Snort content matching fixes

Cope with a space between colon and start of options value.
When there are no constraining modifiers, let match for
next content or pcre field start from beginning of payload
again.

Change-Id: Ie1267a0a38143cbe9f0444945f78708bbefaa270
Reviewed-on: https://code.wireshark.org/review/22365
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>

epan/dissectors/packet-snort.c

@@ -934,16 +934,19 @@ static void snort_show_alert(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo
                a negated content entry (i.e. beginning with '!') */
             if (attempt_match && !rule->contents[n].negation) {
                 /* Look up offset of match. N.B. would only expect to see on first content... */
-                guint offset_to_add = 0;
+                guint distance_to_add = 0;
 
                 /* May need to start looking from absolute offset into packet... */
                 if (rule->contents[n].offset_set) {
                     content_start_match = payload_start + rule->contents[n].offset;
-                    offset_to_add = 0;
                 }
                 /* ... or a number of bytes beyond the previous content match */
                 else if (rule->contents[n].distance_set) {
-                    offset_to_add = (content_last_match_end-content_start_match) + rule->contents[n].distance;
+                    distance_to_add = (content_last_match_end-content_start_match) + rule->contents[n].distance;
+                }
+                else {
+                    /* No constraints about where it appears - go back to the start of the frame. */
+                    content_start_match = payload_start;
                 }
 
 
@@ -951,7 +954,7 @@ static void snort_show_alert(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo
                 /* TODO: could take 'depth' and 'within' into account to limit extent of search,
                    but OK if just trying to verify what Snort already found. */
                 match_found = get_content_match(alert, n,
-                                                tvb, content_start_match+offset_to_add,
+                                                tvb, content_start_match+distance_to_add,
                                                 &content_offset, &converted_content_length);
                 if (match_found) {
                     content_last_match_end = content_offset + converted_content_length;
@@ -1018,6 +1021,9 @@ static void snort_show_alert(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo
 
             if (attempt_match && !rule->contents[n].negation && !match_found) {
                 /* Useful for debugging, may also happen when Snort is reassembling.. */
+                /* TODO: not sure why, but PCREs might not be found first time through, but will be
+                 * found later, with the result that there will be 'not located' expert warnings,
+                 * but when you click on the packet, it is matched after all... */
                 proto_item_append_text(ti, " - not located");
                 expert_add_info_format(pinfo, ti, &ei_snort_content_not_matched,
                                        "%s   \"%s\"   not found in frame",

epan/dissectors/snort-config.c

@@ -611,11 +611,16 @@ static void process_rule_option(Rule_t *rule, char *options, int option_start_of
     value[0] = '\0';
     gint value_length = 0;
     guint32 value32 = 0;
+    gint spaces_after_colon = 0;
 
     if (colon_offset != 0) {
         /* Name and value */
         g_snprintf(name, colon_offset-option_start_offset, "%s", options+option_start_offset);
-        g_snprintf(value, options_end_offset-colon_offset, "%s", options+colon_offset);
+        if (options[colon_offset] == ' ') {
+            spaces_after_colon = 1;
+        }
+        g_snprintf(value, options_end_offset-spaces_after_colon-colon_offset, "%s",
+                   options+colon_offset+spaces_after_colon);
         value_length = (gint)strlen(value);
     }
     else {
@@ -657,7 +662,7 @@ static void process_rule_option(Rule_t *rule, char *options, int option_start_of
             }
         }
 
-        value[options_end_offset-colon_offset-2] = '\0';
+        value[options_end_offset-colon_offset-spaces_after_colon-2] = '\0';
         rule_add_content(rule, value+value_start+1, value_start == 1);
     }
     else if (strcmp(name, "uricontent") == 0) {
@@ -675,7 +680,7 @@ static void process_rule_option(Rule_t *rule, char *options, int option_start_of
             }
         }
 
-        value[options_end_offset-colon_offset-2] = '\0';
+        value[options_end_offset-colon_offset-spaces_after_colon-2] = '\0';
         rule_add_uricontent(rule, value+value_start+1, value_start == 1);
     }
     else if (strcmp(name, "http_uri") == 0) {
@@ -691,7 +696,7 @@ static void process_rule_option(Rule_t *rule, char *options, int option_start_of
 
         /* Not expecting negation (!)... */
 
-        value[options_end_offset-colon_offset-2] = '\0';
+        value[options_end_offset-colon_offset-spaces_after_colon-2] = '\0';
         rule_add_pcre(rule, value+value_start+1);
     }
     else if (strcmp(name, "nocase") == 0) {