aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

All http_client_body modified patterns now are DETECT_CONTENT and not DETECT_AL_HTTP_CLIENT_BODY

Browse Source
remotes/origin/HEAD
Anoop Saldanha 14 years ago committed by Victor Julien
parent 4810ee9c5f
commit a5b46e727c
11 changed files with 41 additions and 251 deletions
Show Stats Download Patch File Download Diff File

44
src/detect-depth.c
Unescape Escape View File

@ -89,7 +89,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
@ -162,48 +162,6 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
break;
case DETECT_AL_HTTP_CLIENT_BODY:
cd = (DetectContentData *)pm->ctx;
if (cd->flags & DETECT_CONTENT_NEGATED) {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"negated keyword set along with a fast_pattern");
goto error;
}
} else {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"keyword set along with a fast_pattern:only;");
goto error;
}
}
if (str[0] != '-' && isalpha(str[0])) {
SigMatch *bed_sm =
DetectByteExtractRetrieveSMVar(str, s,
SigMatchListSMBelongsTo(s, pm));
if (bed_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in depth - %s\n", str);
goto error;
}
cd->depth = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
cd->flags |= DETECT_CONTENT_DEPTH_BE;
} else {
cd->depth = (uint32_t)atoi(str);
if (cd->depth < cd->content_len) {
cd->depth = cd->content_len;
SCLogDebug("depth increased to %"PRIu32" to match pattern len ",
cd->depth);
}
/* Now update the real limit, as depth is relative to the offset */
cd->depth += cd->offset;
}
cd->flags |= DETECT_CONTENT_DEPTH;
break;
case DETECT_AL_HTTP_SERVER_BODY:
cd = (DetectContentData *)pm->ctx;
if (cd->flags & DETECT_CONTENT_NEGATED) {

64
src/detect-distance.c
Unescape Escape View File

@ -164,7 +164,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
@ -291,68 +291,6 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
break;
case DETECT_AL_HTTP_CLIENT_BODY:
cd = (DetectContentData *)pm->ctx;
if (str[0] != '-' && isalpha(str[0])) {
SigMatch *bed_sm =
DetectByteExtractRetrieveSMVar(str, s,
SigMatchListSMBelongsTo(s, pm));
if (bed_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in distance - %s\n", str);
goto error;
}
cd->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
cd->flags |= DETECT_CONTENT_DISTANCE_BE;
} else {
cd->distance = strtol(str, NULL, 10);
}
if (cd->flags & DETECT_CONTENT_NEGATED) {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"negated keyword set along with a fast_pattern");
goto error;
}
} else {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"keyword set along with a fast_pattern:only;");
goto error;
}
}
cd->flags |= DETECT_CONTENT_DISTANCE;
/* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_AL_HTTP_CLIENT_BODY, pm->prev,
DETECT_PCRE, pm->prev);
if (pm == NULL) {
SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for http_client_body "
"needs preceeding http_client_body content");
goto error;
}
if (pm->type == DETECT_PCRE) {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
} else {
/* reassigning cd */
cd = (DetectContentData *)pm->ctx;
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
"has a fast_pattern:only; set. You can't "
"have relative keywords around a fast_pattern "
"only content");
goto error;
}
cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
}
break;
case DETECT_AL_HTTP_SERVER_BODY:
cd = (DetectContentData *)pm->ctx;

1
src/detect-engine-content-inspection.c
Unescape Escape View File

@ -111,7 +111,6 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
sm->type == DETECT_AL_HTTP_RAW_URI ||
sm->type == DETECT_AL_HTTP_HEADER ||
sm->type == DETECT_AL_HTTP_RAW_HEADER ||
sm->type == DETECT_AL_HTTP_CLIENT_BODY ||
sm->type == DETECT_AL_HTTP_SERVER_BODY ||
sm->type == DETECT_AL_HTTP_COOKIE ||
sm->type == DETECT_AL_HTTP_METHOD ||

4
src/detect-fast-pattern.c
Unescape Escape View File

@ -125,7 +125,7 @@ void SupportFastPatternForSigMatchTypes(void)
SupportFastPatternForSigMatchType(DETECT_CONTENT);
SupportFastPatternForSigMatchList(DETECT_SM_LIST_UMATCH);
SupportFastPatternForSigMatchType(DETECT_AL_HTTP_CLIENT_BODY);
SupportFastPatternForSigMatchType(DETECT_CONTENT);
SupportFastPatternForSigMatchList(DETECT_SM_LIST_HCBDMATCH);
SupportFastPatternForSigMatchType(DETECT_AL_HTTP_SERVER_BODY);
@ -239,7 +239,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
SigMatch *pm = SigMatchGetLastSMFromLists(s, 22,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],

18
src/detect-http-client-body.c
Unescape Escape View File

@ -147,7 +147,7 @@ int DetectHttpClientBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
/* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_client_body seen with a "
@ -164,7 +164,7 @@ int DetectHttpClientBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HCBDMATCH);
sm->type = DETECT_AL_HTTP_CLIENT_BODY;
sm->type = DETECT_CONTENT;
/* transfer the sm from the pmatch list to hcbdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
@ -243,7 +243,7 @@ static int DetectHttpClientBodyTest01(void)
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_MATCH];
if (sm != NULL) {
result &= (sm->type == DETECT_AL_HTTP_CLIENT_BODY);
result &= (sm->type == DETECT_CONTENT);
result &= (sm->next == NULL);
}
@ -2182,8 +2182,8 @@ int DetectHttpClientBodyTest27(void)
"(content:\"one\"; offset:10; http_client_body; pcre:/two/; distance:10; "
"content:\"three\"; distance:10; http_client_body; depth:10; "
"content:\"four\"; distance:10; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
}
@ -2374,7 +2374,7 @@ int DetectHttpClientBodyTest32(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_client_body; within:5; sid:1;)");
if (de_ctx->sig_list != NULL) {
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
}
@ -2439,7 +2439,7 @@ int DetectHttpClientBodyTest34(void)
}
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH] == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->type != DETECT_AL_HTTP_CLIENT_BODY ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->type != DETECT_CONTENT ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->type != DETECT_PCRE) {
@ -2492,7 +2492,7 @@ int DetectHttpClientBodyTest35(void)
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH] == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->type != DETECT_PCRE ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->type != DETECT_AL_HTTP_CLIENT_BODY) {
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->type != DETECT_CONTENT) {
goto end;
}
@ -2541,7 +2541,7 @@ int DetectHttpClientBodyTest36(void)
}
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH] == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->type != DETECT_AL_HTTP_CLIENT_BODY ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->type != DETECT_CONTENT ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev == NULL ||
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->type != DETECT_PCRE) {

3
src/detect-isdataat.c
Unescape Escape View File

@ -354,7 +354,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
pm = SigMatchGetLastSMFromLists(s, 54,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 1 */
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], /* 5 */
DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
@ -419,7 +419,6 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
switch (prev_pm->type) {
case DETECT_CONTENT:
case DETECT_AL_HTTP_CLIENT_BODY:
case DETECT_AL_HTTP_SERVER_BODY:
case DETECT_AL_HTTP_HEADER:
case DETECT_AL_HTTP_RAW_HEADER:

3
src/detect-nocase.c
Unescape Escape View File

@ -77,7 +77,7 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
SigMatch *pm = SigMatchGetLastSMFromLists(s, 22,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
@ -98,7 +98,6 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
switch (pm->type) {
case DETECT_CONTENT:
case DETECT_AL_HTTP_CLIENT_BODY:
case DETECT_AL_HTTP_SERVER_BODY:
case DETECT_AL_HTTP_HEADER:
case DETECT_AL_HTTP_RAW_HEADER:

46
src/detect-offset.c
Unescape Escape View File

@ -86,7 +86,7 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
pm = SigMatchGetLastSMFromLists(s, 22,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
@ -163,50 +163,6 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
break;
case DETECT_AL_HTTP_CLIENT_BODY:
cd = (DetectContentData *)pm->ctx;
if (cd->flags & DETECT_CONTENT_NEGATED) {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"negated keyword set along with a fast_pattern");
goto error;
}
} else {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"keyword set along with a fast_pattern:only;");
goto error;
}
}
if (str[0] != '-' && isalpha(str[0])) {
SigMatch *bed_sm =
DetectByteExtractRetrieveSMVar(str, s,
SigMatchListSMBelongsTo(s, pm));
if (bed_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in offset - %s\n", str);
goto error;
}
cd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
cd->flags |= DETECT_CONTENT_OFFSET_BE;
} else {
cd->offset = (uint32_t)atoi(str);
if (cd->depth != 0) {
if (cd->depth < cd->content_len) {
SCLogDebug("depth increased to %"PRIu32" to match pattern len",
cd->content_len);
cd->depth = cd->content_len;
}
/* Updating the depth as is relative to the offset */
cd->depth += cd->offset;
}
}
cd->flags |= DETECT_CONTENT_OFFSET;
break;
case DETECT_AL_HTTP_SERVER_BODY:
cd = (DetectContentData *)pm->ctx;
if (cd->flags & DETECT_CONTENT_NEGATED) {

5
src/detect-pcre.c
Unescape Escape View File

@ -1201,10 +1201,8 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
SCReturnInt(0);
}
prev_sm = SigMatchGetLastSMFromLists(s, 24,
prev_sm = SigMatchGetLastSMFromLists(s, 20,
DETECT_CONTENT, sm->prev,
DETECT_CONTENT, sm->prev,
DETECT_AL_HTTP_CLIENT_BODY, sm->prev,
DETECT_AL_HTTP_SERVER_BODY, sm->prev,
DETECT_AL_HTTP_HEADER, sm->prev,
DETECT_AL_HTTP_RAW_HEADER, sm->prev,
@ -1237,7 +1235,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
switch (prev_sm->type) {
case DETECT_CONTENT:
case DETECT_AL_HTTP_CLIENT_BODY:
case DETECT_AL_HTTP_SERVER_BODY:
case DETECT_AL_HTTP_HEADER:
case DETECT_AL_HTTP_RAW_HEADER:

71
src/detect-within.c
Unescape Escape View File

@ -166,7 +166,7 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
pm = SigMatchGetLastSMFromLists(s, 22,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
@ -300,75 +300,6 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
break;
case DETECT_AL_HTTP_CLIENT_BODY:
cd = (DetectContentData *)pm->ctx;
if (str[0] != '-' && isalpha(str[0])) {
SigMatch *bed_sm =
DetectByteExtractRetrieveSMVar(str, s,
SigMatchListSMBelongsTo(s, pm));
if (bed_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
"seen in within - %s\n", str);
goto error;
}
cd->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
cd->flags |= DETECT_CONTENT_WITHIN_BE;
} else {
cd->within = strtol(str, NULL, 10);
if (cd->within < (int32_t)cd->content_len) {
SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is "
"less than the content length \"%"PRIu32"\" which is invalid, since "
"this will never match. Invalidating signature", cd->within,
cd->content_len);
goto error;
}
}
if (cd->flags & DETECT_CONTENT_NEGATED) {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"negated keyword set along with a fast_pattern");
goto error;
}
} else {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
"keyword set along with a fast_pattern:only;");
goto error;
}
}
cd->flags |= DETECT_CONTENT_WITHIN;
/* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_AL_HTTP_CLIENT_BODY, pm->prev,
DETECT_PCRE, pm->prev);
if (pm == NULL) {
SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for http_client_body "
"needs preceeding http_client_body content");
goto error;
}
if (pm->type == DETECT_PCRE) {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
} else {
/* reassigning cd */
cd = (DetectContentData *)pm->ctx;
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
"has a fast_pattern:only; set. You can't "
"have relative keywords around a fast_pattern "
"only content");
goto error;
}
cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
}
break;
case DETECT_AL_HTTP_SERVER_BODY:
cd = (DetectContentData *)pm->ctx;

33
src/detect.c
Unescape Escape View File

@ -271,16 +271,30 @@ static inline void EngineAnalysisWriteFastPattern(Signature *s, SigMatch *mpm_sm
fprintf(fp_engine_analysis_FD, "== Sid: %u ==\n", s->id);
fprintf(fp_engine_analysis_FD, " Fast pattern matcher: ");
if (mpm_sm->type == DETECT_CONTENT)
int list_type = SigMatchListSMBelongsTo(s, mpm_sm);
if (list_type == DETECT_SM_LIST_PMATCH)
fprintf(fp_engine_analysis_FD, "content\n");
else if (mpm_sm->type == DETECT_CONTENT)
fprintf(fp_engine_analysis_FD, "uricontent\n");
else if (mpm_sm->type == DETECT_AL_HTTP_CLIENT_BODY)
fprintf(fp_engine_analysis_FD, "http_client_body\n");
else if (mpm_sm->type == DETECT_AL_HTTP_HEADER)
fprintf(fp_engine_analysis_FD, "http_header\n");
else if (mpm_sm->type == DETECT_AL_HTTP_RAW_HEADER)
fprintf(fp_engine_analysis_FD, "http_raw_header\n");
else if (list_type == DETECT_SM_LIST_UMATCH)
fprintf(fp_engine_analysis_FD, "http uri content\n");
else if (list_type == DETECT_SM_LIST_HRUDMATCH)
fprintf(fp_engine_analysis_FD, "http raw uri content\n");
else if (list_type == DETECT_SM_LIST_HHDMATCH)
fprintf(fp_engine_analysis_FD, "http header content\n");
else if (list_type == DETECT_SM_LIST_HRHDMATCH)
fprintf(fp_engine_analysis_FD, "http raw header content\n");
else if (list_type == DETECT_SM_LIST_HMDMATCH)
fprintf(fp_engine_analysis_FD, "http method content\n");
else if (list_type == DETECT_SM_LIST_HCDMATCH)
fprintf(fp_engine_analysis_FD, "http cookie content\n");
else if (list_type == DETECT_SM_LIST_HCBDMATCH)
fprintf(fp_engine_analysis_FD, "http client body content\n");
else if (list_type == DETECT_SM_LIST_HSBDMATCH)
fprintf(fp_engine_analysis_FD, "http server body content\n");
else if (list_type == DETECT_SM_LIST_HSCDMATCH)
fprintf(fp_engine_analysis_FD, "http stat code content\n");
else if (list_type == DETECT_SM_LIST_HSMDMATCH)
fprintf(fp_engine_analysis_FD, "http stat msg content\n");
fprintf(fp_engine_analysis_FD, " Fast pattern set: %s\n", fast_pattern_set ? "yes" : "no");
fprintf(fp_engine_analysis_FD, " Fast pattern only set: %s\n",
fast_pattern_only_set ? "yes" : "no");
@ -2198,7 +2212,6 @@ static int SignatureCreateMask(Signature *s) {
case DETECT_AL_HTTP_COOKIE:
case DETECT_AL_HTTP_METHOD:
case DETECT_AL_URILEN:
case DETECT_AL_HTTP_CLIENT_BODY:
case DETECT_AL_HTTP_HEADER:
case DETECT_AL_HTTP_RAW_HEADER:
case DETECT_AL_HTTP_URI:

Write Preview
Loading…
Cancel
Save