goto error;
int sm_list;
- if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
+ if (s->list != DETECT_SM_LIST_NOTSET) {
+ if (s->list == DETECT_SM_LIST_HSBDMATCH) {
if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "dce byte_extract specified "
"with file_data option set.");
goto error;
}
AppLayerHtpEnableResponseBodyCallback();
- sm_list = DETECT_SM_LIST_HSBDMATCH;
- } else {
- sm_list = DETECT_SM_LIST_DMATCH;
}
+ sm_list = s->list;
s->flags |= SIG_FLAG_APPLAYER;
if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
prev_pm = SigMatchGetLastSMFromLists(s, 4,
goto error;
int sm_list;
- if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
+ if (s->list != DETECT_SM_LIST_NOTSET) {
+ if (s->list == DETECT_SM_LIST_HSBDMATCH) {
if (data->flags & DETECT_BYTEJUMP_DCE) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "dce bytejump specified "
"with file_data option set.");
goto error;
}
AppLayerHtpEnableResponseBodyCallback();
- sm_list = DETECT_SM_LIST_HSBDMATCH;
- } else {
- sm_list = DETECT_SM_LIST_DMATCH;
}
+ sm_list = s->list;
s->flags |= SIG_FLAG_APPLAYER;
if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
prev_pm = SigMatchGetLastSMFromLists(s, 4,
goto error;
int sm_list;
- if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
+ if (s->list != DETECT_SM_LIST_NOTSET) {
+ if (s->list == DETECT_SM_LIST_HSBDMATCH) {
if (data->flags & DETECT_BYTETEST_DCE) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "dce bytetest specified "
"with file_data option set.");
goto error;
}
AppLayerHtpEnableResponseBodyCallback();
- sm_list = DETECT_SM_LIST_HSBDMATCH;
- } else {
- sm_list = DETECT_SM_LIST_DMATCH;
}
+ sm_list = s->list;
s->flags |= SIG_FLAG_APPLAYER;
if (data->flags & DETECT_BYTETEST_RELATIVE) {
prev_pm = SigMatchGetLastSMFromLists(s, 4,
DetectContentPrint(cd);
int sm_list;
- if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
+ if (s->list != DETECT_SM_LIST_NOTSET) {
+ if (s->list == DETECT_SM_LIST_HSBDMATCH) {
AppLayerHtpEnableResponseBodyCallback();
s->alproto = ALPROTO_HTTP;
- sm_list = DETECT_SM_LIST_HSBDMATCH;
- } else {
- sm_list = DETECT_SM_LIST_DMATCH;
}
s->flags |= SIG_FLAG_APPLAYER;
+ sm_list = s->list;
} else {
sm_list = DETECT_SM_LIST_PMATCH;
}
goto error;
}
- s->init_flags |= SIG_FLAG_INIT_DCE_STUB_DATA;
+ s->list = DETECT_SM_LIST_DMATCH;
s->alproto = ALPROTO_DCERPC;
s->flags |= SIG_FLAG_APPLAYER;
return 0;
}
/* retrive the sm to apply the depth against */
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA)
- pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
- else
- pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
+ if (s->list != DETECT_SM_LIST_NOTSET) {
+ pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[s->list]);
} else {
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
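Review bot: The new index `s->sm_lists_tail[s->list]` is guarded only by `s->list != DETECT_SM_LIST_NOTSET`, so any other out-of-range value would read outside the array. The enum hunk in this commit places `DETECT_SM_LIST_NOTSET` after `DETECT_SM_LIST_MAX`, and the array is presumably sized by `DETECT_SM_LIST_MAX`. Asserting the range as the first statement of the branch would state that invariant: `BUG_ON(s->list < 0 || s->list >= DETECT_SM_LIST_MAX);`. The same pattern appears in the four other hunks that collapse the two `SigMatchGetLastSMFromLists(s, 2, ...)` calls into one. The enclosing function starts and ends outside this hunk.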
}
/* retrive the sm to apply the depth against */
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA)
- pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
- else
- pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
+ if (s->list != DETECT_SM_LIST_NOTSET) {
+ pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[s->list]);
} else {
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
r = HashTableLookup(ht->hash, (void *)e, sizeof(MpmPatternIdTableElmt));
if (r == NULL) {
- if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
- BUG_ON((sm_list != DETECT_SM_LIST_HSBDMATCH) & (sm_list != DETECT_SM_LIST_DMATCH));
+ if (s->list != DETECT_SM_LIST_NOTSET) {
+ BUG_ON((sm_list != DETECT_SM_LIST_HSBDMATCH) && (sm_list != DETECT_SM_LIST_DMATCH));
e->id = ht->max_id;
ht->max_id++;
id = e->id;
} else {
/* oh cool! It is a duplicate for content, uricontent types. Update the
* dup_count and get out */
- if ((s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) ||
+ if ((s->list != DETECT_SM_LIST_NOTSET) ||
sm_list == DETECT_SM_LIST_PMATCH) {
/* we have a duplicate */
r->dup_count++;
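Review bot: The `BUG_ON` under `if (s->list != DETECT_SM_LIST_NOTSET)` still whitelists only `DETECT_SM_LIST_HSBDMATCH` and `DETECT_SM_LIST_DMATCH`, although the condition now covers any sticky buffer. A later keyword that sets `s->list` to a different list would abort the engine while rules are loading, which for a sensor is an availability problem rather than a rejected rule. If callers always pass the sticky list as `sm_list` (not visible in this hunk), `BUG_ON(sm_list != s->list);` expresses the invariant without naming individual lists. The function body starts and ends outside the hunk.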
SCLogError(SC_ERR_INVALID_SIGNATURE, "Can't use file_data with flow:to_server or from_client with http.");
return -1;
}
- s->init_flags |= SIG_FLAG_INIT_FILE_DATA;
+
+ s->list = DETECT_SM_LIST_HSBDMATCH;
return 0;
}
goto end;
int sm_list;
- if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
+ if (s->list != DETECT_SM_LIST_NOTSET) {
+ if (s->list == DETECT_SM_LIST_HSBDMATCH) {
AppLayerHtpEnableResponseBodyCallback();
s->alproto = ALPROTO_HTTP;
- sm_list = DETECT_SM_LIST_HSBDMATCH;
- } else {
- sm_list = DETECT_SM_LIST_DMATCH;
}
+ sm_list = s->list;
s->flags |= SIG_FLAG_APPLAYER;
if (idad->flags & ISDATAAT_RELATIVE) {
prev_pm = SigMatchGetLastSMFromLists(s, 4,
}
/* retrive the sm to apply the depth against */
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA)
- pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
- else
- pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
+ if (s->list != DETECT_SM_LIST_NOTSET) {
+ pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[s->list]);
} else {
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
}
/* retrive the sm to apply the depth against */
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA)
- pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
- else
- pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
+ if (s->list != DETECT_SM_LIST_NOTSET) {
+ pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[s->list]);
} else {
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
goto end;
}
- if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ if (s->list != DETECT_SM_LIST_NOTSET) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"%s\" keyword seen "
"with a sticky buffer still set. Reset sticky buffer "
"with pkt_data before using the modifier.",
* overwritten after the Signature has been parsed, and if it hasn't been
* overwritten, we can then assign the default value of 3 */
sig->prio = -1;
+
+ sig->list = DETECT_SM_LIST_NOTSET;
return sig;
}
"for the rule.");
goto error;
}
- if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ if (s->list != DETECT_SM_LIST_NOTSET) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre found with http "
"modifier set, with file_data/dce_stub_data sticky "
"option set.");
"for the rule.");
goto error;
}
- if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
+ if (s->list != DETECT_SM_LIST_NOTSET) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre found with dns "
"modifier set, with file_data/dce_stub_data sticky "
"option set.");
}
int sm_list;
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
- SCLogDebug("adding to http server body list because of file data");
- s->flags |= SIG_FLAG_APPLAYER;
- AppLayerHtpEnableResponseBodyCallback();
- sm_list = DETECT_SM_LIST_HSBDMATCH;
- } else if (s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) {
- SCLogDebug("adding to dmatch list because of dce_stub_data");
+ if (s->list != DETECT_SM_LIST_NOTSET) {
+ if (s->list == DETECT_SM_LIST_HSBDMATCH) {
+ SCLogDebug("adding to http server body list because of file data");
+ AppLayerHtpEnableResponseBodyCallback();
+ } else if (s->list == DETECT_SM_LIST_DMATCH) {
+ SCLogDebug("adding to dmatch list because of dce_stub_data");
+ }
s->flags |= SIG_FLAG_APPLAYER;
- sm_list = DETECT_SM_LIST_DMATCH;
+ sm_list = s->list;
} else if (pd->flags & DETECT_PCRE_URI) {
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
static int DetectPktDataSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
{
SCEnter();
- s->init_flags &= (~SIG_FLAG_INIT_FILE_DATA & ~SIG_FLAG_INIT_DCE_STUB_DATA);
+ s->list = DETECT_SM_LIST_NOTSET;
return 0;
}
}
- if (sig->init_flags & SIG_FLAG_INIT_FILE_DATA) {
- printf("sm init_flags SIG_FLAG_INIT_FILE_DATA set: ");
+ if (sig->list != DETECT_SM_LIST_NOTSET) {
+ printf("sticky buffer set: ");
goto end;
}
return -1;
}
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) {
+ if (s->list != DETECT_SM_LIST_NOTSET) {
SCLogError(SC_ERR_RAWBYTES_FILE_DATA, "\"rawbytes\" cannot be combined with \"file_data\"");
SCReturnInt(-1);
}
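Review bot: The rawbytes check is broader than before: the old condition tested only `SIG_FLAG_INIT_FILE_DATA`, while `s->list != DETECT_SM_LIST_NOTSET` is also true after `dce_stub_data`. A rule combining `dce_stub_data` with `rawbytes` is now rejected, and the log line and `SC_ERR_RAWBYTES_FILE_DATA` still blame `file_data`. If the old behaviour is intended, use `if (s->list == DETECT_SM_LIST_HSBDMATCH) {`. If the wider rejection is intended, the message should say so, for example `"\"rawbytes\" cannot be combined with a sticky buffer"`. A rule dropped at load time with a misleading reason is easy to miss and leaves a detection gap.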
}
/* retrive the sm to apply the depth against */
- if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
- if (s->init_flags & SIG_FLAG_INIT_FILE_DATA)
- pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
- else
- pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
+ if (s->list != DETECT_SM_LIST_NOTSET) {
+ pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[s->list]);
} else {
pm = SigMatchGetLastSMFromLists(s, 28,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
/* list for alert thresholding */
DETECT_SM_LIST_THRESHOLD,
DETECT_SM_LIST_MAX,
+
+ /* used for Signature->list, which indicates which list
+ * we're adding keywords to in cases of sticky buffers like
+ * file_data */
+ DETECT_SM_LIST_NOTSET,
};
/* a is ... than b */
#define SIG_FLAG_INIT_FLOW (1<<2) /**< signature has a flow setting */
#define SIG_FLAG_INIT_BIDIREC (1<<3) /**< signature has bidirectional operator */
#define SIG_FLAG_INIT_PAYLOAD (1<<4) /**< signature is inspecting the packet payload */
-#define SIG_FLAG_INIT_FILE_DATA (1<<5) /**< file_data set */
-#define SIG_FLAG_INIT_DCE_STUB_DATA (1<<6) /**< dce_stub_data set */
/* signature mask flags */
#define SIG_MASK_REQUIRE_PAYLOAD (1<<0)
* to warn the user about any possible problem */
char *sig_str;
+ int list;
+
/** ptr to the next sig in the list */
struct Signature_ *next;
} Signature;
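Review bot: The new `int list;` member has no doc comment, unlike the members around it, and its contract is not obvious from the name. I would add `/** DETECT_SM_LIST_* id that keywords are added to while a sticky buffer (file_data, dce_stub_data) is active, DETECT_SM_LIST_NOTSET otherwise */`. It is worth stating there that the "not set" value is non-zero, so a zero-filled `Signature` does not read as "no sticky buffer". Every `s->list != DETECT_SM_LIST_NOTSET` test in this commit therefore relies on the assignment added in the allocation hunk. The struct definition begins outside this hunk.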