📄 sp_pattern_match.c
字号:
} } } else { if(*idx != ' ') { FatalError("%s(%d) => What is this " "\"%c\"(0x%X) doing in your binary " "buffer? Valid hex values only please! " "(0x0 - 0xF) Position: %d\n", file_name, file_line, (char) *idx, (char) *idx, cnt); } } } else { if(*idx >= 0x1F && *idx <= 0x7e) { if(dummy_idx < dummy_end) { tmp_buf[dummy_size] = start_ptr[cnt]; dummy_size++; } else { FatalError("%s(%d)=> ParsePattern() " "dummy buffer overflow!\n", file_name, file_line); } if(literal) { literal = 0; } } else { if(literal) { tmp_buf[dummy_size] = start_ptr[cnt]; dummy_size++; DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Clearing literal\n");); literal = 0; } else { FatalError("%s(%d)=> character value out " "of range, try a binary buffer\n", file_name, file_line); } } } break; } dummy_idx++; idx++; cnt++; } /* ...END BAD JUJU */ /* error prunning */ if (literal) { FatalError("%s(%d)=> backslash escape is not " "completed\n", file_name, file_line); } if (hexmode) { FatalError("%s(%d)=> hexmode is not " "completed\n", file_name, file_line); } ds_idx = (PatternMatchData *) otn->ds_list[type]; while(ds_idx->next != NULL) ds_idx = ds_idx->next; if((ds_idx->pattern_buf = (char *) calloc(dummy_size+1, sizeof(char))) == NULL) { FatalError("ParsePattern() pattern_buf malloc failed!\n"); } memcpy(ds_idx->pattern_buf, tmp_buf, dummy_size); ds_idx->pattern_size = dummy_size; ds_idx->search = uniSearch; make_precomp(ds_idx); ds_idx->exception_flag = exception_flag; ds_idx->pattern_max_jump_size = GetMaxJumpSize(ds_idx->pattern_buf, ds_idx->pattern_size); return;}static int CheckORPatternMatch(Packet * p, struct _OptTreeNode * otn_idx, OptFpList * fp_list){ int found = 0; int dsize; char *dp; PatternMatchData *idx; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "CheckPatternORMatch: ");); idx = otn_idx->ds_list[PLUGIN_PATTERN_MATCH_OR]; while(idx != NULL) { if((p->packet_flags & PKT_ALT_DECODE) && (idx->rawbytes == 0)) { dsize = p->alt_dsize; dp = (char *) DecodeBuffer; /* decode.c */ DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Using Alternative Decode buffer!\n");); } else { dsize = p->dsize; dp = (char *) p->data; } if(idx->offset > dsize) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Initial offset larger than payload!\n");); goto sizetoosmall; } else { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "testing pattern: %s\n", idx->pattern_buf);); found = idx->search(dp, dsize, idx); if(!found) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern Match failed!\n");); } } DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Checking the results\n");); if(found) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern Match " "successful: %s!\n", idx->pattern_buf);); return fp_list->next->OptTestFunc(p, otn_idx, fp_list->next); } else { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern match failed\n");); } DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Stepping to next content keyword\n");); sizetoosmall: idx = idx->next; } DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "No more keywords, exiting... \n");); return 0;}static int CheckANDPatternMatch(Packet *p, struct _OptTreeNode *otn_idx, OptFpList *fp_list){ int found = 0; int next_found; int dsize; char *dp; int origUseDoe; char *tmp_doe, *orig_doe, *start_doe; PatternMatchData *idx; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "CheckPatternANDMatch: ");); idx = fp_list->context; origUseDoe = idx->use_doe; if((p->packet_flags & PKT_ALT_DECODE) && (idx->rawbytes == 0)) { dsize = p->alt_dsize; dp = (char *) DecodeBuffer; /* decode.c */ DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Using Alternative Decode buffer!\n");); } else { dsize = p->dsize; dp = (char *) p->data; } /* this now takes care of all the special cases where we'd run * over the buffer */ orig_doe = doe_ptr; found = (idx->search(dp, dsize, idx) ^ idx->exception_flag); if (InlineMode() && found && idx->replace_buf) { //fix the packet buffer to have the new string PayloadReplace(p, otn_idx, fp_list, detect_depth); } while (found) { /* save where we last did the pattern match */ tmp_doe = doe_ptr; /* save start doe as beginning of this pattern + non-repeating length*/ start_doe = doe_ptr - idx->pattern_size + idx->pattern_max_jump_size; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern Match successful!\n");); DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Check next functions!\n");); /* Try evaluating the rest of the rules chain */ next_found= fp_list->next->OptTestFunc(p, otn_idx, fp_list->next); if(next_found != 0) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Next functions matched!\n");); /* We found a successful match, return that this rule has fired off */ return next_found; } else if(tmp_doe != NULL) { int new_dsize = dsize-(start_doe-dp); if(new_dsize <= 0 || new_dsize > dsize) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "The new dsize is less than <= 0 or > " "the the original dsize;returning " "false\n");); idx->use_doe = origUseDoe; return 0; } if (orig_doe) { /* relative to a previously found pattern */ if (((idx->distance != 0) && (start_doe - orig_doe > idx->distance)) || ((idx->offset != 0) && (start_doe - orig_doe > idx->offset)) ) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "The next starting point to search " "from is beyond the original " "distance;returning false\n");); idx->use_doe = origUseDoe; return 0; } if (((idx->within != 0) && (start_doe - orig_doe + idx->pattern_size > (unsigned int)idx->within)) || ((idx->depth != 0) && (start_doe - orig_doe + idx->pattern_size > (unsigned int)idx->depth)) ) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "The next starting point to search " "from is beyond the original " "within;returning false\n");); idx->use_doe = origUseDoe; return 0; } } else { /* relative to beginning of data */ if (((idx->distance != 0) && (start_doe - dp > idx->distance)) || ((idx->offset != 0) && (start_doe - dp > idx->offset)) ) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "The next starting point to search " "from is beyond the original " "distance;returning false\n");); idx->use_doe = origUseDoe; return 0; } if (((idx->within != 0) && (start_doe - dp + idx->pattern_size > (unsigned int)idx->within)) || ((idx->depth != 0) && (start_doe - dp + idx->pattern_size > (unsigned int)idx->depth)) ) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "The next starting point to search " "from is beyond the original " "within;returning false\n");); idx->use_doe = origUseDoe; return 0; } } DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "At least ONE of the next functions does to match!\n");); DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Start search again from a next point!\n");); /* Start the search again from the last set of contents, with a new depth and dsize */ doe_ptr = start_doe; idx->use_doe = 1; found = (idx->search(start_doe, new_dsize,idx) ^ idx->exception_flag); /* ** If we haven't updated doe since we set it at the beginning ** of the loop, then that means we have already done the exact ** same search previously, and have nothing else to gain from ** doing the same search again. */ if(start_doe == (char *)doe_ptr) { idx->use_doe = origUseDoe; return 0; } } else { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Returning 0 because tmp_doe is NULL\n");); idx->use_doe = origUseDoe; return 0; } } idx->use_doe = origUseDoe; DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Pattern match failed\n");); return 0;}/************************************************************************//************************************************************************//************************************************************************/static int CheckUriPatternMatch(Packet *p, struct _OptTreeNode *otn_idx, OptFpList *fp_list){ int found = 0; int i; PatternMatchData *idx; if(p->uri_count <= 0) { DEBUG_WRAP(DebugMessage(DEBUG_HTTP_DECODE, "CheckUriPatternMatch: p->uri_count is %d. Returning", p->uri_count);); return 0; } DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "CheckUriPatternMatch: ");); idx = fp_list->context; for(i=0;i < p->uri_count; i++) {#ifdef DEBUG /* for variable declaration */ int j; DebugMessage(DEBUG_HTTP_DECODE,"Checking against URL: "); for(j=0; j<=UriBufs[i].length; j++) { DebugMessage(DEBUG_HTTP_DECODE, "%c", UriBufs[i].uri[j]); } DebugMessage(DEBUG_HTTP_DECODE,"\n");#endif /* DEBUG */ /* * have to reset the doe_ptr for each new UriBuf */ doe_ptr = NULL; /* this now takes care of all the special cases where we'd run * over the buffer */ found = (idx->search(UriBufs[i].uri, UriBufs[i].length, idx) ^ idx->exception_flag); if(found) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern Match successful!\n");); /* call the next function in the OTN */ return fp_list->next->OptTestFunc(p, otn_idx, fp_list->next); } } DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Pattern match failed\n");); return 0;}/**************************************************************************** * * Function: ParseContentListFile(char *, OptTreeNode *, int protocol) * * Purpose: Read the content_list file a line at a time, put the content of * the line into buffer * * Arguments:otn => rule including the list * file => list file filename * protocol => protocol * * Returns: void function * ***************************************************************************/static void ParseContentListFile(char *file, OptTreeNode * otn, int protocol){ FILE *thefp; /* file pointer for the content_list file */ char buf[STD_BUF+1]; /* file read buffer */ char rule_buf[STD_BUF+1]; /* content keyword buffer */ int frazes_count; /* frazes counter */#ifdef DEBUG PatternMatchData *idx; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Opening content_list file: %s\n", file););#endif /* DEBUG */ /* open the list file */ if((thefp = fopen(file, "r")) == NULL) { FatalError("Unable to open list file: %s\n", file); } /* clear the line and rule buffers */ bzero((char *) buf, STD_BUF); bzero((char *) rule_buf, STD_BUF); frazes_count = 0; /* loop thru each list_file line and content to the rule */ while((fgets(buf, STD_BUF-2, thefp)) != NULL) { /* inc the line counter */ list_file_line++; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Got line %d: %s", list_file_line, buf);); /* if it's not a comment or a <CR>, send it to the parser */ if((buf[0] != '#') && (buf[0] != 0x0a) && (buf[0] != ';')) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Adding content keyword: %s", buf);); frazes_count++; strip(buf); NewNode(otn, PLUGIN_PATTERN_MATCH_OR); /* check and add content keyword */ ParsePattern(buf, otn, PLUGIN_PATTERN_MATCH_OR); DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Content keyword %s\" added!\n", buf);); } }#ifdef DEBUG DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "%d frazes read...\n", frazes_count);); idx = (PatternMatchData *) otn->ds_list[PLUGIN_PATTERN_MATCH_OR]; if(idx == NULL) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "No patterns loaded\n");); } else { while(idx != NULL) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern = %s\n", idx->pattern_buf);); idx = idx->next; } }#endif /* DEBUG */ fclose(thefp); return;}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -