ip-only: added support for matching on ports.

14 years ago · e13181496c
parent 3d396e8b1e
commit e13181496c
3 changed files with 25 additions and 25 deletions
--- a/src/detect-engine-iponly.c
+++ b/src/detect-engine-iponly.c
@ -1026,9 +1026,28 @@ void IPOnlyMatchPacket(ThreadVars *tv,
                if (bitarray & 0x01) {
                    Signature *s = de_ctx->sig_array[u * 8 + i];

-                    /* Need to check the protocol first */
-                    if (!(s->proto.proto[(IP_GET_IPPROTO(p)/8)] & (1 << (IP_GET_IPPROTO(p) % 8))))
+                    if (DetectProtoContainsProto(&s->proto, IP_GET_IPPROTO(p)) == 0) {
+                        SCLogDebug("proto didn't match");
                        continue;
+                    }
+
+                    /* check the source & dst port in the sig */
+                    if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP || p->proto == IPPROTO_SCTP) {
+                        if (!(s->flags & SIG_FLAG_DP_ANY)) {
+                            DetectPort *dport = DetectPortLookupGroup(s->dp,p->dp);
+                            if (dport == NULL) {
+                                SCLogDebug("dport didn't match.");
+                                continue;
+                            }
+                        }
+                        if (!(s->flags & SIG_FLAG_SP_ANY)) {
+                            DetectPort *sport = DetectPortLookupGroup(s->sp,p->sp);
+                            if (sport == NULL) {
+                                SCLogDebug("sport didn't match.");
+                                continue;
+                            }
+                        }
+                    }

                    if (!IPOnlyMatchCompatSMs(tv, det_ctx, s, p)) {
                        continue;
@ -1534,10 +1553,10 @@ static int IPOnlyTestSig02 (void) {
    if (s == NULL) {
        goto end;
    }
-    if(!(SignatureIsIPOnly(&de_ctx, s)))
-        result=1;
+    if ((SignatureIsIPOnly(&de_ctx, s)))
+        result = 1;
    else
-        printf("got a IPOnly signature: ");
+        printf("got a non-IPOnly signature: ");

    SigFree(s);

--- a/src/detect-threshold.c
+++ b/src/detect-threshold.c
@ -411,7 +411,7 @@ static int DetectThresholdTestSig1(void) {

    de_ctx->flags |= DE_QUIET;

-    s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
+    s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; content:\"A\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
    if (s == NULL) {
        goto end;
    }
--- a/src/detect.c
+++ b/src/detect.c
@ -1917,25 +1917,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, Signature *s) {
    if (s->alproto != ALPROTO_UNKNOWN)
        return 0;

-    /* for tcp/udp, only consider sigs that don't have ports set, as ip-only */
-    if (!(s->proto.flags & DETECT_PROTO_ANY)) {
-        if (s->proto.proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8)) ||
-            s->proto.proto[IPPROTO_UDP / 8] & (1 << (IPPROTO_UDP % 8)) ||
-            s->proto.proto[IPPROTO_SCTP / 8] & (1 << (IPPROTO_SCTP % 8))) {
-            if (!(s->flags & SIG_FLAG_SP_ANY))
-                return 0;
-
-            if (!(s->flags & SIG_FLAG_DP_ANY))
-                return 0;
-/*
-        } else if ((s->proto.proto[IPPROTO_ICMP / 8] & (1 << (IPPROTO_ICMP % 8))) ||
-                   (s->proto.proto[IPPROTO_ICMPV6 / 8] & (1 << (IPPROTO_ICMPV6 % 8)))) {
-            SCLogDebug("ICMP sigs are not IP-Only until we support ICMP in flow.");
-            return 0;
-*/
-        }
-    }
-
    if (s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL)
        return 0;