Detection improvements: uricontent escaping now working, better negated pattern (content) handling.

remotes/origin/master-1.0.x
Victor Julien 16 years ago
parent 154a8b1ed9
commit 393acd77d2

@ -546,7 +546,7 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead
/* now determine which one to add to the mpm phase */
for (sig = 0; sig < sgh->sig_cnt; sig++) {
Signature *s = sgh->match_array[sig];
if (s == NULL)
if (s == NULL || s->pmatch == NULL)
continue;
ContentHash *mpm_ch = NULL;
@ -602,6 +602,7 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead
ContentHashFree(ch);
}
}
/* now add the mpm_ch to the mpm ctx */
if (mpm_ch != NULL) {
DetectContentData *co = mpm_ch->ptr;
@ -610,9 +611,26 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead
offset = mpm_ch->cnt ? 0 : offset;
depth = mpm_ch->cnt ? 0 : depth;
uint8_t flags = 0;
char scan_packet = 0;
char scan_stream = 0;
char scan_negated = 0;
SigMatch *tmpsm = s->pmatch;
for ( ; tmpsm != NULL; tmpsm = tmpsm->next) {
if (tmpsm->type != DETECT_CONTENT)
continue;
DetectContentData *tmp = (DetectContentData *)tmpsm->ctx;
if (tmp == NULL)
continue;
if (co->id == tmp->id) {
if (tmp->flags & DETECT_CONTENT_NEGATED) {
scan_negated = 1;
}
break;
}
}
if (s->flags & SIG_FLAG_DSIZE) {
scan_packet = 1;
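Review bot: The new `for` over `s->pmatch` re-derives the negation flag for a pattern that `co` already points at, and nothing says why `co->flags & DETECT_CONTENT_NEGATED` would not do; if `mpm_ch->ptr` can be the DetectContentData of a different signature that shares this pattern id (which the hash-based selection above suggests, but the hunk does not show), that is the reason and it should be stated, e.g. `/* co may belong to another sig sharing this pattern id; NEGATED is per sig, so consult our own pmatch entry */`. The loop also stops at the first sigmatch whose id matches, so if one signature can carry the same pattern both negated and plain, whichever comes first decides `scan_negated`; presumably harmless, since a plain copy makes the sig require the pattern anyway, but worth a sentence. PatternMatchPreprarePopulateMpm begins before this hunk and continues past it.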
@ -647,6 +665,10 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead
}
s->mpm_pattern_id = co->id;
if (scan_negated) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_NEGCONTENT;
}
SCLogDebug("%"PRIu32" adding co->id %"PRIu32" to the mpm phase (s->num %"PRIu32")", s->id, co->id, s->num);
} else {

@ -1060,10 +1060,6 @@ Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) {
continue;
sig->flags |= SIG_FLAG_MPM;
if (cd->flags & DETECT_CONTENT_NEGATED) {
sig->flags |= SIG_FLAG_MPM_NEGCONTENT;
}
}
}
for (sm = sig->umatch; sm != NULL; sm = sm->next) {
@ -1194,13 +1190,8 @@ Signature *SigInitReal(DetectEngineCtx *de_ctx, char *sigstr) {
continue;
sig->flags |= SIG_FLAG_MPM;
if (cd->flags & DETECT_CONTENT_NEGATED) {
sig->flags |= SIG_FLAG_MPM_NEGCONTENT;
}
}
}
for (sm = sig->umatch; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_URICONTENT) {
DetectUricontentData *ud = (DetectUricontentData *)sm->ctx;

@ -234,6 +234,7 @@ DetectUricontentData *DoDetectUricontentSetup (char * contentstr)
char converted = 0;
{
uint8_t escape = 0;
uint16_t i, x;
uint8_t bin = 0, binstr[3] = "", binpos = 0;
for (i = 0, x = 0; i < len; i++) {
@ -244,6 +245,8 @@ DetectUricontentData *DoDetectUricontentSetup (char * contentstr)
} else {
bin = 1;
}
} else if(!escape && str[i] == '\\') {
escape = 1;
} else {
if (bin) {
if (isdigit(str[i]) ||
@ -269,6 +272,20 @@ DetectUricontentData *DoDetectUricontentSetup (char * contentstr)
} else if (str[i] == ' ') {
SCLogDebug("space as part of binary string");
}
} else if (escape) {
if (str[i] == ':' ||
str[i] == ';' ||
str[i] == '\\' ||
str[i] == '\"')
{
str[x] = str[i];
x++;
} else {
//SCLogDebug("Can't escape %c", str[i]);
goto error;
}
escape = 0;
converted = 1;
} else {
str[x] = str[i];
x++;
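Review bot: A trailing backslash is not reported: `str[i] == '\\'` sets `escape`, the loop ends, and nothing in the hunk checks `escape` afterwards, so a string ending in a lone backslash would silently lose it unless the code after the loop, or the option tokenizer before it, rejects it; I cannot see either from here, so add `if (escape) goto error;` immediately after the loop if it is not already there. The commented-out `//SCLogDebug("Can't escape %c", str[i]);` should either be restored as a live debug line or deleted rather than left as dead text. Both the loop and DoDetectUricontentSetup continue past the end of this hunk.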

@ -464,20 +464,24 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
}
/* check for a pattern match of the one pattern in this sig. */
if (s->flags & SIG_FLAG_MPM && !(s->flags & SIG_FLAG_MPM_NEGCONTENT)) {
if (s->flags & SIG_FLAG_MPM) {
/* filter out sigs that want pattern matches, but
* have no matches */
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id / 8)] & (1<<(s->mpm_pattern_id % 8)))) {
SCLogDebug("mpm sig without matches (pat id %"PRIu32" check in content).", s->mpm_pattern_id);
/* pattern didn't match. There is one case where we will inspect
* the signature anyway: if the packet payload was added to the
* stream it is not scanned itself: the stream data is inspected.
* Inspecting both would result in duplicated alerts. There is
* one case where we are going to inspect the packet payload
* anyway: if a signature has the dsize option. */
if (!((p->flags & PKT_STREAM_ADD) && (s->flags & SIG_FLAG_DSIZE))) {
continue;
if (!(s->flags & SIG_FLAG_MPM_NEGCONTENT)) {
/* pattern didn't match. There is one case where we will inspect
* the signature anyway: if the packet payload was added to the
* stream it is not scanned itself: the stream data is inspected.
* Inspecting both would result in duplicated alerts. There is
* one case where we are going to inspect the packet payload
* anyway: if a signature has the dsize option. */
if (!((p->flags & PKT_STREAM_ADD) && (s->flags & SIG_FLAG_DSIZE))) {
continue;
}
} else {
SCLogDebug("but thats okay, we are looking for neg-content");
}
}
}
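Review bot: The `else` branch of the new block only emits the debug string `but thats okay, we are looking for neg-content`, leaving the actual reasoning implicit: for a negated pattern an MPM miss is exactly the condition the signature is looking for, so the miss cannot be used to filter it out. Put that in a comment next to the branch, e.g. `/* negated mpm pattern: absence is what this sig wants, so an mpm miss cannot exclude it; full inspection decides */`. A neg-content sig whose pattern did hit is passed through as well, which is presumably still required if offset/depth or other contents can let the rule match anyway; that deserves a line too. SigMatchSignaturesBuildMatchArray starts before this hunk and, as far as one can tell, continues after it.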
@ -852,31 +856,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
}
}
SCLogDebug("s->amatch %p, s->umatch %p, s->dmatch %p",
s->amatch, s->umatch, s->dmatch);
if (s->amatch != NULL || s->umatch != NULL || s->dmatch != NULL) {
if (alstate == NULL) {
SCLogDebug("state matches but no state, we can't match");
goto next;
}
if (de_state_start == TRUE) {
SCLogDebug("stateful app layer match inspection starting");
if (DeStateDetectStartDetection(th_v, de_ctx, det_ctx, s,
p->flow, flags, alstate, alproto) != 1)
goto next;
} else {
SCLogDebug("signature %"PRIu32" (%"PRIuMAX"): %s",
s->id, (uintmax_t)s->num, DeStateMatchResultToString(det_ctx->de_state_sig_array[s->num]));
if (det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NEW) {
if (s->pmatch == NULL && s->dmatch == NULL) {
goto next;
}
}
}
}
if (s->flags & SIG_FLAG_DSIZE && s->dsize_sm != NULL) {
if (sigmatch_table[DETECT_DSIZE].Match(th_v, det_ctx, p, s, s->dsize_sm) == 0)
continue;
@ -927,6 +906,31 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
}
}
SCLogDebug("s->amatch %p, s->umatch %p, s->dmatch %p",
s->amatch, s->umatch, s->dmatch);
if (s->amatch != NULL || s->umatch != NULL || s->dmatch != NULL) {
if (alstate == NULL) {
SCLogDebug("state matches but no state, we can't match");
goto next;
}
if (de_state_start == TRUE) {
SCLogDebug("stateful app layer match inspection starting");
if (DeStateDetectStartDetection(th_v, de_ctx, det_ctx, s,
p->flow, flags, alstate, alproto) != 1)
goto next;
} else {
SCLogDebug("signature %"PRIu32" (%"PRIuMAX"): %s",
s->id, (uintmax_t)s->num, DeStateMatchResultToString(det_ctx->de_state_sig_array[s->num]));
if (det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NEW) {
if (s->pmatch == NULL && s->dmatch == NULL) {
goto next;
}
}
}
}
/* if we get here but have no sigmatches to match against,
* we consider the sig matched. */
if (s->match == NULL) {
