From: Eileen Donlon Date: Mon, 12 Mar 2012 22:41:53 +0000 (-0400) Subject: reject rules with duplicate content modifiers X-Git-Tag: suricata-1.3beta1~103 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9376967e65cac9a62d36dd780033ddc3df60c9c8;p=thirdparty%2Fsuricata.git reject rules with duplicate content modifiers reject rules that have multiple depths, offsets, distances, fast_patterns, nocases, or rawbytes for the same content. --- diff --git a/src/detect-depth.c b/src/detect-depth.c index e7afbbb397..94bfcc042f 100644 --- a/src/detect-depth.c +++ b/src/detect-depth.c @@ -142,6 +142,11 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths goto error; } + if (cd->flags & DETECT_CONTENT_DEPTH) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't use multiple depths for the same content."); + goto error; + } + if (str[0] != '-' && isalpha(str[0])) { SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s, diff --git a/src/detect-distance.c b/src/detect-distance.c index 37f85b25e7..55df9f39ed 100644 --- a/src/detect-distance.c +++ b/src/detect-distance.c @@ -216,6 +216,11 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, goto error; } + if (cd->flags & DETECT_CONTENT_DISTANCE) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't use multiple distances with the same content. "); + goto error; + } + if (str[0] != '-' && isalpha(str[0])) { SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s, diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index 8f57583cd2..dab7ee35ed 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c 
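Review bot: In DetectDepthSetup the new guard tests only `DETECT_CONTENT_DEPTH`, while the context line directly after it opens the branch that resolves `str` as a byte_extract variable through `DetectByteExtractRetrieveSMVar`. That branch continues outside the hunk, so it is not visible whether it also sets `DETECT_CONTENT_DEPTH`. If the variable form is recorded under a separate flag only, a rule with a variable depth followed by a numeric depth on the same content would still load, and the later value would silently decide what the signature matches. If that turns out to be the case, widen the test, for example `if (cd->flags & (DETECT_CONTENT_DEPTH | DETECT_CONTENT_DEPTH_BE)) {`. The guards added in DetectDistanceSetup and DetectOffsetSetup sit in front of the same kind of branch and need the same confirmation.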
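Review bot: The message added in DetectDistanceSetup ends with a stray space before the closing quote (`with the same content. "`), and the six new messages alternate between "for the same content" and "with the same content". The trailing space lands in every emitted log line and makes the strings awkward to match in log filters or unit tests. I would settle on one form, e.g. `"You can't use multiple distances for the same content."`, and apply it to the fast_pattern, nocase, offset and rawbytes messages as well, which carry the same trailing space.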
@@ -269,6 +269,10 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a } if (arg == NULL|| strcmp(arg, "") == 0) { + if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't use multiple fast_pattern options for the same content. "); + goto error; + } cd->flags |= DETECT_CONTENT_FAST_PATTERN; return 0; } diff --git a/src/detect-nocase.c b/src/detect-nocase.c index c9bed180df..69b07f7ca1 100644 --- a/src/detect-nocase.c +++ b/src/detect-nocase.c @@ -103,6 +103,10 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument"); SCReturnInt(-1); } + if (cd->flags & DETECT_CONTENT_NOCASE) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't use multiple nocase modifiers with the same content; ignoring this option. "); + SCReturnInt(-1); + } cd->flags |= DETECT_CONTENT_NOCASE; /* Recreate the context with nocase chars */ BoyerMooreCtxToNocase(cd->bm_ctx, cd->content, cd->content_len); diff --git a/src/detect-offset.c b/src/detect-offset.c index 15c241313e..dcb21b3826 100644 --- a/src/detect-offset.c +++ b/src/detect-offset.c @@ -141,6 +141,11 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr) goto error; } + if (cd->flags & DETECT_CONTENT_OFFSET) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't use multiple offsets for the same content. "); + goto error; + } + if (str[0] != '-' && isalpha(str[0])) { SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s, diff --git a/src/detect-rawbytes.c b/src/detect-rawbytes.c index 480c9ba40c..0952a85795 100644 --- a/src/detect-rawbytes.c +++ b/src/detect-rawbytes.c 
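Review bot: The duplicate check in DetectFastPatternSetup sits inside the `arg == NULL|| strcmp(arg, "") == 0` branch, so it only runs for a bare `fast_pattern;`. The code after `return 0;` that handles `fast_pattern` with an argument is outside the hunk, so it is not visible whether a repeated argument form, or an argument form following a bare one, is rejected too. If it is not, a rule can still carry two fast_pattern settings for one content and load with whichever was applied last. Placing the `if (cd->flags & DETECT_CONTENT_FAST_PATTERN)` test above the `arg == NULL` branch would cover every form, provided the argument paths set that flag as well.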
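Review bot: The new message in DetectNocaseSetup says "ignoring this option", but the next line is `SCReturnInt(-1)`, which fails the keyword setup instead of skipping it. If that return drops the whole rule, as the commit title indicates, the sensor loses that signature while the log tells the operator the duplicate was merely ignored. Make the text match the behaviour, `"You can't use multiple nocase modifiers for the same content."`. Alternatively, since setting the flag a second time cannot change matching, log a warning and return 0 so the rule stays loaded. The rawbytes hunk rejects a repeated flag-only modifier in the same way, so whichever policy is chosen should apply there as well.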
@@ -75,6 +75,10 @@ static int DetectRawbytesSetup (DetectEngineCtx *de_ctx, Signature *s, char *nul case DETECT_CONTENT: { DetectContentData *cd = (DetectContentData *)pm->ctx; + if (cd->flags & DETECT_CONTENT_RAWBYTES) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't use multiple rawbytes modifiers for the same content. "); + SCReturnInt(-1); + } cd->flags |= DETECT_CONTENT_RAWBYTES; break; }