...
|
...
|
@@ -1,5 +1,5 @@
|
1
|
1
|
/*
|
2
|
|
- * Copyright (C) 2007-2013 Sourcefire, Inc.
|
|
2
|
+ * Copyright (C) 2007-2009 Sourcefire, Inc.
|
3
|
3
|
*
|
4
|
4
|
* Authors: Tomasz Kojm
|
5
|
5
|
*
|
...
|
...
|
@@ -170,12 +170,8 @@ int cli_ac_addpatt(struct cli_matcher *root, struct cli_ac_patt *pattern)
|
170
|
170
|
while(ph) {
|
171
|
171
|
if(!ph_add_after && ph->partno <= pattern->partno && (!ph->next || ph->next->partno > pattern->partno))
|
172
|
172
|
ph_add_after = ph;
|
173
|
|
- if((ph->length == pattern->length) &&
|
174
|
|
- (ph->prefix_length == pattern->prefix_length) &&
|
175
|
|
- (ph->special_len == pattern->special_len) &&
|
176
|
|
- (ph->ch[0] == pattern->ch[0]) && (ph->ch[1] == pattern->ch[1])) {
|
177
|
|
- if(!memcmp(ph->pattern, pattern->pattern, ph->length * sizeof(uint16_t)) &&
|
178
|
|
- !memcmp(ph->prefix, pattern->prefix, ph->prefix_length * sizeof(uint16_t))) {
|
|
173
|
+ if((ph->length == pattern->length) && (ph->prefix_length == pattern->prefix_length) && (ph->ch[0] == pattern->ch[0]) && (ph->ch[1] == pattern->ch[1])) {
|
|
174
|
+ if(!memcmp(ph->pattern, pattern->pattern, ph->length * sizeof(uint16_t)) && !memcmp(ph->prefix, pattern->prefix, ph->prefix_length * sizeof(uint16_t))) {
|
179
|
175
|
if(!ph->special && !pattern->special) {
|
180
|
176
|
match = 1;
|
181
|
177
|
} else if(ph->special == pattern->special) {
|
...
|
...
|
@@ -815,13 +811,12 @@ int cli_ac_chklsig(const char *expr, const char *end, uint32_t *lsigcnt, unsigne
|
815
|
815
|
|
816
|
816
|
inline static int ac_findmatch(const unsigned char *buffer, uint32_t offset, uint32_t fileoffset, uint32_t length, const struct cli_ac_patt *pattern, uint32_t *end)
|
817
|
817
|
{
|
818
|
|
- uint32_t bp, match;
|
819
|
|
- uint16_t wc, i, j, specialcnt = pattern->special_pattern;
|
820
|
|
- struct cli_ac_special *special;
|
|
818
|
+ uint32_t bp, match;
|
|
819
|
+ uint16_t wc, i, j, specialcnt = pattern->special_pattern;
|
|
820
|
+ struct cli_ac_special *special;
|
821
|
821
|
|
822
|
822
|
|
823
|
|
- if ((offset + pattern->length + pattern->special_len > length) ||
|
824
|
|
- (pattern->prefix_length + pattern->special_len > offset))
|
|
823
|
+ if((offset + pattern->length > length) || (pattern->prefix_length > offset))
|
825
|
824
|
return 0;
|
826
|
825
|
|
827
|
826
|
bp = offset + pattern->depth;
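Review bot: The guard on new line 823, `if((offset + pattern->length > length) || (pattern->prefix_length > offset))`, now bounds the read by pattern->length alone, which is only sufficient if every alternate in pattern->special is already counted in pattern->length; the hunk at old line 1752 stops assigning special_len but the field is left in place rather than removed, and nothing visible here enforces that invariant. I would state it at the guard, `/* special_len is no longer maintained: every AC_SPECIAL_ALT_STR/ALT_CHAR alternate must fit within pattern->length, or the comparisons below could run past length */`, or drop the special_len member from struct cli_ac_patt so a stale value cannot be consulted anywhere else. Note also that `offset + pattern->length` is uint32_t arithmetic and can wrap before the comparison, a weakness the hunk inherits rather than introduces. Separately, the re-wrapped cli_errmsg calls at new lines 1376 and 1431 pass `sizeof(struct cli_ac_result)` (a size_t) to `%u`; `%zu` is the matching conversion. ac_findmatch's body continues past the end of this hunk.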
|
...
|
...
|
@@ -884,7 +879,7 @@ inline static int ac_findmatch(const unsigned char *buffer, uint32_t offset, uin
|
884
|
884
|
|
885
|
885
|
if(pattern->prefix) {
|
886
|
886
|
specialcnt = 0;
|
887
|
|
- bp = offset - pattern->prefix_length - pattern->special_len;
|
|
887
|
+ bp = offset - pattern->prefix_length;
|
888
|
888
|
match = 1;
|
889
|
889
|
for(i = 0; i < pattern->prefix_length; i++) {
|
890
|
890
|
AC_MATCH_CHAR(pattern->prefix[i],buffer[bp]);
|
...
|
...
|
@@ -895,7 +890,7 @@ inline static int ac_findmatch(const unsigned char *buffer, uint32_t offset, uin
|
895
|
895
|
}
|
896
|
896
|
|
897
|
897
|
if(!(pattern->ch[0] & CLI_MATCH_IGNORE)) {
|
898
|
|
- bp = offset - pattern->prefix_length - pattern->special_len;
|
|
898
|
+ bp = offset - pattern->prefix_length;
|
899
|
899
|
if(pattern->ch_mindist[0] + (uint32_t) 1 > bp)
|
900
|
900
|
return 0;
|
901
|
901
|
bp -= pattern->ch_mindist[0] + 1;
|
...
|
...
|
@@ -1209,16 +1204,12 @@ int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **v
|
1209
|
1209
|
continue;
|
1210
|
1210
|
}
|
1211
|
1211
|
bp = i + 1 - patt->depth;
|
1212
|
|
- if (patt->offdata[0] != CLI_OFF_VERSION &&
|
1213
|
|
- patt->offdata[0] != CLI_OFF_MACRO &&
|
1214
|
|
- !patt->next_same &&
|
1215
|
|
- (patt->offset_min != CLI_OFF_ANY) &&
|
1216
|
|
- (!patt->sigid || patt->partno == 1)) {
|
|
1212
|
+ if(patt->offdata[0] != CLI_OFF_VERSION && patt->offdata[0] != CLI_OFF_MACRO && !patt->next_same && (patt->offset_min != CLI_OFF_ANY) && (!patt->sigid || patt->partno == 1)) {
|
1217
|
1213
|
if(patt->offset_min == CLI_OFF_NONE) {
|
1218
|
1214
|
patt = patt->next;
|
1219
|
1215
|
continue;
|
1220
|
1216
|
}
|
1221
|
|
- realoff = offset + bp - patt->prefix_length - patt->special_len;
|
|
1217
|
+ realoff = offset + bp - patt->prefix_length;
|
1222
|
1218
|
if(patt->offdata[0] == CLI_OFF_ABSOLUTE) {
|
1223
|
1219
|
if(patt->offset_max < realoff || patt->offset_min > realoff) {
|
1224
|
1220
|
patt = patt->next;
|
...
|
...
|
@@ -1240,7 +1231,7 @@ int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **v
|
1240
|
1240
|
pt = pt->next_same;
|
1241
|
1241
|
continue;
|
1242
|
1242
|
}
|
1243
|
|
- realoff = offset + bp - pt->prefix_length - patt->special_len;
|
|
1243
|
+ realoff = offset + bp - pt->prefix_length;
|
1244
|
1244
|
if(pt->offdata[0] == CLI_OFF_VERSION) {
|
1245
|
1245
|
if(!cli_hashset_contains_maybe_noalloc(mdata->vinfo, realoff)) {
|
1246
|
1246
|
pt = pt->next_same;
|
...
|
...
|
@@ -1373,10 +1364,9 @@ int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **v
|
1373
|
1373
|
if(res) {
|
1374
|
1374
|
newres = (struct cli_ac_result *) malloc(sizeof(struct cli_ac_result));
|
1375
|
1375
|
if(!newres) {
|
1376
|
|
- cli_errmsg("cli_ac_scanbuff: Can't allocate memory for newres %u\n",
|
1377
|
|
- sizeof(struct cli_ac_result));
|
|
1376
|
+ cli_errmsg("cli_ac_scanbuff: Can't allocate memory for newres %u\n", sizeof(struct cli_ac_result));
|
1378
|
1377
|
return CL_EMEM;
|
1379
|
|
- }
|
|
1378
|
+ }
|
1380
|
1379
|
newres->virname = pt->virname;
|
1381
|
1380
|
newres->customdata = pt->customdata;
|
1382
|
1381
|
newres->next = *res;
|
...
|
...
|
@@ -1407,8 +1397,7 @@ int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **v
|
1407
|
1407
|
if(pt->type == CL_TYPE_IGNORED && (!pt->rtype || ftype == pt->rtype))
|
1408
|
1408
|
return CL_TYPE_IGNORED;
|
1409
|
1409
|
|
1410
|
|
- if((pt->type > type || pt->type >= CL_TYPE_SFX || pt->type == CL_TYPE_MSEXE) &&
|
1411
|
|
- (!pt->rtype || ftype == pt->rtype)) {
|
|
1410
|
+ if((pt->type > type || pt->type >= CL_TYPE_SFX || pt->type == CL_TYPE_MSEXE) && (!pt->rtype || ftype == pt->rtype)) {
|
1412
|
1411
|
|
1413
|
1412
|
cli_dbgmsg("Matched signature for file type %s at %u\n", pt->virname, realoff);
|
1414
|
1413
|
type = pt->type;
|
...
|
...
|
@@ -1428,10 +1417,9 @@ int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **v
|
1428
|
1428
|
if(res) {
|
1429
|
1429
|
newres = (struct cli_ac_result *) malloc(sizeof(struct cli_ac_result));
|
1430
|
1430
|
if(!newres) {
|
1431
|
|
- cli_errmsg("cli_ac_scanbuff: Can't allocate memory for newres %u\n",
|
1432
|
|
- sizeof(struct cli_ac_result));
|
1433
|
|
- return CL_EMEM;
|
1434
|
|
- }
|
|
1431
|
+ cli_errmsg("cli_ac_scanbuff: Can't allocate memory for newres %u\n", sizeof(struct cli_ac_result));
|
|
1432
|
+ return CL_EMEM;
|
|
1433
|
+ }
|
1435
|
1434
|
newres->virname = pt->virname;
|
1436
|
1435
|
newres->customdata = pt->customdata;
|
1437
|
1436
|
newres->offset = realoff;
|
...
|
...
|
@@ -1693,10 +1681,6 @@ int cli_ac_addsig(struct cli_matcher *root, const char *virname, const char *hex
|
1693
|
1693
|
newspecial->type = AC_SPECIAL_WHITE;
|
1694
|
1694
|
*/
|
1695
|
1695
|
} else {
|
1696
|
|
- /* This code block needs to be refactored to support alternate strings of varying lengths.
|
1697
|
|
- Only alternate strings of the same length are supported by this code block. A related
|
1698
|
|
- but different issue to resolve is mixing strings with individual characters
|
1699
|
|
- (ie, AC_SPECIAL_ALT_CHAR vs. AC_SPECIAL_ALT_STR). */
|
1700
|
1696
|
newspecial->num = 1;
|
1701
|
1697
|
for(i = 0; i < strlen(pt); i++)
|
1702
|
1698
|
if(pt[i] == '|')
|
...
|
...
|
@@ -1711,7 +1695,7 @@ int cli_ac_addsig(struct cli_matcher *root, const char *virname, const char *hex
|
1711
|
1711
|
break;
|
1712
|
1712
|
}
|
1713
|
1713
|
} else {
|
1714
|
|
- newspecial->type = AC_SPECIAL_ALT_STR;
|
|
1714
|
+ newspecial->type = AC_SPECIAL_ALT_STR;
|
1715
|
1715
|
}
|
1716
|
1716
|
|
1717
|
1717
|
for(i = 0; i < newspecial->num; i++) {
|
...
|
...
|
@@ -1752,16 +1736,9 @@ int cli_ac_addsig(struct cli_matcher *root, const char *virname, const char *hex
|
1752
|
1752
|
}
|
1753
|
1753
|
specialpt->next->str = (unsigned char *) c;
|
1754
|
1754
|
specialpt->next->len = clen;
|
1755
|
|
- specialpt->next->negative = specialpt->negative;
|
1756
|
|
- specialpt->next->type = specialpt->type;
|
1757
|
|
- /* following two lines are temporary to revert to previous behavior for
|
1758
|
|
- alternate string with varying lengths, which is not supported currently. */
|
1759
|
|
- if (clen-1 != new->special_len)
|
1760
|
|
- new->special_len = 0;
|
1761
|
1755
|
} else {
|
1762
|
1756
|
newspecial->str = (unsigned char *) c;
|
1763
|
1757
|
newspecial->len = clen;
|
1764
|
|
- new->special_len = clen-1;
|
1765
|
1758
|
}
|
1766
|
1759
|
}
|
1767
|
1760
|
}
|
...
|
...
|
@@ -1868,8 +1845,8 @@ int cli_ac_addsig(struct cli_matcher *root, const char *virname, const char *hex
|
1868
|
1868
|
new->special_pattern++;
|
1869
|
1869
|
}
|
1870
|
1870
|
|
1871
|
|
- if(new->length + new->prefix_length + new->special_len > root->maxpatlen)
|
1872
|
|
- root->maxpatlen = new->length + new->prefix_length + new->special_len;
|
|
1871
|
+ if(new->length + new->prefix_length > root->maxpatlen)
|
|
1872
|
+ root->maxpatlen = new->length + new->prefix_length;
|
1873
|
1873
|
|
1874
|
1874
|
new->virname = cli_mpool_virname(root->mempool, virname, options & CL_DB_OFFICIAL);
|
1875
|
1875
|
if(!new->virname) {
|