GH-779: Add "udp-state" signature condition

It accepts "originator" or "responder" states as a way to enforce that
the signature only matches packets in the associated direction.
The "established" state is rejected as an error since it doesn't
have a useful meaning like it does for the "tcp-state" condition.
Jon Siwek 2020-10-09 13:43:17 -07:00
parent 7556beac20
commit 5904d0708f
7 changed files with 97 additions and 0 deletions


@ -54,6 +54,31 @@ void RuleConditionTCPState::PrintDebug()
fprintf(stderr, " RuleConditionTCPState: 0x%x\n", tcpstates);
}
bool RuleConditionUDPState::DoMatch(Rule* rule, RuleEndpointState* state,
const u_char* data, int len)
{
analyzer::Analyzer* root = state->GetAnalyzer()->Conn()->GetRootAnalyzer();
if ( ! root || ! root->IsAnalyzer("UDP") )
return false;
if ( states & RULE_STATE_STATELESS )
return true;
if ( (states & RULE_STATE_ORIG) && ! state->IsOrig() )
return false;
if ( (states & RULE_STATE_RESP) && state->IsOrig() )
return false;
return true;
}
void RuleConditionUDPState::PrintDebug()
{
fprintf(stderr, " RuleConditionUDPState: 0x%x\n", states);
}
void RuleConditionIPOptions::PrintDebug()
{
fprintf(stderr, " RuleConditionIPOptions: 0x%x\n", options);
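Review bot: In RuleConditionUDPState::DoMatch, a condition with both RULE_STATE_ORIG and RULE_STATE_RESP set can never match, because the two direction checks reject responder and originator packets respectively, so such a signature would silently detect nothing. The visible lines do not show whether the signature parser rejects that combination the way the description says "established" is rejected; if it does not, report it as an error there, and either way record the contract above the two checks with a comment such as `// ORIG and RESP together can never match; the parser must reject that combination`. Separately, `state->GetAnalyzer()->Conn()` is dereferenced before the only null check, which covers `root` alone, so this is safe only if callers guarantee a non-null analyzer and connection, which this hunk does not show. DoMatch is complete within the hunk; the trailing RuleConditionIPOptions::PrintDebug context continues outside it.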