Fixes for issues found by static code analyzer.

remotes/origin/master-1.0.x
Victor Julien 16 years ago
parent 85b1fd7dfc
commit 6eaff4be12

@ -91,7 +91,7 @@ void DecodeGRE(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, u
header_len += GRE_SRE_HDR_LEN;
if (gsre && (ntohs(gsre->af) == 0) && (gsre->sre_length == 0))
if (gsre != NULL && (ntohs(gsre->af) == 0) && (gsre->sre_length == 0))
break;
header_len += gsre->sre_length;
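Review bot: The `gsre != NULL` test guards only the `break`; when it is false because `gsre` is NULL, the next line `header_len += gsre->sre_length;` still dereferences the pointer. If `gsre` can never be NULL here (its assignment is outside the hunk), drop the test; otherwise give the NULL case its own exit, `if (gsre == NULL) break;`. Because `sre_length` is read from the packet, it is also worth confirming that the enclosing loop checks `header_len` against the packet length before each header is read; that check is not visible in this hunk.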

@ -34,7 +34,11 @@ int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, cha
}
SigMatch *pm = m;
if (pm != NULL) {
if (pm == NULL) {
printf("DetectDistanceSetup: No previous match!\n");
goto error;
}
if (pm->type == DETECT_PCRE) {
DetectPcreData *pe = (DetectPcreData *)pm->ctx;
@ -58,12 +62,15 @@ int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, cha
//printf("DetectDistanceSetup: set distance %" PRId32 " for previous content\n", cd->distance);
} else {
printf("DetectDistanceSetup: Unknown previous keyword!\n");
goto error;
}
} else {
printf("DetectDistanceSetup: No previous match!\n");
}
pm = m->prev;
if (pm != NULL) {
if (pm == NULL) {
printf("DetectDistanceSetup: No previous-previous match!\n");
goto error;
}
if (pm->type == DETECT_PCRE) {
DetectPcreData *pe = (DetectPcreData *)pm->ctx;
pe->flags |= DETECT_PCRE_DISTANCE_NEXT;
@ -75,12 +82,13 @@ int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, cha
cd->flags |= DETECT_URICONTENT_DISTANCE_NEXT;
} else {
printf("DetectDistanceSetup: Unknown previous-previous keyword!\n");
}
} else {
printf("DetectDistanceSetup: No previous-previous match!\n");
goto error;
}
if (dubbed) free(str);
return 0;
error:
if (dubbed) free(str);
return -1;
}
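Review bot: The messages on the new `goto error` paths (`No previous match!`, `No previous-previous match!`, `Unknown previous-previous keyword!`) do not identify the signature that is now rejected, where the old code only warned and carried on. For an IDS a ruleset that shrinks at load time without naming the dropped rule is a detection gap, so the message should carry the option text (`str` appears to hold it) or an identifier taken from `s`. The first stage also appears to have written to the previous match before the `m->prev == NULL` check can fail, which is harmless only if the caller discards the whole signature on -1; that caller is not visible here. The same applies to DetectWithinSetup later in this commit, and both functions start outside the hunks shown.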

@ -35,9 +35,9 @@ void DetectAddressRegister (void) {
/* prototypes */
void DetectAddressDataPrint(DetectAddressData *);
int DetectAddressCut(DetectAddressData *, DetectAddressData *, DetectAddressData **);
int DetectAddressCutNot(DetectAddressData *, DetectAddressData **);
int DetectAddressGroupCut(DetectEngineCtx *, DetectAddressGroup *, DetectAddressGroup *, DetectAddressGroup **);
static int DetectAddressCut(DetectAddressData *, DetectAddressData *, DetectAddressData **);
static int DetectAddressCutNot(DetectAddressData *, DetectAddressData **);
static int DetectAddressGroupCut(DetectEngineCtx *, DetectAddressGroup *, DetectAddressGroup *, DetectAddressGroup **);
/* memory usage counters */
static uint32_t detect_address_group_memory = 0;
@ -195,6 +195,7 @@ int DetectAddressGroupAdd(DetectAddressGroup **head, DetectAddressGroup *ag) {
}
//printf("default append\n");
ag->prev = prev_cur;
if (prev_cur != NULL)
prev_cur->next = ag;
} else {
*head = ag;
@ -330,8 +331,11 @@ int DetectAddressGroupInsert(DetectEngineCtx *de_ctx, DetectAddressGroupsHead *g
#endif
DetectAddressGroup *c = NULL;
r = DetectAddressGroupCut(de_ctx, cur,new,&c);
if (r == -1)
goto error;
DetectAddressGroupInsert(de_ctx, gh, new);
if (c) {
if (c != NULL) {
#ifdef DBG
printf("DetectAddressGroupInsert: inserting C "); DetectAddressDataPrint(c->ad); printf("\n");
#endif
@ -344,9 +348,12 @@ int DetectAddressGroupInsert(DetectEngineCtx *de_ctx, DetectAddressGroupsHead *g
#endif
DetectAddressGroup *c = NULL;
r = DetectAddressGroupCut(de_ctx, cur,new,&c);
if (r == -1)
goto error;
//printf("DetectAddressGroupCut returned %" PRId32 "\n", r);
DetectAddressGroupInsert(de_ctx, gh, new);
if (c) {
if (c != NULL) {
#ifdef DBG
printf("DetectAddressGroupInsert: inserting C "); DetectAddressDataPrint(c->ad); printf("\n");
#endif
@ -359,8 +366,11 @@ int DetectAddressGroupInsert(DetectEngineCtx *de_ctx, DetectAddressGroupsHead *g
#endif
DetectAddressGroup *c = NULL;
r = DetectAddressGroupCut(de_ctx, cur,new,&c);
if (r == -1)
goto error;
DetectAddressGroupInsert(de_ctx, gh, new);
if (c) {
if (c != NULL) {
#ifdef DBG
printf("DetectAddressGroupInsert: inserting C "); DetectAddressDataPrint(c->ad); printf("\n");
#endif
@ -373,8 +383,11 @@ int DetectAddressGroupInsert(DetectEngineCtx *de_ctx, DetectAddressGroupsHead *g
#endif
DetectAddressGroup *c = NULL;
r = DetectAddressGroupCut(de_ctx, cur,new,&c);
if (r == -1)
goto error;
DetectAddressGroupInsert(de_ctx, gh, new);
if (c) {
if (c != NULL) {
#ifdef DBG
printf("DetectAddressGroupInsert: inserting C "); DetectAddressDataPrint(c->ad); printf("\n");
#endif
@ -400,6 +413,7 @@ error:
return -1;
}
/** \brief Join two addresses together */
int DetectAddressGroupJoin(DetectEngineCtx *de_ctx, DetectAddressGroup *target, DetectAddressGroup *source) {
if (target == NULL || source == NULL)
return -1;
@ -424,11 +438,10 @@ int DetectAddressGroupJoin(DetectEngineCtx *de_ctx, DetectAddressGroup *target,
return -1;
}
/*
* return codes:
* 1: inserted
* 0: not inserted (no error), memory is cleared
* -1: error
/**
* \retval 1 inserted
* \retval 0 not inserted (no error), memory is cleared
* \retval -1 error
*/
int DetectAddressInsert(DetectAddressGroupsHead *gh, DetectAddressData *new) {
DetectAddressGroup *head = NULL;
@ -506,26 +519,46 @@ int DetectAddressInsert(DetectAddressGroupsHead *gh, DetectAddressData *new) {
} else if (r == ADDRESS_ES) {
DetectAddressData *c = NULL;
r = DetectAddressCut(cur->ad,new,&c);
if (r == -1)
goto error;
DetectAddressInsert(gh, new);
if (c) DetectAddressInsert(gh, c);
if (c != NULL)
DetectAddressInsert(gh, c);
return 1;
} else if (r == ADDRESS_EB) {
DetectAddressData *c = NULL;
r = DetectAddressCut(cur->ad,new,&c);
if (r == -1)
goto error;
DetectAddressInsert(gh, new);
if (c) DetectAddressInsert(gh, c);
if (c != NULL)
DetectAddressInsert(gh, c);
return 1;
} else if (r == ADDRESS_LE) {
DetectAddressData *c = NULL;
r = DetectAddressCut(cur->ad,new,&c);
if (r == -1)
goto error;
DetectAddressInsert(gh, new);
if (c) DetectAddressInsert(gh, c);
if (c != NULL)
DetectAddressInsert(gh, c);
return 1;
} else if (r == ADDRESS_GE) {
DetectAddressData *c = NULL;
r = DetectAddressCut(cur->ad,new,&c);
if (r == -1)
goto error;
DetectAddressInsert(gh, new);
if (c) DetectAddressInsert(gh, c);
if (c != NULL)
DetectAddressInsert(gh, c);
return 1;
}
}
@ -837,6 +870,8 @@ int DetectAddressGroupCut(DetectEngineCtx *de_ctx, DetectAddressGroup *a, Detect
return -1;
}
/** \retval 0 ok
* \retval -1 error */
int DetectAddressCut(DetectAddressData *a, DetectAddressData *b, DetectAddressData **c) {
if (a->family == AF_INET) {
return DetectAddressCutIPv4(a,b,c);
@ -847,6 +882,8 @@ int DetectAddressCut(DetectAddressData *a, DetectAddressData *b, DetectAddressDa
return -1;
}
/** \retval 0 ok
* \retval -1 error */
int DetectAddressCutNot(DetectAddressData *a, DetectAddressData **b) {
if (a->family == AF_INET) {
return DetectAddressCutNotIPv4(a,b);
@ -896,7 +933,6 @@ int AddressParse(DetectAddressData *dd, char *str) {
char *ipdup = strdup(str);
char *ip2 = NULL;
char *mask = NULL;
char *ip6 = NULL;
int r = 0;
/* first handle 'any' */
@ -916,7 +952,7 @@ int AddressParse(DetectAddressData *dd, char *str) {
}
/* see if the address is an ipv4 or ipv6 address */
if ((ip6 = strchr(str,':')) == NULL) {
if ((strchr(str,':')) == NULL) {
/* IPv4 Address */
struct in_addr in;
@ -929,8 +965,7 @@ int AddressParse(DetectAddressData *dd, char *str) {
uint32_t ip4addr = 0;
uint32_t netmask = 0;
char *t = NULL;
if ((t = strchr (mask,'.')) == NULL) {
if ((strchr (mask,'.')) == NULL) {
/* 1.2.3.4/24 format */
int cidr = atoi(mask);
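Review bot: The recursive `DetectAddressGroupInsert(de_ctx, gh, new);` calls, and `DetectAddressInsert(gh, new);` / `DetectAddressInsert(gh, c);` in DetectAddressInsert, still discard their return value even though the commit now checks the preceding `DetectAddressGroupCut()` / `DetectAddressCut()` result. A failed insert of one half of a split range therefore goes unnoticed and the branch still ends in `return 1;`, leaving an address group that covers less than the rule asked for. Propagate the error the same way, e.g. `if (DetectAddressInsert(gh, new) < 0) goto error;`. The `DetectPortInsert(de_ctx, head, new);` calls in the DetectPortInsert hunks have the same gap. These functions begin and end outside the hunks, so what `error:` releases could not be checked.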

@ -274,7 +274,8 @@ uint32_t PatternStrength(uint8_t *pat, uint16_t patlen, uint16_t len) {
return s;
}
int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead *sgh) {
/** \brief Setup the content portion of the sig group head */
static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead *sgh) {
uint32_t sig;
HashTable *ht = HashTableInit(4096, ContentHashFunc, ContentHashCompareFunc, ContentHashFree);
@ -447,23 +448,20 @@ error:
return -1;
}
/*
/** \brief Prepare the pattern matcher ctx in a sig group head.
*
* TODO
* - determine if a content match can set the 'single' flag
*
*
* XXX do error checking
* XXX rewrite the COPY stuff
* \todo determine if a content match can set the 'single' flag
* \todo do error checking
* \todo rewrite the COPY stuff
*/
int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
{
Signature *s;
SigMatch *sm;
Signature *s = NULL;
SigMatch *sm = NULL;
uint32_t co_cnt = 0;
uint32_t ur_cnt = 0;
uint32_t cnt = 0;
uint32_t sig;
uint32_t sig = 0;
g_content_sigcnt++;
@ -473,7 +471,8 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
if (!(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY))
sh->mpm_uricontent_maxlen = 0;
/* see if this head has content and/or uricontent */
/** see if this head has content and/or uricontent
* \todo we can move this to the signature init phase */
for (sig = 0; sig < sh->sig_cnt; sig++) {
uint32_t num = sh->match_array[sig];
@ -517,7 +516,6 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
MpmInitCtx(sh->mpm_uri_ctx, PM);
}
//uint16_t mpm_content_scan_maxlen = 65535, mpm_uricontent_scan_maxlen = 65535;
uint32_t mpm_content_cnt = 0, mpm_uricontent_cnt = 0;
uint16_t mpm_content_maxdepth = 65535, mpm_content_minoffset = 65535;
uint16_t mpm_content_maxdepth_one = 65535, mpm_content_minoffset_one = 65535;
@ -593,6 +591,7 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
} else if (sm->type == DETECT_URICONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) {
DetectUricontentData *ud = (DetectUricontentData *)sm->ctx;
if (ud->uricontent_len == uricontent_maxlen) {
/** \todo we don't support offset in uricontent */
}
}
}
@ -674,14 +673,7 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
if (sh->mpm_content_maxlen >= 5) g_content_sigcnt5++;
if (sh->mpm_content_maxlen >= 10) g_content_sigcnt10++;
/* see if we will use the scanning phase */
// if (sh->mpm_content_maxlen == 1) {
// sh->flags |= SIG_GROUP_HEAD_MPM_NOSCAN;
// printf("(%p) noscan set (%s)\n", sh, sh->flags & SIG_GROUP_HEAD_MPM_NOSCAN ? "TRUE":"FALSE");
// }
// if (sh->mpm_uricontent_maxlen < 4) sh->flags |= SIG_GROUP_HEAD_MPM_URI_NOSCAN;
/* add the signatures */
/* add the patterns for uricontent signatures */
for (sig = 0; sig < sh->sig_cnt; sig++) {
uint32_t num = sh->match_array[sig];
@ -713,21 +705,22 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
uricontent_minlen = ud->uricontent_len;
}
}
char content_scanadded = 0, uricontent_scanadded = 0;
char uricontent_scanadded = 0;
for (sm = s->match; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_URICONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) {
DetectUricontentData *ud = (DetectUricontentData *)sm->ctx;
/* only add the pattern if:
* noscan is not set, we didn't add a pattern already, length
* is the same as maxlen (ie we only add the longest pattern) */
if (!(sh->flags & SIG_GROUP_HEAD_MPM_URI_NOSCAN) && !uricontent_scanadded && uricontent_maxlen == ud->uricontent_len) {
/* only add the pattern if: we didn't add a pattern already,
* length is the same as maxlen (ie we only add the longest pattern) */
if (!uricontent_scanadded && uricontent_maxlen == ud->uricontent_len) {
if (ud->flags & DETECT_URICONTENT_NOCASE) {
sh->mpm_uri_ctx->AddScanPatternNocase(sh->mpm_uri_ctx, ud->uricontent, ud->uricontent_len, 0, 0, ud->id, s->num, 0);
} else {
sh->mpm_uri_ctx->AddScanPattern(sh->mpm_uri_ctx, ud->uricontent, ud->uricontent_len, 0, 0, ud->id, s->num, 0);
}
uricontent_scanadded = 1;
/* otherwise it's a 'search' pattern */
} else {
if (ud->flags & DETECT_URICONTENT_NOCASE) {
sh->mpm_uri_ctx->AddPatternNocase(sh->mpm_uri_ctx, ud->uricontent, ud->uricontent_len, 0, 0, ud->id, s->num);
@ -737,13 +730,11 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
}
}
}
content_scanadded = 0;
uricontent_scanadded = 0;
}
/* content */
if (sh->flags & SIG_GROUP_HAVECONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_COPY)) {
/* load the patterns */
PatternMatchPreprarePopulateMpm(de_ctx, sh);
if (sh->mpm_ctx->Prepare != NULL) {
@ -762,7 +753,6 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
//if (mpm_content_depth_present) printf("(sh %p) at least one depth: %" PRId32 ", depth %" PRIu32 "\n", sh, mpm_content_depth_present, mpm_content_maxdepth_one);
//if (mpm_content_offset_present) printf("(sh %p) at least one offset: %" PRId32 ", offset %" PRIu32 "\n", sh, mpm_content_offset_present, mpm_content_minoffset_one);
//sh->mpm_ctx->PrintCtx(sh->mpm_ctx);
}
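Review bot: `PatternMatchPreprarePopulateMpm(de_ctx, sh);` is called with its `int` result discarded, although the function appears to have an error path (the `error:` / `return -1;` just above PatternMatchPrepareGroup seems to belong to it). Now that it is `static` with this one visible caller, the check is cheap to add: `if (PatternMatchPreprarePopulateMpm(de_ctx, sh) < 0) return -1;`, or a jump to this function's own cleanup if it has one outside the hunk. Without it, a group head whose content patterns were only partly loaded would still reach the `Prepare` call that follows. The new `\todo do error checking` could name this call so the item is actionable.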

@ -32,8 +32,8 @@ void DetectPortRegister (void) {
}
/* prototypes */
int DetectPortCutNot(DetectPort *, DetectPort **);
int DetectPortCut(DetectEngineCtx *, DetectPort *, DetectPort *, DetectPort **);
static int DetectPortCutNot(DetectPort *, DetectPort **);
static int DetectPortCut(DetectEngineCtx *, DetectPort *, DetectPort *, DetectPort **);
DetectPort *PortParse(char *str);
/* memory usage counters */
@ -161,6 +161,7 @@ int DetectPortAdd(DetectPort **head, DetectPort *dp) {
}
}
dp->prev = prev_cur;
if (prev_cur != NULL)
prev_cur->next = dp;
} else {
*head = dp;
@ -282,8 +283,11 @@ int DetectPortInsert(DetectEngineCtx *de_ctx, DetectPort **head, DetectPort *new
#endif
DetectPort *c = NULL;
r = DetectPortCut(de_ctx,cur,new,&c);
if (r == -1)
goto error;
DetectPortInsert(de_ctx, head, new);
if (c) {
if (c != NULL) {
#ifdef DBG
printf("DetectPortInsert: inserting C (%p) ",c); DetectPortPrint(c); printf("\n");
#endif
@ -296,9 +300,11 @@ int DetectPortInsert(DetectEngineCtx *de_ctx, DetectPort **head, DetectPort *new
#endif
DetectPort *c = NULL;
r = DetectPortCut(de_ctx,cur,new,&c);
//printf("DetectPortCut returned %" PRId32 "\n", r);
if (r == -1)
goto error;
DetectPortInsert(de_ctx, head, new);
if (c) {
if (c != NULL) {
#ifdef DBG
printf("DetectPortInsert: inserting C "); DetectPortPrint(c); printf("\n");
#endif
@ -311,8 +317,11 @@ int DetectPortInsert(DetectEngineCtx *de_ctx, DetectPort **head, DetectPort *new
#endif
DetectPort *c = NULL;
r = DetectPortCut(de_ctx,cur,new,&c);
if (r == -1)
goto error;
DetectPortInsert(de_ctx, head, new);
if (c) {
if (c != NULL) {
#ifdef DBG
printf("DetectPortInsert: inserting C "); DetectPortPrint(c); printf("\n");
#endif
@ -325,8 +334,11 @@ int DetectPortInsert(DetectEngineCtx *de_ctx, DetectPort **head, DetectPort *new
#endif
DetectPort *c = NULL;
r = DetectPortCut(de_ctx,cur,new,&c);
if (r == -1)
goto error;
DetectPortInsert(de_ctx, head, new);
if (c) {
if (c != NULL) {
#ifdef DBG
printf("DetectPortInsert: inserting C "); DetectPortPrint(c); printf("\n");
#endif
@ -350,7 +362,9 @@ error:
return -1;
}
int DetectPortCut(DetectEngineCtx *de_ctx, DetectPort *a, DetectPort *b, DetectPort **c) {
/** \retval 0 ok
* \retval -1 error */
static int DetectPortCut(DetectEngineCtx *de_ctx, DetectPort *a, DetectPort *b, DetectPort **c) {
uint32_t a_port1 = a->port;
uint32_t a_port2 = a->port2;
uint32_t b_port1 = b->port;
@ -635,11 +649,11 @@ error:
if (tmp != NULL)
DetectPortFree(tmp);
return -1;
return -1;
}
int DetectPortCutNot(DetectPort *a, DetectPort **b) {
/** \retval 0 ok
* \retval -1 error */
static int DetectPortCutNot(DetectPort *a, DetectPort **b) {
uint16_t a_port1 = a->port;
uint16_t a_port2 = a->port2;
@ -675,8 +689,6 @@ int DetectPortCutNot(DetectPort *a, DetectPort **b) {
error:
return -1;
return -1;
}
int DetectPortCmp(DetectPort *a, DetectPort *b) {

@ -156,6 +156,9 @@ int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char
}
fb_name = (char *)str_ptr;
}
} else {
printf("ERROR: \"%s\" is not a valid setting for flowbits.\n", rawstr);
return -1;
}
if (strcmp(fb_cmd_str,"noalert") == 0) {

@ -108,6 +108,9 @@ int DetectFlowvarSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char
}
varcontent = (char *)str_ptr;
}
} else {
printf("ERROR: \"%s\" is not a valid setting for flowvar.\n", rawstr);
return -1;
}
printf("DetectFlowvarSetup: varname %s, varcontent %s\n", varname, varcontent);

@ -16,7 +16,7 @@ void DetectMsgRegister (void) {
int DetectMsgSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *msgstr)
{
char *str = msgstr;
char *str = NULL;
/* strip "'s */
if (msgstr[0] == '\"' && msgstr[strlen(msgstr)-1] == '\"') {
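Review bot: With `char *str = NULL;` every path that skips the quote-stripping branch must assign `str` before it is used; the rest of the function is outside the hunk, so please confirm that an `else` covers the unquoted case. The visible condition is also true for a message consisting of a single `"` character, because `msgstr[0]` and `msgstr[strlen(msgstr)-1]` are then the same byte. If the stripping code removes one character from each end, that input underflows the length. Adding `strlen(msgstr) >= 2` to the condition avoids it.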

@ -102,6 +102,9 @@ int DetectPktvarSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char
}
varcontent = (char *)str_ptr;
}
} else {
printf("ERROR: \"%s\" is not a valid setting for pktvar.\n", rawstr);
return -1;
}
printf("DetectPktvarSetup: varname %s, varcontent %s\n", varname, varcontent);

@ -1,5 +1,9 @@
/* WITHIN part of the detection engine. */
/** \file
* \author Victor Julien <victor@inliniac.net>
* \todo within logic is not Snort compat atm: it is applied to pcre and uricontent as well */
#include "decode.h"
#include "detect.h"
#include "flow-var.h"
@ -34,7 +38,12 @@ int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char
}
SigMatch *pm = m;
if (pm != NULL) {
if (pm == NULL) {
printf("DetectWithinSetup: No previous match!\n");
goto error;
}
/* Set the within flag on the Sigmatch */
if (pm->type == DETECT_PCRE) {
DetectPcreData *pe = (DetectPcreData *)pm->ctx;
@ -58,12 +67,16 @@ int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char
//printf("DetectWithinSetup: set within %" PRId32 " for previous content\n", cd->within);
} else {
printf("DetectWithinSetup: Unknown previous keyword!\n");
goto error;
}
} else {
printf("DetectWithinSetup: No previous match!\n");
}
pm = m->prev;
if (pm != NULL) {
if (pm == NULL) {
printf("DetectWithinSetup: No previous-previous match!\n");
goto error;
}
/* Set the within next flag on the prev sigmatch */
if (pm->type == DETECT_PCRE) {
DetectPcreData *pe = (DetectPcreData *)pm->ctx;
pe->flags |= DETECT_PCRE_WITHIN_NEXT;
@ -75,12 +88,13 @@ int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char
ud->flags |= DETECT_URICONTENT_WITHIN_NEXT;
} else {
printf("DetectWithinSetup: Unknown previous-previous keyword!\n");
}
} else {
printf("DetectWithinSetup: No previous-previous match!\n");
goto error;
}
if (dubbed) free(str);
return 0;
error:
if (dubbed) free(str);
return -1;
}

@ -196,10 +196,12 @@ int SigLoadSignatures (DetectEngineCtx *de_ctx, char *sig_file)
/* http_uri -- for uricontent */
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP GET URI cap\"; flow:to_server; content:\"GET \"; depth:4; pcre:\"/^GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:1;)");
if (sig) {
if (sig == NULL)
return -1;
prevsig = sig;
de_ctx->sig_list = sig;
}
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP POST URI cap\"; flow:to_server; content:\"POST \"; depth:5; pcre:\"/^POST (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:2;)");
if (sig == NULL)
return -1;
@ -218,109 +220,6 @@ int SigLoadSignatures (DetectEngineCtx *de_ctx, char *sig_file)
if (sig == NULL)
return -1;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"ipv4 pkt too small\"; decode-event:ipv4.pkt_too_small; sid:5;)");
if (sig == NULL)
return -1;
prevsig->next = sig;
prevsig = sig;
/*
sig = SigInit(de_ctx,"alert udp any any -> any any (msg:\"ViCtOr nocase test\"; sid:4; rev:13; content:\"ViCtOr!!\"; offset:100; depth:150; nocase; content:\"ViCtOr!!\"; nocase; offset:99; depth:150;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(de_ctx,"alert ip any any -> 1.2.3.4 any (msg:\"ViCtOr case test\"; sid:2001; content:\"ViCtOr\"; depth:150;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(de_ctx,"alert ip any any -> 1.2.3.4 any (msg:\"IP ONLY\"; sid:2002;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(de_ctx,"alert ip ANY any -> 192.168.0.0/16 any (msg:\"offset, depth, within test\"; flow:to_client; sid:2002; content:HTTP; depth:4; content:Server:; offset:15; within:100; depth:200;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(de_ctx,"alert ip 1.2.3.4 any -> any any (msg:\"Inliniac blog within test\"; flow:to_client; sid:2003; content:inliniac; content:blog; within:9;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(de_ctx,"alert ip 2001::1 any -> 2001::3 any (msg:\"abcdefg distance 1 test\"; flow:to_server; sid:2004; content:abcd; content:efgh; within:4; distance:0; content:ijkl; within:4; distance:0;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(de_ctx,"alert ip 2001::5 any -> 2001::7 any (msg:\"abcdef distance 0 test\"; flow:to_server; sid:2005; content:abcdef; content:ghijklmnop; distance:0;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(de_ctx,"alert ip 10.0.0.0/8 any -> 4.3.2.1 any (msg:\"abcdefg distance 1 test\"; flow:to_server; sid:2006; content:abcdef; content:ghijklmnop; distance:1;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(de_ctx,"alert tcp 172.16.1.0/24 any -> 0.0.0.0/0 any (msg:\"HTTP response code cap\"; flow:to_client; content:HTTP; depth:4; pcre:\"/^HTTP\\/\\d\\.\\d (?<http_response>[0-9]+) [A-z\\s]+\\r\\n/\"; depth:50; sid:3;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(de_ctx,"alert tcp 172.16.2.0/24 any -> 10.10.10.10 any (msg:\"HTTP server code cap\"; flow:to_client; content:Server:; depth:500; pcre:\"/^Server: (?<http_server>.*)\\r\\n/m\"; sid:4;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(de_ctx,"alert tcp 192.168.0.1 any -> 1.0.2.1 any (msg:\"\to_client nocase test\"; flow:to_client; content:Servere:; nocase; sid:400;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(de_ctx,"alert tcp 192.168.0.4 any -> 1.2.0.1 any (msg:\"HTTP UA code cap\"; flow:to_server; content:User-Agent:; depth:300; pcre:\"/^User-Agent: (?<http_ua>.*)\\r\\n/m\"; sid:5;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(de_ctx,"alert tcp 192.168.0.12 any -> 0.0.0.0/0 any (msg:\"HTTP http_host flowvar www.inliniac.net\"; flow:to_server; flowvar:http_host,\"www.inliniac.net\"; sid:7;)");
if (sig) {
prevsig->next = sig;
prevsig = sig;
}
sig = SigInit(de_ctx,"alert tcp 192.168.0.0/16 any -> 0.0.0.0/0 any (msg:\"HTTP http_uri flowvar MattJonkman\"; flow:to_server; flowvar:http_uri,\"MattJonkman\"; sid:8;)");
if (sig) {
prevsig->next = sig;
prevsig = sig;
}
sig = SigInit(de_ctx,"alert tcp 0.0.0.0/0 any -> 0.0.0.0/0 any (msg:\"HTTP uricontent VictorJulien\"; flow:to_server; uricontent:\"VictorJulien\"; nocase; sid:9;)");
if (sig) {
prevsig->next = sig;
prevsig = sig;
}
sig = SigInit(de_ctx,"alert tcp 0.0.0.0/0 any -> 10.0.0.0/8 any (msg:\"HTTP uricontent VictorJulien\"; flow:to_server; uricontent:\"VictorJulien\"; nocase; sid:5;)");
if (sig) {
prevsig->next = sig;
prevsig = sig;
}
*/
if(sig_file != NULL){
int r = DetectLoadSigFile(de_ctx, sig_file);
@ -444,7 +343,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
uint32_t cnt = 0;
//printf("scan: (%p, maxlen %" PRIu32 ", cnt %" PRIu32 ")\n", det_ctx->sgh, det_ctx->sgh->mpm_content_maxlen, det_ctx->sgh->sig_cnt);
/* scan, but only if the noscan flag isn't set */
if (!(det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_NOSCAN)) {
if (det_ctx->sgh->mpm_content_maxlen == 1) det_ctx->pkts_scanned1++;
else if (det_ctx->sgh->mpm_content_maxlen == 2) det_ctx->pkts_scanned2++;
else if (det_ctx->sgh->mpm_content_maxlen == 3) det_ctx->pkts_scanned3++;
@ -452,10 +351,10 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
else det_ctx->pkts_scanned++;
cnt += PacketPatternScan(th_v, det_ctx, p);
}
//if (cnt != det_ctx->pmq.searchable)
//printf("post scan: cnt %" PRIu32 ", searchable %" PRIu32 "\n", cnt, det_ctx->pmq.searchable);
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_NOSCAN || det_ctx->pmq.searchable > 0) {
if (det_ctx->pmq.searchable > 0) {
//printf("now search\n");
if (det_ctx->sgh->mpm_content_maxlen == 1) det_ctx->pkts_searched1++;
else if (det_ctx->sgh->mpm_content_maxlen == 2) det_ctx->pkts_searched2++;
@ -1966,8 +1865,6 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De
} else {
/* XXX write dedicated function for this */
dp->sh->mpm_ctx = mpmsh->mpm_ctx;
if (mpmsh->flags & SIG_GROUP_HEAD_MPM_NOSCAN)
dp->sh->flags |= SIG_GROUP_HEAD_MPM_NOSCAN;
dp->sh->mpm_content_maxlen = mpmsh->mpm_content_maxlen;
dp->sh->flags |= SIG_GROUP_HEAD_MPM_COPY;
SigGroupHeadClearContent(dp->sh);

@ -328,8 +328,6 @@ typedef struct SigTableElmt_ {
#define SIG_GROUP_HEAD_MPM_COPY 0x04
#define SIG_GROUP_HEAD_MPM_URI_COPY 0x08
#define SIG_GROUP_HEAD_FREE 0x10
#define SIG_GROUP_HEAD_MPM_NOSCAN 0x20
#define SIG_GROUP_HEAD_MPM_URI_NOSCAN 0x40
/** \brief head of the list of containers. */
typedef struct SigGroupHead_ {

@ -49,10 +49,8 @@ typedef struct Libnet11Packet_
int RejectSendLibnet11L3IPv4TCP(ThreadVars *tv, Packet *p, void *data, int dir) {
Libnet11Packet lpacket;
libnet_t *c; /* libnet context */
char ebuf[LIBNET_ERRBUF_SIZE];
libnet_ptag_t t;
int result;
/* fill in struct defaults */
@ -107,7 +105,8 @@ int RejectSendLibnet11L3IPv4TCP(ThreadVars *tv, Packet *p, void *data, int dir)
lpacket.ttl = 64;
/* build the package */
if ((t = libnet_build_tcp (lpacket.sp, /* source port */
if ((libnet_build_tcp (
lpacket.sp, /* source port */
lpacket.dp, /* dst port */
lpacket.seq, /* seq number */
lpacket.ack, /* ack number */
@ -125,7 +124,7 @@ int RejectSendLibnet11L3IPv4TCP(ThreadVars *tv, Packet *p, void *data, int dir)
goto cleanup;
}
if((t = libnet_build_ipv4(
if((libnet_build_ipv4(
LIBNET_TCP_H + LIBNET_IPV4_H, /* entire packet length */
0, /* tos */
lpacket.id, /* ID */
@ -158,10 +157,8 @@ cleanup:
int RejectSendLibnet11L3IPv4ICMP(ThreadVars *tv, Packet *p, void *data, int dir) {
//printf("going to send a ICMP host unreachable\n");
Libnet11Packet lpacket;
libnet_t *c; /* libnet context */
char ebuf[LIBNET_ERRBUF_SIZE];
libnet_ptag_t t;
int result;
/* fill in struct defaults */
@ -193,7 +190,7 @@ int RejectSendLibnet11L3IPv4ICMP(ThreadVars *tv, Packet *p, void *data, int dir)
lpacket.ttl = 64;
/* build the package */
if ((t = libnet_build_icmpv4_unreach (
if ((libnet_build_icmpv4_unreach (
ICMP_DEST_UNREACH, /* type */
ICMP_HOST_ANO, /* code */
0, /* checksum */
@ -206,7 +203,7 @@ int RejectSendLibnet11L3IPv4ICMP(ThreadVars *tv, Packet *p, void *data, int dir)
goto cleanup;
}
if((t = libnet_build_ipv4(
if((libnet_build_ipv4(
LIBNET_ICMPV4_H + LIBNET_IPV4_H +
lpacket.len, /* entire packet length */
0, /* tos */

@ -150,6 +150,7 @@ static inline B2gPattern *B2gAllocPattern(MpmCtx *mpm_ctx) {
B2gPattern *p = malloc(sizeof(B2gPattern));
if (p == NULL) {
printf("ERROR: B2gAllocPattern: malloc failed\n");
exit(EXIT_FAILURE);
}
memset(p,0,sizeof(B2gPattern));
@ -163,6 +164,7 @@ B2gAllocHashItem(MpmCtx *mpm_ctx) {
B2gHashItem *hi = malloc(sizeof(B2gHashItem));
if (hi == NULL) {
printf("ERROR: B2gAllocHashItem: malloc failed\n");
exit(EXIT_FAILURE);
}
memset(hi,0,sizeof(B2gHashItem));
@ -220,13 +222,18 @@ static inline int B2gInitHashAdd(B2gCtx *ctx, B2gPattern *p) {
return 0;
}
B2gPattern *t = ctx->init_hash[hash], *tt = NULL;
for ( ; t != NULL; t = t->next) {
B2gPattern *tt = NULL;
B2gPattern *t = ctx->init_hash[hash];
/* get the list tail */
do {
tt = t;
}
t = t->next;
} while (t != NULL);
tt->next = p;
//printf("B2gInitHashAdd: hash %" PRIu32 ", head %p\n", hash, ctx->init_hash[hash]);
//printf("B2gInitHashAdd: hash %" PRIu32 ", head %p\n", hash, ctx->init_hash[hash]);
return 0;
}
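Review bot: The new `do { tt = t; t = t->next; } while (t != NULL);` dereferences `t` on its first pass, so it is correct only if `ctx->init_hash[hash]` is non-NULL at this point. The `return 0;` just above suggests the empty bucket is handled earlier, but that test is outside the hunk; a comment such as `/* bucket is non-empty here: the empty case returned above */` would record the invariant. The same loop is introduced in B3gInitHashAdd and WmInitHashAdd. Separately, the added `exit(EXIT_FAILURE);` in the allocators is preceded by a `printf`, which writes to stdout; `fprintf(stderr, ...)` would keep the reason visible when stdout is redirected.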

@ -144,6 +144,7 @@ static inline B3gPattern *B3gAllocPattern(MpmCtx *mpm_ctx) {
B3gPattern *p = malloc(sizeof(B3gPattern));
if (p == NULL) {
printf("ERROR: B3gAllocPattern: malloc failed\n");
exit(EXIT_FAILURE);
}
memset(p,0,sizeof(B3gPattern));
@ -157,6 +158,7 @@ B3gAllocHashItem(MpmCtx *mpm_ctx) {
B3gHashItem *hi = malloc(sizeof(B3gHashItem));
if (hi == NULL) {
printf("ERROR: B3gAllocHashItem: malloc failed\n");
exit(EXIT_FAILURE);
}
memset(hi,0,sizeof(B3gHashItem));
@ -214,10 +216,15 @@ static inline int B3gInitHashAdd(B3gCtx *ctx, B3gPattern *p) {
return 0;
}
B3gPattern *t = ctx->init_hash[hash], *tt = NULL;
for ( ; t != NULL; t = t->next) {
B3gPattern *tt = NULL;
B3gPattern *t = ctx->init_hash[hash];
/* get the list tail */
do {
tt = t;
}
t = t->next;
} while (t != NULL);
tt->next = p;
//printf("B3gInitHashAdd: hash %" PRIu32 ", head %p\n", hash, ctx->init_hash[hash]);

@ -209,6 +209,7 @@ static inline WmPattern *WmAllocPattern(MpmCtx *mpm_ctx) {
WmPattern *p = malloc(sizeof(WmPattern));
if (p == NULL) {
printf("ERROR: WmAllocPattern: malloc failed\n");
exit(EXIT_FAILURE);
}
memset(p,0,sizeof(WmPattern));
@ -222,6 +223,7 @@ WmAllocHashItem(MpmCtx *mpm_ctx) {
WmHashItem *hi = malloc(sizeof(WmHashItem));
if (hi == NULL) {
printf("ERROR: WmAllocHashItem: malloc failed\n");
exit(EXIT_FAILURE);
}
memset(hi,0,sizeof(WmHashItem));
@ -279,10 +281,15 @@ static inline int WmInitHashAdd(WmCtx *ctx, WmPattern *p) {
return 0;
}
WmPattern *t = ctx->init_hash[hash], *tt = NULL;
for ( ; t != NULL; t = t->next) {
WmPattern *tt = NULL;
WmPattern *t = ctx->init_hash[hash];
/* get the list tail */
do {
tt = t;
}
t = t->next;
} while (t != NULL);
tt->next = p;
//printf("WmInitHashAdd: hash %" PRIu32 ", head %p\n", hash, ctx->init_hash[hash]);

@ -183,8 +183,6 @@ static int PoolTestInit02 (void) {
p->alloc_list, p->empty_list);
retval = 0;
goto end;
} else {
retval = 1;
}
if (p->Alloc != PoolTestAlloc) {
@ -192,8 +190,6 @@ static int PoolTestInit02 (void) {
p->Alloc, PoolTestAlloc);
retval = 0;
goto end;
} else {
retval = 1;
}
if (p->Free != PoolTestFree) {
@ -201,9 +197,9 @@ static int PoolTestInit02 (void) {
p->Free, PoolTestFree);
retval = 0;
goto end;
} else {
retval = 1;
}
retval = 1;
end:
if (p != NULL)
PoolFree(p);

@ -37,7 +37,6 @@ void PrintRawDataFp(FILE *fp, uint8_t *buf, uint32_t buflen) {
for ( ; s < spaces; s++) fprintf(fp, " ");
}
ch = 0;
for (ch = 0; (i+ch) < buflen && ch < 16; ch++) {
fprintf(fp, "%c", isprint((uint8_t)buf[i+ch]) ? (uint8_t)buf[i+ch] : '.');
