}
                    if(literal)
                    {
                        literal = 0;
                    }
                }
                else
                {
                    if(literal)
                    {
                        /* NOTE(review): tmp_buf's capacity is not visible here;
                         * confirm that dummy_size is bounded before this store. */
                        tmp_buf[dummy_size] = start_ptr[cnt];
                        dummy_size++;
                        DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Clearing literal\n"););
                        literal = 0;
                    }
                    else
                    {
                        FatalError("%s(%d)=> character value out "
                                   "of range, try a binary buffer\n",
                                   file_name, file_line);
                    }
                }
            }

            break;
        }

        dummy_idx++;
        idx++;
        cnt++;
    }
    /* ...END BAD JUJU */

    /* error prunning */
    /* A trailing backslash or an unterminated '|' hex section is a rule
     * syntax error and aborts loading (FatalError). */
    if (literal)
    {
        FatalError("%s(%d)=> backslash escape is not "
                   "completed\n", file_name, file_line);
    }

    if (hexmode)
    {
        FatalError("%s(%d)=> hexmode is not "
                   "completed\n", file_name, file_line);
    }

    /* Append to the last PatternMatchData already on the OTN's list for
     * this option type (the list is assumed non-empty: ds_idx is
     * dereferenced without a NULL check). */
    ds_idx = (PatternMatchData *) otn->ds_list[type];

    while(ds_idx->next != NULL)
        ds_idx = ds_idx->next;

    /* One extra byte so the buffer is always NUL-terminated; pattern_size
     * below excludes that byte. */
    if((ds_idx->pattern_buf = (char *) calloc(dummy_size+1, sizeof(char))) == NULL)
    {
        FatalError("ParsePattern() pattern_buf malloc failed!\n");
    }

    memcpy(ds_idx->pattern_buf, tmp_buf, dummy_size);

    ds_idx->pattern_size = dummy_size;
    ds_idx->search = uniSearch;

    make_precomp(ds_idx);
    ds_idx->exception_flag = exception_flag;
    ds_idx->pattern_max_jump_size = GetMaxJumpSize(ds_idx->pattern_buf, ds_idx->pattern_size);

    return;
}

#if 0
/*
 * CheckORPatternMatch: compiled out (#if 0).  Walked the
 * PLUGIN_PATTERN_MATCH_OR list on the OTN and returned the next option's
 * result on the first content that matched, 0 if none did.  Kept here
 * verbatim; do not rely on it being built.
 */
static int CheckORPatternMatch(Packet * p, struct _OptTreeNode * otn_idx,
                               OptFpList * fp_list)
{
    int found = 0;
    int dsize;
    char *dp;
    PatternMatchData *idx;

    DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "CheckPatternORMatch: "););

    idx = otn_idx->ds_list[PLUGIN_PATTERN_MATCH_OR];

    while(idx != NULL)
    {
        /* Search the normalized decode buffer unless the rule asked for
         * rawbytes. */
        if((p->packet_flags & PKT_ALT_DECODE) && (idx->rawbytes == 0))
        {
            dsize = p->alt_dsize;
            dp = (char *) DecodeBuffer; /* decode.c */
            DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                    "Using Alternative Decode buffer!\n"););
        }
        else
        {
            dsize = p->dsize;
            dp = (char *) p->data;
        }

        if(idx->offset > dsize)
        {
            DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                    "Initial offset larger than payload!\n"););
            goto sizetoosmall;
        }
        else
        {
            DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                    "testing pattern: %s\n", idx->pattern_buf););
            found = idx->search(dp, dsize, idx);

            if(!found)
            {
                DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                        "Pattern Match failed!\n"););
            }
        }

        DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                "Checking the results\n"););

        if(found)
        {
            DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern Match "
                                    "successful: %s!\n", idx->pattern_buf););
            return fp_list->next->OptTestFunc(p, otn_idx, fp_list->next);
        }
        else
        {
            DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                    "Pattern match failed\n"););
        }

        DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                "Stepping to next content keyword\n"););

sizetoosmall:
        idx = idx->next;
    }

    DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                            "No more keywords, exiting... \n"););
    return 0;
}
#endif

/*
 * CheckANDPatternMatch
 *
 * Evaluates the content option carried in fp_list->context against the
 * packet payload (or the alternate decode buffer when PKT_ALT_DECODE is set
 * and the rule did not ask for rawbytes), then evaluates the rest of the
 * option chain.  If the rest of the chain fails and the next option is
 * relative, the search is retried from just past the previous hit
 * (start_doe) so that a later occurrence of the pattern gets a chance.
 *
 * Returns the next option's result when the whole chain matched, 0
 * otherwise.  idx->use_doe is saved on entry and restored on most exits
 * (see the NOTE(review) on the success path).  doe_ptr is a global that
 * idx->search() appears to advance past each hit; orig_doe remembers its
 * value on entry so relative distance/within checks can be redone.
 */
static int CheckANDPatternMatch(Packet *p, struct _OptTreeNode *otn_idx,
                                OptFpList *fp_list)
{
    int found = 0;
    int next_found;
    int dsize;
    char *dp;
    int origUseDoe;
    char *tmp_doe, *orig_doe, *start_doe;
    int ret;
    PatternMatchData *idx;

    DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "CheckPatternANDMatch: "););

    idx = fp_list->context;
    origUseDoe = idx->use_doe;

    if((p->packet_flags & PKT_ALT_DECODE) && (idx->rawbytes == 0))
    {
        dsize = p->alt_dsize;
        dp = (char *) DecodeBuffer; /* decode.c */
        DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                "Using Alternative Decode buffer!\n"););
    }
    else
    {
        dsize = p->dsize;
        dp = (char *) p->data;
    }

    /* this now takes care of all the special cases where we'd run
     * over the buffer */
    orig_doe = (char *)doe_ptr;

#ifndef NO_FOUND_ERROR
    found = idx->search(dp, dsize, idx);
    if ( found == -1 )
    {
        /* On error, mark as not found.  This is necessary to handle !content
           cases.  In that case, a search that is outside the given buffer will
           return 0, and !0 is 1, so a !content out of bounds will return true,
           which is not what we want. */
        found = 0;
    }
    else
    {
        /* exception_flag is the '!' on the content keyword: invert the hit. */
        found = found ^ idx->exception_flag;
    }
#else
    /* Original code.  Does not account for searching outside the buffer. */
    found = (idx->search(dp, dsize, idx) ^ idx->exception_flag);
#endif

    if (InlineMode() && found && idx->replace_buf)
    {
        //fix the packet buffer to have the new string
        /* NOTE(review): relies on the search above having set doe_ptr to
         * just past the hit; with exception_flag set, "found" can be true
         * without a hit -- confirm doe_ptr is still meaningful then. */
        detect_depth = (char *)doe_ptr - idx->pattern_size - dp;
        ret = PayloadReplace(p, otn_idx, fp_list, detect_depth);
        if (ret == 0)
            return 0;
    }

    while (found)
    {
        /* save where we last did the pattern match */
        tmp_doe = (char *)doe_ptr;

        /* save start doe as beginning of this pattern + non-repeating length*/
        start_doe = (char *)doe_ptr - idx->pattern_size + idx->pattern_max_jump_size;

        DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                "Pattern Match successful!\n"););
        DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                "Check next functions!\n"););

        /* Try evaluating the rest of the rules chain */
        next_found= fp_list->next->OptTestFunc(p, otn_idx, fp_list->next);

        if(next_found != 0)
        {
            DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                    "Next functions matched!\n"););
            /* We found a successful match, return that this rule has fired off */
            /* NOTE(review): this is the one exit that does not restore
             * idx->use_doe.  After the retry path below has set it to 1, a
             * success here leaves use_doe = 1 in the (presumably shared,
             * per-rule) PatternMatchData for the next packet -- confirm
             * whether that is intended. */
            return next_found;
        }
        else if(tmp_doe != NULL)
        {
            /* bytes left from the retry start point to the end of the buffer */
            int new_dsize = dsize-(start_doe-dp);

            /* if the next option isn't relative and it failed, we're done */
            if (fp_list->next->isRelative == 0)
                return 0;

            if(new_dsize <= 0 || new_dsize > dsize)
            {
                DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                        "The new dsize is less than <= 0 or > "
                                        "the the original dsize;returning "
                                        "false\n"););
                idx->use_doe = origUseDoe;
                return 0;
            }

            /* Re-apply distance/offset and within/depth against the new start
             * point so the retry cannot escape the window the rule specified.
             * NOTE(review): the left side of the within/depth compare mixes a
             * pointer difference with pattern_size; if pattern_size is
             * unsigned the whole expression converts to unsigned -- confirm
             * start_doe can never precede the base pointer here. */
            if (orig_doe)
            {
                /* relative to a previously found pattern */
                if (((idx->distance != 0) &&
                     (start_doe - orig_doe > idx->distance)) ||
                    ((idx->offset != 0) &&
                     (start_doe - orig_doe > idx->offset)) )
                {
                    DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                            "The next starting point to search "
                                            "from is beyond the original "
                                            "distance;returning false\n"););
                    idx->use_doe = origUseDoe;
                    return 0;
                }

                if (((idx->within != 0) &&
                     (start_doe - orig_doe + idx->pattern_size > (unsigned int)idx->within)) ||
                    ((idx->depth != 0) &&
                     (start_doe - orig_doe + idx->pattern_size > (unsigned int)idx->depth)) )
                {
                    DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                            "The next starting point to search "
                                            "from is beyond the original "
                                            "within;returning false\n"););
                    idx->use_doe = origUseDoe;
                    return 0;
                }
            }
            else
            {
                /* relative to beginning of data */
                if (((idx->distance != 0) &&
                     (start_doe - dp > idx->distance)) ||
                    ((idx->offset != 0) &&
                     (start_doe - dp > idx->offset)) )
                {
                    DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                            "The next starting point to search "
                                            "from is beyond the original "
                                            "distance;returning false\n"););
                    idx->use_doe = origUseDoe;
                    return 0;
                }

                if (((idx->within != 0) &&
                     (start_doe - dp + idx->pattern_size > (unsigned int)idx->within)) ||
                    ((idx->depth != 0) &&
                     (start_doe - dp + idx->pattern_size > (unsigned int)idx->depth)) )
                {
                    DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                            "The next starting point to search "
                                            "from is beyond the original "
                                            "within;returning false\n"););
                    idx->use_doe = origUseDoe;
                    return 0;
                }
            }

            DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                    "At least ONE of the next functions does to match!\n"););
            DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                    "Start search again from a next point!\n"););

            /* Start the search again from the last set of contents, with a new
               depth and dsize */
            doe_ptr = (u_int8_t *)start_doe;
            idx->use_doe = 1;
            /* NOTE(review): unlike the first search above, a -1 (error) return
             * here is XORed straight into found and keeps the loop alive;
             * whether the start_doe == doe_ptr guard below always catches
             * that case depends on search() not moving doe_ptr on error --
             * confirm against uniSearch. */
            found = (idx->search(start_doe, new_dsize,idx) ^ idx->exception_flag);

            /*
            ** If we haven't updated doe since we set it at the beginning
            ** of the loop, then that means we have already done the exact
            ** same search previously, and have nothing else to gain from
            ** doing the same search again.
            */
            if(start_doe == (char *)doe_ptr)
            {
                idx->use_doe = origUseDoe;
                return 0;
            }
        }
        else
        {
            DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                    "Returning 0 because tmp_doe is NULL\n"););
            idx->use_doe = origUseDoe;
            return 0;
        }
    }

    idx->use_doe = origUseDoe;
    DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Pattern match failed\n"););
    return 0;
}

/************************************************************************/
/************************************************************************/
/************************************************************************/

/*
 * CheckUriPatternMatch
 *
 * Evaluates a uricontent / http_client_body content option against the
 * decoded HTTP buffers in UriBufs[0 .. p->uri_count-1].  Only the buffer
 * whose index equals idx->uri_buffer is searched; doe_ptr is reset to NULL
 * before each search so relative modifiers start from the buffer head.
 *
 * Returns the next option's result on a match, 0 when p->uri_count <= 0 or
 * nothing matched.  No retry loop here: a single search per buffer.
 */
static int CheckUriPatternMatch(Packet *p, struct _OptTreeNode *otn_idx,
                                OptFpList *fp_list)
{
    int found = 0;
    int i;
    PatternMatchData *idx;

    if(p->uri_count <= 0)
    {
        DEBUG_WRAP(DebugMessage(DEBUG_HTTP_DECODE,
                                "CheckUriPatternMatch: p->uri_count is %d. Returning",
                                p->uri_count););
        return 0;
    }

    DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "CheckUriPatternMatch: "););

    idx = fp_list->context;

    for(i=0;i < p->uri_count; i++)
    {
#ifdef DEBUG /* for variable declaration */
        int j;

        /* NOTE(review): debug-only, but "<=" visits index length, one byte
         * past the length bytes handed to search() below -- harmless only
         * if the decoder leaves a trailing byte there; confirm. */
        DebugMessage(DEBUG_HTTP_DECODE,"Checking against URL: ");
        for(j=0; j<=UriBufs[i].length; j++)
        {
            DebugMessage(DEBUG_HTTP_DECODE, "%c", UriBufs[i].uri[j]);
        }
        DebugMessage(DEBUG_HTTP_DECODE,"\n");
#endif /* DEBUG */

        DEBUG_WRAP(DebugMessage(DEBUG_HTTP_DECODE,"Checking for %s pattern in "
                                "buffer %d: ",
                                idx->uri_buffer == HTTP_BUFFER_CLIENT_BODY ?
                                "http_client_body" : "http_uri", i););

        if (idx->uri_buffer != i)
        {
            DEBUG_WRAP(DebugMessage(DEBUG_HTTP_DECODE,"Continuing past buffer "
                                    "for %s, looking for buffer %s\n",
                                    i == HTTP_BUFFER_CLIENT_BODY ?
                                    "http_client_body" : "http_uri",
                                    idx->uri_buffer == HTTP_BUFFER_CLIENT_BODY ?
                                    "http_client_body" : "http_uri"););
            continue;
        }

        /*
         * have to reset the doe_ptr for each new UriBuf
         */
        doe_ptr = NULL;

        /* this now takes care of all the special cases where we'd run
         * over the buffer */
        /* NOTE(review): no -1 handling here, unlike the NO_FOUND_ERROR path in
         * CheckANDPatternMatch; a search error XORed with exception_flag reads
         * as a match, which matters for negated (!) uricontent -- confirm
         * whether uniSearch can return -1 for these buffers. */
        found = (idx->search((const char *)UriBufs[i].uri,
                             UriBufs[i].length, idx) ^ idx->exception_flag);

        if(found)
        {
            DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                    "Pattern Match successful!\n"););

            /* call the next function in the OTN */
            return fp_list->next->OptTestFunc(p, otn_idx, fp_list->next);
        }
    }

    DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Pattern match failed\n"););
    return 0;
}

#if 0
/****************************************************************************
 *
 * Function: ParseContentListFile(char *, OptTreeNode *, int protocol)
 *
 * Purpose: Read the content_list file a line at a time, put the content of
 *          the line into buffer
 *
 * Arguments:otn => rule including the list
 *           file =>