Add signature direction (flow:toserver/flow:toclient) as a signature flag.

remotes/origin/master-1.2.x
Victor Julien 14 years ago
parent d5402d33d4
commit 21ee59e6f3

@ -297,8 +297,6 @@ int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, char *flowstr)
DetectFlowData *fd = NULL;
SigMatch *sm = NULL;
//printf("DetectFlowSetup: \'%s\'\n", flowstr);
fd = DetectFlowParse(flowstr);
if (fd == NULL)
goto error;
@ -314,6 +312,16 @@ int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, char *flowstr)
SigMatchAppendPacket(s, sm);
/* set the signature direction flags */
if (fd->flags & FLOW_PKT_TOSERVER) {
s->flags |= SIG_FLAG_TOSERVER;
} else if (fd->flags & FLOW_PKT_TOCLIENT) {
s->flags |= SIG_FLAG_TOCLIENT;
} else {
s->flags |= SIG_FLAG_TOSERVER;
s->flags |= SIG_FLAG_TOCLIENT;
}
if (fd->flags & FLOW_PKT_ONLYSTREAM) {
s->flags |= SIG_FLAG_REQUIRE_STREAM;
}
@ -325,8 +333,10 @@ int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, char *flowstr)
return 0;
error:
if (fd != NULL) DetectFlowFree(fd);
if (sm != NULL) SCFree(sm);
if (fd != NULL)
DetectFlowFree(fd);
if (sm != NULL)
SCFree(sm);
return -1;
}
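Review bot: The direction chain added after `SigMatchAppendPacket(s, sm)` is an `if / else if`, so a `fd->flags` value carrying both `FLOW_PKT_TOSERVER` and `FLOW_PKT_TOCLIENT` yields only `SIG_FLAG_TOSERVER`, and the rule would then be skipped for to-client traffic without any error. The older logic in DetectEngineLookupFlowAddSig, which this commit appears to remove, tested TOCLIENT first, so the outcome for that input also flips. Whether DetectFlowParse already rejects the combination is not visible here; if it does, a one-line comment saying so is enough. Otherwise use two independent tests, `if (fd->flags & FLOW_PKT_TOSERVER) s->flags |= SIG_FLAG_TOSERVER;` and `if (fd->flags & FLOW_PKT_TOCLIENT) s->flags |= SIG_FLAG_TOCLIENT;`, and set both only when neither bit is present. DetectFlowSetup starts before this section's first hunk.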

@ -1509,6 +1509,11 @@ Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) {
if (sig->sm_lists[DETECT_SM_LIST_FILEMATCH])
sig->flags |= SIG_FLAG_STATE_MATCH;
if (!(sig->init_flags & SIG_FLAG_INIT_FLOW)) {
sig->flags |= SIG_FLAG_TOSERVER;
sig->flags |= SIG_FLAG_TOCLIENT;
}
SCLogDebug("sig %"PRIu32" SIG_FLAG_APPLAYER: %s, SIG_FLAG_PACKET: %s",
sig->id, sig->flags & SIG_FLAG_APPLAYER ? "set" : "not set",
sig->init_flags & SIG_FLAG_INIT_PACKET ? "set" : "not set");
@ -1695,6 +1700,11 @@ Signature *SigInitReal(DetectEngineCtx *de_ctx, char *sigstr) {
if (sig->sm_lists[DETECT_SM_LIST_FILEMATCH])
sig->flags |= SIG_FLAG_STATE_MATCH;
if (!(sig->init_flags & SIG_FLAG_INIT_FLOW)) {
sig->flags |= SIG_FLAG_TOSERVER;
sig->flags |= SIG_FLAG_TOCLIENT;
}
SigBuildAddressMatchArray(sig);
SCLogDebug("sig %"PRIu32" SIG_FLAG_APPLAYER: %s, SIG_FLAG_PACKET: %s",
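Review bot: The fallback in SigInit, repeated in SigInitReal, keys on `SIG_FLAG_INIT_FLOW` rather than on the direction bits themselves. A signature that has the init flag but neither `SIG_FLAG_TOSERVER` nor `SIG_FLAG_TOCLIENT` would be left with no direction and, judging by the new DetectEngineLookupFlowAddSig, would be added to no flow group. Testing the bits directly closes that gap regardless of which keyword set the init flag: `if (!(sig->flags & (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT))) {`. Since the three lines are identical in both functions, a small static helper would keep them from drifting apart. Both functions extend beyond the lines shown.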

@ -2464,40 +2464,22 @@ error:
return -1;
}
/* add signature to the right flow groups
/**
* \brief add signature to the right flow group(s)
*/
static int DetectEngineLookupFlowAddSig(DetectEngineCtx *de_ctx, Signature *s, int family) {
uint8_t flags = 0;
if (s->init_flags & SIG_FLAG_INIT_FLOW) {
SigMatch *sm = s->sm_lists[DETECT_SM_LIST_MATCH];
for ( ; sm != NULL; sm = sm->next) {
if (sm->type != DETECT_FLOW)
continue;
DetectFlowData *df = (DetectFlowData *)sm->ctx;
if (df == NULL)
continue;
SCLogDebug("s->id %u", s->id);
flags = df->flags;
}
if (s->flags & SIG_FLAG_TOCLIENT) {
SCLogDebug("s->id %u (toclient)", s->id);
DetectEngineLookupBuildSourceAddressList(de_ctx,
&de_ctx->flow_gh[0], s, family);
}
if (flags & FLOW_PKT_TOCLIENT) {
/* only toclient */
DetectEngineLookupBuildSourceAddressList(de_ctx, &de_ctx->flow_gh[0], s, family);
} else if (flags & FLOW_PKT_TOSERVER) {
/* only toserver */
DetectEngineLookupBuildSourceAddressList(de_ctx, &de_ctx->flow_gh[1], s, family);
} else {
//printf("DetectEngineLookupFlowAddSig: s->id %"PRIu32"\n", s->id);
/* both */
DetectEngineLookupBuildSourceAddressList(de_ctx, &de_ctx->flow_gh[0], s, family);
DetectEngineLookupBuildSourceAddressList(de_ctx, &de_ctx->flow_gh[1], s, family);
if (s->flags & SIG_FLAG_TOSERVER) {
SCLogDebug("s->id %u (toserver)", s->id);
DetectEngineLookupBuildSourceAddressList(de_ctx,
&de_ctx->flow_gh[1], s, family);
}
return 0;
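Review bot: With the two independent `if` tests, a signature whose `s->flags` has neither `SIG_FLAG_TOSERVER` nor `SIG_FLAG_TOCLIENT` now falls through to `return 0` without being added to `flow_gh[0]` or `flow_gh[1]`, whereas the previous `else` branch added it to both. That turns a missed flag into a rule that loads cleanly and never inspects traffic. A guard at the top such as `if (!(s->flags & (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT))) return -1;` (or a logged error, depending on how callers treat the result, which is not visible here) would surface it at load time. The `\brief` comment could also record that index 0 is the toclient group and index 1 the toserver group. The function's closing brace lies outside the hunk.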

@ -248,6 +248,9 @@ typedef struct DetectPort_ {
#define SIG_FLAG_FILESTORE (1<<19) /**< signature has filestore keyword */
#define SIG_FLAG_TOSERVER (1<<20)
#define SIG_FLAG_TOCLIENT (1<<21)
/* signature init flags */
#define SIG_FLAG_INIT_DEONLY 1 /**< decode event only signature */
#define SIG_FLAG_INIT_PACKET (1<<1) /**< signature has matches against a packet (as opposed to app layer) */
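Review bot: `SIG_FLAG_TOSERVER` and `SIG_FLAG_TOCLIENT` are the only defines in this hunk without a trailing Doxygen comment. Add them in the style of the neighbours, e.g. `/**< signature inspects toserver traffic */` and `/**< signature inspects toclient traffic */`, and mention that a signature with no flow direction gets both. It is also worth confirming that the `flags` field of Signature is at least 32 bits wide now that bit 21 is in use; its declaration is not part of this hunk.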
