[Oisf-devel] [PATCH 1/3] Add support for 'set_mark' keyword

Victor Julien victor at inliniac.net
Mon Mar 7 20:42:43 UTC 2011


Hi Eric, the way the detection function is called in the detection
engine is not how it should be. It should be registered with the keyword
so it's only activated if the signature is inspected.

More inline...

On 03/07/2011 11:59 AM, Eric Leblond wrote:
> +/**
> + * \brief Registration function for set_mark: keyword
> + */
> +
> +void DetectMarkRegister (void) {
> +    sigmatch_table[DETECT_MARK].name = "set_mark";
> +    sigmatch_table[DETECT_MARK].Match = NULL;

The detection engine needs to be registered here ^^.

> +    sigmatch_table[DETECT_MARK].Setup = DetectMarkSetup;
> +    sigmatch_table[DETECT_MARK].Free  = NULL;
> +    sigmatch_table[DETECT_MARK].RegisterTests = MarkRegisterTests;
> +
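Review bot: `Free` is left NULL while `Setup = DetectMarkSetup` is registered, so whatever DetectMarkSetup allocates for the SigMatch is never released when the signature is freed; register a matching Free function alongside Setup. Leaving `Match = NULL` also means the keyword's own callback never runs, which is why the marking then has to be hand-wired into SigMatchSignatures in detect.c; putting the mark logic in the Match callback here removes the need for those engine changes.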

> +++ b/src/detect-mark.h
> @@ -0,0 +1,61 @@
> +/* Copyright (C) 2007-2010 Open Information Security Foundation
> + *
> + * You can copy, redistribute or modify this Program under the terms of
> + * the GNU General Public License version 2 as published by the Free
> + * Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * version 2 along with this program; if not, write to the Free Software
> + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
> + * 02110-1301, USA.
> + */
> +
> +/**
> + * \file
> + *
> + * \author Breno Silva <breno.silva at gmail.com>
> + *
> + * Implements the gid keyword
> + */
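Review bot: the `\file` block in this new header is copied from another keyword's file (author Breno Silva, "Implements the gid keyword") and should describe the set_mark keyword and its actual author; the copyright range 2007-2010 also looks stale for a file first added in 2011.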

Comment header seems wrong.

> diff --git a/src/detect.c b/src/detect.c
> index 7ec0ef2..e163168 100644
> --- a/src/detect.c
> +++ b/src/detect.c
> @@ -1423,6 +1423,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
>              SCLogDebug("signature matched without sigmatches");
>  
>              fmatch = 1;
> +	    DetectMarkPacket(p, s);

Can't call this here.

>              if (!(s->flags & SIG_FLAG_NOALERT)) {
>                  PacketAlertAppend(det_ctx, s, p, alert_flags);
>              }
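Review bot: the inserted `DetectMarkPacket(p, s);` on the "signature matched without sigmatches" path runs for every matching signature, whether or not it carries a set_mark option, and there is no SigMatch on this path to tell the function what mark to apply. The line is also indented with a tab where the surrounding code uses spaces. Move the marking into the keyword's Match callback registered in DetectMarkRegister so it only runs for signatures that actually use the option.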
> @@ -1448,6 +1449,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
>                                      }
>                                  }
>                                  rmatch = fmatch = 1;
> +                                DetectMarkPacket(p, s);

Ditto.

>                                  recursion_cnt++;
>                              }
>                          } else {
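Review bot: this call sits inside the recursion loop right after `rmatch = fmatch = 1;` and before `recursion_cnt++`, so DetectMarkPacket is invoked once per recursion pass for the same packet and signature rather than once per match. Applying the mark from the keyword's Match function, which the sigmatch walk already calls at the right point, avoids both the repetition and the need to touch this loop.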
> @@ -1476,6 +1478,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
>                          /* only if the last matched as well, we have a hit */
>                          if (sm == NULL) {
>                              fmatch = 1;
> +                            DetectMarkPacket(p, s);

Ditto.

>                              if (!(s->flags & SIG_FLAG_NOALERT)) {
>                                  PacketAlertAppend(det_ctx, s, p, alert_flags);
>                              }
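Review bot: the third copy of `DetectMarkPacket(p, s);` is placed after the `sm == NULL` check that ends the sigmatch walk, which is the point a Match callback in the sm chain already reaches without duplicating the call at three sites in SigMatchSignatures. Note as well that all three sites precede the `SIG_FLAG_NOALERT` check, so the mark is set even for signatures that suppress their alert; if that is intended it should be stated in the keyword's documentation.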

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------