aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect/files: support protocols only over udp

Browse Source 
Ticket: 7973

Files were supported on both TCP and UDP. But file detection keywords
such as file.data made signatures loading fail if the signature
was using an app-layer protocol that enabled on udp only, even
if the signatures could run smoothly.
pull/13979/head
Philippe Antoine 2 months ago committed by Victor Julien
parent 5e2dc9ace3
commit c99e159341
2 changed files with 7 additions and 9 deletions
Show Stats Download Patch File Download Diff File

10
src/detect-file-data.c
Unescape Escape View File

@ -207,13 +207,9 @@ static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, const cha
{
SCEnter();
if (!DetectProtoContainsProto(&s->proto, IPPROTO_TCP)) {
SCLogError("The 'file_data' keyword cannot be used with non-TCP protocols");
return -1;
}
if (s->alproto != ALPROTO_UNKNOWN && !AppLayerParserSupportsFiles(IPPROTO_TCP, s->alproto)) {
SCLogError("The 'file_data' keyword cannot be used with TCP protocol %s",
if (s->alproto != ALPROTO_UNKNOWN && !AppLayerParserSupportsFiles(IPPROTO_TCP, s->alproto) &&
!AppLayerParserSupportsFiles(IPPROTO_UDP, s->alproto)) {
SCLogError("The 'file_data' keyword cannot be used with protocol %s",
AppLayerGetProtoName(s->alproto));
return -1;
}

6
src/detect-parse.c
Unescape Escape View File

@ -2764,7 +2764,8 @@ static int SigValidateFileHandling(const Signature *s)
SCReturnInt(1);
}
if (s->alproto != ALPROTO_UNKNOWN && !AppLayerParserSupportsFiles(IPPROTO_TCP, s->alproto)) {
if (s->alproto != ALPROTO_UNKNOWN && !AppLayerParserSupportsFiles(IPPROTO_TCP, s->alproto) &&
!AppLayerParserSupportsFiles(IPPROTO_UDP, s->alproto)) {
SCLogError("protocol %s doesn't "
"support file matching",
AppProtoToString(s->alproto));
@ -2776,7 +2777,8 @@ static int SigValidateFileHandling(const Signature *s)
if (s->init_data->alprotos[i] == ALPROTO_UNKNOWN) {
break;
}
if (AppLayerParserSupportsFiles(IPPROTO_TCP, s->init_data->alprotos[i])) {
if (AppLayerParserSupportsFiles(IPPROTO_TCP, s->init_data->alprotos[i]) ||
AppLayerParserSupportsFiles(IPPROTO_UDP, s->init_data->alprotos[i])) {
found = true;
break;
}

Write Preview
Loading…
Cancel
Save