From cc4010343dd495df44d0791f4aadadb63656982e Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Sat, 24 Dec 2016 10:43:36 +0100 Subject: [PATCH] detect: add and use util func for alproto sets --- src/detect-app-layer-event.c | 16 +++---------- src/detect-byte-extract.c | 7 ++---- src/detect-bytejump.c | 9 ++----- src/detect-bytetest.c | 9 ++----- src/detect-cipservice.c | 21 ++++------------- src/detect-dce-iface.c | 8 +------ src/detect-dce-opnum.c | 8 +------ src/detect-dce-stub-data.c | 12 ++-------- src/detect-ftpbounce.c | 7 +----- src/detect-modbus.c | 7 ++---- src/detect-parse.c | 20 ++++++++++++++++ src/detect-parse.h | 2 ++ src/detect-ssh-proto-version.c | 7 +----- src/detect-ssh-software-version.c | 8 +------ src/detect-ssl-state.c | 12 +++------- src/detect-ssl-version.c | 8 ++----- src/detect-tls-cert-validity.c | 39 +++++++------------------------ src/detect-tls-version.c | 7 ++---- src/detect-tls.c | 36 ++++++---------------------- src/detect-urilen.c | 11 ++------- 20 files changed, 69 insertions(+), 185 deletions(-) diff --git a/src/detect-app-layer-event.c b/src/detect-app-layer-event.c index c7128c27a7..8658d3955e 100644 --- a/src/detect-app-layer-event.c +++ b/src/detect-app-layer-event.c @@ -336,23 +336,13 @@ static int DetectAppLayerEventSetupP1(DetectEngineCtx *de_ctx, Signature *s, cha sm->type = DETECT_AL_APP_LAYER_EVENT; sm->ctx = (SigMatchCtx *)data; - if (s->alproto != ALPROTO_UNKNOWN) { - if (s->alproto != data->alproto) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains " - "conflicting keywords needing different alprotos"); - goto error; - } - } else { - s->alproto = data->alproto; - } - if (event_type == APP_LAYER_EVENT_TYPE_PACKET) { SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH); } else { - /* We push it to this list temporarily. We deal with - * these in DetectAppLayerEventPrepare(). */ + if (DetectSignatureSetAppProto(s, data->alproto) != 0) + goto error; + SigMatchAppendSMToList(s, sm, g_applayer_events_list_id); - s->flags |= SIG_FLAG_APPLAYER; } return 0; diff --git a/src/detect-byte-extract.c b/src/detect-byte-extract.c index 07f358367c..0b0f473477 100644 --- a/src/detect-byte-extract.c +++ b/src/detect-byte-extract.c @@ -561,12 +561,9 @@ static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *a } if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) { - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has " - "byte_extract with dce enabled"); + if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0) goto error; - } - s->alproto = ALPROTO_DCERPC; + if ((data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) || (data->base == DETECT_BYTE_EXTRACT_BASE_DEC) || (data->base == DETECT_BYTE_EXTRACT_BASE_HEX) || diff --git a/src/detect-bytejump.c b/src/detect-bytejump.c index 872cd56b06..8db0adfefb 100644 --- a/src/detect-bytejump.c +++ b/src/detect-bytejump.c @@ -539,8 +539,8 @@ static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts sm_list = DETECT_SM_LIST_PMATCH; } - s->alproto = ALPROTO_DCERPC; - s->flags |= SIG_FLAG_APPLAYER; + if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0) + goto error; } else if (data->flags & DETECT_BYTEJUMP_RELATIVE) { prev_pm = DetectGetLastSMFromLists(s, @@ -560,11 +560,6 @@ static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts } if (data->flags & DETECT_BYTEJUMP_DCE) { - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has " - "bytejump with dce enabled"); - goto error; - } if ((data->flags & DETECT_BYTEJUMP_STRING) || (data->flags & DETECT_BYTEJUMP_LITTLE) || (data->flags & DETECT_BYTEJUMP_BIG) || diff --git a/src/detect-bytetest.c b/src/detect-bytetest.c index 731ad6f4e6..4ad7f53e83 100644 --- a/src/detect-bytetest.c +++ b/src/detect-bytetest.c @@ -467,8 +467,8 @@ static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts sm_list = DETECT_SM_LIST_PMATCH; } - s->alproto = ALPROTO_DCERPC; - s->flags |= SIG_FLAG_APPLAYER; + if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0) + goto error; } else if (data->flags & DETECT_BYTETEST_RELATIVE) { prev_pm = DetectGetLastSMFromLists(s, @@ -488,11 +488,6 @@ static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts } if (data->flags & DETECT_BYTETEST_DCE) { - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has " - "bytetest with dce enabled"); - goto error; - } if ((data->flags & DETECT_BYTETEST_STRING) || (data->flags & DETECT_BYTETEST_LITTLE) || (data->flags & DETECT_BYTETEST_BIG) || diff --git a/src/detect-cipservice.c b/src/detect-cipservice.c index 6452ffaff6..de9aa04c40 100644 --- a/src/detect-cipservice.c +++ b/src/detect-cipservice.c @@ -207,12 +207,8 @@ static int DetectCipServiceSetup(DetectEngineCtx *de_ctx, Signature *s, DetectCipServiceData *cipserviced = NULL; SigMatch *sm = NULL; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_ENIP) - { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, - "rule contains conflicting keywords."); - goto error; - } + if (DetectSignatureSetAppProto(s, ALPROTO_ENIP) != 0) + return -1; cipserviced = DetectCipServiceParse(rulestr); if (cipserviced == NULL) @@ -225,10 +221,7 @@ static int DetectCipServiceSetup(DetectEngineCtx *de_ctx, Signature *s, sm->type = DETECT_CIPSERVICE; sm->ctx = (void *) cipserviced; - s->alproto = ALPROTO_ENIP; - SigMatchAppendSMToList(s, sm, g_cip_buffer_id); - SCReturnInt(0); error: @@ -384,12 +377,8 @@ static int DetectEnipCommandSetup(DetectEngineCtx *de_ctx, Signature *s, DetectEnipCommandData *enipcmdd = NULL; SigMatch *sm = NULL; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_ENIP) - { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, - "rule contains conflicting keywords."); - goto error; - } + if (DetectSignatureSetAppProto(s, ALPROTO_ENIP) != 0) + return -1; enipcmdd = DetectEnipCommandParse(rulestr); if (enipcmdd == NULL) @@ -402,9 +391,7 @@ static int DetectEnipCommandSetup(DetectEngineCtx *de_ctx, Signature *s, sm->type = DETECT_ENIPCOMMAND; sm->ctx = (void *) enipcmdd; - s->alproto = ALPROTO_ENIP; SigMatchAppendSMToList(s, sm, g_enip_buffer_id); - SCReturnInt(0); error: diff --git a/src/detect-dce-iface.c b/src/detect-dce-iface.c index 50e7477401..e1bf69d4df 100644 --- a/src/detect-dce-iface.c +++ b/src/detect-dce-iface.c @@ -370,10 +370,8 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) DetectDceIfaceData *did = NULL; SigMatch *sm = NULL; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); + if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0) return -1; - } did = DetectDceIfaceArgParse(arg); if (did == NULL) { @@ -390,10 +388,6 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) sm->ctx = (void *)did; SigMatchAppendSMToList(s, sm, g_dce_generic_list_id); - - s->alproto = ALPROTO_DCERPC; - /* Flagged the signature as to inspect the app layer data */ - s->flags |= SIG_FLAG_APPLAYER; return 0; error: diff --git a/src/detect-dce-opnum.c b/src/detect-dce-opnum.c index 5417826ea0..9098a47150 100644 --- a/src/detect-dce-opnum.c +++ b/src/detect-dce-opnum.c @@ -296,10 +296,8 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) return -1; } - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); + if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0) return -1; - } dod = DetectDceOpnumArgParse(arg); if (dod == NULL) { @@ -316,10 +314,6 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) sm->ctx = (void *)dod; SigMatchAppendSMToList(s, sm, g_dce_generic_list_id); - - s->alproto = ALPROTO_DCERPC; - /* Flagged the signature as to inspect the app layer data */ - s->flags |= SIG_FLAG_APPLAYER; return 0; error: diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c index 6318e0dfc5..ee7275dede 100644 --- a/src/detect-dce-stub-data.c +++ b/src/detect-dce-stub-data.c @@ -237,19 +237,11 @@ void DetectDceStubDataRegister(void) static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, - "rule contains conflicting keywords."); - goto error; - } + if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0) + return -1; s->init_data->list = g_dce_stub_data_buffer_id; - s->alproto = ALPROTO_DCERPC; - s->flags |= SIG_FLAG_APPLAYER; return 0; - - error: - return -1; } /************************************Unittests*********************************/ diff --git a/src/detect-ftpbounce.c b/src/detect-ftpbounce.c index 0e2c2a07b5..8e33aaf9d0 100644 --- a/src/detect-ftpbounce.c +++ b/src/detect-ftpbounce.c @@ -225,10 +225,8 @@ int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, char *ftpbounces SigMatch *sm = NULL; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_FTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); + if (DetectSignatureSetAppProto(s, ALPROTO_FTP) != 0) return -1; - } sm = SigMatchAlloc(); if (sm == NULL) { @@ -249,9 +247,6 @@ int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, char *ftpbounces sm->ctx = NULL; SigMatchAppendSMToList(s, sm, g_ftp_request_list_id); - - s->alproto = ALPROTO_FTP; - s->flags |= SIG_FLAG_APPLAYER; SCReturnInt(0); } diff --git a/src/detect-modbus.c b/src/detect-modbus.c index 19518e2826..1c84f5778e 100644 --- a/src/detect-modbus.c +++ b/src/detect-modbus.c @@ -366,10 +366,8 @@ static int DetectModbusSetup(DetectEngineCtx *de_ctx, Signature *s, char *str) DetectModbus *modbus = NULL; SigMatch *sm = NULL; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_MODBUS) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); - goto error; - } + if (DetectSignatureSetAppProto(s, ALPROTO_MODBUS) != 0) + return -1; if ((modbus = DetectModbusFunctionParse(str)) == NULL) { if ((modbus = DetectModbusAccessParse(str)) == NULL) { @@ -387,7 +385,6 @@ static int DetectModbusSetup(DetectEngineCtx *de_ctx, Signature *s, char *str) sm->ctx = (void *) modbus; SigMatchAppendSMToList(s, sm, g_modbus_buffer_id); - s->alproto = ALPROTO_MODBUS; SCReturnInt(0); diff --git a/src/detect-parse.c b/src/detect-parse.c index 6385500f17..f2d34f36a6 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -1193,6 +1193,26 @@ void SigFree(Signature *s) SCFree(s); } +int DetectSignatureSetAppProto(Signature *s, AppProto alproto) +{ + if (alproto == ALPROTO_UNKNOWN || + alproto >= ALPROTO_FAILED) { + SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid alproto %u", alproto); + return -1; + } + + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != alproto) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, + "can't set rule app proto to %s: already set to %s", + AppProtoToString(alproto), AppProtoToString(s->alproto)); + return -1; + } + + s->alproto = alproto; + s->flags |= SIG_FLAG_APPLAYER; + return 0; +} + /** * \internal * \brief build address match array for cache efficient matching diff --git a/src/detect-parse.h b/src/detect-parse.h index 15f5092266..456ef66a03 100644 --- a/src/detect-parse.h +++ b/src/detect-parse.h @@ -70,6 +70,8 @@ SigMatch *DetectGetLastSMFromLists(const Signature *s, ...); SigMatch *DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list, ...); SigMatch *DetectGetLastSMByListId(const Signature *s, int list_id, ...); +int DetectSignatureSetAppProto(Signature *s, AppProto alproto); + /* parse regex setup and free util funcs */ void DetectSetupParseRegexes(const char *parse_str, diff --git a/src/detect-ssh-proto-version.c b/src/detect-ssh-proto-version.c index ebf8ce0c64..db23714852 100644 --- a/src/detect-ssh-proto-version.c +++ b/src/detect-ssh-proto-version.c @@ -217,10 +217,8 @@ static int DetectSshVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s DetectSshVersionData *ssh = NULL; SigMatch *sm = NULL; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); + if (DetectSignatureSetAppProto(s, ALPROTO_SSH) != 0) return -1; - } ssh = DetectSshVersionParse(str); if (ssh == NULL) @@ -236,9 +234,6 @@ static int DetectSshVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s sm->ctx = (void *)ssh; SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id); - - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_SSH; return 0; error: diff --git a/src/detect-ssh-software-version.c b/src/detect-ssh-software-version.c index 7ab8ecffca..da5cc5190b 100644 --- a/src/detect-ssh-software-version.c +++ b/src/detect-ssh-software-version.c @@ -212,10 +212,8 @@ static int DetectSshSoftwareVersionSetup (DetectEngineCtx *de_ctx, Signature *s, DetectSshSoftwareVersionData *ssh = NULL; SigMatch *sm = NULL; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); + if (DetectSignatureSetAppProto(s, ALPROTO_SSH) != 0) return -1; - } ssh = DetectSshSoftwareVersionParse(str); if (ssh == NULL) @@ -230,11 +228,7 @@ static int DetectSshSoftwareVersionSetup (DetectEngineCtx *de_ctx, Signature *s, sm->type = DETECT_AL_SSH_SOFTWAREVERSION; sm->ctx = (void *)ssh; - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_SSH; - SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id); - return 0; error: diff --git a/src/detect-ssl-state.c b/src/detect-ssl-state.c index 88394b579f..1a85ebdc41 100644 --- a/src/detect-ssl-state.c +++ b/src/detect-ssl-state.c @@ -308,12 +308,9 @@ static int DetectSslStateSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) DetectSslStateData *ssd = NULL; SigMatch *sm = NULL; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, - "Rule contains conflicting keywords. Have non-tls alproto " - "set for a rule containing \"ssl_state\" keyword"); - goto error; - } + if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0) + return -1; + ssd = DetectSslStateParse(arg); if (ssd == NULL) goto error; @@ -325,10 +322,7 @@ static int DetectSslStateSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) sm->type = DETECT_AL_SSL_STATE; sm->ctx = (SigMatchCtx*)ssd; - s->alproto = ALPROTO_TLS; - SigMatchAppendSMToList(s, sm, g_tls_generic_list_id); - return 0; error: diff --git a/src/detect-ssl-version.c b/src/detect-ssl-version.c index 661c6b89bf..82ac3632eb 100644 --- a/src/detect-ssl-version.c +++ b/src/detect-ssl-version.c @@ -282,10 +282,8 @@ static int DetectSslVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s DetectSslVersionData *ssl = NULL; SigMatch *sm = NULL; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); - goto error; - } + if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0) + return -1; ssl = DetectSslVersionParse(str); if (ssl == NULL) @@ -301,8 +299,6 @@ static int DetectSslVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s sm->ctx = (void *)ssl; SigMatchAppendSMToList(s, sm, g_tls_generic_list_id); - - s->alproto = ALPROTO_TLS; return 0; error: diff --git a/src/detect-tls-cert-validity.c b/src/detect-tls-cert-validity.c index 2a868566d5..17e4b32df7 100644 --- a/src/detect-tls-cert-validity.c +++ b/src/detect-tls-cert-validity.c @@ -421,6 +421,9 @@ static int DetectTlsExpiredSetup (DetectEngineCtx *de_ctx, Signature *s, SCLogDebug("\'%s\'", rawstr); + if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0) + return -1; + dd = SCCalloc(1, sizeof(DetectTlsValidityData)); if (dd == NULL) { SCLogError(SC_ERR_INVALID_ARGUMENT,"Allocation \'%s\' failed", rawstr); @@ -433,12 +436,6 @@ static int DetectTlsExpiredSetup (DetectEngineCtx *de_ctx, Signature *s, if (sm == NULL) goto error; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, - "rule contains conflicting keywords."); - goto error; - } - dd->mode = DETECT_TLS_VALIDITY_EX; dd->type = DETECT_TLS_TYPE_NOTAFTER; dd->epoch = 0; @@ -447,11 +444,7 @@ static int DetectTlsExpiredSetup (DetectEngineCtx *de_ctx, Signature *s, sm->type = DETECT_AL_TLS_EXPIRED; sm->ctx = (void *)dd; - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_TLS; - SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id); - return 0; error: @@ -479,6 +472,9 @@ static int DetectTlsValidSetup (DetectEngineCtx *de_ctx, Signature *s, SCLogDebug("\'%s\'", rawstr); + if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0) + return -1; + dd = SCCalloc(1, sizeof(DetectTlsValidityData)); if (dd == NULL) { SCLogError(SC_ERR_INVALID_ARGUMENT,"Allocation \'%s\' failed", rawstr); @@ -491,12 +487,6 @@ static int DetectTlsValidSetup (DetectEngineCtx *de_ctx, Signature *s, if (sm == NULL) goto error; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, - "rule contains conflicting keywords."); - goto error; - } - dd->mode = DETECT_TLS_VALIDITY_VA; dd->type = DETECT_TLS_TYPE_NOTAFTER; dd->epoch = 0; @@ -505,11 +495,7 @@ static int DetectTlsValidSetup (DetectEngineCtx *de_ctx, Signature *s, sm->type = DETECT_AL_TLS_VALID; sm->ctx = (void *)dd; - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_TLS; - SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id); - return 0; error: @@ -576,6 +562,9 @@ static int DetectTlsValiditySetup (DetectEngineCtx *de_ctx, Signature *s, SCLogDebug("\'%s\'", rawstr); + if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0) + return -1; + dd = DetectTlsValidityParse(rawstr); if (dd == NULL) { SCLogError(SC_ERR_INVALID_ARGUMENT,"Parsing \'%s\' failed", rawstr); @@ -588,12 +577,6 @@ static int DetectTlsValiditySetup (DetectEngineCtx *de_ctx, Signature *s, if (sm == NULL) goto error; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, - "rule contains conflicting keywords."); - goto error; - } - if (type == DETECT_TLS_TYPE_NOTBEFORE) { dd->type = DETECT_TLS_TYPE_NOTBEFORE; sm->type = DETECT_AL_TLS_NOTBEFORE; @@ -608,11 +591,7 @@ static int DetectTlsValiditySetup (DetectEngineCtx *de_ctx, Signature *s, sm->ctx = (void *)dd; - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_TLS; - SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id); - return 0; error: diff --git a/src/detect-tls-version.c b/src/detect-tls-version.c index 198bb6fae0..1f027b8247 100644 --- a/src/detect-tls-version.c +++ b/src/detect-tls-version.c @@ -221,10 +221,8 @@ static int DetectTlsVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s DetectTlsVersionData *tls = NULL; SigMatch *sm = NULL; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); - goto error; - } + if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0) + return -1; tls = DetectTlsVersionParse(str); if (tls == NULL) @@ -241,7 +239,6 @@ static int DetectTlsVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s SigMatchAppendSMToList(s, sm, g_tls_generic_list_id); - s->alproto = ALPROTO_TLS; return 0; error: diff --git a/src/detect-tls.c b/src/detect-tls.c index 9a1a2122bf..585eabe3c9 100644 --- a/src/detect-tls.c +++ b/src/detect-tls.c @@ -319,10 +319,8 @@ static int DetectTlsSubjectSetup (DetectEngineCtx *de_ctx, Signature *s, char *s DetectTlsData *tls = NULL; SigMatch *sm = NULL; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); - goto error; - } + if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0) + return -1; tls = DetectTlsSubjectParse(str); if (tls == NULL) @@ -337,11 +335,7 @@ static int DetectTlsSubjectSetup (DetectEngineCtx *de_ctx, Signature *s, char *s sm->type = DETECT_AL_TLS_SUBJECT; sm->ctx = (void *)tls; - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_TLS; - SigMatchAppendSMToList(s, sm, g_tls_cert_list_id); - return 0; error: @@ -532,10 +526,8 @@ static int DetectTlsIssuerDNSetup (DetectEngineCtx *de_ctx, Signature *s, char * DetectTlsData *tls = NULL; SigMatch *sm = NULL; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); - goto error; - } + if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0) + return -1; tls = DetectTlsIssuerDNParse(str); if (tls == NULL) @@ -550,11 +542,7 @@ static int DetectTlsIssuerDNSetup (DetectEngineCtx *de_ctx, Signature *s, char * sm->type = DETECT_AL_TLS_ISSUERDN; sm->ctx = (void *)tls; - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_TLS; - SigMatchAppendSMToList(s, sm, g_tls_cert_list_id); - return 0; error: @@ -735,10 +723,8 @@ static int DetectTlsFingerprintSetup (DetectEngineCtx *de_ctx, Signature *s, cha DetectTlsData *tls = NULL; SigMatch *sm = NULL; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); - goto error; - } + if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0) + return -1; tls = DetectTlsFingerprintParse(str); if (tls == NULL) @@ -753,11 +739,7 @@ static int DetectTlsFingerprintSetup (DetectEngineCtx *de_ctx, Signature *s, cha sm->type = DETECT_AL_TLS_FINGERPRINT; sm->ctx = (void *)tls; - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_TLS; - SigMatchAppendSMToList(s, sm, g_tls_cert_list_id); - return 0; error: @@ -797,18 +779,14 @@ static int DetectTlsStoreSetup (DetectEngineCtx *de_ctx, Signature *s, char *str { SigMatch *sm = NULL; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); + if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0) return -1; - } sm = SigMatchAlloc(); if (sm == NULL) return -1; sm->type = DETECT_AL_TLS_STORE; - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_TLS; s->flags |= SIG_FLAG_TLSSTORE; SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH); diff --git a/src/detect-urilen.c b/src/detect-urilen.c index c569930725..65f4b0b24b 100644 --- a/src/detect-urilen.c +++ b/src/detect-urilen.c @@ -247,11 +247,8 @@ static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, char *urile DetectUrilenData *urilend = NULL; SigMatch *sm = NULL; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto error; - } + if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) != 0) + return -1; urilend = DetectUrilenParse(urilenstr); if (urilend == NULL) @@ -267,10 +264,6 @@ static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, char *urile else SigMatchAppendSMToList(s, sm, g_http_uri_buffer_id); - /* Flagged the signature as to inspect the app layer data */ - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - SCReturnInt(0); error: -- 2.47.2