*/
int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
- DetectByteExtractData *data = NULL;
SigMatch *sm = NULL;
+ SigMatch *prev_pm = NULL;
+ DetectByteExtractData *data = NULL;
+ int ret = -1;
data = DetectByteExtractParse(arg);
if (data == NULL)
goto error;
- sm = SigMatchAlloc();
- if (sm == NULL)
- goto error;
-
- sm->type = DETECT_BYTE_EXTRACT;
- sm->ctx = (void *)data;
-
- /* assign a local id for the byte extract var */
- DetectByteExtractData *bed = (DetectByteExtractData *)sm->ctx;
- SigMatch *prev_bed_sm =
- SigMatchGetLastSMFromLists(s, 6,
- DETECT_BYTE_EXTRACT,
- s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTE_EXTRACT,
- s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_BYTE_EXTRACT,
- s->sm_lists_tail[DETECT_SM_LIST_UMATCH]);
- if (prev_bed_sm == NULL) {
- /* first one */
- bed->local_id = 0;
- } else {
- bed->local_id = ((DetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1;
- }
- if (bed->local_id > de_ctx->byte_extract_max_local_id)
- de_ctx->byte_extract_max_local_id = bed->local_id;
-
- /* check bytetest modifiers against the signature alproto. In case they conflict
- * chuck out invalid signature */
- if ((data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE)) {
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
- "bytetest with dce enabled");
- goto error;
- }
- s->alproto = ALPROTO_DCERPC;
- }
-
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA ||
- s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
- int sm_list;
+ int sm_list;
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
+ if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "dce byte_extract specified "
+ "with file_data option set.");
+ goto error;
+ }
AppLayerHtpEnableResponseBodyCallback();
sm_list = DETECT_SM_LIST_HSBDMATCH;
} else {
sm_list = DETECT_SM_LIST_DMATCH;
}
-
+ s->flags |= SIG_FLAG_APPLAYER;
if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
- SigMatch *prev_sm = NULL;
- prev_sm = SigMatchGetLastSMFromLists(s, 8,
+ prev_pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[sm_list],
- DETECT_BYTETEST, s->sm_lists_tail[sm_list],
- DETECT_BYTEJUMP, s->sm_lists_tail[sm_list],
DETECT_PCRE, s->sm_lists_tail[sm_list]);
- if (prev_sm == NULL) {
- data->flags &= ~DETECT_BYTE_EXTRACT_FLAG_RELATIVE;
- }
}
- s->flags |= SIG_FLAG_APPLAYER;
- SigMatchAppendSMToList(s, sm, sm_list);
- } else {
+ } else if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
- SigMatch *pm =
- SigMatchGetLastSMFromLists(s, 20,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
- if (pm == NULL) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
- return 0;
+ prev_pm = SigMatchGetLastSMFromLists(s, 12,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
+ if (prev_pm == NULL) {
+ sm_list = DETECT_SM_LIST_PMATCH;
+ } else {
+ sm_list = SigMatchListSMBelongsTo(s, prev_pm);
}
- int list = SigMatchListSMBelongsTo(s, pm);
- SigMatchAppendSMToList(s, sm, list);
} else {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
+ sm_list = DETECT_SM_LIST_PMATCH;
}
- }
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
- return 0;
- }
+ s->alproto = ALPROTO_DCERPC;
+ s->flags |= SIG_FLAG_APPLAYER;
- if ( !(data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE)) {
- return 0;
- }
+ } else if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
+ prev_pm = SigMatchGetLastSMFromLists(s, 168,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ if (prev_pm == NULL) {
+ sm_list = DETECT_SM_LIST_PMATCH;
+ } else {
+ sm_list = SigMatchListSMBelongsTo(s, prev_pm);
+ }
- SigMatch *prev_sm = NULL;
- prev_sm = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, sm->prev,
- DETECT_BYTEJUMP, sm->prev,
- DETECT_PCRE, sm->prev);
- if (prev_sm == NULL)
- return 0;
+ } else {
+ sm_list = DETECT_SM_LIST_PMATCH;
+ }
- DetectContentData *cd = NULL;
- DetectPcreData *pe = NULL;
-
- switch (prev_sm->type) {
- case DETECT_CONTENT:
- /* Set the relative next flag on the prev sigmatch */
- cd = (DetectContentData *)prev_sm->ctx;
- if (cd == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
- "previous keyword!");
- return -1;
- }
- cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
+ "byte_extract with dce enabled");
+ goto error;
+ }
+ s->alproto = ALPROTO_DCERPC;
+ if ((data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) ||
+ (data->base == DETECT_BYTE_EXTRACT_BASE_DEC) ||
+ (data->base == DETECT_BYTE_EXTRACT_BASE_HEX) ||
+ (data->base == DETECT_BYTE_EXTRACT_BASE_OCT) ) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
+ "A byte_jump keyword with dce holds other invalid modifiers.");
+ goto error;
+ }
+ }
- break;
+ SigMatch *prev_bed_sm = SigMatchGetLastSMFromLists(s, 2,
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[sm_list]);
+ if (prev_bed_sm == NULL)
+ data->local_id = 0;
+ else
+ data->local_id = ((DetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1;
+ if (data->local_id > de_ctx->byte_extract_max_local_id)
+ de_ctx->byte_extract_max_local_id = data->local_id;
- case DETECT_PCRE:
- pe = (DetectPcreData *)prev_sm->ctx;
- if (pe == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
- "previous keyword!");
- return -1;
- }
- pe->flags |= DETECT_PCRE_RELATIVE_NEXT;
- break;
+ sm = SigMatchAlloc();
+ if (sm == NULL)
+ goto error;
+ sm->type = DETECT_BYTE_EXTRACT;
+ sm->ctx = (void *)data;
+ SigMatchAppendSMToList(s, sm, sm_list);
- case DETECT_BYTEJUMP:
- SCLogDebug("No setting relative_next for bytejump. We "
- "have no use for it");
- break;
+ if (!(data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE))
+ goto okay;
- default:
- /* this will never hit */
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
- "previous keyword!");
- return -1;
- } /* switch */
+ if (prev_pm == NULL)
+ goto okay;
- return 0;
+ if (prev_pm->type == DETECT_CONTENT) {
+ DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
+ cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else if (prev_pm->type == DETECT_PCRE) {
+ DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
+ pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
-error:
- if (data != NULL)
- DetectByteExtractFree(data);
- if (sm != NULL)
- SCFree(sm);
- return -1;
+ okay:
+ ret = 0;
+ return ret;
+ error:
+ DetectByteExtractFree(data);
+ return ret;
}
/**
bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
- if (bed->local_id != 2) {
+ if (bed->local_id != 1) {
result = 0;
goto end;
}
bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
- if (bed->local_id != 1) {
+ if (bed->local_id != 0) {
result = 0;
goto end;
}
bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
- if (bed1->local_id != 1) {
+ if (bed1->local_id != 0) {
result = 0;
goto end;
}
bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
- if (bed1->local_id != 1) {
+ if (bed1->local_id != 0) {
result = 0;
goto end;
}
if (bed->nbytes != 4 ||
bed->offset != 2 ||
strncmp(bed->name, "two", 3) != 0 ||
- bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING) ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
bed->align_value != 0 ||
int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
{
- DetectBytejumpData *data = NULL;
SigMatch *sm = NULL;
+ SigMatch *prev_pm = NULL;
+ DetectBytejumpData *data = NULL;
char *offset = NULL;
+ int ret = -1;
data = DetectBytejumpParse(optstr, &offset);
if (data == NULL)
goto error;
- sm = SigMatchAlloc();
- if (sm == NULL)
- goto error;
-
- sm->type = DETECT_BYTEJUMP;
- sm->ctx = (void *)data;
-
- /* check bytejump modifiers against the signature alproto. In case they conflict
- * chuck out invalid signature */
- if (data->flags & DETECT_BYTEJUMP_DCE) {
- if (s->alproto != ALPROTO_DCERPC) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
- "bytetest with dce enabled");
- goto error;
- }
- if ( (data->flags & DETECT_BYTEJUMP_STRING) ||
- (data->flags & DETECT_BYTEJUMP_LITTLE) ||
- (data->flags & DETECT_BYTEJUMP_BIG) ||
- (data->flags & DETECT_BYTEJUMP_BEGIN) ||
- (data->base == DETECT_BYTEJUMP_BASE_DEC) ||
- (data->base == DETECT_BYTEJUMP_BASE_HEX) ||
- (data->base == DETECT_BYTEJUMP_BASE_OCT) ) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
- "DCERPC rule holds an invalid modifier for bytejump.");
- goto error;
- }
- s->alproto = ALPROTO_DCERPC;
- }
-
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA ||
- s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
- int sm_list;
+ int sm_list;
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
+ if (data->flags & DETECT_BYTEJUMP_DCE) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "dce bytejump specified "
+ "with file_data option set.");
+ goto error;
+ }
AppLayerHtpEnableResponseBodyCallback();
sm_list = DETECT_SM_LIST_HSBDMATCH;
} else {
sm_list = DETECT_SM_LIST_DMATCH;
}
-
+ s->flags |= SIG_FLAG_APPLAYER;
if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
- SigMatch *prev_sm = NULL;
- prev_sm = SigMatchGetLastSMFromLists(s, 8,
+ prev_pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[sm_list],
- DETECT_BYTETEST, s->sm_lists_tail[sm_list],
- DETECT_BYTEJUMP, s->sm_lists_tail[sm_list],
DETECT_PCRE, s->sm_lists_tail[sm_list]);
- if (prev_sm == NULL) {
- data->flags &= ~DETECT_BYTEJUMP_RELATIVE;
+
+ }
+ } else if (data->flags & DETECT_BYTEJUMP_DCE) {
+ if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
+ prev_pm = SigMatchGetLastSMFromLists(s, 12,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
+ if (prev_pm == NULL) {
+ sm_list = DETECT_SM_LIST_PMATCH;
+ } else {
+ sm_list = SigMatchListSMBelongsTo(s, prev_pm);
}
+ } else {
+ sm_list = DETECT_SM_LIST_PMATCH;
}
+
+ s->alproto = ALPROTO_DCERPC;
s->flags |= SIG_FLAG_APPLAYER;
- SigMatchAppendSMToList(s, sm, sm_list);
+
+ } else if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
+ prev_pm = SigMatchGetLastSMFromLists(s, 168,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ if (prev_pm == NULL) {
+ sm_list = DETECT_SM_LIST_PMATCH;
+ } else {
+ sm_list = SigMatchListSMBelongsTo(s, prev_pm);
+ }
+
} else {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
+ sm_list = DETECT_SM_LIST_PMATCH;
+ }
+
+ if (data->flags & DETECT_BYTEJUMP_DCE) {
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
+ "bytejump with dce enabled");
+ goto error;
+ }
+ if ((data->flags & DETECT_BYTEJUMP_STRING) ||
+ (data->flags & DETECT_BYTEJUMP_LITTLE) ||
+ (data->flags & DETECT_BYTEJUMP_BIG) ||
+ (data->flags & DETECT_BYTEJUMP_BEGIN) ||
+ (data->base == DETECT_BYTEJUMP_BASE_DEC) ||
+ (data->base == DETECT_BYTEJUMP_BASE_HEX) ||
+ (data->base == DETECT_BYTEJUMP_BASE_OCT) ) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
+ "A byte_jump keyword with dce holds other invalid modifiers.");
+ goto error;
+ }
}
if (offset != NULL) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(offset, s,
- SigMatchListSMBelongsTo(s, sm));
+ SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s, sm_list);
if (bed_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in byte_jump - %s\n", offset);
goto error;
}
- DetectBytejumpData *bjd = sm->ctx;
- bjd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- bjd->flags |= DETECT_BYTEJUMP_OFFSET_BE;
+ data->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
+ data->flags |= DETECT_BYTEJUMP_OFFSET_BE;
SCFree(offset);
}
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
- return 0;
- }
-
- if ( !(data->flags & DETECT_BYTEJUMP_RELATIVE)) {
- return(0);
- }
-
- SigMatch *prev_sm = NULL;
- prev_sm = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, sm->prev,
- DETECT_BYTEJUMP, sm->prev,
- DETECT_PCRE, sm->prev);
- if (prev_sm == NULL) {
- return 0;
- }
-
- DetectContentData *cd = NULL;
- DetectPcreData *pe = NULL;
-
- switch (prev_sm->type) {
- case DETECT_CONTENT:
- /* Set the relative next flag on the prev sigmatch */
- cd = (DetectContentData *)prev_sm->ctx;
- if (cd == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
- "previous keyword!");
- return -1;
- }
- cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
-
- break;
-
- case DETECT_PCRE:
- pe = (DetectPcreData *)prev_sm->ctx;
- if (pe == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
- "previous keyword!");
- return -1;
- }
- pe->flags |= DETECT_PCRE_RELATIVE_NEXT;
-
- break;
-
- case DETECT_BYTEJUMP:
- SCLogDebug("No setting relative_next for bytejump. We "
- "have no use for it");
+ sm = SigMatchAlloc();
+ if (sm == NULL)
+ goto error;
+ sm->type = DETECT_BYTEJUMP;
+ sm->ctx = (void *)data;
+ SigMatchAppendSMToList(s, sm, sm_list);
- break;
+ if (!(data->flags & DETECT_BYTEJUMP_RELATIVE))
+ goto okay;
- default:
- /* this will never hit */
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
- "previous keyword!");
- return -1;
- } /* switch */
+ if (prev_pm == NULL)
+ goto okay;
- return 0;
+ if (prev_pm->type == DETECT_CONTENT) {
+ DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
+ cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else if (prev_pm->type == DETECT_PCRE) {
+ DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
+ pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
-error:
- if (data != NULL)
- DetectBytejumpFree(data);
- if (sm != NULL)
- SCFree(sm);
- return -1;
+ okay:
+ ret = 0;
+ return ret;
+ error:
+ DetectBytejumpFree(data);
+ return ret;
}
/**
*/
void DetectBytejumpFree(void *ptr)
{
+ if (ptr == NULL)
+ return;
+
DetectBytejumpData *data = (DetectBytejumpData *)ptr;
SCFree(data);
}
int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
{
- DetectBytetestData *data = NULL;
SigMatch *sm = NULL;
+ SigMatch *prev_pm = NULL;
+ DetectBytetestData *data = NULL;
char *value = NULL;
char *offset = NULL;
+ int ret = -1;
data = DetectBytetestParse(optstr, &value, &offset);
if (data == NULL)
goto error;
- sm = SigMatchAlloc();
- if (sm == NULL)
- goto error;
-
- sm->type = DETECT_BYTETEST;
- sm->ctx = (void *)data;
-
- /* check bytetest modifiers against the signature alproto. In case they conflict
- * chuck out invalid signature */
- if (data->flags & DETECT_BYTETEST_DCE) {
- if (s->alproto != ALPROTO_DCERPC) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
- "bytetest with dce enabled");
- goto error;
- }
- if ( (data->flags & DETECT_BYTETEST_STRING) ||
- (data->flags & DETECT_BYTETEST_LITTLE) ||
- (data->flags & DETECT_BYTETEST_BIG) ||
- (data->base == DETECT_BYTETEST_BASE_DEC) ||
- (data->base == DETECT_BYTETEST_BASE_HEX) ||
- (data->base == DETECT_BYTETEST_BASE_OCT) ) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
- "a byte_test keyword with dce holds other invalid modifiers.");
- goto error;
- }
- s->alproto = ALPROTO_DCERPC;
- }
-
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA ||
- s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
- int sm_list;
+ int sm_list;
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
+ if (data->flags & DETECT_BYTETEST_DCE) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "dce bytetest specified "
+ "with file_data option set.");
+ goto error;
+ }
AppLayerHtpEnableResponseBodyCallback();
sm_list = DETECT_SM_LIST_HSBDMATCH;
} else {
sm_list = DETECT_SM_LIST_DMATCH;
}
-
+ s->flags |= SIG_FLAG_APPLAYER;
if (data->flags & DETECT_BYTETEST_RELATIVE) {
- SigMatch *prev_sm = NULL;
- prev_sm = SigMatchGetLastSMFromLists(s, 8,
+ prev_pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[sm_list],
- DETECT_BYTETEST, s->sm_lists_tail[sm_list],
- DETECT_BYTEJUMP, s->sm_lists_tail[sm_list],
DETECT_PCRE, s->sm_lists_tail[sm_list]);
- if (prev_sm == NULL) {
- data->flags &= ~DETECT_BYTETEST_RELATIVE;
+ }
+
+ } else if (data->flags & DETECT_BYTETEST_DCE) {
+ if (data->flags & DETECT_BYTETEST_RELATIVE) {
+ prev_pm = SigMatchGetLastSMFromLists(s, 12,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
+ if (prev_pm == NULL) {
+ sm_list = DETECT_SM_LIST_PMATCH;
+ } else {
+ sm_list = SigMatchListSMBelongsTo(s, prev_pm);
}
+ } else {
+ sm_list = DETECT_SM_LIST_PMATCH;
}
+
+ s->alproto = ALPROTO_DCERPC;
s->flags |= SIG_FLAG_APPLAYER;
- SigMatchAppendSMToList(s, sm, sm_list);
+
+ } else if (data->flags & DETECT_BYTETEST_RELATIVE) {
+ prev_pm = SigMatchGetLastSMFromLists(s, 168,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ if (prev_pm == NULL) {
+ sm_list = DETECT_SM_LIST_PMATCH;
+ } else {
+ sm_list = SigMatchListSMBelongsTo(s, prev_pm);
+ }
+
} else {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
+ sm_list = DETECT_SM_LIST_PMATCH;
+ }
+
+ if (data->flags & DETECT_BYTETEST_DCE) {
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
+ "bytetest with dce enabled");
+ goto error;
+ }
+ if ((data->flags & DETECT_BYTETEST_STRING) ||
+ (data->flags & DETECT_BYTETEST_LITTLE) ||
+ (data->flags & DETECT_BYTETEST_BIG) ||
+ (data->base == DETECT_BYTETEST_BASE_DEC) ||
+ (data->base == DETECT_BYTETEST_BASE_HEX) ||
+ (data->base == DETECT_BYTETEST_BASE_OCT) ) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
+ "A byte_test keyword with dce holds other invalid modifiers.");
+ goto error;
+ }
}
if (value != NULL) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(value, s,
- SigMatchListSMBelongsTo(s, sm));
+ SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(value, s, sm_list);
if (bed_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in byte_test - %s\n", value);
goto error;
}
- DetectBytetestData *btd = sm->ctx;
- btd->value = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- btd->flags |= DETECT_BYTETEST_VALUE_BE;
+ data->value = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
+ data->flags |= DETECT_BYTETEST_VALUE_BE;
SCFree(value);
}
if (offset != NULL) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(offset, s,
- SigMatchListSMBelongsTo(s, sm));
+ SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s, sm_list);
if (bed_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in byte_test - %s\n", offset);
goto error;
}
- DetectBytetestData *btd = sm->ctx;
- btd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- btd->flags |= DETECT_BYTETEST_OFFSET_BE;
+ data->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
+ data->flags |= DETECT_BYTETEST_OFFSET_BE;
SCFree(offset);
}
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
- return 0;
- }
-
- if ( !(data->flags & DETECT_BYTETEST_RELATIVE)) {
- return 0;
- }
-
- SigMatch *prev_sm = NULL;
- prev_sm = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, sm->prev,
- DETECT_BYTEJUMP, sm->prev,
- DETECT_PCRE, sm->prev);
- if (prev_sm == NULL) {
- return 0;
- }
-
- DetectContentData *cd = NULL;
- DetectPcreData *pe = NULL;
-
- switch (prev_sm->type) {
- case DETECT_CONTENT:
- /* Set the relative next flag on the prev sigmatch */
- cd = (DetectContentData *)prev_sm->ctx;
- if (cd == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
- "previous keyword!");
- return -1;
- }
- cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
-
- break;
-
- case DETECT_PCRE:
- pe = (DetectPcreData *)prev_sm->ctx;
- if (pe == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
- "previous keyword!");
- return -1;
- }
- pe->flags |= DETECT_PCRE_RELATIVE_NEXT;
-
- break;
-
- case DETECT_BYTEJUMP:
- SCLogDebug("No setting relative_next for bytejump. We "
- "have no use for it");
-
- break;
-
- default:
- /* this will never hit */
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
- "previous keyword!");
- return -1;
- } /* switch */
-
- return 0;
-
-error:
- //if (data != NULL)
- // DetectBytetestFree(data);
- //if (sm != NULL)
- // SCFree(sm);
- return -1;
+ sm = SigMatchAlloc();
+ if (sm == NULL)
+ goto error;
+ sm->type = DETECT_BYTETEST;
+ sm->ctx = (void *)data;
+ SigMatchAppendSMToList(s, sm, sm_list);
+
+ if (!(data->flags & DETECT_BYTETEST_RELATIVE))
+ goto okay;
+
+ if (prev_pm == NULL)
+ goto okay;
+ if (prev_pm->type == DETECT_CONTENT) {
+ DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
+ cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else if (prev_pm->type == DETECT_PCRE) {
+ DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
+ pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
+
+ okay:
+ ret = 0;
+ return ret;
+ error:
+ DetectBytetestFree(data);
+ return ret;
}
/**
*/
void DetectBytetestFree(void *ptr)
{
+ if (ptr == NULL)
+ return;
+
DetectBytetestData *data = (DetectBytetestData *)ptr;
SCFree(data);
}
#include "util-unittest-helper.h"
int DetectContentMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
-static int DetectContentSetup (DetectEngineCtx *, Signature *, char *);
+int DetectContentSetup(DetectEngineCtx *, Signature *, char *);
void DetectContentRegisterTests(void);
void DetectContentRegister (void) {
* \retval -1 if error
* \retval 0 if all was ok
*/
-static int DetectContentSetup (DetectEngineCtx *de_ctx, Signature *s, char *contentstr)
+int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, char *contentstr)
{
DetectContentData *cd = NULL;
SigMatch *sm = NULL;
cd = DetectContentParse(contentstr);
- if (cd == NULL) goto error;
-
- sm = SigMatchAlloc();
- if (sm == NULL)
+ if (cd == NULL)
goto error;
-
- sm->type = DETECT_CONTENT;
- sm->ctx = (void *)cd;
- cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_PMATCH);
-
DetectContentPrint(cd);
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
-
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
- cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HSBDMATCH);
- sm->type = DETECT_CONTENT;
-
- /* transfer the sm from the pmatch list to hsbdmatch list */
- SigMatchTransferSigMatchAcrossLists(sm,
- &s->sm_lists[DETECT_SM_LIST_PMATCH],
- &s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- &s->sm_lists[DETECT_SM_LIST_HSBDMATCH],
- &s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
+ int sm_list;
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
+ AppLayerHtpEnableResponseBodyCallback();
+ s->alproto = ALPROTO_HTTP;
+ sm_list = DETECT_SM_LIST_HSBDMATCH;
+ } else {
+ sm_list = DETECT_SM_LIST_DMATCH;
+ }
- /* flag the signature to indicate that we scan the app layer data */
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
-
- /* enable http request body callback in the http app layer parser */
- AppLayerHtpEnableResponseBodyCallback();
- } else if (s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
- cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_DMATCH);
- sm->type = DETECT_CONTENT;
-
- /* transfer the sm from the pmatch list to hsbdmatch list */
- SigMatchTransferSigMatchAcrossLists(sm,
- &s->sm_lists[DETECT_SM_LIST_PMATCH],
- &s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- &s->sm_lists[DETECT_SM_LIST_DMATCH],
- &s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
-
- /* flag the signature to indicate that we scan the app layer data */
s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_DCERPC;
+ } else {
+ sm_list = DETECT_SM_LIST_PMATCH;
}
+ sm = SigMatchAlloc();
+ if (sm == NULL)
+ goto error;
+ sm->ctx = (void *)cd;
+ sm->type = DETECT_CONTENT;
+ cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, sm_list);
+ SigMatchAppendSMToList(s, sm, sm_list);
+
return 0;
error:
- if (cd != NULL)
- DetectContentFree(cd);
- if (sm != NULL)
- SCFree(sm);
+ DetectContentFree(cd);
return -1;
}
int DetectContentDataParse(char *keyword, char *contentstr, char** pstr, uint16_t *plen, int *flags);
DetectContentData *DetectContentParseEncloseQuotes(char *);
+int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, char *contentstr);
void DetectContentPrint(DetectContentData *);
void DetectContentFree(void *);
char *str = depthstr;
char dubbed = 0;
SigMatch *pm = NULL;
- DetectContentData *cd = NULL;
+ int ret = -1;
/* strip "'s */
if (depthstr[0] == '\"' && depthstr[strlen(depthstr) - 1] == '\"') {
str = SCStrdup(depthstr + 1);
if (unlikely(str == NULL))
- goto error;
+ goto end;
str[strlen(depthstr) - 2] = '\0';
dubbed = 1;
}
- pm = SigMatchGetLastSMFromLists(s, 30,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ /* retrive the sm to apply the depth against */
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA)
+ pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
+ else
+ pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
+ } else {
+ pm = SigMatchGetLastSMFromLists(s, 28,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ }
if (pm == NULL) {
SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs "
"preceding content, uricontent option, http_client_body, "
"http_stat_msg, http_stat_code, http_user_agent, "
"http_host, http_raw_host or "
"file_data/dce_stub_data sticky buffer options");
- if (dubbed)
- SCFree(str);
- return -1;
+ goto end;
}
- switch (pm->type) {
- case DETECT_CONTENT:
- cd = (DetectContentData *)pm->ctx;
- if (cd == NULL) {
- SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument");
- if (dubbed) SCFree(str);
- return -1;
- }
-
- if (cd->flags & DETECT_CONTENT_NEGATED) {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
- "negated keyword set along with a fast_pattern");
- goto error;
- }
- } else {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
- "keyword set along with a fast_pattern:only;");
- goto error;
- }
- }
-
- if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a relative keyword "
- "with a non-relative keyword for the same content." );
- goto error;
- }
-
- if (cd->flags & DETECT_CONTENT_DEPTH) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple depths for the same content.");
- goto error;
- }
-
- if (str[0] != '-' && isalpha((unsigned char)str[0])) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(str, s,
- SigMatchListSMBelongsTo(s, pm));
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var "
- "seen in depth - %s\n", str);
- goto error;
- }
- cd->depth = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_DEPTH_BE;
- } else {
- int depth = atoi(str);
- if (depth < 0) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Negative depth "
- "not allowed - %d.", depth);
- goto error;
- }
- if (depth < cd->content_len) {
- uint32_t content_len = cd->content_len;
- SCLogError(SC_ERR_INVALID_SIGNATURE, "depth - %"PRIu16
- " smaller than content length - %"PRIu32,
- cd->depth, content_len);
- goto error;
- }
- cd->depth = depth;
- /* Now update the real limit, as depth is relative to the offset */
- cd->depth += cd->offset;
- }
-
- cd->flags |= DETECT_CONTENT_DEPTH;
-
- break;
+ /* verify other conditions. */
+ DetectContentData *cd = (DetectContentData *)pm->ctx;
- default:
- SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs a preceding "
- "content (or uricontent) option");
- goto error;
+ if (cd->flags & DETECT_CONTENT_DEPTH) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple depths for the same content.");
+ goto end;
}
+ if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a relative "
+ "keyword like within/distance with a absolute "
+ "relative keyword like depth/offset for the same "
+ "content." );
+ goto end;
+ }
+ if (cd->flags & DETECT_CONTENT_NEGATED && cd->flags & DETECT_CONTENT_FAST_PATTERN) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
+ "negated keyword set along with a fast_pattern");
+ goto end;
+ }
+ if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
+ "keyword set along with a fast_pattern:only;");
+ goto end;
+ }
+ if (str[0] != '-' && isalpha((unsigned char)str[0])) {
+ SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s, SigMatchListSMBelongsTo(s, pm));
+ if (bed_sm == NULL) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var "
+ "seen in depth - %s\n", str);
+ goto end;
+ }
+ cd->depth = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
+ cd->flags |= DETECT_CONTENT_DEPTH_BE;
+ } else {
+ cd->depth = (uint32_t)atoi(str);
+ if (cd->depth < cd->content_len) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "depth - %"PRIu16
+ " smaller than content length - %"PRIu32,
+ cd->depth, cd->content_len);
+ goto end;
+ }
+ /* Now update the real limit, as depth is relative to the offset */
+ cd->depth += cd->offset;
+ }
+ cd->flags |= DETECT_CONTENT_DEPTH;
+ ret = 0;
+ end:
if (dubbed)
SCFree(str);
- return 0;
-
-error:
- if (dubbed)
- SCFree(str);
- return -1;
+ return ret;
}
static int DetectDistanceSetup(DetectEngineCtx *, Signature *, char *);
void DetectDistanceRegisterTests(void);
-void DetectDistanceRegister (void) {
+void DetectDistanceRegister(void)
+{
sigmatch_table[DETECT_DISTANCE].name = "distance";
sigmatch_table[DETECT_DISTANCE].desc = "indicates a relation between this content keyword and the content preceding it";
sigmatch_table[DETECT_DISTANCE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Distance";
char *str = distancestr;
char dubbed = 0;
SigMatch *pm = NULL;
+ int ret = -1;
/* strip "'s */
if (distancestr[0] == '\"' && distancestr[strlen(distancestr) - 1] == '\"') {
str = SCStrdup(distancestr + 1);
if (unlikely(str == NULL))
- goto error;
+ goto end;
str[strlen(distancestr) - 2] = '\0';
dubbed = 1;
}
- pm = SigMatchGetLastSMFromLists(s, 30,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ /* retrive the sm to apply the depth against */
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA)
+ pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
+ else
+ pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
+ } else {
+ pm = SigMatchGetLastSMFromLists(s, 28,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ }
if (pm == NULL) {
- SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs "
+ SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "distance needs "
"preceding content, uricontent option, http_client_body, "
- "http_server_body, http_header, http_raw_header, http_method, "
- "http_cookie, http_raw_uri, http_stat_msg, http_stat_code, "
- "http_host, http_raw_host or "
- "http_user_agent or file_data/dce_stub_data option");
- if (dubbed)
- SCFree(str);
- return -1;
+ "http_server_body, http_header option, http_raw_header option, "
+ "http_method option, http_cookie, http_raw_uri, "
+ "http_stat_msg, http_stat_code, http_user_agent or "
+ "file_data/dce_stub_data sticky buffer option");
+ goto end;
}
- DetectContentData *cd = NULL;
- DetectPcreData *pe = NULL;
-
- switch (pm->type) {
- case DETECT_CONTENT:
- cd = (DetectContentData *)pm->ctx;
- if (cd == NULL) {
- SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two "
- "preceding content or uricontent options");
- goto error;
- }
-
- if (cd->flags & DETECT_CONTENT_NEGATED) {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
- "negated keyword set along with a fast_pattern");
- goto error;
- }
- } else {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
- "keyword set along with a fast_pattern:only;");
- goto error;
- }
- }
-
- if ((cd->flags & DETECT_CONTENT_DEPTH) || (cd->flags & DETECT_CONTENT_OFFSET)) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a relative keyword "
- "with a non-relative keyword for the same content." );
- goto error;
- }
-
- if (cd->flags & DETECT_CONTENT_DISTANCE) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple distances with the same content. ");
- goto error;
- }
-
- if (str[0] != '-' && isalpha((unsigned char)str[0])) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(str, s,
- SigMatchListSMBelongsTo(s, pm));
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var "
- "seen in distance - %s\n", str);
- goto error;
- }
- cd->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_DISTANCE_BE;
- } else {
- cd->distance = strtol(str, NULL, 10);
- }
-
- cd->flags |= DETECT_CONTENT_DISTANCE;
-
- pm = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, pm->prev,
- DETECT_PCRE, pm->prev,
- DETECT_BYTEJUMP, pm->prev);
- if (pm != NULL) {
- switch (pm->type) {
- case DETECT_CONTENT:
- /* Set the relative next flag on the prev sigmatch */
- cd = (DetectContentData *)pm->ctx;
- if (cd == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown previous-"
- "previous keyword!");
- goto error;
- }
- cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
-
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "previous keyword "
- "has a fast_pattern:only; set. Can't have "
- "relative keywords around a fast_pattern "
- "only content");
- goto error;
- }
-
- break;
-
- case DETECT_PCRE:
- pe = (DetectPcreData *) pm->ctx;
- if (pe == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown previous-"
- "previous keyword!");
- goto error;
- }
- pe->flags |= DETECT_PCRE_RELATIVE_NEXT;
-
- break;
-
- case DETECT_BYTEJUMP:
- SCLogDebug("no setting relative_next for bytejump. We "
- "have no use for it");
-
- break;
-
- default:
- /* this will never hit */
- SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown previous-"
- "previous keyword!");
- break;
- }
- }
-
- break;
-
- default:
- SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two "
- "preceding content or uricontent options");
- goto error;
+ /* verify other conditions */
+ DetectContentData *cd = (DetectContentData *)pm->ctx;
+ if (cd->flags & DETECT_CONTENT_DISTANCE) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple distances for the same content.");
+ goto end;
+ }
+ if ((cd->flags & DETECT_CONTENT_DEPTH) || (cd->flags & DETECT_CONTENT_OFFSET)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a relative "
+ "keyword like within/distance with a absolute "
+ "relative keyword like depth/offset for the same "
+ "content." );
+ goto end;
+ }
+ if (cd->flags & DETECT_CONTENT_NEGATED && cd->flags & DETECT_CONTENT_FAST_PATTERN) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
+ "negated keyword set along with a fast_pattern");
+ goto end;
}
+ if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
+ "keyword set along with a fast_pattern:only;");
+ goto end;
+ }
+ if (str[0] != '-' && isalpha((unsigned char)str[0])) {
+ SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s, SigMatchListSMBelongsTo(s, pm));
+ if (bed_sm == NULL) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var "
+ "seen in distance - %s\n", str);
+ goto end;
+ }
+ cd->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
+ cd->flags |= DETECT_CONTENT_DISTANCE_BE;
+ } else {
+ cd->distance = strtol(str, NULL, 10);
+ }
+ cd->flags |= DETECT_CONTENT_DISTANCE;
- if (dubbed)
- SCFree(str);
- return 0;
+ SigMatch *prev_pm = SigMatchGetLastSMFromLists(s, 4,
+ DETECT_CONTENT, pm->prev,
+ DETECT_PCRE, pm->prev);
+ if (prev_pm == NULL) {
+ ret = 0;
+ goto end;
+ }
+ if (prev_pm->type == DETECT_CONTENT) {
+ DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
+ if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "previous keyword "
+ "has a fast_pattern:only; set. Can't "
+ "have relative keywords around a fast_pattern "
+ "only content");
+ goto end;
+ }
+ cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else if (prev_pm->type == DETECT_PCRE) {
+ DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
+ pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
-error:
+ ret = 0;
+ end:
if (dubbed)
SCFree(str);
- return -1;
+ return ret;
}
#ifdef UNITTESTS
bd->flags & DETECT_BYTEJUMP_LITTLE ||
bd->flags & DETECT_BYTEJUMP_BIG ||
bd->flags & DETECT_BYTEJUMP_STRING ||
- bd->flags & DETECT_BYTEJUMP_RELATIVE ||
+ !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
bd->flags & DETECT_BYTEJUMP_ALIGN ||
bd->flags & DETECT_BYTEJUMP_DCE ) {
result = 0;
bd->flags & DETECT_BYTEJUMP_LITTLE ||
bd->flags & DETECT_BYTEJUMP_BIG ||
bd->flags & DETECT_BYTEJUMP_STRING ||
- bd->flags & DETECT_BYTEJUMP_RELATIVE ||
+ !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
bd->flags & DETECT_BYTEJUMP_ALIGN ||
bd->flags & DETECT_BYTEJUMP_DCE ) {
result = 0;
}
pd = (DetectPcreData *)sm->ctx;
if ( pd->flags & DETECT_PCRE_RAWBYTES ||
- pd->flags & DETECT_PCRE_RELATIVE) {
+ !(pd->flags & DETECT_PCRE_RELATIVE)) {
result = 0;
printf("one failed\n");
goto end;
}
pd = (DetectPcreData *)sm->ctx;
if ( pd->flags & DETECT_PCRE_RAWBYTES ||
- pd->flags & DETECT_PCRE_RELATIVE) {
+ !(pd->flags & DETECT_PCRE_RELATIVE)) {
result = 0;
goto end;
}
if (bd->flags & DETECT_BYTETEST_LITTLE ||
bd->flags & DETECT_BYTETEST_BIG ||
bd->flags & DETECT_BYTETEST_STRING ||
- bd->flags & DETECT_BYTETEST_RELATIVE ||
+ !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
!(bd->flags & DETECT_BYTETEST_DCE) ) {
result = 0;
printf("one failed\n");
}
isd = (DetectIsdataatData *)sm->ctx;
if ( isd->flags & ISDATAAT_RAWBYTES ||
- isd->flags & ISDATAAT_RELATIVE) {
+ !(isd->flags & ISDATAAT_RELATIVE)) {
result = 0;
goto end;
}
bjd->flags & DETECT_BYTEJUMP_LITTLE ||
bjd->flags & DETECT_BYTEJUMP_BIG ||
bjd->flags & DETECT_BYTEJUMP_STRING ||
- bjd->flags & DETECT_BYTEJUMP_RELATIVE ||
+ !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
!(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
!(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
result = 0;
}
pd = (DetectPcreData *)sm->ctx;
if ( pd->flags & DETECT_PCRE_RAWBYTES ||
- pd->flags & DETECT_PCRE_RELATIVE) {
+ !(pd->flags & DETECT_PCRE_RELATIVE)) {
result = 0;
printf("one failed\n");
goto end;
}
isd = (DetectIsdataatData *)sm->ctx;
if ( isd->flags & ISDATAAT_RAWBYTES ||
- isd->flags & ISDATAAT_RELATIVE) {
+ !(isd->flags & ISDATAAT_RELATIVE)) {
result = 0;
goto end;
}
bjd->flags & DETECT_BYTEJUMP_LITTLE ||
bjd->flags & DETECT_BYTEJUMP_BIG ||
bjd->flags & DETECT_BYTEJUMP_STRING ||
- bjd->flags & DETECT_BYTEJUMP_RELATIVE ||
+ !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
!(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
!(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
result = 0;
if (btd->flags & DETECT_BYTETEST_LITTLE ||
btd->flags & DETECT_BYTETEST_BIG ||
btd->flags & DETECT_BYTETEST_STRING ||
- btd->flags & DETECT_BYTETEST_RELATIVE ||
+ !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
!(btd->flags & DETECT_BYTETEST_DCE) ) {
result = 0;
printf("one failed\n");
*
* \retval id Pattern id.
*/
-uint32_t DetectPatternGetId(MpmPatternIdStore *ht, void *ctx, uint8_t sm_list)
+uint32_t DetectPatternGetId(MpmPatternIdStore *ht, void *ctx, Signature *s, uint8_t sm_list)
{
SCEnter();
r = HashTableLookup(ht->hash, (void *)e, sizeof(MpmPatternIdTableElmt));
if (r == NULL) {
- /* we don't have a duplicate with this pattern + id type. If the id is
- * for content, then it is the first entry for such a
- * pattern + id combination. Let us create an entry for it */
- if (sm_list == DETECT_SM_LIST_PMATCH) {
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ BUG_ON((sm_list != DETECT_SM_LIST_HSBDMATCH) & (sm_list != DETECT_SM_LIST_DMATCH));
e->id = ht->max_id;
ht->max_id++;
id = e->id;
-
int ret = HashTableAdd(ht->hash, e, sizeof(MpmPatternIdTableElmt));
BUG_ON(ret != 0);
-
e = NULL;
-
- /* the id type is not content or uricontent. It would be one of
- * those http_ modifiers against content then */
} else {
- /* we know that this is one of those http_ modifiers against content.
- * So we would have seen a content before coming across this http_
- * modifier. Let's retrieve this content entry that has already
- * been registered. */
- e->sm_list = DETECT_SM_LIST_PMATCH;
- MpmPatternIdTableElmt *tmp_r = HashTableLookup(ht->hash, (void *)e, sizeof(MpmPatternIdTableElmt));
- if (tmp_r == NULL) {
- SCLogError(SC_ERR_FATAL, "How can this happen? We have to have "
- "a content of type DETECT_CONTENT already registered "
- "at this point. Impossible");
- exit(EXIT_FAILURE);
- }
-
- /* we have retrieved the content, and the content registered was the
- * first entry made(dup_count is 1) for that content. Let us just
- * reset the sm_type to the http_ keyword's sm_type */
- if (tmp_r->dup_count == 1) {
- tmp_r->sm_list = sm_list;
- id = tmp_r->id;
-
- /* interestingly we have more than one entry for this content.
- * Out of these tmp_r->dup_count entries, one would be for the content
- * entry made for this http_ modifier. Erase this entry and make
- * a separate entry for the http_ modifier(of course with a new id) */
- } else {
- tmp_r->dup_count--;
- /* reset the sm_type, since we changed it to DETECT_CONTENT prev */
- e->sm_list = sm_list;
+ /* we don't have a duplicate with this pattern + id type. If the id is
+ * for content, then it is the first entry for such a
+ * pattern + id combination. Let us create an entry for it */
+ if (sm_list == DETECT_SM_LIST_PMATCH) {
e->id = ht->max_id;
ht->max_id++;
id = e->id;
-
int ret = HashTableAdd(ht->hash, e, sizeof(MpmPatternIdTableElmt));
BUG_ON(ret != 0);
-
e = NULL;
+
+ /* the id type is not content or uricontent. It would be one of
+ * those http_ modifiers against content then */
+ } else {
+ /* we know that this is one of those http_ modifiers against content.
+ * So we would have seen a content before coming across this http_
+ * modifier. Let's retrieve this content entry that has already
+ * been registered. */
+ e->sm_list = DETECT_SM_LIST_PMATCH;
+ MpmPatternIdTableElmt *tmp_r = HashTableLookup(ht->hash, (void *)e, sizeof(MpmPatternIdTableElmt));
+ if (tmp_r == NULL) {
+ SCLogError(SC_ERR_FATAL, "How can this happen? We have to have "
+ "a content of type DETECT_CONTENT already registered "
+ "at this point. Impossible");
+ exit(EXIT_FAILURE);
+ }
+
+ /* we have retrieved the content, and the content registered was the
+ * first entry made(dup_count is 1) for that content. Let us just
+ * reset the sm_type to the http_ keyword's sm_type */
+ if (tmp_r->dup_count == 1) {
+ tmp_r->sm_list = sm_list;
+ id = tmp_r->id;
+
+ /* interestingly we have more than one entry for this content.
+ * Out of these tmp_r->dup_count entries, one would be for the content
+ * entry made for this http_ modifier. Erase this entry and make
+ * a separate entry for the http_ modifier(of course with a new id) */
+ } else {
+ tmp_r->dup_count--;
+ /* reset the sm_type, since we changed it to DETECT_CONTENT prev */
+ e->sm_list = sm_list;
+ e->id = ht->max_id;
+ ht->max_id++;
+ id = e->id;
+ int ret = HashTableAdd(ht->hash, e, sizeof(MpmPatternIdTableElmt));
+ BUG_ON(ret != 0);
+ e = NULL;
+ }
}
}
} else {
/* oh cool! It is a duplicate for content, uricontent types. Update the
* dup_count and get out */
- if (sm_list == DETECT_SM_LIST_PMATCH) {
+ if ((s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) ||
+ sm_list == DETECT_SM_LIST_PMATCH) {
+ /* we have a duplicate */
r->dup_count++;
id = r->id;
goto end;
uint32_t MpmPatternIdStoreGetMaxId(MpmPatternIdStore *);
uint32_t DetectContentGetId(MpmPatternIdStore *, DetectContentData *);
uint32_t DetectUricontentGetId(MpmPatternIdStore *, DetectContentData *);
-uint32_t DetectPatternGetId(MpmPatternIdStore *, void *, uint8_t);
+uint32_t DetectPatternGetId(MpmPatternIdStore *, void *, Signature *s, uint8_t);
int SignatureHasPacketContent(Signature *);
int SignatureHasStreamContent(Signature *);
*/
int DetectHttpClientBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
- DetectContentData *cd = NULL;
SigMatch *sm = NULL;
+ int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
- SCLogError(SC_ERR_INVALID_ARGUMENT, "http_client_body supplied with args");
- return -1;
+ SCLogError(SC_ERR_INVALID_ARGUMENT, "http_client_body shouldn't be supplied "
+ "with an argument");
+ goto end;
}
- sm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
- /* if still we are unable to find any content previous keywords, it is an
- * invalid rule */
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_client_body\" keyword seen "
+ "with a sticky buffer still set. Reset sticky buffer "
+ "with pkt_data before using the modifier.");
+ goto end;
+ }
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
+ "alproto set");
+ goto end;
+ }
+ s->flags &= ~SIG_FLAG_TOCLIENT;
+ s->flags |= SIG_FLAG_TOSERVER;
+
+ sm = SigMatchGetLastSMFromLists(s, 2,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_client_body\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_client_body\" keyword");
- return -1;
+ goto end;
}
-
- cd = (DetectContentData *)sm->ctx;
-
- /* http_client_body should not be used with the rawbytes rule */
+ DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_client_body rule can not "
"be used with the rawbytes rule keyword");
- return -1;
- }
-
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
- "alproto set");
- goto error;
- }
-
- if (s->flags & SIG_FLAG_TOCLIENT) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_client_body can not be used with flow:to_client or flow:from_server. ");
- goto error;
+ goto end;
}
-
- if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) {
+ if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
- /* pm can be NULL now. To accomodate parsing sigs like -
- * content:one; http_modifier; content:two; distance:0; http_modifier */
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags &= ~ DETECT_PCRE_RELATIVE_NEXT;
+ tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
+ }
- } /* if (pm != NULL) */
-
- /* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]);
- if (pm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_client_body seen with a "
- "distance or within without a previous http_client_body "
- "content. Invalidating signature.");
- goto error;
- }
- if (pm->type == DETECT_PCRE) {
- DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
- } else {
- DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
- tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ if (pm != NULL) {
+ if (pm->type == DETECT_CONTENT) {
+ DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
+ tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else {
+ DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
+ tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
}
}
- cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HCBDMATCH);
- sm->type = DETECT_CONTENT;
+ cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HCBDMATCH);
+ s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ALPROTO_HTTP;
+ AppLayerHtpEnableRequestBodyCallback();
/* transfer the sm from the pmatch list to hcbdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_HCBDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]);
- /* flag the signature to indicate that we scan the app layer data */
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
- /* enable http request body callback in the http app layer parser */
- AppLayerHtpEnableRequestBodyCallback();
-
- return 0;
-
-error:
- //if (cd != NULL)
- // DetectHttpClientBodyFree(cd);
- //if (sm != NULL)
- // SCFree(sm);
-
- return -1;
+ ret = 0;
+ end:
+ return ret;
}
/**
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; within:5; http_client_body; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
/**
* \brief Registration function for keyword: http_cookie
*/
-void DetectHttpCookieRegister (void) {
+void DetectHttpCookieRegister(void)
+{
sigmatch_table[DETECT_AL_HTTP_COOKIE].name = "http_cookie";
sigmatch_table[DETECT_AL_HTTP_COOKIE].desc = "content modifier to match only on the HTTP cookie-buffer";
sigmatch_table[DETECT_AL_HTTP_COOKIE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_cookie";
* \retval -1 On failure
*/
-static int DetectHttpCookieSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
+static int DetectHttpCookieSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
{
- DetectContentData *cd = NULL;
SigMatch *sm = NULL;
+ int ret = -1;
if (str != NULL && strcmp(str, "") != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_cookie shouldn't be supplied "
"with an argument");
- return -1;
+ goto end;
}
- if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- SCLogError(SC_ERR_HTTP_COOKIE_NEEDS_PRECEEDING_CONTENT, "http_cookie "
- "found inside the rule, without any preceding content keywords");
- return -1;
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_cookie\" keyword seen "
+ "with a sticky buffer still set. Reset sticky buffer "
+ "with pkt_data before using the modifier.");
+ goto end;
+ }
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
+ "alproto set");
+ goto end;
}
- sm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
+ sm = SigMatchGetLastSMFromLists(s, 2,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
- SCLogWarning(SC_ERR_HTTP_COOKIE_NEEDS_PRECEEDING_CONTENT, "http_cookie "
- "found inside the rule, without a content context. Please use a "
- "content keyword before using http_cookie");
- return -1;
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_cookie\" keyword "
+ "found inside the rule without a content context. "
+ "Please use a \"content\" keyword before using the "
+ "\"http_cookie\" keyword");
+ goto end;
}
-
- cd = (DetectContentData *)sm->ctx;
-
- /* http_cookie should not be used with the rawbytes rule */
+ DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_HTTP_COOKIE_INCOMPATIBLE_WITH_RAWBYTES, "http_cookie "
"rule can not be used with the rawbytes rule keyword");
- return -1;
- }
-
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains keywords"
- "that conflict with http_cookie");
- goto error;
+ goto end;
}
-
- if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) {
+ if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
- /* pm is never NULL. So no NULL check */
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
- } /* if (pm != NULL) */
+ }
- /* please note. reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_CONTENT,
- s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_PCRE,
- s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]);
- if (pm == NULL) {
- SCLogError(SC_ERR_HTTP_COOKIE_RELATIVE_MISSING, "http_cookie with "
- "a distance or within requires preceding http_cookie "
- "content, but none was found");
- goto error;
- }
- if (pm->type == DETECT_PCRE) {
- DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
- } else {
- DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
- tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]);
+ if (pm != NULL) {
+ if (pm->type == DETECT_CONTENT) {
+ DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
+ tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else {
+ DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
+ tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
}
}
- cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HCDMATCH);
- sm->type = DETECT_CONTENT;
+ cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HCDMATCH);
+ s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to hcdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_HCDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]);
- /* flag the signature to indicate that we scan the app layer data */
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
-
- return 0;
-
-error:
- return -1;
+ ret = 0;
+ end:
+ return ret;
}
/******************************** UNITESTS **********************************/
*/
int DetectHttpHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
- DetectContentData *cd = NULL;
SigMatch *sm = NULL;
+ int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
- SCLogError(SC_ERR_INVALID_ARGUMENT, "http_header supplied with args");
- return -1;
+ SCLogError(SC_ERR_INVALID_ARGUMENT, "http_header shouldn't be supplied with "
+ "an argument");
+ goto end;
+ }
+
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_header\" keyword seen "
+ "with a sticky buffer still set. Reset sticky buffer "
+ "with pkt_data before using the modifier.");
+ goto end;
+ }
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
+ "alproto set");
+ goto end;
}
- sm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
- /* if still we are unable to find any content previous keywords, it is an
- * invalid rule */
+ sm = SigMatchGetLastSMFromLists(s, 2,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_header\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_header\" keyword");
- return -1;
+ goto end;
}
-
- /* cast for further use */
- cd = (DetectContentData *)sm->ctx;
-
- /* http_header should not be used with the rawbytes rule */
+ DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_header rule can not "
"be used with the rawbytes rule keyword");
- return -1;
- }
-
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
- "alproto set");
- goto error;
+ goto end;
}
-
- if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) {
+ if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
- /* pm is never NULL. So no NULL check */
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
- } /* if (pm != NULL) */
+ }
- /* please note. reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_CONTENT,
- s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_PCRE,
- s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]);
-
- if (pm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_header seen with a "
- "distance or within without a previous http_header "
- "content. Invalidating signature.");
- goto error;
- }
- if (pm->type == DETECT_PCRE) {
- DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
- } else {
- DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
- tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]);
+ if (pm != NULL) {
+ if (pm->type == DETECT_CONTENT) {
+ DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
+ tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else {
+ DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
+ tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
}
}
- cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HHDMATCH);
- sm->type = DETECT_CONTENT;
+ cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HHDMATCH);
+ s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to hhdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_HHDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]);
- /* flag the signature to indicate that we scan the app layer data */
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
-
- return 0;
-
-error:
- //if (cd != NULL)
- // DetectHttpHeaderFree(cd);
- //
- //if (sm != NULL)
- // SCFree(sm);
-
- return -1;
+ ret = 0;
+ end:
+ return ret;
}
/************************************Unittests*********************************/
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; within:5; http_header; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
*/
int DetectHttpHHSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
- DetectContentData *cd = NULL;
SigMatch *sm = NULL;
+ int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
- SCLogError(SC_ERR_INVALID_ARGUMENT, "http_host not supplied with args");
- goto error;
+ SCLogError(SC_ERR_INVALID_ARGUMENT, "http_host shouldn't be supplied "
+ "with an argument");
+ goto end;
+ }
+
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_host\" keyword seen "
+ "with a sticky buffer still set. Reset sticky buffer "
+ "with pkt_data before using the modifier.");
+ goto end;
+ }
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
+ "alproto set");
+ goto end;
}
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
- /* if we still can't find any previous content keywords, it's an invalid
- * rule */
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_host\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_host\" keyword");
- goto error;
+ goto end;
}
-
- cd = (DetectContentData *)sm->ctx;
-
- /* http_host should not be used with the rawbytes rule */
+ DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_host rule can not "
- "be used with the rawbytes rule keyword");
- goto error;
- }
-
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
- "alproto set");
- goto error;
- }
-
- if (s->flags & SIG_FLAG_TOCLIENT) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_host can not be used "
- "with flow:to_client or flow:from_server. ");
- goto error;
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "http_host "
+ "rule can not be used with the rawbytes rule keyword");
+ goto end;
}
-
- if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) {
+ if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
- /* pm can be NULL now. To accomodate parsing sigs like -
- * content:one; http_modifier; content:two; distance:0; http_modifier */
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags &= ~ DETECT_PCRE_RELATIVE_NEXT;
+ tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
+ }
- } /* if (pm != NULL) */
-
- /* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]);
- if (pm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_host seen with a "
- "distance or within without a previous http_host "
- "content. Invalidating signature.");
- goto error;
- }
- if (pm->type == DETECT_PCRE) {
- DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
- } else {
- DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
- tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ if (pm != NULL) {
+ if (pm->type == DETECT_CONTENT) {
+ DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
+ tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else {
+ DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
+ tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
}
}
- cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HHHDMATCH);
- sm->type = DETECT_CONTENT;
+ cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HHHDMATCH);
+ s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to hhhdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_HHHDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]);
- /* flag the signature to indicate that we scan the app layer data */
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
-
- return 0;
-
-error:
- return -1;
+ ret = 0;
+ end:
+ return ret;
}
/**
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(content:\"one\"; within:5; http_host; nocase; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
*/
int DetectHttpHRHSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
- DetectContentData *cd = NULL;
SigMatch *sm = NULL;
+ int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
- SCLogError(SC_ERR_INVALID_ARGUMENT, "http_raw_host not supplied with args");
- goto error;
+ SCLogError(SC_ERR_INVALID_ARGUMENT, "http_raw_host shouldn't be supplied "
+ "with an argument");
+ goto end;
+ }
+
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_raw_host\" keyword seen "
+ "with a sticky buffer still set. Reset sticky buffer "
+ "with pkt_data before using the modifier.");
+ goto end;
+ }
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
+ "alproto set");
+ goto end;
}
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
- /* if we still can't find any previous content keywords, it's an invalid
- * rule */
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_raw_host\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_raw_host\" keyword");
- goto error;
+ goto end;
}
-
- cd = (DetectContentData *)sm->ctx;
-
- /* http_raw_host should not be used with the rawbytes rule */
+ DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_host rule can not "
- "be used with the rawbytes rule keyword");
- goto error;
- }
-
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
- "alproto set");
- goto error;
- }
-
- if (s->flags & SIG_FLAG_TOCLIENT) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_host can not be used "
- "with flow:to_client or flow:from_server. ");
- goto error;
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_host "
+ "rule can not be used with the rawbytes rule keyword");
+ goto end;
}
-
- if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) {
+ if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
- /* pm can be NULL now. To accomodate parsing sigs like -
- * content:one; http_modifier; content:two; distance:0; http_modifier */
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags &= ~ DETECT_PCRE_RELATIVE_NEXT;
+ tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
+ }
- } /* if (pm != NULL) */
-
- /* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
- if (pm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_host seen with a "
- "distance or within without a previous http_raw_host "
- "content. Invalidating signature.");
- goto error;
- }
- if (pm->type == DETECT_PCRE) {
- DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
- } else {
- DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
- tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ if (pm != NULL) {
+ if (pm->type == DETECT_CONTENT) {
+ DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
+ tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else {
+ DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
+ tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
}
}
- cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HRHHDMATCH);
- sm->type = DETECT_CONTENT;
+ cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HRHHDMATCH);
+ s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to hrhhdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_HRHHDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
- /* flag the signature to indicate that we scan the app layer data */
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
-
- return 0;
-
-error:
- return -1;
+ ret = 0;
+ end:
+ return ret;
}
/**
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(content:\"one\"; within:5; http_raw_host; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
static int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
{
SCEnter();
- DetectContentData *cd = NULL;
+ SigMatch *sm = NULL;
+ int ret = -1;
if ((str != NULL) && (strcmp(str, "") != 0)) {
- SCLogError(SC_ERR_INVALID_ARGUMENT, "http_method does not take an argument");
- SCReturnInt(-1);
+ SCLogError(SC_ERR_INVALID_ARGUMENT, "http_method shouldn't be supplied "
+ "with an argument");
+ goto end;
}
- if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- SCLogError(SC_ERR_HTTP_METHOD_NEEDS_PRECEEDING_CONTENT, "http_method "
- "modifies preceding \"content\", but none was found");
- SCReturnInt(-1);
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_method\" keyword seen "
+ "with a sticky buffer still set. Reset sticky buffer "
+ "with pkt_data before using the modifier.");
+ goto end;
}
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
+ "alproto set");
+ goto end;
+ }
+ s->flags &= ~SIG_FLAG_TOCLIENT;
+ s->flags |= SIG_FLAG_TOSERVER;
- SigMatch *sm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
+ sm = SigMatchGetLastSMFromLists(s, 2,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
- SCLogError(SC_ERR_HTTP_METHOD_NEEDS_PRECEEDING_CONTENT, "http_method "
- "modifies preceding \"content\", but none was found");
- SCReturnInt(-1);
+ SCLogError(SC_ERR_HTTP_METHOD_NEEDS_PRECEEDING_CONTENT,
+ "\"http_method\" keyword found inside the rule without "
+ "a content context. Please use a \"content\" keyword "
+ "before using the \"http_cookie\" keyword");
+ goto end;
}
-
- cd = (DetectContentData *)sm->ctx;
-
+ DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_HTTP_METHOD_INCOMPATIBLE_WITH_RAWBYTES, "http_method "
- "cannot be used with \"rawbytes\"");
- SCReturnInt(-1);
- }
-
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains keywords"
- "that conflict with http_method");
- goto error;
+ "cannot be used with \"rawbytes\"");
+ goto end;
}
-
- if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) {
+ if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
- /* pm is never NULL. So no NULL check */
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
- } /* if (pm != NULL) */
+ }
- /* please note. reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_CONTENT,
- s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_PCRE,
- s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]);
- if (pm == NULL) {
- SCLogError(SC_ERR_HTTP_METHOD_RELATIVE_MISSING, "http_method with "
- "a distance or within requires preceding http_method "
- "content, but none was found");
- goto error;
- }
- if (pm->type == DETECT_PCRE) {
- DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
- } else {
- DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
- tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]);
+ if (pm != NULL) {
+ if (pm->type == DETECT_CONTENT) {
+ DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
+ tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else {
+ DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
+ tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
}
}
- cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HMDMATCH);
- sm->type = DETECT_CONTENT;
+ cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HMDMATCH);
+ s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to hmdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_HMDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]);
- /* flag the signature to indicate that we scan the app layer data */
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
-
- SCReturnInt(0);
-
-error:
- SCReturnInt(-1);
+ ret = 0;
+ end:
+ SCReturnInt(ret);
}
/**
*/
int DetectHttpRawHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
- DetectContentData *cd = NULL;
SigMatch *sm = NULL;
+ int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
- SCLogError(SC_ERR_INVALID_ARGUMENT, "http_raw_header supplied with no args");
- return -1;
+ SCLogError(SC_ERR_INVALID_ARGUMENT, "http_raw_header shouldn't be supplied with "
+ "an argument");
+ goto end;
+ }
+
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_rheader\" keyword seen "
+ "with a sticky buffer still set. Reset sticky buffer "
+ "with pkt_data before using the modifier.");
+ goto end;
+ }
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
+ "alproto set");
+ goto end;
}
- sm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
- /* if still we are unable to find any previous content keywords, it is an
- * invalid rule */
+ sm = SigMatchGetLastSMFromLists(s, 2,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_raw_header\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_header\" keyword");
- return -1;
+ goto end;
}
-
- cd = (DetectContentData *)sm->ctx;
-
- /* http_header should not be used with the rawbytes rule */
+ DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_header rule can not "
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_header rule can not "
"be used with the rawbytes rule keyword");
- return -1;
- }
-
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
- "alproto set");
- goto error;
+ goto end;
}
-
- if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) {
+ if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
- /* pm is never NULL. So no NULL check */
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
- } /* if (pm != NULL) */
+ }
- /* please note. reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_CONTENT,
- s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_PCRE,
- s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]);
- if (pm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_header seen with a "
- "distance or within without a previous http_raw_header "
- "content. Invalidating signature.");
- goto error;
- }
- if (pm->type == DETECT_PCRE) {
- DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
- } else {
- DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
- tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]);
+ if (pm != NULL) {
+ if (pm->type == DETECT_CONTENT) {
+ DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
+ tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else {
+ DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
+ tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
}
}
- cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HRUDMATCH);
- sm->type = DETECT_CONTENT;
+ cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HRUDMATCH);
+ s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to hrhdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_HRHDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]);
- /* flag the signature to indicate that we scan the app layer data */
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
-
- return 0;
-
-error:
- //if (cd != NULL)
- // DetectHttpRawHeaderFree(cd);
- //if (sm != NULL)
- // SCFree(sm);
-
- return -1;
+ ret = 0;
+ end:
+ return ret;
}
/************************************Unittests*********************************/
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; within:5; http_raw_header; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
*/
static int DetectHttpRawUriSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
- DetectContentData *cd = NULL;
SigMatch *sm = NULL;
+ int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_raw_uri shouldn't be "
"supplied with an argument");
- goto error;
+ goto end;
+ }
+
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_uri\" keyword seen "
+ "with a sticky buffer still set. Reset sticky buffer "
+ "with pkt_data before using the modifier.");
+ goto end;
+ }
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
+ "alproto set");
+ goto end;
}
+ s->flags &= ~SIG_FLAG_TOCLIENT;
+ s->flags |= SIG_FLAG_TOSERVER;
+ /* retrieve the content to apply it against */
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_raw_uri\" keyword");
- goto error;
+ goto end;
}
-
- cd = (DetectContentData *)sm->ctx;
-
- /* http_raw_uri should not be used with the rawbytes rule */
+ DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_uri rule can not "
"be used with the rawbytes rule keyword");
- goto error;
- }
-
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
- "alproto set");
- goto error;
+ goto end;
}
-
- if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) {
+ if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
- /* pm can be NULL now. To accomodate parsing sigs like -
- * content:one; http_modifier; content:two; distance:0; http_modifier */
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
- } /* if (pm != NULL) */
+ }
- /* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_CONTENT,
- s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_PCRE,
- s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]);
- if (pm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "rawuricontent seen with a "
- "distance or within without a previous http_raw_uri "
- "content. Invalidating signature.");
- goto error;
- }
- if (pm->type == DETECT_PCRE) {
- DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
- } else {
- DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
- tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]);
+ if (pm != NULL) {
+ if (pm->type == DETECT_CONTENT) {
+ DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
+ tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else {
+ DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
+ tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
}
}
- cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HRUDMATCH);
- sm->type = DETECT_CONTENT;
+ cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HRUDMATCH);
+ /* Flagged the signature as to inspect the app layer data */
+ s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to hrudmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_HRUDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]);
- /* Flagged the signature as to inspect the app layer data */
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
+ ret = 0;
- return 0;
-
-error:
- return -1;
+ end:
+ return ret;
}
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; within:5; http_raw_uri; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
*/
int DetectHttpServerBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
- DetectContentData *cd = NULL;
SigMatch *sm = NULL;
+ int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
- SCLogError(SC_ERR_INVALID_ARGUMENT, "http_server_body supplied with args");
- return -1;
+ SCLogError(SC_ERR_INVALID_ARGUMENT, "http_server_body shouldn't be supplied with "
+ "an argument");
+ goto end;
}
- sm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
- /* if still we are unable to find any content previous keywords, it is an
- * invalid rule */
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_server_body\" keyword seen "
+ "with a sticky buffer still set. Reset sticky buffer "
+ "with pkt_data before using the modifier.");
+ goto end;
+ }
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
+ "alproto set");
+ goto end;
+ }
+ s->flags &= ~SIG_FLAG_TOSERVER;
+ s->flags |= SIG_FLAG_TOCLIENT;
+
+ sm = SigMatchGetLastSMFromLists(s, 2,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_server_body\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_server_body\" keyword");
- return -1;
+ goto end;
}
-
- cd = (DetectContentData *)sm->ctx;
-
- /* http_server_body should not be used with the rawbytes rule */
+ DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_server_body rule can not "
"be used with the rawbytes rule keyword");
- return -1;
- }
- if ((s->init_flags & SIG_FLAG_INIT_FLOW) && (s->flags & SIG_FLAG_TOSERVER) && !(s->flags & SIG_FLAG_TOCLIENT)) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_server_body cannot be used with flow:to_server or from_client");
- return -1;
- }
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
- "alproto set");
- goto error;
+ goto end;
}
-
- if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) {
+ if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
- /* pm can be NULL now. To accomodate parsing sigs like -
- * content:one; http_modifier; content:two; distance:0; http_modifier */
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags &= ~ DETECT_PCRE_RELATIVE_NEXT;
+ tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
+ }
- } /* if (pm != NULL) */
-
- /* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
- if (pm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_server_body seen with a "
- "distance or within without a previous http_server_body "
- "content. Invalidating signature.");
- goto error;
- }
- if (pm->type == DETECT_PCRE) {
- DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
- } else {
- DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
- tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ if (pm != NULL) {
+ if (pm->type == DETECT_CONTENT) {
+ DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
+ tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else {
+ DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
+ tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
}
}
- cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HSBDMATCH);
- sm->type = DETECT_CONTENT;
+ cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HSBDMATCH);
+ s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ALPROTO_HTTP;
+ AppLayerHtpEnableResponseBodyCallback();
/* transfer the sm from the pmatch list to hsbdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_HSBDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
- /* flag the signature to indicate that we scan the app layer data */
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
-
- /* enable http request body callback in the http app layer parser */
- AppLayerHtpEnableResponseBodyCallback();
-
- return 0;
-
-error:
- //if (cd != NULL)
- // DetectHttpServerBodyFree(cd);
- //if (sm != NULL)
- // SCFree(sm);
-
- return -1;
+ ret = 0;
+ end:
+ return ret;
}
/**
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; within:5; http_server_body; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
* \retval -1 On failure
*/
-static int DetectHttpStatCodeSetup (DetectEngineCtx *de_ctx, Signature *s, char *arg)
+static int DetectHttpStatCodeSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
- DetectContentData *cd = NULL;
SigMatch *sm = NULL;
+ int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
- SCLogError(SC_ERR_INVALID_ARGUMENT, "http_stat_code supplied with args");
- return -1;
+ SCLogError(SC_ERR_INVALID_ARGUMENT, "http_stat_code shouldn't be supplied with "
+ "an argument");
+ goto end;
+ }
+
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_stat_code\" keyword seen "
+ "with a sticky buffer still set. Reset sticky buffer "
+ "with pkt_data before using the modifier.");
+ goto end;
+ }
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
+ "alproto set");
+ goto end;
}
+ s->flags &= ~SIG_FLAG_TOSERVER;
+ s->flags |= SIG_FLAG_TOCLIENT;
- sm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
- /* if still we are unable to find any content previous keywords, it is an
- * invalid rule */
+ sm = SigMatchGetLastSMFromLists(s, 2,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_stat_code\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_stat_code\" keyword");
- return -1;
+ goto end;
}
-
- cd = (DetectContentData *)sm->ctx;
-
- /* http_stat_msg should not be used with the rawbytes rule */
+ DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_stat_code rule can not "
"be used with the rawbytes rule keyword");
- return -1;
- }
-
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
- "alproto set");
- goto error;
+ goto end;
}
-
- if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) {
+ if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
- /* pm can be NULL now. To accomodate parsing sigs like -
- * content:one; http_modifier; content:two; distance:0; http_modifier */
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags &= ~ DETECT_PCRE_RELATIVE_NEXT;
+ tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
+ }
- } /* if (pm != NULL) */
-
- /* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]);
- if (pm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_stat_code seen with a "
- "distance or within without a previous http_stat_code "
- "content. Invalidating signature.");
- goto error;
- }
- if (pm->type == DETECT_PCRE) {
- DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
- } else {
- DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
- tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ if (pm != NULL) {
+ if (pm->type == DETECT_CONTENT) {
+ DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
+ tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else {
+ DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
+ tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
}
}
- cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HSCDMATCH);
- sm->type = DETECT_CONTENT;
+ cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HSCDMATCH);
+ s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to hcbdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_HSCDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]);
- /* flag the signature to indicate that we scan the app layer data */
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
-
- return 0;
-
-error:
-
- return -1;
+ ret = 0;
+ end:
+ return ret;
}
#ifdef UNITTESTS
int DetectHttpStatMsgMatch (ThreadVars *, DetectEngineThreadCtx *,
Flow *, uint8_t , void *, Signature *,
SigMatch *);
-static int DetectHttpStatMsgSetup (DetectEngineCtx *, Signature *, char *);
+static int DetectHttpStatMsgSetup(DetectEngineCtx *, Signature *, char *);
void DetectHttpStatMsgRegisterTests(void);
void DetectHttpStatMsgFree(void *);
* \retval -1 On failure
*/
-static int DetectHttpStatMsgSetup (DetectEngineCtx *de_ctx, Signature *s, char *arg)
+static int DetectHttpStatMsgSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
- DetectContentData *cd = NULL;
SigMatch *sm = NULL;
+ int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
- SCLogError(SC_ERR_INVALID_ARGUMENT, "http_stat_msg supplied with args");
- return -1;
+ SCLogError(SC_ERR_INVALID_ARGUMENT, "http_stat_msg shouldn't be supplied with "
+ "an argument");
+ goto end;
+ }
+
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_stat_msg\" keyword seen "
+ "with a sticky buffer still set. Reset sticky buffer "
+ "with pkt_data before using the modifier.");
+ goto end;
+ }
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
+ "alproto set");
+ goto end;
}
+ s->flags &= ~SIG_FLAG_TOSERVER;
+ s->flags |= SIG_FLAG_TOCLIENT;
- sm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
- /* if still we are unable to find any content previous keywords, it is an
- * invalid rule */
+ sm = SigMatchGetLastSMFromLists(s, 2,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_stat_msg\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_stat_msg\" keyword");
- return -1;
+ goto end;
}
-
- cd = (DetectContentData *)sm->ctx;
-
- /* http_stat_msg should not be used with the rawbytes rule */
+ DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_stat_msg rule can not "
"be used with the rawbytes rule keyword");
- return -1;
- }
-
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
- "alproto set");
- goto error;
+ goto end;
}
-
- if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) {
+ if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
- /* pm can be NULL now. To accomodate parsing sigs like -
- * content:one; http_modifier; content:two; distance:0; http_modifier */
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags &= ~ DETECT_PCRE_RELATIVE_NEXT;
+ tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
+ }
- } /* if (pm != NULL) */
-
- /* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]);
- if (pm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_stat_msg seen with a "
- "distance or within without a previous http_stat_msg "
- "content. Invalidating signature.");
- goto error;
- }
- if (pm->type == DETECT_PCRE) {
- DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
- } else {
- DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
- tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ if (pm != NULL) {
+ if (pm->type == DETECT_CONTENT) {
+ DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
+ tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else {
+ DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
+ tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
}
}
- cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HSMDMATCH);
- sm->type = DETECT_CONTENT;
+ cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HSMDMATCH);
+ s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to hcbdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_HSMDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]);
- /* flag the signature to indicate that we scan the app layer data */
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
-
- return 0;
-
-error:
-
- return -1;
+ ret = 0;
+ end:
+ return ret;
}
#ifdef UNITTESTS
*/
int DetectHttpUASetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
- DetectContentData *cd = NULL;
SigMatch *sm = NULL;
+ int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
- SCLogError(SC_ERR_INVALID_ARGUMENT, "http_user_agent supplied with args");
- goto error;
+ SCLogError(SC_ERR_INVALID_ARGUMENT, "http_user_agent shouldn't be supplied "
+ "with an argument");
+ goto end;
}
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_user_agent\" keyword seen "
+ "with a sticky buffer still set. Reset sticky buffer "
+ "with pkt_data before using the modifier.");
+ goto end;
+ }
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
+ "alproto set");
+ goto end;
+ }
+ s->flags &= ~SIG_FLAG_TOCLIENT;
+ s->flags |= SIG_FLAG_TOSERVER;
+
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
- /* if we still can't find any previous content keywords, it's an invalid
- * rule */
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_user_agent\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_user_agent\" keyword");
- goto error;
+ goto end;
}
-
- cd = (DetectContentData *)sm->ctx;
-
- /* http_user_agent should not be used with the rawbytes rule */
+ DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_user_agent rule can not "
"be used with the rawbytes rule keyword");
- goto error;
- }
-
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
- "alproto set");
- goto error;
- }
-
- if (s->flags & SIG_FLAG_TOCLIENT) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_user_agent can not be used "
- "with flow:to_client or flow:from_server. ");
- goto error;
+ goto end;
}
-
- if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) {
+ if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
- /* pm can be NULL now. To accomodate parsing sigs like -
- * content:one; http_modifier; content:two; distance:0; http_modifier */
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags &= ~ DETECT_PCRE_RELATIVE_NEXT;
+ tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
+ }
- } /* if (pm != NULL) */
-
- /* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]);
- if (pm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_user_agent seen with a "
- "distance or within without a previous http_user_agent "
- "content. Invalidating signature.");
- goto error;
- }
- if (pm->type == DETECT_PCRE) {
- DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
- tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
- } else {
- DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
- tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ if (pm != NULL) {
+ if (pm->type == DETECT_CONTENT) {
+ DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
+ tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else {
+ DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
+ tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
}
}
- cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HUADMATCH);
- sm->type = DETECT_CONTENT;
+ cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HUADMATCH);
+ s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to huadmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_HUADMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]);
- /* flag the signature to indicate that we scan the app layer data */
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
-
- return 0;
-
-error:
- return -1;
+ ret = 0;
+ end:
+ return ret;
}
/**
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(content:\"one\"; within:5; http_user_agent; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
#include "detect-uricontent.h"
#include "stream-tcp.h"
-static int DetectHttpUriSetup (DetectEngineCtx *, Signature *, char *);
+int DetectHttpUriSetup (DetectEngineCtx *, Signature *, char *);
void DetectHttpUriRegisterTests(void);
/**
* \retval -1 On failure
*/
-static int DetectHttpUriSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
+int DetectHttpUriSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
{
- DetectContentData *cd = NULL;
SigMatch *sm = NULL;
+ int ret = -1;
if (str != NULL && strcmp(str, "") != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_uri shouldn't be supplied with "
- " an argument");
- return -1;
+ "an argument");
+ goto end;
+ }
+
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_uri\" keyword seen "
+ "with a sticky buffer still set. Reset sticky buffer "
+ "with pkt_data before using the modifier.");
+ goto end;
+ }
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
+ "alproto set");
+ goto end;
}
+ s->flags &= ~SIG_FLAG_TOCLIENT;
+ s->flags |= SIG_FLAG_TOSERVER;
- sm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
+ sm = SigMatchGetLastSMFromLists(s, 2,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_uri\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_uri\" keyword");
- return -1;
+ goto end;
}
-
- cd = (DetectContentData *)sm->ctx;
-
- /* http_uri should not be used with the rawbytes rule */
+ DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_uri rule can not "
"be used with the rawbytes rule keyword");
- return -1;
- }
-
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
- "alproto set");
- goto error;
+ goto end;
}
-
- if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) {
+ if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
- /* pm can be NULL now. To accomodate parsing sigs like -
- * content:one; http_modifier; content:two; distance:0; http_modifier */
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
- } /* if (pm != NULL) */
-
- /* reassigning pm */
- pm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]);
- if (pm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "uricontent seen with a "
- "distance or within without a previous http_uri "
- "content. Invalidating signature.");
- goto error;
}
- DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
- tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+
+ pm = SigMatchGetLastSMFromLists(s, 4,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]);
+ if (pm != NULL) {
+ if (pm->type == DETECT_CONTENT) {
+ DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
+ tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else {
+ DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
+ tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
+ }
}
- cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_UMATCH);
- sm->type = DETECT_CONTENT;
+ cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_UMATCH);
+ s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ALPROTO_HTTP;
- /* transfer the sm from the pmatch list to hcbdmatch list */
+ /* transfer the sm from the pmatch list to umatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_UMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_UMATCH]);
- /* Flagged the signature as to inspect the app layer data */
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
-
- return 0;
+ ret = 0;
-error:
- return -1;
+ end:
+ return ret;
}
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; within:5; http_uri; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
/**
* \brief Registration function for isdataat: keyword
*/
-void DetectIsdataatRegister (void) {
+void DetectIsdataatRegister(void)
+{
sigmatch_table[DETECT_ISDATAAT].name = "isdataat";
sigmatch_table[DETECT_ISDATAAT].desc = "check if there is still data at a specific part of the payload";
sigmatch_table[DETECT_ISDATAAT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Isadataat";
*/
int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatstr)
{
- DetectIsdataatData *idad = NULL;
SigMatch *sm = NULL;
SigMatch *prev_pm = NULL;
+ DetectIsdataatData *idad = NULL;
char *offset = NULL;
+ int ret = -1;
idad = DetectIsdataatParse(isdataatstr, &offset);
if (idad == NULL)
- goto error;
-
- sm = SigMatchAlloc();
- if (sm == NULL)
- goto error;
-
- sm->type = DETECT_ISDATAAT;
- sm->ctx = (void *)idad;
+ goto end;
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
- int sm_list;
+ int sm_list;
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
AppLayerHtpEnableResponseBodyCallback();
+ s->alproto = ALPROTO_HTTP;
sm_list = DETECT_SM_LIST_HSBDMATCH;
} else {
sm_list = DETECT_SM_LIST_DMATCH;
}
-
+ s->flags |= SIG_FLAG_APPLAYER;
if (idad->flags & ISDATAAT_RELATIVE) {
- s->flags |= SIG_FLAG_APPLAYER;
- SigMatchAppendSMToList(s, sm, sm_list);
- prev_pm = SigMatchGetLastSMFromLists(s, 10,
+ prev_pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[sm_list],
- DETECT_PCRE, s->sm_lists_tail[sm_list],
- DETECT_BYTEJUMP, s->sm_lists_tail[sm_list],
- DETECT_BYTE_EXTRACT, s->sm_lists_tail[sm_list],
- DETECT_BYTETEST, s->sm_lists_tail[sm_list]);
- if (prev_pm == NULL) {
- SCLogDebug("No preceding content or pcre keyword. Possible "
- "since this is a file_data sig.");
- if (offset != NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
- "seen in isdataat - %s", offset);
- goto error;
- }
- idad->flags &= ~ISDATAAT_RELATIVE;
- return 0;
- }
+ DETECT_PCRE, s->sm_lists_tail[sm_list]);
}
+ } else if (idad->flags & ISDATAAT_RELATIVE) {
+ prev_pm = SigMatchGetLastSMFromLists(s, 168,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ if (prev_pm == NULL)
+ sm_list = DETECT_SM_LIST_PMATCH;
+ else
+ sm_list = SigMatchListSMBelongsTo(s, prev_pm);
} else {
- if (!(idad->flags & ISDATAAT_RELATIVE)) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
- if (offset != NULL) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(offset, s,
- SigMatchListSMBelongsTo(s, sm));
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
- "seen in isdataat - %s\n", offset);
- goto error;
- }
- DetectIsdataatData *isdd = sm->ctx;
- isdd->dataat = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- isdd->flags |= ISDATAAT_OFFSET_BE;
- SCFree(offset);
- }
- return 0;
- }
- prev_pm = SigMatchGetLastSMFromLists(s, 66,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]);
- if (prev_pm == NULL) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
- if (offset != NULL) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(offset, s,
- SigMatchListSMBelongsTo(s, sm));
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
- "seen in isdataat - %s\n", offset);
- goto error;
- }
- DetectIsdataatData *isdd = sm->ctx;
- isdd->dataat = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- isdd->flags |= ISDATAAT_OFFSET_BE;
- SCFree(offset);
- }
- SCReturnInt(0);
- } else {
- int list_type = SigMatchListSMBelongsTo(s, prev_pm);
- if (list_type == -1) {
- goto error;
- }
-
- SigMatchAppendSMToList(s, sm, list_type);
- } /* else - if (prev_pm == NULL) */
+ sm_list = DETECT_SM_LIST_PMATCH;
}
if (offset != NULL) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(offset, s,
- SigMatchListSMBelongsTo(s, sm));
+ SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s, sm_list);
if (bed_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in isdataat - %s\n", offset);
- goto error;
+ goto end;
}
- DetectIsdataatData *isdd = sm->ctx;
- isdd->dataat = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- isdd->flags |= ISDATAAT_OFFSET_BE;
+ idad->dataat = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
+ idad->flags |= ISDATAAT_OFFSET_BE;
SCFree(offset);
}
- DetectContentData *cd = NULL;
- DetectPcreData *pe = NULL;
-
- switch (prev_pm->type) {
- case DETECT_CONTENT:
- /* Set the relative next flag on the prev sigmatch */
- cd = (DetectContentData *)prev_pm->ctx;
- if (cd == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
- "previous keyword!");
- return -1;
- }
- cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
-
- break;
-
- case DETECT_PCRE:
- pe = (DetectPcreData *)prev_pm->ctx;
- if (pe == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
- "previous keyword!");
- return -1;
- }
- pe->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ sm = SigMatchAlloc();
+ if (sm == NULL)
+ goto end;
+ sm->type = DETECT_ISDATAAT;
+ sm->ctx = (void *)idad;
+ SigMatchAppendSMToList(s, sm, sm_list);
- break;
+ if (!(idad->flags & ISDATAAT_RELATIVE)) {
+ ret = 0;
+ goto end;
+ }
- case DETECT_BYTEJUMP:
- case DETECT_BYTETEST:
- case DETECT_BYTE_EXTRACT:
- SCLogDebug("Do nothing for byte_jump, byte_test, byte_extract");
- break;
+ if (prev_pm == NULL) {
+ ret = 0;
+ goto end;
+ }
- default:
- /* this will never hit */
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
- "previous keyword!");
- return -1;
- } /* switch */
+ if (prev_pm->type == DETECT_CONTENT) {
+ DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
+ cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else if (prev_pm->type == DETECT_PCRE) {
+ DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
+ pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
- return 0;
+ ret = 0;
-error:
- return -1;
+end:
+ return ret;
}
/**
}
data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx;
- if ( (data->flags & ISDATAAT_RELATIVE) ||
+ if ( !(data->flags & ISDATAAT_RELATIVE) ||
(data->flags & ISDATAAT_RAWBYTES) ||
!(data->flags & ISDATAAT_NEGATED) ) {
goto end;
static int DetectNocaseSetup (DetectEngineCtx *, Signature *, char *);
-void DetectNocaseRegister (void) {
+void DetectNocaseRegister(void)
+{
sigmatch_table[DETECT_NOCASE].name = "nocase";
sigmatch_table[DETECT_NOCASE].desc = "modify content match to be case insensitive";
sigmatch_table[DETECT_NOCASE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Nocase";
{
SCEnter();
+ SigMatch *pm = NULL;
+ int ret = -1;
+
if (nullstr != NULL) {
SCLogError(SC_ERR_INVALID_VALUE, "nocase has value");
- SCReturnInt(-1);
+ goto end;
}
- /* Search for the first previous SigMatch that supports nocase */
- SigMatch *pm = SigMatchGetLastSMFromLists(s, 30,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ /* retrive the sm to apply the depth against */
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA)
+ pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
+ else
+ pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
+ } else {
+ pm = SigMatchGetLastSMFromLists(s, 28,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ }
if (pm == NULL) {
- SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "\"nocase\" needs a preceding "
- "content, uricontent, http_client_body, http_server_body, "
- "http_header, http_method, http_uri, http_cookie, "
- "http_raw_uri, http_stat_msg, http_stat_code, "
- "http_user_agent, http_host or http_raw_host option or "
- "file_data/dce_stub_data sticky buffer option");
- SCReturnInt(-1);
+ SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "nocase needs "
+ "preceding content, uricontent option, http_client_body, "
+ "http_server_body, http_header option, http_raw_header option, "
+ "http_method option, http_cookie, http_raw_uri, "
+ "http_stat_msg, http_stat_code, http_user_agent or "
+ "file_data/dce_stub_data sticky buffer options");
+ goto end;
}
- DetectContentData *cd = NULL;
-
- switch (pm->type) {
- case DETECT_CONTENT:
- cd = (DetectContentData *)pm->ctx;
- if (cd == NULL) {
- SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument");
- SCReturnInt(-1);
- }
- if (cd->flags & DETECT_CONTENT_NOCASE) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple nocase modifiers with the same content");
- SCReturnInt(-1);
- }
- cd->flags |= DETECT_CONTENT_NOCASE;
- /* Recreate the context with nocase chars */
- BoyerMooreCtxToNocase(cd->bm_ctx, cd->content, cd->content_len);
- break;
- /* should never happen */
- default:
- SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "\"nocase\" needs a preceding "
- "content, uricontent, http_client_body, http_server_body, "
- "http_header, http_method, http_uri, http_cookie or "
- "http_raw_uri option");
- SCReturnInt(-1);
- break;
+
+ /* verify other conditions. */
+ DetectContentData *cd = (DetectContentData *)pm->ctx;;
+
+ if (cd->flags & DETECT_CONTENT_NOCASE) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple nocase modifiers with the same content");
+ goto end;
}
+ cd->flags |= DETECT_CONTENT_NOCASE;
+ /* Recreate the context with nocase chars */
+ BoyerMooreCtxToNocase(cd->bm_ctx, cd->content, cd->content_len);
- SCReturnInt(0);
+ ret = 0;
+ end:
+ SCReturnInt(ret);
}
#include "util-debug.h"
-static int DetectOffsetSetup (DetectEngineCtx *, Signature *, char *);
+static int DetectOffsetSetup(DetectEngineCtx *, Signature *, char *);
void DetectOffsetRegister (void) {
sigmatch_table[DETECT_OFFSET].name = "offset";
char *str = offsetstr;
char dubbed = 0;
SigMatch *pm = NULL;
+ int ret = -1;
/* strip "'s */
- if (offsetstr[0] == '\"' && offsetstr[strlen(offsetstr)-1] == '\"') {
+ if (offsetstr[0] == '\"' && offsetstr[strlen(offsetstr)-1] == '\"') {
str = SCStrdup(offsetstr+1);
if (unlikely(str == NULL))
- goto error;
- str[strlen(offsetstr)-2] = '\0';
+ goto end;
+ str[strlen(offsetstr) - 2] = '\0';
dubbed = 1;
}
- pm = SigMatchGetLastSMFromLists(s, 30,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ /* retrive the sm to apply the depth against */
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA)
+ pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
+ else
+ pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
+ } else {
+ pm = SigMatchGetLastSMFromLists(s, 28,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ }
if (pm == NULL) {
SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs "
"preceding content, uricontent option, http_client_body, "
- "http_header, http_raw_header, http_method, "
- "http_cookie, http_raw_uri, http_stat_msg, "
- "http_stat_code, http_user_agent or "
- "file_data/dce_stub_data sticky buffers");
- if (dubbed)
- SCFree(str);
- return -1;
+ "http_server_body, http_header option, http_raw_header option, "
+ "http_method option, http_cookie, http_raw_uri, "
+ "http_stat_msg, http_stat_code, http_user_agent or "
+ "file_data/dce_stub_data sticky buffer options");
+ goto end;
}
- DetectContentData *cd = NULL;
- switch (pm->type) {
- case DETECT_CONTENT:
- cd = (DetectContentData *)pm->ctx;
- if (cd == NULL) {
- SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument");
- if (dubbed)
- SCFree(str);
- return -1;
- }
- if (cd->flags & DETECT_CONTENT_NEGATED) {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
- "negated keyword set along with a fast_pattern");
- goto error;
- }
- } else {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
- "keyword set along with a fast_pattern:only;");
- goto error;
- }
- }
-
- if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a relative keyword "
- "with a non-relative keyword for the same content." );
- goto error;
- }
+ /* verify other conditions */
+ DetectContentData *cd = (DetectContentData *)pm->ctx;
- if (cd->flags & DETECT_CONTENT_OFFSET) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple offsets for the same content. ");
- goto error;
- }
-
- if (str[0] != '-' && isalpha((unsigned char)str[0])) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(str, s,
- SigMatchListSMBelongsTo(s, pm));
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var "
- "seen in offset - %s\n", str);
- goto error;
- }
- cd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_OFFSET_BE;
- } else {
- cd->offset = (uint32_t)atoi(str);
- if (cd->depth != 0) {
- if (cd->depth < cd->content_len) {
- SCLogDebug("depth increased to %"PRIu32" to match pattern len",
- cd->content_len);
- cd->depth = cd->content_len;
- }
- /* Updating the depth as is relative to the offset */
- cd->depth += cd->offset;
- }
+ if (cd->flags & DETECT_CONTENT_OFFSET) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple offsets for the same content. ");
+ goto end;
+ }
+ if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a relative "
+ "keyword like within/distance with a absolute "
+ "relative keyword like depth/offset for the same "
+ "content." );
+ goto end;
+ }
+ if (cd->flags & DETECT_CONTENT_NEGATED && cd->flags & DETECT_CONTENT_FAST_PATTERN) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
+ "negated keyword set along with a fast_pattern");
+ goto end;
+ }
+ if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
+ "keyword set along with a fast_pattern:only;");
+ goto end;
+ }
+ if (str[0] != '-' && isalpha((unsigned char)str[0])) {
+ SigMatch *bed_sm =
+ DetectByteExtractRetrieveSMVar(str, s, SigMatchListSMBelongsTo(s, pm));
+ if (bed_sm == NULL) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var "
+ "seen in offset - %s\n", str);
+ goto end;
+ }
+ cd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
+ cd->flags |= DETECT_CONTENT_OFFSET_BE;
+ } else {
+ cd->offset = (uint32_t)atoi(str);
+ if (cd->depth != 0) {
+ if (cd->depth < cd->content_len) {
+ SCLogDebug("depth increased to %"PRIu32" to match pattern len",
+ cd->content_len);
+ cd->depth = cd->content_len;
}
-
- cd->flags |= DETECT_CONTENT_OFFSET;
-
- break;
-
- default:
- SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs a preceding"
- " content keyword");
- goto error;
+ /* Updating the depth as is relative to the offset */
+ cd->depth += cd->offset;
+ }
}
+ cd->flags |= DETECT_CONTENT_OFFSET;
+ ret = 0;
+ end:
if (dubbed)
SCFree(str);
- return 0;
-
-error:
- if (dubbed)
- SCFree(str);
- return -1;
+ return ret;
}
}
}
+ uint32_t sig_flags = 0;
+ if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL ||
+ s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
+ s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
+ s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL ||
+ s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL) {
+ sig_flags |= SIG_FLAG_TOSERVER;
+ }
+ if (s->sm_lists[DETECT_SM_LIST_HSBDMATCH] != NULL ||
+ s->sm_lists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
+ s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL) {
+ sig_flags |= SIG_FLAG_TOCLIENT;
+ }
+ if ((sig_flags & (SIG_FLAG_TOCLIENT | SIG_FLAG_TOSERVER)) == (SIG_FLAG_TOCLIENT | SIG_FLAG_TOSERVER)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE,"You seem to have mixed keywords "
+ "that require inspection in both directions. Atm we only "
+ "support keywords in one direction within a rule.");
+ SCReturnInt(0);
+ }
+
if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) {
if ((s->flags & (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) == (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) {
SCLogError(SC_ERR_INVALID_SIGNATURE,"http_raw_header signature "
SCEnter();
DetectPcreData *pd = NULL;
SigMatch *sm = NULL;
- SigMatch *prev_sm = NULL;
+ int ret = -1;
pd = DetectPcreParse(de_ctx, regexstr);
if (pd == NULL)
goto error;
-
- if ((pd->flags & DETECT_PCRE_HTTP_CLIENT_BODY) && (s->init_flags & SIG_FLAG_INIT_FLOW)
- && (s->flags & SIG_FLAG_TOCLIENT) && !(s->flags & SIG_FLAG_TOSERVER)) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Can't use pcre /P with flow:from_server or flow:to_client");
- goto error;
- }
- if (((pd->flags & DETECT_PCRE_URI) || (pd->flags & DETECT_PCRE_HTTP_RAW_URI))
- && (s->init_flags & SIG_FLAG_INIT_FLOW) && (s->flags & SIG_FLAG_TOCLIENT) && !(s->flags & SIG_FLAG_TOSERVER)) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Can't use pcre /U or /I with flow:from_server or flow:to_client");
- goto error;
- }
-
- /* check pcre modifiers against the signature alproto. In case they conflict
- * chuck out invalid signature */
- switch (s->alproto) {
- case ALPROTO_DCERPC:
- if ( (pd->flags & DETECT_PCRE_URI) ||
- (pd->flags & DETECT_PCRE_METHOD) ||
- (pd->flags & DETECT_PCRE_HEADER) ||
- (pd->flags & DETECT_PCRE_RAW_HEADER) ||
- (pd->flags & DETECT_PCRE_COOKIE) ||
- (pd->flags & DETECT_PCRE_HTTP_STAT_MSG) ||
- (pd->flags & DETECT_PCRE_HTTP_STAT_CODE) ||
- (pd->flags & DETECT_PCRE_HTTP_CLIENT_BODY) ||
- (pd->flags & DETECT_PCRE_HTTP_SERVER_BODY) ||
- (pd->flags & DETECT_PCRE_HTTP_RAW_URI) ||
- (pd->flags & DETECT_PCRE_HTTP_USER_AGENT) ||
- (pd->flags & DETECT_PCRE_HTTP_HOST) ||
- (pd->flags & DETECT_PCRE_HTTP_RAW_HOST) ) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
- "DCERPC rule has pcre keyword with http related modifier.");
- goto error;
- }
- break;
-
- default:
- break;
- }
-
pd = DetectPcreParseCapture(regexstr, de_ctx, pd);
if (pd == NULL)
goto error;
- sm = SigMatchAlloc();
- if (sm == NULL)
- goto error;
-
- sm->type = DETECT_PCRE;
- sm->ctx = (void *)pd;
-
- if (pd->flags & DETECT_PCRE_HEADER) {
- SCLogDebug("Header inspection modifier set");
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
-
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HHDMATCH);
- } else if (pd->flags & DETECT_PCRE_RAW_HEADER) {
- SCLogDebug("Raw header inspection modifier set");
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
-
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRHDMATCH);
- } else if (pd->flags & DETECT_PCRE_COOKIE) {
- //sm->type = DETECT_PCRE_HTTPCOOKIE;
-
- SCLogDebug("Cookie inspection modifier set");
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
-
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCDMATCH);
- } else if (pd->flags & DETECT_PCRE_HTTP_USER_AGENT) {
- SCLogDebug("User-Agent inspection modifier set on pcre");
+ if ((pd->flags & DETECT_PCRE_URI) ||
+ (pd->flags & DETECT_PCRE_METHOD) ||
+ (pd->flags & DETECT_PCRE_HEADER) ||
+ (pd->flags & DETECT_PCRE_RAW_HEADER) ||
+ (pd->flags & DETECT_PCRE_COOKIE) ||
+ (pd->flags & DETECT_PCRE_HTTP_STAT_MSG) ||
+ (pd->flags & DETECT_PCRE_HTTP_STAT_CODE) ||
+ (pd->flags & DETECT_PCRE_HTTP_CLIENT_BODY) ||
+ (pd->flags & DETECT_PCRE_HTTP_SERVER_BODY) ||
+ (pd->flags & DETECT_PCRE_HTTP_RAW_URI) ||
+ (pd->flags & DETECT_PCRE_HTTP_USER_AGENT) ||
+ (pd->flags & DETECT_PCRE_HTTP_HOST) ||
+ (pd->flags & DETECT_PCRE_HTTP_RAW_HOST)) {
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains "
- "conflicting keywords.");
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
+ "Conflicting alprotos detected for this rule. Http "
+ "pcre modifier found along with a different protocol "
+ "for the rule.");
goto error;
}
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
-
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HUADMATCH);
- } else if (pd->flags & DETECT_PCRE_HTTP_HOST) {
- SCLogDebug("Host inspection modifier set on pcre");
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains "
- "conflicting keywords.");
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre found with http "
+ "modifier set, with file_data/dce_stub_data sticky "
+ "option set.");
goto error;
}
+ }
+
+ int sm_list;
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
+ SCLogDebug("adding to http server body list because of file data");
+ s->flags |= SIG_FLAG_APPLAYER;
+ AppLayerHtpEnableResponseBodyCallback();
+ sm_list = DETECT_SM_LIST_HSBDMATCH;
+ } else if (s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
+ SCLogDebug("adding to dmatch list because of dce_stub_data");
+ s->flags |= SIG_FLAG_APPLAYER;
+ sm_list = DETECT_SM_LIST_DMATCH;
+ } else if (pd->flags & DETECT_PCRE_URI) {
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
-
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HHHDMATCH);
- } else if (pd->flags & DETECT_PCRE_HTTP_RAW_HOST) {
- SCLogDebug("Raw Host inspection modifier set on pcre");
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains "
- "conflicting keywords.");
- goto error;
- }
+ sm_list = DETECT_SM_LIST_UMATCH;
+ } else if (pd->flags & DETECT_PCRE_HTTP_RAW_URI) {
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
-
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRHHDMATCH);
- } else if (pd->flags & DETECT_PCRE_METHOD) {
- //sm->type = DETECT_PCRE_HTTPMETHOD;
-
- SCLogDebug("Method inspection modifier set");
+ sm_list = DETECT_SM_LIST_HRUDMATCH;
+ } else if (pd->flags & DETECT_PCRE_HEADER) {
+ SCLogDebug("Header inspection modifier set");
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
-
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HMDMATCH);
+ sm_list = DETECT_SM_LIST_HHDMATCH;
+ } else if (pd->flags & DETECT_PCRE_RAW_HEADER) {
+ SCLogDebug("Raw header inspection modifier set");
+ s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ALPROTO_HTTP;
+ sm_list = DETECT_SM_LIST_HRHDMATCH;
} else if (pd->flags & DETECT_PCRE_HTTP_CLIENT_BODY) {
SCLogDebug("Request body inspection modifier set");
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
AppLayerHtpEnableRequestBodyCallback();
-
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCBDMATCH);
+ sm_list = DETECT_SM_LIST_HCBDMATCH;
} else if (pd->flags & DETECT_PCRE_HTTP_SERVER_BODY) {
SCLogDebug("Response body inspection modifier set");
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
+ sm_list = DETECT_SM_LIST_HSBDMATCH;
AppLayerHtpEnableResponseBodyCallback();
-
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
- } else if (pd->flags & DETECT_PCRE_URI) {
+ } else if (pd->flags & DETECT_PCRE_HTTP_HOST) {
+ SCLogDebug("Host inspection modifier set on pcre");
s->flags |= SIG_FLAG_APPLAYER;
-
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting"
- " keywords.");
- goto error;
- }
-
s->alproto = ALPROTO_HTTP;
-
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH);
- } else if (pd->flags & DETECT_PCRE_HTTP_RAW_URI) {
+ sm_list = DETECT_SM_LIST_HHHDMATCH;
+ } else if (pd->flags & DETECT_PCRE_HTTP_RAW_HOST) {
+ SCLogDebug("Raw Host inspection modifier set on pcre");
s->flags |= SIG_FLAG_APPLAYER;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting"
- " keywords.");
- goto error;
- }
s->alproto = ALPROTO_HTTP;
-
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRUDMATCH);
+ sm_list = DETECT_SM_LIST_HRHHDMATCH;
} else if (pd->flags & DETECT_PCRE_HTTP_STAT_MSG) {
s->flags |= SIG_FLAG_APPLAYER;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting"
- " keywords.");
- goto error;
- }
s->alproto = ALPROTO_HTTP;
-
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSMDMATCH);
+ sm_list = DETECT_SM_LIST_HSMDMATCH;
} else if (pd->flags & DETECT_PCRE_HTTP_STAT_CODE) {
s->flags |= SIG_FLAG_APPLAYER;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting"
- " keywords.");
- goto error;
- }
s->alproto = ALPROTO_HTTP;
-
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSCDMATCH);
+ sm_list = DETECT_SM_LIST_HSCDMATCH;
+ } else if (pd->flags & DETECT_PCRE_COOKIE) {
+ SCLogDebug("Cookie inspection modifier set");
+ s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ALPROTO_HTTP;
+ sm_list = DETECT_SM_LIST_HCDMATCH;
+ } else if (pd->flags & DETECT_PCRE_METHOD) {
+ SCLogDebug("Method inspection modifier set");
+ s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ALPROTO_HTTP;
+ sm_list = DETECT_SM_LIST_HMDMATCH;
+ } else if (pd->flags & DETECT_PCRE_HTTP_USER_AGENT) {
+ SCLogDebug("User-Agent inspection modifier set on pcre");
+ s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ALPROTO_HTTP;
+ sm_list = DETECT_SM_LIST_HUADMATCH;
} else {
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
- SCLogDebug("adding to http server body list because of file data");
- s->flags |= SIG_FLAG_APPLAYER;
- AppLayerHtpEnableResponseBodyCallback();
-
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
- } else if (s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
- SCLogDebug("adding to dmatch list because of dce_stub_data");
- s->flags |= SIG_FLAG_APPLAYER;
- AppLayerHtpEnableResponseBodyCallback();
-
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
- } else {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
- }
- }
-
- if (!(pd->flags & DETECT_PCRE_RELATIVE)) {
- SCReturnInt(0);
- }
-
- prev_sm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_CONTENT, sm->prev,
- DETECT_PCRE, sm->prev);
- if (prev_sm == NULL) {
- pd->flags &= ~DETECT_PCRE_RELATIVE;
- SCReturnInt(0);
+ sm_list = DETECT_SM_LIST_PMATCH;
}
- DetectContentData *cd = NULL;
- DetectPcreData *pe = NULL;
-
- switch (prev_sm->type) {
- case DETECT_CONTENT:
- /* Set the relative next flag on the prev sigmatch */
- cd = (DetectContentData *)prev_sm->ctx;
- if (cd == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "content not setup properly");
- SCReturnInt(-1);
- }
- cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
-
- break;
-
- case DETECT_PCRE:
- pe = (DetectPcreData *) prev_sm->ctx;
- if (pe == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre not setup properly");
- SCReturnInt(-1);
- }
- pe->flags |= DETECT_PCRE_RELATIVE_NEXT;
-
- break;
-
- default:
- /* this will never hit */
- SCLogError(SC_ERR_INVALID_SIGNATURE, "prev sigmatch has unknown type: %"PRIu16,
- prev_sm->type);
- SCReturnInt(-1);
- break;
- } /* switch (prev_sm->type) */
-
- SCReturnInt(0);
-
-error:
- if (pd != NULL)
- DetectPcreFree(pd);
- if (sm != NULL)
- SCFree(sm);
-
- SCReturnInt(-1);
+ sm = SigMatchAlloc();
+ if (sm == NULL)
+ goto error;
+ sm->type = DETECT_PCRE;
+ sm->ctx = (void *)pd;
+ SigMatchAppendSMToList(s, sm, sm_list);
+
+ if (!(pd->flags & DETECT_PCRE_RELATIVE))
+ goto okay;
+
+ SigMatch *prev_pm = SigMatchGetLastSMFromLists(s, 4,
+ DETECT_CONTENT, sm->prev,
+ DETECT_PCRE, sm->prev);
+ if (prev_pm == NULL)
+ goto okay;
+ if (prev_pm->type == DETECT_CONTENT) {
+ DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
+ cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else if (prev_pm->type == DETECT_PCRE) {
+ DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
+ pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
+
+ okay:
+ ret = 0;
+ SCReturnInt(ret);
+ error:
+ DetectPcreFree(pd);
+ SCReturnInt(ret);
}
void DetectPcreFree(void *ptr) {
+ if (ptr == NULL)
+ return;
+
DetectPcreData *pd = (DetectPcreData *)ptr;
if (pd->capname != NULL)
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE);
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
if (data->flags & DETECT_PCRE_RAWBYTES ||
- data->flags & DETECT_PCRE_RELATIVE ||
+ !(data->flags & DETECT_PCRE_RELATIVE) ||
data->flags & DETECT_PCRE_URI) {
result = 0;
goto end;
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE);
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
if (data->flags & DETECT_PCRE_RAWBYTES ||
- data->flags & DETECT_PCRE_RELATIVE ||
+ !(data->flags & DETECT_PCRE_RELATIVE) ||
data->flags & DETECT_PCRE_URI) {
result = 0;
goto end;
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE);
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
if (!(data->flags & DETECT_PCRE_RAWBYTES) ||
- data->flags & DETECT_PCRE_RELATIVE ||
+ !(data->flags & DETECT_PCRE_RELATIVE) ||
data->flags & DETECT_PCRE_URI) {
result = 0;
goto end;
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx;
if (data->flags & DETECT_PCRE_RAWBYTES ||
- data->flags & DETECT_PCRE_RELATIVE ||
+ !(data->flags & DETECT_PCRE_RELATIVE) ||
data->flags & DETECT_PCRE_URI) {
printf("flags not right: ");
goto end;
SigMatch *sm = NULL;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting"
- " keywords.");
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains "
+ "conflicting keywords.");
goto error;
}
if (cd == NULL)
goto error;
- /* Okay so far so good, lets get this into a SigMatch
- * and put it in the Signature. */
sm = SigMatchAlloc();
if (sm == NULL)
goto error;
sm->type = DETECT_CONTENT;
sm->ctx = (void *)cd;
- cd->id = DetectUricontentGetId(de_ctx->mpm_pattern_id_store, cd);
-
/* Flagged the signature as to inspect the app layer data */
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
+ cd->id = DetectUricontentGetId(de_ctx->mpm_pattern_id_store, cd);
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH);
SCReturnInt(0);
s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
"\" Test uricontent\"; "
- "uricontent:\"me\"; sid:1;)");
+ "content:\"me\"; uricontent:\"me\"; sid:1;)");
if (s == NULL) {
goto end;
}
DetectUrilenData *urilend = NULL;
SigMatch *sm = NULL;
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
+ "alproto set");
+ goto error;
+ }
+
urilend = DetectUrilenParse(urilenstr);
if (urilend == NULL)
goto error;
-
sm = SigMatchAlloc();
if (sm == NULL)
goto error;
-
sm->type = DETECT_AL_URILEN;
sm->ctx = (void *)urilend;
else
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH);
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
- "alproto set");
- goto error;
- }
-
/* Flagged the signature as to inspect the app layer data */
s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ALPROTO_HTTP;
SCReturnInt(0);
error:
- if (urilend != NULL) DetectUrilenFree(urilend);
- if (sm != NULL) SCFree(sm);
+ DetectUrilenFree(urilend);
SCReturnInt(-1);
}
*/
void DetectUrilenFree(void *ptr)
{
+ if (ptr != NULL)
+ return;
+
DetectUrilenData *urilend = (DetectUrilenData *)ptr;
SCFree(urilend);
}
#include "detect-pcre.h"
#include "util-unittest.h"
-static int DetectWithinSetup (DetectEngineCtx *, Signature *, char *);
+static int DetectWithinSetup(DetectEngineCtx *, Signature *, char *);
void DetectWithinRegisterTests(void);
-void DetectWithinRegister (void) {
+void DetectWithinRegister(void)
+{
sigmatch_table[DETECT_WITHIN].name = "within";
sigmatch_table[DETECT_WITHIN].desc = "indicate that this content match has to be within a certain distance of the previous content keyword match";
sigmatch_table[DETECT_WITHIN].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Within";
* \retval 0 ok
* \retval -1 error, sig needs to be invalidated
*/
-static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withinstr)
+static int DetectWithinSetup(DetectEngineCtx *de_ctx, Signature *s, char *withinstr)
{
char *str = withinstr;
char dubbed = 0;
SigMatch *pm = NULL;
+ int ret = -1;
/* strip "'s */
if (withinstr[0] == '\"' && withinstr[strlen(withinstr)-1] == '\"') {
str = SCStrdup(withinstr+1);
if (unlikely(str == NULL))
- goto error;
- str[strlen(withinstr)-2] = '\0';
+ goto end;
+ str[strlen(withinstr) - 2] = '\0';
dubbed = 1;
}
- pm = SigMatchGetLastSMFromLists(s, 30,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ /* retrive the sm to apply the depth against */
+ if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA)
+ pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
+ else
+ pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
+ } else {
+ pm = SigMatchGetLastSMFromLists(s, 28,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ }
if (pm == NULL) {
- SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "\"within\" requires "
- "preceding content, uricontent, http_client_body, "
- "http_server_body, http_header, http_raw_header, "
- "http_method, http_cookie, http_raw_uri, "
- "http_stat_msg, http_stat_code or http_user_agent "
- "option");
- if (dubbed)
- SCFree(str);
- return -1;
+ SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "within needs "
+ "preceding content, uricontent option, http_client_body, "
+ "http_server_body, http_header option, http_raw_header option, "
+ "http_method option, http_cookie, http_raw_uri, "
+ "http_stat_msg, http_stat_code, http_user_agent or "
+ "file_data/dce_stub_data sticky buffer option");
+ goto end;
}
- DetectContentData *cd = NULL;
- DetectPcreData *pe = NULL;
-
- switch (pm->type) {
- case DETECT_CONTENT:
- cd = (DetectContentData *)pm->ctx;
- if (cd == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "content error");
- goto error;
- }
-
- if (cd->flags & DETECT_CONTENT_NEGATED) {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
- "negated keyword set along with a fast_pattern");
- goto error;
- }
- } else {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
- "keyword set along with a fast_pattern:only");
- goto error;
- }
- }
-
- if ((cd->flags & DETECT_CONTENT_DEPTH) || (cd->flags & DETECT_CONTENT_OFFSET)) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a relative keyword "
- "with a non-relative keyword for the same content" );
- goto error;
- }
-
- if (str[0] != '-' && isalpha((unsigned char)str[0])) {
- SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(str, s,
- SigMatchListSMBelongsTo(s, pm));
- if (bed_sm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var "
- "seen in within - %s\n", str);
- goto error;
- }
- cd->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
- cd->flags |= DETECT_CONTENT_WITHIN_BE;
- } else {
- cd->within = strtol(str, NULL, 10);
- if (cd->within < (int32_t)cd->content_len) {
- SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is "
- "less than the content length \"%"PRIu32"\" which is invalid, since "
- "this will never match. Invalidating signature", cd->within,
- cd->content_len);
- goto error;
- }
- }
-
- cd->flags |= DETECT_CONTENT_WITHIN;
-
- pm = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, pm->prev,
- DETECT_PCRE, pm->prev,
- DETECT_BYTEJUMP, pm->prev);
- if (pm != NULL) {
- switch (pm->type) {
- case DETECT_CONTENT:
- /* Set the relative next flag on the prev sigmatch */
- cd = (DetectContentData *)pm->ctx;
- if (cd == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "content error");
- goto error;
- }
- cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
-
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "previous keyword "
- "has a fast_pattern:only; set. Can't "
- "have relative keywords around a fast_pattern "
- "only content");
- goto error;
- }
-
- break;
-
- case DETECT_PCRE:
- pe = (DetectPcreData *) pm->ctx;
- if (pe == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre error");
- goto error;
- }
- pe->flags |= DETECT_PCRE_RELATIVE_NEXT;
-
- break;
-
- case DETECT_BYTEJUMP:
- SCLogDebug("no setting relative_next for bytejump. We "
- "have no use for it");
-
- break;
-
- default:
- /* this will never hit */
- SCLogError(SC_ERR_INVALID_SIGNATURE, "unsupported type %d", pm->type);
- break;
- }
- }
- break;
-
- default:
- SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs two "
- "preceding content or uricontent options");
- goto error;
+ /* verify other conditions */
+ DetectContentData *cd = (DetectContentData *)pm->ctx;
+ if (cd->flags & DETECT_CONTENT_WITHIN) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple withins for the same content.");
+ goto end;
+ }
+ if ((cd->flags & DETECT_CONTENT_DEPTH) || (cd->flags & DETECT_CONTENT_OFFSET)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a relative "
+ "keyword like within/distance with a absolute "
+ "relative keyword like depth/offset for the same "
+ "content." );
+ goto end;
+ }
+ if (cd->flags & DETECT_CONTENT_NEGATED && cd->flags & DETECT_CONTENT_FAST_PATTERN) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
+ "negated keyword set along with a fast_pattern");
+ goto end;
+ }
+ if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
+ "keyword set along with a fast_pattern:only;");
+ goto end;
+ }
+ if (str[0] != '-' && isalpha((unsigned char)str[0])) {
+ SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s, SigMatchListSMBelongsTo(s, pm));
+ if (bed_sm == NULL) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var "
+ "seen in within - %s\n", str);
+ goto end;
+ }
+ cd->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
+ cd->flags |= DETECT_CONTENT_WITHIN_BE;
+ } else {
+ cd->within = strtol(str, NULL, 10);
+ if (cd->within < (int32_t)cd->content_len) {
+ SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is "
+ "less than the content length \"%"PRIu32"\" which is invalid, since "
+ "this will never match. Invalidating signature", cd->within,
+ cd->content_len);
+ goto end;
+ }
+ }
+ cd->flags |= DETECT_CONTENT_WITHIN;
+
+ /* these are the only ones against which we set a flag. We have other
+ * relative keywords like byttest, isdataat, bytejump, but we don't
+ * set a flag against them */
+ SigMatch *prev_pm = SigMatchGetLastSMFromLists(s, 4,
+ DETECT_CONTENT, pm->prev,
+ DETECT_PCRE, pm->prev);
+ if (prev_pm == NULL) {
+ ret = 0;
+ goto end;
+ }
+ if (prev_pm->type == DETECT_CONTENT) {
+ DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
+ if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "previous keyword "
+ "has a fast_pattern:only; set. Can't "
+ "have relative keywords around a fast_pattern "
+ "only content");
+ goto end;
+ }
+ cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else if (prev_pm->type == DETECT_PCRE) {
+ DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
+ pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
}
+ ret = 0;
+ end:
if (dubbed)
SCFree(str);
- return 0;
-
-error:
- if (dubbed)
- SCFree(str);
- return -1;
+ return ret;
}
/***********************************Unittests**********************************/
projects / thirdparty / suricata.git / commitdiff
