From: Mike Stepanek (mstepane)
Date: Fri, 9 Jul 2021 09:18:31 +0000 (+0000)
Subject: Merge pull request #2971 in SNORT/snort3 from ~OSHUMEIK/snort3:s2l_rawbytes to master
X-Git-Tag: 3.1.8.0~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aa15ca0570067b4b3c1b675f7424dff9d6b0e4ed;p=thirdparty%2Fsnort3.git
Merge pull request #2971 in SNORT/snort3 from ~OSHUMEIK/snort3:s2l_rawbytes to master
Squashed commit of the following:
commit 7ee3dce4ab3049449811c4bb4cc933c1c5e5ea1c
Author: Oleksii Shumeiko
Date: Thu Jul 8 13:49:40 2021 +0300
snort2lua: set raw_data buffer for rawbytes and B flag in PCRE
---
diff --git a/tools/snort2lua/rule_states/dev_notes.txt b/tools/snort2lua/rule_states/dev_notes.txt
index 5865d274c..9670ffcbb 100644
--- a/tools/snort2lua/rule_states/dev_notes.txt
+++ b/tools/snort2lua/rule_states/dev_notes.txt
@@ -13,6 +13,7 @@ until explicitly reset by other rule options.
 Snort2 implemented the following list of "sticky" buffer rule options:
 * pkt_data
+* raw_data
 * file_data
 * dce_stub_fdata
 * dnp3_data
diff --git a/tools/snort2lua/rule_states/rule_isdataat.cc b/tools/snort2lua/rule_states/rule_isdataat.cc
index 8ce5b7576..4ed238093 100644
--- a/tools/snort2lua/rule_states/rule_isdataat.cc
+++ b/tools/snort2lua/rule_states/rule_isdataat.cc
@@ -61,7 +61,7 @@ bool IsDataAt::convert(std::istringstream& data_stream)
 rule_api.add_suboption("relative");
 else if (value == "rawbytes")
- rule_api.set_curr_options_buffer("pkt_data");
+ rule_api.set_curr_options_buffer("raw_data");
 else
 rule_api.bad_rule(data_stream, value + " - unknown modifier!!");
diff --git a/tools/snort2lua/rule_states/rule_pcre.cc b/tools/snort2lua/rule_states/rule_pcre.cc
index 7d096e601..a959d4797 100644
--- a/tools/snort2lua/rule_states/rule_pcre.cc
+++ b/tools/snort2lua/rule_states/rule_pcre.cc
@@ -89,7 +89,7 @@ bool Pcre::convert(std::istringstream& data_stream)
 switch (c)
 {
- case 'B': sticky_buffer = "pkt_data"; break;
+ case 'B': sticky_buffer = "raw_data"; break;
 case 'U': sticky_buffer = "http_uri"; break;
 case 'P': sticky_buffer = "pcre_P_option_body"; break;
 case 'H': sticky_buffer = "pcre_H_option_header"; break;
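Review bot: The `case 'B'` line carries no comment saying why it maps to `raw_data`, and the same holds for the `rawbytes` branch in the rule_isdataat.cc hunk. Because the old `pkt_data` mapping quietly changed which bytes a converted rule inspects, a one-line reason would guard against a revert, e.g. `// Snort 2 'B'/rawbytes means undecoded packet data: raw_data in Snort 3; pkt_data is the normalized view`. Both buffers are sticky, so it is worth confirming outside these hunks that a following option without the flag is switched back to `pkt_data`; the rest of both `convert` bodies is not visible here. The files shown add no conversion test, so a sample rule using `rawbytes` and `/B` whose expected output names `raw_data` would pin the behaviour.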