From: Victor Julien
Date: Fri, 9 Dec 2016 13:46:05 +0000 (+0100)
Subject: http_stat_msg: dynamic buffer
X-Git-Tag: suricata-4.0.0-beta1~386
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b694d96e2240920fa12f095b21114a866226f33b;p=thirdparty%2Fsuricata.git
http_stat_msg: dynamic buffer
---
diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index 866250308f..5de0ce168c 100644
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -120,8 +120,6 @@ void EngineAnalysisFP(Signature *s, char *line)
 fprintf(fp_engine_analysis_FD, "http raw header content\n");
 else if (list_type == DETECT_SM_LIST_HCBDMATCH)
 fprintf(fp_engine_analysis_FD, "http client body content\n");
- else if (list_type == DETECT_SM_LIST_HSMDMATCH)
- fprintf(fp_engine_analysis_FD, "http stat msg content\n");
 else {
 const char *desc = DetectBufferTypeGetDescriptionById(list_type);
 const char *name = DetectBufferTypeGetNameById(list_type);
@@ -464,8 +462,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s)
 fprintf(rule_engine_analysis_FD, "http raw header content");
 else if (list_type == DETECT_SM_LIST_HCBDMATCH)
 fprintf(rule_engine_analysis_FD, "http client body content");
- else if (list_type == DETECT_SM_LIST_HSMDMATCH)
- fprintf(rule_engine_analysis_FD, "http stat msg content");
 else if (list_type == DETECT_SM_LIST_DNSQUERYNAME_MATCH)
 fprintf(rule_engine_analysis_FD, "dns query name content");
 else if (list_type == DETECT_SM_LIST_TLSSNI_MATCH)
@@ -571,6 +567,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
 const int httpuseragent_id = DetectBufferTypeGetByName("http_user_agent");
 const int httpcookie_id = DetectBufferTypeGetByName("http_cookie");
 const int httpstatcode_id = DetectBufferTypeGetByName("http_stat_code");
+ const int httpstatmsg_id = DetectBufferTypeGetByName("http_stat_msg");
 if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) {
 rule_bidirectional = 1;
@@ -634,7 +631,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
 raw_http_buf += 1;
 http_raw_uri_buf += 1;
 }
- else if (list_id == DETECT_SM_LIST_HSMDMATCH) {
+ else if (list_id == httpstatmsg_id) {
 rule_pcre_http += 1;
 raw_http_buf += 1;
 http_stat_msg_buf += 1;
@@ -695,7 +692,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
 raw_http_buf += 1;
 http_raw_uri_buf += 1;
 }
- else if (list_id == DETECT_SM_LIST_HSMDMATCH) {
+ else if (list_id == httpstatmsg_id) {
 rule_content_http += 1;
 raw_http_buf += 1;
 http_stat_msg_buf += 1;
diff --git a/src/detect-engine.c b/src/detect-engine.c
index 4e68b24792..381342e892 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -2806,8 +2806,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
 return "http headers";
 case DETECT_SM_LIST_HRHDMATCH:
 return "http raw headers";
- case DETECT_SM_LIST_HSMDMATCH:
- return "http stat msg";
 case DETECT_SM_LIST_APP_EVENT:
 return "app layer events";
diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c
index 513408da5c..e902f261b2 100644
--- a/src/detect-fast-pattern.c
+++ b/src/detect-fast-pattern.c
@@ -329,6 +329,7 @@ static int g_http_cookie_buffer_id = 0;
 static int g_http_host_buffer_id = 0;
 static int g_http_raw_host_buffer_id = 0;
 static int g_http_stat_code_buffer_id = 0;
+static int g_http_stat_msg_buffer_id = 0;
 /**
 * \test Checks if a fast_pattern is registered in a Signature
@@ -10551,7 +10552,7 @@ int DetectFastPatternTest384(void)
 "content:\"three\"; http_stat_msg; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->prev->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 ud->flags & DETECT_CONTENT_NEGATED &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@@ -10589,7 +10590,7 @@ int DetectFastPatternTest385(void)
 goto end;
 result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSMDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_stat_msg_buffer_id];
 if (sm != NULL) {
 if ( ((DetectContentData *)sm->ctx)->flags &
 DETECT_CONTENT_FAST_PATTERN) {
@@ -10626,7 +10627,7 @@ int DetectFastPatternTest386(void)
 goto end;
 result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSMDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_stat_msg_buffer_id];
 if (sm != NULL) {
 if ( ((DetectContentData *)sm->ctx)->flags &
 DETECT_CONTENT_FAST_PATTERN) {
@@ -10657,7 +10658,7 @@ int DetectFastPatternTest387(void)
 if (de_ctx->sig_list == NULL)
 goto end;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSMDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_stat_msg_buffer_id];
 if (sm == NULL) {
 goto end;
 }
@@ -10693,7 +10694,7 @@ int DetectFastPatternTest388(void)
 if (de_ctx->sig_list == NULL)
 goto end;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSMDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_stat_msg_buffer_id];
 if (sm == NULL) {
 goto end;
 }
@@ -10938,7 +10939,7 @@ int DetectFastPatternTest398(void)
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@@ -10970,7 +10971,7 @@ int DetectFastPatternTest399(void)
 "content:\"two\"; fast_pattern:only; http_stat_msg; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@@ -11002,7 +11003,7 @@ int DetectFastPatternTest400(void)
 "content:\"two\"; fast_pattern:only; http_stat_msg; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@@ -11034,7 +11035,7 @@ int DetectFastPatternTest401(void)
 "content:\"two\"; fast_pattern:only; http_stat_msg; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@@ -11065,7 +11066,7 @@ int DetectFastPatternTest402(void)
 "content:\"two\"; http_stat_msg; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->prev->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 ud->flags & DETECT_CONTENT_NEGATED &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@@ -11190,7 +11191,7 @@ int DetectFastPatternTest407(void)
 "content:\"three\"; http_stat_msg; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->prev->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -11222,7 +11223,7 @@ int DetectFastPatternTest408(void)
 "content:\"three\"; http_stat_msg; distance:30; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->prev->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -11254,7 +11255,7 @@ int DetectFastPatternTest409(void)
 "content:\"three\"; http_stat_msg; within:30; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->prev->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -11286,7 +11287,7 @@ int DetectFastPatternTest410(void)
 "content:\"three\"; http_stat_msg; offset:30; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->prev->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -11318,7 +11319,7 @@ int DetectFastPatternTest411(void)
 "content:\"three\"; http_stat_msg; depth:30; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->prev->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -11350,7 +11351,7 @@ int DetectFastPatternTest412(void)
 "content:\"oneonethree\"; fast_pattern:3,4; http_stat_msg; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -11382,7 +11383,7 @@ int DetectFastPatternTest413(void)
 "content:\"oneonethree\"; fast_pattern:3,4; http_stat_msg; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -11414,7 +11415,7 @@ int DetectFastPatternTest414(void)
 "content:\"oneonethree\"; fast_pattern:3,4; http_stat_msg; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -11446,7 +11447,7 @@ int DetectFastPatternTest415(void)
 "content:\"oneonethree\"; fast_pattern:3,4; http_stat_msg; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
 ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -11553,7 +11554,7 @@ int DetectFastPatternTest419(void)
 "content:\"three\"; http_stat_msg; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->prev->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 ud->flags & DETECT_CONTENT_NEGATED &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@@ -11682,7 +11683,7 @@ int DetectFastPatternTest424(void)
 "content:\"three\"; http_stat_msg; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->prev->ctx;
 if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
 ud->flags & DETECT_CONTENT_NEGATED &&
 !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@@ -18837,6 +18838,7 @@ void DetectFastPatternRegisterTests(void)
 g_http_host_buffer_id = DetectBufferTypeGetByName("http_host");
 g_http_raw_host_buffer_id = DetectBufferTypeGetByName("http_raw_host");
 g_http_stat_code_buffer_id = DetectBufferTypeGetByName("http_stat_code");
+ g_http_stat_msg_buffer_id = DetectBufferTypeGetByName("http_stat_msg");
 UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01);
 UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02);
diff --git a/src/detect-http-stat-msg.c b/src/detect-http-stat-msg.c
index 2207d13b61..c61c665923 100644
--- a/src/detect-http-stat-msg.c
+++ b/src/detect-http-stat-msg.c
@@ -63,12 +63,10 @@
 #include "stream-tcp-private.h"
 #include "stream-tcp.h"
-int DetectHttpStatMsgMatch (ThreadVars *, DetectEngineThreadCtx *,
- Flow *, uint8_t , void *, Signature *,
- SigMatch *);
 static int DetectHttpStatMsgSetup(DetectEngineCtx *, Signature *, char *);
-void DetectHttpStatMsgRegisterTests(void);
-void DetectHttpStatMsgFree(void *);
+static void DetectHttpStatMsgRegisterTests(void);
+static void DetectHttpStatMsgSetupCallback(Signature *s);
+static int g_http_stat_msg_buffer_id = 0;
 /**
 * \brief Registration function for keyword: http_stat_msg
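Review bot: The id returned by `DetectBufferTypeGetByName("http_stat_msg")` is stored in `g_http_stat_msg_buffer_id` unchecked, and the DetectFastPatternTest384 to DetectFastPatternTest424 hunks then use it directly as an index into `sm_lists[]` and `sm_lists_tail[]`. The static starts at 0, which is itself a usable list index, so a lookup that has not run or has failed (the failure value is not visible here, presumably negative) makes the tests read the wrong list or index out of bounds instead of failing cleanly. I would add `BUG_ON(g_http_stat_msg_buffer_id < 0);` right after the assignment. The same unchecked lookup is used in DetectHttpStatMsgRegister in detect-http-stat-msg.c and in the `case 'Y'` branch of DetectPcreParse; DetectFastPatternRegisterTests continues outside the hunk.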
@@ -87,13 +85,20 @@ void DetectHttpStatMsgRegister (void)
 sigmatch_table[DETECT_AL_HTTP_STAT_MSG].flags |= SIGMATCH_NOOPT;
 sigmatch_table[DETECT_AL_HTTP_STAT_MSG].flags |= SIGMATCH_PAYLOAD;
- DetectMpmAppLayerRegister("http_stat_msg", SIG_FLAG_TOCLIENT,
- DETECT_SM_LIST_HSMDMATCH, 3,
+ DetectAppLayerMpmRegister("http_stat_msg", SIG_FLAG_TOCLIENT, 3,
 PrefilterTxHttpStatMsgRegister);
- DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
- DETECT_SM_LIST_HSMDMATCH,
+ DetectAppLayerInspectEngineRegister2("http_stat_msg",
+ ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
 DetectEngineInspectHttpStatMsg);
+
+ DetectBufferTypeSetDescriptionByName("http_stat_msg",
+ "http response status message");
+
+ DetectBufferTypeRegisterSetupCallback("http_stat_msg",
+ DetectHttpStatMsgSetupCallback);
+
+ g_http_stat_msg_buffer_id = DetectBufferTypeGetByName("http_stat_msg");
 }
 /**
@@ -111,11 +116,17 @@ static int DetectHttpStatMsgSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
 {
 return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
 DETECT_AL_HTTP_STAT_MSG,
- DETECT_SM_LIST_HSMDMATCH,
+ g_http_stat_msg_buffer_id,
 ALPROTO_HTTP,
 NULL);
 }
+static void DetectHttpStatMsgSetupCallback(Signature *s)
+{
+ SCLogDebug("callback invoked by %u", s->id);
+ s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
+}
+
 #ifdef UNITTESTS
 /**
@@ -148,7 +159,7 @@ int DetectHttpStatMsgTest01(void)
 "fast_pattern; http_stat_msg; sid:1;)");
 if (de_ctx->sig_list == NULL)
 goto end;
- if (!(((DetectContentData *)de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSMDMATCH]->ctx)->flags &
+ if (!(((DetectContentData *)de_ctx->sig_list->sm_lists[g_http_stat_msg_buffer_id]->ctx)->flags &
 DETECT_CONTENT_FAST_PATTERN))
 {
 goto end;
@@ -186,7 +197,7 @@ int DetectHttpStatMsgTest02(void)
 }
 result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSMDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_stat_msg_buffer_id];
 if (sm == NULL) {
 printf("no sigmatch(es): ");
 goto end;
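Review bot: DetectHttpStatMsgSetupCallback is added without a doc comment, although the other functions in this file carry `\brief` blocks, and it is now the only place that sets `SIG_MASK_REQUIRE_HTTP_STATE` for this keyword (the equivalent block in SignatureCreateMask is deleted by this commit). I would put `/** \brief buffer setup callback: marks the signature as requiring HTTP app-layer state */` above it so the link to the mask logic stays discoverable. The `SCLogDebug` format uses `%u` for `s->id`; if `id` is a `uint32_t` (its declaration is not visible here), `"%" PRIu32` is the matching specifier.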
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 31ec0fa484..842679a376 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -145,7 +145,6 @@ const char *DetectListToHumanString(int list)
 CASE_CODE_STRING(DETECT_SM_LIST_HCBDMATCH, "http_client_body");
 CASE_CODE_STRING(DETECT_SM_LIST_HHDMATCH, "http_header");
 CASE_CODE_STRING(DETECT_SM_LIST_HRHDMATCH, "http_raw_header");
- CASE_CODE_STRING(DETECT_SM_LIST_HSMDMATCH, "http_stat_msg");
 CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event");
 CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer");
 CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
@@ -180,7 +179,6 @@ const char *DetectListToString(int list)
 CASE_CODE(DETECT_SM_LIST_HCBDMATCH);
 CASE_CODE(DETECT_SM_LIST_HHDMATCH);
 CASE_CODE(DETECT_SM_LIST_HRHDMATCH);
- CASE_CODE(DETECT_SM_LIST_HSMDMATCH);
 CASE_CODE(DETECT_SM_LIST_APP_EVENT);
 CASE_CODE(DETECT_SM_LIST_AMATCH);
 CASE_CODE(DETECT_SM_LIST_DMATCH);
@@ -1424,14 +1422,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
 "with flow:to_client or flow:from_server");
 SCReturnInt(0);
 }
- } else if (fd->flags & FLOW_PKT_TOSERVER) {
- /* check for uricontent + from_server/to_client */
- if (s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use http_"
- "server_body, http_stat_msg, http_stat_code "
- "with flow:to_server or flow:from_client");
- SCReturnInt(0);
- }
 }
 }
 }
@@ -1536,8 +1526,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
 if (s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH] ||
 s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH] ||
 s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH] ||
- s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] ||
- s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH])
+ s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH])
 {
 SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet "
 "specific matches (like dsize, flags, ttl) with stream / "
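Review bot: Both SigValidate hunks drop `DETECT_SM_LIST_HSMDMATCH` from a load-time check with no visible equivalent for the new dynamic buffer id, and the SignatureIsIPOnly, SignatureIsPDOnly and SignatureIsDEOnly hunks in detect.c do the same. The first hunk removes the whole `FLOW_PKT_TOSERVER` branch, so a rule pairing http_stat_msg with `flow:to_server` is no longer rejected here; as the buffer is registered for `SIG_FLAG_TOCLIENT` only, such a rule would presumably load and then never match, which the rule author gets no signal about. Unless dynamic buffers are validated generically outside these hunks, I would keep the check keyed on the looked-up id, e.g. `const int hsm_id = DetectBufferTypeGetByName("http_stat_msg");` and `if (hsm_id >= 0 && s->init_data->smlists[hsm_id] != NULL) {` (assuming `init_data->smlists` can be indexed by dynamic ids the way `sm_lists` is in the tests). SigValidate starts and ends outside both hunks.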
diff --git a/src/detect-pcre.c b/src/detect-pcre.c
index e7cd1581f7..d430193e55 100644
--- a/src/detect-pcre.c
+++ b/src/detect-pcre.c
@@ -478,10 +478,12 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr,
 *sm_list = DetectPcreSetList(*sm_list, list);
 break;
 }
- case 'Y':
+ case 'Y': {
 /* snort's option */
- *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HSMDMATCH);
+ int list = DetectBufferTypeGetByName("http_stat_msg");
+ *sm_list = DetectPcreSetList(*sm_list, list);
 break;
+ }
 case 'S': {
 /* snort's option */
 int list = DetectBufferTypeGetByName("http_stat_code");
@@ -684,8 +686,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
 if (parsed_sm_list == DETECT_SM_LIST_HRUDMATCH ||
 parsed_sm_list == DETECT_SM_LIST_HCBDMATCH ||
 parsed_sm_list == DETECT_SM_LIST_HHDMATCH ||
- parsed_sm_list == DETECT_SM_LIST_HRHDMATCH ||
- parsed_sm_list == DETECT_SM_LIST_HSMDMATCH)
+ parsed_sm_list == DETECT_SM_LIST_HRHDMATCH)
 {
 if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
 SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
@@ -718,7 +719,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
 case DETECT_SM_LIST_HRUDMATCH:
 case DETECT_SM_LIST_HHDMATCH:
 case DETECT_SM_LIST_HRHDMATCH:
- case DETECT_SM_LIST_HSMDMATCH:
 s->flags |= SIG_FLAG_APPLAYER;
 s->alproto = ALPROTO_HTTP;
 sm_list = parsed_sm_list;
diff --git a/src/detect.c b/src/detect.c
index 4de426efef..5ab7af0c3d 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1924,9 +1924,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
 if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
 return 0;
- if (s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL)
- return 0;
-
 if (s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL)
 return 0;
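Review bot: With `/Y` now resolving to a dynamic buffer id, a pcre on http_stat_msg no longer matches any of the hard-coded lists in the two DetectPcreSetup hunks: the `s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP` conflict check and the `case` group that sets `SIG_FLAG_APPLAYER` and `s->alproto = ALPROTO_HTTP`. If nothing outside these hunks gives dynamic lists the same treatment, a `/Y` pcre in a non-HTTP rule is no longer rejected and the signature is not pinned to HTTP. I would either extend the condition with `|| parsed_sm_list == DetectBufferTypeGetByName("http_stat_msg")` or add a comment at both places naming where dynamic buffers are handled. Both DetectPcreParse and DetectPcreSetup continue outside the hunks shown.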
@@ -2011,9 +2008,6 @@ static int SignatureIsPDOnly(const Signature *s)
 if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
 return 0;
- if (s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL)
- return 0;
-
 if (s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL)
 return 0;
@@ -2117,7 +2111,6 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s)
 s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
 s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL ||
 s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL ||
- s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
 s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
 {
 SCReturnInt(0);
@@ -2291,11 +2284,6 @@ static int SignatureCreateMask(Signature *s)
 SCLogDebug("sig requires http app state");
 }
- if (s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL) {
- s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
- SCLogDebug("sig requires http app state");
- }
-
 SigMatch *sm;
 for (sm = s->init_data->smlists[DETECT_SM_LIST_AMATCH] ; sm != NULL; sm = sm->next) {
 switch(sm->type) {
diff --git a/src/detect.h b/src/detect.h
index 3546539164..ce6a609b5e 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -123,8 +123,6 @@ enum DetectSigmatchListEnum {
 DETECT_SM_LIST_HHDMATCH,
 /* list for http_raw_header keyword and the ones relative to it */
 DETECT_SM_LIST_HRHDMATCH,
- /* list for http_stat_msg keyword and the ones relative to it */
- DETECT_SM_LIST_HSMDMATCH,
 /* app event engine sm list */
 DETECT_SM_LIST_APP_EVENT,