From: Victor Julien
Date: Fri, 9 Dec 2016 13:00:48 +0000 (+0100)
Subject: http_stat_code: dynamic buffer
X-Git-Tag: suricata-4.0.0-beta1~387
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e3ab4f5eab75fa83bb501b925003ed233ba89b5;p=thirdparty%2Fsuricata.git
http_stat_code: dynamic buffer
---
diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index 5f1320589e..866250308f 100644
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -120,8 +120,6 @@ void EngineAnalysisFP(Signature *s, char *line)
 fprintf(fp_engine_analysis_FD, "http raw header content\n");
 else if (list_type == DETECT_SM_LIST_HCBDMATCH)
 fprintf(fp_engine_analysis_FD, "http client body content\n");
- else if (list_type == DETECT_SM_LIST_HSCDMATCH)
- fprintf(fp_engine_analysis_FD, "http stat code content\n");
 else if (list_type == DETECT_SM_LIST_HSMDMATCH)
 fprintf(fp_engine_analysis_FD, "http stat msg content\n");
 else {
@@ -466,8 +464,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s)
 fprintf(rule_engine_analysis_FD, "http raw header content");
 else if (list_type == DETECT_SM_LIST_HCBDMATCH)
 fprintf(rule_engine_analysis_FD, "http client body content");
- else if (list_type == DETECT_SM_LIST_HSCDMATCH)
- fprintf(rule_engine_analysis_FD, "http stat code content");
 else if (list_type == DETECT_SM_LIST_HSMDMATCH)
 fprintf(rule_engine_analysis_FD, "http stat msg content");
 else if (list_type == DETECT_SM_LIST_DNSQUERYNAME_MATCH)
@@ -574,6 +570,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
 const int httpuri_id = DetectBufferTypeGetByName("http_uri");
 const int httpuseragent_id = DetectBufferTypeGetByName("http_user_agent");
 const int httpcookie_id = DetectBufferTypeGetByName("http_cookie");
+ const int httpstatcode_id = DetectBufferTypeGetByName("http_stat_code");
 if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) {
 rule_bidirectional = 1;
@@ -642,7 +639,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
 raw_http_buf += 1;
 http_stat_msg_buf += 1;
 }
- else if (list_id == DETECT_SM_LIST_HSCDMATCH) {
+ else if (list_id == httpstatcode_id) {
 rule_pcre_http += 1;
 raw_http_buf += 1;
 http_stat_code_buf += 1;
@@ -703,7 +700,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
 raw_http_buf += 1;
 http_stat_msg_buf += 1;
 }
- else if (list_id == DETECT_SM_LIST_HSCDMATCH) {
+ else if (list_id == httpstatcode_id) {
 rule_content_http += 1;
 raw_http_buf += 1;
 http_stat_code_buf += 1;
diff --git a/src/detect-engine.c b/src/detect-engine.c
index 9bffb06846..4e68b24792 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -2808,8 +2808,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
 return "http raw headers";
 case DETECT_SM_LIST_HSMDMATCH:
 return "http stat msg";
- case DETECT_SM_LIST_HSCDMATCH:
- return "http stat code";
 case DETECT_SM_LIST_APP_EVENT:
 return "app layer events";
diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c
index 30f89aa996..513408da5c 100644
--- a/src/detect-fast-pattern.c
+++ b/src/detect-fast-pattern.c
@@ -328,6 +328,7 @@ static int g_http_ua_buffer_id = 0;
 static int g_http_cookie_buffer_id = 0;
 static int g_http_host_buffer_id = 0;
 static int g_http_raw_host_buffer_id = 0;
+static int g_http_stat_code_buffer_id = 0;
 /**
 * \test Checks if a fast_pattern is registered in a Signature
@@ -11719,7 +11720,7 @@ int DetectFastPatternTest425(void)
 "content:\"three\"; http_stat_code; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->prev->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 ud->flags & DETECT_CONTENT_NEGATED &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@@ -11757,7 +11758,7 @@ int DetectFastPatternTest426(void)
 goto end;
 result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSCDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_stat_code_buffer_id];
 if (sm != NULL) {
 if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) {
@@ -11794,7 +11795,7 @@ int DetectFastPatternTest427(void)
 goto end;
 result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSCDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_stat_code_buffer_id];
 if (sm != NULL) {
 if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) {
@@ -11825,7 +11826,7 @@ int DetectFastPatternTest428(void)
 if (de_ctx->sig_list == NULL)
 goto end;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSCDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_stat_code_buffer_id];
 if (sm == NULL) {
 goto end;
 }
@@ -11862,7 +11863,7 @@ int DetectFastPatternTest429(void)
 if (de_ctx->sig_list == NULL)
 goto end;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSCDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_stat_code_buffer_id];
 if (sm == NULL) {
 goto end;
 }
@@ -12107,7 +12108,7 @@ int DetectFastPatternTest439(void)
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@@ -12139,7 +12140,7 @@ int DetectFastPatternTest440(void)
 "content:\"two\"; fast_pattern:only; http_stat_code; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@@ -12171,7 +12172,7 @@ int DetectFastPatternTest441(void)
 "content:\"two\"; fast_pattern:only; http_stat_code; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@@ -12203,7 +12204,7 @@ int DetectFastPatternTest442(void)
 "content:\"two\"; fast_pattern:only; http_stat_code; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@@ -12234,7 +12235,7 @@ int DetectFastPatternTest443(void)
 "content:\"two\"; http_stat_code; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->prev->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 ud->flags & DETECT_CONTENT_NEGATED &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@@ -12359,7 +12360,7 @@ int DetectFastPatternTest448(void)
 "content:\"three\"; http_stat_code; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->prev->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -12391,7 +12392,7 @@ int DetectFastPatternTest449(void)
 "content:\"three\"; http_stat_code; distance:30; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->prev->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -12423,7 +12424,7 @@ int DetectFastPatternTest450(void)
 "content:\"three\"; http_stat_code; within:30; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->prev->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -12455,7 +12456,7 @@ int DetectFastPatternTest451(void)
 "content:\"three\"; http_stat_code; offset:30; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->prev->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -12487,7 +12488,7 @@ int DetectFastPatternTest452(void)
 "content:\"three\"; http_stat_code; depth:30; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->prev->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -12519,7 +12520,7 @@ int DetectFastPatternTest453(void)
 "content:\"oneonethree\"; fast_pattern:3,4; http_stat_code; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -12551,7 +12552,7 @@ int DetectFastPatternTest454(void)
 "content:\"oneonethree\"; fast_pattern:3,4; http_stat_code; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -12583,7 +12584,7 @@ int DetectFastPatternTest455(void)
 "content:\"oneonethree\"; fast_pattern:3,4; http_stat_code; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -12615,7 +12616,7 @@ int DetectFastPatternTest456(void)
 "content:\"oneonethree\"; fast_pattern:3,4; http_stat_code; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -12722,7 +12723,7 @@ int DetectFastPatternTest460(void)
 "content:\"three\"; http_stat_code; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->prev->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 ud->flags & DETECT_CONTENT_NEGATED &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@@ -12851,7 +12852,7 @@ int DetectFastPatternTest465(void)
 "content:\"three\"; http_stat_code; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_code_buffer_id]->prev->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 ud->flags & DETECT_CONTENT_NEGATED &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@@ -18835,6 +18836,7 @@ void DetectFastPatternRegisterTests(void)
 g_http_cookie_buffer_id = DetectBufferTypeGetByName("http_cookie");
 g_http_host_buffer_id = DetectBufferTypeGetByName("http_host");
 g_http_raw_host_buffer_id = DetectBufferTypeGetByName("http_raw_host");
+ g_http_stat_code_buffer_id = DetectBufferTypeGetByName("http_stat_code");
 UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01);
 UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02);
diff --git a/src/detect-http-stat-code.c b/src/detect-http-stat-code.c
index a67bf26ed4..2749584bb8 100644
--- a/src/detect-http-stat-code.c
+++ b/src/detect-http-stat-code.c
@@ -63,12 +63,10 @@
 #include "stream-tcp-private.h"
 #include "stream-tcp.h"
-int DetectHttpStatCodeMatch(ThreadVars *, DetectEngineThreadCtx *,
- Flow *, uint8_t , void *, Signature *,
- SigMatch *);
 static int DetectHttpStatCodeSetup(DetectEngineCtx *, Signature *, char *);
-void DetectHttpStatCodeRegisterTests(void);
-void DetectHttpStatCodeFree(void *);
+static void DetectHttpStatCodeRegisterTests(void);
+static void DetectHttpStatCodeSetupCallback(Signature *);
+static int g_http_stat_code_buffer_id = 0;
 /**
 * \brief Registration function for keyword: http_stat_code
@@ -87,13 +85,20 @@ void DetectHttpStatCodeRegister (void)
 sigmatch_table[DETECT_AL_HTTP_STAT_CODE].flags |= SIGMATCH_NOOPT;
 sigmatch_table[DETECT_AL_HTTP_STAT_CODE].flags |= SIGMATCH_PAYLOAD;
- DetectMpmAppLayerRegister("http_stat_code", SIG_FLAG_TOCLIENT,
- DETECT_SM_LIST_HSCDMATCH, 4,
+ DetectAppLayerMpmRegister("http_stat_code", SIG_FLAG_TOCLIENT, 4,
 PrefilterTxHttpStatCodeRegister);
- DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
- DETECT_SM_LIST_HSCDMATCH,
+ DetectAppLayerInspectEngineRegister2("http_stat_code",
+ ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
 DetectEngineInspectHttpStatCode);
+
+ DetectBufferTypeSetDescriptionByName("http_stat_code",
+ "http response status code");
+
+ DetectBufferTypeRegisterSetupCallback("http_stat_code",
+ DetectHttpStatCodeSetupCallback);
+
+ g_http_stat_code_buffer_id = DetectBufferTypeGetByName("http_stat_code");
 }
 /**
@@ -111,11 +116,17 @@ static int DetectHttpStatCodeSetup(DetectEngineCtx *de_ctx, Signature *s, char *
 {
 return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
 DETECT_AL_HTTP_STAT_CODE,
- DETECT_SM_LIST_HSCDMATCH,
+ g_http_stat_code_buffer_id,
 ALPROTO_HTTP,
 NULL);
 }
+static void DetectHttpStatCodeSetupCallback(Signature *s)
+{
+ SCLogDebug("callback invoked by %u", s->id);
+ s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
+}
+
 #ifdef UNITTESTS
 /**
@@ -156,7 +167,7 @@ int DetectHttpStatCodeTest01(void)
 printf("sid 3 parse failed: ");
 goto end;
 }
- if (!(((DetectContentData *)de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSCDMATCH]->ctx)->flags &
+ if (!(((DetectContentData *)de_ctx->sig_list->sm_lists[g_http_stat_code_buffer_id]->ctx)->flags &
 DETECT_CONTENT_FAST_PATTERN))
 {
 goto end;
@@ -194,7 +205,7 @@ int DetectHttpStatCodeTest02(void)
 }
 result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSCDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_stat_code_buffer_id];
 if (sm == NULL) {
 printf("no sigmatch(es): ");
 goto end;
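Review bot: The id stored in `g_http_stat_code_buffer_id` at the end of DetectHttpStatCodeRegister is never checked, and the variable's initial value of 0 presumably looks like a real list index. If `DetectBufferTypeGetByName("http_stat_code")` can report failure (its failure value is not visible in this diff), DetectHttpStatCodeSetup would hand that value to DetectEngineContentModifierBufferSetup and the unit tests would index `sm_lists[]` with it. A guard right after the lookup, for example `BUG_ON(g_http_stat_code_buffer_id < 0);` or the project's equivalent fatal check, makes a registration mistake fail at startup instead of attaching content to the wrong list.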
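Review bot: DetectHttpStatCodeSetupCallback is added without the Doxygen block that the neighbouring functions in this file carry. It takes over the `SIG_MASK_REQUIRE_HTTP_STATE` assignment that this commit deletes from SignatureCreateMask in detect.c, so the comment should say so, e.g. `/** \brief buffer setup callback: require HTTP state for signatures using http_stat_code (previously set in SignatureCreateMask) */`. At what point of signature setup the callback runs is not visible in this diff and is worth adding to the comment once confirmed.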
diff --git a/src/detect-parse.c b/src/detect-parse.c
index bf60cea1cb..31ec0fa484 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -146,7 +146,6 @@ const char *DetectListToHumanString(int list)
 CASE_CODE_STRING(DETECT_SM_LIST_HHDMATCH, "http_header");
 CASE_CODE_STRING(DETECT_SM_LIST_HRHDMATCH, "http_raw_header");
 CASE_CODE_STRING(DETECT_SM_LIST_HSMDMATCH, "http_stat_msg");
- CASE_CODE_STRING(DETECT_SM_LIST_HSCDMATCH, "http_stat_code");
 CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event");
 CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer");
 CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
@@ -182,7 +181,6 @@ const char *DetectListToString(int list)
 CASE_CODE(DETECT_SM_LIST_HHDMATCH);
 CASE_CODE(DETECT_SM_LIST_HRHDMATCH);
 CASE_CODE(DETECT_SM_LIST_HSMDMATCH);
- CASE_CODE(DETECT_SM_LIST_HSCDMATCH);
 CASE_CODE(DETECT_SM_LIST_APP_EVENT);
 CASE_CODE(DETECT_SM_LIST_AMATCH);
 CASE_CODE(DETECT_SM_LIST_DMATCH);
@@ -1428,8 +1426,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
 }
 } else if (fd->flags & FLOW_PKT_TOSERVER) {
 /* check for uricontent + from_server/to_client */
- if (s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
- s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL) {
+ if (s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL) {
 SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use http_"
 "server_body, http_stat_msg, http_stat_code "
 "with flow:to_server or flow:from_client");
@@ -1540,8 +1537,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
 s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH] ||
 s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH] ||
 s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] ||
- s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH] ||
- s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH])
+ s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH])
 {
 SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet "
 "specific matches (like dsize, flags, ttl) with stream / "
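Review bot: In SigValidate, the `FLOW_PKT_TOSERVER` branch no longer tests the http_stat_code list, yet the SCLogError text right below it still names `http_stat_code`. Unless the dynamic-buffer code rejects this combination somewhere outside the diff, a rule that pairs `http_stat_code` with `flow:to_server` now loads without an error and can never match, which leaves a silent detection gap. The later SigValidate hunk drops the same operand from the check that refuses mixing packet-specific keywords with stream/HTTP matches. Either re-add both tests using the id returned by `DetectBufferTypeGetByName("http_stat_code")`, or, if validation has moved, remove `http_stat_code` from the message and say where it lives now. SigValidate starts and ends outside both hunks.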
diff --git a/src/detect-pcre.c b/src/detect-pcre.c
index 627794e5e7..e7cd1581f7 100644
--- a/src/detect-pcre.c
+++ b/src/detect-pcre.c
@@ -482,10 +482,12 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr,
 /* snort's option */
 *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HSMDMATCH);
 break;
- case 'S':
+ case 'S': {
 /* snort's option */
- *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HSCDMATCH);
+ int list = DetectBufferTypeGetByName("http_stat_code");
+ *sm_list = DetectPcreSetList(*sm_list, list);
 break;
+ }
 default:
 SCLogError(SC_ERR_UNKNOWN_REGEX_MOD, "unknown regex modifier '%c'", *op);
 goto error;
@@ -683,8 +685,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
 parsed_sm_list == DETECT_SM_LIST_HCBDMATCH ||
 parsed_sm_list == DETECT_SM_LIST_HHDMATCH ||
 parsed_sm_list == DETECT_SM_LIST_HRHDMATCH ||
- parsed_sm_list == DETECT_SM_LIST_HSMDMATCH ||
- parsed_sm_list == DETECT_SM_LIST_HSCDMATCH)
+ parsed_sm_list == DETECT_SM_LIST_HSMDMATCH)
 {
 if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
 SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
@@ -718,7 +719,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
 case DETECT_SM_LIST_HHDMATCH:
 case DETECT_SM_LIST_HRHDMATCH:
 case DETECT_SM_LIST_HSMDMATCH:
- case DETECT_SM_LIST_HSCDMATCH:
 s->flags |= SIG_FLAG_APPLAYER;
 s->alproto = ALPROTO_HTTP;
 sm_list = parsed_sm_list;
diff --git a/src/detect.c b/src/detect.c
index 197b08ed74..4de426efef 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1927,9 +1927,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
 if (s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL)
 return 0;
- if (s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL)
- return 0;
-
 if (s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL)
 return 0;
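Review bot: The `'S'` case in DetectPcreParse passes the result of `DetectBufferTypeGetByName("http_stat_code")` straight into DetectPcreSetList without checking that the lookup succeeded; if the lookup can fail (not shown here), a guard such as `if (list < 0) goto error;` before the call keeps a bad id out of `*sm_list`. The two DetectPcreSetup hunks also drop the stat-code list from the HTTP-only condition and from the `switch` arm that sets `SIG_FLAG_APPLAYER` and `s->alproto = ALPROTO_HTTP`. From the visible lines, a `pcre` using the `S` modifier therefore no longer gets the alproto conflict check or the HTTP alproto assignment. If a dynamic-list path outside these hunks covers both, a short comment at the `'S'` case pointing to it would help; otherwise the id needs to be compared in those two places as well. Both functions extend beyond the hunks.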
@@ -2017,9 +2014,6 @@ static int SignatureIsPDOnly(const Signature *s)
 if (s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL)
 return 0;
- if (s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL)
- return 0;
-
 if (s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL)
 return 0;
@@ -2124,7 +2118,6 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s)
 s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL ||
 s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL ||
 s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
- s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL ||
 s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
 {
 SCReturnInt(0);
@@ -2303,11 +2296,6 @@ static int SignatureCreateMask(Signature *s)
 SCLogDebug("sig requires http app state");
 }
- if (s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL) {
- s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
- SCLogDebug("sig requires http app state");
- }
-
 SigMatch *sm;
 for (sm = s->init_data->smlists[DETECT_SM_LIST_AMATCH] ; sm != NULL; sm = sm->next) {
 switch(sm->type) {
diff --git a/src/detect.h b/src/detect.h
index 060b56fe1d..3546539164 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -125,8 +125,6 @@ enum DetectSigmatchListEnum {
 DETECT_SM_LIST_HRHDMATCH,
 /* list for http_stat_msg keyword and the ones relative to it */
 DETECT_SM_LIST_HSMDMATCH,
- /* list for http_stat_code keyword and the ones relative to it */
- DETECT_SM_LIST_HSCDMATCH,
 /* app event engine sm list */
 DETECT_SM_LIST_APP_EVENT,