Project

General

Profile

Actions

Feature #423

closed

pkt_data keyword

Added by Victor Julien over 12 years ago. Updated about 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Should be simple as file_data just sets a flag during parsing, so pkt_data should unset this flag.

Actions #1

Updated by Victor Julien over 12 years ago

  • Due date set to 03/27/2012
  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Xavier Lange

DetectFiledataSetup sets the per signature flag SIG_FLAG_INIT_FILE_DATA when "file_data" is encountered in a rule. The pkt_data code should simply unset it.

Please add some unittests that show this parsing in action.

Actions #2

Updated by Victor Julien over 12 years ago

  • Tracker changed from Bug to Feature
Actions #3

Updated by Victor Julien over 12 years ago

  • Target version changed from 1.3beta1 to 1.3beta2
Actions #4

Updated by Victor Julien over 12 years ago

  • Target version changed from 1.3beta2 to 1.4
Actions #5

Updated by Victor Julien over 12 years ago

  • Target version changed from 1.4 to 1.4beta2
Actions #6

Updated by Victor Julien over 12 years ago

  • Due date changed from 03/27/2012 to 08/31/2012
Actions #7

Updated by Xavier Lange about 12 years ago

This is a feature request for something done in Snort and it essentially forces pattern match from the beginning of a stream, not it's "body".

As for unit testing this rule, from Victor:

check for example DetectHttpServerBodyTest01. It parses a
sig and checks the internal state of the Signature structure. In such a
test you can for example test 'file_data; content:"http"; pkt_data;
content:"packet";'
This should result in 2 sigmatches, one in the http server body list,
the other in the pattern list.
Actions #8

Updated by Xavier Lange about 12 years ago

Getting closer. I have a pkt-data.c in place and compiling but I need to get a handle on the sig (out of the engine) so I can check that the flag is set properly. Any tips on that?

Actions #9

Updated by Victor Julien about 12 years ago

What are you trying to do? Can you show some code?

Actions #10

Updated by Xavier Lange about 12 years ago

Hey Victor, why do you think the engine is not loading the rule in to sig_lists? Do I need to do something else after calling SigInit?

Take a look at the most recent branch diff. It shows a fully-registered unit test. https://github.com/xrl/suricata/compare/keyword-pkt_data

I run the unit test with this command: "./src/suricata -u -U PktData"

Actions #11

Updated by Victor Julien about 12 years ago

Right, SigInit doesn't do that. Other tests use it like this:

    de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:39; sid:1;)");
    if (de_ctx->sig_list == NULL) {
Actions #12

Updated by Victor Julien about 12 years ago

  • Due date changed from 08/31/2012 to 10/05/2012
  • Target version changed from 1.4beta2 to 1.4beta3
Actions #13

Updated by Victor Julien about 12 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100
Actions

Also available in: Atom PDF