From: Tom Peters (thopeter) Date: Fri, 30 Nov 2018 19:26:31 +0000 (-0500) Subject: Merge pull request #1443 in SNORT/snort3 from ~MIREDDEN/snort3:snort2lua_fix_pcre_PH_... X-Git-Tag: 3.0.0-250~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e96f6b53d1fe2d1bdbd27884af91ea02536549b0;p=thirdparty%2Fsnort3.git Merge pull request #1443 in SNORT/snort3 from ~MIREDDEN/snort3:snort2lua_fix_pcre_PH_options_for_sip to master Squashed commit of the following: commit 68ae2da5c5ff36675a6aba8f2710ce8327103e15 Author: Mike Redden Date: Mon Nov 26 14:04:07 2018 -0500 snort2lua: Fix pcre H and P option conversions for sip
---
diff --git a/tools/snort2lua/data/data_types/dt_rule.cc b/tools/snort2lua/data/data_types/dt_rule.cc
index 505267905..86d72c49b 100644
--- a/tools/snort2lua/data/data_types/dt_rule.cc
+++ b/tools/snort2lua/data/data_types/dt_rule.cc
@@ -49,7 +49,7 @@ bool Rule::add_hdr_data(const std::string& data)
 }
 }
-void Rule::set_rule_old_action(const std::string &action)
+void Rule::set_rule_old_action(const std::string& action)
 {
 old_action = action;
 }
@@ -177,3 +177,92 @@ std::ostream& operator<<(std::ostream& out, const Rule& rule)
 return out;
 }
+void Rule::resolve_pcre_buffer_options()
+{
+ std::vector::iterator iter;
+ std::string curr_sticky_buffer = "";
+ bool is_sip = false;
+ std::string name;
+ const std::string service = get_option("service");
+ std::string new_buffer;
+
+ if (service == "sip")
+ is_sip = true;
+
+ iter = options.begin();
+
+ while (iter != options.end())
+ {
+ name = (*iter)->get_name();
+
+ if (name == "pcre_P_option_body" || name == "pcre_H_option_header")
+ {
+ delete(*iter);
+ iter = options.erase(iter);
+
+ if (is_sip)
+ {
+ if (name == "pcre_P_option_body")
+ {
+ new_buffer = "sip_body";
+ }
+ else
+ {
+ new_buffer = "sip_header";
+ }
+ }
+ else
+ {
+ if (name == "pcre_P_option_body")
+ {
+ new_buffer = "http_client_body";
+ }
+ else
+ {
+ new_buffer = "http_header";
+ }
+ }
+
+ if (curr_sticky_buffer != new_buffer)
+ {
+ curr_sticky_buffer = new_buffer;
+ RuleOption* new_opt = new RuleOption(new_buffer);
+ options.insert(iter, new_opt);
+ ++iter;
+ }
+ }
+ else if (name == "pkt_data")
+ {
+ curr_sticky_buffer = name;
+ ++iter;
+ }
+ else if (name == "http_uri" ||
+ name == "http_raw_uri" ||
+ name == "http_cookie" ||
+ name == "http_raw_cookie" ||
+ name == "http_method" ||
+ name == "http_stat_code" ||
+ name == "http_stat_msg" ||
+ name == "http_header" ||
+ name == "http_client_body" ||
+ name == "sip_header" ||
+ name == "sip_body")
+ {
+ if (curr_sticky_buffer == name)
+ {
+ delete(*iter);
+ iter = options.erase(iter);
+ }
+ else
+ {
+ curr_sticky_buffer = name;
+ ++iter;
+ }
+ }
+ else
+ {
+ ++iter;
+ }
+ }
+}
+
diff --git a/tools/snort2lua/data/data_types/dt_rule.h b/tools/snort2lua/data/data_types/dt_rule.h
index 913f327bb..ec69b4e56 100644
--- a/tools/snort2lua/data/data_types/dt_rule.h
+++ b/tools/snort2lua/data/data_types/dt_rule.h
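Review bot: In the placeholder branch of `Rule::resolve_pcre_buffer_options()`, `options.insert(iter, new_opt); ++iter;` keeps using `iter` after inserting at that position, which the standard treats as invalidated even when the vector does not reallocate (this assumes `options` is a `std::vector`, as the `iter` declaration suggests). Taking the returned iterator keeps the loop well defined with the same effect: `iter = options.insert(iter, new_opt);` followed by the existing `++iter;`. Separately, the final `else` leaves `curr_sticky_buffer` untouched for every option name outside the list, so if a buffer selector that is not listed (for example `file_data` or `http_raw_header`) sits between two pcre placeholders, the second placeholder is erased as a duplicate and the converted pcre would run against the wrong buffer; a converted rule that inspects a different buffer than the Snort 2 original can miss traffic it used to detect. Whether such options reach this function as separate `RuleOption` entries is not visible here, so that should be checked against the other rule-state converters.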
@@ -50,6 +50,7 @@ public:
 void make_comment();
 void set_old_http_rule();
 bool is_old_http_rule() { return old_http_rule; }
+ void resolve_pcre_buffer_options();
 friend std::ostream& operator<<(std::ostream&, const Rule&);
diff --git a/tools/snort2lua/data/dt_rule_api.cc b/tools/snort2lua/data/dt_rule_api.cc
index b0443e6f0..f426c2e31 100644
--- a/tools/snort2lua/data/dt_rule_api.cc
+++ b/tools/snort2lua/data/dt_rule_api.cc
@@ -264,6 +264,12 @@ bool RuleApi::is_old_http_rule()
 return curr_rule->is_old_http_rule();
 }
+void RuleApi::resolve_pcre_buffer_options()
+{
+ if (curr_rule)
+ curr_rule->resolve_pcre_buffer_options();
+}
+
 std::ostream& operator<<(std::ostream& out, const RuleApi& data)
 {
 if (DataApi::is_default_mode())
diff --git a/tools/snort2lua/data/dt_rule_api.h b/tools/snort2lua/data/dt_rule_api.h
index c69e7ebfe..311028d37 100644
--- a/tools/snort2lua/data/dt_rule_api.h
+++ b/tools/snort2lua/data/dt_rule_api.h
@@ -81,6 +81,7 @@ public:
 void bad_rule(std::istringstream& stream, const std::string& bad_option);
 void old_http_rule();
 bool is_old_http_rule();
+ void resolve_pcre_buffer_options();
 private:
 static std::size_t error_count;
diff --git a/tools/snort2lua/helpers/converter.cc b/tools/snort2lua/helpers/converter.cc
index cc4c0eee1..89b4a21a7 100644
--- a/tools/snort2lua/helpers/converter.cc
+++ b/tools/snort2lua/helpers/converter.cc
@@ -291,6 +291,8 @@ int Converter::parse_file(
 table_api.close_table();
 }
+ rule_api.resolve_pcre_buffer_options();
+
 if (commented_rule)
 rule_api.make_rule_a_comment();
diff --git a/tools/snort2lua/rule_states/rule_pcre.cc b/tools/snort2lua/rule_states/rule_pcre.cc
index 926e19d7e..0ff7c6c63 100644
--- a/tools/snort2lua/rule_states/rule_pcre.cc
+++ b/tools/snort2lua/rule_states/rule_pcre.cc
@@ -93,8 +93,8 @@ bool Pcre::convert(std::istringstream& data_stream)
 {
 case 'B': sticky_buffer = "pkt_data"; break;
 case 'U': sticky_buffer = "http_uri"; break;
- case 'P': sticky_buffer = "http_client_body"; break;
- case 'H': sticky_buffer = "http_header"; break;
+ case 'P': sticky_buffer = "pcre_P_option_body"; break;
+ case 'H': sticky_buffer = "pcre_H_option_header"; break;
 case 'M': sticky_buffer = "http_method"; break;
 case 'C': sticky_buffer = "http_cookie"; break;
 case 'I': sticky_buffer = "http_raw_uri"; break;
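Review bot: The `'P'` and `'H'` cases now emit the internal names `pcre_P_option_body` and `pcre_H_option_header`, which are valid only because `Rule::resolve_pcre_buffer_options()` in dt_rule.cc replaces them later, and nothing in this hunk says so. A comment above the two cases would make the contract visible, e.g. `// placeholders: Rule::resolve_pcre_buffer_options() maps these to http_* or sip_* once the rule's service is known`. The same two string literals are repeated in dt_rule.cc, so a typo in either file would let a placeholder through into the converted rule unresolved; shared named constants would remove that risk. The switch and `Pcre::convert` continue outside the hunk.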