->flags != DETECT_CONTENT_WITHIN || memcmp(hsbd2->content, "two", hsbd2->content_len) != 0) { goto end; @@ -2295,7 +2295,7 @@ int DetectHttpServerBodyTest35(void) DetectContentData *hsbd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->prev->ctx; DetectPcreData *pd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx; - if (pd2->flags != (DETECT_PCRE_RELATIVE | DETECT_PCRE_HTTP_SERVER_BODY) || + if (pd2->flags != (DETECT_PCRE_RELATIVE) || hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(hsbd1->content, "two", hsbd1->content_len) != 0) { goto end; 
@@ -2346,7 +2346,7 @@ int DetectHttpServerBodyTest36(void) DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->prev->ctx; DetectContentData *hsbd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx; - if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_SERVER_BODY) || + if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || hsbd2->flags != DETECT_CONTENT_DISTANCE || memcmp(hsbd2->content, "two", hsbd2->content_len) != 0) { goto end; diff --git a/src/detect-http-ua.c b/src/detect-http-ua.c index f657a7bdf8..ee619b4230 100644 --- a/src/detect-http-ua.c +++ b/src/detect-http-ua.c @@ -1916,7 +1916,7 @@ int DetectHttpUATest34(void) DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; DetectContentData *huad2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; - if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_USER_AGENT) || + if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || huad2->flags != DETECT_CONTENT_WITHIN || memcmp(huad2->content, "two", huad2->content_len) != 0) { goto end; @@ -1967,7 +1967,7 @@ int DetectHttpUATest35(void) DetectContentData *huad1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; DetectPcreData *pd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; - if (pd2->flags != (DETECT_PCRE_RELATIVE | DETECT_PCRE_HTTP_USER_AGENT) || + if (pd2->flags != (DETECT_PCRE_RELATIVE) || huad1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(huad1->content, "two", huad1->content_len) != 0) { goto end; 
@@ -2018,7 +2018,7 @@ int DetectHttpUATest36(void) DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; DetectContentData *huad2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; - if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HTTP_USER_AGENT) || + if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || huad2->flags != DETECT_CONTENT_DISTANCE || memcmp(huad2->content, "two", huad2->content_len) != 0) { goto end; diff --git a/src/detect-pcre.c b/src/detect-pcre.c index a15c200891..1539022a28 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -264,7 +264,15 @@ int DetectPcrePayloadMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SCReturnInt(ret); } -DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr) +static int DetectPcreSetList(int list, int set) { + if (list != DETECT_SM_LIST_NOTSET) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "only one pcre option to specify a buffer type is allowed"); + return -1; + } + return set; +} + +static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr, int *sm_list) { int ec; const char *eb; 
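Review bot: DetectPcreSetList and the new `sm_list` parameter of DetectPcreParse have no comment, although both rely on an unstated contract. The caller has to pass a pointer initialised to DETECT_SM_LIST_NOTSET, and the helper returns -1, which is not a list id, once a buffer has already been chosen. A doc comment on the helper such as `/** \retval set if no buffer list was chosen yet, -1 (after logging) otherwise */` would make that explicit. DetectPcreParse should also get a `\param sm_list` line stating the required initial value and that the result is only meaningful when the function returns non-NULL. DetectPcreParse's body continues outside this hunk.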
@@ -354,21 +362,13 @@ DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr) opts |= PCRE_EXTENDED; break; + case 'O': + pd->flags |= DETECT_PCRE_MATCH_LIMIT; + break; + case 'B': /* snort's option */ - if (pd->flags & DETECT_PCRE_URI) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'B' inconsistent with 'U'"); - goto error; - } - if (pd->flags & DETECT_PCRE_HEADER) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'B' inconsistent with 'H'"); - goto error; - } - if (pd->flags & DETECT_PCRE_COOKIE) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'B' inconsistent with 'C'"); - goto error; - } - if (pd->flags & DETECT_PCRE_METHOD) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'B' inconsistent with 'M'"); + if (*sm_list != DETECT_SM_LIST_NOTSET) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'B' inconsistent with chosen buffer"); goto error; } pd->flags |= DETECT_PCRE_RAWBYTES; 
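Review bot: Whether `B` combined with a buffer modifier is rejected now depends on the order of the modifiers. The `B` case refuses any previously chosen buffer (`*sm_list != DETECT_SM_LIST_NOTSET`), but in the following hunk (@@ -376) the `D`, `P`, `Q`, `Y` and `S` cases set the list without testing DETECT_PCRE_RAWBYTES, so `PB` fails to load while `BP` is accepted. For a detection rule this means the same set of modifiers can be refused or loaded depending on how it was typed, which makes it harder to reason about what a loaded rule actually inspects. A single test after the modifier loop would cover every buffer in both orders: `if ((pd->flags & DETECT_PCRE_RAWBYTES) && *sm_list != DETECT_SM_LIST_NOTSET)` followed by the existing SCLogError and `goto error`. The per-case RAWBYTES tests could then be dropped.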
@@ -376,99 +376,83 @@ DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr) case 'R': /* snort's option */ pd->flags |= DETECT_PCRE_RELATIVE; break; + + /* buffer selection */ + case 'U': /* snort's option */ - if (pd->flags & DETECT_PCRE_HTTP_RAW_URI) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'U' inconsistent with 'I'"); - goto error; - } if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'U' inconsistent with 'B'"); goto error; } - pd->flags |= DETECT_PCRE_URI; + *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_UMATCH); break; case 'V': if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'V' inconsistent with 'B'"); goto error; } - pd->flags |= DETECT_PCRE_HTTP_USER_AGENT; + *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HUADMATCH); break; case 'W': if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'W' inconsistent with 'B'"); goto error; } - pd->flags |= DETECT_PCRE_HTTP_HOST; + *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HHHDMATCH); break; case 'Z': if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'Z' inconsistent with 'B'"); goto error; } - pd->flags |= DETECT_PCRE_HTTP_RAW_HOST; + *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HRHHDMATCH); break; case 'H': /* snort's option */ - if (pd->flags & DETECT_PCRE_RAW_HEADER) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'H' inconsistent with 'D'"); - goto error; - } if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'H' inconsistent with 'B'"); goto error; } - pd->flags |= DETECT_PCRE_HEADER; + *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HHDMATCH); break; case 'I': /* snort's option */ - if (pd->flags & DETECT_PCRE_URI) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'I' inconsistent with 'U'"); - goto error; - } if 
(pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'I' inconsistent with 'B'"); goto error; } - pd->flags |= DETECT_PCRE_HTTP_RAW_URI; + *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HRUDMATCH); break; case 'D': /* snort's option */ - if (pd->flags & DETECT_PCRE_HEADER) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'D' inconsistent with 'H'"); - goto error; - } - pd->flags |= DETECT_PCRE_RAW_HEADER; + *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HRHDMATCH); break; case 'M': /* snort's option */ if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'M' inconsistent with 'B'"); goto error; } - pd->flags |= DETECT_PCRE_METHOD; + *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HMDMATCH); break; case 'C': /* snort's option */ if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'C' inconsistent with 'B'"); goto error; } - pd->flags |= DETECT_PCRE_COOKIE; - break; - case 'O': - pd->flags |= DETECT_PCRE_MATCH_LIMIT; + *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HCDMATCH); break; case 'P': /* snort's option (http request body inspection) */ - pd->flags |= DETECT_PCRE_HTTP_CLIENT_BODY; + *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HCBDMATCH); break; case 'Q': /* suricata extension (http response body inspection) */ - pd->flags |= DETECT_PCRE_HTTP_SERVER_BODY; + *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HSBDMATCH); break; case 'Y': /* snort's option */ - pd->flags |= DETECT_PCRE_HTTP_STAT_MSG; + *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HSMDMATCH); break; case 'S': /* snort's option */ - pd->flags |= DETECT_PCRE_HTTP_STAT_CODE; + *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HSCDMATCH); break; default: SCLogError(SC_ERR_UNKNOWN_REGEX_MOD, "unknown regex modifier '%c'", *op); 
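Review bot: A duplicate buffer modifier is not acted on where it is detected. Each `*sm_list = DetectPcreSetList(*sm_list, ...)` stores -1 and the loop keeps parsing; the failure is only picked up by `if (*sm_list == -1)` in the next hunk (@@ -477). Assuming -1 is distinct from DETECT_SM_LIST_NOTSET (the post-loop check only makes sense if it is), every later buffer modifier in the same string logs the "only one pcre option" error again. Testing the result next to the call, for example `if (*sm_list == -1) goto error;` once at the bottom of the loop body, keeps the error path beside its cause. It would also let the bare -1 be replaced by a named constant.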
@@ -477,10 +461,13 @@ DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr) op++; } } + if (*sm_list == -1) + goto error; SCLogDebug("DetectPcreParse: \"%s\"", re); - if (pd->flags & DETECT_PCRE_HTTP_HOST) { + /* host header */ + if (*sm_list == DETECT_SM_LIST_HHHDMATCH) { if (pd->flags & DETECT_PCRE_CASELESS) { SCLogWarning(SC_ERR_INVALID_SIGNATURE, "http host pcre(\"W\") " "specified along with \"i(caseless)\" modifier. " @@ -541,13 +528,11 @@ DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr) } #endif /*PCRE_HAVE_JIT*/ - if(pd->sd == NULL) + if (pd->sd == NULL) pd->sd = (pcre_extra *) SCCalloc(1,sizeof(pcre_extra)); - if(pd->sd) { - + if (pd->sd) { if(pd->flags & DETECT_PCRE_MATCH_LIMIT) { - if(pcre_match_limit >= -1) { pd->sd->match_limit = pcre_match_limit; pd->sd->flags |= PCRE_EXTRA_MATCH_LIMIT; @@ -558,9 +543,7 @@ DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr) pd->sd->flags |= PCRE_EXTRA_MATCH_LIMIT_RECURSION; } #endif /* NO_PCRE_MATCH_RLIMIT */ - } - else { - + } else { pd->sd->match_limit = SC_MATCH_LIMIT_DEFAULT; pd->sd->flags |= PCRE_EXTRA_MATCH_LIMIT; #ifndef NO_PCRE_MATCH_RLIMIT @@ -568,7 +551,6 @@ DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr) pd->sd->flags |= PCRE_EXTRA_MATCH_LIMIT_RECURSION; #endif /* NO_PCRE_MATCH_RLIMIT */ } - } else { goto error; } 
@@ -658,26 +640,28 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst DetectPcreData *pd = NULL; SigMatch *sm = NULL; int ret = -1; + int parsed_sm_list = DETECT_SM_LIST_NOTSET; - pd = DetectPcreParse(de_ctx, regexstr); + pd = DetectPcreParse(de_ctx, regexstr, &parsed_sm_list); if (pd == NULL) goto error; if (DetectPcreParseCapture(regexstr, de_ctx, pd) < 0) goto error; - if ((pd->flags & DETECT_PCRE_URI) || - (pd->flags & DETECT_PCRE_METHOD) || - (pd->flags & DETECT_PCRE_HEADER) || - (pd->flags & DETECT_PCRE_RAW_HEADER) || - (pd->flags & DETECT_PCRE_COOKIE) || - (pd->flags & DETECT_PCRE_HTTP_STAT_MSG) || - (pd->flags & DETECT_PCRE_HTTP_STAT_CODE) || - (pd->flags & DETECT_PCRE_HTTP_CLIENT_BODY) || - (pd->flags & DETECT_PCRE_HTTP_SERVER_BODY) || - (pd->flags & DETECT_PCRE_HTTP_RAW_URI) || - (pd->flags & DETECT_PCRE_HTTP_USER_AGENT) || - (pd->flags & DETECT_PCRE_HTTP_HOST) || - (pd->flags & DETECT_PCRE_HTTP_RAW_HOST)) { + if (parsed_sm_list == DETECT_SM_LIST_UMATCH || + parsed_sm_list == DETECT_SM_LIST_HRUDMATCH || + parsed_sm_list == DETECT_SM_LIST_HCBDMATCH || + parsed_sm_list == DETECT_SM_LIST_HSBDMATCH || + parsed_sm_list == DETECT_SM_LIST_HHDMATCH || + parsed_sm_list == DETECT_SM_LIST_HRHDMATCH || + parsed_sm_list == DETECT_SM_LIST_HSMDMATCH || + parsed_sm_list == DETECT_SM_LIST_HSCDMATCH || + parsed_sm_list == DETECT_SM_LIST_HHHDMATCH || + parsed_sm_list == DETECT_SM_LIST_HRHHDMATCH || + parsed_sm_list == DETECT_SM_LIST_HMDMATCH || + parsed_sm_list == DETECT_SM_LIST_HCDMATCH || + parsed_sm_list == DETECT_SM_LIST_HUADMATCH) + { if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. " "Conflicting alprotos detected for this rule. Http " 
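Review bot: The thirteen-way `parsed_sm_list == ...` test in DetectPcreSetup repeats the list of HTTP buffers that `switch(parsed_sm_list)` enumerates again in the later hunk (@@ -705). A new buffer modifier therefore has to be added in the parser and in both of these places, and a missed one would skip the alproto conflict check. As far as the visible cases in DetectPcreParse show, a successful parse leaves the value either at DETECT_SM_LIST_NOTSET or at one of these HTTP lists, so the condition could be reduced to `if (parsed_sm_list != DETECT_SM_LIST_NOTSET) {`. The body of the `if` continues outside this hunk.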
@@ -693,7 +677,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst } } - int sm_list; + int sm_list = -1; if (s->list != DETECT_SM_LIST_NOTSET) { if (s->list == DETECT_SM_LIST_HSBDMATCH) { SCLogDebug("adding to http server body list because of file data"); 
@@ -705,72 +689,44 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst } s->flags |= SIG_FLAG_APPLAYER; sm_list = s->list; - } else if (pd->flags & DETECT_PCRE_URI) { - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - sm_list = DETECT_SM_LIST_UMATCH; - } else if (pd->flags & DETECT_PCRE_HTTP_RAW_URI) { - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - sm_list = DETECT_SM_LIST_HRUDMATCH; - } else if (pd->flags & DETECT_PCRE_HEADER) { - SCLogDebug("Header inspection modifier set"); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - sm_list = DETECT_SM_LIST_HHDMATCH; - } else if (pd->flags & DETECT_PCRE_RAW_HEADER) { - SCLogDebug("Raw header inspection modifier set"); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - sm_list = DETECT_SM_LIST_HRHDMATCH; - } else if (pd->flags & DETECT_PCRE_HTTP_CLIENT_BODY) { - SCLogDebug("Request body inspection modifier set"); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - AppLayerHtpEnableRequestBodyCallback(); - sm_list = DETECT_SM_LIST_HCBDMATCH; - } else if (pd->flags & DETECT_PCRE_HTTP_SERVER_BODY) { - SCLogDebug("Response body inspection modifier set"); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - sm_list = DETECT_SM_LIST_HSBDMATCH; - AppLayerHtpEnableResponseBodyCallback(); - } else if (pd->flags & DETECT_PCRE_HTTP_HOST) { - SCLogDebug("Host inspection modifier set on pcre"); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - sm_list = DETECT_SM_LIST_HHHDMATCH; - } else if (pd->flags & DETECT_PCRE_HTTP_RAW_HOST) { - SCLogDebug("Raw Host inspection modifier set on pcre"); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - sm_list = DETECT_SM_LIST_HRHHDMATCH; - } else if (pd->flags & DETECT_PCRE_HTTP_STAT_MSG) { - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - sm_list = DETECT_SM_LIST_HSMDMATCH; - } else if (pd->flags & DETECT_PCRE_HTTP_STAT_CODE) { - s->flags |= 
SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - sm_list = DETECT_SM_LIST_HSCDMATCH; - } else if (pd->flags & DETECT_PCRE_COOKIE) { - SCLogDebug("Cookie inspection modifier set"); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - sm_list = DETECT_SM_LIST_HCDMATCH; - } else if (pd->flags & DETECT_PCRE_METHOD) { - SCLogDebug("Method inspection modifier set"); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - sm_list = DETECT_SM_LIST_HMDMATCH; - } else if (pd->flags & DETECT_PCRE_HTTP_USER_AGENT) { - SCLogDebug("User-Agent inspection modifier set on pcre"); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - sm_list = DETECT_SM_LIST_HUADMATCH; } else { - sm_list = DETECT_SM_LIST_PMATCH; + switch(parsed_sm_list) { + case DETECT_SM_LIST_HCBDMATCH: + AppLayerHtpEnableRequestBodyCallback(); + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; + sm_list = parsed_sm_list; + break; + + case DETECT_SM_LIST_HSBDMATCH: + AppLayerHtpEnableResponseBodyCallback(); + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; + sm_list = parsed_sm_list; + break; + + case DETECT_SM_LIST_UMATCH: + case DETECT_SM_LIST_HRUDMATCH: + case DETECT_SM_LIST_HHDMATCH: + case DETECT_SM_LIST_HRHDMATCH: + case DETECT_SM_LIST_HHHDMATCH: + case DETECT_SM_LIST_HRHHDMATCH: + case DETECT_SM_LIST_HSMDMATCH: + case DETECT_SM_LIST_HSCDMATCH: + case DETECT_SM_LIST_HCDMATCH: + case DETECT_SM_LIST_HMDMATCH: + case DETECT_SM_LIST_HUADMATCH: + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; + sm_list = parsed_sm_list; + break; + case DETECT_SM_LIST_NOTSET: + sm_list = DETECT_SM_LIST_PMATCH; + break; + } } + if (sm_list == -1) + goto error; sm = SigMatchAlloc(); if (sm == NULL) 
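Review bot: `switch(parsed_sm_list)` has no `default:` label, so any value outside the listed cases leaves `sm_list` at -1 and the rule is dropped by `if (sm_list == -1) goto error;` with no log line saying why. Adding `default: SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre: unexpected buffer list %d", parsed_sm_list); goto error;` would make that path diagnosable for rule authors. Separately, the `s->list != DETECT_SM_LIST_NOTSET` branch ends in `sm_list = s->list` without consulting `parsed_sm_list`, so a buffer modifier on a pcre in that branch appears to be ignored silently. Part of that branch lies outside the hunk, so this needs confirming against the full function.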
@@ -836,11 +792,12 @@ static int DetectPcreParseTest01 (void) int result = 1; DetectPcreData *pd = NULL; char *teststring = "/blah/7"; + int list = DETECT_SM_LIST_NOTSET; DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) return 0; - pd = DetectPcreParse(de_ctx, teststring); + pd = DetectPcreParse(de_ctx, teststring, &list); if (pd != NULL) { printf("expected NULL: got %p", pd); result = 0; @@ -859,11 +816,12 @@ static int DetectPcreParseTest02 (void) int result = 1; DetectPcreData *pd = NULL; char *teststring = "/blah/Ui$"; + int list = DETECT_SM_LIST_NOTSET; DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) return 0; - pd = DetectPcreParse(de_ctx, teststring); + pd = DetectPcreParse(de_ctx, teststring, &list); if (pd != NULL) { printf("expected NULL: got %p", pd); result = 0; @@ -881,11 +839,12 @@ static int DetectPcreParseTest03 (void) int result = 1; DetectPcreData *pd = NULL; char *teststring = "/blah/UNi"; + int list = DETECT_SM_LIST_NOTSET; DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) return 0; - pd = DetectPcreParse(de_ctx, teststring); + pd = DetectPcreParse(de_ctx, teststring, &list); if (pd != NULL) { printf("expected NULL: got %p", pd); result = 0; @@ -903,11 +862,12 @@ static int DetectPcreParseTest04 (void) int result = 1; DetectPcreData *pd = NULL; char *teststring = "/b\\\"lah/i"; + int list = DETECT_SM_LIST_NOTSET; DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) return 0; - pd = DetectPcreParse(de_ctx, teststring); + pd = DetectPcreParse(de_ctx, teststring, &list); if (pd == NULL) { printf("expected %p: got NULL", pd); result = 0; 
@@ -926,11 +886,12 @@ static int DetectPcreParseTest05 (void) int result = 1; DetectPcreData *pd = NULL; char *teststring = "/b(l|a)h/"; + int list = DETECT_SM_LIST_NOTSET; DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) return 0; - pd = DetectPcreParse(de_ctx, teststring); + pd = DetectPcreParse(de_ctx, teststring, &list); if (pd == NULL) { printf("expected %p: got NULL", pd); result = 0; @@ -949,11 +910,12 @@ static int DetectPcreParseTest06 (void) int result = 1; DetectPcreData *pd = NULL; char *teststring = "/b(l|a)h/smi"; + int list = DETECT_SM_LIST_NOTSET; DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) return 0; - pd = DetectPcreParse(de_ctx, teststring); + pd = DetectPcreParse(de_ctx, teststring, &list); if (pd == NULL) { printf("expected %p: got NULL", pd); result = 0; @@ -972,11 +934,12 @@ static int DetectPcreParseTest07 (void) int result = 1; DetectPcreData *pd = NULL; char *teststring = "/blah/Ui"; + int list = DETECT_SM_LIST_NOTSET; DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) return 0; - pd = DetectPcreParse(de_ctx, teststring); + pd = DetectPcreParse(de_ctx, teststring, &list); if (pd == NULL) { printf("expected %p: got NULL", pd); result = 0; @@ -995,11 +958,12 @@ static int DetectPcreParseTest08 (void) int result = 1; DetectPcreData *pd = NULL; char *teststring = "/b(l|a)h/O"; + int list = DETECT_SM_LIST_NOTSET; DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) return 0; - pd = DetectPcreParse(de_ctx, teststring); + pd = DetectPcreParse(de_ctx, teststring, &list); if (pd == NULL) { printf("expected %p: got NULL", pd); result = 0; 
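Review bot: DetectPcreParseTest07 passes `&list` for "/blah/Ui" but, in the visible lines, never checks what the parser stored there. With DETECT_PCRE_URI gone the chosen buffer can no longer be observed through `pd->flags`, so the `U` modifier could stop selecting the URI list without this test failing. Consider adding `if (list != DETECT_SM_LIST_UMATCH) { result = 0; }` after the NULL check. The other DetectPcreParseTest hunks on the neighbouring lines that expect a successful parse without a buffer modifier could likewise assert that `list` is still DETECT_SM_LIST_NOTSET. The test bodies continue outside the hunks.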
@@ -1019,11 +983,12 @@ static int DetectPcreParseTest09 (void) int result = 1; DetectPcreData *pd = NULL; char *teststring = "/lala\\\\/"; + int list = DETECT_SM_LIST_NOTSET; DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) return 0; - pd = DetectPcreParse(de_ctx, teststring); + pd = DetectPcreParse(de_ctx, teststring, &list); if (pd == NULL) { printf("expected %p: got NULL", pd); result = 0; @@ -1098,8 +1063,7 @@ int DetectPcreParseTest11(void) result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE); data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; if (data->flags & DETECT_PCRE_RAWBYTES || - !(data->flags & DETECT_PCRE_RELATIVE) || - data->flags & DETECT_PCRE_URI) { + !(data->flags & DETECT_PCRE_RELATIVE)) { result = 0; goto end; } @@ -1121,8 +1085,7 @@ int DetectPcreParseTest11(void) result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE); data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; if (data->flags & DETECT_PCRE_RAWBYTES || - !(data->flags & DETECT_PCRE_RELATIVE) || - data->flags & DETECT_PCRE_URI) { + !(data->flags & DETECT_PCRE_RELATIVE)) { result = 0; goto end; } @@ -1144,8 +1107,7 @@ int DetectPcreParseTest11(void) result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE); data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; if (!(data->flags & DETECT_PCRE_RAWBYTES) || - !(data->flags & DETECT_PCRE_RELATIVE) || - data->flags & DETECT_PCRE_URI) { + !(data->flags & DETECT_PCRE_RELATIVE)) { result = 0; goto end; } @@ -1207,8 +1169,7 @@ static int DetectPcreParseTest12(void) data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx; if (data->flags & DETECT_PCRE_RAWBYTES || - !(data->flags & DETECT_PCRE_RELATIVE) || - data->flags & DETECT_PCRE_URI) { + !(data->flags & DETECT_PCRE_RELATIVE)) { printf("flags not right: "); goto end; } 
@@ -1257,8 +1218,7 @@ static int DetectPcreParseTest13(void) data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx; if (data->flags & DETECT_PCRE_RAWBYTES || - !(data->flags & DETECT_PCRE_RELATIVE) || - data->flags & DETECT_PCRE_URI) { + !(data->flags & DETECT_PCRE_RELATIVE)) { printf("flags not right: "); goto end; } @@ -1307,8 +1267,7 @@ static int DetectPcreParseTest14(void) data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx; if (data->flags & DETECT_PCRE_RAWBYTES || - data->flags & DETECT_PCRE_RELATIVE || - data->flags & DETECT_PCRE_URI) { + data->flags & DETECT_PCRE_RELATIVE) { printf("flags not right: "); goto end; } diff --git a/src/detect-pcre.h b/src/detect-pcre.h index 986ca0a3d5..e0098cb1c0 100644 --- a/src/detect-pcre.h +++ b/src/detect-pcre.h 
@@ -26,38 +26,19 @@ #define DETECT_PCRE_RELATIVE 0x00001 #define DETECT_PCRE_RAWBYTES 0x00002 -#define DETECT_PCRE_URI 0x00004 - +#define DETECT_PCRE_CASELESS 0x00004 #define DETECT_PCRE_CAPTURE_PKT 0x00008 #define DETECT_PCRE_CAPTURE_FLOW 0x00010 #define DETECT_PCRE_MATCH_LIMIT 0x00020 - -#define DETECT_PCRE_HTTP_CLIENT_BODY 0x00040 -#define DETECT_PCRE_HTTP_SERVER_BODY 0x00080 - -#define DETECT_PCRE_RELATIVE_NEXT 0x00100 - -/* new modifiers 2.8.5.3 support */ -#define DETECT_PCRE_HEADER 0x00200 -#define DETECT_PCRE_RAW_HEADER 0x00400 -#define DETECT_PCRE_COOKIE 0x00800 -#define DETECT_PCRE_METHOD 0x01000 -#define DETECT_PCRE_HTTP_RAW_URI 0x02000 -#define DETECT_PCRE_HTTP_STAT_MSG 0x04000 -#define DETECT_PCRE_HTTP_STAT_CODE 0x08000 -#define DETECT_PCRE_HTTP_USER_AGENT 0x10000 -#define DETECT_PCRE_HTTP_HOST 0x20000 -#define DETECT_PCRE_HTTP_RAW_HOST 0x40000 - -#define DETECT_PCRE_NEGATE 0x80000 -#define DETECT_PCRE_CASELESS 0x100000 +#define DETECT_PCRE_RELATIVE_NEXT 0x00040 +#define DETECT_PCRE_NEGATE 0x00080 typedef struct DetectPcreData_ { /* pcre options */ pcre *re; pcre_extra *sd; int opts; - uint32_t flags; + uint16_t flags; uint16_t capidx; char *capname; } DetectPcreData;
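Review bot: `flags` shrinks to `uint16_t` while the defines are still written as five-digit constants, and nothing near them says they must stay within 16 bits. A future flag at 0x10000 or above would be truncated by `pd->flags |= ...`, possibly without a compiler diagnostic depending on warning flags, and the corresponding option would silently never be set. A comment above the defines such as `/* all DETECT_PCRE_* flags must fit in the uint16_t DetectPcreData_::flags */` would record the constraint, and a compile-time assertion on the highest flag would enforce it. DETECT_PCRE_CASELESS, DETECT_PCRE_RELATIVE_NEXT and DETECT_PCRE_NEGATE also change value here, so any code outside this diff that stores or compares raw flag numbers should be checked.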