From 97d8fc9cbac65f9c81df7e5d87172fb81fe88dfb Mon Sep 17 00:00:00 2001 From: Anoop Saldanha Date: Sun, 19 Feb 2012 23:19:52 +0530 Subject: [PATCH] All http_http_raw_header modified patterns now are DETECT_CONTENT and not DETECT_AL_HTTP_RAW_HEADER --- src/detect-depth.c | 44 +--------------- src/detect-distance.c | 64 +---------------------- src/detect-engine-content-inspection.c | 1 - src/detect-fast-pattern.c | 4 +- src/detect-http-raw-header.c | 16 +++--- src/detect-isdataat.c | 3 +- src/detect-nocase.c | 3 +- src/detect-offset.c | 46 +---------------- src/detect-pcre.c | 4 +- src/detect-within.c | 70 +------------------------- src/detect.c | 1 - 11 files changed, 17 insertions(+), 239 deletions(-) diff --git a/src/detect-depth.c b/src/detect-depth.c index 217da4af42..13a06d3611 100644 --- a/src/detect-depth.c +++ b/src/detect-depth.c @@ -92,7 +92,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], DETECT_AL_HTTP_COOKIE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], @@ -162,48 +162,6 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths break; - case DETECT_AL_HTTP_RAW_HEADER: - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in depth - %s\n", str); - goto error; - } - cd->depth = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_DEPTH_BE; - } else { - cd->depth = (uint32_t)atoi(str); - if (cd->depth < cd->content_len) { - cd->depth = cd->content_len; - SCLogDebug("depth increased to %"PRIu32" to match pattern len ", - cd->depth); - } - /* Now update the real limit, as depth is relative to the offset */ - cd->depth += cd->offset; - } - - cd->flags |= DETECT_CONTENT_DEPTH; - - break; - case DETECT_AL_HTTP_METHOD: cd = (DetectContentData *)pm->ctx; if (cd->flags & DETECT_CONTENT_NEGATED) { diff --git a/src/detect-distance.c b/src/detect-distance.c index effb507641..f66d2dd960 100644 --- a/src/detect-distance.c +++ b/src/detect-distance.c @@ -167,7 +167,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], DETECT_AL_HTTP_COOKIE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], @@ -291,68 +291,6 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, break; - case DETECT_AL_HTTP_RAW_HEADER: - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in distance - %s\n", str); - goto error; - } - cd->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_DISTANCE_BE; - } else { - cd->distance = strtol(str, NULL, 10); - } - - cd->flags |= DETECT_CONTENT_DISTANCE; - - /* reassigning pm */ - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_AL_HTTP_RAW_HEADER, pm->prev, - DETECT_PCRE, pm->prev); - if (pm == NULL) { - SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for " - "http_raw_header needs preceeding http_raw_header " - "content"); - goto error; - } - - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - /* reassigning cd */ - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword " - "has a fast_pattern:only; set. You can't " - "have relative keywords around a fast_pattern " - "only content"); - goto error; - } - cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } - - break; - case DETECT_AL_HTTP_METHOD: cd = (DetectContentData *)pm->ctx; if (cd->flags & DETECT_CONTENT_NEGATED) { diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c index 23acaf92a0..59c19b5d5e 100644 --- a/src/detect-engine-content-inspection.c +++ b/src/detect-engine-content-inspection.c @@ -109,7 +109,6 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx /* \todo unify this which is phase 2 of payload inspection unification */ if (sm->type == DETECT_CONTENT || sm->type == DETECT_AL_HTTP_RAW_URI || - sm->type == DETECT_AL_HTTP_RAW_HEADER || sm->type == DETECT_AL_HTTP_COOKIE || sm->type == DETECT_AL_HTTP_METHOD || sm->type == DETECT_AL_HTTP_STAT_CODE || diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index b3efee0054..460058f8a2 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c @@ -134,7 +134,7 @@ void SupportFastPatternForSigMatchTypes(void) SupportFastPatternForSigMatchType(DETECT_CONTENT); SupportFastPatternForSigMatchList(DETECT_SM_LIST_HHDMATCH); - SupportFastPatternForSigMatchType(DETECT_AL_HTTP_RAW_HEADER); + SupportFastPatternForSigMatchType(DETECT_CONTENT); SupportFastPatternForSigMatchList(DETECT_SM_LIST_HRHDMATCH); SupportFastPatternForSigMatchType(DETECT_AL_HTTP_METHOD); @@ -242,7 +242,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], DETECT_AL_HTTP_COOKIE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], diff --git a/src/detect-http-raw-header.c b/src/detect-http-raw-header.c index fffc14d04f..8f5ad07f24 100644 --- a/src/detect-http-raw-header.c +++ b/src/detect-http-raw-header.c @@ -167,7 +167,7 @@ int DetectHttpRawHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) /* please note. reassigning pm */ pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_AL_HTTP_RAW_HEADER, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]); @@ -186,7 +186,7 @@ int DetectHttpRawHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) } } cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HRUDMATCH); - sm->type = DETECT_AL_HTTP_RAW_HEADER; + sm->type = DETECT_CONTENT; /* transfer the sm from the pmatch list to hrhdmatch list */ SigMatchTransferSigMatchAcrossLists(sm, @@ -243,7 +243,7 @@ static int DetectHttpRawHeaderTest01(void) sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH]; if (sm != NULL) { - result &= (sm->type == DETECT_AL_HTTP_RAW_HEADER); + result &= (sm->type == DETECT_CONTENT); result &= (sm->next == NULL); } else { result = 0; @@ -1589,8 +1589,8 @@ int DetectHttpRawHeaderTest23(void) de_ctx->flags |= DE_QUIET; de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any " "(flow:to_server; content:\"one\"; http_raw_header; within:5; sid:1;)"); - if (de_ctx->sig_list != NULL) { - printf("de_ctx->sig_list != NULL\n"); + if (de_ctx->sig_list == NULL) { + printf("de_ctx->sig_list == NULL\n"); goto end; } @@ -1654,7 +1654,7 @@ int DetectHttpRawHeaderTest25(void) } if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH] == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->type != DETECT_AL_HTTP_RAW_HEADER || + de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->type != DETECT_CONTENT || de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev == NULL || de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->type != DETECT_PCRE) { @@ -1707,7 +1707,7 @@ int DetectHttpRawHeaderTest26(void) if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH] == NULL || de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->type != DETECT_PCRE || de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->type != DETECT_AL_HTTP_RAW_HEADER) { + de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->type != DETECT_CONTENT) { goto end; } @@ -1756,7 +1756,7 @@ int DetectHttpRawHeaderTest27(void) } if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH] == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->type != DETECT_AL_HTTP_RAW_HEADER || + de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->type != DETECT_CONTENT || de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev == NULL || de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->type != DETECT_PCRE) { diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index be2009ac7c..47facb4a07 100644 --- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c @@ -357,7 +357,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], /* 5 */ - DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], DETECT_AL_HTTP_COOKIE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], @@ -419,7 +419,6 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst switch (prev_pm->type) { case DETECT_CONTENT: - case DETECT_AL_HTTP_RAW_HEADER: case DETECT_AL_HTTP_METHOD: case DETECT_AL_HTTP_COOKIE: case DETECT_AL_HTTP_RAW_URI: diff --git a/src/detect-nocase.c b/src/detect-nocase.c index d87b53b409..1092597f3c 100644 --- a/src/detect-nocase.c +++ b/src/detect-nocase.c @@ -80,7 +80,7 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], @@ -98,7 +98,6 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls switch (pm->type) { case DETECT_CONTENT: - case DETECT_AL_HTTP_RAW_HEADER: case DETECT_AL_HTTP_METHOD: case DETECT_AL_HTTP_COOKIE: case DETECT_AL_HTTP_RAW_URI: diff --git a/src/detect-offset.c b/src/detect-offset.c index 2a5f6013b3..62ead6f064 100644 --- a/src/detect-offset.c +++ b/src/detect-offset.c @@ -89,7 +89,7 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr) DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], DETECT_AL_HTTP_COOKIE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], @@ -163,50 +163,6 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr) break; - case DETECT_AL_HTTP_RAW_HEADER: - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in offset - %s\n", str); - goto error; - } - cd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_OFFSET_BE; - } else { - cd->offset = (uint32_t)atoi(str); - if (cd->depth != 0) { - if (cd->depth < cd->content_len) { - SCLogDebug("depth increased to %"PRIu32" to match pattern len", - cd->content_len); - cd->depth = cd->content_len; - } - /* Updating the depth as is relative to the offset */ - cd->depth += cd->offset; - } - } - - cd->flags |= DETECT_CONTENT_OFFSET; - - break; - case DETECT_AL_HTTP_METHOD: cd = (DetectContentData *)pm->ctx; if (cd->flags & DETECT_CONTENT_NEGATED) { diff --git a/src/detect-pcre.c b/src/detect-pcre.c index 1093e8cd35..e4edb4396c 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -1201,9 +1201,8 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst SCReturnInt(0); } - prev_sm = SigMatchGetLastSMFromLists(s, 16, + prev_sm = SigMatchGetLastSMFromLists(s, 14, DETECT_CONTENT, sm->prev, - DETECT_AL_HTTP_RAW_HEADER, sm->prev, DETECT_AL_HTTP_RAW_URI, sm->prev, DETECT_AL_HTTP_COOKIE, sm->prev, DETECT_AL_HTTP_METHOD, sm->prev, @@ -1233,7 +1232,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst switch (prev_sm->type) { case DETECT_CONTENT: - case DETECT_AL_HTTP_RAW_HEADER: case DETECT_AL_HTTP_STAT_MSG: case DETECT_AL_HTTP_STAT_CODE: case DETECT_AL_HTTP_RAW_URI: diff --git a/src/detect-within.c b/src/detect-within.c index 492fb6ee39..bfa2feda4a 100644 --- a/src/detect-within.c +++ b/src/detect-within.c @@ -169,7 +169,7 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], DETECT_AL_HTTP_METHOD, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], DETECT_AL_HTTP_COOKIE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], @@ -300,74 +300,6 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi break; - case DETECT_AL_HTTP_RAW_HEADER: - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in within - %s\n", str); - goto error; - } - cd->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_WITHIN_BE; - } else { - cd->within = strtol(str, NULL, 10); - if (cd->within < (int32_t)cd->content_len) { - SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is " - "less than the content length \"%"PRIu32"\" which is invalid, since " - "this will never match. Invalidating signature", cd->within, - cd->content_len); - goto error; - } - } - - cd->flags |= DETECT_CONTENT_WITHIN; - - /* reassigning pm */ - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_AL_HTTP_RAW_HEADER, pm->prev, - DETECT_PCRE, pm->prev); - if (pm == NULL) { - SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for http_raw_header " - "needs preceeding http_raw_header content"); - goto error; - } - - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - /* reassigning cd */ - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword " - "has a fast_pattern:only; set. You can't " - "have relative keywords around a fast_pattern " - "only content"); - goto error; - } - cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } - - break; - case DETECT_AL_HTTP_METHOD: cd = (DetectContentData *)pm->ctx; if (cd->flags & DETECT_CONTENT_NEGATED) { diff --git a/src/detect.c b/src/detect.c index c0feff9dfc..4cc62cdd99 100644 --- a/src/detect.c +++ b/src/detect.c @@ -2212,7 +2212,6 @@ static int SignatureCreateMask(Signature *s) { case DETECT_AL_HTTP_COOKIE: case DETECT_AL_HTTP_METHOD: case DETECT_AL_URILEN: - case DETECT_AL_HTTP_RAW_HEADER: case DETECT_AL_HTTP_URI: case DETECT_AL_HTTP_RAW_URI: s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;