From 0bcbd233434e9dd34d03c2457788de11835e2d85 Mon Sep 17 00:00:00 2001
From: Eileen Donlon
Date: Thu, 26 Jan 2012 13:06:03 -0500
Subject: [PATCH] reject mixed relative and non-relative keywords reject signatures using relative and non-relative positional keywords for the same content (depth or offset with distance or within)
---
 src/detect-depth.c | 6 ++++++
 src/detect-distance.c | 6 ++++++
 src/detect-offset.c | 7 ++++++-
 src/detect-within.c | 6 ++++++
 4 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/src/detect-depth.c b/src/detect-depth.c
index 8c393a50e8..e7afbbb397 100644
--- a/src/detect-depth.c
+++ b/src/detect-depth.c
@@ -136,6 +136,12 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
 }
 }

+ if (cd->flags & DETECT_CONTENT_WITHIN || cd->flags & DETECT_CONTENT_DISTANCE) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't use a relative keyword "
+ "with a non-relative keyword for the same content." );
+ goto error;
+ }
+
 if (str[0] != '-' && isalpha(str[0])) {
 SigMatch *bed_sm =
 DetectByteExtractRetrieveSMVar(str, s,
diff --git a/src/detect-distance.c b/src/detect-distance.c
index 5600bb7a98..37f85b25e7 100644
--- a/src/detect-distance.c
+++ b/src/detect-distance.c
@@ -210,6 +210,12 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
 }
 }

+ if (cd->flags & DETECT_CONTENT_DEPTH || cd->flags & DETECT_CONTENT_OFFSET) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't use a relative keyword "
+ "with a non-relative keyword for the same content." );
+ goto error;
+ }
+
 if (str[0] != '-' && isalpha(str[0])) {
 SigMatch *bed_sm =
 DetectByteExtractRetrieveSMVar(str, s,
diff --git a/src/detect-offset.c b/src/detect-offset.c
index dec956b517..15c241313e 100644
--- a/src/detect-offset.c
+++ b/src/detect-offset.c
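Review bot: The error text added in DetectDepthSetup is the same generic sentence in all four hunks (depth, distance, offset, within) and never names the keyword that was rejected, so a rule author cannot tell from the log which option to remove. Naming it in each copy, for example `"depth can't be used with within or distance on the same content"`, makes a rejected rule quicker to fix, and a rule that fails to load is detection the sensor no longer performs. The flag test would also read better as a single mask, `if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {`. The function body starts and ends outside the hunk.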
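Review bot: The new `goto error` in DetectDistanceSetup is an extra early exit taken when `str` is already in use, and the `error` label lies outside the hunk. If `str` or anything else was allocated earlier in the function, confirm the label releases it, otherwise each rejected rule would leak during ruleset load; the depth, offset and within hunks add the same exit. A one-line comment above the check, such as `/* distance is relative; depth/offset are absolute: reject the mix */`, would also record why the signature is refused.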
@@ -135,6 +135,12 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
 }
 }

+ if (cd->flags & DETECT_CONTENT_WITHIN || cd->flags & DETECT_CONTENT_DISTANCE) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't use a relative keyword "
+ "with a non-relative keyword for the same content." );
+ goto error;
+ }
+
 if (str[0] != '-' && isalpha(str[0])) {
 SigMatch *bed_sm =
 DetectByteExtractRetrieveSMVar(str, s,
@@ -163,7 +169,6 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
 break; - default: SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs a preceeding" " content or uricontent option");
diff --git a/src/detect-within.c b/src/detect-within.c
index 525422f46a..96a644ccdd 100644
--- a/src/detect-within.c
+++ b/src/detect-within.c
@@ -212,6 +212,12 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
 }
 }

+ if (cd->flags & DETECT_CONTENT_DEPTH || cd->flags & DETECT_CONTENT_OFFSET) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't use a relative keyword "
+ "with a non-relative keyword for the same content." );
+ goto error;
+ }
+
 if (str[0] != '-' && isalpha(str[0])) {
 SigMatch *bed_sm =
 DetectByteExtractRetrieveSMVar(str, s,
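Review bot: The check in DetectOffsetSetup appears to sit inside one `case` of a `switch`, since the following hunk shows `break;` and `default:` further down the same function, so only the `cd` of that branch is tested. If other case labels outside the hunk handle other content types, they would still accept offset together with within or distance. It is worth confirming that every branch carries the check, or hoisting it to a point all branches pass through. The function starts outside the hunk, so this is inferred from the visible lines only.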
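Review bot: Nothing in this patch exercises the new rejection in DetectWithinSetup; the diffstat shows only the six added lines per file. Parse tests that expect the signature to fail to load for each pair (depth+within, depth+distance, offset+within, offset+distance) would pin the behaviour. Both keyword orders should be covered, because each setup function presumably only sees flags set by keywords parsed before it, so the two orders go through different functions. A companion test that a content with only relative or only absolute modifiers still loads would guard against the check rejecting valid rules.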