From: Victor Julien Date: Fri, 28 Jun 2013 14:24:10 +0000 (+0200) Subject: Content: set up sticky buffers like file_data and dce_stub_data w/o flags, but with... X-Git-Tag: suricata-2.0beta1~50 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7292998a58b9d96d83903854899ef65ee2f784e5;p=thirdparty%2Fsuricata.git Content: set up sticky buffers like file_data and dce_stub_data w/o flags, but with a list variable --- diff --git a/src/detect-byte-extract.c b/src/detect-byte-extract.c index 6a20b188d0..a7225f31f8 100644 --- a/src/detect-byte-extract.c +++ b/src/detect-byte-extract.c @@ -545,18 +545,16 @@ int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) goto error; int sm_list; - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { + if (s->list != DETECT_SM_LIST_NOTSET) { + if (s->list == DETECT_SM_LIST_HSBDMATCH) { if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) { SCLogError(SC_ERR_INVALID_SIGNATURE, "dce byte_extract specified " "with file_data option set."); goto error; } AppLayerHtpEnableResponseBodyCallback(); - sm_list = DETECT_SM_LIST_HSBDMATCH; - } else { - sm_list = DETECT_SM_LIST_DMATCH; } + sm_list = s->list; s->flags |= SIG_FLAG_APPLAYER; if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) { prev_pm = SigMatchGetLastSMFromLists(s, 4, diff --git a/src/detect-bytejump.c b/src/detect-bytejump.c index ac65197b65..9549e8e4ca 100644 --- a/src/detect-bytejump.c +++ b/src/detect-bytejump.c 
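Review bot: The `s->list == DETECT_SM_LIST_HSBDMATCH` branch in DetectByteExtractSetup enables the response-body callback but never sets `s->alproto = ALPROTO_HTTP;`, while the same branch in DetectContentSetup and DetectIsdataatSetup does. DetectBytejumpSetup, DetectBytetestSetup and DetectPcreSetup share the omission, so a rule whose only keyword after file_data is one of these may keep whatever alproto it had before; this may be intentional, but the page does not show why. Either add the assignment here or leave a one-line comment stating why alproto is left untouched. Six setup functions now carry near-identical copies of this block, so a shared helper that returns `sm_list` would keep them from drifting further. The function body starts and ends outside the hunk.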
@@ -538,18 +538,16 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) goto error; int sm_list; - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { + if (s->list != DETECT_SM_LIST_NOTSET) { + if (s->list == DETECT_SM_LIST_HSBDMATCH) { if (data->flags & DETECT_BYTEJUMP_DCE) { SCLogError(SC_ERR_INVALID_SIGNATURE, "dce bytejump specified " "with file_data option set."); goto error; } AppLayerHtpEnableResponseBodyCallback(); - sm_list = DETECT_SM_LIST_HSBDMATCH; - } else { - sm_list = DETECT_SM_LIST_DMATCH; } + sm_list = s->list; s->flags |= SIG_FLAG_APPLAYER; if (data->flags & DETECT_BYTEJUMP_RELATIVE) { prev_pm = SigMatchGetLastSMFromLists(s, 4, diff --git a/src/detect-bytetest.c b/src/detect-bytetest.c index 7e849f1777..661bb310c9 100644 --- a/src/detect-bytetest.c +++ b/src/detect-bytetest.c @@ -459,18 +459,16 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) goto error; int sm_list; - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { + if (s->list != DETECT_SM_LIST_NOTSET) { + if (s->list == DETECT_SM_LIST_HSBDMATCH) { if (data->flags & DETECT_BYTETEST_DCE) { SCLogError(SC_ERR_INVALID_SIGNATURE, "dce bytetest specified " "with file_data option set."); goto error; } AppLayerHtpEnableResponseBodyCallback(); - sm_list = DETECT_SM_LIST_HSBDMATCH; - } else { - sm_list = DETECT_SM_LIST_DMATCH; } + sm_list = s->list; s->flags |= SIG_FLAG_APPLAYER; if (data->flags & DETECT_BYTETEST_RELATIVE) { prev_pm = SigMatchGetLastSMFromLists(s, 4, diff --git a/src/detect-content.c b/src/detect-content.c index 631466e4cd..0a885cdbab 100644 --- a/src/detect-content.c +++ b/src/detect-content.c 
@@ -384,16 +384,14 @@ int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, char *contentstr) DetectContentPrint(cd); int sm_list; - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { + if (s->list != DETECT_SM_LIST_NOTSET) { + if (s->list == DETECT_SM_LIST_HSBDMATCH) { AppLayerHtpEnableResponseBodyCallback(); s->alproto = ALPROTO_HTTP; - sm_list = DETECT_SM_LIST_HSBDMATCH; - } else { - sm_list = DETECT_SM_LIST_DMATCH; } s->flags |= SIG_FLAG_APPLAYER; + sm_list = s->list; } else { sm_list = DETECT_SM_LIST_PMATCH; } diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c index 7786fd5acd..72bf35af69 100644 --- a/src/detect-dce-stub-data.c +++ b/src/detect-dce-stub-data.c @@ -91,7 +91,7 @@ static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, char *a goto error; } - s->init_flags |= SIG_FLAG_INIT_DCE_STUB_DATA; + s->list = DETECT_SM_LIST_DMATCH; s->alproto = ALPROTO_DCERPC; s->flags |= SIG_FLAG_APPLAYER; return 0; diff --git a/src/detect-depth.c b/src/detect-depth.c index 6473ae8583..b075f1656f 100644 --- a/src/detect-depth.c +++ b/src/detect-depth.c @@ -71,11 +71,8 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths } /* retrive the sm to apply the depth against */ - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) - pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]); - else - pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); + if (s->list != DETECT_SM_LIST_NOTSET) { + pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[s->list]); } else { pm = SigMatchGetLastSMFromLists(s, 28, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], 
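Review bot: In DetectDepthSetup, `s->sm_lists_tail[s->list]` is indexed with a value that has only been compared against `DETECT_SM_LIST_NOTSET`. detect.h declares that sentinel after `DETECT_SM_LIST_MAX`, so a value equal to `DETECT_SM_LIST_MAX`, or a negative one, passes the guard. If the array is sized by `DETECT_SM_LIST_MAX`, that is an out-of-bounds read. Only file_data and dce_stub_data assign the field today, but the field exists so that more keywords can, and a cheap assertion as the first statement of the branch would catch a bad value at rule load: `BUG_ON(s->list < 0 || s->list >= DETECT_SM_LIST_MAX);`. The same applies to the identical hunks in DetectDistanceSetup, DetectNocaseSetup, DetectOffsetSetup and DetectWithinSetup.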
diff --git a/src/detect-distance.c b/src/detect-distance.c index b0cf071cd0..d0ab9e96c6 100644 --- a/src/detect-distance.c +++ b/src/detect-distance.c @@ -80,11 +80,8 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, } /* retrive the sm to apply the depth against */ - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) - pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]); - else - pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); + if (s->list != DETECT_SM_LIST_NOTSET) { + pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[s->list]); } else { pm = SigMatchGetLastSMFromLists(s, 28, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index 7aedf0c639..01c8ac80c3 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -2895,8 +2895,8 @@ uint32_t DetectPatternGetId(MpmPatternIdStore *ht, void *ctx, Signature *s, uint r = HashTableLookup(ht->hash, (void *)e, sizeof(MpmPatternIdTableElmt)); if (r == NULL) { - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - BUG_ON((sm_list != DETECT_SM_LIST_HSBDMATCH) & (sm_list != DETECT_SM_LIST_DMATCH)); + if (s->list != DETECT_SM_LIST_NOTSET) { + BUG_ON((sm_list != DETECT_SM_LIST_HSBDMATCH) && (sm_list != DETECT_SM_LIST_DMATCH)); e->id = ht->max_id; ht->max_id++; id = e->id; @@ -2960,7 +2960,7 @@ uint32_t DetectPatternGetId(MpmPatternIdStore *ht, void *ctx, Signature *s, uint } else { /* oh cool! It is a duplicate for content, uricontent types. Update the * dup_count and get out */ - if ((s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) || + if ((s->list != DETECT_SM_LIST_NOTSET) || sm_list == DETECT_SM_LIST_PMATCH) { /* we have a duplicate */ r->dup_count++; 
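Review bot: The `BUG_ON` in the `r == NULL` branch of DetectPatternGetId still accepts only `DETECT_SM_LIST_HSBDMATCH` and `DETECT_SM_LIST_DMATCH`, so the first new sticky buffer that sets `s->list` to any other list will abort the engine during rule loading. If `sm_list` is always the list the keyword was just added to (not visible in this hunk), `BUG_ON(sm_list != s->list);` expresses the invariant without a hard-coded whitelist. The `&` to `&&` change in the same line is a separate fix; it would be worth a mention in the commit message. The function body continues outside the hunk.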
diff --git a/src/detect-file-data.c b/src/detect-file-data.c index 7b826ca8fb..f1b8057906 100644 --- a/src/detect-file-data.c +++ b/src/detect-file-data.c @@ -78,7 +78,8 @@ static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, char *str SCLogError(SC_ERR_INVALID_SIGNATURE, "Can't use file_data with flow:to_server or from_client with http."); return -1; } - s->init_flags |= SIG_FLAG_INIT_FILE_DATA; + + s->list = DETECT_SM_LIST_HSBDMATCH; return 0; } diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index 9e2d31cd32..45b6fc768e 100644 --- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c @@ -260,14 +260,12 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst goto end; int sm_list; - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { + if (s->list != DETECT_SM_LIST_NOTSET) { + if (s->list == DETECT_SM_LIST_HSBDMATCH) { AppLayerHtpEnableResponseBodyCallback(); s->alproto = ALPROTO_HTTP; - sm_list = DETECT_SM_LIST_HSBDMATCH; - } else { - sm_list = DETECT_SM_LIST_DMATCH; } + sm_list = s->list; s->flags |= SIG_FLAG_APPLAYER; if (idad->flags & ISDATAAT_RELATIVE) { prev_pm = SigMatchGetLastSMFromLists(s, 4, diff --git a/src/detect-nocase.c b/src/detect-nocase.c index 6bab8f271e..6946135127 100644 --- a/src/detect-nocase.c +++ b/src/detect-nocase.c 
@@ -80,11 +80,8 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls } /* retrive the sm to apply the depth against */ - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) - pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]); - else - pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); + if (s->list != DETECT_SM_LIST_NOTSET) { + pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[s->list]); } else { pm = SigMatchGetLastSMFromLists(s, 28, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], diff --git a/src/detect-offset.c b/src/detect-offset.c index afbe44cf6b..34f45736e9 100644 --- a/src/detect-offset.c +++ b/src/detect-offset.c @@ -70,11 +70,8 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr) } /* retrive the sm to apply the depth against */ - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) - pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]); - else - pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); + if (s->list != DETECT_SM_LIST_NOTSET) { + pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[s->list]); } else { pm = SigMatchGetLastSMFromLists(s, 28, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], diff --git a/src/detect-parse.c b/src/detect-parse.c index 98324d65c1..c3ba7bf1c4 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c 
@@ -109,7 +109,7 @@ int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s goto end; } - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + if (s->list != DETECT_SM_LIST_NOTSET) { SCLogError(SC_ERR_INVALID_SIGNATURE, "\"%s\" keyword seen " "with a sticky buffer still set. Reset sticky buffer " "with pkt_data before using the modifier.", @@ -902,6 +902,8 @@ Signature *SigAlloc (void) { * overwritten after the Signature has been parsed, and if it hasn't been * overwritten, we can then assign the default value of 3 */ sig->prio = -1; + + sig->list = DETECT_SM_LIST_NOTSET; return sig; } diff --git a/src/detect-pcre.c b/src/detect-pcre.c index 24163c18c1..4d03e0e0d8 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -689,7 +689,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst "for the rule."); goto error; } - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + if (s->list != DETECT_SM_LIST_NOTSET) { SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre found with http " "modifier set, with file_data/dce_stub_data sticky " "option set."); @@ -705,7 +705,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst "for the rule."); goto error; } - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + if (s->list != DETECT_SM_LIST_NOTSET) { SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre found with dns " "modifier set, with file_data/dce_stub_data sticky " "option set."); 
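Review bot: `sig->list = DETECT_SM_LIST_NOTSET;` in SigAlloc is now load-bearing: a zero-filled Signature has `list == 0`, which is not the sentinel. Every `s->list != DETECT_SM_LIST_NOTSET` check in this commit would then treat such a signature as being inside a sticky buffer. The old flag test was false for a zeroed struct, so any code path or unit test that builds a Signature without SigAlloc changes behaviour silently. A comment on the assignment would record the requirement, for example `/* 0 is a valid list id, so "no sticky buffer" must be set explicitly */`. It is also worth confirming that no other allocation site bypasses SigAlloc.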
@@ -714,15 +714,15 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst } int sm_list; - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { - SCLogDebug("adding to http server body list because of file data"); - s->flags |= SIG_FLAG_APPLAYER; - AppLayerHtpEnableResponseBodyCallback(); - sm_list = DETECT_SM_LIST_HSBDMATCH; - } else if (s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { - SCLogDebug("adding to dmatch list because of dce_stub_data"); + if (s->list != DETECT_SM_LIST_NOTSET) { + if (s->list == DETECT_SM_LIST_HSBDMATCH) { + SCLogDebug("adding to http server body list because of file data"); + AppLayerHtpEnableResponseBodyCallback(); + } else if (s->list == DETECT_SM_LIST_DMATCH) { + SCLogDebug("adding to dmatch list because of dce_stub_data"); + } s->flags |= SIG_FLAG_APPLAYER; - sm_list = DETECT_SM_LIST_DMATCH; + sm_list = s->list; } else if (pd->flags & DETECT_PCRE_URI) { s->flags |= SIG_FLAG_APPLAYER; s->alproto = ALPROTO_HTTP; diff --git a/src/detect-pkt-data.c b/src/detect-pkt-data.c index 836c9c026b..c159a0ff1b 100644 --- a/src/detect-pkt-data.c +++ b/src/detect-pkt-data.c @@ -73,7 +73,7 @@ void DetectPktDataRegister(void) { static int DetectPktDataSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) { SCEnter(); - s->init_flags &= (~SIG_FLAG_INIT_FILE_DATA & ~SIG_FLAG_INIT_DCE_STUB_DATA); + s->list = DETECT_SM_LIST_NOTSET; return 0; } @@ -126,8 +126,8 @@ static int DetectPktDataTest01(void) } - if (sig->init_flags & SIG_FLAG_INIT_FILE_DATA) { - printf("sm init_flags SIG_FLAG_INIT_FILE_DATA set: "); + if (sig->list != DETECT_SM_LIST_NOTSET) { + printf("sticky buffer set: "); goto end; } diff --git a/src/detect-rawbytes.c b/src/detect-rawbytes.c index 2695c147b5..cf676d005b 100644 --- a/src/detect-rawbytes.c +++ b/src/detect-rawbytes.c 
@@ -59,7 +59,7 @@ static int DetectRawbytesSetup (DetectEngineCtx *de_ctx, Signature *s, char *nul return -1; } - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { + if (s->list != DETECT_SM_LIST_NOTSET) { SCLogError(SC_ERR_RAWBYTES_FILE_DATA, "\"rawbytes\" cannot be combined with \"file_data\""); SCReturnInt(-1); } diff --git a/src/detect-within.c b/src/detect-within.c index 0f6d9265c3..6e02ef0375 100644 --- a/src/detect-within.c +++ b/src/detect-within.c @@ -83,11 +83,8 @@ static int DetectWithinSetup(DetectEngineCtx *de_ctx, Signature *s, char *within } /* retrive the sm to apply the depth against */ - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) - pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]); - else - pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); + if (s->list != DETECT_SM_LIST_NOTSET) { + pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[s->list]); } else { pm = SigMatchGetLastSMFromLists(s, 28, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], diff --git a/src/detect.h b/src/detect.h index a2c82a63e4..57acb988d7 100644 --- a/src/detect.h +++ b/src/detect.h @@ -123,6 +123,11 @@ enum { /* list for alert thresholding */ DETECT_SM_LIST_THRESHOLD, DETECT_SM_LIST_MAX, + + /* used for Signature->list, which indicates which list + * we're adding keywords to in cases of sticky buffers like + * file_data */ + DETECT_SM_LIST_NOTSET, }; /* a is ... than b */ 
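Review bot: The guard in DetectRawbytesSetup used to test only `SIG_FLAG_INIT_FILE_DATA`, but `s->list != DETECT_SM_LIST_NOTSET` is also true after dce_stub_data. Rules that combine dce_stub_data with rawbytes are therefore now rejected, with a message and error code (`SC_ERR_RAWBYTES_FILE_DATA`) that name file_data only. If the wider rejection is intended, the text should say so, for example `"\"rawbytes\" cannot be combined with a sticky buffer (file_data, dce_stub_data)"`. If it is not, the condition should stay specific: `if (s->list == DETECT_SM_LIST_HSBDMATCH)`. Either way the commit message should mention the behaviour change, since existing rule sets may stop loading.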
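Review bot: The comment on `DETECT_SM_LIST_NOTSET` explains what the value is for but not why it sits after `DETECT_SM_LIST_MAX`, which is the property the rest of the commit relies on. I would add a line such as `/* sentinel: deliberately outside 0..DETECT_SM_LIST_MAX-1, never a valid sm_lists[] index */`. That keeps a later edit from moving it above MAX or using it as an array subscript.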
@@ -277,8 +282,6 @@ typedef struct DetectPort_ { #define SIG_FLAG_INIT_FLOW (1<<2) /**< signature has a flow setting */ #define SIG_FLAG_INIT_BIDIREC (1<<3) /**< signature has bidirectional operator */ #define SIG_FLAG_INIT_PAYLOAD (1<<4) /**< signature is inspecting the packet payload */ -#define SIG_FLAG_INIT_FILE_DATA (1<<5) /**< file_data set */ -#define SIG_FLAG_INIT_DCE_STUB_DATA (1<<6) /**< dce_stub_data set */ /* signature mask flags */ #define SIG_MASK_REQUIRE_PAYLOAD (1<<0) @@ -460,6 +463,8 @@ typedef struct Signature_ { * to warn the user about any possible problem */ char *sig_str; + int list; + /** ptr to the next sig in the list */ struct Signature_ *next; } Signature;
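Review bot: The new `int list;` member of Signature has no documentation, although the neighbouring members carry `/** ... */` comments and the field's meaning is not obvious from its name. I would add `/** list that keywords are appended to while a sticky buffer (file_data, dce_stub_data) is active, DETECT_SM_LIST_NOTSET otherwise; parse-time state only */`. The struct definition starts outside the hunk.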