Snort: map more pcre modifiers to GRegexCompileFlags

Change-Id: I5df8cb794b7b76b708448ae4b74b7481bdd8faff
Reviewed-on: https://code.wireshark.org/review/21097
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
Martin Mathieson 2017-04-14 22:37:10 +01:00
parent 581db4c2b8
commit cb1967a982
3 changed files with 44 additions and 9 deletions


@ -49,7 +49,6 @@
#include <epan/packet.h>
#include <epan/prefs.h>
#include <epan/expert.h>
#include <wsutil/report_message.h>
#include <epan/wmem/wmem.h>
#include <wiretap/wtap-int.h>
@ -296,6 +295,7 @@ static gboolean look_for_pcre(content_t *content, tvbuff_t *tvb, guint start_off
GRegex *regex;
GMatchInfo *match_info;
gboolean match_found = FALSE;
GRegexCompileFlags regex_compile_flags = (GRegexCompileFlags)0;
/* Make sure pcre string is ready for regex library. */
if (!content_convert_pcre_for_regex(content)) {
@ -308,10 +308,25 @@ static gboolean look_for_pcre(content_t *content, tvbuff_t *tvb, guint start_off
tvb_memcpy(tvb, (void*)string, start_offset, length_remaining);
string[length_remaining] = '\0';
/* Create regex */
/* For pcre, translated_str already has / /[modifiers] removed.. */
/* Apply any set modifier flags */
if (content->pcre_case_insensitive) {
regex_compile_flags = (GRegexCompileFlags)(regex_compile_flags | G_REGEX_CASELESS);
}
if (content->pcre_dot_includes_newline) {
regex_compile_flags = (GRegexCompileFlags)(regex_compile_flags | G_REGEX_DOTALL);
}
if (content->pcre_raw) {
regex_compile_flags = (GRegexCompileFlags)(regex_compile_flags | G_REGEX_RAW);
}
if (content->pcre_multiline) {
regex_compile_flags = (GRegexCompileFlags)(regex_compile_flags | G_REGEX_MULTILINE);
}
/* Create regex */
regex = g_regex_new(content->translated_str,
content->pcre_case_insensitive ? G_REGEX_CASELESS : (GRegexCompileFlags)0,
regex_compile_flags,
(GRegexMatchFlags)0, NULL);
/* Lookup PCRE match */
@ -982,7 +997,8 @@ static void snort_show_alert(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo
/* Useful for debugging, may also happen when Snort is reassembling.. */
proto_item_append_text(ti, " - not located");
expert_add_info_format(pinfo, ti, &ei_snort_content_not_matched,
"Content \"%s\" not found in frame",
"%s \"%s\" not found in frame",
rule->contents[n].content_type==Pcre ? "PCRE" : "Content",
rule->contents[n].str);
}
}
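Review bot: In the `if (content->pcre_raw)` block, Snort's `B` modifier is translated to `G_REGEX_RAW`, but the two flags do not mean the same thing: `B` selects Snort's raw, undecoded packet buffer, whereas `G_REGEX_RAW` only tells GLib that the pattern and subject are byte sequences rather than UTF-8. The subject built just above is a `tvb_memcpy` of arbitrary packet bytes, which GLib requires to be valid UTF-8 whenever `G_REGEX_RAW` is absent, so the raw flag arguably belongs on every compile (or the subject should be checked with `g_utf8_validate` first) independently of whether the rule carried `B`; the same `case 'B'` mapping appears in the content_convert_pcre_for_regex hunk of the second file. Separately, `g_regex_new` is still given a NULL GError, so a malformed pattern in a rule yields a NULL regex with no diagnostic; whether that NULL is checked before the match is outside this hunk, as is the rest of look_for_pcre.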


@ -1141,12 +1141,28 @@ gboolean content_convert_pcre_for_regex(content_t *content)
break;
}
else {
if (content->str[i] == 'i') {
content->pcre_case_insensitive = TRUE;
}
/* TODO: note/handle other common modifiers (s/m/?) */
}
switch (content->str[i]) {
case 'i':
content->pcre_case_insensitive = TRUE;
break;
case 's':
content->pcre_dot_includes_newline = TRUE;
break;
case 'B':
content->pcre_raw = TRUE;
break;
case 'm':
content->pcre_multiline = TRUE;
break;
default:
/* TODO: handle other modifiers that will get seen? */
/* N.B. 'U' (match in decoded URI buffers) can't be handled, so don't store in flag. */
/* N.B. not sure if/how to handle 'R' (effectively distance:0) */
snort_debug_printf("Unhandled pcre modifier '%c'\n", content->str[i]);
break;
}
}
}
if (end_delimiter_offset == 0) {
/* Didn't find it */
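Review bot: The `default:` branch only debug-prints modifiers the switch does not map, yet several of the Perl-compatible modifiers Snort accepts have direct GLib equivalents and change matching semantics when dropped: `x` (`G_REGEX_EXTENDED`), `G` (`G_REGEX_UNGREEDY`), `A` (`G_REGEX_ANCHORED`) and `E` (`G_REGEX_DOLLAR_ENDONLY`). Until those are stored in content_t and applied in look_for_pcre, a rule written with `x` has its whitespace and `#` comments treated literally and silently fails to match, which is worth more than a debug line. At minimum the TODO could name them, e.g. `/* TODO: 'x','G','A','E' map to G_REGEX_EXTENDED/UNGREEDY/ANCHORED/DOLLAR_ENDONLY */`. The enclosing function and the loop that reaches this switch start outside the hunk.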


@ -69,6 +69,9 @@ typedef struct content_t {
guint translated_length;
gboolean pcre_case_insensitive;
gboolean pcre_dot_includes_newline;
gboolean pcre_raw;
gboolean pcre_multiline;
} content_t;
/* This is to keep track of a variable referenced by a rule */
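Review bot: The new `pcre_raw` and `pcre_multiline` fields (and the two existing flags above them) carry no comment tying each to the pcre modifier letter that sets it, and the producer (content_convert_pcre_for_regex) and consumer (look_for_pcre) are in different files, so the mapping is easy to lose. Suggest trailing comments such as `gboolean pcre_dot_includes_newline; /* 's' modifier */`, `gboolean pcre_raw;               /* 'B' modifier (Snort raw buffer) */` and `gboolean pcre_multiline;         /* 'm' modifier */`, with the same for `pcre_case_insensitive` (`'i'`). The struct's opening is outside the hunk.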