DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
if (pm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "No preceding content "
- "or uricontent or pcre option");
- return -1;
+ SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
+ return 0;
}
int list = SigMatchListSMBelongsTo(s, pm);
if (list == DETECT_SM_LIST_UMATCH)
"since this is an alproto sig.");
return 0;
} else {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "No preceding content "
- "or uricontent or pcre option");
- return -1;
+ return 0;
}
}
"since this is an alproto sig.");
return 0;
} else {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "No preceding content "
- "or uricontent or pcre option");
- return -1;
+ return 0;
}
}
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; within:5; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; within:5; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(content:\"one\"; within:5; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(content:\"one\"; within:5; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
"(flow:to_server; content:\"one\"; within:5; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; within:5; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; within:5; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(content:\"one\"; within:5; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; within:5; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- printf("de_ctx->sig_list != NULL\n");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
goto end;
}
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]);
if (pm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "isdataat relative seen "
- "without a previous content uricontent, "
- "http_client_body, http_header, http_raw_header, "
- "http_method, http_cookie, http_raw_uri, "
- "http_stat_msg, http_stat_code, byte_test, "
- "byte_extract, byte_jump, http_user_agent, "
- "http_host or http_raw_host keyword");
- goto error;
+ SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);
+ if (offset != NULL) {
+ SigMatch *bed_sm =
+ DetectByteExtractRetrieveSMVar(offset, s,
+ SigMatchListSMBelongsTo(s, sm));
+ if (bed_sm == NULL) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
+ "seen in isdataat - %s\n", offset);
+ goto error;
+ }
+ DetectIsdataatData *isdd = sm->ctx;
+ isdd->dataat = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
+ isdd->flags |= ISDATAAT_OFFSET_BE;
+ SCFree(offset);
+ }
+ SCReturnInt(0);
} else {
int list_type = SigMatchListSMBelongsTo(s, pm);
if (list_type == -1) {
#endif /* HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW */
}
- if (s->alproto == ALPROTO_DCERPC) {
- /* \todo We haven't covered dce rpc cases now. They need special
- * treatment, since they do allow distance, within without a
- * previous content, but with respect to the stub buffer */
- ;
- } else {
- SigMatch *sm;
- for (sm = s->sm_lists[DETECT_SM_LIST_PMATCH]; sm != NULL; sm = sm->next) {
- if (sm->type == DETECT_CONTENT) {
- DetectContentData *cd = (DetectContentData *)sm->ctx;
- if ((cd->flags & DETECT_CONTENT_DISTANCE) ||
- (cd->flags & DETECT_CONTENT_WITHIN)) {
- SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_PCRE, sm->prev,
- DETECT_BYTEJUMP, sm->prev);
- if (pm == NULL) {
- SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "within needs two "
- "preceding content or uricontent options");
- SCReturnInt(0);
- } else {
- break;
- }
- } else {
- break;
- }
- }
- }
- }
-
if (s->sm_lists[DETECT_SM_LIST_HHHDMATCH] != NULL) {
for (SigMatch *sm = s->sm_lists[DETECT_SM_LIST_HHHDMATCH];
sm != NULL; sm = sm->next) {
pd->flags &= ~DETECT_PCRE_RELATIVE;
SCReturnInt(0);
} else {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "No preceding content "
- "or uricontent or pcre option");
- SCReturnInt(-1);
+ SCReturnInt(0);
}
}
}
"content:\"GET\"; "
"http_cookie; pcre:\"/abc/RM\"; sid:1;)");
- if (de_ctx->sig_list == NULL) {
+ if (de_ctx->sig_list != NULL) {
result = 1;
} else {
- printf("sig parse should have failed: ");
+ printf("sig parse shouldn't have failed: ");
}
end:
projects / thirdparty / suricata.git / commitdiff
