detect/stream_size: apply rule to packets & stream

The use of stream_size in combination with raw content matches is an
indication that the rule needs to be evaluated per packet, not just
per reassembled stream chunk.
pull/3472/head
Victor Julien 7 years ago
parent bff3c662f5
commit 747f042ad6

@ -1550,19 +1550,33 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
}
}
/* TCP: pkt vs stream vs depth/offset */
/* TCP: corner cases:
* - pkt vs stream vs depth/offset
* - pkt vs stream vs stream_size
*/
if (s->proto.proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) {
if (!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM))) {
s->flags |= SIG_FLAG_REQUIRE_STREAM;
sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
while (sm != NULL) {
if (sm->type == DETECT_CONTENT &&
(((DetectContentData *)(sm->ctx))->flags &
(DETECT_CONTENT_DEPTH | DETECT_CONTENT_OFFSET))) {
s->flags |= SIG_FLAG_REQUIRE_PACKET;
break;
if (s->init_data->smlists[DETECT_SM_LIST_PMATCH]) {
if (!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM))) {
s->flags |= SIG_FLAG_REQUIRE_STREAM;
sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
while (sm != NULL) {
if (sm->type == DETECT_CONTENT &&
(((DetectContentData *)(sm->ctx))->flags &
(DETECT_CONTENT_DEPTH | DETECT_CONTENT_OFFSET))) {
s->flags |= SIG_FLAG_REQUIRE_PACKET;
break;
}
sm = sm->next;
}
/* if stream_size is in use, also inspect packets */
sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
while (sm != NULL) {
if (sm->type == DETECT_STREAM_SIZE) {
s->flags |= SIG_FLAG_REQUIRE_PACKET;
break;
}
sm = sm->next;
}
sm = sm->next;
}
}
}
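Review bot: The new outer guard `if (s->init_data->smlists[DETECT_SM_LIST_PMATCH])` also changes the default for TCP signatures with no raw payload matches. As the braces read here (indentation is lost on this page), such signatures no longer get `SIG_FLAG_REQUIRE_STREAM` in this block, which the commit message does not mention. If that is intended, a comment above the guard such as `/* only signatures with raw payload matches need a pkt/stream decision */` would make it explicit. The stream_size scan also sits inside the `!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM))` branch, so a signature whose stream flag was set before this point is never upgraded to packet inspection. If such a rule can carry stream_size, it would still be evaluated only per reassembled chunk, a detection-coverage gap worth confirming or documenting. SigValidate starts and ends outside this hunk.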
