aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Some refactoring of the code, error handling done

Browse Source
remotes/origin/master-1.0.x
Anoop Saldanha 16 years ago committed by Victor Julien
parent e2fc2545f2
commit 0815ed7c9e
6 changed files with 121 additions and 92 deletions
Show Stats Download Patch File Download Diff File

28
src/detect-engine-address.c
Unescape Escape View File

@ -458,15 +458,15 @@ int DetectAddressInsert(DetectAddressGroupsHead *gh, DetectAddressData *new) {
DetectAddressGroup *head = NULL;
/* get our head ptr based on the address we want to insert */
head = GetHeadPtr(gh,new);
head = GetHeadPtr(gh, new);
/* see if it already exists or overlaps with existing ag's */
if (head != NULL) {
DetectAddressGroup *ag = NULL,*cur = NULL;
DetectAddressGroup *ag = NULL, *cur = NULL;
int r = 0;
for (cur = head; cur != NULL; cur = cur->next) {
r = DetectAddressCmp(new,cur->ad);
r = DetectAddressCmp(new, cur->ad);
if (r == ADDRESS_ER) {
printf("ADDRESS_ER DetectAddressCmp compared:\n");
DetectAddressDataPrint(new);
@ -519,7 +519,7 @@ int DetectAddressInsert(DetectAddressGroupsHead *gh, DetectAddressData *new) {
if (head == cur) {
head = ag;
if (SetHeadPtr(gh,head) < 0)
if (SetHeadPtr(gh, head) < 0)
goto error;
}
return 1;
@ -529,7 +529,7 @@ int DetectAddressInsert(DetectAddressGroupsHead *gh, DetectAddressData *new) {
} else if (r == ADDRESS_ES) {
DetectAddressData *c = NULL;
r = DetectAddressCut(cur->ad,new,&c);
r = DetectAddressCut(cur->ad, new, &c);
if (r == -1)
goto error;
@ -540,7 +540,7 @@ int DetectAddressInsert(DetectAddressGroupsHead *gh, DetectAddressData *new) {
return 1;
} else if (r == ADDRESS_EB) {
DetectAddressData *c = NULL;
r = DetectAddressCut(cur->ad,new,&c);
r = DetectAddressCut(cur->ad, new, &c);
if (r == -1)
goto error;
@ -551,7 +551,7 @@ int DetectAddressInsert(DetectAddressGroupsHead *gh, DetectAddressData *new) {
return 1;
} else if (r == ADDRESS_LE) {
DetectAddressData *c = NULL;
r = DetectAddressCut(cur->ad,new,&c);
r = DetectAddressCut(cur->ad, new, &c);
if (r == -1)
goto error;
@ -562,7 +562,7 @@ int DetectAddressInsert(DetectAddressGroupsHead *gh, DetectAddressData *new) {
return 1;
} else if (r == ADDRESS_GE) {
DetectAddressData *c = NULL;
r = DetectAddressCut(cur->ad,new,&c);
r = DetectAddressCut(cur->ad, new, &c);
if (r == -1)
goto error;
@ -582,7 +582,7 @@ int DetectAddressInsert(DetectAddressGroupsHead *gh, DetectAddressData *new) {
}
head->ad = new;
if (SetHeadPtr(gh,head) < 0)
if (SetHeadPtr(gh, head) < 0)
goto error;
}
@ -610,7 +610,7 @@ int DetectAddressGroupSetup(DetectAddressGroupsHead *gh, char *s) {
if (ad->flags & ADDRESS_FLAG_NOT) {
DetectAddressData *ad2 = NULL;
if (DetectAddressCutNot(ad,&ad2) < 0) {
if (DetectAddressCutNot(ad, &ad2) < 0) {
goto error;
}
@ -938,9 +938,9 @@ int DetectAddressGroupCut(DetectEngineCtx *de_ctx, DetectAddressGroup *a, Detect
* \retval -1 error */
int DetectAddressCut(DetectAddressData *a, DetectAddressData *b, DetectAddressData **c) {
if (a->family == AF_INET) {
return DetectAddressCutIPv4(a,b,c);
return DetectAddressCutIPv4(a, b, c);
} else if (a->family == AF_INET6) {
return DetectAddressCutIPv6(a,b,c);
return DetectAddressCutIPv6(a, b, c);
}
return -1;
@ -966,9 +966,9 @@ int DetectAddressCmp(DetectAddressData *a, DetectAddressData *b) {
if (a->flags & ADDRESS_FLAG_ANY && b->flags & ADDRESS_FLAG_ANY)
return ADDRESS_EQ;
else if (a->family == AF_INET)
return DetectAddressCmpIPv4(a,b);
return DetectAddressCmpIPv4(a, b);
else if (a->family == AF_INET6)
return DetectAddressCmpIPv6(a,b);
return DetectAddressCmpIPv6(a, b);
return ADDRESS_ER;
}

5
src/detect-engine-iponly.c
Unescape Escape View File

@ -216,7 +216,10 @@ void IPOnlyInit(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx) {
io_ctx->ht24_dst = HashListTableInit(65536, IPOnlyHashFunc24, IPOnlyCompareFunc, NULL);
*/
io_ctx->sig_init_size = DetectEngineGetMaxSigId(de_ctx) / 8 + 1;
io_ctx->sig_init_array = malloc(io_ctx->sig_init_size);
if ( (io_ctx->sig_init_array = malloc(io_ctx->sig_init_size)) == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
exit(EXIT_FAILURE);
}
memset(io_ctx->sig_init_array, 0, io_ctx->sig_init_size);
}

73
src/detect-engine-port.c
Unescape Escape View File

@ -51,7 +51,7 @@ DetectPort *DetectPortInit(void) {
if (dp == NULL) {
return NULL;
}
memset(dp,0,sizeof(DetectPort));
memset(dp, 0, sizeof(DetectPort));
detect_port_memory += sizeof(DetectPort);
detect_port_init_cnt++;
@ -228,7 +228,7 @@ int DetectPortInsert(DetectEngineCtx *de_ctx, DetectPort **head, DetectPort *new
SCLogDebug("PORT_EQ %p %p", cur, new);
/* exact overlap/match */
if (cur != new) {
SigGroupHeadCopySigs(de_ctx,new->sh,&cur->sh);
SigGroupHeadCopySigs(de_ctx, new->sh, &cur->sh);
cur->cnt += new->cnt;
DetectPortFree(new);
return 0;
@ -372,7 +372,7 @@ static int DetectPortCut(DetectEngineCtx *de_ctx, DetectPort *a, DetectPort *b,
if (tmp == NULL) {
goto error;
}
memset(tmp,0,sizeof(DetectPort));
memset(tmp, 0, sizeof(DetectPort));
/* we have 3 parts: [aaa[abab]bbb]
* part a: a_port1 <-> b_port1 - 1
@ -730,11 +730,11 @@ DetectPort *DetectPortCopy(DetectEngineCtx *de_ctx, DetectPort *src) {
goto error;
}
memcpy(dst,src,sizeof(DetectPort));
memcpy(dst, src, sizeof(DetectPort));
dst->sh = NULL;
if (src->next != NULL)
dst->next = DetectPortCopy(de_ctx,src->next);
dst->next = DetectPortCopy(de_ctx, src->next);
return dst;
error:
@ -830,7 +830,7 @@ static int DetectPortParseInsert(DetectPort **head, DetectPort *new) {
}
static int DetectPortParseInsertString(DetectPort **head, char *s) {
DetectPort *ad = NULL;
DetectPort *ad = NULL;
int r = 0;
SCLogDebug("head %p, *head %p, s %s", head, *head, s);
@ -842,22 +842,21 @@ static int DetectPortParseInsertString(DetectPort **head, char *s) {
goto error;
}
/* handle the not case, we apply the negation
* then insert the part(s) */
/* handle the not case, we apply the negation then insert the part(s) */
if (ad->flags & PORT_FLAG_NOT) {
DetectPort *ad2 = NULL;
if (DetectPortCutNot(ad,&ad2) < 0) {
if (DetectPortCutNot(ad, &ad2) < 0) {
goto error;
}
/* normally a 'not' will result in two ad's
* unless the 'not' is on the start or end
* of the address space (e.g. 0.0.0.0 or
* 255.255.255.255). */
/* normally a 'not' will result in two ad's unless the 'not' is on the
* start or end of the address space(e.g. 0.0.0.0 or 255.255.255.255) */
if (ad2 != NULL) {
if (DetectPortParseInsert(head, ad2) < 0)
if (DetectPortParseInsert(head, ad2) < 0) {
if (ad2 != NULL) free(ad2);
goto error;
}
}
}
@ -879,12 +878,13 @@ static int DetectPortParseInsertString(DetectPort **head, char *s) {
error:
printf("DetectPortParseInsertString error\n");
/* XXX cleanup */
if (ad != NULL) free(ad);
return -1;
}
/* XXX error handling */
static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int negate) {
static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,
int negate) {
int i, x;
int o_set = 0, n_set = 0;
int range = 0;
@ -898,9 +898,8 @@ static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int
address[x] = s[i];
x++;
if (s[i] == ':') {
if (s[i] == ':')
range = 1;
}
if (range == 1 && s[i] == '!') {
printf("Can't have a negated value in a range.\n");
@ -916,11 +915,11 @@ static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int
depth++;
} else if (s[i] == ']') {
if (depth == 1) {
address[x-1] = '\0';
SCLogDebug("%s", address);
address[x - 1] = '\0';
SCLogDebug("Parsed port from DetectPortParseDo - %s", address);
x = 0;
DetectPortParseDo(head,nhead,address,negate ? negate : n_set);
DetectPortParseDo(head, nhead, address, negate? negate: n_set);
n_set = 0;
}
depth--;
@ -929,13 +928,13 @@ static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int
if (o_set == 1) {
o_set = 0;
} else {
address[x-1] = '\0';
SCLogDebug("%s", address);
address[x - 1] = '\0';
SCLogDebug("Parsed port from DetectPortParseDo - %s", address);
if (negate == 0 && n_set == 0) {
DetectPortParseInsertString(head,address);
DetectPortParseInsertString(head, address);
} else {
DetectPortParseInsertString(nhead,address);
DetectPortParseInsertString(nhead, address);
}
n_set = 0;
}
@ -1026,7 +1025,7 @@ int DetectPortParseMergeNotPorts(DetectPort **head, DetectPort **nhead) {
for (ag = *nhead; ag != NULL; ag = ag->next) {
/* work with a copy of the ad so we can easily clean up
* the ghn group later. */
ad = DetectPortCopy(NULL,ag);
ad = DetectPortCopy(NULL, ag);
if (ad == NULL) {
goto error;
}
@ -1045,7 +1044,7 @@ int DetectPortParseMergeNotPorts(DetectPort **head, DetectPort **nhead) {
SCLogDebug("ag2 %p", ag2);
DetectPortPrint(ag2);
r = DetectPortCmp(ag,ag2);
r = DetectPortCmp(ag, ag2);
if (r == PORT_EQ || r == PORT_EB) { /* XXX more ??? */
if (ag2->prev == NULL) {
*head = ag2->next;
@ -1084,26 +1083,25 @@ error:
int DetectPortParse(DetectPort **head, char *str) {
int r;
SCLogDebug("str %s", str);
SCLogDebug("Port string to be parsed - str %s", str);
/* negate port list */
DetectPort *nhead = NULL;
r = DetectPortParseDo(head,&nhead,str,/* start with negate no */0);
if (r < 0) {
r = DetectPortParseDo(head, &nhead, str,/* start with negate no */0);
if (r < 0)
goto error;
}
SCLogDebug("head %p %p, nhead %p", head, *head, nhead);
/* merge the 'not' address groups */
if (DetectPortParseMergeNotPorts(head,&nhead) < 0) {
if (DetectPortParseMergeNotPorts(head, &nhead) < 0)
goto error;
}
/* free the temp negate head */
DetectPortFree(nhead);
return 0;
error:
DetectPortFree(nhead);
return -1;
@ -1131,7 +1129,7 @@ DetectPort *PortParse(char *str) {
/* see if the address is an ipv4 or ipv6 address */
if ((port2 = strchr(port, ':')) != NULL) {
/* 80:81 range format */
port[port2 - port] = '\0';
port2[0] = '\0';
port2++;
if(DetectPortIsValidRange(port))
@ -1139,8 +1137,8 @@ DetectPort *PortParse(char *str) {
else
goto error;
if (strcmp(port2,"") != 0){
if(DetectPortIsValidRange(port2))
if (strcmp(port2, "") != 0) {
if (DetectPortIsValidRange(port2))
dp->port2 = atoi(port2);
else
goto error;
@ -1148,10 +1146,9 @@ DetectPort *PortParse(char *str) {
dp->port2 = 65535;
}
/* a>b is illegal, a=b is ok */
/* a > b is illegal, a == b is ok */
if (dp->port > dp->port2)
goto error;
} else {
if (strcasecmp(port,"any") == 0) {
dp->port = 0;

18
src/detect-engine-siggroup.c
Unescape Escape View File

@ -36,9 +36,14 @@ static uint32_t detect_siggroup_matcharray_memory = 0;
static uint32_t detect_siggroup_matcharray_init_cnt = 0;
static uint32_t detect_siggroup_matcharray_free_cnt = 0;
/** \brief alloc a sig group head and it's sig_array
* \param size size of the sig array
* \retval sgh or NULL in case of error */
/**
* \brief Alloc a sig group head and it's sig_array
*
* \param size Size of the sig array
* \retval sgh Pointer to newly init SigGroupHead on succuess; or NULL in case
* of error
*/
static SigGroupHead *SigGroupHeadAlloc(uint32_t size) {
SigGroupHead *sgh = malloc(sizeof(SigGroupHead));
if (sgh == NULL) {
@ -54,7 +59,7 @@ static SigGroupHead *SigGroupHeadAlloc(uint32_t size) {
sgh->sig_array = malloc(sgh->sig_size);
if (sgh->sig_array == NULL)
goto error;
memset(sgh->sig_array,0,sgh->sig_size);
memset(sgh->sig_array, 0, sgh->sig_size);
detect_siggroup_sigarray_init_cnt++;
detect_siggroup_sigarray_memory += sgh->sig_size;
@ -441,13 +446,12 @@ int SigGroupHeadAppendSig(DetectEngineCtx *de_ctx, SigGroupHead **sgh, Signature
/* see if we have a head already */
if (*sgh == NULL) {
*sgh = SigGroupHeadAlloc(DetectEngineGetMaxSigId(de_ctx) / 8 + 1);
if (*sgh == NULL) {
if (*sgh == NULL)
goto error;
}
}
/* enable the sig in the bitarray */
(*sgh)->sig_array[(s->num/8)] |= 1<<(s->num%8);
(*sgh)->sig_array[s->num / 8] |= 1 << (s->num % 8);
return 0;
error:

37
src/detect-parse.c
Unescape Escape View File

@ -297,15 +297,23 @@ error:
*/
int SigParseProto(Signature *s, const char *protostr) {
int r = DetectProtoParse(&s->proto, (char *)protostr);
if (r < 0) {
if (r < 0)
return -1;
}
return 0;
}
/* src: flag = 0, dst: flag = 1
/**
* \brief Parses the port(source or destination) field, from a Signature
*
* \param s Pointer to the signature which has to be updated with the
* port information
* \param portstr Pointer to the character string containing the port info
* \param Flag which indicates if the portstr received is sort or dst
* port. For src port: flag = 0, dst port: flag = 1
*
* \retval 0 On success
* \retval -1 On failure
*/
int SigParsePort(Signature *s, const char *portstr, char flag) {
int r = 0;
@ -320,15 +328,15 @@ int SigParsePort(Signature *s, const char *portstr, char flag) {
negate = 1;
}
if (strcmp(portstr,"$HTTP_PORTS") == 0) {
if (strcmp(portstr, "$HTTP_PORTS") == 0) {
if (negate) port = "![80:81,88]";
else port = "80:81,88";
} else if (strcmp(portstr,"$SHELLCODE_PORTS") == 0) {
} else if (strcmp(portstr, "$SHELLCODE_PORTS") == 0) {
port = "!80";
} else if (strcmp(portstr,"$ORACLE_PORTS") == 0) {
} else if (strcmp(portstr, "$ORACLE_PORTS") == 0) {
if (negate) port = "!1521";
else port = "1521";
} else if (strcmp(portstr,"$SSH_PORTS") == 0) {
} else if (strcmp(portstr, "$SSH_PORTS") == 0) {
if (negate) port = "!22";
else port = "22";
} else {
@ -336,22 +344,19 @@ int SigParsePort(Signature *s, const char *portstr, char flag) {
}
if (flag == 0) {
if (strcasecmp(port,"any") == 0) {
if (strcasecmp(port, "any") == 0)
s->flags |= SIG_FLAG_SP_ANY;
}
r = DetectPortParse(&s->sp,(char *)port);
r = DetectPortParse(&s->sp, (char *)port);
} else if (flag == 1) {
if (strcasecmp(port,"any") == 0)
if (strcasecmp(port, "any") == 0)
s->flags |= SIG_FLAG_DP_ANY;
r = DetectPortParse(&s->dp,(char *)port);
//DetectPortPrint(s->dp);
r = DetectPortParse(&s->dp, (char *)port);
}
if (r < 0) {
if (r < 0)
return -1;
}
return 0;
}

52
src/detect.c
Unescape Escape View File

@ -244,13 +244,20 @@ int SigLoadSignatures (DetectEngineCtx *de_ctx, char *sig_file)
SCSigOrderSignatures(de_ctx);
SCSigSignatureOrderingModuleCleanup(de_ctx);
/* Setup the signature group lookup structure and
* pattern matchers */
/* Setup the signature group lookup structure and pattern matchers */
SigGroupBuild(de_ctx);
return 0;
}
/* check if a certain sid alerted, this is used in the test functions */
/**
* \brief Check if a certain sid alerted, this is used in the test functions
*
* \param p Packet on which we want to check if the signature alerted or not
* \param sid Signature id of the signature that thas to be checked for a match
*
* \retval match A value > 0 on a match; 0 on no match
*/
int PacketAlertCheck(Packet *p, uint32_t sid)
{
uint16_t i = 0;
@ -578,11 +585,10 @@ void SigCleanSignatures(DetectEngineCtx *de_ctx)
* \retval 0 sig is not ip only
*/
static int SignatureIsIPOnly(DetectEngineCtx *de_ctx, Signature *s) {
/* in the case of tcp/udp, only consider sigs that
* don't have ports set ip-only. */
/* for tcp/udp, only consider sigs that don't have ports set, as ip-only */
if (!(s->proto.flags & DETECT_PROTO_ANY)) {
if (s->proto.proto[(IPPROTO_TCP/8)] & (1<<(IPPROTO_TCP%8)) ||
s->proto.proto[(IPPROTO_UDP/8)] & (1<<(IPPROTO_UDP%8))) {
if (s->proto.proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8)) ||
s->proto.proto[IPPROTO_UDP / 8] & (1 << (IPPROTO_UDP % 8))) {
if (!(s->flags & SIG_FLAG_SP_ANY))
return 0;
@ -595,8 +601,8 @@ static int SignatureIsIPOnly(DetectEngineCtx *de_ctx, Signature *s) {
if (sm == NULL)
goto iponly;
for ( ;sm != NULL ;sm = sm->next) {
if (!( sigmatch_table[sm->type].flags & SIGMATCH_IPONLY_COMPAT))
for ( ;sm != NULL; sm = sm->next) {
if ( !(sigmatch_table[sm->type].flags & SIGMATCH_IPONLY_COMPAT))
return 0;
}
@ -716,19 +722,19 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) {
for (gr = tmp_s->src.ipv4_head; gr != NULL; gr = gr->next) {
//printf("Stage1: ip4 ");DetectAddressDataPrint(gr->ad);printf("\n");
if (SigGroupHeadAppendSig(de_ctx, &gr->sh,tmp_s) < 0) {
if (SigGroupHeadAppendSig(de_ctx, &gr->sh, tmp_s) < 0) {
goto error;
}
cnt++;
}
for (gr = tmp_s->src.ipv6_head; gr != NULL; gr = gr->next) {
if (SigGroupHeadAppendSig(de_ctx, &gr->sh,tmp_s) < 0) {
if (SigGroupHeadAppendSig(de_ctx, &gr->sh, tmp_s) < 0) {
goto error;
}
cnt++;
}
for (gr = tmp_s->src.any_head; gr != NULL; gr = gr->next) {
if (SigGroupHeadAppendSig(de_ctx, &gr->sh,tmp_s) < 0) {
if (SigGroupHeadAppendSig(de_ctx, &gr->sh, tmp_s) < 0) {
goto error;
}
cnt++;
@ -1367,7 +1373,15 @@ error:
return -1;
}
/* fill the global src group head, with the sigs included */
/**
* \brief Fill the global src group head, with the sigs included
*
* \param de_ctx Pointer to the Detection Engine Context whose Signatures have
* to be processed
*
* \retval 0 On success
* \retval -1 On failure
*/
int SigAddressPrepareStage2(DetectEngineCtx *de_ctx) {
Signature *tmp_s = NULL;
DetectAddressGroup *gr = NULL;
@ -1375,7 +1389,7 @@ int SigAddressPrepareStage2(DetectEngineCtx *de_ctx) {
if (!(de_ctx->flags & DE_QUIET)) {
SCLogInfo("building signature grouping structure, stage 2: "
"building source address list...");
"building source address list...");
}
IPOnlyInit(de_ctx, &de_ctx->io_ctx);
@ -2508,8 +2522,14 @@ int SigAddressPrepareStage5(DetectEngineCtx *de_ctx) {
return 0;
}
/** \brief Convert the signature list into the runtime
* match structure. */
/**
* \brief Convert the signature list into the runtime match structure.
*
* \param de_ctx Pointer to the Detection Engine Context whose Signatures have
* to be processed
*
* \retval 0 Always
*/
int SigGroupBuild (DetectEngineCtx *de_ctx) {
SigAddressPrepareStage1(de_ctx);
SigAddressPrepareStage2(de_ctx);

Write Preview
Loading…
Cancel
Save