From: Anoop Saldanha
Date: Mon, 20 Feb 2012 06:13:47 +0000 (+0530)
Subject: All http_http_stat_msg modified patterns now are DETECT_CONTENT and not DETECT_AL_HTT...
X-Git-Tag: suricata-1.3beta1~180
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=507e1b66e0d880f28df890d0177c7b4312f7f974;p=thirdparty%2Fsuricata.git

All http_http_stat_msg modified patterns now are DETECT_CONTENT and not DETECT_AL_HTTP_STAT_MSG
---
diff --git a/src/detect-depth.c b/src/detect-depth.c
index e982d4ed7c..bf0bc06a1b 100644
--- a/src/detect-depth.c
+++ b/src/detect-depth.c
@@ -96,7 +96,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
 DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]);
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]);
 if (pm == NULL) {
 SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs "
 "preceeding content, uricontent option, http_client_body, "
@@ -162,47 +162,6 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
 break;
- case DETECT_AL_HTTP_STAT_MSG:
- cd = (DetectContentData *)pm->ctx;
- if (cd->flags & DETECT_CONTENT_NEGATED) {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "negated keyword set along with a fast_pattern");
- goto error;
- }
- } else {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "keyword set along with a fast_pattern:only;");
- goto error;
- }
- }
-
- if (str[0] != '-' && isalpha(str[0])) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(str, s,
- SigMatchListSMBelongsTo(s, pm));
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
- "seen in depth - %s\n", str);
- goto error;
- }
- cd->depth = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_DEPTH_BE;
- } else {
- cd->depth = (uint32_t)atoi(str);
- if (cd->depth < cd->content_len) {
- cd->depth = cd->content_len;
- SCLogDebug("depth increased to %"PRIu32" to match pattern len ",
- cd->depth);
- }
- /* Now update the real limit, as depth is relative to the offset */
- cd->depth += cd->offset;
- cd->flags |= DETECT_CONTENT_DEPTH;
- }
-
- break;
-
 case DETECT_AL_HTTP_STAT_CODE:
 cd = (DetectContentData *)pm->ctx;
 if (cd->flags & DETECT_CONTENT_NEGATED) {
diff --git a/src/detect-distance.c b/src/detect-distance.c
index 948de01801..db992fe4e2 100644
--- a/src/detect-distance.c
+++ b/src/detect-distance.c
@@ -171,7 +171,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
 DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]);
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]);
 if (pm == NULL) {
 SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs "
 "preceeding content, uricontent option, http_client_body, "
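Review bot: The failure path directly below the changed pair in DetectDistanceSetup still logs `SC_ERR_WITHIN_MISSING_CONTENT` with the text "within needs ...", so a rule author who misplaces `distance` is pointed at the wrong keyword when the signature is rejected. The commit already edits this lookup, so the diagnostic could be corrected in the same pass: `SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs "`. The SCLogError call continues past the end of the hunk, so the remainder of the message should be checked too.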
@@ -291,73 +291,6 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
 break;
- case DETECT_AL_HTTP_STAT_MSG:
- cd = (DetectContentData *)pm->ctx;
- if (cd->flags & DETECT_CONTENT_NEGATED) {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "negated keyword set along with a fast_pattern");
- goto error;
- }
- } else {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "keyword set along with a fast_pattern:only;");
- goto error;
- }
- }
-
- if (str[0] != '-' && isalpha(str[0])) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(str, s,
- SigMatchListSMBelongsTo(s, pm));
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
- "seen in distance - %s\n", str);
- goto error;
- }
- cd->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_DISTANCE_BE;
- } else {
- cd->distance = strtol(str, NULL, 10);
- if (cd->flags & DETECT_CONTENT_WITHIN) {
- if ((cd->distance + cd->content_len) > cd->within) {
- cd->within = cd->distance + cd->content_len;
- }
- }
- }
-
- cd->flags |= DETECT_CONTENT_DISTANCE;
-
- /* reassigning pm */
- pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_AL_HTTP_STAT_MSG, pm->prev,
- DETECT_PCRE, pm->prev);
- if (pm == NULL) {
- SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for "
- "http_stat_msg needs preceeding http_stat_msg "
- "content");
- goto error;
- }
-
- if (pm->type == DETECT_PCRE) {
- DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
- } else {
- /* reassigning cd */
- cd = (DetectContentData *)pm->ctx;
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
- "has a fast_pattern:only; set. You can't "
- "have relative keywords around a fast_pattern "
- "only content");
- goto error;
- }
- cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
- }
-
- break;
-
 case DETECT_AL_HTTP_STAT_CODE:
 cd = (DetectContentData *)pm->ctx;
 if (cd->flags & DETECT_CONTENT_NEGATED) {
diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c
index 5a68f87cf1..e3435424ff 100644
--- a/src/detect-engine-content-inspection.c
+++ b/src/detect-engine-content-inspection.c
@@ -108,8 +108,7 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
 /* \todo unify this which is phase 2 of payload inspection unification */
 if (sm->type == DETECT_CONTENT ||
- sm->type == DETECT_AL_HTTP_STAT_CODE ||
- sm->type == DETECT_AL_HTTP_STAT_MSG) {
+ sm->type == DETECT_AL_HTTP_STAT_CODE) {
 DetectContentData *cd = (DetectContentData *)sm->ctx;
 SCLogDebug("inspecting content %"PRIu32" buffer_len %"PRIu32, cd->id, buffer_len);
diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c
index 5f85287b0d..3ca7a4718e 100644
--- a/src/detect-fast-pattern.c
+++ b/src/detect-fast-pattern.c
@@ -146,7 +146,7 @@ void SupportFastPatternForSigMatchTypes(void)
 SupportFastPatternForSigMatchType(DETECT_CONTENT);
 SupportFastPatternForSigMatchList(DETECT_SM_LIST_HRUDMATCH);
- SupportFastPatternForSigMatchType(DETECT_AL_HTTP_STAT_MSG);
+ SupportFastPatternForSigMatchType(DETECT_CONTENT);
 SupportFastPatternForSigMatchList(DETECT_SM_LIST_HSMDMATCH);
 SupportFastPatternForSigMatchType(DETECT_AL_HTTP_STAT_CODE);
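Review bot: In detect-fast-pattern.c, SupportFastPatternForSigMatchTypes now calls `SupportFastPatternForSigMatchType(DETECT_CONTENT);` for the HSMDMATCH pair although the same type is already registered in the context lines just above for HRUDMATCH. Whether the repeat is harmless depends on the helper, whose body is not in the hunk; if it appends without checking for an existing entry, the type list gains duplicates. Either drop the repeated call and keep only `SupportFastPatternForSigMatchList(DETECT_SM_LIST_HSMDMATCH);`, or mark it with a comment such as `/* type already registered above; only the list is new */`.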
@@ -245,7 +245,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
 DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]);
 if (pm == NULL) {
diff --git a/src/detect-http-stat-msg.c b/src/detect-http-stat-msg.c
index 9e05a4bfc5..6a4de2ac8e 100644
--- a/src/detect-http-stat-msg.c
+++ b/src/detect-http-stat-msg.c
@@ -263,7 +263,7 @@ static int DetectHttpStatMsgSetup (DetectEngineCtx *de_ctx, Signature *s, char *
 /* reassigning pm */
 pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
 DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]);
 if (pm == NULL) {
 SCLogError(SC_ERR_INVALID_SIGNATURE, "http_stat_msg seen with a "
@@ -280,7 +280,7 @@ static int DetectHttpStatMsgSetup (DetectEngineCtx *de_ctx, Signature *s, char *
 }
 }
 cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HSMDMATCH);
- sm->type = DETECT_AL_HTTP_STAT_MSG;
+ sm->type = DETECT_CONTENT;
 /* transfer the sm from the pmatch list to hcbdmatch list */
 SigMatchTransferSigMatchAcrossLists(sm,
@@ -378,10 +378,10 @@ int DetectHttpStatMsgTest02(void)
 SigMatch *prev = NULL;
 while (sm != NULL) {
- if (sm->type == DETECT_AL_HTTP_STAT_MSG) {
+ if (sm->type == DETECT_CONTENT) {
 result = 1;
 } else {
- printf("expected DETECT_CONTENT_AL_HTTP_STAT_MSG, got %d: ", sm->type);
+ printf("expected DETECT_CONTENT for http_stat_msg, got %d: ", sm->type);
 goto end;
 }
 prev = sm;
diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c
index 886b10c3be..bc4eaab2e3 100644
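Review bot: In the second detect-http-stat-msg.c hunk, the context comment after the changed assignment says the match is moved "to hcbdmatch list", while the pattern id on the line above it is taken for `DETECT_SM_LIST_HSMDMATCH`; the comment looks copied from another keyword and should read `/* transfer the sm from the pmatch list to hsmdmatch list */`. The new `sm->type = DETECT_CONTENT;` also deserves a one-line comment that http_stat_msg patterns are now distinguished only by the list they sit on, for example `/* stays DETECT_CONTENT; the HSMDMATCH list identifies the buffer */`. If the match was created by the content keyword it presumably already carries that type, in which case the assignment can be removed; DetectHttpStatMsgSetup extends beyond the hunk, so that needs confirming.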
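Review bot: The loop in DetectHttpStatMsgTest02 now accepts any `DETECT_CONTENT` match, which is also the type a pattern has when http_stat_msg was never applied to it, so the type check alone no longer shows that the keyword took effect. The start of the walk is outside the hunk; if `sm` is not already taken from the `DETECT_SM_LIST_HSMDMATCH` list, the test should additionally assert that the pattern sits on that list and that the pmatch list no longer holds it. A short comment above the loop naming the list being walked would make the intent clear.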
--- a/src/detect-isdataat.c
+++ b/src/detect-isdataat.c
@@ -361,7 +361,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
 DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
 DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 10 */
 DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
@@ -419,7 +419,6 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
 switch (prev_pm->type) {
 case DETECT_CONTENT:
- case DETECT_AL_HTTP_STAT_MSG:
 case DETECT_AL_HTTP_STAT_CODE:
 /* Set the relative next flag on the prev sigmatch */
 cd = (DetectContentData *)prev_pm->ctx;
diff --git a/src/detect-nocase.c b/src/detect-nocase.c
index b74a947488..c00198f5b0 100644
--- a/src/detect-nocase.c
+++ b/src/detect-nocase.c
@@ -83,7 +83,7 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
 DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]);
 if (pm == NULL) {
@@ -98,7 +98,6 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
 switch (pm->type) {
 case DETECT_CONTENT:
- case DETECT_AL_HTTP_STAT_MSG:
 case DETECT_AL_HTTP_STAT_CODE:
 cd = (DetectContentData *)pm->ctx;
 if (cd == NULL) {
diff --git a/src/detect-offset.c b/src/detect-offset.c
index 57d9349724..4470b7af18 100644
--- a/src/detect-offset.c
+++ b/src/detect-offset.c
@@ -92,7 +92,7 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
 DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]);
 if (pm == NULL) {
@@ -163,49 +163,6 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
 break;
- case DETECT_AL_HTTP_STAT_MSG:
- cd = (DetectContentData *)pm->ctx;
- if (cd->flags & DETECT_CONTENT_NEGATED) {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "negated keyword set along with a fast_pattern");
- goto error;
- }
- } else {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "keyword set along with a fast_pattern:only;");
- goto error;
- }
- }
-
- if (str[0] != '-' && isalpha(str[0])) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(str, s,
- SigMatchListSMBelongsTo(s, pm));
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
- "seen in offset - %s\n", str);
- goto error;
- }
- cd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_OFFSET_BE;
- } else {
- cd->offset = (uint32_t)atoi(str);
- if (cd->depth != 0) {
- if (cd->depth < cd->content_len) {
- SCLogDebug("depth increased to %"PRIu32" to match pattern len",
- cd->content_len);
- cd->depth = cd->content_len;
- }
- /* Updating the depth as is relative to the offset */
- cd->depth += cd->offset;
- }
- }
-
- cd->flags |= DETECT_CONTENT_OFFSET;
-
- break;
 case DETECT_AL_HTTP_STAT_CODE:
 cd = (DetectContentData *)pm->ctx;
diff --git a/src/detect-pcre.c b/src/detect-pcre.c
index 9532680a6a..0203b10a80 100644
--- a/src/detect-pcre.c
+++ b/src/detect-pcre.c
@@ -1201,10 +1201,9 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
 SCReturnInt(0);
 }
- prev_sm = SigMatchGetLastSMFromLists(s, 8,
+ prev_sm = SigMatchGetLastSMFromLists(s, 6,
 DETECT_CONTENT, sm->prev,
 DETECT_PCRE, sm->prev,
- DETECT_AL_HTTP_STAT_MSG, sm->prev,
 DETECT_AL_HTTP_STAT_CODE, sm->prev);
 if (prev_sm == NULL) {
 if (s->alproto == ALPROTO_DCERPC) {
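Review bot: In the detect-pcre.c hunk, the literal count in `SigMatchGetLastSMFromLists(s, 6,` has to be kept in step by hand with the three type/list pairs that remain, and nothing visible checks it. The value is right for this call, but a stale count on a call of this shape would make the callee read arguments that were never passed, assuming it is variadic as the call sites suggest. A comment next to the count, such as `/* 3 type/list pairs */`, would make the next edit of this list easier to verify. The call sits inside DetectPcreSetup, which starts and ends outside the hunk.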
@@ -1229,7 +1228,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
 switch (prev_sm->type) {
 case DETECT_CONTENT:
- case DETECT_AL_HTTP_STAT_MSG:
 case DETECT_AL_HTTP_STAT_CODE:
 /* Set the relative next flag on the prev sigmatch */
 cd = (DetectContentData *)prev_sm->ctx;
diff --git a/src/detect-within.c b/src/detect-within.c
index bdaf3e9f26..838e05bfd6 100644
--- a/src/detect-within.c
+++ b/src/detect-within.c
@@ -172,7 +172,7 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
 DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]);
 if (pm == NULL) {
@@ -300,74 +300,6 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
 break;
- case DETECT_AL_HTTP_STAT_MSG:
- cd = (DetectContentData *)pm->ctx;
- if (cd->flags & DETECT_CONTENT_NEGATED) {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "negated keyword set along with a fast_pattern");
- goto error;
- }
- } else {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
- "keyword set along with a fast_pattern:only;");
- goto error;
- }
- }
-
- if (str[0] != '-' && isalpha(str[0])) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(str, s,
- SigMatchListSMBelongsTo(s, pm));
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
- "seen in within - %s\n", str);
- goto error;
- }
- cd->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_WITHIN_BE;
- } else {
- cd->within = strtol(str, NULL, 10);
- if (cd->within < (int32_t)cd->content_len) {
- SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is "
- "less than the content length \"%"PRIu32"\" which is invalid, since "
- "this will never match. Invalidating signature", cd->within,
- cd->content_len);
- goto error;
- }
- }
-
- cd->flags |= DETECT_CONTENT_WITHIN;
-
- /* reassigning pm */
- pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_AL_HTTP_STAT_MSG, pm->prev,
- DETECT_PCRE, pm->prev);
- if (pm == NULL) {
- SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for http_stat_msg "
- "needs preceeding http_stat_msg content");
- goto error;
- }
-
- if (pm->type == DETECT_PCRE) {
- DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
- } else {
- /* reassigning cd */
- cd = (DetectContentData *)pm->ctx;
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
- "has a fast_pattern:only; set. You can't "
- "have relative keywords around a fast_pattern "
- "only content");
- goto error;
- }
- cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
- }
-
- break;
-
 case DETECT_AL_HTTP_STAT_CODE:
 cd = (DetectContentData *)pm->ctx;
 if (cd->flags & DETECT_CONTENT_NEGATED) {