From: Jeff Lucovsky
Date: Mon, 16 Dec 2019 22:07:20 +0000 (-0500)
Subject: detect: byte-test convert neg_op flag to a bool
X-Git-Tag: suricata-6.0.0-beta1~604
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e0bd79670c82506a6f99f1fed1560cc887805ada;p=thirdparty%2Fsuricata.git
detect: byte-test convert neg_op flag to a bool
Only 8 flags are permitted so convert one of them to a struct member. I choose neg_op
---
diff --git a/src/detect-bytetest.c b/src/detect-bytetest.c
index 4bae033fa9..017fef1de5 100644
--- a/src/detect-bytetest.c
+++ b/src/detect-bytetest.c
@@ -151,7 +151,7 @@ int DetectBytetestDoMatch(DetectEngineThreadCtx *det_ctx,
 SCReturnInt(0);
 }
- neg = flags & DETECT_BYTETEST_NEGOP;
+ neg = data->neg_op;
 /* Extract the byte data */
 if (flags & DETECT_BYTETEST_STRING) {
@@ -699,7 +699,7 @@ static int DetectBytetestTestParse02(void)
 && (data->nbytes == 4)
 && (data->value == 1)
 && (data->offset == 0)
- && (data->flags == DETECT_BYTETEST_NEGOP)
+ && (data->neg_op)
 && (data->base == DETECT_BYTETEST_BASE_UNSET))
 {
 result = 1;
@@ -723,8 +723,8 @@ static int DetectBytetestTestParse03(void)
 && (data->nbytes == 4)
 && (data->value == 1)
 && (data->offset == 0)
- && (data->flags == ( DETECT_BYTETEST_NEGOP
- |DETECT_BYTETEST_RELATIVE))
+ && (data->neg_op)
+ && (data->flags == DETECT_BYTETEST_RELATIVE)
 && (data->base == DETECT_BYTETEST_BASE_UNSET))
 {
 result = 1;
@@ -748,8 +748,8 @@ static int DetectBytetestTestParse04(void)
 && (data->nbytes == 4)
 && (data->value == 1)
 && (data->offset == 0)
- && (data->flags == ( DETECT_BYTETEST_NEGOP
- |DETECT_BYTETEST_STRING))
+ && (data->neg_op)
+ && (data->flags == DETECT_BYTETEST_STRING)
 && (data->base == DETECT_BYTETEST_BASE_OCT))
 {
 result = 1;
@@ -821,7 +821,7 @@ static int DetectBytetestTestParse07(void)
 && (data->nbytes == 4)
 && (data->value == 5)
 && (data->offset == 0)
- && (data->flags == 4)
+ && (data->flags & DETECT_BYTETEST_BIG)
 && (data->base == DETECT_BYTETEST_BASE_UNSET))
 {
 result = 1;
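Review bot: Nothing in the hunks of this diff ever assigns `neg_op`: `DetectBytetestDoMatch` now reads `neg = data->neg_op;`, yet the patch shows no change to the keyword parser, which must previously have ORed `DETECT_BYTETEST_NEGOP` into `flags`. If the parse path is not updated elsewhere, either the build breaks on the removed macro or every `!` operator is evaluated un-negated, which silently inverts the verdict of negated byte_test rules. Please confirm the parser sets `data->neg_op = true;` on `!`, and add a comment at this line noting that negation now comes from the keyword data while the other options still come from the `flags` argument. The body of DetectBytetestDoMatch starts and ends outside the hunk, so how `data` is obtained cannot be checked from here.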
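Review bot: In DetectBytetestTestParse07 the new condition `(data->flags & DETECT_BYTETEST_BIG)` is weaker than the `(data->flags == 4)` it replaces, because a bit test passes with any additional flag set and no longer shows that the operator is not negated. The old exact comparison covered both, and the neighbouring Parse02 to Parse11 hunks keep `==`. Use `&& (!data->neg_op)` followed by `&& (data->flags == DETECT_BYTETEST_BIG)` here. Parse tests for non-negated operators outside these hunks presumably lost their implicit "NEGOP is clear" check in the same way and would benefit from an explicit `!data->neg_op`. The test function continues on both sides of the hunk.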
@@ -869,7 +869,7 @@ static int DetectBytetestTestParse09(void)
 && (data->nbytes == 4)
 && (data->value == 5)
 && (data->offset == 0)
- && (data->flags == DETECT_BYTETEST_NEGOP)
+ && (data->neg_op)
 && (data->base == DETECT_BYTETEST_BASE_UNSET))
 {
 result = 1;
@@ -893,7 +893,8 @@ static int DetectBytetestTestParse10(void)
 && (data->nbytes == 4)
 && (data->value == 5)
 && (data->offset == 0)
- && (data->flags == (DETECT_BYTETEST_NEGOP|DETECT_BYTETEST_LITTLE))
+ && (data->neg_op)
+ && (data->flags == DETECT_BYTETEST_LITTLE)
 && (data->base == DETECT_BYTETEST_BASE_UNSET))
 {
 result = 1;
@@ -917,8 +918,8 @@ static int DetectBytetestTestParse11(void)
 && (data->nbytes == 4)
 && (data->value == 5)
 && (data->offset == 0)
- && (data->flags == ( DETECT_BYTETEST_NEGOP
- |DETECT_BYTETEST_LITTLE
+ && (data->neg_op)
+ && (data->flags == (DETECT_BYTETEST_LITTLE
 |DETECT_BYTETEST_STRING
 |DETECT_BYTETEST_RELATIVE))
 && (data->base == DETECT_BYTETEST_BASE_HEX))
@@ -1124,7 +1125,7 @@ static int DetectBytetestTestParse20(void)
 (bd->flags & DETECT_BYTETEST_STRING) &&
 (bd->flags & DETECT_BYTETEST_BIG) &&
 (bd->flags & DETECT_BYTETEST_LITTLE) &&
- (bd->flags & DETECT_BYTETEST_NEGOP) ) {
+ (bd->neg_op) ) {
 result = 0;
 goto end;
 }
@@ -1151,7 +1152,7 @@ static int DetectBytetestTestParse20(void)
 (bd->flags & DETECT_BYTETEST_STRING) &&
 (bd->flags & DETECT_BYTETEST_BIG) &&
 (bd->flags & DETECT_BYTETEST_LITTLE) &&
- (bd->flags & DETECT_BYTETEST_NEGOP) ) {
+ (bd->neg_op) ) {
 result = 0;
 goto end;
 }
@@ -1178,7 +1179,7 @@ static int DetectBytetestTestParse20(void)
 (bd->flags & DETECT_BYTETEST_STRING) &&
 (bd->flags & DETECT_BYTETEST_BIG) &&
 (bd->flags & DETECT_BYTETEST_LITTLE) &&
- (bd->flags & DETECT_BYTETEST_NEGOP) ) {
+ (bd->neg_op) ) {
 result = 0;
 goto end;
 }
@@ -1351,7 +1352,7 @@ static int DetectBytetestTestParse22(void)
 (bd->flags & DETECT_BYTETEST_STRING) &&
 (bd->flags & DETECT_BYTETEST_BIG) &&
 (bd->flags & DETECT_BYTETEST_LITTLE) &&
- (bd->flags & DETECT_BYTETEST_NEGOP) ) {
+ (bd->neg_op) ) {
 printf("wrong flags: ");
 goto end;
 }
diff --git a/src/detect-bytetest.h b/src/detect-bytetest.h
index e79cdeee68..0ab024913b 100644
--- a/src/detect-bytetest.h
+++ b/src/detect-bytetest.h
@@ -40,22 +40,22 @@
 #define DETECT_BYTETEST_BASE_HEX 16 /**< "hex" type value string */
 /** Bytetest Flags */
-#define DETECT_BYTETEST_NEGOP BIT_U16(0) /**< "!" negated operator */
-#define DETECT_BYTETEST_LITTLE BIT_U16(1) /**< "little" endian value */
-#define DETECT_BYTETEST_BIG BIT_U16(2) /**< "bi" endian value */
-#define DETECT_BYTETEST_STRING BIT_U16(3) /**< "string" value */
-#define DETECT_BYTETEST_RELATIVE BIT_U16(4) /**< "relative" offset */
-#define DETECT_BYTETEST_DCE BIT_U16(5) /**< dce enabled */
-#define DETECT_BYTETEST_BITMASK BIT_U16(6) /**< bitmask supplied*/
-#define DETECT_BYTETEST_VALUE_BE BIT_U16(7) /**< byte extract value enabled */
-#define DETECT_BYTETEST_OFFSET_BE BIT_U16(8) /**< byte extract value enabled */
+#define DETECT_BYTETEST_LITTLE BIT_U8(0) /**< "little" endian value */
+#define DETECT_BYTETEST_BIG BIT_U8(1) /**< "bi" endian value */
+#define DETECT_BYTETEST_STRING BIT_U8(2) /**< "string" value */
+#define DETECT_BYTETEST_RELATIVE BIT_U8(3) /**< "relative" offset */
+#define DETECT_BYTETEST_DCE BIT_U8(4) /**< dce enabled */
+#define DETECT_BYTETEST_BITMASK BIT_U8(5) /**< bitmask supplied*/
+#define DETECT_BYTETEST_VALUE_BE BIT_U8(6) /**< byte extract value enabled */
+#define DETECT_BYTETEST_OFFSET_BE BIT_U8(7) /**< byte extract value enabled */
 typedef struct DetectBytetestData_ {
 uint8_t nbytes; /**< Number of bytes to compare */
 uint8_t op; /**< Operator used to compare */
 uint8_t base; /**< String value base (oct|dec|hex) */
 uint8_t bitmask_shift_count; /**< bitmask trailing 0 count */
- uint16_t flags; /**< Flags (big|little|relative|string|bitmask) */
+ uint8_t flags; /**< Flags (big|little|relative|string|bitmask) */
+ bool neg_op;
 int32_t offset; /**< Offset in payload */
 uint32_t bitmask; /**< bitmask value */
 uint64_t value; /**< Value to compare against */
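Review bot: `bool neg_op;` is the only member of `DetectBytetestData_` in this hunk without a Doxygen comment, although it now carries what the removed `DETECT_BYTETEST_NEGOP` define documented; write it as `bool neg_op; /**< "!" negated operator */`. With `flags` narrowed to `uint8_t` and `DETECT_BYTETEST_OFFSET_BE` at `BIT_U8(7)`, the field is full, so a line such as `/* all 8 bits of flags are in use; add new options as struct members */` above the defines would keep a ninth flag from being silently truncated. The renumbered lines also still read `"bi" endian value` for `DETECT_BYTETEST_BIG` and repeat `byte extract value enabled` for `DETECT_BYTETEST_OFFSET_BE`, which presumably should say offset. The struct definition continues past the end of the hunk.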