/**
* \brief this function is used to add the parsed fragoffset data into the current signature
*
* \param de_ctx pointer to the Detection Engine Context
* \param s pointer to the Current Signature
* \param fragoffsetstr pointer to the user provided fragoffset option
*
* \retval 0 on Success
* \retval -1 on Failure
*/
static int DetectFragOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *fragoffsetstr)
{
DetectFragOffsetData *fragoff = NULL;
SigMatch *sm = NULL;
fragoff = DetectFragOffsetParse(fragoffsetstr);
if (fragoff == NULL) goto error;
sm = SigMatchAlloc();
if (sm == NULL) goto error;
sm->type = DETECT_FRAGOFFSET;
sm->ctx = (SigMatchCtx *)fragoff;
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
s->flags |= SIG_FLAG_REQUIRE_PACKET;
return 0;
error:
if (fragoff != NULL) DetectFragOffsetFree(fragoff);
if (sm != NULL) SCFree(sm);
return -1;
}
/**
* \test DetectFragOffsetParseTest02 is a test for setting a valid fragoffset value
* with spaces all around
*/
int DetectFragOffsetParseTest02 (void) {
DetectFragOffsetData *fragoff = NULL;
fragoff = DetectFragOffsetParse(">300");
if (fragoff != NULL && fragoff->frag_off == 300 && fragoff->mode == FRAG_MORE) {
DetectFragOffsetFree(fragoff);
return 1;
}
return 0;
}
/**
* \test DetectFragOffsetParseTest03 is a test for setting an invalid fragoffset value
*/
int DetectFragOffsetParseTest03 (void) {
DetectFragOffsetData *fragoff = NULL;
fragoff = DetectFragOffsetParse("badc");
if (fragoff != NULL) {
DetectFragOffsetFree(fragoff);
return 1;
}
return 0;
}
/**
* \test DetectFragOffsetParseTest01 is a test for setting a valid fragoffset value
*/
int DetectFragOffsetParseTest01 (void) {
DetectFragOffsetData *fragoff = NULL;
fragoff = DetectFragOffsetParse("300");
if (fragoff != NULL && fragoff->frag_off == 300) {
DetectFragOffsetFree(fragoff);
return 1;
}
return 0;
}
/**
* \brief This function is used to parse fragoffset option passed via fragoffset: keyword
*
* \param fragoffsetstr Pointer to the user provided fragoffset options
*
* \retval fragoff pointer to DetectFragOffsetData on success
* \retval NULL on failure
*/
DetectFragOffsetData *DetectFragOffsetParse (char *fragoffsetstr)
{
DetectFragOffsetData *fragoff = NULL;
char *substr[3] = {NULL, NULL, NULL};
#define MAX_SUBSTRINGS 30
int ret = 0, res = 0;
int ov[MAX_SUBSTRINGS];
int i;
const char *str_ptr;
char *mode = NULL;
ret = pcre_exec(parse_regex, parse_regex_study, fragoffsetstr, strlen(fragoffsetstr), 0, 0, ov, MAX_SUBSTRINGS);
if (ret < 1 || ret > 4) {
SCLogError(SC_ERR_PCRE_MATCH,"Parse error %s", fragoffsetstr);
goto error;
}
for (i = 1; i < ret; i++) {
res = pcre_get_substring((char *)fragoffsetstr, ov, MAX_SUBSTRINGS, i, &str_ptr);
if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING,"pcre_get_substring failed");
goto error;
}
substr[i-1] = (char *)str_ptr;
}
fragoff = SCMalloc(sizeof(DetectFragOffsetData));
if (unlikely(fragoff == NULL))
goto error;
fragoff->frag_off = 0;
fragoff->mode = 0;
mode = substr[0];
if(mode != NULL) {
while(*mode != '\0') {
switch(*mode) {
case '>':
fragoff->mode = FRAG_MORE;
break;
case '<':
fragoff->mode = FRAG_LESS;
break;
}
mode++;
}
}
if (ByteExtractStringUint16(&fragoff->frag_off, 10, 0, substr[1]) < 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "specified frag offset %s is not "
"valid", substr[1]);
goto error;
}
for (i = 0; i < 3; i++) {
if (substr[i] != NULL) SCFree(substr[i]);
}
return fragoff;
error:
for (i = 0; i < 3; i++) {
if (substr[i] != NULL) SCFree(substr[i]);
}
if (fragoff != NULL) DetectFragOffsetFree(fragoff);
return NULL;
}