diff --git a/src/rule-parse.y b/src/rule-parse.y index 769fb503e6..8a1e7bb5ed 100644 --- a/src/rule-parse.y +++ b/src/rule-parse.y @@ -70,6 +70,7 @@ static uint8_t ip4_mask_to_len(uint32_t mask) %type value_list %type prefix_value_list %type TOK_IP value +%type ranged_value %type TOK_IP6 prefix_value %type TOK_PROT %type TOK_PATTERN_TYPE @@ -274,6 +275,16 @@ hdr_expr: value_list: value_list ',' value { $1->append(new MaskedValue($3)); $$ = $1; } + | value_list ',' ranged_value + { + int numVals = $3->length(); + for (int idx = 0; idx < numVals; idx++) + { + MaskedValue* val = $3->remove_nth(0); + $1->append(val); + } + $$ = $1; + } | value_list ',' TOK_IDENT { id_to_maskedvallist($3, $1); $$ = $1; } | value @@ -281,6 +292,10 @@ value_list: $$ = new maskedvalue_list(); $$->append(new MaskedValue($1)); } + | ranged_value + { + $$ = $1; + } | TOK_IDENT { $$ = new maskedvalue_list(); @@ -320,6 +335,20 @@ prefix_value: | TOK_IP6 ; +ranged_value: + TOK_INT '-' TOK_INT + { + $$ = new maskedvalue_list(); + for (int val = $1; val <= $3; val++) + { + MaskedValue* masked = new MaskedValue(); + masked->val = val; + masked->mask = 0xffffffff; + $$->append(masked); + } + } + ; + value: TOK_INT { $$.val = $1; $$.mask = 0xffffffff; } diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-range.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-range.out new file mode 100644 index 0000000000..e3df5bf1e7 --- /dev/null +++ b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-range.out @@ -0,0 +1,3 @@ +signature_match [orig_h=127.0.0.1, orig_p=29998/udp, resp_h=127.0.0.1, resp_p=13000/udp] - src-port-range +signature_match [orig_h=127.0.0.1, orig_p=30001/udp, resp_h=127.0.0.1, resp_p=13000/udp] - src-port-range +signature_match [orig_h=127.0.0.1, orig_p=30003/udp, resp_h=127.0.0.1, resp_p=13000/udp] - src-port-range 
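Review bot: In the new `value_list ',' ranged_value` action (hunk `@@ -274,6 +275,16 @@`), the temporary list in `$3` is drained with `remove_nth(0)` but the list object itself is never freed. `ranged_value` creates that list with `new maskedvalue_list()`, so every range that follows the first entry of a list appears to leak one container. Adding `delete $3;` after the loop and before `$$ = $1;` would release it. Removing index 0 on every pass may also shift the remaining elements each time if the list is array-backed (not visible here), which is worth checking for wide ranges. The `value_list` rule starts before this hunk and continues past its end.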
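Review bot: The new `ranged_value` rule (hunk `@@ -320,6 +335,20 @@`) does not validate its bounds: when `$1 > $3` the loop body never runs and the rule yields an empty list, so a mistyped range such as `30002-30001` would load without any diagnostic and the condition would cover no values, which is a silent detection gap. A guard on `if ( $1 > $3 )` that reports a parse error through the grammar's existing error path would surface this at signature load time. The expansion also allocates one `MaskedValue` per integer with no upper limit, so a very wide range costs memory proportional to its width. If `$3` can equal the maximum of `int` (the token's type is not visible in this hunk), `val <= $3` never becomes false. A one-line comment above the rule stating that both bounds are inclusive would help signature authors.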
diff --git a/testing/btest/Traces/udp-multiple-source-ports.pcap b/testing/btest/Traces/udp-multiple-source-ports.pcap new file mode 100644 index 0000000000..340fa19ce8 Binary files /dev/null and b/testing/btest/Traces/udp-multiple-source-ports.pcap differ diff --git a/testing/btest/signatures/src-port-header-condition.zeek b/testing/btest/signatures/src-port-header-condition.zeek index 3fcd71308c..841817e79c 100644 --- a/testing/btest/signatures/src-port-header-condition.zeek +++ b/testing/btest/signatures/src-port-header-condition.zeek @@ -20,6 +20,8 @@ # @TEST-EXEC: zeek -b -s src-port-gte2 -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-gte2.out # @TEST-EXEC: zeek -b -s src-port-gte-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-gte-nomatch.out +# @TEST-EXEC: zeek -b -s src-port-range -r $TRACES/udp-multiple-source-ports.pcap %INPUT >src-port-range.out + # @TEST-EXEC: btest-diff src-port-eq.out # @TEST-EXEC: btest-diff src-port-eq-nomatch.out # @TEST-EXEC: btest-diff src-port-eq-list.out @@ -39,6 +41,8 @@ # @TEST-EXEC: btest-diff src-port-gte2.out # @TEST-EXEC: btest-diff src-port-gte-nomatch.out +# @TEST-EXEC: btest-diff src-port-range.out + @TEST-START-FILE src-port-eq.sig signature id { src-port == 30000 @@ -158,6 +162,13 @@ signature id { } @TEST-END-FILE +@TEST-START-FILE src-port-range.sig +signature id { + src-port == 29997-29999,30001-30002,30003 + event "src-port-range" +} +@TEST-END-FILE + event signature_match(state: signature_state, msg: string, data: string) { print fmt("signature_match %s - %s", state$conn$id, msg);
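Review bot: The added `src-port-range.sig` (hunk `@@ -158,6 +162,13 @@`) only exercises well-formed ascending ranges, so the edge cases of the new grammar rule are untested, notably a single-element range (`30003-30003`) and a reversed range (`30002-30001`). The baseline lists matches for source ports 29998, 30001 and 30003 only; whether the trace also carries a port just outside the ranges (30000, for example) cannot be told from the binary pcap. A comment in the test naming the source ports present in `udp-multiple-source-ports.pcap` would make that negative case explicit. The range syntax is parsed in the shared `value_list` rule, so it presumably applies to other header conditions as well (`dst-port`, for instance), and one test for a second condition would confirm that.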