From 37024f282947d95ecc8d23738fab3dfc51c0c553 Mon Sep 17 00:00:00 2001
From: Anoop Saldanha
Date: Wed, 2 Dec 2009 11:51:53 +0530
Subject: [PATCH] Fix for handling negated content "\!CONTENT"
---
 src/detect-content.c | 40 ++++++++++++++++++++++++++++++++++++++++
 1 files changed, 40 insertions(+), 0 deletions(-)
diff --git a/src/detect-content.c b/src/detect-content.c
index 33df3d4..3737be7 100644
--- a/src/detect-content.c
+++ b/src/detect-content.c
@@ -612,6 +612,20 @@ DetectContentData *DetectContentParse (char *contentstr)
 free(temp);
+ if (str[0] == '!') {
+ if (cd->negated == 1) {
+ SCLogDebug("Invalid negated content. \"!\" located twice at the "
+ "start of the contet string: %s", contentstr);
+ goto error;
+ } else {
+ temp = str;
+ if ( (str = strdup(temp + 1)) == NULL)
+ goto error;
+ cd->negated = 1;
+ free(temp);
+ }
+ }
+
 len = strlen(str);
 if (len == 0) goto error;
@@ -2599,6 +2613,19 @@ int DetectContentParseNegTest12(void) {
 return result;
 }
+int DetectContentParseNegTest13(void) {
+ int result = 0;
+ DetectContentData *cd = NULL;
+ char *teststring = "\"!boo\"";
+
+ cd = DetectContentParse(teststring);
+ if (cd != NULL) {
+ result = (cd->negated == 1);
+ DetectContentFree(cd);
+ }
+ return result;
+}
+
 static int SigTestPositiveTestContent(char *rule, uint8_t *buf) {
 uint16_t buflen = strlen((char *)buf);
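Review bot: The added `str[0] == '!'` check appears to run after the surrounding quotes have been stripped (the quote handling sits above the hunk, so this is inferred from the `"\"!boo\""` and `content:\"!PASS\"` tests later in the patch), which makes `content:"!PASS"` mean "not PASS" rather than the literal bytes `!PASS`. A rule written to match a payload that begins with `!` would then silently invert and stop alerting; if that is the intended syntax, a comment above the check should say so and point rule writers at the hex form (`|21|`) for a literal `!`, otherwise negation should only be accepted outside the quotes. The double-negation rejection is reported with `SCLogDebug`, so in a non-debug build the rule is dropped with no visible reason; an error-level message would serve rule writers better, and `contet` in that message should read `content`. DetectContentParse starts and ends outside the hunk, so what the `error:` label releases on the `strdup` failure path, where the old buffer is reachable only through `temp`, cannot be confirmed from here.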
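Review bot: DetectContentParseNegTest13 asserts only `cd->negated == 1`, so it would still pass if the leading `!` were left inside the stored pattern, and nothing in the patch exercises the new `goto error` branch for a doubled `!`. Comparing the parsed pattern and its length against `boo` would close the first gap, and a companion test that negates both outside and inside the quotes and expects a NULL return would pin the rejection. That companion assumes the parser already sets `negated` for a `!` placed before the opening quote, which is handled outside this hunk, and it needs its own `UtRegisterTest` line in DetectContentRegisterTests.

```c
/* suggested companion test: "!" both outside and inside the quotes must be rejected */
int DetectContentParseNegTest14(void) {
    int result = 0;
    DetectContentData *cd = NULL;
    char *teststring = "!\"!boo\"";

    cd = DetectContentParse(teststring);
    if (cd == NULL) {
        result = 1;
    } else {
        DetectContentFree(cd);
    }
    return result;
}
```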
@@ -2940,6 +2967,16 @@ static int SigTest73TestNegatedContent(void)
 return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:5; content:!twentythree; depth:35; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
 }
+static int SigTest74TestNegatedContent(void)
+{
+ return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:!\"PASS\"; sid:1;)", (uint8_t *)"USER apple");
+}
+
+static int SigTest75TestNegatedContent(void)
+{
+ return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:\"!PASS\"; sid:1;)", (uint8_t *)"USER apple");
+}
+
 #endif /* UNITTESTS */
 /**
@@ -2960,6 +2997,7 @@ void DetectContentRegisterTests(void)
 UtRegisterTest("DetectContentParseTest10", DetectContentParseTest10, 1);
 UtRegisterTest("DetectContentParseTest11", DetectContentParseNegTest11, 1);
 UtRegisterTest("DetectContentParseTest12", DetectContentParseNegTest12, 1);
+ UtRegisterTest("DetectContentParseTest13", DetectContentParseNegTest13, 1);
 UtRegisterTest("DetectContentChunkTestB2G01 l=32", DetectContentChunkTestB2G01, 1);
 UtRegisterTest("DetectContentChunkTestB3G01 l=32", DetectContentChunkTestB3G01, 1);
@@ -3015,6 +3053,8 @@ void DetectContentRegisterTests(void)
 UtRegisterTest("SigTest71TestNegatedContent", SigTest71TestNegatedContent, 1);
 UtRegisterTest("SigTest72TestNegatedContent", SigTest72TestNegatedContent, 1);
 UtRegisterTest("SigTest73TestNegatedContent", SigTest73TestNegatedContent, 1);
+ UtRegisterTest("SigTest74TestNegatedContent", SigTest74TestNegatedContent, 1);
+ UtRegisterTest("SigTest75TestNegatedContent", SigTest75TestNegatedContent, 1);
 #endif /* UNITTESTS */
 }
--
1.5.5
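Review bot: SigTest74TestNegatedContent and SigTest75TestNegatedContent only cover a payload in which `PASS` is absent, so both would still pass if the negated keyword were parsed and then ignored at match time. Each quoting form needs a counterpart where the pattern is present and no alert is expected, for example `return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:\"!PASS\"; sid:1;)", (uint8_t *)"USER PASS");`, assuming that helper reports success when nothing fires, as its use in SigTest73TestNegatedContent suggests. A one-line comment on SigTest75TestNegatedContent stating that a `!` inside the quotes is treated as negation would also document the behaviour the test pins down.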