static int DetectFilesizeInitTest(DetectEngineCtx **de_ctx, Signature **sig, DetectFilesizeData **fsd, char *str) { char fullstr[1024]; int result = 0; *de_ctx = NULL; *sig = NULL; if (snprintf(fullstr, 1024, "alert http any any -> any any (msg:\"Filesize " "test\"; filesize:%s; sid:1;)", str) >= 1024) { goto end; } *de_ctx = DetectEngineCtxInit(); if (*de_ctx == NULL) { goto end; } (*de_ctx)->flags |= DE_QUIET; (*de_ctx)->sig_list = SigInit(*de_ctx, fullstr); if ((*de_ctx)->sig_list == NULL) { goto end; } *sig = (*de_ctx)->sig_list; *fsd = DetectFilesizeParse(str); result = 1; end: return result; }
/** * \brief this function is used to parse filesize data into the current signature * * \param de_ctx pointer to the Detection Engine Context * \param s pointer to the Current Signature * \param str pointer to the user provided options * * \retval 0 on Success * \retval -1 on Failure */ static int DetectFilesizeSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) { SCEnter(); DetectFilesizeData *fsd = NULL; SigMatch *sm = NULL; fsd = DetectFilesizeParse(str); if (fsd == NULL) goto error; sm = SigMatchAlloc(); if (sm == NULL) goto error; sm->type = DETECT_FILESIZE; sm->ctx = (SigMatchCtx *)fsd; SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_FILEMATCH); s->file_flags |= (FILE_SIG_NEED_FILE|FILE_SIG_NEED_SIZE); SCReturnInt(0); error: if (fsd != NULL) DetectFilesizeFree(fsd); if (sm != NULL) SCFree(sm); SCReturnInt(-1); }
/** \test Test the Filesize keyword setup */ static int DetectFilesizeParseTest03(void) { int ret = 0; DetectFilesizeData *fsd = NULL; fsd = DetectFilesizeParse(" > 10 "); if (fsd != NULL) { if (fsd->size1 == 10 && fsd->mode == DETECT_FILESIZE_GT) ret = 1; DetectFilesizeFree(fsd); } return ret; }
/** * \brief this function is used to parse filesize data into the current signature * * \param de_ctx pointer to the Detection Engine Context * \param s pointer to the Current Signature * \param str pointer to the user provided options * * \retval 0 on Success * \retval -1 on Failure */ static int DetectFilesizeSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) { SCEnter(); DetectFilesizeData *fsd = NULL; SigMatch *sm = NULL; fsd = DetectFilesizeParse(str); if (fsd == NULL) goto error; sm = SigMatchAlloc(); if (sm == NULL) goto error; sm->type = DETECT_FILESIZE; sm->ctx = (void *)fsd; SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_FILEMATCH); if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); goto error; } AppLayerHtpNeedFileInspection(); /** \todo remove this once we support more than http */ s->alproto = ALPROTO_HTTP; s->file_flags |= (FILE_SIG_NEED_FILE|FILE_SIG_NEED_SIZE); SCReturnInt(0); error: if (fsd != NULL) DetectFilesizeFree(fsd); if (sm != NULL) SCFree(sm); SCReturnInt(-1); }