/* detection functions */
int rule16370eval(void *p) {
const uint8_t *cursor_normal = 0;
SFSnortPacket *sp = (SFSnortPacket *) p;
const uint8_t *beg_of_payload, *end_of_payload;
uint16_t Csiz;
uint16_t atomlen;
uint16_t Crgn;
if(sp == NULL)
return RULE_NOMATCH;
if(sp->payload == NULL)
return RULE_NOMATCH;
// flow:established, to_client;
if (checkFlow(p, rule16370options[0]->option_u.flowFlags) > 0 ) {
// flowbits:isset "file.pdf";
if (processFlowbits(p, rule16370options[1]->option_u.flowBit) > 0) {
// content:"jP ", depth 0, fast_pattern;
if (contentMatch(p, rule16370options[2]->option_u.content, &cursor_normal) > 0) {
// content:"|FF|O|FF|Q", depth 0;
if (contentMatch(p, rule16370options[3]->option_u.content, &cursor_normal) > 0) {
if(getBuffer(sp, CONTENT_BUF_NORMALIZED, &beg_of_payload, &end_of_payload) <= 0)
return RULE_NOMATCH;
//Make sure at least the entire atom is present, as well as
//the atom signature and length of the following atom
if(cursor_normal + 47 + 4 > end_of_payload)
return RULE_NOMATCH;
// Now make sure this atomlen is 47
if(*cursor_normal != 0 || *(cursor_normal + 1) != 47)
return RULE_NOMATCH;
//Extract the value of Csiz
Csiz = read_big_16(cursor_normal + 36);
//Jump to the next atom, just before the signature
cursor_normal += 47; //atomlen;
//Check to see if the following byte is FF (eg:the first byte of a signature)
//and that we haven't ended up in no man's land
while((cursor_normal + 4 < end_of_payload) && (*cursor_normal == 255)) {
//Extract the length of next atom
atomlen = read_big_16(cursor_normal+2);
//Make sure the whole atom is present. Atom length is atomlen + file signature (2 bytes)
if ((cursor_normal + atomlen + 2) > end_of_payload)
return RULE_NOMATCH;
//Check second byte of atom signature
//A FF5E is the Region-of-interest atom
if (*(cursor_normal+1) == '\x5e') {
//This atom can only be either 5 or 6 bytes long, but no other value.
//Crgn will be either 1 or 2 bytes depending on this length.
//Exit if you some unexpected value.
if (atomlen == 5)
Crgn = *(cursor_normal+4);
else if (atomlen == 6) {
Crgn = read_big_16(cursor_normal+4);
}
else
return RULE_NOMATCH;
//Fire if Crgn >= Csiz
if (Crgn >= Csiz)
return RULE_MATCH;
}
//Skip to next atom
cursor_normal += atomlen + 2;
}
}
}
}
}
return RULE_NOMATCH;
}
bool roomba_t::parse_sensor_packet_m()
{
size_t index=0;
sensor_t temp_packet;
while(index<serial_size_m)
{
uint8_t sensor=serial_buffer_m[index++];
if(sensor==ROOMBA_ID_SENSOR_BUMPER_DROP)
{
temp_packet.bumper=*(uint8_t*)(serial_buffer_m+index);
index+=sizeof(uint8_t);
}
else if(sensor==ROOMBA_ID_SENSOR_CHARGE_STATE)
{
temp_packet.battery.state=*(uint8_t*)(serial_buffer_m+index);
index+=sizeof(uint8_t);
}
else if(sensor==ROOMBA_ID_SENSOR_BATT_TEMP)
{
temp_packet.battery.temperature=*(int8_t*)(serial_buffer_m+index);
index+=sizeof(int8_t);
}
else if(sensor==ROOMBA_ID_SENSOR_BATT_CHARGE)
{
temp_packet.battery.charge=read_big_16(serial_buffer_m+index);
index+=sizeof(uint16_t);
}
else if(sensor==ROOMBA_ID_SENSOR_ENCODER_L)
{
temp_packet.encoder.L=read_big_16(serial_buffer_m+index);
index+=sizeof(uint16_t);
}
else if(sensor==ROOMBA_ID_SENSOR_ENCODER_R)
{
temp_packet.encoder.R=read_big_16(serial_buffer_m+index);
index+=sizeof(uint16_t);
}
else if(sensor==ROOMBA_ID_SENSOR_CLIFF_L)
{
temp_packet.floor[0]=adapt_floor(read_big_16(serial_buffer_m+index));
index+=sizeof(uint16_t);
}
else if(sensor==ROOMBA_ID_SENSOR_CLIFF_FL)
{
temp_packet.floor[1]=adapt_floor(read_big_16(serial_buffer_m+index));
index+=sizeof(uint16_t);
}
else if(sensor==ROOMBA_ID_SENSOR_CLIFF_FR)
{
temp_packet.floor[2]=adapt_floor(read_big_16(serial_buffer_m+index));
index+=sizeof(uint16_t);
}
else if(sensor==ROOMBA_ID_SENSOR_CLIFF_R)
{
temp_packet.floor[3]=adapt_floor(read_big_16(serial_buffer_m+index));
index+=sizeof(uint16_t);
}
else if(sensor==ROOMBA_ID_SENSOR_MODE)
{
temp_packet.mode=*(uint8_t*)(serial_buffer_m+index);
index+=sizeof(uint8_t);
}
else if(sensor==ROOMBA_ID_SENSOR_LIGHT_FIELD)
{
temp_packet.light_field=*(uint8_t*)(serial_buffer_m+index);
index+=sizeof(uint8_t);
}
else if(sensor==ROOMBA_ID_SENSOR_LIGHT_L)
{
temp_packet.light[0]=adapt_light(read_big_16(serial_buffer_m+index));
index+=sizeof(uint16_t);
}
else if(sensor==ROOMBA_ID_SENSOR_LIGHT_FL)
{
temp_packet.light[1]=adapt_light(read_big_16(serial_buffer_m+index));
index+=sizeof(uint16_t);
}
else if(sensor==ROOMBA_ID_SENSOR_LIGHT_CL)
{
temp_packet.light[2]=adapt_light(read_big_16(serial_buffer_m+index));
index+=sizeof(uint16_t);
}
else if(sensor==ROOMBA_ID_SENSOR_LIGHT_CR)
{
temp_packet.light[3]=adapt_light(read_big_16(serial_buffer_m+index));
index+=sizeof(uint16_t);
}
else if(sensor==ROOMBA_ID_SENSOR_LIGHT_FR)
{
temp_packet.light[4]=adapt_light(read_big_16(serial_buffer_m+index));
index+=sizeof(uint16_t);
}
else if(sensor==ROOMBA_ID_SENSOR_LIGHT_R)
{
temp_packet.light[5]=adapt_light(read_big_16(serial_buffer_m+index));
index+=sizeof(uint16_t);
}
else if (sensor==ROOMBA_ID_SENSOR_BUTTONS)
{
temp_packet.buttons=*(uint8_t*)(serial_buffer_m+index);
index+=sizeof(uint8_t);
}
else
{
return false;
}
}
sensor_packet_m=temp_packet;
return true;
}
/* detection functions */
int rule15327eval(void *p) {
const uint8_t *cursor_normal = 0;
const uint8_t *end_of_payload;
uint16_t numanswers;
uint16_t numqueries;
uint16_t len;
uint32_t total = 0;
int i;
SFSnortPacket *sp = (SFSnortPacket *) p;
if(sp == NULL)
return RULE_NOMATCH;
if(sp->payload == NULL)
return RULE_NOMATCH;
// flow:to_client;
if (checkFlow(p, rule15327options[0]->option_u.flowFlags) > 0 ) {
// byte_test:size 2, value 7999, operator >, offset 2;
if (byteTest(p, rule15327options[1]->option_u.byte, cursor_normal) > 0) {
if(getBuffer(sp, CONTENT_BUF_NORMALIZED, &cursor_normal, &end_of_payload) <= 0)
return RULE_NOMATCH;
if ((cursor_normal+12) > end_of_payload)
return RULE_NOMATCH;
// Extract number of query and answer records
numqueries = read_big_16(cursor_normal+4);
numanswers = read_big_16(cursor_normal+6);
cursor_normal += 12;
// Iterate through variable-sized query records to skip to the answer records.
for(i = 0; i < numqueries; i++)
{
while(cursor_normal < end_of_payload && *cursor_normal != 0 && !((*cursor_normal & 0xc0) == 0xc0)) {
cursor_normal += *cursor_normal + 1;
}
if (cursor_normal >= end_of_payload)
return RULE_NOMATCH;
cursor_normal += ((*cursor_normal & 0xc0) == 0xc0) ? 2 : 1 ;
cursor_normal += 2+2;
}
if(cursor_normal >= end_of_payload)
return RULE_NOMATCH;
// Iterate through answer records
for(i = 0; i < numanswers; i++)
{
// Reset the counter used to detect the overflow for each new answer record
total = 0;
while(cursor_normal < end_of_payload && *cursor_normal != 0 && !((*cursor_normal & 0xc0) == 0xc0)) {
cursor_normal += *cursor_normal + 1;
}
if(cursor_normal >= end_of_payload)
return RULE_NOMATCH;
cursor_normal += ((*cursor_normal & 0xc0) == 0xc0) ? 2 : 1 ;
if ((cursor_normal + 1) >= end_of_payload)
return RULE_NOMATCH;
// Check that the record type is TXT, that is, 0x10
if (*(cursor_normal + 1) != 0x10)
return RULE_NOMATCH;
cursor_normal += 2+2+4;
if (cursor_normal + 1 >= end_of_payload)
return RULE_NOMATCH;
// Extract the length field
len = read_big_16_inc(cursor_normal);
// Iterate through the byte[data] section and add each of the
// individual string lengths together
while(cursor_normal < end_of_payload && total < len) {
total += *cursor_normal + 1;
cursor_normal += *cursor_normal + 1;
}
// Alert if the sum (total) of the inidividual string lengths
// exceeds the length field for the entire data section
if(cursor_normal >= end_of_payload)
return RULE_NOMATCH;
else if(total > len)
return RULE_MATCH;
}
}
}
return RULE_NOMATCH;
}
