Convert flowbits keyword parsing to use pcre_copy_substring

pull/665/head
Victor Julien 12 years ago
parent beab8d401c
commit 9d35855a95

@ -164,11 +164,11 @@ int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
{ {
DetectFlowbitsData *cd = NULL; DetectFlowbitsData *cd = NULL;
SigMatch *sm = NULL; SigMatch *sm = NULL;
char *fb_cmd_str = NULL, *fb_name = NULL;
uint8_t fb_cmd = 0; uint8_t fb_cmd = 0;
#define MAX_SUBSTRINGS 30 #define MAX_SUBSTRINGS 30
int ret = 0, res = 0; int ret = 0, res = 0;
int ov[MAX_SUBSTRINGS]; int ov[MAX_SUBSTRINGS];
char fb_cmd_str[16] = "", fb_name[256] = "";
ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS); ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS);
if (ret != 2 && ret != 3) { if (ret != 2 && ret != 3) {
@ -176,21 +176,18 @@ int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
return -1; return -1;
} }
const char *str_ptr; res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, fb_cmd_str, sizeof(fb_cmd_str));
res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
if (res < 0) { if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed"); SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
return -1; return -1;
} }
fb_cmd_str = (char *)str_ptr;
if (ret == 3) { if (ret == 3) {
res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, &str_ptr); res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, fb_name, sizeof(fb_name));
if (res < 0) { if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed"); SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
goto error; goto error;
} }
fb_name = (char *)str_ptr;
} }
if (strcmp(fb_cmd_str,"noalert") == 0) { if (strcmp(fb_cmd_str,"noalert") == 0) {
@ -212,7 +209,7 @@ int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
switch (fb_cmd) { switch (fb_cmd) {
case DETECT_FLOWBITS_CMD_NOALERT: case DETECT_FLOWBITS_CMD_NOALERT:
if(fb_name != NULL) if (strlen(fb_name) != 0)
goto error; goto error;
s->flags |= SIG_FLAG_NOALERT; s->flags |= SIG_FLAG_NOALERT;
return 0; return 0;
@ -222,7 +219,7 @@ int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
case DETECT_FLOWBITS_CMD_UNSET: case DETECT_FLOWBITS_CMD_UNSET:
case DETECT_FLOWBITS_CMD_TOGGLE: case DETECT_FLOWBITS_CMD_TOGGLE:
default: default:
if(fb_name == NULL) if (strlen(fb_name) == 0)
goto error; goto error;
break; break;
} }
@ -235,12 +232,7 @@ int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
cd->cmd = fb_cmd; cd->cmd = fb_cmd;
SCLogDebug("idx %" PRIu32 ", cmd %s, name %s", SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
cd->idx, fb_cmd_str, fb_name ? fb_name : "(null)"); cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)");
pcre_free_substring(fb_name);
fb_name = NULL;
pcre_free_substring(fb_cmd_str);
fb_cmd_str = NULL;
/* Okay so far so good, lets get this into a SigMatch /* Okay so far so good, lets get this into a SigMatch
* and put it in the Signature. */ * and put it in the Signature. */
@ -273,10 +265,6 @@ int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
return 0; return 0;
error: error:
if (fb_name != NULL)
pcre_free_substring(fb_name);
if (fb_cmd_str != NULL)
pcre_free_substring(fb_cmd_str);
if (cd != NULL) if (cd != NULL)
SCFree(cd); SCFree(cd);
if (sm != NULL) if (sm != NULL)
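Review bot: The new fixed buffers in `char fb_cmd_str[16] = "", fb_name[256] = "";` impose an undocumented limit of 255 bytes on the flowbit name and 15 on the command. A rule that exceeds either is rejected with only "pcre_copy_substring failed", which does not tell the rule writer what is wrong. `pcre_copy_substring` returns `PCRE_ERROR_NOMEMORY` when the destination is too small, so the name branch could report that case on its own, e.g. `if (res == PCRE_ERROR_NOMEMORY) { SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "flowbits name too long, max 255 bytes"); goto error; }`. A comment at the declaration such as `/* bounded copies of rule input: pcre_copy_substring errors out instead of truncating */` would record why the later `strcmp`/`strlen` calls on these buffers are safe. The body of DetectFlowbitSetup continues outside the hunks shown, so uses of `fb_name` between them were not checked.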
