|
|
|
|
@ -181,11 +181,21 @@ static void OnThreadInit(ThreadVars *tv, void *_data)
|
|
|
|
|
static int DetectnDPIProtocolPacketMatch(
|
|
|
|
|
DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s, const SigMatchCtx *ctx)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
const Flow *f = p->flow;
|
|
|
|
|
if (f == NULL) {
|
|
|
|
|
SCLogDebug("packet %" PRIu64 ": no flow", p->pcap_cnt);
|
|
|
|
|
SCReturnInt(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct NdpiFlowContext *flowctx = FlowGetStorageById(f, flow_storage_id);
|
|
|
|
|
const DetectnDPIProtocolData *data = (const DetectnDPIProtocolData *)ctx;
|
|
|
|
|
if (flowctx == NULL) {
|
|
|
|
|
SCLogDebug("packet %" PRIu64 ": no flowctx", PcapPacketCntGet(p));
|
|
|
|
|
SCReturnInt(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SCEnter();
|
|
|
|
|
const DetectnDPIProtocolData *data = (const DetectnDPIProtocolData *)ctx;
|
|
|
|
|
|
|
|
|
|
/* if the sig is PD-only we only match when PD packet flags are set */
|
|
|
|
|
/*
|
|
|
|
|
@ -201,11 +211,6 @@ static int DetectnDPIProtocolPacketMatch(
|
|
|
|
|
SCReturnInt(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (f == NULL) {
|
|
|
|
|
SCLogDebug("packet %" PRIu64 ": no flow", p->pcap_cnt);
|
|
|
|
|
SCReturnInt(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool r = ndpi_is_proto_equals(flowctx->detected_l7_protocol.proto, data->l7_protocol, false);
|
|
|
|
|
r = r ^ data->negated;
|
|
|
|
|
|
|
|
|
|
@ -311,22 +316,27 @@ static void DetectnDPIProtocolFree(DetectEngineCtx *de_ctx, void *ptr)
|
|
|
|
|
static int DetectnDPIRiskPacketMatch(
|
|
|
|
|
DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s, const SigMatchCtx *ctx)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
const Flow *f = p->flow;
|
|
|
|
|
if (f == NULL) {
|
|
|
|
|
SCLogDebug("packet %" PRIu64 ": no flow", p->pcap_cnt);
|
|
|
|
|
SCReturnInt(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct NdpiFlowContext *flowctx = FlowGetStorageById(f, flow_storage_id);
|
|
|
|
|
const DetectnDPIRiskData *data = (const DetectnDPIRiskData *)ctx;
|
|
|
|
|
if (flowctx == NULL) {
|
|
|
|
|
SCLogDebug("packet %" PRIu64 ": no flowctx", p->pcap_cnt);
|
|
|
|
|
SCReturnInt(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SCEnter();
|
|
|
|
|
const DetectnDPIRiskData *data = (const DetectnDPIRiskData *)ctx;
|
|
|
|
|
|
|
|
|
|
if (!flowctx->detection_completed) {
|
|
|
|
|
SCLogDebug("packet %" PRIu64 ": ndpi risks not yet detected", p->pcap_cnt);
|
|
|
|
|
SCReturnInt(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (f == NULL) {
|
|
|
|
|
SCLogDebug("packet %" PRIu64 ": no flow", p->pcap_cnt);
|
|
|
|
|
SCReturnInt(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool r = ((flowctx->ndpi_flow->risk & data->risk_mask) == data->risk_mask);
|
|
|
|
|
r = r ^ data->negated;
|
|
|
|
|
|
|
|
|
|
|
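Review bot: In DetectnDPIRiskPacketMatch the final comparison still reads `flowctx->ndpi_flow->risk` with no check on `ndpi_flow`, although the early returns shown here guard only `f` and `flowctx`. Whether the flow storage can exist while `ndpi_flow` is unset is not visible in these hunks (the allocation is elsewhere), so either add `if (flowctx->ndpi_flow == NULL) { SCReturnInt(0); }` before that line or note in a comment where the non-NULL guarantee comes from. Both match functions return 0 before `r = r ^ data->negated` is applied, so a negated keyword never matches a packet without a flow or flow storage; a comment such as `/* no nDPI state: no match, even for negated rules */` on those returns would make that explicit for rule writers. The debug messages also mix `p->pcap_cnt` and `PcapPacketCntGet(p)` for the same value; use one accessor throughout. The +/- markers are lost in this rendering, so the second `SCEnter()` and `data` declaration in each function are assumed to be removed lines.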