Different approach to the reference keyword. Lots of cleanups, bug fixes in reference keyword code and tests.

remotes/origin/master-1.0.x
Victor Julien 16 years ago
parent 89baf93a40
commit fe7ece997a

@ -101,7 +101,7 @@ TmEcode AlertFastLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
{
AlertFastLogThread *aft = (AlertFastLogThread *)data;
int i;
References *sref = NULL;
Reference *ref = NULL;
char timebuf[64];
if (p->alerts.cnt == 0)
@ -123,9 +123,10 @@ TmEcode AlertFastLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
fprintf(aft->file_ctx->fp, "%s [**] [%" PRIu32 ":%" PRIu32 ":%" PRIu32 "] %s [**] [Classification: %s] [Priority: %" PRIu32 "] {%" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 " ",
timebuf, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio, IPV4_GET_IPPROTO(p), srcip, p->sp, dstip, p->dp);
if(pa->sigref != NULL) {
for (sref = pa->sigref; sref != NULL; sref = sref->next) {
fprintf(aft->file_ctx->fp,"[Xref => %s]",sref->reference);
if(pa->references != NULL) {
for (ref = pa->references; ref != NULL; ref = ref->next) {
fprintf(aft->file_ctx->fp,"[Xref => %s%s]", ref->key, ref->reference);
}
}
@ -142,7 +143,7 @@ TmEcode AlertFastLogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
{
AlertFastLogThread *aft = (AlertFastLogThread *)data;
int i;
References *sref = NULL;
Reference *ref = NULL;
char timebuf[64];
if (p->alerts.cnt == 0)
@ -164,9 +165,9 @@ TmEcode AlertFastLogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
fprintf(aft->file_ctx->fp, "%s [**] [%" PRIu32 ":%" PRIu32 ":%" PRIu32 "] %s [**] [Classification: %s] [Priority: %" PRIu32 "] {%" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 " ",
timebuf, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
if(pa->sigref != NULL) {
for (sref = pa->sigref; sref != NULL; sref = sref->next) {
fprintf(aft->file_ctx->fp,"[Xref => %s]",sref->reference);
if(pa->references != NULL) {
for (ref = pa->references; ref != NULL; ref = ref->next) {
fprintf(aft->file_ctx->fp,"[Xref => %s%s]", ref->key, ref->reference);
}
}
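Review bot: The new Xref loop is pasted identically into AlertFastLogIPv4 and AlertFastLogIPv6 (both functions start before their hunk and continue after it), and in both the enclosing `if(pa->references != NULL)` is redundant because the `for` condition already handles an empty list. A small static helper keeps the two outputs from drifting apart, which matters because downstream parsers key on the exact `[Xref => ...]` layout; replace the nested if/for in both functions with `AlertFastLogPrintRefs(aft->file_ctx->fp, pa->references);`. `ref->reference` is rule-supplied text, but it reaches fprintf only as a `%s` argument and the parser's character class limits it to `[a-zA-Z0-9\-_./?=]`, so there is no format-string or delimiter-injection concern in this line.
```c
/* Print each reference of an alert as "[Xref => <prefix><value>]". */
static void AlertFastLogPrintRefs(FILE *fp, const Reference *ref)
{
    for (; ref != NULL; ref = ref->next) {
        fprintf(fp, "[Xref => %s%s]", ref->key, ref->reference);
    }
}
```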

@ -172,7 +172,7 @@ typedef struct PacketAlert_ {
uint8_t prio;
char *msg;
char *class_msg;
References *sigref;
Reference *references;
} PacketAlert;
#define PACKET_ALERT_MAX 256

@ -53,7 +53,7 @@ void PacketAlertHandle(DetectEngineCtx *de_ctx, Signature *sig, Packet *p)
/* if have none just alert, otherwise handle thresholding */
if (td == NULL) {
PacketAlertAppend(p, sig->gid, sig->id, sig->rev, sig->prio, sig->msg, sig->class_msg, sig->sigref);
PacketAlertAppend(p, sig->gid, sig->id, sig->rev, sig->prio, sig->msg, sig->class_msg, sig->references);
} else {
PacketAlertThreshold(de_ctx, td, p, sig);
}
@ -277,20 +277,20 @@ void PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectThresholdData *td, Pack
if (lookup_tsh != NULL) {
if ((ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
if (lookup_tsh->current_count < td->count) {
PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg, s->class_msg, s->sigref);
PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg, s->class_msg, s->references);
}
lookup_tsh->current_count++;
} else {
lookup_tsh->tv_sec1 = ts.tv_sec;
lookup_tsh->current_count = 1;
PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg, s->class_msg, s->sigref);
PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg, s->class_msg, s->references);
}
} else {
ste->tv_sec1 = ts.tv_sec;
ste->current_count = 1;
PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg, s->class_msg, s->sigref);
PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg, s->class_msg, s->references);
ThresholdHashAdd(de_ctx, ste, p);
ste = NULL;
@ -307,7 +307,7 @@ void PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectThresholdData *td, Pack
lookup_tsh->current_count++;
if (lookup_tsh->current_count >= td->count) {
PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg, s->class_msg, s->sigref);
PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg, s->class_msg, s->references);
lookup_tsh->current_count = 0;
}
} else {
@ -319,7 +319,7 @@ void PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectThresholdData *td, Pack
ste->tv_sec1 = ts.tv_sec;
if (td->count == 1) {
PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg, s->class_msg, s->sigref);
PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg, s->class_msg, s->references);
ste->current_count = 0;
} else {
ThresholdHashAdd(de_ctx,ste,p);
@ -337,7 +337,7 @@ void PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectThresholdData *td, Pack
if ((ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
lookup_tsh->current_count++;
if (lookup_tsh->current_count == td->count) {
PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg, s->class_msg, s->sigref);
PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg, s->class_msg, s->references);
}
} else {
lookup_tsh->tv_sec1 = ts.tv_sec;
@ -348,7 +348,7 @@ void PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectThresholdData *td, Pack
ste->tv_sec1 = ts.tv_sec;
if (td->count == 1) {
PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg, s->class_msg, s->sigref);
PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg, s->class_msg, s->references);
ste->current_count = 0;
} else {
ThresholdHashAdd(de_ctx,ste,p);
@ -367,7 +367,7 @@ void PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectThresholdData *td, Pack
if ((ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
lookup_tsh->current_count++;
if (lookup_tsh->current_count >= td->count) {
PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg, s->class_msg, s->sigref);
PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg, s->class_msg, s->references);
}
} else {
lookup_tsh->tv_sec1 = ts.tv_sec;
@ -378,7 +378,7 @@ void PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectThresholdData *td, Pack
ste->tv_sec1 = ts.tv_sec;
if (td->count == 1) {
PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg, s->class_msg, s->sigref);
PacketAlertAppend(p, s->gid, s->id, s->rev, s->prio, s->msg, s->class_msg, s->references);
}
ThresholdHashAdd(de_ctx, ste, p);
ste = NULL;

@ -685,20 +685,32 @@ Signature *SigAlloc (void) {
}
/**
* \internal
* \brief Free Reference list
*
* \param s Pointer to the signature
*/
void SigRefFree(Signature *s) {
References *sref = NULL;
if (s == NULL)
return;
static void SigRefFree (Signature *s) {
SCEnter();
if(s->sigref != NULL) {
for (sref = s->sigref; sref != NULL; sref = sref->next) {
SCFree(sref);
}
Reference *ref = NULL;
Reference *next_ref = NULL;
if (s == NULL) {
SCReturn;
}
SCLogDebug("s %p, s->references %p", s, s->references);
for (ref = s->references; ref != NULL;) {
next_ref = ref->next;
DetectReferenceFree(ref);
ref = next_ref;
}
s->references = NULL;
SCReturn;
}
void SigFree(Signature *s) {
@ -728,7 +740,8 @@ void SigFree(Signature *s) {
DetectPortCleanupList(s->dp);
}
if (s->msg != NULL) SCFree(s->msg);
if (s->msg != NULL)
SCFree(s->msg);
SigRefFree(s);
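Review bot: SigRefFree drops from external to `static` linkage in this hunk while keeping its `\internal` doc block; if a header still declares `void SigRefFree(Signature *)` or another file calls it, that now fails at link time, which cannot be confirmed from this page. The new walk itself is correct — `next_ref` is read before `DetectReferenceFree(ref)` releases the node, and `s->references` is reset afterwards — but it silently relies on DetectReferenceFree leaving `ref->key` alone because the key points at the static REFERENCE_* arrays. A one-line comment above the loop, `/* keys point at static REFERENCE_* storage; only the node and its reference string are heap-owned */`, would keep that invariant from being broken by a later edit. SigFree's body continues past the end of the last hunk.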

@ -1,6 +1,7 @@
/* Copyright (c) 2009 Open Information Security Foundation */
/* Copyright (c) 2009, 2010 Open Information Security Foundation */
/** \file
/**
* \file
* \author Breno Silva <breno.silva@gmail.com>
*/
@ -23,7 +24,7 @@
#include "util-byte.h"
#include "util-debug.h"
#define PARSE_REGEX "^\\s*(cve|nessus|url|mcafee|bugtraq|arachnids)\\s*,\\s*([a-zA-Z0-9\\-_\\.\\/\\?\\=]+)\\s*"
#define PARSE_REGEX "^\\s*(cve|nessus|url|mcafee|bugtraq|arachnids)\\s*,\"?\\s*\"?\\s*([a-zA-Z0-9\\-_\\.\\/\\?\\=]+)\"?\\s*\"?"
/* Static prefix for references - Maybe we should move them to reference.config in the future */
char REFERENCE_BUGTRAQ[] = "http://www.securityfocus.com/bid/";
@ -53,6 +54,8 @@ void DetectReferenceRegister (void) {
int opts = 0;
int eo;
opts |= PCRE_CASELESS;
parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL);
if (parse_regex == NULL)
{
@ -72,50 +75,61 @@ error:
}
/**
* \brief Free a Reference object
*/
void DetectReferenceFree(Reference *ref) {
SCEnter();
if (ref->reference != NULL) {
SCFree(ref->reference);
}
SCFree(ref);
SCReturn;
}
/**
* \internal
* \brief This function is used to parse reference options passed via reference: keyword
*
* \param rawstr Pointer to the user provided reference options
*
* \retval sigref pointer to signature reference on success
* \retval ref pointer to signature reference on success
* \retval NULL on failure
*/
static char *DetectReferenceParse (char *rawstr)
static Reference *DetectReferenceParse (char *rawstr)
{
DetectReferenceData *ref = NULL;
char *sigref = NULL;
SCEnter();
Reference *ref = NULL;
char *str = NULL;
#define MAX_SUBSTRINGS 30
int ret = 0, res = 0;
int ov[MAX_SUBSTRINGS];
const char *ref_key = NULL;
const char *ref_content = NULL;
int sig_len = 0;
ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS);
if (ret < 2) {
SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
goto error;
}
ref = SCMalloc(sizeof(DetectReferenceData));
ref = SCMalloc(sizeof(Reference));
if (ref == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "malloc failed");
SCLogError(SC_ERR_MEM_ALLOC, "malloc failed: %s", strerror(errno));
goto error;
}
memset(ref,0,sizeof(DetectReferenceData));
memset(ref, 0, sizeof(Reference));
res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS,1, &ref_key);
if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
goto error;
}
res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS,2, &ref_content);
if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
goto error;
@ -125,46 +139,52 @@ static char *DetectReferenceParse (char *rawstr)
goto error;
if (strcasecmp(ref_key,"cve") == 0) {
ref->reference = REFERENCE_CVE;
ref->key = REFERENCE_CVE;
} else if (strcasecmp(ref_key,"bugtraq") == 0) {
ref->reference = REFERENCE_BUGTRAQ;
ref->key = REFERENCE_BUGTRAQ;
} else if (strcasecmp(ref_key,"nessus") == 0) {
ref->reference = REFERENCE_NESSUS;
ref->key = REFERENCE_NESSUS;
} else if (strcasecmp(ref_key,"url") == 0) {
ref->reference = REFERENCE_URL;
ref->key = REFERENCE_URL;
} else if (strcasecmp(ref_key,"mcafee") == 0) {
ref->reference = REFERENCE_MCAFEE;
ref->key = REFERENCE_MCAFEE;
} else if (strcasecmp(ref_key,"arachnids") == 0) {
ref->reference = REFERENCE_ARACHNIDS;
ref->key = REFERENCE_ARACHNIDS;
} else {
SCLogError(SC_ERR_REFERENCE_UNKNOWN, "unknown reference key \"%s\". "
"Supported keys are cve, bugtraq, nessus, url, mcafee, "
"arachnids.", ref_key);
goto error;
}
sig_len = (strlen(ref->reference) + strlen(ref_content)+1);
sigref = SCMalloc(sig_len+1);
if (sigref == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "malloc failed");
/* make a copy so we can free pcre's substring */
str = SCStrdup((char *)ref_content);
if (str == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "strdup failed: %s", strerror(errno));
goto error;
}
memset(sigref,0,sig_len);
strlcpy(sigref,ref->reference,strlen(ref->reference)+1);
strlcat(sigref,ref_content,sig_len);
ref->reference = str;
sigref[strlen(sigref)] = '\0';
/* free the substrings */
pcre_free_substring(ref_key);
pcre_free_substring(ref_content);
if (ref) SCFree(ref);
if (ref_key) SCFree((char *)ref_key);
if (ref_content) SCFree((char *)ref_content);
return sigref;
SCReturnPtr(ref, "Reference");
error:
if (ref_key != NULL) {
pcre_free_substring(ref_key);
}
if (ref_content != NULL) {
pcre_free_substring(ref_content);
}
if (ref_key) SCFree((char *)ref_key);
if (ref_content) SCFree((char *)ref_content);
if (ref) SCFree(ref);
if (ref != NULL) {
DetectReferenceFree(ref);
}
return NULL;
SCReturnPtr(NULL, "Reference");
}
/**
@ -181,51 +201,40 @@ error:
*/
static int DetectReferenceSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
{
char *ref = NULL;
References *sref = NULL;
References *actual_reference = NULL;
SCEnter();
Reference *ref = NULL;
Reference *actual_reference = NULL;
ref = DetectReferenceParse(rawstr);
if (ref == NULL)
goto error;
if(s->sigref == NULL) {
s->sigref = SCMalloc(sizeof(References));
if (s->sigref == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "malloc failed");
goto error;
}
s->sigref->reference = ref;
s->sigref->next = NULL;
SCLogDebug("ref %s %s", ref->key, ref->reference);
if (s->references == NULL) {
s->references = ref;
ref->next = NULL;
} else {
sref = SCMalloc(sizeof(References));
if (sref == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "malloc failed");
goto error;
}
sref->reference = ref;
sref->next = NULL;
actual_reference = s->sigref;
actual_reference = s->references;
while (actual_reference->next != NULL) {
actual_reference = actual_reference->next;
}
actual_reference->next = sref;
actual_reference->next = ref;
ref->next = NULL;
}
return 0;
SCLogDebug("s->references %p", s->references);
SCReturnInt(0);
error:
if (ref) SCFree(ref);
if (sref) SCFree(sref);
return -1;
if (ref != NULL) {
DetectReferenceFree(ref);
}
SCReturnInt(-1);
}
/*
@ -234,7 +243,7 @@ error:
#ifdef UNITTESTS
/**
* \test DetectReferenceParseTest01 is a test for one valid reference.
* \test one valid reference.
*
* \retval 1 on succces
* \retval 0 on failure
@ -242,42 +251,12 @@ error:
static int DetectReferenceParseTest01(void)
{
int result = 0;
uint8_t raw_icmpv4[] = {
0x08, 0x00, 0x42, 0xb4, 0x02, 0x00, 0x08, 0xa8,
0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68,
0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x61,
0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69};
Packet p;
Signature *s = NULL;
DecodeThreadVars dtv;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
IPV4Hdr ip4h;
References *sref = NULL;
memset(&p, 0, sizeof(Packet));
memset(&ip4h, 0, sizeof(IPV4Hdr));
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&th_v, 0, sizeof(ThreadVars));
FlowInitConfig(FLOW_QUIET);
p.src.family = AF_INET;
p.dst.family = AF_INET;
p.src.addr_data32[0] = 0x01020304;
p.dst.addr_data32[0] = 0x04030201;
ip4h.ip_src.s_addr = p.src.addr_data32[0];
ip4h.ip_dst.s_addr = p.dst.addr_data32[0];
p.ip4h = &ip4h;
DecodeICMPV4(&th_v, &dtv, &p, raw_icmpv4, sizeof(raw_icmpv4), NULL);
Reference *ref = NULL;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
goto cleanup;
}
de_ctx->flags |= DE_QUIET;
@ -285,33 +264,31 @@ static int DetectReferenceParseTest01(void)
s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (msg:\"One reference\"; reference:cve,001-2010; sid:2;)");
if (s == NULL) {
goto end;
goto cleanup;
}
if (s->sigref == NULL) {
if (s->references == NULL) {
goto cleanup;
}
for (sref = s->sigref; sref != NULL; sref = sref->next) {
if (strcmp(sref->reference,"http://cve.mitre.org/cgi-bin/cvename.cgi?name=001-2010") != 0) {
goto cleanup;
}
ref = s->references;
if (strcmp(ref->key,"http://cve.mitre.org/cgi-bin/cvename.cgi?name=") != 0 ||
strcmp(ref->reference,"001-2010") != 0) {
goto cleanup;
}
result = 1;
cleanup:
if (s) SigFree(s);
if (det_ctx) DetectEngineCtxFree(de_ctx);
FlowShutdown();
end:
if (de_ctx != NULL) {
DetectEngineCtxFree(de_ctx);
}
return result;
}
/**
* \test DetectReferenceParseTest02 is a test for two valid references.
* \test for two valid references.
*
* \retval 1 on succces
* \retval 0 on failure
@ -319,83 +296,53 @@ end:
static int DetectReferenceParseTest02(void)
{
int result = 0;
uint8_t raw_icmpv4[] = {
0x08, 0x00, 0x42, 0xb4, 0x02, 0x00, 0x08, 0xa8,
0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68,
0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x61,
0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69};
Packet p;
Signature *s = NULL;
DecodeThreadVars dtv;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
IPV4Hdr ip4h;
References *sref = NULL;
memset(&p, 0, sizeof(Packet));
memset(&ip4h, 0, sizeof(IPV4Hdr));
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&th_v, 0, sizeof(ThreadVars));
FlowInitConfig(FLOW_QUIET);
p.src.family = AF_INET;
p.dst.family = AF_INET;
p.src.addr_data32[0] = 0x01020304;
p.dst.addr_data32[0] = 0x04030201;
ip4h.ip_src.s_addr = p.src.addr_data32[0];
ip4h.ip_dst.s_addr = p.dst.addr_data32[0];
p.ip4h = &ip4h;
DecodeICMPV4(&th_v, &dtv, &p, raw_icmpv4, sizeof(raw_icmpv4), NULL);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
goto cleanup;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (msg:\"Two references\"; reference:url,www.openinfosecfoundation.org; reference:cve,001-2010; sid:2;)");
if (s == NULL) {
goto end;
printf("sig parse failed: ");
goto cleanup;
}
if (s->sigref == NULL) {
if (s->references == NULL || s->references->next == NULL) {
printf("no ref or not enough refs: ");
goto cleanup;
}
for (sref = s->sigref; sref != NULL; sref = sref->next) {
if (strcmp(sref->reference,"http://www.openinfosecfoundation.org") == 0) {
result++;
}
if (strcmp(s->references->key, "http://") != 0 ||
strcmp(s->references->reference, "www.openinfosecfoundation.org") != 0) {
printf("first ref failed: ");
goto cleanup;
if (strcmp(sref->reference,"http://cve.mitre.org/cgi-bin/cvename.cgi?name=001-2010") == 0) {
result++;
}
}
if (result == 2) {
result = 1;
if (strcmp(s->references->next->key,
"http://cve.mitre.org/cgi-bin/cvename.cgi?name=") != 0 ||
strcmp(s->references->next->reference, "001-2010") != 0) {
printf("second ref failed: ");
goto cleanup;
}
cleanup:
if (s) SigFree(s);
if (det_ctx) DetectEngineCtxFree(de_ctx);
result = 1;
FlowShutdown();
end:
cleanup:
if (de_ctx != NULL) {
DetectEngineCtxFree(de_ctx);
}
return result;
}
/**
* \test DetectReferenceParseTest03 is a test for one invalid reference.
* \test parsing: invalid reference
*
* \retval 1 on succces
* \retval 0 on failure
@ -403,68 +350,27 @@ end:
static int DetectReferenceParseTest03(void)
{
int result = 0;
uint8_t raw_icmpv4[] = {
0x08, 0x00, 0x42, 0xb4, 0x02, 0x00, 0x08, 0xa8,
0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68,
0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x61,
0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69};
Packet p;
Signature *s = NULL;
DecodeThreadVars dtv;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
IPV4Hdr ip4h;
References *sref = NULL;
memset(&p, 0, sizeof(Packet));
memset(&ip4h, 0, sizeof(IPV4Hdr));
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&th_v, 0, sizeof(ThreadVars));
FlowInitConfig(FLOW_QUIET);
p.src.family = AF_INET;
p.dst.family = AF_INET;
p.src.addr_data32[0] = 0x01020304;
p.dst.addr_data32[0] = 0x04030201;
ip4h.ip_src.s_addr = p.src.addr_data32[0];
ip4h.ip_dst.s_addr = p.dst.addr_data32[0];
p.ip4h = &ip4h;
DecodeICMPV4(&th_v, &dtv, &p, raw_icmpv4, sizeof(raw_icmpv4), NULL);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
goto cleanup;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (msg:\"Two references\"; reference:url,www.openinfosecfoundation.org; reference:oisf,001-2010; sid:2;)");
if (s == NULL) {
goto end;
}
if (s->sigref == NULL) {
s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (msg:\"invalid ref\"; reference:unknownkey,001-2010; sid:2;)");
if (s != NULL) {
printf("sig parsed even though it's invalid: ");
goto cleanup;
}
for (sref = s->sigref; sref != NULL; sref = sref->next) {
result++;
}
result = 1;
cleanup:
if (s) SigFree(s);
if (det_ctx) DetectEngineCtxFree(de_ctx);
if (de_ctx != NULL) {
DetectEngineCtxFree(de_ctx);
}
FlowShutdown();
end:
return result;
}
#endif /* UNITTESTS */
@ -472,6 +378,6 @@ void ReferenceRegisterTests(void) {
#ifdef UNITTESTS
UtRegisterTest("DetectReferenceParseTest01", DetectReferenceParseTest01, 1);
UtRegisterTest("DetectReferenceParseTest02", DetectReferenceParseTest02, 1);
UtRegisterTest("DetectReferenceParseTest03", DetectReferenceParseTest03, 0);
UtRegisterTest("DetectReferenceParseTest03", DetectReferenceParseTest03, 1);
#endif /* UNITTESTS */
}
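Review bot: The `SC_ERR_REFERENCE_UNKNOWN` branch at the end of DetectReferenceParse's strcasecmp chain is unreachable: PARSE_REGEX only lets `cve|nessus|url|mcafee|bugtraq|arachnids` through as the key (now case-insensitively, given the added PCRE_CASELESS), so an unknown key such as the `unknownkey` in DetectReferenceParseTest03 fails earlier with the generic `pcre_exec parse error` message and the new error code is never emitted. If the descriptive message is wanted, capture the key generically and let the chain decide: `#define PARSE_REGEX "^\\s*([a-zA-Z0-9_]+)\\s*,\"?\\s*\"?\\s*([a-zA-Z0-9\\-_\\.\\/\\?\\=]+)\"?\\s*\"?"`; Test03 still passes because SigInit fails either way. The pattern is also not anchored at the end and the optional quotes need not be balanced, so characters after the value are silently dropped rather than rejected; appending `\\s*$` would make a malformed reference fail loudly. The value class additionally excludes `:`, `&`, `#` and `%`, so a `url` reference with a query string rejects the whole signature — a pre-existing limitation that deserves a comment next to the regex.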

@ -1,6 +1,7 @@
/* Copyright (c) 2009 Open Information Security Foundation */
/* Copyright (c) 2009, 2010 Open Information Security Foundation */
/** \file
/**
* \file
* \author Breno Silva <breno.silva@gmail.com>
*/
@ -12,31 +13,26 @@
#include "decode-tcp.h"
/** Signature reference list */
typedef struct References_ {
char *reference; /**< reference data */
struct References_ *next; /**< next reference in the signature */
} References;
/**
* \typedef DetectReferenceData
* A typedef for DetectReferenceData_
*/
typedef struct DetectReferenceData_ {
char *reference; /**< 0 reference prefix 1 - reference data */
} DetectReferenceData;
typedef struct Reference_ {
char *key; /**< pointer to key */
char *reference; /**< reference data */
struct Reference_ *next; /**< next reference in the signature */
} Reference;
/**
* Registration function for reference: keyword
*/
void DetectReferenceRegister (void);
/**
* This function registers unit tests for Reference
*/
void ReferenceRegisterTests(void);
/**
* Free function for a Reference object
*/
void DetectReferenceFree(Reference *);
#endif /*__DETECT_REFERENCE_H__ */
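Review bot: The new Reference struct has mixed ownership that its field comments do not state: `key` is assigned one of the static REFERENCE_* arrays and is never freed, while `reference` is an SCStrdup copy released by DetectReferenceFree, so a later maintainer who strdup's the key leaks it and one who frees it crashes. I would replace the field comments with `char *key; /**< static prefix from the REFERENCE_* tables, never freed */` and `char *reference; /**< heap copy of the parsed value, owned by this node, freed by DetectReferenceFree() */`. The DetectReferenceFree declaration also deserves `ref must be non-NULL` in its comment, since the implementation dereferences it without a check and every caller currently guards for it. Declaring `key` as `const char *` would make the first half of that contract compiler-enforced and is an additive change.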

@ -389,7 +389,7 @@ int PacketAlertCheck(Packet *p, uint32_t sid)
}
int PacketAlertAppend(Packet *p, uint32_t gid, uint32_t sid, uint8_t rev,
uint8_t prio, char *msg, char *class_msg, References *sigref)
uint8_t prio, char *msg, char *class_msg, Reference *references)
{
if (p->alerts.cnt == PACKET_ALERT_MAX)
return 0;
@ -406,7 +406,7 @@ int PacketAlertAppend(Packet *p, uint32_t gid, uint32_t sid, uint8_t rev,
p->alerts.alerts[p->alerts.cnt].prio = prio;
p->alerts.alerts[p->alerts.cnt].msg = msg;
p->alerts.alerts[p->alerts.cnt].class_msg = class_msg;
p->alerts.alerts[p->alerts.cnt].sigref = sigref;
p->alerts.alerts[p->alerts.cnt].references = references;
p->alerts.cnt++;
return 0;
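Review bot: `p->alerts.alerts[p->alerts.cnt].references = references;` stores the Signature's list head by pointer, so every queued alert aliases memory that SigRefFree releases through DetectReferenceFree when the signature is freed; the alert neither owns nor copies it. Nothing in this hunk records that borrow, and whether a Packet can still hold an alert when a signature list is torn down — for instance on a rule reload — cannot be judged from this page. I would document it on the function: `/* references is borrowed from the Signature (not copied); the alert must not outlive the signature list it points into */`. The `msg` and `class_msg` pointers carry the same caveat, so one comment covering all three is enough; the function's closing brace may lie past the hunk.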

@ -210,7 +210,7 @@ typedef struct Signature_ {
char *class_msg;
/** Reference */
References *sigref;
Reference *references;
/** addresses, ports and proto this sig matches on */
DetectAddressHead src, dst;
@ -664,7 +664,7 @@ int SigGroupCleanup();
void SigAddressPrepareBidirectionals (DetectEngineCtx *);
int PacketAlertAppend(Packet *, uint32_t, uint32_t, uint8_t, uint8_t, char *,
char *, References *);
char *, Reference *);
int SigLoadSignatures (DetectEngineCtx *, char *);
void SigTableSetup(void);

@ -138,6 +138,7 @@ const char * SCErrorToString(SCError err)
CASE_CODE (SC_ERR_LIBNET_WRITE_FAILED);
CASE_CODE (SC_ERR_LIBNET_NOT_ENABLED);
CASE_CODE (SC_ERR_UNIFIED_LOG_FILE_HEADER);
CASE_CODE (SC_ERR_REFERENCE_UNKNOWN);
default:
return "UNKNOWN_ERROR";

@ -156,6 +156,7 @@ typedef enum {
SC_ERR_UNIFIED_LOG_FILE_HEADER, /**< Error to indicate the unified file
header writing function has been
failed */
SC_ERR_REFERENCE_UNKNOWN, /**< unknown reference key (cve, url, etc) */
} SCError;
