support relative pcre for http header. All pcre processing for http header moved to hhd engine

remotes/origin/master-1.1.x
Anoop Saldanha 15 years ago committed by Victor Julien
parent 2b781f00d7
commit 8bd6a38318

@ -395,7 +395,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
cd->flags |= DETECT_CONTENT_DISTANCE; cd->flags |= DETECT_CONTENT_DISTANCE;
/* reassigning pm */ /* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 2, pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_AL_HTTP_CLIENT_BODY, pm->prev, DETECT_AL_HTTP_CLIENT_BODY, pm->prev,
DETECT_PCRE, pm->prev); DETECT_PCRE, pm->prev);
if (pm == NULL) { if (pm == NULL) {
@ -447,23 +447,30 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
cd->flags |= DETECT_CONTENT_DISTANCE; cd->flags |= DETECT_CONTENT_DISTANCE;
/* reassigning pm */ /* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 2, pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_AL_HTTP_HEADER, pm->prev); DETECT_AL_HTTP_HEADER, pm->prev,
DETECT_PCRE, pm->prev);
if (pm == NULL) { if (pm == NULL) {
SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for http_header " SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for http_header "
"needs preceeding http_header content"); "needs preceeding http_header content");
goto error; goto error;
} }
/* reassigning cd */
cd = (DetectContentData *)pm->ctx; if (pm->type == DETECT_PCRE) {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword " tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
"has a fast_pattern:only; set. You can't " } else {
"have relative keywords around a fast_pattern " /* reassigning cd */
"only content"); cd = (DetectContentData *)pm->ctx;
goto error; if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
"has a fast_pattern:only; set. You can't "
"have relative keywords around a fast_pattern "
"only content");
goto error;
}
cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} }
cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
break; break;
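Review bot: The `if (pm->type == DETECT_PCRE) { ... } else { ... }` branch added here is repeated line for line in DetectWithinSetup and, minus the fast_pattern check, in DetectHttpHeaderSetup; a single static helper (e.g. `static int SigMatchSetRelativeNext(SigMatch *pm)`, returning -1 for the fast_pattern:only case) would keep the three copies from drifting apart. The error a few lines above still reads `"needs preceeding http_header content"` although a preceding http_header pcre now satisfies the lookup; `"needs a preceding http_header content or pcre"` would describe the new behaviour and fix the spelling. The first hunk at -395 makes the same widening of the lookup for http_client_body and is presumably a fourth copy of the block. DetectDistanceSetup's body starts and ends outside the hunk.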


@ -230,17 +230,25 @@ int DetectHttpHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
} /* if (pm != NULL) */ } /* if (pm != NULL) */
/* please note. reassigning pm */ /* please note. reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 2, pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_AL_HTTP_HEADER, DETECT_AL_HTTP_HEADER,
s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_PCRE,
s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]); s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]);
if (pm == NULL) { if (pm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_header seen with a " SCLogError(SC_ERR_INVALID_SIGNATURE, "http_header seen with a "
"distance or within without a previous http_header " "distance or within without a previous http_header "
"content. Invalidating signature."); "content. Invalidating signature.");
goto error; goto error;
} }
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; if (pm->type == DETECT_PCRE) {
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
} else {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
}
} }
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_AL_HTTP_HEADER); cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_AL_HTTP_HEADER);
sm->type = DETECT_AL_HTTP_HEADER; sm->type = DETECT_AL_HTTP_HEADER;
@ -1709,6 +1717,159 @@ int DetectHttpHeaderTest24(void)
return result; return result;
} }
int DetectHttpHeaderTest25(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(pcre:/one/H; "
"content:two; within:5; http_header; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL\n");
goto end;
}
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH] == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->type != DETECT_AL_HTTP_HEADER ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->type != DETECT_PCRE) {
goto end;
}
DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
DetectContentData *hhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HEADER) ||
hhd2->flags != DETECT_CONTENT_WITHIN ||
memcmp(hhd2->content, "two", hhd2->content_len) != 0) {
goto end;
}
result = 1;
end:
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
return result;
}
int DetectHttpHeaderTest26(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:two; http_header; "
"pcre:/one/HR; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL\n");
goto end;
}
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH] == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->type != DETECT_PCRE ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->type != DETECT_AL_HTTP_HEADER) {
goto end;
}
DetectContentData *hhd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
DetectPcreData *pd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
if (pd2->flags != (DETECT_PCRE_RELATIVE | DETECT_PCRE_HEADER) ||
hhd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hhd1->content, "two", hhd1->content_len) != 0) {
goto end;
}
result = 1;
end:
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
return result;
}
int DetectHttpHeaderTest27(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(pcre:/one/H; "
"content:two; distance:5; http_header; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL\n");
goto end;
}
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH] == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->type != DETECT_AL_HTTP_HEADER ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->type != DETECT_PCRE) {
goto end;
}
DetectPcreData *pd1 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
DetectContentData *hhd2 = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HEADER) ||
hhd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(hhd2->content, "two", hhd2->content_len) != 0) {
goto end;
}
result = 1;
end:
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
return result;
}
#endif /* UNITTESTS */ #endif /* UNITTESTS */
void DetectHttpHeaderRegisterTests(void) void DetectHttpHeaderRegisterTests(void)
@ -1738,6 +1899,9 @@ void DetectHttpHeaderRegisterTests(void)
UtRegisterTest("DetectHttpHeaderTest22", DetectHttpHeaderTest22, 1); UtRegisterTest("DetectHttpHeaderTest22", DetectHttpHeaderTest22, 1);
UtRegisterTest("DetectHttpHeaderTest23", DetectHttpHeaderTest23, 1); UtRegisterTest("DetectHttpHeaderTest23", DetectHttpHeaderTest23, 1);
UtRegisterTest("DetectHttpHeaderTest24", DetectHttpHeaderTest24, 1); UtRegisterTest("DetectHttpHeaderTest24", DetectHttpHeaderTest24, 1);
UtRegisterTest("DetectHttpHeaderTest25", DetectHttpHeaderTest25, 1);
UtRegisterTest("DetectHttpHeaderTest26", DetectHttpHeaderTest26, 1);
UtRegisterTest("DetectHttpHeaderTest27", DetectHttpHeaderTest27, 1);
#endif /* UNITTESTS */ #endif /* UNITTESTS */
return; return;
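Review bot: The flag checks in DetectHttpHeaderTest25, 26 and 27 (`if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT | DETECT_PCRE_HEADER) || ...) goto end;` and the `sm_lists_tail` type checks before them) fail silently, whereas the earlier checks in the same tests print the failing condition; a printf naming the check before each of those `goto end` would tell a developer which assertion tripped. The exact-equality comparisons on `flags` also mean any flag later added to a header pcre or content breaks all three tests at once, which may be intended but deserves a comment such as `/* exact match: no other flags may be set */`. In the setup hunk at -230, the message `"distance or within without a previous http_header content"` now also covers a preceding header pcre and could say so. DetectHttpHeaderSetup's body begins outside the hunk.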

@ -1299,12 +1299,10 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
sm->ctx = (void *)pd; sm->ctx = (void *)pd;
if (pd->flags & DETECT_PCRE_HEADER) { if (pd->flags & DETECT_PCRE_HEADER) {
sm->type = DETECT_PCRE_HTTPHEADER;
SCLogDebug("Header inspection modifier set"); SCLogDebug("Header inspection modifier set");
s->flags |= SIG_FLAG_APPLAYER; s->flags |= SIG_FLAG_APPLAYER;
SigMatchAppendAppLayer(s, sm); SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HHDMATCH);
} else if (pd->flags & DETECT_PCRE_COOKIE) { } else if (pd->flags & DETECT_PCRE_COOKIE) {
sm->type = DETECT_PCRE_HTTPCOOKIE; sm->type = DETECT_PCRE_HTTPCOOKIE;
@ -1369,10 +1367,11 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
SCReturnInt(0); SCReturnInt(0);
} }
prev_sm = SigMatchGetLastSMFromLists(s, 8, prev_sm = SigMatchGetLastSMFromLists(s, 10,
DETECT_CONTENT, sm->prev, DETECT_CONTENT, sm->prev,
DETECT_URICONTENT, sm->prev, DETECT_URICONTENT, sm->prev,
DETECT_AL_HTTP_CLIENT_BODY, sm->prev, DETECT_AL_HTTP_CLIENT_BODY, sm->prev,
DETECT_AL_HTTP_HEADER, sm->prev,
DETECT_PCRE, sm->prev); DETECT_PCRE, sm->prev);
if (prev_sm == NULL) { if (prev_sm == NULL) {
if (s->alproto == ALPROTO_DCERPC) { if (s->alproto == ALPROTO_DCERPC) {
@ -1393,6 +1392,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
case DETECT_CONTENT: case DETECT_CONTENT:
case DETECT_URICONTENT: case DETECT_URICONTENT:
case DETECT_AL_HTTP_CLIENT_BODY: case DETECT_AL_HTTP_CLIENT_BODY:
case DETECT_AL_HTTP_HEADER:
/* Set the relative next flag on the prev sigmatch */ /* Set the relative next flag on the prev sigmatch */
cd = (DetectContentData *)prev_sm->ctx; cd = (DetectContentData *)prev_sm->ctx;
if (cd == NULL) { if (cd == NULL) {
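Review bot: Dropping `sm->type = DETECT_PCRE_HTTPHEADER;` leaves the header pcre as a plain DETECT_PCRE in DETECT_SM_LIST_HHDMATCH, so whatever still handles DETECT_PCRE_HTTPHEADER outside this hunk (its keyword registration and match callback, if they remain) is now unreachable and should be removed or marked so in the same change. The new `case DETECT_AL_HTTP_HEADER:` shares the `cd = (DetectContentData *)prev_sm->ctx;` cast with the content cases, which is only correct because http_header stores a DetectContentData in ctx; a one-line comment `/* http_header ctx is a DetectContentData as well */` above the new case would make that dependency visible. DetectPcreSetup's body continues outside all three hunks.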

@ -471,23 +471,30 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
cd->flags |= DETECT_CONTENT_WITHIN; cd->flags |= DETECT_CONTENT_WITHIN;
/* reassigning pm */ /* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 2, pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_AL_HTTP_HEADER, pm->prev); DETECT_AL_HTTP_HEADER, pm->prev,
DETECT_PCRE, pm->prev);
if (pm == NULL) { if (pm == NULL) {
SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for http_header " SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for http_header "
"needs preceeding http_header content"); "needs preceeding http_header content");
goto error; goto error;
} }
/* reassigning cd */
cd = (DetectContentData *)pm->ctx; if (pm->type == DETECT_PCRE) {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword " tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
"has a fast_pattern:only; set. You can't " } else {
"have relative keywords around a fast_pattern " /* reassigning cd */
"only content"); cd = (DetectContentData *)pm->ctx;
goto error; if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
"has a fast_pattern:only; set. You can't "
"have relative keywords around a fast_pattern "
"only content");
goto error;
}
cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} }
cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
break; break;
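Review bot: The error emitted when the lookup fails, `"distance for http_header needs preceeding http_header content"`, sits inside DetectWithinSetup, so it names the wrong keyword and, now that a DETECT_PCRE predecessor is accepted, the wrong precondition; `"within for http_header needs a preceding http_header content or pcre"` would match both the function and the new behaviour. The branch added here mirrors DetectDistanceSetup line for line, which is where the shared-helper suggestion applies. DetectWithinSetup's body starts and ends outside the hunk.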
