Fix icmp_id keyword and improve icmp_seq keyword logic.

16 years ago · cec124df10
parent 18e00dc6d0
commit cec124df10
5 changed files with 44 additions and 25 deletions
--- a/src/decode-icmpv4.h
+++ b/src/decode-icmpv4.h
@ -190,15 +190,15 @@ typedef struct ICMPV4Vars_
 /** macro for icmpv4 "csum" access */
 #define ICMPV4_GET_CSUM(p)      (p)->icmpv4h->csum

-/** If message is informational */
+/* If message is informational */
+
 /** macro for icmpv4 "id" access */
-/* #define ICMPV4_GET_ID(p)        (p)->icmpv4h->icmpv4b.icmpv4i.id */
-#define ICMPV4_GET_ID(p)        (p)->icmpv4vars.id
+#define ICMPV4_GET_ID(p)        ((p)->icmpv4vars.id)
 /** macro for icmpv4 "seq" access */
-/* #define ICMPV4_GET_SEQ(p)       (p)->icmpv4h->icmpv4b.icmpv4i.seq */
-#define ICMPV4_GET_SEQ(p)       (ntohs((p)->icmpv4vars.seq))
+#define ICMPV4_GET_SEQ(p)       ((p)->icmpv4vars.seq)
+
+/* If message is Error */

-/** If message is Error */
 /** macro for icmpv4 "unused" access */
 #define ICMPV4_GET_UNUSED(p)       (p)->icmpv4h->icmpv4b.icmpv4e.unused
 /** macro for icmpv4 "error_ptr" access */
--- a/src/detect-icmp-id.c
+++ b/src/detect-icmp-id.c
@ -77,6 +77,10 @@ int DetectIcmpIdMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p,
    DetectIcmpIdData *iid = (DetectIcmpIdData *)m->ctx;

    if (PKT_IS_ICMPV4(p)) {
+        SCLogDebug("ICMPV4_GET_ID(p) %"PRIu16" (network byte order), "
+                "%"PRIu16" (host byte order)", ICMPV4_GET_ID(p),
+                ntohs(ICMPV4_GET_ID(p)));
+
        switch (ICMPV4_GET_TYPE(p)){
            case ICMP_ECHOREPLY:
            case ICMP_ECHO:
@ -107,7 +111,8 @@ int DetectIcmpIdMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p,
        return 0;
    }

-    if (pid == iid->id) return 1;
+    if (pid == iid->id)
+        return 1;

    return 0;
 }
@ -162,7 +167,11 @@ DetectIcmpIdData *DetectIcmpIdParse (char *icmpidstr) {
            goto error;
        }
    }
-    ByteExtractStringUint16(&iid->id, 10, 0, substr[1]);
+
+    /** \todo can ByteExtractStringUint16 do this? */
+    uint16_t id = 0;
+    ByteExtractStringUint16(&id, 10, 0, substr[1]);
+    iid->id = htons(id);

    for (i = 0; i < 3; i++) {
        if (substr[i] != NULL) SCFree(substr[i]);
@ -234,7 +243,7 @@ void DetectIcmpIdFree (void *ptr) {
 int DetectIcmpIdParseTest01 (void) {
    DetectIcmpIdData *iid = NULL;
    iid = DetectIcmpIdParse("300");
-    if (iid != NULL && iid->id == 300) {
+    if (iid != NULL && iid->id == htons(300)) {
        DetectIcmpIdFree(iid);
        return 1;
    }
@ -248,7 +257,7 @@ int DetectIcmpIdParseTest01 (void) {
 int DetectIcmpIdParseTest02 (void) {
    DetectIcmpIdData *iid = NULL;
    iid = DetectIcmpIdParse("  300  ");
-    if (iid != NULL && iid->id == 300) {
+    if (iid != NULL && iid->id == htons(300)) {
        DetectIcmpIdFree(iid);
        return 1;
    }
@ -262,7 +271,7 @@ int DetectIcmpIdParseTest02 (void) {
 int DetectIcmpIdParseTest03 (void) {
    DetectIcmpIdData *iid = NULL;
    iid = DetectIcmpIdParse("\"300\"");
-    if (iid != NULL && iid->id == 300) {
+    if (iid != NULL && iid->id == htons(300)) {
        DetectIcmpIdFree(iid);
        return 1;
    }
@ -276,7 +285,7 @@ int DetectIcmpIdParseTest03 (void) {
 int DetectIcmpIdParseTest04 (void) {
    DetectIcmpIdData *iid = NULL;
    iid = DetectIcmpIdParse("   \"   300 \"");
-    if (iid != NULL && iid->id == 300) {
+    if (iid != NULL && iid->id == htons(300)) {
        DetectIcmpIdFree(iid);
        return 1;
    }
@ -346,12 +355,12 @@ int DetectIcmpIdMatchTest01 (void) {

    de_ctx->flags |= DE_QUIET;

-    s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:5461; sid:1;)");
+    s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21781; sid:1;)");
    if (s == NULL) {
        goto end;
    }

-    s = s->next = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:5000; sid:2;)");
+    s = s->next = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21782; sid:2;)");
    if (s == NULL) {
        goto end;
    }
--- a/src/detect-icmp-id.h
+++ b/src/detect-icmp-id.h
@ -1,7 +1,7 @@
+/* Copyright (c) 2009 Open Information Security Foundation */
+
 /**
- * Copyright (c) 2009 Open Information Security Foundation
- *
- * \file detect-icmp-id.h
+ * \file
 * \author Gerardo Iglesias Galvan <iglesiasg@gmail.com>
 *
 */
@ -10,7 +10,7 @@
 #define __DETECT_ICMP_ID_H__

 typedef struct DetectIcmpIdData_ {
-    uint16_t id;
+    uint16_t id; /**< id in network byte error */
 } DetectIcmpIdData;

 /* prototypes */
--- a/src/detect-icmp-seq.c
+++ b/src/detect-icmp-seq.c
@ -1,6 +1,7 @@
 /* Copyright (c) 2009 Open Information Security Foundation */

-/** \file
+/**
+ *  \file
 *  \author Breno Silva <breno.silva@gmail.com>
 */

@ -74,6 +75,10 @@ int DetectIcmpSeqMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p
    DetectIcmpSeqData *iseq = (DetectIcmpSeqData *)m->ctx;

    if (PKT_IS_ICMPV4(p)) {
+        SCLogInfo("ICMPV4_GET_SEQ(p) %"PRIu16" (network byte order), "
+                "%"PRIu16" (host byte order)", ICMPV4_GET_SEQ(p),
+                ntohs(ICMPV4_GET_SEQ(p)));
+
        switch (ICMPV4_GET_TYPE(p)){
            case ICMP_ECHOREPLY:
            case ICMP_ECHO:
@ -104,7 +109,8 @@ int DetectIcmpSeqMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p
        return 0;
    }

-    if (seqn == iseq->seq) return 1;
+    if (seqn == iseq->seq)
+        return 1;

    return 0;
 }
@ -161,7 +167,9 @@ DetectIcmpSeqData *DetectIcmpSeqParse (char *icmpseqstr) {
        }
    }

-    ByteExtractStringUint16(&iseq->seq, 10, 0, substr[1]);
+    uint16_t seq = 0;
+    ByteExtractStringUint16(&seq, 10, 0, substr[1]);
+    iseq->seq = htons(seq);

    for (i = 0; i < 3; i++) {
        if (substr[i] != NULL) SCFree(substr[i]);
@ -234,7 +242,7 @@ void DetectIcmpSeqFree (void *ptr) {
 int DetectIcmpSeqParseTest01 (void) {
    DetectIcmpSeqData *iseq = NULL;
    iseq = DetectIcmpSeqParse("300");
-    if (iseq != NULL && iseq->seq == 300) {
+    if (iseq != NULL && iseq->seq == htons(300)) {
        DetectIcmpSeqFree(iseq);
        return 1;
    }
@ -248,7 +256,7 @@ int DetectIcmpSeqParseTest01 (void) {
 int DetectIcmpSeqParseTest02 (void) {
    DetectIcmpSeqData *iseq = NULL;
    iseq = DetectIcmpSeqParse("  300  ");
-    if (iseq != NULL && iseq->seq == 300) {
+    if (iseq != NULL && iseq->seq == htons(300)) {
        DetectIcmpSeqFree(iseq);
        return 1;
    }
--- a/src/detect-icmp-seq.h
+++ b/src/detect-icmp-seq.h
@ -1,6 +1,7 @@
 /* Copyright (c) 2009 Open Information Security Foundation */

-/** \file
+/**
+ *  \file
 *  \author Breno Silva <breno.silva@gmail.com>
 */

@ -8,10 +9,11 @@
 #define __DETECT_ICMP_SEQ_H__

 typedef struct DetectIcmpSeqData_ {
-    uint16_t seq;
+    uint16_t seq; /**< sequence value in network byte order */
 } DetectIcmpSeqData;

 /* prototypes */
 void DetectIcmpSeqRegister(void);

 #endif /* __DETECT_ICMP_SEQ__ */
+