Feature #494 » 0002-sig-add-l3_proto-keyword.patch
| src/Makefile.am | ||
|---|---|---|
|
detect-bytetest.c detect-bytetest.h \
|
||
|
detect-bytejump.c detect-bytejump.h \
|
||
|
detect-sameip.c detect-sameip.h \
|
||
|
detect-l3proto.c detect-l3proto.h \
|
||
|
detect-ipproto.c detect-ipproto.h \
|
||
|
detect-within.c detect-within.h \
|
||
|
detect-distance.c detect-distance.h \
|
||
| src/detect-l3proto.c | ||
|---|---|---|
|
/* Copyright (C) 2012 Open Information Security Foundation
|
||
|
*
|
||
|
* You can copy, redistribute or modify this Program under the terms of
|
||
|
* the GNU General Public License version 2 as published by the Free
|
||
|
* Software Foundation.
|
||
|
*
|
||
|
* This program is distributed in the hope that it will be useful,
|
||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
|
* GNU General Public License for more details.
|
||
|
*
|
||
|
* You should have received a copy of the GNU General Public License
|
||
|
* version 2 along with this program; if not, write to the Free Software
|
||
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
||
|
* 02110-1301, USA.
|
||
|
*/
|
||
|
/**
|
||
|
* \file
|
||
|
*
|
||
|
* \author Eric Leblond <eric@regit.org>
|
||
|
*
|
||
|
*
|
||
|
* Implements the l3_proto keyword
|
||
|
*/
|
||
|
#include "suricata-common.h"
|
||
|
#include "debug.h"
|
||
|
#include "decode.h"
|
||
|
#include "detect.h"
|
||
|
#include "detect-ipproto.h"
|
||
|
#include "detect-parse.h"
|
||
|
#include "detect-engine.h"
|
||
|
#include "detect-engine-mpm.h"
|
||
|
#include "detect-engine-siggroup.h"
|
||
|
#include "detect-engine-address.h"
|
||
|
#include "util-byte.h"
|
||
|
#include "util-unittest.h"
|
||
|
#include "util-unittest-helper.h"
|
||
|
#include "util-debug.h"
|
||
|
static int DetectL3ProtoSetup(DetectEngineCtx *, Signature *, char *);
|
||
|
void DetectL3ProtoRegister(void)
|
||
|
{
|
||
|
sigmatch_table[DETECT_L3PROTO].name = "l3_proto";
|
||
|
sigmatch_table[DETECT_L3PROTO].Match = NULL;
|
||
|
sigmatch_table[DETECT_L3PROTO].Setup = DetectL3ProtoSetup;
|
||
|
sigmatch_table[DETECT_L3PROTO].Free = NULL;
|
||
|
sigmatch_table[DETECT_L3PROTO].RegisterTests = NULL;
|
||
|
return;
|
||
|
}
|
||
|
/**
|
||
|
* \internal
|
||
|
* \brief Setup l3_proto keyword.
|
||
|
*
|
||
|
* \param de_ctx Detection engine context
|
||
|
* \param s Signature
|
||
|
* \param optstr Options string
|
||
|
*
|
||
|
* \return Non-zero on error
|
||
|
*/
|
||
|
static int DetectL3ProtoSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
|
||
|
{
|
||
|
char *str = optstr;
|
||
|
char dubbed = 0;
|
||
|
/* strip "'s */
|
||
|
if (optstr[0] == '\"' && optstr[strlen(optstr) - 1] == '\"') {
|
||
|
str = SCStrdup(optstr + 1);
|
||
|
if (str == NULL)
|
||
|
goto error;
|
||
|
str[strlen(optstr) - 2] = '\0';
|
||
|
dubbed = 1;
|
||
|
}
|
||
|
/* reset possible any value */
|
||
|
if (s->proto.flags & DETECT_PROTO_ANY) {
|
||
|
s->proto.flags &= ~DETECT_PROTO_ANY;
|
||
|
}
|
||
|
/* authorized value, ip, any, ip4, ipv4, ip6, ipv6 */
|
||
|
if (strcasecmp(str,"ipv4") == 0 ||
|
||
|
strcasecmp(str,"ip4") == 0 ) {
|
||
|
if (s->proto.flags & DETECT_PROTO_IPV6) {
|
||
|
SCLogError(SC_ERR_INVALID_SIGNATURE, "Conflicting l3 proto specified");
|
||
|
goto error;
|
||
|
}
|
||
|
s->proto.flags |= DETECT_PROTO_IPV4;
|
||
|
SCLogDebug("IPv4 protocol detected");
|
||
|
} else if (strcasecmp(str,"ipv6") == 0 ||
|
||
|
strcasecmp(str,"ip6") == 0 ) {
|
||
|
if (s->proto.flags & DETECT_PROTO_IPV6) {
|
||
|
SCLogError(SC_ERR_INVALID_SIGNATURE, "Conflicting l3 proto specified");
|
||
|
goto error;
|
||
|
}
|
||
|
s->proto.flags |= DETECT_PROTO_IPV6;
|
||
|
SCLogDebug("IPv6 protocol detected");
|
||
|
} else if ((strcasecmp(str,"ip") == 0) ||
|
||
|
strcasecmp(str,"any") == 0 ) {
|
||
|
/* Proto "ip" is treated as an "any" */
|
||
|
s->proto.flags |= DETECT_PROTO_ANY;
|
||
|
SCLogDebug("IP protocol detected");
|
||
|
} else {
|
||
|
SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid l3 proto: \"%s\"", str);
|
||
|
goto error;
|
||
|
}
|
||
|
if (dubbed)
|
||
|
SCFree(str);
|
||
|
return 0;
|
||
|
error:
|
||
|
if (dubbed)
|
||
|
SCFree(str);
|
||
|
return -1;
|
||
|
}
|
||
| src/detect-l3proto.h | ||
|---|---|---|
|
/* Copyright (C) 2012 Open Information Security Foundation
|
||
|
*
|
||
|
* You can copy, redistribute or modify this Program under the terms of
|
||
|
* the GNU General Public License version 2 as published by the Free
|
||
|
* Software Foundation.
|
||
|
*
|
||
|
* This program is distributed in the hope that it will be useful,
|
||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
|
* GNU General Public License for more details.
|
||
|
*
|
||
|
* You should have received a copy of the GNU General Public License
|
||
|
* version 2 along with this program; if not, write to the Free Software
|
||
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
||
|
* 02110-1301, USA.
|
||
|
*/
|
||
|
/**
|
||
|
* \file
|
||
|
*
|
||
|
* \author Eric Leblond <eric@regit.org>
|
||
|
*
|
||
|
*/
|
||
|
#ifndef __DETECT_L3PROTO_H__
|
||
|
#define __DETECT_L3PROTO_H__
|
||
|
/**
|
||
|
* \brief Registration function for ip_proto keyword.
|
||
|
*/
|
||
|
void DetectL3ProtoRegister (void);
|
||
|
#endif /* __DETECT_L3PROTO_H__ */
|
||
| src/detect.c | ||
|---|---|---|
|
#include "detect-bytetest.h"
|
||
|
#include "detect-bytejump.h"
|
||
|
#include "detect-sameip.h"
|
||
|
#include "detect-l3proto.h"
|
||
|
#include "detect-ipproto.h"
|
||
|
#include "detect-within.h"
|
||
|
#include "detect-distance.h"
|
||
| ... | ... | |
|
DetectBytetestRegister();
|
||
|
DetectBytejumpRegister();
|
||
|
DetectSameipRegister();
|
||
|
DetectL3ProtoRegister();
|
||
|
DetectIPProtoRegister();
|
||
|
DetectWithinRegister();
|
||
|
DetectDistanceRegister();
|
||
| src/detect.h | ||
|---|---|---|
|
DETECT_FILEMAGIC,
|
||
|
DETECT_FILEMD5,
|
||
|
DETECT_L3PROTO,
|
||
|
/* make sure this stays last */
|
||
|
DETECT_TBLSIZE,
|
||
|
};
|
||
- « Previous
- 1
- 2
- Next »