diff --git a/src/detect-engine-address.c b/src/detect-engine-address.c index 7a0dd04c72..65d5079634 100644 --- a/src/detect-engine-address.c +++ b/src/detect-engine-address.c @@ -653,7 +653,9 @@ error: } /* XXX error handling */ -int DetectAddressParse2(DetectAddressGroupsHead *gh, DetectAddressGroupsHead *ghn, char *s,int negate) { +int DetectAddressParse2(DetectAddressGroupsHead *gh, + DetectAddressGroupsHead *ghn, + char *s, int negate) { int i, x; int o_set = 0, n_set = 0; int depth = 0; @@ -675,10 +677,10 @@ int DetectAddressParse2(DetectAddressGroupsHead *gh, DetectAddressGroupsHead *gh depth++; } else if (s[i] == ']') { if (depth == 1) { - address[x-1] = '\0'; + address[x - 1] = '\0'; x = 0; - DetectAddressParse2(gh,ghn,address,negate ? negate : n_set); + DetectAddressParse2(gh, ghn, address, negate? negate: n_set); n_set = 0; } depth--; @@ -686,24 +688,24 @@ int DetectAddressParse2(DetectAddressGroupsHead *gh, DetectAddressGroupsHead *gh if (o_set == 1) { o_set = 0; } else { - address[x-1] = '\0'; + address[x - 1] = '\0'; if (negate == 0 && n_set == 0) { - DetectAddressGroupSetup(gh,address); + DetectAddressGroupSetup(gh, address); } else { - DetectAddressGroupSetup(ghn,address); + DetectAddressGroupSetup(ghn, address); } n_set = 0; } x = 0; - } else if (depth == 0 && i == size-1) { + } else if (depth == 0 && i == size - 1) { address[x] = '\0'; x = 0; if (negate == 0 && n_set == 0) { - DetectAddressGroupSetup(gh,address); + DetectAddressGroupSetup(gh, address); } else { - DetectAddressGroupSetup(ghn,address); + DetectAddressGroupSetup(ghn, address); } n_set = 0; } 
@@ -867,19 +869,20 @@ int DetectAddressGroupParse(DetectAddressGroupsHead *gh, char *str) { goto error; } - r = DetectAddressParse2(gh,ghn,str,/* start with negate no */0); + r = DetectAddressParse2(gh, ghn, str,/* start with negate no */0); if (r < 0) { goto error; } /* merge the 'not' address groups */ - if (DetectAddressGroupMergeNot(gh,ghn) < 0) { + if (DetectAddressGroupMergeNot(gh, ghn) < 0) { goto error; } /* free the temp negate head */ DetectAddressGroupsHeadFree(ghn); return 0; + error: DetectAddressGroupsHeadFree(ghn); return -1; @@ -887,14 +890,15 @@ error: DetectAddressGroupsHead *DetectAddressGroupsHeadInit(void) { DetectAddressGroupsHead *gh = malloc(sizeof(DetectAddressGroupsHead)); - if (gh == NULL) { + if (gh == NULL) return NULL; - } - memset(gh,0,sizeof(DetectAddressGroupsHead)); + memset(gh, 0, sizeof(DetectAddressGroupsHead)); + #ifdef DEBUG detect_address_group_head_init_cnt++; detect_address_group_head_memory += sizeof(DetectAddressGroupsHead); #endif + return gh; } diff --git a/src/detect-engine-proto.c b/src/detect-engine-proto.c index 35cd453b08..280d855644 100644 --- a/src/detect-engine-proto.c +++ b/src/detect-engine-proto.c @@ -36,7 +36,11 @@ DetectProto *DetectProtoInit(void) { return dp; } -/* free a DetectAddressGroup object */ +/** + * \brief Free a DetectAddressGroup object + * + * \param dp Pointer to the DetectProto instance to be freed + */ void DetectProtoFree(DetectProto *dp) { if (dp == NULL) return; 
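Review bot: The new Doxygen block above DetectProtoFree in src/detect-engine-proto.c keeps the wrong object name from the old comment. The function takes and frees a `DetectProto *dp`, not a DetectAddressGroup, so the brief should read `\brief Free a DetectProto object`. The body of DetectProtoFree continues past the end of this hunk.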
@@ -44,24 +48,33 @@ void DetectProtoFree(DetectProto *dp) { free(dp); } +/** + * \brief Parses a protocol sent as a string. + * + * \param dp Pointer to the DetectProto instance which will be updated with the + * incoming protocol information. + * \param str Pointer to the string containing the protocol name. + * + * \retval 0 Always return 0. + */ int DetectProtoParse(DetectProto *dp, char *str) { int proto; - if (strcasecmp(str,"tcp") == 0) { + if (strcasecmp(str, "tcp") == 0) { proto = IPPROTO_TCP; - dp->proto[(proto/8)] |= 1<<(proto%8); - } else if (strcasecmp(str,"udp") == 0) { + dp->proto[proto / 8] |= 1 << (proto % 8); + } else if (strcasecmp(str, "udp") == 0) { proto = IPPROTO_UDP; - dp->proto[(proto/8)] |= 1<<(proto%8); - } else if (strcasecmp(str,"icmp") == 0) { + dp->proto[proto / 8] |= 1 << (proto % 8); + } else if (strcasecmp(str, "icmp") == 0) { proto = IPPROTO_ICMP; - dp->proto[(proto/8)] |= 1<<(proto%8); - } else if (strcasecmp(str,"ip") == 0) { + dp->proto[proto / 8] |= 1 << (proto % 8); + } else if (strcasecmp(str, "ip") == 0) { dp->flags |= DETECT_PROTO_ANY; - memset(&dp->proto,0xFF,sizeof(dp->proto)); + memset(&dp->proto, 0xFF, sizeof(dp->proto)); } else { proto = atoi(str); - dp->proto[(proto/8)] |= 1<<(proto%8); + dp->proto[proto / 8] |= 1 << (proto % 8); } return 0; diff --git a/src/detect-parse.c b/src/detect-parse.c index 20e43331d1..1127861ea3 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c 
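Review bot: The final `else` branch of DetectProtoParse indexes `dp->proto[proto / 8]` with whatever `atoi(str)` returns, so a negative or oversized protocol number in a rule writes outside `dp->proto`. A misspelled protocol name is also silently recorded as protocol 0, because `atoi` returns 0 for non-numeric text. The new comment documents `\retval 0 Always return 0`, which leaves the `r < 0` check in SigParseProto with nothing to catch. I would parse the number with `strtol`, return -1 on trailing characters or an out-of-range value, and add a `\retval -1` line to the comment. The bound below assumes `dp->proto` is a byte array, as the `memset(&dp->proto, 0xFF, sizeof(dp->proto))` line suggests, though the declaration is not visible here.

```c
    /* … unchanged: tcp / udp / icmp / ip branches … */
    } else {
        /* numeric protocol: accept only a complete decimal number that
         * fits inside the protocol bitmap */
        char *end = NULL;
        long val = strtol(str, &end, 10);
        if (end == str || *end != '\0' ||
            val < 0 || val >= (long)(sizeof(dp->proto) * 8))
            return -1;
        proto = (int)val;
        dp->proto[proto / 8] |= 1 << (proto % 8);
    }
```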
@@ -238,24 +238,24 @@ error: int SigParseAddress(Signature *s, const char *addrstr, char flag) { char *addr = NULL; - if (strcmp(addrstr,"$HOME_NET") == 0) { + if (strcmp(addrstr, "$HOME_NET") == 0) { addr = "[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:13c5:5AFE::/64,2001:888:13c5:CAFE::/64]"; -// addr = "[192.168.0.0/16,10.8.0.0/16,2001:888:13c5:5AFE::/64,2001:888:13c5:CAFE::/64]"; - } else if (strcmp(addrstr,"$EXTERNAL_NET") == 0) { + //addr = "[192.168.0.0/16,10.8.0.0/16,2001:888:13c5:5AFE::/64,2001:888:13c5:CAFE::/64]"; + } else if (strcmp(addrstr, "$EXTERNAL_NET") == 0) { addr = "[!192.168.0.0/16,2000::/3]"; - } else if (strcmp(addrstr,"$HTTP_SERVERS") == 0) { + } else if (strcmp(addrstr, "$HTTP_SERVERS") == 0) { addr = "!192.168.0.0/16"; - } else if (strcmp(addrstr,"$SMTP_SERVERS") == 0) { + } else if (strcmp(addrstr, "$SMTP_SERVERS") == 0) { addr = "!192.168.0.0/16"; - } else if (strcmp(addrstr,"$SQL_SERVERS") == 0) { + } else if (strcmp(addrstr, "$SQL_SERVERS") == 0) { addr = "!192.168.0.0/16"; - } else if (strcmp(addrstr,"$DNS_SERVERS") == 0) { + } else if (strcmp(addrstr, "$DNS_SERVERS") == 0) { addr = "any"; - } else if (strcmp(addrstr,"$TELNET_SERVERS") == 0) { + } else if (strcmp(addrstr, "$TELNET_SERVERS") == 0) { addr = "any"; - } else if (strcmp(addrstr,"$AIM_SERVERS") == 0) { + } else if (strcmp(addrstr, "$AIM_SERVERS") == 0) { addr = "any"; - } else if (strcmp(addrstr,"any") == 0) { + } else if (strcmp(addrstr, "any") == 0) { addr = "any"; } else { addr = (char *)addrstr; 
@@ -264,32 +264,39 @@ int SigParseAddress(Signature *s, const char *addrstr, char flag) { /* pass on to the address(list) parser */ if (flag == 0) { - if (strcasecmp(addrstr,"any") == 0) + if (strcasecmp(addrstr, "any") == 0) s->flags |= SIG_FLAG_SRC_ANY; - if (DetectAddressGroupParse(&s->src,addr) < 0) { + if (DetectAddressGroupParse(&s->src, addr) < 0) goto error; - } } else { - if (strcasecmp(addrstr,"any") == 0) + if (strcasecmp(addrstr, "any") == 0) s->flags |= SIG_FLAG_DST_ANY; - if (DetectAddressGroupParse(&s->dst,addr) < 0) { + if (DetectAddressGroupParse(&s->dst, addr) < 0) goto error; - } } - return 0; + error: return -1; } -/* http://www.iana.org/assignments/protocol-numbers +/** + * \brief Parses the protocol supplied by the Signature. * + * http://www.iana.org/assignments/protocol-numbers + * + * \param s Pointer to the Signature instance to which the parsed + * protocol has to be added. + * \param protostr Pointer to the character string containing the protocol name. + * + * \retval 0 On successfully parsing the protocl sent as the argument. + * \retval -1 On failure */ int SigParseProto(Signature *s, const char *protostr) { - int r = DetectProtoParse(&s->proto,(char *)protostr); + int r = DetectProtoParse(&s->proto, (char *)protostr); if (r < 0) { return -1; } @@ -349,6 +356,17 @@ int SigParsePort(Signature *s, const char *portstr, char flag) { return 0; } +/** + * \brief Parses the action that has been used by the Signature and allots it + * to its Signatue instance. + * + * \param s Pointer to the Signatue instance to which the action belongs. + * \param action Pointer to the action string used by the Signature. + * + * \retval 0 On successfully parsing the action string and adding it to the + * Signature. + * \retval -1 On failure. + */ int SigParseAction(Signature *s, const char *action) { if (strcasecmp(action, "alert") == 0) { s->action = ACTION_ALERT; 
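Review bot: The Doxygen comments added in this hunk and in the following `@@ -349,6 +356,17 @@` hunk contain misspellings that will end up in the generated documentation. These are `protocl` in the `\retval 0` line of SigParseProto and `Signatue` twice in the SigParseAction block. They should read `protocol` and `Signature`. Both function bodies continue outside their hunks.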
@@ -381,7 +399,7 @@ int SigParseBasics(Signature *s, char *sigstr, char ***result) { int ov[MAX_SUBSTRINGS]; int ret = 0, i = 0; - const char **arr = calloc(CONFIG_PARTS+1, sizeof(char *)); + const char **arr = calloc(CONFIG_PARTS + 1, sizeof(char *)); if (arr == NULL) return -1; @@ -391,11 +409,11 @@ int SigParseBasics(Signature *s, char *sigstr, char ***result) { goto error; } - for (i = 1; i <= ret-1; i++) { - pcre_get_substring(sigstr, ov, MAX_SUBSTRINGS, i, &arr[i-1]); + for (i = 1; i <= ret - 1; i++) { + pcre_get_substring(sigstr, ov, MAX_SUBSTRINGS, i, &arr[i - 1]); //printf("SigParseBasics: arr[%" PRId32 "] = \"%s\"\n", i-1, arr[i-1]); } - arr[i-1]=NULL; + arr[i - 1] = NULL; /* Parse Action */ if (SigParseAction(s, arr[CONFIG_ACTION]) < 0) @@ -409,9 +427,8 @@ int SigParseBasics(Signature *s, char *sigstr, char ***result) { if (SigParseAddress(s, arr[CONFIG_SRC], 0) < 0) goto error; - /* For "ip" we parse the ports as well, even though they will - be just "any". We do this for later sgh building for the - tcp and udp protocols. */ + /* For "ip" we parse the ports as well, even though they will be just "any". + * We do this for later sgh building for the tcp and udp protocols. */ if (strcasecmp(arr[CONFIG_PROTO],"tcp") == 0 || strcasecmp(arr[CONFIG_PROTO],"udp") == 0 || strcasecmp(arr[CONFIG_PROTO],"ip") == 0) { @@ -456,7 +473,7 @@ int SigParse(DetectEngineCtx *de_ctx, Signature *s, char *sigstr) { } /* cleanup */ - if (basics) { + if (basics != NULL) { int i = 0; while (basics[i] != NULL) { free(basics[i]); @@ -464,6 +481,7 @@ int SigParse(DetectEngineCtx *de_ctx, Signature *s, char *sigstr) { } free(basics); } + return ret; } 
@@ -495,6 +513,15 @@ void SigFree(Signature *s) { free(s); } +/** + * \brief Parses a signature and adds it to the Detection Engine Context + * + * \param de_ctx Pointer to the Detection Engine Context + * \param sigstr Pointer to a character string containing the signature to be + * parsed + * + * \retval Pointer to the Signature instance on success; NULL on failure + */ Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) { Signature *sig = SigAlloc(); if (sig == NULL) diff --git a/src/detect.c b/src/detect.c index 3e8694c4ce..ce70e5a425 100644 --- a/src/detect.c +++ b/src/detect.c @@ -594,15 +594,16 @@ static int SignatureIsIPOnly(DetectEngineCtx *de_ctx, Signature *s) { if (sm == NULL) goto iponly; - for ( ; sm != NULL ; sm = sm->next) - if(!( sigmatch_table[sm->type].flags & SIGMATCH_IPONLY_COMPAT)) + for ( ;sm != NULL ;sm = sm->next) { + if (!( sigmatch_table[sm->type].flags & SIGMATCH_IPONLY_COMPAT)) return 0; + } iponly: if (!(de_ctx->flags & DE_QUIET)) { SCLogDebug("IP-ONLY (%" PRIu32 "): source %s, dest %s", s->id, - s->flags & SIG_FLAG_SRC_ANY ? "ANY" : "SET", - s->flags & SIG_FLAG_DST_ANY ? "ANY" : "SET"); + s->flags & SIG_FLAG_SRC_ANY ? "ANY" : "SET", + s->flags & SIG_FLAG_DST_ANY ? "ANY" : "SET"); } return 1; } @@ -630,7 +631,14 @@ static int SignatureIsInspectingPayload(DetectEngineCtx *de_ctx, Signature *s) { return 0; } -/* add all signatures to their own source address group */ +/** + * \brief Add all signatures to their own source address group + * + * \param de_ctx Pointer to the Detection Engine Context + * + * \retval 0 on success + * \retval -1 on failure + */ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) { Signature *tmp_s = NULL; DetectAddressGroup *gr = NULL; 
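Review bot: The rewritten loop header in SignatureIsIPOnly, `for ( ;sm != NULL ;sm = sm->next) {`, puts the spaces before the semicolons rather than after them. That is the opposite of the other loop visible in this commit, `for (tmp_s = de_ctx->sig_list; tmp_s != NULL; tmp_s = tmp_s->next)`. I would write `for (; sm != NULL; sm = sm->next) {` and drop the stray space in `!( sigmatch_table[sm->type].flags & SIGMATCH_IPONLY_COMPAT)`. The function starts before this hunk.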
@@ -643,7 +651,7 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) { if (!(de_ctx->flags & DE_QUIET)) { SCLogDebug("building signature grouping structure, stage 1: " - "adding signatures to signature source addresses..."); + "adding signatures to signature source addresses..."); } de_ctx->sig_array_len = DetectEngineGetMaxSigId(de_ctx); @@ -654,7 +662,7 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) { memset(de_ctx->sig_array,0,de_ctx->sig_array_size); SCLogDebug("signature lookup array: %" PRIu32 " sigs, %" PRIu32 " bytes", - de_ctx->sig_array_len, de_ctx->sig_array_size); + de_ctx->sig_array_len, de_ctx->sig_array_size); /* now for every rule add the source group */ for (tmp_s = de_ctx->sig_list; tmp_s != NULL; tmp_s = tmp_s->next) {