detect: add and use util func for alproto sets

OISF · Feb 16, 2017 · cc40103 · cc40103
1 parent c477c43
commit cc40103
Show file tree

Hide file tree

Showing 20 changed files with 69 additions and 185 deletions.
diff --git a/src/detect-app-layer-event.c b/src/detect-app-layer-event.c
@@ -336,23 +336,13 @@ static int DetectAppLayerEventSetupP1(DetectEngineCtx *de_ctx, Signature *s, cha
     sm->type = DETECT_AL_APP_LAYER_EVENT;
     sm->ctx = (SigMatchCtx *)data;
 
-    if (s->alproto != ALPROTO_UNKNOWN) {
-        if (s->alproto != data->alproto) {
-            SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains "
-                       "conflicting keywords needing different alprotos");
-            goto error;
-        }
-    } else {
-        s->alproto = data->alproto;
-    }
-
     if (event_type == APP_LAYER_EVENT_TYPE_PACKET) {
         SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
     } else {
-        /* We push it to this list temporarily.  We deal with
-         * these in DetectAppLayerEventPrepare(). */
+        if (DetectSignatureSetAppProto(s, data->alproto) != 0)
+            goto error;
+
         SigMatchAppendSMToList(s, sm, g_applayer_events_list_id);
-        s->flags |= SIG_FLAG_APPLAYER;
     }
 
     return 0;

diff --git a/src/detect-byte-extract.c b/src/detect-byte-extract.c
@@ -561,12 +561,9 @@ static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
     }
 
     if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
-        if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
-            SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
-                       "byte_extract with dce enabled");
+        if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
             goto error;
-        }
-        s->alproto = ALPROTO_DCERPC;
+
         if ((data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) ||
             (data->base == DETECT_BYTE_EXTRACT_BASE_DEC) ||
             (data->base == DETECT_BYTE_EXTRACT_BASE_HEX) ||

diff --git a/src/detect-bytejump.c b/src/detect-bytejump.c
@@ -539,8 +539,8 @@ static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts
             sm_list = DETECT_SM_LIST_PMATCH;
         }
 
-        s->alproto = ALPROTO_DCERPC;
-        s->flags |= SIG_FLAG_APPLAYER;
+        if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
+            goto error;
 
     } else if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
         prev_pm = DetectGetLastSMFromLists(s,
@@ -560,11 +560,6 @@ static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts
     }
 
     if (data->flags & DETECT_BYTEJUMP_DCE) {
-        if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
-            SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
-                       "bytejump with dce enabled");
-            goto error;
-        }
         if ((data->flags & DETECT_BYTEJUMP_STRING) ||
             (data->flags & DETECT_BYTEJUMP_LITTLE) ||
             (data->flags & DETECT_BYTEJUMP_BIG) ||

diff --git a/src/detect-bytetest.c b/src/detect-bytetest.c
@@ -467,8 +467,8 @@ static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts
             sm_list = DETECT_SM_LIST_PMATCH;
         }
 
-        s->alproto = ALPROTO_DCERPC;
-        s->flags |= SIG_FLAG_APPLAYER;
+        if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
+            goto error;
 
     } else if (data->flags & DETECT_BYTETEST_RELATIVE) {
         prev_pm = DetectGetLastSMFromLists(s,
@@ -488,11 +488,6 @@ static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts
     }
 
     if (data->flags & DETECT_BYTETEST_DCE) {
-        if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
-            SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
-                       "bytetest with dce enabled");
-            goto error;
-        }
         if ((data->flags & DETECT_BYTETEST_STRING) ||
             (data->flags & DETECT_BYTETEST_LITTLE) ||
             (data->flags & DETECT_BYTETEST_BIG) ||

diff --git a/src/detect-cipservice.c b/src/detect-cipservice.c
@@ -207,12 +207,8 @@ static int DetectCipServiceSetup(DetectEngineCtx *de_ctx, Signature *s,
     DetectCipServiceData *cipserviced = NULL;
     SigMatch *sm = NULL;
 
-    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_ENIP)
-    {
-        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
-                "rule contains conflicting keywords.");
-        goto error;
-    }
+    if (DetectSignatureSetAppProto(s, ALPROTO_ENIP) != 0)
+        return -1;
 
     cipserviced = DetectCipServiceParse(rulestr);
     if (cipserviced == NULL)
@@ -225,10 +221,7 @@ static int DetectCipServiceSetup(DetectEngineCtx *de_ctx, Signature *s,
     sm->type = DETECT_CIPSERVICE;
     sm->ctx = (void *) cipserviced;
 
-    s->alproto = ALPROTO_ENIP;
-
     SigMatchAppendSMToList(s, sm, g_cip_buffer_id);
-
     SCReturnInt(0);
 
 error:
@@ -384,12 +377,8 @@ static int DetectEnipCommandSetup(DetectEngineCtx *de_ctx, Signature *s,
     DetectEnipCommandData *enipcmdd = NULL;
     SigMatch *sm = NULL;
 
-    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_ENIP)
-    {
-        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
-                "rule contains conflicting keywords.");
-        goto error;
-    }
+    if (DetectSignatureSetAppProto(s, ALPROTO_ENIP) != 0)
+        return -1;
 
     enipcmdd = DetectEnipCommandParse(rulestr);
     if (enipcmdd == NULL)
@@ -402,9 +391,7 @@ static int DetectEnipCommandSetup(DetectEngineCtx *de_ctx, Signature *s,
     sm->type = DETECT_ENIPCOMMAND;
     sm->ctx = (void *) enipcmdd;
 
-    s->alproto = ALPROTO_ENIP;
     SigMatchAppendSMToList(s, sm, g_enip_buffer_id);
-
     SCReturnInt(0);
 
 error:

diff --git a/src/detect-dce-iface.c b/src/detect-dce-iface.c
@@ -370,10 +370,8 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
     DetectDceIfaceData *did = NULL;
     SigMatch *sm = NULL;
 
-    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
-        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+    if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
         return -1;
-    }
 
     did = DetectDceIfaceArgParse(arg);
     if (did == NULL) {
@@ -390,10 +388,6 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
     sm->ctx = (void *)did;
 
     SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
-
-    s->alproto = ALPROTO_DCERPC;
-    /* Flagged the signature as to inspect the app layer data */
-    s->flags |= SIG_FLAG_APPLAYER;
     return 0;
 
  error:

diff --git a/src/detect-dce-opnum.c b/src/detect-dce-opnum.c
@@ -296,10 +296,8 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
         return -1;
     }
 
-    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
-        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+    if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
         return -1;
-    }
 
     dod = DetectDceOpnumArgParse(arg);
     if (dod == NULL) {
@@ -316,10 +314,6 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
     sm->ctx = (void *)dod;
 
     SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
-
-    s->alproto = ALPROTO_DCERPC;
-    /* Flagged the signature as to inspect the app layer data */
-    s->flags |= SIG_FLAG_APPLAYER;
     return 0;
 
  error:

diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c
@@ -237,19 +237,11 @@ void DetectDceStubDataRegister(void)
 
 static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
 {
-    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
-        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
-                   "rule contains conflicting keywords.");
-        goto error;
-    }
+    if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
+        return -1;
 
     s->init_data->list = g_dce_stub_data_buffer_id;
-    s->alproto = ALPROTO_DCERPC;
-    s->flags |= SIG_FLAG_APPLAYER;
     return 0;
-
- error:
-    return -1;
 }
 
 /************************************Unittests*********************************/

diff --git a/src/detect-ftpbounce.c b/src/detect-ftpbounce.c
@@ -225,10 +225,8 @@ int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, char *ftpbounces
 
     SigMatch *sm = NULL;
 
-    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_FTP) {
-        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+    if (DetectSignatureSetAppProto(s, ALPROTO_FTP) != 0)
         return -1;
-    }
 
     sm = SigMatchAlloc();
     if (sm == NULL) {
@@ -249,9 +247,6 @@ int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, char *ftpbounces
     sm->ctx = NULL;
 
     SigMatchAppendSMToList(s, sm, g_ftp_request_list_id);
-
-    s->alproto = ALPROTO_FTP;
-    s->flags |= SIG_FLAG_APPLAYER;
     SCReturnInt(0);
 }
 

diff --git a/src/detect-modbus.c b/src/detect-modbus.c
@@ -366,10 +366,8 @@ static int DetectModbusSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
     DetectModbus    *modbus = NULL;
     SigMatch        *sm = NULL;
 
-    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_MODBUS) {
-        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
-        goto error;
-    }
+    if (DetectSignatureSetAppProto(s, ALPROTO_MODBUS) != 0)
+        return -1;
 
     if ((modbus = DetectModbusFunctionParse(str)) == NULL) {
         if ((modbus = DetectModbusAccessParse(str)) == NULL) {
@@ -387,7 +385,6 @@ static int DetectModbusSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
     sm->ctx     = (void *) modbus;
 
     SigMatchAppendSMToList(s, sm, g_modbus_buffer_id);
-    s->alproto = ALPROTO_MODBUS;
 
     SCReturnInt(0);
 

diff --git a/src/detect-parse.c b/src/detect-parse.c
@@ -1193,6 +1193,26 @@ void SigFree(Signature *s)
     SCFree(s);
 }
 
+int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
+{
+    if (alproto == ALPROTO_UNKNOWN ||
+        alproto >= ALPROTO_FAILED) {
+        SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid alproto %u", alproto);
+        return -1;
+    }
+
+    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != alproto) {
+        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
+            "can't set rule app proto to %s: already set to %s",
+            AppProtoToString(alproto), AppProtoToString(s->alproto));
+        return -1;
+    }
+
+    s->alproto = alproto;
+    s->flags |= SIG_FLAG_APPLAYER;
+    return 0;
+}
+
 /**
  *  \internal
  *  \brief build address match array for cache efficient matching

diff --git a/src/detect-parse.h b/src/detect-parse.h
@@ -70,6 +70,8 @@ SigMatch *DetectGetLastSMFromLists(const Signature *s, ...);
 SigMatch *DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list, ...);
 SigMatch *DetectGetLastSMByListId(const Signature *s, int list_id, ...);
 
+int DetectSignatureSetAppProto(Signature *s, AppProto alproto);
+
 /* parse regex setup and free util funcs */
 
 void DetectSetupParseRegexes(const char *parse_str,

diff --git a/src/detect-ssh-proto-version.c b/src/detect-ssh-proto-version.c
@@ -217,10 +217,8 @@ static int DetectSshVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
     DetectSshVersionData *ssh = NULL;
     SigMatch *sm = NULL;
 
-    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) {
-        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+    if (DetectSignatureSetAppProto(s, ALPROTO_SSH) != 0)
         return -1;
-    }
 
     ssh = DetectSshVersionParse(str);
     if (ssh == NULL)
@@ -236,9 +234,6 @@ static int DetectSshVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
     sm->ctx = (void *)ssh;
 
     SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id);
-
-    s->flags |= SIG_FLAG_APPLAYER;
-    s->alproto = ALPROTO_SSH;
     return 0;
 
 error:

diff --git a/src/detect-ssh-software-version.c b/src/detect-ssh-software-version.c
@@ -212,10 +212,8 @@ static int DetectSshSoftwareVersionSetup (DetectEngineCtx *de_ctx, Signature *s,
     DetectSshSoftwareVersionData *ssh = NULL;
     SigMatch *sm = NULL;
 
-    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) {
-        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+    if (DetectSignatureSetAppProto(s, ALPROTO_SSH) != 0)
         return -1;
-    }
 
     ssh = DetectSshSoftwareVersionParse(str);
     if (ssh == NULL)
@@ -230,11 +228,7 @@ static int DetectSshSoftwareVersionSetup (DetectEngineCtx *de_ctx, Signature *s,
     sm->type = DETECT_AL_SSH_SOFTWAREVERSION;
     sm->ctx = (void *)ssh;
 
-    s->flags |= SIG_FLAG_APPLAYER;
-    s->alproto = ALPROTO_SSH;
-
     SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id);
-
     return 0;
 
 error:

diff --git a/src/detect-ssl-state.c b/src/detect-ssl-state.c
@@ -308,12 +308,9 @@ static int DetectSslStateSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
     DetectSslStateData *ssd = NULL;
     SigMatch *sm = NULL;
 
-    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
-        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
-                   "Rule contains conflicting keywords.  Have non-tls alproto "
-                   "set for a rule containing \"ssl_state\" keyword");
-        goto error;
-    }
+    if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
+        return -1;
+
     ssd = DetectSslStateParse(arg);
     if (ssd == NULL)
         goto error;
@@ -325,10 +322,7 @@ static int DetectSslStateSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
     sm->type = DETECT_AL_SSL_STATE;
     sm->ctx = (SigMatchCtx*)ssd;
 
-    s->alproto = ALPROTO_TLS;
-
     SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
-
     return 0;
 
 error:

diff --git a/src/detect-ssl-version.c b/src/detect-ssl-version.c
@@ -282,10 +282,8 @@ static int DetectSslVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
     DetectSslVersionData *ssl = NULL;
     SigMatch *sm = NULL;
 
-    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_TLS) {
-        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
-        goto error;
-    }
+    if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
+        return -1;
 
     ssl = DetectSslVersionParse(str);
     if (ssl == NULL)
@@ -301,8 +299,6 @@ static int DetectSslVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
     sm->ctx = (void *)ssl;
 
     SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
-
-    s->alproto = ALPROTO_TLS;
     return 0;
 
 error: