Project

General

Profile

Bug #292 ยป 0001-add-flowbits-set-only-sigs-to-be-treated-as-ip-only.patch

Victor Julien, 07/14/2011 04:03 AM

View differences:

src/detect-engine-iponly.c
48 48
#include "util-classification-config.h"
49 49
#include "util-rule-vars.h"
50 50

  
51
#include "flow-util.h"
51 52
#include "util-debug.h"
52 53
#include "util-unittest.h"
53 54
#include "util-unittest-helper.h"
......
919 920
    SCFree(io_tctx->sig_match_array);
920 921
}
921 922

  
923
static inline
924
int IPOnlyMatchCompatSMs(ThreadVars *tv,
925
                         DetectEngineThreadCtx *det_ctx,
926
                         Signature *s, Packet *p)
927
{
928
    SigMatch *sm = s->sm_lists[DETECT_SM_LIST_MATCH];
929
    int match;
930

  
931
    while (sm != NULL) {
932
        if (sm->type != DETECT_FLOWBITS) {
933
            sm = sm->next;
934
            continue;
935
        }
936

  
937
        match = sigmatch_table[sm->type].Match(tv, det_ctx, p, s, sm);
938
        if (match > 0) {
939
            sm = sm->next;
940
            continue;
941
        }
942
        return 0;
943
    }
944

  
945
    return 1;
946
}
947

  
922 948
/**
923 949
 * \brief Match a packet against the IP Only detection engine contexts
924 950
 *
......
927 953
 * \param io_ctx Pointer to the current ip only thread detection engine
928 954
 * \param p Pointer to the Packet to match against
929 955
 */
930
void IPOnlyMatchPacket(DetectEngineCtx *de_ctx,
956
void IPOnlyMatchPacket(ThreadVars *tv,
957
                       DetectEngineCtx *de_ctx,
931 958
                       DetectEngineThreadCtx *det_ctx,
932 959
                       DetectEngineIPOnlyCtx *io_ctx,
933 960
                       DetectEngineIPOnlyThreadCtx *io_tctx, Packet *p)
......
1002 1029
                    if (!(s->proto.proto[(IP_GET_IPPROTO(p)/8)] & (1 << (IP_GET_IPPROTO(p) % 8))))
1003 1030
                        continue;
1004 1031

  
1032
                    if (!IPOnlyMatchCompatSMs(tv, det_ctx, s, p)) {
1033
                        continue;
1034
                    }
1035

  
1005 1036
                    SCLogDebug("Signum %"PRIu16" match (sid: %"PRIu16", msg: %s)",
1006 1037
                               u * 8 + i, s->id, s->msg);
1007 1038

  
......
1998 2029
    return result;
1999 2030
}
2000 2031

  
2032
static int IPOnlyTestSig13(void)
2033
{
2034
    int result = 0;
2035
    DetectEngineCtx de_ctx;
2036

  
2037
    memset(&de_ctx, 0, sizeof(DetectEngineCtx));
2038

  
2039
    de_ctx.flags |= DE_QUIET;
2040

  
2041
    Signature *s = SigInit(&de_ctx,
2042
                           "alert tcp any any -> any any (msg:\"Test flowbits ip only\"; "
2043
                           "flowbits:set,myflow1; sid:1; rev:1;)");
2044
    if (s == NULL) {
2045
        goto end;
2046
    }
2047
    if (SignatureIsIPOnly(&de_ctx, s))
2048
        result = 1;
2049
    else
2050
        printf("expected a IPOnly signature: ");
2051

  
2052
    SigFree(s);
2053
end:
2054
    return result;
2055
}
2056

  
2057
static int IPOnlyTestSig14(void)
2058
{
2059
    int result = 0;
2060
    DetectEngineCtx de_ctx;
2061

  
2062
    memset(&de_ctx, 0, sizeof(DetectEngineCtx));
2063

  
2064
    de_ctx.flags |= DE_QUIET;
2065

  
2066
    Signature *s = SigInit(&de_ctx,
2067
                           "alert tcp any any -> any any (msg:\"Test flowbits ip only\"; "
2068
                           "flowbits:set,myflow1; flowbits:isset,myflow2; sid:1; rev:1;)");
2069
    if (s == NULL) {
2070
        goto end;
2071
    }
2072
    if (SignatureIsIPOnly(&de_ctx, s))
2073
        printf("expected a IPOnly signature: ");
2074
    else
2075
        result = 1;
2076

  
2077
    SigFree(s);
2078
end:
2079
    return result;
2080
}
2081

  
2082
int IPOnlyTestSig15(void)
2083
{
2084
    int result = 0;
2085
    uint8_t *buf = (uint8_t *)"Hi all!";
2086
    uint16_t buflen = strlen((char *)buf);
2087

  
2088
    uint8_t numpkts = 1;
2089
    uint8_t numsigs = 7;
2090

  
2091
    Packet *p[1];
2092
    Flow f;
2093
    GenericVar flowvar;
2094
    memset(&f, 0, sizeof(Flow));
2095
    memset(&flowvar, 0, sizeof(GenericVar));
2096
    FLOW_INITIALIZE(&f);
2097

  
2098
    p[0] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
2099

  
2100
    p[0]->flow = &f;
2101
    p[0]->flow->flowvar = &flowvar;
2102
    p[0]->flags |= PKT_HAS_FLOW;
2103
    p[0]->flowflags |= FLOW_PKT_TOSERVER;
2104

  
2105
    char *sigs[numsigs];
2106
    sigs[0]= "alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; "
2107
        "flowbits:set,one; sid:1;)";
2108
    sigs[1]= "alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; "
2109
        "flowbits:set,two; sid:2;)";
2110
    sigs[2]= "alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; "
2111
        "flowbits:set,three; sid:3;)";
2112
    sigs[3]= "alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; "
2113
        "flowbits:set,four; sid:4;)";
2114
    sigs[4]= "alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; "
2115
        "flowbits:set,five; sid:5;)";
2116
    sigs[5]= "alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; "
2117
        "flowbits:set,six; sid:6;)";
2118
    sigs[6]= "alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; "
2119
        "flowbits:set,seven; content:\"Hi all\"; sid:7;)";
2120

  
2121
    /* Sid numbers (we could extract them from the sig) */
2122
    uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2123
    uint32_t results[7] = { 1, 1, 1, 1, 1, 1, 1};
2124

  
2125
    result = UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
2126

  
2127
    UTHFreePackets(p, numpkts);
2128

  
2129
    FLOW_DESTROY(&f);
2130
    return result;
2131
}
2132

  
2001 2133
#endif /* UNITTESTS */
2002 2134

  
2003 2135
void IPOnlyRegisterTests(void) {
......
2016 2148
    UtRegisterTest("IPOnlyTestSig10", IPOnlyTestSig10, 1);
2017 2149
    UtRegisterTest("IPOnlyTestSig11", IPOnlyTestSig11, 1);
2018 2150
    UtRegisterTest("IPOnlyTestSig12", IPOnlyTestSig12, 1);
2151
    UtRegisterTest("IPOnlyTestSig13", IPOnlyTestSig13, 1);
2152
    UtRegisterTest("IPOnlyTestSig14", IPOnlyTestSig14, 1);
2153
    UtRegisterTest("IPOnlyTestSig15", IPOnlyTestSig15, 1);
2019 2154
#endif
2155

  
2156
    return;
2020 2157
}
2021 2158

  
src/detect-engine-iponly.h
51 51
int IPOnlyCIDRItemSetup(IPOnlyCIDRItem *gh, char *s);
52 52

  
53 53
void IPOnlyCIDRListPrint(IPOnlyCIDRItem *);
54
void IPOnlyMatchPacket(DetectEngineCtx *, DetectEngineThreadCtx *,
55
                       DetectEngineIPOnlyCtx *, DetectEngineIPOnlyThreadCtx *,
56
                       Packet *);
54
void IPOnlyMatchPacket(ThreadVars *tv, DetectEngineCtx *,
55
                       DetectEngineThreadCtx *, DetectEngineIPOnlyCtx *,
56
                       DetectEngineIPOnlyThreadCtx *, Packet *);
57 57
void IPOnlyInit(DetectEngineCtx *, DetectEngineIPOnlyCtx *);
58 58
void IPOnlyPrint(DetectEngineCtx *, DetectEngineIPOnlyCtx *);
59 59
void IPOnlyDeinit(DetectEngineCtx *, DetectEngineIPOnlyCtx *);
src/detect-flowbits.c
61 61
    sigmatch_table[DETECT_FLOWBITS].Setup = DetectFlowbitSetup;
62 62
    sigmatch_table[DETECT_FLOWBITS].Free  = DetectFlowbitFree;
63 63
    sigmatch_table[DETECT_FLOWBITS].RegisterTests = FlowBitsRegisterTests;
64
    /* this is compatible to ip-only signatures */
65
    sigmatch_table[DETECT_FLOWBITS].flags |= SIGMATCH_IPONLY_COMPAT;
64 66

  
65 67
    const char *eb;
66 68
    int eo;
......
750 752
    p->payload_len = buflen;
751 753
    p->proto = IPPROTO_TCP;
752 754
    p->flags |= PKT_HAS_FLOW;
755
    p->flowflags |= FLOW_PKT_TOSERVER;
753 756

  
754 757
    de_ctx = DetectEngineCtxInit();
755 758

  
src/detect.c
1352 1352
        {
1353 1353
            SCLogDebug("testing against \"ip-only\" signatures");
1354 1354

  
1355
            IPOnlyMatchPacket(de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);
1355
            IPOnlyMatchPacket(th_v, de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);
1356 1356
            /* save in the flow that we scanned this direction... locking is
1357 1357
             * done in the FlowSetIPOnlyFlag function. */
1358 1358
            FlowSetIPOnlyFlag(p->flow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
......
1383 1383
    } else {
1384 1384
        /* no flow */
1385 1385
        /* Even without flow we should match the packet src/dst */
1386
        IPOnlyMatchPacket(de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);
1386
        IPOnlyMatchPacket(th_v, de_ctx, det_ctx, &de_ctx->io_ctx,
1387
                          &det_ctx->io_ctx, p);
1387 1388

  
1388 1389
        det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
1389 1390
    }
......
1914 1915
    if (sm == NULL)
1915 1916
        goto iponly;
1916 1917

  
1917
    for ( ;sm != NULL; sm = sm->next) {
1918
    for ( ; sm != NULL; sm = sm->next) {
1918 1919
        if ( !(sigmatch_table[sm->type].flags & SIGMATCH_IPONLY_COMPAT))
1919 1920
            return 0;
1921
        /* we have enabled flowbits to be compatible with ip only sigs, as long
1922
         * as the sig only has a "set" flowbits */
1923
        if (sm->type == DETECT_FLOWBITS &&
1924
            (((DetectFlowbitsData *)sm->ctx)->cmd != DETECT_FLOWBITS_CMD_SET) ) {
1925
            return 0;
1926
        }
1920 1927
    }
1921 1928

  
1922 1929
iponly:
src/util-var-name.c
121 121
    if (variable_names != NULL) {
122 122
        HashListTableFree(variable_names);
123 123
        HashListTableFree(variable_idxs);
124
        variable_names = NULL;
125
        variable_idxs = NULL;
124 126
    }
125 127
}
126 128

  
......
195 197
error:
196 198
    VariableNameFree(fn);
197 199
    return NULL;
198
}
200
}
    (1-1/1)