void DetectPcreRegister (void) {
sigmatch_table[DETECT_PCRE].name = "pcre";
- sigmatch_table[DETECT_PCRE].Match = DetectPcreMatch;
+ sigmatch_table[DETECT_PCRE].Match = NULL;
sigmatch_table[DETECT_PCRE].AppLayerMatch = NULL;
sigmatch_table[DETECT_PCRE].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_PCRE].Setup = DetectPcreSetup;
return;
}
-/**
- * \brief Match a regex on data sent at an http method (needs the l7 parser).
- *
- * \param det_ctx Thread detection ctx.
- * \param s Signature.
- * \param sm SigMatch to match against.
- * \param data Data to match against.
- * \param data_len Data length.
- *
- * \retval 1: match
- * \retval 0: no match
- */
-int DetectPcreALDoMatchMethod(DetectEngineThreadCtx *det_ctx, Signature *s,
- SigMatch *m, Flow *f, uint8_t flags,
- void *state)
-{
- SCEnter();
-
- int ret = 0;
- int toret = 0;
- int idx;
-
-#define MAX_SUBSTRINGS 30
- int ov[MAX_SUBSTRINGS];
- uint8_t *ptr = NULL;
- uint16_t len = 0;
-
- DetectPcreData *pe = (DetectPcreData *)m->ctx;
-
- FLOWLOCK_RDLOCK(f);
-
- HtpState *htp_state = (HtpState *)state;
- if (htp_state == NULL) {
- SCLogDebug("no HTTP layer state has been received, so no match");
- goto end;
- }
-
- if (!(htp_state->flags & HTP_FLAG_STATE_OPEN)) {
- SCLogDebug("HTP state not yet properly setup, so no match");
- goto end;
- }
-
- SCLogDebug("htp_state %p, flow %p", htp_state, f);
- SCLogDebug("htp_state->connp %p", htp_state->connp);
- SCLogDebug("htp_state->connp->conn %p", htp_state->connp->conn);
-
- if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
- SCLogDebug("HTTP connection structure is NULL");
- goto end;
- }
-
- htp_tx_t *tx = NULL;
-
- idx = AppLayerTransactionGetInspectId(f);
- if (idx == -1) {
- goto end;
- }
-
- int size = (int)list_size(htp_state->connp->conn->transactions);
- for (; idx < size; idx++)
- {
- tx = list_get(htp_state->connp->conn->transactions, idx);
- if (tx == NULL)
- continue;
-
- ptr = (uint8_t *) bstr_ptr(tx->request_method);
- len = bstr_size(tx->request_method);
- if (ptr == NULL)
- continue;
-
- //printf("Matching Method");
- //PrintRawUriFp(stdout, (uint8_t*)ptr, len);
-
- /* run the actual pcre detection */
- ret = pcre_exec(pe->re, pe->sd, (char *)ptr, len, 0, 0, ov, MAX_SUBSTRINGS);
- SCLogDebug("ret %d (negating %s)", ret, (pe->flags & DETECT_PCRE_NEGATE) ? "set" : "not set");
-
- if (ret == PCRE_ERROR_NOMATCH) {
- if (pe->flags & DETECT_PCRE_NEGATE) {
- /* regex didn't match with negate option means we
- * consider it a match */
- ret = 1;
- toret |= ret;
- break;
- } else {
- ret = 0;
- }
- toret |= ret;
- } else if (ret >= 0) {
- if (pe->flags & DETECT_PCRE_NEGATE) {
- /* regex matched but we're negated, so not
- * considering it a match */
- ret = 0;
- } else {
- /* regex matched and we're not negated,
- * considering it a match */
- ret = 1;
- toret |= ret;
- break;
- }
- } else {
- SCLogDebug("pcre had matching error");
- ret = 0;
- }
- }
-
-end:
- FLOWLOCK_UNLOCK(f);
-
- SCReturnInt(toret);
-}
-
-/**
- * \brief Match a regex on data sent at an http cookie (needs the l7 parser).
- *
- * \param det_ctx Thread detection ctx.
- * \param s Signature.
- * \param sm SigMatch to match against.
- * \param data Data to match against.
- * \param data_len Data length.
- *
- * \retval 1: match
- * \retval 0: no match
- */
-int DetectPcreALDoMatchCookie(DetectEngineThreadCtx *det_ctx, Signature *s,
- SigMatch *m, Flow *f, uint8_t flags,
- void *state)
-{
- SCEnter();
-
- int ret = 0;
- int toret = 0;
- int idx;
-
-#define MAX_SUBSTRINGS 30
- int ov[MAX_SUBSTRINGS];
- uint8_t *ptr = NULL;
- uint16_t len = 0;
-
- DetectPcreData *pe = (DetectPcreData *)m->ctx;
-
- FLOWLOCK_RDLOCK(f);
-
- HtpState *htp_state = (HtpState *)state;
- if (htp_state == NULL) {
- SCLogDebug("no HTTP layer state has been received, so no match");
- goto end;
- }
-
- if (!(htp_state->flags & HTP_FLAG_STATE_OPEN)) {
- SCLogDebug("HTP state not yet properly setup, so no match");
- goto end;
- }
-
- SCLogDebug("htp_state %p, flow %p", htp_state, f);
- SCLogDebug("htp_state->connp %p", htp_state->connp);
- SCLogDebug("htp_state->connp->conn %p", htp_state->connp->conn);
-
- if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
- SCLogDebug("HTTP connection structure is NULL");
- goto end;
- }
-
- htp_tx_t *tx = NULL;
-
- idx = AppLayerTransactionGetInspectId(f);
- if (idx == -1) {
- goto end;
- }
-
- int size = (int)list_size(htp_state->connp->conn->transactions);
- for (; idx < size; idx++)
- {
- tx = list_get(htp_state->connp->conn->transactions, idx);
- if (tx == NULL)
- continue;
-
- htp_header_t *h = NULL;
- h = (htp_header_t *) table_getc(tx->request_headers, "Cookie");
- if (h == NULL) {
- SCLogDebug("no HTTP Cookie header in the received request");
- goto end;
- }
- ptr = (uint8_t *) bstr_ptr(h->value);
- len = bstr_size(h->value);
-
- if (ptr == NULL)
- continue;
-
- //printf("Matching Cookie");
- //PrintRawUriFp(stdout, (uint8_t*)ptr, len);
-
- SCLogDebug("we have a cookie header");
-
- /* run the actual pcre detection */
- ret = pcre_exec(pe->re, pe->sd, (char *)ptr, len, 0, 0, ov, MAX_SUBSTRINGS);
- SCLogDebug("ret %d (negating %s)", ret, (pe->flags & DETECT_PCRE_NEGATE) ? "set" : "not set");
-
- if (ret == PCRE_ERROR_NOMATCH) {
- if (pe->flags & DETECT_PCRE_NEGATE) {
- /* regex didn't match with negate option means we
- * consider it a match */
- ret = 1;
- toret |= ret;
- break;
- } else {
- ret = 0;
- }
- toret |= ret;
- } else if (ret >= 0) {
- if (pe->flags & DETECT_PCRE_NEGATE) {
- /* regex matched but we're negated, so not
- * considering it a match */
- ret = 0;
- } else {
- /* regex matched and we're not negated,
- * considering it a match */
- ret = 1;
- toret |= ret;
- break;
- }
- } else {
- SCLogDebug("pcre had matching error");
- if (pe->flags & DETECT_PCRE_NEGATE) {
- ret = 1;
- toret |= ret;
- break;
- } else {
- ret = 0;
- }
- toret |= ret;
- }
- }
-
-end:
- FLOWLOCK_UNLOCK(f);
- SCReturnInt(toret);
-}
-
-/**
- * \brief match the specified pcre at http method, requesting it from htp/L7
- *
- * \param t pointer to thread vars
- * \param det_ctx pointer to the pattern matcher thread
- * \param p pointer to the current packet
- * \param m pointer to the sigmatch that we will cast into DetectPcreData
- *
- * \retval int 0 no match; 1 match
- */
-int DetectPcreALMatchMethod(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
- uint8_t flags, void *state, Signature *s, SigMatch *m)
-{
- int r = DetectPcreALDoMatchMethod(det_ctx, s, m, f, flags, state);
- SCReturnInt(r);
-}
-
-/**
- * \brief match the specified pcre at http cookie, requesting it from htp/L7
- *
- * \param t pointer to thread vars
- * \param det_ctx pointer to the pattern matcher thread
- * \param p pointer to the current packet
- * \param m pointer to the sigmatch that we will cast into DetectPcreData
- *
- * \retval int 0 no match; 1 match
- */
-int DetectPcreALMatchCookie(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
- uint8_t flags, void *state, Signature *s, SigMatch *m)
-{
- int r = DetectPcreALDoMatchCookie(det_ctx, s, m, f, flags, state);
- SCReturnInt(r);
-}
-
/**
* \brief Match a regex on a single payload.
*
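Review bot: The `sigmatch_table[DETECT_PCRE].Match = NULL;` assignment in DetectPcreRegister leaves the pcre keyword with both `Match` and `AppLayerMatch` NULL while `alproto = ALPROTO_HTTP` stays set, and nothing in the hunk records which inspection path now runs pcre; add a comment on that line, e.g. `/* pcre is run by the payload inspection engine, not the per-packet Match callback */`, and confirm that every loop over sigmatch_table checks for a NULL Match before calling it. The removed DetectPcrePacketPayloadMatch/DetectPcrePayloadDoMatch bodies also carried the substring capture (pcre_get_substring followed by PktVarAdd/FlowVarAddStr) and the `det_ctx->buffer_offset` update for DETECT_PCRE_RELATIVE, and the retained "Match a regex on a single payload" function is only partially visible here, so verify it still performs both or capture and relative-match signatures stop firing without any error. With the HTTP method and cookie matchers dropped in the same hunk, the `alproto = ALPROTO_HTTP` line appears stale and should be removed or justified in the same comment.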
SCReturnInt(ret);
}
-/**
- * \brief match a regex on a single payload'
- *
- * \param det_ctx thread detection ctx
- * \param p packet
- * \param s signature
- * \param sm sig match to match against
- *
- * \retval 1 match
- * \retval 0 no match
- */
-int DetectPcrePacketPayloadMatch(DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *sm) {
- SCEnter();
-#define MAX_SUBSTRINGS 30
- int ret = 0;
- int ov[MAX_SUBSTRINGS];
- uint8_t *ptr = NULL;
- uint16_t len = 0;
-
- if (p->payload_len == 0)
- SCReturnInt(0);
-
- DetectPcreData *pe = (DetectPcreData *)sm->ctx;
-
- /* If we want to inspect the http body, we will use HTP L7 parser */
- if (pe->flags & DETECT_PCRE_HTTP_CLIENT_BODY)
- SCReturnInt(0);
-
- if (pe->flags & DETECT_PCRE_RELATIVE) {
- ptr = p->payload + det_ctx->buffer_offset;
- len = p->payload_len - det_ctx->buffer_offset;
- if (ptr == NULL || len == 0)
- SCReturnInt(0);
- } else {
- ptr = p->payload;
- len = p->payload_len;
- }
-
- /* run the actual pcre detection */
- ret = pcre_exec(pe->re, pe->sd, (char *)ptr, len, 0, 0, ov, MAX_SUBSTRINGS);
- SCLogDebug("ret %d (negating %s)", ret, (pe->flags & DETECT_PCRE_NEGATE) ? "set" : "not set");
-
- if (ret == PCRE_ERROR_NOMATCH) {
- if (pe->flags & DETECT_PCRE_NEGATE) {
- /* regex didn't match with negate option means we
- * consider it a match */
- ret = 1;
- } else {
- ret = 0;
- }
- } else if (ret >= 0) {
- if (pe->flags & DETECT_PCRE_NEGATE) {
- /* regex matched but we're negated, so not
- * considering it a match */
- ret = 0;
- } else {
- /* regex matched and we're not negated,
- * considering it a match */
-
- /* see if we need to do substring capturing. */
- if (ret > 1 && pe->capidx != 0) {
- const char *str_ptr;
- ret = pcre_get_substring((char *)ptr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
- if (ret) {
- if (pe->flags & DETECT_PCRE_CAPTURE_PKT) {
- PktVarAdd(p, pe->capname, (uint8_t *)str_ptr, ret);
- } else if (pe->flags & DETECT_PCRE_CAPTURE_FLOW) {
- FlowVarAddStr(p->flow, pe->capidx, (uint8_t *)str_ptr, ret);
- }
- }
- }
-
- /* update offset for pcre RELATIVE */
- det_ctx->buffer_offset = (ptr+ov[1]) - p->payload;
-
- ret = 1;
- }
-
- } else {
- SCLogDebug("pcre had matching error");
- ret = 0;
- }
- SCReturnInt(ret);
-}
-
-/**
- * \brief Match a regex on data sent as arg.
- *
- * \param det_ctx Thread detection ctx.
- * \param s Signature.
- * \param sm SigMatch to match against.
- * \param data Data to match against.
- * \param data_len Data length.
- *
- * \retval 1: match
- * \retval 0: no match
- */
-int DetectPcrePayloadDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s,
- SigMatch *sm, Packet *p, uint8_t *data,
- uint16_t data_len)
-{
- SCEnter();
-
-#define MAX_SUBSTRINGS 30
- int ret = 0;
- int ov[MAX_SUBSTRINGS];
- uint8_t *ptr = NULL;
- uint16_t len = 0;
-
- if (data_len == 0)
- SCReturnInt(0);
-
- DetectPcreData *pe = (DetectPcreData *)sm->ctx;
-
- /* If we want to inspect the http body, we will use HTP L7 parser */
- if (pe->flags & DETECT_PCRE_HTTP_CLIENT_BODY)
- SCReturnInt(0);
-
- if (pe->flags & DETECT_PCRE_RELATIVE) {
- ptr = data + det_ctx->buffer_offset;
- len = data_len - det_ctx->buffer_offset;
- if (ptr == NULL || len == 0)
- SCReturnInt(0);
- } else {
- ptr = data;
- len = data_len;
- }
-
- /* run the actual pcre detection */
- ret = pcre_exec(pe->re, pe->sd, (char *)ptr, len, 0, 0, ov, MAX_SUBSTRINGS);
- SCLogDebug("ret %d (negating %s)", ret, (pe->flags & DETECT_PCRE_NEGATE) ? "set" : "not set");
-
- if (ret == PCRE_ERROR_NOMATCH) {
- if (pe->flags & DETECT_PCRE_NEGATE) {
- /* regex didn't match with negate option means we
- * consider it a match */
- ret = 1;
- } else {
- ret = 0;
- }
- } else if (ret >= 0) {
- if (pe->flags & DETECT_PCRE_NEGATE) {
- /* regex matched but we're negated, so not
- * considering it a match */
- ret = 0;
- } else {
- /* regex matched and we're not negated,
- * considering it a match */
-
- /* see if we need to do substring capturing. */
- if (ret > 1 && pe->capidx != 0) {
- const char *str_ptr;
- ret = pcre_get_substring((char *)ptr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
- if (ret) {
- if (pe->flags & DETECT_PCRE_CAPTURE_PKT) {
- PktVarAdd(p, pe->capname, (uint8_t *)str_ptr, ret);
- } else if (pe->flags & DETECT_PCRE_CAPTURE_FLOW) {
- FlowVarAddStr(p->flow, pe->capidx, (uint8_t *)str_ptr, ret);
- }
- }
- }
-
- /* update offset for pcre RELATIVE */
- det_ctx->buffer_offset = (ptr + ov[1]) - data;
-
- ret = 1;
- }
-
- } else {
- SCLogDebug("pcre had matching error");
- ret = 0;
- }
- SCReturnInt(ret);
-}
-
-/**
- * \brief DetectPcreMatch will try to match a regex on a single packet;
- * DetectPcreALMatch is used if we parse the option 'P'
- *
- * \param t pointer to the threadvars structure
- * \param det_ctx thread detection ctx
- * \param p packet
- * \param s signature
- * \param sm sig match to match against
- *
- * \retval 1: match
- * \retval 0: no match
- */
-int DetectPcreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p,
- Signature *s, SigMatch *sm)
-{
- SCEnter();
- int r = DetectPcrePacketPayloadMatch(det_ctx, p, s, sm);
- SCReturnInt(r);
-}
-
DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr)
{
int ec;