
Source code changes of the file "src/detection-plugins/sp_pattern_match.c" between
snort-2.9.16.1.tar.gz and snort-2.9.17.tar.gz

About: Snort is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.

sp_pattern_match.c  (snort-2.9.16.1):sp_pattern_match.c  (snort-2.9.17)
skipping to change at line 586 skipping to change at line 586
if (data == NULL) if (data == NULL)
ParseError("Missing argument to 'offset' option"); ParseError("Missing argument to 'offset' option");
if (isdigit(data[0]) || data[0] == '-') if (isdigit(data[0]) || data[0] == '-')
{ {
pmd->offset = ParseInt(data, "offset"); pmd->offset = ParseInt(data, "offset");
} }
else else
{ {
if (bytemath_variable_name && (strcmp(bytemath_variable_name,data) == 0) pmd->offset_var = find_value(data);
) if (pmd->offset_var == BYTE_EXTRACT_NO_VAR)
pmd->offset_var= BYTE_MATH_VAR_INDEX;
else
{ {
pmd->offset_var = GetVarByName(data); ParseError(BYTE_EXTRACT_INVALID_ERR_FMT, "offset", data);
if (pmd->offset_var == BYTE_EXTRACT_NO_VAR) }
ParseError(BYTE_EXTRACT_INVALID_ERR_FMT, "offset", data);
}
} }
DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Pattern offset = %d\n", DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Pattern offset = %d\n",
pmd->offset);); pmd->offset););
} }
static void PayloadSearchDepth(struct _SnortConfig *sc, char *data, OptTreeNode * otn, int protocol) static void PayloadSearchDepth(struct _SnortConfig *sc, char *data, OptTreeNode * otn, int protocol)
{ {
PatternMatchData *pmd = GetLastPmdError(otn, lastType, "depth"); PatternMatchData *pmd = GetLastPmdError(otn, lastType, "depth");
skipping to change at line 623 skipping to change at line 620
/* check to make sure that this the depth allows this rule to fire */ /* check to make sure that this the depth allows this rule to fire */
if ((!pmd->protected_pattern) && (pmd->depth < (int)pmd->pattern_size)) if ((!pmd->protected_pattern) && (pmd->depth < (int)pmd->pattern_size))
{ {
ParseError("The depth (%d) is less than the size of the content(%u)! ", ParseError("The depth (%d) is less than the size of the content(%u)! ",
pmd->depth, pmd->pattern_size); pmd->depth, pmd->pattern_size);
} }
} }
else else
{ {
if (bytemath_variable_name && (strcmp(bytemath_variable_name,data) == 0) pmd->depth_var = find_value(data);
) if (pmd->depth_var == BYTE_EXTRACT_NO_VAR)
pmd->depth_var= BYTE_MATH_VAR_INDEX;
else
{ {
pmd->depth_var = GetVarByName(data); ParseError(BYTE_EXTRACT_INVALID_ERR_FMT, "depth", data);
if (pmd->depth_var == BYTE_EXTRACT_NO_VAR)
ParseError(BYTE_EXTRACT_INVALID_ERR_FMT, "depth", data);
} }
} }
DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern depth = %d\n", DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern depth = %d\n",
pmd->depth);); pmd->depth););
} }
static void PayloadSearchDistance(struct _SnortConfig *sc, char *data, OptTreeNo de *otn, int protocol) static void PayloadSearchDistance(struct _SnortConfig *sc, char *data, OptTreeNo de *otn, int protocol)
{ {
PatternMatchData *pmd = GetLastPmdError(otn, lastType, "distance"); PatternMatchData *pmd = GetLastPmdError(otn, lastType, "distance");
skipping to change at line 653 skipping to change at line 647
if (data == NULL) if (data == NULL)
ParseError("Missing argument to 'distance' option"); ParseError("Missing argument to 'distance' option");
if (isdigit(data[0]) || data[0] == '-') if (isdigit(data[0]) || data[0] == '-')
{ {
pmd->distance = ParseInt(data, "distance"); pmd->distance = ParseInt(data, "distance");
} }
else else
{ {
if (bytemath_variable_name && (strcmp(bytemath_variable_name,data) == 0) pmd->distance_var = find_value(data);
) if (pmd->distance_var == BYTE_EXTRACT_NO_VAR)
pmd->distance_var= BYTE_MATH_VAR_INDEX;
else
{ {
pmd->distance_var = GetVarByName(data); ParseError(BYTE_EXTRACT_INVALID_ERR_FMT, "distance", data);
if (pmd->distance_var == BYTE_EXTRACT_NO_VAR)
ParseError(BYTE_EXTRACT_INVALID_ERR_FMT, "distance", data);
} }
} }
DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern distance = %d\n", DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern distance = %d\n",
pmd->distance);); pmd->distance););
/* Only do a relative search if this is a normal content match. */ /* Only do a relative search if this is a normal content match. */
if (lastType == PLUGIN_PATTERN_MATCH || lastType == PLUGIN_PATTERN_MATCH_UR I) if (lastType == PLUGIN_PATTERN_MATCH || lastType == PLUGIN_PATTERN_MATCH_UR I)
{ {
pmd->use_doe = 1; pmd->use_doe = 1;
skipping to change at line 693 skipping to change at line 684
if (isdigit(data[0]) || data[0] == '-') if (isdigit(data[0]) || data[0] == '-')
{ {
pmd->within = ParseInt(data, "within"); pmd->within = ParseInt(data, "within");
if (!pmd->protected_pattern && (pmd->within < pmd->pattern_size)) if (!pmd->protected_pattern && (pmd->within < pmd->pattern_size))
ParseError("within (%d) is smaller than size of pattern", pmd->withi n); ParseError("within (%d) is smaller than size of pattern", pmd->withi n);
} }
else else
{ {
if (bytemath_variable_name && (strcmp(bytemath_variable_name,data) == 0) pmd->within_var = find_value(data);
) if (pmd->within_var == BYTE_EXTRACT_NO_VAR)
pmd->within_var= BYTE_MATH_VAR_INDEX;
else
{ {
pmd->within_var = GetVarByName(data); ParseError(BYTE_EXTRACT_INVALID_ERR_FMT, "within", data);
if (pmd->within_var == BYTE_EXTRACT_NO_VAR)
ParseError(BYTE_EXTRACT_INVALID_ERR_FMT, "within", data);
} }
} }
DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern within = %d\n", DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern within = %d\n",
pmd->within);); pmd->within););
/* Only do a relative search if this is a normal content match. */ /* Only do a relative search if this is a normal content match. */
if (lastType == PLUGIN_PATTERN_MATCH || lastType == PLUGIN_PATTERN_MATCH_URI ) if (lastType == PLUGIN_PATTERN_MATCH || lastType == PLUGIN_PATTERN_MATCH_URI )
{ {
pmd->use_doe = 1; pmd->use_doe = 1;
skipping to change at line 2063 skipping to change at line 2051
if(pmd->use_doe != 1) if(pmd->use_doe != 1)
{ {
DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "NOT Using Doe Ptr\n");); DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "NOT Using Doe Ptr\n"););
UpdateDoePtr(NULL, 0); /* get rid of all our pattern match state */ UpdateDoePtr(NULL, 0); /* get rid of all our pattern match state */
} }
/* Get byte_math/byte_extract variables */ /* Get byte_math/byte_extract variables */
if (pmd->offset_var >= 0 ) if (pmd->offset_var >= 0 )
{ {
if(pmd->offset_var == BYTE_MATH_VAR_INDEX ) if(pmd->offset_var == BYTE_MATH_VAR_INDEX)
pmd->offset = (int32_t) bytemath_variable;
else
{ {
if (pmd->offset_var < NUM_BYTE_EXTRACT_VARS) pmd->offset = (int32_t) bytemath_variable;
{ }
GetByteExtractValue(&extract_offset, pmd->offset_var); else if(pmd->offset_var == COMMON_VAR_INDEX)
pmd->offset = (int32_t) extract_offset; {
} pmd->offset = (int32_t) common_var;
}
else if (pmd->offset_var < NUM_BYTE_EXTRACT_VARS)
{
GetByteExtractValue(&extract_offset, pmd->offset_var);
pmd->offset = (int32_t) extract_offset;
} }
} }
if (pmd->distance_var >= 0 ) if (pmd->distance_var >= 0 )
{ {
if(pmd->distance_var == BYTE_MATH_VAR_INDEX ) if(pmd->distance_var == BYTE_MATH_VAR_INDEX)
pmd->distance = (int32_t) bytemath_variable;
else
{ {
if (pmd->distance_var < NUM_BYTE_EXTRACT_VARS) pmd->distance = (int32_t) bytemath_variable;
{ }
GetByteExtractValue(&extract_distance, pmd->distance_var); else if(pmd->distance_var == COMMON_VAR_INDEX)
pmd->distance = (int32_t) extract_distance; {
} pmd->distance = (int32_t) common_var;
}
else if (pmd->distance_var < NUM_BYTE_EXTRACT_VARS)
{
GetByteExtractValue(&extract_distance, pmd->distance_var);
pmd->distance = (int32_t) extract_distance;
} }
} }
// Set our initial starting point // Set our initial starting point
if (doe_ptr) if (doe_ptr)
{ {
// Sanity check to make sure the doe_ptr is within the buffer we're // Sanity check to make sure the doe_ptr is within the buffer we're
// searching. It could be at the very end of the buffer due to a // searching. It could be at the very end of the buffer due to a
// previous match, but may have a negative distance here. // previous match, but may have a negative distance here.
if (((char *)doe_ptr < start_ptr) || ((char *)doe_ptr > end_ptr)) if (((char *)doe_ptr < start_ptr) || ((char *)doe_ptr > end_ptr))
skipping to change at line 2278 skipping to change at line 2272
uint32_t extract_offset, extract_depth, extract_distance, extract_within; uint32_t extract_offset, extract_depth, extract_distance, extract_within;
int search_start = 0; int search_start = 0;
if(pmd->use_doe != 1) if(pmd->use_doe != 1)
{ {
DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "NOT Using Doe Ptr\n");); DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "NOT Using Doe Ptr\n"););
UpdateDoePtr(NULL, 0); /* get rid of all our pattern match state */ UpdateDoePtr(NULL, 0); /* get rid of all our pattern match state */
} }
/* Get byte_math/byte_extract variables */ /* Get byte_math/byte_extract variables */
if (pmd->offset_var >= 0 ) if (pmd->offset_var >= 0)
{ {
if(pmd->offset_var == BYTE_MATH_VAR_INDEX ) if(pmd->offset_var == BYTE_MATH_VAR_INDEX)
pmd->offset = (int32_t) bytemath_variable;
else
{ {
if (pmd->offset_var < NUM_BYTE_EXTRACT_VARS) pmd->offset = (int32_t) bytemath_variable;
{ }
GetByteExtractValue(&extract_offset, pmd->offset_var); else if(pmd->offset_var == COMMON_VAR_INDEX)
pmd->offset = (int32_t) extract_offset; {
} pmd->offset = (int32_t) common_var;
}
else if (pmd->offset_var < NUM_BYTE_EXTRACT_VARS)
{
GetByteExtractValue(&extract_offset, pmd->offset_var);
pmd->offset = (int32_t) extract_offset;
} }
} }
if (pmd->depth_var >= 0 ) if (pmd->depth_var >= 0)
{ {
if(pmd->depth_var == BYTE_MATH_VAR_INDEX ) if(pmd->depth_var == BYTE_MATH_VAR_INDEX)
pmd->depth = (int32_t) bytemath_variable;
else
{ {
if (pmd->depth_var < NUM_BYTE_EXTRACT_VARS) pmd->depth = (int32_t) bytemath_variable;
{ }
GetByteExtractValue(&extract_depth, pmd->depth_var); else if(pmd->depth_var == COMMON_VAR_INDEX)
pmd->depth = (int32_t) extract_depth; {
} pmd->depth = (int32_t) common_var;
}
else if (pmd->depth_var < NUM_BYTE_EXTRACT_VARS)
{
GetByteExtractValue(&extract_depth, pmd->depth_var);
pmd->depth = (int32_t) extract_depth;
} }
} }
if (pmd->distance_var >= 0 ) if (pmd->distance_var >= 0)
{ {
if(pmd->distance_var == BYTE_MATH_VAR_INDEX ) if(pmd->distance_var == BYTE_MATH_VAR_INDEX)
pmd->distance = (int32_t) bytemath_variable;
else
{ {
if (pmd->distance_var < NUM_BYTE_EXTRACT_VARS) pmd->distance = (int32_t) bytemath_variable;
{ }
GetByteExtractValue(&extract_distance, pmd->distance_var); else if(pmd->distance == COMMON_VAR_INDEX)
pmd->distance = (int32_t) extract_distance; {
} pmd->distance = (int32_t) common_var;
}
else if (pmd->distance_var < NUM_BYTE_EXTRACT_VARS)
{
GetByteExtractValue(&extract_distance, pmd->distance_var);
pmd->distance = (int32_t) extract_distance;
} }
} }
if (pmd->within_var >= 0 ) if (pmd->within_var >= 0)
{ {
if(pmd->within_var == BYTE_MATH_VAR_INDEX ) if(pmd->within_var == BYTE_MATH_VAR_INDEX)
pmd->within = (int32_t) bytemath_variable;
else
{ {
if (pmd->within_var < NUM_BYTE_EXTRACT_VARS) pmd->within = (int32_t) bytemath_variable;
{ }
GetByteExtractValue(&extract_within, pmd->within_var); else if(pmd->within_var == COMMON_VAR_INDEX)
pmd->within = (int32_t) extract_within; {
} pmd->within = (int32_t) common_var;
}
else if (pmd->within_var < NUM_BYTE_EXTRACT_VARS)
{
GetByteExtractValue(&extract_within, pmd->within_var);
pmd->within = (int32_t) extract_within;
} }
} }
// Set our initial starting point // Set our initial starting point
if (doe_ptr) if (doe_ptr)
{ {
// Sanity check to make sure the doe_ptr is within the buffer we're // Sanity check to make sure the doe_ptr is within the buffer we're
// searching. It could be at the very end of the buffer due to a // searching. It could be at the very end of the buffer due to a
// previous match, but may have a negative distance here. // previous match, but may have a negative distance here.
if (((char *)doe_ptr < start_ptr) || ((char *)doe_ptr > end_ptr)) if (((char *)doe_ptr < start_ptr) || ((char *)doe_ptr > end_ptr))
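Review bot: The distance branch in the second evaluation hunk (new line 2272 onward) tests `pmd->distance == COMMON_VAR_INDEX`, which compares the distance value rather than the variable index; the offset, depth and within branches beside it, and the distance branch in the hunk at new line 2051, all test the `_var` field. It should read `else if(pmd->distance_var == COMMON_VAR_INDEX)`. As written, a rule whose distance refers to the common variable picks up `common_var` only when the previous `pmd->distance` happens to equal the constant, and a byte_extract-driven distance is replaced by `common_var` whenever it does. Either way the relative search can start at the wrong position, so the content match may miss traffic or fire spuriously. The enclosing function starts and ends outside the hunk, so the definitions of `common_var` and `COMMON_VAR_INDEX` are not visible here.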
 End of changes. 24 change blocks. 
81 lines changed or deleted 83 lines changed or added
