
Bug #1 » 0001-Fix-for-bug-1.-Fixes-the-conflict-between-distance.patch

Anoop Saldanha, 02/17/2010 07:23 AM


src/detect-content.c
}
/**
* \brief Validates the modifiers for a "content" keyword.
*
* \param m Pointer to the SigMatch corresponding to the content keyword that
* has to be checked.
*
* \retval 1 If all the modifiers and their arguments agree with each other.
* \retval 0 If some modifier(s) hold values that don't agree with others.
*/
int DetectContentValidateModifiers(SigMatch *m)
{
DetectContentData *cd = (DetectContentData *)m->ctx;
int result = 0;
/* if the content keyword has both the distance and within keywords, check
* that the values specified for these keywords don't conflict with each
* other */
if ((cd->flags & DETECT_CONTENT_WITHIN) &&
(cd->flags & DETECT_CONTENT_DISTANCE)) {
if (((int)cd->within - (int)cd->distance) < (int)cd->content_len) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid signature. The "
"distance and the within do not agree with each other. "
"Invalidating signature");
goto end;
}
}
/* if we have passed all validations successfully, we return a success */
result = 1;
end:
return result;
}
/**
* \brief Function to setup a content pattern. Patterns that doesn't fit the
* current max_pattern_length, are splitted into multiple chunks in independent
* DetectContentData structures with it's own modifiers. Each modifier must be
......
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:\"!PASS\"; sid:1;)", (uint8_t *)"USER !PASS");
}
int DetectContentTestDistanceWithinConflict(void)
{
Signature *s = NULL;
int result = 0;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->mpm_matcher = MPM_B2G;
char *sigstr = "alert tcp any any -> any any (msg:\"distance within conflict test\"; "
"content:one; content:two; distance:1; within:3; sid:1;)";
s = SigInit(de_ctx, sigstr);
if (s != NULL)
goto end;
result = 1;
end:
SigCleanSignatures(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
#endif /* UNITTESTS */
/**
......
UtRegisterTest("SigTest74TestNegatedContent", SigTest74TestNegatedContent, 1);
UtRegisterTest("SigTest75TestNegatedContent", SigTest75TestNegatedContent, 1);
UtRegisterTest("DetectContentTestDistanceWithinConflict",
DetectContentTestDistanceWithinConflict, 1);
#endif /* UNITTESTS */
}
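Review bot: The conflict check in DetectContentValidateModifiers does its arithmetic after casting `within`, `distance` and `content_len` to `int`, so the subtraction can overflow, or the casts can truncate, if the fields are wider than int or hold extreme values. The field types are declared outside this section, so this is inferred rather than confirmed. Computing in a wider type keeps the comparison well defined for any parsed value, e.g. `if ((int64_t)cd->within - (int64_t)cd->distance < (int64_t)cd->content_len) {`. Separately, in DetectContentTestDistanceWithinConflict the `end:` label calls `SigCleanSignatures(de_ctx)` before the `de_ctx != NULL` test, so a failed DetectEngineCtxInit() passes NULL to it. Moving that call inside the NULL guard removes the dependency on how SigCleanSignatures treats a NULL context.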
src/detect-content.h
int DetectContentPropagateDistance(SigMatch *);
int DetectContentPropagateIsdataat(SigMatch *);
int DetectContentValidateModifiers(SigMatch *);
/** This shall not be called from outside detect-content.c (used internally)*/
int DetectContentPropagateModifiers(SigMatch *);
src/detect-distance.c
cd->distance = strtol(str, NULL, 10);
cd->flags |= DETECT_CONTENT_DISTANCE;
if (!DetectContentValidateModifiers(pm))
goto error;
/** Propagate the modifiers through the first chunk
* (SigMatch) if we're dealing with chunks */
if (cd->flags & DETECT_CONTENT_IS_CHUNK)
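Review bot: `cd->distance` is assigned from `strtol(str, NULL, 10)` with no end-pointer or `errno` check, so non-numeric or out-of-range rule text reaches DetectContentValidateModifiers as 0 or a clamped value, and the conflict check is then decided on a number the rule author never wrote. The page does not show whether the strtol line is part of this change or surrounding context. Either way the validation call is only meaningful after a checked parse, e.g. `errno = 0; long v = strtol(str, &end, 10);` followed by `if (end == str || errno == ERANGE) goto error;`. The same applies to `cd->within` in src/detect-within.c. The enclosing function and its `error` label are outside the hunk, so confirm that path releases whatever was allocated before this point.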
src/detect-within.c
cd->within = strtol(str, NULL, 10);
cd->flags |= DETECT_CONTENT_WITHIN;
if (!DetectContentValidateModifiers(pm))
goto error;
/** Propagate the modifiers through the first chunk
* (SigMatch) if we're dealing with chunks */
if (cd->flags & DETECT_CONTENT_IS_CHUNK)