detect/proto: reduce size for common sigs

Make `Signature::proto` an optional member, meaning that if it is
NULL we can skip the check. This can be done for `alert ip`, as no check
is needed, and for `alert tcp` and `alert udp` as having a rule in a sgh
for those means that the protocol matches.

Some exceptions are rules that require:
- ipv4/ipv6 specific matching
- frames, due to sharing prefilter between tcp and udp
- ip-only rules, due to those not being per sgh
pull/15127/head
Victor Julien 2 years ago
parent dc814aa595
commit d4f005933a

@ -234,9 +234,9 @@ static int DetectAppLayerEventSetup(DetectEngineCtx *de_ctx, Signature *s, const
}
uint8_t ipproto = 0;
if (s->proto.proto[IPPROTO_TCP / 8] & 1 << (IPPROTO_TCP % 8)) {
if (DetectProtoContainsProto(&s->init_data->proto, IPPROTO_TCP)) {
ipproto = IPPROTO_TCP;
} else if (s->proto.proto[IPPROTO_UDP / 8] & 1 << (IPPROTO_UDP % 8)) {
} else if (DetectProtoContainsProto(&s->init_data->proto, IPPROTO_UDP)) {
ipproto = IPPROTO_UDP;
} else {
SCLogError("protocol %s is disabled", alproto_name);

@ -254,10 +254,10 @@ static int DetectDetectionFilterSetup(DetectEngineCtx *de_ctx, Signature *s, con
/* unique_on requires a ported L4 protocol: tcp/udp/sctp */
if (df->unique_on != DF_UNIQUE_NONE) {
const int has_tcp = DetectProtoContainsProto(&s->proto, IPPROTO_TCP);
const int has_udp = DetectProtoContainsProto(&s->proto, IPPROTO_UDP);
const int has_sctp = DetectProtoContainsProto(&s->proto, IPPROTO_SCTP);
if (!(has_tcp || has_udp || has_sctp) || (s->proto.flags & DETECT_PROTO_ANY)) {
const bool has_tcp = DetectProtoHasExplicitProto(&s->init_data->proto, IPPROTO_TCP);
const bool has_udp = DetectProtoHasExplicitProto(&s->init_data->proto, IPPROTO_UDP);
const bool has_sctp = DetectProtoHasExplicitProto(&s->init_data->proto, IPPROTO_SCTP);
if (!(has_tcp || has_udp || has_sctp)) {
SCLogError("detection_filter unique_on requires protocol tcp/udp/sctp");
goto error;
}

@ -1756,10 +1756,10 @@ void EngineAnalysisRules(const DetectEngineCtx *de_ctx,
stream_buf += 1;
}
if (s->proto.flags & DETECT_PROTO_IPV4) {
if (s->proto && s->proto->flags & DETECT_PROTO_IPV4) {
rule_ipv4_only += 1;
}
if (s->proto.flags & DETECT_PROTO_IPV6) {
if (s->proto && s->proto->flags & DETECT_PROTO_IPV6) {
rule_ipv6_only += 1;
}
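Review bot: The two address-family counters in this hunk now read `s->proto`, while the later checks in EngineAnalysisRules (the TCP flow warning and the ICMP direction check) read `s->init_data->proto`, so one function takes protocol state from two places. If the analysis can run before DetectProtoFinalizeSignature has populated `s->proto` (the call order is not visible here), `rule_ipv4_only` and `rule_ipv6_only` silently stay at zero. Reading `s->init_data->proto.flags & DETECT_PROTO_IPV4` and the IPV6 equivalent would be order-independent and consistent with the rest of the function. The function body starts and ends outside the hunk.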
@ -1860,8 +1860,8 @@ void EngineAnalysisRules(const DetectEngineCtx *de_ctx,
if (rule_content == 1) {
//todo: warning if content is weak, separate warning for pcre + weak content
}
if (rule_flow == 0 && rule_flags == 0 && !(s->proto.flags & DETECT_PROTO_ANY) &&
DetectProtoContainsProto(&s->proto, IPPROTO_TCP) &&
if (rule_flow == 0 && rule_flags == 0 && !(s->init_data->proto.flags & DETECT_PROTO_ANY) &&
DetectProtoContainsProto(&s->init_data->proto, IPPROTO_TCP) &&
(rule_content || rule_content_http || rule_pcre || rule_pcre_http || rule_flowbits ||
rule_flowint)) {
rule_warning += 1;
@ -1914,7 +1914,8 @@ void EngineAnalysisRules(const DetectEngineCtx *de_ctx,
}
/* No warning about direction for ICMP protos */
if (!(DetectProtoContainsProto(&s->proto, IPPROTO_ICMPV6) && DetectProtoContainsProto(&s->proto, IPPROTO_ICMP))) {
if (!(DetectProtoContainsProto(&s->init_data->proto, IPPROTO_ICMPV6) &&
DetectProtoContainsProto(&s->init_data->proto, IPPROTO_ICMP))) {
if ((s->flags & (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) == (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) {
warn_both_direction += 1;
rule_warning += 1;

@ -650,7 +650,7 @@ static SCJsonBuilder *RulesGroupPrintSghStats(const DetectEngineCtx *de_ctx,
continue;
int any = 0;
if (s->proto.flags & DETECT_PROTO_ANY) {
if (s->proto == NULL || s->proto->flags & DETECT_PROTO_ANY) {
any++;
}
if (s->flags & SIG_FLAG_DST_ANY) {
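Review bot: In RulesGroupPrintSghStats, `s->proto == NULL` is counted as "any", but DetectProtoFinalizeSignature also leaves `s->proto` NULL for rules restricted to TCP and/or UDP, so those rules now raise the `any` counter as if they were `alert ip`. Before this change only DETECT_PROTO_ANY did. If the reported figures are meant to stay comparable, test the parsed set instead, e.g. `if (s->init_data->proto.flags & DETECT_PROTO_ANY) {`, assuming `init_data` is still allocated when the stats are printed, which the hunk does not show. The loop body continues outside the hunk.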
@ -970,7 +970,8 @@ static int RulesGroupByIPProto(DetectEngineCtx *de_ctx)
if (p == IPPROTO_TCP || p == IPPROTO_UDP) {
continue;
}
if (!(s->proto.proto[p / 8] & (1<<(p % 8)) || (s->proto.flags & DETECT_PROTO_ANY))) {
if (!DetectProtoContainsProto(&s->init_data->proto, p)) {
continue;
}
@ -1487,7 +1488,7 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, uint8_t ipproto, u
if (s->type == SIG_TYPE_IPONLY)
goto next;
/* Protocol does not match the Signature protocol and is neither IP or pkthdr */
if (!(s->proto.proto[ipproto / 8] & (1<<(ipproto % 8)) || (s->proto.flags & DETECT_PROTO_ANY)))
if (!DetectProtoContainsProto(&s->init_data->proto, ipproto))
goto next;
/* Direction does not match Signature direction */
if (direction == SIG_FLAG_TOSERVER) {
@ -1785,7 +1786,7 @@ int SigPrepareStage1(DetectEngineCtx *de_ctx)
if (copresent && colen == 1) {
SCLogDebug("signature %8u content maxlen 1", s->id);
for (int proto = 0; proto < 256; proto++) {
if (s->proto.proto[(proto/8)] & (1<<(proto%8)))
if (s->init_data->proto.proto[(proto / 8)] & (1 << (proto % 8)))
SCLogDebug("=> proto %" PRId32 "", proto);
}
}

@ -1044,18 +1044,20 @@ void IPOnlyMatchPacket(ThreadVars *tv, const DetectEngineCtx *de_ctx,
for (uint8_t i = 0; i < 8; i++, bitarray = bitarray >> 1) {
if (bitarray & 0x01) {
const Signature *s = de_ctx->sig_array[io_ctx->sig_mapping[u * 8 + i]];
if (s->proto) {
if ((s->proto->flags & DETECT_PROTO_IPV4) && !PacketIsIPv4(p)) {
SCLogDebug("ip version didn't match");
continue;
}
if ((s->proto->flags & DETECT_PROTO_IPV6) && !PacketIsIPv6(p)) {
SCLogDebug("ip version didn't match");
continue;
}
if ((s->proto.flags & DETECT_PROTO_IPV4) && !PacketIsIPv4(p)) {
SCLogDebug("ip version didn't match");
continue;
}
if ((s->proto.flags & DETECT_PROTO_IPV6) && !PacketIsIPv6(p)) {
SCLogDebug("ip version didn't match");
continue;
}
if (DetectProtoContainsProto(&s->proto, PacketGetIPProto(p)) == 0) {
SCLogDebug("proto didn't match");
continue;
if (DetectProtoContainsProto(s->proto, PacketGetIPProto(p)) == 0) {
SCLogDebug("proto didn't match");
continue;
}
}
/* check the source & dst port in the sig */

@ -854,7 +854,7 @@ int SignatureHasPacketContent(const Signature *s)
{
SCEnter();
if (!(s->proto.proto[IPPROTO_TCP / 8] & 1 << (IPPROTO_TCP % 8))) {
if (!DetectProtoContainsProto(&s->init_data->proto, IPPROTO_TCP)) {
SCReturnInt(1);
}
@ -884,7 +884,7 @@ int SignatureHasStreamContent(const Signature *s)
{
SCEnter();
if (!(s->proto.proto[IPPROTO_TCP / 8] & 1 << (IPPROTO_TCP % 8))) {
if (!DetectProtoContainsProto(&s->init_data->proto, IPPROTO_TCP)) {
SCReturnInt(0);
}

@ -109,7 +109,7 @@ int DetectProtoParse(DetectProto *dp, const char *str)
* \retval 1 protocol is in the set */
int DetectProtoContainsProto(const DetectProto *dp, int proto)
{
if (dp->flags & DETECT_PROTO_ANY)
if (dp == NULL || dp->flags & DETECT_PROTO_ANY)
return 1;
if (dp->proto[proto / 8] & (1<<(proto % 8)))
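Review bot: The doc comment above DetectProtoContainsProto does not mention the new contract that a NULL `dp` is treated as containing every protocol, which is the opposite of what DetectProtoHasExplicitProto returns for NULL. Callers on the packet path now rely on this, so add a line such as ` *  \param dp protocol set to inspect; NULL means no restriction and yields 1`. The `proto / 8` index is still unchecked for an `int` argument, so the comment should also state that `proto` must be in 0..255. The comment starts outside the hunk.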
@ -118,6 +118,74 @@ int DetectProtoContainsProto(const DetectProto *dp, int proto)
return 0;
}
/** \brief see if a DetectProto explicitly a certain proto
* Explicit means the protocol was explicitly set, so "any"
* doesn't qualify.
* \param dp detect proto to inspect
* \param proto protocol (such as IPPROTO_TCP) to look for
* \retval false protocol not in the set
* \retval true protocol is in the set */
bool DetectProtoHasExplicitProto(const DetectProto *dp, const uint8_t proto)
{
if (dp == NULL || dp->flags & DETECT_PROTO_ANY)
return false;
return ((dp->proto[proto / 8] & (1 << (proto % 8))));
}
/* return true if protocols enabled are only TCP and/or UDP */
static int DetectProtoIsOnlyTCPUDP(const DetectProto *dp)
{
uint8_t protos[256 / 8];
memset(protos, 0x00, sizeof(protos));
protos[IPPROTO_TCP / 8] |= (1 << (IPPROTO_TCP % 8));
protos[IPPROTO_UDP / 8] |= (1 << (IPPROTO_UDP % 8));
int cnt = 0;
for (size_t i = 0; i < sizeof(protos); i++) {
if ((dp->proto[i] & protos[i]) != 0)
cnt++;
}
return cnt != 0;
}
int DetectProtoFinalizeSignature(Signature *s)
{
BUG_ON(s->proto);
/* IP-only sigs are not per SGH, so need full proto */
if (s->type == SIG_TYPE_IPONLY && !(s->init_data->proto.flags & DETECT_PROTO_ANY))
goto full;
/* Frames like the dns.pdu are registered for UDP and TCP, and share a MPM. So
* a UDP rule can become a match candidate for a TCP sgh, meaning we need to
* evaluate the rule's proto. */
if ((s->init_data->init_flags & SIG_FLAG_INIT_FRAME) != 0 &&
!(s->init_data->proto.flags & DETECT_PROTO_ANY))
goto full;
/* for now, we use the full protocol logic for DETECT_PROTO_IPV4/DETECT_PROTO_IPV6,
* but we should address that as well. */
if (s->init_data->proto.flags & (DETECT_PROTO_IPV4 | DETECT_PROTO_IPV6)) {
SCLogDebug("sid %u has IPV4 or IPV6 flag set, so need full protocol", s->id);
goto full;
}
/* no need to set up Signature::proto if sig needs any protocol,
* or only TCP and/or UDP, as for those the SGH is per TCP/UDP */
if ((s->init_data->proto.flags & DETECT_PROTO_ANY) ||
DetectProtoIsOnlyTCPUDP(&s->init_data->proto)) {
s->proto = NULL;
return 0;
}
full:
s->proto = SCCalloc(1, sizeof(*s->proto));
if (s->proto == NULL)
return -1;
memcpy(s->proto, &s->init_data->proto, sizeof(*s->proto));
return 0;
}
/* TESTS */
#ifdef UNITTESTS
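Review bot: DetectProtoIsOnlyTCPUDP returns true whenever the TCP or UDP bit is set, not only when no other protocol is enabled: the loop tests `dp->proto[i] & protos[i]` and never looks at the bits outside the mask. A set built by `ip_proto` that covers TCP plus other protocols therefore takes the `s->proto = NULL` path in DetectProtoFinalizeSignature, and any later check on `s->proto` is skipped for it; whether that can cause matches on the other protocols depends on how those groups are built, which is outside this hunk. To match the comment, reject extra bits inside the loop with `if (dp->proto[i] & (uint8_t)~protos[i]) return 0;`. Separately, the `\brief` of DetectProtoHasExplicitProto is missing a verb ("explicitly contains a certain proto").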
@ -298,10 +366,10 @@ static int DetectProtoTestSetup01(void)
FAIL_IF_NOT(DetectProtoInitTest(&de_ctx, &sig, &dp, "tcp"));
/* The signature proto should be TCP */
FAIL_IF_NOT(sig->proto.proto[(IPPROTO_TCP / 8)] & (1 << (IPPROTO_TCP % 8)));
FAIL_IF_NOT(sig->init_data->proto.proto[(IPPROTO_TCP / 8)] & (1 << (IPPROTO_TCP % 8)));
for (i = 2; i < 256 / 8; i++) {
FAIL_IF(sig->proto.proto[i] != 0);
FAIL_IF(sig->init_data->proto.proto[i] != 0);
}
DetectEngineCtxFree(de_ctx);
@ -327,11 +395,12 @@ static int DetectProtoTestSetup02(void)
FAIL_IF(DetectProtoInitTest(&de_ctx, &sig_icmpv6, &dp, "icmpv6") == 0);
FAIL_IF(DetectProtoInitTest(&de_ctx, &sig_icmp, &dp, "icmp") == 0);
FAIL_IF_NOT(sig_icmpv4->proto.proto[IPPROTO_ICMP / 8] & (1 << (IPPROTO_ICMP % 8)));
FAIL_IF_NOT(sig_icmpv6->proto.proto[IPPROTO_ICMPV6 / 8] & (1 << (IPPROTO_ICMPV6 % 8)));
FAIL_IF_NOT(sig_icmpv4->init_data->proto.proto[IPPROTO_ICMP / 8] & (1 << (IPPROTO_ICMP % 8)));
FAIL_IF_NOT(
sig_icmpv6->init_data->proto.proto[IPPROTO_ICMPV6 / 8] & (1 << (IPPROTO_ICMPV6 % 8)));
FAIL_IF_NOT(sig_icmp->proto.proto[IPPROTO_ICMP / 8] & (1 << (IPPROTO_ICMP % 8)));
FAIL_IF_NOT(sig_icmp->proto.proto[IPPROTO_ICMPV6 / 8] & (1 << (IPPROTO_ICMPV6 % 8)));
FAIL_IF_NOT(sig_icmp->init_data->proto.proto[IPPROTO_ICMP / 8] & (1 << (IPPROTO_ICMP % 8)));
FAIL_IF_NOT(sig_icmp->init_data->proto.proto[IPPROTO_ICMPV6 / 8] & (1 << (IPPROTO_ICMPV6 % 8)));
DetectEngineCtxFree(de_ctx);

@ -40,7 +40,9 @@ typedef struct DetectProto_ {
/* prototypes */
int DetectProtoParse(DetectProto *dp, const char *str);
int DetectProtoContainsProto(const DetectProto *, int);
bool DetectProtoHasExplicitProto(const DetectProto *dp, const uint8_t proto);
void DetectEngineProtoList(void);
int DetectProtoFinalizeSignature(struct Signature_ *s);
void DetectProtoTests(void);

@ -67,8 +67,8 @@ static int DetectFrameSetup(DetectEngineCtx *de_ctx, Signature *s, const char *s
strlcpy(value, str, sizeof(value));
char buffer_name[512] = ""; // for registering in detect API we always need <proto>.<frame>.
const bool is_tcp = DetectProtoContainsProto(&s->proto, IPPROTO_TCP);
const bool is_udp = DetectProtoContainsProto(&s->proto, IPPROTO_UDP);
const bool is_tcp = DetectProtoContainsProto(&s->init_data->proto, IPPROTO_TCP);
const bool is_udp = DetectProtoContainsProto(&s->init_data->proto, IPPROTO_UDP);
if (!(is_tcp || is_udp)) {
SCLogError("'frame' keyword only supported for TCP and UDP");
return -1;

@ -78,10 +78,10 @@ void DetectIcmpv4HdrRegister(void)
*/
static int DetectIcmpv4HdrSetup(DetectEngineCtx *de_ctx, Signature *s, const char *_unused)
{
if (!(DetectProtoContainsProto(&s->proto, IPPROTO_ICMP)))
if (!(DetectProtoContainsProto(&s->init_data->proto, IPPROTO_ICMP)))
return -1;
s->proto.flags |= DETECT_PROTO_IPV4;
s->init_data->proto.flags |= DETECT_PROTO_IPV4;
s->flags |= SIG_FLAG_REQUIRE_PACKET;
if (SCDetectBufferSetActiveList(de_ctx, s, g_icmpv4hdr_buffer_id) < 0)

@ -123,7 +123,7 @@ static int DetectICMPv6mtuSetup (DetectEngineCtx *de_ctx, Signature *s, const ch
return -1;
}
s->flags |= SIG_FLAG_REQUIRE_PACKET;
s->proto.flags |= DETECT_PROTO_IPV6;
s->init_data->proto.flags |= DETECT_PROTO_IPV6;
return 0;
}

@ -83,8 +83,8 @@ void DetectICMPv6hdrRegister(void)
static int DetectICMPv6hdrSetup (DetectEngineCtx *de_ctx, Signature *s, const char *_unused)
{
// ICMPv6 comes only with IPv6
s->proto.flags |= DETECT_PROTO_IPV6;
if (!(DetectProtoContainsProto(&s->proto, IPPROTO_ICMPV6)))
s->init_data->proto.flags |= DETECT_PROTO_IPV6;
if (!(DetectProtoContainsProto(&s->init_data->proto, IPPROTO_ICMPV6)))
return -1;
s->flags |= SIG_FLAG_REQUIRE_PACKET;

@ -100,7 +100,7 @@ static int DetectIGMPTypeMatch(
*/
static int DetectIGMPTypeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
if (!(DetectProtoContainsProto(&s->proto, IPPROTO_IGMP)))
if (!(DetectProtoContainsProto(&s->init_data->proto, IPPROTO_IGMP)))
return -1;
DetectU8Data *itd = DetectU8Parse(str);
@ -112,7 +112,7 @@ static int DetectIGMPTypeSetup(DetectEngineCtx *de_ctx, Signature *s, const char
DetectIGMPTypeFree(de_ctx, itd);
return -1;
}
s->proto.flags |= DETECT_PROTO_IPV4;
s->init_data->proto.flags |= DETECT_PROTO_IPV4;
s->flags |= SIG_FLAG_REQUIRE_PACKET;
return 0;

@ -76,10 +76,10 @@ void DetectIGMPHdrRegister(void)
*/
static int DetectIGMPHdrSetup(DetectEngineCtx *de_ctx, Signature *s, const char *_unused)
{
if (!(DetectProtoContainsProto(&s->proto, IPPROTO_IGMP)))
if (!(DetectProtoContainsProto(&s->init_data->proto, IPPROTO_IGMP)))
return -1;
s->proto.flags |= DETECT_PROTO_IPV4;
s->init_data->proto.flags |= DETECT_PROTO_IPV4;
s->flags |= SIG_FLAG_REQUIRE_PACKET;
if (SCDetectBufferSetActiveList(de_ctx, s, g_igmphdr_buffer_id) < 0)

@ -200,9 +200,9 @@ static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char
* will refined the protocol list and thus it needs to reset the bitfield to zero
* before setting the value specified by the ip_proto keyword.
*/
if (s->proto.flags & (DETECT_PROTO_ANY | DETECT_PROTO_IPV6 | DETECT_PROTO_IPV4)) {
s->proto.flags &= ~DETECT_PROTO_ANY;
memset(s->proto.proto, 0x00, sizeof(s->proto.proto));
if (s->init_data->proto.flags & (DETECT_PROTO_ANY | DETECT_PROTO_IPV6 | DETECT_PROTO_IPV4)) {
s->init_data->proto.flags &= ~DETECT_PROTO_ANY;
memset(s->init_data->proto.proto, 0x00, sizeof(s->init_data->proto.proto));
s->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
} else {
/* The ipproto engine has a relationship with the protocol that is
@ -233,7 +233,7 @@ static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char
"them in the same sig");
goto error;
}
s->proto.proto[data->proto / 8] |= 1 << (data->proto % 8);
s->init_data->proto.proto[data->proto / 8] |= 1 << (data->proto % 8);
break;
case DETECT_IPPROTO_OP_GT:
@ -244,9 +244,9 @@ static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char
goto error;
}
if (!lt_set && !not_set) {
s->proto.proto[data->proto / 8] = (uint8_t)(0xfe << (data->proto % 8));
s->init_data->proto.proto[data->proto / 8] = (uint8_t)(0xfe << (data->proto % 8));
for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
s->proto.proto[i] = 0xff;
s->init_data->proto.proto[i] = 0xff;
}
} else if (lt_set && !not_set) {
SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
@ -265,21 +265,21 @@ static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char
goto error;
} else {
for (i = 0; i < (data->proto / 8); i++) {
s->proto.proto[i] = 0;
s->init_data->proto.proto[i] = 0;
}
s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
s->init_data->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
s->proto.proto[i] &= 0xff;
s->init_data->proto.proto[i] &= 0xff;
}
}
}
} else if (!lt_set && not_set) {
for (i = 0; i < (data->proto / 8); i++) {
s->proto.proto[i] = 0;
s->init_data->proto.proto[i] = 0;
}
s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
s->init_data->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
s->proto.proto[i] &= 0xff;
s->init_data->proto.proto[i] &= 0xff;
}
} else {
DetectIPProtoData *data_temp;
@ -300,11 +300,11 @@ static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char
goto error;
} else {
for (i = 0; i < (data->proto / 8); i++) {
s->proto.proto[i] = 0;
s->init_data->proto.proto[i] = 0;
}
s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
s->init_data->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
s->proto.proto[i] &= 0xff;
s->init_data->proto.proto[i] &= 0xff;
}
}
}
@ -320,9 +320,10 @@ static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char
}
if (!gt_set && !not_set) {
for (i = 0; i < (data->proto / 8); i++) {
s->proto.proto[i] = 0xff;
s->init_data->proto.proto[i] = 0xff;
}
s->proto.proto[data->proto / 8] = (uint8_t)(~(0xff << (data->proto % 8)));
s->init_data->proto.proto[data->proto / 8] =
(uint8_t)(~(0xff << (data->proto % 8)));
} else if (gt_set && !not_set) {
SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
while (temp_sm != NULL) {
@ -340,21 +341,21 @@ static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char
goto error;
} else {
for (i = 0; i < (data->proto / 8); i++) {
s->proto.proto[i] &= 0xff;
s->init_data->proto.proto[i] &= 0xff;
}
s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
s->init_data->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
for (i = (data->proto / 8) + 1; i < 256 / 8; i++) {
s->proto.proto[i] = 0;
s->init_data->proto.proto[i] = 0;
}
}
}
} else if (!gt_set && not_set) {
for (i = 0; i < (data->proto / 8); i++) {
s->proto.proto[i] &= 0xFF;
s->init_data->proto.proto[i] &= 0xFF;
}
s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
s->init_data->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
s->proto.proto[i] = 0;
s->init_data->proto.proto[i] = 0;
}
} else {
DetectIPProtoData *data_temp;
@ -375,11 +376,11 @@ static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char
goto error;
} else {
for (i = 0; i < (data->proto / 8); i++) {
s->proto.proto[i] &= 0xFF;
s->init_data->proto.proto[i] &= 0xFF;
}
s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
s->init_data->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
s->proto.proto[i] = 0;
s->init_data->proto.proto[i] = 0;
}
}
}
@ -395,19 +396,19 @@ static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char
}
if (!gt_set && !lt_set && !not_set) {
for (i = 0; i < (data->proto / 8); i++) {
s->proto.proto[i] = 0xff;
s->init_data->proto.proto[i] = 0xff;
}
s->proto.proto[data->proto / 8] = (uint8_t)(~(1 << (data->proto % 8)));
s->init_data->proto.proto[data->proto / 8] = (uint8_t)(~(1 << (data->proto % 8)));
for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
s->proto.proto[i] = 0xff;
s->init_data->proto.proto[i] = 0xff;
}
} else {
for (i = 0; i < (data->proto / 8); i++) {
s->proto.proto[i] &= 0xff;
s->init_data->proto.proto[i] &= 0xff;
}
s->proto.proto[data->proto / 8] &= ~(1 << (data->proto % 8));
s->init_data->proto.proto[data->proto / 8] &= ~(1 << (data->proto % 8));
for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
s->proto.proto[i] &= 0xff;
s->init_data->proto.proto[i] &= 0xff;
}
}
break;
@ -489,14 +490,14 @@ static int DetectIPProtoTestSetup01(void)
FAIL_IF_NULL(sig);
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
DetectIPProtoSetup(NULL, sig, value_str);
for (i = 0; i < (value / 8); i++) {
FAIL_IF(sig->proto.proto[i] != 0);
FAIL_IF(sig->init_data->proto.proto[i] != 0);
}
FAIL_IF(sig->proto.proto[value / 8] != 0x40);
FAIL_IF(sig->init_data->proto.proto[value / 8] != 0x40);
for (i = (value / 8) + 1; i < (256 / 8); i++) {
FAIL_IF(sig->proto.proto[i] != 0);
FAIL_IF(sig->init_data->proto.proto[i] != 0);
}
SigFree(NULL, sig);
PASS;
@ -521,17 +522,17 @@ static int DetectIPProtoTestSetup02(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
DetectIPProtoSetup(NULL, sig, value_str);
for (i = 0; i < (value / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (sig->proto.proto[value / 8] != 0x40) {
if (sig->init_data->proto.proto[value / 8] != 0x40) {
goto end;
}
for (i = (value / 8) + 1; i < (256 / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
@ -558,17 +559,17 @@ static int DetectIPProtoTestSetup03(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
DetectIPProtoSetup(NULL, sig, value_str);
for (i = 0; i < (value / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (sig->proto.proto[value / 8] != 0x3F) {
if (sig->init_data->proto.proto[value / 8] != 0x3F) {
goto end;
}
for (i = (value / 8) + 1; i < (256 / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
@ -594,17 +595,17 @@ static int DetectIPProtoTestSetup04(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
DetectIPProtoSetup(NULL, sig, value_str);
for (i = 0; i < (value / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (sig->proto.proto[value / 8] != 0x80) {
if (sig->init_data->proto.proto[value / 8] != 0x80) {
goto end;
}
for (i = (value / 8) + 1; i < (256 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
@ -630,17 +631,17 @@ static int DetectIPProtoTestSetup05(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
DetectIPProtoSetup(NULL, sig, value_str);
for (i = 0; i < (value / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (sig->proto.proto[value / 8] != 0xBF) {
if (sig->init_data->proto.proto[value / 8] != 0xBF) {
goto end;
}
for (i = (value / 8) + 1; i < (256 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
@ -665,7 +666,7 @@ static int DetectIPProtoTestSetup06(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
@ -692,7 +693,7 @@ static int DetectIPProtoTestSetup07(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
@ -719,7 +720,7 @@ static int DetectIPProtoTestSetup08(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
@ -746,7 +747,7 @@ static int DetectIPProtoTestSetup09(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
@ -773,7 +774,7 @@ static int DetectIPProtoTestSetup10(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
@ -800,7 +801,7 @@ static int DetectIPProtoTestSetup11(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
@ -827,7 +828,7 @@ static int DetectIPProtoTestSetup12(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
@ -854,7 +855,7 @@ static int DetectIPProtoTestSetup13(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
@ -878,7 +879,7 @@ static int DetectIPProtoTestSetup14(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
@ -904,18 +905,18 @@ static int DetectIPProtoTestSetup15(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
for (i = 0; i < (value1 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (sig->proto.proto[value1 / 8] != 0x3F) {
if (sig->init_data->proto.proto[value1 / 8] != 0x3F) {
goto end;
}
for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
@ -941,18 +942,18 @@ static int DetectIPProtoTestSetup16(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
goto end;
for (i = 0; i < (value2 / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (sig->proto.proto[value2 / 8] != 0xF8) {
if (sig->init_data->proto.proto[value2 / 8] != 0xF8) {
goto end;
}
for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
@ -978,18 +979,18 @@ static int DetectIPProtoTestSetup17(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
for (i = 0; i < (value1 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (sig->proto.proto[value1 / 8] != 0x07) {
if (sig->init_data->proto.proto[value1 / 8] != 0x07) {
goto end;
}
for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
@ -1015,18 +1016,18 @@ static int DetectIPProtoTestSetup18(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
goto end;
for (i = 0; i < (value2 / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (sig->proto.proto[value2 / 8] != 0xC0) {
if (sig->init_data->proto.proto[value2 / 8] != 0xC0) {
goto end;
}
for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
@ -1053,20 +1054,20 @@ static int DetectIPProtoTestSetup19(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
goto end;
for (i = 0; i < (value1 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (sig->proto.proto[value1 / 8] != 0x07) {
if (sig->init_data->proto.proto[value1 / 8] != 0x07) {
goto end;
}
for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
@ -1092,18 +1093,18 @@ static int DetectIPProtoTestSetup20(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
for (i = 0; i < (value1 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (sig->proto.proto[value1 / 8] != 0x07) {
if (sig->init_data->proto.proto[value1 / 8] != 0x07) {
goto end;
}
for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
@ -1130,20 +1131,20 @@ static int DetectIPProtoTestSetup21(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
for (i = 0; i < (value1 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (sig->proto.proto[value1 / 8] != 0x07) {
if (sig->init_data->proto.proto[value1 / 8] != 0x07) {
goto end;
}
for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
@ -1170,20 +1171,20 @@ static int DetectIPProtoTestSetup22(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
goto end;
for (i = 0; i < (value3 / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (sig->proto.proto[value3 / 8] != 0xE0) {
if (sig->init_data->proto.proto[value3 / 8] != 0xE0) {
goto end;
}
for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
@ -1209,18 +1210,18 @@ static int DetectIPProtoTestSetup23(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
goto end;
for (i = 0; i < (value3 / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (sig->proto.proto[value3 / 8] != 0xE0) {
if (sig->init_data->proto.proto[value3 / 8] != 0xE0) {
goto end;
}
for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
@ -1247,20 +1248,20 @@ static int DetectIPProtoTestSetup24(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
goto end;
for (i = 0; i < (value3 / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (sig->proto.proto[value3 / 8] != 0xE0) {
if (sig->init_data->proto.proto[value3 / 8] != 0xE0) {
goto end;
}
for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
@ -1287,20 +1288,20 @@ static int DetectIPProtoTestSetup33(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
for (i = 0; i < (value1 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (sig->proto.proto[value1 / 8] != 0x07) {
if (sig->init_data->proto.proto[value1 / 8] != 0x07) {
goto end;
}
for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
@ -1328,20 +1329,20 @@ static int DetectIPProtoTestSetup34(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
goto end;
for (i = 0; i < (value1 / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (sig->proto.proto[value3 / 8] != 0xE0) {
if (sig->init_data->proto.proto[value3 / 8] != 0xE0) {
goto end;
}
for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
@ -1368,20 +1369,20 @@ static int DetectIPProtoTestSetup36(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
goto end;
for (i = 0; i < (value3 / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (sig->proto.proto[value3 / 8] != 0xE0) {
if (sig->init_data->proto.proto[value3 / 8] != 0xE0) {
goto end;
}
for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
@ -1409,23 +1410,23 @@ static int DetectIPProtoTestSetup43(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
goto end;
if (sig->proto.proto[value1 / 8] != 0xEF) {
if (sig->init_data->proto.proto[value1 / 8] != 0xEF) {
goto end;
}
for (i = (value1 / 8) + 1; i < (value2 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (sig->proto.proto[value2 / 8] != 0x1F) {
if (sig->init_data->proto.proto[value2 / 8] != 0x1F) {
goto end;
}
for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
@ -1452,20 +1453,20 @@ static int DetectIPProtoTestSetup44(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
goto end;
for (i = 0; i < (value3 / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (sig->proto.proto[value3 / 8] != 0xF8) {
if (sig->init_data->proto.proto[value3 / 8] != 0xF8) {
goto end;
}
for (i = (value3 / 8) + 1; i < 256 / 8; i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
@ -1493,23 +1494,23 @@ static int DetectIPProtoTestSetup45(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
if (sig->proto.proto[value1 / 8] != 0xEF) {
if (sig->init_data->proto.proto[value1 / 8] != 0xEF) {
goto end;
}
for (i = (value1 / 8) + 1; i < (value2 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (sig->proto.proto[value2 / 8] != 0x1F) {
if (sig->init_data->proto.proto[value2 / 8] != 0x1F) {
goto end;
}
for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
@ -1536,20 +1537,20 @@ static int DetectIPProtoTestSetup56(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
goto end;
for (i = 0; i < (value1 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (sig->proto.proto[value1 / 8] != 0x1F) {
if (sig->init_data->proto.proto[value1 / 8] != 0x1F) {
goto end;
}
for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
@ -1575,20 +1576,20 @@ static int DetectIPProtoTestSetup75(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
goto end;
for (i = 0; i < (value2 / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (sig->proto.proto[value2 / 8] != 0xF8) {
if (sig->init_data->proto.proto[value2 / 8] != 0xF8) {
goto end;
}
for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
@ -1612,20 +1613,20 @@ static int DetectIPProtoTestSetup76(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
for (i = 0; i < (value2 / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (sig->proto.proto[value2 / 8] != 0xF8) {
if (sig->init_data->proto.proto[value2 / 8] != 0xF8) {
goto end;
}
for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
@ -1649,18 +1650,18 @@ static int DetectIPProtoTestSetup129(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
for (i = 0; i < (value1 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (sig->proto.proto[value1 / 8] != 0x03) {
if (sig->init_data->proto.proto[value1 / 8] != 0x03) {
goto end;
}
for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
@ -1686,20 +1687,20 @@ static int DetectIPProtoTestSetup130(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
goto end;
for (i = 0; i < (value2 / 8); i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}
if (sig->proto.proto[value2 / 8] != 0xF8) {
if (sig->init_data->proto.proto[value2 / 8] != 0xF8) {
goto end;
}
for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
@ -1723,20 +1724,20 @@ static int DetectIPProtoTestSetup131(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
goto end;
for (i = 0; i < (value1 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (sig->proto.proto[value1 / 8] != 0x03) {
if (sig->init_data->proto.proto[value1 / 8] != 0x03) {
goto end;
}
for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
if (sig->proto.proto[i] != 0x0)
if (sig->init_data->proto.proto[i] != 0x0)
goto end;
}
@ -1760,20 +1761,20 @@ static int DetectIPProtoTestSetup132(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
goto end;
for (i = 0; i < (value1 / 8); i++) {
if (sig->proto.proto[i] != 0xFF)
if (sig->init_data->proto.proto[i] != 0xFF)
goto end;
}
if (sig->proto.proto[value1 / 8] != 0x03) {
if (sig->init_data->proto.proto[value1 / 8] != 0x03) {
goto end;
}
for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
if (sig->proto.proto[i] != 0x0)
if (sig->init_data->proto.proto[i] != 0x0)
goto end;
}
@ -1806,7 +1807,7 @@ static int DetectIPProtoTestSetup145(void)
goto end;
sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
sig->proto.flags |= DETECT_PROTO_ANY;
sig->init_data->proto.flags |= DETECT_PROTO_ANY;
if (DetectIPProtoSetup(NULL, sig, value5_str) != 0)
goto end;
if (DetectIPProtoSetup(NULL, sig, value8_str) != 0)
@ -1827,23 +1828,23 @@ static int DetectIPProtoTestSetup145(void)
goto end;
if (DetectIPProtoSetup(NULL, sig, value7_str) != 0)
goto end;
if (sig->proto.proto[0] != 0) {
if (sig->init_data->proto.proto[0] != 0) {
goto end;
}
if (sig->proto.proto[1] != 0xBA) {
if (sig->init_data->proto.proto[1] != 0xBA) {
goto end;
}
if (sig->proto.proto[2] != 0xFF) {
if (sig->init_data->proto.proto[2] != 0xFF) {
goto end;
}
if (sig->proto.proto[3] != 0x97) {
if (sig->init_data->proto.proto[3] != 0x97) {
goto end;
}
if (sig->proto.proto[4] != 0x0B) {
if (sig->init_data->proto.proto[4] != 0x0B) {
goto end;
}
for (i = (value10 / 8) + 1; i < 256 / 8; i++) {
if (sig->proto.proto[i] != 0)
if (sig->init_data->proto.proto[i] != 0)
goto end;
}

@ -81,7 +81,7 @@ void DetectIpv4hdrRegister(void)
*/
static int DetectIpv4hdrSetup (DetectEngineCtx *de_ctx, Signature *s, const char *_unused)
{
s->proto.flags |= DETECT_PROTO_IPV4; // TODO
s->init_data->proto.flags |= DETECT_PROTO_IPV4; // TODO
s->flags |= SIG_FLAG_REQUIRE_PACKET;

@ -81,7 +81,7 @@ void DetectIpv6hdrRegister(void)
*/
static int DetectIpv6hdrSetup (DetectEngineCtx *de_ctx, Signature *s, const char *_unused)
{
s->proto.flags |= DETECT_PROTO_IPV6; // TODO
s->init_data->proto.flags |= DETECT_PROTO_IPV6; // TODO
s->flags |= SIG_FLAG_REQUIRE_PACKET;

@ -76,26 +76,26 @@ static int DetectL3ProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char
const char *str = optstr;
/* reset possible any value */
if (s->proto.flags & DETECT_PROTO_ANY) {
s->proto.flags &= ~DETECT_PROTO_ANY;
if (s->init_data->proto.flags & DETECT_PROTO_ANY) {
s->init_data->proto.flags &= ~DETECT_PROTO_ANY;
}
/* authorized value, ip, any, ip4, ipv4, ip6, ipv6 */
if (strcasecmp(str,"ipv4") == 0 ||
strcasecmp(str,"ip4") == 0 ) {
if (s->proto.flags & DETECT_PROTO_IPV6) {
if (s->init_data->proto.flags & DETECT_PROTO_IPV6) {
SCLogError("Conflicting l3 proto specified");
goto error;
}
s->proto.flags |= DETECT_PROTO_IPV4;
s->init_data->proto.flags |= DETECT_PROTO_IPV4;
SCLogDebug("IPv4 protocol detected");
} else if (strcasecmp(str,"ipv6") == 0 ||
strcasecmp(str,"ip6") == 0 ) {
if (s->proto.flags & DETECT_PROTO_IPV6) {
if (s->init_data->proto.flags & DETECT_PROTO_IPV6) {
SCLogError("Conflicting l3 proto specified");
goto error;
}
s->proto.flags |= DETECT_PROTO_IPV6;
s->init_data->proto.flags |= DETECT_PROTO_IPV6;
SCLogDebug("IPv6 protocol detected");
} else {
SCLogError("Invalid l3 proto: \"%s\"", str);
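Review bot: The `ipv6`/`ip6` branch tests `DETECT_PROTO_IPV6` before setting that same flag, so a rule that already carries `DETECT_PROTO_IPV4` is not rejected as conflicting; the change moves this check to `init_data->proto` unchanged. The `ipv4` branch checks the opposite family, so the intended condition here looks like `if (s->init_data->proto.flags & DETECT_PROTO_IPV4) {`. If both flags reach the runtime `DetectProto`, the header check in detect.c requires a packet to be IPv4 and IPv6 at once, so such a rule would load and then never match. DetectL3ProtoSetup starts and ends outside the hunk.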

@ -1401,14 +1401,14 @@ static int SigParseProto(Signature *s, const char *protostr)
return -1;
}
int r = DetectProtoParse(&s->proto, p);
int r = DetectProtoParse(&s->init_data->proto, (char *)p);
if (r < 0) {
s->alproto = AppLayerGetProtoByName(p);
/* indicate that the signature is app-layer */
if (s->alproto != ALPROTO_UNKNOWN) {
s->flags |= SIG_FLAG_APPLAYER;
AppLayerProtoDetectSupportedIpprotos(s->alproto, s->proto.proto);
AppLayerProtoDetectSupportedIpprotos(s->alproto, s->init_data->proto.proto);
if (h) {
if (SigParseProtoHookApp(s, protostr, p, h) < 0) {
@ -1437,9 +1437,9 @@ static int SigParseProto(Signature *s, const char *protostr)
/* if any of these flags are set they are set in a mutually exclusive
* manner */
if (s->proto.flags & DETECT_PROTO_ONLY_PKT) {
if (s->init_data->proto.flags & DETECT_PROTO_ONLY_PKT) {
s->flags |= SIG_FLAG_REQUIRE_PACKET;
} else if (s->proto.flags & DETECT_PROTO_ONLY_STREAM) {
} else if (s->init_data->proto.flags & DETECT_PROTO_ONLY_STREAM) {
s->flags |= SIG_FLAG_REQUIRE_STREAM;
}
@ -2112,6 +2112,9 @@ void SigFree(DetectEngineCtx *de_ctx, Signature *s)
if (s->dp != NULL) {
DetectPortCleanupList(NULL, s->dp);
}
if (s->proto) {
SCFree(s->proto);
}
if (s->msg != NULL)
SCFree(s->msg);
@ -2724,7 +2727,7 @@ static void SigConsolidateTcpBuffer(Signature *s)
* - pkt vs stream vs depth/offset
* - pkt vs stream vs stream_size
*/
if (s->proto.proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) {
if (DetectProtoContainsProto(&s->init_data->proto, IPPROTO_TCP)) {
if (s->init_data->smlists[DETECT_SM_LIST_PMATCH]) {
if (!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM))) {
s->flags |= SIG_FLAG_REQUIRE_STREAM;
@ -2837,6 +2840,9 @@ static int SigValidateConsolidate(
SignatureSetType(de_ctx, s);
DetectRuleSetTable(s);
if (DetectProtoFinalizeSignature(s) != 0)
SCReturnInt(0);
int r = SigValidateFileHandling(s);
if (r == 0) {
SCReturnInt(0);
@ -2931,15 +2937,15 @@ static Signature *SigInitHelper(
if (sig->alproto != ALPROTO_UNKNOWN) {
int override_needed = 0;
if (sig->proto.flags & DETECT_PROTO_ANY) {
sig->proto.flags &= ~DETECT_PROTO_ANY;
memset(sig->proto.proto, 0x00, sizeof(sig->proto.proto));
if (sig->init_data->proto.flags & DETECT_PROTO_ANY) {
sig->init_data->proto.flags &= ~DETECT_PROTO_ANY;
memset(sig->init_data->proto.proto, 0x00, sizeof(sig->init_data->proto.proto));
override_needed = 1;
} else {
override_needed = 1;
size_t s = 0;
for (s = 0; s < sizeof(sig->proto.proto); s++) {
if (sig->proto.proto[s] != 0x00) {
for (s = 0; s < sizeof(sig->init_data->proto.proto); s++) {
if (sig->init_data->proto.proto[s] != 0x00) {
override_needed = 0;
break;
}
@ -2950,7 +2956,7 @@ static Signature *SigInitHelper(
* overridden, we use the ip proto that has been configured
* against the app proto in use. */
if (override_needed)
AppLayerProtoDetectSupportedIpprotos(sig->alproto, sig->proto.proto);
AppLayerProtoDetectSupportedIpprotos(sig->alproto, sig->init_data->proto.proto);
}
/* set the packet and app layer flags, but only if the
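Review bot: The new `DetectProtoFinalizeSignature(s)` call in SigValidateConsolidate has no comment explaining why it sits after `SignatureSetType()` and `DetectRuleSetTable()`, and its failure path returns 0 with no message visible in this hunk. The commit message lists ip-only rules among the cases that must keep a protocol check, so the ordering looks load-bearing. I would add `/* after SignatureSetType(): decides whether s->proto is kept for the runtime header check or left NULL */` above the call. If the helper does not log on failure itself (not visible here), an `SCLogError` naming the rule would make a rejected signature diagnosable. The function body continues outside the hunk.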

@ -81,7 +81,7 @@ void DetectTcphdrRegister(void)
*/
static int DetectTcphdrSetup (DetectEngineCtx *de_ctx, Signature *s, const char *_unused)
{
if (!(DetectProtoContainsProto(&s->proto, IPPROTO_TCP)))
if (!(DetectProtoContainsProto(&s->init_data->proto, IPPROTO_TCP)))
return -1;
s->flags |= SIG_FLAG_REQUIRE_PACKET;
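Review bot: DetectTcphdrSetup returns -1 when the rule's protocol set does not include TCP, but the hunk shows no log line saying why the rule is rejected. DetectUdphdrSetup in the next file section has the same pattern. DetectL3ProtoSetup elsewhere in this commit logs before failing, so for consistency I would add `SCLogError("rule protocol does not include tcp");` before the `return -1;`, and the UDP equivalent in the other file. The function body continues outside the hunk.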

@ -80,7 +80,7 @@ void DetectUdphdrRegister(void)
*/
static int DetectUdphdrSetup (DetectEngineCtx *de_ctx, Signature *s, const char *_unused)
{
if (!(DetectProtoContainsProto(&s->proto, IPPROTO_UDP)))
if (!(DetectProtoContainsProto(&s->init_data->proto, IPPROTO_UDP)))
return -1;
s->flags |= SIG_FLAG_REQUIRE_PACKET;

@ -505,8 +505,8 @@ static void DetectRunInspectIPOnly(ThreadVars *tv, const DetectEngineCtx *de_ctx
/** \internal
* \brief inspect the rule header: protocol, ports, etc
* \retval bool false if no match, true if match */
static inline bool DetectRunInspectRuleHeader(const Packet *p, const Flow *f, const Signature *s,
const uint32_t sflags, const uint8_t s_proto_flags)
static inline bool DetectRunInspectRuleHeader(
const Packet *p, const Flow *f, const Signature *s, const uint32_t sflags)
{
/* check if this signature has a requirement for flowvars of some type
* and if so, if we actually have any in the flow. If not, the sig
@ -523,18 +523,21 @@ static inline bool DetectRunInspectRuleHeader(const Packet *p, const Flow *f, co
}
}
if ((s_proto_flags & DETECT_PROTO_IPV4) && !PacketIsIPv4(p)) {
SCLogDebug("ip version didn't match");
return false;
}
if ((s_proto_flags & DETECT_PROTO_IPV6) && !PacketIsIPv6(p)) {
SCLogDebug("ip version didn't match");
return false;
}
if (DetectProtoContainsProto(&s->proto, PacketGetIPProto(p)) == 0) {
SCLogDebug("proto didn't match");
return false;
if (!(s->proto == NULL)) {
const uint8_t s_proto_flags = s->proto->flags;
/* TODO does it make sense to move these flags to s->flags? */
if ((s_proto_flags & DETECT_PROTO_IPV4) && !PacketIsIPv4(p)) {
SCLogDebug("ip version didn't match");
return false;
}
if ((s_proto_flags & DETECT_PROTO_IPV6) && !PacketIsIPv6(p)) {
SCLogDebug("ip version didn't match");
return false;
}
if (DetectProtoContainsProto(s->proto, PacketGetIPProto(p)) == 0) {
SCLogDebug("proto didn't match");
return false;
}
}
/* check the source & dst port in the sig */
@ -695,7 +698,6 @@ static inline uint8_t DetectRulePacketRules(ThreadVars *const tv,
next_s = *match_array++;
next_sflags = next_s->flags;
}
const uint8_t s_proto_flags = s->proto.flags;
SCLogDebug("packet %" PRIu64 ": inspecting signature id %" PRIu32 "", PcapPacketCntGet(p),
s->id);
@ -747,7 +749,7 @@ static inline uint8_t DetectRulePacketRules(ThreadVars *const tv,
}
}
if (!DetectRunInspectRuleHeader(p, pflow, s, sflags, s_proto_flags)) {
if (DetectRunInspectRuleHeader(p, pflow, s, sflags) == false) {
goto next;
}
@ -1202,7 +1204,7 @@ static bool DetectRunTxInspectRule(ThreadVars *tv,
/* for a new inspection we inspect pkt header and packet matches */
if (likely(stored_flags == NULL)) {
TRACE_SID_TXS(s->id, tx, "first inspect, run packet matches");
if (!DetectRunInspectRuleHeader(p, f, s, s->flags, s->proto.flags)) {
if (DetectRunInspectRuleHeader(p, f, s, s->flags) == false) {
TRACE_SID_TXS(s->id, tx, "DetectRunInspectRuleHeader() no match");
return false;
}
@ -2200,7 +2202,7 @@ static void DetectRunFrames(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngin
/* call individual rule inspection */
RULE_PROFILING_START(p);
bool r = DetectRunInspectRuleHeader(p, f, s, s->flags, s->proto.flags);
bool r = DetectRunInspectRuleHeader(p, f, s, s->flags);
if (r) {
r = DetectRunFrameInspectRule(tv, det_ctx, s, f, p, frames, frame);
if (r) {
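Review bot: In DetectRunInspectRuleHeader a NULL `s->proto` now skips the IPv4/IPv6 and IP-protocol tests entirely, and nothing at the branch records the invariant that makes this safe. A comment such as `/* NULL: the sgh this sig came from already guarantees the ip proto, and no ip version was requested */` would tell the next maintainer what has to hold for the three callers in this section (packet rules, tx rules, frames). The condition also reads more directly as `if (s->proto != NULL) {`. The two new `== false` comparisons could stay as `!DetectRunInspectRuleHeader(...)` to match the lines they replace. The function body continues outside the hunk.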

@ -631,6 +631,9 @@ typedef struct SignatureInitData_ {
DetectEngineTransforms transforms;
/** rule protocol settings */
DetectProto proto;
/** score to influence rule grouping. A higher value leads to a higher
* likelihood of a rulegroup with this sig ending up as a contained
* group. */
@ -684,8 +687,8 @@ typedef struct Signature_ {
uint8_t action;
uint8_t file_flags;
/** addresses, ports and proto this sig matches on */
DetectProto proto;
/** rule protocol: can be NULL if the check can be skipped */
DetectProto *proto;
/* scope setting for the action: enum ActionScope */
uint8_t action_scope;
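Review bot: `DetectProto *proto` is placed between `uint8_t file_flags` and `uint8_t action_scope`, so on a 64-bit build the pointer is likely to be surrounded by alignment padding, which works against the size reduction this change is after. Moving the pointer next to the struct's other pointer members, or keeping the `uint8_t` fields adjacent, would avoid that. The rest of `struct Signature_` is outside the hunk, so the layout should be confirmed with `pahole` or a similar tool. The member comment could also state ownership, e.g. `/** rule protocol, freed in SigFree(); NULL if the runtime check can be skipped */`.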
