From: Sreeja Athirkandathil Narayanan (sathirka) Date: Wed, 31 May 2023 17:40:18 +0000 (+0000) Subject: Pull request #3810: appid: Changes logic in ssl pattern matching X-Git-Tag: 3.1.63.0~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=feacd06d017fd67b56aff9bb4e9422bc9a53e281;p=thirdparty%2Fsnort3.git Pull request #3810: appid: Changes logic in ssl pattern matching Merge in SNORT/snort3 from ~LCZARNIK/snort3:wildcard to master Squashed commit of the following: commit 6231d29de020c2bcd883429293b9c5fb28775efb Author: Lukasz Czarnik Date: Mon Apr 17 09:50:20 2023 -0400 appid: Changes logic in ssl pattern matching --- diff --git a/src/network_inspectors/appid/detector_plugins/ssl_patterns.cc b/src/network_inspectors/appid/detector_plugins/ssl_patterns.cc index 486999a6f..468bae735 100644 --- a/src/network_inspectors/appid/detector_plugins/ssl_patterns.cc +++ b/src/network_inspectors/appid/detector_plugins/ssl_patterns.cc @@ -99,12 +99,15 @@ static bool scan_patterns(SearchTool& matcher, const uint8_t* data, size_t size, best_match = nullptr; while (mp) { - /* Only patterns that match start of payload, + /* Only patterns that match end of the payload AND + (match the start of the payload + or match after '.' or patterns starting with '.' - or patterns following '.' in payload are considered a match. */ - if (mp->match_start_pos == 0 || - *mp->mpattern->pattern == '.' || - data[mp->match_start_pos-1] == '.') + ) are considered a match. */ + if (mp->match_start_pos + mp->mpattern->pattern_size == (int)size and + (mp->match_start_pos == 0 or + data[mp->match_start_pos-1] == '.' or + *mp->mpattern->pattern == '.')) { if (!best_match || mp->mpattern->pattern_size > best_match->pattern_size)