Bug 1061: fix multiple vars per sig in ordering

In sigordering, rules that had multiple vars doing the same operation,
like setting multiple flowbits, were not considered correctly.

Bug 1061.
pull/702/head
Victor Julien 11 years ago
parent b770fd2981
commit f6e37dcc90

@ -27,6 +27,7 @@
#include "detect.h"
#include "detect-flowbits.h"
#include "detect-flowint.h"
#include "detect-parse.h"
#include "detect-engine-sigorder.h"
#include "detect-pcre.h"
@ -162,11 +163,11 @@ static inline int SCSigGetFlowbitsType(Signature *sig)
sm = sm->next;
}
if (read == 1 && write == 0) {
if (read > 0 && write == 0) {
flowbits_user_type = DETECT_FLOWBITS_TYPE_READ;
} else if (read == 0 && write == 1) {
} else if (read == 0 && write > 0) {
flowbits_user_type = DETECT_FLOWBITS_TYPE_SET;
} else if (read == 1 && write == 1) {
} else if (read > 0 && write > 0) {
flowbits_user_type = DETECT_FLOWBITS_TYPE_SET_READ;
}
@ -222,11 +223,11 @@ static inline int SCSigGetFlowintType(Signature *sig)
sm = sm->next;
}
if (read == 1 && write == 0) {
if (read > 0 && write == 0) {
flowint_user_type = DETECT_FLOWINT_TYPE_READ;
} else if (read == 0 && write == 1) {
} else if (read == 0 && write > 0) {
flowint_user_type = DETECT_FLOWINT_TYPE_SET;
} else if (read == 1 && write == 1) {
} else if (read > 0 && write > 0) {
flowint_user_type = DETECT_FLOWINT_TYPE_SET_READ;
}
@ -276,11 +277,11 @@ static inline int SCSigGetFlowvarType(Signature *sig)
sm = sm->next;
}
if (read == 1 && write == 0) {
if (read > 0 && write == 0) {
type = DETECT_FLOWVAR_TYPE_READ;
} else if (read == 0 && write == 1) {
} else if (read == 0 && write > 0) {
type = DETECT_FLOWVAR_TYPE_SET;
} else if (read == 1 && write == 1) {
} else if (read > 0 && write > 0) {
type = DETECT_FLOWVAR_TYPE_SET_READ;
}
@ -328,11 +329,11 @@ static inline int SCSigGetPktvarType(Signature *sig)
sm = sm->next;
}
if (read == 1 && write == 0) {
if (read > 0 && write == 0) {
type = DETECT_PKTVAR_TYPE_READ;
} else if (read == 0 && write == 1) {
} else if (read == 0 && write > 0) {
type = DETECT_PKTVAR_TYPE_SET;
} else if (read == 1 && write == 1) {
} else if (read > 0 && write > 0) {
type = DETECT_PKTVAR_TYPE_SET_READ;
}
@ -1991,6 +1992,57 @@ end:
return result;
}
/** \test Bug 1061 */
static int SCSigOrderingTest13(void)
{
int result = 0;
Signature *sig = NULL;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flowbits:isset,bit1; flowbits:set,bit2; flowbits:set,bit3; sid:6;)");
if (sig == NULL) {
goto end;
}
sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flowbits:set,bit1; flowbits:set,bit2; sid:7;)");
if (sig == NULL) {
goto end;
}
sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flowbits:isset,bit1; flowbits:isset,bit2; flowbits:isset,bit3; sid:5;)");
if (sig == NULL) {
goto end;
}
SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
SCSigOrderSignatures(de_ctx);
result = 1;
#ifdef DEBUG
sig = de_ctx->sig_list;
while (sig != NULL) {
printf("sid: %d\n", sig->id);
sig = sig->next;
}
#endif
sig = de_ctx->sig_list;
result &= (sig->id == 7);
sig = sig->next;
result &= (sig->id == 6);
sig = sig->next;
result &= (sig->id == 5);
sig = sig->next;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
#endif
void SCSigRegisterSignatureOrderingTests(void)
@ -2009,5 +2061,6 @@ void SCSigRegisterSignatureOrderingTests(void)
UtRegisterTest("SCSigOrderingTest10", SCSigOrderingTest10, 1);
UtRegisterTest("SCSigOrderingTest11", SCSigOrderingTest11, 1);
UtRegisterTest("SCSigOrderingTest12", SCSigOrderingTest12, 1);
UtRegisterTest("SCSigOrderingTest13", SCSigOrderingTest13, 1);
#endif
}
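Review bot: SCSigOrderingTest13 walks `de_ctx->sig_list` with three unchecked `sig = sig->next` steps, so a list shorter than expected would crash the unit-test run on a NULL dereference instead of reporting a failure. Guard each step, e.g. `if (sig == NULL || sig->id != 7) goto end;`, and assign `result = 1` only after the last check has passed. The final `sig = sig->next;` before `end:` is a dead store and can be dropped. The test also exercises only the flowbits classifier, although the same `read > 0` / `write > 0` change is made in SCSigGetFlowintType, SCSigGetFlowvarType and SCSigGetPktvarType. Those three have no regression test in this commit, and a setter ordered after its reader there would presumably surface only as a rule that silently fails to match, so an analogous test per variable type would be worth adding.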
