From: Jeff Lucovsky Date: Sun, 10 Mar 2024 14:04:07 +0000 (-0400) Subject: detect/byte: Refactor endian, base X-Git-Tag: suricata-8.0.0-beta1~1054 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=73dfc58772e658ac7ef9bc7b86f7a0732f297617;p=thirdparty%2Fsuricata.git detect/byte: Refactor endian, base Issue: 6873 Refactor the enums for endian and base handling for broader use. --- diff --git a/rust/src/detect/byte_math.rs b/rust/src/detect/byte_math.rs index 833adfa90a..79f92cce5d 100644 --- a/rust/src/detect/byte_math.rs +++ b/rust/src/detect/byte_math.rs @@ -19,6 +19,7 @@ use crate::detect::error::RuleParseError; use crate::detect::parser::{parse_var, take_until_whitespace, ResultValue}; +use crate::detect::{get_endian_value, get_string_value, ByteBase, ByteEndian}; use std::ffi::{CStr, CString}; use std::os::raw::c_char; @@ -60,26 +61,9 @@ pub enum ByteMathOperator { RightShift = 7, } -#[repr(u8)] -#[derive(Copy, Clone, Debug, PartialEq, Eq)] -// endian -pub enum ByteMathEndian { - _EndianNone = 0, - BigEndian = 1, - LittleEndian = 2, - EndianDCE = 3, -} -pub const DETECT_BYTEMATH_ENDIAN_DEFAULT: ByteMathEndian = ByteMathEndian::BigEndian; +pub const DETECT_BYTEMATH_ENDIAN_DEFAULT: ByteEndian = ByteEndian::BigEndian; -#[repr(u8)] -#[derive(Copy, Clone, Debug, PartialEq, Eq)] -pub enum ByteMathBase { - _BaseNone = 0, - BaseOct = 8, - BaseDec = 10, - BaseHex = 16, -} -const BASE_DEFAULT: ByteMathBase = ByteMathBase::BaseDec; +const BASE_DEFAULT: ByteBase = ByteBase::BaseDec; // Fixed position parameter count: bytes, offset, oper, rvalue, result // result is not parsed with the fixed position parameters as it's @@ -103,8 +87,8 @@ pub struct DetectByteMathData { local_id: u8, nbytes: u8, oper: ByteMathOperator, - endian: ByteMathEndian, // big, little, dce - base: ByteMathBase, // From string or dce + endian: ByteEndian, // big, little, dce + base: ByteBase, // From string or dce } impl Drop for DetectByteMathData { @@ -152,17 +136,6 @@ impl DetectByteMathData { } } -fn get_string_value(value: &str) -> Result { - let res = match value { - "hex" => ByteMathBase::BaseHex, - "oct" => ByteMathBase::BaseOct, - "dec" => ByteMathBase::BaseDec, - _ => return Err(()), - }; - - Ok(res) -} - fn get_oper_value(value: &str) -> Result { let res = match value { "+" => ByteMathOperator::Addition, @@ -177,17 +150,6 @@ fn get_oper_value(value: &str) -> Result { Ok(res) } -fn get_endian_value(value: &str) -> Result { - let res = match value { - "big" => ByteMathEndian::BigEndian, - "little" => ByteMathEndian::LittleEndian, - "dce" => ByteMathEndian::EndianDCE, - _ => return Err(()), - }; - - Ok(res) -} - fn parse_bytemath(input: &str) -> IResult<&str, DetectByteMathData, RuleParseError<&str>> { // Inner utility function for easy error creation. fn make_error(reason: String) -> nom7::Err> { @@ -293,7 +255,7 @@ fn parse_bytemath(input: &str) -> IResult<&str, DetectByteMathData, RuleParseErr return Err(make_error("endianess already set".to_string())); } byte_math.flags |= DETECT_BYTEMATH_FLAG_ENDIAN; - byte_math.endian = ByteMathEndian::EndianDCE; + byte_math.endian = ByteEndian::EndianDCE; } "string" => { if 0 != (byte_math.flags & DETECT_BYTEMATH_FLAG_STRING) { @@ -474,8 +436,9 @@ mod tests { } fn valid_test( - args: &str, nbytes: u8, offset: i32, oper: ByteMathOperator, rvalue_str: &str, nbytes_str: &str, rvalue: u32, - result: &str, base: ByteMathBase, endian: ByteMathEndian, bitmask_val: u32, flags: u8, + args: &str, nbytes: u8, offset: i32, oper: ByteMathOperator, rvalue_str: &str, + nbytes_str: &str, rvalue: u32, result: &str, base: ByteBase, endian: ByteEndian, + bitmask_val: u32, flags: u8, ) { let bmd = DetectByteMathData { nbytes, @@ -515,8 +478,8 @@ mod tests { "", 0, "myresult", - ByteMathBase::BaseDec, - ByteMathEndian::EndianDCE, + ByteBase::BaseDec, + ByteEndian::EndianDCE, 0, DETECT_BYTEMATH_FLAG_RVALUE_VAR | DETECT_BYTEMATH_FLAG_STRING @@ -532,8 +495,8 @@ mod tests { "", 99, "other", - ByteMathBase::BaseDec, - ByteMathEndian::EndianDCE, + ByteBase::BaseDec, + ByteEndian::EndianDCE, 0, DETECT_BYTEMATH_FLAG_STRING | DETECT_BYTEMATH_FLAG_ENDIAN, ); @@ -548,7 +511,7 @@ mod tests { 0, "foo", BASE_DEFAULT, - ByteMathEndian::BigEndian, + ByteEndian::BigEndian, 0, DETECT_BYTEMATH_FLAG_RVALUE_VAR, ); @@ -563,7 +526,7 @@ mod tests { 0, "foo", BASE_DEFAULT, - ByteMathEndian::BigEndian, + ByteEndian::BigEndian, 0, DETECT_BYTEMATH_FLAG_RVALUE_VAR | DETECT_BYTEMATH_FLAG_NBYTES_VAR, ); @@ -578,8 +541,8 @@ mod tests { "", 99, "other", - ByteMathBase::BaseDec, - ByteMathEndian::BigEndian, + ByteBase::BaseDec, + ByteEndian::BigEndian, 0, DETECT_BYTEMATH_FLAG_STRING | DETECT_BYTEMATH_FLAG_ENDIAN, ); @@ -595,53 +558,50 @@ mod tests { rvalue: 0, result: CString::new("foo").unwrap().into_raw(), endian: DETECT_BYTEMATH_ENDIAN_DEFAULT, - base: ByteMathBase::BaseDec, + base: ByteBase::BaseDec, flags: DETECT_BYTEMATH_FLAG_RVALUE_VAR | DETECT_BYTEMATH_FLAG_STRING, ..Default::default() }; - let (_, val) = parse_bytemath( - "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, string dec", - ).unwrap(); + let (_, val) = + parse_bytemath("bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, string dec") + .unwrap(); assert_eq!(val, bmd); bmd.flags = DETECT_BYTEMATH_FLAG_RVALUE_VAR; bmd.base = BASE_DEFAULT; - let (_, val) = parse_bytemath("bytes 4, offset 3933, oper +, rvalue myrvalue, result foo").unwrap(); + let (_, val) = + parse_bytemath("bytes 4, offset 3933, oper +, rvalue myrvalue, result foo").unwrap(); assert_eq!(val, bmd); bmd.flags = DETECT_BYTEMATH_FLAG_RVALUE_VAR | DETECT_BYTEMATH_FLAG_STRING; - bmd.base = ByteMathBase::BaseHex; - let (_, val) = parse_bytemath("bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, string hex").unwrap(); + bmd.base = ByteBase::BaseHex; + let (_, val) = + parse_bytemath("bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, string hex") + .unwrap(); assert_eq!(val, bmd); - bmd.base = ByteMathBase::BaseOct; - let (_, val) = parse_bytemath( - "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, string oct", - ).unwrap(); + bmd.base = ByteBase::BaseOct; + let (_, val) = + parse_bytemath("bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, string oct") + .unwrap(); assert_eq!(val, bmd); } #[test] fn test_parser_string_invalid() { - assert!( - parse_bytemath( - "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, string decimal" - ) - .is_err() - ); - assert!( - parse_bytemath( - "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, string hexadecimal" - ) - .is_err() - ); - assert!( - parse_bytemath( - "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, string octal" - ) - .is_err() - ); + assert!(parse_bytemath( + "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, string decimal" + ) + .is_err()); + assert!(parse_bytemath( + "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, string hexadecimal" + ) + .is_err()); + assert!(parse_bytemath( + "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, string octal" + ) + .is_err()); } #[test] @@ -663,50 +623,38 @@ mod tests { #[test] fn test_parser_bitmask_invalid() { - assert!( - parse_bytemath("bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, bitmask 0x") - .is_err() - ); - assert!( - parse_bytemath( - "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, bitmask x12345678" - ) - .is_err() - ); - assert!( - parse_bytemath( - "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, bitmask X12345678" - ) - .is_err() - ); - assert!( - parse_bytemath( - "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, bitmask 0x123456789012" - ) - .is_err() - ); - assert!( - parse_bytemath("bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, bitmask 0q") - .is_err() - ); - assert!( - parse_bytemath( - "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, bitmask maple" - ) - .is_err() - ); - assert!( - parse_bytemath( - "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, bitmask 0xGHIJKLMN" - ) - .is_err() - ); - assert!( - parse_bytemath( - "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, bitmask #*#*@-" - ) - .is_err() - ); + assert!(parse_bytemath( + "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, bitmask 0x" + ) + .is_err()); + assert!(parse_bytemath( + "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, bitmask x12345678" + ) + .is_err()); + assert!(parse_bytemath( + "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, bitmask X12345678" + ) + .is_err()); + assert!(parse_bytemath( + "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, bitmask 0x123456789012" + ) + .is_err()); + assert!(parse_bytemath( + "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, bitmask 0q" + ) + .is_err()); + assert!(parse_bytemath( + "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, bitmask maple" + ) + .is_err()); + assert!(parse_bytemath( + "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, bitmask 0xGHIJKLMN" + ) + .is_err()); + assert!(parse_bytemath( + "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, bitmask #*#*@-" + ) + .is_err()); } #[test] @@ -718,7 +666,7 @@ mod tests { rvalue_str: CString::new("myrvalue").unwrap().into_raw(), rvalue: 0, result: CString::new("foo").unwrap().into_raw(), - endian: ByteMathEndian::BigEndian, + endian: ByteEndian::BigEndian, base: BASE_DEFAULT, flags: DETECT_BYTEMATH_FLAG_RVALUE_VAR | DETECT_BYTEMATH_FLAG_BITMASK, ..Default::default() @@ -727,23 +675,23 @@ mod tests { bmd.bitmask_val = 0x12345678; let (_, val) = parse_bytemath( "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, bitmask 0x12345678", - ).unwrap(); + ) + .unwrap(); assert_eq!(val, bmd); - bmd.bitmask_val = 0xffff1234; let (_, val) = parse_bytemath( "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, bitmask ffff1234", - ).unwrap(); + ) + .unwrap(); assert_eq!(val, bmd); - bmd.bitmask_val = 0xffff1234; let (_, val) = parse_bytemath( "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, bitmask 0Xffff1234", - ).unwrap(); + ) + .unwrap(); assert_eq!(val, bmd); - } #[test] fn test_parser_endian_valid() { @@ -754,71 +702,61 @@ mod tests { rvalue_str: CString::new("myrvalue").unwrap().into_raw(), rvalue: 0, result: CString::new("foo").unwrap().into_raw(), - endian: ByteMathEndian::BigEndian, + endian: ByteEndian::BigEndian, base: BASE_DEFAULT, flags: DETECT_BYTEMATH_FLAG_RVALUE_VAR | DETECT_BYTEMATH_FLAG_ENDIAN, ..Default::default() }; - let (_, val) = parse_bytemath( - "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, endian big", - ).unwrap(); + let (_, val) = + parse_bytemath("bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, endian big") + .unwrap(); assert_eq!(val, bmd); - - bmd.endian = ByteMathEndian::LittleEndian; + bmd.endian = ByteEndian::LittleEndian; let (_, val) = parse_bytemath( "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, endian little", - ).unwrap(); + ) + .unwrap(); assert_eq!(val, bmd); - - bmd.endian = ByteMathEndian::EndianDCE; - let (_, val) = parse_bytemath("bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, dce").unwrap(); + bmd.endian = ByteEndian::EndianDCE; + let (_, val) = + parse_bytemath("bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, dce") + .unwrap(); assert_eq!(val, bmd); - bmd.endian = DETECT_BYTEMATH_ENDIAN_DEFAULT; bmd.flags = DETECT_BYTEMATH_FLAG_RVALUE_VAR; - let (_, val) = parse_bytemath("bytes 4, offset 3933, oper +, rvalue myrvalue, result foo").unwrap(); + let (_, val) = + parse_bytemath("bytes 4, offset 3933, oper +, rvalue myrvalue, result foo").unwrap(); assert_eq!(val, bmd); - } #[test] fn test_parser_endian_invalid() { - assert!( - parse_bytemath( - "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, endian bigger" - ) - .is_err() - ); - assert!( - parse_bytemath( - "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, endian smaller" - ) - .is_err() - ); + assert!(parse_bytemath( + "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, endian bigger" + ) + .is_err()); + assert!(parse_bytemath( + "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, endian smaller" + ) + .is_err()); // endianess can only be specified once - assert!( - parse_bytemath( - "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, endian big, dce" - ) - .is_err() - ); - assert!( - parse_bytemath( - "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, endian small, endian big" - ) - .is_err() - ); - assert!( - parse_bytemath( - "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, endian small, dce" - ) - .is_err() - ); + assert!(parse_bytemath( + "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, endian big, dce" + ) + .is_err()); + assert!(parse_bytemath( + "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, endian small, endian big" + ) + .is_err()); + assert!(parse_bytemath( + "bytes 4, offset 3933, oper +, rvalue myrvalue, result foo, endian small, dce" + ) + .is_err()); } #[test] @@ -830,59 +768,50 @@ mod tests { rvalue_str: CString::new("myrvalue").unwrap().into_raw(), rvalue: 0, result: CString::new("foo").unwrap().into_raw(), - endian: ByteMathEndian::BigEndian, + endian: ByteEndian::BigEndian, base: BASE_DEFAULT, flags: DETECT_BYTEMATH_FLAG_RVALUE_VAR, ..Default::default() }; - let (_, val) = parse_bytemath("bytes 4, offset 3933, oper +, rvalue myrvalue, result foo").unwrap(); + let (_, val) = + parse_bytemath("bytes 4, offset 3933, oper +, rvalue myrvalue, result foo").unwrap(); assert_eq!(val, bmd); - bmd.oper = ByteMathOperator::Subtraction; - let (_, val) = parse_bytemath("bytes 4, offset 3933, oper -, rvalue myrvalue, result foo").unwrap(); + let (_, val) = + parse_bytemath("bytes 4, offset 3933, oper -, rvalue myrvalue, result foo").unwrap(); assert_eq!(val, bmd); - bmd.oper = ByteMathOperator::Multiplication; - let (_, val) = parse_bytemath("bytes 4, offset 3933, oper *, rvalue myrvalue, result foo").unwrap(); + let (_, val) = + parse_bytemath("bytes 4, offset 3933, oper *, rvalue myrvalue, result foo").unwrap(); assert_eq!(val, bmd); bmd.oper = ByteMathOperator::Division; - let (_, val) = parse_bytemath("bytes 4, offset 3933, oper /, rvalue myrvalue, result foo").unwrap(); + let (_, val) = + parse_bytemath("bytes 4, offset 3933, oper /, rvalue myrvalue, result foo").unwrap(); assert_eq!(val, bmd); bmd.oper = ByteMathOperator::RightShift; - let (_, val) = parse_bytemath("bytes 4, offset 3933, oper >>, rvalue myrvalue, result foo").unwrap(); + let (_, val) = + parse_bytemath("bytes 4, offset 3933, oper >>, rvalue myrvalue, result foo").unwrap(); assert_eq!(val, bmd); bmd.oper = ByteMathOperator::LeftShift; - let (_, val) = parse_bytemath("bytes 4, offset 3933, oper <<, rvalue myrvalue, result foo").unwrap(); + let (_, val) = + parse_bytemath("bytes 4, offset 3933, oper <<, rvalue myrvalue, result foo").unwrap(); assert_eq!(val, bmd); - } #[test] fn test_parser_oper_invalid() { - assert!( - parse_bytemath("bytes 4, offset 0, oper !, rvalue myvalue, result foo").is_err() - ); - assert!( - parse_bytemath("bytes 4, offset 0, oper ^, rvalue myvalue, result foo").is_err() - ); - assert!( - parse_bytemath("bytes 4, offset 0, oper <>, rvalue myvalue, result foo").is_err() - ); - assert!( - parse_bytemath("bytes 4, offset 0, oper ><, rvalue myvalue, result foo").is_err() - ); - assert!( - parse_bytemath("bytes 4, offset 0, oper <, rvalue myvalue, result foo").is_err() - ); - assert!( - parse_bytemath("bytes 4, offset 0, oper >, rvalue myvalue, result foo").is_err() - ); + assert!(parse_bytemath("bytes 4, offset 0, oper !, rvalue myvalue, result foo").is_err()); + assert!(parse_bytemath("bytes 4, offset 0, oper ^, rvalue myvalue, result foo").is_err()); + assert!(parse_bytemath("bytes 4, offset 0, oper <>, rvalue myvalue, result foo").is_err()); + assert!(parse_bytemath("bytes 4, offset 0, oper ><, rvalue myvalue, result foo").is_err()); + assert!(parse_bytemath("bytes 4, offset 0, oper <, rvalue myvalue, result foo").is_err()); + assert!(parse_bytemath("bytes 4, offset 0, oper >, rvalue myvalue, result foo").is_err()); } #[test] @@ -899,18 +828,20 @@ mod tests { ..Default::default() }; - let (_, val) = parse_bytemath("bytes 4, offset 47303, oper *, rvalue 4294967295 , result foo").unwrap(); + let (_, val) = + parse_bytemath("bytes 4, offset 47303, oper *, rvalue 4294967295 , result foo") + .unwrap(); assert_eq!(val, bmd); - bmd.rvalue = 1; - let (_, val) = parse_bytemath("bytes 4, offset 47303, oper *, rvalue 1, result foo").unwrap(); + let (_, val) = + parse_bytemath("bytes 4, offset 47303, oper *, rvalue 1, result foo").unwrap(); assert_eq!(val, bmd); bmd.rvalue = 0; - let (_, val) = parse_bytemath("bytes 4, offset 47303, oper *, rvalue 0, result foo").unwrap(); + let (_, val) = + parse_bytemath("bytes 4, offset 47303, oper *, rvalue 0, result foo").unwrap(); assert_eq!(val, bmd); - } #[test] @@ -935,14 +866,14 @@ mod tests { ..Default::default() }; - let (_, val) = parse_bytemath("bytes 4, offset -65535, oper *, rvalue myrvalue, result foo").unwrap(); + let (_, val) = + parse_bytemath("bytes 4, offset -65535, oper *, rvalue myrvalue, result foo").unwrap(); assert_eq!(val, bmd); - bmd.offset = 65535; - let (_, val) = parse_bytemath("bytes 4, offset 65535, oper *, rvalue myrvalue, result foo").unwrap(); + let (_, val) = + parse_bytemath("bytes 4, offset 65535, oper *, rvalue myrvalue, result foo").unwrap(); assert_eq!(val, bmd); - } #[test] @@ -976,9 +907,7 @@ mod tests { parse_bytemath("bytes 4, offset 3933, endian big, rvalue myrvalue, result foo") .is_err() ); - assert!( - parse_bytemath("bytes 4, offset 3933, oper +, endian big, result foo").is_err() - ); + assert!(parse_bytemath("bytes 4, offset 3933, oper +, endian big, result foo").is_err()); assert!( parse_bytemath("bytes 4, offset 3933, oper +, rvalue myrvalue, endian big").is_err() ); @@ -990,35 +919,30 @@ mod tests { assert!(parse_bytemath("bytes nan").is_err()); assert!(parse_bytemath("bytes 4, offset nan").is_err()); assert!(parse_bytemath("bytes 4, offset 0, three 3, four 4, five 5, six 6, seven 7, eight 8, nine 9, ten 10, eleven 11").is_err()); - assert!( - parse_bytemath("bytes 4, offset 0, oper ><, rvalue myrvalue").is_err() - ); + assert!(parse_bytemath("bytes 4, offset 0, oper ><, rvalue myrvalue").is_err()); assert!( parse_bytemath("bytes 4, offset 0, oper +, rvalue myrvalue, endian endian").is_err() ); } #[test] fn test_parser_multiple() { - assert!( - parse_bytemath( - "bytes 4, bytes 4, offset 0, oper +, rvalue myrvalue, result myresult, endian big" - ) - .is_err() - ); - assert!( - parse_bytemath( - "bytes 4, offset 0, offset 0, oper +, rvalue myrvalue, result myresult, endian big" - ) - .is_err() - ); - assert!( - parse_bytemath( - "bytes 4, offset 0, oper +, oper +, rvalue myrvalue, result myresult, endian big" - ) - .is_err() - ); + assert!(parse_bytemath( + "bytes 4, bytes 4, offset 0, oper +, rvalue myrvalue, result myresult, endian big" + ) + .is_err()); + assert!(parse_bytemath( + "bytes 4, offset 0, offset 0, oper +, rvalue myrvalue, result myresult, endian big" + ) + .is_err()); + assert!(parse_bytemath( + "bytes 4, offset 0, oper +, oper +, rvalue myrvalue, result myresult, endian big" + ) + .is_err()); assert!(parse_bytemath("bytes 4, offset 0, oper +, rvalue myrvalue, rvalue myrvalue, result myresult, endian big").is_err()); assert!(parse_bytemath("bytes 4, offset 0, oper +, rvalue myrvalue, result myresult, result myresult, endian big").is_err()); - assert!(parse_bytemath("bytes 4, offset 0, oper +, rvalue myrvalue, result myresult, endian big, endian big").is_err()); + assert!(parse_bytemath( + "bytes 4, offset 0, oper +, rvalue myrvalue, result myresult, endian big, endian big" + ) + .is_err()); } } diff --git a/rust/src/detect/mod.rs b/rust/src/detect/mod.rs index 766883623a..aee25aaf76 100644 --- a/rust/src/detect/mod.rs +++ b/rust/src/detect/mod.rs @@ -21,11 +21,11 @@ pub mod byte_math; pub mod error; pub mod iprep; pub mod parser; +pub mod requires; pub mod stream_size; pub mod transform_base64; pub mod uint; pub mod uri; -pub mod requires; pub mod tojson; use crate::core::AppProto; @@ -104,6 +104,44 @@ extern { de: *mut c_void, s: *mut c_void, kwid: c_int, ctx: *const c_void, bufid: c_int, ) -> *mut c_void; } +#[repr(u8)] +#[derive(Copy, Clone, Debug, PartialEq, Eq)] +// endian +pub enum ByteEndian { + BigEndian = 1, + LittleEndian = 2, + EndianDCE = 3, +} + +#[repr(u8)] +#[derive(Copy, Clone, Debug, PartialEq, Eq)] +pub enum ByteBase { + BaseOct = 8, + BaseDec = 10, + BaseHex = 16, +} + +fn get_string_value(value: &str) -> Result { + let res = match value { + "hex" => ByteBase::BaseHex, + "oct" => ByteBase::BaseOct, + "dec" => ByteBase::BaseDec, + _ => return Err(()), + }; + + Ok(res) +} + +fn get_endian_value(value: &str) -> Result { + let res = match value { + "big" => ByteEndian::BigEndian, + "little" => ByteEndian::LittleEndian, + "dce" => ByteEndian::EndianDCE, + _ => return Err(()), + }; + + Ok(res) +} #[cfg(test)] mod test { diff --git a/src/detect-bytemath.c b/src/detect-bytemath.c index 42f3aae718..babbee8689 100644 --- a/src/detect-bytemath.c +++ b/src/detect-bytemath.c @@ -147,7 +147,7 @@ int DetectByteMathDoMatch(DetectEngineThreadCtx *det_ctx, const DetectByteMathDa } } } else { - ByteMathEndian bme = endian; + ByteEndian bme = endian; int endianness = (bme == BigEndian) ? BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN; extbytes = ByteExtractUint64(&val, endianness, nbytes, ptr); if (extbytes != nbytes) {