aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect/stream_size: apply rule to packets & stream

Browse Source 
The use of stream_size in combination with raw content matches is an
indication that the rule needs to be evaluated per packet, not just
per reassembled stream chunk.
pull/3472/head
Victor Julien 7 years ago
parent bff3c662f5
commit 747f042ad6
1 changed files with 25 additions and 11 deletions
Show Stats Download Patch File Download Diff File

16
src/detect-parse.c
Unescape Escape View File

@ -1550,8 +1550,12 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
} }
} }
/* TCP: pkt vs stream vs depth/offset */ /* TCP: corner cases:
* - pkt vs stream vs depth/offset
* - pkt vs stream vs stream_size
*/
if (s->proto.proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) { if (s->proto.proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) {
if (s->init_data->smlists[DETECT_SM_LIST_PMATCH]) {
if (!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM))) { if (!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM))) {
s->flags |= SIG_FLAG_REQUIRE_STREAM; s->flags |= SIG_FLAG_REQUIRE_STREAM;
sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH]; sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
@ -1564,6 +1568,16 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
} }
sm = sm->next; sm = sm->next;
} }
/* if stream_size is in use, also inspect packets */
sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
while (sm != NULL) {
if (sm->type == DETECT_STREAM_SIZE) {
s->flags |= SIG_FLAG_REQUIRE_PACKET;
break;
}
sm = sm->next;
}
}
} }
} }

Write Preview
Loading…
Cancel
Save