Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-17 05:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

GH-779: Add "udp-state" signature condition

Browse source 
It accepts "originator" or "responder" states as a way to enforce that
the signature only matches packets in the associated direction.
The "established" state is rejected as an error since it doesn't
have a useful meaning like it does for the "tcp-state" condition.
This commit is contained in:
Jon Siwek 2020-10-09 13:43:17 -07:00
parent 7556beac20
commit 5904d0708f
7 changed files with 97 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/rule-parse.y
View file

@ -58,6 +58,7 @@ static uint8_t ip4_mask_to_len(uint32_t mask)
%token TOK_SRC_IP
%token TOK_SRC_PORT
%token TOK_TCP_STATE
%token TOK_UDP_STATE
%token TOK_STRING
%token TOK_STATE_SYM
%token TOK_ACTIVE
@ -251,6 +252,14 @@ rule_attr:
current_rule->AddCondition(new zeek::detail::RuleConditionTCPState($2));
}
| TOK_UDP_STATE state_list
{
if ( $2 & zeek::detail::RULE_STATE_ESTABLISHED )
rules_error("'established' is not a valid 'udp-state'");
current_rule->AddCondition(new zeek::detail::RuleConditionUDPState($2));
}
| TOK_ACTIVE TOK_BOOL
{ current_rule->SetActiveStatus($2); }
;