From: Victor Julien
Date: Thu, 22 Dec 2016 22:56:48 +0000 (+0100)
Subject: detect: remove DMATCH list
X-Git-Tag: suricata-4.0.0-beta1~340
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fe415ae5185e4a985a1c70cf937a949ac4baf9fb;p=thirdparty%2Fsuricata.git
detect: remove DMATCH list
---
diff --git a/src/detect-bytejump.c b/src/detect-bytejump.c
index 246f1faab7..e09e3f7b7c 100644
--- a/src/detect-bytejump.c
+++ b/src/detect-bytejump.c
@@ -640,6 +640,7 @@ static void DetectBytejumpFree(void *ptr)
 #ifdef UNITTESTS
 #include "util-unittest-helper.h"
 static int g_file_data_buffer_id = 0;
+static int g_dce_stub_data_buffer_id = 0;
 /**
 * \test DetectBytejumpTestParse01 is a test to make sure that we return
@@ -832,7 +833,7 @@ static int DetectBytejumpTestParse09(void)
 result &= (DetectBytejumpSetup(NULL, s, "4,0, string, oct, dce") == -1);
 result &= (DetectBytejumpSetup(NULL, s, "4,0, string, hex, dce") == -1);
 result &= (DetectBytejumpSetup(NULL, s, "4,0, from_beginning, dce") == -1);
- result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
+ result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
 SigFree(s);
 return result;
@@ -865,12 +866,12 @@ static int DetectBytejumpTestParse10(void)
 goto end;
 }
 s = de_ctx->sig_list;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_BYTEJUMP);
- bd = (DetectBytejumpData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+ result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTEJUMP);
+ bd = (DetectBytejumpData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
 if (!(bd->flags & DETECT_BYTEJUMP_DCE) &&
 !(bd->flags & DETECT_BYTEJUMP_RELATIVE) &&
 (bd->flags & DETECT_BYTEJUMP_STRING) &&
@@ -892,12 +893,12 @@ static int DetectBytejumpTestParse10(void)
 goto end;
 }
 s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_BYTEJUMP);
- bd = (DetectBytejumpData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+ result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTEJUMP);
+ bd = (DetectBytejumpData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
 if (!(bd->flags & DETECT_BYTEJUMP_DCE) &&
 !(bd->flags & DETECT_BYTEJUMP_RELATIVE) &&
 (bd->flags & DETECT_BYTEJUMP_STRING) &&
@@ -919,12 +920,12 @@ static int DetectBytejumpTestParse10(void)
 goto end;
 }
 s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_BYTEJUMP);
- bd = (DetectBytejumpData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+ result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTEJUMP);
+ bd = (DetectBytejumpData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
 if ((bd->flags & DETECT_BYTEJUMP_DCE) &&
 !(bd->flags & DETECT_BYTEJUMP_RELATIVE) &&
 (bd->flags & DETECT_BYTEJUMP_STRING) &&
@@ -1290,6 +1291,7 @@ static void DetectBytejumpRegisterTests(void)
 {
 #ifdef UNITTESTS
 g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
+ g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
 UtRegisterTest("DetectBytejumpTestParse01", DetectBytejumpTestParse01);
 UtRegisterTest("DetectBytejumpTestParse02", DetectBytejumpTestParse02);
diff --git a/src/detect-bytetest.c b/src/detect-bytetest.c
index c51483dd8e..49e58ad7d2 100644
--- a/src/detect-bytetest.c
+++ b/src/detect-bytetest.c
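Review bot: The `g_dce_stub_data_buffer_id` lookup added to `DetectBytejumpRegisterTests` is stored without checking it, so if `DetectBufferTypeGetByName("dce_stub_data")` does not find the buffer (it is registered by `DetectDceStubDataRegister`, so this depends on keyword registration running before test registration) the tests above index `s->sm_lists[]` with whatever failure value that function returns. The same unchecked pattern is added in detect-bytetest.c, detect-content.c and detect-engine-dcepayload.c. A guard right after the lookup, e.g. `BUG_ON(g_dce_stub_data_buffer_id < 0);` if a negative value is the failure code, would turn a wrong registration order into an immediate, visible failure instead of an out-of-bounds index. The test functions edited in the other hunks on this line start outside their hunks.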
@@ -578,6 +578,7 @@ static void DetectBytetestFree(void *ptr)
 #ifdef UNITTESTS
 #include "util-unittest-helper.h"
 static int g_file_data_buffer_id = 0;
+static int g_dce_stub_data_buffer_id = 0;
 /**
 * \test DetectBytetestTestParse01 is a test to make sure that we return "something"
@@ -1020,12 +1021,12 @@ static int DetectBytetestTestParse20(void)
 goto end;
 }
 s = de_ctx->sig_list;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_BYTETEST);
- bd = (DetectBytetestData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+ result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTETEST);
+ bd = (DetectBytetestData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
 if (!(bd->flags & DETECT_BYTETEST_DCE) &&
 !(bd->flags & DETECT_BYTETEST_RELATIVE) &&
 (bd->flags & DETECT_BYTETEST_STRING) &&
@@ -1047,12 +1048,12 @@ static int DetectBytetestTestParse20(void)
 goto end;
 }
 s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_BYTETEST);
- bd = (DetectBytetestData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+ result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTETEST);
+ bd = (DetectBytetestData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
 if (!(bd->flags & DETECT_BYTETEST_DCE) &&
 !(bd->flags & DETECT_BYTETEST_RELATIVE) &&
 (bd->flags & DETECT_BYTETEST_STRING) &&
@@ -1074,12 +1075,12 @@ static int DetectBytetestTestParse20(void)
 goto end;
 }
 s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_BYTETEST);
- bd = (DetectBytetestData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+ result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTETEST);
+ bd = (DetectBytetestData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
 if ((bd->flags & DETECT_BYTETEST_DCE) &&
 !(bd->flags & DETECT_BYTETEST_RELATIVE) &&
 (bd->flags & DETECT_BYTETEST_STRING) &&
@@ -1436,6 +1437,7 @@ static void DetectBytetestRegisterTests(void)
 {
 #ifdef UNITTESTS
 g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
+ g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
 UtRegisterTest("DetectBytetestTestParse01", DetectBytetestTestParse01);
 UtRegisterTest("DetectBytetestTestParse02", DetectBytetestTestParse02);
diff --git a/src/detect-content.c b/src/detect-content.c
index 9c77013875..42fb944738 100644
--- a/src/detect-content.c
+++ b/src/detect-content.c
@@ -425,6 +425,7 @@ void DetectContentFree(void *ptr)
 #ifdef UNITTESTS /* UNITTESTS */
 static int g_file_data_buffer_id = 0;
+static int g_dce_stub_data_buffer_id = 0;
 /**
 * \test DetectCotentParseTest01 this is a test to make sure we can deal with escaped colons
@@ -1133,7 +1134,7 @@ static int DetectContentParseTest18(void)
 s->alproto = ALPROTO_DCERPC;
 result &= (DetectContentSetup(de_ctx, s, "\"one\"") == 0);
- result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
+ result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
 SigFree(s);
@@ -1142,7 +1143,7 @@ static int DetectContentParseTest18(void)
 return 0;
 result &= (DetectContentSetup(de_ctx, s, "\"one\"") == 0);
- result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
+ result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
 end:
 SigFree(s);
@@ -1178,13 +1179,13 @@ static int DetectContentParseTest19(void)
 goto end;
 }
 s = de_ctx->sig_list;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
+ result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
 result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
- data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+ data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
 if (data->flags & DETECT_CONTENT_RAWBYTES ||
 data->flags & DETECT_CONTENT_NOCASE ||
 data->flags & DETECT_CONTENT_WITHIN ||
@@ -1207,13 +1208,13 @@ static int DetectContentParseTest19(void)
 goto end;
 }
 s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
+ result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
 result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
- data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+ data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
 if (data->flags & DETECT_CONTENT_RAWBYTES ||
 data->flags & DETECT_CONTENT_NOCASE ||
 !(data->flags & DETECT_CONTENT_WITHIN) ||
@@ -1238,13 +1239,13 @@ static int DetectContentParseTest19(void)
 goto end;
 }
 s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
+ result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
 result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
- data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+ data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
 if (data->flags & DETECT_CONTENT_RAWBYTES ||
 data->flags & DETECT_CONTENT_NOCASE ||
 data->flags & DETECT_CONTENT_WITHIN ||
@@ -1256,7 +1257,7 @@ static int DetectContentParseTest19(void)
 goto end;
 }
 result &= (data->offset == 5 && data->depth == 9);
- data = (DetectContentData *)s->sm_lists[DETECT_SM_LIST_DMATCH]->ctx;
+ data = (DetectContentData *)s->sm_lists[g_dce_stub_data_buffer_id]->ctx;
 if (data->flags & DETECT_CONTENT_RAWBYTES ||
 data->flags & DETECT_CONTENT_NOCASE ||
 !(data->flags & DETECT_CONTENT_WITHIN) ||
@@ -1279,13 +1280,13 @@ static int DetectContentParseTest19(void)
 goto end;
 }
 s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
+ result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
 result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
- data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+ data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
 if (data->flags & DETECT_CONTENT_RAWBYTES ||
 data->flags & DETECT_CONTENT_NOCASE ||
 data->flags & DETECT_CONTENT_WITHIN ||
@@ -1309,13 +1310,13 @@ static int DetectContentParseTest19(void)
 goto end;
 }
 s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
+ result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
 result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
- data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+ data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
 if (data->flags & DETECT_CONTENT_RAWBYTES ||
 data->flags & DETECT_CONTENT_NOCASE ||
 !(data->flags & DETECT_CONTENT_WITHIN) ||
@@ -1339,13 +1340,13 @@ static int DetectContentParseTest19(void)
 goto end;
 }
 s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
+ result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
 result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
- data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+ data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
 if (data->flags & DETECT_CONTENT_RAWBYTES ||
 data->flags & DETECT_CONTENT_NOCASE ||
 data->flags & DETECT_CONTENT_WITHIN ||
@@ -1369,13 +1370,13 @@ static int DetectContentParseTest19(void)
 goto end;
 }
 s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
+ result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
 result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
- data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+ data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
 if (data->flags & DETECT_CONTENT_RAWBYTES ||
 data->flags & DETECT_CONTENT_NOCASE ||
 data->flags & DETECT_CONTENT_WITHIN ||
@@ -1399,13 +1400,13 @@ static int DetectContentParseTest19(void)
 goto end;
 }
 s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
+ result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
 result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
- data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+ data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
 if (data->flags & DETECT_CONTENT_RAWBYTES ||
 data->flags & DETECT_CONTENT_NOCASE ||
 data->flags & DETECT_CONTENT_WITHIN ||
@@ -1427,7 +1428,7 @@ static int DetectContentParseTest19(void)
 goto end;
 }
 s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] != NULL) {
+ if (s->sm_lists_tail[g_dce_stub_data_buffer_id] != NULL) {
 result = 0;
 goto end;
 }
@@ -2849,6 +2850,7 @@ static void DetectContentRegisterTests(void)
 {
 #ifdef UNITTESTS /* UNITTESTS */
 g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
+ g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
 UtRegisterTest("DetectContentParseTest01", DetectContentParseTest01);
 UtRegisterTest("DetectContentParseTest02", DetectContentParseTest02);
diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c
index bc4831ebb3..fa9788fd2a 100644
--- a/src/detect-dce-stub-data.c
+++ b/src/detect-dce-stub-data.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2010 Open Information Security Foundation
+/* Copyright (C) 2007-2016 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -19,6 +19,7 @@
 * \file
 *
 * \author Anoop Saldanha
+ * \author Anoop Saldanha
 *
 * Implements dce_stub_data keyword
 */
@@ -31,6 +32,8 @@
 #include "detect-engine.h"
 #include "detect-engine-mpm.h"
 #include "detect-engine-state.h"
+#include "detect-engine-prefilter.h"
+#include "detect-engine-content-inspection.h"
 #include "flow.h"
 #include "flow-var.h"
@@ -40,7 +43,9 @@
 #include "app-layer-dcerpc.h"
 #include "queue.h"
 #include "stream-tcp-reassemble.h"
+
 #include "detect-dce-stub-data.h"
+#include "detect-dce-iface.h"
 #include "util-debug.h"
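Review bot: The `\author Anoop Saldanha` line added in the file-header hunk of detect-dce-stub-data.c duplicates the line immediately above it, so the header now credits the same author twice. If a second author was intended the name on the added line should be corrected; otherwise the added line should be dropped. The copyright-year bump and the new includes in the neighbouring hunks raise nothing.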
@@ -49,9 +54,140 @@
 #include "stream-tcp.h"
+#define BUFFER_NAME "dce_stub_data"
+#define KEYWORD_NAME "dce_stub_data"
+
 static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, char *);
 static void DetectDceStubDataRegisterTests(void);
+static int g_dce_stub_data_buffer_id = 0;
+
+/** \brief DCERPC Stub Data Mpm prefilter callback
+ *
+ * \param det_ctx detection engine thread ctx
+ * \param p packet to inspect
+ * \param f flow to inspect
+ * \param txv tx to inspect
+ * \param pectx inspection context
+ */
+static void PrefilterTxDceStubDataRequest(DetectEngineThreadCtx *det_ctx,
+ const void *pectx,
+ Packet *p, Flow *f, void *txv,
+ const uint64_t idx, const uint8_t flags)
+{
+ SCEnter();
+
+ const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
+ DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
+ if (dcerpc_state == NULL)
+ return;
+
+ uint32_t buffer_len = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len;
+ const uint8_t *buffer = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer;
+
+ if (buffer_len >= mpm_ctx->minlen) {
+ (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
+ &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
+ }
+}
+
+static int PrefilterTxDceStubDataRequestRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
+{
+ SCEnter();
+
+ int r = PrefilterAppendTxEngine(sgh, PrefilterTxDceStubDataRequest,
+ ALPROTO_DCERPC, 0,
+ mpm_ctx, NULL, KEYWORD_NAME " (request)");
+ if (r == 0) {
+ r = PrefilterAppendTxEngine(sgh, PrefilterTxDceStubDataRequest,
+ ALPROTO_SMB, 0,
+ mpm_ctx, NULL, KEYWORD_NAME " (request)");
+ }
+ return r;
+}
+
+/** \brief DCERPC Stub Data Mpm prefilter callback
+ *
+ * \param det_ctx detection engine thread ctx
+ * \param p packet to inspect
+ * \param f flow to inspect
+ * \param txv tx to inspect
+ * \param pectx inspection context
+ */
+static void PrefilterTxDceStubDataResponse(DetectEngineThreadCtx *det_ctx,
+ const void *pectx,
+ Packet *p, Flow *f, void *txv,
+ const uint64_t idx, const uint8_t flags)
+{
+ SCEnter();
+
+ const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
+ DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
+ if (dcerpc_state == NULL)
+ return;
+
+ uint32_t buffer_len = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer_len;
+ const uint8_t *buffer = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer;
+
+ if (buffer_len >= mpm_ctx->minlen) {
+ (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
+ &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
+ }
+}
+
+static int PrefilterTxDceStubDataResponseRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
+{
+ SCEnter();
+
+ int r = PrefilterAppendTxEngine(sgh, PrefilterTxDceStubDataResponse,
+ ALPROTO_DCERPC, 0,
+ mpm_ctx, NULL, KEYWORD_NAME " (response)");
+ if (r == 0) {
+ r = PrefilterAppendTxEngine(sgh, PrefilterTxDceStubDataResponse,
+ ALPROTO_SMB, 0,
+ mpm_ctx, NULL, KEYWORD_NAME " (response)");
+ }
+ return r;
+}
+
+static int InspectEngineDceStubData(ThreadVars *tv,
+ DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
+ const Signature *s, const SigMatchData *smd,
+ Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
+{
+ uint32_t buffer_len = 0;
+ uint8_t *buffer = NULL;
+
+ DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
+ if (dcerpc_state == NULL)
+ goto end;
+
+ if (flags & STREAM_TOSERVER) {
+ buffer_len = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len;
+ buffer = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer;
+ } else if (flags & STREAM_TOCLIENT) {
+ buffer_len = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer_len;
+ buffer = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer;
+ }
+
+ if (buffer == NULL ||buffer_len == 0)
+ goto end;
+
+ det_ctx->buffer_offset = 0;
+ det_ctx->discontinue_matching = 0;
+ det_ctx->inspection_recursion_counter = 0;
+ int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
+ f,
+ buffer, buffer_len,
+ 0,
+ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE,
+ dcerpc_state);
+ if (r == 1)
+ return DETECT_ENGINE_INSPECT_SIG_MATCH;
+
+end:
+ return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+}
 /**
 * \brief Registers the keyword handlers for the "dce_stub_data" keyword.
 */
@@ -66,7 +202,26 @@ void DetectDceStubDataRegister(void)
 sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_NOOPT;
 sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_PAYLOAD;
- return;
+ DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
+ PrefilterTxDceStubDataRequestRegister);
+ DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
+ PrefilterTxDceStubDataResponseRegister);
+
+ DetectAppLayerInspectEngineRegister(BUFFER_NAME,
+ ALPROTO_DCERPC, SIG_FLAG_TOSERVER,
+ InspectEngineDceStubData);
+ DetectAppLayerInspectEngineRegister(BUFFER_NAME,
+ ALPROTO_DCERPC, SIG_FLAG_TOCLIENT,
+ InspectEngineDceStubData);
+
+ DetectAppLayerInspectEngineRegister(BUFFER_NAME,
+ ALPROTO_SMB, SIG_FLAG_TOSERVER,
+ InspectEngineDceStubData);
+ DetectAppLayerInspectEngineRegister(BUFFER_NAME,
+ ALPROTO_SMB, SIG_FLAG_TOCLIENT,
+ InspectEngineDceStubData);
+
+ g_dce_stub_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
 }
 /**
@@ -89,7 +244,7 @@ static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
 goto error;
 }
- s->init_data->list = DETECT_SM_LIST_DMATCH;
+ s->init_data->list = g_dce_stub_data_buffer_id;
 s->alproto = ALPROTO_DCERPC;
 s->flags |= SIG_FLAG_APPLAYER;
 return 0;
@@ -110,7 +265,7 @@ static int DetectDceStubDataTestParse01(void)
 Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (dce_stub_data; content:\"1\"; sid:1;)");
 FAIL_IF_NULL(s);
- FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_DMATCH]);
+ FAIL_IF_NULL(s->sm_lists[g_dce_stub_data_buffer_id]);
 DetectEngineCtxFree(de_ctx);
 PASS;
 }
diff --git a/src/detect-engine-dcepayload.c b/src/detect-engine-dcepayload.c
index cfb60a54fc..0ed15ec5f6 100644
--- a/src/detect-engine-dcepayload.c
+++ b/src/detect-engine-dcepayload.c
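Review bot: `DetectDceStubDataRegister` stores the result of `DetectBufferTypeGetByName(BUFFER_NAME)` in `g_dce_stub_data_buffer_id` without checking it, and `DetectDceStubDataSetup` then writes that value straight into `s->init_data->list`, so if the lookup can fail its failure value silently becomes the sigmatch list index for every `dce_stub_data` rule; a fatal check right after the lookup, e.g. `BUG_ON(g_dce_stub_data_buffer_id < 0);` if a negative value is the failure code, would surface that at startup. In `InspectEngineDceStubData` the `alstate` and `tx` parameters are unused and the state is re-read through `DetectDceGetState(f->alproto, f->alstate)`, as in both prefilter callbacks — presumably equivalent, but a comment such as `/* state is taken from the flow; alstate/tx are not used for this keyword */` would save the next reader the question. In the prefilters `(MpmCtx *)pectx` casts away the `const` of `pectx` only to assign to a `const MpmCtx *`; `(const MpmCtx *)pectx` is what is meant. Two smaller points: `if (buffer == NULL ||buffer_len == 0)` is missing a space, and the two `\brief` blocks are identical copies that document `p` and `txv` but not `idx` or `flags`, so the response one should at least say "response".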
@@ -49,6 +49,9 @@
 #include "detect-dce-iface.h"
+static int g_dce_stub_data_buffer_id = 0;
+
+#if 0
 /**
 * \brief Do the content inspection & validation for a signature against dce stub.
 *
@@ -73,7 +76,7 @@ int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
 uint16_t dce_stub_data_len;
 int r = 0;
- if (s->sm_arrays[DETECT_SM_LIST_DMATCH] == NULL || dcerpc_state == NULL) {
+ if (s->sm_arrays[g_dce_stub_data_buffer_id] == NULL || dcerpc_state == NULL) {
 SCReturnInt(0);
 }
@@ -87,13 +90,13 @@ int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
 det_ctx->discontinue_matching = 0;
 det_ctx->inspection_recursion_counter = 0;
- r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_arrays[DETECT_SM_LIST_DMATCH],
+ r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_arrays[g_dce_stub_data_buffer_id],
 f, dce_stub_data, dce_stub_data_len, 0, 0, dcerpc_state);
- //r = DoInspectDcePayload(de_ctx, det_ctx, s, s->init_data->smlists[DETECT_SM_LIST_DMATCH], f,
+ //r = DoInspectDcePayload(de_ctx, det_ctx, s, s->init_data->smlists[g_dce_stub_data_buffer_id], f,
 //dce_stub_data, dce_stub_data_len, dcerpc_state);
 if (r == 1) {
 SCReturnInt(1);
@@ -110,13 +113,13 @@ int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
 det_ctx->discontinue_matching = 0;
 det_ctx->inspection_recursion_counter = 0;
- r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_arrays[DETECT_SM_LIST_DMATCH],
+ r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_arrays[g_dce_stub_data_buffer_id],
 f, dce_stub_data, dce_stub_data_len, 0, 0, dcerpc_state);
- //r = DoInspectDcePayload(de_ctx, det_ctx, s, s->init_data->smlists[DETECT_SM_LIST_DMATCH], f,
+ //r = DoInspectDcePayload(de_ctx, det_ctx, s, s->init_data->smlists[g_dce_stub_data_buffer_id], f,
 //dce_stub_data, dce_stub_data_len, dcerpc_state);
 if (r == 1) {
 SCReturnInt(1);
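Review bot: `DetectEngineInspectDcePayload` is kept under `#if 0` (closed by the `#endif` added in the next hunk) and its prototype is commented out in detect-engine-dcepayload.h rather than removed, yet its body is still rewritten to use `g_dce_stub_data_buffer_id` in the two hunks that follow — code that is never compiled but keeps being edited is the worst of both choices, and the old `DetectEngineContentInspection` call inside it no longer mirrors the new `InspectEngineDceStubData` in detect-dce-stub-data.c. Delete the function and the header prototype and let the history keep them. If the block has to stay for reference, put a comment above `#if 0` such as `/* superseded by InspectEngineDceStubData in detect-dce-stub-data.c; kept only for reference */`. The enclosing function starts before the second hunk and ends after the last one here.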
@@ -125,6 +128,7 @@ int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx,
 SCReturnInt(0);
 }
+#endif
 /**************************************Unittests*******************************/
@@ -7500,7 +7504,7 @@ static int DcePayloadParseTest25(void)
 goto end;
 }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] != NULL) {
+ if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
 result = 0;
 goto end;
 }
@@ -7623,7 +7627,7 @@ static int DcePayloadParseTest26(void)
 goto end;
 }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] != NULL) {
+ if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
 result = 0;
 goto end;
 }
@@ -7749,7 +7753,7 @@ static int DcePayloadParseTest27(void)
 goto end;
 }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
@@ -7758,7 +7762,7 @@ static int DcePayloadParseTest27(void)
 goto end;
 }
- sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+ sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
 if (sm->type != DETECT_CONTENT) {
 result = 0;
 goto end;
@@ -7876,7 +7880,7 @@ static int DcePayloadParseTest28(void)
 goto end;
 }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
@@ -7885,7 +7889,7 @@ static int DcePayloadParseTest28(void)
 goto end;
 }
- sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+ sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
 if (sm->type != DETECT_CONTENT) {
 result = 0;
 goto end;
@@ -8005,7 +8009,7 @@ static int DcePayloadParseTest29(void)
 goto end;
 }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] != NULL) {
+ if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
 result = 0;
 goto end;
 }
@@ -8147,7 +8151,7 @@ static int DcePayloadParseTest30(void)
 goto end;
 }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] != NULL) {
+ if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
 result = 0;
 goto end;
 }
@@ -8294,7 +8298,7 @@ static int DcePayloadParseTest31(void)
 goto end;
 }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
@@ -8303,7 +8307,7 @@ static int DcePayloadParseTest31(void)
 goto end;
 }
- sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+ sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
 if (sm->type != DETECT_BYTEJUMP) {
 result = 0;
 goto end;
@@ -8441,7 +8445,7 @@ static int DcePayloadParseTest32(void)
 goto end;
 }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
@@ -8450,7 +8454,7 @@ static int DcePayloadParseTest32(void)
 goto end;
 }
- sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+ sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
 if (sm->type != DETECT_BYTEJUMP) {
 result = 0;
 goto end;
@@ -8588,7 +8592,7 @@ static int DcePayloadParseTest33(void)
 goto end;
 }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
@@ -8597,7 +8601,7 @@ static int DcePayloadParseTest33(void)
 goto end;
 }
- sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+ sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
 if (sm->type != DETECT_PCRE) {
 result = 0;
 goto end;
@@ -8731,7 +8735,7 @@ static int DcePayloadParseTest34(void)
 goto end;
 }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
@@ -8740,7 +8744,7 @@ static int DcePayloadParseTest34(void)
 goto end;
 }
- sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+ sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
 if (sm->type != DETECT_PCRE) {
 result = 0;
 goto end;
@@ -8852,7 +8856,7 @@ static int DcePayloadParseTest35(void)
 goto end;
 }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
@@ -8861,7 +8865,7 @@ static int DcePayloadParseTest35(void)
 goto end;
 }
- sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+ sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
 if (sm->type != DETECT_BYTETEST) {
 result = 0;
 goto end;
@@ -8940,7 +8944,7 @@ static int DcePayloadParseTest36(void)
 goto end;
 }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
@@ -8949,7 +8953,7 @@ static int DcePayloadParseTest36(void)
 goto end;
 }
- sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+ sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
 if (sm->type != DETECT_ISDATAAT) {
 result = 0;
 goto end;
@@ -9045,7 +9049,7 @@ static int DcePayloadParseTest37(void)
 goto end;
 }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
@@ -9054,7 +9058,7 @@ static int DcePayloadParseTest37(void)
 goto end;
 }
- sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+ sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
 if (sm->type != DETECT_BYTEJUMP) {
 result = 0;
 goto end;
@@ -9154,7 +9158,7 @@ static int DcePayloadParseTest38(void)
 goto end;
 }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
@@ -9163,7 +9167,7 @@ static int DcePayloadParseTest38(void)
 goto end;
 }
- sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+ sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
 if (sm->type != DETECT_PCRE) {
 result = 0;
 goto end;
@@ -9270,7 +9274,7 @@ static int DcePayloadParseTest39(void)
 goto end;
 }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
@@ -9301,7 +9305,7 @@ static int DcePayloadParseTest39(void)
 result &= (sm->next == NULL);
- sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+ sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
 data = (DetectContentData *)sm->ctx;
 if (data->flags & DETECT_CONTENT_RAWBYTES ||
 data->flags & DETECT_CONTENT_NOCASE ||
@@ -9359,7 +9363,7 @@ static int DcePayloadParseTest40(void)
 goto end;
 }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
@@ -9368,7 +9372,7 @@ static int DcePayloadParseTest40(void)
 goto end;
 }
- sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+ sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
 if (sm->type != DETECT_CONTENT) {
 result = 0;
 goto end;
@@ -9489,7 +9493,7 @@ static int DcePayloadParseTest41(void)
 goto end;
 }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
@@ -9498,7 +9502,7 @@ static int DcePayloadParseTest41(void)
 goto end;
 }
- sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+ sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
 if (sm->type != DETECT_CONTENT) {
 result = 0;
 goto end;
@@ -9818,11 +9822,11 @@ static int DcePayloadParseTest44(void)
 "sid:1;)");
 FAIL_IF_NULL(s);
- FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH]);
+ FAIL_IF_NULL(s->init_data->smlists_tail[g_dce_stub_data_buffer_id]);
 FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
 /* isdataat:10,relative; */
- sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+ sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
 FAIL_IF(sm->type != DETECT_ISDATAAT);
 isd = (DetectIsdataatData *)sm->ctx;
 FAIL_IF(isd->flags & ISDATAAT_RAWBYTES);
@@ -9913,7 +9917,7 @@ static int DcePayloadParseTest45(void)
 goto end;
 }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
@@ -9922,7 +9926,7 @@ static int DcePayloadParseTest45(void)
 goto end;
 }
- sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+ sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
 if (sm->type != DETECT_BYTEJUMP) {
 result = 0;
 goto end;
@@ -10025,7 +10029,7 @@ static int DcePayloadParseTest46(void)
 goto end;
 }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+ if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
 result = 0;
 goto end;
 }
@@ -10034,7 +10038,7 @@ static int DcePayloadParseTest46(void)
 goto end;
 }
- sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
+ sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
 if (sm->type != DETECT_BYTETEST) {
 result = 0;
 goto end;
@@ -10108,6 +10112,7 @@ static int DcePayloadParseTest46(void)
 void DcePayloadRegisterTests(void)
 {
+ g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
 #ifdef UNITTESTS
 UtRegisterTest("DcePayloadTest01", DcePayloadTest01);
diff --git a/src/detect-engine-dcepayload.h b/src/detect-engine-dcepayload.h
index da7dfb9299..d67a3cffe0 100644
--- a/src/detect-engine-dcepayload.h
+++ b/src/detect-engine-dcepayload.h
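Review bot: In `DcePayloadRegisterTests` the new `g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");` line sits above `#ifdef UNITTESTS`, unlike the equivalent additions in detect-bytejump.c, detect-bytetest.c and detect-content.c, which are placed inside the guard; non-unittest builds therefore perform a buffer-name lookup whose result nothing reads, since the only readers in this file are the tests. Move the line below `#ifdef UNITTESTS` so the four files agree. As with the other three lookups, the returned id is not validated before the tests above use it as an index into `s->init_data->smlists[]`. The test functions in the earlier hunks on this line start outside their hunks.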
@@ -24,8 +24,8 @@
 #ifndef __DETECT_ENGINE_DCEPAYLOAD_H__
 #define __DETECT_ENGINE_DCEPAYLOAD_H__
-int DetectEngineInspectDcePayload(DetectEngineCtx *, DetectEngineThreadCtx *,
-                                  const Signature *, Flow *, uint8_t, void *);
+//int DetectEngineInspectDcePayload(DetectEngineCtx *, DetectEngineThreadCtx *,
+//                                  const Signature *, Flow *, uint8_t, void *);
 void DcePayloadRegisterTests(void);
diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c
index c499a08fe9..8a860e982f 100644
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@@ -303,12 +303,6 @@ int DeStateFlowHasInspectableState(Flow *f, AppProto alproto,
     return r;
 }
-static int StoreState(Flow *f, const uint8_t flags, const uint8_t alversion)
-{
-    DeStateStoreStateVersion(f, alversion, flags);
-    return 1;
-}
-
 static void StoreStateTxHandleFiles(DetectEngineThreadCtx *det_ctx, Flow *f,
                                    DetectEngineState *destate, const uint8_t flags,
                                    const uint64_t tx_id, const uint16_t file_no_match)
@@ -383,7 +377,6 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
     uint16_t file_no_match = 0;
     uint32_t inspect_flags = 0;
     int alert_cnt = 0;
-    int dmatch = 0;
     SCLogDebug("rule %u", s->id);
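Review bot: The prototype for DetectEngineInspectDcePayload is commented out instead of deleted, which leaves dead text in a public header. If the definition in detect-engine-dcepayload.c is gone as well, both `//` lines should simply be removed; if the definition is kept, it now has no visible prototype, so it should either be made `static` or keep the real declaration. A commented-out declaration is the one option that documents nothing.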
@@ -517,51 +510,6 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
                 break;
             } /* for */
         }
-    /* DCERPC matches */
-    if (s->sm_arrays[DETECT_SM_LIST_DMATCH] != NULL &&
-        (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB ||
-         alproto == ALPROTO_SMB2))
-    {
-        void *alstate = FlowGetAppState(f);
-        if (alstate == NULL) {
-            goto end;
-        }
-
-        KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_DMATCH);
-        if (DetectEngineInspectDcePayload(de_ctx, det_ctx, s, f,
-                                          flags, alstate) == 1) {
-            inspect_flags |= DE_STATE_FLAG_DCE_PAYLOAD_INSPECT;
-            dmatch = 1;
-        }
-    }
-
-    /* if AMATCH and/or DMATCH are in use, see if we need to
-     * alert and store the state */
-    if (s->sm_arrays[DETECT_SM_LIST_DMATCH] != NULL)
-    {
-        /* if dmatch in use and match - or - sig can't match
-         */
-        if (inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH) {
-            inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;
-        } else {
-            if (dmatch || s->sm_arrays[DETECT_SM_LIST_DMATCH] == NULL)
-            {
-                if (!(s->flags & SIG_FLAG_NOALERT)) {
-                    PacketAlertAppend(det_ctx, s, p, 0,
-                            PACKET_ALERT_FLAG_STATE_MATCH);
-                } else {
-                    DetectSignatureApplyActions(p, s);
-                }
-                alert_cnt = 1;
-
-                inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;
-            }
-        }
-
-        StoreState(f, flags, alversion);
-    }
 end:
     det_ctx->tx_id = 0;
     det_ctx->tx_id_set = 0;
diff --git a/src/detect-engine-state.h b/src/detect-engine-state.h
index 9215739841..d1b789da72 100644
--- a/src/detect-engine-state.h
+++ b/src/detect-engine-state.h
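Review bot: The only `goto end;` visible in this hunk is inside the removed DCERPC block, yet the `end:` label is kept; if no earlier `goto end` remains in DeStateDetectStartDetection the compiler will warn about an unused label, so either drop the label or confirm a remaining reference. The same check applies to the `alversion` parameter: the removed `StoreState(f, flags, alversion);` was the call that recorded the state version through DeStateStoreStateVersion, so if the TX loop above the hunk does not store the version itself, DCERPC/SMB rules no longer update the per-flow state version, which would be a behaviour change rather than a pure removal. DeStateDetectStartDetection starts outside the hunk, so both points need the full function to settle.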
@@ -53,12 +53,11 @@
 #define DE_STATE_FLAG_FULL_INSPECT BIT_U32(0)
 #define DE_STATE_FLAG_SIG_CANT_MATCH BIT_U32(1)
-#define DE_STATE_FLAG_DCE_PAYLOAD_INSPECT BIT_U32(2)
-#define DE_STATE_FLAG_FILE_TC_INSPECT BIT_U32(3)
-#define DE_STATE_FLAG_FILE_TS_INSPECT BIT_U32(4)
+#define DE_STATE_FLAG_FILE_TC_INSPECT BIT_U32(2)
+#define DE_STATE_FLAG_FILE_TS_INSPECT BIT_U32(3)
 /* first bit position after the built-ins */
-#define DE_STATE_FLAG_BASE 5UL
+#define DE_STATE_FLAG_BASE 4UL
 /* state flags */
 #define DETECT_ENGINE_STATE_FLAG_FILE_STORE_DISABLED 0x0001
diff --git a/src/detect-engine.c b/src/detect-engine.c
index b8ed696058..594e301319 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -2906,8 +2906,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
         case DETECT_SM_LIST_PMATCH:
             return "packet/stream payload";
-        case DETECT_SM_LIST_DMATCH:
-            return "dcerpc";
         case DETECT_SM_LIST_TMATCH:
             return "tag";
diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c
index 5a018a5891..6eb098141d 100644
--- a/src/detect-isdataat.c
+++ b/src/detect-isdataat.c
@@ -290,6 +290,7 @@ void DetectIsdataatFree(void *ptr)
 #ifdef UNITTESTS
+static int g_dce_stub_data_buffer_id = 0;
 /**
  * \test DetectIsdataatTestParse01 is a test to make sure that we return a correct IsdataatData structure
@@ -353,14 +354,14 @@ int DetectIsdataatTestParse04(void)
     s->alproto = ALPROTO_DCERPC;
     result &= (DetectIsdataatSetup(NULL, s, "30") == 0);
-    result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
+    result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
     SigFree(s);
     s = SigAlloc();
     s->alproto = ALPROTO_DCERPC;
     /* failure since we have no preceding content/pcre/bytejump */
     result &= (DetectIsdataatSetup(NULL, s, "30,relative") == 0);
-    result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
+    result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
     SigFree(s);
@@ -393,12 +394,12 @@ int DetectIsdataatTestParse05(void)
         goto end;
     }
     s = de_ctx->sig_list;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_ISDATAAT);
-    data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_ISDATAAT);
+    data = (DetectIsdataatData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if ( !(data->flags & ISDATAAT_RELATIVE) ||
          (data->flags & ISDATAAT_RAWBYTES) ) {
         result = 0;
@@ -416,12 +417,12 @@ int DetectIsdataatTestParse05(void)
         goto end;
     }
     s = s->next;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_ISDATAAT);
-    data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_ISDATAAT);
+    data = (DetectIsdataatData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if ( !(data->flags & ISDATAAT_RELATIVE) ||
          (data->flags & ISDATAAT_RAWBYTES) ) {
         result = 0;
@@ -439,12 +440,12 @@ int DetectIsdataatTestParse05(void)
         goto end;
     }
     s = s->next;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
         result = 0;
         goto end;
     }
-    result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_ISDATAAT);
-    data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_ISDATAAT);
+    data = (DetectIsdataatData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     if ( !(data->flags & ISDATAAT_RELATIVE) ||
          !(data->flags & ISDATAAT_RAWBYTES) ) {
         result = 0;
@@ -459,7 +460,7 @@ int DetectIsdataatTestParse05(void)
         goto end;
     }
     s = s->next;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] != NULL) {
+    if (s->sm_lists_tail[g_dce_stub_data_buffer_id] != NULL) {
         result = 0;
         goto end;
     }
@@ -628,6 +629,8 @@ end:
 void DetectIsdataatRegisterTests(void)
 {
 #ifdef UNITTESTS
+    g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
+
     UtRegisterTest("DetectIsdataatTestParse01", DetectIsdataatTestParse01);
     UtRegisterTest("DetectIsdataatTestParse02", DetectIsdataatTestParse02);
     UtRegisterTest("DetectIsdataatTestParse03", DetectIsdataatTestParse03);
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 7bce331188..6385500f17 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -141,7 +141,6 @@ const char *DetectListToHumanString(int list)
     switch (list) {
         CASE_CODE_STRING(DETECT_SM_LIST_MATCH, "packet");
         CASE_CODE_STRING(DETECT_SM_LIST_PMATCH, "payload");
-        CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
         CASE_CODE_STRING(DETECT_SM_LIST_TMATCH, "tag");
         CASE_CODE_STRING(DETECT_SM_LIST_POSTMATCH, "postmatch");
         CASE_CODE_STRING(DETECT_SM_LIST_SUPPRESS, "suppress");
@@ -158,7 +157,6 @@ const char *DetectListToString(int list)
     switch (list) {
         CASE_CODE(DETECT_SM_LIST_MATCH);
         CASE_CODE(DETECT_SM_LIST_PMATCH);
-        CASE_CODE(DETECT_SM_LIST_DMATCH);
         CASE_CODE(DETECT_SM_LIST_TMATCH);
         CASE_CODE(DETECT_SM_LIST_POSTMATCH);
         CASE_CODE(DETECT_SM_LIST_SUPPRESS);
@@ -1598,11 +1596,6 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr,
         }
     }
-    if (sig->init_data->smlists[DETECT_SM_LIST_DMATCH])
-        sig->flags |= SIG_FLAG_STATE_MATCH;
-    /* for other lists this flag is set when the inspect engines
-     * are registered */
-
     if (!(sig->init_data->init_flags & SIG_FLAG_INIT_FLOW)) {
         sig->flags |= SIG_FLAG_TOSERVER;
         sig->flags |= SIG_FLAG_TOCLIENT;
diff --git a/src/detect-pcre.c b/src/detect-pcre.c
index e531d6a2cb..d4e3bbe8a0 100644
--- a/src/detect-pcre.c
+++ b/src/detect-pcre.c
@@ -770,6 +770,7 @@ void DetectPcreFree(void *ptr)
 #ifdef UNITTESTS /* UNITTESTS */
 static int g_file_data_buffer_id = 0;
 static int g_http_header_buffer_id = 0;
+static int g_dce_stub_data_buffer_id = 0;
 /**
  * \test DetectPcreParseTest01 make sure we don't allow invalid opts 7.
@@ -960,7 +961,7 @@ int DetectPcreParseTest10(void)
     s->alproto = ALPROTO_DCERPC;
     FAIL_IF_NOT(DetectPcreSetup(de_ctx, s, "/bamboo/") == 0);
-    FAIL_IF_NOT(s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
+    FAIL_IF_NOT(s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
     SigFree(s);
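Review bot: Removing the `sig->flags |= SIG_FLAG_STATE_MATCH;` assignment for DMATCH rules in SigInitHelper makes dce_stub_data rules depend entirely on the inspect-engine registration path to receive that flag, which the deleted comment said is how "other lists" get it. If a dce_stub_data rule ends up without SIG_FLAG_STATE_MATCH it would silently stop being inspected as a stateful rule — a detection gap rather than a crash, so nothing would flag it at runtime. A unit test asserting `FAIL_IF_NOT(s->flags & SIG_FLAG_STATE_MATCH);` on a parsed dce_stub_data rule would pin the new path down; the existing DcePayloadParseTest* cases only check list membership. SigInitHelper starts outside the hunk.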
@@ -969,7 +970,7 @@ int DetectPcreParseTest10(void)
     /* failure since we have no preceding content/pcre/bytejump */
     FAIL_IF_NOT(DetectPcreSetup(de_ctx, s, "/bamboo/") == 0);
-    FAIL_IF_NOT(s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
+    FAIL_IF_NOT(s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
     SigFree(s);
     DetectEngineCtxFree(de_ctx);
@@ -997,9 +998,9 @@ int DetectPcreParseTest11(void)
                                    "pcre:/bamboo/R; sid:1;)");
     FAIL_IF(de_ctx == NULL);
     s = de_ctx->sig_list;
-    FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL);
-    FAIL_IF_NOT(s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE);
-    data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL);
+    FAIL_IF_NOT(s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_PCRE);
+    data = (DetectPcreData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     FAIL_IF(data->flags & DETECT_PCRE_RAWBYTES ||
             !(data->flags & DETECT_PCRE_RELATIVE));
@@ -1010,9 +1011,9 @@ int DetectPcreParseTest11(void)
                                    "pcre:/bamboo/R; sid:1;)");
     FAIL_IF_NULL(s->next);
     s = s->next;
-    FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL);
-    FAIL_IF_NOT(s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE);
-    data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL);
+    FAIL_IF_NOT(s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_PCRE);
+    data = (DetectPcreData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     FAIL_IF(data->flags & DETECT_PCRE_RAWBYTES ||
             !(data->flags & DETECT_PCRE_RELATIVE));
@@ -1023,9 +1024,9 @@ int DetectPcreParseTest11(void)
                                    "pcre:/bamboo/RB; sid:1;)");
     FAIL_IF(s->next == NULL);
     s = s->next;
-    FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL);
-    FAIL_IF_NOT(s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE);
-    data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
+    FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL);
+    FAIL_IF_NOT(s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_PCRE);
+    data = (DetectPcreData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
     FAIL_IF(!(data->flags & DETECT_PCRE_RAWBYTES) ||
             !(data->flags & DETECT_PCRE_RELATIVE));
@@ -1034,7 +1035,7 @@ int DetectPcreParseTest11(void)
                                    "content:\"one\"; pcre:/bamboo/; sid:1;)");
     FAIL_IF(s->next == NULL);
     s = s->next;
-    FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_DMATCH] != NULL);
+    FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] != NULL);
     SigGroupCleanup(de_ctx);
     SigCleanSignatures(de_ctx);
@@ -3312,6 +3313,7 @@ void DetectPcreRegisterTests(void)
 #ifdef UNITTESTS /* UNITTESTS */
     g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
     g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
+    g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
     UtRegisterTest("DetectPcreParseTest01", DetectPcreParseTest01);
     UtRegisterTest("DetectPcreParseTest02", DetectPcreParseTest02);
diff --git a/src/detect.c b/src/detect.c
index 780216a30e..4906c52f49 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -2221,11 +2221,6 @@ static int SignatureCreateMask(Signature *s)
         SCLogDebug("sig requires payload");
     }
-    if (s->init_data->smlists[DETECT_SM_LIST_DMATCH] != NULL) {
-        s->mask |= SIG_MASK_REQUIRE_DCE_STATE;
-        SCLogDebug("sig requires dce state");
-    }
-
     SigMatch *sm;
     for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
         switch(sm->type) {
diff --git a/src/detect.h b/src/detect.h
index 0580fa779a..2e01c5f3a2 100644
--- a/src/detect.h
+++ b/src/detect.h
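Review bot: After this removal nothing in SignatureCreateMask sets `SIG_MASK_REQUIRE_DCE_STATE`; if no other site sets it, the mask bit and its definition are now dead and should go in the same commit, otherwise the packet-mask prefilter keeps a requirement that no rule can ever express. Not setting the bit is the safe direction for detection (dce_stub_data rules are considered for more packets, not fewer), but it also means those rules are no longer skipped cheaply on flows without DCE state, so it is worth confirming that the dce_stub_data inspect engine provides its own prefilter before relying on this. SignatureCreateMask starts outside the hunk.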
@@ -88,9 +88,6 @@ enum DetectSigmatchListEnum {
     DETECT_SM_LIST_MATCH = 0,
     DETECT_SM_LIST_PMATCH,
-    /* list for DCE matches */
-    DETECT_SM_LIST_DMATCH,
-
     /* base64_data keyword uses some hardcoded logic so consider
      * built-in
      * TODO convert to inspect engine */