From 678763c3f49e1b5838febce4b1e0a3bf7c0d96c9 Mon Sep 17 00:00:00 2001
From: Anoop Saldanha
Date: Thu, 17 May 2012 21:53:36 +0530
Subject: [PATCH] bug #454 - global check to see if address and port vars are properly configured

---
 src/detect-engine-address.c | 48 +++++++++++++++++++++++++++++++++++++
 src/detect-engine-address.h | 2 ++
 src/detect-engine-port.c | 46 +++++++++++++++++++++++++++++++++++
 src/detect-engine-port.h | 2 ++
 src/suricata.c | 5 ++++
 src/util-error.c | 2 ++
 src/util-error.h | 1 +
 7 files changed, 106 insertions(+)

diff --git a/src/detect-engine-address.c b/src/detect-engine-address.c
index cbcde7b458..edcae6af85 100644
--- a/src/detect-engine-address.c
+++ b/src/detect-engine-address.c
@@ -34,6 +34,7 @@
 #include "util-cidr.h"
 #include "util-unittest.h"
 #include "util-rule-vars.h"
+#include "conf.h"
 
 #include "detect-engine-siggroup.h"
 #include "detect-engine-address.h"
@@ -1227,6 +1228,53 @@ error:
     return -1;
 }
 
+int DetectAddressTestConfVars(void)
+{
+    SCLogDebug("Testing address conf vars for any misconfigured values");
+
+    ConfNode *address_vars_node = ConfGetNode("vars.address-groups");
+    if (address_vars_node == NULL) {
+        return 0;
+    }
+
+    ConfNode *seq_node;
+    TAILQ_FOREACH(seq_node, &address_vars_node->head, next) {
+        SCLogDebug("Testing %s - %s\n", seq_node->name, seq_node->val);
+
+        DetectAddressHead *gh = DetectAddressHeadInit();
+        if (gh == NULL) {
+            goto error;
+        }
+        DetectAddressHead *ghn = DetectAddressHeadInit();
+        if (ghn == NULL) {
+            goto error;
+        }
+
+        int r = DetectAddressParse2(gh, ghn, seq_node->val, /* start with negate no */0);
+        if (r < 0) {
+            goto error;
+        }
+
+        if (DetectAddressIsCompleteIPSpace(ghn)) {
+            SCLogError(SC_ERR_ADDRESS_ENGINE_GENERIC,
+                       "Address var - \"%s\" has the complete IP space negated "
+                       "with it's value \"%s\". Rule address range is NIL. "
+                       "Probably have a !any or an address range that supplies "
+                       "a NULL address range", seq_node->name, seq_node->val);
+            goto error;
+        }
+
+        if (gh != NULL)
+            DetectAddressHeadFree(gh);
+        if (ghn != NULL)
+            DetectAddressHeadFree(ghn);
+    }
+
+    return 0;
+ error:
+    return -1;
+}
+
 /**
  * \brief Parses an address group sent as a character string and updates the
  * DetectAddressHead sent as the argument with the relevant address
diff --git a/src/detect-engine-address.h b/src/detect-engine-address.h
index 6a924a92d0..f185b7abde 100644
--- a/src/detect-engine-address.h
+++ b/src/detect-engine-address.h
@@ -56,6 +56,8 @@ int DetectAddressCmp(DetectAddress *, DetectAddress *);
 int DetectAddressMatchIPv4(DetectMatchAddressIPv4 *, uint16_t, Address *);
 int DetectAddressMatchIPv6(DetectMatchAddressIPv6 *, uint16_t, Address *);
 
+int DetectAddressTestConfVars(void);
+
 void DetectAddressTests(void);
 
 #endif /* __DETECT_ADDRESS_H__ */
diff --git a/src/detect-engine-port.c b/src/detect-engine-port.c
index 666dcd4ae4..07295aeb3d 100644
--- a/src/detect-engine-port.c
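Review bot: Every `goto error` inside the TAILQ_FOREACH body leaks the DetectAddressHead objects already allocated in that iteration — `gh` when DetectAddressHeadInit() fails for `ghn`, and both `gh` and `ghn` when DetectAddressParse2() fails or the negated-space check fires — because the `error:` label returns -1 without freeing anything, while the `if (gh != NULL)` / `if (ghn != NULL)` guards on the success path are redundant since both pointers were NULL-checked a few lines above. Hoisting the two pointers out of the loop, clearing them after each free and releasing them at the label closes the leak; the sketch below shows the changed lines. DetectPortTestConfVars in the detect-engine-port.c hunk has the same shape (`gh`/`ghn` lost on every `goto error`) and needs the same treatment. The error text is user-facing, so `it's value` should also read `its value`.
```c
    ConfNode *seq_node;
    DetectAddressHead *gh = NULL;
    DetectAddressHead *ghn = NULL;
    TAILQ_FOREACH(seq_node, &address_vars_node->head, next) {
        /* … unchanged: per-var SCLogDebug … */

        gh = DetectAddressHeadInit();
        if (gh == NULL) {
            goto error;
        }
        ghn = DetectAddressHeadInit();
        if (ghn == NULL) {
            goto error;
        }
        /* … unchanged: DetectAddressParse2() call and the complete-IP-space check … */

        DetectAddressHeadFree(gh);
        DetectAddressHeadFree(ghn);
        gh = ghn = NULL;
    }

    return 0;
 error:
    /* release whatever the failing iteration had allocated */
    if (gh != NULL)
        DetectAddressHeadFree(gh);
    if (ghn != NULL)
        DetectAddressHeadFree(ghn);
    return -1;
}
```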
+++ b/src/detect-engine-port.c
@@ -44,6 +44,7 @@
 #include "detect-engine-siggroup.h"
 #include "detect-engine-port.h"
 
+#include "conf.h"
 #include "util-debug.h"
 #include "util-error.h"
 
@@ -1288,6 +1289,51 @@ error:
     return -1;
 }
 
+int DetectPortTestConfVars(void)
+{
+    SCLogDebug("Testing port conf vars for any misconfigured values");
+
+    ConfNode *port_vars_node = ConfGetNode("vars.port-groups");
+    if (port_vars_node == NULL) {
+        return 0;
+    }
+
+    ConfNode *seq_node;
+    TAILQ_FOREACH(seq_node, &port_vars_node->head, next) {
+        SCLogDebug("Testing %s - %s\n", seq_node->name, seq_node->val);
+
+        DetectPort *gh = DetectPortInit();
+        if (gh == NULL) {
+            goto error;
+        }
+        DetectPort *ghn = NULL;
+
+        int r = DetectPortParseDo(&gh, &ghn, seq_node->val, /* start with negate no */0);
+        if (r < 0) {
+            goto error;
+        }
+
+        if (DetectPortIsCompletePortSpace(ghn)) {
+            SCLogError(SC_ERR_PORT_ENGINE_GENERIC,
+                       "Port var - \"%s\" has the complete Port range negated "
+                       "with it's value \"%s\". Port space range is NIL. "
+                       "Probably have a !any or a port range that supplies "
+                       "a NULL address range", seq_node->name, seq_node->val);
+            goto error;
+        }
+
+        if (gh != NULL)
+            DetectPortFree(gh);
+        if (ghn != NULL)
+            DetectPortFree(ghn);
+    }
+
+    return 0;
+ error:
+    return -1;
+}
+
+
 /**
  * \brief Function for parsing port strings
  *
diff --git a/src/detect-engine-port.h b/src/detect-engine-port.h
index 7d79021eb3..bfba92d19a 100644
--- a/src/detect-engine-port.h
+++ b/src/detect-engine-port.h
@@ -60,6 +60,8 @@ void DetectPortPrintList(DetectPort *head);
 int DetectPortCmp(DetectPort *, DetectPort *);
 void DetectPortFree(DetectPort *);
 
+int DetectPortTestConfVars(void);
+
 void DetectPortTests(void);
 
 #endif /* __DETECT_PORT_H__ */
diff --git a/src/suricata.c b/src/suricata.c
index afbe20f2d4..521423226c 100644
--- a/src/suricata.c
+++ b/src/suricata.c
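Review bot: The SCLogError text in the negated-range branch of DetectPortTestConfVars is a copy of the address message and still ends with `"a NULL address range"`, so a user who mis-sets a port var is told about an address range; the last format line should read `"a NULL port range", seq_node->name, seq_node->val);` (and `it's value` should be `its value`). Separately, `ghn` is initialised to NULL and only DetectPortParseDo() can set it, so when a value contains no negation the call `DetectPortIsCompletePortSpace(ghn)` hands that function a NULL head — if it tolerates NULL, a one-line comment such as `/* ghn stays NULL when the value has no negation; IsCompletePortSpace() must accept that */` would save the next reader the lookup, otherwise the call needs a `ghn != NULL &&` guard. The `SCLogDebug("Testing %s - %s\n", ...)` line carries a trailing newline that the other SCLogDebug calls in the hunk do not, which looks unintended.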
@@ -1638,6 +1638,11 @@ int main(int argc, char **argv)
     if (MagicInit() != 0)
         exit(EXIT_FAILURE);
 
+    if (DetectAddressTestConfVars() < 0)
+        exit(0);
+    if (DetectPortTestConfVars() < 0)
+        exit(0);
+
     if (SigLoadSignatures(de_ctx, sig_file, sig_file_exclusive) < 0) {
         if (sig_file == NULL) {
             SCLogError(SC_ERR_OPENING_FILE, "Signature file has not been provided");
diff --git a/src/util-error.c b/src/util-error.c
index b70c934d15..80e6377aea 100644
--- a/src/util-error.c
+++ b/src/util-error.c
@@ -99,6 +99,8 @@ const char * SCErrorToString(SCError err)
         CASE_CODE (SC_ERR_REASSEMBLY);
         CASE_CODE (SC_ERR_POOL_INIT);
         CASE_CODE (SC_ERR_UNIMPLEMENTED);
+        CASE_CODE (SC_ERR_ADDRESS_ENGINE_GENERIC);
+        CASE_CODE (SC_ERR_PORT_ENGINE_GENERIC);
         CASE_CODE (SC_ERR_FAST_LOG_GENERIC);
         CASE_CODE (SC_ERR_ADDRESS_ENGINE_GENERIC);
         CASE_CODE (SC_ERR_IPONLY_RADIX);
diff --git a/src/util-error.h b/src/util-error.h
index 52fa0c1658..6774f86289 100644
--- a/src/util-error.h
+++ b/src/util-error.h
@@ -117,6 +117,7 @@ typedef enum {
     SC_ERR_DAEMON,
     SC_ERR_UNIMPLEMENTED,
     SC_ERR_ADDRESS_ENGINE_GENERIC,
+    SC_ERR_PORT_ENGINE_GENERIC,
     SC_ERR_IPONLY_RADIX,
     SC_ERR_FAST_LOG_GENERIC,
     SC_ERR_DEBUG_LOG_GENERIC,
-- 
2.47.2
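Review bot: Both new checks in main() call `exit(0)` when an address or port var is misconfigured, so the process reports success to whatever started it — an init script or supervisor sees a clean exit and never learns that `vars.address-groups` / `vars.port-groups` were rejected. The `MagicInit()` failure two lines above already uses `exit(EXIT_FAILURE)`, and both new branches should do the same: `exit(EXIT_FAILURE);`. main() begins and ends outside this hunk.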
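Review bot: The added `CASE_CODE (SC_ERR_ADDRESS_ENGINE_GENERIC);` in util-error.c duplicates the existing entry two context lines further down, so if CASE_CODE expands to a `case` label — which its use inside SCErrorToString suggests — the translation unit fails to compile with a duplicate case value; only the new `CASE_CODE (SC_ERR_PORT_ENGINE_GENERIC);` line should be added. The util-error.h hunk places SC_ERR_PORT_ENGINE_GENERIC directly after SC_ERR_ADDRESS_ENGINE_GENERIC, so inserting the new CASE_CODE right after the existing ADDRESS_ENGINE_GENERIC line here keeps the two lists in the same order. SCErrorToString's body starts and ends outside this hunk.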