
Detect analyze/v25 #6319

Closed
wants to merge 15 commits into from
Closed
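--- a/src/detect-content.c
+++ b/src/detect-content.c
@@ -627,6 +627,47 @@ void DetectContentPropagateLimits(Signature *s)
 }
 }
 
+static inline bool NeedsAsHex(uint8_t c)
+{
+if (!isprint(c))
+return true;
+
+switch (c) {
+case '/':
+case ';':
+case ':':
+case '\\':
+case ' ':
+case '|':
+case '"':
+case '`':
+case '\'':
+return true;
+}
+return false;
+}
+
+void DetectContentPatternPrettyPrint(const DetectContentData *cd, char *str, size_t str_len)
+{
+bool hex = false;
+for (uint16_t i = 0; i < cd->content_len; i++) {
+if (NeedsAsHex(cd->content[i])) {
+char hex_str[4];
+snprintf(hex_str, sizeof(hex_str), "%s%02X", !hex ? "|" : " ", cd->content[i]);
+strlcat(str, hex_str, str_len);
+hex = true;
+} else {
+char p_str[3];
+snprintf(p_str, sizeof(p_str), "%s%c", hex ? "|" : "", cd->content[i]);
+strlcat(str, p_str, str_len);
+hex = false;
+}
+}
+if (hex) {
+strlcat(str, "|", str_len);
+}
+}
+
 #ifdef UNITTESTS /* UNITTESTS */
 
 static bool TestLastContent(const Signature *s, uint16_t o, uint16_t d)
@@ -652,20 +693,21 @@ static bool TestLastContent(const Signature *s, uint16_t o, uint16_t d)
 return true;
 }
 
-#define TEST_RUN(sig, o, d) \
-{ \
-SCLogDebug("TEST_RUN start: '%s'", (sig)); \
-DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
-FAIL_IF_NULL(de_ctx); \
-char rule[2048]; \
-snprintf(rule, sizeof(rule), "alert tcp any any -> any any (%s sid:1; rev:1;)", (sig)); \
-Signature *s = DetectEngineAppendSig(de_ctx, rule); \
-FAIL_IF_NULL(s); \
-SigAddressPrepareStage1(de_ctx); \
-bool res = TestLastContent(s, (o), (d)); \
-FAIL_IF(res == false); \
-DetectEngineCtxFree(de_ctx); \
-}
+#define TEST_RUN(sig, o, d) \
+{ \
+SCLogDebug("TEST_RUN start: '%s'", (sig)); \
+DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
+FAIL_IF_NULL(de_ctx); \
+de_ctx->flags |= DE_QUIET; \
+char rule[2048]; \
+snprintf(rule, sizeof(rule), "alert tcp any any -> any any (%s sid:1; rev:1;)", (sig)); \
+Signature *s = DetectEngineAppendSig(de_ctx, rule); \
+FAIL_IF_NULL(s); \
+SigAddressPrepareStage1(de_ctx); \
+bool res = TestLastContent(s, (o), (d)); \
+FAIL_IF(res == false); \
+DetectEngineCtxFree(de_ctx); \
+}
 
 #define TEST_DONE \
 PASS
@@ -677,6 +719,8 @@ static int DetectContentDepthTest01(void)
 TEST_RUN("content:\"abc\"; offset:1; depth:3;", 1, 4);
 // dsize applied as depth
 TEST_RUN("dsize:10; content:\"abc\";", 0, 10);
+TEST_RUN("dsize:<10; content:\"abc\";", 0, 10);
+TEST_RUN("dsize:5<>10; content:\"abc\";", 0, 10);
 
 // relative match, directly following anchored content
 TEST_RUN("content:\"abc\"; depth:3; content:\"xyz\"; distance:0; within:3; ", 3, 6);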
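Review bot: DetectContentPatternPrettyPrint (first hunk) appends with strlcat but never checks its return value, so a pattern longer than str_len is silently cut, possibly in the middle of a `|XX XX` run, and the closing `|` added after the loop may not fit either, leaving an unbalanced hex group in the printed rule. Stopping at the first truncation keeps the output well-formed as far as it goes: `if (strlcat(str, hex_str, str_len) >= str_len) return;` for the hex branch and the same pattern for the p_str branch and the final `|`. strlcat also requires str to already hold a NUL-terminated string on entry, and the function does not write `str[0] = '\0'` itself; unless some caller relies on appending, that precondition belongs in a header comment on the function, e.g. `/* Appends cd->content to str (must be NUL-terminated), printable bytes as-is, others as |XX| hex blocks. */`. Note that isprint() is locale dependent, so which bytes are printed raw can change with setlocale(); if the output must be stable, an explicit ASCII range check would be safer than isprint().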
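--- a/src/detect-content.h
+++ b/src/detect-content.h
@@ -123,4 +123,6 @@ void DetectContentFree(DetectEngineCtx *, void *);
 bool DetectContentPMATCHValidateCallback(const Signature *s);
 void DetectContentPropagateLimits(Signature *s);
 
+void DetectContentPatternPrettyPrint(const DetectContentData *cd, char *str, size_t str_len);
+
 #endif /* __DETECT_CONTENT_H__ */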
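--- a/src/detect-dsize.c
+++ b/src/detect-dsize.c
@@ -463,6 +463,7 @@ void SigParseApplyDsizeToContent(Signature *s)
 }
 
 if (cd->depth == 0 || cd->depth >= dsize) {
+cd->flags |= DETECT_CONTENT_DEPTH;
 cd->depth = (uint16_t)dsize;
 SCLogDebug("updated %u, content %u to have depth %u "
 "because of dsize.", s->id, cd->id, cd->depth);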
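Review bot: The added line marks a dsize-derived depth as if the rule had an explicit depth keyword, also for contents that had no depth at all, but nothing at the site says this is intended; a one-line comment would save the next reader a trip through the callers, e.g. `/* dsize bounds the payload, so honor it like an explicit depth */`. If depth can also come from a byte_extract variable in this code base (a separate flag on cd->flags), cd->depth would then hold a variable index rather than a byte count and the `>=` test on the line above would compare the wrong thing; if that case is not excluded earlier in the function, it should be before the override. The `(uint16_t)dsize` cast is only safe if dsize is already known to fit 16 bits; a wider value would wrap to a smaller depth and silently narrow the match. SigParseApplyDsizeToContent starts and ends outside the hunk.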