Feature #423
pkt_data keyword (closed)
Added by Victor Julien about 14 years ago. Updated over 13 years ago.
Description
Should be simple, as file_data just sets a flag during parsing, so pkt_data should unset this flag.
Updated by Victor Julien about 14 years ago #1
- Due date set to 03/27/2012
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Xavier Lange
DetectFiledataSetup sets the per signature flag SIG_FLAG_INIT_FILE_DATA when "file_data" is encountered in a rule. The pkt_data code should simply unset it.
Please add some unittests that show this parsing in action.
Updated by Victor Julien about 14 years ago #2
- Tracker changed from Bug to Feature
Updated by Victor Julien about 14 years ago #3
- Target version changed from 1.3beta1 to 1.3beta2
Updated by Victor Julien almost 14 years ago #4
- Target version changed from 1.3beta2 to 1.4
Updated by Victor Julien over 13 years ago #5
- Target version changed from 1.4 to 1.4beta2
Updated by Victor Julien over 13 years ago #6
- Due date changed from 03/27/2012 to 08/31/2012
Updated by Xavier Lange over 13 years ago #7
This is a feature request for something done in Snort and it essentially forces pattern match from the beginning of a stream, not its "body".
As for unit testing this rule, from Victor:
check for example DetectHttpServerBodyTest01. It parses a sig and checks the internal state of the Signature structure. In such a test you can for example test 'file_data; content:"http"; pkt_data; content:"packet";'
This should result in 2 sigmatches, one in the http server body list, the other in the pattern list.
Updated by Xavier Lange over 13 years ago #8
Getting closer. I have a pkt-data.c in place and compiling but I need to get a handle on the sig (out of the engine) so I can check that the flag is set properly. Any tips on that?
Updated by Victor Julien over 13 years ago #9
What are you trying to do? Can you show some code?
Updated by Xavier Lange over 13 years ago #10
Hey Victor, why do you think the engine is not loading the rule into sig_lists? Do I need to do something else after calling SigInit?
Take a look at the most recent branch diff. It shows a fully-registered unit test. https://github.com/xrl/suricata/compare/keyword-pkt_data
I run the unit test with this command: "./src/suricata -u -U PktData"
Updated by Victor Julien over 13 years ago #11
Right, SigInit doesn't do that. Other tests use it like this:
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:39; sid:1;)");
if (de_ctx->sig_list == NULL) {
Updated by Victor Julien over 13 years ago #12
- Due date changed from 08/31/2012 to 10/05/2012
- Target version changed from 1.4beta2 to 1.4beta3
Updated by Victor Julien over 13 years ago #13
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Merged https://github.com/inliniac/suricata/pull/191, thanks Xavier.
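A toy model of the parse-time behaviour described in comments #1 and #7, added here as an example; it is not Suricata's code. The SigModel struct and parse_options are hypothetical stand-ins for the Signature structure and the rule option parser, and only file_data, pkt_data and content: are interpreted.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define SIG_FLAG_INIT_FILE_DATA (1u << 0) /* set by file_data, cleared by pkt_data */

/* Hypothetical stand-in for the parts of Suricata's Signature this concerns. */
typedef struct {
    unsigned init_flags;      /* parse-time per-signature flags */
    int http_server_body_cnt; /* contents placed in the HTTP server body list */
    int payload_cnt;          /* contents placed in the packet payload list */
} SigModel;

/* Walk a rule's option string (the part inside the parentheses), applying the
 * keyword semantics from the ticket; other options such as msg: or sid: are
 * skipped. Returns the total number of content sigmatches created. */
static int parse_options(const char *opts, SigModel *s)
{
    memset(s, 0, sizeof(*s));
    for (const char *p = opts; *p != '\0'; ) {
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0') break;
        const char *end = strchr(p, ';');  /* a literal ';' in content is escaped as |3B| */
        size_t n = end ? (size_t)(end - p) : strlen(p);
        while (n > 0 && isspace((unsigned char)p[n - 1])) n--;
        if (n == 9 && strncmp(p, "file_data", 9) == 0)
            s->init_flags |= SIG_FLAG_INIT_FILE_DATA;  /* what DetectFiledataSetup does */
        else if (n == 8 && strncmp(p, "pkt_data", 8) == 0)
            s->init_flags &= ~SIG_FLAG_INIT_FILE_DATA; /* pkt_data simply unsets it */
        else if (n > 8 && strncmp(p, "content:", 8) == 0) {
            if (s->init_flags & SIG_FLAG_INIT_FILE_DATA) s->http_server_body_cnt++;
            else s->payload_cnt++;
        }
        if (end == NULL) break;
        p = end + 1;
    }
    return s->http_server_body_cnt + s->payload_cnt;
}

int main(void)
{
    SigModel s;
    int total = parse_options("file_data; content:\"http\"; pkt_data; content:\"packet\";", &s);
    printf("%d sigmatches: %d http server body, %d payload\n", total,
           s.http_server_body_cnt, s.payload_cnt); /* 2 sigmatches: 1 http server body, 1 payload */
    return 0;
}
```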