diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc
index ca08388b10..7b86ecbe45 100644
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@@ -1113,12 +1113,7 @@ void RuleMatcher::ClearEndpointState(RuleEndpointState* state)
 if ( rule_bench == 3 )
 return;
- ExecPureRules(state, 1);
 state->payload_size = -1;
- state->matched_by_patterns.clear();
- loop_over_list(state->matched_text, i)
- delete state->matched_text[i];
- state->matched_text.clear();
 loop_over_list(state->matchers, j)
 state->matchers[j]->state->Clear();
@@ -1496,8 +1491,11 @@ void RuleMatcherState::ClearMatchState(bool orig)
 if ( ! rule_matcher )
 return;
- if ( orig_match_state )
- rule_matcher->ClearEndpointState(orig_match_state);
- if ( resp_match_state )
+ if ( orig )
+ {
+ if ( orig_match_state )
+ rule_matcher->ClearEndpointState(orig_match_state);
+ }
+ else if ( resp_match_state )
 rule_matcher->ClearEndpointState(resp_match_state);
 }
diff --git a/src/analyzer/protocol/pia/PIA.cc b/src/analyzer/protocol/pia/PIA.cc
index 69a0c5d312..1adeb54a2d 100644
--- a/src/analyzer/protocol/pia/PIA.cc
+++ b/src/analyzer/protocol/pia/PIA.cc
@@ -81,7 +81,7 @@ void PIA::PIA_Done()
 }
 void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq,
- const IP_Hdr* ip, int caplen)
+ const IP_Hdr* ip, int caplen, bool clear_state)
 {
 if ( pkt_buffer.state == SKIPPING )
 return;
@@ -108,6 +108,9 @@ void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, uint64 se
 // FIXME: I'm not sure why it does not work with eol=true...
 DoMatch(data, len, is_orig, true, false, false, ip);
+ if ( clear_state )
+ RuleMatcherState::ClearMatchState(is_orig);
+
 pkt_buffer.state = new_state;
 current_packet.data = 0;
diff --git a/src/analyzer/protocol/pia/PIA.h b/src/analyzer/protocol/pia/PIA.h
index d6e07f68c3..85683289a9 100644
--- a/src/analyzer/protocol/pia/PIA.h
+++ b/src/analyzer/protocol/pia/PIA.h
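Review bot: In `RuleMatcher::ClearEndpointState` (src/RuleMatcher.cc, hunk at line 1113) nothing left in the function frees the `matched_text` strings or empties `matched_by_patterns`, and the diff does not show where that happens now. PIA.cc in this same commit starts calling this path after every packet when `clear_state` is set, so if matching still appends to those lists they would stay on the endpoint state for the life of the flow; on a sensor that is memory held by remote traffic, and possibly a match remembered from an earlier packet. Worth confirming that both lists are bounded and released when the endpoint state is destroyed, and, once confirmed, recording the intent above the reset with something like `// Per-packet reset only; matched_text and matched_by_patterns are kept and freed with the endpoint state.` The function's opening and closing braces lie outside the hunk.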
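Review bot: In `RuleMatcherState::ClearMatchState` (src/RuleMatcher.cc, hunk at line 1496) the `orig` argument used to be ignored and both endpoints were cleared; with the new branch only the named direction is, so any existing caller that relied on one call resetting both sides now leaves the opposite endpoint's match state in place. Only the new caller in PIA.cc is visible in this diff, so the other callers are worth checking, and the changed contract deserves a comment on the function such as `// Clears match state for one direction only: originator if orig is true, responder otherwise.` The nested braces could also be flattened to `RuleEndpointState* s = orig ? orig_match_state : resp_match_state;` followed by `if ( s ) rule_matcher->ClearEndpointState(s);`.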
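Review bot: The added `if ( clear_state )` block in `PIA::PIA_DeliverPacket` (src/analyzer/protocol/pia/PIA.cc, hunk at line 108) has no comment saying why match state is dropped right after `DoMatch`, and it sits next to a FIXME that already admits the matching flags are not fully understood. A line such as `// Packet-wise matching: forget this direction's match state so the next packet starts from scratch.` would record the intent for whoever next touches the signature engine. The function body starts and ends outside the hunk.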
@@ -42,7 +42,7 @@ public:
 protected:
 void PIA_Done();
 void PIA_DeliverPacket(int len, const u_char* data, bool is_orig,
- uint64 seq, const IP_Hdr* ip, int caplen);
+ uint64 seq, const IP_Hdr* ip, int caplen, bool clear_state);
 enum State { INIT, BUFFERING, MATCHING_ONLY, SKIPPING } state;
@@ -109,7 +109,7 @@ protected:
 uint64 seq, const IP_Hdr* ip, int caplen)
 {
 Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
- PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen);
+ PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, true);
 }
 virtual void ActivateAnalyzer(analyzer::Tag tag, const Rule* rule);
@@ -154,7 +154,7 @@ protected:
 uint64 seq, const IP_Hdr* ip, int caplen)
 {
 Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
- PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen);
+ PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, false);
 }
 virtual void DeliverStream(int len, const u_char* data, bool is_orig);
diff --git a/testing/btest/Baseline/signatures.udp-packetwise-match/out b/testing/btest/Baseline/signatures.udp-packetwise-match/out
new file mode 100644
index 0000000000..f0ea6c449e
--- /dev/null
+++ b/testing/btest/Baseline/signatures.udp-packetwise-match/out
@@ -0,0 +1,6 @@
+signature match, Found XXXX, XXXX
+signature match, Found ^XXXX, XXXX
+signature match, Found .*XXXX, XXXX
+signature match, Found YYYY, YYYY
+signature match, Found ^YYYY, YYYY
+signature match, Found .*YYYY, YYYY
diff --git a/testing/btest/Traces/udp-signature-test.pcap b/testing/btest/Traces/udp-signature-test.pcap
new file mode 100644
index 0000000000..01a880fae1
Binary files /dev/null and b/testing/btest/Traces/udp-signature-test.pcap differ
diff --git a/testing/btest/signatures/udp-packetwise-match.bro b/testing/btest/signatures/udp-packetwise-match.bro
new file mode 100644
index 0000000000..66551afee3
--- /dev/null
+++ b/testing/btest/signatures/udp-packetwise-match.bro
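Review bot: In src/analyzer/protocol/pia/PIA.h the two `DeliverPacket` overrides (hunks at lines 109 and 154) pass a bare `true` and `false` as the new last argument, which tells a reader nothing about why one PIA clears matcher state per packet and the other does not. Naming the argument at the call, `PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, /* clear_state */ true);`, and adding a one-line comment on the declaration at line 42 saying what `clear_state` resets would make that difference reviewable. The enclosing class declarations start outside the hunks, so which override belongs to which PIA cannot be read from the diff itself.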
@@ -0,0 +1,53 @@
+# @TEST-EXEC: bro -r $TRACES/udp-signature-test.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+@load-sigs test.sig
+
+@TEST-START-FILE test.sig
+signature xxxx {
+ ip-proto = udp
+ payload /XXXX/
+ event "Found XXXX"
+}
+
+signature axxxx {
+ ip-proto = udp
+ payload /^XXXX/
+ event "Found ^XXXX"
+}
+
+signature sxxxx {
+ ip-proto = udp
+ payload /.*XXXX/
+ event "Found .*XXXX"
+}
+
+signature yyyy {
+ ip-proto = udp
+ payload /YYYY/
+ event "Found YYYY"
+}
+
+signature ayyyy {
+ ip-proto = udp
+ payload /^YYYY/
+ event "Found ^YYYY"
+}
+
+signature syyyy {
+ ip-proto = udp
+ payload /.*YYYY/
+ event "Found .*YYYY"
+}
+
+signature nope {
+ ip-proto = udp
+ payload /.*nope/
+ event "Found .*nope"
+}
+@TEST-END-FILE
+
+event signature_match(state: signature_state, msg: string, data: string)
+ {
+ print "signature match", msg, data;
+ }
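Review bot: The signatures in testing/btest/signatures/udp-packetwise-match.bro check that each pattern fires and that `nope` stays silent, but none of them pins the boundary the change is about, namely that bytes from one datagram are not matched together with bytes from the next. The trace is binary in this diff, so its layout is unknown; if it carries the two payloads as consecutive packets in one direction, a constructed negative case such as a signature with `payload /XXXXYYYY/` that must not appear in the baseline would catch match state leaking across packets again. A header comment like `# Checks that UDP signatures are matched per packet rather than across the flow.` would also tell the next reader what the baseline is meant to prove.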