From c038937b0a236b710856a696ddb34e6391d6ddb0 Mon Sep 17 00:00:00 2001 From: Martin Mathieson Date: Thu, 22 Jun 2017 13:36:33 +0100 Subject: Snort content matching fixes Cope with a space between colon and start of options value. When there are no constraining modifiers, let match for next content or pcre field start from beginning of payload again. Change-Id: Ie1267a0a38143cbe9f0444945f78708bbefaa270 Reviewed-on: https://code.wireshark.org/review/22365 Petri-Dish: Martin Mathieson Tested-by: Petri Dish Buildbot Reviewed-by: Martin Mathieson (cherry picked from commit 8a3e4650674a36fdfe7b38c60c8d83b4dfec0d11) Reviewed-on: https://code.wireshark.org/review/22369 Reviewed-by: Pascal Quantin --- epan/dissectors/packet-snort.c | 14 ++++++++++---- epan/dissectors/snort-config.c | 13 +++++++++---- 2 files changed, 19 insertions(+), 8 deletions(-) diff --git a/epan/dissectors/packet-snort.c b/epan/dissectors/packet-snort.c index 4c054582c7..27a90a4d78 100644 --- a/epan/dissectors/packet-snort.c +++ b/epan/dissectors/packet-snort.c @@ -934,16 +934,19 @@ static void snort_show_alert(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo a negated content entry (i.e. beginning with '!') */ if (attempt_match && !rule->contents[n].negation) { /* Look up offset of match. N.B. would only expect to see on first content... */ - guint offset_to_add = 0; + guint distance_to_add = 0; /* May need to start looking from absolute offset into packet... */ if (rule->contents[n].offset_set) { content_start_match = payload_start + rule->contents[n].offset; - offset_to_add = 0; } /* ... or a number of bytes beyond the previous content match */ else if (rule->contents[n].distance_set) { - offset_to_add = (content_last_match_end-content_start_match) + rule->contents[n].distance; + distance_to_add = (content_last_match_end-content_start_match) + rule->contents[n].distance; + } + else { + /* No constraints about where it appears - go back to the start of the frame. */ + content_start_match = payload_start; } @@ -951,7 +954,7 @@ static void snort_show_alert(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo /* TODO: could take 'depth' and 'within' into account to limit extent of search, but OK if just trying to verify what Snort already found. */ match_found = get_content_match(alert, n, - tvb, content_start_match+offset_to_add, + tvb, content_start_match+distance_to_add, &content_offset, &converted_content_length); if (match_found) { content_last_match_end = content_offset + converted_content_length; @@ -1018,6 +1021,9 @@ static void snort_show_alert(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo if (attempt_match && !rule->contents[n].negation && !match_found) { /* Useful for debugging, may also happen when Snort is reassembling.. */ + /* TODO: not sure why, but PCREs might not be found first time through, but will be + * found later, with the result that there will be 'not located' expert warnings, + * but when you click on the packet, it is matched after all... */ proto_item_append_text(ti, " - not located"); expert_add_info_format(pinfo, ti, &ei_snort_content_not_matched, "%s \"%s\" not found in frame", diff --git a/epan/dissectors/snort-config.c b/epan/dissectors/snort-config.c index b8d17dcfe8..7b5ea08019 100644 --- a/epan/dissectors/snort-config.c +++ b/epan/dissectors/snort-config.c @@ -611,11 +611,16 @@ static void process_rule_option(Rule_t *rule, char *options, int option_start_of value[0] = '\0'; gint value_length = 0; guint32 value32 = 0; + gint spaces_after_colon = 0; if (colon_offset != 0) { /* Name and value */ g_snprintf(name, colon_offset-option_start_offset, "%s", options+option_start_offset); - g_snprintf(value, options_end_offset-colon_offset, "%s", options+colon_offset); + if (options[colon_offset] == ' ') { + spaces_after_colon = 1; + } + g_snprintf(value, options_end_offset-spaces_after_colon-colon_offset, "%s", + options+colon_offset+spaces_after_colon); value_length = (gint)strlen(value); } else { @@ -657,7 +662,7 @@ static void process_rule_option(Rule_t *rule, char *options, int option_start_of } } - value[options_end_offset-colon_offset-2] = '\0'; + value[options_end_offset-colon_offset-spaces_after_colon-2] = '\0'; rule_add_content(rule, value+value_start+1, value_start == 1); } else if (strcmp(name, "uricontent") == 0) { @@ -675,7 +680,7 @@ static void process_rule_option(Rule_t *rule, char *options, int option_start_of } } - value[options_end_offset-colon_offset-2] = '\0'; + value[options_end_offset-colon_offset-spaces_after_colon-2] = '\0'; rule_add_uricontent(rule, value+value_start+1, value_start == 1); } else if (strcmp(name, "http_uri") == 0) { @@ -691,7 +696,7 @@ static void process_rule_option(Rule_t *rule, char *options, int option_start_of /* Not expecting negation (!)... */ - value[options_end_offset-colon_offset-2] = '\0'; + value[options_end_offset-colon_offset-spaces_after_colon-2] = '\0'; rule_add_pcre(rule, value+value_start+1); } else if (strcmp(name, "nocase") == 0) { -- cgit v1.2.1