Large detection engine update.

remotes/origin/master-1.0.x
Victor Julien 17 years ago
parent 8b3d06fd92
commit 54ffe2053e

@ -32,7 +32,7 @@
#include "detect-content.h"
#include "detect-uricontent.h"
#include "detect-mpm.h"
#include "detect-engine-mpm.h"
#include "util-mpm.h"
#include "flow.h"

@ -10,8 +10,8 @@
#include "util-cidr.h"
#include "util-unittest.h"
#include "detect-address.h"
#include "detect-siggroup.h"
#include "detect-engine-address.h"
#include "detect-engine-siggroup.h"
int DetectAddressCmpIPv4(DetectAddressData *a, DetectAddressData *b) {
u_int32_t a_ip1 = ntohl(a->ip[0]);
@ -75,17 +75,7 @@ int DetectAddressGroupCutIPv4(DetectAddressGroup *a, DetectAddressGroup *b, Dete
/* default to NULL */
*c = NULL;
#ifdef DBG
printf("DetectAddressGroupCutIPv4: a "); DetectAddressDataPrint(a->ad); printf("\n");
printf("DetectAddressGroupCutIPv4: b "); DetectAddressDataPrint(b->ad); printf("\n");
printf("DetectAddressGroupCutIPv4: a sigs: ");
SigGroupContainer *sgc = a->sh ? a->sh->head : NULL;
for ( ; sgc != NULL; sgc = sgc->next) printf("%u ",sgc->s->id);
printf("\nDetectAddressGroupCutIPv4: b sigs: ");
sgc = b->sh ? b->sh->head : NULL;
for ( ; sgc != NULL; sgc = sgc->next) printf("%u ",sgc->s->id);
printf("\n");
#endif
int r = DetectAddressCmpIPv4(a->ad,b->ad);
if (r != ADDRESS_ES && r != ADDRESS_EB && r != ADDRESS_LE && r != ADDRESS_GE) {
printf("we shouldn't be here\n");
@ -129,8 +119,8 @@ int DetectAddressGroupCutIPv4(DetectAddressGroup *a, DetectAddressGroup *b, Dete
tmp_c->ad->ip2[0] = htonl(b_ip2);
*c = tmp_c;
SigGroupListCopy(b->sh,&tmp_c->sh);
SigGroupListCopy(a->sh,&b->sh);
SigGroupHeadCopySigs(b->sh,&tmp_c->sh);
SigGroupHeadCopySigs(a->sh,&b->sh);
for (port = b->port; port != NULL; port = port->next) {
DetectPortInsertCopy(&tmp_c->port, port);
@ -139,15 +129,6 @@ int DetectAddressGroupCutIPv4(DetectAddressGroup *a, DetectAddressGroup *b, Dete
DetectPortInsertCopy(&b->port, port);
}
#ifdef DBG
SigGroupContainer *sg;
printf("DetectAddressGroupCutIPv4: A "); DetectAddressDataPrint(a->ad); printf(" ");
for(sg = a->sh ? a->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u ", sg->s->id); printf("\n");
printf("DetectAddressGroupCutIPv4: B "); DetectAddressDataPrint(b->ad); printf(" ");
for(sg = b->sh ? b->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u ", sg->s->id); printf("\n");
printf("DetectAddressGroupCutIPv4: C "); DetectAddressDataPrint(tmp_c->ad); printf(" ");
for(sg = tmp_c->sh ? b->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u ", sg->s->id); printf("\n\n");
#endif
/* we have 3 parts: [bbb[baba]aaa]
* part a: b_ip1 <-> a_ip1 - 1
* part b: a_ip1 <-> b_ip2
@ -181,19 +162,12 @@ for(sg = tmp_c->sh ? b->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u "
/* 'a' gets clean and then 'b' sigs
* 'b' gets clean, then 'a' then 'b' sigs
* 'c' gets 'a' sigs */
SigGroupListCopy(a->sh,&tmp->sh); /* store old a list */
SigGroupListClean(a->sh); /* clean a list */
SigGroupListCopy(tmp->sh,&tmp_c->sh); /* copy old b to c */
SigGroupListCopy(b->sh,&a->sh); /* copy old b to a */
SigGroupListCopy(tmp->sh,&b->sh); /* prepend old a before b */
SigGroupListClean(tmp->sh); /* clean tmp list */
//SigGroupListCopy(a->sh,&tmp->sh); /* store old a list */
//SigGroupListClean(a->sh); /* clean a list */
//SigGroupListCopy(tmp->sh,&tmp_c->sh); /* copy old b to c */
//SigGroupListCopy(b->sh,&a->sh); /* copy old b to a */
//SigGroupListCopy(tmp->sh,&b->sh); /* prepend old a before b */
//SigGroupListClean(tmp->sh); /* clean tmp list */
SigGroupHeadCopySigs(a->sh,&tmp->sh); /* store old a list */
SigGroupHeadClearSigs(a->sh); /* clean a list */
SigGroupHeadCopySigs(tmp->sh,&tmp_c->sh); /* copy old b to c */
SigGroupHeadCopySigs(b->sh,&a->sh); /* copy old b to a */
SigGroupHeadCopySigs(tmp->sh,&b->sh); /* prepend old a before b */
SigGroupHeadClearSigs(tmp->sh); /* clean tmp list */
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(&tmp->port, port);
@ -239,19 +213,12 @@ for(sg = tmp_c->sh ? b->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u "
b->ad->ip2[0] = htonl(b_ip2);
/* 'b' overlaps 'a' so 'a' needs the 'b' sigs */
SigGroupListCopy(b->sh,&a->sh);
SigGroupHeadCopySigs(b->sh,&a->sh);
for (port = b->port; port != NULL; port = port->next) {
DetectPortInsertCopy(&a->port, port);
}
#ifdef DBG
SigGroupContainer *sg;
printf("DetectAddressGroupCutIPv4: A "); DetectAddressDataPrint(a->ad); printf(" ");
for(sg = a->sh ? a->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u ", sg->s->id); printf("\n");
printf("DetectAddressGroupCutIPv4: B "); DetectAddressDataPrint(b->ad); printf(" ");
for(sg = b->sh ? b->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u ", sg->s->id); printf("\n\n");
#endif
} else if (a_ip2 == b_ip2) {
#ifdef DBG
printf("DetectAddressGroupCutIPv4: 2\n");
@ -263,18 +230,11 @@ for(sg = b->sh ? b->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u ", sg
b->ad->ip2[0] = htonl(a_ip2);
/* 'a' overlaps 'b' so a needs the 'a' sigs */
SigGroupListCopy(a->sh,&b->sh);
SigGroupHeadCopySigs(a->sh,&b->sh);
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(&b->port, port);
}
#ifdef DBG
SigGroupContainer *sg;
printf("DetectAddressGroupCutIPv4: A "); DetectAddressDataPrint(a->ad); printf(" ");
for(sg = a->sh ? a->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u ", sg->s->id); printf("\n");
printf("DetectAddressGroupCutIPv4: B "); DetectAddressDataPrint(b->ad); printf(" ");
for(sg = b->sh ? b->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u ", sg->s->id); printf("\n\n");
#endif
} else {
#ifdef DBG
printf("3\n");
@ -303,19 +263,12 @@ for(sg = b->sh ? b->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u ", sg
/* 'a' gets clean and then 'b' sigs
* 'b' gets clean, then 'a' then 'b' sigs
* 'c' gets 'b' sigs */
SigGroupListCopy(a->sh,&tmp->sh); /* store old a list */
SigGroupListClean(a->sh); /* clean a list */
SigGroupListCopy(b->sh,&tmp_c->sh); /* copy old b to c */
SigGroupListCopy(b->sh,&a->sh); /* copy old b to a */
SigGroupListCopy(tmp->sh,&b->sh); /* prepend old a before b */
SigGroupListClean(tmp->sh); /* clean tmp list */
//SigGroupListCopy(a->sh,&tmp->sh); /* store old a list */
//SigGroupListClean(a->sh); /* clean a list */
//SigGroupListCopy(b->sh,&tmp_c->sh); /* copy old b to c */
//SigGroupListCopy(b->sh,&a->sh); /* copy old b to a */
//SigGroupListCopy(tmp->sh,&b->sh); /* prepend old a before b */
//SigGroupListClean(tmp->sh); /* clean tmp list */
SigGroupHeadCopySigs(a->sh,&tmp->sh); /* store old a list */
SigGroupHeadClearSigs(a->sh); /* clean a list */
SigGroupHeadCopySigs(b->sh,&tmp_c->sh); /* copy old b to c */
SigGroupHeadCopySigs(b->sh,&a->sh); /* copy old b to a */
SigGroupHeadCopySigs(tmp->sh,&b->sh); /* prepend old a before b */
SigGroupHeadClearSigs(tmp->sh); /* clean tmp list */
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(&tmp->port, port);
@ -370,11 +323,11 @@ for(sg = tmp_c->sh ? b->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u "
b->ad->ip2[0] = htonl(a_ip2);
/* 'b' overlaps 'a' so a needs the 'b' sigs */
SigGroupListCopy(b->sh,&tmp->sh);
SigGroupListClean(b->sh);
SigGroupListCopy(a->sh,&b->sh);
SigGroupListCopy(tmp->sh,&a->sh);
SigGroupListClean(tmp->sh);
SigGroupHeadCopySigs(b->sh,&tmp->sh);
SigGroupHeadClearSigs(b->sh);
SigGroupHeadCopySigs(a->sh,&b->sh);
SigGroupHeadCopySigs(tmp->sh,&a->sh);
SigGroupHeadClearSigs(tmp->sh);
for (port = b->port; port != NULL; port = port->next) {
DetectPortInsertCopy(&tmp->port, b->port);
@ -385,13 +338,6 @@ for(sg = tmp_c->sh ? b->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u "
for (port = tmp->port; port != NULL; port = port->next) {
DetectPortInsertCopy(&a->port, port);
}
#ifdef DBG
SigGroupContainer *sg;
printf("DetectAddressGroupCutIPv4: A "); DetectAddressDataPrint(a->ad); printf(" ");
for(sg = a->sh ? a->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u ", sg->s->id); printf("\n");
printf("DetectAddressGroupCutIPv4: B "); DetectAddressDataPrint(b->ad); printf(" ");
for(sg = b->sh ? b->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u ", sg->s->id); printf("\n\n");
#endif
} else if (a_ip2 == b_ip2) {
#ifdef DBG
printf("DetectAddressGroupCutIPv4: 2\n");
@ -403,18 +349,11 @@ for(sg = b->sh ? b->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u ", sg
b->ad->ip2[0] = htonl(b_ip2);
/* 'a' overlaps 'b' so a needs the 'a' sigs */
SigGroupListCopy(a->sh,&b->sh);
SigGroupHeadCopySigs(a->sh,&b->sh);
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(&b->port, port);
}
#ifdef DBG
SigGroupContainer *sg;
printf("DetectAddressGroupCutIPv4: A "); DetectAddressDataPrint(a->ad); printf(" ");
for(sg = a->sh ? a->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u ", sg->s->id); printf("\n");
printf("DetectAddressGroupCutIPv4: B "); DetectAddressDataPrint(b->ad); printf(" ");
for(sg = b->sh ? b->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u ", sg->s->id); printf("\n\n");
#endif
} else {
#ifdef DBG
printf("DetectAddressGroupCutIPv4: 3\n");
@ -443,8 +382,8 @@ for(sg = b->sh ? b->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u ", sg
/* 'a' stays the same wrt sigs
* 'b' keeps it's own sigs and gets a's sigs prepended
* 'c' gets 'a' sigs */
SigGroupListCopy(a->sh,&b->sh);
SigGroupListCopy(a->sh,&tmp_c->sh);
SigGroupHeadCopySigs(a->sh,&b->sh);
SigGroupHeadCopySigs(a->sh,&tmp_c->sh);
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(&b->port, port);
@ -452,24 +391,13 @@ for(sg = b->sh ? b->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u ", sg
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(&tmp_c->port, port);
}
#ifdef DBG
SigGroupContainer *sg;
printf("DetectAddressGroupCutIPv4: A "); DetectAddressDataPrint(a->ad); printf(" ");
for(sg = a->sh ? a->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u ", sg->s->id); printf("\n");
printf("DetectAddressGroupCutIPv4: B "); DetectAddressDataPrint(b->ad); printf(" ");
for(sg = b->sh ? b->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u ", sg->s->id); printf("\n");
printf("DetectAddressGroupCutIPv4: C "); DetectAddressDataPrint(tmp_c->ad); printf(" ");
for(sg = tmp_c->sh ? b->sh->head : NULL; sg != NULL; sg = sg->next) printf("%u ", sg->s->id); printf("\n\n");
#endif
}
}
/* XXX free tmp */
DetectAddressGroupFree(tmp);
return 0;
error:
/* XXX free tmp */
DetectAddressGroupFree(tmp);
return -1;
}
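Review bot: The port-copy loop in the `@ -370,11 +323,11 @@` hunk inserts the list head on every iteration, `DetectPortInsertCopy(&tmp->port, b->port);`, while every sibling loop in this function passes the loop variable (`DetectPortInsertCopy(&tmp_c->port, port);`, `DetectPortInsertCopy(&tmp->port, port);`); the commit renames the sig-copy calls directly above it but leaves this line untouched. Unless DetectPortInsertCopy walks the whole list itself (its body is not visible here), only the first port of `b` reaches `tmp` and therefore `a` in the following loop, so the cut group silently stops inspecting the remaining ports of `b`. The fix is the one-line change `DetectPortInsertCopy(&tmp->port, port);`. DetectAddressGroupCutIPv4 begins before this section's first hunk and the `tmp` allocation that the new `DetectAddressGroupFree(tmp)` on the error path relies on is outside the view, so I cannot confirm that `tmp` is always initialized before the first `goto error`.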

@ -10,8 +10,8 @@
#include "util-cidr.h"
#include "util-unittest.h"
#include "detect-address.h"
#include "detect-siggroup.h"
#include "detect-engine-address.h"
#include "detect-engine-siggroup.h"
/* return: 1 lt, 0 not lt */
@ -238,8 +238,8 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete
AddressCutIPv6Copy(b_ip2, tmp_c->ad->ip2);
*c = tmp_c;
SigGroupListCopy(b->sh,&tmp_c->sh); /* copy old b to c */
SigGroupListCopy(a->sh,&b->sh); /* copy old b to a */
SigGroupHeadCopySigs(b->sh,&tmp_c->sh); /* copy old b to c */
SigGroupHeadCopySigs(a->sh,&b->sh); /* copy old b to a */
/* we have 3 parts: [bbb[baba]aaa]
* part a: b_ip1 <-> a_ip1 - 1
@ -270,13 +270,13 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete
/* 'a' gets clean and then 'b' sigs
* 'b' gets clean, then 'a' then 'b' sigs
* 'c' gets 'a' sigs */
SigGroupListCopy(a->sh,&tmp->sh); /* store old a list */
SigGroupListClean(a->sh); /* clean a list */
SigGroupListCopy(tmp->sh,&tmp_c->sh); /* copy old b to c */
SigGroupListCopy(b->sh,&a->sh); /* copy old b to a */
SigGroupListCopy(tmp->sh,&b->sh); /* prepend old a before b */
SigGroupHeadCopySigs(a->sh,&tmp->sh); /* store old a list */
SigGroupHeadClearSigs(a->sh); /* clean a list */
SigGroupHeadCopySigs(tmp->sh,&tmp_c->sh); /* copy old b to c */
SigGroupHeadCopySigs(b->sh,&a->sh); /* copy old b to a */
SigGroupHeadCopySigs(tmp->sh,&b->sh); /* prepend old a before b */
SigGroupListClean(tmp->sh); /* clean tmp list */
SigGroupHeadClearSigs(tmp->sh); /* clean tmp list */
/* we have 2 or three parts:
*
@ -301,7 +301,7 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete
AddressCutIPv6Copy(b_ip2, b->ad->ip2);
/* 'b' overlaps 'a' so 'a' needs the 'b' sigs */
SigGroupListCopy(b->sh,&a->sh);
SigGroupHeadCopySigs(b->sh,&a->sh);
} else if (AddressIPv6Eq(a_ip2, b_ip2) == 1) {
AddressCutIPv6Copy(b_ip1, a->ad->ip);
AddressCutIPv6CopySubOne(a_ip1, a->ad->ip2);
@ -310,7 +310,7 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete
AddressCutIPv6Copy(a_ip2, b->ad->ip2);
/* 'a' overlaps 'b' so a needs the 'a' sigs */
SigGroupListCopy(a->sh,&b->sh);
SigGroupHeadCopySigs(a->sh,&b->sh);
} else {
AddressCutIPv6Copy(b_ip1, a->ad->ip);
AddressCutIPv6CopySubOne(a_ip1, a->ad->ip2);
@ -335,13 +335,13 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete
/* 'a' gets clean and then 'b' sigs
* 'b' gets clean, then 'a' then 'b' sigs
* 'c' gets 'b' sigs */
SigGroupListCopy(a->sh,&tmp->sh); /* store old a list */
SigGroupListClean(a->sh); /* clean a list */
SigGroupListCopy(b->sh,&tmp_c->sh); /* copy old b to c */
SigGroupListCopy(b->sh,&a->sh); /* copy old b to a */
SigGroupListCopy(tmp->sh,&b->sh); /* prepend old a before b */
SigGroupHeadCopySigs(a->sh,&tmp->sh); /* store old a list */
SigGroupHeadClearSigs(a->sh); /* clean a list */
SigGroupHeadCopySigs(b->sh,&tmp_c->sh); /* copy old b to c */
SigGroupHeadCopySigs(b->sh,&a->sh); /* copy old b to a */
SigGroupHeadCopySigs(tmp->sh,&b->sh); /* prepend old a before b */
SigGroupListClean(tmp->sh); /* clean tmp list */
SigGroupHeadClearSigs(tmp->sh); /* clean tmp list */
}
/* we have 2 or three parts:
*
@ -366,11 +366,11 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete
AddressCutIPv6Copy(a_ip2, b->ad->ip2);
/* 'b' overlaps 'a' so a needs the 'b' sigs */
SigGroupListCopy(b->sh,&tmp->sh);
SigGroupListClean(b->sh);
SigGroupListCopy(a->sh,&b->sh);
SigGroupListCopy(tmp->sh,&a->sh);
SigGroupListClean(tmp->sh);
SigGroupHeadCopySigs(b->sh,&tmp->sh);
SigGroupHeadClearSigs(b->sh);
SigGroupHeadCopySigs(a->sh,&b->sh);
SigGroupHeadCopySigs(tmp->sh,&a->sh);
SigGroupHeadClearSigs(tmp->sh);
} else if (AddressIPv6Eq(a_ip2, b_ip2) == 1) {
AddressCutIPv6Copy(a_ip1, a->ad->ip);
AddressCutIPv6CopySubOne(b_ip1, a->ad->ip2);
@ -379,7 +379,7 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete
AddressCutIPv6Copy(b_ip2, b->ad->ip2);
/* 'a' overlaps 'b' so a needs the 'a' sigs */
SigGroupListCopy(a->sh,&b->sh);
SigGroupHeadCopySigs(a->sh,&b->sh);
} else {
AddressCutIPv6Copy(a_ip1, a->ad->ip);
AddressCutIPv6CopySubOne(b_ip1, a->ad->ip2);
@ -404,8 +404,8 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete
/* 'a' stays the same wrt sigs
* 'b' keeps it's own sigs and gets a's sigs prepended
* 'c' gets 'a' sigs */
SigGroupListCopy(a->sh,&b->sh);
SigGroupListCopy(a->sh,&tmp_c->sh);
SigGroupHeadCopySigs(a->sh,&b->sh);
SigGroupHeadCopySigs(a->sh,&tmp_c->sh);
}
}
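Review bot: The trailing comments on several renamed lines describe the opposite direction of what the code does: `SigGroupHeadCopySigs(a->sh,&b->sh); /* copy old b to a */` in the `@ -238,8 +238,8 @@` hunk copies a's sigs into b, and `SigGroupHeadCopySigs(tmp->sh,&tmp_c->sh); /* copy old b to c */` in the `@ -270,13 +270,13 @@` hunk copies the saved old-a set into c, which the block comment right above it states correctly as "'c' gets 'a' sigs". Since the commit rewrites these lines anyway, this is the moment to change them to `/* copy old a to b */` and `/* copy old a to c */`. The same stale comments survive on the corresponding lines of the IPv4 variant (`@ -129,8 +119,8 @@` and `@ -181,19 +162,12 @@` hunks). A misleading comment on set-merging code in a detection engine is worse than none, because the next reader will "fix" the code to match the comment and drop signatures from a range.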

@ -15,10 +15,10 @@
#include "util-cidr.h"
#include "util-unittest.h"
#include "detect-siggroup.h"
#include "detect-address.h"
#include "detect-address-ipv4.h"
#include "detect-address-ipv6.h"
#include "detect-engine-siggroup.h"
#include "detect-engine-address.h"
#include "detect-engine-address-ipv4.h"
#include "detect-engine-address-ipv6.h"
int DetectAddressSetup (Signature *s, SigMatch *m, char *sidstr);
void DetectAddressTests (void);
@ -277,7 +277,7 @@ int DetectAddressGroupInsert(DetectAddressGroupsHead *gh, DetectAddressGroup *ne
for ( ; port != NULL; port = port->next) {
DetectPortInsertCopy(&cur->port,port);
}
SigGroupListCopy(new->sh,&cur->sh);
SigGroupHeadCopySigs(new->sh,&cur->sh);
DetectAddressGroupFree(new);
return 0;
}
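Review bot: The result of `SigGroupHeadCopySigs(new->sh,&cur->sh);` is discarded and `new` is freed on the very next line, so if the copy can fail (the `&cur->sh` out-parameter suggests it may have to allocate the destination head) the signatures carried by `new` vanish from the merged group while DetectAddressGroupInsert still returns 0, and the rules covering that address range silently stop matching. Every other call site this commit renames (the IPv4/IPv6 cut functions) has the same unchecked shape; this one is the most consequential because it also destroys the source. If the function reports failure with a negative return like the rest of this code, check it before freeing: `if (SigGroupHeadCopySigs(new->sh,&cur->sh) < 0) { DetectAddressGroupFree(new); return -1; }`, adjusted to whatever the ownership of `new` is on the caller's error path. The prototype is not visible here, so this is hedged on SigGroupHeadCopySigs actually having a failure mode.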

@ -7,8 +7,8 @@
#include "decode.h"
#include "detect.h"
#include "detect-siggroup.h"
#include "detect-mpm.h"
#include "detect-engine-siggroup.h"
#include "detect-engine-mpm.h"
#include "util-mpm.h"
#include "flow.h"

@ -11,7 +11,7 @@
#include "util-cidr.h"
#include "util-unittest.h"
#include "detect-siggroup.h"
#include "detect-engine-siggroup.h"
int DetectProtoSetup (Signature *s, SigMatch *m, char *sidstr);
void DetectProtoTests (void);
@ -75,15 +75,14 @@ int DetectProtoSetup (Signature *s, SigMatch *m, char *str)
/* TESTS */
int ProtoTestParse01 (void) {
/*
DetectProto dp;
memset(&dp,0,sizeof(DetectProto));
dp = DetectProtoParse("6");
if (dp) {
DetectProtoFree(dp);
int r = DetectProtoParse(&dp, "6");
if (r == 0) {
return 1;
}
*/
return 0;
}
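Review bot: ProtoTestParse01 appears to sit entirely inside a `/* ... */` block (the `/*` and `*/` look like context lines), so the commit updates dead code: the new `int r = DetectProtoParse(&dp, "6"); if (r == 0) { return 1; }` is never compiled and the function keeps returning 0 unconditionally, which with the `return 1` success convention of the commented body means the test is either permanently failing or silently skipped. Now that the `DetectProtoParse(DetectProto *, char *)` API exists the body could simply be re-enabled, since it no longer depends on the removed `DetectProtoFree` path. If it has to stay disabled, say why rather than leaving a commented-out test that looks maintained, e.g. `/* TODO: re-enable once DetectProtoParse is registered in the unit-test run */`. The added `memset(&dp,0,sizeof(DetectProto));` is the right precaution if the parser only fills some fields, and is worth keeping when the body is revived.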

@ -10,6 +10,7 @@ typedef struct DetectProto_ {
/* prototypes */
void DetectProtoRegister (void);
int DetectProtoParse(DetectProto *dp, char *str);
#endif /* __DETECT_PROTO_H__ */
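Review bot: The new prototype `int DetectProtoParse(DetectProto *dp, char *str);` takes a writable string, and that is what forces the `(char *)protostr` cast that this commit adds in SigParseProto (detect-parse.c hunk `@ -258,7 +269,7 @@`) and the matching casts in SigParsePort. If the parser only reads `str` (the unit test passes the literal `"6"`), declare it `const char *str` and drop the casts; if it does modify the string, the cast in SigParseProto lets it write through a `const char *` that may point at a string literal, which is undefined behaviour, so either way the signature is where this should be settled. A one-line contract comment would also help callers, e.g. `/* parse a protocol string into *dp; returns 0 on success, < 0 on error */`, the negative-on-error part being what SigParseProto's `if (r < 0)` already assumes.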

@ -8,7 +8,7 @@
#include "detect.h"
#include "detect-engine-address.h"
#include "detect-mpm.h"
#include "detect-engine-mpm.h"
/* prototypes */
int SigGroupHeadClearSigs(SigGroupHead *);

@ -6,9 +6,9 @@
#include "flow.h"
#include "detect-parse.h"
#include "detect-siggroup.h"
#include "detect-address.h"
#include "detect-engine-siggroup.h"
#include "detect-engine-address.h"
DetectEngineCtx *DetectEngineCtxInit(void) {
DetectEngineCtx *de_ctx;
@ -25,3 +25,7 @@ error:
return NULL;
}
void DetectEngineCtxFree(DetectEngineCtx *de_ctx) {
free(de_ctx);
}
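Review bot: `DetectEngineCtxFree` releases only the struct itself, while this commit's detect.h hunk gives DetectEngineCtx owned-looking members (`sig_list`, `sig_array`, `sig_cnt`, `sig_array_len`) that are not touched here; if the context owns them this leaks the whole signature set on every free, and if the caller owns them the split is undocumented and invites a later double free. Either walk and free the members here (the Signature list has a `next` pointer, so a loop over `sig_list` is straightforward) or state the contract above the function: `/* frees the ctx struct only; sig_list and sig_array must be released by the caller first */`. DetectEngineCtxInit is cut by the preceding hunk, so I cannot confirm which members it allocates. No NULL guard is needed: `free(NULL)` is a no-op.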

@ -2,7 +2,8 @@
#define __DETECT_ENGINE_H__
/* prototypes */
DetectEngineCtx *DetectEngineCtxInit();
DetectEngineCtx *DetectEngineCtxInit(void);
void DetectEngineCtxFree(DetectEngineCtx *);
#endif /* __DETECT_ENGINE_H__ */

@ -14,6 +14,9 @@ static pcre *option_pcre = NULL;
static pcre_extra *config_pcre_extra = NULL;
static pcre_extra *option_pcre_extra = NULL;
/* XXX this should be part of the DE */
static u_int32_t signum = 0;
#define CONFIG_PARTS 8
#define CONFIG_ACTION 0
@ -30,6 +33,14 @@ static pcre_extra *option_pcre_extra = NULL;
#define OPTION_PARTS 3
#define OPTION_PCRE "^\\s*([A-z_0-9]+)(?:\\s*\\:\\s*(.*)(?<!\\\\))?\\s*;\\s*(?:\\s*(.*))?\\s*$"
u_int32_t SigGetMaxId(void) {
return signum;
}
void SigResetMaxId(void) {
signum = 0;
}
SigMatch *SigMatchAlloc(void) {
SigMatch *sm = malloc(sizeof(SigMatch));
if (sm == NULL)
@ -258,7 +269,7 @@ error:
*
*/
int SigParseProto(Signature *s, const char *protostr) {
int r = DetectProtoParse(&s->proto,protostr);
int r = DetectProtoParse(&s->proto,(char *)protostr);
if (r < 0) {
return -1;
}
@ -270,24 +281,32 @@ int SigParseProto(Signature *s, const char *protostr) {
*
*/
int SigParsePort(Signature *s, const char *portstr, char flag) {
SigPort p;
if (strcasecmp(portstr, "any") == 0) {
if (flag == 0) {
s->sp = 0;
s->flags |= SIG_FLAG_SP_ANY;
} else {
s->dp = 0;
s->flags |= SIG_FLAG_DP_ANY;
}
int r = 0;
char *port;
/* XXX VJ exclude handling this for none UDP/TCP proto's */
if (strcmp(portstr,"$HTTP_PORTS") == 0) {
port = "80:81,88";
} else if (strcmp(portstr,"$SHELLCODE_PORTS") == 0) {
port = "!80";
} else if (strcmp(portstr,"$ORACLE_PORTS") == 0) {
port = "1521";
} else if (strcmp(portstr,"$SSH_PORTS") == 0) {
port = "22";
} else {
p = atoi(portstr);
port = (char *)portstr;
}
if (flag == 0) {
s->sp = p;
} else {
s->dp = p;
}
if (flag == 0) {
r = DetectPortParse(&s->sp,(char *)port);
} else if (flag == 1) {
r = DetectPortParse(&s->dp,(char *)port);
//DetectPortPrintList(s->dp);
}
if (r < 0) {
printf("SigParsePort: DetectPortParse \"%s\" failed\n", portstr);
return -1;
}
return 0;
@ -442,6 +461,8 @@ Signature *SigInit(char *sigstr) {
if (SigParse(sig, sigstr) < 0)
goto error;
sig->num = signum;
signum++;
return sig;
error:
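Review bot: In the rewritten SigParsePort (`@ -270,24 +281,32 @@` hunk), `r` keeps its initial 0 when `flag` is neither 0 nor 1, so the function returns success without parsing anything and neither `s->sp` nor `s->dp` is set; the removed code treated any non-zero flag as the destination port, so the drop-through is new. Add `} else { return -1; }` after the `flag == 1` branch, or keep the old two-way split. The `$HTTP_PORTS`/`$SHELLCODE_PORTS`/`$ORACLE_PORTS`/`$SSH_PORTS` expansions are hard-coded and any other `$NAME` is handed to DetectPortParse as a literal, so a rule written against an unexpanded variable matches something other than the author intended; the existing XXX only mentions the proto restriction, so extend it with `/* XXX temporary hard-coded port variables; other $VARs are passed through unexpanded */` until a real variable table exists. The removed `"any"` special case now relies on DetectPortParse accepting that string, which is not visible here. SigInit continues beyond the last hunk.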

@ -9,7 +9,7 @@
#include "detect-pcre.h"
#include "detect-mpm.h"
#include "detect-engine-mpm.h"
#define PARSE_CAPTURE_REGEX "\\(\\?P\\<([A-z0-9_]+)\\>"
#define PARSE_REGEX "(?<!\\\\)/(.*)(?<!\\\\)/([A-z]*)"

@ -21,7 +21,7 @@
#include "decode.h"
#include "detect.h"
#include "detect-uricontent.h"
#include "detect-mpm.h"
#include "detect-engine-mpm.h"
#include "flow.h"
#include "detect-flow.h"
#include "flow-var.h"


@ -2,7 +2,9 @@
#define __DETECT_H__
#include "detect-engine-proto.h"
#include "detect-address.h"
#include "detect-engine-port.h"
#include "detect-engine-address.h"
#include "detect-content.h"
#include "detect-uricontent.h"
@ -12,6 +14,8 @@
#define SIG_FLAG_NOALERT 0x08
#define SIG_FLAG_IPONLY 0x10 /* ip only signature */
#define DE_QUIET 0x01
typedef struct _PatternMatcherThread {
/* detection engine variables */
u_int8_t *pkt_ptr; /* ptr to the current position in the pkt */
@ -36,22 +40,20 @@ typedef struct _PatternMatcherThread {
MpmThreadCtx mtcu;
} PatternMatcherThread;
/* for now typedef them to known types, we will implement
* our types later... */
typedef Port SigPort;
typedef Address SigAddress;
typedef struct _Signature {
u_int32_t num; /* signature number */
u_int32_t id;
u_int8_t rev;
u_int8_t prio;
char *msg;
u_int8_t flags;
u_int8_t action;
DetectAddressGroupsHead src, dst;
SigPort sp, dp;
DetectProto proto;
u_int32_t rulegroup_refcnt;
DetectPort *sp, *dp;
//u_int32_t rulegroup_refcnt;
struct _SigMatch *match;
struct _Signature *next;
} Signature;
@ -74,9 +76,15 @@ typedef struct SigTableElmt {
} SigTableElmt;
typedef struct DetectEngineCtx_ {
u_int8_t flags;
Signature *sig_list;
u_int32_t sig_cnt;
Signature **sig_array;
u_int32_t sig_array_size; /* size in bytes */
u_int32_t sig_array_len; /* size in array members */
/* ip only sigs: we only add 'alert ip' without
* an ip_proto setting here, so no need to look
* at the proto */
@ -93,24 +101,6 @@ typedef struct DetectEngineCtx_ {
} DetectEngineCtx;
#define SIGGROUP_PROTO 1
#define SIGGROUP_SP 2
#define SIGGROUP_DP 3
#define SIGGROUP_SRC 4
#define SIGGROUP_DST 5
#define SIGGROUP_FLOW 6
#define SIGGROUP_DSIZE 7
/* XXX more? */
/* list container for signatures in the rule groups */
typedef struct _SigGroupContainer {
/* ptr to the signature */
Signature *s;
/* list */
struct _SigGroupContainer *next;
} SigGroupContainer;
/* container for content matches... we use this to compare
* group heads for contents
* XXX name */
@ -131,11 +121,12 @@ typedef struct _SigGroupUricontent {
#define SIG_GROUP_HAVEURICONTENT 0x2
/* XXX rename */
#define SIG_GROUP_INITIALIZED 0x4
#define SIG_GROUP_COPY 0x8
//#define SIG_GROUP_INITIALIZED 0x4
//#define SIG_GROUP_COPY 0x8
#define SIG_GROUP_HEAD_MPM_COPY 0x4
#define SIG_GROUP_HEAD_MPM_URI_COPY 0x8
#define SIG_GROUP_HEAD_FREE 0x10
/* head of the list of containers. */
typedef struct _SigGroupHead {
@ -145,21 +136,30 @@ typedef struct _SigGroupHead {
MpmCtx *mpm_ctx;
MpmCtx *mpm_uri_ctx;
/* number of sigs in this head */
u_int32_t sig_cnt;
u_int8_t *sig_array; /* bit array of sig nums */
u_int32_t sig_size; /* size in bytes */
/* array with sig nums... size is sig_cnt * sizeof(u_int32_t) */
u_int32_t *match_array;
/* list of content containers
* XXX move into a separate data struct
* with only a ptr to it. Saves some memory
* after initialization
* XXX use a bitarray to save 7/8 of the mem*/
*/
u_int32_t *content_array;
u_int32_t content_size;
u_int32_t *uri_content_array;
u_int32_t uri_content_size;
/* list of signature containers */
SigGroupContainer *head;
SigGroupContainer *tail;
u_int32_t sig_cnt;
/* port ptr */
struct DetectPort_ *port;
struct _SigGroupHead *mpm_next; /* mpm and mpm_uri hash */
struct _SigGroupHead *mpm_uri_next; /* mpm and mpm_uri hash */
struct _SigGroupHead *next;
} SigGroupHead;
@ -190,9 +190,11 @@ enum {
DETECT_FLOW,
DETECT_DSIZE,
DETECT_FLOWVAR,
DETECT_NOALERT,
DETECT_ADDRESS,
DETECT_PROTO,
DETECT_NOALERT,
DETECT_PORT,
/* make sure this stays last */
DETECT_TBLSIZE,
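Review bot: The new SigGroupHead fields `u_int8_t *sig_array; /* bit array of sig nums */`, `u_int32_t sig_size; /* size in bytes */` and `u_int32_t *match_array;` do not say which index space they use, and the only candidate on this page is the new `Signature.num`, which detect-parse.c assigns from a file-scope counter that `SigResetMaxId` can rewind; a bit array indexed by a resettable counter will alias two signatures onto one bit if any head outlives a reset, so the invariant deserves to be written down next to the fields, e.g. `/* bit array indexed by Signature.num; sig_size bytes, must cover SigGetMaxId(); numbers must not be reset while heads exist */` (hedged: the indexing is inferred from the comments and the counter, not from code visible here). The `match_array` comment says "size is sig_cnt * sizeof(u_int32_t)" while `sig_cnt` now appears twice in the struct (once above `sig_array`, once below the content arrays), which looks like a leftover from the merge and should collapse to one member. Finally, `SIG_GROUP_HEAD_MPM_COPY 0x4` and `SIG_GROUP_HEAD_MPM_URI_COPY 0x8` reuse the bit values of the commented-out `SIG_GROUP_INITIALIZED`/`SIG_GROUP_COPY`; delete the dead defines rather than commenting them out so they cannot be revived with the same values.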

@ -3,22 +3,6 @@
#ifndef __UTIL_MPM_H__
#define __UTIL_MPM_H__
#define MPM_INSTANCE_CONTENT 0 /* content match */
#define MPM_INSTANCE_URICONTENT 1
#define MPM_INSTANCE_MAX 2
#define MPM_INSTANCE_URIOFFSET 1
#if 0
#define MPM_INSTANCE_TOSERVER 0 /* content match */
#define MPM_INSTANCE_TOCLIENT 1
#define MPM_INSTANCE_URI_TOSERVER 2 /* uricontent match */
#define MPM_INSTANCE_URI_TOCLIENT 3
#define MPM_INSTANCE_MAX 4
#define MPM_INSTANCE_BOTH 5
#define MPM_INSTANCE_URIOFFSET 2
#endif
#define MPM_ENDMATCH_SINGLE 0x01 /* A single match is sufficient */
#define MPM_ENDMATCH_OFFSET 0x02 /* has offset setting */
#define MPM_ENDMATCH_DEPTH 0x04 /* has depth setting */
@ -27,7 +11,7 @@ enum {
MPM_TRIE,
MPM_WUMANBER,
/* tble size */
/* table size */
MPM_TABLE_SIZE,
};
