Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

detect/dns: fix misdetection on dns_query on udp #2982

Merged
merged 1 commit into from
Nov 8, 2017
Merged

detect/dns: fix misdetection on dns_query on udp #2982

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
51 changes: 49 additions & 2 deletions src/detect-engine-payload.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -177,6 +177,48 @@ int DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx,
SCReturnInt(0);
}

/**
* \brief Do the content inspection & validation for a sigmatch list
*
* \param de_ctx Detection engine context
* \param det_ctx Detection engine thread context
* \param s Signature to inspect
* \param smd array of matches to eval
* \param f flow (for pcre flowvar storage)
* \param p Packet
*
* \retval 0 no match
* \retval 1 match
*/
static int DetectEngineInspectStreamUDPPayload(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
const Signature *s, const SigMatchData *smd,
Flow *f, Packet *p)
{
SCEnter();
int r = 0;

if (smd == NULL) {
SCReturnInt(0);
}
#ifdef DEBUG
det_ctx->payload_persig_cnt++;
det_ctx->payload_persig_size += p->payload_len;
#endif
det_ctx->buffer_offset = 0;
det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0;
det_ctx->replist = NULL;

r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
f, p->payload, p->payload_len, 0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD, p);
if (r == 1) {
SCReturnInt(1);
}
SCReturnInt(0);
}

struct StreamContentInspectData {
DetectEngineCtx *de_ctx;
DetectEngineThreadCtx *det_ctx;
Expand Down Expand Up @@ -282,9 +324,14 @@ int DetectEngineInspectStream(ThreadVars *tv,
Packet *p = det_ctx->p; /* TODO: get rid of this HACK */

/* in certain sigs, e.g. 'alert dns', which apply to both tcp and udp
* we can get called for UDP. */
if (p->proto != IPPROTO_TCP)
* we can get called for UDP. Then we simply inspect the packet payload */
if (p->proto == IPPROTO_UDP) {
return DetectEngineInspectStreamUDPPayload(de_ctx,
det_ctx, s, smd, f, p);
/* for other non-TCP protocols we assume match */
} else if (p->proto != IPPROTO_TCP)
return DETECT_ENGINE_INSPECT_SIG_MATCH;

TcpSession *ssn = f->protoctx;
if (ssn == NULL)
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
Expand Down