From: Anoop Saldanha Date: Fri, 22 Feb 2013 13:13:41 +0000 (+0530) Subject: Allow the use of relative without the presence of a related previous keyword. X-Git-Tag: suricata-2.0beta1~218 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a308d718aec1b363bf413741bc56266d62de73a3;p=thirdparty%2Fsuricata.git Allow the use of relative without the presence of a related previous keyword. --- diff --git a/src/detect-byte-extract.c b/src/detect-byte-extract.c index 558822671c..bda9cc34af 100644 --- a/src/detect-byte-extract.c +++ b/src/detect-byte-extract.c @@ -641,9 +641,8 @@ int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); if (pm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "No preceding content " - "or uricontent or pcre option"); - return -1; + SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); + return 0; } int list = SigMatchListSMBelongsTo(s, pm); if (list == DETECT_SM_LIST_UMATCH) diff --git a/src/detect-bytejump.c b/src/detect-bytejump.c index 9b7a051a5d..48da92be7c 100644 --- a/src/detect-bytejump.c +++ b/src/detect-bytejump.c @@ -644,9 +644,7 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) "since this is an alproto sig."); return 0; } else { - SCLogError(SC_ERR_INVALID_SIGNATURE, "No preceding content " - "or uricontent or pcre option"); - return -1; + return 0; } } diff --git a/src/detect-bytetest.c b/src/detect-bytetest.c index 391d3bbc05..2ffc18d7d0 100644 --- a/src/detect-bytetest.c +++ b/src/detect-bytetest.c @@ -581,9 +581,7 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) "since this is an alproto sig."); return 0; } else { - SCLogError(SC_ERR_INVALID_SIGNATURE, "No preceding content " - "or uricontent or pcre option"); - return -1; + return 0; } } 
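Review bot: In DetectByteExtractSetup the new `pm == NULL` branch accepts a `relative` byte_extract with nothing before it and returns without any log line, so a rule that used to be rejected at load time now loads with whatever meaning the matcher gives a relative offset that has no anchor. For an IDS this is a detection-coverage concern, because a misordered or mistyped rule no longer fails loudly. I would put a comment on the branch, e.g. `/* relative with no preceding match: kept in the payload list; confirm what the offset is relative to at match time */`, and add `SCLogDebug("byte_extract relative without a preceding keyword");` so the case shows up when debugging rule loads. The function continues past the hunk, so whether the early `return 0` skips later setup for `sm` cannot be checked from here.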
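Review bot: In DetectBytejumpSetup both arms of the `if`/`else` now end in `return 0`, so the `else` survives only as the shell of the removed error; DetectBytetestSetup is left in the same shape. Unlike the byte_extract and isdataat hunks of this commit, neither function appends `sm` to a list in the new branch, which is correct only if the append already happened earlier in the function, outside the hunk. I would collapse the `else` into a single `return 0;` preceded by `/* relative without a preceding keyword is accepted; sm is already linked above */`, after confirming the second half of that comment against the full function.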
diff --git a/src/detect-http-client-body.c b/src/detect-http-client-body.c index 0f53fcba4d..4fd876722b 100644 --- a/src/detect-http-client-body.c +++ b/src/detect-http-client-body.c @@ -2405,8 +2405,8 @@ int DetectHttpClientBodyTest33(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " "(content:\"one\"; within:5; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } diff --git a/src/detect-http-header.c b/src/detect-http-header.c index 40d8d584fe..79c5d6460d 100644 --- a/src/detect-http-header.c +++ b/src/detect-http-header.c @@ -1617,8 +1617,8 @@ int DetectHttpHeaderTest24(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " "(content:\"one\"; within:5; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } diff --git a/src/detect-http-hh.c b/src/detect-http-hh.c index fbb426232f..00bab6a1cf 100644 --- a/src/detect-http-hh.c +++ b/src/detect-http-hh.c @@ -2137,8 +2137,8 @@ int DetectHttpHHTest33(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " "(content:\"one\"; within:5; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } diff --git a/src/detect-http-hrh.c b/src/detect-http-hrh.c index 4b7a1ca6e0..84a37b6cd0 100644 --- a/src/detect-http-hrh.c +++ b/src/detect-http-hrh.c 
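Review bot: DetectHttpClientBodyTest33 now checks only that a rule with `within:5` and no earlier content parses, so nothing pins what `within` means in that position. The same applies to DetectHttpHeaderTest24, DetectHttpHHTest33, DetectHttpHRHTest33, DetectHttpRawHeaderTest24, DetectHttpRawUriTest16, DetectHttpServerBodyTest33, DetectHttpUATest33 and DetectHttpUriTest16. After the NULL check I would inspect the parsed content, for instance that `cd->flags & DETECT_CONTENT_WITHIN` is set on the first entry of `s->sm_lists[DETECT_SM_LIST_PMATCH]`, so a later change to the accepted semantics breaks a test instead of silently changing what the rule detects. The failure message would read better as `printf("sig with leading within failed to parse: ");`. The rest of each test body is outside the hunk and may already contain such checks.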
@@ -2137,8 +2137,8 @@ int DetectHttpHRHTest33(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " "(content:\"one\"; within:5; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } diff --git a/src/detect-http-raw-header.c b/src/detect-http-raw-header.c index 2bd8150eff..417aaf0fd7 100644 --- a/src/detect-http-raw-header.c +++ b/src/detect-http-raw-header.c @@ -1612,8 +1612,8 @@ int DetectHttpRawHeaderTest24(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " "(flow:to_server; content:\"one\"; within:5; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } diff --git a/src/detect-http-raw-uri.c b/src/detect-http-raw-uri.c index 4ffc9825cf..bf0edb4e2f 100644 --- a/src/detect-http-raw-uri.c +++ b/src/detect-http-raw-uri.c @@ -774,8 +774,8 @@ int DetectHttpRawUriTest16(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " "(content:\"one\"; within:5; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } diff --git a/src/detect-http-server-body.c b/src/detect-http-server-body.c index afaca64d59..9c417def01 100644 --- a/src/detect-http-server-body.c +++ b/src/detect-http-server-body.c @@ -2441,8 +2441,8 @@ int DetectHttpServerBodyTest33(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " "(content:\"one\"; within:5; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } 
diff --git a/src/detect-http-ua.c b/src/detect-http-ua.c index d9bf9c3484..9e361763e9 100644 --- a/src/detect-http-ua.c +++ b/src/detect-http-ua.c @@ -2138,8 +2138,8 @@ int DetectHttpUATest33(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " "(content:\"one\"; within:5; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } diff --git a/src/detect-http-uri.c b/src/detect-http-uri.c index ad1d9c823a..1fcb302030 100644 --- a/src/detect-http-uri.c +++ b/src/detect-http-uri.c @@ -738,8 +738,8 @@ int DetectHttpUriTest16(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " "(content:\"one\"; within:5; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index df934bc4d2..2aed585148 100644 --- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c 
@@ -388,14 +388,22 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]); if (pm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "isdataat relative seen " - "without a previous content uricontent, " - "http_client_body, http_header, http_raw_header, " - "http_method, http_cookie, http_raw_uri, " - "http_stat_msg, http_stat_code, byte_test, " - "byte_extract, byte_jump, http_user_agent, " - "http_host or http_raw_host keyword"); - goto error; + SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); + if (offset != NULL) { + SigMatch *bed_sm = + DetectByteExtractRetrieveSMVar(offset, s, + SigMatchListSMBelongsTo(s, sm)); + if (bed_sm == NULL) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " + "seen in isdataat - %s\n", offset); + goto error; + } + DetectIsdataatData *isdd = sm->ctx; + isdd->dataat = ((DetectByteExtractData *)bed_sm->ctx)->local_id; + isdd->flags |= ISDATAAT_OFFSET_BE; + SCFree(offset); + } + SCReturnInt(0); } else { int list_type = SigMatchListSMBelongsTo(s, pm); if (list_type == -1) { diff --git a/src/detect-parse.c b/src/detect-parse.c index ede6811b19..ccae056039 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c 
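Review bot: In the new `pm == NULL` branch of DetectIsdataatSetup, `sm` is appended to the signature before the byte_extract variable is looked up, so the `goto error` path runs with `sm` already linked into `s`. The `error` label is outside the hunk; if it frees `sm`, the signature is left holding a freed node. Resolving `offset` first and calling `SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH);` just before `SCReturnInt(0);` avoids that, and the lookup would then pass `DETECT_SM_LIST_PMATCH` directly instead of `SigMatchListSMBelongsTo(s, sm)`. The new format string also ends in `\n`, which the other SCLogError calls visible in this diff do not carry.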
@@ -1052,35 +1052,6 @@ static int SigValidate(Signature *s) { #endif /* HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW */ } - if (s->alproto == ALPROTO_DCERPC) { - /* \todo We haven't covered dce rpc cases now. They need special - * treatment, since they do allow distance, within without a - * previous content, but with respect to the stub buffer */ - ; - } else { - SigMatch *sm; - for (sm = s->sm_lists[DETECT_SM_LIST_PMATCH]; sm != NULL; sm = sm->next) { - if (sm->type == DETECT_CONTENT) { - DetectContentData *cd = (DetectContentData *)sm->ctx; - if ((cd->flags & DETECT_CONTENT_DISTANCE) || - (cd->flags & DETECT_CONTENT_WITHIN)) { - SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_PCRE, sm->prev, - DETECT_BYTEJUMP, sm->prev); - if (pm == NULL) { - SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "within needs two " - "preceding content or uricontent options"); - SCReturnInt(0); - } else { - break; - } - } else { - break; - } - } - } - } - if (s->sm_lists[DETECT_SM_LIST_HHHDMATCH] != NULL) { for (SigMatch *sm = s->sm_lists[DETECT_SM_LIST_HHHDMATCH]; sm != NULL; sm = sm->next) { diff --git a/src/detect-pcre.c b/src/detect-pcre.c index beb8248ece..45e5e19f22 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -846,9 +846,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst pd->flags &= ~DETECT_PCRE_RELATIVE; SCReturnInt(0); } else { - SCLogError(SC_ERR_INVALID_SIGNATURE, "No preceding content " - "or uricontent or pcre option"); - SCReturnInt(-1); + SCReturnInt(0); } } } @@ -1655,10 +1653,10 @@ int DetectPcreParseTest23(void) "content:\"GET\"; " "http_cookie; pcre:\"/abc/RM\"; sid:1;)"); - if (de_ctx->sig_list == NULL) { + if (de_ctx->sig_list != NULL) { result = 1; } else { - printf("sig parse should have failed: "); + printf("sig parse shouldn't have failed: "); } end:
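Review bot: In DetectPcreSetup the sibling arm just above clears the flag with `pd->flags &= ~DETECT_PCRE_RELATIVE;` before returning, while the new `else` arm returns 0 with the flag still set. If a relative pcre with no preceding match is meant to run from the start of the buffer, adding `pd->flags &= ~DETECT_PCRE_RELATIVE;` before `SCReturnInt(0);` would make the two arms agree. If the flag has to stay set, the arm needs a comment saying what the matcher anchors it to. The enclosing function starts before the hunk, so how the flag is consumed at match time is not visible here.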
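Review bot: DetectPcreParseTest23 keeps a rule whose only preceding content is tagged `http_cookie` while the pcre carries the `R` and `M` modifiers, which presumably puts the relative pcre in a different buffer from that content, and the test now expects the rule to load. The visible lines assert only `de_ctx->sig_list != NULL`, so the test does not record whether the relative flag is kept or dropped in that case. I would state the intent above the check, e.g. `/* relative pcre with no preceding match in its own buffer is accepted */`, and assert on the parsed pcre flags once the intended outcome is settled.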