From c9bed6e0b2b1f16ec176c1ae2e622f1f62307fd1 Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Thu, 13 Jan 2022 10:39:12 -0500 Subject: [PATCH] detect/file_data: Reject invalid protocols Issue: #4895 This commit causes Suricata to reject signatures that combine TCP-based alerts using file_data with NFS keywords. file_data doesn't support the NFS protocol. (cherry picked from commit 215335fdc6431e1c5de6155aa64c152bda507b72) --- src/detect-file-data.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/detect-file-data.c b/src/detect-file-data.c index ce0223ceac..8536b93942 100644 --- a/src/detect-file-data.c +++ b/src/detect-file-data.c @@ -55,6 +55,7 @@ static int DetectFiledataSetup (DetectEngineCtx *, Signature *, const char *); #ifdef UNITTESTS static void DetectFiledataRegisterTests(void); #endif +static _Bool DetectFiledataValidateCallback(const Signature *s, const char **sigerror); static void DetectFiledataSetupCallback(const DetectEngineCtx *de_ctx, Signature *s); static int g_file_data_buffer_id = 0; @@ -118,6 +119,7 @@ void DetectFiledataRegister(void) DetectEngineInspectFiledata, NULL); DetectBufferTypeRegisterSetupCallback("file_data", DetectFiledataSetupCallback); + DetectBufferTypeRegisterValidateCallback("file_data", DetectFiledataValidateCallback); DetectAppLayerInspectEngineRegister2("file_data", ALPROTO_SMB, SIG_FLAG_TOSERVER, 0, DetectEngineInspectFiledata, NULL); @@ -207,6 +209,16 @@ static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, const cha return 0; } +static _Bool DetectFiledataValidateCallback(const Signature *s, const char **sigerror) +{ + if (s->alproto == ALPROTO_NFS) { + *sigerror = "Can't use file_data with NFS keywords"; + SCLogError(SC_ERR_INVALID_SIGNATURE, "Can't use file_data with NFS keywords"); + return FALSE; + } + return TRUE; +} + static void DetectFiledataSetupCallback(const DetectEngineCtx *de_ctx, Signature *s) { -- 2.47.2
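Review bot: In the third hunk, `DetectFiledataValidateCallback` rejects only `s->alproto == ALPROTO_NFS`, so a signature that pairs file_data with any other app-layer protocol lacking a file_data inspect engine would presumably still load and then never match, leaving the rule author with a silent coverage gap. The registration list in `DetectFiledataRegister` is mostly outside this diff (only the `ALPROTO_SMB` entry is visible), so it is worth confirming whether the check can instead accept only the registered protocols. If the single-protocol check stays, a comment such as `/* file_data has no NFS inspect engine; reject instead of loading a rule that cannot match */` would record the reason. The message literal is written twice; logging through the assigned pointer, `SCLogError(SC_ERR_INVALID_SIGNATURE, "%s", *sigerror);`, keeps the two copies from drifting apart. The file has a UNITTESTS section (visible in the first hunk) but the commit adds no test, so a case asserting that such a signature fails to load would pin the new behaviour.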