aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

add the support for >= and <= operator for byte_test

Browse Source
remotes/origin/master-1.1.x
Gurvinder Singh 15 years ago committed by Victor Julien
parent 412498f4e4
commit f92ba23331
2 changed files with 83 additions and 5 deletions
Show Stats Download Patch File Download Diff File

76
src/detect-bytetest.c
Unescape Escape View File

@ -224,6 +224,16 @@ int DetectBytetestDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch
match = 1; match = 1;
} }
break; break;
case DETECT_BYTETEST_OP_GE:
if (val >= data->value) {
match = 1;
}
break;
case DETECT_BYTETEST_OP_LE:
if (val <= data->value) {
match = 1;
}
break;
default: default:
/* Should never get here as we handle this in parsing. */ /* Should never get here as we handle this in parsing. */
SCReturnInt(-1); SCReturnInt(-1);
@ -436,6 +446,10 @@ DetectBytetestData *DetectBytetestParse(char *optstr)
data->op |= DETECT_BYTETEST_OP_AND; data->op |= DETECT_BYTETEST_OP_AND;
} else if (strcmp("^", args[2]) == 0) { } else if (strcmp("^", args[2]) == 0) {
data->op |= DETECT_BYTETEST_OP_OR; data->op |= DETECT_BYTETEST_OP_OR;
} else if (strcmp(">=", args[2]) == 0) {
data->op |= DETECT_BYTETEST_OP_GE;
} else if (strcmp("<=", args[2]) == 0) {
data->op |= DETECT_BYTETEST_OP_LE;
} else { } else {
SCLogError(SC_ERR_INVALID_OPERATOR, "Invalid operator"); SCLogError(SC_ERR_INVALID_OPERATOR, "Invalid operator");
goto error; goto error;
@ -1400,6 +1414,66 @@ end:
return result; return result;
} }
/** \test Test the byte_test signature matching with operator <= */
int DetectByteTestTestPacket04(void)
{
int result = 0;
uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
"User-Agent: Wget/1.11.4"
"Accept: */*"
"Host: www.google.com"
"Connection: Keep-Alive"
"Date: Mon, 04 Jan 2010 17:29:39 GMT";
uint16_t buflen = strlen((char *)buf);
Packet *p;
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
if (p == NULL)
goto end;
char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test +"
"relative\"; content:\"GET \"; depth:4; content:\"HTTP/1.\"; "
"byte_test:1,<=,0,0,relative,string,dec; sid:124; rev:1;)";
result = UTHPacketMatchSig(p, sig);
UTHFreePacket(p);
end:
return result;
}
/** \test Test the byte_test signature matching with operator >= */
int DetectByteTestTestPacket05(void)
{
int result = 0;
uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
"User-Agent: Wget/1.11.4"
"Accept: */*"
"Host: www.google.com"
"Connection: Keep-Alive"
"Date: Mon, 04 Jan 2010 17:29:39 GMT";
uint16_t buflen = strlen((char *)buf);
Packet *p;
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
if (p == NULL)
goto end;
char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test +"
"relative\"; content:\"GET \"; depth:4; content:\"HTTP/1.\"; "
"byte_test:1,>=,0,0,relative,string,dec; sid:125; rev:1;)";
result = UTHPacketMatchSig(p, sig);
UTHFreePacket(p);
end:
return result;
}
#endif /* UNITTESTS */ #endif /* UNITTESTS */
@ -1431,6 +1505,8 @@ void DetectBytetestRegisterTests(void) {
UtRegisterTest("DetectByteTestTestPacket01", DetectByteTestTestPacket01, 1); UtRegisterTest("DetectByteTestTestPacket01", DetectByteTestTestPacket01, 1);
UtRegisterTest("DetectByteTestTestPacket02", DetectByteTestTestPacket02, 1); UtRegisterTest("DetectByteTestTestPacket02", DetectByteTestTestPacket02, 1);
UtRegisterTest("DetectByteTestTestPacket03", DetectByteTestTestPacket03, 1); UtRegisterTest("DetectByteTestTestPacket03", DetectByteTestTestPacket03, 1);
UtRegisterTest("DetectByteTestTestPacket04", DetectByteTestTestPacket04, 1);
UtRegisterTest("DetectByteTestTestPacket05", DetectByteTestTestPacket05, 1);
#endif /* UNITTESTS */ #endif /* UNITTESTS */
} }

12
src/detect-bytetest.h
Unescape Escape View File

@ -25,11 +25,13 @@
#define __DETECT_BYTETEST_H__ #define __DETECT_BYTETEST_H__
/** Bytetest Operators */ /** Bytetest Operators */
#define DETECT_BYTETEST_OP_LT '<' /**< "less than" operator */ #define DETECT_BYTETEST_OP_LT 1 /**< "less than" operator */
#define DETECT_BYTETEST_OP_GT '>' /**< "greater than" operator */ #define DETECT_BYTETEST_OP_GT 2 /**< "greater than" operator */
#define DETECT_BYTETEST_OP_EQ '=' /**< "equals" operator */ #define DETECT_BYTETEST_OP_EQ 3 /**< "equals" operator */
#define DETECT_BYTETEST_OP_AND '&' /**< "bitwise and" operator */ #define DETECT_BYTETEST_OP_AND 4 /**< "bitwise and" operator */
#define DETECT_BYTETEST_OP_OR '^' /**< "bitwise or" operator */ #define DETECT_BYTETEST_OP_OR 5 /**< "bitwise or" operator */
#define DETECT_BYTETEST_OP_GE 6 /**< greater than equal operator */
#define DETECT_BYTETEST_OP_LE 7 /**< less than equal operator */
/** Bytetest Base */ /** Bytetest Base */
#define DETECT_BYTETEST_BASE_UNSET 0 /**< Unset type value string (automatic)*/ #define DETECT_BYTETEST_BASE_UNSET 0 /**< Unset type value string (automatic)*/

Write Preview
Loading…
Cancel
Save