Introduce new API to allow case insensitive protocol detection patterns.

pull/600/head
Anoop Saldanha 12 years ago
parent 90827ea990
commit 36bd444406

@ -148,6 +148,7 @@ static uint16_t AlpProtoMatchSignature(AlpProtoSignature *s, uint8_t *buf,
{ {
SCEnter(); SCEnter();
uint16_t proto = ALPROTO_UNKNOWN; uint16_t proto = ALPROTO_UNKNOWN;
uint8_t *found = NULL;
if (s->ip_proto != ip_proto) { if (s->ip_proto != ip_proto) {
goto end; goto end;
@ -170,10 +171,12 @@ static uint16_t AlpProtoMatchSignature(AlpProtoSignature *s, uint8_t *buf,
SCLogDebug("s->co->offset (%"PRIu16") s->co->depth (%"PRIu16")", SCLogDebug("s->co->offset (%"PRIu16") s->co->depth (%"PRIu16")",
s->co->offset, s->co->depth); s->co->offset, s->co->depth);
uint8_t *found = SpmSearch(sbuf, sbuflen, s->co->content, s->co->content_len); if (s->co->flags & DETECT_CONTENT_NOCASE)
if (found != NULL) { found = SpmNocaseSearch(sbuf, sbuflen, s->co->content, s->co->content_len);
else
found = SpmSearch(sbuf, sbuflen, s->co->content, s->co->content_len);
if (found != NULL)
proto = s->proto; proto = s->proto;
}
end: end:
SCReturnInt(proto); SCReturnInt(proto);
@ -189,8 +192,11 @@ end:
* \param depth Depth setting for the content. E.g. 4 means that the content has to match in the first 4 bytes of the stream. * \param depth Depth setting for the content. E.g. 4 means that the content has to match in the first 4 bytes of the stream.
* \param offset Offset setting for the content. E.g. 4 mean that the content has to match after the first 4 bytes of the stream. * \param offset Offset setting for the content. E.g. 4 mean that the content has to match after the first 4 bytes of the stream.
* \param flags Set STREAM_TOCLIENT or STREAM_TOSERVER for the direction in which to try to match the content. * \param flags Set STREAM_TOCLIENT or STREAM_TOSERVER for the direction in which to try to match the content.
* \param ci Pattern is case-insensitive.
*/ */
void AlpProtoAdd(AlpProtoDetectCtx *ctx, char *name, uint16_t ip_proto, uint16_t al_proto, char *content, uint16_t depth, uint16_t offset, uint8_t flags) void AlpProtoAddPattern(AlpProtoDetectCtx *ctx, char *name, uint16_t ip_proto,
uint16_t al_proto, char *content, uint16_t depth,
uint16_t offset, uint8_t flags, uint8_t ci)
{ {
if (al_proto_table[al_proto].name != NULL) { if (al_proto_table[al_proto].name != NULL) {
BUG_ON(strcmp(al_proto_table[al_proto].name, name) != 0); BUG_ON(strcmp(al_proto_table[al_proto].name, name) != 0);
@ -218,8 +224,17 @@ void AlpProtoAdd(AlpProtoDetectCtx *ctx, char *name, uint16_t ip_proto, uint16_t
dir = &ctx->toserver; dir = &ctx->toserver;
} }
mpm_table[dir->mpm_ctx.mpm_type].AddPattern(&dir->mpm_ctx, cd->content, cd->content_len, if (ci == 1) {
cd->offset, cd->depth, cd->id, cd->id, 0); cd->flags |= DETECT_CONTENT_NOCASE;
mpm_table[dir->mpm_ctx.mpm_type].
AddPatternNocase(&dir->mpm_ctx, cd->content, cd->content_len,
cd->offset, cd->depth, cd->id, cd->id, 0);
} else {
mpm_table[dir->mpm_ctx.mpm_type].
AddPattern(&dir->mpm_ctx, cd->content, cd->content_len,
cd->offset, cd->depth, cd->id, cd->id, 0);
}
BUG_ON(dir->id == ALP_DETECT_MAX); BUG_ON(dir->id == ALP_DETECT_MAX);
dir->map[dir->id] = al_proto; dir->map[dir->id] = al_proto;
dir->id++; dir->id++;
@ -236,6 +251,27 @@ void AlpProtoAdd(AlpProtoDetectCtx *ctx, char *name, uint16_t ip_proto, uint16_t
AlpProtoAddSignature(ctx, cd, ip_proto, al_proto); AlpProtoAddSignature(ctx, cd, ip_proto, al_proto);
} }
void AlpProtoAddCI(AlpProtoDetectCtx *ctx, char *name, uint16_t ip_proto,
uint16_t al_proto, char *content, uint16_t depth,
uint16_t offset, uint8_t flags)
{
AlpProtoAddPattern(ctx, name, ip_proto, al_proto, content, depth,
offset, flags, 1);
return;
}
void AlpProtoAdd(AlpProtoDetectCtx *ctx, char *name, uint16_t ip_proto,
uint16_t al_proto, char *content, uint16_t depth,
uint16_t offset, uint8_t flags)
{
AlpProtoAddPattern(ctx, name, ip_proto, al_proto, content, depth,
offset, flags, 0);
return;
}
#ifdef UNITTESTS #ifdef UNITTESTS
void AlpProtoTestDestroy(AlpProtoDetectCtx *ctx) { void AlpProtoTestDestroy(AlpProtoDetectCtx *ctx) {
mpm_table[ctx->toserver.mpm_ctx.mpm_type].DestroyCtx(&ctx->toserver.mpm_ctx); mpm_table[ctx->toserver.mpm_ctx.mpm_type].DestroyCtx(&ctx->toserver.mpm_ctx);
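Review bot: `AlpProtoAddPattern` (hunk at -189) is defined with external linkage, but the header hunk shown only adds a prototype for `AlpProtoAddCI`, so the helper looks file-local and would be better declared `static void AlpProtoAddPattern(...)`. In the hunk at -218, `if (ci == 1)` sends any other non-zero value down the case-sensitive branch without complaint; `if (ci)` or an explicit `BUG_ON(ci > 1);` would stop a caller from silently registering the wrong kind of pattern, which for a detection engine presumably means a protocol that goes unrecognised. The `\param` block now documents the helper, so `AlpProtoAddCI` and `AlpProtoAdd` are left without comments; each could carry a one-line note such as `/** \brief Register a case-insensitive protocol detection pattern, see AlpProtoAddPattern(). */`. The body of `AlpProtoAddPattern` runs across two hunks and is only partly visible here.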

@ -98,6 +98,7 @@ uint16_t AppLayerDetectGetProtoProbingParser(AlpProtoDetectCtx *, Flow *,
uint16_t AppLayerDetectGetProto(AlpProtoDetectCtx *, AlpProtoDetectThreadCtx *, uint16_t AppLayerDetectGetProto(AlpProtoDetectCtx *, AlpProtoDetectThreadCtx *,
Flow *, uint8_t *, uint32_t, Flow *, uint8_t *, uint32_t,
uint8_t, uint8_t); uint8_t, uint8_t);
void AlpProtoAddCI(AlpProtoDetectCtx *, char *, uint16_t, uint16_t, char *, uint16_t, uint16_t, uint8_t);
void AlpProtoAdd(AlpProtoDetectCtx *, char *, uint16_t, uint16_t, char *, uint16_t, uint16_t, uint8_t); void AlpProtoAdd(AlpProtoDetectCtx *, char *, uint16_t, uint16_t, char *, uint16_t, uint16_t, uint8_t);
void AppLayerDetectProtoThreadSpawn(void); void AppLayerDetectProtoThreadSpawn(void);
