From: Jeff Lucovsky Date: Sun, 3 May 2020 13:00:04 +0000 (-0400) Subject: detect: byte_math support X-Git-Tag: suricata-6.0.0-beta1~207 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fb409664d20707dd866d436758136d6d94150f5e;p=thirdparty%2Fsuricata.git detect: byte_math support --- diff --git a/src/detect-byte-extract.c b/src/detect-byte-extract.c index cdcf7f24fa..ed65402321 100644 --- a/src/detect-byte-extract.c +++ b/src/detect-byte-extract.c @@ -536,7 +536,7 @@ static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, const c if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) { prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT, - DETECT_ISDATAAT, -1); + DETECT_BYTEMATH, DETECT_ISDATAAT, -1); if (prev_pm == NULL) { sm_list = DETECT_SM_LIST_PMATCH; } else { @@ -556,7 +556,7 @@ static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, const c prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT, - DETECT_ISDATAAT, -1); + DETECT_BYTEMATH, DETECT_ISDATAAT, -1); if (prev_pm == NULL) { sm_list = DETECT_SM_LIST_PMATCH; } else { @@ -2371,7 +2371,7 @@ static int DetectByteExtractTest43(void) } cd = (DetectContentData *)sm->ctx; if (strncmp((char *)cd->content, "three", cd->content_len) != 0 || - cd->flags != (DETECT_CONTENT_OFFSET_BE | + cd->flags != (DETECT_CONTENT_OFFSET_VAR | DETECT_CONTENT_OFFSET) || cd->offset != bed->local_id) { printf("three failed\n"); @@ -2479,7 +2479,7 @@ static int DetectByteExtractTest44(void) } cd = (DetectContentData *)sm->ctx; if (strncmp((char *)cd->content, "four", cd->content_len) != 0 || - cd->flags != (DETECT_CONTENT_OFFSET_BE | + cd->flags != (DETECT_CONTENT_OFFSET_VAR | DETECT_CONTENT_OFFSET) || cd->offset != bed1->local_id) { printf("four failed\n"); 
@@ -2494,7 +2494,7 @@ static int DetectByteExtractTest44(void) } cd = (DetectContentData *)sm->ctx; if (strncmp((char *)cd->content, "five", cd->content_len) != 0 || - cd->flags != (DETECT_CONTENT_OFFSET_BE | + cd->flags != (DETECT_CONTENT_OFFSET_VAR | DETECT_CONTENT_OFFSET) || cd->offset != bed2->local_id) { printf("five failed\n"); @@ -2592,7 +2592,7 @@ static int DetectByteExtractTest45(void) } cd = (DetectContentData *)sm->ctx; if (strncmp((char *)cd->content, "three", cd->content_len) != 0 || - cd->flags != (DETECT_CONTENT_DEPTH_BE | + cd->flags != (DETECT_CONTENT_DEPTH_VAR | DETECT_CONTENT_DEPTH) || cd->depth != bed->local_id || cd->offset != 0) { @@ -2701,7 +2701,7 @@ static int DetectByteExtractTest46(void) } cd = (DetectContentData *)sm->ctx; if (strncmp((char *)cd->content, "four", cd->content_len) != 0 || - cd->flags != (DETECT_CONTENT_DEPTH_BE | + cd->flags != (DETECT_CONTENT_DEPTH_VAR | DETECT_CONTENT_DEPTH) || cd->depth != bed1->local_id) { printf("four failed\n"); @@ -2716,7 +2716,7 @@ static int DetectByteExtractTest46(void) } cd = (DetectContentData *)sm->ctx; if (strncmp((char *)cd->content, "five", cd->content_len) != 0 || - cd->flags != (DETECT_CONTENT_DEPTH_BE | + cd->flags != (DETECT_CONTENT_DEPTH_VAR | DETECT_CONTENT_DEPTH) || cd->depth != bed2->local_id) { printf("five failed\n"); @@ -2814,7 +2814,7 @@ static int DetectByteExtractTest47(void) } cd = (DetectContentData *)sm->ctx; if (strncmp((char *)cd->content, "three", cd->content_len) != 0 || - cd->flags != (DETECT_CONTENT_DISTANCE_BE | + cd->flags != (DETECT_CONTENT_DISTANCE_VAR | DETECT_CONTENT_DISTANCE) || cd->distance != bed->local_id || cd->offset != 0 || 
@@ -2924,7 +2924,7 @@ static int DetectByteExtractTest48(void) } cd = (DetectContentData *)sm->ctx; if (strncmp((char *)cd->content, "four", cd->content_len) != 0 || - cd->flags != (DETECT_CONTENT_DISTANCE_BE | + cd->flags != (DETECT_CONTENT_DISTANCE_VAR | DETECT_CONTENT_DISTANCE | DETECT_CONTENT_DISTANCE_NEXT) || cd->distance != bed1->local_id || @@ -2942,7 +2942,7 @@ static int DetectByteExtractTest48(void) } cd = (DetectContentData *)sm->ctx; if (strncmp((char *)cd->content, "five", cd->content_len) != 0 || - cd->flags != (DETECT_CONTENT_DISTANCE_BE | + cd->flags != (DETECT_CONTENT_DISTANCE_VAR | DETECT_CONTENT_DISTANCE) || cd->distance != bed2->local_id || cd->depth != 0 || @@ -3042,7 +3042,7 @@ static int DetectByteExtractTest49(void) } cd = (DetectContentData *)sm->ctx; if (strncmp((char *)cd->content, "three", cd->content_len) != 0 || - cd->flags != (DETECT_CONTENT_WITHIN_BE | + cd->flags != (DETECT_CONTENT_WITHIN_VAR | DETECT_CONTENT_WITHIN) || cd->within != bed->local_id || cd->offset != 0 || @@ -3153,7 +3153,7 @@ static int DetectByteExtractTest50(void) } cd = (DetectContentData *)sm->ctx; if (strncmp((char *)cd->content, "four", cd->content_len) != 0 || - cd->flags != (DETECT_CONTENT_WITHIN_BE | + cd->flags != (DETECT_CONTENT_WITHIN_VAR | DETECT_CONTENT_WITHIN| DETECT_CONTENT_WITHIN_NEXT) || cd->within != bed1->local_id || @@ -3172,7 +3172,7 @@ static int DetectByteExtractTest50(void) } cd = (DetectContentData *)sm->ctx; if (strncmp((char *)cd->content, "five", cd->content_len) != 0 || - cd->flags != (DETECT_CONTENT_WITHIN_BE | + cd->flags != (DETECT_CONTENT_WITHIN_VAR | DETECT_CONTENT_WITHIN) || cd->within != bed2->local_id || cd->depth != 0 || @@ -3273,7 +3273,7 @@ static int DetectByteExtractTest51(void) goto end; } btd = (DetectBytetestData *)sm->ctx; - if (btd->flags != DETECT_BYTETEST_OFFSET_BE || + if (btd->flags != DETECT_BYTETEST_OFFSET_VAR || btd->value != 10 || btd->offset != 0) { printf("three failed\n"); 
@@ -3379,8 +3379,8 @@ static int DetectByteExtractTest52(void) goto end; } btd = (DetectBytetestData *)sm->ctx; - if (btd->flags != (DETECT_BYTETEST_OFFSET_BE | - DETECT_BYTETEST_VALUE_BE) || + if (btd->flags != (DETECT_BYTETEST_OFFSET_VAR | + DETECT_BYTETEST_VALUE_VAR) || btd->value != 0 || btd->offset != 1) { printf("three failed\n"); @@ -3394,7 +3394,7 @@ static int DetectByteExtractTest52(void) goto end; } btd = (DetectBytetestData *)sm->ctx; - if (btd->flags != DETECT_BYTETEST_OFFSET_BE || + if (btd->flags != DETECT_BYTETEST_OFFSET_VAR || btd->value != 10 || btd->offset != 1) { printf("four failed\n"); @@ -3492,7 +3492,7 @@ static int DetectByteExtractTest53(void) goto end; } bjd = (DetectBytejumpData *)sm->ctx; - if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE || + if (bjd->flags != DETECT_CONTENT_OFFSET_VAR || bjd->offset != 0) { printf("three failed\n"); result = 0; @@ -3597,7 +3597,7 @@ static int DetectByteExtractTest54(void) goto end; } bjd = (DetectBytejumpData *)sm->ctx; - if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE || + if (bjd->flags != DETECT_CONTENT_OFFSET_VAR || bjd->offset != 0) { printf("three failed\n"); result = 0; @@ -3610,7 +3610,7 @@ static int DetectByteExtractTest54(void) goto end; } bjd = (DetectBytejumpData *)sm->ctx; - if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE || + if (bjd->flags != DETECT_CONTENT_OFFSET_VAR || bjd->offset != 1) { printf("four failed\n"); result = 0; @@ -3720,8 +3720,8 @@ static int DetectByteExtractTest55(void) } cd = (DetectContentData *)sm->ctx; if (strncmp((char *)cd->content, "four", cd->content_len) != 0 || - cd->flags != (DETECT_CONTENT_DISTANCE_BE | - DETECT_CONTENT_WITHIN_BE | + cd->flags != (DETECT_CONTENT_DISTANCE_VAR | + DETECT_CONTENT_WITHIN_VAR | DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN) || cd->within != bed1->local_id || 
@@ -3867,8 +3867,8 @@ static int DetectByteExtractTest56(void) } cd = (DetectContentData *)sm->ctx; if (strncmp((char *)cd->content, "four", cd->content_len) != 0 || - cd->flags != (DETECT_CONTENT_DISTANCE_BE | - DETECT_CONTENT_WITHIN_BE | + cd->flags != (DETECT_CONTENT_DISTANCE_VAR | + DETECT_CONTENT_WITHIN_VAR | DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN) || cd->within != bed1->local_id || @@ -4032,8 +4032,8 @@ static int DetectByteExtractTest57(void) } cd = (DetectContentData *)sm->ctx; if (strncmp((char *)cd->content, "four", cd->content_len) != 0 || - cd->flags != (DETECT_CONTENT_DISTANCE_BE | - DETECT_CONTENT_WITHIN_BE | + cd->flags != (DETECT_CONTENT_DISTANCE_VAR | + DETECT_CONTENT_WITHIN_VAR | DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN) || cd->within != bed1->local_id || @@ -4144,7 +4144,7 @@ static int DetectByteExtractTest58(void) goto end; } bjd = (DetectBytejumpData *)sm->ctx; - if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE || + if (bjd->flags != DETECT_CONTENT_OFFSET_VAR || bjd->offset != 0) { printf("three failed\n"); result = 0; @@ -4157,7 +4157,7 @@ static int DetectByteExtractTest58(void) goto end; } bjd = (DetectBytejumpData *)sm->ctx; - if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE || + if (bjd->flags != DETECT_CONTENT_OFFSET_VAR || bjd->offset != 1) { printf("four failed\n"); result = 0; @@ -4170,7 +4170,7 @@ static int DetectByteExtractTest58(void) goto end; } isdd = (DetectIsdataatData *)sm->ctx; - if (isdd->flags != ISDATAAT_OFFSET_BE || + if (isdd->flags != ISDATAAT_OFFSET_VAR || isdd->dataat != 1) { printf("isdataat failed\n"); result = 0; @@ -4277,7 +4277,7 @@ static int DetectByteExtractTest59(void) goto end; } bjd = (DetectBytejumpData *)sm->ctx; - if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE || + if (bjd->flags != DETECT_CONTENT_OFFSET_VAR || bjd->offset != 0) { printf("three failed\n"); result = 0; 
@@ -4290,7 +4290,7 @@ static int DetectByteExtractTest59(void) goto end; } bjd = (DetectBytejumpData *)sm->ctx; - if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE || + if (bjd->flags != DETECT_CONTENT_OFFSET_VAR || bjd->offset != 1) { printf("four failed\n"); result = 0; @@ -4303,7 +4303,7 @@ static int DetectByteExtractTest59(void) goto end; } isdd = (DetectIsdataatData *)sm->ctx; - if (isdd->flags != (ISDATAAT_OFFSET_BE | + if (isdd->flags != (ISDATAAT_OFFSET_VAR | ISDATAAT_RELATIVE) || isdd->dataat != 1) { printf("isdataat failed\n"); @@ -4404,7 +4404,7 @@ static int DetectByteExtractTest60(void) goto end; } isdd = (DetectIsdataatData *)sm->ctx; - if (isdd->flags != (ISDATAAT_OFFSET_BE) || + if (isdd->flags != (ISDATAAT_OFFSET_VAR) || isdd->dataat != bed1->local_id) { printf("isdataat failed\n"); result = 0; @@ -4590,7 +4590,7 @@ static int DetectByteExtractTest61(void) goto end; } isdd = (DetectIsdataatData *)sm->ctx; - if (isdd->flags != (ISDATAAT_OFFSET_BE | + if (isdd->flags != (ISDATAAT_OFFSET_VAR | ISDATAAT_RELATIVE) || isdd->dataat != bed1->local_id) { printf("isdataat failed\n"); diff --git a/src/detect-bytejump.c b/src/detect-bytejump.c index 08fbf0626a..bc98223945 100644 --- a/src/detect-bytejump.c +++ b/src/detect-bytejump.c @@ -31,8 +31,9 @@ #include "detect-engine.h" #include "app-layer.h" -#include "detect-bytejump.h" +#include "detect-byte.h" #include "detect-byte-extract.h" +#include "detect-bytejump.h" #include "detect-content.h" #include "detect-uricontent.h" @@ -539,7 +540,7 @@ static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, const char prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT, - DETECT_ISDATAAT, -1); + DETECT_ISDATAAT, DETECT_BYTEMATH, -1); if (prev_pm == NULL) { sm_list = DETECT_SM_LIST_PMATCH; } else { 
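Review bot: The include hunk in detect-bytejump.c moves the file's own header, `detect-bytejump.h`, behind the new `detect-byte.h` include, which suggests detect-bytejump.h now depends on a name declared there (its contents are not in this diff, so this is inferred). A header that needs `DetectByteIndexType` or anything else from detect-byte.h should `#include "detect-byte.h"` itself so it stays self-contained and can keep being included first. If the reordering was only cosmetic, restoring `#include "detect-bytejump.h"` to the first position keeps the convention the rest of the file follows.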
@@ -558,7 +559,7 @@ static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, const char prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT, - DETECT_ISDATAAT, -1); + DETECT_ISDATAAT, DETECT_BYTEMATH, -1); if (prev_pm == NULL) { sm_list = DETECT_SM_LIST_PMATCH; } else { @@ -587,14 +588,14 @@ static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, const char } if (offset != NULL) { - SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s); - if (bed_sm == NULL) { + DetectByteIndexType index; + if (!DetectByteRetrieveSMVar(offset, s, &index)) { SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " "seen in byte_jump - %s", offset); goto error; } - data->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - data->flags |= DETECT_BYTEJUMP_OFFSET_BE; + data->offset = index; + data->flags |= DETECT_CONTENT_OFFSET_VAR; SCFree(offset); offset = NULL; } diff --git a/src/detect-bytetest.c b/src/detect-bytetest.c index feb7f9b086..446f122bb3 100644 --- a/src/detect-bytetest.c +++ b/src/detect-bytetest.c @@ -33,6 +33,7 @@ #include "detect-content.h" #include "detect-uricontent.h" +#include "detect-byte.h" #include "detect-bytetest.h" #include "detect-bytejump.h" #include "detect-byte-extract.h" @@ -241,7 +242,7 @@ int DetectBytetestDoMatch(DetectEngineThreadCtx *det_ctx, /* A successful match depends on negation */ if ((!neg && match) || (neg && !match)) { - SCLogDebug("MATCH"); + SCLogDebug("MATCH [bt] extracted value is %"PRIu64, val); SCReturnInt(1); } @@ -543,7 +544,7 @@ static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, const char prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT, - DETECT_ISDATAAT, -1); + DETECT_ISDATAAT, DETECT_BYTEMATH, -1); if (prev_pm == NULL) { sm_list = DETECT_SM_LIST_PMATCH; } else { 
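Review bot: `data->flags |= DETECT_CONTENT_OFFSET_VAR;` stores a content-keyword bit (BIT_U32(11) per the detect-content.h hunk) in DetectBytejumpData's flags, which the inspection hunk later copies into a `uint16_t bjflags`; nothing in detect-bytejump.h reserves that bit, so a future DETECT_BYTEJUMP_* flag could alias it silently. Prefer a keyword-local name, e.g. `#define DETECT_BYTEJUMP_OFFSET_VAR` in detect-bytejump.h replacing the removed _BE flag, and use it here, in the inspection code and in the tests. The error text `"Unknown byte_extract var seen in byte_jump - %s"` also looks stale now that DetectByteRetrieveSMVar presumably resolves byte_math variables as well (its body is not in this diff); the depth/offset hunks already reworded theirs. DetectBytejumpSetup continues outside this hunk.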
@@ -562,7 +563,7 @@ static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, const char prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT, - DETECT_ISDATAAT, -1); + DETECT_ISDATAAT, DETECT_BYTEMATH, -1); if (prev_pm == NULL) { sm_list = DETECT_SM_LIST_PMATCH; } else { @@ -589,27 +590,27 @@ static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, const char } if (value != NULL) { - SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(value, s); - if (bed_sm == NULL) { + DetectByteIndexType index; + if (!DetectByteRetrieveSMVar(value, s, &index)) { SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " "seen in byte_test - %s\n", value); goto error; } - data->value = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - data->flags |= DETECT_BYTETEST_VALUE_BE; + data->value = index; + data->flags |= DETECT_BYTETEST_VALUE_VAR; SCFree(value); value = NULL; } if (offset != NULL) { - SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s); - if (bed_sm == NULL) { + DetectByteIndexType index; + if (!DetectByteRetrieveSMVar(offset, s, &index)) { SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " "seen in byte_test - %s\n", offset); goto error; } - data->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - data->flags |= DETECT_BYTETEST_OFFSET_BE; + data->offset = index; + data->flags |= DETECT_BYTETEST_OFFSET_VAR; SCFree(offset); offset = NULL; } diff --git a/src/detect-bytetest.h b/src/detect-bytetest.h index 0ab024913b..1f6489d4e7 100644 --- a/src/detect-bytetest.h +++ b/src/detect-bytetest.h 
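Review bot: Both failure messages in this hunk still say `"Unknown byte_extract var seen in byte_test - %s\n"` while the lookup has been switched to DetectByteRetrieveSMVar, which the depth/distance/offset/within hunks describe as resolving any `byte_` keyword variable; a rule author who misspells a byte_math variable would be pointed at the wrong keyword. Suggest `"Unknown byte_extract/byte_math var seen in byte_test - %s"` for both sites, which also drops the trailing newline the other keywords do not pass to SCLogError. DetectBytetestSetup continues outside this hunk.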
@@ -46,8 +46,8 @@ #define DETECT_BYTETEST_RELATIVE BIT_U8(3) /**< "relative" offset */ #define DETECT_BYTETEST_DCE BIT_U8(4) /**< dce enabled */ #define DETECT_BYTETEST_BITMASK BIT_U8(5) /**< bitmask supplied*/ -#define DETECT_BYTETEST_VALUE_BE BIT_U8(6) /**< byte extract value enabled */ -#define DETECT_BYTETEST_OFFSET_BE BIT_U8(7) /**< byte extract value enabled */ +#define DETECT_BYTETEST_VALUE_VAR BIT_U8(6) /**< byte extract value enabled */ +#define DETECT_BYTETEST_OFFSET_VAR BIT_U8(7) /**< byte extract value enabled */ typedef struct DetectBytetestData_ { uint8_t nbytes; /**< Number of bytes to compare */ diff --git a/src/detect-content.h b/src/detect-content.h index 30ac0f65e8..a4ad39d407 100644 --- a/src/detect-content.h +++ b/src/detect-content.h @@ -42,10 +42,10 @@ #define DETECT_CONTENT_ENDS_WITH BIT_U32(10) /* BE - byte extract */ -#define DETECT_CONTENT_OFFSET_BE BIT_U32(11) -#define DETECT_CONTENT_DEPTH_BE BIT_U32(12) -#define DETECT_CONTENT_DISTANCE_BE BIT_U32(13) -#define DETECT_CONTENT_WITHIN_BE BIT_U32(14) +#define DETECT_CONTENT_OFFSET_VAR BIT_U32(11) +#define DETECT_CONTENT_DEPTH_VAR BIT_U32(12) +#define DETECT_CONTENT_DISTANCE_VAR BIT_U32(13) +#define DETECT_CONTENT_WITHIN_VAR BIT_U32(14) /* replace data */ #define DETECT_CONTENT_REPLACE BIT_U32(15) diff --git a/src/detect-depth.c b/src/detect-depth.c index 9f30d31c5f..106d96c515 100644 --- a/src/detect-depth.c +++ b/src/detect-depth.c @@ -32,6 +32,7 @@ #include "detect-parse.h" #include "detect-content.h" #include "detect-uricontent.h" +#include "detect-byte.h" #include "detect-byte-extract.h" #include "detect-depth.h" 
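Review bot: The renamed flags in detect-bytetest.h keep the copy-pasted doc comment `/**< byte extract value enabled */` on both lines, so the offset flag is documented as a value flag and neither mentions byte_math, which is the reason for the rename. Suggest `/**< value is a byte_extract/byte_math variable index */` for DETECT_BYTETEST_VALUE_VAR and `/**< offset is a byte_extract/byte_math variable index */` for DETECT_BYTETEST_OFFSET_VAR.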
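Review bot: In detect-content.h the group comment `/* BE - byte extract */` is left above the four flags that were just renamed from `_BE` to `_VAR`, so the comment no longer explains the suffix a reader sees. Suggest `/* VAR - the field holds the index of a byte_extract/byte_math variable, not a literal */`, which also records that `cd->offset`/`cd->depth`/`cd->distance`/`cd->within` change meaning when the flag is set (the inspection hunk reads them as `byte_values[...]` indices).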
@@ -105,14 +106,14 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, const char * goto end; } if (str[0] != '-' && isalpha((unsigned char)str[0])) { - SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var " + DetectByteIndexType index; + if (!DetectByteRetrieveSMVar(str, s, &index)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_ keyword var " "seen in depth - %s.", str); goto end; } - cd->depth = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_DEPTH_BE; + cd->depth = index; + cd->flags |= DETECT_CONTENT_DEPTH_VAR; } else { if (StringParseUint16(&cd->depth, 0, 0, str) < 0) { diff --git a/src/detect-distance.c b/src/detect-distance.c index c1334b4b96..456ec7ee4d 100644 --- a/src/detect-distance.c +++ b/src/detect-distance.c @@ -36,6 +36,7 @@ #include "detect-content.h" #include "detect-uricontent.h" #include "detect-pcre.h" +#include "detect-byte.h" #include "detect-byte-extract.h" #include "detect-distance.h" @@ -104,14 +105,14 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, goto end; } if (str[0] != '-' && isalpha((unsigned char)str[0])) { - SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var " + DetectByteIndexType index; + if (!DetectByteRetrieveSMVar(str, s, &index)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_ keyword var " "seen in distance - %s\n", str); goto end; } - cd->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_DISTANCE_BE; + cd->distance = index; + cd->flags |= DETECT_CONTENT_DISTANCE_VAR; } else { if (StringParseInt32(&cd->distance, 0, 0, str) < 0) { SCLogError(SC_ERR_INVALID_SIGNATURE, diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c index 754dcb0a69..309efb37a4 100644 
--- a/src/detect-engine-content-inspection.c +++ b/src/detect-engine-content-inspection.c @@ -35,6 +35,7 @@ #include "detect-pcre.h" #include "detect-isdataat.h" #include "detect-bytetest.h" +#include "detect-bytemath.h" #include "detect-bytejump.h" #include "detect-byte-extract.h" #include "detect-replace.h" @@ -159,8 +160,8 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx int distance = cd->distance; if (cd->flags & DETECT_CONTENT_DISTANCE) { - if (cd->flags & DETECT_CONTENT_DISTANCE_BE) { - distance = det_ctx->bj_values[cd->distance]; + if (cd->flags & DETECT_CONTENT_DISTANCE_VAR) { + distance = det_ctx->byte_values[cd->distance]; } if (distance < 0 && (uint32_t)(abs(distance)) > offset) offset = 0; @@ -172,9 +173,9 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx } if (cd->flags & DETECT_CONTENT_WITHIN) { - if (cd->flags & DETECT_CONTENT_WITHIN_BE) { - if ((int32_t)depth > (int32_t)(prev_buffer_offset + det_ctx->bj_values[cd->within] + distance)) { - depth = prev_buffer_offset + det_ctx->bj_values[cd->within] + distance; + if (cd->flags & DETECT_CONTENT_WITHIN_VAR) { + if ((int32_t)depth > (int32_t)(prev_buffer_offset + det_ctx->byte_values[cd->within] + distance)) { + depth = prev_buffer_offset + det_ctx->byte_values[cd->within] + distance; } } else { if ((int32_t)depth > (int32_t)(prev_buffer_offset + cd->within + distance)) { @@ -196,9 +197,9 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx } } - if (cd->flags & DETECT_CONTENT_DEPTH_BE) { - if ((det_ctx->bj_values[cd->depth] + prev_buffer_offset) < depth) { - depth = prev_buffer_offset + det_ctx->bj_values[cd->depth]; + if (cd->flags & DETECT_CONTENT_DEPTH_VAR) { + if ((det_ctx->byte_values[cd->depth] + prev_buffer_offset) < depth) { + depth = prev_buffer_offset + det_ctx->byte_values[cd->depth]; } } else { if (cd->depth != 0) { 
@@ -210,9 +211,9 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx } } - if (cd->flags & DETECT_CONTENT_OFFSET_BE) { - if (det_ctx->bj_values[cd->offset] > offset) - offset = det_ctx->bj_values[cd->offset]; + if (cd->flags & DETECT_CONTENT_OFFSET_VAR) { + if (det_ctx->byte_values[cd->offset] > offset) + offset = det_ctx->byte_values[cd->offset]; } else { if (cd->offset > offset) { offset = cd->offset; @@ -221,8 +222,8 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx } } else { /* implied no relative matches */ /* set depth */ - if (cd->flags & DETECT_CONTENT_DEPTH_BE) { - depth = det_ctx->bj_values[cd->depth]; + if (cd->flags & DETECT_CONTENT_DEPTH_VAR) { + depth = det_ctx->byte_values[cd->depth]; } else { if (cd->depth != 0) { depth = cd->depth; @@ -240,8 +241,8 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx } /* set offset */ - if (cd->flags & DETECT_CONTENT_OFFSET_BE) - offset = det_ctx->bj_values[cd->offset]; + if (cd->flags & DETECT_CONTENT_OFFSET_VAR) + offset = det_ctx->byte_values[cd->offset]; else offset = cd->offset; prev_buffer_offset = 0; @@ -250,7 +251,7 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx /* If the value came from a variable, make sure to adjust the depth so it's relative * to the offset value. */ - if (cd->flags & (DETECT_CONTENT_DISTANCE_BE|DETECT_CONTENT_OFFSET_BE|DETECT_CONTENT_DEPTH_BE)) { + if (cd->flags & (DETECT_CONTENT_DISTANCE_VAR|DETECT_CONTENT_OFFSET_VAR|DETECT_CONTENT_DEPTH_VAR)) { depth += offset; } 
@@ -375,8 +376,8 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx const DetectIsdataatData *id = (DetectIsdataatData *)smd->ctx; uint32_t dataat = id->dataat; - if (id->flags & ISDATAAT_OFFSET_BE) { - uint64_t be_value = det_ctx->bj_values[dataat]; + if (id->flags & ISDATAAT_OFFSET_VAR) { + uint64_t be_value = det_ctx->byte_values[dataat]; if (be_value >= 100000000) { if ((id->flags & ISDATAAT_NEGATED) == 0) { SCLogDebug("extracted value %"PRIu64" very big: no match", be_value); @@ -461,11 +462,11 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx uint8_t btflags = btd->flags; int32_t offset = btd->offset; uint64_t value = btd->value; - if (btflags & DETECT_BYTETEST_OFFSET_BE) { - offset = det_ctx->bj_values[offset]; + if (btflags & DETECT_BYTETEST_OFFSET_VAR) { + offset = det_ctx->byte_values[offset]; } - if (btflags & DETECT_BYTETEST_VALUE_BE) { - value = det_ctx->bj_values[value]; + if (btflags & DETECT_BYTETEST_VALUE_VAR) { + value = det_ctx->byte_values[value]; } /* if we have dce enabled we will have to use the endianness @@ -489,8 +490,8 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx uint16_t bjflags = bjd->flags; int32_t offset = bjd->offset; - if (bjflags & DETECT_BYTEJUMP_OFFSET_BE) { - offset = det_ctx->bj_values[offset]; + if (bjflags & DETECT_CONTENT_OFFSET_VAR) { + offset = det_ctx->byte_values[offset]; } /* if we have dce enabled we will have to use the endianness 
@@ -528,11 +529,49 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx if (DetectByteExtractDoMatch(det_ctx, smd, s, buffer, buffer_len, - &det_ctx->bj_values[bed->local_id], + &det_ctx->byte_values[bed->local_id], endian) != 1) { goto no_match; } + SCLogDebug("[BE] Fetched value for index %d: %"PRIu64, + bed->local_id, det_ctx->byte_values[bed->local_id]); + goto match; + + } else if (smd->type == DETECT_BYTEMATH) { + + DetectByteMathData *bmd = (DetectByteMathData *)smd->ctx; + uint8_t endian = bmd->endian; + + /* if we have dce enabled we will have to use the endianness + * specified by the dce header */ + if ((bmd->flags & DETECT_BYTEMATH_FLAG_ENDIAN) && + endian == DETECT_BYTEMATH_ENDIAN_DCE && + flags & (DETECT_CI_FLAGS_DCE_LE|DETECT_CI_FLAGS_DCE_BE)) { + + /* enable the endianness flag temporarily. once we are done + * processing we reset the flags to the original value*/ + endian |= ((flags & DETECT_CI_FLAGS_DCE_LE) ? + DETECT_BYTEMATH_ENDIAN_LITTLE : DETECT_BYTEMATH_ENDIAN_BIG); + } + uint64_t rvalue; + if (bmd->flags & DETECT_BYTEMATH_RVALUE_VAR) { + rvalue = det_ctx->byte_values[bmd->local_id]; + } else { + rvalue = bmd->rvalue; + } + + + if (DetectByteMathDoMatch(det_ctx, smd, s, buffer, + buffer_len, + rvalue, + &det_ctx->byte_values[bmd->local_id], + endian) != 1) { + goto no_match; + } + + SCLogDebug("[BM] Fetched value for index %d: %"PRIu64, + bmd->local_id, det_ctx->byte_values[bmd->local_id]); goto match; } else if (smd->type == DETECT_BSIZE) { diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index 6619d35f3f..21a45d8c23 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c 
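Review bot: In the new DETECT_BYTEMATH branch a variable rvalue is read from `det_ctx->byte_values[bmd->local_id]`, which is the same slot that DetectByteMathDoMatch is then asked to write the result into (`&det_ctx->byte_values[bmd->local_id]`), so the rvalue appears to be taken from this keyword's own previous result rather than from the referenced variable. The byte_test branch in the same diff stores the referenced variable's index in the value field and reads `byte_values[value]`; if DetectByteMathData follows that layout the read should be `rvalue = det_ctx->byte_values[bmd->rvalue];` — the struct is not in this diff, so please confirm which field carries the index. On a freshly created thread context that slot has not been written at all, since the buffer is obtained with SCMalloc in the detect-engine.c hunk, so the first evaluation would use an undefined value. DetectEngineContentInspection starts and ends outside this hunk.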
@@ -745,7 +745,7 @@ static void PopulateMpmHelperAddPattern(MpmCtx *mpm_ctx, /* We have to effectively "wild card" values that will be coming from * byte_extract variables */ - if (cd->flags & (DETECT_CONTENT_DEPTH_BE | DETECT_CONTENT_OFFSET_BE)) { + if (cd->flags & (DETECT_CONTENT_DEPTH_VAR | DETECT_CONTENT_OFFSET_VAR)) { pat_depth = pat_offset = 0; } diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c index 8f754d90d9..c5aba011ad 100644 --- a/src/detect-engine-register.c +++ b/src/detect-engine-register.c @@ -89,6 +89,7 @@ #include "detect-nocase.h" #include "detect-rawbytes.h" #include "detect-bytetest.h" +#include "detect-bytemath.h" #include "detect-bytejump.h" #include "detect-sameip.h" #include "detect-l3proto.h" @@ -481,6 +482,7 @@ void SigTableSetup(void) DetectRawbytesRegister(); DetectBytetestRegister(); DetectBytejumpRegister(); + DetectBytemathRegister(); DetectSameipRegister(); DetectGeoipRegister(); DetectL3ProtoRegister(); diff --git a/src/detect-engine.c b/src/detect-engine.c index a5f0d9225b..cc767c8f08 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -2724,9 +2724,9 @@ static TmEcode ThreadCtxDoInit (DetectEngineCtx *de_ctx, DetectEngineThreadCtx * } /* byte_extract storage */ - det_ctx->bj_values = SCMalloc(sizeof(*det_ctx->bj_values) * + det_ctx->byte_values = SCMalloc(sizeof(*det_ctx->byte_values) * (de_ctx->byte_extract_max_local_id + 1)); - if (det_ctx->bj_values == NULL) { + if (det_ctx->byte_values == NULL) { return TM_ECODE_FAILED; } @@ -2954,8 +2954,8 @@ static void DetectEngineThreadCtxFree(DetectEngineThreadCtx *det_ctx) RuleMatchCandidateTxArrayFree(det_ctx); - if (det_ctx->bj_values != NULL) - SCFree(det_ctx->bj_values); + if (det_ctx->byte_values != NULL) + SCFree(det_ctx->byte_values); /* Decoded base64 data. */ if (det_ctx->base64_decoded != NULL) { diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index 093588d355..c75ae91354 100644 --- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c 
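Review bot: The thread-context buffer `byte_values` is now also written by byte_math (the content-inspection hunk stores into `byte_values[bmd->local_id]`), yet it is still sized by `de_ctx->byte_extract_max_local_id + 1` under the comment `/* byte_extract storage */`. If byte_math ids are not drawn from the same counter this is an out-of-bounds write; please confirm, and in either case update the comment to `/* byte_extract / byte_math result storage, indexed by local_id */`. Since SCMalloc leaves the slots undefined, a zero-initialising allocation here would also make any read of a not-yet-computed variable deterministic rather than garbage. ThreadCtxDoInit continues outside this hunk.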
@@ -44,8 +44,7 @@ #include "util-debug.h" #include "util-byte.h" #include "detect-pcre.h" -#include "detect-bytejump.h" -#include "detect-byte-extract.h" +#include "detect-byte.h" /** * \brief Regex for parsing our isdataat options @@ -227,7 +226,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, const char *isda prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT, - DETECT_ISDATAAT, -1); + DETECT_ISDATAAT, DETECT_BYTEMATH, -1); if (prev_pm == NULL) sm_list = DETECT_SM_LIST_PMATCH; else { @@ -240,14 +239,14 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, const char *isda } if (offset != NULL) { - SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s); - if (bed_sm == NULL) { + DetectByteIndexType index; + if (!DetectByteRetrieveSMVar(offset, s, &index)) { SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " "seen in isdataat - %s\n", offset); goto end; } - idad->dataat = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - idad->flags |= ISDATAAT_OFFSET_BE; + idad->dataat = index; + idad->flags |= ISDATAAT_OFFSET_VAR; SCLogDebug("isdataat uses byte_extract with local id %u", idad->dataat); SCFree(offset); offset = NULL; diff --git a/src/detect-isdataat.h b/src/detect-isdataat.h index f264f36d9e..5764d0730a 100644 --- a/src/detect-isdataat.h +++ b/src/detect-isdataat.h @@ -24,10 +24,10 @@ #ifndef __DETECT_ISDATAAT_H__ #define __DETECT_ISDATAAT_H__ -#define ISDATAAT_RELATIVE 0x01 -#define ISDATAAT_RAWBYTES 0x02 -#define ISDATAAT_NEGATED 0x04 -#define ISDATAAT_OFFSET_BE 0x08 +#define ISDATAAT_RELATIVE 0x01 +#define ISDATAAT_RAWBYTES 0x02 +#define ISDATAAT_NEGATED 0x04 +#define ISDATAAT_OFFSET_VAR 0x08 #define ISDATAAT_MIN 0 #define ISDATAAT_MAX 65535 diff --git a/src/detect-offset.c b/src/detect-offset.c index b26c5c2108..acf0913d56 100644 --- a/src/detect-offset.c +++ b/src/detect-offset.c 
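Review bot: The isdataat setup hunk keeps `"Unknown byte_extract var seen in isdataat - %s\n"` and the debug line `"isdataat uses byte_extract with local id %u"`, although the lookup now goes through DetectByteRetrieveSMVar and the flag was renamed to ISDATAAT_OFFSET_VAR precisely so that byte_math variables are covered too. Suggest `"Unknown byte_extract/byte_math var seen in isdataat - %s"` (also dropping the trailing newline) and `"isdataat offset uses byte variable with local id %u"`. DetectIsdataatSetup continues outside this hunk.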
@@ -32,6 +32,7 @@ #include "detect-parse.h" #include "detect-content.h" #include "detect-uricontent.h" +#include "detect-byte.h" #include "detect-byte-extract.h" #include "detect-offset.h" @@ -96,15 +97,14 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, const char *offset goto end; } if (str[0] != '-' && isalpha((unsigned char)str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var " + DetectByteIndexType index; + if (!DetectByteRetrieveSMVar(str, s, &index)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_ keyword var " "seen in offset - %s.", str); goto end; } - cd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_OFFSET_BE; + cd->offset = index; + cd->flags |= DETECT_CONTENT_OFFSET_VAR; } else { if (StringParseUint16(&cd->offset, 0, 0, str) < 0) { diff --git a/src/detect-within.c b/src/detect-within.c index 05adf06d52..b45db2a7c5 100644 --- a/src/detect-within.c +++ b/src/detect-within.c @@ -33,8 +33,7 @@ #include "detect-parse.h" #include "detect-content.h" #include "detect-uricontent.h" -#include "detect-bytejump.h" -#include "detect-byte-extract.h" +#include "detect-byte.h" #include "app-layer.h" #include "flow-var.h" 
@@ -104,14 +103,14 @@ static int DetectWithinSetup(DetectEngineCtx *de_ctx, Signature *s, const char * goto end; } if (str[0] != '-' && isalpha((unsigned char)str[0])) { - SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var " + DetectByteIndexType index; + if (!DetectByteRetrieveSMVar(str, s, &index)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_ keyword var " "seen in within - %s\n", str); goto end; } - cd->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_WITHIN_BE; + cd->within = index; + cd->flags |= DETECT_CONTENT_WITHIN_VAR; } else { if (StringParseInt32(&cd->within, 0, 0, str) < 0) { SCLogError(SC_ERR_INVALID_SIGNATURE, diff --git a/src/detect.h b/src/detect.h index 2138b6ed21..eab188d9dd 100644 --- a/src/detect.h +++ b/src/detect.h @@ -1116,8 +1116,8 @@ typedef struct DetectEngineThreadCtx_ { /** ip only rules ctx */ DetectEngineIPOnlyThreadCtx io_ctx; - /* byte jump values */ - uint64_t *bj_values; + /* byte_* values */ + uint64_t *byte_values; /* string to replace */ DetectReplaceList *replist;