is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.
| sp_pattern_match.c (snort-2.9.16.1) | : | sp_pattern_match.c (snort-2.9.17) |
|---|
| | |
| skipping to change at line 586 | | skipping to change at line 586 |
|---|
| | |
| if (data == NULL) | | if (data == NULL) |
| ParseError("Missing argument to 'offset' option"); | | ParseError("Missing argument to 'offset' option"); |
| | |
| if (isdigit(data[0]) || data[0] == '-') | | if (isdigit(data[0]) || data[0] == '-') |
| { | | { |
| pmd->offset = ParseInt(data, "offset"); | | pmd->offset = ParseInt(data, "offset"); |
| } | | } |
| else | | else |
| { | | { |
|
| if (bytemath_variable_name && (strcmp(bytemath_variable_name,data) == 0) | | pmd->offset_var = find_value(data); |
| ) | | if (pmd->offset_var == BYTE_EXTRACT_NO_VAR) |
| pmd->offset_var= BYTE_MATH_VAR_INDEX; | | |
| else | | |
| { | | { |
|
| pmd->offset_var = GetVarByName(data); | | ParseError(BYTE_EXTRACT_INVALID_ERR_FMT, "offset", data); |
| if (pmd->offset_var == BYTE_EXTRACT_NO_VAR) | | } |
| ParseError(BYTE_EXTRACT_INVALID_ERR_FMT, "offset", data); | | |
| } | | |
| } | | } |
| | |
| DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Pattern offset = %d\n", | | DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Pattern offset = %d\n", |
| pmd->offset);); | | pmd->offset);); |
| } | | } |
| | |
| static void PayloadSearchDepth(struct _SnortConfig *sc, char *data, OptTreeNode
* otn, int protocol) | | static void PayloadSearchDepth(struct _SnortConfig *sc, char *data, OptTreeNode
* otn, int protocol) |
| { | | { |
| PatternMatchData *pmd = GetLastPmdError(otn, lastType, "depth"); | | PatternMatchData *pmd = GetLastPmdError(otn, lastType, "depth"); |
| | |
| | |
| skipping to change at line 623 | | skipping to change at line 620 |
|---|
| | |
| /* check to make sure that this the depth allows this rule to fire */ | | /* check to make sure that this the depth allows this rule to fire */ |
| if ((!pmd->protected_pattern) && (pmd->depth < (int)pmd->pattern_size)) | | if ((!pmd->protected_pattern) && (pmd->depth < (int)pmd->pattern_size)) |
| { | | { |
| ParseError("The depth (%d) is less than the size of the content(%u)!
", | | ParseError("The depth (%d) is less than the size of the content(%u)!
", |
| pmd->depth, pmd->pattern_size); | | pmd->depth, pmd->pattern_size); |
| } | | } |
| } | | } |
| else | | else |
| { | | { |
|
| if (bytemath_variable_name && (strcmp(bytemath_variable_name,data) == 0) | | pmd->depth_var = find_value(data); |
| ) | | if (pmd->depth_var == BYTE_EXTRACT_NO_VAR) |
| pmd->depth_var= BYTE_MATH_VAR_INDEX; | | |
| else | | |
| { | | { |
|
| pmd->depth_var = GetVarByName(data); | | ParseError(BYTE_EXTRACT_INVALID_ERR_FMT, "depth", data); |
| if (pmd->depth_var == BYTE_EXTRACT_NO_VAR) | | |
| ParseError(BYTE_EXTRACT_INVALID_ERR_FMT, "depth", data); | | |
| } | | } |
| } | | } |
| | |
| DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern depth = %d\n", | | DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern depth = %d\n", |
| pmd->depth);); | | pmd->depth);); |
| } | | } |
| | |
| static void PayloadSearchDistance(struct _SnortConfig *sc, char *data, OptTreeNo
de *otn, int protocol) | | static void PayloadSearchDistance(struct _SnortConfig *sc, char *data, OptTreeNo
de *otn, int protocol) |
| { | | { |
| PatternMatchData *pmd = GetLastPmdError(otn, lastType, "distance"); | | PatternMatchData *pmd = GetLastPmdError(otn, lastType, "distance"); |
| | |
| skipping to change at line 653 | | skipping to change at line 647 |
|---|
| | |
| if (data == NULL) | | if (data == NULL) |
| ParseError("Missing argument to 'distance' option"); | | ParseError("Missing argument to 'distance' option"); |
| | |
| if (isdigit(data[0]) || data[0] == '-') | | if (isdigit(data[0]) || data[0] == '-') |
| { | | { |
| pmd->distance = ParseInt(data, "distance"); | | pmd->distance = ParseInt(data, "distance"); |
| } | | } |
| else | | else |
| { | | { |
|
| if (bytemath_variable_name && (strcmp(bytemath_variable_name,data) == 0) | | pmd->distance_var = find_value(data); |
| ) | | if (pmd->distance_var == BYTE_EXTRACT_NO_VAR) |
| pmd->distance_var= BYTE_MATH_VAR_INDEX; | | |
| else | | |
| { | | { |
|
| pmd->distance_var = GetVarByName(data); | | ParseError(BYTE_EXTRACT_INVALID_ERR_FMT, "distance", data); |
| if (pmd->distance_var == BYTE_EXTRACT_NO_VAR) | | |
| ParseError(BYTE_EXTRACT_INVALID_ERR_FMT, "distance", data); | | |
| } | | } |
| } | | } |
| | |
| DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern distance = %d\n", | | DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern distance = %d\n", |
| pmd->distance);); | | pmd->distance);); |
| | |
| /* Only do a relative search if this is a normal content match. */ | | /* Only do a relative search if this is a normal content match. */ |
| if (lastType == PLUGIN_PATTERN_MATCH || lastType == PLUGIN_PATTERN_MATCH_UR
I) | | if (lastType == PLUGIN_PATTERN_MATCH || lastType == PLUGIN_PATTERN_MATCH_UR
I) |
| { | | { |
| pmd->use_doe = 1; | | pmd->use_doe = 1; |
| | |
| skipping to change at line 693 | | skipping to change at line 684 |
|---|
| | |
| if (isdigit(data[0]) || data[0] == '-') | | if (isdigit(data[0]) || data[0] == '-') |
| { | | { |
| pmd->within = ParseInt(data, "within"); | | pmd->within = ParseInt(data, "within"); |
| | |
| if (!pmd->protected_pattern && (pmd->within < pmd->pattern_size)) | | if (!pmd->protected_pattern && (pmd->within < pmd->pattern_size)) |
| ParseError("within (%d) is smaller than size of pattern", pmd->withi
n); | | ParseError("within (%d) is smaller than size of pattern", pmd->withi
n); |
| } | | } |
| else | | else |
| { | | { |
|
| if (bytemath_variable_name && (strcmp(bytemath_variable_name,data) == 0) | | pmd->within_var = find_value(data); |
| ) | | if (pmd->within_var == BYTE_EXTRACT_NO_VAR) |
| pmd->within_var= BYTE_MATH_VAR_INDEX; | | |
| else | | |
| { | | { |
|
| pmd->within_var = GetVarByName(data); | | ParseError(BYTE_EXTRACT_INVALID_ERR_FMT, "within", data); |
| if (pmd->within_var == BYTE_EXTRACT_NO_VAR) | | |
| ParseError(BYTE_EXTRACT_INVALID_ERR_FMT, "within", data); | | |
| } | | } |
| } | | } |
| | |
| DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern within = %d\n", | | DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern within = %d\n", |
| pmd->within);); | | pmd->within);); |
| | |
| /* Only do a relative search if this is a normal content match. */ | | /* Only do a relative search if this is a normal content match. */ |
| if (lastType == PLUGIN_PATTERN_MATCH || lastType == PLUGIN_PATTERN_MATCH_URI
) | | if (lastType == PLUGIN_PATTERN_MATCH || lastType == PLUGIN_PATTERN_MATCH_URI
) |
| { | | { |
| pmd->use_doe = 1; | | pmd->use_doe = 1; |
| | |
| skipping to change at line 2063 | | skipping to change at line 2051 |
|---|
| | |
| if(pmd->use_doe != 1) | | if(pmd->use_doe != 1) |
| { | | { |
| DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "NOT Using Doe Ptr\n");); | | DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "NOT Using Doe Ptr\n");); |
| UpdateDoePtr(NULL, 0); /* get rid of all our pattern match state */ | | UpdateDoePtr(NULL, 0); /* get rid of all our pattern match state */ |
| } | | } |
| | |
| /* Get byte_math/byte_extract variables */ | | /* Get byte_math/byte_extract variables */ |
| if (pmd->offset_var >= 0 ) | | if (pmd->offset_var >= 0 ) |
| { | | { |
|
| if(pmd->offset_var == BYTE_MATH_VAR_INDEX ) | | if(pmd->offset_var == BYTE_MATH_VAR_INDEX) |
| pmd->offset = (int32_t) bytemath_variable; | | |
| else | | |
| { | | { |
|
| if (pmd->offset_var < NUM_BYTE_EXTRACT_VARS) | | pmd->offset = (int32_t) bytemath_variable; |
| { | | } |
| GetByteExtractValue(&extract_offset, pmd->offset_var); | | else if(pmd->offset_var == COMMON_VAR_INDEX) |
| pmd->offset = (int32_t) extract_offset; | | { |
| } | | pmd->offset = (int32_t) common_var; |
| | } |
| | else if (pmd->offset_var < NUM_BYTE_EXTRACT_VARS) |
| | { |
| | GetByteExtractValue(&extract_offset, pmd->offset_var); |
| | pmd->offset = (int32_t) extract_offset; |
| } | | } |
| } | | } |
| if (pmd->distance_var >= 0 ) | | if (pmd->distance_var >= 0 ) |
| { | | { |
|
| if(pmd->distance_var == BYTE_MATH_VAR_INDEX ) | | if(pmd->distance_var == BYTE_MATH_VAR_INDEX) |
| pmd->distance = (int32_t) bytemath_variable; | | |
| else | | |
| { | | { |
|
| if (pmd->distance_var < NUM_BYTE_EXTRACT_VARS) | | pmd->distance = (int32_t) bytemath_variable; |
| { | | } |
| GetByteExtractValue(&extract_distance, pmd->distance_var); | | else if(pmd->distance_var == COMMON_VAR_INDEX) |
| pmd->distance = (int32_t) extract_distance; | | { |
| } | | pmd->distance = (int32_t) common_var; |
| | } |
| | else if (pmd->distance_var < NUM_BYTE_EXTRACT_VARS) |
| | { |
| | GetByteExtractValue(&extract_distance, pmd->distance_var); |
| | pmd->distance = (int32_t) extract_distance; |
| } | | } |
| } | | } |
| | |
| // Set our initial starting point | | // Set our initial starting point |
| if (doe_ptr) | | if (doe_ptr) |
| { | | { |
| // Sanity check to make sure the doe_ptr is within the buffer we're | | // Sanity check to make sure the doe_ptr is within the buffer we're |
| // searching. It could be at the very end of the buffer due to a | | // searching. It could be at the very end of the buffer due to a |
| // previous match, but may have a negative distance here. | | // previous match, but may have a negative distance here. |
| if (((char *)doe_ptr < start_ptr) || ((char *)doe_ptr > end_ptr)) | | if (((char *)doe_ptr < start_ptr) || ((char *)doe_ptr > end_ptr)) |
| | |
| skipping to change at line 2278 | | skipping to change at line 2272 |
|---|
| uint32_t extract_offset, extract_depth, extract_distance, extract_within; | | uint32_t extract_offset, extract_depth, extract_distance, extract_within; |
| int search_start = 0; | | int search_start = 0; |
| | |
| if(pmd->use_doe != 1) | | if(pmd->use_doe != 1) |
| { | | { |
| DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "NOT Using Doe Ptr\n");); | | DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "NOT Using Doe Ptr\n");); |
| UpdateDoePtr(NULL, 0); /* get rid of all our pattern match state */ | | UpdateDoePtr(NULL, 0); /* get rid of all our pattern match state */ |
| } | | } |
| | |
| /* Get byte_math/byte_extract variables */ | | /* Get byte_math/byte_extract variables */ |
|
| if (pmd->offset_var >= 0 ) | | if (pmd->offset_var >= 0) |
| { | | { |
|
| if(pmd->offset_var == BYTE_MATH_VAR_INDEX ) | | if(pmd->offset_var == BYTE_MATH_VAR_INDEX) |
| pmd->offset = (int32_t) bytemath_variable; | | |
| else | | |
| { | | { |
|
| if (pmd->offset_var < NUM_BYTE_EXTRACT_VARS) | | pmd->offset = (int32_t) bytemath_variable; |
| { | | } |
| GetByteExtractValue(&extract_offset, pmd->offset_var); | | else if(pmd->offset_var == COMMON_VAR_INDEX) |
| pmd->offset = (int32_t) extract_offset; | | { |
| } | | pmd->offset = (int32_t) common_var; |
| | } |
| | else if (pmd->offset_var < NUM_BYTE_EXTRACT_VARS) |
| | { |
| | GetByteExtractValue(&extract_offset, pmd->offset_var); |
| | pmd->offset = (int32_t) extract_offset; |
| } | | } |
| } | | } |
|
| if (pmd->depth_var >= 0 ) | | if (pmd->depth_var >= 0) |
| { | | { |
|
| if(pmd->depth_var == BYTE_MATH_VAR_INDEX ) | | if(pmd->depth_var == BYTE_MATH_VAR_INDEX) |
| pmd->depth = (int32_t) bytemath_variable; | | |
| else | | |
| { | | { |
|
| if (pmd->depth_var < NUM_BYTE_EXTRACT_VARS) | | pmd->depth = (int32_t) bytemath_variable; |
| { | | } |
| GetByteExtractValue(&extract_depth, pmd->depth_var); | | else if(pmd->depth_var == COMMON_VAR_INDEX) |
| pmd->depth = (int32_t) extract_depth; | | { |
| } | | pmd->depth = (int32_t) common_var; |
| | } |
| | else if (pmd->depth_var < NUM_BYTE_EXTRACT_VARS) |
| | { |
| | GetByteExtractValue(&extract_depth, pmd->depth_var); |
| | pmd->depth = (int32_t) extract_depth; |
| } | | } |
| } | | } |
|
| if (pmd->distance_var >= 0 ) | | if (pmd->distance_var >= 0) |
| { | | { |
|
| if(pmd->distance_var == BYTE_MATH_VAR_INDEX ) | | if(pmd->distance_var == BYTE_MATH_VAR_INDEX) |
| pmd->distance = (int32_t) bytemath_variable; | | |
| else | | |
| { | | { |
|
| if (pmd->distance_var < NUM_BYTE_EXTRACT_VARS) | | pmd->distance = (int32_t) bytemath_variable; |
| { | | } |
| GetByteExtractValue(&extract_distance, pmd->distance_var); | | else if(pmd->distance == COMMON_VAR_INDEX) |
| pmd->distance = (int32_t) extract_distance; | | { |
| } | | pmd->distance = (int32_t) common_var; |
| | } |
| | else if (pmd->distance_var < NUM_BYTE_EXTRACT_VARS) |
| | { |
| | GetByteExtractValue(&extract_distance, pmd->distance_var); |
| | pmd->distance = (int32_t) extract_distance; |
| } | | } |
| } | | } |
|
| if (pmd->within_var >= 0 ) | | if (pmd->within_var >= 0) |
| { | | { |
|
| if(pmd->within_var == BYTE_MATH_VAR_INDEX ) | | if(pmd->within_var == BYTE_MATH_VAR_INDEX) |
| pmd->within = (int32_t) bytemath_variable; | | |
| else | | |
| { | | { |
|
| if (pmd->within_var < NUM_BYTE_EXTRACT_VARS) | | pmd->within = (int32_t) bytemath_variable; |
| { | | } |
| GetByteExtractValue(&extract_within, pmd->within_var); | | else if(pmd->within_var == COMMON_VAR_INDEX) |
| pmd->within = (int32_t) extract_within; | | { |
| } | | pmd->within = (int32_t) common_var; |
| | } |
| | else if (pmd->within_var < NUM_BYTE_EXTRACT_VARS) |
| | { |
| | GetByteExtractValue(&extract_within, pmd->within_var); |
| | pmd->within = (int32_t) extract_within; |
| } | | } |
| } | | } |
| | |
| // Set our initial starting point | | // Set our initial starting point |
| if (doe_ptr) | | if (doe_ptr) |
| { | | { |
| // Sanity check to make sure the doe_ptr is within the buffer we're | | // Sanity check to make sure the doe_ptr is within the buffer we're |
| // searching. It could be at the very end of the buffer due to a | | // searching. It could be at the very end of the buffer due to a |
| // previous match, but may have a negative distance here. | | // previous match, but may have a negative distance here. |
| if (((char *)doe_ptr < start_ptr) || ((char *)doe_ptr > end_ptr)) | | if (((char *)doe_ptr < start_ptr) || ((char *)doe_ptr > end_ptr)) |
| | | |
| End of changes. 24 change blocks. |
|---|
| 81 lines changed or deleted | | 83 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 