From: Anoop Saldanha
Date: Fri, 21 Sep 2012 17:48:11 +0000 (+0530)
Subject: detect-pcre.c cleanup. Delete old pcre functions that we no longer use.
X-Git-Tag: suricata-1.4beta2~43
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b0b405286021dba110448b42db543789b1432a56;p=thirdparty%2Fsuricata.git

detect-pcre.c cleanup. Delete old pcre functions that we no longer use.
---

diff --git a/src/detect-pcre.c b/src/detect-pcre.c
index 50337eb6b9..ad3ba3f96e 100644
--- a/src/detect-pcre.c
+++ b/src/detect-pcre.c
@@ -84,7 +84,7 @@ void DetectPcreRegisterTests(void);
 void DetectPcreRegister (void) {
 sigmatch_table[DETECT_PCRE].name = "pcre";
- sigmatch_table[DETECT_PCRE].Match = DetectPcreMatch;
+ sigmatch_table[DETECT_PCRE].Match = NULL;
 sigmatch_table[DETECT_PCRE].AppLayerMatch = NULL;
 sigmatch_table[DETECT_PCRE].alproto = ALPROTO_HTTP;
 sigmatch_table[DETECT_PCRE].Setup = DetectPcreSetup;
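Review bot: The new `sigmatch_table[DETECT_PCRE].Match = NULL;` line leaves the pcre keyword with neither a `Match` nor an `AppLayerMatch` callback, and nothing in the hunk says where pcre is evaluated instead. Presumably the inspection engine calls `DetectPcrePayloadMatch()` directly; a comment such as `/* no Match callback: pcre is run by the content inspection engine via DetectPcrePayloadMatch() */` would make that explicit. It is also worth confirming that every loop invoking `sigmatch_table[sm->type].Match` NULL-checks the pointer, because the callers are not visible here and a pcre sigmatch reaching such a loop would either crash the engine or be skipped, which for an IDS means a missed detection. The `alproto = ALPROTO_HTTP` context line looks stale now that the HTTP method and cookie matchers are deleted. The body of DetectPcreRegister continues outside the hunk.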
@@ -161,279 +161,6 @@ error:
 return;
 }
-/**
- * \brief Match a regex on data sent at an http method (needs the l7 parser).
- *
- * \param det_ctx Thread detection ctx.
- * \param s Signature.
- * \param sm SigMatch to match against.
- * \param data Data to match against.
- * \param data_len Data length.
- *
- * \retval 1: match
- * \retval 0: no match
- */
-int DetectPcreALDoMatchMethod(DetectEngineThreadCtx *det_ctx, Signature *s,
- SigMatch *m, Flow *f, uint8_t flags,
- void *state)
-{
- SCEnter();
-
- int ret = 0;
- int toret = 0;
- int idx;
-
-#define MAX_SUBSTRINGS 30
- int ov[MAX_SUBSTRINGS];
- uint8_t *ptr = NULL;
- uint16_t len = 0;
-
- DetectPcreData *pe = (DetectPcreData *)m->ctx;
-
- FLOWLOCK_RDLOCK(f);
-
- HtpState *htp_state = (HtpState *)state;
- if (htp_state == NULL) {
- SCLogDebug("no HTTP layer state has been received, so no match");
- goto end;
- }
-
- if (!(htp_state->flags & HTP_FLAG_STATE_OPEN)) {
- SCLogDebug("HTP state not yet properly setup, so no match");
- goto end;
- }
-
- SCLogDebug("htp_state %p, flow %p", htp_state, f);
- SCLogDebug("htp_state->connp %p", htp_state->connp);
- SCLogDebug("htp_state->connp->conn %p", htp_state->connp->conn);
-
- if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
- SCLogDebug("HTTP connection structure is NULL");
- goto end;
- }
-
- htp_tx_t *tx = NULL;
-
- idx = AppLayerTransactionGetInspectId(f);
- if (idx == -1) {
- goto end;
- }
-
- int size = (int)list_size(htp_state->connp->conn->transactions);
- for (; idx < size; idx++)
- {
- tx = list_get(htp_state->connp->conn->transactions, idx);
- if (tx == NULL)
- continue;
-
- ptr = (uint8_t *) bstr_ptr(tx->request_method);
- len = bstr_size(tx->request_method);
- if (ptr == NULL)
- continue;
-
- //printf("Matching Method");
- //PrintRawUriFp(stdout, (uint8_t*)ptr, len);
-
- /* run the actual pcre detection */
- ret = pcre_exec(pe->re, pe->sd, (char *)ptr, len, 0, 0, ov, MAX_SUBSTRINGS);
- SCLogDebug("ret %d (negating %s)", ret, (pe->flags & DETECT_PCRE_NEGATE) ? "set" : "not set");
-
- if (ret == PCRE_ERROR_NOMATCH) {
- if (pe->flags & DETECT_PCRE_NEGATE) {
- /* regex didn't match with negate option means we
- * consider it a match */
- ret = 1;
- toret |= ret;
- break;
- } else {
- ret = 0;
- }
- toret |= ret;
- } else if (ret >= 0) {
- if (pe->flags & DETECT_PCRE_NEGATE) {
- /* regex matched but we're negated, so not
- * considering it a match */
- ret = 0;
- } else {
- /* regex matched and we're not negated,
- * considering it a match */
- ret = 1;
- toret |= ret;
- break;
- }
- } else {
- SCLogDebug("pcre had matching error");
- ret = 0;
- }
- }
-
-end:
- FLOWLOCK_UNLOCK(f);
-
- SCReturnInt(toret);
-}
-
-/**
- * \brief Match a regex on data sent at an http cookie (needs the l7 parser).
- *
- * \param det_ctx Thread detection ctx.
- * \param s Signature.
- * \param sm SigMatch to match against.
- * \param data Data to match against.
- * \param data_len Data length.
- *
- * \retval 1: match
- * \retval 0: no match
- */
-int DetectPcreALDoMatchCookie(DetectEngineThreadCtx *det_ctx, Signature *s,
- SigMatch *m, Flow *f, uint8_t flags,
- void *state)
-{
- SCEnter();
-
- int ret = 0;
- int toret = 0;
- int idx;
-
-#define MAX_SUBSTRINGS 30
- int ov[MAX_SUBSTRINGS];
- uint8_t *ptr = NULL;
- uint16_t len = 0;
-
- DetectPcreData *pe = (DetectPcreData *)m->ctx;
-
- FLOWLOCK_RDLOCK(f);
-
- HtpState *htp_state = (HtpState *)state;
- if (htp_state == NULL) {
- SCLogDebug("no HTTP layer state has been received, so no match");
- goto end;
- }
-
- if (!(htp_state->flags & HTP_FLAG_STATE_OPEN)) {
- SCLogDebug("HTP state not yet properly setup, so no match");
- goto end;
- }
-
- SCLogDebug("htp_state %p, flow %p", htp_state, f);
- SCLogDebug("htp_state->connp %p", htp_state->connp);
- SCLogDebug("htp_state->connp->conn %p", htp_state->connp->conn);
-
- if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
- SCLogDebug("HTTP connection structure is NULL");
- goto end;
- }
-
- htp_tx_t *tx = NULL;
-
- idx = AppLayerTransactionGetInspectId(f);
- if (idx == -1) {
- goto end;
- }
-
- int size = (int)list_size(htp_state->connp->conn->transactions);
- for (; idx < size; idx++)
- {
- tx = list_get(htp_state->connp->conn->transactions, idx);
- if (tx == NULL)
- continue;
-
- htp_header_t *h = NULL;
- h = (htp_header_t *) table_getc(tx->request_headers, "Cookie");
- if (h == NULL) {
- SCLogDebug("no HTTP Cookie header in the received request");
- goto end;
- }
- ptr = (uint8_t *) bstr_ptr(h->value);
- len = bstr_size(h->value);
-
- if (ptr == NULL)
- continue;
-
- //printf("Matching Cookie");
- //PrintRawUriFp(stdout, (uint8_t*)ptr, len);
-
- SCLogDebug("we have a cookie header");
-
- /* run the actual pcre detection */
- ret = pcre_exec(pe->re, pe->sd, (char *)ptr, len, 0, 0, ov, MAX_SUBSTRINGS);
- SCLogDebug("ret %d (negating %s)", ret, (pe->flags & DETECT_PCRE_NEGATE) ? "set" : "not set");
-
- if (ret == PCRE_ERROR_NOMATCH) {
- if (pe->flags & DETECT_PCRE_NEGATE) {
- /* regex didn't match with negate option means we
- * consider it a match */
- ret = 1;
- toret |= ret;
- break;
- } else {
- ret = 0;
- }
- toret |= ret;
- } else if (ret >= 0) {
- if (pe->flags & DETECT_PCRE_NEGATE) {
- /* regex matched but we're negated, so not
- * considering it a match */
- ret = 0;
- } else {
- /* regex matched and we're not negated,
- * considering it a match */
- ret = 1;
- toret |= ret;
- break;
- }
- } else {
- SCLogDebug("pcre had matching error");
- if (pe->flags & DETECT_PCRE_NEGATE) {
- ret = 1;
- toret |= ret;
- break;
- } else {
- ret = 0;
- }
- toret |= ret;
- }
- }
-
-end:
- FLOWLOCK_UNLOCK(f);
- SCReturnInt(toret);
-}
-
-/**
- * \brief match the specified pcre at http method, requesting it from htp/L7
- *
- * \param t pointer to thread vars
- * \param det_ctx pointer to the pattern matcher thread
- * \param p pointer to the current packet
- * \param m pointer to the sigmatch that we will cast into DetectPcreData
- *
- * \retval int 0 no match; 1 match
- */
-int DetectPcreALMatchMethod(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
- uint8_t flags, void *state, Signature *s, SigMatch *m)
-{
- int r = DetectPcreALDoMatchMethod(det_ctx, s, m, f, flags, state);
- SCReturnInt(r);
-}
-
-/**
- * \brief match the specified pcre at http cookie, requesting it from htp/L7
- *
- * \param t pointer to thread vars
- * \param det_ctx pointer to the pattern matcher thread
- * \param p pointer to the current packet
- * \param m pointer to the sigmatch that we will cast into DetectPcreData
- *
- * \retval int 0 no match; 1 match
- */
-int DetectPcreALMatchCookie(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
- uint8_t flags, void *state, Signature *s, SigMatch *m)
-{
- int r = DetectPcreALDoMatchCookie(det_ctx, s, m, f, flags, state);
- SCReturnInt(r);
-}
-
 /**
 * \brief Match a regex on a single payload.
 *
@@ -531,202 +258,6 @@ int DetectPcrePayloadMatch(DetectEngineThreadCtx *det_ctx, Signature *s,
 SCReturnInt(ret);
 }
-/**
- * \brief match a regex on a single payload'
- *
- * \param det_ctx thread detection ctx
- * \param p packet
- * \param s signature
- * \param sm sig match to match against
- *
- * \retval 1 match
- * \retval 0 no match
- */
-int DetectPcrePacketPayloadMatch(DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *sm) {
- SCEnter();
-#define MAX_SUBSTRINGS 30
- int ret = 0;
- int ov[MAX_SUBSTRINGS];
- uint8_t *ptr = NULL;
- uint16_t len = 0;
-
- if (p->payload_len == 0)
- SCReturnInt(0);
-
- DetectPcreData *pe = (DetectPcreData *)sm->ctx;
-
- /* If we want to inspect the http body, we will use HTP L7 parser */
- if (pe->flags & DETECT_PCRE_HTTP_CLIENT_BODY)
- SCReturnInt(0);
-
- if (pe->flags & DETECT_PCRE_RELATIVE) {
- ptr = p->payload + det_ctx->buffer_offset;
- len = p->payload_len - det_ctx->buffer_offset;
- if (ptr == NULL || len == 0)
- SCReturnInt(0);
- } else {
- ptr = p->payload;
- len = p->payload_len;
- }
-
- /* run the actual pcre detection */
- ret = pcre_exec(pe->re, pe->sd, (char *)ptr, len, 0, 0, ov, MAX_SUBSTRINGS);
- SCLogDebug("ret %d (negating %s)", ret, (pe->flags & DETECT_PCRE_NEGATE) ? "set" : "not set");
-
- if (ret == PCRE_ERROR_NOMATCH) {
- if (pe->flags & DETECT_PCRE_NEGATE) {
- /* regex didn't match with negate option means we
- * consider it a match */
- ret = 1;
- } else {
- ret = 0;
- }
- } else if (ret >= 0) {
- if (pe->flags & DETECT_PCRE_NEGATE) {
- /* regex matched but we're negated, so not
- * considering it a match */
- ret = 0;
- } else {
- /* regex matched and we're not negated,
- * considering it a match */
-
- /* see if we need to do substring capturing. */
- if (ret > 1 && pe->capidx != 0) {
- const char *str_ptr;
- ret = pcre_get_substring((char *)ptr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
- if (ret) {
- if (pe->flags & DETECT_PCRE_CAPTURE_PKT) {
- PktVarAdd(p, pe->capname, (uint8_t *)str_ptr, ret);
- } else if (pe->flags & DETECT_PCRE_CAPTURE_FLOW) {
- FlowVarAddStr(p->flow, pe->capidx, (uint8_t *)str_ptr, ret);
- }
- }
- }
-
- /* update offset for pcre RELATIVE */
- det_ctx->buffer_offset = (ptr+ov[1]) - p->payload;
-
- ret = 1;
- }
-
- } else {
- SCLogDebug("pcre had matching error");
- ret = 0;
- }
- SCReturnInt(ret);
-}
-
-/**
- * \brief Match a regex on data sent as arg.
- *
- * \param det_ctx Thread detection ctx.
- * \param s Signature.
- * \param sm SigMatch to match against.
- * \param data Data to match against.
- * \param data_len Data length.
- *
- * \retval 1: match
- * \retval 0: no match
- */
-int DetectPcrePayloadDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s,
- SigMatch *sm, Packet *p, uint8_t *data,
- uint16_t data_len)
-{
- SCEnter();
-
-#define MAX_SUBSTRINGS 30
- int ret = 0;
- int ov[MAX_SUBSTRINGS];
- uint8_t *ptr = NULL;
- uint16_t len = 0;
-
- if (data_len == 0)
- SCReturnInt(0);
-
- DetectPcreData *pe = (DetectPcreData *)sm->ctx;
-
- /* If we want to inspect the http body, we will use HTP L7 parser */
- if (pe->flags & DETECT_PCRE_HTTP_CLIENT_BODY)
- SCReturnInt(0);
-
- if (pe->flags & DETECT_PCRE_RELATIVE) {
- ptr = data + det_ctx->buffer_offset;
- len = data_len - det_ctx->buffer_offset;
- if (ptr == NULL || len == 0)
- SCReturnInt(0);
- } else {
- ptr = data;
- len = data_len;
- }
-
- /* run the actual pcre detection */
- ret = pcre_exec(pe->re, pe->sd, (char *)ptr, len, 0, 0, ov, MAX_SUBSTRINGS);
- SCLogDebug("ret %d (negating %s)", ret, (pe->flags & DETECT_PCRE_NEGATE) ? "set" : "not set");
-
- if (ret == PCRE_ERROR_NOMATCH) {
- if (pe->flags & DETECT_PCRE_NEGATE) {
- /* regex didn't match with negate option means we
- * consider it a match */
- ret = 1;
- } else {
- ret = 0;
- }
- } else if (ret >= 0) {
- if (pe->flags & DETECT_PCRE_NEGATE) {
- /* regex matched but we're negated, so not
- * considering it a match */
- ret = 0;
- } else {
- /* regex matched and we're not negated,
- * considering it a match */
-
- /* see if we need to do substring capturing. */
- if (ret > 1 && pe->capidx != 0) {
- const char *str_ptr;
- ret = pcre_get_substring((char *)ptr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
- if (ret) {
- if (pe->flags & DETECT_PCRE_CAPTURE_PKT) {
- PktVarAdd(p, pe->capname, (uint8_t *)str_ptr, ret);
- } else if (pe->flags & DETECT_PCRE_CAPTURE_FLOW) {
- FlowVarAddStr(p->flow, pe->capidx, (uint8_t *)str_ptr, ret);
- }
- }
- }
-
- /* update offset for pcre RELATIVE */
- det_ctx->buffer_offset = (ptr + ov[1]) - data;
-
- ret = 1;
- }
-
- } else {
- SCLogDebug("pcre had matching error");
- ret = 0;
- }
- SCReturnInt(ret);
-}
-
-/**
- * \brief DetectPcreMatch will try to match a regex on a single packet;
- * DetectPcreALMatch is used if we parse the option 'P'
- *
- * \param t pointer to the threadvars structure
- * \param det_ctx thread detection ctx
- * \param p packet
- * \param s signature
- * \param sm sig match to match against
- *
- * \retval 1: match
- * \retval 0: no match
- */
-int DetectPcreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p,
- Signature *s, SigMatch *sm)
-{
- SCEnter();
- int r = DetectPcrePacketPayloadMatch(det_ctx, p, s, sm);
- SCReturnInt(r);
-}
-
 DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr) {
 int ec;