From: Anoop Saldanha Date: Thu, 5 Jul 2012 06:24:06 +0000 (+0530) Subject: rule analyzer updated for sigs with offset/depth set + alproto set X-Git-Tag: suricata-1.3~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=946a9ece3208aa4783163499683c273bda369f9d;p=thirdparty%2Fsuricata.git rule analyzer updated for sigs with offset/depth set + alproto set --- diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c index 74346a493b..8b3ec5f97b 100644 --- a/src/detect-engine-analyzer.c +++ b/src/detect-engine-analyzer.c @@ -181,6 +181,7 @@ void EngineAnalysisRules(Signature *s, char *line) uint32_t rule_flowint = 0; //uint32_t rule_flowvar = 0; uint32_t rule_content_http = 0; + uint32_t rule_content_offset_depth = 0; uint32_t list_id = 0; uint32_t rule_warning = 0; uint32_t raw_http_buf = 0; @@ -216,8 +217,7 @@ void EngineAnalysisRules(Signature *s, char *line) if (s->flags & SIG_FLAG_REQUIRE_PACKET) { packet_buf += 1; - } - else { + } else if (s->flags & SIG_FLAG_REQUIRE_PACKET) { stream_buf += 1; } for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) { @@ -303,13 +303,13 @@ void EngineAnalysisRules(Signature *s, char *line) } else if (list_id == DETECT_SM_LIST_HCBDMATCH) { rule_content_http += 1; - http_client_body_buf += 1; raw_http_buf += 1; + http_client_body_buf += 1; } else if (list_id == DETECT_SM_LIST_HSBDMATCH) { rule_content_http += 1; - http_server_body_buf += 1; raw_http_buf += 1; + http_server_body_buf += 1; } else if (list_id == DETECT_SM_LIST_HRHDMATCH) { rule_content_http += 1; @@ -333,11 +333,16 @@ void EngineAnalysisRules(Signature *s, char *line) } else if (list_id == DETECT_SM_LIST_HMDMATCH) { rule_content_http += 1; - http_method_buf += 1; raw_http_buf += 1; + http_method_buf += 1; } - else { + else if (list_id == DETECT_SM_LIST_PMATCH) { rule_content += 1; + DetectContentData *cd = (DetectContentData *)sm->ctx; + if (cd->flags & + (DETECT_CONTENT_OFFSET | DETECT_CONTENT_DEPTH)) { + rule_content_offset_depth++; + } } } else if (sm->type == DETECT_FLOW) { @@ -508,6 +513,22 @@ void EngineAnalysisRules(Signature *s, char *line) && (rule_pcre > 0 || rule_pcre_http > 0)*/) { fprintf(rule_engine_analysis_FD, " Warning: Rule uses pcre with only a http_method content; possible performance issue.\n"); } + if (rule_content_offset_depth > 0) { + fprintf(rule_engine_analysis_FD, " Warning: Rule has depth" + "/offset with raw content keywords. Please note the " + "offset/depth will be checked against both packet " + "payloads and stream. If you meant to have the offset/" + "depth checked against just the payload, you can update " + "the signature as \"alert tcp-pkt...\"\n"); + } + if (rule_content_offset_depth > 0 && s->alproto != ALPROTO_UNKNOWN) { + fprintf(rule_engine_analysis_FD, " Warning: Rule has " + "offset/depth set along with a match on a specific " + "app layer protocol - %d. This can lead to FNs if we " + "have a offset/depth content match on a packet payload " + "before we can detect the app layer protocol for the " + "flow.\n", s->alproto); + } if (rule_warning == 0) { fprintf(rule_engine_analysis_FD, " No warnings for this rule.\n"); }