
📄 sp_pattern_match.c

📁 该源码是用C语言编写的,实现网络入侵检测系统的功能
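                /*
                 * NOTE(review): this listing begins inside the pattern parser
                 * (the error messages below name ParsePattern()); its opening
                 * lines are not part of this page, so the tail is reproduced
                 * with only layout and comments changed.
                 */
                if(hexmode)
                {
                    if(isxdigit((int) *idx))
                    {
                        hexsize++;

                        if(!pending)
                        {
                            /* first nibble of the byte */
                            hex_buf[7] = *idx;
                            pending++;
                        }
                        else
                        {
                            /* second nibble: convert the pair and store it */
                            hex_buf[8] = *idx;
                            pending--;

                            if(dummy_idx < dummy_end)
                            {
                                tmp_buf[dummy_size] = (u_char) strtol(hex_buf, (char **) NULL, 16);
                                dummy_size++;
                                bzero(hex_buf, 9);
                                memset(hex_buf, '0', 8);
                            }
                            else
                            {
                                FatalError("ERROR => ParsePattern() dummy buffer overflow, make a smaller pattern please! (Max size = 2048)\n");
                            }
                        }
                    }
                    else
                    {
                        /* only spaces may separate hex digits */
                        if(*idx != ' ')
                        {
                            FatalError("ERROR Line %d => What is this \"%c\"(0x%X) doing in your binary buffer?  Valid hex values only please! (0x0 - 0xF) Position: %d\n", file_line, (char) *idx, (char) *idx, cnt);
                        }
                    }
                }
                else
                {
                    if(*idx >= 0x1F && *idx <= 0x7e)
                    {
                        if(dummy_idx < dummy_end)
                        {
                            tmp_buf[dummy_size] = start_ptr[cnt];
                            dummy_size++;
                        }
                        else
                        {
                            FatalError("ERROR Line %d=> ParsePattern() dummy buffer overflow!\n", file_line);
                        }

                        if(literal)
                        {
                            literal = 0;
                        }
                    }
                    else
                    {
                        if(literal)
                        {
                            /*
                             * NOTE(review): unlike the two stores above, this
                             * one is not guarded by dummy_idx < dummy_end.
                             * Whether tmp_buf can be overrun here depends on
                             * the loop bounds, which are outside this listing
                             * -- confirm.
                             */
                            tmp_buf[dummy_size] = start_ptr[cnt];
                            dummy_size++;
#ifdef DEBUG
                            printf("Clearing literal\n");
#endif
                            literal = 0;
                        }
                        else
                        {
                            FatalError("ERROR Line %d=> character value out of range, try a binary buffer dude\n", file_line);
                        }
                    }
                }

                break;
        }

        dummy_idx++;
        idx++;
        cnt++;
    }

    /* ...END BAD JUJU */

    /* append to the last PatternMatchData node of this rule */
    ds_idx = (PatternMatchData *) otn->ds_list[PLUGIN_PATTERN_MATCH];

    while(ds_idx->next != NULL)
        ds_idx = ds_idx->next;

    /*
     * pattern_buf receives exactly dummy_size bytes and no terminating NUL,
     * so every consumer has to bound its reads with pattern_size.
     */
    if((ds_idx->pattern_buf = (char *) malloc(sizeof(char) * dummy_size)) == NULL)
    {
        FatalError("ERROR => ParsePattern() pattern_buf malloc filed!\n");
    }

    memcpy(ds_idx->pattern_buf, tmp_buf, dummy_size);

    ds_idx->pattern_size = dummy_size;
    ds_idx->search = mSearch;

    ds_idx->skip_stride = make_skip(ds_idx->pattern_buf, ds_idx->pattern_size);
    ds_idx->shift_stride = make_shift(ds_idx->pattern_buf, ds_idx->pattern_size);

    return;
}


/****************************************************************************
 *
 * Function: CheckORPatternMatch(Packet *, struct _OptTreeNode *, OptFpList *)
 *
 * Purpose:  Walk the rule's content keyword list and hand the packet to the
 *           next option test as soon as one pattern is found in the payload
 *
 * Arguments: p => packet under inspection
 *            otn_idx => rule node holding the pattern list
 *            fp_list => current entry in the option function list
 *
 * Returns: result of the next option test on the first hit, 0 if no
 *          pattern is found
 *
 ***************************************************************************/
int CheckORPatternMatch(Packet * p, struct _OptTreeNode * otn_idx, OptFpList * fp_list)
{
    int sub_depth;
    int found = 0;
    PatternMatchData *idx;

#ifdef DEBUG
    printf("CheckPatternMatch: ");
#endif

    idx = otn_idx->ds_list[PLUGIN_PATTERN_MATCH];

    /*
     * NOTE(review): the bounds tests below assume offset and depth are
     * non-negative; their types and the option parser that sets them are not
     * visible in this listing -- confirm.
     */
    while(idx != NULL)
    {
        if(idx->offset > p->dsize)
        {
#ifdef DEBUG
            printf("Initial offset larger than payload!\n");
#endif
            /*
             * NOTE(review): this ends the whole OR test without trying the
             * remaining keywords -- confirm that is intended.
             */
            return 0;
        }
        else
        {
            /* do some tests to make sure we stay in bounds */
            if((idx->depth + idx->offset) > p->dsize)
            {
                /* we want to check only depth bytes anyway */
                sub_depth = p->dsize - idx->offset;

                if((sub_depth > 0) && (sub_depth >= (int)idx->pattern_size))
                {
#ifdef DEBUG
                    /* pattern_buf is not NUL-terminated: bound the print */
                    printf("testing pattern: %.*s\n",
                           (int)idx->pattern_size, idx->pattern_buf);
#endif
                    found = idx->search((char *)(p->data + idx->offset),
                                        sub_depth, idx->pattern_buf,
                                        idx->pattern_size, idx->skip_stride,
                                        idx->shift_stride);
#ifdef DEBUG
                    if(!found)
                    {
                        printf("Pattern Match failed!\n");
                    }
#endif
                }
            }
            else
            {
#ifdef DEBUG
                /* pattern_buf is not NUL-terminated: bound the print */
                printf("Testing pattern (lower section): %.*s\n",
                       (int)idx->pattern_size, idx->pattern_buf);
#endif
                /* a depth that ends before the payload does limits the window */
                if(idx->depth && (p->dsize-idx->offset> idx->depth))
                {
                    found = idx->search((char *)(p->data + idx->offset),
                                        idx->depth, idx->pattern_buf,
                                        idx->pattern_size, idx->skip_stride,
                                        idx->shift_stride);
                }
                else
                {
                    found = idx->search((char *)(p->data + idx->offset),
                                        p->dsize - idx->offset ,
                                        idx->pattern_buf, idx->pattern_size,
                                        idx->skip_stride, idx->shift_stride);
                }

                if(!found)
                {
#ifdef DEBUG
                    printf("Pattern Match failed! Exit the loop.\n");
#endif
                }
            }
        }

#ifdef DEBUG
        printf("Checking the results\n");
#endif

        if(found)
        {
#ifdef DEBUG
            printf("Pattern Match successful:i %.*s!\n",
                   (int)idx->pattern_size, idx->pattern_buf);
#endif
            return fp_list->next->OptTestFunc(p, otn_idx, fp_list->next);
        }
#ifdef DEBUG
        else
        {
            printf("Pattern match failed\n");
        }
#endif

#ifdef DEBUG
        printf("Stepping to next content keyword...\n");
#endif
        idx = idx->next;
    }

#ifdef DEBUG
    printf("No more keywords, exiting... \n");
#endif

    return 0;
}


/****************************************************************************
 *
 * Function: CheckANDPatternMatch(Packet *, struct _OptTreeNode *, OptFpList *)
 *
 * Purpose:  Walk the rule's content keyword list and hand the packet to the
 *           next option test only if every pattern is found in the payload
 *
 * Arguments: p => packet under inspection
 *            otn_idx => rule node holding the pattern list
 *            fp_list => current entry in the option function list
 *
 * Returns: result of the next option test when all patterns match, 0 as
 *          soon as one pattern is missing or cannot fit in the payload
 *
 ***************************************************************************/
int CheckANDPatternMatch(Packet *p, struct _OptTreeNode *otn_idx, OptFpList *fp_list)
{
    int sub_depth;
    int found = 0;
    PatternMatchData *idx;

#ifdef DEBUG
    printf("CheckPatternMatch: ");
#endif

    idx = otn_idx->ds_list[PLUGIN_PATTERN_MATCH];

    /*
     * NOTE(review): the bounds tests below assume offset and depth are
     * non-negative; their types and the option parser that sets them are not
     * visible in this listing -- confirm.
     */
    while(idx != NULL)
    {
        if(idx->offset > p->dsize)
        {
#ifdef DEBUG
            printf("Initial offset larger than payload!\n");
#endif
            return 0;
        }
        else
        {
            /* do some tests to make sure we stay in bounds */
            if((idx->depth + idx->offset) > p->dsize)
            {
                /* we want to match depth bytes anyway */
                sub_depth = p->dsize - idx->offset;

                if((sub_depth > 0) && (sub_depth >= (int)idx->pattern_size))
                {
#ifdef DEBUG
                    /* pattern_buf is not NUL-terminated: bound the print */
                    printf("testing pattern: %.*s\n",
                           (int)idx->pattern_size, idx->pattern_buf);
#endif
                    found = idx->search((char *)(p->data+idx->offset), sub_depth,
                                        idx->pattern_buf, idx->pattern_size,
                                        idx->skip_stride, idx->shift_stride);

                    if(!found)
                    {
#ifdef DEBUG
                        printf("Pattern Match failed!\n");
#endif
                        return 0;
                    }
                }
                else
                {
                    /*
                     * The remaining payload is shorter than the pattern, so
                     * this keyword cannot match and the AND must fail.
                     * Skipping the search here would leave found at the value
                     * set by an earlier keyword and let the rule fire without
                     * this pattern being present.
                     */
#ifdef DEBUG
                    printf("Pattern Match failed!\n");
#endif
                    return 0;
                }
            }
            else
            {
#ifdef DEBUG
                /* pattern_buf is not NUL-terminated: bound the print */
                printf("Testing pattern (lower section): %.*s\n",
                       (int)idx->pattern_size, idx->pattern_buf);
#endif
                /* if depth field is present and we don't go over the dsize boundary with it */
                if(idx->depth && (p->dsize-idx->offset> idx->depth))
                {
                    found = idx->search((char *)(p->data+idx->offset), idx->depth,
                                        idx->pattern_buf, idx->pattern_size,
                                        idx->skip_stride, idx->shift_stride);
                }
                else
                {
                    found = idx->search((char *)(p->data+idx->offset),
                                        p->dsize - idx->offset,
                                        idx->pattern_buf, idx->pattern_size,
                                        idx->skip_stride, idx->shift_stride);
                }

                if(!found)
                {
#ifdef DEBUG
                    printf("Pattern Match failed!\n");
#endif
                    return 0;
                }
            }
        }

        idx = idx->next;

#ifdef DEBUG
        printf("Stepping to next content keyword...\n");
#endif
    }

    /* found is still 0 here only when the keyword list was empty */
    if(found)
    {
#ifdef DEBUG
        printf("Pattern Match successful!\n");
#endif
        return fp_list->next->OptTestFunc(p, otn_idx, fp_list->next);
    }
#ifdef DEBUG
    else
    {
        printf("Pattern match failed\n");
    }
#endif

    return 0;
}


/****************************************************************************
 *
 * Function: ParseContentListFile(char *, OptTreeNode *, int protocol)
 *
 * Purpose:  Read the content_list file a line at a time, wrap each usable
 *           line in double quotes and pass it to ParsePattern()
 *
 * Arguments: file => list file filename
 *            otn => rule including the list
 *            protocol => protocol (not referenced in this function body)
 *
 * Returns: void function
 *
 ***************************************************************************/
void ParseContentListFile(char *file, OptTreeNode * otn, int protocol)
{
    FILE *thefp;                /* file pointer for the content_list file */
    char buf[STD_BUF+1];        /* file read buffer */
    char rule_buf[STD_BUF+1];   /* content keyword buffer */
    int frazes_count;           /* frazes counter */

#ifdef DEBUG
    printf("Opening content_list file: %s\n", file);
#endif

    /* open the list file */
    if((thefp = fopen(file, "r")) == NULL)
    {
        FatalError("Unable to open list file: %s\n", file);
    }

    /* clear the line and rule buffers */
    bzero((char *) buf, STD_BUF);
    bzero((char *) rule_buf, STD_BUF);
    frazes_count = 0;

    /*
     * loop thru each list_file line and content to the rule
     *
     * fgets() reads at most STD_BUF-3 characters per call, which leaves room
     * for the two quotes added below.
     *
     * NOTE(review): a longer line comes back in several pieces, and each
     * piece that does not start with '#', ';' or a newline is added as its
     * own content keyword without any diagnostic. The rule then no longer
     * looks for the pattern as written in the list file; consider rejecting
     * over-long lines.
     */
    while((fgets(buf, STD_BUF-2, thefp)) != NULL)
    {
        /* inc the line counter */
        list_file_line++;

#ifdef DEBUG2
        printf("Got line %d: %s", list_file_line, buf);
#endif

        /* if it's not a comment or a <CR>, send it to the parser */
        if((buf[0] != '#') && (buf[0] != 0x0a) && (buf[0] != ';'))
        {
#ifdef DEBUG
            printf("Adding content keyword: %s", buf);
#endif
            frazes_count++;

            strip(buf);

            /* ParsePattern() is handed the keyword in double quotes */
            snprintf(rule_buf, STD_BUF, "\"%s\"",buf);

            /* check and add content keyword */
            ParsePattern(rule_buf, otn);

#ifdef DEBUG
            printf("Content keyword %s\" added!\n", rule_buf);
#endif
        }
    }

#ifdef DEBUG
    printf("%d frazes read...\n", frazes_count);
#endif

    fclose(thefp);

    return;
}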
