diff --git a/src/detect-engine-port.c b/src/detect-engine-port.c
index 8f32d3772c..fb06e17159 100644
--- a/src/detect-engine-port.c
+++ b/src/detect-engine-port.c
@@ -1064,6 +1064,8 @@ DetectPortLookupGroup(DetectPort *dp, u_int16_t port) {
 for ( ; p != NULL; p = p->next) {
 if (DetectPortMatch(p,port) == 1) {
+ //printf("DetectPortLookupGroup: match, port %u, dp ", port);
+ //DetectPortPrint(p); printf("\n");
 return p;
 }
 }
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 2c2763a49b..b9a3bef928 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -300,17 +300,26 @@ int SigParseProto(Signature *s, const char *protostr) {
 int SigParsePort(Signature *s, const char *portstr, char flag) {
 int r = 0;
 char *port;
+ char negate = 0;
 /* XXX VJ exclude handling this for none UDP/TCP proto's */
+ if (portstr[0] == '!') {
+ portstr++;
+ negate = 1;
+ }
+
 if (strcmp(portstr,"$HTTP_PORTS") == 0) {
- port = "80:81,88";
+ if (negate) port = "![80:81,88]";
+ else port = "80:81,88";
 } else if (strcmp(portstr,"$SHELLCODE_PORTS") == 0) {
 port = "!80";
 } else if (strcmp(portstr,"$ORACLE_PORTS") == 0) {
- port = "1521";
+ if (negate) port = "!1521";
+ else port = "1521";
 } else if (strcmp(portstr,"$SSH_PORTS") == 0) {
- port = "22";
+ if (negate) port = "!22";
+ else port = "22";
 } else {
 port = (char *)portstr;
 }
@@ -325,6 +334,8 @@ int SigParsePort(Signature *s, const char *portstr, char flag) {
 s->flags |= SIG_FLAG_DP_ANY;
 r = DetectPortParse(&s->dp,(char *)port);
+
+ //DetectPortPrint(s->dp);
 }
 if (r < 0) {
 printf("SigParsePort: DetectPortParse \"%s\" failed\n", portstr);
diff --git a/src/detect.c b/src/detect.c
index 881094cd37..393ec077ee 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -421,6 +421,7 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p)
 DetectPort *dport = DetectPortLookupGroup(s->dp,p->dp);
 if (dport == NULL)
 continue;
+ }
 if (!(s->flags & SIG_FLAG_SP_ANY)) {
 DetectPort *sport = DetectPortLookupGroup(s->sp,p->sp);
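Review bot: The two lines added inside DetectPortLookupGroup are commented-out debug printf calls, and the second detect-parse.c hunk adds a commented-out `//DetectPortPrint(s->dp);` in the same way; commented-out code rots and tends to be uncommented in production builds later. Either leave them out of the commit or keep a single debug hook behind the project's own compile-time switch (detect.c already uses PRINTSIGS for this purpose) so the output is opt-in. DetectPortLookupGroup begins outside this hunk.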
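Review bot: After `portstr++` strips the leading `!`, the final `else` branch assigns the advanced pointer, so a literal negated port such as `!80` reaches `DetectPortParse` as `80` and the rule silently matches the opposite of what its author wrote; `!$SHELLCODE_PORTS` is likewise unaffected by `negate` and still expands to `"!80"`. Keep the original string for the fallback — `const char *orig = portstr;` before the `if (portstr[0] == '!')` block and `port = (char *)orig;` in the `else` branch — and handle `negate` in the `$SHELLCODE_PORTS` branch explicitly (or reject it) rather than dropping the flag. The `"![80:81,88]"` expansion assumes DetectPortParse understands a bracketed negated group; the old code only ever passed it a bare `!80`, so that syntax is worth confirming. Using `orig` would also make the failure message in the second SigParsePort hunk print the port string as the rule author wrote it. SigParsePort continues past this hunk.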
@@ -440,6 +441,7 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p)
 if (daddr == NULL)
 continue;
 }
+ /* reset pkt ptr and offset */
 pmt->pkt_ptr = NULL;
 pmt->pkt_off = 0;
@@ -2002,7 +2004,7 @@ void DbgPrintSigs2(SigGroupHead *sgh) {
 /* shortcut for debugging. If enabled Stage5 will
 * print sigid's for all groups */
-//#define PRINTSIGS
+#define PRINTSIGS
 /* just printing */
 int SigAddressPrepareStage5(void) {
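Review bot: `#define PRINTSIGS` is now unconditionally enabled, so every build prints sig ids for all groups in Stage5; the comment directly above calls this a debugging shortcut, which suggests the toggle was flipped on by accident while chasing the port-negation bug. If the output is meant to stay available, gate it at runtime behind the existing quiet flag (the new tests set `DE_QUIET`) rather than at compile time; otherwise restore `//#define PRINTSIGS` so unit-test and startup output stay quiet. SigAddressPrepareStage5 lies outside this hunk.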
@@ -3130,6 +3132,106 @@ end:
 return result;
 }
+int SigTest15 (void) {
+ u_int8_t *buf = (u_int8_t *)
+ "CONNECT 213.92.8.7:31204 HTTP/1.1";
+ u_int16_t buflen = strlen((char *)buf);
+ Packet p;
+ ThreadVars th_v;
+ PatternMatcherThread *pmt;
+ int result = 0;
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&p, 0, sizeof(p));
+ p.src.family = AF_INET;
+ p.dst.family = AF_INET;
+ p.tcp_payload = buf;
+ p.tcp_payload_len = buflen;
+ p.proto = IPPROTO_TCP;
+ p.dp = 80;
+
+ g_de_ctx = DetectEngineCtxInit();
+ if (g_de_ctx == NULL) {
+ goto end;
+ }
+
+ g_de_ctx->flags |= DE_QUIET;
+
+ g_de_ctx->sig_list = SigInit("alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; classtype:misc-activity; sid:2008284; rev:2;)");
+ if (g_de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ SigGroupBuild(g_de_ctx);
+ PatternMatchPrepare(mpm_ctx);
+ PatternMatcherThreadInit(&th_v, (void *)&pmt);
+
+ SigMatchSignatures(&th_v, pmt, &p);
+ if (PacketAlertCheck(&p, 2008284))
+ result = 0;
+ else
+ result = 1;
+
+ SigGroupCleanup();
+ SigCleanSignatures();
+ PatternMatcherThreadDeinit(&th_v, (void *)pmt);
+ PatternMatchDestroy(mpm_ctx);
+ DetectEngineCtxFree(g_de_ctx);
+end:
+ return result;
+}
+
+int SigTest16 (void) {
+ u_int8_t *buf = (u_int8_t *)
+ "CONNECT 213.92.8.7:31204 HTTP/1.1";
+ u_int16_t buflen = strlen((char *)buf);
+ Packet p;
+ ThreadVars th_v;
+ PatternMatcherThread *pmt;
+ int result = 0;
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&p, 0, sizeof(p));
+ p.src.family = AF_INET;
+ p.dst.family = AF_INET;
+ p.tcp_payload = buf;
+ p.tcp_payload_len = buflen;
+ p.proto = IPPROTO_TCP;
+ p.dp = 1234;
+
+ g_de_ctx = DetectEngineCtxInit();
+ if (g_de_ctx == NULL) {
+ goto end;
+ }
+
+ g_de_ctx->flags |= DE_QUIET;
+
+ g_de_ctx->sig_list = SigInit("alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; classtype:misc-activity; sid:2008284; rev:2;)");
+ if (g_de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ SigGroupBuild(g_de_ctx);
+ PatternMatchPrepare(mpm_ctx);
+ PatternMatcherThreadInit(&th_v, (void *)&pmt);
+
+ SigMatchSignatures(&th_v, pmt, &p);
+ if (PacketAlertCheck(&p, 2008284))
+ result = 1;
+ else
+ result = 0;
+
+ SigGroupCleanup();
+ SigCleanSignatures();
+ PatternMatcherThreadDeinit(&th_v, (void *)pmt);
+ PatternMatchDestroy(mpm_ctx);
+ DetectEngineCtxFree(g_de_ctx);
+end:
+ return result;
+}
+
 void SigRegisterTests(void) {
 SigParseRegisterTests();
 UtRegisterTest("SigTest01 -- HTTP URI cap", SigTest01, 1);
@@ -3146,5 +3248,7 @@ void SigRegisterTests(void) {
 UtRegisterTest("SigTest12 -- content order matching, normal", SigTest12, 1);
 UtRegisterTest("SigTest13 -- content order matching, diff order", SigTest13, 1);
 UtRegisterTest("SigTest14 -- content order matching, distance 0", SigTest14, 1);
+ UtRegisterTest("SigTest15 -- port negation sig (no match)", SigTest15, 1);
+ UtRegisterTest("SigTest16 -- port negation sig (match)", SigTest16, 1);
 }
diff --git a/src/vips.c b/src/vips.c
index b3db8ffad2..9c6c956db9 100644
--- a/src/vips.c
+++ b/src/vips.c
@@ -198,10 +198,10 @@ int main(int argc, char **argv)
 TmModuleRegisterTests();
 MpmRegisterTests();
 SigTableRegisterTests();
- SigRegisterTests();
 HashTableRegisterTests();
 BloomFilterRegisterTests();
 BloomFilterCountingRegisterTests();
+ SigRegisterTests();
 UtRunTests();
 UtCleanup();
 //exit(1);
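Review bot: SigTest15 and SigTest16 are identical except for `p.dp` and which PacketAlertCheck outcome counts as success, and both copies carry the same defect on their error path: when `SigInit` returns NULL the `goto end` skips `DetectEngineCtxFree(g_de_ctx)`, leaking the context and leaving the global pointing at it for later tests. Folding both into one static helper parameterised by destination port and expected outcome removes the duplication and lets the leak be fixed once, as sketched below; this assumes DetectEngineCtxFree copes with an empty sig_list, which is worth checking. Because `!$HTTP_PORTS` only exercises the variable expansion, a third case whose rule uses a literal negated port (for example `!80`) would cover the fallback branch of SigParsePort, which these tests leave unexercised. SigRegisterTests starts in this hunk and continues in the next.
```c
/* Run the off-port CONNECT rule against a TCP packet whose destination
 * port is dp; return 1 when the alert outcome equals expect_alert. */
static int SigTestPortNegation(u_int16_t dp, int expect_alert) {
    u_int8_t *buf = (u_int8_t *)"CONNECT 213.92.8.7:31204 HTTP/1.1";
    u_int16_t buflen = strlen((char *)buf);
    Packet p;
    ThreadVars th_v;
    PatternMatcherThread *pmt;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&p, 0, sizeof(p));
    /* … unchanged: p.src/p.dst family, payload, proto setup … */
    p.dp = dp;

    g_de_ctx = DetectEngineCtxInit();
    if (g_de_ctx == NULL) {
        goto end;
    }
    g_de_ctx->flags |= DE_QUIET;

    g_de_ctx->sig_list = SigInit("alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; classtype:misc-activity; sid:2008284; rev:2;)");
    if (g_de_ctx->sig_list == NULL) {
        goto end_free;  /* was goto end, which leaked g_de_ctx */
    }

    /* … unchanged: SigGroupBuild, PatternMatchPrepare, PatternMatcherThreadInit … */
    SigMatchSignatures(&th_v, pmt, &p);
    /* success means the observed alert state matches the expectation */
    result = ((PacketAlertCheck(&p, 2008284) != 0) == expect_alert);

    SigGroupCleanup();
    SigCleanSignatures();
    PatternMatcherThreadDeinit(&th_v, (void *)pmt);
    PatternMatchDestroy(mpm_ctx);
end_free:
    DetectEngineCtxFree(g_de_ctx);
end:
    return result;
}

int SigTest15 (void) { return SigTestPortNegation(80, 0); }
int SigTest16 (void) { return SigTestPortNegation(1234, 1); }
```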
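Review bot: Moving `SigRegisterTests();` below the hash-table and bloom-filter registrations is not explained anywhere in the hunk, and if UtRunTests runs tests in registration order the move silently changes which tests execute first; that only matters if the signature tests depend on (or disturb) state the other suites leave behind, which is the kind of coupling a later reader will not guess. Add a one-line comment above the call stating the actual reason, e.g. `/* register last: <reason for ordering> */` with the placeholder filled in; if there is no dependency, the reorder is noise and can be dropped. main continues outside this hunk.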