aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge DetectAddressData and DetectAddressGroup

Browse Source
remotes/origin/master-1.0.x
Victor Julien 15 years ago
parent 15ab5d7003
commit e4c98c562c
11 changed files with 953 additions and 1376 deletions
Show Stats Download Patch File Download Diff File

598
src/detect-engine-address-ipv4.c
Unescape Escape View File

@ -18,7 +18,7 @@
#include "detect-engine-siggroup.h"
#include "detect-engine-port.h"
int DetectAddressCmpIPv4(DetectAddressData *a, DetectAddressData *b) {
int DetectAddressGroupCmpIPv4(DetectAddressGroup *a, DetectAddressGroup *b) {
uint32_t a_ip1 = ntohl(a->ip[0]);
uint32_t a_ip2 = ntohl(a->ip2[0]);
uint32_t b_ip1 = ntohl(b->ip[0]);
@ -72,17 +72,17 @@ int DetectAddressCmpIPv4(DetectAddressData *a, DetectAddressData *b) {
* must result in: a == 1.2.3.0-1.2.3.3, b == 1.2.3.4, c == 1.2.3.5-1.2.3.255
*/
int DetectAddressGroupCutIPv4(DetectEngineCtx *de_ctx, DetectAddressGroup *a, DetectAddressGroup *b, DetectAddressGroup **c) {
uint32_t a_ip1 = ntohl(a->ad->ip[0]);
uint32_t a_ip2 = ntohl(a->ad->ip2[0]);
uint32_t b_ip1 = ntohl(b->ad->ip[0]);
uint32_t b_ip2 = ntohl(b->ad->ip2[0]);
uint32_t a_ip1 = ntohl(a->ip[0]);
uint32_t a_ip2 = ntohl(a->ip2[0]);
uint32_t b_ip1 = ntohl(b->ip[0]);
uint32_t b_ip2 = ntohl(b->ip2[0]);
DetectPort *port = NULL;
DetectAddressGroup *tmp = NULL;
/* default to NULL */
*c = NULL;
int r = DetectAddressCmpIPv4(a->ad,b->ad);
int r = DetectAddressGroupCmpIPv4(a,b);
if (r != ADDRESS_ES && r != ADDRESS_EB && r != ADDRESS_LE && r != ADDRESS_GE) {
printf("we shouldn't be here\n");
goto error;
@ -93,7 +93,6 @@ int DetectAddressGroupCutIPv4(DetectEngineCtx *de_ctx, DetectAddressGroup *a, De
if (tmp == NULL) {
goto error;
}
memset(tmp,0,sizeof(DetectAddressGroup));
/* we have 3 parts: [aaa[abab]bbb]
* part a: a_ip1 <-> b_ip1 - 1
@ -104,39 +103,37 @@ int DetectAddressGroupCutIPv4(DetectEngineCtx *de_ctx, DetectAddressGroup *a, De
#ifdef DBG
printf("DetectAddressGroupCutIPv4: r == ADDRESS_LE\n");
#endif
a->ad->ip[0] = htonl(a_ip1);
a->ad->ip2[0] = htonl(b_ip1 - 1);
a->ip[0] = htonl(a_ip1);
a->ip2[0] = htonl(b_ip1 - 1);
b->ad->ip[0] = htonl(b_ip1);
b->ad->ip2[0] = htonl(a_ip2);
b->ip[0] = htonl(b_ip1);
b->ip2[0] = htonl(a_ip2);
DetectAddressGroup *tmp_c;
tmp_c = DetectAddressGroupInit();
if (tmp_c == NULL) {
goto error;
}
tmp_c->ad = DetectAddressDataInit();
if (tmp_c->ad == NULL) {
goto error;
}
tmp_c->ad->family = AF_INET;
tmp_c->ad->ip[0] = htonl(a_ip2 + 1);
tmp_c->ad->ip2[0] = htonl(b_ip2);
tmp_c->family = AF_INET;
tmp_c->ip[0] = htonl(a_ip2 + 1);
tmp_c->ip2[0] = htonl(b_ip2);
*c = tmp_c;
SigGroupHeadCopySigs(de_ctx, b->sh,&tmp_c->sh);
SigGroupHeadCopySigs(de_ctx, a->sh,&b->sh);
if (de_ctx != NULL) {
SigGroupHeadCopySigs(de_ctx, b->sh,&tmp_c->sh);
SigGroupHeadCopySigs(de_ctx, a->sh,&b->sh);
for (port = b->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &tmp_c->port, port);
}
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &b->port, port);
}
for (port = b->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &tmp_c->port, port);
}
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &b->port, port);
}
tmp_c->cnt += b->cnt;
b->cnt += a->cnt;
tmp_c->cnt += b->cnt;
b->cnt += a->cnt;
}
/* we have 3 parts: [bbb[baba]aaa]
* part a: b_ip1 <-> a_ip1 - 1
@ -147,162 +144,30 @@ int DetectAddressGroupCutIPv4(DetectEngineCtx *de_ctx, DetectAddressGroup *a, De
#ifdef DBG
printf("DetectAddressGroupCutIPv4: r == ADDRESS_GE\n");
#endif
a->ad->ip[0] = htonl(b_ip1);
a->ad->ip2[0] = htonl(a_ip1 - 1);
a->ip[0] = htonl(b_ip1);
a->ip2[0] = htonl(a_ip1 - 1);
b->ad->ip[0] = htonl(a_ip1);
b->ad->ip2[0] = htonl(b_ip2);
b->ip[0] = htonl(a_ip1);
b->ip2[0] = htonl(b_ip2);
DetectAddressGroup *tmp_c;
tmp_c = DetectAddressGroupInit();
if (tmp_c == NULL) {
goto error;
}
tmp_c->ad = DetectAddressDataInit();
if (tmp_c->ad == NULL) {
goto error;
}
tmp_c->ad->family = AF_INET;
tmp_c->ad->ip[0] = htonl(b_ip2 + 1);
tmp_c->ad->ip2[0] = htonl(a_ip2);
tmp_c->family = AF_INET;
tmp_c->ip[0] = htonl(b_ip2 + 1);
tmp_c->ip2[0] = htonl(a_ip2);
*c = tmp_c;
/* 'a' gets clean and then 'b' sigs
* 'b' gets clean, then 'a' then 'b' sigs
* 'c' gets 'a' sigs */
SigGroupHeadCopySigs(de_ctx, a->sh, &tmp->sh); /* store old a list */
SigGroupHeadClearSigs(a->sh); /* clean a list */
SigGroupHeadCopySigs(de_ctx, tmp->sh, &tmp_c->sh); /* copy old b to c */
SigGroupHeadCopySigs(de_ctx, b->sh, &a->sh); /* copy old b to a */
SigGroupHeadCopySigs(de_ctx, tmp->sh, &b->sh); /* prepend old a before b */
SigGroupHeadClearSigs(tmp->sh); /* clean tmp list */
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &tmp->port, port);
}
for (port = b->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &a->port, port);
}
for (port = tmp->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &b->port, port);
}
for (port = tmp->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &tmp_c->port, port);
}
tmp->cnt += a->cnt;
a->cnt = 0;
tmp_c->cnt += tmp->cnt;
a->cnt += b->cnt;
b->cnt += tmp->cnt;
tmp->cnt = 0;
/* we have 2 or three parts:
*
* 2 part: [[abab]bbb] or [bbb[baba]]
* part a: a_ip1 <-> a_ip2
* part b: a_ip2 + 1 <-> b_ip2
*
* part a: b_ip1 <-> a_ip1 - 1
* part b: a_ip1 <-> a_ip2
*
* 3 part [bbb[aaa]bbb]
* becomes[aaa[bbb]ccc]
*
* part a: b_ip1 <-> a_ip1 - 1
* part b: a_ip1 <-> a_ip2
* part c: a_ip2 + 1 <-> b_ip2
*/
} else if (r == ADDRESS_ES) {
#ifdef DBG
printf("DetectAddressGroupCutIPv4: r == ADDRESS_ES\n");
#endif
if (a_ip1 == b_ip1) {
#ifdef DBG
printf("DetectAddressGroupCutIPv4: 1\n");
#endif
a->ad->ip[0] = htonl(a_ip1);
a->ad->ip2[0] = htonl(a_ip2);
b->ad->ip[0] = htonl(a_ip2 + 1);
b->ad->ip2[0] = htonl(b_ip2);
/* 'b' overlaps 'a' so 'a' needs the 'b' sigs */
SigGroupHeadCopySigs(de_ctx, b->sh, &a->sh);
//printf("a: "); DetectAddressDataPrint(a->ad); printf(": "); DbgPrintSigs2(a->sh);
//printf("b: "); DetectAddressDataPrint(b->ad); printf(": "); DbgPrintSigs2(b->sh);
for (port = b->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &a->port, port);
}
a->cnt += b->cnt;
} else if (a_ip2 == b_ip2) {
#ifdef DBG
printf("DetectAddressGroupCutIPv4: 2\n");
#endif
//printf("1a: "); DetectAddressDataPrint(a->ad); printf(": "); DbgPrintSigs2(a->sh);
//printf("1b: "); DetectAddressDataPrint(b->ad); printf(": "); DbgPrintSigs2(b->sh);
a->ad->ip[0] = htonl(b_ip1);
a->ad->ip2[0] = htonl(a_ip1 - 1);
b->ad->ip[0] = htonl(a_ip1);
b->ad->ip2[0] = htonl(a_ip2);
/* 'a' overlaps 'b' so 'b' needs the 'a' sigs */
SigGroupHeadCopySigs(de_ctx, a->sh, &tmp->sh);
SigGroupHeadClearSigs(a->sh);
SigGroupHeadCopySigs(de_ctx, b->sh, &a->sh);
SigGroupHeadCopySigs(de_ctx, tmp->sh, &b->sh);
SigGroupHeadClearSigs(tmp->sh);
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &tmp->port, a->port);
}
for (port = b->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &a->port, port);
}
for (port = tmp->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &b->port, port);
}
tmp->cnt += a->cnt;
a->cnt = 0;
a->cnt += b->cnt;
b->cnt += tmp->cnt;
tmp->cnt = 0;
} else {
#ifdef DBG
printf("3\n");
#endif
a->ad->ip[0] = htonl(b_ip1);
a->ad->ip2[0] = htonl(a_ip1 - 1);
b->ad->ip[0] = htonl(a_ip1);
b->ad->ip2[0] = htonl(a_ip2);
DetectAddressGroup *tmp_c;
tmp_c = DetectAddressGroupInit();
if (tmp_c == NULL) {
goto error;
}
tmp_c->ad = DetectAddressDataInit();
if (tmp_c->ad == NULL) {
goto error;
}
tmp_c->ad->family = AF_INET;
tmp_c->ad->ip[0] = htonl(a_ip2 + 1);
tmp_c->ad->ip2[0] = htonl(b_ip2);
*c = tmp_c;
if (de_ctx != NULL) {
/* 'a' gets clean and then 'b' sigs
* 'b' gets clean, then 'a' then 'b' sigs
* 'c' gets 'b' sigs */
* 'c' gets 'a' sigs */
SigGroupHeadCopySigs(de_ctx, a->sh, &tmp->sh); /* store old a list */
SigGroupHeadClearSigs(a->sh); /* clean a list */
SigGroupHeadCopySigs(de_ctx, b->sh, &tmp_c->sh); /* copy old b to c */
SigGroupHeadCopySigs(de_ctx, tmp->sh, &tmp_c->sh); /* copy old b to c */
SigGroupHeadCopySigs(de_ctx, b->sh, &a->sh); /* copy old b to a */
SigGroupHeadCopySigs(de_ctx, tmp->sh, &b->sh); /* prepend old a before b */
SigGroupHeadClearSigs(tmp->sh); /* clean tmp list */
@ -310,213 +175,23 @@ int DetectAddressGroupCutIPv4(DetectEngineCtx *de_ctx, DetectAddressGroup *a, De
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &tmp->port, port);
}
for (port = b->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &tmp_c->port, port);
}
for (port = b->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &a->port, port);
}
for (port = tmp->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &b->port, port);
}
for (port = tmp->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &tmp_c->port, port);
}
tmp->cnt += a->cnt;
a->cnt = 0;
tmp_c->cnt += b->cnt;
tmp_c->cnt += tmp->cnt;
a->cnt += b->cnt;
b->cnt += tmp->cnt;
tmp->cnt = 0;
}
/* we have 2 or three parts:
*
* 2 part: [[baba]aaa] or [aaa[abab]]
* part a: b_ip1 <-> b_ip2
* part b: b_ip2 + 1 <-> a_ip2
*
* part a: a_ip1 <-> b_ip1 - 1
* part b: b_ip1 <-> b_ip2
*
* 3 part [aaa[bbb]aaa]
* becomes[aaa[bbb]ccc]
*
* part a: a_ip1 <-> b_ip2 - 1
* part b: b_ip1 <-> b_ip2
* part c: b_ip2 + 1 <-> a_ip2
*/
} else if (r == ADDRESS_EB) {
#ifdef DBG
printf("DetectAddressGroupCutIPv4: r == ADDRESS_EB\n");
#endif
if (a_ip1 == b_ip1) {
#ifdef DBG
printf("DetectAddressGroupCutIPv4: 1\n");
#endif
a->ad->ip[0] = htonl(b_ip1);
a->ad->ip2[0] = htonl(b_ip2);
b->ad->ip[0] = htonl(b_ip2 + 1);
b->ad->ip2[0] = htonl(a_ip2);
/* 'b' overlaps 'a' so a needs the 'b' sigs */
SigGroupHeadCopySigs(de_ctx, b->sh, &tmp->sh);
SigGroupHeadClearSigs(b->sh);
SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh);
SigGroupHeadCopySigs(de_ctx, tmp->sh, &a->sh);
SigGroupHeadClearSigs(tmp->sh);
for (port = b->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &tmp->port, b->port);
}
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &b->port, port);
}
for (port = tmp->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &a->port, port);
}
tmp->cnt += b->cnt;
b->cnt = 0;
b->cnt += a->cnt;
a->cnt += tmp->cnt;
tmp->cnt = 0;
} else if (a_ip2 == b_ip2) {
#ifdef DBG
printf("DetectAddressGroupCutIPv4: 2\n");
#endif
a->ad->ip[0] = htonl(a_ip1);
a->ad->ip2[0] = htonl(b_ip1 - 1);
b->ad->ip[0] = htonl(b_ip1);
b->ad->ip2[0] = htonl(b_ip2);
/* 'a' overlaps 'b' so a needs the 'a' sigs */
SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh);
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &b->port, port);
}
b->cnt += a->cnt;
} else {
#ifdef DBG
printf("DetectAddressGroupCutIPv4: 3\n");
#endif
a->ad->ip[0] = htonl(a_ip1);
a->ad->ip2[0] = htonl(b_ip1 - 1);
b->ad->ip[0] = htonl(b_ip1);
b->ad->ip2[0] = htonl(b_ip2);
DetectAddressGroup *tmp_c;
tmp_c = DetectAddressGroupInit();
if (tmp_c == NULL) {
goto error;
}
tmp_c->ad = DetectAddressDataInit();
if (tmp_c->ad == NULL) {
goto error;
}
tmp_c->ad->family = AF_INET;
tmp_c->ad->ip[0] = htonl(b_ip2 + 1);
tmp_c->ad->ip2[0] = htonl(a_ip2);
*c = tmp_c;
/* 'a' stays the same wrt sigs
* 'b' keeps it's own sigs and gets a's sigs prepended
* 'c' gets 'a' sigs */
SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh);
SigGroupHeadCopySigs(de_ctx, a->sh, &tmp_c->sh);
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &b->port, port);
}
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &tmp_c->port, port);
}
b->cnt += a->cnt;
tmp_c->cnt += a->cnt;
}
}
if (tmp != NULL)
DetectAddressGroupFree(tmp);
return 0;
error:
if (tmp != NULL)
DetectAddressGroupFree(tmp);
return -1;
}
/* a = 1.2.3.4, b = 1.2.3.4-1.2.3.5
* must result in: a == 1.2.3.4, b == 1.2.3.5, c == NULL
*
* a = 1.2.3.4, b = 1.2.3.3-1.2.3.5
* must result in: a == 1.2.3.3, b == 1.2.3.4, c == 1.2.3.5
*
* a = 1.2.3.0/24 b = 1.2.3.128-1.2.4.10
* must result in: a == 1.2.3.0/24, b == 1.2.4.0-1.2.4.10, c == NULL
*
* a = 1.2.3.4, b = 1.2.3.0/24
* must result in: a == 1.2.3.0-1.2.3.3, b == 1.2.3.4, c == 1.2.3.5-1.2.3.255
*/
int DetectAddressCutIPv4(DetectAddressData *a, DetectAddressData *b, DetectAddressData **c) {
uint32_t a_ip1 = ntohl(a->ip[0]);
uint32_t a_ip2 = ntohl(a->ip2[0]);
uint32_t b_ip1 = ntohl(b->ip[0]);
uint32_t b_ip2 = ntohl(b->ip2[0]);
/* default to NULL */
*c = NULL;
int r = DetectAddressCmpIPv4(a,b);
if (r != ADDRESS_ES && r != ADDRESS_EB && r != ADDRESS_LE && r != ADDRESS_GE) {
goto error;
}
/* we have 3 parts: [aaa[abab]bbb]
* part a: a_ip1 <-> b_ip1 - 1
* part b: b_ip1 <-> a_ip2
* part c: a_ip2 + 1 <-> b_ip2
*/
if (r == ADDRESS_LE) {
a->ip[0] = htonl(a_ip1);
a->ip2[0] = htonl(b_ip1 - 1);
b->ip[0] = htonl(b_ip1);
b->ip2[0] = htonl(a_ip2);
DetectAddressData *tmp_c;
tmp_c = DetectAddressDataInit();
if (tmp_c == NULL) {
goto error;
}
tmp_c->family = AF_INET;
tmp_c->ip[0] = htonl(a_ip2 + 1);
tmp_c->ip2[0] = htonl(b_ip2);
*c = tmp_c;
/* we have 3 parts: [bbb[baba]aaa]
* part a: b_ip1 <-> a_ip1 - 1
* part b: a_ip1 <-> b_ip2
* part c: b_ip2 + 1 <-> a_ip2
*/
} else if (r == ADDRESS_GE) {
a->ip[0] = htonl(b_ip1);
a->ip2[0] = htonl(a_ip1 - 1);
b->ip[0] = htonl(a_ip1);
b->ip2[0] = htonl(b_ip2);
DetectAddressData *tmp_c;
tmp_c = DetectAddressDataInit();
if (tmp_c == NULL) {
goto error;
}
tmp_c->family = AF_INET;
tmp_c->ip[0] = htonl(b_ip2 + 1);
tmp_c->ip2[0] = htonl(a_ip2);
*c = tmp_c;
/* we have 2 or three parts:
*
@ -528,39 +203,119 @@ int DetectAddressCutIPv4(DetectAddressData *a, DetectAddressData *b, DetectAddre
* part b: a_ip1 <-> a_ip2
*
* 3 part [bbb[aaa]bbb]
* becomes[aaa[bbb]ccc]
*
* part a: b_ip1 <-> a_ip1 - 1
* part b: a_ip1 <-> a_ip2
* part c: a_ip2 + 1 <-> b_ip2
*/
} else if (r == ADDRESS_ES) {
#ifdef DBG
printf("DetectAddressGroupCutIPv4: r == ADDRESS_ES\n");
#endif
if (a_ip1 == b_ip1) {
#ifdef DBG
printf("DetectAddressGroupCutIPv4: 1\n");
#endif
a->ip[0] = htonl(a_ip1);
a->ip2[0] = htonl(a_ip2);
b->ip[0] = htonl(a_ip2 + 1);
b->ip2[0] = htonl(b_ip2);
if (de_ctx != NULL) {
/* 'b' overlaps 'a' so 'a' needs the 'b' sigs */
SigGroupHeadCopySigs(de_ctx, b->sh, &a->sh);
for (port = b->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &a->port, port);
}
a->cnt += b->cnt;
}
} else if (a_ip2 == b_ip2) {
#ifdef DBG
printf("DetectAddressGroupCutIPv4: 2\n");
#endif
a->ip[0] = htonl(b_ip1);
a->ip2[0] = htonl(a_ip1 - 1);
b->ip[0] = htonl(a_ip1);
b->ip2[0] = htonl(a_ip2);
if (de_ctx != NULL) {
/* 'a' overlaps 'b' so 'b' needs the 'a' sigs */
SigGroupHeadCopySigs(de_ctx, a->sh, &tmp->sh);
SigGroupHeadClearSigs(a->sh);
SigGroupHeadCopySigs(de_ctx, b->sh, &a->sh);
SigGroupHeadCopySigs(de_ctx, tmp->sh, &b->sh);
SigGroupHeadClearSigs(tmp->sh);
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &tmp->port, a->port);
}
for (port = b->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &a->port, port);
}
for (port = tmp->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &b->port, port);
}
tmp->cnt += a->cnt;
a->cnt = 0;
a->cnt += b->cnt;
b->cnt += tmp->cnt;
tmp->cnt = 0;
}
} else {
#ifdef DBG
printf("3\n");
#endif
a->ip[0] = htonl(b_ip1);
a->ip2[0] = htonl(a_ip1 - 1);
b->ip[0] = htonl(a_ip1);
b->ip2[0] = htonl(a_ip2);
DetectAddressData *tmp_c;
tmp_c = DetectAddressDataInit();
DetectAddressGroup *tmp_c;
tmp_c = DetectAddressGroupInit();
if (tmp_c == NULL) {
goto error;
}
tmp_c->family = AF_INET;
tmp_c->ip[0] = htonl(a_ip2 + 1);
tmp_c->ip2[0] = htonl(b_ip2);
*c = tmp_c;
if (de_ctx != NULL) {
/* 'a' gets clean and then 'b' sigs
* 'b' gets clean, then 'a' then 'b' sigs
* 'c' gets 'b' sigs */
SigGroupHeadCopySigs(de_ctx, a->sh, &tmp->sh); /* store old a list */
SigGroupHeadClearSigs(a->sh); /* clean a list */
SigGroupHeadCopySigs(de_ctx, b->sh, &tmp_c->sh); /* copy old b to c */
SigGroupHeadCopySigs(de_ctx, b->sh, &a->sh); /* copy old b to a */
SigGroupHeadCopySigs(de_ctx, tmp->sh, &b->sh); /* prepend old a before b */
SigGroupHeadClearSigs(tmp->sh); /* clean tmp list */
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &tmp->port, port);
}
for (port = b->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &tmp_c->port, port);
}
for (port = b->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &a->port, port);
}
for (port = tmp->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &b->port, port);
}
tmp->cnt += a->cnt;
a->cnt = 0;
tmp_c->cnt += b->cnt;
a->cnt += b->cnt;
b->cnt += tmp->cnt;
tmp->cnt = 0;
}
}
/* we have 2 or three parts:
*
@ -572,45 +327,117 @@ int DetectAddressCutIPv4(DetectAddressData *a, DetectAddressData *b, DetectAddre
* part b: b_ip1 <-> b_ip2
*
* 3 part [aaa[bbb]aaa]
* becomes[aaa[bbb]ccc]
*
* part a: a_ip1 <-> b_ip2 - 1
* part b: b_ip1 <-> b_ip2
* part c: b_ip2 + 1 <-> a_ip2
*/
} else if (r == ADDRESS_EB) {
#ifdef DBG
printf("DetectAddressGroupCutIPv4: r == ADDRESS_EB\n");
#endif
if (a_ip1 == b_ip1) {
#ifdef DBG
printf("DetectAddressGroupCutIPv4: 1\n");
#endif
a->ip[0] = htonl(b_ip1);
a->ip2[0] = htonl(b_ip2);
b->ip[0] = htonl(b_ip2 + 1);
b->ip2[0] = htonl(a_ip2);
if (de_ctx != NULL) {
/* 'b' overlaps 'a' so a needs the 'b' sigs */
SigGroupHeadCopySigs(de_ctx, b->sh, &tmp->sh);
SigGroupHeadClearSigs(b->sh);
SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh);
SigGroupHeadCopySigs(de_ctx, tmp->sh, &a->sh);
SigGroupHeadClearSigs(tmp->sh);
for (port = b->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &tmp->port, b->port);
}
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &b->port, port);
}
for (port = tmp->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &a->port, port);
}
tmp->cnt += b->cnt;
b->cnt = 0;
b->cnt += a->cnt;
a->cnt += tmp->cnt;
tmp->cnt = 0;
}
} else if (a_ip2 == b_ip2) {
#ifdef DBG
printf("DetectAddressGroupCutIPv4: 2\n");
#endif
a->ip[0] = htonl(a_ip1);
a->ip2[0] = htonl(b_ip1 - 1);
b->ip[0] = htonl(b_ip1);
b->ip2[0] = htonl(b_ip2);
if (de_ctx != NULL) {
/* 'a' overlaps 'b' so a needs the 'a' sigs */
SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh);
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &b->port, port);
}
b->cnt += a->cnt;
}
} else {
#ifdef DBG
printf("DetectAddressGroupCutIPv4: 3\n");
#endif
a->ip[0] = htonl(a_ip1);
a->ip2[0] = htonl(b_ip1 - 1);
b->ip[0] = htonl(b_ip1);
b->ip2[0] = htonl(b_ip2);
DetectAddressData *tmp_c;
tmp_c = DetectAddressDataInit();
DetectAddressGroup *tmp_c;
tmp_c = DetectAddressGroupInit();
if (tmp_c == NULL) {
goto error;
}
tmp_c->family = AF_INET;
tmp_c->ip[0] = htonl(b_ip2 + 1);
tmp_c->ip2[0] = htonl(a_ip2);
*c = tmp_c;
if (de_ctx != NULL) {
/* 'a' stays the same wrt sigs
* 'b' keeps it's own sigs and gets a's sigs prepended
* 'c' gets 'a' sigs */
SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh);
SigGroupHeadCopySigs(de_ctx, a->sh, &tmp_c->sh);
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &b->port, port);
}
for (port = a->port; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &tmp_c->port, port);
}
b->cnt += a->cnt;
tmp_c->cnt += a->cnt;
}
}
}
if (tmp != NULL)
DetectAddressGroupFree(tmp);
return 0;
error:
if (tmp != NULL)
DetectAddressGroupFree(tmp);
return -1;
}
@ -622,32 +449,32 @@ error:
int DetectAddressGroupIsCompleteIPSpaceIPv4(DetectAddressGroup *ag) {
uint32_t next_ip = 0;
if (ag == NULL || ag->ad == NULL)
if (ag == NULL)
return 0;
/* if we don't start with 0.0.0.0 we know we're good */
if (ntohl(ag->ad->ip[0]) != 0x00000000)
if (ntohl(ag->ip[0]) != 0x00000000)
return 0;
/* if we're ending with 255.255.255.255 while we know
we started with 0.0.0.0 it's the complete space */
if (ntohl(ag->ad->ip2[0]) == 0xFFFFFFFF)
if (ntohl(ag->ip2[0]) == 0xFFFFFFFF)
return 1;
next_ip = htonl(ntohl(ag->ad->ip2[0]) + 1);
next_ip = htonl(ntohl(ag->ip2[0]) + 1);
ag = ag->next;
for ( ; ag != NULL; ag = ag->next) {
if (ag == NULL || ag->ad == NULL)
if (ag == NULL)
return 0;
if (ag->ad->ip[0] != next_ip)
if (ag->ip[0] != next_ip)
return 0;
if (ntohl(ag->ad->ip2[0]) == 0xFFFFFFFF)
if (ntohl(ag->ip2[0]) == 0xFFFFFFFF)
return 1;
next_ip = htonl(ntohl(ag->ad->ip2[0]) + 1);
next_ip = htonl(ntohl(ag->ip2[0]) + 1);
}
return 0;
@ -663,7 +490,7 @@ int DetectAddressGroupIsCompleteIPSpaceIPv4(DetectAddressGroup *ag) {
* must result in: a == 0.0.0.0-255.255.255.254, b == NULL
*
*/
int DetectAddressCutNotIPv4(DetectAddressData *a, DetectAddressData **b) {
int DetectAddressGroupCutNotIPv4(DetectAddressGroup *a, DetectAddressGroup **b) {
uint32_t a_ip1 = ntohl(a->ip[0]);
uint32_t a_ip2 = ntohl(a->ip2[0]);
@ -674,8 +501,7 @@ int DetectAddressCutNotIPv4(DetectAddressData *a, DetectAddressData **b) {
a->ip[0] = htonl(0x00000000);
a->ip2[0] = htonl(a_ip1 - 1);
DetectAddressData *tmp_b;
tmp_b = DetectAddressDataInit();
DetectAddressGroup *tmp_b = DetectAddressGroupInit();
if (tmp_b == NULL) {
goto error;
}
@ -685,11 +511,11 @@ int DetectAddressCutNotIPv4(DetectAddressData *a, DetectAddressData **b) {
*b = tmp_b;
} else if (a_ip1 == 0x00000000 && a_ip2 != 0xFFFFFFFF) {
a->ip[0] = htonl(a_ip2 + 1);
a->ip[0] = htonl(a_ip2 + 1);
a->ip2[0] = htonl(0xFFFFFFFF);
} else if (a_ip1 != 0x00000000 && a_ip2 == 0xFFFFFFFF) {
a->ip[0] = htonl(0x00000000);
a->ip[0] = htonl(0x00000000);
a->ip2[0] = htonl(a_ip1 - 1);
} else {
goto error;
@ -702,11 +528,11 @@ error:
}
int DetectAddressGroupJoinIPv4(DetectEngineCtx *de_ctx, DetectAddressGroup *target, DetectAddressGroup *source) {
if (ntohl(source->ad->ip[0]) < ntohl(target->ad->ip[0]))
target->ad->ip[0] = source->ad->ip[0];
if (ntohl(source->ip[0]) < ntohl(target->ip[0]))
target->ip[0] = source->ip[0];
if (ntohl(source->ad->ip2[0]) > ntohl(target->ad->ip2[0]))
target->ad->ip2[0] = source->ad->ip2[0];
if (ntohl(source->ip2[0]) > ntohl(target->ip2[0]))
target->ip2[0] = source->ip2[0];
return 0;
}

7
src/detect-engine-address-ipv4.h
Unescape Escape View File

@ -6,9 +6,10 @@
#ifndef __DETECT_ENGINE_ADDRESS_IPV4_H__
#define __DETECT_ENGINE_ADDRESS_IPV4_H__
int DetectAddressCmpIPv4(DetectAddressData *, DetectAddressData *);
int DetectAddressCutIPv4(DetectAddressData *, DetectAddressData *, DetectAddressData **);
int DetectAddressCutNotIPv4(DetectAddressData *, DetectAddressData **);
//int DetectAddressCmpIPv4(DetectAddressData *, DetectAddressData *);
//int DetectAddressCutIPv4(DetectAddressData *, DetectAddressData *, DetectAddressData **);
int DetectAddressGroupCutNotIPv4(DetectAddressGroup *, DetectAddressGroup **);
int DetectAddressGroupCmpIPv4(DetectAddressGroup *a, DetectAddressGroup *b);
int DetectAddressGroupCutIPv4(DetectEngineCtx *, DetectAddressGroup *, DetectAddressGroup *, DetectAddressGroup **);
int DetectAddressGroupJoinIPv4(DetectEngineCtx *, DetectAddressGroup *target, DetectAddressGroup *source);

153
src/detect-engine-address-ipv6.c
Unescape Escape View File

@ -81,7 +81,7 @@ int AddressIPv6Ge(uint32_t *a, uint32_t *b) {
return 0;
}
int DetectAddressCmpIPv6(DetectAddressData *a, DetectAddressData *b) {
int DetectAddressGroupCmpIPv6(DetectAddressGroup *a, DetectAddressGroup *b) {
/* ADDRESS_EQ */
if (AddressIPv6Eq(a->ip, b->ip) == 1 &&
AddressIPv6Eq(a->ip2, b->ip2) == 1) {
@ -193,21 +193,21 @@ static void AddressCutIPv6Copy(uint32_t *a, uint32_t *b) {
}
int DetectAddressGroupCutIPv6(DetectEngineCtx *de_ctx, DetectAddressGroup *a, DetectAddressGroup *b, DetectAddressGroup **c) {
uint32_t a_ip1[4] = { ntohl(a->ad->ip[0]), ntohl(a->ad->ip[1]),
ntohl(a->ad->ip[2]), ntohl(a->ad->ip[3]) };
uint32_t a_ip2[4] = { ntohl(a->ad->ip2[0]), ntohl(a->ad->ip2[1]),
ntohl(a->ad->ip2[2]), ntohl(a->ad->ip2[3]) };
uint32_t b_ip1[4] = { ntohl(b->ad->ip[0]), ntohl(b->ad->ip[1]),
ntohl(b->ad->ip[2]), ntohl(b->ad->ip[3]) };
uint32_t b_ip2[4] = { ntohl(b->ad->ip2[0]), ntohl(b->ad->ip2[1]),
ntohl(b->ad->ip2[2]), ntohl(b->ad->ip2[3]) };
uint32_t a_ip1[4] = { ntohl(a->ip[0]), ntohl(a->ip[1]),
ntohl(a->ip[2]), ntohl(a->ip[3]) };
uint32_t a_ip2[4] = { ntohl(a->ip2[0]), ntohl(a->ip2[1]),
ntohl(a->ip2[2]), ntohl(a->ip2[3]) };
uint32_t b_ip1[4] = { ntohl(b->ip[0]), ntohl(b->ip[1]),
ntohl(b->ip[2]), ntohl(b->ip[3]) };
uint32_t b_ip2[4] = { ntohl(b->ip2[0]), ntohl(b->ip2[1]),
ntohl(b->ip2[2]), ntohl(b->ip2[3]) };
DetectPort *port = NULL;
DetectAddressGroup *tmp = NULL;
/* default to NULL */
*c = NULL;
int r = DetectAddressCmpIPv6(a->ad,b->ad);
int r = DetectAddressGroupCmpIPv6(a,b);
if (r != ADDRESS_ES && r != ADDRESS_EB && r != ADDRESS_LE && r != ADDRESS_GE) {
goto error;
}
@ -225,24 +225,20 @@ int DetectAddressGroupCutIPv6(DetectEngineCtx *de_ctx, DetectAddressGroup *a, De
* part c: a_ip2 + 1 <-> b_ip2
*/
if (r == ADDRESS_LE) {
AddressCutIPv6Copy(a_ip1, a->ad->ip);
AddressCutIPv6CopySubOne(b_ip1, a->ad->ip2);
AddressCutIPv6Copy(a_ip1, a->ip);
AddressCutIPv6CopySubOne(b_ip1, a->ip2);
AddressCutIPv6Copy(b_ip1, b->ad->ip);
AddressCutIPv6Copy(a_ip2, b->ad->ip2);
AddressCutIPv6Copy(b_ip1, b->ip);
AddressCutIPv6Copy(a_ip2, b->ip2);
DetectAddressGroup *tmp_c;
tmp_c = DetectAddressGroupInit();
if (tmp_c == NULL) {
goto error;
}
tmp_c->ad = DetectAddressDataInit();
if (tmp_c->ad == NULL) {
goto error;
}
tmp_c->ad->family = AF_INET6;
AddressCutIPv6CopyAddOne(a_ip2, tmp_c->ad->ip);
AddressCutIPv6Copy(b_ip2, tmp_c->ad->ip2);
tmp_c->family = AF_INET6;
AddressCutIPv6CopyAddOne(a_ip2, tmp_c->ip);
AddressCutIPv6Copy(b_ip2, tmp_c->ip2);
*c = tmp_c;
SigGroupHeadCopySigs(de_ctx, b->sh, &tmp_c->sh); /* copy old b to c */
@ -264,24 +260,20 @@ int DetectAddressGroupCutIPv6(DetectEngineCtx *de_ctx, DetectAddressGroup *a, De
* part c: b_ip2 + 1 <-> a_ip2
*/
} else if (r == ADDRESS_GE) {
AddressCutIPv6Copy(b_ip1, a->ad->ip);
AddressCutIPv6CopySubOne(a_ip1, a->ad->ip2);
AddressCutIPv6Copy(b_ip1, a->ip);
AddressCutIPv6CopySubOne(a_ip1, a->ip2);
AddressCutIPv6Copy(a_ip1, b->ad->ip);
AddressCutIPv6Copy(b_ip2, b->ad->ip2);
AddressCutIPv6Copy(a_ip1, b->ip);
AddressCutIPv6Copy(b_ip2, b->ip2);
DetectAddressGroup *tmp_c;
tmp_c = DetectAddressGroupInit();
if (tmp_c == NULL) {
goto error;
}
tmp_c->ad = DetectAddressDataInit();
if (tmp_c->ad == NULL) {
goto error;
}
tmp_c->ad->family = AF_INET6;
AddressCutIPv6CopyAddOne(b_ip2, tmp_c->ad->ip);
AddressCutIPv6Copy(a_ip2, tmp_c->ad->ip2);
tmp_c->family = AF_INET6;
AddressCutIPv6CopyAddOne(b_ip2, tmp_c->ip);
AddressCutIPv6Copy(a_ip2, tmp_c->ip2);
*c = tmp_c;
/* 'a' gets clean and then 'b' sigs
@ -331,11 +323,11 @@ int DetectAddressGroupCutIPv6(DetectEngineCtx *de_ctx, DetectAddressGroup *a, De
*/
} else if (r == ADDRESS_ES) {
if (AddressIPv6Eq(a_ip1,b_ip1) == 1) {
AddressCutIPv6Copy(a_ip1, a->ad->ip);
AddressCutIPv6Copy(a_ip2, a->ad->ip2);
AddressCutIPv6Copy(a_ip1, a->ip);
AddressCutIPv6Copy(a_ip2, a->ip2);
AddressCutIPv6CopyAddOne(a_ip2, b->ad->ip);
AddressCutIPv6Copy(b_ip2, b->ad->ip2);
AddressCutIPv6CopyAddOne(a_ip2, b->ip);
AddressCutIPv6Copy(b_ip2, b->ip2);
/* 'b' overlaps 'a' so 'a' needs the 'b' sigs */
SigGroupHeadCopySigs(de_ctx, b->sh,&a->sh);
@ -346,11 +338,11 @@ int DetectAddressGroupCutIPv6(DetectEngineCtx *de_ctx, DetectAddressGroup *a, De
a->cnt += b->cnt;
} else if (AddressIPv6Eq(a_ip2, b_ip2) == 1) {
AddressCutIPv6Copy(b_ip1, a->ad->ip);
AddressCutIPv6CopySubOne(a_ip1, a->ad->ip2);
AddressCutIPv6Copy(b_ip1, a->ip);
AddressCutIPv6CopySubOne(a_ip1, a->ip2);
AddressCutIPv6Copy(a_ip1, b->ad->ip);
AddressCutIPv6Copy(a_ip2, b->ad->ip2);
AddressCutIPv6Copy(a_ip1, b->ip);
AddressCutIPv6Copy(a_ip2, b->ip2);
/* 'a' overlaps 'b' so 'b' needs the 'a' sigs */
SigGroupHeadCopySigs(de_ctx, a->sh, &tmp->sh);
@ -374,24 +366,20 @@ int DetectAddressGroupCutIPv6(DetectEngineCtx *de_ctx, DetectAddressGroup *a, De
b->cnt += tmp->cnt;
tmp->cnt = 0;
} else {
AddressCutIPv6Copy(b_ip1, a->ad->ip);
AddressCutIPv6CopySubOne(a_ip1, a->ad->ip2);
AddressCutIPv6Copy(b_ip1, a->ip);
AddressCutIPv6CopySubOne(a_ip1, a->ip2);
AddressCutIPv6Copy(a_ip1, b->ad->ip);
AddressCutIPv6Copy(a_ip2, b->ad->ip2);
AddressCutIPv6Copy(a_ip1, b->ip);
AddressCutIPv6Copy(a_ip2, b->ip2);
DetectAddressGroup *tmp_c;
tmp_c = DetectAddressGroupInit();
if (tmp_c == NULL) {
goto error;
}
tmp_c->ad = DetectAddressDataInit();
if (tmp_c->ad == NULL) {
goto error;
}
tmp_c->ad->family = AF_INET6;
AddressCutIPv6CopyAddOne(a_ip2, tmp_c->ad->ip);
AddressCutIPv6Copy(b_ip2, tmp_c->ad->ip2);
tmp_c->family = AF_INET6;
AddressCutIPv6CopyAddOne(a_ip2, tmp_c->ip);
AddressCutIPv6Copy(b_ip2, tmp_c->ip2);
*c = tmp_c;
/* 'a' gets clean and then 'b' sigs
@ -440,11 +428,11 @@ int DetectAddressGroupCutIPv6(DetectEngineCtx *de_ctx, DetectAddressGroup *a, De
*/
} else if (r == ADDRESS_EB) {
if (AddressIPv6Eq(a_ip1, b_ip1) == 1) {
AddressCutIPv6Copy(b_ip1, a->ad->ip);
AddressCutIPv6Copy(b_ip2, a->ad->ip2);
AddressCutIPv6Copy(b_ip1, a->ip);
AddressCutIPv6Copy(b_ip2, a->ip2);
AddressCutIPv6CopyAddOne(b_ip2, b->ad->ip);
AddressCutIPv6Copy(a_ip2, b->ad->ip2);
AddressCutIPv6CopyAddOne(b_ip2, b->ip);
AddressCutIPv6Copy(a_ip2, b->ip2);
/* 'b' overlaps 'a' so a needs the 'b' sigs */
SigGroupHeadCopySigs(de_ctx, b->sh, &tmp->sh);
@ -468,11 +456,11 @@ int DetectAddressGroupCutIPv6(DetectEngineCtx *de_ctx, DetectAddressGroup *a, De
a->cnt += tmp->cnt;
tmp->cnt = 0;
} else if (AddressIPv6Eq(a_ip2, b_ip2) == 1) {
AddressCutIPv6Copy(a_ip1, a->ad->ip);
AddressCutIPv6CopySubOne(b_ip1, a->ad->ip2);
AddressCutIPv6Copy(a_ip1, a->ip);
AddressCutIPv6CopySubOne(b_ip1, a->ip2);
AddressCutIPv6Copy(b_ip1, b->ad->ip);
AddressCutIPv6Copy(b_ip2, b->ad->ip2);
AddressCutIPv6Copy(b_ip1, b->ip);
AddressCutIPv6Copy(b_ip2, b->ip2);
/* 'a' overlaps 'b' so a needs the 'a' sigs */
SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh);
@ -483,24 +471,20 @@ int DetectAddressGroupCutIPv6(DetectEngineCtx *de_ctx, DetectAddressGroup *a, De
b->cnt += a->cnt;
} else {
AddressCutIPv6Copy(a_ip1, a->ad->ip);
AddressCutIPv6CopySubOne(b_ip1, a->ad->ip2);
AddressCutIPv6Copy(a_ip1, a->ip);
AddressCutIPv6CopySubOne(b_ip1, a->ip2);
AddressCutIPv6Copy(b_ip1, b->ad->ip);
AddressCutIPv6Copy(b_ip2, b->ad->ip2);
AddressCutIPv6Copy(b_ip1, b->ip);
AddressCutIPv6Copy(b_ip2, b->ip2);
DetectAddressGroup *tmp_c;
tmp_c = DetectAddressGroupInit();
if (tmp_c == NULL) {
goto error;
}
tmp_c->ad = DetectAddressDataInit();
if (tmp_c->ad == NULL) {
goto error;
}
tmp_c->ad->family = AF_INET6;
AddressCutIPv6CopyAddOne(b_ip2, tmp_c->ad->ip);
AddressCutIPv6Copy(a_ip2, tmp_c->ad->ip2);
tmp_c->family = AF_INET6;
AddressCutIPv6CopyAddOne(b_ip2, tmp_c->ip);
AddressCutIPv6Copy(a_ip2, tmp_c->ip2);
*c = tmp_c;
/* 'a' stays the same wrt sigs
@ -530,7 +514,7 @@ error:
DetectAddressGroupFree(tmp);
return -1;
}
#if 0
int DetectAddressCutIPv6(DetectAddressData *a, DetectAddressData *b, DetectAddressData **c) {
uint32_t a_ip1[4] = { ntohl(a->ip[0]), ntohl(a->ip[1]), ntohl(a->ip[2]), ntohl(a->ip[3]) };
uint32_t a_ip2[4] = { ntohl(a->ip2[0]), ntohl(a->ip2[1]), ntohl(a->ip2[2]), ntohl(a->ip2[3]) };
@ -684,7 +668,7 @@ int DetectAddressCutIPv6(DetectAddressData *a, DetectAddressData *b, DetectAddre
error:
return -1;
}
#endif
/* a = 1.2.3.4
* must result in: a == 0.0.0.0-1.2.3.3, b == 1.2.3.5-255.255.255.255
*
@ -695,7 +679,7 @@ error:
* must result in: a == 0.0.0.0-255.255.255.254, b == NULL
*
*/
int DetectAddressCutNotIPv6(DetectAddressData *a, DetectAddressData **b) {
int DetectAddressGroupCutNotIPv6(DetectAddressGroup *a, DetectAddressGroup **b) {
uint32_t a_ip1[4] = { ntohl(a->ip[0]), ntohl(a->ip[1]), ntohl(a->ip[2]), ntohl(a->ip[3]) };
uint32_t a_ip2[4] = { ntohl(a->ip2[0]), ntohl(a->ip2[1]), ntohl(a->ip2[2]), ntohl(a->ip2[3]) };
uint32_t ip_nul[4] = { 0x00000000, 0x00000000, 0x00000000, 0x00000000 };
@ -712,8 +696,7 @@ int DetectAddressCutNotIPv6(DetectAddressData *a, DetectAddressData **b) {
AddressCutIPv6Copy(ip_nul, a->ip);
AddressCutIPv6CopySubOne(a_ip1, a->ip2);
DetectAddressData *tmp_b;
tmp_b = DetectAddressDataInit();
DetectAddressGroup *tmp_b = DetectAddressGroupInit();
if (tmp_b == NULL) {
goto error;
}
@ -749,18 +732,18 @@ error:
}
int DetectAddressGroupJoinIPv6(DetectEngineCtx *de_ctx, DetectAddressGroup *target, DetectAddressGroup *source) {
if (AddressIPv6Lt(source->ad->ip,target->ad->ip)) {
target->ad->ip[0] = source->ad->ip[0];
target->ad->ip[1] = source->ad->ip[1];
target->ad->ip[2] = source->ad->ip[2];
target->ad->ip[3] = source->ad->ip[3];
if (AddressIPv6Lt(source->ip,target->ip)) {
target->ip[0] = source->ip[0];
target->ip[1] = source->ip[1];
target->ip[2] = source->ip[2];
target->ip[3] = source->ip[3];
}
if (AddressIPv6Gt(source->ad->ip,target->ad->ip)) {
target->ad->ip2[0] = source->ad->ip2[0];
target->ad->ip2[1] = source->ad->ip2[1];
target->ad->ip2[2] = source->ad->ip2[2];
target->ad->ip2[3] = source->ad->ip2[3];
if (AddressIPv6Gt(source->ip,target->ip)) {
target->ip2[0] = source->ip2[0];
target->ip2[1] = source->ip2[1];
target->ip2[2] = source->ip2[2];
target->ip2[3] = source->ip2[3];
}
return 0;

6
src/detect-engine-address-ipv6.h
Unescape Escape View File

@ -12,9 +12,9 @@ int AddressIPv6Eq(uint32_t *, uint32_t *);
int AddressIPv6Le(uint32_t *, uint32_t *);
int AddressIPv6Ge(uint32_t *, uint32_t *);
int DetectAddressCutIPv6(DetectAddressData *, DetectAddressData *, DetectAddressData **);
int DetectAddressCutNotIPv6(DetectAddressData *, DetectAddressData **);
int DetectAddressCmpIPv6(DetectAddressData *, DetectAddressData *);
//int DetectAddressCutIPv6(DetectAddressData *, DetectAddressData *, DetectAddressData **);
int DetectAddressGroupCutNotIPv6(DetectAddressGroup *, DetectAddressGroup **);
int DetectAddressGroupCmpIPv6(DetectAddressGroup *a, DetectAddressGroup *b);
int DetectAddressGroupCutIPv6(DetectEngineCtx *, DetectAddressGroup *, DetectAddressGroup *, DetectAddressGroup **);
int DetectAddressGroupJoinIPv6(DetectEngineCtx *, DetectAddressGroup *, DetectAddressGroup *);

1308
src/detect-engine-address.c
View File

File diff suppressed because it is too large Load Diff

19
src/detect-engine-address.h
Unescape Escape View File

@ -6,18 +6,10 @@ void DetectAddressRegister (void);
DetectAddressGroupsHead *DetectAddressGroupsHeadInit();
void DetectAddressGroupsHeadFree(DetectAddressGroupsHead *);
void DetectAddressGroupsHeadCleanup(DetectAddressGroupsHead *);
DetectAddressData *DetectAddressDataInit(void);
void DetectAddressDataFree(DetectAddressData *);
void DetectAddressDataPrint(DetectAddressData *);
DetectAddressData *DetectAddressDataCopy(DetectAddressData *);
int DetectAddressGroupSetup(DetectAddressGroupsHead *, char *);
int DetectAddressCmp(DetectAddressData *, DetectAddressData *);
DetectAddressData *DetectAddressParse(char *);
DetectAddressGroup *DetectAddressLookupGroup(DetectAddressGroupsHead *, Address *);
int DetectAddressGroupParse(DetectAddressGroupsHead *, char *);
DetectAddressGroup *DetectAddressGroupInit(void);
int DetectAddressGroupAdd(DetectAddressGroup **, DetectAddressGroup *);
DetectAddressGroup *DetectAddressGroupLookup(DetectAddressGroup *, DetectAddressData *);
void DetectAddressGroupPrintList(DetectAddressGroup *);
void DetectAddressGroupFree(DetectAddressGroup *);
int DetectAddressGroupInsert(DetectEngineCtx *, DetectAddressGroupsHead *, DetectAddressGroup *);
@ -25,5 +17,16 @@ void DetectAddressGroupPrintMemory(void);
void DetectAddressGroupCleanupList (DetectAddressGroup *);
int DetectAddressGroupJoin(DetectEngineCtx *, DetectAddressGroup *target, DetectAddressGroup *source);
DetectAddressGroup *DetectAddressLookupGroup(DetectAddressGroupsHead *, Address *);
DetectAddressGroup *DetectAddressGroupLookup(DetectAddressGroup *, DetectAddressGroup *);
/** \brief address only copy of ag */
DetectAddressGroup *DetectAddressGroupCopy(DetectAddressGroup *);
/** \brief debugging: print a detect address */
void DetectAddressPrint(DetectAddressGroup *);
/** \brief compare the address part of two DetectAddress objects */
int DetectAddressCmp(DetectAddressGroup *, DetectAddressGroup *);
/** \brief parse a address string */
DetectAddressGroup *DetectAddressParse(char *);
#endif /* __DETECT_ADDRESS_H__ */

51
src/detect-engine-iponly.c
Unescape Escape View File

@ -40,7 +40,7 @@
static uint32_t IPOnlyHashFunc16(HashListTable *ht, void *data, uint16_t len) {
DetectAddressGroup *gr = (DetectAddressGroup *) data;
uint32_t hash = IPONLY_EXTRACT_16(gr->ad) % ht->array_size;
uint32_t hash = IPONLY_EXTRACT_16(gr) % ht->array_size;
return hash;
}
@ -54,10 +54,10 @@ static uint32_t IPOnlyHashFunc24(HashListTable *ht, void *data, uint16_t len) {
*/
static void IPOnlyAddSlash16(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx, HashListTable *ht, DetectAddressGroup *gr, char direction, Signature *s) {
uint32_t high = ntohl(gr->ad->ip2[0]);
uint32_t low = ntohl(gr->ad->ip[0]);
uint32_t high = ntohl(gr->ip2[0]);
uint32_t low = ntohl(gr->ip[0]);
if ((ntohl(gr->ad->ip2[0]) - ntohl(gr->ad->ip[0])) > 65536) {
if ((ntohl(gr->ip2[0]) - ntohl(gr->ip[0])) > 65536) {
//printf("Bigger than a class/16:\n"); DetectAddressDataPrint(gr->ad);
uint32_t s16_cnt = 0;
@ -65,18 +65,12 @@ static void IPOnlyAddSlash16(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_
while (high > low) {
s16_cnt++;
DetectAddressGroup *grtmp = DetectAddressGroupInit();
DetectAddressGroup *grtmp = DetectAddressGroupCopy(gr);
if (grtmp == NULL) {
goto error;
}
DetectAddressData *adtmp = DetectAddressDataCopy(gr->ad);
if (adtmp == NULL) {
goto error;
}
adtmp->ip[0] = htonl(high - 65535);
adtmp->ip2[0] = htonl(high);
grtmp->ad = adtmp;
grtmp->cnt = 1;
grtmp->ip[0] = htonl(high - 65535);
grtmp->ip2[0] = htonl(high);
SigGroupHeadAppendSig(de_ctx, &grtmp->sh, s);
@ -99,18 +93,12 @@ static void IPOnlyAddSlash16(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_
high = 0;
}
} else {
DetectAddressGroup *grtmp = DetectAddressGroupInit();
DetectAddressGroup *grtmp = DetectAddressGroupCopy(gr);
if (grtmp == NULL) {
goto error;
}
DetectAddressData *adtmp = DetectAddressDataCopy(gr->ad);
if (adtmp == NULL) {
goto error;
}
adtmp->ip[0] = IPONLY_EXTRACT_16(gr->ad);
adtmp->ip2[0] = IPONLY_EXTRACT_16(gr->ad) | IPONLY_HTONL_65535;
grtmp->ad = adtmp;
grtmp->cnt = 1;
grtmp->ip[0] = IPONLY_EXTRACT_16(gr);
grtmp->ip2[0] = IPONLY_EXTRACT_16(gr) | IPONLY_HTONL_65535;
DetectAddressGroup *rgr = HashListTableLookup(ht,grtmp,0);
if (rgr == NULL) {
@ -195,7 +183,7 @@ static char IPOnlyCompareFunc(void *data1, uint16_t len1, void *data2, uint16_t
//printf("IPOnlyCompareFunc: "); DetectAddressDataPrint(a1->ad);
//printf(" "); DetectAddressDataPrint(a2->ad); printf("\n");
if (DetectAddressCmp(a1->ad,a2->ad) != ADDRESS_EQ)
if (DetectAddressCmp(a1,a2) != ADDRESS_EQ)
return 0;
return 1;
@ -228,15 +216,10 @@ void IPOnlyInit(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx) {
/* XXX error checking */
void DetectEngineIPOnlyThreadInit(DetectEngineCtx *de_ctx, DetectEngineIPOnlyThreadCtx *io_tctx) {
DetectAddressData *sad = DetectAddressDataInit();
sad->family = AF_INET;
DetectAddressData *dad = DetectAddressDataInit();
dad->family = AF_INET;
io_tctx->src = DetectAddressGroupInit();
io_tctx->src->ad = sad;
io_tctx->src->family = AF_INET;
io_tctx->dst = DetectAddressGroupInit();
io_tctx->dst->ad = dad;
io_tctx->dst->family = AF_INET;
/* initialize the signature bitarray */
io_tctx->sig_match_size = de_ctx->io_ctx.max_idx / 8 + 1;
@ -285,8 +268,8 @@ void DetectEngineIPOnlyThreadDeinit(DetectEngineIPOnlyThreadCtx *io_tctx) {
}
DetectAddressGroup *IPOnlyLookupSrc16(DetectEngineCtx *de_ctx, DetectEngineIPOnlyThreadCtx *io_tctx, Packet *p) {
io_tctx->src->ad->ip[0] = GET_IPV4_SRC_ADDR_U32(p) & 0x0000ffff;
io_tctx->src->ad->ip2[0] = (GET_IPV4_SRC_ADDR_U32(p) & 0x0000ffff) | IPONLY_HTONL_65535;
io_tctx->src->ip[0] = GET_IPV4_SRC_ADDR_U32(p) & 0x0000ffff;
io_tctx->src->ip2[0] = (GET_IPV4_SRC_ADDR_U32(p) & 0x0000ffff) | IPONLY_HTONL_65535;
//printf("IPOnlyLookupSrc16: "); DetectAddressDataPrint(io_tctx->src->ad); printf("\n");
@ -296,8 +279,8 @@ DetectAddressGroup *IPOnlyLookupSrc16(DetectEngineCtx *de_ctx, DetectEngineIPOnl
}
DetectAddressGroup *IPOnlyLookupDst16(DetectEngineCtx *de_ctx, DetectEngineIPOnlyThreadCtx *io_tctx, Packet *p) {
io_tctx->dst->ad->ip[0] = GET_IPV4_DST_ADDR_U32(p) & 0x0000ffff;
io_tctx->dst->ad->ip2[0] = (GET_IPV4_DST_ADDR_U32(p) & 0x0000ffff) | IPONLY_HTONL_65535;
io_tctx->dst->ip[0] = GET_IPV4_DST_ADDR_U32(p) & 0x0000ffff;
io_tctx->dst->ip2[0] = (GET_IPV4_DST_ADDR_U32(p) & 0x0000ffff) | IPONLY_HTONL_65535;
//printf("IPOnlyLookupDst16: "); DetectAddressDataPrint(io_tctx->dst->ad); printf("\n");

8
src/detect-engine.c
Unescape Escape View File

@ -71,16 +71,16 @@ void DetectEngineCtxFree(DetectEngineCtx *de_ctx) {
free(de_ctx->sig_array);
free(de_ctx);
DetectAddressGroupPrintMemory();
DetectSigGroupPrintMemory();
DetectPortPrintMemory();
//DetectAddressGroupPrintMemory();
//DetectSigGroupPrintMemory();
//DetectPortPrintMemory();
}
/*
* getting & (re)setting the internal sig i
*/
uint32_t DetectEngineGetMaxSigId(DetectEngineCtx *de_ctx) {
inline uint32_t DetectEngineGetMaxSigId(DetectEngineCtx *de_ctx) {
return de_ctx->signum;
}

2
src/detect-engine.h
Unescape Escape View File

@ -7,7 +7,7 @@
DetectEngineCtx *DetectEngineCtxInit(void);
void DetectEngineCtxFree(DetectEngineCtx *);
uint32_t DetectEngineGetMaxSigId(DetectEngineCtx *);
inline uint32_t DetectEngineGetMaxSigId(DetectEngineCtx *);
void DetectEngineResetMaxSigId(DetectEngineCtx *);
#endif /* __DETECT_ENGINE_H__ */

155
src/detect.c
Unescape Escape View File

@ -733,7 +733,6 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) {
for (gr = tmp_s->src.ipv4_head; gr != NULL; gr = gr->next) {
//printf("Stage1: ip4 ");DetectAddressDataPrint(gr->ad);printf("\n");
if (SigGroupHeadAppendSig(de_ctx, &gr->sh, tmp_s) < 0) {
goto error;
}
@ -786,29 +785,29 @@ static int DetectEngineLookupBuildSourceAddressList(DetectEngineCtx *de_ctx, Det
/* for each source address group in the signature... */
for (gr = head; gr != NULL; gr = gr->next) {
BUG_ON(gr->family == 0 && !(gr->flags & ADDRESS_FLAG_ANY));
/* ...and each protocol the signature matches on... */
for (proto = 0; proto < 256; proto++) {
if ((s->proto.proto[(proto/8)] & (1<<(proto%8))) || (s->proto.flags & DETECT_PROTO_ANY)) {
/* ...see if the group is in the tmp list, and if not add it. */
if (family == AF_INET) {
lookup_gr = DetectAddressGroupLookup(flow_gh->tmp_gh[proto]->ipv4_head,gr->ad);
lookup_gr = DetectAddressGroupLookup(flow_gh->tmp_gh[proto]->ipv4_head,gr);
} else if (family == AF_INET6) {
lookup_gr = DetectAddressGroupLookup(flow_gh->tmp_gh[proto]->ipv6_head,gr->ad);
lookup_gr = DetectAddressGroupLookup(flow_gh->tmp_gh[proto]->ipv6_head,gr);
} else {
lookup_gr = DetectAddressGroupLookup(flow_gh->tmp_gh[proto]->any_head,gr->ad);
lookup_gr = DetectAddressGroupLookup(flow_gh->tmp_gh[proto]->any_head,gr);
}
if (lookup_gr == NULL) {
DetectAddressGroup *grtmp = DetectAddressGroupInit();
BUG_ON(gr->family == 0 && !(gr->flags & ADDRESS_FLAG_ANY));
DetectAddressGroup *grtmp = DetectAddressGroupCopy(gr);
if (grtmp == NULL) {
goto error;
}
DetectAddressData *adtmp = DetectAddressDataCopy(gr->ad);
if (adtmp == NULL) {
goto error;
}
grtmp->ad = adtmp;
grtmp->cnt = 1;
BUG_ON(grtmp->family == 0 && !(grtmp->flags & ADDRESS_FLAG_ANY));
SigGroupHeadAppendSig(de_ctx, &grtmp->sh, s);
@ -821,6 +820,8 @@ static int DetectEngineLookupBuildSourceAddressList(DetectEngineCtx *de_ctx, Det
DetectAddressGroupAdd(&flow_gh->tmp_gh[proto]->any_head, grtmp);
}
} else {
BUG_ON(lookup_gr->family == 0 && !(lookup_gr->flags & ADDRESS_FLAG_ANY));
/* our group will only have one sig, this one. So add that. */
SigGroupHeadAppendSig(de_ctx, &lookup_gr->sh, s);
lookup_gr->cnt++;
@ -1049,33 +1050,26 @@ int CreateGroupedAddrList(DetectEngineCtx *de_ctx, DetectAddressGroup *srchead,
/* insert the addresses into the tmplist, where it will
* be sorted descending on 'cnt'. */
for (gr = srchead; gr != NULL; gr = gr->next) {
BUG_ON(gr->family == 0 && !(gr->flags & ADDRESS_FLAG_ANY));
SigGroupHeadSetMpmMaxlen(de_ctx, gr->sh);
if (SMALL_MPM(gr->sh->mpm_content_maxlen) && unique_groups > 0)
unique_groups++;
//printf(" 1 -= Address "); DetectAddressDataPrint(gr->ad); printf("\n");
//printf(" : "); DbgPrintSigs2(de_ctx, gr->sh);
groups++;
/* alloc a copy */
DetectAddressGroup *newtmp = DetectAddressGroupInit();
DetectAddressGroup *newtmp = DetectAddressGroupCopy(gr);
if (newtmp == NULL) {
goto error;
}
DetectAddressData *adtmp = DetectAddressDataCopy(gr->ad);
if (adtmp == NULL) {
goto error;
}
newtmp->ad = adtmp;
newtmp->cnt = gr->cnt;
SigGroupHeadCopySigs(de_ctx, gr->sh,&newtmp->sh);
DetectPort *port = gr->port;
for ( ; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx,&newtmp->port, port);
newtmp->flags |= ADDRESS_GROUP_HAVEPORT;
newtmp->flags |= ADDRESS_HAVEPORT;
}
/* insert it */
@ -1111,47 +1105,37 @@ int CreateGroupedAddrList(DetectEngineCtx *de_ctx, DetectAddressGroup *srchead,
if (i == 0) i = groups;
for (gr = tmplist; gr != NULL; ) {
BUG_ON(gr->family == 0 && !(gr->flags & ADDRESS_FLAG_ANY));
if (i == 0) {
if (joingr == NULL) {
joingr = DetectAddressGroupInit();
joingr = DetectAddressGroupCopy(gr);
if (joingr == NULL) {
goto error;
}
DetectAddressData *adtmp = DetectAddressDataCopy(gr->ad);
if (adtmp == NULL) {
goto error;
}
joingr->ad = adtmp;
joingr->cnt = gr->cnt;
SigGroupHeadCopySigs(de_ctx,gr->sh,&joingr->sh);
DetectPort *port = gr->port;
for ( ; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx,&joingr->port, port);
joingr->flags |= ADDRESS_GROUP_HAVEPORT;
joingr->flags |= ADDRESS_HAVEPORT;
}
} else {
DetectAddressGroupJoin(de_ctx, joingr, gr);
}
} else {
DetectAddressGroup *newtmp = DetectAddressGroupInit();
DetectAddressGroup *newtmp = DetectAddressGroupCopy(gr);
if (newtmp == NULL) {
goto error;
}
DetectAddressData *adtmp = DetectAddressDataCopy(gr->ad);
if (adtmp == NULL) {
goto error;
}
newtmp->ad = adtmp;
newtmp->cnt = gr->cnt;
SigGroupHeadCopySigs(de_ctx,gr->sh,&newtmp->sh);
DetectPort *port = gr->port;
for ( ; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx,&newtmp->port, port);
newtmp->flags |= ADDRESS_GROUP_HAVEPORT;
newtmp->flags |= ADDRESS_HAVEPORT;
}
if (tmplist2 == NULL) {
@ -1174,23 +1158,19 @@ int CreateGroupedAddrList(DetectEngineCtx *de_ctx, DetectAddressGroup *srchead,
*
* Start with inserting the unique groups */
for (gr = tmplist2; gr != NULL; ) {
DetectAddressGroup *newtmp = DetectAddressGroupInit();
BUG_ON(gr->family == 0 && !(gr->flags & ADDRESS_FLAG_ANY));
DetectAddressGroup *newtmp = DetectAddressGroupCopy(gr);
if (newtmp == NULL) {
goto error;
}
DetectAddressData *adtmp = DetectAddressDataCopy(gr->ad);
if (adtmp == NULL) {
goto error;
}
newtmp->ad = adtmp;
newtmp->cnt = gr->cnt;
SigGroupHeadCopySigs(de_ctx, gr->sh,&newtmp->sh);
DetectPort *port = gr->port;
for ( ; port != NULL; port = port->next) {
DetectPortInsertCopy(de_ctx, &newtmp->port, port);
newtmp->flags |= ADDRESS_GROUP_HAVEPORT;
newtmp->flags |= ADDRESS_HAVEPORT;
}
DetectAddressGroupInsert(de_ctx, newhead, newtmp);
@ -1574,7 +1554,7 @@ int BuildDestinationAddressHeads(DetectEngineCtx *de_ctx, DetectAddressGroupsHea
/* loop through the global source address list */
for (gr = grhead; gr != NULL; gr = gr->next) {
//printf(" * Source group: "); DetectAddressDataPrint(gr->ad); printf("\n");
//printf(" * Source group: "); DetectAddressPrint(gr); printf("\n");
/* initialize the destination group head */
gr->dst_gh = DetectAddressGroupsHeadInit();
@ -1601,21 +1581,14 @@ int BuildDestinationAddressHeads(DetectEngineCtx *de_ctx, DetectAddressGroupsHea
/* build the temp list */
grsighead = GetHeadPtr(&tmp_s->dst, family);
for (sgr = grsighead; sgr != NULL; sgr = sgr->next) {
if ((lookup_gr = DetectAddressGroupLookup(tmp_gr_list,sgr->ad)) == NULL) {
DetectAddressGroup *grtmp = DetectAddressGroupInit();
if ((lookup_gr = DetectAddressGroupLookup(tmp_gr_list, sgr)) == NULL) {
DetectAddressGroup *grtmp = DetectAddressGroupCopy(gr);
if (grtmp == NULL) {
goto error;
}
DetectAddressData *adtmp = DetectAddressDataCopy(sgr->ad);
if (adtmp == NULL) {
goto error;
}
grtmp->ad = adtmp;
SigGroupHeadAppendSig(de_ctx,&grtmp->sh,tmp_s);
DetectAddressGroupAdd(&tmp_gr_list,grtmp);
SigGroupHeadAppendSig(de_ctx,&grtmp->sh,tmp_s);
grtmp->cnt = 1;
} else {
/* our group will only have one sig, this one. So add that. */
SigGroupHeadAppendSig(de_ctx,&lookup_gr->sh,tmp_s);
@ -1637,7 +1610,7 @@ int BuildDestinationAddressHeads(DetectEngineCtx *de_ctx, DetectAddressGroupsHea
*/
grdsthead = GetHeadPtr(gr->dst_gh, family);
for (sgr = grdsthead; sgr != NULL; sgr = sgr->next) {
//printf(" * Destination group: "); DetectAddressDataPrint(sgr->ad); printf("\n");
//printf(" * Destination group: "); DetectAddressPrint(sgr); printf("\n");
/* Because a pattern matcher context uses quite some
* memory, we first check if we can reuse it from
@ -1721,7 +1694,7 @@ int BuildDestinationAddressHeads(DetectEngineCtx *de_ctx, DetectAddressGroupsHea
sgr->sh = sgh;
de_ctx->gh_reuse++;
sgr->flags |= ADDRESS_GROUP_SIGGROUPHEAD_COPY;
sgr->flags |= ADDRESS_SIGGROUPHEAD_COPY;
sgr->sh->refcnt++;
}
}
@ -1748,7 +1721,7 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De
/* loop through the global source address list */
src_gr_head = GetHeadPtr(head,family);
for (src_gr = src_gr_head; src_gr != NULL; src_gr = src_gr->next) {
//printf(" * Source group: "); DetectAddressDataPrint(src_gr->ad); printf("\n");
//printf(" * Source group: "); DetectAddressPrint(src_gr); printf("\n");
/* initialize the destination group head */
src_gr->dst_gh = DetectAddressGroupsHeadInit();
@ -1770,27 +1743,21 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De
if (tmp_s == NULL)
continue;
//printf(" * Source group: "); DetectAddressDataPrint(src_gr->ad); printf("\n");
//printf(" * Source group: "); DetectAddressPrint(src_gr); printf("\n");
max_idx = sig;
/* build the temp list */
sig_gr_head = GetHeadPtr(&tmp_s->dst,family);
for (sig_gr = sig_gr_head; sig_gr != NULL; sig_gr = sig_gr->next) {
//printf(" * Sig dst addr: "); DetectAddressDataPrint(sig_gr->ad); printf("\n");
//printf(" * Sig dst addr: "); DetectAddressPrint(sig_gr); printf("\n");
if ((lookup_gr = DetectAddressGroupLookup(tmp_gr_list, sig_gr->ad)) == NULL) {
DetectAddressGroup *grtmp = DetectAddressGroupInit();
if ((lookup_gr = DetectAddressGroupLookup(tmp_gr_list, sig_gr)) == NULL) {
DetectAddressGroup *grtmp = DetectAddressGroupCopy(sig_gr);
if (grtmp == NULL) {
goto error;
}
DetectAddressData *adtmp = DetectAddressDataCopy(sig_gr->ad);
if (adtmp == NULL) {
goto error;
}
grtmp->ad = adtmp;
SigGroupHeadAppendSig(de_ctx, &grtmp->sh, tmp_s);
grtmp->cnt = 1;
DetectAddressGroupAdd(&tmp_gr_list,grtmp);
} else {
@ -1815,9 +1782,9 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De
* to the ports */
dst_gr_head = GetHeadPtr(src_gr->dst_gh,family);
for (dst_gr = dst_gr_head; dst_gr != NULL; dst_gr = dst_gr->next) {
//printf(" * Destination group: "); DetectAddressDataPrint(dst_gr->ad); printf("\n");
//printf(" * Destination group: "); DetectAddressPrint(dst_gr); printf("\n");
dst_gr->flags |= ADDRESS_GROUP_HAVEPORT;
dst_gr->flags |= ADDRESS_HAVEPORT;
if (dst_gr->sh == NULL)
continue;
@ -1838,7 +1805,7 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De
if (s == NULL)
continue;
//printf(" + Destination group (grouped): "); DetectAddressDataPrint(dst_gr->ad); printf("\n");
//printf(" + Destination group (grouped): "); DetectAddressPrint(dst_gr); printf("\n");
DetectPort *sdp = s->sp;
for ( ; sdp != NULL; sdp = sdp->next) {
@ -2038,19 +2005,19 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De
} else {
SigGroupHeadFree(dst_gr->sh);
dst_gr->sh = lookup_sgh;
dst_gr->flags |= ADDRESS_GROUP_SIGGROUPHEAD_COPY;
dst_gr->flags |= ADDRESS_SIGGROUPHEAD_COPY;
dst_gr->sh->refcnt++;
SCLogDebug("replacing dst_gr->port %p with lookup_sgh->port %p", dst_gr->port, lookup_sgh->port);
DetectPortCleanupList(dst_gr->port);
dst_gr->port = lookup_sgh->port;
dst_gr->flags |= ADDRESS_GROUP_PORTS_COPY;
dst_gr->flags |= ADDRESS_PORTS_COPY;
de_ctx->gh_reuse++;
}
/* free source port sgh's */
if (!(dst_gr->flags & ADDRESS_GROUP_PORTS_COPY)) {
if (!(dst_gr->flags & ADDRESS_PORTS_COPY)) {
DetectPort *sp = dst_gr->port;
for ( ; sp != NULL; sp = sp->next) {
if (!(sp->flags & PORT_SIGGROUPHEAD_COPY)) {
@ -2075,7 +2042,7 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De
/* free dst addr sgh's */
dst_gr_head = GetHeadPtr(src_gr->dst_gh,family);
for (dst_gr = dst_gr_head; dst_gr != NULL; dst_gr = dst_gr->next) {
if (!(dst_gr->flags & ADDRESS_GROUP_SIGGROUPHEAD_COPY)) {
if (!(dst_gr->flags & ADDRESS_SIGGROUPHEAD_COPY)) {
if (dst_gr->sh->refcnt == 0) {
if (SigGroupHeadHashRemove(de_ctx,dst_gr->sh) == 0) {
//printf("BothPorts: removed sgh %p\n", dst_gr->sh);
@ -2301,7 +2268,7 @@ int SigAddressPrepareStage5(DetectEngineCtx *de_ctx) {
for (global_src_gr = de_ctx->dsize_gh[ds].flow_gh[f].src_gh[proto]->ipv4_head; global_src_gr != NULL;
global_src_gr = global_src_gr->next)
{
printf("1 Src Addr: "); DetectAddressDataPrint(global_src_gr->ad);
printf("1 Src Addr: "); DetectAddressPrint(global_src_gr);
//printf(" (sh %p)\n", global_src_gr->sh);
printf("\n");
@ -2313,10 +2280,10 @@ int SigAddressPrepareStage5(DetectEngineCtx *de_ctx) {
global_dst_gr != NULL;
global_dst_gr = global_dst_gr->next)
{
printf(" 2 Dst Addr: "); DetectAddressDataPrint(global_dst_gr->ad);
printf(" 2 Dst Addr: "); DetectAddressPrint(global_dst_gr);
//printf(" (sh %p) ", global_dst_gr->sh);
if (global_dst_gr->sh) {
if (global_dst_gr->sh->flags & ADDRESS_GROUP_SIGGROUPHEAD_COPY) {
if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) {
printf("(COPY)\n");
} else {
printf("\n");
@ -2346,10 +2313,10 @@ int SigAddressPrepareStage5(DetectEngineCtx *de_ctx) {
global_dst_gr != NULL;
global_dst_gr = global_dst_gr->next)
{
printf(" - "); DetectAddressDataPrint(global_dst_gr->ad);
printf(" - "); DetectAddressPrint(global_dst_gr);
//printf(" (sh %p) ", global_dst_gr->sh);
if (global_dst_gr->sh) {
if (global_dst_gr->sh->flags & ADDRESS_GROUP_SIGGROUPHEAD_COPY) {
if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) {
printf("(COPY)\n");
} else {
printf("\n");
@ -2378,7 +2345,7 @@ int SigAddressPrepareStage5(DetectEngineCtx *de_ctx) {
for (global_src_gr = de_ctx->dsize_gh[ds].flow_gh[f].src_gh[proto]->ipv6_head; global_src_gr != NULL;
global_src_gr = global_src_gr->next)
{
printf("- "); DetectAddressDataPrint(global_src_gr->ad);
printf("- "); DetectAddressPrint(global_src_gr);
//printf(" (sh %p)\n", global_src_gr->sh);
global_dst_gh = global_src_gr->dst_gh;
@ -2389,10 +2356,10 @@ int SigAddressPrepareStage5(DetectEngineCtx *de_ctx) {
global_dst_gr != NULL;
global_dst_gr = global_dst_gr->next)
{
printf(" - "); DetectAddressDataPrint(global_dst_gr->ad);
printf(" - "); DetectAddressPrint(global_dst_gr);
//printf(" (sh %p) ", global_dst_gr->sh);
if (global_dst_gr->sh) {
if (global_dst_gr->sh->flags & ADDRESS_GROUP_SIGGROUPHEAD_COPY) {
if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) {
printf("(COPY)\n");
} else {
printf("\n");
@ -2420,10 +2387,10 @@ int SigAddressPrepareStage5(DetectEngineCtx *de_ctx) {
global_dst_gr != NULL;
global_dst_gr = global_dst_gr->next)
{
printf(" - "); DetectAddressDataPrint(global_dst_gr->ad);
printf(" - "); DetectAddressPrint(global_dst_gr);
//printf(" (sh %p) ", global_dst_gr->sh);
if (global_dst_gr->sh) {
if (global_dst_gr->sh->flags & ADDRESS_GROUP_SIGGROUPHEAD_COPY) {
if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) {
printf("(COPY)\n");
} else {
printf("\n");
@ -2452,7 +2419,7 @@ int SigAddressPrepareStage5(DetectEngineCtx *de_ctx) {
for (global_src_gr = de_ctx->dsize_gh[ds].flow_gh[f].src_gh[proto]->any_head; global_src_gr != NULL;
global_src_gr = global_src_gr->next)
{
printf("- "); DetectAddressDataPrint(global_src_gr->ad);
printf("- "); DetectAddressPrint(global_src_gr);
//printf(" (sh %p)\n", global_src_gr->sh);
global_dst_gh = global_src_gr->dst_gh;
@ -2463,10 +2430,10 @@ int SigAddressPrepareStage5(DetectEngineCtx *de_ctx) {
global_dst_gr != NULL;
global_dst_gr = global_dst_gr->next)
{
printf(" - "); DetectAddressDataPrint(global_dst_gr->ad);
printf(" - "); DetectAddressPrint(global_dst_gr);
//printf(" (sh %p) ", global_dst_gr->sh);
if (global_dst_gr->sh) {
if (global_dst_gr->sh->flags & ADDRESS_GROUP_SIGGROUPHEAD_COPY) {
if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) {
printf("(COPY)\n");
} else {
printf("\n");
@ -2494,10 +2461,10 @@ int SigAddressPrepareStage5(DetectEngineCtx *de_ctx) {
global_dst_gr != NULL;
global_dst_gr = global_dst_gr->next)
{
printf(" - "); DetectAddressDataPrint(global_dst_gr->ad);
printf(" - "); DetectAddressPrint(global_dst_gr);
//printf(" (sh %p) ", global_dst_gr->sh);
if (global_dst_gr->sh) {
if (global_dst_gr->sh->flags & ADDRESS_GROUP_SIGGROUPHEAD_COPY) {
if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) {
printf("(COPY)\n");
} else {
printf("\n");
@ -2525,10 +2492,10 @@ int SigAddressPrepareStage5(DetectEngineCtx *de_ctx) {
global_dst_gr != NULL;
global_dst_gr = global_dst_gr->next)
{
printf(" - "); DetectAddressDataPrint(global_dst_gr->ad);
printf(" - "); DetectAddressPrint(global_dst_gr);
//printf(" (sh %p) ", global_dst_gr->sh);
if (global_dst_gr->sh) {
if (global_dst_gr->sh->flags & ADDRESS_GROUP_SIGGROUPHEAD_COPY) {
if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) {
printf("(COPY)\n");
} else {
printf("\n");

22
src/detect.h
Unescape Escape View File

@ -32,25 +32,19 @@ enum {
ADDRESS_GT, /* bigger [bbb] [aaa] */
};
#define ADDRESS_FLAG_ANY 0x1
#define ADDRESS_FLAG_NOT 0x2
#define ADDRESS_FLAG_ANY 0x01
#define ADDRESS_FLAG_NOT 0x02
#define ADDRESS_GROUP_SIGGROUPHEAD_COPY 0x01
#define ADDRESS_GROUP_PORTS_COPY 0x02
#define ADDRESS_GROUP_PORTS_NOTUNIQ 0x04
#define ADDRESS_GROUP_HAVEPORT 0x08
#define ADDRESS_SIGGROUPHEAD_COPY 0x04
#define ADDRESS_PORTS_COPY 0x08
#define ADDRESS_PORTS_NOTUNIQ 0x10
#define ADDRESS_HAVEPORT 0x20
typedef struct DetectAddressData_ {
/* XXX convert to use a Address datatype to replace family, ip,ip2*/
typedef struct DetectAddressGroup_ {
/* address data for this group */
uint8_t family;
uint32_t ip[4];
uint32_t ip2[4];
uint8_t flags;
} DetectAddressData;
typedef struct DetectAddressGroup_ {
/* address data for this group */
DetectAddressData *ad;
/* XXX ptr to rules, or PortGroup or whatever */
union {

Write Preview
Loading…
Cancel
Save