Bug #212 » 0001-fix-false-positives-for-a-negated-content-case.patch
| src/detect-engine-payload.c | ||
|---|---|---|
|
* \retval 1 match
|
||
|
*/
|
||
|
static int DoInspectPacketPayload(DetectEngineCtx *de_ctx,
|
||
|
DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch *sm,
|
||
|
Packet *p, Flow *f, uint8_t *payload, uint32_t payload_len)
|
||
|
DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch *sm,
|
||
|
Packet *p, Flow *f, uint8_t *payload, uint32_t payload_len)
|
||
|
{
|
||
|
SCEnter();
|
||
| ... | ... | |
|
} else if (found == NULL && cd->flags & DETECT_CONTENT_NEGATED) {
|
||
|
goto match;
|
||
|
} else if (found != NULL && cd->flags & DETECT_CONTENT_NEGATED) {
|
||
|
match_offset = (uint32_t)((found - payload) + cd->content_len);
|
||
|
SCLogDebug("content %"PRIu32" matched at offset %"PRIu32", but negated so no match", cd->id, match_offset);
|
||
|
/* don't bother carrying recursive matches now, for preceding
|
||
|
* relative keywords */
|
||
|
det_ctx->discontinue_matching = 1;
|
||
|
SCReturnInt(0);
|
||
|
} else {
|
||
|
match_offset = (uint32_t)((found - payload) + cd->content_len);
|
||
| ... | ... | |
|
SCReturnInt(1);
|
||
|
}
|
||
|
if (det_ctx->discontinue_matching)
|
||
|
SCReturnInt(0);
|
||
|
/* set the previous match offset to the start of this match + 1 */
|
||
|
prev_offset = (match_offset - (cd->content_len - 1));
|
||
|
SCLogDebug("trying to see if there is another match after prev_offset %"PRIu32, prev_offset);
|
||
| ... | ... | |
|
}
|
||
|
det_ctx->payload_offset = 0;
|
||
|
det_ctx->discontinue_matching = 0;
|
||
|
r = DoInspectPacketPayload(de_ctx, det_ctx, s, s->pmatch, p, f, p->payload, p->payload_len);
|
||
|
if (r == 1) {
|
||
| ... | ... | |
|
return result;
|
||
|
}
|
||
|
/**
|
||
|
* \test Test multiple relative matches with negative matches
|
||
|
* and show the need for det_ctx->discontinue_matching.
|
||
|
*/
|
||
|
static int PayloadTestSig08(void)
|
||
|
{
|
||
|
uint8_t *buf = (uint8_t *)"we need to fix this and yes fix this now";
|
||
|
uint16_t buflen = strlen((char *)buf);
|
||
|
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
|
||
|
int result = 0;
|
||
|
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
|
||
|
"content:fix; content:this; within:6; content:!\"and\"; distance:0; sid:1;)";
|
||
|
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 1) {
|
||
|
result = 0;
|
||
|
goto end;
|
||
|
}
|
||
|
result = 1;
|
||
|
end:
|
||
|
if (p != NULL)
|
||
|
UTHFreePacket(p);
|
||
|
return result;
|
||
|
}
|
||
|
#endif /* UNITTESTS */
|
||
|
void PayloadRegisterTests(void) {
|
||
| ... | ... | |
|
UtRegisterTest("PayloadTestSig05", PayloadTestSig05, 1);
|
||
|
UtRegisterTest("PayloadTestSig06", PayloadTestSig06, 1);
|
||
|
UtRegisterTest("PayloadTestSig07", PayloadTestSig07, 1);
|
||
|
UtRegisterTest("PayloadTestSig08", PayloadTestSig08, 1);
|
||
|
#endif /* UNITTESTS */
|
||
|
}
|
||
| src/detect.h | ||
|---|---|---|
|
* uricontent */
|
||
|
uint32_t uricontent_payload_offset;
|
||
|
/* used to discontinue any more matching */
|
||
|
int discontinue_matching;
|
||
|
/* dce stub data */
|
||
|
uint8_t *dce_stub_data;
|
||
|
/* dce stub data len */
|
||