← Back to branch summary

~ubuntu-branches/ubuntu/saucy/suricata/saucy-proposed

« back to all changes in this revision

Viewing changes to src/detect-isdataat.c

  • Committer: Bazaar Package Importer
  • Author(s): Pierre Chifflier
  • Date: 2010-08-11 14:45:14 UTC
  • mfrom: (1.1.5 upstream)
  • Revision ID: james.westby@ubuntu.com-20100811144514-zgibko2uougimv49
Tags: 1.0.1-1
http://bugs.debian.org/591559
http://bugs.debian.org/590861
* Imported Upstream version 1.0.1 (Closes: #591559)
* Bump Standards version to 3.9.1
* Create /var/log/suricata (Closes: #590861)

Show diffs side-by-side

added added

removed removed

Lines of Context:
src/detect-isdataat.c
36
36
 
37
37
#include "detect-isdataat.h"
38
38
#include "detect-content.h"
 
39
#include "detect-uricontent.h"
39
40
 
40
41
#include "flow.h"
41
42
#include "flow-var.h"
232
233
{
233
234
    DetectIsdataatData *idad = NULL;
234
235
    SigMatch *sm = NULL;
235
 
    DetectContentData *cd = NULL;
236
236
 
237
237
    idad = DetectIsdataatParse(isdataatstr);
238
238
    if (idad == NULL)
245
245
    sm->type = DETECT_ISDATAAT;
246
246
    sm->ctx = (void *)idad;
247
247
 
248
 
    if (idad->flags & ISDATAAT_RELATIVE) {
249
 
        SCLogDebug("Set it in the last parsed content because it is relative "
250
 
                   "to that content based keyword");
251
 
 
252
 
        SigMatch *m = NULL;
253
 
        if (s->alproto == ALPROTO_DCERPC) {
254
 
            m = SigMatchGetLastSMFromLists(s, 12,
255
 
                                           DETECT_CONTENT, s->pmatch_tail,
256
 
                                           DETECT_PCRE, s->pmatch_tail,
257
 
                                           DETECT_BYTEJUMP, s->pmatch_tail,
258
 
                                           DETECT_CONTENT, s->dmatch_tail,
259
 
                                           DETECT_PCRE, s->dmatch_tail,
260
 
                                           DETECT_BYTEJUMP, s->dmatch_tail);
261
 
        } else {
262
 
            m = SigMatchGetLastSMFromLists(s, 6,
263
 
                                           DETECT_CONTENT, s->pmatch_tail,
264
 
                                           DETECT_PCRE, s->pmatch_tail,
265
 
                                           DETECT_BYTEJUMP, s->pmatch_tail);
266
 
        }
267
 
 
268
 
        if (m == NULL) {
269
 
            if (s->alproto == ALPROTO_DCERPC) {
270
 
                SCLogDebug("isdataat-relative without a previous content based "
271
 
                           "keyword.  Holds good only in the case of DCERPC "
272
 
                           "alproto like now.");
273
 
            } else {
274
 
                SCLogError(SC_ERR_INVALID_SIGNATURE, "No related "
275
 
                           "previous-previous content or pcre keyword");
276
 
                goto error;
277
 
            }
278
 
        } else {
279
 
            DetectPcreData *pe = NULL;
280
 
            switch (m->type) {
281
 
                case DETECT_CONTENT:
282
 
                    /* Set the relative next flag on the prev sigmatch */
283
 
                    cd = (DetectContentData *)m->ctx;
284
 
                    if (cd == NULL) {
285
 
                        SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
286
 
                                   "previous keyword!");
287
 
                        goto error;
288
 
                    }
289
 
                    cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
290
 
 
291
 
                    break;
292
 
 
293
 
                case DETECT_PCRE:
294
 
                    pe = (DetectPcreData *) m->ctx;
295
 
                    if (pe == NULL) {
296
 
                        SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
297
 
                                   "previous keyword!");
298
 
                        goto error;
299
 
                    }
300
 
                    pe->flags |= DETECT_PCRE_RELATIVE_NEXT;
301
 
 
302
 
                    break;
303
 
 
304
 
                case DETECT_BYTEJUMP:
305
 
                    SCLogDebug("No setting relative_next for bytejump.  We "
306
 
                               "have no use for it");
307
 
 
308
 
                    break;
309
 
 
310
 
                default:
311
 
                    /* this will never hit */
312
 
                    SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
313
 
                               "previous keyword!");
314
 
                    break;
315
 
            } /* switch */
316
 
        } /* else for if (m == NULL) */
317
 
    } /* if (idad->flags & ISDATAAT_RELATIVE) */
318
 
 
319
248
    if (s->alproto == ALPROTO_DCERPC &&
320
249
        idad->flags & ISDATAAT_RELATIVE) {
321
250
        SigMatch *pm = NULL;
343
272
        SigMatchAppendPayload(s, sm);
344
273
    }
345
274
 
 
275
    if ( !(idad->flags & ISDATAAT_RELATIVE)) {
 
276
        return 0;
 
277
    }
 
278
 
 
279
    SigMatch *prev_sm = NULL;
 
280
    prev_sm = SigMatchGetLastSMFromLists(s, 8,
 
281
                                         DETECT_CONTENT, sm->prev,
 
282
                                         DETECT_URICONTENT, sm->prev,
 
283
                                         DETECT_BYTEJUMP, sm->prev,
 
284
                                         DETECT_PCRE, sm->prev);
 
285
    if (prev_sm == NULL) {
 
286
        if (s->alproto == ALPROTO_DCERPC) {
 
287
            SCLogDebug("No preceding content or pcre keyword.  Possible "
 
288
                       "since this is an alproto sig.");
 
289
            return 0;
 
290
        } else {
 
291
            SCLogError(SC_ERR_INVALID_SIGNATURE, "No preceding content "
 
292
                       "or uricontent or pcre option");
 
293
            return -1;
 
294
        }
 
295
    }
 
296
 
 
297
    DetectContentData *cd = NULL;
 
298
    DetectUricontentData *ud = NULL;
 
299
    DetectPcreData *pe = NULL;
 
300
 
 
301
    switch (prev_sm->type) {
 
302
        case DETECT_CONTENT:
 
303
            /* Set the relative next flag on the prev sigmatch */
 
304
            cd = (DetectContentData *)prev_sm->ctx;
 
305
            if (cd == NULL) {
 
306
                SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
 
307
                           "previous keyword!");
 
308
                return -1;
 
309
            }
 
310
            cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
 
311
 
 
312
            break;
 
313
 
 
314
        case DETECT_URICONTENT:
 
315
            /* Set the relative next flag on the prev sigmatch */
 
316
            ud = (DetectUricontentData *)prev_sm->ctx;
 
317
            if (ud == NULL) {
 
318
                SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
 
319
                           "previous keyword!");
 
320
                return -1;
 
321
            }
 
322
            ud->flags |= DETECT_URICONTENT_RELATIVE_NEXT;
 
323
 
 
324
            break;
 
325
 
 
326
        case DETECT_PCRE:
 
327
            pe = (DetectPcreData *)prev_sm->ctx;
 
328
            if (pe == NULL) {
 
329
                SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
 
330
                           "previous keyword!");
 
331
                return -1;
 
332
            }
 
333
            pe->flags |= DETECT_PCRE_RELATIVE_NEXT;
 
334
 
 
335
            break;
 
336
 
 
337
        case DETECT_BYTEJUMP:
 
338
            SCLogDebug("No setting relative_next for bytejump.  We "
 
339
                       "have no use for it");
 
340
 
 
341
            break;
 
342
 
 
343
        default:
 
344
            /* this will never hit */
 
345
            SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"
 
346
                       "previous keyword!");
 
347
            return -1;
 
348
    } /* switch */
 
349
 
346
350
    return 0;
347
351
 
348
352
error: