/**
* \brief this function is used to add the parsed icode data into the current signature
*
* \param de_ctx pointer to the Detection Engine Context
* \param s pointer to the Current Signature
* \param icodestr pointer to the user provided icode options
*
* \retval 0 on Success
* \retval -1 on Failure
*/
static int DetectICodeSetup(DetectEngineCtx *de_ctx, Signature *s, char *icodestr)
{
DetectICodeData *icd = NULL;
SigMatch *sm = NULL;
icd = DetectICodeParse(icodestr);
if (icd == NULL) goto error;
sm = SigMatchAlloc();
if (sm == NULL) goto error;
sm->type = DETECT_ICODE;
sm->ctx = (SigMatchCtx *)icd;
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
s->flags |= SIG_FLAG_REQUIRE_PACKET;
return 0;
error:
if (icd != NULL) DetectICodeFree(icd);
if (sm != NULL) SCFree(sm);
return -1;
}
/**
* \test DetectICodeParseTest08 is a test for setting an invalid icode value
*/
int DetectICodeParseTest08(void) {
DetectICodeData *icd = NULL;
icd = DetectICodeParse("> 8 <> 20");
if (icd == NULL)
return 1;
DetectICodeFree(icd);
return 0;
}
/**
* \test DetectICodeParseTest07 is a test for setting a valid icode value
* with "<>" operator and spaces all around
*/
int DetectICodeParseTest07(void) {
DetectICodeData *icd = NULL;
int result = 0;
icd = DetectICodeParse(" 8 <> 20 ");
if (icd != NULL) {
if (icd->code1 == 8 && icd->code2 == 20 && icd->mode == DETECT_ICODE_RN)
result = 1;
DetectICodeFree(icd);
}
return result;
}
/**
* \brief This function is used to parse icode options passed via icode: keyword
*
* \param icodestr Pointer to the user provided icode options
*
* \retval icd pointer to DetectICodeData on success
* \retval NULL on failure
*/
DetectICodeData *DetectICodeParse(char *icodestr) {
DetectICodeData *icd = NULL;
char *args[3] = {NULL, NULL, NULL};
#define MAX_SUBSTRINGS 30
int ret = 0, res = 0;
int ov[MAX_SUBSTRINGS];
ret = pcre_exec(parse_regex, parse_regex_study, icodestr, strlen(icodestr), 0, 0, ov, MAX_SUBSTRINGS);
if (ret < 1 || ret > 4) {
SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, icodestr);
goto error;
}
int i;
const char *str_ptr;
for (i = 1; i < ret; i++) {
res = pcre_get_substring((char *)icodestr, ov, MAX_SUBSTRINGS, i, &str_ptr);
if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
goto error;
}
args[i-1] = (char *)str_ptr;
}
icd = SCMalloc(sizeof(DetectICodeData));
if (unlikely(icd == NULL))
goto error;
icd->code1 = 0;
icd->code2 = 0;
icd->mode = 0;
/* we have either "<" or ">" */
if (args[0] != NULL && strlen(args[0]) != 0) {
/* we have a third part ("<> y"), therefore it's invalid */
if (args[2] != NULL) {
SCLogError(SC_ERR_INVALID_VALUE, "icode: invalid value");
goto error;
}
/* we have only a comparison ("<", ">") */
if (ByteExtractStringUint8(&icd->code1, 10, 0, args[1]) < 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp code %s is not "
"valid", args[1]);
goto error;
}
if ((strcmp(args[0], ">")) == 0) icd->mode = DETECT_ICODE_GT;
else icd->mode = DETECT_ICODE_LT;
} else { /* no "<", ">" */
/* we have a range ("<>") */
if (args[2] != NULL) {
icd->mode = (uint8_t) DETECT_ICODE_RN;
if (ByteExtractStringUint8(&icd->code1, 10, 0, args[1]) < 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp code %s is not "
"valid", args[1]);
goto error;
}
if (ByteExtractStringUint8(&icd->code2, 10, 0, args[2]) < 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp code %s is not "
"valid", args[2]);
goto error;
}
/* we check that the first given value in the range is less than
the second, otherwise we swap them */
if (icd->code1 > icd->code2) {
uint8_t temp = icd->code1;
icd->code1 = icd->code2;
icd->code2 = temp;
}
} else { /* we have an equality */
icd->mode = DETECT_ICODE_EQ;
if (ByteExtractStringUint8(&icd->code1, 10, 0, args[1]) < 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp code %s is not "
"valid", args[1]);
goto error;
}
}
}
for (i = 0; i < (ret-1); i++) {
if (args[i] != NULL)
SCFree(args[i]);
}
return icd;
error:
for (i = 0; i < (ret-1) && i < 3; i++) {
if (args[i] != NULL)
SCFree(args[i]);
}
if (icd != NULL)
DetectICodeFree(icd);
return NULL;
}