From 0b5d27725499b7f139d0e9db3adc46dd33a716ef Mon Sep 17 00:00:00 2001 From: Anoop Saldanha Date: Sat, 23 Feb 2013 15:36:00 +0530 Subject: [PATCH] code cleanup for all content based keywords. --- src/detect-byte-extract.c | 307 ++++++++++++++++++-------------- src/detect-bytejump.c | 287 ++++++++++++++++++------------ src/detect-bytetest.c | 301 ++++++++++++++++++------------- src/detect-content.c | 69 +++----- src/detect-content.h | 1 + src/detect-depth.c | 170 ++++++++---------- src/detect-distance.c | 234 ++++++++++-------------- src/detect-engine-dcepayload.c | 22 +-- src/detect-engine-mpm.c | 90 +++++----- src/detect-engine-mpm.h | 2 +- src/detect-http-client-body.c | 106 +++++------ src/detect-http-cookie.c | 98 +++++----- src/detect-http-header.c | 101 +++++------ src/detect-http-hh.c | 97 +++++----- src/detect-http-hrh.c | 97 +++++----- src/detect-http-method.c | 99 +++++------ src/detect-http-raw-header.c | 100 +++++------ src/detect-http-raw-uri.c | 88 +++++---- src/detect-http-server-body.c | 105 +++++------ src/detect-http-stat-code.c | 92 +++++----- src/detect-http-stat-msg.c | 94 +++++----- src/detect-http-ua.c | 95 +++++----- src/detect-http-uri.c | 94 +++++----- src/detect-isdataat.c | 291 ++++++++++++++---------------- src/detect-nocase.c | 101 +++++------ src/detect-offset.c | 178 +++++++++---------- src/detect-parse.c | 20 +++ src/detect-pcre.c | 314 ++++++++++++--------------------- src/detect-uricontent.c | 11 +- src/detect-urilen.c | 21 +-- src/detect-within.c | 251 +++++++++++--------------- 31 files changed, 1850 insertions(+), 2086 deletions(-) diff --git a/src/detect-byte-extract.c b/src/detect-byte-extract.c index 993ec24c83..f70dc79ac0 100644 --- a/src/detect-byte-extract.c +++ b/src/detect-byte-extract.c @@ -536,162 +536,211 @@ static inline DetectByteExtractData *DetectByteExtractParse(char *arg) */ int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - DetectByteExtractData *data = NULL; SigMatch *sm = NULL; + SigMatch *prev_pm = NULL; + DetectByteExtractData *data = NULL; + int ret = -1; data = DetectByteExtractParse(arg); if (data == NULL) goto error; - sm = SigMatchAlloc(); - if (sm == NULL) - goto error; - - sm->type = DETECT_BYTE_EXTRACT; - sm->ctx = (void *)data; - - /* assign a local id for the byte extract var */ - DetectByteExtractData *bed = (DetectByteExtractData *)sm->ctx; - SigMatch *prev_bed_sm = - SigMatchGetLastSMFromLists(s, 6, - DETECT_BYTE_EXTRACT, - s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTE_EXTRACT, - s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_BYTE_EXTRACT, - s->sm_lists_tail[DETECT_SM_LIST_UMATCH]); - if (prev_bed_sm == NULL) { - /* first one */ - bed->local_id = 0; - } else { - bed->local_id = ((DetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1; - } - if (bed->local_id > de_ctx->byte_extract_max_local_id) - de_ctx->byte_extract_max_local_id = bed->local_id; - - /* check bytetest modifiers against the signature alproto. In case they conflict - * chuck out invalid signature */ - if ((data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE)) { - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has " - "bytetest with dce enabled"); - goto error; - } - s->alproto = ALPROTO_DCERPC; - } - - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || - s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { - int sm_list; + int sm_list; + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { + if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "dce byte_extract specified " + "with file_data option set."); + goto error; + } AppLayerHtpEnableResponseBodyCallback(); sm_list = DETECT_SM_LIST_HSBDMATCH; } else { sm_list = DETECT_SM_LIST_DMATCH; } - + s->flags |= SIG_FLAG_APPLAYER; if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) { - SigMatch *prev_sm = NULL; - prev_sm = SigMatchGetLastSMFromLists(s, 8, + prev_pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, s->sm_lists_tail[sm_list], - DETECT_BYTETEST, s->sm_lists_tail[sm_list], - DETECT_BYTEJUMP, s->sm_lists_tail[sm_list], DETECT_PCRE, s->sm_lists_tail[sm_list]); - if (prev_sm == NULL) { - data->flags &= ~DETECT_BYTE_EXTRACT_FLAG_RELATIVE; - } } - s->flags |= SIG_FLAG_APPLAYER; - SigMatchAppendSMToList(s, sm, sm_list); - } else { + } else if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) { if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) { - SigMatch *pm = - SigMatchGetLastSMFromLists(s, 20, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - if (pm == NULL) { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); - return 0; + prev_pm = SigMatchGetLastSMFromLists(s, 12, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); + if (prev_pm == NULL) { + sm_list = DETECT_SM_LIST_PMATCH; + } else { + sm_list = SigMatchListSMBelongsTo(s, prev_pm); } - int list = SigMatchListSMBelongsTo(s, pm); - SigMatchAppendSMToList(s, sm, list); } else { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); + sm_list = DETECT_SM_LIST_PMATCH; } - } - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { - return 0; - } + s->alproto = ALPROTO_DCERPC; + s->flags |= SIG_FLAG_APPLAYER; - if ( !(data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE)) { - return 0; - } + } else if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) { + prev_pm = SigMatchGetLastSMFromLists(s, 168, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); + if (prev_pm == NULL) { + sm_list = DETECT_SM_LIST_PMATCH; + } else { + sm_list = SigMatchListSMBelongsTo(s, prev_pm); + } - SigMatch *prev_sm = NULL; - prev_sm = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, sm->prev, - DETECT_BYTEJUMP, sm->prev, - DETECT_PCRE, sm->prev); - if (prev_sm == NULL) - return 0; + } else { + sm_list = DETECT_SM_LIST_PMATCH; + } - DetectContentData *cd = NULL; - DetectPcreData *pe = NULL; - - switch (prev_sm->type) { - case DETECT_CONTENT: - /* Set the relative next flag on the prev sigmatch */ - cd = (DetectContentData *)prev_sm->ctx; - if (cd == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - return -1; - } - cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) { + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has " + "byte_extract with dce enabled"); + goto error; + } + s->alproto = ALPROTO_DCERPC; + if ((data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) || + (data->base == DETECT_BYTE_EXTRACT_BASE_DEC) || + (data->base == DETECT_BYTE_EXTRACT_BASE_HEX) || + (data->base == DETECT_BYTE_EXTRACT_BASE_OCT) ) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. " + "A byte_jump keyword with dce holds other invalid modifiers."); + goto error; + } + } - break; + SigMatch *prev_bed_sm = SigMatchGetLastSMFromLists(s, 2, + DETECT_BYTE_EXTRACT, s->sm_lists_tail[sm_list]); + if (prev_bed_sm == NULL) + data->local_id = 0; + else + data->local_id = ((DetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1; + if (data->local_id > de_ctx->byte_extract_max_local_id) + de_ctx->byte_extract_max_local_id = data->local_id; - case DETECT_PCRE: - pe = (DetectPcreData *)prev_sm->ctx; - if (pe == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - return -1; - } - pe->flags |= DETECT_PCRE_RELATIVE_NEXT; - break; + sm = SigMatchAlloc(); + if (sm == NULL) + goto error; + sm->type = DETECT_BYTE_EXTRACT; + sm->ctx = (void *)data; + SigMatchAppendSMToList(s, sm, sm_list); - case DETECT_BYTEJUMP: - SCLogDebug("No setting relative_next for bytejump. We " - "have no use for it"); - break; + if (!(data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE)) + goto okay; - default: - /* this will never hit */ - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - return -1; - } /* switch */ + if (prev_pm == NULL) + goto okay; - return 0; + if (prev_pm->type == DETECT_CONTENT) { + DetectContentData *cd = (DetectContentData *)prev_pm->ctx; + cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else if (prev_pm->type == DETECT_PCRE) { + DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx; + pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } -error: - if (data != NULL) - DetectByteExtractFree(data); - if (sm != NULL) - SCFree(sm); - return -1; + okay: + ret = 0; + return ret; + error: + DetectByteExtractFree(data); + return ret; } /** @@ -2292,7 +2341,7 @@ int DetectByteExtractTest42(void) bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) { goto end; } - if (bed->local_id != 2) { + if (bed->local_id != 1) { result = 0; goto end; } @@ -2336,7 +2385,7 @@ int DetectByteExtractTest42(void) bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) { goto end; } - if (bed->local_id != 1) { + if (bed->local_id != 0) { result = 0; goto end; } @@ -4509,7 +4558,7 @@ int DetectByteExtractTest60(void) bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) { goto end; } - if (bed1->local_id != 1) { + if (bed1->local_id != 0) { result = 0; goto end; } @@ -4639,7 +4688,7 @@ int DetectByteExtractTest61(void) bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) { goto end; } - if (bed1->local_id != 1) { + if (bed1->local_id != 0) { result = 0; goto end; } @@ -4704,7 +4753,7 @@ static int DetectByteExtractTest62(void) if (bed->nbytes != 4 || bed->offset != 2 || strncmp(bed->name, "two", 3) != 0 || - bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING) || + bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_RELATIVE) || bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE || bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 || diff --git a/src/detect-bytejump.c b/src/detect-bytejump.c index 6576039e0a..185089445b 100644 --- a/src/detect-bytejump.c +++ b/src/detect-bytejump.c @@ -527,150 +527,216 @@ error: int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) { - DetectBytejumpData *data = NULL; SigMatch *sm = NULL; + SigMatch *prev_pm = NULL; + DetectBytejumpData *data = NULL; char *offset = NULL; + int ret = -1; data = DetectBytejumpParse(optstr, &offset); if (data == NULL) goto error; - sm = SigMatchAlloc(); - if (sm == NULL) - goto error; - - sm->type = DETECT_BYTEJUMP; - sm->ctx = (void *)data; - - /* check bytejump modifiers against the signature alproto. In case they conflict - * chuck out invalid signature */ - if (data->flags & DETECT_BYTEJUMP_DCE) { - if (s->alproto != ALPROTO_DCERPC) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has " - "bytetest with dce enabled"); - goto error; - } - if ( (data->flags & DETECT_BYTEJUMP_STRING) || - (data->flags & DETECT_BYTEJUMP_LITTLE) || - (data->flags & DETECT_BYTEJUMP_BIG) || - (data->flags & DETECT_BYTEJUMP_BEGIN) || - (data->base == DETECT_BYTEJUMP_BASE_DEC) || - (data->base == DETECT_BYTEJUMP_BASE_HEX) || - (data->base == DETECT_BYTEJUMP_BASE_OCT) ) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. " - "DCERPC rule holds an invalid modifier for bytejump."); - goto error; - } - s->alproto = ALPROTO_DCERPC; - } - - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || - s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { - int sm_list; + int sm_list; + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { + if (data->flags & DETECT_BYTEJUMP_DCE) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "dce bytejump specified " + "with file_data option set."); + goto error; + } AppLayerHtpEnableResponseBodyCallback(); sm_list = DETECT_SM_LIST_HSBDMATCH; } else { sm_list = DETECT_SM_LIST_DMATCH; } - + s->flags |= SIG_FLAG_APPLAYER; if (data->flags & DETECT_BYTEJUMP_RELATIVE) { - SigMatch *prev_sm = NULL; - prev_sm = SigMatchGetLastSMFromLists(s, 8, + prev_pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, s->sm_lists_tail[sm_list], - DETECT_BYTETEST, s->sm_lists_tail[sm_list], - DETECT_BYTEJUMP, s->sm_lists_tail[sm_list], DETECT_PCRE, s->sm_lists_tail[sm_list]); - if (prev_sm == NULL) { - data->flags &= ~DETECT_BYTEJUMP_RELATIVE; + + } + } else if (data->flags & DETECT_BYTEJUMP_DCE) { + if (data->flags & DETECT_BYTEJUMP_RELATIVE) { + prev_pm = SigMatchGetLastSMFromLists(s, 12, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); + if (prev_pm == NULL) { + sm_list = DETECT_SM_LIST_PMATCH; + } else { + sm_list = SigMatchListSMBelongsTo(s, prev_pm); } + } else { + sm_list = DETECT_SM_LIST_PMATCH; } + + s->alproto = ALPROTO_DCERPC; s->flags |= SIG_FLAG_APPLAYER; - SigMatchAppendSMToList(s, sm, sm_list); + + } else if (data->flags & DETECT_BYTEJUMP_RELATIVE) { + prev_pm = SigMatchGetLastSMFromLists(s, 168, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); + if (prev_pm == NULL) { + sm_list = DETECT_SM_LIST_PMATCH; + } else { + sm_list = SigMatchListSMBelongsTo(s, prev_pm); + } + } else { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); + sm_list = DETECT_SM_LIST_PMATCH; + } + + if (data->flags & DETECT_BYTEJUMP_DCE) { + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has " + "bytejump with dce enabled"); + goto error; + } + if ((data->flags & DETECT_BYTEJUMP_STRING) || + (data->flags & DETECT_BYTEJUMP_LITTLE) || + (data->flags & DETECT_BYTEJUMP_BIG) || + (data->flags & DETECT_BYTEJUMP_BEGIN) || + (data->base == DETECT_BYTEJUMP_BASE_DEC) || + (data->base == DETECT_BYTEJUMP_BASE_HEX) || + (data->base == DETECT_BYTEJUMP_BASE_OCT) ) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. " + "A byte_jump keyword with dce holds other invalid modifiers."); + goto error; + } } if (offset != NULL) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(offset, s, - SigMatchListSMBelongsTo(s, sm)); + SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s, sm_list); if (bed_sm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " "seen in byte_jump - %s\n", offset); goto error; } - DetectBytejumpData *bjd = sm->ctx; - bjd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - bjd->flags |= DETECT_BYTEJUMP_OFFSET_BE; + data->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id; + data->flags |= DETECT_BYTEJUMP_OFFSET_BE; SCFree(offset); } - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { - return 0; - } - - if ( !(data->flags & DETECT_BYTEJUMP_RELATIVE)) { - return(0); - } - - SigMatch *prev_sm = NULL; - prev_sm = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, sm->prev, - DETECT_BYTEJUMP, sm->prev, - DETECT_PCRE, sm->prev); - if (prev_sm == NULL) { - return 0; - } - - DetectContentData *cd = NULL; - DetectPcreData *pe = NULL; - - switch (prev_sm->type) { - case DETECT_CONTENT: - /* Set the relative next flag on the prev sigmatch */ - cd = (DetectContentData *)prev_sm->ctx; - if (cd == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - return -1; - } - cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - - break; - - case DETECT_PCRE: - pe = (DetectPcreData *)prev_sm->ctx; - if (pe == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - return -1; - } - pe->flags |= DETECT_PCRE_RELATIVE_NEXT; - - break; - - case DETECT_BYTEJUMP: - SCLogDebug("No setting relative_next for bytejump. We " - "have no use for it"); + sm = SigMatchAlloc(); + if (sm == NULL) + goto error; + sm->type = DETECT_BYTEJUMP; + sm->ctx = (void *)data; + SigMatchAppendSMToList(s, sm, sm_list); - break; + if (!(data->flags & DETECT_BYTEJUMP_RELATIVE)) + goto okay; - default: - /* this will never hit */ - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - return -1; - } /* switch */ + if (prev_pm == NULL) + goto okay; - return 0; + if (prev_pm->type == DETECT_CONTENT) { + DetectContentData *cd = (DetectContentData *)prev_pm->ctx; + cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else if (prev_pm->type == DETECT_PCRE) { + DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx; + pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } -error: - if (data != NULL) - DetectBytejumpFree(data); - if (sm != NULL) - SCFree(sm); - return -1; + okay: + ret = 0; + return ret; + error: + DetectBytejumpFree(data); + return ret; } /** @@ -680,6 +746,9 @@ error: */ void DetectBytejumpFree(void *ptr) { + if (ptr == NULL) + return; + DetectBytejumpData *data = (DetectBytejumpData *)ptr; SCFree(data); } diff --git a/src/detect-bytetest.c b/src/detect-bytetest.c index b12d6f068f..5acd1c2790 100644 --- a/src/detect-bytetest.c +++ b/src/detect-bytetest.c @@ -448,165 +448,227 @@ error: int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) { - DetectBytetestData *data = NULL; SigMatch *sm = NULL; + SigMatch *prev_pm = NULL; + DetectBytetestData *data = NULL; char *value = NULL; char *offset = NULL; + int ret = -1; data = DetectBytetestParse(optstr, &value, &offset); if (data == NULL) goto error; - sm = SigMatchAlloc(); - if (sm == NULL) - goto error; - - sm->type = DETECT_BYTETEST; - sm->ctx = (void *)data; - - /* check bytetest modifiers against the signature alproto. In case they conflict - * chuck out invalid signature */ - if (data->flags & DETECT_BYTETEST_DCE) { - if (s->alproto != ALPROTO_DCERPC) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has " - "bytetest with dce enabled"); - goto error; - } - if ( (data->flags & DETECT_BYTETEST_STRING) || - (data->flags & DETECT_BYTETEST_LITTLE) || - (data->flags & DETECT_BYTETEST_BIG) || - (data->base == DETECT_BYTETEST_BASE_DEC) || - (data->base == DETECT_BYTETEST_BASE_HEX) || - (data->base == DETECT_BYTETEST_BASE_OCT) ) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. " - "a byte_test keyword with dce holds other invalid modifiers."); - goto error; - } - s->alproto = ALPROTO_DCERPC; - } - - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || - s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { - int sm_list; + int sm_list; + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { + if (data->flags & DETECT_BYTETEST_DCE) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "dce bytetest specified " + "with file_data option set."); + goto error; + } AppLayerHtpEnableResponseBodyCallback(); sm_list = DETECT_SM_LIST_HSBDMATCH; } else { sm_list = DETECT_SM_LIST_DMATCH; } - + s->flags |= SIG_FLAG_APPLAYER; if (data->flags & DETECT_BYTETEST_RELATIVE) { - SigMatch *prev_sm = NULL; - prev_sm = SigMatchGetLastSMFromLists(s, 8, + prev_pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, s->sm_lists_tail[sm_list], - DETECT_BYTETEST, s->sm_lists_tail[sm_list], - DETECT_BYTEJUMP, s->sm_lists_tail[sm_list], DETECT_PCRE, s->sm_lists_tail[sm_list]); - if (prev_sm == NULL) { - data->flags &= ~DETECT_BYTETEST_RELATIVE; + } + + } else if (data->flags & DETECT_BYTETEST_DCE) { + if (data->flags & DETECT_BYTETEST_RELATIVE) { + prev_pm = SigMatchGetLastSMFromLists(s, 12, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); + if (prev_pm == NULL) { + sm_list = DETECT_SM_LIST_PMATCH; + } else { + sm_list = SigMatchListSMBelongsTo(s, prev_pm); } + } else { + sm_list = DETECT_SM_LIST_PMATCH; } + + s->alproto = ALPROTO_DCERPC; s->flags |= SIG_FLAG_APPLAYER; - SigMatchAppendSMToList(s, sm, sm_list); + + } else if (data->flags & DETECT_BYTETEST_RELATIVE) { + prev_pm = SigMatchGetLastSMFromLists(s, 168, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); + if (prev_pm == NULL) { + sm_list = DETECT_SM_LIST_PMATCH; + } else { + sm_list = SigMatchListSMBelongsTo(s, prev_pm); + } + } else { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); + sm_list = DETECT_SM_LIST_PMATCH; + } + + if (data->flags & DETECT_BYTETEST_DCE) { + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has " + "bytetest with dce enabled"); + goto error; + } + if ((data->flags & DETECT_BYTETEST_STRING) || + (data->flags & DETECT_BYTETEST_LITTLE) || + (data->flags & DETECT_BYTETEST_BIG) || + (data->base == DETECT_BYTETEST_BASE_DEC) || + (data->base == DETECT_BYTETEST_BASE_HEX) || + (data->base == DETECT_BYTETEST_BASE_OCT) ) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. " + "A byte_test keyword with dce holds other invalid modifiers."); + goto error; + } } if (value != NULL) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(value, s, - SigMatchListSMBelongsTo(s, sm)); + SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(value, s, sm_list); if (bed_sm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " "seen in byte_test - %s\n", value); goto error; } - DetectBytetestData *btd = sm->ctx; - btd->value = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - btd->flags |= DETECT_BYTETEST_VALUE_BE; + data->value = ((DetectByteExtractData *)bed_sm->ctx)->local_id; + data->flags |= DETECT_BYTETEST_VALUE_BE; SCFree(value); } if (offset != NULL) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(offset, s, - SigMatchListSMBelongsTo(s, sm)); + SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s, sm_list); if (bed_sm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " "seen in byte_test - %s\n", offset); goto error; } - DetectBytetestData *btd = sm->ctx; - btd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - btd->flags |= DETECT_BYTETEST_OFFSET_BE; + data->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id; + data->flags |= DETECT_BYTETEST_OFFSET_BE; SCFree(offset); } - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { - return 0; - } - - if ( !(data->flags & DETECT_BYTETEST_RELATIVE)) { - return 0; - } - - SigMatch *prev_sm = NULL; - prev_sm = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, sm->prev, - DETECT_BYTEJUMP, sm->prev, - DETECT_PCRE, sm->prev); - if (prev_sm == NULL) { - return 0; - } - - DetectContentData *cd = NULL; - DetectPcreData *pe = NULL; - - switch (prev_sm->type) { - case DETECT_CONTENT: - /* Set the relative next flag on the prev sigmatch */ - cd = (DetectContentData *)prev_sm->ctx; - if (cd == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - return -1; - } - cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - - break; - - case DETECT_PCRE: - pe = (DetectPcreData *)prev_sm->ctx; - if (pe == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - return -1; - } - pe->flags |= DETECT_PCRE_RELATIVE_NEXT; - - break; - - case DETECT_BYTEJUMP: - SCLogDebug("No setting relative_next for bytejump. We " - "have no use for it"); - - break; - - default: - /* this will never hit */ - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - return -1; - } /* switch */ - - return 0; - -error: - //if (data != NULL) - // DetectBytetestFree(data); - //if (sm != NULL) - // SCFree(sm); - return -1; + sm = SigMatchAlloc(); + if (sm == NULL) + goto error; + sm->type = DETECT_BYTETEST; + sm->ctx = (void *)data; + SigMatchAppendSMToList(s, sm, sm_list); + + if (!(data->flags & DETECT_BYTETEST_RELATIVE)) + goto okay; + + if (prev_pm == NULL) + goto okay; + if (prev_pm->type == DETECT_CONTENT) { + DetectContentData *cd = (DetectContentData *)prev_pm->ctx; + cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else if (prev_pm->type == DETECT_PCRE) { + DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx; + pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } + + okay: + ret = 0; + return ret; + error: + DetectBytetestFree(data); + return ret; } /** @@ -616,6 +678,9 @@ error: */ void DetectBytetestFree(void *ptr) { + if (ptr == NULL) + return; + DetectBytetestData *data = (DetectBytetestData *)ptr; SCFree(data); } diff --git a/src/detect-content.c b/src/detect-content.c index 6094de913f..724f79d890 100644 --- a/src/detect-content.c +++ b/src/detect-content.c @@ -46,7 +46,7 @@ #include "util-unittest-helper.h" int DetectContentMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *); -static int DetectContentSetup (DetectEngineCtx *, Signature *, char *); +int DetectContentSetup(DetectEngineCtx *, Signature *, char *); void DetectContentRegisterTests(void); void DetectContentRegister (void) { @@ -365,66 +365,43 @@ void DetectContentPrintAll(SigMatch *sm) * \retval -1 if error * \retval 0 if all was ok */ -static int DetectContentSetup (DetectEngineCtx *de_ctx, Signature *s, char *contentstr) +int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, char *contentstr) { DetectContentData *cd = NULL; SigMatch *sm = NULL; cd = DetectContentParse(contentstr); - if (cd == NULL) goto error; - - sm = SigMatchAlloc(); - if (sm == NULL) + if (cd == NULL) goto error; - - sm->type = DETECT_CONTENT; - sm->ctx = (void *)cd; - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_PMATCH); - DetectContentPrint(cd); - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); - - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HSBDMATCH); - sm->type = DETECT_CONTENT; - - /* transfer the sm from the pmatch list to hsbdmatch list */ - SigMatchTransferSigMatchAcrossLists(sm, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_HSBDMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]); + int sm_list; + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { + AppLayerHtpEnableResponseBodyCallback(); + s->alproto = ALPROTO_HTTP; + sm_list = DETECT_SM_LIST_HSBDMATCH; + } else { + sm_list = DETECT_SM_LIST_DMATCH; + } - /* flag the signature to indicate that we scan the app layer data */ - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - /* enable http request body callback in the http app layer parser */ - AppLayerHtpEnableResponseBodyCallback(); - } else if (s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_DMATCH); - sm->type = DETECT_CONTENT; - - /* transfer the sm from the pmatch list to hsbdmatch list */ - SigMatchTransferSigMatchAcrossLists(sm, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_DMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); - - /* flag the signature to indicate that we scan the app layer data */ s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_DCERPC; + } else { + sm_list = DETECT_SM_LIST_PMATCH; } + sm = SigMatchAlloc(); + if (sm == NULL) + goto error; + sm->ctx = (void *)cd; + sm->type = DETECT_CONTENT; + cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, sm_list); + SigMatchAppendSMToList(s, sm, sm_list); + return 0; error: - if (cd != NULL) - DetectContentFree(cd); - if (sm != NULL) - SCFree(sm); + DetectContentFree(cd); return -1; } diff --git a/src/detect-content.h b/src/detect-content.h index 0c1246edeb..51a04df951 100644 --- a/src/detect-content.h +++ b/src/detect-content.h @@ -93,6 +93,7 @@ DetectContentData *DetectContentParse (char *contentstr); int DetectContentDataParse(char *keyword, char *contentstr, char** pstr, uint16_t *plen, int *flags); DetectContentData *DetectContentParseEncloseQuotes(char *); +int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, char *contentstr); void DetectContentPrint(DetectContentData *); void DetectContentFree(void *); diff --git a/src/detect-depth.c b/src/detect-depth.c index f591fc9604..6473ae8583 100644 --- a/src/detect-depth.c +++ b/src/detect-depth.c @@ -59,33 +59,40 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths char *str = depthstr; char dubbed = 0; SigMatch *pm = NULL; - DetectContentData *cd = NULL; + int ret = -1; /* strip "'s */ if (depthstr[0] == '\"' && depthstr[strlen(depthstr) - 1] == '\"') { str = SCStrdup(depthstr + 1); if (unlikely(str == NULL)) - goto error; + goto end; str[strlen(depthstr) - 2] = '\0'; dubbed = 1; } - pm = SigMatchGetLastSMFromLists(s, 30, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); + /* retrive the sm to apply the depth against */ + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) + pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]); + else + pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); + } else { + pm = SigMatchGetLastSMFromLists(s, 28, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); + } if (pm == NULL) { SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs " "preceding content, uricontent option, http_client_body, " @@ -94,91 +101,58 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths "http_stat_msg, http_stat_code, http_user_agent, " "http_host, http_raw_host or " "file_data/dce_stub_data sticky buffer options"); - if (dubbed) - SCFree(str); - return -1; + goto end; } - switch (pm->type) { - case DETECT_CONTENT: - cd = (DetectContentData *)pm->ctx; - if (cd == NULL) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument"); - if (dubbed) SCFree(str); - return -1; - } - - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a relative keyword " - "with a non-relative keyword for the same content." ); - goto error; - } - - if (cd->flags & DETECT_CONTENT_DEPTH) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple depths for the same content."); - goto error; - } - - if (str[0] != '-' && isalpha((unsigned char)str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var " - "seen in depth - %s\n", str); - goto error; - } - cd->depth = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_DEPTH_BE; - } else { - int depth = atoi(str); - if (depth < 0) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Negative depth " - "not allowed - %d.", depth); - goto error; - } - if (depth < cd->content_len) { - uint32_t content_len = cd->content_len; - SCLogError(SC_ERR_INVALID_SIGNATURE, "depth - %"PRIu16 - " smaller than content length - %"PRIu32, - cd->depth, content_len); - goto error; - } - cd->depth = depth; - /* Now update the real limit, as depth is relative to the offset */ - cd->depth += cd->offset; - } - - cd->flags |= DETECT_CONTENT_DEPTH; - - break; + /* verify other conditions. */ + DetectContentData *cd = (DetectContentData *)pm->ctx; - default: - SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs a preceding " - "content (or uricontent) option"); - goto error; + if (cd->flags & DETECT_CONTENT_DEPTH) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple depths for the same content."); + goto end; } + if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a relative " + "keyword like within/distance with a absolute " + "relative keyword like depth/offset for the same " + "content." ); + goto end; + } + if (cd->flags & DETECT_CONTENT_NEGATED && cd->flags & DETECT_CONTENT_FAST_PATTERN) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative " + "negated keyword set along with a fast_pattern"); + goto end; + } + if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative " + "keyword set along with a fast_pattern:only;"); + goto end; + } + if (str[0] != '-' && isalpha((unsigned char)str[0])) { + SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s, SigMatchListSMBelongsTo(s, pm)); + if (bed_sm == NULL) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var " + "seen in depth - %s\n", str); + goto end; + } + cd->depth = ((DetectByteExtractData *)bed_sm->ctx)->local_id; + cd->flags |= DETECT_CONTENT_DEPTH_BE; + } else { + cd->depth = (uint32_t)atoi(str); + if (cd->depth < cd->content_len) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "depth - %"PRIu16 + " smaller than content length - %"PRIu32, + cd->depth, cd->content_len); + goto end; + } + /* Now update the real limit, as depth is relative to the offset */ + cd->depth += cd->offset; + } + cd->flags |= DETECT_CONTENT_DEPTH; + ret = 0; + end: if (dubbed) SCFree(str); - return 0; - -error: - if (dubbed) - SCFree(str); - return -1; + return ret; } diff --git a/src/detect-distance.c b/src/detect-distance.c index d351dbb4c9..b0cf071cd0 100644 --- a/src/detect-distance.c +++ b/src/detect-distance.c @@ -49,7 +49,8 @@ static int DetectDistanceSetup(DetectEngineCtx *, Signature *, char *); void DetectDistanceRegisterTests(void); -void DetectDistanceRegister (void) { +void DetectDistanceRegister(void) +{ sigmatch_table[DETECT_DISTANCE].name = "distance"; sigmatch_table[DETECT_DISTANCE].desc = "indicates a relation between this content keyword and the content preceding it"; sigmatch_table[DETECT_DISTANCE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Distance"; @@ -67,165 +68,114 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, char *str = distancestr; char dubbed = 0; SigMatch *pm = NULL; + int ret = -1; /* strip "'s */ if (distancestr[0] == '\"' && distancestr[strlen(distancestr) - 1] == '\"') { str = SCStrdup(distancestr + 1); if (unlikely(str == NULL)) - goto error; + goto end; str[strlen(distancestr) - 2] = '\0'; dubbed = 1; } - pm = SigMatchGetLastSMFromLists(s, 30, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); + /* retrive the sm to apply the depth against */ + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) + pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]); + else + pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); + } else { + pm = SigMatchGetLastSMFromLists(s, 28, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); + } if (pm == NULL) { - SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs " + SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "distance needs " "preceding content, uricontent option, http_client_body, " - "http_server_body, http_header, http_raw_header, http_method, " - "http_cookie, http_raw_uri, http_stat_msg, http_stat_code, " - "http_host, http_raw_host or " - "http_user_agent or file_data/dce_stub_data option"); - if (dubbed) - SCFree(str); - return -1; + "http_server_body, http_header option, http_raw_header option, " + "http_method option, http_cookie, http_raw_uri, " + "http_stat_msg, http_stat_code, http_user_agent or " + "file_data/dce_stub_data sticky buffer option"); + goto end; } - DetectContentData *cd = NULL; - DetectPcreData *pe = NULL; - - switch (pm->type) { - case DETECT_CONTENT: - cd = (DetectContentData *)pm->ctx; - if (cd == NULL) { - SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two " - "preceding content or uricontent options"); - goto error; - } - - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if ((cd->flags & DETECT_CONTENT_DEPTH) || (cd->flags & DETECT_CONTENT_OFFSET)) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a relative keyword " - "with a non-relative keyword for the same content." ); - goto error; - } - - if (cd->flags & DETECT_CONTENT_DISTANCE) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple distances with the same content. "); - goto error; - } - - if (str[0] != '-' && isalpha((unsigned char)str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var " - "seen in distance - %s\n", str); - goto error; - } - cd->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_DISTANCE_BE; - } else { - cd->distance = strtol(str, NULL, 10); - } - - cd->flags |= DETECT_CONTENT_DISTANCE; - - pm = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, pm->prev, - DETECT_PCRE, pm->prev, - DETECT_BYTEJUMP, pm->prev); - if (pm != NULL) { - switch (pm->type) { - case DETECT_CONTENT: - /* Set the relative next flag on the prev sigmatch */ - cd = (DetectContentData *)pm->ctx; - if (cd == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown previous-" - "previous keyword!"); - goto error; - } - cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "previous keyword " - "has a fast_pattern:only; set. Can't have " - "relative keywords around a fast_pattern " - "only content"); - goto error; - } - - break; - - case DETECT_PCRE: - pe = (DetectPcreData *) pm->ctx; - if (pe == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown previous-" - "previous keyword!"); - goto error; - } - pe->flags |= DETECT_PCRE_RELATIVE_NEXT; - - break; - - case DETECT_BYTEJUMP: - SCLogDebug("no setting relative_next for bytejump. We " - "have no use for it"); - - break; - - default: - /* this will never hit */ - SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown previous-" - "previous keyword!"); - break; - } - } - - break; - - default: - SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two " - "preceding content or uricontent options"); - goto error; + /* verify other conditions */ + DetectContentData *cd = (DetectContentData *)pm->ctx; + if (cd->flags & DETECT_CONTENT_DISTANCE) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple distances for the same content."); + goto end; + } + if ((cd->flags & DETECT_CONTENT_DEPTH) || (cd->flags & DETECT_CONTENT_OFFSET)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a relative " + "keyword like within/distance with a absolute " + "relative keyword like depth/offset for the same " + "content." ); + goto end; + } + if (cd->flags & DETECT_CONTENT_NEGATED && cd->flags & DETECT_CONTENT_FAST_PATTERN) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative " + "negated keyword set along with a fast_pattern"); + goto end; } + if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative " + "keyword set along with a fast_pattern:only;"); + goto end; + } + if (str[0] != '-' && isalpha((unsigned char)str[0])) { + SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s, SigMatchListSMBelongsTo(s, pm)); + if (bed_sm == NULL) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var " + "seen in distance - %s\n", str); + goto end; + } + cd->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id; + cd->flags |= DETECT_CONTENT_DISTANCE_BE; + } else { + cd->distance = strtol(str, NULL, 10); + } + cd->flags |= DETECT_CONTENT_DISTANCE; - if (dubbed) - SCFree(str); - return 0; + SigMatch *prev_pm = SigMatchGetLastSMFromLists(s, 4, + DETECT_CONTENT, pm->prev, + DETECT_PCRE, pm->prev); + if (prev_pm == NULL) { + ret = 0; + goto end; + } + if (prev_pm->type == DETECT_CONTENT) { + DetectContentData *cd = (DetectContentData *)prev_pm->ctx; + if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "previous keyword " + "has a fast_pattern:only; set. Can't " + "have relative keywords around a fast_pattern " + "only content"); + goto end; + } + cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else if (prev_pm->type == DETECT_PCRE) { + DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx; + pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } -error: + ret = 0; + end: if (dubbed) SCFree(str); - return -1; + return ret; } #ifdef UNITTESTS diff --git a/src/detect-engine-dcepayload.c b/src/detect-engine-dcepayload.c index dac52009e7..adca45ce2b 100644 --- a/src/detect-engine-dcepayload.c +++ b/src/detect-engine-dcepayload.c @@ -8174,7 +8174,7 @@ int DcePayloadParseTest31(void) bd->flags & DETECT_BYTEJUMP_LITTLE || bd->flags & DETECT_BYTEJUMP_BIG || bd->flags & DETECT_BYTEJUMP_STRING || - bd->flags & DETECT_BYTEJUMP_RELATIVE || + !(bd->flags & DETECT_BYTEJUMP_RELATIVE) || bd->flags & DETECT_BYTEJUMP_ALIGN || bd->flags & DETECT_BYTEJUMP_DCE ) { result = 0; @@ -8321,7 +8321,7 @@ int DcePayloadParseTest32(void) bd->flags & DETECT_BYTEJUMP_LITTLE || bd->flags & DETECT_BYTEJUMP_BIG || bd->flags & DETECT_BYTEJUMP_STRING || - bd->flags & DETECT_BYTEJUMP_RELATIVE || + !(bd->flags & DETECT_BYTEJUMP_RELATIVE) || bd->flags & DETECT_BYTEJUMP_ALIGN || bd->flags & DETECT_BYTEJUMP_DCE ) { result = 0; @@ -8465,7 +8465,7 @@ int DcePayloadParseTest33(void) } pd = (DetectPcreData *)sm->ctx; if ( pd->flags & DETECT_PCRE_RAWBYTES || - pd->flags & DETECT_PCRE_RELATIVE) { + !(pd->flags & DETECT_PCRE_RELATIVE)) { result = 0; printf("one failed\n"); goto end; @@ -8608,7 +8608,7 @@ int DcePayloadParseTest34(void) } pd = (DetectPcreData *)sm->ctx; if ( pd->flags & DETECT_PCRE_RAWBYTES || - pd->flags & DETECT_PCRE_RELATIVE) { + !(pd->flags & DETECT_PCRE_RELATIVE)) { result = 0; goto end; } @@ -8731,7 +8731,7 @@ int DcePayloadParseTest35(void) if (bd->flags & DETECT_BYTETEST_LITTLE || bd->flags & DETECT_BYTETEST_BIG || bd->flags & DETECT_BYTETEST_STRING || - bd->flags & DETECT_BYTETEST_RELATIVE || + !(bd->flags & DETECT_BYTEJUMP_RELATIVE) || !(bd->flags & DETECT_BYTETEST_DCE) ) { result = 0; printf("one failed\n"); @@ -8817,7 +8817,7 @@ int DcePayloadParseTest36(void) } isd = (DetectIsdataatData *)sm->ctx; if ( isd->flags & ISDATAAT_RAWBYTES || - isd->flags & ISDATAAT_RELATIVE) { + !(isd->flags & ISDATAAT_RELATIVE)) { result = 0; goto end; } @@ -8925,7 +8925,7 @@ int DcePayloadParseTest37(void) bjd->flags & DETECT_BYTEJUMP_LITTLE || bjd->flags & DETECT_BYTEJUMP_BIG || bjd->flags & DETECT_BYTEJUMP_STRING || - bjd->flags & DETECT_BYTEJUMP_RELATIVE || + !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) || !(bjd->flags & DETECT_BYTEJUMP_ALIGN) || !(bjd->flags & DETECT_BYTEJUMP_DCE) ) { result = 0; @@ -9031,7 +9031,7 @@ int DcePayloadParseTest38(void) } pd = (DetectPcreData *)sm->ctx; if ( pd->flags & DETECT_PCRE_RAWBYTES || - pd->flags & DETECT_PCRE_RELATIVE) { + !(pd->flags & DETECT_PCRE_RELATIVE)) { result = 0; printf("one failed\n"); goto end; @@ -9685,7 +9685,7 @@ int DcePayloadParseTest44(void) } isd = (DetectIsdataatData *)sm->ctx; if ( isd->flags & ISDATAAT_RAWBYTES || - isd->flags & ISDATAAT_RELATIVE) { + !(isd->flags & ISDATAAT_RELATIVE)) { result = 0; goto end; } @@ -9814,7 +9814,7 @@ int DcePayloadParseTest45(void) bjd->flags & DETECT_BYTEJUMP_LITTLE || bjd->flags & DETECT_BYTEJUMP_BIG || bjd->flags & DETECT_BYTEJUMP_STRING || - bjd->flags & DETECT_BYTEJUMP_RELATIVE || + !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) || !(bjd->flags & DETECT_BYTEJUMP_ALIGN) || !(bjd->flags & DETECT_BYTEJUMP_DCE) ) { result = 0; @@ -9925,7 +9925,7 @@ int DcePayloadParseTest46(void) if (btd->flags & DETECT_BYTETEST_LITTLE || btd->flags & DETECT_BYTETEST_BIG || btd->flags & DETECT_BYTETEST_STRING || - btd->flags & DETECT_BYTETEST_RELATIVE || + !(btd->flags & DETECT_BYTETEST_RELATIVE) || !(btd->flags & DETECT_BYTETEST_DCE) ) { result = 0; printf("one failed\n"); diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index de07883aa1..74c77fe46c 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -3050,7 +3050,7 @@ uint32_t DetectUricontentGetId(MpmPatternIdStore *ht, DetectContentData *co) { * * \retval id Pattern id. */ -uint32_t DetectPatternGetId(MpmPatternIdStore *ht, void *ctx, uint8_t sm_list) +uint32_t DetectPatternGetId(MpmPatternIdStore *ht, void *ctx, Signature *s, uint8_t sm_list) { SCEnter(); @@ -3076,58 +3076,64 @@ uint32_t DetectPatternGetId(MpmPatternIdStore *ht, void *ctx, uint8_t sm_list) r = HashTableLookup(ht->hash, (void *)e, sizeof(MpmPatternIdTableElmt)); if (r == NULL) { - /* we don't have a duplicate with this pattern + id type. If the id is - * for content, then it is the first entry for such a - * pattern + id combination. Let us create an entry for it */ - if (sm_list == DETECT_SM_LIST_PMATCH) { + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + BUG_ON((sm_list != DETECT_SM_LIST_HSBDMATCH) & (sm_list != DETECT_SM_LIST_DMATCH)); e->id = ht->max_id; ht->max_id++; id = e->id; - int ret = HashTableAdd(ht->hash, e, sizeof(MpmPatternIdTableElmt)); BUG_ON(ret != 0); - e = NULL; - - /* the id type is not content or uricontent. It would be one of - * those http_ modifiers against content then */ } else { - /* we know that this is one of those http_ modifiers against content. - * So we would have seen a content before coming across this http_ - * modifier. Let's retrieve this content entry that has already - * been registered. */ - e->sm_list = DETECT_SM_LIST_PMATCH; - MpmPatternIdTableElmt *tmp_r = HashTableLookup(ht->hash, (void *)e, sizeof(MpmPatternIdTableElmt)); - if (tmp_r == NULL) { - SCLogError(SC_ERR_FATAL, "How can this happen? We have to have " - "a content of type DETECT_CONTENT already registered " - "at this point. Impossible"); - exit(EXIT_FAILURE); - } - - /* we have retrieved the content, and the content registered was the - * first entry made(dup_count is 1) for that content. Let us just - * reset the sm_type to the http_ keyword's sm_type */ - if (tmp_r->dup_count == 1) { - tmp_r->sm_list = sm_list; - id = tmp_r->id; - - /* interestingly we have more than one entry for this content. - * Out of these tmp_r->dup_count entries, one would be for the content - * entry made for this http_ modifier. Erase this entry and make - * a separate entry for the http_ modifier(of course with a new id) */ - } else { - tmp_r->dup_count--; - /* reset the sm_type, since we changed it to DETECT_CONTENT prev */ - e->sm_list = sm_list; + /* we don't have a duplicate with this pattern + id type. If the id is + * for content, then it is the first entry for such a + * pattern + id combination. Let us create an entry for it */ + if (sm_list == DETECT_SM_LIST_PMATCH) { e->id = ht->max_id; ht->max_id++; id = e->id; - int ret = HashTableAdd(ht->hash, e, sizeof(MpmPatternIdTableElmt)); BUG_ON(ret != 0); - e = NULL; + + /* the id type is not content or uricontent. It would be one of + * those http_ modifiers against content then */ + } else { + /* we know that this is one of those http_ modifiers against content. + * So we would have seen a content before coming across this http_ + * modifier. Let's retrieve this content entry that has already + * been registered. */ + e->sm_list = DETECT_SM_LIST_PMATCH; + MpmPatternIdTableElmt *tmp_r = HashTableLookup(ht->hash, (void *)e, sizeof(MpmPatternIdTableElmt)); + if (tmp_r == NULL) { + SCLogError(SC_ERR_FATAL, "How can this happen? We have to have " + "a content of type DETECT_CONTENT already registered " + "at this point. Impossible"); + exit(EXIT_FAILURE); + } + + /* we have retrieved the content, and the content registered was the + * first entry made(dup_count is 1) for that content. Let us just + * reset the sm_type to the http_ keyword's sm_type */ + if (tmp_r->dup_count == 1) { + tmp_r->sm_list = sm_list; + id = tmp_r->id; + + /* interestingly we have more than one entry for this content. + * Out of these tmp_r->dup_count entries, one would be for the content + * entry made for this http_ modifier. Erase this entry and make + * a separate entry for the http_ modifier(of course with a new id) */ + } else { + tmp_r->dup_count--; + /* reset the sm_type, since we changed it to DETECT_CONTENT prev */ + e->sm_list = sm_list; + e->id = ht->max_id; + ht->max_id++; + id = e->id; + int ret = HashTableAdd(ht->hash, e, sizeof(MpmPatternIdTableElmt)); + BUG_ON(ret != 0); + e = NULL; + } } } @@ -3135,7 +3141,9 @@ uint32_t DetectPatternGetId(MpmPatternIdStore *ht, void *ctx, uint8_t sm_list) } else { /* oh cool! It is a duplicate for content, uricontent types. Update the * dup_count and get out */ - if (sm_list == DETECT_SM_LIST_PMATCH) { + if ((s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) || + sm_list == DETECT_SM_LIST_PMATCH) { + /* we have a duplicate */ r->dup_count++; id = r->id; goto end; diff --git a/src/detect-engine-mpm.h b/src/detect-engine-mpm.h index c9488ea90b..05b74c8c5b 100644 --- a/src/detect-engine-mpm.h +++ b/src/detect-engine-mpm.h @@ -76,7 +76,7 @@ void MpmPatternIdTableFreeHash(MpmPatternIdStore *); uint32_t MpmPatternIdStoreGetMaxId(MpmPatternIdStore *); uint32_t DetectContentGetId(MpmPatternIdStore *, DetectContentData *); uint32_t DetectUricontentGetId(MpmPatternIdStore *, DetectContentData *); -uint32_t DetectPatternGetId(MpmPatternIdStore *, void *, uint8_t); +uint32_t DetectPatternGetId(MpmPatternIdStore *, void *, Signature *s, uint8_t); int SignatureHasPacketContent(Signature *); int SignatureHasStreamContent(Signature *); diff --git a/src/detect-http-client-body.c b/src/detect-http-client-body.c index 4fd876722b..5dec75356e 100644 --- a/src/detect-http-client-body.c +++ b/src/detect-http-client-body.c @@ -94,83 +94,75 @@ void DetectHttpClientBodyRegister(void) */ int DetectHttpClientBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - DetectContentData *cd = NULL; SigMatch *sm = NULL; + int ret = -1; if (arg != NULL && strcmp(arg, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_client_body supplied with args"); - return -1; + SCLogError(SC_ERR_INVALID_ARGUMENT, "http_client_body shouldn't be supplied " + "with an argument"); + goto end; } - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - /* if still we are unable to find any content previous keywords, it is an - * invalid rule */ + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_client_body\" keyword seen " + "with a sticky buffer still set. Reset sticky buffer " + "with pkt_data before using the modifier."); + goto end; + } + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " + "alproto set"); + goto end; + } + s->flags &= ~SIG_FLAG_TOCLIENT; + s->flags |= SIG_FLAG_TOSERVER; + + sm = SigMatchGetLastSMFromLists(s, 2, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); if (sm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_client_body\" keyword " "found inside the rule without a content context. " "Please use a \"content\" keyword before using the " "\"http_client_body\" keyword"); - return -1; + goto end; } - - cd = (DetectContentData *)sm->ctx; - - /* http_client_body should not be used with the rawbytes rule */ + DetectContentData *cd = (DetectContentData *)sm->ctx; if (cd->flags & DETECT_CONTENT_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "http_client_body rule can not " "be used with the rawbytes rule keyword"); - return -1; - } - - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto error; - } - - if (s->flags & SIG_FLAG_TOCLIENT) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_client_body can not be used with flow:to_client or flow:from_server. "); - goto error; + goto end; } - - if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) { + if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, sm->prev, DETECT_PCRE, sm->prev); - /* pm can be NULL now. To accomodate parsing sigs like - - * content:one; http_modifier; content:two; distance:0; http_modifier */ if (pm != NULL) { if (pm->type == DETECT_CONTENT) { DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; } else { DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~ DETECT_PCRE_RELATIVE_NEXT; + tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; } + } - } /* if (pm != NULL) */ - - /* reassigning pm */ pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]); - if (pm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_client_body seen with a " - "distance or within without a previous http_client_body " - "content. Invalidating signature."); - goto error; - } - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + if (pm != NULL) { + if (pm->type == DETECT_CONTENT) { + DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; + tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else { + DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; + tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } } } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HCBDMATCH); - sm->type = DETECT_CONTENT; + cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HCBDMATCH); + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; + AppLayerHtpEnableRequestBodyCallback(); /* transfer the sm from the pmatch list to hcbdmatch list */ SigMatchTransferSigMatchAcrossLists(sm, @@ -179,21 +171,9 @@ int DetectHttpClientBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) &s->sm_lists[DETECT_SM_LIST_HCBDMATCH], &s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]); - /* flag the signature to indicate that we scan the app layer data */ - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - /* enable http request body callback in the http app layer parser */ - AppLayerHtpEnableRequestBodyCallback(); - - return 0; - -error: - //if (cd != NULL) - // DetectHttpClientBodyFree(cd); - //if (sm != NULL) - // SCFree(sm); - - return -1; + ret = 0; + end: + return ret; } /** @@ -2357,8 +2337,8 @@ int DetectHttpClientBodyTest31(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " "(content:\"one\"; within:5; http_client_body; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c index 6126746f14..fa3ca504bb 100644 --- a/src/detect-http-cookie.c +++ b/src/detect-http-cookie.c @@ -66,7 +66,8 @@ void DetectHttpCookieFree(void *); /** * \brief Registration function for keyword: http_cookie */ -void DetectHttpCookieRegister (void) { +void DetectHttpCookieRegister(void) +{ sigmatch_table[DETECT_AL_HTTP_COOKIE].name = "http_cookie"; sigmatch_table[DETECT_AL_HTTP_COOKIE].desc = "content modifier to match only on the HTTP cookie-buffer"; sigmatch_table[DETECT_AL_HTTP_COOKIE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_cookie"; @@ -106,53 +107,49 @@ void DetectHttpCookieFree(void *ptr) * \retval -1 On failure */ -static int DetectHttpCookieSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) +static int DetectHttpCookieSetup(DetectEngineCtx *de_ctx, Signature *s, char *str) { - DetectContentData *cd = NULL; SigMatch *sm = NULL; + int ret = -1; if (str != NULL && strcmp(str, "") != 0) { SCLogError(SC_ERR_INVALID_ARGUMENT, "http_cookie shouldn't be supplied " "with an argument"); - return -1; + goto end; } - if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) { - SCLogError(SC_ERR_HTTP_COOKIE_NEEDS_PRECEEDING_CONTENT, "http_cookie " - "found inside the rule, without any preceding content keywords"); - return -1; + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_cookie\" keyword seen " + "with a sticky buffer still set. Reset sticky buffer " + "with pkt_data before using the modifier."); + goto end; + } + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " + "alproto set"); + goto end; } - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); + sm = SigMatchGetLastSMFromLists(s, 2, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); if (sm == NULL) { - SCLogWarning(SC_ERR_HTTP_COOKIE_NEEDS_PRECEEDING_CONTENT, "http_cookie " - "found inside the rule, without a content context. Please use a " - "content keyword before using http_cookie"); - return -1; + SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_cookie\" keyword " + "found inside the rule without a content context. " + "Please use a \"content\" keyword before using the " + "\"http_cookie\" keyword"); + goto end; } - - cd = (DetectContentData *)sm->ctx; - - /* http_cookie should not be used with the rawbytes rule */ + DetectContentData *cd = (DetectContentData *)sm->ctx; if (cd->flags & DETECT_CONTENT_RAWBYTES) { SCLogError(SC_ERR_HTTP_COOKIE_INCOMPATIBLE_WITH_RAWBYTES, "http_cookie " "rule can not be used with the rawbytes rule keyword"); - return -1; - } - - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains keywords" - "that conflict with http_cookie"); - goto error; + goto end; } - - if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) { + if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, sm->prev, DETECT_PCRE, sm->prev); if (pm != NULL) { - /* pm is never NULL. So no NULL check */ if (pm->type == DETECT_CONTENT) { DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; @@ -160,30 +157,24 @@ static int DetectHttpCookieSetup (DetectEngineCtx *de_ctx, Signature *s, char *s DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; } - } /* if (pm != NULL) */ + } - /* please note. reassigning pm */ pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, - s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_PCRE, - s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]); - if (pm == NULL) { - SCLogError(SC_ERR_HTTP_COOKIE_RELATIVE_MISSING, "http_cookie with " - "a distance or within requires preceding http_cookie " - "content, but none was found"); - goto error; - } - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]); + if (pm != NULL) { + if (pm->type == DETECT_CONTENT) { + DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; + tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else { + DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; + tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } } } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HCDMATCH); - sm->type = DETECT_CONTENT; + cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HCDMATCH); + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; /* transfer the sm from the pmatch list to hcdmatch list */ SigMatchTransferSigMatchAcrossLists(sm, @@ -192,14 +183,9 @@ static int DetectHttpCookieSetup (DetectEngineCtx *de_ctx, Signature *s, char *s &s->sm_lists[DETECT_SM_LIST_HCDMATCH], &s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]); - /* flag the signature to indicate that we scan the app layer data */ - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - return 0; - -error: - return -1; + ret = 0; + end: + return ret; } /******************************** UNITESTS **********************************/ diff --git a/src/detect-http-header.c b/src/detect-http-header.c index 79c5d6460d..1ad8cf0d06 100644 --- a/src/detect-http-header.c +++ b/src/detect-http-header.c @@ -115,48 +115,47 @@ void DetectHttpHeaderFree(void *ptr) */ int DetectHttpHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - DetectContentData *cd = NULL; SigMatch *sm = NULL; + int ret = -1; if (arg != NULL && strcmp(arg, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_header supplied with args"); - return -1; + SCLogError(SC_ERR_INVALID_ARGUMENT, "http_header shouldn't be supplied with " + "an argument"); + goto end; + } + + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_header\" keyword seen " + "with a sticky buffer still set. Reset sticky buffer " + "with pkt_data before using the modifier."); + goto end; + } + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " + "alproto set"); + goto end; } - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - /* if still we are unable to find any content previous keywords, it is an - * invalid rule */ + sm = SigMatchGetLastSMFromLists(s, 2, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); if (sm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_header\" keyword " "found inside the rule without a content context. " "Please use a \"content\" keyword before using the " "\"http_header\" keyword"); - return -1; + goto end; } - - /* cast for further use */ - cd = (DetectContentData *)sm->ctx; - - /* http_header should not be used with the rawbytes rule */ + DetectContentData *cd = (DetectContentData *)sm->ctx; if (cd->flags & DETECT_CONTENT_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "http_header rule can not " "be used with the rawbytes rule keyword"); - return -1; - } - - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto error; + goto end; } - - if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) { + if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, sm->prev, DETECT_PCRE, sm->prev); if (pm != NULL) { - /* pm is never NULL. So no NULL check */ if (pm->type == DETECT_CONTENT) { DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; @@ -164,31 +163,24 @@ int DetectHttpHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; } - } /* if (pm != NULL) */ + } - /* please note. reassigning pm */ pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, - s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_PCRE, - s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]); - - if (pm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_header seen with a " - "distance or within without a previous http_header " - "content. Invalidating signature."); - goto error; - } - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]); + if (pm != NULL) { + if (pm->type == DETECT_CONTENT) { + DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; + tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else { + DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; + tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } } } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HHDMATCH); - sm->type = DETECT_CONTENT; + cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HHDMATCH); + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; /* transfer the sm from the pmatch list to hhdmatch list */ SigMatchTransferSigMatchAcrossLists(sm, @@ -197,20 +189,9 @@ int DetectHttpHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) &s->sm_lists[DETECT_SM_LIST_HHDMATCH], &s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]); - /* flag the signature to indicate that we scan the app layer data */ - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - return 0; - -error: - //if (cd != NULL) - // DetectHttpHeaderFree(cd); - // - //if (sm != NULL) - // SCFree(sm); - - return -1; + ret = 0; + end: + return ret; } /************************************Unittests*********************************/ @@ -1569,8 +1550,8 @@ int DetectHttpHeaderTest22(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " "(content:\"one\"; within:5; http_header; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } diff --git a/src/detect-http-hh.c b/src/detect-http-hh.c index 00bab6a1cf..d28d388278 100644 --- a/src/detect-http-hh.c +++ b/src/detect-http-hh.c @@ -95,84 +95,72 @@ void DetectHttpHHRegister(void) */ int DetectHttpHHSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - DetectContentData *cd = NULL; SigMatch *sm = NULL; + int ret = -1; if (arg != NULL && strcmp(arg, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_host not supplied with args"); - goto error; + SCLogError(SC_ERR_INVALID_ARGUMENT, "http_host shouldn't be supplied " + "with an argument"); + goto end; + } + + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_host\" keyword seen " + "with a sticky buffer still set. Reset sticky buffer " + "with pkt_data before using the modifier."); + goto end; + } + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " + "alproto set"); + goto end; } sm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - /* if we still can't find any previous content keywords, it's an invalid - * rule */ if (sm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_host\" keyword " "found inside the rule without a content context. " "Please use a \"content\" keyword before using the " "\"http_host\" keyword"); - goto error; + goto end; } - - cd = (DetectContentData *)sm->ctx; - - /* http_host should not be used with the rawbytes rule */ + DetectContentData *cd = (DetectContentData *)sm->ctx; if (cd->flags & DETECT_CONTENT_RAWBYTES) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_host rule can not " - "be used with the rawbytes rule keyword"); - goto error; - } - - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto error; - } - - if (s->flags & SIG_FLAG_TOCLIENT) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_host can not be used " - "with flow:to_client or flow:from_server. "); - goto error; + SCLogError(SC_ERR_INVALID_SIGNATURE, "http_host " + "rule can not be used with the rawbytes rule keyword"); + goto end; } - - if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) { + if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, sm->prev, DETECT_PCRE, sm->prev); - /* pm can be NULL now. To accomodate parsing sigs like - - * content:one; http_modifier; content:two; distance:0; http_modifier */ if (pm != NULL) { if (pm->type == DETECT_CONTENT) { DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; } else { DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~ DETECT_PCRE_RELATIVE_NEXT; + tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; } + } - } /* if (pm != NULL) */ - - /* reassigning pm */ pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]); - if (pm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_host seen with a " - "distance or within without a previous http_host " - "content. Invalidating signature."); - goto error; - } - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + if (pm != NULL) { + if (pm->type == DETECT_CONTENT) { + DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; + tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else { + DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; + tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } } } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HHHDMATCH); - sm->type = DETECT_CONTENT; + cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HHHDMATCH); + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; /* transfer the sm from the pmatch list to hhhdmatch list */ SigMatchTransferSigMatchAcrossLists(sm, @@ -181,14 +169,9 @@ int DetectHttpHHSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) &s->sm_lists[DETECT_SM_LIST_HHHDMATCH], &s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]); - /* flag the signature to indicate that we scan the app layer data */ - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - return 0; - -error: - return -1; + ret = 0; + end: + return ret; } /** @@ -2089,8 +2072,8 @@ int DetectHttpHHTest31(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " "(content:\"one\"; within:5; http_host; nocase; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } diff --git a/src/detect-http-hrh.c b/src/detect-http-hrh.c index 84a37b6cd0..87e4cc370d 100644 --- a/src/detect-http-hrh.c +++ b/src/detect-http-hrh.c @@ -95,84 +95,72 @@ void DetectHttpHRHRegister(void) */ int DetectHttpHRHSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - DetectContentData *cd = NULL; SigMatch *sm = NULL; + int ret = -1; if (arg != NULL && strcmp(arg, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_raw_host not supplied with args"); - goto error; + SCLogError(SC_ERR_INVALID_ARGUMENT, "http_raw_host shouldn't be supplied " + "with an argument"); + goto end; + } + + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_raw_host\" keyword seen " + "with a sticky buffer still set. Reset sticky buffer " + "with pkt_data before using the modifier."); + goto end; + } + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " + "alproto set"); + goto end; } sm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - /* if we still can't find any previous content keywords, it's an invalid - * rule */ if (sm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_raw_host\" keyword " "found inside the rule without a content context. " "Please use a \"content\" keyword before using the " "\"http_raw_host\" keyword"); - goto error; + goto end; } - - cd = (DetectContentData *)sm->ctx; - - /* http_raw_host should not be used with the rawbytes rule */ + DetectContentData *cd = (DetectContentData *)sm->ctx; if (cd->flags & DETECT_CONTENT_RAWBYTES) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_host rule can not " - "be used with the rawbytes rule keyword"); - goto error; - } - - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto error; - } - - if (s->flags & SIG_FLAG_TOCLIENT) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_host can not be used " - "with flow:to_client or flow:from_server. "); - goto error; + SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_host " + "rule can not be used with the rawbytes rule keyword"); + goto end; } - - if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) { + if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, sm->prev, DETECT_PCRE, sm->prev); - /* pm can be NULL now. To accomodate parsing sigs like - - * content:one; http_modifier; content:two; distance:0; http_modifier */ if (pm != NULL) { if (pm->type == DETECT_CONTENT) { DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; } else { DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~ DETECT_PCRE_RELATIVE_NEXT; + tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; } + } - } /* if (pm != NULL) */ - - /* reassigning pm */ pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); - if (pm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_host seen with a " - "distance or within without a previous http_raw_host " - "content. Invalidating signature."); - goto error; - } - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + if (pm != NULL) { + if (pm->type == DETECT_CONTENT) { + DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; + tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else { + DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; + tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } } } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HRHHDMATCH); - sm->type = DETECT_CONTENT; + cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HRHHDMATCH); + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; /* transfer the sm from the pmatch list to hrhhdmatch list */ SigMatchTransferSigMatchAcrossLists(sm, @@ -181,14 +169,9 @@ int DetectHttpHRHSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) &s->sm_lists[DETECT_SM_LIST_HRHHDMATCH], &s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); - /* flag the signature to indicate that we scan the app layer data */ - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - return 0; - -error: - return -1; + ret = 0; + end: + return ret; } /** @@ -2089,8 +2072,8 @@ int DetectHttpHRHTest31(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " "(content:\"one\"; within:5; http_raw_host; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } diff --git a/src/detect-http-method.c b/src/detect-http-method.c index 4d8accb1ae..5306da6820 100644 --- a/src/detect-http-method.c +++ b/src/detect-http-method.c @@ -95,47 +95,49 @@ void DetectHttpMethodRegister(void) { static int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s, char *str) { SCEnter(); - DetectContentData *cd = NULL; + SigMatch *sm = NULL; + int ret = -1; if ((str != NULL) && (strcmp(str, "") != 0)) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_method does not take an argument"); - SCReturnInt(-1); + SCLogError(SC_ERR_INVALID_ARGUMENT, "http_method shouldn't be supplied " + "with an argument"); + goto end; } - if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) { - SCLogError(SC_ERR_HTTP_METHOD_NEEDS_PRECEEDING_CONTENT, "http_method " - "modifies preceding \"content\", but none was found"); - SCReturnInt(-1); + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_method\" keyword seen " + "with a sticky buffer still set. Reset sticky buffer " + "with pkt_data before using the modifier."); + goto end; } + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " + "alproto set"); + goto end; + } + s->flags &= ~SIG_FLAG_TOCLIENT; + s->flags |= SIG_FLAG_TOSERVER; - SigMatch *sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); + sm = SigMatchGetLastSMFromLists(s, 2, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); if (sm == NULL) { - SCLogError(SC_ERR_HTTP_METHOD_NEEDS_PRECEEDING_CONTENT, "http_method " - "modifies preceding \"content\", but none was found"); - SCReturnInt(-1); + SCLogError(SC_ERR_HTTP_METHOD_NEEDS_PRECEEDING_CONTENT, + "\"http_method\" keyword found inside the rule without " + "a content context. Please use a \"content\" keyword " + "before using the \"http_cookie\" keyword"); + goto end; } - - cd = (DetectContentData *)sm->ctx; - + DetectContentData *cd = (DetectContentData *)sm->ctx; if (cd->flags & DETECT_CONTENT_RAWBYTES) { SCLogError(SC_ERR_HTTP_METHOD_INCOMPATIBLE_WITH_RAWBYTES, "http_method " - "cannot be used with \"rawbytes\""); - SCReturnInt(-1); - } - - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains keywords" - "that conflict with http_method"); - goto error; + "cannot be used with \"rawbytes\""); + goto end; } - - if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) { + if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, sm->prev, DETECT_PCRE, sm->prev); if (pm != NULL) { - /* pm is never NULL. So no NULL check */ if (pm->type == DETECT_CONTENT) { DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; @@ -143,30 +145,24 @@ static int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s, char *st DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; } - } /* if (pm != NULL) */ + } - /* please note. reassigning pm */ pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, - s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_PCRE, - s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]); - if (pm == NULL) { - SCLogError(SC_ERR_HTTP_METHOD_RELATIVE_MISSING, "http_method with " - "a distance or within requires preceding http_method " - "content, but none was found"); - goto error; - } - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]); + if (pm != NULL) { + if (pm->type == DETECT_CONTENT) { + DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; + tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else { + DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; + tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } } } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HMDMATCH); - sm->type = DETECT_CONTENT; + cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HMDMATCH); + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; /* transfer the sm from the pmatch list to hmdmatch list */ SigMatchTransferSigMatchAcrossLists(sm, @@ -175,14 +171,9 @@ static int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s, char *st &s->sm_lists[DETECT_SM_LIST_HMDMATCH], &s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]); - /* flag the signature to indicate that we scan the app layer data */ - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - SCReturnInt(0); - -error: - SCReturnInt(-1); + ret = 0; + end: + SCReturnInt(ret); } /** diff --git a/src/detect-http-raw-header.c b/src/detect-http-raw-header.c index 417aaf0fd7..4e94cf4fb9 100644 --- a/src/detect-http-raw-header.c +++ b/src/detect-http-raw-header.c @@ -114,47 +114,47 @@ void DetectHttpRawHeaderFree(void *ptr) */ int DetectHttpRawHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - DetectContentData *cd = NULL; SigMatch *sm = NULL; + int ret = -1; if (arg != NULL && strcmp(arg, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_raw_header supplied with no args"); - return -1; + SCLogError(SC_ERR_INVALID_ARGUMENT, "http_raw_header shouldn't be supplied with " + "an argument"); + goto end; + } + + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_rheader\" keyword seen " + "with a sticky buffer still set. Reset sticky buffer " + "with pkt_data before using the modifier."); + goto end; + } + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " + "alproto set"); + goto end; } - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - /* if still we are unable to find any previous content keywords, it is an - * invalid rule */ + sm = SigMatchGetLastSMFromLists(s, 2, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); if (sm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_raw_header\" keyword " "found inside the rule without a content context. " "Please use a \"content\" keyword before using the " "\"http_header\" keyword"); - return -1; + goto end; } - - cd = (DetectContentData *)sm->ctx; - - /* http_header should not be used with the rawbytes rule */ + DetectContentData *cd = (DetectContentData *)sm->ctx; if (cd->flags & DETECT_CONTENT_RAWBYTES) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_header rule can not " + SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_header rule can not " "be used with the rawbytes rule keyword"); - return -1; - } - - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto error; + goto end; } - - if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) { + if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, sm->prev, DETECT_PCRE, sm->prev); if (pm != NULL) { - /* pm is never NULL. So no NULL check */ if (pm->type == DETECT_CONTENT) { DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; @@ -162,30 +162,24 @@ int DetectHttpRawHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; } - } /* if (pm != NULL) */ + } - /* please note. reassigning pm */ pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, - s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_PCRE, - s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]); - if (pm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_header seen with a " - "distance or within without a previous http_raw_header " - "content. Invalidating signature."); - goto error; - } - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]); + if (pm != NULL) { + if (pm->type == DETECT_CONTENT) { + DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; + tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else { + DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; + tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } } } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HRUDMATCH); - sm->type = DETECT_CONTENT; + cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HRUDMATCH); + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; /* transfer the sm from the pmatch list to hrhdmatch list */ SigMatchTransferSigMatchAcrossLists(sm, @@ -194,19 +188,9 @@ int DetectHttpRawHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) &s->sm_lists[DETECT_SM_LIST_HRHDMATCH], &s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]); - /* flag the signature to indicate that we scan the app layer data */ - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - return 0; - -error: - //if (cd != NULL) - // DetectHttpRawHeaderFree(cd); - //if (sm != NULL) - // SCFree(sm); - - return -1; + ret = 0; + end: + return ret; } /************************************Unittests*********************************/ @@ -1564,8 +1548,8 @@ int DetectHttpRawHeaderTest22(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " "(flow:to_server; content:\"one\"; within:5; http_raw_header; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } diff --git a/src/detect-http-raw-uri.c b/src/detect-http-raw-uri.c index bf0edb4e2f..adf701bfdc 100644 --- a/src/detect-http-raw-uri.c +++ b/src/detect-http-raw-uri.c @@ -88,15 +88,30 @@ void DetectHttpRawUriRegister(void) */ static int DetectHttpRawUriSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - DetectContentData *cd = NULL; SigMatch *sm = NULL; + int ret = -1; if (arg != NULL && strcmp(arg, "") != 0) { SCLogError(SC_ERR_INVALID_ARGUMENT, "http_raw_uri shouldn't be " "supplied with an argument"); - goto error; + goto end; + } + + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_uri\" keyword seen " + "with a sticky buffer still set. Reset sticky buffer " + "with pkt_data before using the modifier."); + goto end; + } + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " + "alproto set"); + goto end; } + s->flags &= ~SIG_FLAG_TOCLIENT; + s->flags |= SIG_FLAG_TOSERVER; + /* retrieve the content to apply it against */ sm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); if (sm == NULL) { @@ -104,30 +119,18 @@ static int DetectHttpRawUriSetup(DetectEngineCtx *de_ctx, Signature *s, char *ar "found inside the rule without a content context. " "Please use a \"content\" keyword before using the " "\"http_raw_uri\" keyword"); - goto error; + goto end; } - - cd = (DetectContentData *)sm->ctx; - - /* http_raw_uri should not be used with the rawbytes rule */ + DetectContentData *cd = (DetectContentData *)sm->ctx; if (cd->flags & DETECT_CONTENT_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_uri rule can not " "be used with the rawbytes rule keyword"); - goto error; - } - - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto error; + goto end; } - - if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) { + if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, sm->prev, DETECT_PCRE, sm->prev); - /* pm can be NULL now. To accomodate parsing sigs like - - * content:one; http_modifier; content:two; distance:0; http_modifier */ if (pm != NULL) { if (pm->type == DETECT_CONTENT) { DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; @@ -136,30 +139,25 @@ static int DetectHttpRawUriSetup(DetectEngineCtx *de_ctx, Signature *s, char *ar DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; } - } /* if (pm != NULL) */ + } - /* reassigning pm */ pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, - s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_PCRE, - s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]); - if (pm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "rawuricontent seen with a " - "distance or within without a previous http_raw_uri " - "content. Invalidating signature."); - goto error; - } - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]); + if (pm != NULL) { + if (pm->type == DETECT_CONTENT) { + DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; + tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else { + DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; + tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } } } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HRUDMATCH); - sm->type = DETECT_CONTENT; + cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HRUDMATCH); + /* Flagged the signature as to inspect the app layer data */ + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; /* transfer the sm from the pmatch list to hrudmatch list */ SigMatchTransferSigMatchAcrossLists(sm, @@ -168,14 +166,10 @@ static int DetectHttpRawUriSetup(DetectEngineCtx *de_ctx, Signature *s, char *ar &s->sm_lists[DETECT_SM_LIST_HRUDMATCH], &s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]); - /* Flagged the signature as to inspect the app layer data */ - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; + ret = 0; - return 0; - -error: - return -1; + end: + return ret; } @@ -726,8 +720,8 @@ int DetectHttpRawUriTest14(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " "(content:\"one\"; within:5; http_raw_uri; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } diff --git a/src/detect-http-server-body.c b/src/detect-http-server-body.c index 9c417def01..7c3ce4792b 100644 --- a/src/detect-http-server-body.c +++ b/src/detect-http-server-body.c @@ -95,81 +95,75 @@ void DetectHttpServerBodyRegister(void) */ int DetectHttpServerBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - DetectContentData *cd = NULL; SigMatch *sm = NULL; + int ret = -1; if (arg != NULL && strcmp(arg, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_server_body supplied with args"); - return -1; + SCLogError(SC_ERR_INVALID_ARGUMENT, "http_server_body shouldn't be supplied with " + "an argument"); + goto end; } - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - /* if still we are unable to find any content previous keywords, it is an - * invalid rule */ + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_server_body\" keyword seen " + "with a sticky buffer still set. Reset sticky buffer " + "with pkt_data before using the modifier."); + goto end; + } + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " + "alproto set"); + goto end; + } + s->flags &= ~SIG_FLAG_TOSERVER; + s->flags |= SIG_FLAG_TOCLIENT; + + sm = SigMatchGetLastSMFromLists(s, 2, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); if (sm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_server_body\" keyword " "found inside the rule without a content context. " "Please use a \"content\" keyword before using the " "\"http_server_body\" keyword"); - return -1; + goto end; } - - cd = (DetectContentData *)sm->ctx; - - /* http_server_body should not be used with the rawbytes rule */ + DetectContentData *cd = (DetectContentData *)sm->ctx; if (cd->flags & DETECT_CONTENT_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "http_server_body rule can not " "be used with the rawbytes rule keyword"); - return -1; - } - if ((s->init_flags & SIG_FLAG_INIT_FLOW) && (s->flags & SIG_FLAG_TOSERVER) && !(s->flags & SIG_FLAG_TOCLIENT)) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_server_body cannot be used with flow:to_server or from_client"); - return -1; - } - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto error; + goto end; } - - if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) { + if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, sm->prev, DETECT_PCRE, sm->prev); - /* pm can be NULL now. To accomodate parsing sigs like - - * content:one; http_modifier; content:two; distance:0; http_modifier */ if (pm != NULL) { if (pm->type == DETECT_CONTENT) { DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; } else { DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~ DETECT_PCRE_RELATIVE_NEXT; + tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; } + } - } /* if (pm != NULL) */ - - /* reassigning pm */ pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]); - if (pm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_server_body seen with a " - "distance or within without a previous http_server_body " - "content. Invalidating signature."); - goto error; - } - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + if (pm != NULL) { + if (pm->type == DETECT_CONTENT) { + DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; + tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else { + DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; + tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } } } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HSBDMATCH); - sm->type = DETECT_CONTENT; + cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HSBDMATCH); + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; + AppLayerHtpEnableResponseBodyCallback(); /* transfer the sm from the pmatch list to hsbdmatch list */ SigMatchTransferSigMatchAcrossLists(sm, @@ -178,22 +172,9 @@ int DetectHttpServerBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) &s->sm_lists[DETECT_SM_LIST_HSBDMATCH], &s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]); - /* flag the signature to indicate that we scan the app layer data */ - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - /* enable http request body callback in the http app layer parser */ - AppLayerHtpEnableResponseBodyCallback(); - - return 0; - -error: - //if (cd != NULL) - // DetectHttpServerBodyFree(cd); - //if (sm != NULL) - // SCFree(sm); - - return -1; + ret = 0; + end: + return ret; } /** @@ -2393,8 +2374,8 @@ int DetectHttpServerBodyTest31(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " "(content:\"one\"; within:5; http_server_body; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } diff --git a/src/detect-http-stat-code.c b/src/detect-http-stat-code.c index 5030ceeb6c..f28c67f47a 100644 --- a/src/detect-http-stat-code.c +++ b/src/detect-http-stat-code.c @@ -96,80 +96,76 @@ void DetectHttpStatCodeRegister (void) { * \retval -1 On failure */ -static int DetectHttpStatCodeSetup (DetectEngineCtx *de_ctx, Signature *s, char *arg) +static int DetectHttpStatCodeSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - DetectContentData *cd = NULL; SigMatch *sm = NULL; + int ret = -1; if (arg != NULL && strcmp(arg, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_stat_code supplied with args"); - return -1; + SCLogError(SC_ERR_INVALID_ARGUMENT, "http_stat_code shouldn't be supplied with " + "an argument"); + goto end; + } + + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_stat_code\" keyword seen " + "with a sticky buffer still set. Reset sticky buffer " + "with pkt_data before using the modifier."); + goto end; + } + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " + "alproto set"); + goto end; } + s->flags &= ~SIG_FLAG_TOSERVER; + s->flags |= SIG_FLAG_TOCLIENT; - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - /* if still we are unable to find any content previous keywords, it is an - * invalid rule */ + sm = SigMatchGetLastSMFromLists(s, 2, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); if (sm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_stat_code\" keyword " "found inside the rule without a content context. " "Please use a \"content\" keyword before using the " "\"http_stat_code\" keyword"); - return -1; + goto end; } - - cd = (DetectContentData *)sm->ctx; - - /* http_stat_msg should not be used with the rawbytes rule */ + DetectContentData *cd = (DetectContentData *)sm->ctx; if (cd->flags & DETECT_CONTENT_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "http_stat_code rule can not " "be used with the rawbytes rule keyword"); - return -1; - } - - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto error; + goto end; } - - if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) { + if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, sm->prev, DETECT_PCRE, sm->prev); - /* pm can be NULL now. To accomodate parsing sigs like - - * content:one; http_modifier; content:two; distance:0; http_modifier */ if (pm != NULL) { if (pm->type == DETECT_CONTENT) { DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; } else { DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~ DETECT_PCRE_RELATIVE_NEXT; + tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; } + } - } /* if (pm != NULL) */ - - /* reassigning pm */ pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]); - if (pm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_stat_code seen with a " - "distance or within without a previous http_stat_code " - "content. Invalidating signature."); - goto error; - } - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + if (pm != NULL) { + if (pm->type == DETECT_CONTENT) { + DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; + tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else { + DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; + tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } } } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HSCDMATCH); - sm->type = DETECT_CONTENT; + cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HSCDMATCH); + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; /* transfer the sm from the pmatch list to hcbdmatch list */ SigMatchTransferSigMatchAcrossLists(sm, @@ -178,15 +174,9 @@ static int DetectHttpStatCodeSetup (DetectEngineCtx *de_ctx, Signature *s, char &s->sm_lists[DETECT_SM_LIST_HSCDMATCH], &s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]); - /* flag the signature to indicate that we scan the app layer data */ - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - return 0; - -error: - - return -1; + ret = 0; + end: + return ret; } #ifdef UNITTESTS diff --git a/src/detect-http-stat-msg.c b/src/detect-http-stat-msg.c index 5d729b38fb..662e54cda7 100644 --- a/src/detect-http-stat-msg.c +++ b/src/detect-http-stat-msg.c @@ -64,7 +64,7 @@ int DetectHttpStatMsgMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t , void *, Signature *, SigMatch *); -static int DetectHttpStatMsgSetup (DetectEngineCtx *, Signature *, char *); +static int DetectHttpStatMsgSetup(DetectEngineCtx *, Signature *, char *); void DetectHttpStatMsgRegisterTests(void); void DetectHttpStatMsgFree(void *); @@ -96,80 +96,76 @@ void DetectHttpStatMsgRegister (void) { * \retval -1 On failure */ -static int DetectHttpStatMsgSetup (DetectEngineCtx *de_ctx, Signature *s, char *arg) +static int DetectHttpStatMsgSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - DetectContentData *cd = NULL; SigMatch *sm = NULL; + int ret = -1; if (arg != NULL && strcmp(arg, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_stat_msg supplied with args"); - return -1; + SCLogError(SC_ERR_INVALID_ARGUMENT, "http_stat_msg shouldn't be supplied with " + "an argument"); + goto end; + } + + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_stat_msg\" keyword seen " + "with a sticky buffer still set. Reset sticky buffer " + "with pkt_data before using the modifier."); + goto end; + } + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " + "alproto set"); + goto end; } + s->flags &= ~SIG_FLAG_TOSERVER; + s->flags |= SIG_FLAG_TOCLIENT; - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - /* if still we are unable to find any content previous keywords, it is an - * invalid rule */ + sm = SigMatchGetLastSMFromLists(s, 2, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); if (sm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_stat_msg\" keyword " "found inside the rule without a content context. " "Please use a \"content\" keyword before using the " "\"http_stat_msg\" keyword"); - return -1; + goto end; } - - cd = (DetectContentData *)sm->ctx; - - /* http_stat_msg should not be used with the rawbytes rule */ + DetectContentData *cd = (DetectContentData *)sm->ctx; if (cd->flags & DETECT_CONTENT_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "http_stat_msg rule can not " "be used with the rawbytes rule keyword"); - return -1; - } - - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto error; + goto end; } - - if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) { + if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, sm->prev, DETECT_PCRE, sm->prev); - /* pm can be NULL now. To accomodate parsing sigs like - - * content:one; http_modifier; content:two; distance:0; http_modifier */ if (pm != NULL) { if (pm->type == DETECT_CONTENT) { DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; } else { DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~ DETECT_PCRE_RELATIVE_NEXT; + tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; } + } - } /* if (pm != NULL) */ - - /* reassigning pm */ pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]); - if (pm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_stat_msg seen with a " - "distance or within without a previous http_stat_msg " - "content. Invalidating signature."); - goto error; - } - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + if (pm != NULL) { + if (pm->type == DETECT_CONTENT) { + DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; + tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else { + DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; + tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } } } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HSMDMATCH); - sm->type = DETECT_CONTENT; + cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HSMDMATCH); + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; /* transfer the sm from the pmatch list to hcbdmatch list */ SigMatchTransferSigMatchAcrossLists(sm, @@ -178,15 +174,9 @@ static int DetectHttpStatMsgSetup (DetectEngineCtx *de_ctx, Signature *s, char * &s->sm_lists[DETECT_SM_LIST_HSMDMATCH], &s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]); - /* flag the signature to indicate that we scan the app layer data */ - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - return 0; - -error: - - return -1; + ret = 0; + end: + return ret; } #ifdef UNITTESTS diff --git a/src/detect-http-ua.c b/src/detect-http-ua.c index 9e361763e9..ef8e720392 100644 --- a/src/detect-http-ua.c +++ b/src/detect-http-ua.c @@ -96,84 +96,74 @@ void DetectHttpUARegister(void) */ int DetectHttpUASetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - DetectContentData *cd = NULL; SigMatch *sm = NULL; + int ret = -1; if (arg != NULL && strcmp(arg, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_user_agent supplied with args"); - goto error; + SCLogError(SC_ERR_INVALID_ARGUMENT, "http_user_agent shouldn't be supplied " + "with an argument"); + goto end; } + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_user_agent\" keyword seen " + "with a sticky buffer still set. Reset sticky buffer " + "with pkt_data before using the modifier."); + goto end; + } + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " + "alproto set"); + goto end; + } + s->flags &= ~SIG_FLAG_TOCLIENT; + s->flags |= SIG_FLAG_TOSERVER; + sm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - /* if we still can't find any previous content keywords, it's an invalid - * rule */ if (sm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_user_agent\" keyword " "found inside the rule without a content context. " "Please use a \"content\" keyword before using the " "\"http_user_agent\" keyword"); - goto error; + goto end; } - - cd = (DetectContentData *)sm->ctx; - - /* http_user_agent should not be used with the rawbytes rule */ + DetectContentData *cd = (DetectContentData *)sm->ctx; if (cd->flags & DETECT_CONTENT_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "http_user_agent rule can not " "be used with the rawbytes rule keyword"); - goto error; - } - - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto error; - } - - if (s->flags & SIG_FLAG_TOCLIENT) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_user_agent can not be used " - "with flow:to_client or flow:from_server. "); - goto error; + goto end; } - - if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) { + if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, sm->prev, DETECT_PCRE, sm->prev); - /* pm can be NULL now. To accomodate parsing sigs like - - * content:one; http_modifier; content:two; distance:0; http_modifier */ if (pm != NULL) { if (pm->type == DETECT_CONTENT) { DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; } else { DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~ DETECT_PCRE_RELATIVE_NEXT; + tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; } + } - } /* if (pm != NULL) */ - - /* reassigning pm */ pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]); - if (pm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_user_agent seen with a " - "distance or within without a previous http_user_agent " - "content. Invalidating signature."); - goto error; - } - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + if (pm != NULL) { + if (pm->type == DETECT_CONTENT) { + DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; + tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else { + DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; + tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } } } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HUADMATCH); - sm->type = DETECT_CONTENT; + cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HUADMATCH); + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; /* transfer the sm from the pmatch list to huadmatch list */ SigMatchTransferSigMatchAcrossLists(sm, @@ -182,14 +172,9 @@ int DetectHttpUASetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) &s->sm_lists[DETECT_SM_LIST_HUADMATCH], &s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]); - /* flag the signature to indicate that we scan the app layer data */ - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - return 0; - -error: - return -1; + ret = 0; + end: + return ret; } /** @@ -2090,8 +2075,8 @@ int DetectHttpUATest31(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " "(content:\"one\"; within:5; http_user_agent; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } diff --git a/src/detect-http-uri.c b/src/detect-http-uri.c index 1fcb302030..3390f7317a 100644 --- a/src/detect-http-uri.c +++ b/src/detect-http-uri.c @@ -55,7 +55,7 @@ #include "detect-uricontent.h" #include "stream-tcp.h" -static int DetectHttpUriSetup (DetectEngineCtx *, Signature *, char *); +int DetectHttpUriSetup (DetectEngineCtx *, Signature *, char *); void DetectHttpUriRegisterTests(void); /** @@ -87,48 +87,50 @@ void DetectHttpUriRegister (void) { * \retval -1 On failure */ -static int DetectHttpUriSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) +int DetectHttpUriSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) { - DetectContentData *cd = NULL; SigMatch *sm = NULL; + int ret = -1; if (str != NULL && strcmp(str, "") != 0) { SCLogError(SC_ERR_INVALID_ARGUMENT, "http_uri shouldn't be supplied with " - " an argument"); - return -1; + "an argument"); + goto end; + } + + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_uri\" keyword seen " + "with a sticky buffer still set. Reset sticky buffer " + "with pkt_data before using the modifier."); + goto end; + } + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " + "alproto set"); + goto end; } + s->flags &= ~SIG_FLAG_TOCLIENT; + s->flags |= SIG_FLAG_TOSERVER; - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); + sm = SigMatchGetLastSMFromLists(s, 2, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); if (sm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_uri\" keyword " "found inside the rule without a content context. " "Please use a \"content\" keyword before using the " "\"http_uri\" keyword"); - return -1; + goto end; } - - cd = (DetectContentData *)sm->ctx; - - /* http_uri should not be used with the rawbytes rule */ + DetectContentData *cd = (DetectContentData *)sm->ctx; if (cd->flags & DETECT_CONTENT_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "http_uri rule can not " "be used with the rawbytes rule keyword"); - return -1; - } - - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto error; + goto end; } - - if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) { + if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, sm->prev, DETECT_PCRE, sm->prev); - /* pm can be NULL now. To accomodate parsing sigs like - - * content:one; http_modifier; content:two; distance:0; http_modifier */ if (pm != NULL) { if (pm->type == DETECT_CONTENT) { DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; @@ -137,38 +139,36 @@ static int DetectHttpUriSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; } - } /* if (pm != NULL) */ - - /* reassigning pm */ - pm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]); - if (pm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "uricontent seen with a " - "distance or within without a previous http_uri " - "content. Invalidating signature."); - goto error; } - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + + pm = SigMatchGetLastSMFromLists(s, 4, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]); + if (pm != NULL) { + if (pm->type == DETECT_CONTENT) { + DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; + tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else { + DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; + tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } + } } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_UMATCH); - sm->type = DETECT_CONTENT; + cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_UMATCH); + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; - /* transfer the sm from the pmatch list to hcbdmatch list */ + /* transfer the sm from the pmatch list to umatch list */ SigMatchTransferSigMatchAcrossLists(sm, &s->sm_lists[DETECT_SM_LIST_PMATCH], &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], &s->sm_lists[DETECT_SM_LIST_UMATCH], &s->sm_lists_tail[DETECT_SM_LIST_UMATCH]); - /* Flagged the signature as to inspect the app layer data */ - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - return 0; + ret = 0; -error: - return -1; + end: + return ret; } @@ -679,8 +679,8 @@ int DetectHttpUriTest14(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " "(content:\"one\"; within:5; http_uri; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index 6d1bb58d0a..9e2d31cd32 100644 --- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c @@ -63,7 +63,8 @@ void DetectIsdataatFree(void *); /** * \brief Registration function for isdataat: keyword */ -void DetectIsdataatRegister (void) { +void DetectIsdataatRegister(void) +{ sigmatch_table[DETECT_ISDATAAT].name = "isdataat"; sigmatch_table[DETECT_ISDATAAT].desc = "check if there is still data at a specific part of the payload"; sigmatch_table[DETECT_ISDATAAT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Isadataat"; @@ -248,191 +249,171 @@ error: */ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatstr) { - DetectIsdataatData *idad = NULL; SigMatch *sm = NULL; SigMatch *prev_pm = NULL; + DetectIsdataatData *idad = NULL; char *offset = NULL; + int ret = -1; idad = DetectIsdataatParse(isdataatstr, &offset); if (idad == NULL) - goto error; - - sm = SigMatchAlloc(); - if (sm == NULL) - goto error; - - sm->type = DETECT_ISDATAAT; - sm->ctx = (void *)idad; + goto end; - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { - int sm_list; + int sm_list; + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { AppLayerHtpEnableResponseBodyCallback(); + s->alproto = ALPROTO_HTTP; sm_list = DETECT_SM_LIST_HSBDMATCH; } else { sm_list = DETECT_SM_LIST_DMATCH; } - + s->flags |= SIG_FLAG_APPLAYER; if (idad->flags & ISDATAAT_RELATIVE) { - s->flags |= SIG_FLAG_APPLAYER; - SigMatchAppendSMToList(s, sm, sm_list); - prev_pm = SigMatchGetLastSMFromLists(s, 10, + prev_pm = SigMatchGetLastSMFromLists(s, 4, DETECT_CONTENT, s->sm_lists_tail[sm_list], - DETECT_PCRE, s->sm_lists_tail[sm_list], - DETECT_BYTEJUMP, s->sm_lists_tail[sm_list], - DETECT_BYTE_EXTRACT, s->sm_lists_tail[sm_list], - DETECT_BYTETEST, s->sm_lists_tail[sm_list]); - if (prev_pm == NULL) { - SCLogDebug("No preceding content or pcre keyword. Possible " - "since this is a file_data sig."); - if (offset != NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in isdataat - %s", offset); - goto error; - } - idad->flags &= ~ISDATAAT_RELATIVE; - return 0; - } + DETECT_PCRE, s->sm_lists_tail[sm_list]); } + } else if (idad->flags & ISDATAAT_RELATIVE) { + prev_pm = SigMatchGetLastSMFromLists(s, 168, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], + + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); + if (prev_pm == NULL) + sm_list = DETECT_SM_LIST_PMATCH; + else + sm_list = SigMatchListSMBelongsTo(s, prev_pm); } else { - if (!(idad->flags & ISDATAAT_RELATIVE)) { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); - if (offset != NULL) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(offset, s, - SigMatchListSMBelongsTo(s, sm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in isdataat - %s\n", offset); - goto error; - } - DetectIsdataatData *isdd = sm->ctx; - isdd->dataat = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - isdd->flags |= ISDATAAT_OFFSET_BE; - SCFree(offset); - } - return 0; - } - prev_pm = SigMatchGetLastSMFromLists(s, 66, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], - DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]); - if (prev_pm == NULL) { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); - if (offset != NULL) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(offset, s, - SigMatchListSMBelongsTo(s, sm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in isdataat - %s\n", offset); - goto error; - } - DetectIsdataatData *isdd = sm->ctx; - isdd->dataat = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - isdd->flags |= ISDATAAT_OFFSET_BE; - SCFree(offset); - } - SCReturnInt(0); - } else { - int list_type = SigMatchListSMBelongsTo(s, prev_pm); - if (list_type == -1) { - goto error; - } - - SigMatchAppendSMToList(s, sm, list_type); - } /* else - if (prev_pm == NULL) */ + sm_list = DETECT_SM_LIST_PMATCH; } if (offset != NULL) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(offset, s, - SigMatchListSMBelongsTo(s, sm)); + SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s, sm_list); if (bed_sm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " "seen in isdataat - %s\n", offset); - goto error; + goto end; } - DetectIsdataatData *isdd = sm->ctx; - isdd->dataat = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - isdd->flags |= ISDATAAT_OFFSET_BE; + idad->dataat = ((DetectByteExtractData *)bed_sm->ctx)->local_id; + idad->flags |= ISDATAAT_OFFSET_BE; SCFree(offset); } - DetectContentData *cd = NULL; - DetectPcreData *pe = NULL; - - switch (prev_pm->type) { - case DETECT_CONTENT: - /* Set the relative next flag on the prev sigmatch */ - cd = (DetectContentData *)prev_pm->ctx; - if (cd == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - return -1; - } - cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - - break; - - case DETECT_PCRE: - pe = (DetectPcreData *)prev_pm->ctx; - if (pe == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - return -1; - } - pe->flags |= DETECT_PCRE_RELATIVE_NEXT; + sm = SigMatchAlloc(); + if (sm == NULL) + goto end; + sm->type = DETECT_ISDATAAT; + sm->ctx = (void *)idad; + SigMatchAppendSMToList(s, sm, sm_list); - break; + if (!(idad->flags & ISDATAAT_RELATIVE)) { + ret = 0; + goto end; + } - case DETECT_BYTEJUMP: - case DETECT_BYTETEST: - case DETECT_BYTE_EXTRACT: - SCLogDebug("Do nothing for byte_jump, byte_test, byte_extract"); - break; + if (prev_pm == NULL) { + ret = 0; + goto end; + } - default: - /* this will never hit */ - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); - return -1; - } /* switch */ + if (prev_pm->type == DETECT_CONTENT) { + DetectContentData *cd = (DetectContentData *)prev_pm->ctx; + cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else if (prev_pm->type == DETECT_PCRE) { + DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx; + pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } - return 0; + ret = 0; -error: - return -1; +end: + return ret; } /** @@ -1060,7 +1041,7 @@ static int DetectIsdataatTestParse15(void) } data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx; - if ( (data->flags & ISDATAAT_RELATIVE) || + if ( !(data->flags & ISDATAAT_RELATIVE) || (data->flags & ISDATAAT_RAWBYTES) || !(data->flags & ISDATAAT_NEGATED) ) { goto end; diff --git a/src/detect-nocase.c b/src/detect-nocase.c index 4325aff66e..6bab8f271e 100644 --- a/src/detect-nocase.c +++ b/src/detect-nocase.c @@ -44,7 +44,8 @@ static int DetectNocaseSetup (DetectEngineCtx *, Signature *, char *); -void DetectNocaseRegister (void) { +void DetectNocaseRegister(void) +{ sigmatch_table[DETECT_NOCASE].name = "nocase"; sigmatch_table[DETECT_NOCASE].desc = "modify content match to be case insensitive"; sigmatch_table[DETECT_NOCASE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Nocase"; @@ -70,64 +71,60 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls { SCEnter(); + SigMatch *pm = NULL; + int ret = -1; + if (nullstr != NULL) { SCLogError(SC_ERR_INVALID_VALUE, "nocase has value"); - SCReturnInt(-1); + goto end; } - /* Search for the first previous SigMatch that supports nocase */ - SigMatch *pm = SigMatchGetLastSMFromLists(s, 30, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); + /* retrive the sm to apply the depth against */ + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) + pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]); + else + pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); + } else { + pm = SigMatchGetLastSMFromLists(s, 28, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); + } if (pm == NULL) { - SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "\"nocase\" needs a preceding " - "content, uricontent, http_client_body, http_server_body, " - "http_header, http_method, http_uri, http_cookie, " - "http_raw_uri, http_stat_msg, http_stat_code, " - "http_user_agent, http_host or http_raw_host option or " - "file_data/dce_stub_data sticky buffer option"); - SCReturnInt(-1); + SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "nocase needs " + "preceding content, uricontent option, http_client_body, " + "http_server_body, http_header option, http_raw_header option, " + "http_method option, http_cookie, http_raw_uri, " + "http_stat_msg, http_stat_code, http_user_agent or " + "file_data/dce_stub_data sticky buffer options"); + goto end; } - DetectContentData *cd = NULL; - - switch (pm->type) { - case DETECT_CONTENT: - cd = (DetectContentData *)pm->ctx; - if (cd == NULL) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument"); - SCReturnInt(-1); - } - if (cd->flags & DETECT_CONTENT_NOCASE) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple nocase modifiers with the same content"); - SCReturnInt(-1); - } - cd->flags |= DETECT_CONTENT_NOCASE; - /* Recreate the context with nocase chars */ - BoyerMooreCtxToNocase(cd->bm_ctx, cd->content, cd->content_len); - break; - /* should never happen */ - default: - SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "\"nocase\" needs a preceding " - "content, uricontent, http_client_body, http_server_body, " - "http_header, http_method, http_uri, http_cookie or " - "http_raw_uri option"); - SCReturnInt(-1); - break; + + /* verify other conditions. */ + DetectContentData *cd = (DetectContentData *)pm->ctx;; + + if (cd->flags & DETECT_CONTENT_NOCASE) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple nocase modifiers with the same content"); + goto end; } + cd->flags |= DETECT_CONTENT_NOCASE; + /* Recreate the context with nocase chars */ + BoyerMooreCtxToNocase(cd->bm_ctx, cd->content, cd->content_len); - SCReturnInt(0); + ret = 0; + end: + SCReturnInt(ret); } diff --git a/src/detect-offset.c b/src/detect-offset.c index 84e17ce4f2..afbe44cf6b 100644 --- a/src/detect-offset.c +++ b/src/detect-offset.c @@ -39,7 +39,7 @@ #include "util-debug.h" -static int DetectOffsetSetup (DetectEngineCtx *, Signature *, char *); +static int DetectOffsetSetup(DetectEngineCtx *, Signature *, char *); void DetectOffsetRegister (void) { sigmatch_table[DETECT_OFFSET].name = "offset"; @@ -58,121 +58,103 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr) char *str = offsetstr; char dubbed = 0; SigMatch *pm = NULL; + int ret = -1; /* strip "'s */ - if (offsetstr[0] == '\"' && offsetstr[strlen(offsetstr)-1] == '\"') { + if (offsetstr[0] == '\"' && offsetstr[strlen(offsetstr)-1] == '\"') { str = SCStrdup(offsetstr+1); if (unlikely(str == NULL)) - goto error; - str[strlen(offsetstr)-2] = '\0'; + goto end; + str[strlen(offsetstr) - 2] = '\0'; dubbed = 1; } - pm = SigMatchGetLastSMFromLists(s, 30, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); + /* retrive the sm to apply the depth against */ + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA || s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) + pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]); + else + pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); + } else { + pm = SigMatchGetLastSMFromLists(s, 28, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); + } if (pm == NULL) { SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs " "preceding content, uricontent option, http_client_body, " - "http_header, http_raw_header, http_method, " - "http_cookie, http_raw_uri, http_stat_msg, " - "http_stat_code, http_user_agent or " - "file_data/dce_stub_data sticky buffers"); - if (dubbed) - SCFree(str); - return -1; + "http_server_body, http_header option, http_raw_header option, " + "http_method option, http_cookie, http_raw_uri, " + "http_stat_msg, http_stat_code, http_user_agent or " + "file_data/dce_stub_data sticky buffer options"); + goto end; } - DetectContentData *cd = NULL; - switch (pm->type) { - case DETECT_CONTENT: - cd = (DetectContentData *)pm->ctx; - if (cd == NULL) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument"); - if (dubbed) - SCFree(str); - return -1; - } - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a relative keyword " - "with a non-relative keyword for the same content." ); - goto error; - } + /* verify other conditions */ + DetectContentData *cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_OFFSET) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple offsets for the same content. "); - goto error; - } - - if (str[0] != '-' && isalpha((unsigned char)str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var " - "seen in offset - %s\n", str); - goto error; - } - cd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_OFFSET_BE; - } else { - cd->offset = (uint32_t)atoi(str); - if (cd->depth != 0) { - if (cd->depth < cd->content_len) { - SCLogDebug("depth increased to %"PRIu32" to match pattern len", - cd->content_len); - cd->depth = cd->content_len; - } - /* Updating the depth as is relative to the offset */ - cd->depth += cd->offset; - } + if (cd->flags & DETECT_CONTENT_OFFSET) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple offsets for the same content. "); + goto end; + } + if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a relative " + "keyword like within/distance with a absolute " + "relative keyword like depth/offset for the same " + "content." ); + goto end; + } + if (cd->flags & DETECT_CONTENT_NEGATED && cd->flags & DETECT_CONTENT_FAST_PATTERN) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative " + "negated keyword set along with a fast_pattern"); + goto end; + } + if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative " + "keyword set along with a fast_pattern:only;"); + goto end; + } + if (str[0] != '-' && isalpha((unsigned char)str[0])) { + SigMatch *bed_sm = + DetectByteExtractRetrieveSMVar(str, s, SigMatchListSMBelongsTo(s, pm)); + if (bed_sm == NULL) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var " + "seen in offset - %s\n", str); + goto end; + } + cd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id; + cd->flags |= DETECT_CONTENT_OFFSET_BE; + } else { + cd->offset = (uint32_t)atoi(str); + if (cd->depth != 0) { + if (cd->depth < cd->content_len) { + SCLogDebug("depth increased to %"PRIu32" to match pattern len", + cd->content_len); + cd->depth = cd->content_len; } - - cd->flags |= DETECT_CONTENT_OFFSET; - - break; - - default: - SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs a preceding" - " content keyword"); - goto error; + /* Updating the depth as is relative to the offset */ + cd->depth += cd->offset; + } } + cd->flags |= DETECT_CONTENT_OFFSET; + ret = 0; + end: if (dubbed) SCFree(str); - return 0; - -error: - if (dubbed) - SCFree(str); - return -1; + return ret; } diff --git a/src/detect-parse.c b/src/detect-parse.c index ccae056039..7176d0a4d9 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -1034,6 +1034,26 @@ static int SigValidate(Signature *s) { } } + uint32_t sig_flags = 0; + if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL || + s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL || + s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL || + s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL || + s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL) { + sig_flags |= SIG_FLAG_TOSERVER; + } + if (s->sm_lists[DETECT_SM_LIST_HSBDMATCH] != NULL || + s->sm_lists[DETECT_SM_LIST_HSMDMATCH] != NULL || + s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL) { + sig_flags |= SIG_FLAG_TOCLIENT; + } + if ((sig_flags & (SIG_FLAG_TOCLIENT | SIG_FLAG_TOSERVER)) == (SIG_FLAG_TOCLIENT | SIG_FLAG_TOSERVER)) { + SCLogError(SC_ERR_INVALID_SIGNATURE,"You seem to have mixed keywords " + "that require inspection in both directions. Atm we only " + "support keywords in one direction within a rule."); + SCReturnInt(0); + } + if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) { if ((s->flags & (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) == (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) { SCLogError(SC_ERR_INVALID_SIGNATURE,"http_raw_header signature " diff --git a/src/detect-pcre.c b/src/detect-pcre.c index 9620945eec..33d40daf03 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -620,253 +620,155 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst SCEnter(); DetectPcreData *pd = NULL; SigMatch *sm = NULL; - SigMatch *prev_sm = NULL; + int ret = -1; pd = DetectPcreParse(de_ctx, regexstr); if (pd == NULL) goto error; - - if ((pd->flags & DETECT_PCRE_HTTP_CLIENT_BODY) && (s->init_flags & SIG_FLAG_INIT_FLOW) - && (s->flags & SIG_FLAG_TOCLIENT) && !(s->flags & SIG_FLAG_TOSERVER)) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Can't use pcre /P with flow:from_server or flow:to_client"); - goto error; - } - if (((pd->flags & DETECT_PCRE_URI) || (pd->flags & DETECT_PCRE_HTTP_RAW_URI)) - && (s->init_flags & SIG_FLAG_INIT_FLOW) && (s->flags & SIG_FLAG_TOCLIENT) && !(s->flags & SIG_FLAG_TOSERVER)) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Can't use pcre /U or /I with flow:from_server or flow:to_client"); - goto error; - } - - /* check pcre modifiers against the signature alproto. In case they conflict - * chuck out invalid signature */ - switch (s->alproto) { - case ALPROTO_DCERPC: - if ( (pd->flags & DETECT_PCRE_URI) || - (pd->flags & DETECT_PCRE_METHOD) || - (pd->flags & DETECT_PCRE_HEADER) || - (pd->flags & DETECT_PCRE_RAW_HEADER) || - (pd->flags & DETECT_PCRE_COOKIE) || - (pd->flags & DETECT_PCRE_HTTP_STAT_MSG) || - (pd->flags & DETECT_PCRE_HTTP_STAT_CODE) || - (pd->flags & DETECT_PCRE_HTTP_CLIENT_BODY) || - (pd->flags & DETECT_PCRE_HTTP_SERVER_BODY) || - (pd->flags & DETECT_PCRE_HTTP_RAW_URI) || - (pd->flags & DETECT_PCRE_HTTP_USER_AGENT) || - (pd->flags & DETECT_PCRE_HTTP_HOST) || - (pd->flags & DETECT_PCRE_HTTP_RAW_HOST) ) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. " - "DCERPC rule has pcre keyword with http related modifier."); - goto error; - } - break; - - default: - break; - } - pd = DetectPcreParseCapture(regexstr, de_ctx, pd); if (pd == NULL) goto error; - sm = SigMatchAlloc(); - if (sm == NULL) - goto error; - - sm->type = DETECT_PCRE; - sm->ctx = (void *)pd; - - if (pd->flags & DETECT_PCRE_HEADER) { - SCLogDebug("Header inspection modifier set"); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HHDMATCH); - } else if (pd->flags & DETECT_PCRE_RAW_HEADER) { - SCLogDebug("Raw header inspection modifier set"); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRHDMATCH); - } else if (pd->flags & DETECT_PCRE_COOKIE) { - //sm->type = DETECT_PCRE_HTTPCOOKIE; - - SCLogDebug("Cookie inspection modifier set"); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCDMATCH); - } else if (pd->flags & DETECT_PCRE_HTTP_USER_AGENT) { - SCLogDebug("User-Agent inspection modifier set on pcre"); + if ((pd->flags & DETECT_PCRE_URI) || + (pd->flags & DETECT_PCRE_METHOD) || + (pd->flags & DETECT_PCRE_HEADER) || + (pd->flags & DETECT_PCRE_RAW_HEADER) || + (pd->flags & DETECT_PCRE_COOKIE) || + (pd->flags & DETECT_PCRE_HTTP_STAT_MSG) || + (pd->flags & DETECT_PCRE_HTTP_STAT_CODE) || + (pd->flags & DETECT_PCRE_HTTP_CLIENT_BODY) || + (pd->flags & DETECT_PCRE_HTTP_SERVER_BODY) || + (pd->flags & DETECT_PCRE_HTTP_RAW_URI) || + (pd->flags & DETECT_PCRE_HTTP_USER_AGENT) || + (pd->flags & DETECT_PCRE_HTTP_HOST) || + (pd->flags & DETECT_PCRE_HTTP_RAW_HOST)) { if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains " - "conflicting keywords."); + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. " + "Conflicting alprotos detected for this rule. Http " + "pcre modifier found along with a different protocol " + "for the rule."); goto error; } - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HUADMATCH); - } else if (pd->flags & DETECT_PCRE_HTTP_HOST) { - SCLogDebug("Host inspection modifier set on pcre"); - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains " - "conflicting keywords."); + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre found with http " + "modifier set, with file_data/dce_stub_data sticky " + "option set."); goto error; } + } + + int sm_list; + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { + SCLogDebug("adding to http server body list because of file data"); + s->flags |= SIG_FLAG_APPLAYER; + AppLayerHtpEnableResponseBodyCallback(); + sm_list = DETECT_SM_LIST_HSBDMATCH; + } else if (s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { + SCLogDebug("adding to dmatch list because of dce_stub_data"); + s->flags |= SIG_FLAG_APPLAYER; + sm_list = DETECT_SM_LIST_DMATCH; + } else if (pd->flags & DETECT_PCRE_URI) { s->flags |= SIG_FLAG_APPLAYER; s->alproto = ALPROTO_HTTP; - - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HHHDMATCH); - } else if (pd->flags & DETECT_PCRE_HTTP_RAW_HOST) { - SCLogDebug("Raw Host inspection modifier set on pcre"); - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains " - "conflicting keywords."); - goto error; - } + sm_list = DETECT_SM_LIST_UMATCH; + } else if (pd->flags & DETECT_PCRE_HTTP_RAW_URI) { s->flags |= SIG_FLAG_APPLAYER; s->alproto = ALPROTO_HTTP; - - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRHHDMATCH); - } else if (pd->flags & DETECT_PCRE_METHOD) { - //sm->type = DETECT_PCRE_HTTPMETHOD; - - SCLogDebug("Method inspection modifier set"); + sm_list = DETECT_SM_LIST_HRUDMATCH; + } else if (pd->flags & DETECT_PCRE_HEADER) { + SCLogDebug("Header inspection modifier set"); s->flags |= SIG_FLAG_APPLAYER; s->alproto = ALPROTO_HTTP; - - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HMDMATCH); + sm_list = DETECT_SM_LIST_HHDMATCH; + } else if (pd->flags & DETECT_PCRE_RAW_HEADER) { + SCLogDebug("Raw header inspection modifier set"); + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; + sm_list = DETECT_SM_LIST_HRHDMATCH; } else if (pd->flags & DETECT_PCRE_HTTP_CLIENT_BODY) { SCLogDebug("Request body inspection modifier set"); s->flags |= SIG_FLAG_APPLAYER; s->alproto = ALPROTO_HTTP; AppLayerHtpEnableRequestBodyCallback(); - - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCBDMATCH); + sm_list = DETECT_SM_LIST_HCBDMATCH; } else if (pd->flags & DETECT_PCRE_HTTP_SERVER_BODY) { SCLogDebug("Response body inspection modifier set"); s->flags |= SIG_FLAG_APPLAYER; s->alproto = ALPROTO_HTTP; + sm_list = DETECT_SM_LIST_HSBDMATCH; AppLayerHtpEnableResponseBodyCallback(); - - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH); - } else if (pd->flags & DETECT_PCRE_URI) { + } else if (pd->flags & DETECT_PCRE_HTTP_HOST) { + SCLogDebug("Host inspection modifier set on pcre"); s->flags |= SIG_FLAG_APPLAYER; - - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting" - " keywords."); - goto error; - } - s->alproto = ALPROTO_HTTP; - - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH); - } else if (pd->flags & DETECT_PCRE_HTTP_RAW_URI) { + sm_list = DETECT_SM_LIST_HHHDMATCH; + } else if (pd->flags & DETECT_PCRE_HTTP_RAW_HOST) { + SCLogDebug("Raw Host inspection modifier set on pcre"); s->flags |= SIG_FLAG_APPLAYER; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting" - " keywords."); - goto error; - } s->alproto = ALPROTO_HTTP; - - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRUDMATCH); + sm_list = DETECT_SM_LIST_HRHHDMATCH; } else if (pd->flags & DETECT_PCRE_HTTP_STAT_MSG) { s->flags |= SIG_FLAG_APPLAYER; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting" - " keywords."); - goto error; - } s->alproto = ALPROTO_HTTP; - - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSMDMATCH); + sm_list = DETECT_SM_LIST_HSMDMATCH; } else if (pd->flags & DETECT_PCRE_HTTP_STAT_CODE) { s->flags |= SIG_FLAG_APPLAYER; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting" - " keywords."); - goto error; - } s->alproto = ALPROTO_HTTP; - - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSCDMATCH); + sm_list = DETECT_SM_LIST_HSCDMATCH; + } else if (pd->flags & DETECT_PCRE_COOKIE) { + SCLogDebug("Cookie inspection modifier set"); + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; + sm_list = DETECT_SM_LIST_HCDMATCH; + } else if (pd->flags & DETECT_PCRE_METHOD) { + SCLogDebug("Method inspection modifier set"); + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; + sm_list = DETECT_SM_LIST_HMDMATCH; + } else if (pd->flags & DETECT_PCRE_HTTP_USER_AGENT) { + SCLogDebug("User-Agent inspection modifier set on pcre"); + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; + sm_list = DETECT_SM_LIST_HUADMATCH; } else { - if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) { - SCLogDebug("adding to http server body list because of file data"); - s->flags |= SIG_FLAG_APPLAYER; - AppLayerHtpEnableResponseBodyCallback(); - - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HSBDMATCH); - } else if (s->init_flags & SIG_FLAG_INIT_DCE_STUB_DATA) { - SCLogDebug("adding to dmatch list because of dce_stub_data"); - s->flags |= SIG_FLAG_APPLAYER; - AppLayerHtpEnableResponseBodyCallback(); - - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DMATCH); - } else { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_PMATCH); - } - } - - if (!(pd->flags & DETECT_PCRE_RELATIVE)) { - SCReturnInt(0); - } - - prev_sm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, sm->prev, - DETECT_PCRE, sm->prev); - if (prev_sm == NULL) { - pd->flags &= ~DETECT_PCRE_RELATIVE; - SCReturnInt(0); + sm_list = DETECT_SM_LIST_PMATCH; } - DetectContentData *cd = NULL; - DetectPcreData *pe = NULL; - - switch (prev_sm->type) { - case DETECT_CONTENT: - /* Set the relative next flag on the prev sigmatch */ - cd = (DetectContentData *)prev_sm->ctx; - if (cd == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "content not setup properly"); - SCReturnInt(-1); - } - cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - - break; - - case DETECT_PCRE: - pe = (DetectPcreData *) prev_sm->ctx; - if (pe == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre not setup properly"); - SCReturnInt(-1); - } - pe->flags |= DETECT_PCRE_RELATIVE_NEXT; - - break; - - default: - /* this will never hit */ - SCLogError(SC_ERR_INVALID_SIGNATURE, "prev sigmatch has unknown type: %"PRIu16, - prev_sm->type); - SCReturnInt(-1); - break; - } /* switch (prev_sm->type) */ - - SCReturnInt(0); - -error: - if (pd != NULL) - DetectPcreFree(pd); - if (sm != NULL) - SCFree(sm); - - SCReturnInt(-1); + sm = SigMatchAlloc(); + if (sm == NULL) + goto error; + sm->type = DETECT_PCRE; + sm->ctx = (void *)pd; + SigMatchAppendSMToList(s, sm, sm_list); + + if (!(pd->flags & DETECT_PCRE_RELATIVE)) + goto okay; + + SigMatch *prev_pm = SigMatchGetLastSMFromLists(s, 4, + DETECT_CONTENT, sm->prev, + DETECT_PCRE, sm->prev); + if (prev_pm == NULL) + goto okay; + if (prev_pm->type == DETECT_CONTENT) { + DetectContentData *cd = (DetectContentData *)prev_pm->ctx; + cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else if (prev_pm->type == DETECT_PCRE) { + DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx; + pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } + + okay: + ret = 0; + SCReturnInt(ret); + error: + DetectPcreFree(pd); + SCReturnInt(ret); } void DetectPcreFree(void *ptr) { + if (ptr == NULL) + return; + DetectPcreData *pd = (DetectPcreData *)ptr; if (pd->capname != NULL) @@ -1143,7 +1045,7 @@ int DetectPcreParseTest11(void) result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE); data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; if (data->flags & DETECT_PCRE_RAWBYTES || - data->flags & DETECT_PCRE_RELATIVE || + !(data->flags & DETECT_PCRE_RELATIVE) || data->flags & DETECT_PCRE_URI) { result = 0; goto end; @@ -1166,7 +1068,7 @@ int DetectPcreParseTest11(void) result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE); data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; if (data->flags & DETECT_PCRE_RAWBYTES || - data->flags & DETECT_PCRE_RELATIVE || + !(data->flags & DETECT_PCRE_RELATIVE) || data->flags & DETECT_PCRE_URI) { result = 0; goto end; @@ -1189,7 +1091,7 @@ int DetectPcreParseTest11(void) result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_PCRE); data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx; if (!(data->flags & DETECT_PCRE_RAWBYTES) || - data->flags & DETECT_PCRE_RELATIVE || + !(data->flags & DETECT_PCRE_RELATIVE) || data->flags & DETECT_PCRE_URI) { result = 0; goto end; @@ -1252,7 +1154,7 @@ static int DetectPcreParseTest12(void) data = (DetectPcreData *)s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]->ctx; if (data->flags & DETECT_PCRE_RAWBYTES || - data->flags & DETECT_PCRE_RELATIVE || + !(data->flags & DETECT_PCRE_RELATIVE) || data->flags & DETECT_PCRE_URI) { printf("flags not right: "); goto end; diff --git a/src/detect-uricontent.c b/src/detect-uricontent.c index e1d258b1b0..49fb704566 100644 --- a/src/detect-uricontent.c +++ b/src/detect-uricontent.c @@ -214,8 +214,8 @@ int DetectUricontentSetup (DetectEngineCtx *de_ctx, Signature *s, char *contents SigMatch *sm = NULL; if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting" - " keywords."); + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains " + "conflicting keywords."); goto error; } @@ -223,8 +223,6 @@ int DetectUricontentSetup (DetectEngineCtx *de_ctx, Signature *s, char *contents if (cd == NULL) goto error; - /* Okay so far so good, lets get this into a SigMatch - * and put it in the Signature. */ sm = SigMatchAlloc(); if (sm == NULL) goto error; @@ -232,13 +230,12 @@ int DetectUricontentSetup (DetectEngineCtx *de_ctx, Signature *s, char *contents sm->type = DETECT_CONTENT; sm->ctx = (void *)cd; - cd->id = DetectUricontentGetId(de_ctx->mpm_pattern_id_store, cd); - /* Flagged the signature as to inspect the app layer data */ s->flags |= SIG_FLAG_APPLAYER; s->alproto = ALPROTO_HTTP; + cd->id = DetectUricontentGetId(de_ctx->mpm_pattern_id_store, cd); SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH); SCReturnInt(0); @@ -611,7 +608,7 @@ int DetectUriSigTest01(void) s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:" "\" Test uricontent\"; " - "uricontent:\"me\"; sid:1;)"); + "content:\"me\"; uricontent:\"me\"; sid:1;)"); if (s == NULL) { goto end; } diff --git a/src/detect-urilen.c b/src/detect-urilen.c index 80c20a218b..b667917f9d 100644 --- a/src/detect-urilen.c +++ b/src/detect-urilen.c @@ -331,14 +331,18 @@ static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, char *urile DetectUrilenData *urilend = NULL; SigMatch *sm = NULL; + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " + "alproto set"); + goto error; + } + urilend = DetectUrilenParse(urilenstr); if (urilend == NULL) goto error; - sm = SigMatchAlloc(); if (sm == NULL) goto error; - sm->type = DETECT_AL_URILEN; sm->ctx = (void *)urilend; @@ -347,20 +351,14 @@ static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, char *urile else SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH); - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto error; - } - /* Flagged the signature as to inspect the app layer data */ s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; SCReturnInt(0); error: - if (urilend != NULL) DetectUrilenFree(urilend); - if (sm != NULL) SCFree(sm); + DetectUrilenFree(urilend); SCReturnInt(-1); } @@ -371,6 +369,9 @@ error: */ void DetectUrilenFree(void *ptr) { + if (ptr != NULL) + return; + DetectUrilenData *urilend = (DetectUrilenData *)ptr; SCFree(urilend); } diff --git a/src/detect-within.c b/src/detect-within.c index d5768db673..0f6d9265c3 100644 --- a/src/detect-within.c +++ b/src/detect-within.c @@ -43,10 +43,11 @@ #include "detect-pcre.h" #include "util-unittest.h" -static int DetectWithinSetup (DetectEngineCtx *, Signature *, char *); +static int DetectWithinSetup(DetectEngineCtx *, Signature *, char *); void DetectWithinRegisterTests(void); -void DetectWithinRegister (void) { +void DetectWithinRegister(void) +{ sigmatch_table[DETECT_WITHIN].name = "within"; sigmatch_table[DETECT_WITHIN].desc = "indicate that this content match has to be within a certain distance of the previous content keyword match"; sigmatch_table[DETECT_WITHIN].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Within"; @@ -65,168 +66,130 @@ void DetectWithinRegister (void) { * \retval 0 ok * \retval -1 error, sig needs to be invalidated */ -static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withinstr) +static int DetectWithinSetup(DetectEngineCtx *de_ctx, Signature *s, char *withinstr) { char *str = withinstr; char dubbed = 0; SigMatch *pm = NULL; + int ret = -1; /* strip "'s */ if (withinstr[0] == '\"' && withinstr[strlen(withinstr)-1] == '\"') { str = SCStrdup(withinstr+1); if (unlikely(str == NULL)) - goto error; - str[strlen(withinstr)-2] = '\0'; + goto end; + str[strlen(withinstr) - 2] = '\0'; dubbed = 1; } - pm = SigMatchGetLastSMFromLists(s, 30, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); + /* retrive the sm to apply the depth against */ + if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) + pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]); + else + pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]); + } else { + pm = SigMatchGetLastSMFromLists(s, 28, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); + } if (pm == NULL) { - SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "\"within\" requires " - "preceding content, uricontent, http_client_body, " - "http_server_body, http_header, http_raw_header, " - "http_method, http_cookie, http_raw_uri, " - "http_stat_msg, http_stat_code or http_user_agent " - "option"); - if (dubbed) - SCFree(str); - return -1; + SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "within needs " + "preceding content, uricontent option, http_client_body, " + "http_server_body, http_header option, http_raw_header option, " + "http_method option, http_cookie, http_raw_uri, " + "http_stat_msg, http_stat_code, http_user_agent or " + "file_data/dce_stub_data sticky buffer option"); + goto end; } - DetectContentData *cd = NULL; - DetectPcreData *pe = NULL; - - switch (pm->type) { - case DETECT_CONTENT: - cd = (DetectContentData *)pm->ctx; - if (cd == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "content error"); - goto error; - } - - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative " - "keyword set along with a fast_pattern:only"); - goto error; - } - } - - if ((cd->flags & DETECT_CONTENT_DEPTH) || (cd->flags & DETECT_CONTENT_OFFSET)) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a relative keyword " - "with a non-relative keyword for the same content" ); - goto error; - } - - if (str[0] != '-' && isalpha((unsigned char)str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var " - "seen in within - %s\n", str); - goto error; - } - cd->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_WITHIN_BE; - } else { - cd->within = strtol(str, NULL, 10); - if (cd->within < (int32_t)cd->content_len) { - SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is " - "less than the content length \"%"PRIu32"\" which is invalid, since " - "this will never match. Invalidating signature", cd->within, - cd->content_len); - goto error; - } - } - - cd->flags |= DETECT_CONTENT_WITHIN; - - pm = SigMatchGetLastSMFromLists(s, 6, - DETECT_CONTENT, pm->prev, - DETECT_PCRE, pm->prev, - DETECT_BYTEJUMP, pm->prev); - if (pm != NULL) { - switch (pm->type) { - case DETECT_CONTENT: - /* Set the relative next flag on the prev sigmatch */ - cd = (DetectContentData *)pm->ctx; - if (cd == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "content error"); - goto error; - } - cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "previous keyword " - "has a fast_pattern:only; set. Can't " - "have relative keywords around a fast_pattern " - "only content"); - goto error; - } - - break; - - case DETECT_PCRE: - pe = (DetectPcreData *) pm->ctx; - if (pe == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre error"); - goto error; - } - pe->flags |= DETECT_PCRE_RELATIVE_NEXT; - - break; - - case DETECT_BYTEJUMP: - SCLogDebug("no setting relative_next for bytejump. We " - "have no use for it"); - - break; - - default: - /* this will never hit */ - SCLogError(SC_ERR_INVALID_SIGNATURE, "unsupported type %d", pm->type); - break; - } - } - break; - - default: - SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs two " - "preceding content or uricontent options"); - goto error; + /* verify other conditions */ + DetectContentData *cd = (DetectContentData *)pm->ctx; + if (cd->flags & DETECT_CONTENT_WITHIN) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple withins for the same content."); + goto end; + } + if ((cd->flags & DETECT_CONTENT_DEPTH) || (cd->flags & DETECT_CONTENT_OFFSET)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a relative " + "keyword like within/distance with a absolute " + "relative keyword like depth/offset for the same " + "content." ); + goto end; + } + if (cd->flags & DETECT_CONTENT_NEGATED && cd->flags & DETECT_CONTENT_FAST_PATTERN) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative " + "negated keyword set along with a fast_pattern"); + goto end; + } + if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative " + "keyword set along with a fast_pattern:only;"); + goto end; + } + if (str[0] != '-' && isalpha((unsigned char)str[0])) { + SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s, SigMatchListSMBelongsTo(s, pm)); + if (bed_sm == NULL) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var " + "seen in within - %s\n", str); + goto end; + } + cd->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id; + cd->flags |= DETECT_CONTENT_WITHIN_BE; + } else { + cd->within = strtol(str, NULL, 10); + if (cd->within < (int32_t)cd->content_len) { + SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is " + "less than the content length \"%"PRIu32"\" which is invalid, since " + "this will never match. Invalidating signature", cd->within, + cd->content_len); + goto end; + } + } + cd->flags |= DETECT_CONTENT_WITHIN; + + /* these are the only ones against which we set a flag. We have other + * relative keywords like byttest, isdataat, bytejump, but we don't + * set a flag against them */ + SigMatch *prev_pm = SigMatchGetLastSMFromLists(s, 4, + DETECT_CONTENT, pm->prev, + DETECT_PCRE, pm->prev); + if (prev_pm == NULL) { + ret = 0; + goto end; + } + if (prev_pm->type == DETECT_CONTENT) { + DetectContentData *cd = (DetectContentData *)prev_pm->ctx; + if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "previous keyword " + "has a fast_pattern:only; set. Can't " + "have relative keywords around a fast_pattern " + "only content"); + goto end; + } + cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else if (prev_pm->type == DETECT_PCRE) { + DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx; + pd->flags |= DETECT_PCRE_RELATIVE_NEXT; } + ret = 0; + end: if (dubbed) SCFree(str); - return 0; - -error: - if (dubbed) - SCFree(str); - return -1; + return ret; } /***********************************Unittests**********************************/