|
|
|
@ -573,13 +573,11 @@ static void DetectRunInspectIPOnly(ThreadVars *tv, const DetectEngineCtx *de_ctx
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* returns 0 if no match, 1 if match */
|
|
|
|
|
static inline int DetectRunInspectRuleHeader(
|
|
|
|
|
const Packet *p,
|
|
|
|
|
const Flow *f,
|
|
|
|
|
const Signature *s,
|
|
|
|
|
const uint32_t sflags,
|
|
|
|
|
const uint8_t s_proto_flags)
|
|
|
|
|
/** \internal
|
|
|
|
|
* \brief inspect the rule header: protocol, ports, etc
|
|
|
|
|
* \retval bool false if no match, true if match */
|
|
|
|
|
static inline bool DetectRunInspectRuleHeader(const Packet *p, const Flow *f, const Signature *s,
|
|
|
|
|
const uint32_t sflags, const uint8_t s_proto_flags)
|
|
|
|
|
{
|
|
|
|
|
/* check if this signature has a requirement for flowvars of some type
|
|
|
|
|
* and if so, if we actually have any in the flow. If not, the sig
|
|
|
|
@ -592,71 +590,71 @@ static inline int DetectRunInspectRuleHeader(
|
|
|
|
|
if (fv == false) {
|
|
|
|
|
SCLogDebug("skipping sig as the flow has no flowvars and sig "
|
|
|
|
|
"has SIG_FLAG_REQUIRE_FLOWVAR flag set.");
|
|
|
|
|
return 0;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ((s_proto_flags & DETECT_PROTO_IPV4) && !PKT_IS_IPV4(p)) {
|
|
|
|
|
SCLogDebug("ip version didn't match");
|
|
|
|
|
return 0;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
if ((s_proto_flags & DETECT_PROTO_IPV6) && !PKT_IS_IPV6(p)) {
|
|
|
|
|
SCLogDebug("ip version didn't match");
|
|
|
|
|
return 0;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (DetectProtoContainsProto(&s->proto, IP_GET_IPPROTO(p)) == 0) {
|
|
|
|
|
SCLogDebug("proto didn't match");
|
|
|
|
|
return 0;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* check the source & dst port in the sig */
|
|
|
|
|
if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP || p->proto == IPPROTO_SCTP) {
|
|
|
|
|
if (!(sflags & SIG_FLAG_DP_ANY)) {
|
|
|
|
|
if (p->flags & PKT_IS_FRAGMENT)
|
|
|
|
|
return 0;
|
|
|
|
|
return false;
|
|
|
|
|
const DetectPort *dport = DetectPortLookupGroup(s->dp, p->dp);
|
|
|
|
|
if (dport == NULL) {
|
|
|
|
|
SCLogDebug("dport didn't match.");
|
|
|
|
|
return 0;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (!(sflags & SIG_FLAG_SP_ANY)) {
|
|
|
|
|
if (p->flags & PKT_IS_FRAGMENT)
|
|
|
|
|
return 0;
|
|
|
|
|
return false;
|
|
|
|
|
const DetectPort *sport = DetectPortLookupGroup(s->sp, p->sp);
|
|
|
|
|
if (sport == NULL) {
|
|
|
|
|
SCLogDebug("sport didn't match.");
|
|
|
|
|
return 0;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} else if ((sflags & (SIG_FLAG_DP_ANY|SIG_FLAG_SP_ANY)) != (SIG_FLAG_DP_ANY|SIG_FLAG_SP_ANY)) {
|
|
|
|
|
SCLogDebug("port-less protocol and sig needs ports");
|
|
|
|
|
return 0;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* check the destination address */
|
|
|
|
|
if (!(sflags & SIG_FLAG_DST_ANY)) {
|
|
|
|
|
if (PKT_IS_IPV4(p)) {
|
|
|
|
|
if (DetectAddressMatchIPv4(s->addr_dst_match4, s->addr_dst_match4_cnt, &p->dst) == 0)
|
|
|
|
|
return 0;
|
|
|
|
|
return false;
|
|
|
|
|
} else if (PKT_IS_IPV6(p)) {
|
|
|
|
|
if (DetectAddressMatchIPv6(s->addr_dst_match6, s->addr_dst_match6_cnt, &p->dst) == 0)
|
|
|
|
|
return 0;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
/* check the source address */
|
|
|
|
|
if (!(sflags & SIG_FLAG_SRC_ANY)) {
|
|
|
|
|
if (PKT_IS_IPV4(p)) {
|
|
|
|
|
if (DetectAddressMatchIPv4(s->addr_src_match4, s->addr_src_match4_cnt, &p->src) == 0)
|
|
|
|
|
return 0;
|
|
|
|
|
return false;
|
|
|
|
|
} else if (PKT_IS_IPV6(p)) {
|
|
|
|
|
if (DetectAddressMatchIPv6(s->addr_src_match6, s->addr_src_match6_cnt, &p->src) == 0)
|
|
|
|
|
return 0;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \internal
|
|
|
|
@ -783,7 +781,7 @@ static inline void DetectRulePacketRules(
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (DetectRunInspectRuleHeader(p, pflow, s, sflags, s_proto_flags) == 0) {
|
|
|
|
|
if (DetectRunInspectRuleHeader(p, pflow, s, sflags, s_proto_flags) == false) {
|
|
|
|
|
goto next;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -1075,7 +1073,7 @@ static bool DetectRunTxInspectRule(ThreadVars *tv,
|
|
|
|
|
/* for a new inspection we inspect pkt header and packet matches */
|
|
|
|
|
if (likely(stored_flags == NULL)) {
|
|
|
|
|
TRACE_SID_TXS(s->id, tx, "first inspect, run packet matches");
|
|
|
|
|
if (DetectRunInspectRuleHeader(p, f, s, s->flags, s->proto.flags) == 0) {
|
|
|
|
|
if (DetectRunInspectRuleHeader(p, f, s, s->flags, s->proto.flags) == false) {
|
|
|
|
|
TRACE_SID_TXS(s->id, tx, "DetectRunInspectRuleHeader() no match");
|
|
|
|
|
return false;
|
|
|
|
|
}
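Review bot: The new call site compares the bool result against a literal, `if (DetectRunInspectRuleHeader(p, f, s, s->flags, s->proto.flags) == false) {`; now that the function returns bool, the idiomatic form is `if (!DetectRunInspectRuleHeader(p, f, s, s->flags, s->proto.flags)) {`. The same `== false` pattern appears in the -783,7 hunk inside DetectRulePacketRules, and the -1637,10 hunk in DetectRunFrames uses `if (r == true)` twice where `if (r)` reads the same. In that last hunk `r` is also reused to hold the result of DetectRunFrameInspectRule(); if that helper still returns int, assigning it to a `bool` is well-defined but the two results then have different types, which is worth confirming so the narrowing is intentional. The DetectRunFrames hunk continues past the end of this chunk.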
|
|
|
|
@ -1637,10 +1635,10 @@ static void DetectRunFrames(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngin
|
|
|
|
|
|
|
|
|
|
/* call individual rule inspection */
|
|
|
|
|
RULE_PROFILING_START(p);
|
|
|
|
|
int r = DetectRunInspectRuleHeader(p, f, s, s->flags, s->proto.flags);
|
|
|
|
|
if (r == 1) {
|
|
|
|
|
bool r = DetectRunInspectRuleHeader(p, f, s, s->flags, s->proto.flags);
|
|
|
|
|
if (r == true) {
|
|
|
|
|
r = DetectRunFrameInspectRule(tv, det_ctx, s, f, p, frames, frame);
|
|
|
|
|
if (r == 1) {
|
|
|
|
|
if (r == true) {
|
|
|
|
|
/* match */
|
|
|
|
|
DetectRunPostMatch(tv, det_ctx, p, s);
|
|
|
|
|
|
|
|
|
|