Bug #1 » 0001-Fix-for-bug-1.-Fixes-the-conflict-between-distance.patch
| src/detect-content.c | ||
|---|---|---|
|
}
|
||
|
/**
|
||
|
* \brief Validates the modifiers for a "content" keyword.
|
||
|
*
|
||
|
* \param m Pointer to the SigMatch corresponding to the content keyword that
|
||
|
* has to be checked.
|
||
|
*
|
||
|
* \retval 1 If all the modifiers and their arguments agree with each other.
|
||
|
* \retval 0 If some modifier(s) hold values that don't agree with others.
|
||
|
*/
|
||
|
int DetectContentValidateModifiers(SigMatch *m)
|
||
|
{
|
||
|
DetectContentData *cd = (DetectContentData *)m->ctx;
|
||
|
int result = 0;
|
||
|
/* if the content keyword has both the distance and within keywords, check
|
||
|
* that the values specified for these keywords don't conflict with each
|
||
|
* other */
|
||
|
if ((cd->flags & DETECT_CONTENT_WITHIN) &&
|
||
|
(cd->flags & DETECT_CONTENT_DISTANCE)) {
|
||
|
if (((int)cd->within - (int)cd->distance) < (int)cd->content_len) {
|
||
|
SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid signature. The "
|
||
|
"distance and the within do not agree with each other. "
|
||
|
"Invalidating signature");
|
||
|
goto end;
|
||
|
}
|
||
|
}
|
||
|
/* if we have passed all validations successfully, we return a success */
|
||
|
result = 1;
|
||
|
end:
|
||
|
return result;
|
||
|
}
|
||
|
/**
|
||
|
* \brief Function to setup a content pattern. Patterns that doesn't fit the
|
||
|
* current max_pattern_length, are splitted into multiple chunks in independent
|
||
|
* DetectContentData structures with it's own modifiers. Each modifier must be
|
||
| ... | ... | |
|
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:\"!PASS\"; sid:1;)", (uint8_t *)"USER !PASS");
|
||
|
}
|
||
|
int DetectContentTestDistanceWithinConflict(void)
|
||
|
{
|
||
|
Signature *s = NULL;
|
||
|
int result = 0;
|
||
|
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
|
||
|
if (de_ctx == NULL)
|
||
|
goto end;
|
||
|
de_ctx->mpm_matcher = MPM_B2G;
|
||
|
char *sigstr = "alert tcp any any -> any any (msg:\"distance within conflict test\"; "
|
||
|
"content:one; content:two; distance:1; within:3; sid:1;)";
|
||
|
s = SigInit(de_ctx, sigstr);
|
||
|
if (s != NULL)
|
||
|
goto end;
|
||
|
result = 1;
|
||
|
end:
|
||
|
SigCleanSignatures(de_ctx);
|
||
|
if (de_ctx != NULL)
|
||
|
DetectEngineCtxFree(de_ctx);
|
||
|
return result;
|
||
|
}
|
||
|
#endif /* UNITTESTS */
|
||
|
/**
|
||
| ... | ... | |
|
UtRegisterTest("SigTest74TestNegatedContent", SigTest74TestNegatedContent, 1);
|
||
|
UtRegisterTest("SigTest75TestNegatedContent", SigTest75TestNegatedContent, 1);
|
||
|
UtRegisterTest("DetectContentTestDistanceWithinConflict",
|
||
|
DetectContentTestDistanceWithinConflict, 1);
|
||
|
#endif /* UNITTESTS */
|
||
|
}
|
||
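Review bot: The comparison `if (((int)cd->within - (int)cd->distance) < (int)cd->content_len)` in DetectContentValidateModifiers assumes `within` is counted from the end of the previous match, so that `distance` eats into it, but neither the comment above it nor the error text says so. A rule rejected here never loads and leaves a detection gap, so the assumption should be confirmed against what the matcher does and then written down, e.g. `/* within is counted from the end of the previous match: after skipping distance bytes the window must still hold content_len bytes */`. The SCLogError message would also be easier to act on if it printed the within, distance and content length values that failed the check. In DetectContentTestDistanceWithinConflict, `SigCleanSignatures(de_ctx);` runs before the `de_ctx != NULL` guard, so the DetectEngineCtxInit failure path hands it NULL; moving the call inside the guard avoids that. A second test for an accepted boundary case (`distance:1; within:4;` with the same contents) would pin the `<`.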
| src/detect-content.h | ||
|---|---|---|
|
int DetectContentPropagateDistance(SigMatch *);
|
||
|
int DetectContentPropagateIsdataat(SigMatch *);
|
||
|
int DetectContentValidateModifiers(SigMatch *);
|
||
|
/** This shall not be called from outside detect-content.c (used internally)*/
|
||
|
int DetectContentPropagateModifiers(SigMatch *);
|
||
| src/detect-distance.c | ||
|---|---|---|
|
cd->distance = strtol(str, NULL, 10);
|
||
|
cd->flags |= DETECT_CONTENT_DISTANCE;
|
||
|
if (!DetectContentValidateModifiers(pm))
|
||
|
goto error;
|
||
|
/** Propagate the modifiers through the first chunk
|
||
|
* (SigMatch) if we're dealing with chunks */
|
||
|
if (cd->flags & DETECT_CONTENT_IS_CHUNK)
|
||
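Review bot: The `DetectContentValidateModifiers(pm)` call is only as reliable as the value parsed just above it, and `cd->distance = strtol(str, NULL, 10);` has no end-pointer or errno check. A non-numeric argument is stored as 0 and an out-of-range one as whatever the field type keeps of LONG_MAX/LONG_MIN, after which the validator casts it to `int` and subtracts. Parsing into a local first, `long v = strtol(str, &end, 10);` followed by `if (end == str || *end != '\0' || errno == ERANGE || v < INT_MIN || v > INT_MAX) goto error;` (with `errno = 0` set beforehand), would keep a malformed rule from either slipping past the conflict check or being rejected for the wrong reason. The same applies to `cd->within = strtol(str, NULL, 10);` in src/detect-within.c. The enclosing function starts and ends outside this hunk, so the `error` label and any earlier checks on `str` are assumed rather than seen.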
| src/detect-within.c | ||
|---|---|---|
|
cd->within = strtol(str, NULL, 10);
|
||
|
cd->flags |= DETECT_CONTENT_WITHIN;
|
||
|
if (!DetectContentValidateModifiers(pm))
|
||
|
goto error;
|
||
|
/** Propagate the modifiers through the first chunk
|
||
|
* (SigMatch) if we're dealing with chunks */
|
||
|
if (cd->flags & DETECT_CONTENT_IS_CHUNK)
|
||