aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect/isdataat: optimize recursion mismatches

Browse Source 
Since recursive content matching goes through the buffer from left to
right, it is possible to bail early when isdataat is part of the
recursive checking. If `isdataat:50,relative` fails for offset 10, it
will surely also fail for offset 20. So break inspection in such cases.

The exception is for dynamic isdataat, where the value is determined
by a prior byte_extract that may be updated during the recursion.
pull/9999/head
Victor Julien 1 year ago committed by Victor Julien
parent c19d11ff0d
commit 6db02563f1
2 changed files with 22 additions and 2 deletions
Show Stats Download Patch File Download Diff File

15
src/detect-engine-content-inspection.c
Unescape Escape View File

@ -408,23 +408,34 @@ static int DetectEngineContentInspectionInternal(DetectEngineThreadCtx *det_ctx,
SCLogDebug("det_ctx->buffer_offset + dataat %"PRIu32" > %"PRIu32, det_ctx->buffer_offset + dataat, buffer_len);
if (id->flags & ISDATAAT_NEGATED)
goto match;
if ((id->flags & ISDATAAT_OFFSET_VAR) == 0) {
goto no_match_discontinue;
}
goto no_match;
} else {
SCLogDebug("relative isdataat match");
if (id->flags & ISDATAAT_NEGATED)
if (id->flags & ISDATAAT_NEGATED) {
goto no_match;
}
goto match;
}
} else {
if (dataat < buffer_len) {
SCLogDebug("absolute isdataat match");
if (id->flags & ISDATAAT_NEGATED)
if (id->flags & ISDATAAT_NEGATED) {
if ((id->flags & ISDATAAT_OFFSET_VAR) == 0) {
goto no_match_discontinue;
}
goto no_match;
}
goto match;
} else {
SCLogDebug("absolute isdataat mismatch, id->isdataat %"PRIu32", buffer_len %"PRIu32"", dataat, buffer_len);
if (id->flags & ISDATAAT_NEGATED)
goto match;
if ((id->flags & ISDATAAT_OFFSET_VAR) == 0) {
goto no_match_discontinue;
}
goto no_match;
}
}

9
src/tests/detect-engine-content-inspection.c
Unescape Escape View File

@ -143,6 +143,10 @@ static int DetectEngineContentInspectionTest06(void) {
// 6 steps: (1) a, (2) 1st b, (3) c not found, (4) 2nd b, (5) c found, isdataat
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; distance:0; within:1; content:\"c\"; distance:0; within:1; isdataat:!1,relative;", true, 5);
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; distance:0; within:1; content:\"c\"; distance:0; within:1; isdataat:1,relative;", false, 6);
TEST_RUN("abcabc", 6,
"content:\"a\"; content:\"b\"; distance:0; within:1; content:\"c\"; distance:0; "
"within:1; isdataat:10,relative;",
false, 4);
TEST_RUN("ababcabc", 8, "content:\"a\"; content:\"b\"; distance:0; within:1; content:\"c\"; distance:0; within:1; isdataat:!1,relative;", true, 7);
TEST_RUN("ababcabc", 8, "content:\"a\"; content:\"b\"; distance:0; within:1; content:\"c\"; distance:0; within:1; isdataat:1,relative;", true, 6);
@ -228,6 +232,11 @@ static int DetectEngineContentInspectionTest10(void) {
TEST_RUN("x9x9abcdefghi", 13, "content:\"x\"; byte_extract:1,0,data_size,string,relative; isdataat:data_size,relative;", true, 3);
TEST_RUN("x9x9abcdefgh", 12, "content:\"x\"; byte_extract:1,0,data_size,string,relative; isdataat:!data_size,relative;", true, 5);
TEST_RUN("x9x9abcdefgh", 12, "content:\"x\"; depth:1; byte_extract:1,0,data_size,string,relative; isdataat:!data_size,relative;", false, 3);
/* first isdataat should fail, second succeed */
TEST_RUN("x9x5abcdef", 10,
"content:\"x\"; byte_extract:1,0,data_size,string,relative; "
"isdataat:data_size,relative;",
true, 5);
/* check for super high extracted values */
TEST_RUN("100000000abcdefghi", 18, "byte_extract:0,0,data_size,string; isdataat:data_size;", false, 2);
TEST_RUN("100000000abcdefghi", 18, "byte_extract:0,0,data_size,string; isdataat:!data_size;", true, 2);

Write Preview
Loading…
Cancel
Save