
Source code changes of the file "tools/snort2lua/rule_states/rule_sd_pattern.cc" between
snort3-3.1.36.0.tar.gz and snort3-3.1.38.0.tar.gz

About: Snort 3 is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.

rule_sd_pattern.cc  (snort3-3.1.36.0):rule_sd_pattern.cc  (snort3-3.1.38.0)
skipping to change at line 37 skipping to change at line 37
namespace rules namespace rules
{ {
namespace namespace
{ {
class SDPattern : public ConversionState class SDPattern : public ConversionState
{ {
public: public:
SDPattern(Converter& c) : ConversionState(c) { } SDPattern(Converter& c) : ConversionState(c) { }
bool convert(std::istringstream& data) override; bool convert(std::istringstream& data) override;
private:
std::string convert_pattern(const std::string& pattern);
}; };
} // namespace } // namespace
bool SDPattern::convert(std::istringstream& stream) std::string SDPattern::convert_pattern(const std::string& pattern)
{ {
std::string count; const std::string unused_pcre_tokens("()[].+*^$|");
std::string pattern;
std::string s3_pattern;
for (unsigned i = 0; i < pattern.size(); ++i)
{
char sym = pattern[i];
switch (sym)
{
case '\\':
{
if (i + 1 < pattern.size())
sym = pattern[++i];
else
{
// if backslash placed at the end of the pattern
// Snort2 will process it as a usual symbol
s3_pattern.append("\\\\");
break;
}
switch (sym)
{
case 'l':
s3_pattern.append("\\p{L}");
break;
case 'L':
s3_pattern.append("[^\\p{L}]");
break;
case 'w':
case 'W':
case 'd':
case 'D':
case '\\':
case '{':
case '}':
case '?':
s3_pattern.push_back('\\');
s3_pattern.push_back(sym);
break;
default:
// Snort2 ignores unknown escape sequences
break;
}
break;
}
case '{':
case '}':
case '?':
s3_pattern.push_back(sym);
break;
default:
if (unused_pcre_tokens.find(sym) != std::string::npos)
s3_pattern.push_back('\\');
s3_pattern.push_back(sym);
break;
}
}
return s3_pattern;
}
bool SDPattern::convert(std::istringstream& stream)
{
std::string args = util::get_rule_option_args(stream); std::string args = util::get_rule_option_args(stream);
std::istringstream arg_stream(args); std::istringstream arg_stream(args);
if ( !util::get_string(arg_stream, count, ",") std::string count;
|| !util::get_string(arg_stream, pattern, ","))
if ( !util::get_string(arg_stream, count, ",") )
{ {
rule_api.bad_rule(stream, "sd_pattern missing arguments"); rule_api.bad_rule(stream, "sd_pattern missing threshold argument");
return set_next_rule_state(stream); return set_next_rule_state(stream);
} }
rule_api.add_option("sd_pattern", "\"" + pattern + "\""); std::string pattern = util::get_remain_data(arg_stream, false);
if ( pattern.empty() )
{
rule_api.bad_rule(stream, "sd_pattern missing pattern argument");
return set_next_rule_state(stream);
}
std::string s3_pattern = convert_pattern(pattern);
rule_api.add_option("sd_pattern", "\"" + s3_pattern + "\"");
rule_api.add_suboption("threshold", count); rule_api.add_suboption("threshold", count);
rule_api.bad_rule(stream, "sd_pattern: rules should be written with Snort3 "
"functionality in mind");
return set_next_rule_state(stream); return set_next_rule_state(stream);
} }
/************************** /**************************
******* A P I *********** ******* A P I ***********
**************************/ **************************/
static ConversionState* ctor(Converter& c) static ConversionState* ctor(Converter& c)
{ {
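Review bot: A literal `"` in the Snort2 pattern reaches the generated rule unescaped. In `convert_pattern` it falls through the outer `default:` branch unchanged (it is not in `unused_pcre_tokens`), and `convert` then wraps the result with `"\"" + s3_pattern + "\""`. Unless `util::get_remain_data` or `rule_api.add_option` escapes it (neither is visible here), the quoted Snort3 option would end early, so the converted sensitive-data rule would either fail to load or match something other than the Snort2 original. Consider an explicit case in the outer switch, e.g. `case '"': s3_pattern.append("\\\""); break;`, assuming the Snort3 rule parser accepts `\"` inside a quoted string. A short comment above `convert_pattern` listing the Snort2-to-Snort3 escape mapping would also make the silently dropped unknown escapes easier to audit.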
 End of changes. 8 change blocks. 
7 lines changed or deleted 90 lines changed or added
