aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

keyword-filesize: add units

Browse Source
pull/2871/merge
Andreas Herz 8 years ago committed by Victor Julien
parent 3ab9120821
commit 6f0794c16f
2 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File

6
doc/userguide/rules/file-keywords.rst
Unescape Escape View File

@ -124,12 +124,14 @@ Syntax::
filesize:<value>; filesize:<value>;
Possible units are KB, MB and GB, without any unit the default is bytes.
Examples:: Examples::
filesize:100; # exactly 100 bytes filesize:100; # exactly 100 bytes
filesize:100<>200; # greater than 100 and smaller than 200 filesize:100<>200; # greater than 100 and smaller than 200
filesize:>100; # greater than 100 filesize:>100MB; # greater than 100 megabytes
filesize:<100; # smaller than 100 filesize:<100MB; # smaller than 100 megabytes
**Note**: For files that are not completely tracked because of packet **Note**: For files that are not completely tracked because of packet
loss or stream.depth being reached on the "greater than" is loss or stream.depth being reached on the "greater than" is

12
src/detect-filesize.c
Unescape Escape View File

@ -28,6 +28,7 @@
#include "app-layer-htp.h" #include "app-layer-htp.h"
#include "util-unittest.h" #include "util-unittest.h"
#include "util-unittest-helper.h" #include "util-unittest-helper.h"
#include "util-misc.h"
#include "detect.h" #include "detect.h"
#include "detect-parse.h" #include "detect-parse.h"
@ -43,7 +44,7 @@
/** /**
* \brief Regex for parsing our filesize * \brief Regex for parsing our filesize
*/ */
#define PARSE_REGEX "^(?:\\s*)(<|>)?(?:\\s*)([0-9]{1,23})(?:\\s*)(?:(<>)(?:\\s*)([0-9]{1,23}))?\\s*$" #define PARSE_REGEX "^(?:\\s*)(<|>)?(?:\\s*)([0-9]{1,23}[a-zA-Z]{0,2})(?:\\s*)(?:(<>)(?:\\s*)([0-9]{1,23}[a-zA-Z]{0,2}))?\\s*$"
static pcre *parse_regex; static pcre *parse_regex;
static pcre_extra *parse_regex_study; static pcre_extra *parse_regex_study;
@ -214,8 +215,8 @@ static DetectFilesizeData *DetectFilesizeParse (const char *str)
} }
/** set the first value */ /** set the first value */
if (ByteExtractStringUint64(&fsd->size1,10,strlen(arg2),arg2) <= 0){ if (ParseSizeStringU64(arg2, &fsd->size1) < 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT,"Invalid size :\"%s\"",arg2); SCLogError(SC_ERR_SIZE_PARSE, "Error parsing filesize value - %s", arg2);
goto error; goto error;
} }
@ -227,9 +228,8 @@ static DetectFilesizeData *DetectFilesizeParse (const char *str)
goto error; goto error;
} }
if(ByteExtractStringUint64(&fsd->size2,10,strlen(arg4),arg4) <= 0) if (ParseSizeStringU64(arg4, &fsd->size2) < 0) {
{ SCLogError(SC_ERR_SIZE_PARSE, "Error parsing filesize value - %s", arg4);
SCLogError(SC_ERR_INVALID_ARGUMENT,"Invalid size :\"%s\"",arg4);
goto error; goto error;
} }

Write Preview
Loading…
Cancel
Save