Snort content matching fixes
Cope with a space between colon and start of options value. When there are no constraining modifiers, let match for next content or pcre field start from beginning of payload again. Change-Id: Ie1267a0a38143cbe9f0444945f78708bbefaa270 Reviewed-on: https://code.wireshark.org/review/22365 Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
This commit is contained in:
parent
082e3e346f
commit
8a3e465067
|
@ -934,16 +934,19 @@ static void snort_show_alert(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo
|
|||
a negated content entry (i.e. beginning with '!') */
|
||||
if (attempt_match && !rule->contents[n].negation) {
|
||||
/* Look up offset of match. N.B. would only expect to see on first content... */
|
||||
guint offset_to_add = 0;
|
||||
guint distance_to_add = 0;
|
||||
|
||||
/* May need to start looking from absolute offset into packet... */
|
||||
if (rule->contents[n].offset_set) {
|
||||
content_start_match = payload_start + rule->contents[n].offset;
|
||||
offset_to_add = 0;
|
||||
}
|
||||
/* ... or a number of bytes beyond the previous content match */
|
||||
else if (rule->contents[n].distance_set) {
|
||||
offset_to_add = (content_last_match_end-content_start_match) + rule->contents[n].distance;
|
||||
distance_to_add = (content_last_match_end-content_start_match) + rule->contents[n].distance;
|
||||
}
|
||||
else {
|
||||
/* No constraints about where it appears - go back to the start of the frame. */
|
||||
content_start_match = payload_start;
|
||||
}
|
||||
|
||||
|
||||
|
@ -951,7 +954,7 @@ static void snort_show_alert(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo
|
|||
/* TODO: could take 'depth' and 'within' into account to limit extent of search,
|
||||
but OK if just trying to verify what Snort already found. */
|
||||
match_found = get_content_match(alert, n,
|
||||
tvb, content_start_match+offset_to_add,
|
||||
tvb, content_start_match+distance_to_add,
|
||||
&content_offset, &converted_content_length);
|
||||
if (match_found) {
|
||||
content_last_match_end = content_offset + converted_content_length;
|
||||
|
@ -1018,6 +1021,9 @@ static void snort_show_alert(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo
|
|||
|
||||
if (attempt_match && !rule->contents[n].negation && !match_found) {
|
||||
/* Useful for debugging, may also happen when Snort is reassembling.. */
|
||||
/* TODO: not sure why, but PCREs might not be found first time through, but will be
|
||||
* found later, with the result that there will be 'not located' expert warnings,
|
||||
* but when you click on the packet, it is matched after all... */
|
||||
proto_item_append_text(ti, " - not located");
|
||||
expert_add_info_format(pinfo, ti, &ei_snort_content_not_matched,
|
||||
"%s \"%s\" not found in frame",
|
||||
|
|
|
@ -611,11 +611,16 @@ static void process_rule_option(Rule_t *rule, char *options, int option_start_of
|
|||
value[0] = '\0';
|
||||
gint value_length = 0;
|
||||
guint32 value32 = 0;
|
||||
gint spaces_after_colon = 0;
|
||||
|
||||
if (colon_offset != 0) {
|
||||
/* Name and value */
|
||||
g_snprintf(name, colon_offset-option_start_offset, "%s", options+option_start_offset);
|
||||
g_snprintf(value, options_end_offset-colon_offset, "%s", options+colon_offset);
|
||||
if (options[colon_offset] == ' ') {
|
||||
spaces_after_colon = 1;
|
||||
}
|
||||
g_snprintf(value, options_end_offset-spaces_after_colon-colon_offset, "%s",
|
||||
options+colon_offset+spaces_after_colon);
|
||||
value_length = (gint)strlen(value);
|
||||
}
|
||||
else {
|
||||
|
@ -657,7 +662,7 @@ static void process_rule_option(Rule_t *rule, char *options, int option_start_of
|
|||
}
|
||||
}
|
||||
|
||||
value[options_end_offset-colon_offset-2] = '\0';
|
||||
value[options_end_offset-colon_offset-spaces_after_colon-2] = '\0';
|
||||
rule_add_content(rule, value+value_start+1, value_start == 1);
|
||||
}
|
||||
else if (strcmp(name, "uricontent") == 0) {
|
||||
|
@ -675,7 +680,7 @@ static void process_rule_option(Rule_t *rule, char *options, int option_start_of
|
|||
}
|
||||
}
|
||||
|
||||
value[options_end_offset-colon_offset-2] = '\0';
|
||||
value[options_end_offset-colon_offset-spaces_after_colon-2] = '\0';
|
||||
rule_add_uricontent(rule, value+value_start+1, value_start == 1);
|
||||
}
|
||||
else if (strcmp(name, "http_uri") == 0) {
|
||||
|
@ -691,7 +696,7 @@ static void process_rule_option(Rule_t *rule, char *options, int option_start_of
|
|||
|
||||
/* Not expecting negation (!)... */
|
||||
|
||||
value[options_end_offset-colon_offset-2] = '\0';
|
||||
value[options_end_offset-colon_offset-spaces_after_colon-2] = '\0';
|
||||
rule_add_pcre(rule, value+value_start+1);
|
||||
}
|
||||
else if (strcmp(name, "nocase") == 0) {
|
||||
|
|
Loading…
Reference in New Issue