|
|
|
@ -1,4 +1,4 @@
|
|
|
|
|
/* Copyright (C) 2007-2014 Open Information Security Foundation
|
|
|
|
|
/* Copyright (C) 2007-2020 Open Information Security Foundation
|
|
|
|
|
*
|
|
|
|
|
* You can copy, redistribute or modify this Program under the terms of
|
|
|
|
|
* the GNU General Public License version 2 as published by the Free
|
|
|
|
@ -118,11 +118,10 @@ static int DetectFlowvarSetup (DetectEngineCtx *de_ctx, Signature *s, const char
|
|
|
|
|
{
|
|
|
|
|
DetectFlowvarData *fd = NULL;
|
|
|
|
|
SigMatch *sm = NULL;
|
|
|
|
|
char *varname = NULL, *varcontent = NULL;
|
|
|
|
|
char varname[64], varcontent[64];
|
|
|
|
|
#define MAX_SUBSTRINGS 30
|
|
|
|
|
int ret = 0, res = 0;
|
|
|
|
|
int ov[MAX_SUBSTRINGS];
|
|
|
|
|
const char *str_ptr;
|
|
|
|
|
uint8_t *content = NULL;
|
|
|
|
|
uint16_t contentlen = 0;
|
|
|
|
|
uint32_t contentflags = s->init_data->negated ? DETECT_CONTENT_NEGATED : 0;
|
|
|
|
@ -133,29 +132,28 @@ static int DetectFlowvarSetup (DetectEngineCtx *de_ctx, Signature *s, const char
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
|
|
|
|
|
res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, varname, sizeof(varname));
|
|
|
|
|
if (res < 0) {
|
|
|
|
|
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
|
|
|
|
|
SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
varname = (char *)str_ptr;
|
|
|
|
|
|
|
|
|
|
res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, &str_ptr);
|
|
|
|
|
res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, varcontent, sizeof(varcontent));
|
|
|
|
|
if (res < 0) {
|
|
|
|
|
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
|
|
|
|
|
SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
varcontent = (char *)str_ptr;
|
|
|
|
|
|
|
|
|
|
int varcontent_index = 0;
|
|
|
|
|
if (strlen(varcontent) >= 2) {
|
|
|
|
|
if (varcontent[0] == '"')
|
|
|
|
|
varcontent++;
|
|
|
|
|
varcontent_index++;
|
|
|
|
|
if (varcontent[strlen(varcontent)-1] == '"')
|
|
|
|
|
varcontent[strlen(varcontent)-1] = '\0';
|
|
|
|
|
}
|
|
|
|
|
SCLogDebug("varcontent %s", varcontent);
|
|
|
|
|
SCLogDebug("varcontent %s", &varcontent[varcontent_index]);
|
|
|
|
|
|
|
|
|
|
res = DetectContentDataParse("flowvar", varcontent, &content, &contentlen);
|
|
|
|
|
res = DetectContentDataParse("flowvar", &varcontent[varcontent_index], &content, &contentlen);
|
|
|
|
|
if (res == -1)
|
|
|
|
|
goto error;
|
|
|
|
|
|
|
|
|
|
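Review bot: The new fixed buffers `char varname[64], varcontent[64];` make any flowvar name or content of 64 bytes or more fail setup, because pcre_copy_substring returns an error when the destination is too small. The only diagnostic is the generic "pcre_copy_substring failed", so a rule that loaded before this change is rejected without a usable reason. Document the cap at the declaration, e.g. `/* name and content are limited to 63 bytes each; longer captures make pcre_copy_substring fail */`, and name the limit in both SCLogError messages. DetectFlowvarSetup continues outside this hunk: since `varname` and `varcontent` are now stack arrays, confirm that the code after `DetectContentDataParse` and under the `error` label copies them rather than storing the pointers, and no longer frees them.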