From 215335fdc6431e1c5de6155aa64c152bda507b72 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Thu, 13 Jan 2022 10:39:12 -0500
Subject: [PATCH] detect/file_data: Reject invalid protocols

Issue: #4895

This commit causes Suricata to reject signatures that combine TCP-based alerts using file_data with NFS keywords. file_data doesn't support the NFS protocol.
---
 src/detect-file-data.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/detect-file-data.c b/src/detect-file-data.c
index 4a798a4b2b..ae95ca685c 100644
--- a/src/detect-file-data.c
+++ b/src/detect-file-data.c
@@ -55,6 +55,8 @@ static int DetectFiledataSetup (DetectEngineCtx *, Signature *, const char *);
 #ifdef UNITTESTS
 static void DetectFiledataRegisterTests(void);
 #endif
+static _Bool DetectFiledataValidateCallback(const Signature *s,
+ const char **sigerror);
 static void DetectFiledataSetupCallback(const DetectEngineCtx *de_ctx, Signature *s);
 
 static int g_file_data_buffer_id = 0;
@@ -112,6 +114,8 @@ void DetectFiledataRegister(void)
 DetectEngineInspectFiledata, NULL);
 DetectBufferTypeRegisterSetupCallback("file_data",
 DetectFiledataSetupCallback);
+ DetectBufferTypeRegisterValidateCallback("file_data",
+ DetectFiledataValidateCallback);
 
 DetectAppLayerInspectEngineRegister2("file_data", ALPROTO_SMB,
 SIG_FLAG_TOSERVER, 0, DetectEngineInspectFiledata, NULL);
@@ -194,6 +198,18 @@ static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, const cha
 return 0;
 }
 
+static _Bool DetectFiledataValidateCallback(const Signature *s,
+ const char **sigerror)
+{
+ if (s->alproto == ALPROTO_NFS) {
+ *sigerror = "Can't use file_data with NFS keywords";
+ SCLogError(SC_ERR_INVALID_SIGNATURE,
+ "Can't use file_data with NFS keywords");
+ return FALSE;
+ }
+ return TRUE;
+}
+
 static void DetectFiledataSetupCallback(const DetectEngineCtx *de_ctx, Signature *s)
 {
 
-- 
2.47.2
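Review bot: DetectFiledataValidateCallback in the third hunk carries the same message twice, once through the `*sigerror` out-parameter and once in the SCLogError call, so the two strings can drift apart on a later edit; hoisting it into one constant, `static const char *msg = "Can't use file_data with NFS keywords";` followed by `*sigerror = msg;` and `SCLogError(SC_ERR_INVALID_SIGNATURE, "%s", msg);`, keeps them in step. The function also has no header comment; a Doxygen block stating that it is the validate callback registered for the file_data buffer, that it rejects a signature whose app-layer protocol is ALPROTO_NFS because file_data has no NFS inspection engine, and that on rejection `*sigerror` points at a static string the caller must not free would document the contract for whoever adds the next unsupported protocol. Whether the SCLogError call is needed at all depends on what the caller of the validate callback does with `*sigerror`, which is outside the hunk; if that path already reports the error, the extra log line is redundant. The `_Bool` return with `TRUE`/`FALSE` matches the prototype added in the first hunk, so that is consistent as written.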