set the byte_jum/byte_test with relative keyword when pcre is previous keyword (bug 142)

16 years ago · 9378bdbad4
parent ea3165b198
commit 9378bdbad4
2 changed files with 119 additions and 18 deletions
--- a/src/detect-bytejump.c
+++ b/src/detect-bytejump.c
@ -35,6 +35,7 @@
 #include "util-byte.h"
 #include "util-unittest.h"
 #include "util-debug.h"
+#include "detect-pcre.h"

 /**
 * \brief Regex for parsing our options
@ -99,7 +100,9 @@ error:
 *  \retval 1 match
 *  \retval 0 no match
 */
-int DetectBytejumpDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch *m, uint8_t *payload, uint32_t payload_len) {
+int DetectBytejumpDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s,
+        SigMatch *m, uint8_t *payload, uint32_t payload_len)
+{
    SCEnter();

    DetectBytejumpData *data = (DetectBytejumpData *)m->ctx;
@ -513,14 +516,31 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
    if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
        /** Search for the first previous DetectContent
         * SigMatch (it can be the same as this one) */
-        SigMatch *pm = DetectContentGetLastPattern(s->pmatch_tail);
-        if (pm == NULL) {
-            SCLogError(SC_ERR_BYTEJUMP_MISSING_CONTENT, "relative bytejump match needs a previous content option");
-            goto error;
+        SigMatch *pm = NULL;
+        pm = SigMatchGetLastSM(s->pmatch_tail, DETECT_CONTENT);
+        if (pm != NULL) {
+            DetectContentData *cd = (DetectContentData *)pm->ctx;
+            if (cd == NULL) {
+                SCLogError(SC_ERR_INVALID_SIGNATURE, "relative bytejump match "
+                        "needs a previous content option");
+                goto error;
+            }
+            cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+        } else {
+            pm = SigMatchGetLastSM(s->pmatch_tail, DETECT_PCRE);
+            if (pm == NULL) {
+                SCLogError(SC_ERR_INVALID_SIGNATURE, "relative bytejump match "
+                        "needs a previous content option");
+                goto error;
+            }
+            DetectPcreData *pe = NULL;
+            pe = (DetectPcreData *) pm->ctx;
+            if (pe == NULL) {
+                SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous keyword!");
+                goto error;
+            }
+            pe->flags |= DETECT_PCRE_RELATIVE;
        }
-
-        DetectContentData *cd = (DetectContentData *)pm->ctx;
-        cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
    }

    sm = SigMatchAlloc();
@ -554,7 +574,7 @@ void DetectBytejumpFree(void *ptr)

 /* UNITTESTS */
 #ifdef UNITTESTS
-
+#include "util-unittest-helper.h"
 /**
 * \test DetectBytejumpTestParse01 is a test to make sure that we return
 * "something" when given valid bytejump opt
@ -710,6 +730,37 @@ int DetectBytejumpTestParse08(void) {

    return result;
 }
+
+/**
+ * \test DetectByteJumpTestPacket01 is a test to check matches of
+ * byte_jump and byte_jump relative works if the previous keyword is pcre
+ * (bug 142)
+ */
+int DetectByteJumpTestPacket01 (void) {
+    int result = 0;
+    uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
+                    "User-Agent: Wget/1.11.4"
+                    "Accept: */*"
+                    "Host: www.google.com"
+                    "Connection: Keep-Alive"
+                    "Date: Mon, 04 Jan 2010 17:29:39 GMT";
+    uint16_t buflen = strlen((char *)buf);
+    Packet *p;
+    p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
+
+    if (p == NULL)
+        goto end;
+
+    char sig[] = "alert tcp any any -> any any (msg:\"pcre + byte_test + "
+    "relative\"; pcre:\"/AllWorkAndNoPlayMakesWillADullBoy/\"; byte_jump:1,6,"
+    "relative,string,dec; content:\"0\"; sid:134; rev:1;)";
+
+    result = UTHPacketMatchSig(p, sig);
+
+    UTHFreePacket(p);
+end:
+    return result;
+}
 #endif /* UNITTESTS */


@ -726,6 +777,7 @@ void DetectBytejumpRegisterTests(void) {
    UtRegisterTest("DetectBytejumpTestParse06", DetectBytejumpTestParse06, 1);
    UtRegisterTest("DetectBytejumpTestParse07", DetectBytejumpTestParse07, 1);
    UtRegisterTest("DetectBytejumpTestParse08", DetectBytejumpTestParse08, 1);
+    UtRegisterTest("DetectByteJumpTestPacket01", DetectByteJumpTestPacket01, 1);
 #endif /* UNITTESTS */
 }

--- a/src/detect-bytetest.c
+++ b/src/detect-bytetest.c
@ -35,6 +35,7 @@
 #include "util-byte.h"
 #include "util-unittest.h"
 #include "util-debug.h"
+#include "detect-pcre.h"


 /**
@ -533,14 +534,31 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
    if (data->flags & DETECT_BYTETEST_RELATIVE) {
        /** Search for the first previous DetectContent
         * SigMatch (it can be the same as this one) */
-        SigMatch *pm = DetectContentGetLastPattern(s->pmatch_tail);
-        if (pm == NULL) {
-            SCLogError(SC_ERR_BYTETEST_MISSING_CONTENT, "relative bytetest match needs a previous content option");
-            goto error;
+        SigMatch *pm = NULL;
+        pm = SigMatchGetLastSM(s->pmatch_tail, DETECT_CONTENT);
+        if (pm != NULL) {
+            DetectContentData *cd = (DetectContentData *) pm->ctx;
+            if (cd == NULL) {
+                SCLogError(SC_ERR_INVALID_SIGNATURE, "elative bytejump match "
+                        "needs a previous content option");
+                goto error;
+            }
+            cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+        } else {
+            pm = SigMatchGetLastSM(s->pmatch_tail, DETECT_PCRE);
+            if (pm == NULL) {
+                SCLogError(SC_ERR_INVALID_SIGNATURE, "relative bytejump match "
+                        "needs a previous content option");
+                goto error;
+            }
+            DetectPcreData *pe = NULL;
+            pe = (DetectPcreData *) pm->ctx;
+            if (pe == NULL) {
+                SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous keyword!");
+                goto error;
+            }
+            pe->flags |= DETECT_PCRE_RELATIVE;
        }
-
-        DetectContentData *cd = (DetectContentData *)pm->ctx;
-        cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
    }

    sm = SigMatchAlloc();
@ -574,7 +592,7 @@ void DetectBytetestFree(void *ptr)

 /* UNITTESTS */
 #ifdef UNITTESTS
-
+#include "util-unittest-helper.h"
 /**
 * \test DetectBytetestTestParse01 is a test to make sure that we return "something"
 *  when given valid bytetest opt
@ -904,6 +922,37 @@ int DetectBytetestTestParse16(void) {

    return result;
 }
+
+/**
+ * \test DetectByteTestTestPacket01 is a test to check matches of
+ * byte_test and byte_test relative works if the previous keyword is pcre
+ * (bug 142)
+ */
+int DetectByteTestTestPacket01 (void) {
+    int result = 0;
+    uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
+                    "User-Agent: Wget/1.11.4"
+                    "Accept: */*"
+                    "Host: www.google.com"
+                    "Connection: Keep-Alive"
+                    "Date: Mon, 04 Jan 2010 17:29:39 GMT";
+    uint16_t buflen = strlen((char *)buf);
+    Packet *p;
+    p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
+
+    if (p == NULL)
+        goto end;
+
+    char sig[] = "alert tcp any any -> any any (msg:\"pcre + byte_test + "
+    "relative\"; pcre:\"/AllWorkAndNoPlayMakesWillADullBoy/\"; byte_test:1,=,1"
+    ",6,relative,string,dec; sid:126; rev:1;)";
+
+    result = UTHPacketMatchSig(p, sig);
+
+    UTHFreePacket(p);
+end:
+    return result;
+}
 #endif /* UNITTESTS */


@ -927,7 +976,7 @@ void DetectBytetestRegisterTests(void) {
    UtRegisterTest("DetectBytetestTestParse13", DetectBytetestTestParse13, 1);
    UtRegisterTest("DetectBytetestTestParse14", DetectBytetestTestParse14, 1);
    UtRegisterTest("DetectBytetestTestParse15", DetectBytetestTestParse15, 1);
-    UtRegisterTest("DetectBytetestTestParse16", DetectBytetestTestParse16, 1);
+    UtRegisterTest("DetectByteTestTestPacket01", DetectByteTestTestPacket01, 1);
 #endif /* UNITTESTS */
 }