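/**
 * \internal
 * \brief this function is used to add the seq option into the signature
 *
 * Parses \a optstr with ByteExtractStringUint32 (the 10 argument presumably
 * selects base 10) into a freshly allocated DetectSeqData, attaches it to a
 * new SigMatch of type DETECT_SEQ on the DETECT_SM_LIST_MATCH list and marks
 * the signature as requiring a packet.
 *
 * \param de_ctx pointer to the Detection Engine Context (not used here)
 * \param s pointer to the Current Signature
 * \param optstr pointer to the user provided options
 *
 * \retval 0 on Success
 * \retval -1 on Failure (allocation failure or unparsable option); nothing
 *            is attached to \a s in that case and no memory is leaked
 */
static int DetectSeqSetup (DetectEngineCtx *de_ctx, Signature *s, char *optstr)
{
    DetectSeqData *data = NULL;
    SigMatch *sm = NULL;

    data = SCMalloc(sizeof(DetectSeqData));
    if (unlikely(data == NULL))
        goto error;

    /* Parse the option before allocating the SigMatch: a bad option string
     * then costs no SigMatch alloc/free round trip, and the error path never
     * has to free a SigMatch whose ctx is in an unknown state. */
    if (-1 == ByteExtractStringUint32(&data->seq, 10, 0, optstr)) {
        goto error;
    }

    sm = SigMatchAlloc();
    if (sm == NULL)
        goto error;

    sm->type = DETECT_SEQ;
    sm->ctx = data;

    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
    s->flags |= SIG_FLAG_REQUIRE_PACKET;

    return 0;

error:
    if (data)
        SCFree(data);
    if (sm) {
        /* data is freed above; detach it so SigMatchFree cannot free it
         * a second time (same pattern as the other keyword setup functions) */
        sm->ctx = NULL;
        SigMatchFree(sm);
    }
    return -1;
}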
/**
 * \brief Setup function for the app-layer-event keyword.
 *
 * Parses \a arg into a DetectAppLayerEventData, makes sure the app-layer
 * protocol it names is compatible with the one already set on the signature
 * (or adopts it when the signature has none yet), and appends a
 * DETECT_AL_APP_LAYER_EVENT SigMatch to the list selected by the event type.
 *
 * \param de_ctx pointer to the Detection Engine Context (not used here)
 * \param s pointer to the Current Signature
 * \param arg pointer to the user provided app-layer-event option
 *
 * \retval 0 on Success
 * \retval -1 on Failure (parse error, allocation failure or conflicting
 *            alproto); the new SigMatch is not attached to \a s
 */
int DetectAppLayerEventSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
    AppLayerEventType etype;
    DetectAppLayerEventData *aled = DetectAppLayerEventParse(arg, &etype);
    SigMatch *match = NULL;

    if (aled == NULL)
        goto error;

    match = SigMatchAlloc();
    if (match == NULL)
        goto error;
    match->type = DETECT_AL_APP_LAYER_EVENT;
    match->ctx = (void *)aled;

    if (s->alproto == ALPROTO_UNKNOWN) {
        /* first app-layer keyword in the rule: inherit the event's alproto */
        s->alproto = aled->alproto;
    } else {
        /* a rule bound to ALPROTO_DNS accepts events of either DNS transport */
        int dns_compatible = (s->alproto == ALPROTO_DNS) &&
            (aled->alproto == ALPROTO_DNS_UDP || aled->alproto == ALPROTO_DNS_TCP);

        if (dns_compatible) {
            SCLogDebug("DNS app layer event");
        } else if (s->alproto != aled->alproto) {
            SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains "
                       "conflicting keywords needing different alprotos");
            goto error;
        }
    }

    switch (etype) {
        case APP_LAYER_EVENT_TYPE_PACKET:
            SigMatchAppendSMToList(s, match, DETECT_SM_LIST_MATCH);
            break;
        case APP_LAYER_EVENT_TYPE_GENERAL:
            SigMatchAppendSMToList(s, match, DETECT_SM_LIST_AMATCH);
            s->flags |= SIG_FLAG_APPLAYER;
            break;
        default:
            /* implied APP_LAYER_EVENT_TYPE_TRANSACTION */
            SigMatchAppendSMToList(s, match, DETECT_SM_LIST_APP_EVENT);
            s->flags |= SIG_FLAG_APPLAYER;
            break;
    }

    return 0;

error:
    if (aled)
        SCFree(aled);
    if (match) {
        /* aled is already freed: detach it so SigMatchFree does not free it again */
        match->ctx = NULL;
        SigMatchFree(match);
    }
    return -1;
}
/**
 * \brief First-pass setup for the app-layer-event keyword.
 *
 * Parses \a arg into a DetectAppLayerEventData, checks that its alproto
 * matches the one already on the signature (or adopts it when the signature
 * has none), and appends a DETECT_AL_APP_LAYER_EVENT SigMatch. Packet events
 * go straight to DETECT_SM_LIST_MATCH; everything else is parked on
 * DETECT_SM_LIST_APP_EVENT for DetectAppLayerEventPrepare() to sort out.
 *
 * \param de_ctx pointer to the Detection Engine Context (not used here)
 * \param s pointer to the Current Signature
 * \param arg pointer to the user provided app-layer-event option
 *
 * \retval 0 on Success
 * \retval -1 on Failure (parse error, allocation failure or conflicting
 *            alproto); the new SigMatch is not attached to \a s
 */
static int DetectAppLayerEventSetupP1(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
    AppLayerEventType etype;
    DetectAppLayerEventData *aled = DetectAppLayerEventParse(arg, &etype);
    SigMatch *match = NULL;

    if (aled == NULL)
        goto error;

    match = SigMatchAlloc();
    if (match == NULL)
        goto error;
    match->type = DETECT_AL_APP_LAYER_EVENT;
    match->ctx = (void *)aled;

    if (s->alproto == ALPROTO_UNKNOWN) {
        /* first app-layer keyword in the rule: inherit the event's alproto */
        s->alproto = aled->alproto;
    } else if (s->alproto != aled->alproto) {
        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains "
                   "conflicting keywords needing different alprotos");
        goto error;
    }

    if (etype == APP_LAYER_EVENT_TYPE_PACKET) {
        SigMatchAppendSMToList(s, match, DETECT_SM_LIST_MATCH);
        return 0;
    }

    /* We push it to this list temporarily. We deal with
     * these in DetectAppLayerEventPrepare(). */
    SigMatchAppendSMToList(s, match, DETECT_SM_LIST_APP_EVENT);
    s->flags |= SIG_FLAG_APPLAYER;
    return 0;

error:
    if (aled)
        SCFree(aled);
    if (match) {
        /* aled is already freed: detach it so SigMatchFree does not free it again */
        match->ctx = NULL;
        SigMatchFree(match);
    }
    return -1;
}
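/**
 * \brief this function is used to add the parsed ftpbounce
 *
 * Attaches a DETECT_FTPBOUNCE SigMatch (it carries no ctx data) to the
 * signature's DETECT_SM_LIST_AMATCH list, binds the signature to ALPROTO_FTP
 * and flags it as an app-layer rule.
 *
 * \param de_ctx pointer to the Detection Engine Context (not used here)
 * \param s pointer to the Current Signature
 * \param ftpbouncestr pointer to the user provided ftpbounce options
 *        currently there are no options, so it is not parsed.
 *
 * \retval 0 on Success
 * \retval -1 on Failure (the rule already names a non-FTP alproto, or the
 *            SigMatch allocation failed); \a s is left unchanged
 */
int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, char *ftpbouncestr)
{
    SCEnter();
    SigMatch *sm = NULL;

    /* Reject a conflicting rule before allocating anything: ftpbounce only
     * makes sense on a rule that is FTP (or not yet bound to an alproto). */
    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_FTP) {
        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
                   "rule contains conflicting keywords.");
        goto error;
    }

    sm = SigMatchAlloc();
    if (sm == NULL) {
        goto error;
    }
    sm->type = DETECT_FTPBOUNCE;

    /* We don't need to allocate any data for ftpbounce here.
     *
     * TODO: As a suggestion, maybe we can add a flag in the flow
     * to set the stream as "bounce detected" for fast Match.
     * When you do a ftp bounce attack you usually use the same
     * communication control stream to "setup" various destinations
     * without breaking the connection, so I guess we can make it a bit faster
     * with a flow flag set lookup in the Match function.
     */
    sm->ctx = NULL;

    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
    s->alproto = ALPROTO_FTP;
    s->flags |= SIG_FLAG_APPLAYER;

    SCReturnInt(0);

error:
    /* sm has no ctx, so SigMatchFree only releases the SigMatch itself */
    if (sm != NULL) {
        SigMatchFree(sm);
    }
    SCReturnInt(-1);
}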