author | Martin Mathieson <martin.r.mathieson@googlemail.com> | 2017-06-22 13:36:33 +0100 |
---|---|---|
committer | Pascal Quantin <pascal.quantin@gmail.com> | 2017-06-23 15:33:38 +0000 |
commit | c038937b0a236b710856a696ddb34e6391d6ddb0 (patch) | |
tree | c5baff17430b7d63439efde0f58992f7fa6ddfcb /epan/dissectors/snort-config.c | |
parent | e958a26772eba0c0b5e15336ee703f62d6b825f6 (diff) | |
Snort content matching fixes
Cope with a space between colon and start of options value.
When there are no constraining modifiers, let match for
next content or pcre field start from beginning of payload
again.
Change-Id: Ie1267a0a38143cbe9f0444945f78708bbefaa270
Reviewed-on: https://code.wireshark.org/review/22365
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
(cherry picked from commit 8a3e4650674a36fdfe7b38c60c8d83b4dfec0d11)
Reviewed-on: https://code.wireshark.org/review/22369
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Diffstat (limited to 'epan/dissectors/snort-config.c')
-rw-r--r-- | epan/dissectors/snort-config.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/epan/dissectors/snort-config.c b/epan/dissectors/snort-config.c
index b8d17dcfe8..7b5ea08019 100644
--- a/epan/dissectors/snort-config.c
+++ b/epan/dissectors/snort-config.c
@@ -611,11 +611,16 @@ static void process_rule_option(Rule_t *rule, char *options, int option_start_of
 value[0] = '\0';
 gint value_length = 0;
 guint32 value32 = 0;
+ gint spaces_after_colon = 0;
 if (colon_offset != 0) {
 /* Name and value */
 g_snprintf(name, colon_offset-option_start_offset, "%s", options+option_start_offset);
- g_snprintf(value, options_end_offset-colon_offset, "%s", options+colon_offset);
+ if (options[colon_offset] == ' ') {
+ spaces_after_colon = 1;
+ }
+ g_snprintf(value, options_end_offset-spaces_after_colon-colon_offset, "%s",
+ options+colon_offset+spaces_after_colon);
 value_length = (gint)strlen(value);
 }
 else {
@@ -657,7 +662,7 @@ static void process_rule_option(Rule_t *rule, char *options, int option_start_of
 }
 }
- value[options_end_offset-colon_offset-2] = '\0';
+ value[options_end_offset-colon_offset-spaces_after_colon-2] = '\0';
 rule_add_content(rule, value+value_start+1, value_start == 1);
 }
 else if (strcmp(name, "uricontent") == 0) {
@@ -675,7 +680,7 @@ static void process_rule_option(Rule_t *rule, char *options, int option_start_of
 }
 }
- value[options_end_offset-colon_offset-2] = '\0';
+ value[options_end_offset-colon_offset-spaces_after_colon-2] = '\0';
 rule_add_uricontent(rule, value+value_start+1, value_start == 1);
 }
 else if (strcmp(name, "http_uri") == 0) {
@@ -691,7 +696,7 @@ static void process_rule_option(Rule_t *rule, char *options, int option_start_of
 /* Not expecting negation (!)... */
- value[options_end_offset-colon_offset-2] = '\0';
+ value[options_end_offset-colon_offset-spaces_after_colon-2] = '\0';
 rule_add_pcre(rule, value+value_start+1);
 }
 else if (strcmp(name, "nocase") == 0) { |
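Review bot: The length passed to `g_snprintf(value, options_end_offset-spaces_after_colon-colon_offset, ...)` comes from offsets into the rule text, not from the capacity of `value`, so the rules file rather than the destination decides how much may be written; a difference of zero or less would also convert to a very large unsigned size. `name` and `value` are declared outside this hunk, so their sizes cannot be confirmed here; if they are fixed-size arrays, clamp first, e.g. `gint len = options_end_offset-spaces_after_colon-colon_offset;` then `if (len < 1 || len > (gint)sizeof(value)) return;`. The `name` copy two lines above has the same shape. Separately, `spaces_after_colon` is only ever set to 1, so several spaces or a tab after the colon still end up inside `value`.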
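Review bot: The store `value[options_end_offset-colon_offset-spaces_after_colon-2] = '\0';` uses an index that nothing visible in the hunk checks, so an option whose value is empty or a single character (for instance only a space between the colon and the terminator) would yield a negative index and a write before the start of `value`. `value_length` is already computed where the value is copied and, when the copy was not truncated, should point one past the same position, so a guard such as `if (value_length < 2) return;` before the store would cover it. The same unguarded store appears in the `uricontent` and `pcre` hunks that follow. The code that sets `value_start` sits between the hunks and is not shown, so confirm it does not already reject short values.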