From 17e363752030654d1cd725a8b0ea93bb28d1263e Mon Sep 17 00:00:00 2001 From: Anoop Saldanha Date: Thu, 2 Sep 2010 16:09:29 +0530 Subject: [PATCH 2/2] throw out contents/uricnotents with invalid hex assembly --- src/detect-content.c | 340 ++++++++++++++++++++++++++++++++++++++++++++++- src/detect-uricontent.c | 342 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 681 insertions(+), 1 deletions(-) diff --git a/src/detect-content.c b/src/detect-content.c index 6c96057..cced9b6 100644 --- a/src/detect-content.c +++ b/src/detect-content.c @@ -147,10 +147,12 @@ DetectContentData *DetectContentParse (char *contentstr) uint8_t escape = 0; uint8_t binstr[3] = ""; uint8_t binpos = 0; + uint16_t bin_count = 0; for (i = 0, x = 0; i < len; i++) { // SCLogDebug("str[%02u]: %c", i, str[i]); if (str[i] == '|') { + bin_count++; if (bin) { bin = 0; } else { @@ -203,6 +205,13 @@ DetectContentData *DetectContentParse (char *contentstr) } } } + + if (bin_count % 2 != 0) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid hex code assembly in " + "content - %s. Invalidating signature", str); + goto error; + } + #if 0//def DEBUG if (SCLogDebugEnabled()) { for (i = 0; i < x; i++) { @@ -1472,7 +1481,6 @@ int DetectContentParseTest22(void) return result; } - /** * \test Parsing test */ 
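Review bot: The new `bin_count` in DetectContentParse duplicates state the loop already keeps. `bin` is flipped on every '|' in the same branch where `bin_count++` is added, so after the loop `if (bin)` should give the same answer as `bin_count % 2 != 0`. The `else` arm that sets `bin` is cut off by the hunk, so confirm it only ever sets it to 1. The same applies to the counter added to DoDetectUricontentSetup in src/detect-uricontent.c. If the counter stays, a comment such as `/* number of '|' seen; odd means an unterminated hex block */` would explain its purpose.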
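Review bot: The rejection added after the parse loop has no comment, and its log text "Invalid hex code assembly" does not tell a rule author what to fix. A comment above the check, for example `/* odd number of '|': a hex block was opened but never closed */`, and a message that names the unbalanced '|' would make a dropped signature easier to diagnose. The check leaves through `goto error`, and that label is outside this hunk, so confirm it releases `str` and anything else allocated before the loop.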
@@ -1543,6 +1551,325 @@ int DetectContentParseTest24(void) return result; } +/** + * \test Parsing test + */ +int DetectContentParseTest25(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; content:|; sid:1;)"); + if (de_ctx->sig_list != NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectContentParseTest26(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; content:|af; sid:1;)"); + if (de_ctx->sig_list != NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectContentParseTest27(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; content:af|; sid:1;)"); + if (de_ctx->sig_list != NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectContentParseTest28(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; content:|af|; sid:1;)"); + if 
(de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectContentParseTest29(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; content:aast|; sid:1;)"); + if (de_ctx->sig_list != NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectContentParseTest30(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; content:aast|af; sid:1;)"); + if (de_ctx->sig_list != NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectContentParseTest31(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; content:aast|af|; sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectContentParseTest32(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + 
de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; content:|af|asdf; sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectContentParseTest33(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; content:|af|af|; sid:1;)"); + if (de_ctx->sig_list != NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectContentParseTest34(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; content:|af|af|af; sid:1;)"); + if (de_ctx->sig_list != NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectContentParseTest35(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; content:|af|af|af|; sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + static int SigTestPositiveTestContent(char *rule, uint8_t *buf) { uint16_t buflen = strlen((char *)buf); 
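Review bot: DetectContentParseTest25 through 35 all start with `int result = 1` and `goto end` when DetectEngineCtxInit() returns NULL, so an engine-init failure is reported as a pass. On that path the three cleanup calls also receive a NULL `de_ctx`; whether they tolerate that is not visible here. The eleven bodies differ only in the rule string and the expected outcome, so one helper that starts from failure and returns early on a NULL context would fix both problems and remove the repetition. The `\test Parsing test` comments should also say which pipe layout each case covers and whether it must load or be rejected. DetectUriContentParseTest13 through 23 in src/detect-uricontent.c follow the same pattern. The helper name below is a suggestion.

```c
/* Returns 1 when SigInit's outcome for `rule` matches expect_valid, else 0. */
static int DetectContentParseCheck(char *rule, int expect_valid)
{
    int result = 0;
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        return 0;

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, rule);
    result = ((de_ctx->sig_list != NULL) == (expect_valid != 0));

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}

/** \test A lone '|' opens a hex block that is never closed; must be rejected. */
int DetectContentParseTest25(void)
{
    return DetectContentParseCheck("alert udp any any -> any any "
                                   "(msg:\"test\"; content:|; sid:1;)", 0);
}

/* … unchanged pattern: DetectContentParseTest26 to 35 call the helper the same way … */
```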
@@ -1994,6 +2321,17 @@ void DetectContentRegisterTests(void) UtRegisterTest("DetectContentParseTest22", DetectContentParseTest22, 1); UtRegisterTest("DetectContentParseTest23", DetectContentParseTest23, 1); UtRegisterTest("DetectContentParseTest24", DetectContentParseTest24, 1); + UtRegisterTest("DetectContentParseTest25", DetectContentParseTest25, 1); + UtRegisterTest("DetectContentParseTest26", DetectContentParseTest26, 1); + UtRegisterTest("DetectContentParseTest27", DetectContentParseTest27, 1); + UtRegisterTest("DetectContentParseTest28", DetectContentParseTest28, 1); + UtRegisterTest("DetectContentParseTest29", DetectContentParseTest29, 1); + UtRegisterTest("DetectContentParseTest30", DetectContentParseTest30, 1); + UtRegisterTest("DetectContentParseTest31", DetectContentParseTest31, 1); + UtRegisterTest("DetectContentParseTest32", DetectContentParseTest32, 1); + UtRegisterTest("DetectContentParseTest33", DetectContentParseTest33, 1); + UtRegisterTest("DetectContentParseTest34", DetectContentParseTest34, 1); + UtRegisterTest("DetectContentParseTest35", DetectContentParseTest35, 1); /* The reals */ UtRegisterTest("DetectContentLongPatternMatchTest01", DetectContentLongPatternMatchTest01, 1); diff --git a/src/detect-uricontent.c b/src/detect-uricontent.c index e06a1dc..91b99aa 100644 --- a/src/detect-uricontent.c +++ b/src/detect-uricontent.c @@ -243,9 +243,12 @@ DetectUricontentData *DoDetectUricontentSetup (char * contentstr) uint8_t escape = 0; uint16_t i, x; uint8_t bin = 0, binstr[3] = "", binpos = 0; + uint16_t bin_count = 0; + for (i = 0, x = 0; i < len; i++) { SCLogDebug("str[%02u]: %c", i, str[i]); if (str[i] == '|') { + bin_count++; if (bin) { bin = 0; } else { 
@@ -298,6 +301,13 @@ DetectUricontentData *DoDetectUricontentSetup (char * contentstr) } } } + + if (bin_count % 2 != 0) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid hex code assembly in " + "content - %s. Invalidating signature", str); + goto error; + } + #ifdef DEBUG if (SCLogDebugEnabled()) { for (i = 0; i < x; i++) { 
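Review bot: The error text added to DoDetectUricontentSetup was copied from detect-content.c and still says "content", so the log will point a rule author at the wrong keyword when a `uricontent` option is rejected. Changing the second string fragment to `"uricontent - %s. Invalidating signature", str);` keeps the message accurate. The `error` label this jumps to is outside the hunk.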
@@ -1777,6 +1787,326 @@ int DetectUriSigTest12(void) return result; } + +/** + * \test Parsing test + */ +int DetectUriContentParseTest13(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; uricontent:|; sid:1;)"); + if (de_ctx->sig_list != NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectUriContentParseTest14(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; uricontent:|af; sid:1;)"); + if (de_ctx->sig_list != NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectUriContentParseTest15(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; uricontent:af|; sid:1;)"); + if (de_ctx->sig_list != NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectUriContentParseTest16(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; uricontent:|af|; 
sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectUriContentParseTest17(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; uricontent:aast|; sid:1;)"); + if (de_ctx->sig_list != NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectUriContentParseTest18(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; uricontent:aast|af; sid:1;)"); + if (de_ctx->sig_list != NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectUriContentParseTest19(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; uricontent:aast|af|; sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectUriContentParseTest20(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + 
de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; uricontent:|af|asdf; sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectUriContentParseTest21(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; uricontent:|af|af|; sid:1;)"); + if (de_ctx->sig_list != NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectUriContentParseTest22(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; uricontent:|af|af|af; sid:1;)"); + if (de_ctx->sig_list != NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Parsing test + */ +int DetectUriContentParseTest23(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, + "alert udp any any -> any any " + "(msg:\"test\"; uricontent:|af|af|af|; sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + #endif /* UNITTESTS */ void HttpUriRegisterTests(void) { 
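Review bot: The new uricontent cases, like the content ones in src/detect-content.c, only vary the number and position of '|' characters, and every hex block they use is the well-formed `af`. Nothing here pins what happens when the pipes balance but the bytes between them are malformed, for instance an odd number of hex digits or a non-hex character. How the parser treats those is not visible in this patch. If such rules are meant to be rejected, add a negative case for each, because a signature that loads with a pattern other than the one the author wrote is a silent detection gap.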
@@ -1797,5 +2127,17 @@ void HttpUriRegisterTests(void) { UtRegisterTest("DetectUriSigTest10", DetectUriSigTest10, 1); UtRegisterTest("DetectUriSigTest11", DetectUriSigTest11, 1); UtRegisterTest("DetectUriSigTest12", DetectUriSigTest12, 1); + + UtRegisterTest("DetectUriContentParseTest13", DetectUriContentParseTest13, 1); + UtRegisterTest("DetectUriContentParseTest14", DetectUriContentParseTest14, 1); + UtRegisterTest("DetectUriContentParseTest15", DetectUriContentParseTest15, 1); + UtRegisterTest("DetectUriContentParseTest16", DetectUriContentParseTest16, 1); + UtRegisterTest("DetectUriContentParseTest17", DetectUriContentParseTest17, 1); + UtRegisterTest("DetectUriContentParseTest18", DetectUriContentParseTest18, 1); + UtRegisterTest("DetectUriContentParseTest19", DetectUriContentParseTest19, 1); + UtRegisterTest("DetectUriContentParseTest20", DetectUriContentParseTest20, 1); + UtRegisterTest("DetectUriContentParseTest21", DetectUriContentParseTest21, 1); + UtRegisterTest("DetectUriContentParseTest22", DetectUriContentParseTest22, 1); + UtRegisterTest("DetectUriContentParseTest23", DetectUriContentParseTest23, 1); #endif /* UNITTESTS */ } -- 1.7.1