Feature #423: pkt_data keyword (closed)
Description
Should be simple as file_data just sets a flag during parsing, so pkt_data should unset this flag.
Updated by Victor Julien almost 13 years ago
- Due date set to 03/27/2012
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Xavier Lange
DetectFiledataSetup sets the per signature flag SIG_FLAG_INIT_FILE_DATA when "file_data" is encountered in a rule. The pkt_data code should simply unset it.
Please add some unittests that show this parsing in action.
Updated by Victor Julien almost 13 years ago
- Tracker changed from Bug to Feature
Updated by Victor Julien over 12 years ago
- Target version changed from 1.3beta1 to 1.3beta2
Updated by Victor Julien over 12 years ago
- Target version changed from 1.3beta2 to 1.4
Updated by Victor Julien over 12 years ago
- Target version changed from 1.4 to 1.4beta2
Updated by Victor Julien over 12 years ago
- Due date changed from 03/27/2012 to 08/31/2012
Updated by Xavier Lange over 12 years ago
This is a feature request for something done in Snort and it essentially forces pattern match from the beginning of a stream, not its "body".
As for unit testing this rule, from Victor:
    check for example DetectHttpServerBodyTest01. It parses a sig and checks the internal state of the Signature structure. In such a test you can for example test 'file_data; content:"http"; pkt_data; content:"packet";'
    This should result in 2 sigmatches, one in the http server body list, the other in the pattern list.
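An added example (this is not Suricata's code; parse_rule_options, setup_option, FLAG_INIT_FILE_DATA and the LIST_* names are this example's own): a self-contained C model of the mechanism Victor describes, where file_data sets a per-signature init flag, pkt_data clears it again, and each content keyword is appended to whichever list the flag currently selects. Parsing the test rule quoted above produces two matches, one in the http server body list and one in the packet list, which is exactly the internal state a DetectHttpServerBodyTest01-style unittest would assert on.

```c
/* Added example, not Suricata code: a minimal model of how a per-signature
 * "init" flag steers content keywords into different match lists while a
 * rule's option string is parsed. file_data sets the flag, pkt_data clears
 * it, and each content: keyword lands in the list the flag selects.
 * parse_rule_options, setup_option, FLAG_INIT_FILE_DATA and LIST_* are
 * names invented for this example. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum { FLAG_INIT_FILE_DATA = 1 };                     /* stands in for SIG_FLAG_INIT_FILE_DATA */
enum { LIST_PMATCH = 0, LIST_HSBD = 1, LIST_COUNT };  /* packet list, http server body list */

#define MAX_MATCHES 16

struct sigmatch {
    int list;            /* which list this content was appended to */
    char pattern[64];
};

struct signature {
    unsigned init_flags;
    int list_len[LIST_COUNT];
    struct sigmatch matches[MAX_MATCHES];
    int nmatches;
};

/* Trim leading/trailing whitespace in place and return the start pointer. */
static char *trim(char *s) {
    while (isspace((unsigned char)*s)) s++;
    char *e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}

/* Handle one "keyword" or "keyword:value" option. Returns 0 on success, -1 on error. */
static int setup_option(struct signature *sig, const char *kw, const char *val) {
    if (strcmp(kw, "file_data") == 0) {
        sig->init_flags |= FLAG_INIT_FILE_DATA;   /* what DetectFiledataSetup does */
        return 0;
    }
    if (strcmp(kw, "pkt_data") == 0) {
        sig->init_flags &= ~FLAG_INIT_FILE_DATA;  /* pkt_data simply unsets it */
        return 0;
    }
    if (strcmp(kw, "content") == 0) {
        if (val == NULL || sig->nmatches == MAX_MATCHES) return -1;
        size_t n = strlen(val);
        if (n < 2 || val[0] != '"' || val[n - 1] != '"') return -1;  /* value must be quoted */
        struct sigmatch *sm = &sig->matches[sig->nmatches++];
        sm->list = (sig->init_flags & FLAG_INIT_FILE_DATA) ? LIST_HSBD : LIST_PMATCH;
        snprintf(sm->pattern, sizeof sm->pattern, "%.*s", (int)(n - 2), val + 1);
        sig->list_len[sm->list]++;
        return 0;
    }
    return 0;  /* other keywords (msg, sid, ...) are ignored by this model */
}

/* Parse a ';'-separated option string such as
 *   file_data; content:"http"; pkt_data; content:"packet";
 * into sig. Returns 0 on success, -1 on a malformed option. Unlike the real
 * parser, this model does not honour ';' inside quoted values. */
int parse_rule_options(struct signature *sig, const char *options) {
    char buf[512];
    memset(sig, 0, sizeof *sig);
    snprintf(buf, sizeof buf, "%s", options);
    char *p = buf;
    while (p && *p) {
        char *semi = strchr(p, ';');
        if (semi) *semi = '\0';
        char *opt = trim(p);
        if (*opt) {
            char *colon = strchr(opt, ':');
            char *val = NULL;
            if (colon) { *colon = '\0'; val = trim(colon + 1); }
            if (setup_option(sig, trim(opt), val) != 0) return -1;
        }
        p = semi ? semi + 1 : NULL;
    }
    return 0;
}

int main(void) {
    struct signature sig;
    const char *rule = "file_data; content:\"http\"; pkt_data; content:\"packet\";";  /* constructed test rule */
    if (parse_rule_options(&sig, rule) != 0) { puts("parse failed"); return 1; }
    for (int i = 0; i < sig.nmatches; i++)
        printf("content \"%s\" -> %s list\n", sig.matches[i].pattern,
               sig.matches[i].list == LIST_HSBD ? "http server body" : "packet");
    return 0;
}
```

The point to check in a unittest is the state after parsing rather than the keywords themselves: the flag must be clear once pkt_data has been seen, and the two content matches must have landed in different lists. The model splits on ';' without honouring quotes, so it is only a stand-in for Suricata's real option parser.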
Updated by Xavier Lange over 12 years ago
Getting closer. I have a pkt-data.c in place and compiling but I need to get a handle on the sig (out of the engine) so I can check that the flag is set properly. Any tips on that?
Updated by Victor Julien over 12 years ago
What are you trying to do? Can you show some code?
Updated by Xavier Lange over 12 years ago
Hey Victor, why do you think the engine is not loading the rule into sig_lists? Do I need to do something else after calling SigInit?
Take a look at the most recent branch diff. It shows a fully-registered unit test. https://github.com/xrl/suricata/compare/keyword-pkt_data
I run the unit test with this command: "./src/suricata -u -U PktData"
Updated by Victor Julien over 12 years ago
Right, SigInit doesn't do that. Other tests use it like this:
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:39; sid:1;)");
    if (de_ctx->sig_list == NULL) {
        /* parsing failed: bail out of the test here */
    }
Updated by Victor Julien about 12 years ago
- Due date changed from 08/31/2012 to 10/05/2012
- Target version changed from 1.4beta2 to 1.4beta3
Updated by Victor Julien about 12 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Merged https://github.com/inliniac/suricata/pull/191, thanks Xavier.