From: Victor Julien
Date: Sun, 10 Jun 2012 13:27:08 +0000 (+0200)
Subject: filemd5: implement negated matching.
X-Git-Tag: suricata-1.3rc1~68
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b744708f28de32e11dd81e2cc99c42249d49d9dc;p=thirdparty%2Fsuricata.git
filemd5: implement negated matching.
---
diff --git a/src/detect-filemd5.c b/src/detect-filemd5.c
index 471d8e4ec8..ca6b047d1f 100644
--- a/src/detect-filemd5.c
+++ b/src/detect-filemd5.c
@@ -188,7 +188,15 @@ int DetectFileMd5Match (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
 if (file->flags & FILE_MD5) {
 if (MD5MatchLookupBuffer(filemd5->hash, file->md5, sizeof(file->md5)) == 1) {
- ret = 1;
+ if (filemd5->negated == 0)
+ ret = 1;
+ else
+ ret = 0;
+ } else {
+ if (filemd5->negated == 0)
+ ret = 0;
+ else
+ ret = 1;
 }
 }
@@ -214,6 +222,11 @@ DetectFileMd5Data *DetectFileMd5Parse (char *str)
 memset(filemd5, 0x00, sizeof(DetectFileMd5Data));
+ if (strlen(str) && str[0] == '!') {
+ filemd5->negated = 1;
+ str++;
+ }
+
 filemd5->hash = ROHashInit(18, 16);
 if (filemd5->hash == NULL) {
 goto error;
@@ -261,7 +274,7 @@ DetectFileMd5Data *DetectFileMd5Parse (char *str)
 if (ROHashInitFinalize(filemd5->hash) != 1) {
 goto error;
 }
- SCLogInfo("MD5 hash size %u bytes", ROHashMemorySize(filemd5->hash));
+ SCLogInfo("MD5 hash size %u bytes%s", ROHashMemorySize(filemd5->hash), filemd5->negated ? ", negated match" : "");
 return filemd5;
diff --git a/src/detect-filemd5.h b/src/detect-filemd5.h
index 0305a5d6fc..486812f7c6 100644
--- a/src/detect-filemd5.h
+++ b/src/detect-filemd5.h
@@ -28,6 +28,7 @@ typedef struct DetectFileMd5Data {
 ROHashTable *hash;
+ int negated;
 } DetectFileMd5Data;
 /* prototypes */
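Review bot: In the new `} else {` branch every return from MD5MatchLookupBuffer other than 1 counts as "hash not in list", so if that lookup can signal an error with some other value, a negated rule would alert on a failed lookup rather than on a genuine non-match; the lookup's return contract is not visible in this hunk, so it is worth confirming before relying on the negated form. As a point of style, the four nested assignments express one fact and read better as `int found = (MD5MatchLookupBuffer(filemd5->hash, file->md5, sizeof(file->md5)) == 1);` followed by `ret = found ^ (filemd5->negated != 0);`. DetectFileMd5Match's body starts and ends outside the hunk, so the initial value of ret is not visible here; a comment on the `FILE_MD5` test such as `/* no MD5 computed yet: neither the plain nor the negated form can decide, ret keeps its initial value */` would make that presumably deliberate behaviour explicit.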
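Review bot: `strlen(str)` walks the whole option string only to test that it is non-empty; `str[0]` is `'\0'` on an empty string, so `if (str[0] == '!') {` says the same thing in constant time. After `str++` an option body consisting of just `!` leaves an empty filename for the code that follows, which is outside the hunk, so it is worth checking that the later open fails cleanly instead of proceeding with an empty path. Whitespace between `!` and the filename is not skipped here either; if the option parser does not strip it, `! md5list` would be taken as a path beginning with a space. A one-line comment at the test, `/* leading '!' inverts the match: alert on files whose MD5 is NOT in the list */`, would document the syntax where it is implemented.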
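Review bot: `int negated;` is added without a comment, and its meaning is only discoverable by reading the parser in detect-filemd5.c, which sets it from a leading `!` in the rule option. A field comment such as `/** non-zero when the option was written as `!file`: match files whose MD5 is NOT in the list */` would spare readers that trip; note the struct is zeroed with memset in the parser, so the default of 0 (plain match) holds without an explicit initializer. The field only ever holds 0 or 1, so a narrower type would also do, but `int` is fine if it matches the neighbouring detect structs.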