From b1a0d3510633531b5340003944ca502e98d78437 Mon Sep 17 00:00:00 2001 From: Anoop Saldanha Date: Mon, 20 Feb 2012 11:17:51 +0530 Subject: [PATCH] All http_http_cookie modified patterns now are DETECT_CONTENT and not DETECT_AL_HTTP_COOKIE --- src/detect-depth.c | 44 +--------------- src/detect-distance.c | 64 +---------------------- src/detect-engine-content-inspection.c | 1 - src/detect-fast-pattern.c | 4 +- src/detect-http-cookie.c | 10 ++-- src/detect-isdataat.c | 3 +- src/detect-nocase.c | 3 +- src/detect-offset.c | 46 +---------------- src/detect-pcre.c | 4 +- src/detect-within.c | 70 +------------------------- src/detect.c | 1 - 11 files changed, 14 insertions(+), 236 deletions(-) diff --git a/src/detect-depth.c b/src/detect-depth.c index c33c82a955..c5e69aefce 100644 --- a/src/detect-depth.c +++ b/src/detect-depth.c @@ -94,7 +94,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_AL_HTTP_COOKIE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]); if (pm == NULL) { 
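Review bot: The patch adds no test that a `depth` following `content; http_cookie;` still lands on the cookie pattern, now that the lookup at `DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]` returns a plain DETECT_CONTENT match and the dedicated `case DETECT_AL_HTTP_COOKIE:` is deleted in the next hunk. The replacement path is the existing `case DETECT_CONTENT:` in DetectDepthSetup, which lies outside this hunk, so its equivalence cannot be confirmed from here; a mismatch would likely show up as cookie signatures that load but no longer match. The same applies to the matching lookup changes in detect-distance.c, detect-offset.c, detect-within.c, detect-isdataat.c, detect-nocase.c and DetectFastPatternSetup. I would add a parse test per modifier that checks the flag (for depth, `DETECT_CONTENT_DEPTH`) on the tail of `DETECT_SM_LIST_HCDMATCH`, and a comment at the list such as `/* http_cookie patterns are DETECT_CONTENT; the list, not the type, identifies the buffer */`.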
@@ -162,48 +162,6 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths break; - case DETECT_AL_HTTP_COOKIE: - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in depth - %s\n", str); - goto error; - } - cd->depth = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_DEPTH_BE; - } else { - cd->depth = (uint32_t)atoi(str); - if (cd->depth < cd->content_len) { - cd->depth = cd->content_len; - SCLogDebug("depth increased to %"PRIu32" to match pattern len ", - cd->depth); - } - /* Now update the real limit, as depth is relative to the offset */ - cd->depth += cd->offset; - } - - cd->flags |= DETECT_CONTENT_DEPTH; - - break; - case DETECT_AL_HTTP_RAW_URI: cd = (DetectContentData *)pm->ctx; if (cd->flags & DETECT_CONTENT_NEGATED) { diff --git a/src/detect-distance.c b/src/detect-distance.c index 44912fff0a..03751ff342 100644 --- a/src/detect-distance.c +++ b/src/detect-distance.c 
@@ -169,7 +169,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_AL_HTTP_COOKIE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]); if (pm == NULL) { 
@@ -291,68 +291,6 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, break; - case DETECT_AL_HTTP_COOKIE: - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in distance - %s\n", str); - goto error; - } - cd->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_DISTANCE_BE; - } else { - cd->distance = strtol(str, NULL, 10); - } - - cd->flags |= DETECT_CONTENT_DISTANCE; - - /* reassigning pm */ - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_AL_HTTP_COOKIE, pm->prev, - DETECT_PCRE, pm->prev); - if (pm == NULL) { - SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for " - "http_cookie needs preceeding http_cookie " - "content"); - goto error; - } - - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - /* reassigning cd */ - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword " - "has a fast_pattern:only; set. You can't " - "have relative keywords around a fast_pattern " - "only content"); - goto error; - } - cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } - - break; - case DETECT_AL_HTTP_RAW_URI: cd = (DetectContentData *)pm->ctx; if (cd->flags & DETECT_CONTENT_NEGATED) { 
diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c index 628334d9c1..7d0f8a8c28 100644 --- a/src/detect-engine-content-inspection.c +++ b/src/detect-engine-content-inspection.c @@ -109,7 +109,6 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx /* \todo unify this which is phase 2 of payload inspection unification */ if (sm->type == DETECT_CONTENT || sm->type == DETECT_AL_HTTP_RAW_URI || - sm->type == DETECT_AL_HTTP_COOKIE || sm->type == DETECT_AL_HTTP_STAT_CODE || sm->type == DETECT_AL_HTTP_STAT_MSG) { diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index 90510bb364..ca637f67d5 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c @@ -140,7 +140,7 @@ void SupportFastPatternForSigMatchTypes(void) SupportFastPatternForSigMatchType(DETECT_CONTENT); SupportFastPatternForSigMatchList(DETECT_SM_LIST_HMDMATCH); - SupportFastPatternForSigMatchType(DETECT_AL_HTTP_COOKIE); + SupportFastPatternForSigMatchType(DETECT_CONTENT); SupportFastPatternForSigMatchList(DETECT_SM_LIST_HCDMATCH); SupportFastPatternForSigMatchType(DETECT_AL_HTTP_RAW_URI); @@ -244,7 +244,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_AL_HTTP_COOKIE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]); diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c index f995d60fab..40a6283101 100644 --- a/src/detect-http-cookie.c +++ b/src/detect-http-cookie.c 
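Review bot: In SupportFastPatternForSigMatchTypes the replaced line becomes a second `SupportFastPatternForSigMatchType(DETECT_CONTENT);`, the same call that already appears just above for the HMDMATCH pair. Whether the repeat is harmless depends on how that function stores registered types, which is not visible in this hunk; if it appends to a list, DETECT_CONTENT is now registered more than once. I would drop the duplicate and keep only `SupportFastPatternForSigMatchList(DETECT_SM_LIST_HCDMATCH);` for the cookie buffer. The function body extends beyond the hunk on both sides.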
@@ -163,7 +163,7 @@ static int DetectHttpCookieSetup (DetectEngineCtx *de_ctx, Signature *s, char *s /* please note. reassigning pm */ pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_AL_HTTP_COOKIE, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]); @@ -182,7 +182,7 @@ static int DetectHttpCookieSetup (DetectEngineCtx *de_ctx, Signature *s, char *s } } cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HCDMATCH); - sm->type = DETECT_AL_HTTP_COOKIE; + sm->type = DETECT_CONTENT; /* transfer the sm from the pmatch list to hcdmatch list */ SigMatchTransferSigMatchAcrossLists(sm, @@ -287,10 +287,10 @@ int DetectHttpCookieTest03(void) } while (sm != NULL) { - if (sm->type == DETECT_AL_HTTP_COOKIE) { + if (sm->type == DETECT_CONTENT) { result = 1; } else { - printf("expected DETECT_AL_HTTP_COOKIE, got %d: ", sm->type); + printf("expected DETECT_CONTENT for http_cookie, got %d: ", sm->type); goto end; } sm = sm->next; @@ -375,7 +375,7 @@ int DetectHttpCookieTest06(void) BUG_ON(s->sm_lists[DETECT_SM_LIST_HCDMATCH] == NULL); - if (s->sm_lists[DETECT_SM_LIST_HCDMATCH]->type != DETECT_AL_HTTP_COOKIE) + if (s->sm_lists[DETECT_SM_LIST_HCDMATCH]->type != DETECT_CONTENT) goto end; if (s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL) { diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index aedb7d1e09..d843fdb699 100644 --- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c 
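Review bot: The assignment `sm->type = DETECT_CONTENT;` in DetectHttpCookieSetup (hunk at -182) now looks like a no-op: the comment directly below says the match is being transferred from the pmatch list, where it was presumably already a DETECT_CONTENT match. If that holds, remove the line or replace it with `/* type stays DETECT_CONTENT; only the list changes to HCDMATCH */` so a reader does not assume a retyping still happens here. The function continues outside the hunk, so the origin of `sm` should be confirmed before deleting.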
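Review bot: The check `sm->type == DETECT_CONTENT` in DetectHttpCookieTest03 no longer distinguishes a cookie pattern from an ordinary payload content, since both now carry the same type. What the loop proves depends entirely on which list `sm` was taken from, and that assignment is above the hunk. I would add a comment before the loop, `/* type alone no longer identifies http_cookie; sm must be walked from DETECT_SM_LIST_HCDMATCH */`, and, if the rule under test has no plain content, also assert that the payload list is empty. DetectHttpCookieTest06 in the following hunk has the same weakness in its `->type != DETECT_CONTENT` check, although it does index `DETECT_SM_LIST_HCDMATCH` explicitly.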
@@ -359,7 +359,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], /* 5 */ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_AL_HTTP_COOKIE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], @@ -419,7 +419,6 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst switch (prev_pm->type) { case DETECT_CONTENT: - case DETECT_AL_HTTP_COOKIE: case DETECT_AL_HTTP_RAW_URI: case DETECT_AL_HTTP_STAT_MSG: case DETECT_AL_HTTP_STAT_CODE: diff --git a/src/detect-nocase.c b/src/detect-nocase.c index a3695a0a6c..03a5b6bae9 100644 --- a/src/detect-nocase.c +++ b/src/detect-nocase.c @@ -85,7 +85,7 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_AL_HTTP_COOKIE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]); + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]); if (pm == NULL) { SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "\"nocase\" needs a preceeding " "content, uricontent, http_client_body, http_server_body, " @@ -98,7 +98,6 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls switch (pm->type) { case DETECT_CONTENT: - case DETECT_AL_HTTP_COOKIE: case DETECT_AL_HTTP_RAW_URI: case DETECT_AL_HTTP_STAT_MSG: case DETECT_AL_HTTP_STAT_CODE: diff --git a/src/detect-offset.c b/src/detect-offset.c index 98763ec28b..b9ea9ab6a9 100644 --- a/src/detect-offset.c 
+++ b/src/detect-offset.c @@ -91,7 +91,7 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr) DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_AL_HTTP_COOKIE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]); 
@@ -163,50 +163,6 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr) break; - case DETECT_AL_HTTP_COOKIE: - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in offset - %s\n", str); - goto error; - } - cd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_OFFSET_BE; - } else { - cd->offset = (uint32_t)atoi(str); - if (cd->depth != 0) { - if (cd->depth < cd->content_len) { - SCLogDebug("depth increased to %"PRIu32" to match pattern len", - cd->content_len); - cd->depth = cd->content_len; - } - /* Updating the depth as is relative to the offset */ - cd->depth += cd->offset; - } - } - - cd->flags |= DETECT_CONTENT_OFFSET; - - break; - case DETECT_AL_HTTP_RAW_URI: cd = (DetectContentData *)pm->ctx; if (cd->flags & DETECT_CONTENT_NEGATED) { diff --git a/src/detect-pcre.c b/src/detect-pcre.c index f5ff694f37..71cf8435f4 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c 
@@ -1201,10 +1201,9 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst SCReturnInt(0); } - prev_sm = SigMatchGetLastSMFromLists(s, 12, + prev_sm = SigMatchGetLastSMFromLists(s, 10, DETECT_CONTENT, sm->prev, DETECT_AL_HTTP_RAW_URI, sm->prev, - DETECT_AL_HTTP_COOKIE, sm->prev, DETECT_PCRE, sm->prev, DETECT_AL_HTTP_STAT_MSG, sm->prev, DETECT_AL_HTTP_STAT_CODE, sm->prev); @@ -1234,7 +1233,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst case DETECT_AL_HTTP_STAT_MSG: case DETECT_AL_HTTP_STAT_CODE: case DETECT_AL_HTTP_RAW_URI: - case DETECT_AL_HTTP_COOKIE: /* Set the relative next flag on the prev sigmatch */ cd = (DetectContentData *)prev_sm->ctx; if (cd == NULL) { diff --git a/src/detect-within.c b/src/detect-within.c index b62b646417..72a3a856e5 100644 --- a/src/detect-within.c +++ b/src/detect-within.c @@ -171,7 +171,7 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_AL_HTTP_COOKIE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_AL_HTTP_STAT_MSG, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], DETECT_AL_HTTP_STAT_CODE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]); 
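Review bot: The count passed to `SigMatchGetLastSMFromLists(s, 10, ...)` in DetectPcreSetup is a hand-maintained literal that has to track the number of arguments that follow, and nothing in the code documents that relation. The new value is right for the five type/list pairs visible in the hunk, but the next edit to this list can easily miss it. If the helper walks its variadic arguments by that count (its definition is not on this page), a stale value means reading past the supplied arguments or silently ignoring a pair. I would add `/* 5 (type, list) pairs */` beside the count here. The other lookup calls touched by this patch swap one pair for another, so their counts are unchanged.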
@@ -300,74 +300,6 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi break; - case DETECT_AL_HTTP_COOKIE: - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_NEGATED) { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "negated keyword set along with a fast_pattern"); - goto error; - } - } else { - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " - "keyword set along with a fast_pattern:only;"); - goto error; - } - } - - if (str[0] != '-' && isalpha(str[0])) { - SigMatch *bed_sm = - DetectByteExtractRetrieveSMVar(str, s, - SigMatchListSMBelongsTo(s, pm)); - if (bed_sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var " - "seen in within - %s\n", str); - goto error; - } - cd->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id; - cd->flags |= DETECT_CONTENT_WITHIN_BE; - } else { - cd->within = strtol(str, NULL, 10); - if (cd->within < (int32_t)cd->content_len) { - SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is " - "less than the content length \"%"PRIu32"\" which is invalid, since " - "this will never match. 
Invalidating signature", cd->within, - cd->content_len); - goto error; - } - } - - cd->flags |= DETECT_CONTENT_WITHIN; - - /* reassigning pm */ - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_AL_HTTP_COOKIE, pm->prev, - DETECT_PCRE, pm->prev); - if (pm == NULL) { - SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for http_cookie " - "needs preceeding http_cookie content"); - goto error; - } - - if (pm->type == DETECT_PCRE) { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } else { - /* reassigning cd */ - cd = (DetectContentData *)pm->ctx; - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword " - "has a fast_pattern:only; set. You can't " - "have relative keywords around a fast_pattern " - "only content"); - goto error; - } - cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } - - break; - case DETECT_AL_HTTP_RAW_URI: cd = (DetectContentData *)pm->ctx; if (cd->flags & DETECT_CONTENT_NEGATED) { diff --git a/src/detect.c b/src/detect.c index acd42426eb..667d258122 100644 --- a/src/detect.c +++ b/src/detect.c @@ -2209,7 +2209,6 @@ static int SignatureCreateMask(Signature *s) { SigMatch *sm; for (sm = s->sm_lists[DETECT_SM_LIST_AMATCH] ; sm != NULL; sm = sm->next) { switch(sm->type) { - case DETECT_AL_HTTP_COOKIE: case DETECT_AL_URILEN: case DETECT_AL_HTTP_URI: case DETECT_AL_HTTP_RAW_URI: