diff --git a/src/Makefile.am b/src/Makefile.am index 20ad52eec9..ba1dba6feb 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -47,6 +47,8 @@ detect-depth.c detect-depth.h \ detect-nocase.c detect-nocase.h \ detect-recursive.c detect-recursive.h \ detect-rawbytes.c detect-rawbytes.h \ +detect-bytetest.c detect-bytetest.h \ +detect-bytejump.c detect-bytejump.h \ detect-within.c detect-within.h \ detect-distance.c detect-distance.h \ detect-offset.c detect-offset.h \ diff --git a/src/detect-bytejump.c b/src/detect-bytejump.c new file mode 100644 index 0000000000..377466beea --- /dev/null +++ b/src/detect-bytejump.c @@ -0,0 +1,526 @@ +/** Copyright (c) 2009 Open Information Security Foundation + * + * \author Brian Rectanus + */ + +#include +#include + +#include "eidps-common.h" +#include "debug.h" +#include "decode.h" +#include "detect.h" + +#include "detect-bytejump.h" + +#include "util-byte.h" +#include "util-unittest.h" + +/** + * \brief Regex for parsing our options + */ +/** \todo We probably just need a simple tokenizer here */ +/** \todo Cannot have > 9 captures and we need 10 -- write a comma separated value tokenizer for this. */ +#define PARSE_REGEX "^\\s*" \ + "([^\\s,]+)" \ + "\\s*,\\s*([^\\s,]+)" \ + "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \ + "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \ + "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \ + "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \ + "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \ + "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \ + "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \ + "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \ + "\\s*$" + +static pcre *parse_regex; +static pcre_extra *parse_regex_study; + +void DetectBytejumpRegisterTests(void); + +void DetectBytejumpRegister (void) { + const char *eb; + int eo; + int opts = 0; + + sigmatch_table[DETECT_BYTEJUMP].name = "byte_jump"; + sigmatch_table[DETECT_BYTEJUMP].Match = DetectBytejumpMatch; + sigmatch_table[DETECT_BYTEJUMP].Setup = DetectBytejumpSetup; + sigmatch_table[DETECT_BYTEJUMP].Free = DetectBytejumpFree; + sigmatch_table[DETECT_BYTEJUMP].RegisterTests = DetectBytejumpRegisterTests; + + parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL); + if(parse_regex == NULL) + { + printf("DetectBytejumpRegister: pcre compile of \"%s\" failed at offset %" PRId32 ": %s\n", PARSE_REGEX, eo, eb); + goto error; + } + + parse_regex_study = pcre_study(parse_regex, 0, &eb); + if(eb != NULL) + { + printf("DetectBytejumpRegister: pcre study failed: %s\n", eb); + goto error; + } + return; + +error: + /* XXX */ + return; +} + +int DetectBytejumpMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *m) +{ + DetectBytejumpData *data = (DetectBytejumpData *)m->ctx; + uint8_t *ptr = NULL; + uint8_t *jumpptr = ptr; + uint16_t len = 0; + uint64_t val = 0; + int match; + + if (p->payload_len == 0) { + return 0; + } + + /* Calculate the ptr value for the bytejump and length remaining in + * the packet from that point. + */ + if (data->flags & DETECT_BYTEJUMP_RELATIVE) { + ptr = det_ctx->pkt_ptr; + len = p->pktlen - det_ctx->pkt_off; + + /* No match if there is no relative base */ + if (ptr == NULL || len == 0) { + return 0; + } + + ptr += data->offset; + len -= data->offset; + } + else { + ptr = p->payload + data->offset; + len = p->payload_len - data->offset; + } + + /* Verify the to-be-extracted data is within the packet */ + if ((ptr < p->pkt) || (len < 0) || (data->nbytes > len)) { + printf("DetectBytejumpMatch: Data not within packet pkt=%p, ptr=%p, len=%d, nbytes=%d\n", p->pkt, ptr, len, data->nbytes); + return 0; + } + + /* Extract the byte data */ + if (data->flags & DETECT_BYTEJUMP_STRING) { + int ret = ByteExtractStringUint64(&val, data->base, data->nbytes, (const char *)ptr); + if(ret != 0) { + printf("DetectBytejumpMatch: Error extracting %d bytes of string data: %d\n", data->nbytes, ret); + return -1; + } + } + else { + int endianness = (data->flags & DETECT_BYTEJUMP_LITTLE) ? BYTE_LITTLE_ENDIAN : BYTE_BIG_ENDIAN; + int ret = ByteExtractUint64(&val, endianness, data->nbytes, ptr); + if (ret != 0) { + printf("DetectBytejumpMatch: Error extracting %d bytes of numeric data: %d\n", data->nbytes, ret); + return -1; + } + } + + /* Adjust the jump value based on flags */ + val *= data->multiplier; + if (data->flags & DETECT_BYTEJUMP_ALIGN) { + if ((val % 4) != 0) { + val += 4 - (val % 4); + } + } + val += data->post_offset; + + /* Calculate the jump location */ + if (data->flags & DETECT_BYTEJUMP_BEGIN) { + jumpptr = p->payload + val; + } + else { + jumpptr = ptr + val; + } + + /* Validate that the jump location is still in the packet + * \todo Should this validate it is still in the *payload*? + */ + if ((jumpptr < p->pkt) || (jumpptr >= p->pkt + p->pktlen)) { + printf("DetectBytejumpMatch: Jump location (%p) is not within packet (%p-%p)\n", jumpptr, p->pkt, p->pkt + p->pktlen - 1); + return 0; + } + +#ifdef DEBUG + { + uint8_t *sptr = (data->flags & DETECT_BYTEJUMP_BEGIN) ? p->payload : ptr; + printf("DetectBytejumpMatch: Jumping %" PRId64 " bytes from %p (%08x) to %p (%08x)\n", val, sptr, (int)(sptr - p->payload), jumpptr, (int)(jumpptr - p->payload)); + } +#endif /* DEBUG */ + + /* Adjust the detection context to the jump location. */ + det_ctx->pkt_ptr = jumpptr; + det_ctx->pkt_off = jumpptr - p->pkt; + +#ifdef DEBUG + if (match) { + printf("DetectBytejumpMatch: MATCH\n"); + } + else { + printf("DetectBytejumpMatch: NO MATCH\n"); + } +#endif /* DEBUG */ + + return match; +} + +DetectBytejumpData *DetectBytejumpParse(char *optstr) +{ + DetectBytejumpData *data = NULL; + char *args[10] = { + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, + NULL, NULL + }; +#define MAX_SUBSTRINGS 30 + int ret = 0, res = 0; + int ov[MAX_SUBSTRINGS]; + int i; + uint32_t nbytes; + const char *str_ptr; + + /* Execute the regex and populate args with captures. */ + ret = pcre_exec(parse_regex, parse_regex_study, optstr, strlen(optstr), 0, 0, ov, MAX_SUBSTRINGS); + if (ret < 2 || ret > 10) { + printf("DetectBytejumpParse: parse error, ret %" PRId32 ", string \"%s\"\n", ret, optstr); + goto error; + } + for (i = 0; i < (ret - 1); i++) { + res = pcre_get_substring((char *)optstr, ov, MAX_SUBSTRINGS, i + 1, &str_ptr); + if (res < 0) { + printf("DetectBytejumpParse: pcre_get_substring failed for arg %d\n", i + 1); + goto error; + } + args[i] = (char *)str_ptr; + } + + /* Initialize the data */ + data = malloc(sizeof(DetectBytejumpData)); + if (data == NULL) { + printf("DetectBytejumpParse: malloc failed\n"); + goto error; + } + data->base = DETECT_BYTEJUMP_BASE_UNSET; + data->flags = 0; + data->multiplier = 1; + data->post_offset = 0; + + /* + * The first two options are required and positional. The + * remaining arguments are flags and are not positional. + */ + + /* Number of bytes */ + if (ByteExtractStringUint32(&nbytes, 10, strlen(args[0]), args[0]) != 0) { + printf("DetectBytejumpParse: Malformed number of bytes: %s\n", optstr); + goto error; + } + + /* Offset */ + if (ByteExtractStringInt32(&data->offset, 0, strlen(args[1]), args[1]) != 0) { + printf("DetectBytejumpParse: Malformed offset: %s\n", optstr); + goto error; + } + + + /* The remaining options are flags. */ + /** \todo Error on dups? */ + for (i = 2; i < (ret - 1); i++) { + if (strcmp("relative", args[i]) == 0) { + data->flags |= DETECT_BYTEJUMP_RELATIVE; + } else if (strcasecmp("string", args[i]) == 0) { + data->flags |= DETECT_BYTEJUMP_STRING; + } else if (strcasecmp("dec", args[i]) == 0) { + data->base |= DETECT_BYTEJUMP_BASE_DEC; + } else if (strcasecmp("hex", args[i]) == 0) { + data->base |= DETECT_BYTEJUMP_BASE_HEX; + } else if (strcasecmp("oct", args[i]) == 0) { + data->base |= DETECT_BYTEJUMP_BASE_OCT; + } else if (strcasecmp("big", args[i]) == 0) { + if (data->flags & DETECT_BYTEJUMP_LITTLE) { + data->flags ^= DETECT_BYTEJUMP_LITTLE; + } + } else if (strcasecmp("little", args[i]) == 0) { + data->flags |= DETECT_BYTEJUMP_LITTLE; + } else if (strcasecmp("from_beginning", args[i]) == 0) { + data->flags |= DETECT_BYTEJUMP_BEGIN; + } else if (strcasecmp("align", args[i]) == 0) { + data->flags |= DETECT_BYTEJUMP_ALIGN; + } else if (strncasecmp("multiplier ", args[i], 11) == 0) { + if (ByteExtractStringUint32(&data->multiplier, 10, strlen(args[i]) - 11, args[i] + 11) != 0) { + printf("DetectBytejumpParse: Malformed multiplier: %s\n", optstr); + goto error; + } + printf("MULTIPLIER: %d\n", data->multiplier); + } else if (strncasecmp("post_offset ", args[i], 12) == 0) { + if (ByteExtractStringInt32(&data->post_offset, 10, strlen(args[i]) - 12, args[i] + 12) != 0) { + printf("DetectBytejumpParse: Malformed post_offset: %s\n", optstr); + goto error; + } + printf("POST_OFFSET: %d\n", data->post_offset); + } else { + printf("DetectBytejumpParse: Unknown option: \"%s\"\n", args[i]); + goto error; + } + } + + if (data->flags & DETECT_BYTEJUMP_STRING) { + /* 23 - This is the largest string (octal, with a zero prefix) that + * will not overflow uint64_t. The only way this length + * could be over 23 and still not overflow is if it were zero + * prefixed and we only support 1 byte of zero prefix for octal. + * + * "01777777777777777777777" = 0xffffffffffffffff + */ + if (nbytes > 23) { + printf("DetectBytejumpParse: Cannot test more than 23 bytes with \"string\": %s\n", optstr); + goto error; + } + } else { + if (nbytes > 8) { + printf("DetectBytejumpParse: Cannot test more than 8 bytes without \"string\": %s\n", optstr); + goto error; + } + if (data->base != DETECT_BYTEJUMP_BASE_UNSET) { + printf("DetectBytejumpParse: Cannot use a base without \"string\": %s\n", optstr); + goto error; + } + } + + /* This is max 23 so it will fit in a byte (see above) */ + data->nbytes = (uint8_t)nbytes; + + for (i = 0; i < (ret - 1); i++){ + if (args[i] != NULL) free(args[i]); + } + return data; + +error: + for (i = 0; i < (ret - 1); i++){ + if (args[i] != NULL) free(args[i]); + } + if (data != NULL) DetectBytejumpFree(data); + return NULL; +} + +int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *optstr) +{ + DetectBytejumpData *data = NULL; + SigMatch *sm = NULL; + + //printf("DetectBytejumpSetup: \'%s\'\n", optstr); + + data = DetectBytejumpParse(optstr); + if (data == NULL) goto error; + + sm = SigMatchAlloc(); + if (sm == NULL) + goto error; + + sm->type = DETECT_BYTEJUMP; + sm->ctx = (void *)data; + + SigMatchAppend(s,m,sm); + + return 0; + +error: + if (data != NULL) DetectBytejumpFree(data); + if (sm != NULL) free(sm); + return -1; +} + +/** + * \brief this function will free memory associated with DetectBytejumpData + * + * \param data pointer to DetectBytejumpData + */ +void DetectBytejumpFree(void *ptr) +{ + DetectBytejumpData *data = (DetectBytejumpData *)ptr; + free(data); +} + + +/* UNITTESTS */ +#ifdef UNITTESTS + +/** + * \test DetectBytejumpTestParse01 is a test to make sure that we return + * "something" when given valid bytejump opt + */ +int DetectBytejumpTestParse01(void) { + int result = 0; + DetectBytejumpData *data = NULL; + data = DetectBytejumpParse("4,0"); + if (data != NULL) { + DetectBytejumpFree(data); + result = 1; + } + + return result; +} + +/** + * \test DetectBytejumpTestParse02 is a test for setting the required opts + */ +int DetectBytejumpTestParse02(void) { + int result = 0; + DetectBytejumpData *data = NULL; + data = DetectBytejumpParse("4, 0"); + if (data != NULL) { + if ( (data->nbytes == 4) + && (data->offset == 0) + && (data->multiplier == 1) + && (data->post_offset == 0) + && (data->flags == 0) + && (data->base == DETECT_BYTEJUMP_BASE_UNSET)) + { + result = 1; + } + DetectBytejumpFree(data); + } + + return result; +} + +/** + * \test DetectBytejumpTestParse03 is a test for setting the optional flags + */ +int DetectBytejumpTestParse03(void) { + int result = 0; + DetectBytejumpData *data = NULL; + data = DetectBytejumpParse(" 4,0 , relative , little, string, dec, align, from_beginning"); + if (data != NULL) { + if ( (data->nbytes == 4) + && (data->offset == 0) + && (data->multiplier == 1) + && (data->post_offset == 0) + && (data->flags == ( DETECT_BYTEJUMP_RELATIVE + |DETECT_BYTEJUMP_LITTLE + |DETECT_BYTEJUMP_STRING + |DETECT_BYTEJUMP_ALIGN + |DETECT_BYTEJUMP_BEGIN)) + && (data->base == DETECT_BYTEJUMP_BASE_DEC)) + { + result = 1; + } + DetectBytejumpFree(data); + } + + return result; +} + +/** + * \test DetectBytejumpTestParse04 is a test for setting the optional flags + * with parameters + * + * \todo This fails becuase we can only have 9 captures and there are 10. + */ +int DetectBytejumpTestParse04(void) { + int result = 0; + DetectBytejumpData *data = NULL; + data = DetectBytejumpParse(" 4,0 , relative , little, string, dec, align, from_beginning , multiplier 2 , post_offset -16 "); + if (data != NULL) { + if ( (data->nbytes == 4) + && (data->offset == 0) + && (data->multiplier == 2) + && (data->post_offset == 0) + && (data->flags == ( DETECT_BYTEJUMP_RELATIVE + |DETECT_BYTEJUMP_LITTLE + |DETECT_BYTEJUMP_ALIGN + |DETECT_BYTEJUMP_STRING + |DETECT_BYTEJUMP_BEGIN)) + && (data->base == DETECT_BYTEJUMP_BASE_DEC)) + { + result = 1; + } + DetectBytejumpFree(data); + } + + return result; +} + +/** + * \test DetectBytejumpTestParse05 is a test for setting base without string + */ +int DetectBytejumpTestParse05(void) { + int result = 0; + DetectBytejumpData *data = NULL; + data = DetectBytejumpParse(" 4,0 , relative , little, dec, align, from_beginning"); + if (data == NULL) { + result = 1; + } + + return result; +} + +/** + * \test DetectBytejumpTestParse06 is a test for too many bytes to extract + */ +int DetectBytejumpTestParse06(void) { + int result = 0; + DetectBytejumpData *data = NULL; + data = DetectBytejumpParse("9, 0"); + if (data == NULL) { + result = 1; + } + + return result; +} + +/** + * \test DetectBytejumpTestParse07 is a test for too many string bytes to extract + */ +int DetectBytejumpTestParse07(void) { + int result = 0; + DetectBytejumpData *data = NULL; + data = DetectBytejumpParse("24, 0, string, dec"); + if (data == NULL) { + result = 1; + } + + return result; +} + +/** + * \test DetectBytejumpTestParse08 is a test for offset too big + */ +int DetectBytejumpTestParse08(void) { + int result = 0; + DetectBytejumpData *data = NULL; + data = DetectBytejumpParse("4, 0xffffffffffffffff"); + if (data == NULL) { + result = 1; + } + + return result; +} +#endif /* UNITTESTS */ + + +/** + * \brief this function registers unit tests for DetectBytejump + */ +void DetectBytejumpRegisterTests(void) { +#ifdef UNITTESTS + UtRegisterTest("DetectBytejumpTestParse01", DetectBytejumpTestParse01, 1); + UtRegisterTest("DetectBytejumpTestParse02", DetectBytejumpTestParse02, 1); + UtRegisterTest("DetectBytejumpTestParse03", DetectBytejumpTestParse03, 1); + UtRegisterTest("DetectBytejumpTestParse04", DetectBytejumpTestParse04, 1); + UtRegisterTest("DetectBytejumpTestParse05", DetectBytejumpTestParse05, 1); + UtRegisterTest("DetectBytejumpTestParse06", DetectBytejumpTestParse06, 1); + UtRegisterTest("DetectBytejumpTestParse07", DetectBytejumpTestParse07, 1); + UtRegisterTest("DetectBytejumpTestParse08", DetectBytejumpTestParse08, 1); +#endif /* UNITTESTS */ +} + diff --git a/src/detect-bytejump.h b/src/detect-bytejump.h new file mode 100644 index 0000000000..a960a0905a --- /dev/null +++ b/src/detect-bytejump.h @@ -0,0 +1,93 @@ +/** Copyright (c) 2009 Open Information Security Foundation + * + * \author Brian Rectanus + */ + +#ifndef __DETECT_BYTEJUMP_H__ +#define __DETECT_BYTEJUMP_H__ + +/** Bytejump Base */ +#define DETECT_BYTEJUMP_BASE_UNSET 0 /**< Unset type value string (automatic)*/ +#define DETECT_BYTEJUMP_BASE_OCT 8 /**< "oct" type value string */ +#define DETECT_BYTEJUMP_BASE_DEC 10 /**< "dec" type value string */ +#define DETECT_BYTEJUMP_BASE_HEX 16 /**< "hex" type value string */ + +/** Bytejump Flags */ +#define DETECT_BYTEJUMP_BEGIN 0x01 /**< "from_beginning" jump */ +#define DETECT_BYTEJUMP_LITTLE 0x02 /**< "little" endian value (default "big") */ +#define DETECT_BYTEJUMP_STRING 0x04 /**< "string" value */ +#define DETECT_BYTEJUMP_RELATIVE 0x08 /**< "relative" offset */ +#define DETECT_BYTEJUMP_ALIGN 0x10 /**< "align" offset */ + +typedef struct DetectBytejumpData_ { + uint8_t nbytes; /**< Number of bytes to compare */ + uint8_t base; /**< String value base (oct|dec|hex) */ + uint8_t flags; /**< Flags (big|little|relative|string) */ + uint32_t multiplier; /**< Multiplier for nbytes (multiplier n)*/ + int32_t offset; /**< Offset in payload to extract value */ + int32_t post_offset; /**< Offset to adjust post-jump */ +} DetectBytejumpData; + +/* prototypes */ + +/** + * Registration function for byte_jump. + * + * \todo add support for no_stream and stream_only + */ +void DetectBytejumpRegister (void); + +/** + * This function is used to add the parsed byte_jump data + * into the current signature. + * + * \param de_ctx pointer to the Detection Engine Context + * \param s pointer to the Current Signature + * \param m pointer to the Current SigMatch + * \param optstr pointer to the user provided options + * + * \retval 0 on Success + * \retval -1 on Failure + */ +int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *optstr); + +/** + * \brief this function will free memory associated with DetectBytejumpData + * + * \param data pointer to DetectBytejumpData + */ +void DetectBytejumpFree(void *ptr); + +/** + * This function is used to parse byte_jump options passed via + * + * byte_jump: bytes, offset [,flags [, ...]] + * + * flags: "big", "little", "relative", "string", "oct", "dec", "hex" + * "align", "from beginning", "multiplier N", "post_offset N" + * + * \param optstr Pointer to the user provided byte_jump options + * + * \retval data pointer to DetectBytejumpData on success + * \retval NULL on failure + */ +DetectBytejumpData *DetectBytejumpParse(char *optstr); + +/** + * This function is used to match byte_jump + * + * \param t pointer to thread vars + * \param det_ctx pointer to the pattern matcher thread + * \param p pointer to the current packet + * \param m pointer to the sigmatch that we will cast into DetectBytejumpData + * + * \retval -1 error + * \retval 0 no match + * \retval 1 match + * + * \todo The return seems backwards. We should return a non-zero error code. One of the error codes is "no match". As-is if someone accidentally does: if (DetectBytejumpMatch(...)) { match }, then they catch an error as a match. + */ +int DetectBytejumpMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *m); + +#endif /* __DETECT_BYTEJUMP_H__ */ + diff --git a/src/detect-bytetest.c b/src/detect-bytetest.c new file mode 100644 index 0000000000..1f218a7ccc --- /dev/null +++ b/src/detect-bytetest.c @@ -0,0 +1,729 @@ +/** Copyright (c) 2009 Open Information Security Foundation + * + * \author Brian Rectanus + */ + +#include +#include + +#include "eidps-common.h" +#include "debug.h" +#include "decode.h" +#include "detect.h" + +#include "detect-bytetest.h" + +#include "util-byte.h" +#include "util-unittest.h" + +/** + * \brief Regex for parsing our options + */ +/** \todo We probably just need a simple tokenizer here */ +#define PARSE_REGEX "^\\s*" \ + "([^\\s,]+)" \ + "\\s*,\\s*(\\!?)\\s*([^\\s,]*)" \ + "\\s*,\\s*([^\\s,]+)" \ + "\\s*,\\s*([^\\s,]+)" \ + "(?:\\s*,\\s*([^\\s,]+))?" \ + "(?:\\s*,\\s*([^\\s,]+))?" \ + "(?:\\s*,\\s*([^\\s,]+))?" \ + "(?:\\s*,\\s*([^\\s,]+))?" \ + "\\s*$" + +static pcre *parse_regex; +static pcre_extra *parse_regex_study; + +void DetectBytetestRegisterTests(void); + +void DetectBytetestRegister (void) { + const char *eb; + int eo; + int opts = 0; + + sigmatch_table[DETECT_BYTETEST].name = "byte_test"; + sigmatch_table[DETECT_BYTETEST].Match = DetectBytetestMatch; + sigmatch_table[DETECT_BYTETEST].Setup = DetectBytetestSetup; + sigmatch_table[DETECT_BYTETEST].Free = DetectBytetestFree; + sigmatch_table[DETECT_BYTETEST].RegisterTests = DetectBytetestRegisterTests; + + parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL); + if(parse_regex == NULL) + { + printf("DetectBytetestRegister: pcre compile of \"%s\" failed at offset %" PRId32 ": %s\n", PARSE_REGEX, eo, eb); + goto error; + } + + parse_regex_study = pcre_study(parse_regex, 0, &eb); + if(eb != NULL) + { + printf("DetectBytetestRegister: pcre study failed: %s\n", eb); + goto error; + } + return; + +error: + /* XXX */ + return; +} + +int DetectBytetestMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *m) +{ + DetectBytetestData *data = (DetectBytetestData *)m->ctx; + uint8_t *ptr = NULL; + uint16_t len = 0; + uint64_t val = 0; + int neg; + int match; + + if (p->payload_len == 0) { + return 0; + } + + /* Calculate the ptr value for the bytetest and length remaining in + * the packet from that point. + */ + if (data->flags & DETECT_BYTETEST_RELATIVE) { + ptr = det_ctx->pkt_ptr; + len = p->pktlen - det_ctx->pkt_off; + + /* No match if there is no relative base */ + if (ptr == NULL || len == 0) { + return 0; + } + + ptr += data->offset; + len -= data->offset; + } + else { + ptr = p->payload + data->offset; + len = p->payload_len - data->offset; + } + + /* Validate that the to-be-extracted is within the packet + * \todo Should this validate it is in the *payload*? + */ + if ((ptr < p->pkt) || (len < 0) || (data->nbytes > len)) { + printf("DetectBytetestMatch: Data not within packet pkt=%p, ptr=%p, len=%d, nbytes=%d\n", p->pkt, ptr, len, data->nbytes); + return 0; + } + + neg = data->flags & DETECT_BYTETEST_NEGOP; + + /* Extract the byte data */ + if (data->flags & DETECT_BYTETEST_STRING) { + int ret = ByteExtractStringUint64(&val, data->base, data->nbytes, (const char *)ptr); + if(ret != 0) { + printf("DetectBytetestMatch: Error extracting %d bytes of string data: %d\n", data->nbytes, ret); + return -1; + } +#ifdef DEBUG + printf("DetectBytetestMatch: Comparing base %d string 0x%" PRIx64 " %s%c 0x%" PRIx64 "\n", data->base, val, (neg ? "!" : ""), data->op, data->value); +#endif /* DEBUG */ + } + else { + int endianness = (data->flags & DETECT_BYTETEST_LITTLE) ? BYTE_LITTLE_ENDIAN : BYTE_BIG_ENDIAN; + int ret = ByteExtractUint64(&val, endianness, data->nbytes, ptr); + if (ret != 0) { + printf("DetectBytetestMatch: Error extracting %d bytes of numeric data: %d\n", data->nbytes, ret); + return -1; + } + +#ifdef DEBUG + printf("DetectBytetestMatch: Comparing numeric 0x%" PRIx64 " %s%c 0x%" PRIx64 "\n", val, (neg ? "!" : ""), data->op, data->value); +#endif /* DEBUG */ + } + + + /* Compare using the configured operator */ + match = 0; + switch (data->op) { + case DETECT_BYTETEST_OP_EQ: + if (val == data->value) { + match = 1; + } + break; + case DETECT_BYTETEST_OP_LT: + if (val < data->value) { + match = 1; + } + break; + case DETECT_BYTETEST_OP_GT: + if (val > data->value) { + match = 1; + } + break; + case DETECT_BYTETEST_OP_AND: + if (val & data->value) { + match = 1; + } + break; + case DETECT_BYTETEST_OP_OR: + if (val ^ data->value) { + match = 1; + } + break; + default: + /* Should never get here as we handle this in parsing. */ + return -1; + } + + /* A successful match depends on negation */ + if ((!neg && match) || (neg && !match)) { +#ifdef DEBUG + printf("DetectBytetestMatch: MATCH\n"); +#endif /* DEBUG */ + return 1; + } + +#ifdef DEBUG + printf("DetectBytetestMatch: NO MATCH\n"); +#endif /* DEBUG */ + return 0; +} + +DetectBytetestData *DetectBytetestParse(char *optstr) +{ + DetectBytetestData *data = NULL; + char *args[9] = { + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, + NULL + }; +#define MAX_SUBSTRINGS 30 + int ret = 0, res = 0; + int ov[MAX_SUBSTRINGS]; + int i; + uint32_t nbytes; + const char *str_ptr; + + /* Execute the regex and populate args with captures. */ + ret = pcre_exec(parse_regex, parse_regex_study, optstr, strlen(optstr), 0, 0, ov, MAX_SUBSTRINGS); + if (ret < 6 || ret > 10) { + printf("DetectBytetestParse: parse error, ret %" PRId32 ", string %s\n", ret, optstr); + goto error; + } + for (i = 0; i < (ret - 1); i++) { + res = pcre_get_substring((char *)optstr, ov, MAX_SUBSTRINGS, i + 1, &str_ptr); + if (res < 0) { + printf("DetectBytetestParse: pcre_get_substring failed for arg %d\n", i + 1); + goto error; + } + args[i] = (char *)str_ptr; + } + + /* Initialize the data */ + data = malloc(sizeof(DetectBytetestData)); + if (data == NULL) { + printf("DetectBytetestParse: malloc failed\n"); + goto error; + } + data->base = DETECT_BYTETEST_BASE_UNSET; + data->flags = 0; + + + /* + * The first four options are required and positional. The + * remaining arguments are flags and are not positional. + */ + + /* Number of bytes */ + if (ByteExtractStringUint32(&nbytes, 10, 0, args[0]) != 0) { + printf("DetectBytetestParse: Malformed number of bytes: %s\n", str_ptr); + goto error; + } + + /* Operator is next two args: neg + op */ + data->op = 0; + if (*args[1] == '!') { + data->flags |= DETECT_BYTETEST_NEGOP; + } + if ((strcmp("=", args[2]) == 0) || ((data->flags & DETECT_BYTETEST_NEGOP) && strcmp("", args[2]) == 0)) { + data->op |= DETECT_BYTETEST_OP_EQ; + } else if (strcmp("<", args[2]) == 0) { + data->op |= DETECT_BYTETEST_OP_LT; + } else if (strcmp(">", args[2]) == 0) { + data->op |= DETECT_BYTETEST_OP_GT; + } else if (strcmp("&", args[2]) == 0) { + data->op |= DETECT_BYTETEST_OP_AND; + } else if (strcmp("^", args[2]) == 0) { + data->op |= DETECT_BYTETEST_OP_OR; + } else { + // XXX Error + goto error; + } + + /* Value */ + if (ByteExtractStringUint64(&data->value, 0, 0, args[3]) != 0) { + printf("DetectBytetestParse: Malformed value: %s\n", str_ptr); + goto error; + } + + /* Offset */ + if (ByteExtractStringInt32(&data->offset, 0, 0, args[4]) != 0) { + printf("DetectBytetestParse: Malformed offset: %s\n", str_ptr); + goto error; + } + + + /* The remaining options are flags. */ + /** \todo Error on dups? */ + for (i = 5; i < (ret - 1); i++) { + if (strcmp("relative", args[i]) == 0) { + data->flags |= DETECT_BYTETEST_RELATIVE; + } else if (strcasecmp("string", args[i]) == 0) { + data->flags |= DETECT_BYTETEST_STRING; + } else if (strcasecmp("dec", args[i]) == 0) { + data->base |= DETECT_BYTETEST_BASE_DEC; + } else if (strcasecmp("hex", args[i]) == 0) { + data->base |= DETECT_BYTETEST_BASE_HEX; + } else if (strcasecmp("oct", args[i]) == 0) { + data->base |= DETECT_BYTETEST_BASE_OCT; + } else if (strcasecmp("big", args[i]) == 0) { + if (data->flags & DETECT_BYTETEST_LITTLE) { + data->flags ^= DETECT_BYTETEST_LITTLE; + } + } else if (strcasecmp("little", args[i]) == 0) { + data->flags |= DETECT_BYTETEST_LITTLE; + } else { + printf("DetectBytetestParse: Unknown option: \"%s\"\n", args[i]); + goto error; + } + } + + if (data->flags & DETECT_BYTETEST_STRING) { + /* 23 - This is the largest string (octal, with a zero prefix) that + * will not overflow uint64_t. The only way this length + * could be over 23 and still not overflow is if it were zero + * prefixed and we only support 1 byte of zero prefix for octal. + * + * "01777777777777777777777" = 0xffffffffffffffff + */ + if (nbytes > 23) { + printf("DetectBytetestParse: Cannot test more than 23 bytes with \"string\": %s\n", optstr); + goto error; + } + } else { + if (nbytes > 8) { + printf("DetectBytetestParse: Cannot test more than 8 bytes without \"string\": %s\n", optstr); + goto error; + } + if (data->base != DETECT_BYTETEST_BASE_UNSET) { + printf("DetectBytetestParse: Cannot use a base without \"string\": %s\n", optstr); + goto error; + } + } + + /* This is max 23 so it will fit in a byte (see above) */ + data->nbytes = (uint8_t)nbytes; + + for (i = 0; i < (ret - 1); i++){ + if (args[i] != NULL) free(args[i]); + } + return data; + +error: + for (i = 0; i < (ret - 1); i++){ + if (args[i] != NULL) free(args[i]); + } + if (data != NULL) DetectBytetestFree(data); + return NULL; +} + +int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *optstr) +{ + DetectBytetestData *data = NULL; + SigMatch *sm = NULL; + + //printf("DetectBytetestSetup: \'%s\'\n", optstr); + + data = DetectBytetestParse(optstr); + if (data == NULL) goto error; + + sm = SigMatchAlloc(); + if (sm == NULL) + goto error; + + sm->type = DETECT_BYTETEST; + sm->ctx = (void *)data; + + SigMatchAppend(s,m,sm); + + return 0; + +error: + if (data != NULL) DetectBytetestFree(data); + if (sm != NULL) free(sm); + return -1; +} + +/** + * \brief this function will free memory associated with DetectBytetestData + * + * \param data pointer to DetectBytetestData + */ +void DetectBytetestFree(void *ptr) +{ + DetectBytetestData *data = (DetectBytetestData *)ptr; + free(data); +} + + +/* UNITTESTS */ +#ifdef UNITTESTS + +/** + * \test DetectBytetestTestParse01 is a test to make sure that we return "something" + * when given valid bytetest opt + */ +int DetectBytetestTestParse01(void) { + int result = 0; + DetectBytetestData *data = NULL; + data = DetectBytetestParse("4, =, 1 , 0"); + if (data != NULL) { + DetectBytetestFree(data); + result = 1; + } + + return result; +} + +/** + * \test DetectBytetestTestParse02 is a test for setting the required opts + */ +int DetectBytetestTestParse02(void) { + int result = 0; + DetectBytetestData *data = NULL; + data = DetectBytetestParse("4, !=, 1, 0"); + if (data != NULL) { + if ( (data->op == DETECT_BYTETEST_OP_EQ) + && (data->nbytes == 4) + && (data->value == 1) + && (data->offset == 0) + && (data->flags == DETECT_BYTETEST_NEGOP) + && (data->base == DETECT_BYTETEST_BASE_UNSET)) + { + result = 1; + } + DetectBytetestFree(data); + } + + return result; +} + +/** + * \test DetectBytetestTestParse03 is a test for setting the relative flag + */ +int DetectBytetestTestParse03(void) { + int result = 0; + DetectBytetestData *data = NULL; + data = DetectBytetestParse("4, !=, 1, 0, relative"); + if (data != NULL) { + if ( (data->op == DETECT_BYTETEST_OP_EQ) + && (data->nbytes == 4) + && (data->value == 1) + && (data->offset == 0) + && (data->flags == ( DETECT_BYTETEST_NEGOP + |DETECT_BYTETEST_RELATIVE)) + && (data->base == DETECT_BYTETEST_BASE_UNSET)) + { + result = 1; + } + DetectBytetestFree(data); + } + + return result; +} + +/** + * \test DetectBytetestTestParse04 is a test for setting the string/oct flags + */ +int DetectBytetestTestParse04(void) { + int result = 0; + DetectBytetestData *data = NULL; + data = DetectBytetestParse("4, !=, 1, 0, string, oct"); + if (data != NULL) { + if ( (data->op == DETECT_BYTETEST_OP_EQ) + && (data->nbytes == 4) + && (data->value == 1) + && (data->offset == 0) + && (data->flags == ( DETECT_BYTETEST_NEGOP + |DETECT_BYTETEST_STRING)) + && (data->base == DETECT_BYTETEST_BASE_OCT)) + { + result = 1; + } + DetectBytetestFree(data); + } + + return result; +} + +/** + * \test DetectBytetestTestParse05 is a test for setting the string/dec flags + */ +int DetectBytetestTestParse05(void) { + int result = 0; + DetectBytetestData *data = NULL; + data = DetectBytetestParse("4, =, 1, 0, string, dec"); + if (data != NULL) { + if ( (data->op == DETECT_BYTETEST_OP_EQ) + && (data->nbytes == 4) + && (data->value == 1) + && (data->offset == 0) + && (data->flags == DETECT_BYTETEST_STRING) + && (data->base == DETECT_BYTETEST_BASE_DEC)) + { + result = 1; + } + DetectBytetestFree(data); + } + + return result; +} + +/** + * \test DetectBytetestTestParse06 is a test for setting the string/hex flags + */ +int DetectBytetestTestParse06(void) { + int result = 0; + DetectBytetestData *data = NULL; + data = DetectBytetestParse("4, >, 1, 0, string, hex"); + if (data != NULL) { + if ( (data->op == DETECT_BYTETEST_OP_GT) + && (data->nbytes == 4) + && (data->value == 1) + && (data->offset == 0) + && (data->flags == DETECT_BYTETEST_STRING) + && (data->base == DETECT_BYTETEST_BASE_HEX)) + { + result = 1; + } + DetectBytetestFree(data); + } + + return result; +} + +/** + * \test DetectBytetestTestParse07 is a test for setting the big flag + */ +int DetectBytetestTestParse07(void) { + int result = 0; + DetectBytetestData *data = NULL; + data = DetectBytetestParse("4, <, 5, 0, big"); + if (data != NULL) { + if ( (data->op == DETECT_BYTETEST_OP_LT) + && (data->nbytes == 4) + && (data->value == 5) + && (data->offset == 0) + && (data->flags == 0) + && (data->base == DETECT_BYTETEST_BASE_UNSET)) + { + result = 1; + } + DetectBytetestFree(data); + } + + return result; +} + +/** + * \test DetectBytetestTestParse08 is a test for setting the little flag + */ +int DetectBytetestTestParse08(void) { + int result = 0; + DetectBytetestData *data = NULL; + data = DetectBytetestParse("4, <, 5, 0, little"); + if (data != NULL) { + if ( (data->op == DETECT_BYTETEST_OP_LT) + && (data->nbytes == 4) + && (data->value == 5) + && (data->offset == 0) + && (data->flags == DETECT_BYTETEST_LITTLE) + && (data->base == DETECT_BYTETEST_BASE_UNSET)) + { + result = 1; + } + DetectBytetestFree(data); + } + + return result; +} + +/** + * \test DetectBytetestTestParse09 is a test for neg operator only + */ +int DetectBytetestTestParse09(void) { + int result = 0; + DetectBytetestData *data = NULL; + data = DetectBytetestParse("4, !, 5, 0"); + if (data != NULL) { + if ( (data->op == DETECT_BYTETEST_OP_EQ) + && (data->nbytes == 4) + && (data->value == 5) + && (data->offset == 0) + && (data->flags == DETECT_BYTETEST_NEGOP) + && (data->base == DETECT_BYTETEST_BASE_UNSET)) + { + result = 1; + } + DetectBytetestFree(data); + } + + return result; +} + +/** + * \test DetectBytetestTestParse10 is a test for whitespace + */ +int DetectBytetestTestParse10(void) { + int result = 0; + DetectBytetestData *data = NULL; + data = DetectBytetestParse(" 4 , ! &, 5 , 0 , little "); + if (data != NULL) { + if ( (data->op == DETECT_BYTETEST_OP_AND) + && (data->nbytes == 4) + && (data->value == 5) + && (data->offset == 0) + && (data->flags == (DETECT_BYTETEST_NEGOP|DETECT_BYTETEST_LITTLE)) + && (data->base == DETECT_BYTETEST_BASE_UNSET)) + { + result = 1; + } + DetectBytetestFree(data); + } + + return result; +} + +/** + * \test DetectBytetestTestParse11 is a test for whitespace + */ +int DetectBytetestTestParse11(void) { + int result = 0; + DetectBytetestData *data = NULL; + data = DetectBytetestParse("4,!^,5,0,little,string,relative,hex"); + if (data != NULL) { + if ( (data->op == DETECT_BYTETEST_OP_OR) + && (data->nbytes == 4) + && (data->value == 5) + && (data->offset == 0) + && (data->flags == ( DETECT_BYTETEST_NEGOP + |DETECT_BYTETEST_LITTLE + |DETECT_BYTETEST_STRING + |DETECT_BYTETEST_RELATIVE)) + && (data->base == DETECT_BYTETEST_BASE_HEX)) + { + result = 1; + } + DetectBytetestFree(data); + } + + return result; +} + +/** + * \test DetectBytetestTestParse12 is a test for hex w/o string + */ +int DetectBytetestTestParse12(void) { + int result = 0; + DetectBytetestData *data = NULL; + data = DetectBytetestParse("4, =, 1, 0, hex"); + if (data == NULL) { + result = 1; + } + + return result; +} + +/** + * \test DetectBytetestTestParse13 is a test for too many bytes to extract + */ +int DetectBytetestTestParse13(void) { + int result = 0; + DetectBytetestData *data = NULL; + data = DetectBytetestParse("9, =, 1, 0"); + if (data == NULL) { + result = 1; + } + + return result; +} + +/** + * \test DetectBytetestTestParse14 is a test for large string extraction + */ +int DetectBytetestTestParse14(void) { + int result = 0; + DetectBytetestData *data = NULL; + data = DetectBytetestParse("23,=,0xffffffffffffffff,0,string,oct"); + if (data != NULL) { + if ( (data->op == DETECT_BYTETEST_OP_EQ) + && (data->nbytes == 23) + && (data->value == 0xffffffffffffffff) + && (data->offset == 0) + && (data->flags == DETECT_BYTETEST_STRING) + && (data->base == DETECT_BYTETEST_BASE_OCT)) + { + result = 1; + } + DetectBytetestFree(data); + } + + return result; +} + +/** + * \test DetectBytetestTestParse15 is a test for too many bytes to extract (string) + */ +int DetectBytetestTestParse15(void) { + int result = 0; + DetectBytetestData *data = NULL; + data = DetectBytetestParse("24, =, 0xffffffffffffffff, 0, string"); + if (data == NULL) { + result = 1; + } + + return result; +} + +/** + * \test DetectBytetestTestParse16 is a test for offset too big + */ +int DetectBytetestTestParse16(void) { + int result = 0; + DetectBytetestData *data = NULL; + data = DetectBytetestParse("4,=,0,0xffffffffffffffff"); + if (data == NULL) { + result = 1; + } + + return result; +} +#endif /* UNITTESTS */ + + +/** + * \brief this function registers unit tests for DetectBytetest + */ +void DetectBytetestRegisterTests(void) { +#ifdef UNITTESTS + UtRegisterTest("DetectBytetestTestParse01", DetectBytetestTestParse01, 1); + UtRegisterTest("DetectBytetestTestParse02", DetectBytetestTestParse02, 1); + UtRegisterTest("DetectBytetestTestParse03", DetectBytetestTestParse03, 1); + UtRegisterTest("DetectBytetestTestParse04", DetectBytetestTestParse04, 1); + UtRegisterTest("DetectBytetestTestParse05", DetectBytetestTestParse05, 1); + UtRegisterTest("DetectBytetestTestParse06", DetectBytetestTestParse06, 1); + UtRegisterTest("DetectBytetestTestParse07", DetectBytetestTestParse07, 1); + UtRegisterTest("DetectBytetestTestParse08", DetectBytetestTestParse08, 1); + UtRegisterTest("DetectBytetestTestParse09", DetectBytetestTestParse09, 1); + UtRegisterTest("DetectBytetestTestParse10", DetectBytetestTestParse10, 1); + UtRegisterTest("DetectBytetestTestParse11", DetectBytetestTestParse11, 1); + UtRegisterTest("DetectBytetestTestParse12", DetectBytetestTestParse12, 1); + UtRegisterTest("DetectBytetestTestParse13", DetectBytetestTestParse13, 1); + UtRegisterTest("DetectBytetestTestParse14", DetectBytetestTestParse14, 1); + UtRegisterTest("DetectBytetestTestParse15", DetectBytetestTestParse15, 1); + UtRegisterTest("DetectBytetestTestParse16", DetectBytetestTestParse16, 1); +#endif /* UNITTESTS */ +} + diff --git a/src/detect-bytetest.h b/src/detect-bytetest.h new file mode 100644 index 0000000000..abfe9be7ad --- /dev/null +++ b/src/detect-bytetest.h @@ -0,0 +1,98 @@ +/** Copyright (c) 2009 Open Information Security Foundation + * + * \author Brian Rectanus + */ + +#ifndef __DETECT_BYTETEST_H__ +#define __DETECT_BYTETEST_H__ + +/** Bytetest Operators */ +#define DETECT_BYTETEST_OP_LT '<' /**< "less than" operator */ +#define DETECT_BYTETEST_OP_GT '>' /**< "greater than" operator */ +#define DETECT_BYTETEST_OP_EQ '=' /**< "equals" operator */ +#define DETECT_BYTETEST_OP_AND '&' /**< "bitwise and" operator */ +#define DETECT_BYTETEST_OP_OR '^' /**< "bitwise or" operator */ + +/** Bytetest Base */ +#define DETECT_BYTETEST_BASE_UNSET 0 /**< Unset type value string (automatic)*/ +#define DETECT_BYTETEST_BASE_OCT 8 /**< "oct" type value string */ +#define DETECT_BYTETEST_BASE_DEC 10 /**< "dec" type value string */ +#define DETECT_BYTETEST_BASE_HEX 16 /**< "hex" type value string */ + +/** Bytetest Flags */ +#define DETECT_BYTETEST_NEGOP 0x01 /**< "!" negated operator */ +#define DETECT_BYTETEST_LITTLE 0x02 /**< "little" endian value (default "big") */ +#define DETECT_BYTETEST_STRING 0x04 /**< "string" value */ +#define DETECT_BYTETEST_RELATIVE 0x08 /**< "relative" offset */ + +typedef struct DetectBytetestData_ { + uint8_t nbytes; /**< Number of bytes to compare */ + uint8_t op; /**< Operator used to compare */ + uint8_t base; /**< String value base (oct|dec|hex) */ + uint8_t flags; /**< Flags (big|little|relative|string) */ + int32_t offset; /**< Offset in payload */ + uint64_t value; /**< Value to compare against */ +} DetectBytetestData; + +/* prototypes */ + +/** + * Registration function for byte_test. + * + * \todo add support for no_stream and stream_only + */ +void DetectBytetestRegister (void); + +/** + * This function is used to add the parsed byte_test data + * into the current signature. + * + * \param de_ctx pointer to the Detection Engine Context + * \param s pointer to the Current Signature + * \param m pointer to the Current SigMatch + * \param optstr pointer to the user provided options + * + * \retval 0 on Success + * \retval -1 on Failure + */ +int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *optstr); + +/** + * \brief this function will free memory associated with DetectBytetestData + * + * \param data pointer to DetectBytetestData + */ +void DetectBytetestFree(void *ptr); + +/** + * This function is used to parse byte_test options passed via + * + * byte_test: bytes, [!]op, value, offset [,flags [, ...]] + * + * flags: "big", "little", "relative", "string", "oct", "dec", "hex" + * + * \param optstr Pointer to the user provided byte_test options + * + * \retval data pointer to DetectBytetestData on success + * \retval NULL on failure + */ +DetectBytetestData *DetectBytetestParse(char *optstr); + +/** + * This function is used to match byte_test + * + * \param t pointer to thread vars + * \param det_ctx pointer to the pattern matcher thread + * \param p pointer to the current packet + * \param m pointer to the sigmatch that we will cast into DetectBytetestData + * + * \retval -1 error + * \retval 0 no match + * \retval 1 match + * + * \todo The return seems backwards. We should return a non-zero error code. One of the error codes is "no match". As-is if someone accidentally does: if (DetectBytetestMatch(...)) { match }, then they catch an error as a match. + */ +int DetectBytetestMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *m); + +#endif /* __DETECT_BYTETEST_H__ */ + diff --git a/src/detect.c b/src/detect.c index 567e76c45c..867b3fff31 100644 --- a/src/detect.c +++ b/src/detect.c @@ -26,6 +26,8 @@ #include "detect-nocase.h" #include "detect-recursive.h" #include "detect-rawbytes.h" +#include "detect-bytetest.h" +#include "detect-bytejump.h" #include "detect-within.h" #include "detect-distance.h" #include "detect-offset.h" @@ -2489,6 +2491,8 @@ void SigTableSetup(void) { DetectNocaseRegister(); DetectRecursiveRegister(); DetectRawbytesRegister(); + DetectBytetestRegister(); + DetectBytejumpRegister(); DetectWithinRegister(); DetectDistanceRegister(); DetectOffsetRegister(); diff --git a/src/detect.h b/src/detect.h index e1abb93046..b11fe70704 100644 --- a/src/detect.h +++ b/src/detect.h @@ -393,6 +393,8 @@ enum { DETECT_NOCASE, DETECT_RECURSIVE, DETECT_RAWBYTES, + DETECT_BYTETEST, + DETECT_BYTEJUMP, DETECT_FLOW, DETECT_DSIZE, DETECT_FLOWVAR,