aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect/transform: Validator for compress-ws

Browse Source 
This commit adds a buffer validator for compress whitespace. Buffers
containing two or more consecutive whitespace characters are invalid
with this transform.
pull/5475/head
Jeff Lucovsky 5 years ago committed by Victor Julien
parent 30b1d7a9c1
commit 4624e66cdd
1 changed files with 62 additions and 3 deletions
Show Stats Download Patch File Download Diff File

65
src/detect-transform-compress-whitespace.c
Unescape Escape View File

@ -39,6 +39,8 @@ static int DetectTransformCompressWhitespaceSetup (DetectEngineCtx *, Signature
static void DetectTransformCompressWhitespaceRegisterTests(void); static void DetectTransformCompressWhitespaceRegisterTests(void);
#endif #endif
static void TransformCompressWhitespace(InspectionBuffer *buffer, void *options); static void TransformCompressWhitespace(InspectionBuffer *buffer, void *options);
static bool TransformCompressWhitespaceValidate(
const uint8_t *content, uint16_t content_len, void *options);
void DetectTransformCompressWhitespaceRegister(void) void DetectTransformCompressWhitespaceRegister(void)
{ {
@ -50,6 +52,8 @@ void DetectTransformCompressWhitespaceRegister(void)
"/rules/transforms.html#compress-whitespace"; "/rules/transforms.html#compress-whitespace";
sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].Transform = sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].Transform =
TransformCompressWhitespace; TransformCompressWhitespace;
sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].TransformValidate =
TransformCompressWhitespaceValidate;
sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].Setup = sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].Setup =
DetectTransformCompressWhitespaceSetup; DetectTransformCompressWhitespaceSetup;
#ifdef UNITTESTS #ifdef UNITTESTS
@ -75,6 +79,30 @@ static int DetectTransformCompressWhitespaceSetup (DetectEngineCtx *de_ctx, Sign
SCReturnInt(r); SCReturnInt(r);
} }
/*
* \brief Validate content bytes to see if it's compatible with this transform
* \param content Byte array to check for compatibility
* \param content_len Number of bytes to check
* \param options Ignored
* \retval false If the string contains spaces
* \retval true Otherwise.
*/
static bool TransformCompressWhitespaceValidate(
const uint8_t *content, uint16_t content_len, void *options)
{
if (content) {
for (uint32_t i = 0; i < content_len; i++) {
if (!isspace(*content++)) {
continue;
}
if ((i + 1) < content_len && isspace(*content)) {
return false;
}
}
}
return true;
}
static void TransformCompressWhitespace(InspectionBuffer *buffer, void *options) static void TransformCompressWhitespace(InspectionBuffer *buffer, void *options)
{ {
const uint8_t *input = buffer->inspect; const uint8_t *input = buffer->inspect;
@ -132,7 +160,7 @@ static int DetectTransformCompressWhitespaceTest01(void)
uint32_t input_len = strlen((char *)input); uint32_t input_len = strlen((char *)input);
InspectionBuffer buffer; InspectionBuffer buffer;
InspectionBufferInit(&buffer, 8); InspectionBufferInit(&buffer, 9);
InspectionBufferSetup(&buffer, input, input_len); InspectionBufferSetup(&buffer, input, input_len);
PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
TransformCompressWhitespace(&buffer, NULL); TransformCompressWhitespace(&buffer, NULL);
@ -147,7 +175,7 @@ static int DetectTransformCompressWhitespaceTest02(void)
uint32_t input_len = strlen((char *)input); uint32_t input_len = strlen((char *)input);
InspectionBuffer buffer; InspectionBuffer buffer;
InspectionBufferInit(&buffer, 8); InspectionBufferInit(&buffer, 9);
InspectionBufferSetup(&buffer, input, input_len); InspectionBufferSetup(&buffer, input, input_len);
PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len); PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
TransformDoubleWhitespace(&buffer); TransformDoubleWhitespace(&buffer);
@ -160,11 +188,42 @@ static int DetectTransformCompressWhitespaceTest02(void)
PASS; PASS;
} }
static int DetectTransformCompressWhitespaceTest03(void)
{
const uint8_t *input = (const uint8_t *)" A B C D ";
uint32_t input_len = strlen((char *)input);
InspectionBuffer buffer;
InspectionBufferInit(&buffer, 10);
InspectionBufferSetup(&buffer, input, input_len);
PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
FAIL_IF(TransformCompressWhitespaceValidate(buffer.inspect, buffer.inspect_len, NULL));
PASS;
}
static int DetectTransformCompressWhitespaceTest04(void)
{
const uint8_t *input = (const uint8_t *)" A B C D ";
uint32_t input_len = strlen((char *)input);
InspectionBuffer buffer;
InspectionBufferInit(&buffer, 9);
InspectionBufferSetup(&buffer, input, input_len);
TransformDoubleWhitespace(&buffer);
PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
FAIL_IF(TransformCompressWhitespaceValidate(buffer.inspect, buffer.inspect_len, NULL));
PASS;
}
static void DetectTransformCompressWhitespaceRegisterTests(void) static void DetectTransformCompressWhitespaceRegisterTests(void)
{ {
UtRegisterTest("DetectTransformCompressWhitespaceTest01", UtRegisterTest("DetectTransformCompressWhitespaceTest01",
DetectTransformCompressWhitespaceTest01); DetectTransformCompressWhitespaceTest01);
UtRegisterTest("DetectTransformCompressWhitespaceTest02", UtRegisterTest("DetectTransformCompressWhitespaceTest02",
DetectTransformCompressWhitespaceTest02); DetectTransformCompressWhitespaceTest02);
UtRegisterTest(
"DetectTransformCompressWhitespaceTest03", DetectTransformCompressWhitespaceTest03);
UtRegisterTest(
"DetectTransformCompressWhitespaceTest04", DetectTransformCompressWhitespaceTest04);
} }
#endif #endif

Write Preview
Loading…
Cancel
Save