From: Victor Julien Date: Wed, 14 Dec 2016 10:42:58 +0000 (+0100) Subject: file_data: dynamic buffer X-Git-Tag: suricata-4.0.0-beta1~395 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6bd37611eebe68574d5a29d04d333740a276b928;p=thirdparty%2Fsuricata.git file_data: dynamic buffer --- diff --git a/src/detect-base64-data.c b/src/detect-base64-data.c index 7b1be1f137..97fd2e09b7 100644 --- a/src/detect-base64-data.c +++ b/src/detect-base64-data.c @@ -74,6 +74,8 @@ int DetectBase64DataDoMatch(DetectEngineCtx *de_ctx, #include "detect-engine.h" +static int g_file_data_buffer_id = 0; + static int DetectBase64DataSetupTest01(void) { DetectEngineCtx *de_ctx = NULL; @@ -151,7 +153,7 @@ static int DetectBase64DataSetupTest02(void) goto end; } - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA]; + sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id]; if (sm == NULL) { printf("DETECT_SM_LIST_FILEDATA is NULL: "); goto end; @@ -249,6 +251,8 @@ end: static void DetectBase64DataRegisterTests(void) { #ifdef UNITTESTS + g_file_data_buffer_id = DetectBufferTypeGetByName("file_data"); + UtRegisterTest("DetectBase64DataSetupTest01", DetectBase64DataSetupTest01); UtRegisterTest("DetectBase64DataSetupTest02", DetectBase64DataSetupTest02); UtRegisterTest("DetectBase64DataSetupTest03", DetectBase64DataSetupTest03); diff --git a/src/detect-byte-extract.c b/src/detect-byte-extract.c index 06f39e5c74..64a512458f 100644 --- a/src/detect-byte-extract.c +++ b/src/detect-byte-extract.c 
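Review bot: In DetectBase64DataRegisterTests the result of `DetectBufferTypeGetByName("file_data")` is stored in `g_file_data_buffer_id` without a check, and DetectBase64DataSetupTest02 then uses it directly as an index in `sm_lists[g_file_data_buffer_id]`. If the lookup can fail (its failure value is not visible in this diff), the test would read outside the array instead of failing cleanly; a guard such as `if (g_file_data_buffer_id < 0) return;` before the UtRegisterTest calls would make that explicit. The same unchecked assignment is repeated in the RegisterTests hunks of detect-byte-extract.c, detect-bytejump.c, detect-bytetest.c, detect-content.c and detect-fast-pattern.c, and in DetectFiledataRegister. The failure message in Test02 still prints `DETECT_SM_LIST_FILEDATA is NULL`, which no longer names what is indexed.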
@@ -520,16 +520,8 @@ static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *a int sm_list; if (s->init_data->list != DETECT_SM_LIST_NOTSET) { - if (s->init_data->list == DETECT_SM_LIST_FILEDATA) { - if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "dce byte_extract specified " - "with file_data option set."); - goto error; - } - AppLayerHtpEnableResponseBodyCallback(); - } sm_list = s->init_data->list; - s->flags |= SIG_FLAG_APPLAYER; + if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) { prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1); } @@ -679,6 +671,8 @@ SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s) #ifdef UNITTESTS +static int g_file_data_buffer_id = 0; + static int DetectByteExtractTest01(void) { int result = 0; @@ -4634,11 +4628,11 @@ static int DetectByteExtractTest62(void) goto end; } - if (s->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL) { + if (s->sm_lists_tail[g_file_data_buffer_id] == NULL) { goto end; } - sm = s->sm_lists[DETECT_SM_LIST_FILEDATA]; + sm = s->sm_lists[g_file_data_buffer_id]; if (sm->type != DETECT_BYTE_EXTRACT) { result = 0; goto end; @@ -4736,6 +4730,8 @@ static int DetectByteExtractTestParseNoBase(void) static void DetectByteExtractRegisterTests(void) { #ifdef UNITTESTS + g_file_data_buffer_id = DetectBufferTypeGetByName("file_data"); + UtRegisterTest("DetectByteExtractTest01", DetectByteExtractTest01); UtRegisterTest("DetectByteExtractTest02", DetectByteExtractTest02); UtRegisterTest("DetectByteExtractTest03", DetectByteExtractTest03); diff --git a/src/detect-bytejump.c b/src/detect-bytejump.c index 4eb362b0b9..246f1faab7 100644 --- a/src/detect-bytejump.c +++ b/src/detect-bytejump.c 
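Review bot: The first hunk drops the rejection of `dce` byte_extract under file_data from DetectByteExtractSetup (the `SC_ERR_INVALID_SIGNATURE` branch), and nothing visible in this commit replaces it; the new DetectFiledataSetupCallback in detect-file-data.c only enables a body callback and sets the state mask. Unless the check moved to code outside this diff, a rule combining the two now loads silently instead of being refused, which is easy to miss in a large ruleset. The same removal is made in DetectBytejumpSetup and DetectBytetestSetup. If it is intended, a comment at `sm_list = s->init_data->list;` saying where DCE/file_data conflicts are validated would help; otherwise keep the check keyed on the dynamic id, e.g. `if (s->init_data->list == DetectBufferTypeGetByName("file_data") && data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE)`. The function body continues outside the hunk.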
@@ -519,16 +519,8 @@ static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts int sm_list; if (s->init_data->list != DETECT_SM_LIST_NOTSET) { - if (s->init_data->list == DETECT_SM_LIST_FILEDATA) { - if (data->flags & DETECT_BYTEJUMP_DCE) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "dce bytejump specified " - "with file_data option set."); - goto error; - } - AppLayerHtpEnableResponseBodyCallback(); - } sm_list = s->init_data->list; - s->flags |= SIG_FLAG_APPLAYER; + if (data->flags & DETECT_BYTEJUMP_RELATIVE) { prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1); } @@ -647,6 +639,8 @@ static void DetectBytejumpFree(void *ptr) /* UNITTESTS */ #ifdef UNITTESTS #include "util-unittest-helper.h" +static int g_file_data_buffer_id = 0; + /** * \test DetectBytejumpTestParse01 is a test to make sure that we return * "something" when given valid bytejump opt @@ -1070,15 +1064,15 @@ static int DetectBytejumpTestParse12(void) } s = de_ctx->sig_list; - if (s->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL) { + if (s->sm_lists_tail[g_file_data_buffer_id] == NULL) { goto end; } - if (s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_BYTEJUMP) { + if (s->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_BYTEJUMP) { goto end; } - bd = (DetectBytejumpData *)s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + bd = (DetectBytejumpData *)s->sm_lists_tail[g_file_data_buffer_id]->ctx; if ((bd->flags & DETECT_BYTEJUMP_DCE) && (bd->flags & DETECT_BYTEJUMP_RELATIVE) && (bd->flags & DETECT_BYTEJUMP_STRING) && @@ -1295,6 +1289,8 @@ end: static void DetectBytejumpRegisterTests(void) { #ifdef UNITTESTS + g_file_data_buffer_id = DetectBufferTypeGetByName("file_data"); + UtRegisterTest("DetectBytejumpTestParse01", DetectBytejumpTestParse01); UtRegisterTest("DetectBytejumpTestParse02", DetectBytejumpTestParse02); UtRegisterTest("DetectBytejumpTestParse03", DetectBytejumpTestParse03); 
diff --git a/src/detect-bytetest.c b/src/detect-bytetest.c index 15938a0c41..c51483dd8e 100644 --- a/src/detect-bytetest.c +++ b/src/detect-bytetest.c @@ -446,16 +446,8 @@ static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts int sm_list; if (s->init_data->list != DETECT_SM_LIST_NOTSET) { - if (s->init_data->list == DETECT_SM_LIST_FILEDATA) { - if (data->flags & DETECT_BYTETEST_DCE) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "dce bytetest specified " - "with file_data option set."); - goto error; - } - AppLayerHtpEnableResponseBodyCallback(); - } sm_list = s->init_data->list; - s->flags |= SIG_FLAG_APPLAYER; + if (data->flags & DETECT_BYTETEST_RELATIVE) { prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1); } @@ -585,6 +577,8 @@ static void DetectBytetestFree(void *ptr) /* UNITTESTS */ #ifdef UNITTESTS #include "util-unittest-helper.h" +static int g_file_data_buffer_id = 0; + /** * \test DetectBytetestTestParse01 is a test to make sure that we return "something" * when given valid bytetest opt @@ -1248,17 +1242,17 @@ static int DetectBytetestTestParse22(void) } s = de_ctx->sig_list; - if (s->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL) { + if (s->sm_lists_tail[g_file_data_buffer_id] == NULL) { printf("empty server body list: "); goto end; } - if (s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_BYTETEST) { + if (s->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_BYTETEST) { printf("bytetest not last sm in server body list: "); goto end; } - bd = (DetectBytetestData *)s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + bd = (DetectBytetestData *)s->sm_lists_tail[g_file_data_buffer_id]->ctx; if (bd->flags & DETECT_BYTETEST_DCE && bd->flags & DETECT_BYTETEST_RELATIVE && (bd->flags & DETECT_BYTETEST_STRING) && 
@@ -1441,6 +1435,8 @@ end: static void DetectBytetestRegisterTests(void) { #ifdef UNITTESTS + g_file_data_buffer_id = DetectBufferTypeGetByName("file_data"); + UtRegisterTest("DetectBytetestTestParse01", DetectBytetestTestParse01); UtRegisterTest("DetectBytetestTestParse02", DetectBytetestTestParse02); UtRegisterTest("DetectBytetestTestParse03", DetectBytetestTestParse03); diff --git a/src/detect-content.c b/src/detect-content.c index 7726c4b8f7..9c77013875 100644 --- a/src/detect-content.c +++ b/src/detect-content.c @@ -385,16 +385,8 @@ int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, char *contentstr) goto error; DetectContentPrint(cd); - int sm_list; - if (s->init_data->list != DETECT_SM_LIST_NOTSET) { - if (s->init_data->list == DETECT_SM_LIST_FILEDATA && s->alproto == ALPROTO_HTTP) { - AppLayerHtpEnableResponseBodyCallback(); - s->alproto = ALPROTO_HTTP; - } - - s->flags |= SIG_FLAG_APPLAYER; - sm_list = s->init_data->list; - } else { + int sm_list = s->init_data->list; + if (sm_list == DETECT_SM_LIST_NOTSET) { sm_list = DETECT_SM_LIST_PMATCH; } @@ -432,6 +424,7 @@ void DetectContentFree(void *ptr) } #ifdef UNITTESTS /* UNITTESTS */ +static int g_file_data_buffer_id = 0; /** * \test DetectCotentParseTest01 this is a test to make sure we can deal with escaped colons @@ -1950,7 +1943,7 @@ static int DetectContentParseTest36(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) { + if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) { printf("content not in FILEDATA list: "); goto end; } @@ -1990,7 +1983,7 @@ static int DetectContentParseTest37(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) { + if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) { printf("content not in FILEDATA list: "); goto end; } 
@@ -2030,7 +2023,7 @@ static int DetectContentParseTest38(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) { + if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) { printf("content not in FILEDATA list: "); goto end; } @@ -2114,7 +2107,7 @@ static int DetectContentParseTest39(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) { + if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) { printf("content not in FILEDATA list: "); goto end; } @@ -2154,7 +2147,7 @@ static int DetectContentParseTest40(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) { + if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) { printf("content not in FILEDATA list: "); goto end; } @@ -2855,6 +2848,8 @@ static int DetectLongContentTest3(void) static void DetectContentRegisterTests(void) { #ifdef UNITTESTS /* UNITTESTS */ + g_file_data_buffer_id = DetectBufferTypeGetByName("file_data"); + UtRegisterTest("DetectContentParseTest01", DetectContentParseTest01); UtRegisterTest("DetectContentParseTest02", DetectContentParseTest02); UtRegisterTest("DetectContentParseTest03", DetectContentParseTest03); diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c index 16acb2fc4b..a13f405282 100644 --- a/src/detect-engine-analyzer.c +++ b/src/detect-engine-analyzer.c @@ -126,8 +126,6 @@ void EngineAnalysisFP(Signature *s, char *line) fprintf(fp_engine_analysis_FD, "http cookie content\n"); else if (list_type == DETECT_SM_LIST_HCBDMATCH) fprintf(fp_engine_analysis_FD, "http client body content\n"); - else if (list_type == DETECT_SM_LIST_FILEDATA) - fprintf(fp_engine_analysis_FD, "http server body content\n"); else if (list_type == DETECT_SM_LIST_HSCDMATCH) fprintf(fp_engine_analysis_FD, "http stat code content\n"); else if (list_type == DETECT_SM_LIST_HSMDMATCH) 
@@ -482,8 +480,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s) fprintf(rule_engine_analysis_FD, "http cookie content"); else if (list_type == DETECT_SM_LIST_HCBDMATCH) fprintf(rule_engine_analysis_FD, "http client body content"); - else if (list_type == DETECT_SM_LIST_FILEDATA) - fprintf(rule_engine_analysis_FD, "http server body content"); else if (list_type == DETECT_SM_LIST_HSCDMATCH) fprintf(rule_engine_analysis_FD, "http stat code content"); else if (list_type == DETECT_SM_LIST_HSMDMATCH) @@ -588,6 +584,9 @@ void EngineAnalysisRules(const Signature *s, const char *line) uint32_t warn_no_direction = 0; uint32_t warn_both_direction = 0; + const int nlists = DetectBufferTypeMaxId(); + const int filedata_id = DetectBufferTypeGetByName("file_data"); + if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) { rule_bidirectional = 1; } @@ -606,8 +605,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) rule_ipv6_only += 1; } - for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) { - + for (list_id = 0; list_id < nlists; list_id++) { SigMatch *sm = NULL; for (sm = s->init_data->smlists[list_id]; sm != NULL; sm = sm->next) { if (sm->type == DETECT_PCRE) { @@ -631,7 +629,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) norm_http_buf += 1; http_cookie_buf += 1; } - else if (list_id == DETECT_SM_LIST_FILEDATA) { + else if (list_id == filedata_id) { rule_pcre_http += 1; http_server_body_buf += 1; raw_http_buf += 1; @@ -697,7 +695,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) raw_http_buf += 1; http_client_body_buf += 1; } - else if (list_id == DETECT_SM_LIST_FILEDATA) { + else if (list_id == filedata_id) { rule_content_http += 1; raw_http_buf += 1; http_server_body_buf += 1; diff --git a/src/detect-engine.c b/src/detect-engine.c index 460d37502a..cbaef3ed9e 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c 
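Review bot: In EngineAnalysisRules the two `else if (list_id == filedata_id)` branches (hunks at -631 and -697) still count a file_data match as HTTP via `rule_pcre_http`/`rule_content_http`, `http_server_body_buf` and `raw_http_buf`, although the same commit registers the buffer for ALPROTO_SMTP too and describes it as "http response body or smtp attachments data". An SMTP file_data rule would therefore presumably be reported as an HTTP server-body rule in the analysis output. Either gate the branch, `else if (list_id == filedata_id && s->alproto != ALPROTO_SMTP)`, or add a comment stating that these counters are HTTP-only by design. The function body starts and ends outside these hunks.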
@@ -2804,8 +2804,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type) return "http raw uri"; case DETECT_SM_LIST_HCBDMATCH: return "http client body"; - case DETECT_SM_LIST_FILEDATA: - return "http server body"; case DETECT_SM_LIST_HHDMATCH: return "http headers"; case DETECT_SM_LIST_HRHDMATCH: diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index 9661eee6d2..e4d415c382 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c @@ -321,6 +321,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a /*----------------------------------Unittests---------------------------------*/ #ifdef UNITTESTS +static int g_file_data_buffer_id = 0; /** * \test Checks if a fast_pattern is registered in a Signature @@ -12883,7 +12884,7 @@ int DetectFastPatternTest466(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -12921,7 +12922,7 @@ int DetectFastPatternTest467(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA]; + sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id]; if (sm != NULL) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { @@ -12958,7 +12959,7 @@ int DetectFastPatternTest468(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA]; + sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id]; if (sm != NULL) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { 
@@ -12989,7 +12990,7 @@ int DetectFastPatternTest469(void) if (de_ctx->sig_list == NULL) goto end; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA]; + sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id]; if (sm == NULL) { goto end; } @@ -13025,7 +13026,7 @@ int DetectFastPatternTest470(void) if (de_ctx->sig_list == NULL) goto end; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA]; + sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id]; if (sm == NULL) { goto end; } @@ -13270,7 +13271,7 @@ int DetectFastPatternTest480(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -13303,7 +13304,7 @@ int DetectFastPatternTest481(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -13336,7 +13337,7 @@ int DetectFastPatternTest482(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && 
@@ -13369,7 +13370,7 @@ int DetectFastPatternTest483(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -13401,7 +13402,7 @@ int DetectFastPatternTest484(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -13527,7 +13528,7 @@ int DetectFastPatternTest489(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -13560,7 +13561,7 @@ int DetectFastPatternTest490(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -13593,7 +13594,7 @@ int DetectFastPatternTest491(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -13626,7 +13627,7 @@ int DetectFastPatternTest492(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -13659,7 +13660,7 @@ int DetectFastPatternTest493(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -13692,7 +13693,7 @@ int DetectFastPatternTest494(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -13725,7 +13726,7 @@ int DetectFastPatternTest495(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -13758,7 +13759,7 @@ int DetectFastPatternTest496(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -13791,7 +13792,7 @@ int DetectFastPatternTest497(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -13899,7 +13900,7 @@ int DetectFastPatternTest501(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && 
@@ -14029,7 +14030,7 @@ int DetectFastPatternTest506(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -14089,7 +14090,7 @@ int DetectFastPatternTest508(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA]; + sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id]; if (sm != NULL) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { @@ -14126,7 +14127,7 @@ int DetectFastPatternTest509(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA]; + sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id]; if (sm != NULL) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { @@ -14157,7 +14158,7 @@ int DetectFastPatternTest510(void) if (de_ctx->sig_list == NULL) goto end; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA]; + sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id]; if (sm == NULL) { goto end; } @@ -14193,7 +14194,7 @@ int DetectFastPatternTest511(void) if (de_ctx->sig_list == NULL) goto end; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA]; + sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id]; if (sm == NULL) { goto end; } 
@@ -14438,7 +14439,7 @@ int DetectFastPatternTest521(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -14471,7 +14472,7 @@ int DetectFastPatternTest522(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -14504,7 +14505,7 @@ int DetectFastPatternTest523(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -14537,7 +14538,7 @@ int DetectFastPatternTest524(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && 
@@ -14569,7 +14570,7 @@ int DetectFastPatternTest525(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -14695,7 +14696,7 @@ int DetectFastPatternTest530(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -14728,7 +14729,7 @@ int DetectFastPatternTest531(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -14761,7 +14762,7 @@ int DetectFastPatternTest532(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -14794,7 +14795,7 @@ int DetectFastPatternTest533(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -14827,7 +14828,7 @@ int DetectFastPatternTest534(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -14860,7 +14861,7 @@ int DetectFastPatternTest535(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -14893,7 +14894,7 @@ int DetectFastPatternTest536(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -14926,7 +14927,7 @@ int DetectFastPatternTest537(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -14959,7 +14960,7 @@ int DetectFastPatternTest538(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -15067,7 +15068,7 @@ int DetectFastPatternTest542(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -15197,7 +15198,7 @@ int DetectFastPatternTest547(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && 
@@ -18820,8 +18821,9 @@ int DetectFastPatternTest671(void) void DetectFastPatternRegisterTests(void) { - #ifdef UNITTESTS + g_file_data_buffer_id = DetectBufferTypeGetByName("file_data"); + UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01); UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02); UtRegisterTest("DetectFastPatternTest03", DetectFastPatternTest03); diff --git a/src/detect-file-data.c b/src/detect-file-data.c index 167ca67137..e9a4a14b94 100644 --- a/src/detect-file-data.c +++ b/src/detect-file-data.c @@ -48,6 +48,9 @@ static int DetectFiledataSetup (DetectEngineCtx *, Signature *, char *); static void DetectFiledataRegisterTests(void); +static void DetectFiledataSetupCallback(Signature *s); +static int g_file_data_buffer_id = 0; + /** * \brief Registration function for keyword: file_data */ 
@@ -63,19 +66,25 @@ void DetectFiledataRegister(void) sigmatch_table[DETECT_FILE_DATA].RegisterTests = DetectFiledataRegisterTests; sigmatch_table[DETECT_FILE_DATA].flags = SIGMATCH_NOOPT; - DetectMpmAppLayerRegister("file_data", SIG_FLAG_TOSERVER, - DETECT_SM_LIST_FILEDATA, 2, + DetectAppLayerMpmRegister("file_data", SIG_FLAG_TOSERVER, 2, PrefilterTxSmtpFiledataRegister); - DetectMpmAppLayerRegister("file_data", SIG_FLAG_TOCLIENT, - DETECT_SM_LIST_FILEDATA, 2, + DetectAppLayerMpmRegister("file_data", SIG_FLAG_TOCLIENT, 2, PrefilterTxHttpResponseBodyRegister); - DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT, - DETECT_SM_LIST_FILEDATA, + DetectAppLayerInspectEngineRegister2("file_data", + ALPROTO_HTTP, SIG_FLAG_TOCLIENT, DetectEngineInspectHttpServerBody); - DetectAppLayerInspectEngineRegister(ALPROTO_SMTP, SIG_FLAG_TOSERVER, - DETECT_SM_LIST_FILEDATA, + DetectAppLayerInspectEngineRegister2("file_data", + ALPROTO_SMTP, SIG_FLAG_TOSERVER, DetectEngineInspectSMTPFiledata); + + DetectBufferTypeRegisterSetupCallback("file_data", + DetectFiledataSetupCallback); + + DetectBufferTypeSetDescriptionByName("file_data", + "http response body or smtp attachments data"); + + g_file_data_buffer_id = DetectBufferTypeGetByName("file_data"); } /** 
@@ -114,12 +123,27 @@ static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, char *str return -1; } - s->init_data->list = DETECT_SM_LIST_FILEDATA; - + s->init_data->list = DetectBufferTypeGetByName("file_data"); return 0; } +static void DetectFiledataSetupCallback(Signature *s) +{ + if (s->alproto == ALPROTO_HTTP || s->alproto == ALPROTO_UNKNOWN) { + AppLayerHtpEnableRequestBodyCallback(); + } + if (s->alproto == ALPROTO_HTTP) { + s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; + } else if (s->alproto == ALPROTO_SMTP) { + s->mask |= SIG_MASK_REQUIRE_SMTP_STATE; + } + + SCLogDebug("callback invoked by %u", s->id); +} + #ifdef UNITTESTS +#include "detect-isdataat.h" + static int DetectFiledataParseTest01(void) { DetectEngineCtx *de_ctx = NULL; @@ -143,7 +167,7 @@ static int DetectFiledataParseTest01(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) { + if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) { printf("content not in FILEDATA list: "); goto end; } @@ -180,7 +204,7 @@ static int DetectFiledataParseTest02(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) { + if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) { printf("content not in FILEDATA list: "); goto end; } @@ -217,7 +241,7 @@ static int DetectFiledataParseTest03(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) { + if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) { printf("content not in FILEDATA list: "); goto end; } 
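Review bot: DetectFiledataSetupCallback enables the HTTP request body callback, but every file_data path this commit removes (in detect-isdataat.c, detect-pcre.c and the old DetectHttpServerBodySetupCallback) called `AppLayerHtpEnableResponseBodyCallback()`. The buffer is also described here as "http response body or smtp attachments data". Unless something outside this diff still enables response-body collection, a ruleset whose only body keywords are file_data or http_server_body may never get a response body to inspect, which would be a silent detection gap. The first call in the callback should probably read `AppLayerHtpEnableResponseBodyCallback();`. The two new parse tests do not cover this, so a test that loads a single file_data rule and checks the response-body setting would keep it from regressing.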
@@ -286,6 +310,60 @@ end: return result; } + +static int DetectFiledataIsdataatParseTest1(void) +{ + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + FAIL_IF_NULL(de_ctx); + de_ctx->flags |= DE_QUIET; + + Signature *s = DetectEngineAppendSig(de_ctx, + "alert tcp any any -> any any (" + "file_data; content:\"one\"; " + "isdataat:!4,relative; sid:1;)"); + FAIL_IF_NULL(s); + + SigMatch *sm = s->init_data->smlists[g_file_data_buffer_id]; + FAIL_IF_NULL(sm); + FAIL_IF_NOT(sm->type == DETECT_CONTENT); + sm = sm->next; + FAIL_IF_NULL(sm); + FAIL_IF_NOT(sm->type == DETECT_ISDATAAT); + + DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx; + FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE); + FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED); + FAIL_IF(data->flags & ISDATAAT_RAWBYTES); + + DetectEngineCtxFree(de_ctx); + PASS; +} + +static int DetectFiledataIsdataatParseTest2(void) +{ + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + FAIL_IF_NULL(de_ctx); + de_ctx->flags |= DE_QUIET; + + Signature *s = DetectEngineAppendSig(de_ctx, + "alert tcp any any -> any any (" + "file_data; " + "isdataat:!4,relative; sid:1;)"); + FAIL_IF_NULL(s); + + SigMatch *sm = s->init_data->smlists_tail[g_file_data_buffer_id]; + FAIL_IF_NULL(sm); + FAIL_IF_NOT(sm->type == DETECT_ISDATAAT); + + DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx; + FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE); + FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED); + FAIL_IF(data->flags & ISDATAAT_RAWBYTES); + + DetectEngineCtxFree(de_ctx); + PASS; +} + #endif void DetectFiledataRegisterTests(void) 
@@ -296,5 +374,10 @@ void DetectFiledataRegisterTests(void) UtRegisterTest("DetectFiledataParseTest03", DetectFiledataParseTest03); UtRegisterTest("DetectFiledataParseTest04", DetectFiledataParseTest04); UtRegisterTest("DetectFiledataParseTest05", DetectFiledataParseTest05); + + UtRegisterTest("DetectFiledataIsdataatParseTest1", + DetectFiledataIsdataatParseTest1); + UtRegisterTest("DetectFiledataIsdataatParseTest2", + DetectFiledataIsdataatParseTest2); #endif } diff --git a/src/detect-http-server-body.c b/src/detect-http-server-body.c index e1337e59ca..9c40d480d2 100644 --- a/src/detect-http-server-body.c +++ b/src/detect-http-server-body.c @@ -59,9 +59,11 @@ #include "detect-http-server-body.h" #include "stream-tcp.h" -int DetectHttpServerBodySetup(DetectEngineCtx *, Signature *, char *); -void DetectHttpServerBodyRegisterTests(void); -void DetectHttpServerBodyFree(void *); +static int DetectHttpServerBodySetup(DetectEngineCtx *, Signature *, char *); +static void DetectHttpServerBodyRegisterTests(void); +static void DetectHttpServerBodyFree(void *); + +static int g_file_data_buffer_id = 0; /** * \brief Registers the keyword handlers for the "http_server_body" keyword. @@ -78,15 +80,9 @@ void DetectHttpServerBodyRegister(void) sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].RegisterTests = DetectHttpServerBodyRegisterTests; sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].flags |= SIGMATCH_PAYLOAD ; -} + sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].flags |= SIGMATCH_PAYLOAD; -static void DetectHttpServerBodySetupCallback(Signature *s) -{ - s->flags |= SIG_FLAG_APPLAYER; - AppLayerHtpEnableResponseBodyCallback(); - - return; + g_file_data_buffer_id = DetectBufferTypeRegister("file_data"); } /** 
@@ -106,9 +102,8 @@ int DetectHttpServerBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { return DetectEngineContentModifierBufferSetup(de_ctx, s, arg, DETECT_AL_HTTP_SERVER_BODY, - DETECT_SM_LIST_FILEDATA, - ALPROTO_HTTP, - DetectHttpServerBodySetupCallback); + g_file_data_buffer_id, + ALPROTO_HTTP, NULL); } /** @@ -166,7 +161,7 @@ static int DetectHttpServerBodyTest01(void) goto end; } - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA]; + sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id]; if (sm == NULL) { goto end; } @@ -1815,15 +1810,15 @@ int DetectHttpServerBodyTest22(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n"); goto end; } DetectContentData *cd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx; DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; - DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; - DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; + DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (cd1->flags != 0 || memcmp(cd1->content, "one", cd1->content_len) != 0 || cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 || hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT || 
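Review bot: The `NULL` passed as the last argument of DetectEngineContentModifierBufferSetup deserves a comment, because http_server_body now has no setup callback of its own. The removed DetectHttpServerBodySetupCallback set `SIG_FLAG_APPLAYER` and enabled the response body callback, and that work appears to move to the callback registered on the "file_data" buffer type in detect-file-data.c. I would add `/* no keyword callback: setup is done by the callback registered on the "file_data" buffer type */` above the call. Whether `SIG_FLAG_APPLAYER` is still set for these rules is not visible in this hunk and is worth confirming.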
@@ -1870,15 +1865,15 @@ int DetectHttpServerBodyTest23(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n"); goto end; } DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx; DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; - DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; - DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; + DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (pd1->flags != 0 || cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 || hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT || 
@@ -1924,15 +1919,15 @@ int DetectHttpServerBodyTest24(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n"); goto end; } DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx; DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; - DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; - DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; + DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (pd1->flags != 0 || cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 || hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT || 
@@ -1979,15 +1974,15 @@ int DetectHttpServerBodyTest25(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n"); goto end; } DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx; DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; - DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; - DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; + DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (pd1->flags != DETECT_PCRE_RELATIVE_NEXT || cd2->flags != DETECT_CONTENT_DISTANCE || memcmp(cd2->content, "four", cd2->content_len) != 0 || 
@@ -2035,15 +2030,15 @@ int DetectHttpServerBodyTest26(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n"); goto end; } DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx; DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; - DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; - DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; + DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || cd2->flags != DETECT_CONTENT_DISTANCE || memcmp(cd2->content, "four", cd2->content_len) != 0 || 
@@ -2118,15 +2113,15 @@ int DetectHttpServerBodyTest28(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n"); goto end; } DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx; DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; - DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; - DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; + DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || cd2->flags != DETECT_CONTENT_DISTANCE || memcmp(cd2->content, "four", cd2->content_len) != 0 || 
@@ -2173,13 +2168,13 @@ int DetectHttpServerBodyTest29(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n"); goto end; } - DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; - DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; + DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(hsbd1->content, "one", hsbd1->content_len) != 0 || hsbd2->flags != DETECT_CONTENT_DISTANCE || @@ -2217,13 +2212,13 @@ int DetectHttpServerBodyTest30(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n"); goto end; } - DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; - DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; + DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(hsbd1->content, "one", hsbd1->content_len) != 0 || hsbd2->flags != DETECT_CONTENT_WITHIN || 
@@ -2316,38 +2311,32 @@ int DetectHttpServerBodyTest34(void) DetectEngineCtx *de_ctx = NULL; int result = 0; - if ( (de_ctx = DetectEngineCtxInit()) == NULL) - goto end; + de_ctx = DetectEngineCtxInit(); + FAIL_IF_NULL(de_ctx); de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " "(pcre:/one/Q; " "content:\"two\"; within:5; http_server_body; sid:1;)"); - if (de_ctx->sig_list == NULL) { - printf("de_ctx->sig_list == NULL\n"); - goto end; - } + FAIL_IF_NULL(de_ctx->sig_list); - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n"); - goto end; - } + FAIL_IF_NOT_NULL(de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH]); - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n"); goto end; } - if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_CONTENT || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->type != DETECT_PCRE) { + if (de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id] == NULL || + de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_CONTENT || + de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev == NULL || + de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->type != DETECT_PCRE) { goto end; } - DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; - DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectPcreData *pd1 = (DetectPcreData 
*)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; + DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || hsbd2->flags != DETECT_CONTENT_WITHIN || memcmp(hsbd2->content, "two", hsbd2->content_len) != 0) { @@ -2384,21 +2373,21 @@ int DetectHttpServerBodyTest35(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n"); goto end; } - if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_PCRE || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->type != DETECT_CONTENT) { + if (de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id] == NULL || + de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_PCRE || + de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev == NULL || + de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->type != DETECT_CONTENT) { goto end; } - DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; - DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; + DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (pd2->flags != (DETECT_PCRE_RELATIVE) || hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(hsbd1->content, "two", hsbd1->content_len) != 0) { 
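Review bot: DetectHttpServerBodyTest34 is only half converted to the FAIL_IF macros: the first three checks now use `FAIL_IF_NULL` / `FAIL_IF_NOT_NULL`, while the remaining ones still `goto end` and report through `result`. If the macros return from the test immediately (the new tests in detect-file-data.c use them with no `end:` label), the early failures skip whatever cleanup sits under `end:` while the later ones run it. Converting the remaining checks as well, e.g. `FAIL_IF_NULL(de_ctx->sig_list->sm_lists[g_file_data_buffer_id]);`, and finishing with `PASS` would make the test consistent. The end of the function is outside the hunk.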
@@ -2435,21 +2424,21 @@ int DetectHttpServerBodyTest36(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n"); goto end; } - if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_CONTENT || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->type != DETECT_PCRE) { + if (de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id] == NULL || + de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_CONTENT || + de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev == NULL || + de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->type != DETECT_PCRE) { goto end; } - DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->prev->ctx; - DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx; + DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx; if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || hsbd2->flags != DETECT_CONTENT_DISTANCE || memcmp(hsbd2->content, "two", hsbd2->content_len) != 0) { diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index ad3b16ae79..407b0a6e70 100644 --- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c 
@@ -211,12 +211,8 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst int sm_list; if (s->init_data->list != DETECT_SM_LIST_NOTSET) { - if (s->init_data->list == DETECT_SM_LIST_FILEDATA) { - AppLayerHtpEnableResponseBodyCallback(); - s->alproto = ALPROTO_HTTP; - } sm_list = s->init_data->list; - s->flags |= SIG_FLAG_APPLAYER; + if (idad->flags & ISDATAAT_RELATIVE) { prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1); } 
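Review bot: Removing `s->flags |= SIG_FLAG_APPLAYER;` here affects every sticky buffer, not only file_data, because the line sat outside the `DETECT_SM_LIST_FILEDATA` check and ran whenever `s->init_data->list` was set. DetectPcreSetup keeps the same assignment in its equivalent branch in this commit, so isdataat and pcre now disagree on it. The removed block also pinned `s->alproto = ALPROTO_HTTP` for file_data, which the new DetectFiledataSetupCallback does not do. If the flag is now set centrally for buffer-type lists, a one-line comment in place of the removed statement saying where would help; otherwise the statement should stay. The rest of DetectIsdataatSetup is outside the hunk.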
@@ -828,103 +824,6 @@ int DetectIsdataatTestParse13(void) return result; } -static int DetectIsdataatTestParse14(void) -{ - DetectEngineCtx *de_ctx = NULL; - int result = 0; - Signature *s = NULL; - DetectIsdataatData *data = NULL; - - de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto end; - - de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " - "(msg:\"Testing file_data and isdataat\"; " - "file_data; content:\"one\"; " - "isdataat:!4,relative; sid:1;)"); - if (de_ctx->sig_list == NULL) { - goto end; - } - - s = de_ctx->sig_list; - if (s->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL) { - printf("server body list empty: "); - goto end; - } - - if (s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_ISDATAAT) { - printf("last server body sm not isdataat: "); - goto end; - } - - data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; - if ( !(data->flags & ISDATAAT_RELATIVE) || - (data->flags & ISDATAAT_RAWBYTES) || - !(data->flags & ISDATAAT_NEGATED) ) { - goto end; - } - - result = 1; - end: - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - - return result; -} - -/** - * \test file_data with isdataat relative to it - */ -static int DetectIsdataatTestParse15(void) -{ - DetectEngineCtx *de_ctx = NULL; - int result = 0; - Signature *s = NULL; - DetectIsdataatData *data = NULL; - - de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto end; - - de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " - "(msg:\"Testing file_data and isdataat\"; " - "file_data; isdataat:!4,relative; sid:1;)"); - if (de_ctx->sig_list == NULL) { - printf("sig parse: "); - goto end; - } - - s = de_ctx->sig_list; - if (s->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL) { - printf("server body list empty: "); - goto end; - } - - if (s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_ISDATAAT) { - printf("last server 
body sm not isdataat: "); - goto end; - } - - data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; - if ( !(data->flags & ISDATAAT_RELATIVE) || - (data->flags & ISDATAAT_RAWBYTES) || - !(data->flags & ISDATAAT_NEGATED) ) { - goto end; - } - - result = 1; - end: - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - - return result; -} - /** * \test dns_query with isdataat relative to it */ @@ -1100,8 +999,6 @@ void DetectIsdataatRegisterTests(void) UtRegisterTest("DetectIsdataatTestParse11", DetectIsdataatTestParse11); UtRegisterTest("DetectIsdataatTestParse12", DetectIsdataatTestParse12); UtRegisterTest("DetectIsdataatTestParse13", DetectIsdataatTestParse13); - UtRegisterTest("DetectIsdataatTestParse14", DetectIsdataatTestParse14); - UtRegisterTest("DetectIsdataatTestParse15", DetectIsdataatTestParse15); UtRegisterTest("DetectIsdataatTestParse16", DetectIsdataatTestParse16); UtRegisterTest("DetectIsdataatTestPacket01", DetectIsdataatTestPacket01); diff --git a/src/detect-lua.c b/src/detect-lua.c index 06a0315207..6a60482c3f 100644 --- a/src/detect-lua.c +++ b/src/detect-lua.c @@ -991,9 +991,10 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) else SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH); } else if (lua->alproto == ALPROTO_HTTP) { - if (lua->flags & DATATYPE_HTTP_RESPONSE_BODY) - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_FILEDATA); - else if (lua->flags & DATATYPE_HTTP_REQUEST_BODY) + if (lua->flags & DATATYPE_HTTP_RESPONSE_BODY) { + int list = DetectBufferTypeGetByName("file_data"); + SigMatchAppendSMToList(s, sm, list); + } else if (lua->flags & DATATYPE_HTTP_REQUEST_BODY) SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCBDMATCH); else if (lua->flags & DATATYPE_HTTP_URI) SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH); diff --git a/src/detect-parse.c b/src/detect-parse.c index 18fbb9d51a..98c3bf1d14 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c 
@@ -144,7 +144,6 @@ const char *DetectListToHumanString(int list) CASE_CODE_STRING(DETECT_SM_LIST_UMATCH, "http_uri"); CASE_CODE_STRING(DETECT_SM_LIST_HRUDMATCH, "http_raw_uri"); CASE_CODE_STRING(DETECT_SM_LIST_HCBDMATCH, "http_client_body"); - CASE_CODE_STRING(DETECT_SM_LIST_FILEDATA, "file_data"); CASE_CODE_STRING(DETECT_SM_LIST_HHDMATCH, "http_header"); CASE_CODE_STRING(DETECT_SM_LIST_HRHDMATCH, "http_raw_header"); CASE_CODE_STRING(DETECT_SM_LIST_HSMDMATCH, "http_stat_msg"); @@ -188,7 +187,6 @@ const char *DetectListToString(int list) CASE_CODE(DETECT_SM_LIST_UMATCH); CASE_CODE(DETECT_SM_LIST_HRUDMATCH); CASE_CODE(DETECT_SM_LIST_HCBDMATCH); - CASE_CODE(DETECT_SM_LIST_FILEDATA); CASE_CODE(DETECT_SM_LIST_HHDMATCH); CASE_CODE(DETECT_SM_LIST_HRHDMATCH); CASE_CODE(DETECT_SM_LIST_HSMDMATCH); @@ -1592,7 +1590,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) if (s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH] || - s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA] || s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH] || diff --git a/src/detect-pcre.c b/src/detect-pcre.c index 918c475998..6be08703aa 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -458,10 +458,12 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr, /* snort's option (http request body inspection) */ *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HCBDMATCH); break; - case 'Q': + case 'Q': { + int list = DetectBufferTypeGetByName("file_data"); /* suricata extension (http response body inspection) */ - *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_FILEDATA); + *sm_list = DetectPcreSetList(*sm_list, list); break; + } case 'Y': /* snort's option */ *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HSMDMATCH); 
@@ -666,7 +668,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst if (parsed_sm_list == DETECT_SM_LIST_UMATCH || parsed_sm_list == DETECT_SM_LIST_HRUDMATCH || parsed_sm_list == DETECT_SM_LIST_HCBDMATCH || - parsed_sm_list == DETECT_SM_LIST_FILEDATA || parsed_sm_list == DETECT_SM_LIST_HHDMATCH || parsed_sm_list == DETECT_SM_LIST_HRHDMATCH || parsed_sm_list == DETECT_SM_LIST_HSMDMATCH || @@ -694,14 +695,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst int sm_list = -1; if (s->init_data->list != DETECT_SM_LIST_NOTSET) { - if (s->init_data->list == DETECT_SM_LIST_FILEDATA) { - SCLogDebug("adding to http server body list because of file data"); - AppLayerHtpEnableResponseBodyCallback(); - } else if (s->init_data->list == DETECT_SM_LIST_DMATCH) { - SCLogDebug("adding to dmatch list because of dce_stub_data"); - } else if (s->init_data->list == DETECT_SM_LIST_DNSQUERYNAME_MATCH) { - SCLogDebug("adding to DETECT_SM_LIST_DNSQUERYNAME_MATCH list because of dns_query"); - } s->flags |= SIG_FLAG_APPLAYER; sm_list = s->init_data->list; } else { @@ -713,13 +706,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst sm_list = parsed_sm_list; break; - case DETECT_SM_LIST_FILEDATA: - AppLayerHtpEnableResponseBodyCallback(); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - sm_list = parsed_sm_list; - break; - case DETECT_SM_LIST_UMATCH: case DETECT_SM_LIST_HRUDMATCH: case DETECT_SM_LIST_HHDMATCH: @@ -738,6 +724,9 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst case DETECT_SM_LIST_NOTSET: sm_list = DETECT_SM_LIST_PMATCH; break; + default: + sm_list = parsed_sm_list; + break; } } if (sm_list == -1) @@ -805,6 +794,7 @@ void DetectPcreFree(void *ptr) } #ifdef UNITTESTS /* UNITTESTS */ +static int g_file_data_buffer_id = 0; /** * \test DetectPcreParseTest01 make sure we don't allow invalid opts 7. 
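Review bot: The new `default:` branch in DetectPcreSetup now handles the `/Q` modifier, but the `case DETECT_SM_LIST_FILEDATA:` it replaces also set `s->flags |= SIG_FLAG_APPLAYER` and `s->alproto = ALPROTO_HTTP`, and neither happens on the new path. If nothing else pins the protocol, a rule whose only HTTP keyword is a pcre with `/Q` would reach DetectFiledataSetupCallback with an unknown alproto and get neither state mask; that case is worth a test. The branch also accepts any list id not named above it, so a comment such as `/* dynamically registered buffer lists, e.g. file_data via /Q */` would document the intent. The switch and the rest of the function lie outside the hunk.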
@@ -1097,11 +1087,11 @@ static int DetectPcreParseTest12(void) FAIL_IF (de_ctx->sig_list == NULL); s = de_ctx->sig_list; - FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL); + FAIL_IF(s->sm_lists_tail[g_file_data_buffer_id] == NULL); - FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_PCRE); + FAIL_IF(s->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_PCRE); - data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + data = (DetectPcreData *)s->sm_lists_tail[g_file_data_buffer_id]->ctx; FAIL_IF(data->flags & DETECT_PCRE_RAWBYTES || !(data->flags & DETECT_PCRE_RELATIVE)); @@ -1130,11 +1120,11 @@ static int DetectPcreParseTest13(void) FAIL_IF(de_ctx->sig_list == NULL); s = de_ctx->sig_list; - FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL); + FAIL_IF(s->sm_lists_tail[g_file_data_buffer_id] == NULL); - FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_PCRE); + FAIL_IF(s->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_PCRE); - data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + data = (DetectPcreData *)s->sm_lists_tail[g_file_data_buffer_id]->ctx; FAIL_IF(data->flags & DETECT_PCRE_RAWBYTES || !(data->flags & DETECT_PCRE_RELATIVE)); @@ -1163,11 +1153,11 @@ static int DetectPcreParseTest14(void) FAIL_IF(de_ctx->sig_list == NULL); s = de_ctx->sig_list; - FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL); + FAIL_IF(s->sm_lists_tail[g_file_data_buffer_id] == NULL); - FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->type != DETECT_PCRE); + FAIL_IF(s->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_PCRE); - data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_FILEDATA]->ctx; + data = (DetectPcreData *)s->sm_lists_tail[g_file_data_buffer_id]->ctx; FAIL_IF(data->flags & DETECT_PCRE_RAWBYTES || data->flags & DETECT_PCRE_RELATIVE); 
@@ -3345,6 +3335,8 @@ static int DetectPcreParseHttpHost(void) void DetectPcreRegisterTests(void) { #ifdef UNITTESTS /* UNITTESTS */ + g_file_data_buffer_id = DetectBufferTypeGetByName("file_data"); + UtRegisterTest("DetectPcreParseTest01", DetectPcreParseTest01); UtRegisterTest("DetectPcreParseTest02", DetectPcreParseTest02); UtRegisterTest("DetectPcreParseTest03", DetectPcreParseTest03); diff --git a/src/detect-pkt-data.c b/src/detect-pkt-data.c index d1c956ea83..8f740636bc 100644 --- a/src/detect-pkt-data.c +++ b/src/detect-pkt-data.c @@ -82,6 +82,7 @@ static int DetectPktDataSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) #ifdef UNITTESTS /************************************Unittests*********************************/ +static int g_file_data_buffer_id = 0; static int DetectPktDataTest01(void) { @@ -105,9 +106,9 @@ static int DetectPktDataTest01(void) } /* sm should be in the MATCH list */ - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA]; + sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id]; if (sm == NULL) { - printf("sm not in DETECT_SM_LIST_FILEDATA: "); + printf("sm not in g_file_data_buffer_id: "); goto end; } @@ -145,6 +146,8 @@ end: static void DetectPktDataTestRegister(void) { #ifdef UNITTESTS + g_file_data_buffer_id = DetectBufferTypeGetByName("file_data"); + UtRegisterTest("DetectPktDataTest01", DetectPktDataTest01); #endif } diff --git a/src/detect.c b/src/detect.c index 3afdf81b70..11aecad951 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1918,9 +1918,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s) if (s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL) return 0; - if (s->init_data->smlists[DETECT_SM_LIST_FILEDATA] != NULL) - return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL) return 0; 
@@ -2029,9 +2026,6 @@ static int SignatureIsPDOnly(const Signature *s) if (s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL) return 0; - if (s->init_data->smlists[DETECT_SM_LIST_FILEDATA] != NULL) - return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL) return 0; @@ -2164,7 +2158,6 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s) s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL || - s->init_data->smlists[DETECT_SM_LIST_FILEDATA] != NULL || s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL || @@ -2337,16 +2330,6 @@ static int SignatureCreateMask(Signature *s) SCLogDebug("sig requires http app state"); } - if (s->init_data->smlists[DETECT_SM_LIST_FILEDATA] != NULL) { - /* set the state depending from the protocol */ - if (s->alproto == ALPROTO_HTTP) - s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; - else if (s->alproto == ALPROTO_SMTP) - s->mask |= SIG_MASK_REQUIRE_SMTP_STATE; - - SCLogDebug("sig requires http or smtp app state"); - } - if (s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL) { s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; SCLogDebug("sig requires http app state"); diff --git a/src/detect.h b/src/detect.h index c238bcb39f..330b918f4b 100644 --- a/src/detect.h +++ b/src/detect.h @@ -121,8 +121,6 @@ enum DetectSigmatchListEnum { DETECT_SM_LIST_HRUDMATCH, /* list for http_client_body keyword and the ones relative to it */ DETECT_SM_LIST_HCBDMATCH, - /* list for http_server_body keyword and the ones relative to it */ - DETECT_SM_LIST_FILEDATA, /* list for http_header keyword and the ones relative to it */ DETECT_SM_LIST_HHDMATCH, /* list for http_raw_header keyword and the ones relative to it */