245
245
sm->type = DETECT_ISDATAAT;
246
246
sm->ctx = (void *)idad;
248
if (idad->flags & ISDATAAT_RELATIVE) {
249
SCLogDebug("Set it in the last parsed content because it is relative "
250
"to that content based keyword");
253
if (s->alproto == ALPROTO_DCERPC) {
254
m = SigMatchGetLastSMFromLists(s, 12,
255
DETECT_CONTENT, s->pmatch_tail,
256
DETECT_PCRE, s->pmatch_tail,
257
DETECT_BYTEJUMP, s->pmatch_tail,
258
DETECT_CONTENT, s->dmatch_tail,
259
DETECT_PCRE, s->dmatch_tail,
260
DETECT_BYTEJUMP, s->dmatch_tail);
262
m = SigMatchGetLastSMFromLists(s, 6,
263
DETECT_CONTENT, s->pmatch_tail,
264
DETECT_PCRE, s->pmatch_tail,
265
DETECT_BYTEJUMP, s->pmatch_tail);
269
if (s->alproto == ALPROTO_DCERPC) {
270
SCLogDebug("isdataat-relative without a previous content based "
271
"keyword. Holds good only in the case of DCERPC "
272
"alproto like now.");
274
SCLogError(SC_ERR_INVALID_SIGNATURE, "No related "
275
"previous-previous content or pcre keyword");
279
DetectPcreData *pe = NULL;
282
/* Set the relative next flag on the prev sigmatch */
283
cd = (DetectContentData *)m->ctx;
285
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
286
"previous keyword!");
289
cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
294
pe = (DetectPcreData *) m->ctx;
296
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
297
"previous keyword!");
300
pe->flags |= DETECT_PCRE_RELATIVE_NEXT;
304
case DETECT_BYTEJUMP:
305
SCLogDebug("No setting relative_next for bytejump. We "
306
"have no use for it");
311
/* this will never hit */
312
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
313
"previous keyword!");
316
} /* else for if (m == NULL) */
317
} /* if (idad->flags & ISDATAAT_RELATIVE) */
319
248
if (s->alproto == ALPROTO_DCERPC &&
320
249
idad->flags & ISDATAAT_RELATIVE) {
321
250
SigMatch *pm = NULL;
343
272
SigMatchAppendPayload(s, sm);
275
if ( !(idad->flags & ISDATAAT_RELATIVE)) {
279
SigMatch *prev_sm = NULL;
280
prev_sm = SigMatchGetLastSMFromLists(s, 8,
281
DETECT_CONTENT, sm->prev,
282
DETECT_URICONTENT, sm->prev,
283
DETECT_BYTEJUMP, sm->prev,
284
DETECT_PCRE, sm->prev);
285
if (prev_sm == NULL) {
286
if (s->alproto == ALPROTO_DCERPC) {
287
SCLogDebug("No preceding content or pcre keyword. Possible "
288
"since this is an alproto sig.");
291
SCLogError(SC_ERR_INVALID_SIGNATURE, "No preceding content "
292
"or uricontent or pcre option");
297
DetectContentData *cd = NULL;
298
DetectUricontentData *ud = NULL;
299
DetectPcreData *pe = NULL;
301
switch (prev_sm->type) {
303
/* Set the relative next flag on the prev sigmatch */
304
cd = (DetectContentData *)prev_sm->ctx;
306
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
307
"previous keyword!");
310
cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
314
case DETECT_URICONTENT:
315
/* Set the relative next flag on the prev sigmatch */
316
ud = (DetectUricontentData *)prev_sm->ctx;
318
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
319
"previous keyword!");
322
ud->flags |= DETECT_URICONTENT_RELATIVE_NEXT;
327
pe = (DetectPcreData *)prev_sm->ctx;
329
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
330
"previous keyword!");
333
pe->flags |= DETECT_PCRE_RELATIVE_NEXT;
337
case DETECT_BYTEJUMP:
338
SCLogDebug("No setting relative_next for bytejump. We "
339
"have no use for it");
344
/* this will never hit */
345
SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
346
"previous keyword!");