detect/stream_size: apply rule to packets & stream

The use of stream_size in combination with raw content matches is an
indication that the rule needs to be evaluated per packet, not just
per reassembled stream chunk.
pull/3472/head
Victor Julien 7 years ago
parent bff3c662f5
commit 747f042ad6

@ -1550,19 +1550,33 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
} }
} }
/* TCP: pkt vs stream vs depth/offset */ /* TCP: corner cases:
* - pkt vs stream vs depth/offset
* - pkt vs stream vs stream_size
*/
if (s->proto.proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) { if (s->proto.proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) {
if (!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM))) { if (s->init_data->smlists[DETECT_SM_LIST_PMATCH]) {
s->flags |= SIG_FLAG_REQUIRE_STREAM; if (!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM))) {
sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH]; s->flags |= SIG_FLAG_REQUIRE_STREAM;
while (sm != NULL) { sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
if (sm->type == DETECT_CONTENT && while (sm != NULL) {
(((DetectContentData *)(sm->ctx))->flags & if (sm->type == DETECT_CONTENT &&
(DETECT_CONTENT_DEPTH | DETECT_CONTENT_OFFSET))) { (((DetectContentData *)(sm->ctx))->flags &
s->flags |= SIG_FLAG_REQUIRE_PACKET; (DETECT_CONTENT_DEPTH | DETECT_CONTENT_OFFSET))) {
break; s->flags |= SIG_FLAG_REQUIRE_PACKET;
break;
}
sm = sm->next;
}
/* if stream_size is in use, also inspect packets */
sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
while (sm != NULL) {
if (sm->type == DETECT_STREAM_SIZE) {
s->flags |= SIG_FLAG_REQUIRE_PACKET;
break;
}
sm = sm->next;
} }
sm = sm->next;
} }
} }
} }
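Review bot: The new outer check `if (s->init_data->smlists[DETECT_SM_LIST_PMATCH])` means a TCP signature with no raw content match no longer gets `SIG_FLAG_REQUIRE_STREAM` set here, which the commit message does not mention; as far as the side-by-side rendering shows, the old code set it for every TCP rule that had neither flag. The stream_size scan also sits inside the `!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM))` branch, so a rule that already carries `SIG_FLAG_REQUIRE_STREAM` keeps stream-only inspection even when stream_size is present. If both are intended, a comment above the outer check such as `/* only rules with raw content need the pkt/stream decision; explicit flags win */` would record it, and a test rule combining stream_size with content would pin the per-packet behaviour. SigValidate's body starts and ends outside this hunk, so earlier flag handling is not visible here.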
