From: Andreas Herz Date: Fri, 4 Aug 2017 23:06:22 +0000 (+0200) Subject: keyword-filesize: add units X-Git-Tag: suricata-4.1.0-beta1~481 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f0794c16f6adaa3e8a79553a8fcc81aadeed9c7;p=thirdparty%2Fsuricata.git keyword-filesize: add units
---
diff --git a/doc/userguide/rules/file-keywords.rst b/doc/userguide/rules/file-keywords.rst
index 44c5b667a9..9a173bd8e5 100644
--- a/doc/userguide/rules/file-keywords.rst
+++ b/doc/userguide/rules/file-keywords.rst
@@ -124,12 +124,14 @@ Syntax::
 filesize:;
+Possible units are KB, MB and GB, without any unit the default is bytes.
+
 Examples::
 filesize:100; # exactly 100 bytes
 filesize:100<>200; # greater than 100 and smaller than 200
- filesize:>100; # greater than 100
- filesize:<100; # smaller than 100
+ filesize:>100MB; # greater than 100 megabytes
+ filesize:<100MB; # smaller than 100 megabytes
 **Note**: For files that are not completely tracked because of packet loss or stream.depth being reached on the "greater than" is
diff --git a/src/detect-filesize.c b/src/detect-filesize.c
index 48c1a0e2ee..1e18178ec4 100644
--- a/src/detect-filesize.c
+++ b/src/detect-filesize.c
@@ -28,6 +28,7 @@
 #include "app-layer-htp.h"
 #include "util-unittest.h"
 #include "util-unittest-helper.h"
+#include "util-misc.h"
 #include "detect.h"
 #include "detect-parse.h"
@@ -43,7 +44,7 @@
 /**
 * \brief Regex for parsing our filesize
 */
-#define PARSE_REGEX "^(?:\\s*)(<|>)?(?:\\s*)([0-9]{1,23})(?:\\s*)(?:(<>)(?:\\s*)([0-9]{1,23}))?\\s*$"
+#define PARSE_REGEX "^(?:\\s*)(<|>)?(?:\\s*)([0-9]{1,23}[a-zA-Z]{0,2})(?:\\s*)(?:(<>)(?:\\s*)([0-9]{1,23}[a-zA-Z]{0,2}))?\\s*$"
 static pcre *parse_regex;
 static pcre_extra *parse_regex_study;
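Review bot: The unit suffix added to PARSE_REGEX, `[a-zA-Z]{0,2}`, admits any one or two letters, while the user guide text in the same commit documents only KB, MB and GB. Inputs such as `100K` or `100xy` therefore pass the keyword's own regex and are left for ParseSizeStringU64 (defined outside this diff) to reject, so a mistyped unit in a rule surfaces only as the generic size-parse error. If the helper is meant to be case-insensitive, consider restricting both capture groups to the documented set, e.g. `([0-9]{1,23}(?:[kKmMgG][bB])?)`. The `\brief` comment above the define could also say that an optional unit suffix is accepted.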
@@ -214,8 +215,8 @@ static DetectFilesizeData *DetectFilesizeParse (const char *str)
 }
 /** set the first value */
- if (ByteExtractStringUint64(&fsd->size1,10,strlen(arg2),arg2) <= 0){
- SCLogError(SC_ERR_INVALID_ARGUMENT,"Invalid size :\"%s\"",arg2);
+ if (ParseSizeStringU64(arg2, &fsd->size1) < 0) {
+ SCLogError(SC_ERR_SIZE_PARSE, "Error parsing filesize value - %s", arg2);
 goto error;
 }
@@ -227,9 +228,8 @@ static DetectFilesizeData *DetectFilesizeParse (const char *str)
 goto error;
 }
- if(ByteExtractStringUint64(&fsd->size2,10,strlen(arg4),arg4) <= 0)
- {
- SCLogError(SC_ERR_INVALID_ARGUMENT,"Invalid size :\"%s\"",arg4);
+ if (ParseSizeStringU64(arg4, &fsd->size2) < 0) {
+ SCLogError(SC_ERR_SIZE_PARSE, "Error parsing filesize value - %s", arg4);
 goto error;
 }
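Review bot: Range handling for the parsed size is no longer visible at these call sites: in the `size1` hunk and again in the `size2` hunk the integer parse is replaced by ParseSizeStringU64, while the keyword regex still allows up to 23 digits and now a unit multiplier on top. ParseSizeStringU64 lives in util-misc and is not part of this diff, so confirm it returns an error when the scaled value exceeds UINT64_MAX rather than wrapping or truncating; a threshold that silently shrinks would make a `filesize:>…GB` rule match far more, or far fewer, files than its author intended. Unit tests covering a value with a unit, an unknown unit and an out-of-range value would pin this behaviour down (none are visible in this diff). DetectFilesizeParse starts and ends outside both hunks.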