From e10f9e40475bf23e96790ad06a168052e08a5592 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Wed, 22 May 2019 14:04:59 -0700
Subject: [PATCH] GH-173: Support ranges of values for value_list elements in the signature parser

This adds support for ranged values everywhere a value_list is used, not just for source port fields.
---
 src/rule-parse.y                              | 29 ++++++++++++++++++
 .../src-port-range.out                        |  3 ++
 .../Traces/udp-multiple-source-ports.pcap     | Bin 0 -> 183 bytes
 .../signatures/src-port-header-condition.zeek | 11 +++++++
 4 files changed, 43 insertions(+)
 create mode 100644 testing/btest/Baseline/signatures.src-port-header-condition/src-port-range.out
 create mode 100644 testing/btest/Traces/udp-multiple-source-ports.pcap

diff --git a/src/rule-parse.y b/src/rule-parse.y
index 769fb503e6..8a1e7bb5ed 100644
--- a/src/rule-parse.y
+++ b/src/rule-parse.y
@@ -70,6 +70,7 @@ static uint8_t ip4_mask_to_len(uint32_t mask)
 %type value_list
 %type prefix_value_list
 %type TOK_IP value
+%type ranged_value
 %type TOK_IP6 prefix_value
 %type TOK_PROT
 %type TOK_PATTERN_TYPE
@@ -274,6 +275,16 @@ hdr_expr:
 value_list:
 	value_list ',' value
 		{ $1->append(new MaskedValue($3)); $$ = $1; }
+	| value_list ',' ranged_value
+		{
+		int numVals = $3->length();
+		for (int idx = 0; idx < numVals; idx++)
+			{
+			MaskedValue* val = $3->remove_nth(0);
+			$1->append(val);
+			}
+		$$ = $1;
+		}
 	| value_list ',' TOK_IDENT
 		{ id_to_maskedvallist($3, $1); $$ = $1; }
 	| value
@@ -281,6 +292,10 @@ value_list:
 		$$ = new maskedvalue_list();
 		$$->append(new MaskedValue($1));
 		}
+	| ranged_value
+		{
+		$$ = $1;
+		}
 	| TOK_IDENT
 		{
 		$$ = new maskedvalue_list();
@@ -320,6 +335,20 @@ prefix_value:
 	| TOK_IP6
 	;
 
+ranged_value:
+	TOK_INT '-' TOK_INT
+		{
+		$$ = new maskedvalue_list();
+		for (int val = $1; val <= $3; val++)
+			{
+			MaskedValue* masked = new MaskedValue();
+			masked->val = val;
+			masked->mask = 0xffffffff;
+			$$->append(masked);
+			}
+		}
+	;
+
 value:
 	TOK_INT
 		{ $$.val = $1; $$.mask = 0xffffffff; }
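Review bot: The list produced by `ranged_value` is leaked in the new `value_list ',' ranged_value` action: the loop moves every entry out of `$3` with `remove_nth(0)`, but the `maskedvalue_list` object itself is never freed, so each ranged element in a signature file leaks one list (unless a `%destructor` elsewhere in the grammar covers this symbol, which is not visible in the hunk). Add `delete $3;` after the loop, since all entries have already been transferred to `$1`. Popping from the front inside a counted loop is also quadratic in the number of expanded values; iterating the list once and then clearing it would keep wide ranges cheap.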
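Review bot: The new `ranged_value` rule expands `TOK_INT '-' TOK_INT` eagerly without validating the endpoints: a lower bound above the upper bound yields an empty list, so the element silently never matches instead of being reported as a signature parse error, and a very wide range allocates one `MaskedValue` per value, which for a 32-bit span exhausts memory while loading the signature file. Because this rule now feeds every `value_list`, not just `src-port`, the reachable span is no longer bounded by the port space. Consider rejecting `$1 > $3` through the grammar's existing error reporting, e.g. `if ( $1 > $3 ) { /* report "invalid range" */ YYERROR; }`, and either bounding the expansion or representing the range natively. The type of TOK_INT is not visible in this hunk; if it is an unsigned 32-bit value, `val <= $3` with `$3 == 0xffffffff` never terminates because `val++` wraps — worth confirming.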
diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-range.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-range.out
new file mode 100644
index 0000000000..e3df5bf1e7
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-range.out
@@ -0,0 +1,3 @@
+signature_match [orig_h=127.0.0.1, orig_p=29998/udp, resp_h=127.0.0.1, resp_p=13000/udp] - src-port-range
+signature_match [orig_h=127.0.0.1, orig_p=30001/udp, resp_h=127.0.0.1, resp_p=13000/udp] - src-port-range
+signature_match [orig_h=127.0.0.1, orig_p=30003/udp, resp_h=127.0.0.1, resp_p=13000/udp] - src-port-range
diff --git a/testing/btest/Traces/udp-multiple-source-ports.pcap b/testing/btest/Traces/udp-multiple-source-ports.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..340fa19ce8a6250e0bfcc4ba68743626ca4ee66e
GIT binary patch
literal 183
zcmca|c+)~A1{MYcfUvh5d>WI$&CQ?+lmKBSAa-S7P@MLbfx$uW>79B821XDr)iXN5 z!27zy(8$src-port-gte2.out
 # @TEST-EXEC: zeek -b -s src-port-gte-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-gte-nomatch.out
+# @TEST-EXEC: zeek -b -s src-port-range -r $TRACES/udp-multiple-source-ports.pcap %INPUT >src-port-range.out
+
 
 # @TEST-EXEC: btest-diff src-port-eq.out
 # @TEST-EXEC: btest-diff src-port-eq-nomatch.out
 # @TEST-EXEC: btest-diff src-port-eq-list.out
@@ -39,6 +41,8 @@
 # @TEST-EXEC: btest-diff src-port-gte2.out
 # @TEST-EXEC: btest-diff src-port-gte-nomatch.out
+# @TEST-EXEC: btest-diff src-port-range.out
+
 
 @TEST-START-FILE src-port-eq.sig
 signature id {
 	src-port == 30000
@@ -158,6 +162,13 @@ signature id {
 }
 @TEST-END-FILE
 
+@TEST-START-FILE src-port-range.sig
+signature id {
+	src-port == 29997-29999,30001-30002,30003
+	event "src-port-range"
+}
+@TEST-END-FILE
+
 event signature_match(state: signature_state, msg: string, data: string)
 	{
 	print fmt("signature_match %s - %s", state$conn$id, msg);
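Review bot: The new `src-port-range.sig` only exercises ranges through `src-port`, while the commit message states that ranges now apply everywhere a `value_list` is used; a second signature using the range syntax on a different header field would pin that claim. The baseline lists matches for 29998, 30001 and 30003 only, so whether the trace also carries ports just outside the bounds (such as 29996 or 30000) that would expose an off-by-one at a range edge cannot be told from the binary hunk — if it does not, adding such a packet would make the test meaningful for the bounds, not just the membership. A reversed range such as `30002-30001` is also untested, so whatever the parser is meant to do with it (reject it or match nothing) is currently unspecified by the suite.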