/* check bytetest modifiers against the signature alproto. In case they conflict
* chuck out invalid signature */
- if ((data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) &&
- (s->alproto != ALPROTO_DCERPC)) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
- "bytetest with dce enabled");
- goto error;
+ if ((data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE)) {
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
+ "bytetest with dce enabled");
+ goto error;
+ }
+ s->alproto = ALPROTO_DCERPC;
}
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA ||
+ s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
+ int sm_list;
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
+ AppLayerHtpEnableResponseBodyCallback();
+ sm_list = DETECT_SM_LIST_HSBDMATCH;
+ } else {
+ sm_list = DETECT_SM_LIST_DMATCH;
+ }
+
if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
SigMatch *prev_sm = NULL;
prev_sm = SigMatchGetLastSMFromLists(s, 8,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
+ DETECT_CONTENT, s->sm_lists_tail[sm_list],
+ DETECT_BYTETEST, s->sm_lists_tail[sm_list],
+ DETECT_BYTEJUMP, s->sm_lists_tail[sm_list],
+ DETECT_PCRE, s->sm_lists_tail[sm_list]);
if (prev_sm == NULL) {
data->flags &= ~DETECT_BYTE_EXTRACT_FLAG_RELATIVE;
}
-
- s->flags |= SIG_FLAG_APPLAYER;
- AppLayerHtpEnableResponseBodyCallback();
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
- } else {
- s->flags |= SIG_FLAG_APPLAYER;
- AppLayerHtpEnableResponseBodyCallback();
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
- }
- } else if (s->alproto == ALPROTO_DCERPC &&
- (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE)) {
- SigMatch *pm = NULL;
- SigMatch *dm = NULL;
-
- pm = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
- dm = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
-
- if (pm == NULL) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
- } else if (dm == NULL) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
- } else if (pm->idx > dm->idx) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
- } else {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
}
+ s->flags |= SIG_FLAG_APPLAYER;
+ SigMatchAppendSMToList(s, sm, sm_list);
} else {
if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
SigMatch *pm =
- SigMatchGetLastSMFromLists(s, 30,
+ SigMatchGetLastSMFromLists(s, 20,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (pm == NULL) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
return 0;
}
int list = SigMatchListSMBelongsTo(s, pm);
- if (list == DETECT_SM_LIST_UMATCH)
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH);
- else
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
+ SigMatchAppendSMToList(s, sm, list);
} else {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
}
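Review bot: The sticky-buffer list selection added at L17–L25 is repeated verbatim for bytejump (L130–L138) and bytetest (L216–L224), and in all three a signature that carries both SIG_FLAG_INIT_FILE_DATA and SIG_FLAG_INIT_DCE_STUB_DATA silently lands in the file_data list (whether the file_data setup rejects a signature already marked DCERPC is not visible here). A small helper reachable from the three setup functions, returning DETECT_SM_LIST_HSBDMATCH or DETECT_SM_LIST_DMATCH and making the AppLayerHtpEnableResponseBodyCallback() call, would keep them in step, and the both-flags case deserves either an SCLogError or a comment stating that file_data wins. The compound test on L17–L18 is correct (`&` binds tighter than `||`) but reads better fully bracketed: `if ((s->init_flags & SIG_FLAG_INIT_FILE_DATA) || (s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA)) {`. The doubled parentheses in `if ((data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE)) {` at L8 look like a leftover from the removed second clause; `if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {` is enough. The enclosing setup function starts and ends outside this hunk.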
DETECT_CONTENT, sm->prev,
DETECT_BYTEJUMP, sm->prev,
DETECT_PCRE, sm->prev);
- if (prev_sm == NULL) {
- if (s->alproto == ALPROTO_DCERPC) {
- SCLogDebug("No preceding content or pcre keyword. Possible "
- "since this is a dce alproto sig.");
- return 0;
- } else {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "No preceding content "
- "or uricontent or pcre option");
- return -1;
- }
- }
+ if (prev_sm == NULL)
+ return 0;
DetectContentData *cd = NULL;
DetectPcreData *pe = NULL;
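Review bot: The collapsed check `if (prev_sm == NULL) return 0;` at L120–L121 drops the error path the removed lines L114–L118 gave non-DCERPC signatures (`SCLogError(SC_ERR_INVALID_SIGNATURE, "No preceding content or uricontent or pcre option")` followed by `return -1;`), so a relative byte_extract with no preceding keyword is now accepted silently for every protocol. If the non-sticky path really cannot reach this point any more (the `pm == NULL` branch at L93–L96 already returns 0 before it), a one-line comment saying so would stop the next reader from reinstating the check; otherwise the diagnostic should stay for signatures that are neither DCERPC nor sticky-buffer based. The bytejump (L193–L201) and bytetest (L279–L287) rewrites are different in kind: there both removed branches already returned 0, so nothing is lost. The enclosing function starts and ends outside the hunk.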
"DCERPC rule holds an invalid modifier for bytejump.");
goto error;
}
+ s->alproto = ALPROTO_DCERPC;
}
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA ||
+ s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
+ int sm_list;
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
+ AppLayerHtpEnableResponseBodyCallback();
+ sm_list = DETECT_SM_LIST_HSBDMATCH;
+ } else {
+ sm_list = DETECT_SM_LIST_DMATCH;
+ }
+
if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
SigMatch *prev_sm = NULL;
prev_sm = SigMatchGetLastSMFromLists(s, 8,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
+ DETECT_CONTENT, s->sm_lists_tail[sm_list],
+ DETECT_BYTETEST, s->sm_lists_tail[sm_list],
+ DETECT_BYTEJUMP, s->sm_lists_tail[sm_list],
+ DETECT_PCRE, s->sm_lists_tail[sm_list]);
if (prev_sm == NULL) {
data->flags &= ~DETECT_BYTEJUMP_RELATIVE;
}
-
- s->flags |= SIG_FLAG_APPLAYER;
- AppLayerHtpEnableResponseBodyCallback();
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
- } else {
- s->flags |= SIG_FLAG_APPLAYER;
- AppLayerHtpEnableResponseBodyCallback();
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
- }
- } else if (s->alproto == ALPROTO_DCERPC &&
- (data->flags & DETECT_BYTEJUMP_RELATIVE)) {
- SigMatch *pm = NULL;
- SigMatch *dm = NULL;
-
- pm = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
- dm = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
-
- if (pm == NULL) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
- } else if (dm == NULL) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
- } else if (pm->idx > dm->idx) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
- } else {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
}
+ s->flags |= SIG_FLAG_APPLAYER;
+ SigMatchAppendSMToList(s, sm, sm_list);
} else {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
}
DETECT_BYTEJUMP, sm->prev,
DETECT_PCRE, sm->prev);
if (prev_sm == NULL) {
- if (s->alproto == ALPROTO_DCERPC) {
- SCLogDebug("No preceding content or pcre keyword. Possible "
- "since this is an alproto sig.");
- return 0;
- } else {
- return 0;
- }
+ return 0;
}
DetectContentData *cd = NULL;
/* check bytetest modifiers against the signature alproto. In case they conflict
* chuck out invalid signature */
- if (data-> flags & DETECT_BYTETEST_DCE) {
+ if (data->flags & DETECT_BYTETEST_DCE) {
if (s->alproto != ALPROTO_DCERPC) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
"bytetest with dce enabled");
"a byte_test keyword with dce holds other invalid modifiers.");
goto error;
}
+ s->alproto = ALPROTO_DCERPC;
}
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA ||
+ s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
+ int sm_list;
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
+ AppLayerHtpEnableResponseBodyCallback();
+ sm_list = DETECT_SM_LIST_HSBDMATCH;
+ } else {
+ sm_list = DETECT_SM_LIST_DMATCH;
+ }
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
if (data->flags & DETECT_BYTETEST_RELATIVE) {
SigMatch *prev_sm = NULL;
prev_sm = SigMatchGetLastSMFromLists(s, 8,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
+ DETECT_CONTENT, s->sm_lists_tail[sm_list],
+ DETECT_BYTETEST, s->sm_lists_tail[sm_list],
+ DETECT_BYTEJUMP, s->sm_lists_tail[sm_list],
+ DETECT_PCRE, s->sm_lists_tail[sm_list]);
if (prev_sm == NULL) {
data->flags &= ~DETECT_BYTETEST_RELATIVE;
}
-
- s->flags |= SIG_FLAG_APPLAYER;
- AppLayerHtpEnableResponseBodyCallback();
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
- } else {
- s->flags |= SIG_FLAG_APPLAYER;
- AppLayerHtpEnableResponseBodyCallback();
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
- }
- } else if (s->alproto == ALPROTO_DCERPC &&
- (data->flags & DETECT_BYTETEST_RELATIVE)) {
- SigMatch *pm = NULL;
- SigMatch *dm = NULL;
-
- pm = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
- dm = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
-
- if (pm == NULL) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
- } else if (dm == NULL) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
- } else if (pm->idx > dm->idx) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
- } else {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
}
+ s->flags |= SIG_FLAG_APPLAYER;
+ SigMatchAppendSMToList(s, sm, sm_list);
} else {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
}
DETECT_BYTEJUMP, sm->prev,
DETECT_PCRE, sm->prev);
if (prev_sm == NULL) {
- if (s->alproto == ALPROTO_DCERPC) {
- SCLogDebug("No preceding content or pcre keyword. Possible "
- "since this is an alproto sig.");
- return 0;
- } else {
- return 0;
- }
+ return 0;
}
DetectContentData *cd = NULL;
/* enable http request body callback in the http app layer parser */
AppLayerHtpEnableResponseBodyCallback();
+ } else if (s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
+ cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_DMATCH);
+ sm->type = DETECT_CONTENT;
+
+ /* transfer the sm from the pmatch list to hsbdmatch list */
+ SigMatchTransferSigMatchAcrossLists(sm,
+ &s->sm_lists[DETECT_SM_LIST_PMATCH],
+ &s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ &s->sm_lists[DETECT_SM_LIST_DMATCH],
+ &s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
+
+ /* flag the signature to indicate that we scan the app layer data */
+ s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ALPROTO_DCERPC;
}
return 0;
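Review bot: The comment `/* transfer the sm from the pmatch list to hsbdmatch list */` at L296 is copied from the file_data branch above it, but the call on L297–L301 moves the SigMatch into DETECT_SM_LIST_DMATCH; it should read `/* transfer the sm from the pmatch list to the dmatch list */`. The branch also dereferences `cd` on L293 without a check, which is presumably safe because the code before the hunk has already validated it — worth confirming. `s->alproto = ALPROTO_DCERPC;` on L305 repeats what DetectDceStubDataSetup already sets on L377; if that is intentional belt-and-braces, a short why-comment would save the next reader from wondering. The enclosing function starts and ends outside the hunk.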
sigmatch_table[DETECT_DCE_STUB_DATA].name = "dce_stub_data";
sigmatch_table[DETECT_DCE_STUB_DATA].alproto = ALPROTO_DCERPC;
sigmatch_table[DETECT_DCE_STUB_DATA].Match = NULL;
- sigmatch_table[DETECT_DCE_STUB_DATA].AppLayerMatch = DetectDceStubDataMatch;
+ sigmatch_table[DETECT_DCE_STUB_DATA].AppLayerMatch = NULL;
sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup;
sigmatch_table[DETECT_DCE_STUB_DATA].Free = NULL;
sigmatch_table[DETECT_DCE_STUB_DATA].RegisterTests = DetectDceStubDataRegisterTests;
return;
}
-/**
- * \brief App layer match function for the "dce_stub_data" keyword.
- *
- * \todo Check the need for passing a pointer to hold the address of the stub_data.
- *
- * \param t Pointer to the ThreadVars instance.
- * \param det_ctx Pointer to the DetectEngineThreadCtx.
- * \param f Pointer to the flow.
- * \param flags Pointer to the flags indicating the flow direction.
- * \param state Pointer to the app layer state data.
- * \param s Pointer to the Signature instance.
- * \param m Pointer to the SigMatch.
- *
- * \retval 1 On Match.
- * \retval 0 On no match.
- */
-int DetectDceStubDataMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
- uint8_t flags, void *state, Signature *s, SigMatch *m)
-{
- SCEnter();
-
- DCERPCState *dcerpc_state = (DCERPCState *)state;
- if (dcerpc_state == NULL) {
- SCLogDebug("No DCERPCState for the flow");
- SCReturnInt(0);
- }
-
- if (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL ||
- dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer != NULL)
- {
- SCReturnInt(1);
- } else {
- SCReturnInt(0);
- }
-}
-
/**
* \brief Creates a SigMatch for the \"dce_stub_data\" keyword being sent as argument,
* and appends it to the Signature(s).
static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
- SigMatch *sm = NULL;
-
- sm = SigMatchAlloc();
- if (sm == NULL)
- goto error;
-
- sm->type = DETECT_DCE_STUB_DATA;
- sm->ctx = NULL;
-
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
-
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
+ "rule contains conflicting keywords.");
goto error;
}
+ s->init_flags |= SIG_FLAG_INIT_DCE_STUB_DATA;
s->alproto = ALPROTO_DCERPC;
- /* Flagged the signature as to inspect the app layer data */
s->flags |= SIG_FLAG_APPLAYER;
return 0;
error:
- if (sm != NULL)
- SCFree(sm);
return -1;
}
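Review bot: `arg` is never inspected in the rewritten DetectDceStubDataSetup, so whatever the parser passes for `dce_stub_data:<value>;` is ignored without a diagnostic; a guard such as `if (arg != NULL && *arg != '\0') { SCLogError(SC_ERR_INVALID_SIGNATURE, "dce_stub_data takes no argument"); goto error; }` would reject it, assuming the parser hands over a non-NULL string in that case (the unit test at L386 passes NULL). With the SigMatch allocation gone the keyword now exists only as the init flag plus the alproto and flags assignments on L376–L379, yet the doxygen header at L354–L356 still says it creates a SigMatch and appends it to the signature; it should describe the sticky-buffer marker the function now sets. The `error:` label on L381 only returns -1 any more, so the two `goto error` sites could simply `return -1;` and the label be dropped.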
result = (DetectDceStubDataSetup(NULL, &s, NULL) == 0);
- if (s.sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
+ if (s.sm_lists[DETECT_SM_LIST_AMATCH] == NULL) {
result = 1;
} else {
result = 0;
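Review bot: `result` from the Setup call on L386 is overwritten by the `if`/`else` on L388–L391, so the test passes as long as `s.sm_lists[DETECT_SM_LIST_AMATCH]` is empty even if DetectDceStubDataSetup returned -1. Folding the conditions together also lets the test check the new init flag introduced on L376: `result = (DetectDceStubDataSetup(NULL, &s, NULL) == 0 && s.sm_lists[DETECT_SM_LIST_AMATCH] == NULL && (s.init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) != 0);`. The enclosing test function starts and ends outside the hunk.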
s = de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"DCERPC\"; "
- "dce_stub_data; "
+ "dce_stub_data; content:\"|42 42 42 42|\";"
"sid:1;)");
if (s == NULL)
goto end;
s = de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"DCERPC\"; "
- "dce_stub_data; "
+ "dce_stub_data; content:\"|42 42 42 42|\";"
"sid:1;)");
if (s == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
- "(msg:\"DCERPC\"; dce_stub_data; sid:1;)");
+ "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 02|\"; sid:1;)");
+ if (s == NULL)
+ goto end;
+ s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)");
+ if (s == NULL)
+ goto end;
+ s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 18|\"; sid:3;)");
if (s == NULL)
goto end;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- if (!PacketAlertCheck(p, 1))
+ if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
goto end;
/* response1 */
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- if (PacketAlertCheck(p, 1))
+ if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
goto end;
/* request2 */
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- if (!PacketAlertCheck(p, 1))
+ if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
goto end;
/* response2 */
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- if (PacketAlertCheck(p, 1))
+ if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
goto end;
/* request3 */
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- if (!PacketAlertCheck(p, 1))
+ if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
goto end;
/* response3 */
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- if (PacketAlertCheck(p, 1))
+ if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
goto end;
result = 1;
s = de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"DCERPC\"; "
- "dce_stub_data;"
+ "dce_stub_data; content:\"|00 02|\"; "
"sid:1;)");
if (s == NULL)
goto end;
+ s = de_ctx->sig_list->next = SigInit(de_ctx,
+ "alert tcp any any -> any any "
+ "(msg:\"DCERPC\"; "
+ "dce_stub_data; content:\"|00 75|\"; "
+ "sid:2;)");
+ if (s == NULL)
+ goto end;
+ s = de_ctx->sig_list->next->next = SigInit(de_ctx,
+ "alert tcp any any -> any any "
+ "(msg:\"DCERPC\"; "
+ "dce_stub_data; content:\"|00 18|\"; "
+ "sid:3;)");
+ if (s == NULL)
+ goto end;
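Review bot: The new signatures at L466–L479 are linked by hand through `de_ctx->sig_list->next` and `de_ctx->sig_list->next->next`, while the equivalent setup at L409–L419 on this page uses DetectEngineAppendSig, which does the linking itself. Switching these lines to `s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)");` (and likewise for sid 3) keeps the tests in one style and avoids the chain pointers going stale if a signature is ever inserted between them. The enclosing test function starts and ends outside the hunk.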
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- if (!PacketAlertCheck(p, 1))
+ if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
goto end;
/* response1 */
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- if (PacketAlertCheck(p, 1))
+ if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
goto end;
/* request2 */
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- if (!PacketAlertCheck(p, 1))
+ if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
goto end;
/* response2 */
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- if (PacketAlertCheck(p, 1))
+ if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
goto end;
/* request3 */
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- if (!PacketAlertCheck(p, 1))
+ if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
goto end;
/* response3 */
dubbed = 1;
}
- switch (s->alproto) {
- case ALPROTO_DCERPC:
- /* add to the latest content keyword from either dmatch or pmatch */
- pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
- if (pm == NULL) {
- SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs "
- "preceding content option for dcerpc sig");
- if (dubbed)
- SCFree(str);
- return -1;
- }
-
- break;
-
- default:
- pm = SigMatchGetLastSMFromLists(s, 28,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
- if (pm == NULL) {
- SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs "
- "preceding content, uricontent option, http_client_body, "
- "http_server_body, http_header option, http_raw_header option, "
- "http_method option, http_cookie, http_raw_uri, "
- "http_stat_msg, http_stat_code, http_user_agent, "
- "http_host or http_raw_host option");
- if (dubbed)
- SCFree(str);
- return -1;
- }
-
- break;
+ pm = SigMatchGetLastSMFromLists(s, 30,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ if (pm == NULL) {
+ SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs "
+ "preceding content, uricontent option, http_client_body, "
+ "http_server_body, http_header option, http_raw_header option, "
+ "http_method option, http_cookie, http_raw_uri, "
+ "http_stat_msg, http_stat_code, http_user_agent, "
+ "http_host, http_raw_host or "
+ "file_data/dce_stub_data sticky buffer options");
+ if (dubbed)
+ SCFree(str);
+ return -1;
}
- /* i swear we will clean this up :). Use a single version for all. Using
- * separate versions for all now, to avoiding breaking any code */
switch (pm->type) {
case DETECT_CONTENT:
cd = (DetectContentData *)pm->ctx;
dubbed = 1;
}
- /* if we still haven't found that the sig is related to DCERPC,
- * it's a direct entry into Signature->sm_lists[DETECT_SM_LIST_PMATCH] */
- if (s->alproto == ALPROTO_DCERPC) {
- SigMatch *dcem = NULL;
- SigMatch *dm = NULL;
- SigMatch *pm1 = NULL;
-
- SigMatch *pm1_ots = NULL;
- SigMatch *pm2_ots = NULL;
-
- dcem = SigMatchGetLastSMFromLists(s, 6,
- DETECT_DCE_IFACE, s->sm_lists_tail[DETECT_SM_LIST_AMATCH],
- DETECT_DCE_OPNUM, s->sm_lists_tail[DETECT_SM_LIST_AMATCH],
- DETECT_DCE_STUB_DATA, s->sm_lists_tail[DETECT_SM_LIST_AMATCH]);
-
- pm1_ots = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
- if (pm1_ots != NULL && pm1_ots->prev != NULL) {
- pm2_ots = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, pm1_ots->prev,
- DETECT_PCRE, pm1_ots->prev,
- DETECT_BYTEJUMP, pm1_ots->prev);
- }
-
- dm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
- pm1 = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
-
- if (dm == NULL && pm1 == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid signature. within "
- "needs a preceding content keyword");
- goto error;
- }
-
- if (dm == NULL) {
- if (pm2_ots == NULL) {
- if (pm1->idx > dcem->idx) {
- /* transfer pm1 to dmatch list and within is against this */
- SigMatchTransferSigMatchAcrossLists(pm1,
- &s->sm_lists[DETECT_SM_LIST_PMATCH],
- &s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- &s->sm_lists[DETECT_SM_LIST_DMATCH],
- &s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
- pm = pm1;
- } else {
- /* within is against pm1 and we continue this way */
- pm = pm1;
- }
- } else if (pm2_ots->idx > dcem->idx) {
- /* within is against pm1, pm = pm1; */
- pm = pm1;
- } else if (pm1->idx > dcem->idx) {
- /* transfer pm1 to dmatch list and within is against this */
- SigMatchTransferSigMatchAcrossLists(pm1,
- &s->sm_lists[DETECT_SM_LIST_PMATCH],
- &s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- &s->sm_lists[DETECT_SM_LIST_DMATCH],
- &s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
- pm = pm1;
- } else {
- /* within is against pm1 and we continue this way */
- pm = pm1;
- }
- } else {
- if (pm1 == NULL) {
- /* within is against dm and continue this way */
- pm = dm;
- } else if (dm->idx > pm1->idx) {
- /* within is against dm */
- pm = dm;
- } else if (pm2_ots == NULL || pm2_ots->idx < dcem->idx) {
- /* trasnfer pm1 to dmatch list and pm = pm1 */
- SigMatchTransferSigMatchAcrossLists(pm1,
- &s->sm_lists[DETECT_SM_LIST_PMATCH],
- &s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- &s->sm_lists[DETECT_SM_LIST_DMATCH],
- &s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
- pm = pm1;
- } else {
- /* within is against pm1, pm = pm1 */
- pm = pm1;
- }
- }
- } else {
- pm = SigMatchGetLastSMFromLists(s, 28,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
- if (pm == NULL) {
- SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs "
- "preceding content, uricontent option, http_client_body, "
- "http_server_body, http_header, http_raw_header, http_method, "
- "http_cookie, http_raw_uri, http_stat_msg, http_stat_code, "
- "http_user_agent, http_host or http_raw_host option");
- if (dubbed)
- SCFree(str);
- return -1;
- }
+ pm = SigMatchGetLastSMFromLists(s, 30,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ if (pm == NULL) {
+ SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs "
+ "preceding content, uricontent option, http_client_body, "
+ "http_server_body, http_header, http_raw_header, http_method, "
+ "http_cookie, http_raw_uri, http_stat_msg, http_stat_code, "
+ "http_host, http_raw_host or "
+ "http_user_agent or file_data/dce_stub_data option");
+ if (dubbed)
+ SCFree(str);
+ return -1;
}
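Review bot: The rebuilt error text on L725–L726 reads "… http_stat_code, http_host, http_raw_host or http_user_agent or file_data/dce_stub_data option", with two "or"s and http_user_agent pulled out of the list it belonged to, whereas the depth message on L576–L582 has the tidy form. Change the two lines to `"http_user_agent, http_host, http_raw_host or "` and `"file_data/dce_stub_data option");`. This string is what a rule writer sees when a within has no anchor, so keeping it parallel with the depth keyword's message is worth the edit. The enclosing setup function starts and ends outside the hunk.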
DetectContentData *cd = NULL;
DETECT_CONTENT, pm->prev,
DETECT_PCRE, pm->prev,
DETECT_BYTEJUMP, pm->prev);
- if (pm == NULL) {
- if (s->alproto == ALPROTO_DCERPC) {
- SCLogDebug("content relative without a previous content based "
- "keyword. Holds good only in the case of DCERPC "
- "alproto like now.");
- } else {
- //SCLogError(SC_ERR_INVALID_SIGNATURE, "No related "
- //"previous-previous content or pcre keyword");
- //goto error;
- ;
- }
- } else {
+ if (pm != NULL) {
switch (pm->type) {
case DETECT_CONTENT:
/* Set the relative next flag on the prev sigmatch */
int i = 0;
char *sig1 = "alert tcp any any -> any any "
- "(dce_stub_data; sid:1;)";
+ "(dce_stub_data; content:\"|00 02|\"; sid:1;)";
+ char *sig2 = "alert tcp any any -> any any "
+ "(dce_stub_data; content:\"|00 75|\"; sid:2;)";
+ char *sig3 = "alert tcp any any -> any any "
+ "(dce_stub_data; content:\"|00 18|\"; sid:3;)";
Signature *s;
goto end;
de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, sig1);
- s = de_ctx->sig_list;
+ s = de_ctx->sig_list = SigInit(de_ctx, sig1);
+ if (s == NULL)
+ goto end;
+ s = de_ctx->sig_list->next = SigInit(de_ctx, sig2);
+ if (s == NULL)
+ goto end;
+ s = de_ctx->sig_list->next->next = SigInit(de_ctx, sig3);
if (s == NULL)
goto end;
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[0]);
- if (!(PacketAlertCheck(p[0], 1))) {
+ if (!PacketAlertCheck(p[0], 1) || PacketAlertCheck(p[0], 2) || PacketAlertCheck(p[0], 3)) {
printf("sid 1 didn't match but should have for packet 0: ");
goto end;
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[6]);
- if ((PacketAlertCheck(p[6], 1))) {
+ if (PacketAlertCheck(p[6], 1) || PacketAlertCheck(p[6], 2) || PacketAlertCheck(p[6], 3)) {
printf("sid 1 matched but shouldn't have for packet 6: ");
goto end;
}
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[1]);
- if ((PacketAlertCheck(p[1], 1))) {
+ if (PacketAlertCheck(p[1], 1) || PacketAlertCheck(p[1], 2) || PacketAlertCheck(p[1], 3)) {
printf("sid 1 matched but shouldn't have for packet 1: ");
goto end;
}
* the detection engine state for the flow has been reset because of a
* fresh transaction */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[2]);
- if (!(PacketAlertCheck(p[2], 1))) {
+ if (PacketAlertCheck(p[2], 1) || !PacketAlertCheck(p[2], 2) || PacketAlertCheck(p[2], 3)) {
printf("sid 1 didn't match but should have for packet 2: ");
goto end;
}
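Review bot: The condition on L800 now requires sid 2 to fire on packet 2 (`!PacketAlertCheck(p[2], 2)`), but the message on L801 still prints "sid 1 didn't match but should have for packet 2", so a failure would point at the wrong signature. The same mismatch is at L823/L824 (sid 3, packet 4) and at L887/L888 (sid 2, packet 4); each message should name the sid actually expected, e.g. `printf("sid 2 didn't match but should have for packet 2: ");`. The "matched but shouldn't have" messages on the other packets now cover several sids each, so something like `printf("sid 1, 2 or 3 matched but shouldn't have for packet 1: ");` would be more accurate there too. The enclosing test function starts and ends outside the hunk.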
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[7]);
- if ((PacketAlertCheck(p[7], 1))) {
+ if (PacketAlertCheck(p[7], 1) || PacketAlertCheck(p[7], 2) || PacketAlertCheck(p[7], 3)) {
printf("sid 1 matched but shouldn't have for packet 7: ");
goto end;
}
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[3]);
- if ((PacketAlertCheck(p[3], 1))) {
+ if (PacketAlertCheck(p[3], 1) || PacketAlertCheck(p[3], 2) || PacketAlertCheck(p[3], 3)) {
printf("sid 1 matched but shouldn't have for packet 3: ");
goto end;
}
* the detection engine state for the flow has been reset because of a
* fresh transaction */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[4]);
- if (!(PacketAlertCheck(p[4], 1))) {
+ if (PacketAlertCheck(p[4], 1) || PacketAlertCheck(p[4], 2) || !PacketAlertCheck(p[4], 3)) {
printf("sid 1 didn't match but should have for packet 4: ");
goto end;
}
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[5]);
- if ((PacketAlertCheck(p[5], 1))) {
+ if (PacketAlertCheck(p[5], 1) || PacketAlertCheck(p[5], 2) || PacketAlertCheck(p[5], 3)) {
printf("sid 1 matched but shouldn't have for packet 5: ");
goto end;
}
int i = 0;
char *sig1 = "alert tcp any any -> any any "
- "(dce_stub_data; sid:1;)";
+ "(dce_stub_data; content:\"|7f 01|\"; sid:1;)";
+ char *sig2 = "alert tcp any any -> any any "
+ "(dce_stub_data; content:\"|3f 00|\"; sid:2;)";
Signature *s;
goto end;
de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, sig1);
- s = de_ctx->sig_list;
+ s = de_ctx->sig_list = SigInit(de_ctx, sig1);
+ if (s == NULL)
+ goto end;
+ s = de_ctx->sig_list->next = SigInit(de_ctx, sig2);
if (s == NULL)
goto end;
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[0]);
- if (!(PacketAlertCheck(p[0], 1))) {
+ if (!PacketAlertCheck(p[0], 1) || PacketAlertCheck(p[0], 2)) {
printf("sid 1 didn't match but should have for packet 0: ");
goto end;
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[1]);
- if ((PacketAlertCheck(p[1], 1))) {
+ if (PacketAlertCheck(p[1], 1) || PacketAlertCheck(p[1], 2)) {
printf("sid 1 matched but shouldn't have for packet 1: ");
goto end;
}
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[2]);
- if ((PacketAlertCheck(p[2], 1))) {
+ if (PacketAlertCheck(p[2], 1) || PacketAlertCheck(p[2], 2)) {
printf("sid 1 matched but shouldn't have for packet 2: ");
goto end;
}
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[3]);
- if ((PacketAlertCheck(p[3], 1))) {
+ if (PacketAlertCheck(p[3], 1) || PacketAlertCheck(p[3], 2)) {
printf("sid 1 matched but shouldn't have for packet 3: ");
goto end;
}
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[4]);
- if (!(PacketAlertCheck(p[4], 1))) {
+ if (PacketAlertCheck(p[4], 1) || !PacketAlertCheck(p[4], 2)) {
printf("sid 1 didn't match but should have for packet 4: ");
goto end;
}
}
/* detection phase */
SigMatchSignatures(&tv, de_ctx, det_ctx, p[5]);
- if ((PacketAlertCheck(p[5], 1))) {
+ if (PacketAlertCheck(p[5], 1) || PacketAlertCheck(p[5], 2)) {
printf("sid 1 matched but shouldn't have for packet 5: ");
goto end;
}
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"dce_stub_data; "
+ "pkt_data; "
"content:\"one\"; "
"content:\"two\"; "
"content:\"three\"; within:5; "
"dce_stub_data; "
"content:\"one\"; distance:10; within:5; "
"content:\"two\"; within:5;"
+ "pkt_data; "
"content:\"three\";"
"content:\"four\";"
"sid:1;)");
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"dce_stub_data; "
+ "pkt_data; "
"pcre:/boom/; "
"content:\"one\"; distance:10; within:5; "
"content:\"two\"; within:5;"
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"dce_stub_data; "
+ "pkt_data; "
"byte_jump:2,5; "
"content:\"one\"; distance:10; within:5; "
"content:\"two\"; within:5;"
"byte_jump:2,5,relative; "
"content:\"one\"; distance:10; within:5; "
"content:\"two\"; within:5;"
+ "pkt_data; "
"content:\"three\";"
"content:\"four\";"
"sid:1;)");
bd->flags & DETECT_BYTEJUMP_LITTLE ||
bd->flags & DETECT_BYTEJUMP_BIG ||
bd->flags & DETECT_BYTEJUMP_STRING ||
- !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
+ bd->flags & DETECT_BYTEJUMP_RELATIVE ||
bd->flags & DETECT_BYTEJUMP_ALIGN ||
bd->flags & DETECT_BYTEJUMP_DCE ) {
result = 0;
"byte_jump:2,5,relative; "
"content:\"one\"; distance:10; within:5; "
"content:\"two\"; within:5;"
+ "pkt_data; "
"content:\"three\";"
"content:\"four\"; within:4; "
"sid:1;)");
bd->flags & DETECT_BYTEJUMP_LITTLE ||
bd->flags & DETECT_BYTEJUMP_BIG ||
bd->flags & DETECT_BYTEJUMP_STRING ||
- !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
+ bd->flags & DETECT_BYTEJUMP_RELATIVE ||
bd->flags & DETECT_BYTEJUMP_ALIGN ||
bd->flags & DETECT_BYTEJUMP_DCE ) {
result = 0;
"pcre:/boom/R; "
"content:\"one\"; distance:10; within:5; "
"content:\"two\"; within:5;"
+ "pkt_data; "
"content:\"three\";"
"content:\"four\"; distance:5;"
"sid:1;)");
}
pd = (DetectPcreData *)sm->ctx;
if ( pd->flags & DETECT_PCRE_RAWBYTES ||
- !(pd->flags & DETECT_PCRE_RELATIVE)) {
+ pd->flags & DETECT_PCRE_RELATIVE) {
result = 0;
printf("one failed\n");
goto end;
"pcre:/boom/R; "
"byte_jump:1,2,relative,align,dce; "
"content:\"one\"; within:4; distance:8; "
+ "pkt_data; "
"content:\"two\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
}
pd = (DetectPcreData *)sm->ctx;
if ( pd->flags & DETECT_PCRE_RAWBYTES ||
- !(pd->flags & DETECT_PCRE_RELATIVE)) {
+ pd->flags & DETECT_PCRE_RELATIVE) {
result = 0;
goto end;
}
"dce_iface:12345678-1234-1234-1234-123456789012; "
"dce_opnum:10; dce_stub_data; "
"byte_test:1,=,0,0,relative,dce; "
+ "pkt_data; "
"content:\"one\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
if (bd->flags & DETECT_BYTETEST_LITTLE ||
bd->flags & DETECT_BYTETEST_BIG ||
bd->flags & DETECT_BYTETEST_STRING ||
- !(bd->flags & DETECT_BYTETEST_RELATIVE) ||
+ bd->flags & DETECT_BYTETEST_RELATIVE ||
!(bd->flags & DETECT_BYTETEST_DCE) ) {
result = 0;
printf("one failed\n");
"dce_opnum:10; dce_stub_data; "
"isdataat:10,relative; "
"content:\"one\"; within:4; distance:8; "
+ "pkt_data; "
"content:\"two\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
}
isd = (DetectIsdataatData *)sm->ctx;
if ( isd->flags & ISDATAAT_RAWBYTES ||
- !(isd->flags & ISDATAAT_RELATIVE)) {
+ isd->flags & ISDATAAT_RELATIVE) {
result = 0;
goto end;
}
"dce_opnum:10; dce_stub_data; "
"byte_jump:1,2,relative,align,dce; "
"byte_test:1,=,2,0,relative,dce; "
+ "pkt_data; "
"content:\"one\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
bjd->flags & DETECT_BYTEJUMP_LITTLE ||
bjd->flags & DETECT_BYTEJUMP_BIG ||
bjd->flags & DETECT_BYTEJUMP_STRING ||
- !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
+ bjd->flags & DETECT_BYTEJUMP_RELATIVE ||
!(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
!(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
result = 0;
"pcre:/boom/R; "
"byte_jump:1,2,relative,align,dce; "
"byte_test:1,=,2,0,relative,dce; "
+ "pkt_data; "
"content:\"one\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
}
pd = (DetectPcreData *)sm->ctx;
if ( pd->flags & DETECT_PCRE_RAWBYTES ||
- !(pd->flags & DETECT_PCRE_RELATIVE) ) {
+ pd->flags & DETECT_PCRE_RELATIVE) {
result = 0;
printf("one failed\n");
goto end;
"content:\"one\"; within:10; "
"content:\"two\"; distance:20; within:30; "
"byte_test:1,=,2,0,relative,dce; "
+ "pkt_data; "
"content:\"three\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
"dce_iface:12345678-1234-1234-1234-123456789012; "
"dce_opnum:10; dce_stub_data; "
"content:\"one\"; within:10; "
+ "pkt_data; "
"content:\"two\"; "
"byte_test:1,=,2,0,relative,dce; "
"content:\"three\"; "
"dce_opnum:10; dce_stub_data; "
"isdataat:10,relative; "
"content:\"one\"; within:4; distance:8; "
+ "pkt_data; "
"content:\"two\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
}
isd = (DetectIsdataatData *)sm->ctx;
if ( isd->flags & ISDATAAT_RAWBYTES ||
- !(isd->flags & ISDATAAT_RELATIVE)) {
+ isd->flags & ISDATAAT_RELATIVE) {
result = 0;
goto end;
}
"content:\"one\"; "
"dce_opnum:10; dce_stub_data; "
"byte_jump:1,2,relative,align,dce; "
+ "pkt_data; "
"content:\"two\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
bjd->flags & DETECT_BYTEJUMP_LITTLE ||
bjd->flags & DETECT_BYTEJUMP_BIG ||
bjd->flags & DETECT_BYTEJUMP_STRING ||
- !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
+ bjd->flags & DETECT_BYTEJUMP_RELATIVE ||
!(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
!(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
result = 0;
"content:\"one\"; "
"dce_opnum:10; dce_stub_data; "
"byte_test:1,=,2,0,relative,dce; "
+ "pkt_data; "
"content:\"two\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
if (btd->flags & DETECT_BYTETEST_LITTLE ||
btd->flags & DETECT_BYTETEST_BIG ||
btd->flags & DETECT_BYTETEST_STRING ||
- !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
+ btd->flags & DETECT_BYTETEST_RELATIVE ||
!(btd->flags & DETECT_BYTETEST_DCE) ) {
result = 0;
printf("one failed\n");
{
DetectIsdataatData *idad = NULL;
SigMatch *sm = NULL;
- SigMatch *dm = NULL;
- SigMatch *pm = NULL;
SigMatch *prev_pm = NULL;
char *offset = NULL;
sm->type = DETECT_ISDATAAT;
sm->ctx = (void *)idad;
- if (s->alproto == ALPROTO_DCERPC &&
- (idad->flags & ISDATAAT_RELATIVE)) {
-
- pm = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
- dm = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
-
- if (pm == NULL) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
- } else if (dm == NULL) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
- } else if (pm->idx > dm->idx) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
- } else {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
- }
- prev_pm = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, sm->prev,
- DETECT_BYTEJUMP, sm->prev,
- DETECT_PCRE, sm->prev);
- if (prev_pm == NULL) {
- SCLogDebug("No preceding content or pcre keyword. Possible "
- "since this is a dce alproto sig.");
- if (offset != NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
- "seen in isdataat - %s", offset);
- goto error;
- }
- return 0;
- }
- } else if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
- if (idad->flags & ISDATAAT_RELATIVE) {
- pm = SigMatchGetLastSMFromLists(s, 10,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
- if (pm == NULL) {
- idad->flags &= ~ISDATAAT_RELATIVE;
- }
-
- s->flags |= SIG_FLAG_APPLAYER;
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
+ int sm_list;
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
AppLayerHtpEnableResponseBodyCallback();
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
+ sm_list = DETECT_SM_LIST_HSBDMATCH;
} else {
- s->flags |= SIG_FLAG_APPLAYER;
- AppLayerHtpEnableResponseBodyCallback();
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
+ sm_list = DETECT_SM_LIST_DMATCH;
}
- if (pm == NULL) {
- SCLogDebug("No preceding content or pcre keyword. Possible "
+ if (idad->flags & ISDATAAT_RELATIVE) {
+ s->flags |= SIG_FLAG_APPLAYER;
+ SigMatchAppendSMToList(s, sm, sm_list);
+ prev_pm = SigMatchGetLastSMFromLists(s, 10,
+ DETECT_CONTENT, s->sm_lists_tail[sm_list],
+ DETECT_PCRE, s->sm_lists_tail[sm_list],
+ DETECT_BYTEJUMP, s->sm_lists_tail[sm_list],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[sm_list],
+ DETECT_BYTETEST, s->sm_lists_tail[sm_list]);
+ if (prev_pm == NULL) {
+ SCLogDebug("No preceding content or pcre keyword. Possible "
"since this is a file_data sig.");
- if (offset != NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
- "seen in isdataat - %s", offset);
- goto error;
+ if (offset != NULL) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
+ "seen in isdataat - %s", offset);
+ goto error;
+ }
+ idad->flags &= ~ISDATAAT_RELATIVE;
+ return 0;
}
- return 0;
}
-
- prev_pm = pm;
} else {
if (!(idad->flags & ISDATAAT_RELATIVE)) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
}
return 0;
}
- pm = SigMatchGetLastSMFromLists(s, 66,
+ prev_pm = SigMatchGetLastSMFromLists(s, 66,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]);
- if (pm == NULL) {
+ if (prev_pm == NULL) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
if (offset != NULL) {
SigMatch *bed_sm =
}
SCReturnInt(0);
} else {
- int list_type = SigMatchListSMBelongsTo(s, pm);
+ int list_type = SigMatchListSMBelongsTo(s, prev_pm);
if (list_type == -1) {
goto error;
}
SigMatchAppendSMToList(s, sm, list_type);
- } /* else - if (pm == NULL) */
-
- prev_pm = pm;
+ } /* else - if (prev_pm == NULL) */
}
if (offset != NULL) {
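Review bot: A non-relative isdataat in a file_data or dce_stub_data signature is no longer appended to any list: the only `SigMatchAppendSMToList(s, sm, sm_list)` in the sticky-buffer branch sits inside `if (idad->flags & ISDATAAT_RELATIVE)` (L1177-L1179), and the closing braces at L1202/L1205 show the outer `else` (which handles the plain-payload case) is skipped, so control reaches the `offset` handling below with `sm` unlinked and `prev_pm` still NULL. The removed file_data code appended in both cases, so this looks like a regression that silently drops the keyword and, if the code after this hunk dereferences `prev_pm`, a NULL dereference. Suggest closing the relative branch with `} else { SigMatchAppendSMToList(s, sm, sm_list); return 0; }` and hoisting `s->flags |= SIG_FLAG_APPLAYER;` above the relative check so both paths mark the signature as app-layer as before. DetectIsdataatSetup starts and ends outside this hunk, so the behaviour of the code following `if (offset != NULL)` is inferred, not visible.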
s->alproto = ALPROTO_DCERPC;
/* failure since we have no preceding content/pcre/bytejump */
result &= (DetectIsdataatSetup(NULL, s, "30,relative") == 0);
- result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
+ result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
SigFree(s);
}
/* Search for the first previous SigMatch that supports nocase */
- SigMatch *pm = SigMatchGetLastSMFromLists(s, 28,
+ SigMatch *pm = SigMatchGetLastSMFromLists(s, 30,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
"content, uricontent, http_client_body, http_server_body, "
"http_header, http_method, http_uri, http_cookie, "
"http_raw_uri, http_stat_msg, http_stat_code, "
- "http_user_agent, http_host or http_raw_host option");
+ "http_user_agent, http_host or http_raw_host option or "
+ "file_data/dce_stub_data sticky buffer option");
SCReturnInt(-1);
}
dubbed = 1;
}
- switch (s->alproto) {
- case ALPROTO_DCERPC:
- /* add to the latest "content" keyword from either dmatch or pmatch */
- pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
- if (pm == NULL) {
- SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs "
- "preceding content option for dcerpc sig");
- if (dubbed)
- SCFree(str);
- return -1;
- }
-
- break;
-
- default:
- pm = SigMatchGetLastSMFromLists(s, 28,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
- if (pm == NULL) {
- SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs "
- "preceding content or uricontent option, http_client_body, "
- "http_header, http_raw_header, http_method, "
- "http_cookie, http_raw_uri, http_stat_msg, "
- "http_stat_code, http_user_agent, "
- "http_host or http_raw_host option");
- if (dubbed)
- SCFree(str);
- return -1;
- }
-
- break;
+ pm = SigMatchGetLastSMFromLists(s, 30,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ if (pm == NULL) {
+ SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs "
+ "preceding content, uricontent option, http_client_body, "
+ "http_header, http_raw_header, http_method, "
+ "http_cookie, http_raw_uri, http_stat_msg, "
+ "http_stat_code, http_user_agent or "
+ "file_data/dce_stub_data sticky buffers");
+ if (dubbed)
+ SCFree(str);
+ return -1;
}
- /* we can remove this switch now with the unified structure */
DetectContentData *cd = NULL;
switch (pm->type) {
case DETECT_CONTENT:
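Review bot: The rewritten error text at L1326-L1331 no longer lists http_host or http_raw_host, yet the search at L1309-L1324 still includes `DETECT_SM_LIST_HHHDMATCH` and `DETECT_SM_LIST_HRHHDMATCH`, so the message understates which keywords can precede offset; the old message (L1302) named them. The same mismatch recurs in the `within` hunk at L1580-L1585, where `"http_host or http_raw_host option"` was dropped from the message while the search (L1577-L1578) keeps both lists. Suggest `"http_stat_code, http_user_agent, http_host, http_raw_host or "` before the sticky-buffer clause here, and restoring the two names in the within message. The enclosing functions start outside their hunks.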
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSCDMATCH);
} else {
- if (s->alproto == ALPROTO_DCERPC && (pd->flags & DETECT_PCRE_RELATIVE)) {
- SigMatch *pm = NULL;
- SigMatch *dm = NULL;
-
- pm = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
- dm = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
-
- if (pm == NULL) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
- } else if (dm == NULL) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
- } else if (pm->idx > dm->idx) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
- } else {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
- }
+ if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
+ SCLogDebug("adding to http server body list because of file data");
+ s->flags |= SIG_FLAG_APPLAYER;
+ AppLayerHtpEnableResponseBodyCallback();
+
+ SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
+ } else if (s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
+ SCLogDebug("adding to dmatch list because of dce_stub_data");
+ s->flags |= SIG_FLAG_APPLAYER;
+ AppLayerHtpEnableResponseBodyCallback();
+
+ SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH);
} else {
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
- SCLogDebug("adding to http server body list because of file data");
- s->flags |= SIG_FLAG_APPLAYER;
- AppLayerHtpEnableResponseBodyCallback();
-
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH);
- } else {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
- }
+ SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
}
}
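Review bot: The dce_stub_data branch at L1370-L1375 calls `AppLayerHtpEnableResponseBodyCallback();`, which is the HTTP response-body requirement copied from the file_data branch directly above it; the isdataat rewrite in this same commit (L1165-L1173) only enables that callback for file_data and just selects `DETECT_SM_LIST_DMATCH` for the DCERPC sticky buffer. Enabling HTTP body buffering for a DCERPC signature costs memory on every HTTP flow for no detection benefit, so L1373 should be dropped. The enclosing function continues outside this hunk.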
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (prev_sm == NULL) {
- if (s->alproto == ALPROTO_DCERPC) {
- SCLogDebug("No preceding content or pcre keyword. Possible "
- "since this is an alproto sig.");
- SCReturnInt(0);
- } else {
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
- SCLogDebug("removing relative flag as we are relative to file_data");
- pd->flags &= ~DETECT_PCRE_RELATIVE;
- SCReturnInt(0);
- } else {
- SCReturnInt(0);
- }
- }
+ pd->flags &= ~DETECT_PCRE_RELATIVE;
+ SCReturnInt(0);
}
DetectContentData *cd = NULL;
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE);
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
if (data->flags & DETECT_PCRE_RAWBYTES ||
- !(data->flags & DETECT_PCRE_RELATIVE) ||
+ data->flags & DETECT_PCRE_RELATIVE ||
data->flags & DETECT_PCRE_URI) {
result = 0;
goto end;
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE);
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
if (data->flags & DETECT_PCRE_RAWBYTES ||
- !(data->flags & DETECT_PCRE_RELATIVE) ||
+ data->flags & DETECT_PCRE_RELATIVE ||
data->flags & DETECT_PCRE_URI) {
result = 0;
goto end;
result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE);
data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
if (!(data->flags & DETECT_PCRE_RAWBYTES) ||
- !(data->flags & DETECT_PCRE_RELATIVE) ||
+ data->flags & DETECT_PCRE_RELATIVE ||
data->flags & DETECT_PCRE_URI) {
result = 0;
goto end;
static int DetectPktDataSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
{
SCEnter();
- s->init_flags &= (~SIG_FLAG_INIT_FILE_DATA);
+ s->init_flags &= (~SIG_FLAG_INIT_FILE_DATA & ~SIG_FLAG_INIT_DCE_STUB_DATA);
return 0;
}
else
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH);
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
+ "alproto set");
+ goto error;
+ }
+
/* Flagged the signature as to inspect the app layer data */
s->flags |= SIG_FLAG_APPLAYER;
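Review bot: The new alproto check at L1442-L1446 runs after `sm` has already been appended to the UMATCH (or sibling) list at L1440-L1441, so on `goto error` the signature's list still references a SigMatch that the error path presumably frees; the conflicting-keyword rejection should happen before the list append so the signature is left untouched when it is rejected. Other setup functions in this diff that reject a conflicting alproto do so before touching the sm_lists (see the endian check in the byte_extract hunk), and this one should match. The error label and the start of this function are outside the hunk.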
dubbed = 1;
}
- /* if we still haven't found that the sig is related to DCERPC,
- * it's a direct entry into Signature->[DETECT_SM_LIST_PMATCH] */
- if (s->alproto == ALPROTO_DCERPC) {
- SigMatch *dcem = NULL;
- SigMatch *dm = NULL;
- SigMatch *pm1 = NULL;
-
- SigMatch *pm1_ots = NULL;
- SigMatch *pm2_ots = NULL;
-
- dcem = SigMatchGetLastSMFromLists(s, 6,
- DETECT_DCE_IFACE, s->sm_lists_tail[DETECT_SM_LIST_AMATCH],
- DETECT_DCE_OPNUM, s->sm_lists_tail[DETECT_SM_LIST_AMATCH],
- DETECT_DCE_STUB_DATA, s->sm_lists_tail[DETECT_SM_LIST_AMATCH]);
-
- pm1_ots = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
- if (pm1_ots != NULL && pm1_ots->prev != NULL) {
- pm2_ots = SigMatchGetLastSMFromLists(s, 6,
- DETECT_CONTENT, pm1_ots->prev,
- DETECT_PCRE, pm1_ots->prev,
- DETECT_BYTEJUMP, pm1_ots->prev);
- }
-
- dm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
- pm1 = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
-
- if (dm == NULL && pm1 == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "\"within\" requires a "
- "preceding content keyword");
- goto error;
- }
-
- if (dm == NULL) {
- if (pm2_ots == NULL) {
- if (pm1->idx > dcem->idx) {
- /* transfer pm1 to dmatch list and within is against this */
- SigMatchTransferSigMatchAcrossLists(pm1,
- &s->sm_lists[DETECT_SM_LIST_PMATCH],
- &s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- &s->sm_lists[DETECT_SM_LIST_DMATCH],
- &s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
- pm = pm1;
- } else {
- /* within is against pm1 and we continue this way */
- pm = pm1;
- }
- } else if (pm2_ots->idx > dcem->idx) {
- /* within is against pm1, pm = pm1; */
- pm = pm1;
- } else if (pm1->idx > dcem->idx) {
- /* transfer pm1 to dmatch list and within is against this */
- SigMatchTransferSigMatchAcrossLists(pm1,
- &s->sm_lists[DETECT_SM_LIST_PMATCH],
- &s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- &s->sm_lists[DETECT_SM_LIST_DMATCH],
- &s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
- pm = pm1;
- } else {
- /* within is against pm1 and we continue this way */
- pm = pm1;
- }
- } else {
- if (pm1 == NULL) {
- /* within is against dm and continue this way */
- pm = dm;
- } else if (dm->idx > pm1->idx) {
- /* within is against dm */
- pm = dm;
- } else if (pm2_ots == NULL || pm2_ots->idx < dcem->idx) {
- /* trasnfer pm1 to dmatch list and pm = pm1 */
- SigMatchTransferSigMatchAcrossLists(pm1,
- &s->sm_lists[DETECT_SM_LIST_PMATCH],
- &s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- &s->sm_lists[DETECT_SM_LIST_DMATCH],
- &s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
- pm = pm1;
- } else {
- /* within is against pm1, pm = pm1 */
- pm = pm1;
- }
- }
- } else {
- pm = SigMatchGetLastSMFromLists(s, 28,
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
- if (pm == NULL) {
- SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "\"within\" requires "
- "preceding content, uricontent, http_client_body, "
- "http_server_body, http_header, http_raw_header, "
- "http_method, http_cookie, http_raw_uri, "
- "http_stat_msg, http_stat_code, http_user_agent, "
- "http_host or http_raw_host option");
- if (dubbed)
- SCFree(str);
- return -1;
- }
+ pm = SigMatchGetLastSMFromLists(s, 30,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ if (pm == NULL) {
+ SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "\"within\" requires "
+ "preceding content, uricontent, http_client_body, "
+ "http_server_body, http_header, http_raw_header, "
+ "http_method, http_cookie, http_raw_uri, "
+ "http_stat_msg, http_stat_code or http_user_agent "
+ "option");
+ if (dubbed)
+ SCFree(str);
+ return -1;
}
DetectContentData *cd = NULL;
DETECT_CONTENT, pm->prev,
DETECT_PCRE, pm->prev,
DETECT_BYTEJUMP, pm->prev);
- if (pm == NULL) {
- if (s->alproto == ALPROTO_DCERPC) {
- SCLogDebug("content relative without a previous content based "
- "keyword. Holds good only in the case of DCERPC "
- "alproto like now.");
- } else {
- //SCLogError(SC_ERR_INVALID_SIGNATURE, "No related "
- // "previous-previous content or pcre keyword");
- //goto error;
- ;
- }
- } else {
+ if (pm != NULL) {
switch (pm->type) {
case DETECT_CONTENT:
/* Set the relative next flag on the prev sigmatch */
#define SIG_FLAG_INIT_BIDIREC (1<<3) /**< signature has bidirectional operator */
#define SIG_FLAG_INIT_PAYLOAD (1<<4) /**< signature is inspecting the packet payload */
#define SIG_FLAG_INIT_FILE_DATA (1<<5) /**< file_data set */
+#define SIG_FLAG_INIT_DCE_STUB_DATA (1<<6) /**< dce_stub_data set */
/* signature mask flags */
#define SIG_MASK_REQUIRE_PAYLOAD (1<<0)