static int DetectHttpStatMsgSetup (DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
DetectContentData *cd = NULL;
SigMatch *sm = NULL;
if (arg != NULL && strcmp(arg, "") != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_stat_msg supplied with args");
return -1;
}
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
/* if still we are unable to find any content previous keywords, it is an
* invalid rule */
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_stat_msg\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_stat_msg\" keyword");
return -1;
}
cd = (DetectContentData *)sm->ctx;
/* http_stat_msg should not be used with the rawbytes rule */
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_stat_msg rule can not "
"be used with the rawbytes rule keyword");
return -1;
}
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
"alproto set");
goto error;
}
if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
/* pm can be NULL now. To accomodate parsing sigs like -
* content:one; http_modifier; content:two; distance:0; http_modifier */
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~ DETECT_PCRE_RELATIVE_NEXT;
}
} /* if (pm != NULL) */
/* reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_stat_msg seen with a "
"distance or within without a previous http_stat_msg "
"content. Invalidating signature.");
goto error;
}
if (pm->type == DETECT_PCRE) {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
} else {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HSMDMATCH);
sm->type = DETECT_CONTENT;
/* transfer the sm from the pmatch list to hcbdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_HSMDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]);
/* flag the signature to indicate that we scan the app layer data */
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
return 0;
error:
return -1;
}
/** \brief Setup within pattern (content/uricontent) modifier.
*
* \todo apply to uricontent
*
* \retval 0 ok
* \retval -1 error, sig needs to be invalidated
*/
static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withinstr)
{
char *str = withinstr;
char dubbed = 0;
SigMatch *pm = NULL;
/* strip "'s */
if (withinstr[0] == '\"' && withinstr[strlen(withinstr)-1] == '\"') {
str = SCStrdup(withinstr+1);
if (str == NULL)
goto error;
str[strlen(withinstr)-2] = '\0';
dubbed = 1;
}
/* if we still haven't found that the sig is related to DCERPC,
* it's a direct entry into Signature->[DETECT_SM_LIST_PMATCH] */
if (s->alproto == ALPROTO_DCERPC) {
SigMatch *dcem = NULL;
SigMatch *dm = NULL;
SigMatch *pm1 = NULL;
SigMatch *pm1_ots = NULL;
SigMatch *pm2_ots = NULL;
dcem = SigMatchGetLastSMFromLists(s, 6,
DETECT_DCE_IFACE, s->sm_lists_tail[DETECT_SM_LIST_AMATCH],
DETECT_DCE_OPNUM, s->sm_lists_tail[DETECT_SM_LIST_AMATCH],
DETECT_DCE_STUB_DATA, s->sm_lists_tail[DETECT_SM_LIST_AMATCH]);
pm1_ots = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (pm1_ots != NULL && pm1_ots->prev != NULL) {
pm2_ots = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, pm1_ots->prev,
DETECT_PCRE, pm1_ots->prev,
DETECT_BYTEJUMP, pm1_ots->prev);
}
dm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
pm1 = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (dm == NULL && pm1 == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"within\" requires a "
"preceding content keyword");
goto error;
}
if (dm == NULL) {
if (pm2_ots == NULL) {
if (pm1->idx > dcem->idx) {
/* transfer pm1 to dmatch list and within is against this */
SigMatchTransferSigMatchAcrossLists(pm1,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_DMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
pm = pm1;
} else {
/* within is against pm1 and we continue this way */
pm = pm1;
}
} else if (pm2_ots->idx > dcem->idx) {
/* within is against pm1, pm = pm1; */
pm = pm1;
} else if (pm1->idx > dcem->idx) {
/* transfer pm1 to dmatch list and within is against this */
SigMatchTransferSigMatchAcrossLists(pm1,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_DMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
pm = pm1;
} else {
/* within is against pm1 and we continue this way */
pm = pm1;
}
} else {
if (pm1 == NULL) {
/* within is against dm and continue this way */
pm = dm;
} else if (dm->idx > pm1->idx) {
/* within is against dm */
pm = dm;
} else if (pm2_ots == NULL || pm2_ots->idx < dcem->idx) {
/* trasnfer pm1 to dmatch list and pm = pm1 */
SigMatchTransferSigMatchAcrossLists(pm1,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_DMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_DMATCH]);
pm = pm1;
} else {
/* within is against pm1, pm = pm1 */
pm = pm1;
}
}
} else {
pm = SigMatchGetLastSMFromLists(s, 24,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "\"within\" requires "
"preceeding content, uricontent, http_client_body, "
"http_server_body, http_header, http_raw_header, "
"http_method, http_cookie, http_raw_uri, "
"http_stat_msg, http_stat_code or http_user_agent "
"option");
if (dubbed)
SCFree(str);
return -1;
}
}
DetectContentData *cd = NULL;
DetectPcreData *pe = NULL;
switch (pm->type) {
case DETECT_CONTENT:
cd = (DetectContentData *)pm->ctx;
if (cd == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "content error");
goto error;
}
if (cd->flags & DETECT_CONTENT_NEGATED) {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
"negated keyword set along with a fast_pattern");
goto error;
}
} else {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
"keyword set along with a fast_pattern:only");
goto error;
}
}
if (cd->flags & DETECT_CONTENT_DEPTH || cd->flags & DETECT_CONTENT_OFFSET) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a relative keyword "
"with a non-relative keyword for the same content" );
goto error;
}
if (str[0] != '-' && isalpha(str[0])) {
SigMatch *bed_sm =
DetectByteExtractRetrieveSMVar(str, s,
SigMatchListSMBelongsTo(s, pm));
if (bed_sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var "
"seen in within - %s\n", str);
goto error;
}
cd->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
cd->flags |= DETECT_CONTENT_WITHIN_BE;
} else {
cd->within = strtol(str, NULL, 10);
if (cd->within < (int32_t)cd->content_len) {
SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is "
"less than the content length \"%"PRIu32"\" which is invalid, since "
"this will never match. Invalidating signature", cd->within,
cd->content_len);
goto error;
}
}
cd->flags |= DETECT_CONTENT_WITHIN;
pm = SigMatchGetLastSMFromLists(s, 6,
DETECT_CONTENT, pm->prev,
DETECT_PCRE, pm->prev,
DETECT_BYTEJUMP, pm->prev);
if (pm == NULL) {
if (s->alproto == ALPROTO_DCERPC) {
SCLogDebug("content relative without a previous content based "
"keyword. Holds good only in the case of DCERPC "
"alproto like now.");
} else {
//SCLogError(SC_ERR_INVALID_SIGNATURE, "No related "
// "previous-previous content or pcre keyword");
//goto error;
;
}
} else {
switch (pm->type) {
case DETECT_CONTENT:
/* Set the relative next flag on the prev sigmatch */
cd = (DetectContentData *)pm->ctx;
if (cd == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "content error");
goto error;
}
cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "previous keyword "
"has a fast_pattern:only; set. Can't "
"have relative keywords around a fast_pattern "
"only content");
goto error;
}
break;
case DETECT_PCRE:
pe = (DetectPcreData *) pm->ctx;
if (pe == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre error");
goto error;
}
pe->flags |= DETECT_PCRE_RELATIVE_NEXT;
break;
case DETECT_BYTEJUMP:
SCLogDebug("no setting relative_next for bytejump. We "
"have no use for it");
break;
default:
/* this will never hit */
SCLogError(SC_ERR_INVALID_SIGNATURE, "unsupported type %d", pm->type);
break;
}
}
break;
default:
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs two "
"preceeding content or uricontent options");
goto error;
}
if (dubbed)
SCFree(str);
return 0;
error:
if (dubbed)
SCFree(str);
return -1;
}
/**
* \brief This function is used to add the parsed "http_method" option
* into the current signature.
*
* \param de_ctx Pointer to the Detection Engine Context.
* \param s Pointer to the Current Signature.
* \param str Pointer to the user provided option string.
*
* \retval 0 on Success.
* \retval -1 on Failure.
*/
static int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
{
SCEnter();
DetectContentData *cd = NULL;
if ((str != NULL) && (strcmp(str, "") != 0)) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_method does not take an argument");
SCReturnInt(-1);
}
if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
SCLogError(SC_ERR_HTTP_METHOD_NEEDS_PRECEEDING_CONTENT, "http_method "
"modifies preceding \"content\", but none was found");
SCReturnInt(-1);
}
SigMatch *sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_HTTP_METHOD_NEEDS_PRECEEDING_CONTENT, "http_method "
"modifies preceding \"content\", but none was found");
SCReturnInt(-1);
}
cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_HTTP_METHOD_INCOMPATIBLE_WITH_RAWBYTES, "http_method "
"cannot be used with \"rawbytes\"");
SCReturnInt(-1);
}
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains keywords"
"that conflict with http_method");
goto error;
}
if (cd->flags & DETECT_CONTENT_WITHIN || cd->flags & DETECT_CONTENT_DISTANCE) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
/* pm is never NULL. So no NULL check */
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
} /* if (pm != NULL) */
/* please note. reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT,
s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_PCRE,
s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_HTTP_METHOD_RELATIVE_MISSING, "http_method with "
"a distance or within requires preceding http_method "
"content, but none was found");
goto error;
}
if (pm->type == DETECT_PCRE) {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
} else {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HMDMATCH);
sm->type = DETECT_CONTENT;
/* transfer the sm from the pmatch list to hmdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_HMDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]);
/* flag the signature to indicate that we scan the app layer data */
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
SCReturnInt(0);
error:
SCReturnInt(-1);
}
static int DetectHttpCookieSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
{
DetectContentData *cd = NULL;
SigMatch *sm = NULL;
if (str != NULL && strcmp(str, "") != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_cookie shouldn't be supplied "
"with an argument");
return -1;
}
if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
SCLogError(SC_ERR_HTTP_COOKIE_NEEDS_PRECEEDING_CONTENT, "http_cookie "
"found inside the rule, without any preceding content keywords");
return -1;
}
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogWarning(SC_ERR_HTTP_COOKIE_NEEDS_PRECEEDING_CONTENT, "http_cookie "
"found inside the rule, without a content context. Please use a "
"content keyword before using http_cookie");
return -1;
}
cd = (DetectContentData *)sm->ctx;
/* http_cookie should not be used with the rawbytes rule */
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_HTTP_COOKIE_INCOMPATIBLE_WITH_RAWBYTES, "http_cookie "
"rule can not be used with the rawbytes rule keyword");
return -1;
}
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains keywords"
"that conflict with http_cookie");
goto error;
}
if ((cd->flags & DETECT_CONTENT_WITHIN) || (cd->flags & DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
/* pm is never NULL. So no NULL check */
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
} /* if (pm != NULL) */
/* please note. reassigning pm */
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT,
s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_PCRE,
s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_HTTP_COOKIE_RELATIVE_MISSING, "http_cookie with "
"a distance or within requires preceding http_cookie "
"content, but none was found");
goto error;
}
if (pm->type == DETECT_PCRE) {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
} else {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HCDMATCH);
sm->type = DETECT_CONTENT;
/* transfer the sm from the pmatch list to hcdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_HCDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]);
/* flag the signature to indicate that we scan the app layer data */
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
return 0;
error:
return -1;
}