Improve distance/within/nocase handling, sig parsing error reporting.

src/detect-distance.c

@@ -7,6 +7,7 @@
 #include "detect-content.h"
 #include "detect-uricontent.h"
 #include "detect-pcre.h"
+#include "util-debug.h"
 
 int DetectDistanceSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *distancestr);
 
@@ -36,57 +37,38 @@ int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, cha
 
     SigMatch *pm = m;
     if (pm == NULL) {
-        printf("DetectDistanceSetup: No previous match!\n");
+        SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two preceeding content options");
         goto error;
     }
 
-    if (pm->type == DETECT_PCRE) {
-        DetectPcreData *pe = (DetectPcreData *)pm->ctx;
-
-        pe->distance = strtol(str, NULL, 10);
-        pe->flags |= DETECT_PCRE_DISTANCE;
-        //printf("DetectDistanceSetup: set distance %" PRId32 " for previous pcre\n", pe->distance);
-
-    } else if (pm->type == DETECT_CONTENT) {
-        /** Search for the first previous DetectContent
-          * SigMatch (it can be the same as this one) */
-        pm = DetectContentFindPrevApplicableSM(m);
-        if (pm == NULL || DetectContentHasPrevSMPattern(pm) == NULL) {
-            printf("DetectDistanceSetup: Unknown previous keyword!\n");
-            return -1;
-        }
-
-        DetectContentData *cd = (DetectContentData *)pm->ctx;
-        if (cd == NULL) {
-            printf("DetectDistanceSetup: Unknown previous keyword!\n");
-            return -1;
-        }
-
-        cd->distance = strtol(str, NULL, 10);
-        cd->flags |= DETECT_CONTENT_DISTANCE;
+    /** Search for the first previous DetectContent
+     * SigMatch (it can be the same as this one) */
+    pm = DetectContentFindPrevApplicableSM(m);
+    if (pm == NULL || DetectContentHasPrevSMPattern(pm) == NULL) {
+        SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two preceeding content options");
+        return -1;
+    }
 
-        /** Propagate the modifiers through the first chunk
-          * (SigMatch) if we're dealing with chunks */
-        if (cd->flags & DETECT_CONTENT_IS_CHUNK)
-            DetectContentPropagateDistance(pm);
+    DetectContentData *cd = (DetectContentData *)pm->ctx;
+    if (cd == NULL) {
+        printf("DetectDistanceSetup: Unknown previous keyword!\n");
+        return -1;
+    }
 
-        //DetectContentPrint(cd);
-        //printf("DetectDistanceSetup: set distance %" PRId32 " for previous content\n", cd->distance);
-    } else if (pm->type == DETECT_URICONTENT) {
-        DetectUricontentData *cd = (DetectUricontentData *)pm->ctx;
+    cd->distance = strtol(str, NULL, 10);
+    cd->flags |= DETECT_CONTENT_DISTANCE;
 
-        cd->distance = strtol(str, NULL, 10);
-        cd->flags |= DETECT_URICONTENT_DISTANCE;
+    /** Propagate the modifiers through the first chunk
+     * (SigMatch) if we're dealing with chunks */
+    if (cd->flags & DETECT_CONTENT_IS_CHUNK)
+        DetectContentPropagateDistance(pm);
 
-        //printf("DetectDistanceSetup: set distance %" PRId32 " for previous content\n", cd->distance);
-    } else {
-        printf("DetectDistanceSetup: Unknown previous keyword!\n");
-        goto error;
-    }
+    //DetectContentPrint(cd);
+    //printf("DetectDistanceSetup: set distance %" PRId32 " for previous content\n", cd->distance);
 
-    pm = m->prev;
+    pm = DetectContentFindPrevApplicableSM(m->prev);
     if (pm == NULL) {
-        printf("DetectDistanceSetup: No previous-previous match!\n");
+        SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two preceeding content options");
         goto error;
     }
 

src/detect-nocase.c

@@ -24,7 +24,7 @@ void DetectNocaseRegister (void) {
 
 int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *nullstr)
 {
-    //printf("DetectNocaseSetup: s->match:%p,m:%p\n", s->match, m);
+    int ret = 0;
 
     if (nullstr != NULL) {
         printf("DetectNocaseSetup: nocase has no value\n");
@@ -32,30 +32,22 @@ int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char
     }
 
     SigMatch *pm = m;
-    if (pm != NULL) {
-#if 0
-        if (pm->type == DETECT_PCRE) {
-            DetectPcreData *pe = (DetectPcreData *)pm->ctx;
-            printf("DetectNocaseSetup: set depth %" PRIu32 " for previous pcre\n", pe->depth);
-        } else 
-#endif
+    for (; pm != NULL; pm = pm->prev) {
         if (pm->type == DETECT_CONTENT) {
             DetectContentData *cd = (DetectContentData *)pm->ctx;
             //printf("DetectNocaseSetup: set nocase for previous content\n");
             cd->flags |= DETECT_CONTENT_NOCASE;
+            goto end;
         } else if (pm->type == DETECT_URICONTENT) {
             DetectUricontentData *cd = (DetectUricontentData *)pm->ctx;
             //printf("DetectNocaseSetup: set nocase for previous content\n");
             cd->flags |= DETECT_URICONTENT_NOCASE;
-        } else {
-            printf("DetectNocaseSetup: Unknown previous keyword! (type %" PRIu32 ")\n", pm->type);
-            return -1;
+            goto end;
         }
-    } else {
-        printf("DetectNocaseSetup: No previous match! (pm == NULL)\n");
-        return -1;
     }
 
-    return 0;
+    ret = -1;
+end:
+    return ret;
 }
 

src/detect-parse.c

@@ -665,7 +665,7 @@ Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) {
 error:
     if ( sig != NULL ) SigFree(sig);
     if (de_ctx->failure_fatal == 1) {
-        SCLogError(SC_ERR_INVALID_SIGNATURE,"Signature init failed %s ",sigstr);
+        SCLogError(SC_ERR_INVALID_SIGNATURE,"Signature parsing failed: \"%s\"", sigstr);
         exit(EXIT_FAILURE);
     }
     return NULL;
@@ -801,6 +801,10 @@ error:
             SigFree(sig->next);
         SigFree(sig);
     }
+    if (de_ctx->failure_fatal == 1) {
+        SCLogError(SC_ERR_INVALID_SIGNATURE,"Signature init failed \"%s\"",sigstr);
+        exit(EXIT_FAILURE);
+    }
     /* if something failed, restore the old signum count
      * since we didn't install it */
     de_ctx->signum = oldsignum;

src/detect-within.c

@@ -11,6 +11,7 @@
 #include "detect-content.h"
 #include "detect-uricontent.h"
 #include "detect-pcre.h"
+#include "util-debug.h"
 
 int DetectWithinSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *withinstr);
 
@@ -40,58 +41,38 @@ int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char
 
     SigMatch *pm = m;
     if (pm == NULL) {
-        printf("DetectWithinSetup: No previous match!\n");
+        SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs two preceeding content options");
         goto error;
     }
 
-    /* Set the within flag on the Sigmatch */
-    if (pm->type == DETECT_PCRE) {
-        DetectPcreData *pe = (DetectPcreData *)pm->ctx;
-
-        pe->within = strtol(str, NULL, 10);
-        pe->flags |= DETECT_PCRE_WITHIN;
-        //printf("DetectWithinSetup: set within %" PRId32 " for previous pcre\n", pe->within);
-
-    } else if (pm->type == DETECT_CONTENT) {
-        /** Search for the first previous DetectContent
-          * SigMatch (it can be the same as this one) */
-        pm = DetectContentFindPrevApplicableSM(m);
-        if (pm == NULL || DetectContentHasPrevSMPattern(pm) == NULL) {
-            printf("DetectWithinSetup: Unknown previous keyword!\n");
-            return -1;
-        }
-
-        DetectContentData *cd = (DetectContentData *)pm->ctx;
-        if (cd == NULL) {
-            printf("DetectWithinSetup: Unknown previous keyword!\n");
-            return -1;
-        }
-
-        cd->within = strtol(str, NULL, 10);
-        cd->flags |= DETECT_CONTENT_WITHIN;
-
-        /** Propagate the modifiers through the first chunk
-          * (SigMatch) if we're dealing with chunks */
-        if (cd->flags & DETECT_CONTENT_IS_CHUNK)
-            DetectContentPropagateWithin(pm);
-
-        //DetectContentPrint(cd);
-        //printf("DetectWithinSetup: set within %" PRId32 " for previous content\n", cd->within);
-    } else if (pm->type == DETECT_URICONTENT) {
-        DetectUricontentData *ud = (DetectUricontentData *)pm->ctx;
-
-        ud->within = strtol(str, NULL, 10);
-        ud->flags |= DETECT_URICONTENT_WITHIN;
+    /** Search for the first previous DetectContent
+     * SigMatch (it can be the same as this one) */
+    pm = DetectContentFindPrevApplicableSM(m);
+    if (pm == NULL || DetectContentHasPrevSMPattern(pm) == NULL) {
+        SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs two preceeding content options");
+        goto error;
+    }
 
-        //printf("DetectWithinSetup: set within %" PRId32 " for previous content\n", cd->within);
-    } else {
+    DetectContentData *cd = (DetectContentData *)pm->ctx;
+    if (cd == NULL) {
         printf("DetectWithinSetup: Unknown previous keyword!\n");
         goto error;
     }
 
-    pm = m->prev;
+    cd->within = strtol(str, NULL, 10);
+    cd->flags |= DETECT_CONTENT_WITHIN;
+
+    /** Propagate the modifiers through the first chunk
+     * (SigMatch) if we're dealing with chunks */
+    if (cd->flags & DETECT_CONTENT_IS_CHUNK)
+        DetectContentPropagateWithin(pm);
+
+    //DetectContentPrint(cd);
+    //printf("DetectWithinSetup: set within %" PRId32 " for previous content\n", cd->within);
+
+    pm = DetectContentFindPrevApplicableSM(m->prev);
     if (pm == NULL) {
-        printf("DetectWithinSetup: No previous-previous match!\n");
+        SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs two preceeding content options");
         goto error;
     }
 

src/util-error.c

@@ -66,6 +66,8 @@ const char * SCErrorToString(SCError err)
         CASE_CODE (SC_ERR_UNDEFINED_VAR);
         CASE_CODE (SC_RULE_KEYWORD_UNKNOWN);
         CASE_CODE (SC_ERR_FLAGS_MODIFIER);
+        CASE_CODE (SC_ERR_DISTANCE_MISSING_CONTENT);
+        CASE_CODE (SC_ERR_WITHIN_MISSING_CONTENT);
         default:
             return "UNKNOWN_ERROR";
     }

src/util-error.h

@@ -77,6 +77,8 @@ typedef enum {
     SC_ERR_UNDEFINED_VAR,
     SC_RULE_KEYWORD_UNKNOWN,
     SC_ERR_FLAGS_MODIFIER,
+    SC_ERR_DISTANCE_MISSING_CONTENT,
+    SC_ERR_WITHIN_MISSING_CONTENT,
 } SCError;
 
 const char *SCErrorToString(SCError);