From 747f042ad6c5beda92763041b20bd14ec3afc63f Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 23 May 2018 13:55:30 +0200
Subject: [PATCH] detect/stream_size: apply rule to packets & stream

The use of stream_size in combination with raw content matches is an indication that the rule needs to be evaluated per packet, not just per reassembled stream chunk.
---
 src/detect-parse.c | 36 +++++++++++++++++++++++++-----------
 1 file changed, 25 insertions(+), 11 deletions(-)

diff --git a/src/detect-parse.c b/src/detect-parse.c
index 0310691282..00428374be 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1550,19 +1550,33 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
         }
     }
 
-    /* TCP: pkt vs stream vs depth/offset */
+    /* TCP: corner cases:
+     * - pkt vs stream vs depth/offset
+     * - pkt vs stream vs stream_size
+     */
     if (s->proto.proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) {
-        if (!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM))) {
-            s->flags |= SIG_FLAG_REQUIRE_STREAM;
-            sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
-            while (sm != NULL) {
-                if (sm->type == DETECT_CONTENT &&
-                    (((DetectContentData *)(sm->ctx))->flags &
-                     (DETECT_CONTENT_DEPTH | DETECT_CONTENT_OFFSET))) {
-                    s->flags |= SIG_FLAG_REQUIRE_PACKET;
-                    break;
+        if (s->init_data->smlists[DETECT_SM_LIST_PMATCH]) {
+            if (!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM))) {
+                s->flags |= SIG_FLAG_REQUIRE_STREAM;
+                sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
+                while (sm != NULL) {
+                    if (sm->type == DETECT_CONTENT &&
+                        (((DetectContentData *)(sm->ctx))->flags &
+                         (DETECT_CONTENT_DEPTH | DETECT_CONTENT_OFFSET))) {
+                        s->flags |= SIG_FLAG_REQUIRE_PACKET;
+                        break;
+                    }
+                    sm = sm->next;
+                }
+                /* if stream_size is in use, also inspect packets */
+                sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
+                while (sm != NULL) {
+                    if (sm->type == DETECT_STREAM_SIZE) {
+                        s->flags |= SIG_FLAG_REQUIRE_PACKET;
+                        break;
+                    }
+                    sm = sm->next;
                 }
-                sm = sm->next;
             }
         }
     }
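Review bot: The new DETECT_STREAM_SIZE walk sits inside the `if (!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM)))` guard, so a TCP rule that already carries SIG_FLAG_REQUIRE_STREAM from some other keyword (set outside this hunk) and also uses stream_size with raw content never gets SIG_FLAG_REQUIRE_PACKET added, which is exactly the per-packet evaluation the commit message says such rules need; unless that combination is intentionally excluded, the stream_size loop should run for any rule with a PMATCH list regardless of which of the two flags is already set, i.e. move the `/* if stream_size is in use ... */` loop out of that inner guard and keep only the PMATCH check around it. The one-line comment `/* if stream_size is in use, also inspect packets */` states what, not why; the rationale from the commit message belongs in the code, e.g. `/* stream_size combined with raw content matches means the rule must be evaluated per packet, not only per reassembled stream chunk, otherwise the match can be missed */`. The two back-to-back list walks are also a candidate for a small `static bool` helper (list pointer, keyword type, flag mask) that both loops call, which would bring the nesting back from five levels to three. SigValidate begins and ends outside this hunk.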