@ -189,163 +189,6 @@ void SigMatchRemoveSMFromList(Signature *s, SigMatch *sm, int sm_list)
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \brief Pull a content 'old' from the pmatch list, append 'new' to amatch list.
|
|
|
|
|
* Used for replacing contents that have http_cookie, etc modifiers.
|
|
|
|
|
*/
|
|
|
|
|
void SigMatchReplaceContent(Signature *s, SigMatch *old, SigMatch *new) {
|
|
|
|
|
BUG_ON(old == NULL);
|
|
|
|
|
|
|
|
|
|
SigMatch *m = s->sm_lists[DETECT_SM_LIST_PMATCH];
|
|
|
|
|
SigMatch *pm = m;
|
|
|
|
|
|
|
|
|
|
for ( ; m != NULL; m = m->next) {
|
|
|
|
|
if (m == old) {
|
|
|
|
|
if (m == s->sm_lists[DETECT_SM_LIST_PMATCH]) {
|
|
|
|
|
s->sm_lists[DETECT_SM_LIST_PMATCH] = m->next;
|
|
|
|
|
if (m->next != NULL) {
|
|
|
|
|
m->next->prev = NULL;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
pm->next = m->next;
|
|
|
|
|
if (m->next != NULL) {
|
|
|
|
|
m->next->prev = pm;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (m == s->sm_lists_tail[DETECT_SM_LIST_PMATCH]) {
|
|
|
|
|
if (pm == m) {
|
|
|
|
|
s->sm_lists_tail[DETECT_SM_LIST_PMATCH] = NULL;
|
|
|
|
|
} else {
|
|
|
|
|
s->sm_lists_tail[DETECT_SM_LIST_PMATCH] = pm;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//printf("m %p s->sm_lists[DETECT_SM_LIST_PMATCH] %p s->sm_lists_tail[DETECT_SM_LIST_PMATCH] %p\n", m, s->sm_lists[DETECT_SM_LIST_PMATCH], s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pm = m;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* finally append the "new" sig match to the app layer list */
|
|
|
|
|
/** \todo if the app layer gets it's own list, adapt this code */
|
|
|
|
|
if (s->sm_lists[DETECT_SM_LIST_AMATCH] == NULL) {
|
|
|
|
|
s->sm_lists[DETECT_SM_LIST_AMATCH] = new;
|
|
|
|
|
s->sm_lists_tail[DETECT_SM_LIST_AMATCH] = new;
|
|
|
|
|
new->next = NULL;
|
|
|
|
|
new->prev = NULL;
|
|
|
|
|
} else {
|
|
|
|
|
SigMatch *cur = s->sm_lists[DETECT_SM_LIST_AMATCH];
|
|
|
|
|
|
|
|
|
|
for ( ; cur->next != NULL; cur = cur->next);
|
|
|
|
|
|
|
|
|
|
cur->next = new;
|
|
|
|
|
new->next = NULL;
|
|
|
|
|
new->prev = cur;
|
|
|
|
|
s->sm_lists_tail[DETECT_SM_LIST_AMATCH] = new;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* move over the idx */
|
|
|
|
|
if (pm != NULL)
|
|
|
|
|
new->idx = pm->idx;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Pull a content 'old' from the pmatch list, append 'new' to umatch list.
|
|
|
|
|
*
|
|
|
|
|
* Used for replacing contents that have the http_uri modifier that need to be
|
|
|
|
|
* moved to the uri inspection list.
|
|
|
|
|
*/
|
|
|
|
|
void SigMatchReplaceContentToUricontent(Signature *s, SigMatch *old, SigMatch *new) {
|
|
|
|
|
BUG_ON(old == NULL);
|
|
|
|
|
|
|
|
|
|
SigMatch *m = s->sm_lists[DETECT_SM_LIST_PMATCH];
|
|
|
|
|
SigMatch *pm = m;
|
|
|
|
|
|
|
|
|
|
for ( ; m != NULL; m = m->next) {
|
|
|
|
|
if (m == old) {
|
|
|
|
|
if (m == s->sm_lists[DETECT_SM_LIST_PMATCH]) {
|
|
|
|
|
s->sm_lists[DETECT_SM_LIST_PMATCH] = m->next;
|
|
|
|
|
if (m->next != NULL) {
|
|
|
|
|
m->next->prev = NULL;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
pm->next = m->next;
|
|
|
|
|
if (m->next != NULL) {
|
|
|
|
|
m->next->prev = pm;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (m == s->sm_lists_tail[DETECT_SM_LIST_PMATCH]) {
|
|
|
|
|
if (pm == m) {
|
|
|
|
|
s->sm_lists_tail[DETECT_SM_LIST_PMATCH] = NULL;
|
|
|
|
|
} else {
|
|
|
|
|
s->sm_lists_tail[DETECT_SM_LIST_PMATCH] = pm;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//printf("m %p s->sm_lists[DETECT_SM_LIST_PMATCH] %p s->sm_lists_tail[DETECT_SM_LIST_PMATCH] %p\n", m, s->sm_lists[DETECT_SM_LIST_PMATCH], s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pm = m;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* finally append the "new" sig match to the app layer list */
|
|
|
|
|
/** \todo if the app layer gets it's own list, adapt this code */
|
|
|
|
|
if (s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL) {
|
|
|
|
|
s->sm_lists[DETECT_SM_LIST_UMATCH] = new;
|
|
|
|
|
s->sm_lists_tail[DETECT_SM_LIST_UMATCH] = new;
|
|
|
|
|
new->next = NULL;
|
|
|
|
|
new->prev = NULL;
|
|
|
|
|
} else {
|
|
|
|
|
SigMatch *cur = s->sm_lists[DETECT_SM_LIST_UMATCH];
|
|
|
|
|
|
|
|
|
|
for ( ; cur->next != NULL; cur = cur->next);
|
|
|
|
|
|
|
|
|
|
cur->next = new;
|
|
|
|
|
new->next = NULL;
|
|
|
|
|
new->prev = cur;
|
|
|
|
|
s->sm_lists_tail[DETECT_SM_LIST_UMATCH] = new;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* move over the idx */
|
|
|
|
|
if (pm != NULL)
|
|
|
|
|
new->idx = pm->idx;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Replaces the old sigmatch with the new sigmatch in the current
|
|
|
|
|
* signature.
|
|
|
|
|
*
|
|
|
|
|
* \param s pointer to the current signature
|
|
|
|
|
* \param m pointer to the old sigmatch
|
|
|
|
|
* \param new pointer to the new sigmatch, which will replace m
|
|
|
|
|
*/
|
|
|
|
|
void SigMatchReplace(Signature *s, SigMatch *m, SigMatch *new) {
|
|
|
|
|
if (s->sm_lists[DETECT_SM_LIST_MATCH] == NULL) {
|
|
|
|
|
s->sm_lists[DETECT_SM_LIST_MATCH] = new;
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (m == NULL) {
|
|
|
|
|
s->sm_lists[DETECT_SM_LIST_MATCH] = new;
|
|
|
|
|
} else if (m->prev == NULL) {
|
|
|
|
|
if (m->next != NULL) {
|
|
|
|
|
m->next->prev = new;
|
|
|
|
|
new->next = m->next;
|
|
|
|
|
}
|
|
|
|
|
s->sm_lists[DETECT_SM_LIST_MATCH] = new;
|
|
|
|
|
} else {
|
|
|
|
|
m->prev->next = new;
|
|
|
|
|
new->prev = m->prev;
|
|
|
|
|
if (m->next != NULL) {
|
|
|
|
|
m->next->prev = new;
|
|
|
|
|
new->next = m->next;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Returns a pointer to the last SigMatch instance of a particular type
|
|
|
|
|
* in a Signature of the payload list.
|
|
|
|
|
|