pkt-var: use id instead of name pointer

pull/2559/head
Victor Julien 9 years ago
parent a0bd15a1c4
commit 5e39486399

@ -125,8 +125,9 @@ static void AlertDebugLogPktVars(AlertDebugLogThread *aft, const Packet *p)
{ {
const PktVar *pv = p->pktvar; const PktVar *pv = p->pktvar;
while(pv != NULL) { while (pv != NULL) {
MemBufferWriteString(aft->buffer, "PKTVAR: %s\n", pv->name); const char *varname = VarNameStoreLookupById(pv->id, VAR_TYPE_PKT_VAR);
MemBufferWriteString(aft->buffer, "PKTVAR: %s\n", varname);
PrintRawDataToBuffer(aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size, PrintRawDataToBuffer(aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
pv->value, pv->value_len); pv->value, pv->value_len);
pv = pv->next; pv = pv->next;
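Review bot: The pointer returned by `VarNameStoreLookupById(pv->id, VAR_TYPE_PKT_VAR)` is passed straight to the `%s` in `MemBufferWriteString` with no NULL check. The lookup's contract is not visible here, but if it can return NULL for an id that is missing from the name store, a printf-style formatter would be handed a NULL string, which is undefined behaviour. A guard before the write, such as `if (varname == NULL) varname = "<unknown>";`, keeps the debug logger safe whatever the store contains. The loop and the rest of AlertDebugLogPktVars continue outside this hunk.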

@ -298,7 +298,7 @@ typedef struct PacketEngineEvents_ {
} PacketEngineEvents; } PacketEngineEvents;
typedef struct PktVar_ { typedef struct PktVar_ {
const char *name; uint32_t id;
struct PktVar_ *next; /* right now just implement this as a list, struct PktVar_ *next; /* right now just implement this as a list,
* in the long run we have thing of something * in the long run we have thing of something
* faster. */ * faster. */

@ -226,9 +226,7 @@ int DetectPcrePayloadMatch(DetectEngineThreadCtx *det_ctx, const Signature *s,
continue; continue;
if (pe->captypes[x] == VAR_TYPE_PKT_VAR && p != NULL) { if (pe->captypes[x] == VAR_TYPE_PKT_VAR && p != NULL) {
const char *varname = VarNameStoreLookupById(pe->capids[x], PktVarAdd(p, pe->capids[x], (uint8_t *)str_ptr, ret);
VAR_TYPE_PKT_VAR);
PktVarAdd(p, varname, (uint8_t *)str_ptr, ret);
} else if (pe->captypes[x] == VAR_TYPE_FLOW_VAR && f != NULL) { } else if (pe->captypes[x] == VAR_TYPE_FLOW_VAR && f != NULL) {
/* store max 64k. Errors are ignored */ /* store max 64k. Errors are ignored */
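Review bot: `PktVarAdd(p, pe->capids[x], (uint8_t *)str_ptr, ret);` passes `ret` into a `uint16_t size` parameter (per the PktVarAdd signature shown elsewhere on this page) with no visible bound. The flow-var branch right below is commented as storing at most 64k. The declaration of `ret` is outside the hunk, but if it is an int capture length, a capture longer than 65535 bytes would wrap and leave `value_len` inconsistent with the buffer that was handed over. Clamping before the call would match the other branch: `PktVarAdd(p, pe->capids[x], (uint8_t *)str_ptr, (ret < 0xffff) ? (uint16_t)ret : 0xffff);`. DetectPcrePayloadMatch starts and ends outside this hunk.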

@ -66,7 +66,7 @@ static int DetectPktvarMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Pac
int ret = 0; int ret = 0;
const DetectPktvarData *pd = (const DetectPktvarData *)ctx; const DetectPktvarData *pd = (const DetectPktvarData *)ctx;
PktVar *pv = PktVarGet(p, pd->name); PktVar *pv = PktVarGet(p, pd->id);
if (pv != NULL) { if (pv != NULL) {
uint8_t *ptr = SpmSearch(pv->value, pv->value_len, pd->content, pd->content_len); uint8_t *ptr = SpmSearch(pv->value, pv->value_len, pd->content, pd->content_len);
if (ptr != NULL) if (ptr != NULL)
@ -92,7 +92,6 @@ static int DetectPktvarSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawst
if (ret != 3) { if (ret != 3) {
SCLogError(SC_ERR_PCRE_MATCH, "\"%s\" is not a valid setting for pktvar.", rawstr); SCLogError(SC_ERR_PCRE_MATCH, "\"%s\" is not a valid setting for pktvar.", rawstr);
return -1; return -1;
} }
const char *str_ptr; const char *str_ptr;
@ -199,12 +198,7 @@ static int DetectPktvarSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawst
return -1; return -1;
} }
cd->name = SCStrdup(varname); cd->id = VarNameStoreSetupAdd(varname, VAR_TYPE_PKT_VAR);
if (cd->name == NULL) {
SCFree(cd);
if (dubbed) SCFree(str);
return -1;
}
memcpy(cd->content, str, len); memcpy(cd->content, str, len);
cd->content_len = len; cd->content_len = len;
@ -228,8 +222,6 @@ error:
if (dubbed) if (dubbed)
SCFree(str); SCFree(str);
if (cd) { if (cd) {
if (cd->name)
SCFree(cd->name);
SCFree(cd); SCFree(cd);
} }
if (sm) if (sm)
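Review bot: In DetectPktvarSetup, `cd->id = VarNameStoreSetupAdd(varname, VAR_TYPE_PKT_VAR);` replaces a checked `SCStrdup` with a call whose result is never checked. Whether VarNameStoreSetupAdd can fail is not visible here. If it can, and it signals failure with a reserved id, the keyword would be registered with an id that never matches or that is shared by every failed registration. Consider testing the result and failing the setup, e.g. `if (cd->id == 0) goto error;`, with the sentinel adjusted to whatever the function actually returns, or mirroring the cleanup that the removed NULL check performed. The function body starts and ends outside these hunks.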

@ -25,10 +25,10 @@
#define __DETECT_PKTVAR_H__ #define __DETECT_PKTVAR_H__
typedef struct DetectPktvarData_ { typedef struct DetectPktvarData_ {
char *name; uint32_t id;
uint8_t *content;
uint8_t content_len; uint8_t content_len;
uint8_t flags; uint8_t flags;
uint8_t *content;
} DetectPktvarData; } DetectPktvarData;
/* prototypes */ /* prototypes */

@ -5133,59 +5133,42 @@ static int SigTest17 (void)
Packet *p = NULL; Packet *p = NULL;
ThreadVars th_v; ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL; DetectEngineThreadCtx *det_ctx = NULL;
int result = 0;
memset(&th_v, 0, sizeof(th_v)); memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 80); p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 80);
FAIL_IF_NULL(p);
ConfCreateContextBackup(); ConfCreateContextBackup();
ConfInit(); ConfInit();
ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string)); ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) { FAIL_IF_NULL(de_ctx);
goto end;
}
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:1;)"); Signature *s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:1;)");
if (de_ctx->sig_list == NULL) { FAIL_IF_NULL(s);
result = 0;
goto end;
}
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p); SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
PktVar *pv_hn = PktVarGet(p, "http_host");
if (pv_hn != NULL) {
if (memcmp(pv_hn->value, "one.example.org", pv_hn->value_len < 15 ? pv_hn->value_len : 15) == 0)
result = 1;
else {
printf("\"");
PrintRawUriFp(stdout, pv_hn->value, pv_hn->value_len);
printf("\" != \"one.example.org\": ");
}
PktVarFree(pv_hn);
} else {
printf("Pkt var http_host not captured: ");
}
end: uint32_t capid = VarNameStoreLookupByName("http_host", VAR_TYPE_PKT_VAR);
if (de_ctx != NULL) {
SigGroupCleanup(de_ctx); PktVar *pv_hn = PktVarGet(p, capid);
SigCleanSignatures(de_ctx); FAIL_IF_NULL(pv_hn);
if (det_ctx != NULL)
FAIL_IF(pv_hn->value_len != 15);
FAIL_IF_NOT(memcmp(pv_hn->value, "one.example.org", pv_hn->value_len) == 0);
PktVarFree(pv_hn);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx); DetectEngineCtxFree(de_ctx);
}
ConfDeInit(); ConfDeInit();
ConfRestoreContextBackup(); ConfRestoreContextBackup();
UTHFreePackets(&p, 1); UTHFreePackets(&p, 1);
return result;
PASS;
} }
static int SigTest18 (void) static int SigTest18 (void)
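Review bot: In SigTest17, `capid` from `VarNameStoreLookupByName("http_host", VAR_TYPE_PKT_VAR)` is passed to `PktVarGet` without being checked. If the name was never registered, the test only fails later at `FAIL_IF_NULL(pv_hn)`, which reads as a capture failure rather than a name-store failure. Adding `FAIL_IF(capid == 0);` right after the lookup would separate the two cases, assuming 0 is the not-found value, which this page does not show. A short comment that the lookup key is the capture name without the `pkt_` prefix used in the pcre group `pkt_http_host` would also help the next reader.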

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2010 Open Information Security Foundation /* Copyright (C) 2007-2016 Open Information Security Foundation
* *
* You can copy, redistribute or modify this Program under the terms of * You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free * the GNU General Public License version 2 as published by the Free
@ -35,9 +35,10 @@
#include "util-debug.h" #include "util-debug.h"
/* puts a new value into a pktvar */ /* puts a new value into a pktvar */
void PktVarUpdate(PktVar *pv, uint8_t *value, uint16_t size) static void PktVarUpdate(PktVar *pv, uint8_t *value, uint16_t size)
{ {
if (pv->value) SCFree(pv->value); if (pv->value)
SCFree(pv->value);
pv->value = value; pv->value = value;
pv->value_len = size; pv->value_len = size;
} }
@ -45,12 +46,12 @@ void PktVarUpdate(PktVar *pv, uint8_t *value, uint16_t size)
/* get the pktvar with name 'name' from the pkt /* get the pktvar with name 'name' from the pkt
* *
* name is a normal string*/ * name is a normal string*/
PktVar *PktVarGet(Packet *p, const char *name) PktVar *PktVarGet(Packet *p, uint32_t id)
{ {
PktVar *pv = p->pktvar; PktVar *pv = p->pktvar;
for (;pv != NULL; pv = pv->next) { for (;pv != NULL; pv = pv->next) {
if (pv->name && strcmp(pv->name, name) == 0) if (pv->id == id)
return pv; return pv;
} }
@ -58,23 +59,24 @@ PktVar *PktVarGet(Packet *p, const char *name)
} }
/* add a pktvar to the pkt, or update it */ /* add a pktvar to the pkt, or update it */
void PktVarAdd(Packet *p, const char *name, uint8_t *value, uint16_t size) void PktVarAdd(Packet *p, uint32_t id, uint8_t *value, uint16_t size)
{ {
//printf("Adding packet var \"%s\" with value(%" PRId32 ") \"%s\"\n", name, size, value); //printf("Adding packet var \"%s\" with value(%" PRId32 ") \"%s\"\n", name, size, value);
PktVar *pv = PktVarGet(p, name); PktVar *pv = PktVarGet(p, id);
if (pv == NULL) { if (pv == NULL) {
pv = SCMalloc(sizeof(PktVar)); pv = SCMalloc(sizeof(PktVar));
if (unlikely(pv == NULL)) if (unlikely(pv == NULL))
return; return;
pv->name = name; pv->id = id;
pv->value = value; pv->value = value;
pv->value_len = size; pv->value_len = size;
pv->next = NULL; pv->next = NULL;
PktVar *tpv = p->pktvar; PktVar *tpv = p->pktvar;
if (p->pktvar == NULL) p->pktvar = pv; if (p->pktvar == NULL)
p->pktvar = pv;
else { else {
while(tpv) { while(tpv) {
if (tpv->next == NULL) { if (tpv->next == NULL) {
@ -94,7 +96,6 @@ void PktVarFree(PktVar *pv)
if (pv == NULL) if (pv == NULL)
return; return;
pv->name = NULL;
if (pv->value != NULL) if (pv->value != NULL)
SCFree(pv->value); SCFree(pv->value);
PktVar *pv_next = pv->next; PktVar *pv_next = pv->next;
@ -104,21 +105,3 @@ void PktVarFree(PktVar *pv)
if (pv_next != NULL) if (pv_next != NULL)
PktVarFree(pv_next); PktVarFree(pv_next);
} }
void PktVarPrint(PktVar *pv)
{
uint16_t i;
if (pv == NULL)
return;
printf("Name \"%s\", Value \"", pv->name);
for (i = 0; i < pv->value_len; i++) {
if (isprint(pv->value[i])) printf("%c", pv->value[i]);
else printf("\\%02X", pv->value[i]);
}
printf("\", Len \"%" PRIu32 "\"\n", pv->value_len);
PktVarPrint(pv->next);
}
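Review bot: The comment above `PktVarGet` still reads "get the pktvar with name 'name' from the pkt" and "name is a normal string", although the parameter is now `uint32_t id`. Reword it to something like `/* get the pktvar with id 'id' from the pkt; ids come from the var name store */`. The commented-out `printf` at the top of `PktVarAdd` also still formats `name`, which no longer exists in that function, so it should be updated to print `id` or deleted. Both functions are only partly visible in these hunks.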

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2010 Open Information Security Foundation /* Copyright (C) 2007-2016 Open Information Security Foundation
* *
* You can copy, redistribute or modify this Program under the terms of * You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free * the GNU General Public License version 2 as published by the Free
@ -24,10 +24,9 @@
#ifndef __PKT_VAR_H__ #ifndef __PKT_VAR_H__
#define __PKT_VAR_H__ #define __PKT_VAR_H__
void PktVarAdd(Packet *, const char *, uint8_t *, uint16_t); void PktVarAdd(Packet *, uint32_t id, uint8_t *, uint16_t);
PktVar *PktVarGet(Packet *, const char *); PktVar *PktVarGet(Packet *, uint32_t id);
void PktVarFree(PktVar *); void PktVarFree(PktVar *);
void PktVarPrint(PktVar *);
#endif /* __PKT_VAR_H__ */ #endif /* __PKT_VAR_H__ */
