~ubuntu-branches/ubuntu/saucy/suricata/saucy-updates : contents of src/detect-flowvar.c at revision 27

~ubuntu-branches/ubuntu/saucy/suricata/saucy-updates : (revision 27)

/* Copyright (C) 2007-2010 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
 *
 * Simple flowvar content match part of the detection engine.
 */

#include "suricata-common.h"
#include "decode.h"

#include "detect.h"
#include "detect-parse.h"

#include "detect-content.h"
#include "threads.h"
#include "flow.h"
#include "flow-var.h"
#include "detect-flowvar.h"
#include "util-spm.h"
#include "util-var-name.h"
#include "util-debug.h"

#define PARSE_REGEX         "(.*),(.*)"
static pcre *parse_regex;
static pcre_extra *parse_regex_study;

int DetectFlowvarMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
static int DetectFlowvarSetup (DetectEngineCtx *, Signature *, char *);
static int DetectFlowvarPostMatch(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *sm);
static void DetectFlowvarDataFree(void *ptr);

void DetectFlowvarRegister (void) {
    sigmatch_table[DETECT_FLOWVAR].name = "flowvar";
    sigmatch_table[DETECT_FLOWVAR].Match = DetectFlowvarMatch;
    sigmatch_table[DETECT_FLOWVAR].Setup = DetectFlowvarSetup;
    sigmatch_table[DETECT_FLOWVAR].Free  = DetectFlowvarDataFree;
    sigmatch_table[DETECT_FLOWVAR].RegisterTests  = NULL;

    /* post-match for flowvar storage */
    sigmatch_table[DETECT_FLOWVAR_POSTMATCH].name = "__flowvar__postmatch__";
    sigmatch_table[DETECT_FLOWVAR_POSTMATCH].Match = DetectFlowvarPostMatch;
    sigmatch_table[DETECT_FLOWVAR_POSTMATCH].Setup = NULL;
    sigmatch_table[DETECT_FLOWVAR_POSTMATCH].Free  = DetectFlowvarDataFree;
    sigmatch_table[DETECT_FLOWVAR_POSTMATCH].RegisterTests  = NULL;

    const char *eb;
    int eo;
    int opts = 0;

    parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL);
    if(parse_regex == NULL)
    {
        SCLogError(SC_ERR_PCRE_COMPILE, "pcre compile of \"%s\" failed at offset %" PRId32 ": %s", PARSE_REGEX, eo, eb);
        goto error;
    }

    parse_regex_study = pcre_study(parse_regex, 0, &eb);
    if(eb != NULL)
    {
        SCLogError(SC_ERR_PCRE_STUDY, "pcre study failed: %s", eb);
        goto error;
    }

    return;

error:
    return;
}

/**
 * \brief this function will SCFree memory associated with DetectFlowvarData
 *
 * \param cd pointer to DetectCotentData
 */
static void DetectFlowvarDataFree(void *ptr) {
    if (ptr == NULL)
        SCReturn;

    DetectFlowvarData *fd = (DetectFlowvarData *)ptr;

    if (fd->name)
        SCFree(fd->name);
    if (fd->content)
        SCFree(fd->content);

    SCFree(fd);
}

/*
 * returns 0: no match
 *         1: match
 *        -1: error
 */

int DetectFlowvarMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *m)
{
    int ret = 0;
    DetectFlowvarData *fd = (DetectFlowvarData *)m->ctx;

    /* we need a lock */
    FLOWLOCK_RDLOCK(p->flow);

    FlowVar *fv = FlowVarGet(p->flow, fd->idx);
    if (fv != NULL) {
        uint8_t *ptr = SpmSearch(fv->data.fv_str.value,
                                 fv->data.fv_str.value_len,
                                 fd->content, fd->content_len);
        if (ptr != NULL)
            ret = 1;
    }
    FLOWLOCK_UNLOCK(p->flow);

    return ret;
}

static int DetectFlowvarSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
{
    DetectFlowvarData *cd = NULL;
    SigMatch *sm = NULL;
    char *str = rawstr;
    char dubbed = 0;
    uint16_t len;
    char *varname = NULL, *varcontent = NULL;
#define MAX_SUBSTRINGS 30
    int ret = 0, res = 0;
    int ov[MAX_SUBSTRINGS];

    ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS);
    if (ret != 3) {
        SCLogError(SC_ERR_PCRE_MATCH, "\"%s\" is not a valid setting for flowvar.", rawstr);
        return -1;
    }

    const char *str_ptr;
    res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
    if (res < 0) {
        SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
        return -1;
    }
    varname = (char *)str_ptr;

    if (ret > 2) {
        res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, &str_ptr);
        if (res < 0) {
            SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
            return -1;
        }
        varcontent = (char *)str_ptr;
    }

    if (varcontent[0] == '\"' && varcontent[strlen(varcontent)-1] == '\"') {
        str = SCStrdup(varcontent+1);
        if (unlikely(str == NULL)) {
            return -1;
        }
        str[strlen(varcontent)-2] = '\0';
        dubbed = 1;
    }

    len = strlen(str);
    if (len == 0) {
        if (dubbed) SCFree(str);
        return -1;
    }

    cd = SCMalloc(sizeof(DetectFlowvarData));
    if (unlikely(cd == NULL))
        goto error;

    char converted = 0;

    {
        uint16_t i, x;
        uint8_t bin = 0, binstr[3] = "", binpos = 0;
        for (i = 0, x = 0; i < len; i++) {
            // printf("str[%02u]: %c\n", i, str[i]);
            if (str[i] == '|') {
                if (bin) {
                    bin = 0;
                } else {
                    bin = 1;
                }
            } else {
                if (bin) {
                    if (isdigit((unsigned char)str[i]) ||
                        str[i] == 'A' || str[i] == 'a' ||
                        str[i] == 'B' || str[i] == 'b' ||
                        str[i] == 'C' || str[i] == 'c' ||
                        str[i] == 'D' || str[i] == 'd' ||
                        str[i] == 'E' || str[i] == 'e' ||
                        str[i] == 'F' || str[i] == 'f') {
                        // printf("part of binary: %c\n", str[i]);

                        binstr[binpos] = (char)str[i];
                        binpos++;

                        if (binpos == 2) {
                            uint8_t c = strtol((char *)binstr, (char **) NULL, 16) & 0xFF;
                            binpos = 0;
                            str[x] = c;
                            x++;
                            converted = 1;
                        }
                    } else if (str[i] == ' ') {
                        // printf("space as part of binary string\n");
                    }
                } else {
                    str[x] = str[i];
                    x++;
                }
            }
        }
#ifdef DEBUG
        if (SCLogDebugEnabled()) {
            for (i = 0; i < x; i++) {
                if (isprint((unsigned char)str[i])) printf("%c", str[i]);
                else printf("\\x%02u", str[i]);
            }
            printf("\n");
        }
#endif

        if (converted)
            len = x;
    }

    cd->content = SCMalloc(len);
    if (cd->content == NULL) {
        if (dubbed) SCFree(str);
        SCFree(cd);
        return -1;
    }

    cd->name = SCStrdup(varname);
    cd->idx = VariableNameGetIdx(de_ctx, varname, DETECT_FLOWVAR);
    memcpy(cd->content, str, len);
    cd->content_len = len;
    cd->flags = 0;

    /* Okay so far so good, lets get this into a SigMatch
     * and put it in the Signature. */
    sm = SigMatchAlloc();
    if (sm == NULL)
        goto error;

    sm->type = DETECT_FLOWVAR;
    sm->ctx = (void *)cd;

    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);

    if (dubbed) SCFree(str);
    return 0;

error:
    if (dubbed) SCFree(str);
    if (cd) SCFree(cd);
    if (sm) SCFree(sm);
    return -1;
}


/** \brief Store flowvar in det_ctx so we can exec it post-match */
int DetectFlowvarStoreMatch(DetectEngineThreadCtx *det_ctx, uint16_t idx, uint8_t *buffer, uint16_t len) {
    DetectFlowvarList *fs = det_ctx->flowvarlist;

    /* first check if we have had a previous match for this idx */
    for ( ; fs != NULL; fs = fs->next) {
        if (fs->idx == idx) {
            /* we're replacing the older store */
            SCFree(fs->buffer);
            fs->buffer = NULL;
            break;
        }
    }

    if (fs == NULL) {
        fs = SCMalloc(sizeof(*fs));
        if (unlikely(fs == NULL))
            return -1;

        fs->idx = idx;

        fs->next = det_ctx->flowvarlist;
        det_ctx->flowvarlist = fs;
    }

    fs->len = len;
    fs->buffer = buffer;
    return 0;
}

/** \brief Setup a post-match for flowvar storage
 *  We're piggyback riding the DetectFlowvarData struct
 */
int DetectFlowvarPostMatchSetup(Signature *s, uint16_t idx) {
    SigMatch *sm = NULL;
    DetectFlowvarData *fv = NULL;

    fv = SCMalloc(sizeof(DetectFlowvarData));
    if (unlikely(fv == NULL))
        goto error;
    memset(fv, 0x00, sizeof(*fv));

    /* we only need the idx */
    fv->idx = idx;

    sm = SigMatchAlloc();
    if (sm == NULL)
        goto error;

    sm->type = DETECT_FLOWVAR_POSTMATCH;
    sm->ctx = (void *)fv;

    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
    return 0;
error:
    return -1;
}

/** \internal
 *  \brief post-match func to store flowvars in the flow
 *  \param sm sigmatch containing the idx to store
 *  \retval 1 or -1 in case of error
 */
static int DetectFlowvarPostMatch(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *sm) {
    DetectFlowvarList *fs, *prev;
    DetectFlowvarData *fd;

    if (det_ctx->flowvarlist == NULL || p->flow == NULL)
        return 1;

    fd = (DetectFlowvarData *)sm->ctx;

    prev = NULL;
    fs = det_ctx->flowvarlist;
    while (fs != NULL) {
        if (fd->idx == fs->idx) {
            FlowVarAddStr(p->flow, fs->idx, fs->buffer, fs->len);
            /* memory at fs->buffer is now the responsibility of
             * the flowvar code. */

            if (fs == det_ctx->flowvarlist) {
                det_ctx->flowvarlist = fs->next;
                SCFree(fs);
                fs = det_ctx->flowvarlist;
            } else {
                prev->next = fs->next;
                SCFree(fs);
                fs = prev->next;
            }
        } else {
            prev = fs;
            fs = fs->next;
        }
    }
    return 1;
}

/** \brief Clean flowvar candidate list in det_ctx */
void DetectFlowvarCleanupList(DetectEngineThreadCtx *det_ctx) {
    DetectFlowvarList *fs, *next;
    if (det_ctx->flowvarlist != NULL) {
        fs = det_ctx->flowvarlist;
        while (fs != NULL) {
            next = fs->next;
            SCFree(fs->buffer);
            SCFree(fs);
            fs = next;
        }

        det_ctx->flowvarlist = NULL;
    }
}


1.1.2 by Pierre Chifflier Import upstream version 0.9.1	1	/* Copyright (C) 2007-2010 Open Information Security Foundation
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	2	*
	3	* You can copy, redistribute or modify this Program under the terms of
	4	* the GNU General Public License version 2 as published by the Free
	5	* Software Foundation.
	6	*
	7	* This program is distributed in the hope that it will be useful,
	8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	10	* GNU General Public License for more details.
	11	*
	12	* You should have received a copy of the GNU General Public License
	13	* version 2 along with this program; if not, write to the Free Software
	14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
	15	* 02110-1301, USA.
	16	*/
	17
	18	/**
	19	* \file
	20	*
	21	* \author Victor Julien <victor@inliniac.net>
	22	*
	23	* Simple flowvar content match part of the detection engine.
	24	*/
1 by Pierre Chifflier Import upstream version 0.8.0	25
	26	#include "suricata-common.h"
	27	#include "decode.h"
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	28
1 by Pierre Chifflier Import upstream version 0.8.0	29	#include "detect.h"
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	30	#include "detect-parse.h"
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	31
1 by Pierre Chifflier Import upstream version 0.8.0	32	#include "detect-content.h"
	33	#include "threads.h"
	34	#include "flow.h"
	35	#include "flow-var.h"
	36	#include "detect-flowvar.h"
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	37	#include "util-spm.h"
1 by Pierre Chifflier Import upstream version 0.8.0	38	#include "util-var-name.h"
	39	#include "util-debug.h"
	40
	41	#define PARSE_REGEX "(.),(.)"
	42	static pcre *parse_regex;
	43	static pcre_extra *parse_regex_study;
	44
	45	int DetectFlowvarMatch (ThreadVars , DetectEngineThreadCtx , Packet , Signature , SigMatch *);
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	46	static int DetectFlowvarSetup (DetectEngineCtx , Signature , char *);
1.1.20 by Pierre Chifflier Import upstream version 1.4.2	47	static int DetectFlowvarPostMatch(ThreadVars tv, DetectEngineThreadCtx det_ctx, Packet p, Signature s, SigMatch *sm);
1.1.20 by Pierre Chifflier Import upstream version 1.4.2	48	static void DetectFlowvarDataFree(void *ptr);
1 by Pierre Chifflier Import upstream version 0.8.0	49
	50	void DetectFlowvarRegister (void) {
	51	sigmatch_table[DETECT_FLOWVAR].name = "flowvar";
	52	sigmatch_table[DETECT_FLOWVAR].Match = DetectFlowvarMatch;
	53	sigmatch_table[DETECT_FLOWVAR].Setup = DetectFlowvarSetup;
1.1.20 by Pierre Chifflier Import upstream version 1.4.2	54	sigmatch_table[DETECT_FLOWVAR].Free = DetectFlowvarDataFree;
1 by Pierre Chifflier Import upstream version 0.8.0	55	sigmatch_table[DETECT_FLOWVAR].RegisterTests = NULL;
1 by Pierre Chifflier Import upstream version 0.8.0	56
1.1.20 by Pierre Chifflier Import upstream version 1.4.2	57	/* post-match for flowvar storage */
	58	sigmatch_table[DETECT_FLOWVAR_POSTMATCH].name = "__flowvar__postmatch__";
	59	sigmatch_table[DETECT_FLOWVAR_POSTMATCH].Match = DetectFlowvarPostMatch;
	60	sigmatch_table[DETECT_FLOWVAR_POSTMATCH].Setup = NULL;
	61	sigmatch_table[DETECT_FLOWVAR_POSTMATCH].Free = DetectFlowvarDataFree;
	62	sigmatch_table[DETECT_FLOWVAR_POSTMATCH].RegisterTests = NULL;
	63
1 by Pierre Chifflier Import upstream version 0.8.0	64	const char *eb;
	65	int eo;
	66	int opts = 0;
	67
	68	parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL);
	69	if(parse_regex == NULL)
	70	{
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	71	SCLogError(SC_ERR_PCRE_COMPILE, "pcre compile of \"%s\" failed at offset %" PRId32 ": %s", PARSE_REGEX, eo, eb);
1 by Pierre Chifflier Import upstream version 0.8.0	72	goto error;
	73	}
	74
	75	parse_regex_study = pcre_study(parse_regex, 0, &eb);
	76	if(eb != NULL)
	77	{
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	78	SCLogError(SC_ERR_PCRE_STUDY, "pcre study failed: %s", eb);
1 by Pierre Chifflier Import upstream version 0.8.0	79	goto error;
	80	}
	81
	82	return;
	83
	84	error:
	85	return;
	86	}
	87
1.1.20 by Pierre Chifflier Import upstream version 1.4.2	88	/**
	89	* \brief this function will SCFree memory associated with DetectFlowvarData
	90	*
	91	* \param cd pointer to DetectCotentData
	92	*/
	93	static void DetectFlowvarDataFree(void *ptr) {
	94	if (ptr == NULL)
	95	SCReturn;
	96
	97	DetectFlowvarData fd = (DetectFlowvarData )ptr;
	98
	99	if (fd->name)
	100	SCFree(fd->name);
	101	if (fd->content)
	102	SCFree(fd->content);
	103
	104	SCFree(fd);
	105	}
	106
1 by Pierre Chifflier Import upstream version 0.8.0	107	/*
	108	* returns 0: no match
	109	* 1: match
	110	* -1: error
	111	*/
	112
	113	int DetectFlowvarMatch (ThreadVars t, DetectEngineThreadCtx det_ctx, Packet p, Signature s, SigMatch *m)
	114	{
	115	int ret = 0;
	116	DetectFlowvarData fd = (DetectFlowvarData )m->ctx;
	117
	118	/* we need a lock */
1.1.13 by Pierre Chifflier Import upstream version 1.3	119	FLOWLOCK_RDLOCK(p->flow);
1 by Pierre Chifflier Import upstream version 0.8.0	120
	121	FlowVar *fv = FlowVarGet(p->flow, fd->idx);
	122	if (fv != NULL) {
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	123	uint8_t *ptr = SpmSearch(fv->data.fv_str.value,
1 by Pierre Chifflier Import upstream version 0.8.0	124	fv->data.fv_str.value_len,
	125	fd->content, fd->content_len);
	126	if (ptr != NULL)
	127	ret = 1;
	128	}
1.1.13 by Pierre Chifflier Import upstream version 1.3	129	FLOWLOCK_UNLOCK(p->flow);
1 by Pierre Chifflier Import upstream version 0.8.0	130
	131	return ret;
	132	}
	133
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	134	static int DetectFlowvarSetup (DetectEngineCtx de_ctx, Signature s, char *rawstr)
1 by Pierre Chifflier Import upstream version 0.8.0	135	{
	136	DetectFlowvarData *cd = NULL;
	137	SigMatch *sm = NULL;
	138	char *str = rawstr;
	139	char dubbed = 0;
	140	uint16_t len;
	141	char varname = NULL, varcontent = NULL;
	142	#define MAX_SUBSTRINGS 30
	143	int ret = 0, res = 0;
	144	int ov[MAX_SUBSTRINGS];
	145
	146	ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS);
	147	if (ret != 3) {
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	148	SCLogError(SC_ERR_PCRE_MATCH, "\"%s\" is not a valid setting for flowvar.", rawstr);
1 by Pierre Chifflier Import upstream version 0.8.0	149	return -1;
	150	}
	151
	152	const char *str_ptr;
	153	res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
	154	if (res < 0) {
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	155	SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
1 by Pierre Chifflier Import upstream version 0.8.0	156	return -1;
	157	}
	158	varname = (char *)str_ptr;
	159
	160	if (ret > 2) {
	161	res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, &str_ptr);
	162	if (res < 0) {
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	163	SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
1 by Pierre Chifflier Import upstream version 0.8.0	164	return -1;
	165	}
	166	varcontent = (char *)str_ptr;
	167	}
	168
	169	if (varcontent[0] == '\"' && varcontent[strlen(varcontent)-1] == '\"') {
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	170	str = SCStrdup(varcontent+1);
1.1.18 by Pierre Chifflier Import upstream version 1.4	171	if (unlikely(str == NULL)) {
1.1.10 by Pierre Chifflier Import upstream version 1.1	172	return -1;
1.1.10 by Pierre Chifflier Import upstream version 1.1	173	}
1 by Pierre Chifflier Import upstream version 0.8.0	174	str[strlen(varcontent)-2] = '\0';
	175	dubbed = 1;
	176	}
	177
	178	len = strlen(str);
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	179	if (len == 0) {
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	180	if (dubbed) SCFree(str);
1 by Pierre Chifflier Import upstream version 0.8.0	181	return -1;
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	182	}
1 by Pierre Chifflier Import upstream version 0.8.0	183
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	184	cd = SCMalloc(sizeof(DetectFlowvarData));
1.1.18 by Pierre Chifflier Import upstream version 1.4	185	if (unlikely(cd == NULL))
1 by Pierre Chifflier Import upstream version 0.8.0	186	goto error;
1 by Pierre Chifflier Import upstream version 0.8.0	187
1.1.10 by Pierre Chifflier Import upstream version 1.1	188	char converted = 0;
1.1.10 by Pierre Chifflier Import upstream version 1.1	189
1 by Pierre Chifflier Import upstream version 0.8.0	190	{
	191	uint16_t i, x;
	192	uint8_t bin = 0, binstr[3] = "", binpos = 0;
	193	for (i = 0, x = 0; i < len; i++) {
	194	// printf("str[%02u]: %c\n", i, str[i]);
	195	if (str[i] == '\|') {
	196	if (bin) {
	197	bin = 0;
	198	} else {
	199	bin = 1;
	200	}
	201	} else {
	202	if (bin) {
1.1.18 by Pierre Chifflier Import upstream version 1.4	203	if (isdigit((unsigned char)str[i]) \|\|
1 by Pierre Chifflier Import upstream version 0.8.0	204	str[i] == 'A' \|\| str[i] == 'a' \|\|
	205	str[i] == 'B' \|\| str[i] == 'b' \|\|
	206	str[i] == 'C' \|\| str[i] == 'c' \|\|
	207	str[i] == 'D' \|\| str[i] == 'd' \|\|
	208	str[i] == 'E' \|\| str[i] == 'e' \|\|
	209	str[i] == 'F' \|\| str[i] == 'f') {
	210	// printf("part of binary: %c\n", str[i]);
	211
	212	binstr[binpos] = (char)str[i];
	213	binpos++;
	214
	215	if (binpos == 2) {
	216	uint8_t c = strtol((char )binstr, (char *) NULL, 16) & 0xFF;
	217	binpos = 0;
	218	str[x] = c;
	219	x++;
	220	converted = 1;
	221	}
	222	} else if (str[i] == ' ') {
	223	// printf("space as part of binary string\n");
	224	}
	225	} else {
	226	str[x] = str[i];
	227	x++;
	228	}
	229	}
	230	}
	231	#ifdef DEBUG
	232	if (SCLogDebugEnabled()) {
	233	for (i = 0; i < x; i++) {
1.1.18 by Pierre Chifflier Import upstream version 1.4	234	if (isprint((unsigned char)str[i])) printf("%c", str[i]);
1.1.18 by Pierre Chifflier Import upstream version 1.4	235	else printf("\\x%02u", str[i]);
1 by Pierre Chifflier Import upstream version 0.8.0	236	}
	237	printf("\n");
	238	}
	239	#endif
	240
	241	if (converted)
	242	len = x;
	243	}
	244
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	245	cd->content = SCMalloc(len);
	246	if (cd->content == NULL) {
	247	if (dubbed) SCFree(str);
	248	SCFree(cd);
1 by Pierre Chifflier Import upstream version 0.8.0	249	return -1;
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	250	}
1 by Pierre Chifflier Import upstream version 0.8.0	251
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	252	cd->name = SCStrdup(varname);
1.1.13 by Pierre Chifflier Import upstream version 1.3	253	cd->idx = VariableNameGetIdx(de_ctx, varname, DETECT_FLOWVAR);
1 by Pierre Chifflier Import upstream version 0.8.0	254	memcpy(cd->content, str, len);
	255	cd->content_len = len;
	256	cd->flags = 0;
	257
	258	/* Okay so far so good, lets get this into a SigMatch
	259	* and put it in the Signature. */
	260	sm = SigMatchAlloc();
	261	if (sm == NULL)
	262	goto error;
	263
	264	sm->type = DETECT_FLOWVAR;
	265	sm->ctx = (void *)cd;
	266
1.1.13 by Pierre Chifflier Import upstream version 1.3	267	SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
1 by Pierre Chifflier Import upstream version 0.8.0	268
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	269	if (dubbed) SCFree(str);
1 by Pierre Chifflier Import upstream version 0.8.0	270	return 0;
	271
	272	error:
1.1.1 by Pierre Chifflier Import upstream version 0.9.0	273	if (dubbed) SCFree(str);
	274	if (cd) SCFree(cd);
	275	if (sm) SCFree(sm);
1 by Pierre Chifflier Import upstream version 0.8.0	276	return -1;
	277	}
	278
	279
1.1.20 by Pierre Chifflier Import upstream version 1.4.2	280	/** \brief Store flowvar in det_ctx so we can exec it post-match */
	281	int DetectFlowvarStoreMatch(DetectEngineThreadCtx det_ctx, uint16_t idx, uint8_t buffer, uint16_t len) {
	282	DetectFlowvarList *fs = det_ctx->flowvarlist;
	283
	284	/* first check if we have had a previous match for this idx */
	285	for ( ; fs != NULL; fs = fs->next) {
	286	if (fs->idx == idx) {
	287	/* we're replacing the older store */
	288	SCFree(fs->buffer);
	289	fs->buffer = NULL;
	290	break;
	291	}
	292	}
	293
	294	if (fs == NULL) {
	295	fs = SCMalloc(sizeof(*fs));
	296	if (unlikely(fs == NULL))
	297	return -1;
	298
	299	fs->idx = idx;
	300
	301	fs->next = det_ctx->flowvarlist;
	302	det_ctx->flowvarlist = fs;
	303	}
	304
	305	fs->len = len;
	306	fs->buffer = buffer;
	307	return 0;
	308	}
	309
	310	/** \brief Setup a post-match for flowvar storage
	311	* We're piggyback riding the DetectFlowvarData struct
	312	*/
	313	int DetectFlowvarPostMatchSetup(Signature *s, uint16_t idx) {
	314	SigMatch *sm = NULL;
	315	DetectFlowvarData *fv = NULL;
	316
	317	fv = SCMalloc(sizeof(DetectFlowvarData));
	318	if (unlikely(fv == NULL))
	319	goto error;
	320	memset(fv, 0x00, sizeof(*fv));
	321
	322	/* we only need the idx */
	323	fv->idx = idx;
	324
	325	sm = SigMatchAlloc();
	326	if (sm == NULL)
	327	goto error;
	328
	329	sm->type = DETECT_FLOWVAR_POSTMATCH;
	330	sm->ctx = (void *)fv;
	331
	332	SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
	333	return 0;
	334	error:
	335	return -1;
	336	}
	337
	338	/** \internal
	339	* \brief post-match func to store flowvars in the flow
	340	* \param sm sigmatch containing the idx to store
	341	* \retval 1 or -1 in case of error
	342	*/
	343	static int DetectFlowvarPostMatch(ThreadVars tv, DetectEngineThreadCtx det_ctx, Packet p, Signature s, SigMatch *sm) {
344	DetectFlowvarList fs, prev;
345	DetectFlowvarData *fd;
346
347	if (det_ctx->flowvarlist == NULL \|\| p->flow == NULL)
348	return 1;
349
350	fd = (DetectFlowvarData *)sm->ctx;
351
352	prev = NULL;
353	fs = det_ctx->flowvarlist;
354	while (fs != NULL) {
355	if (fd->idx == fs->idx) {
356	FlowVarAddStr(p->flow, fs->idx, fs->buffer, fs->len);
357	/* memory at fs->buffer is now the responsibility of
358	* the flowvar code. */
359
360	if (fs == det_ctx->flowvarlist) {
361	det_ctx->flowvarlist = fs->next;
362	SCFree(fs);
363	fs = det_ctx->flowvarlist;
364	} else {
365	prev->next = fs->next;
366	SCFree(fs);
367	fs = prev->next;
368	}
369	} else {
370	prev = fs;
371	fs = fs->next;
372	}
373	}
374	return 1;
375	}
376
377	/** \brief Clean flowvar candidate list in det_ctx */
378	void DetectFlowvarCleanupList(DetectEngineThreadCtx *det_ctx) {
379	DetectFlowvarList fs, next;
380	if (det_ctx->flowvarlist != NULL) {
381	fs = det_ctx->flowvarlist;
382	while (fs != NULL) {
383	next = fs->next;
384	SCFree(fs->buffer);
385	SCFree(fs);
386	fs = next;
387	}
388
389	det_ctx->flowvarlist = NULL;
390	}
391	}
392