Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 02:28:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

GH-173: Support ranges of values for value_list elements in the signature parser

Browse source 
This adds support for ranged values everywhere a value_list is used, not just for source port fields.
This commit is contained in:
Tim Wojtulewicz 2019-05-22 14:04:59 -07:00
parent 42f7be0473
commit e10f9e4047
4 changed files with 43 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

29
src/rule-parse.y
View file

@ -70,6 +70,7 @@ static uint8_t ip4_mask_to_len(uint32_t mask)
%type <vallist> value_list %type <vallist> value_list
%type <prefix_val_list> prefix_value_list %type <prefix_val_list> prefix_value_list
%type <mval> TOK_IP value %type <mval> TOK_IP value
%type <vallist> ranged_value
%type <prefixval> TOK_IP6 prefix_value %type <prefixval> TOK_IP6 prefix_value
%type <prot> TOK_PROT %type <prot> TOK_PROT
%type <ptype> TOK_PATTERN_TYPE %type <ptype> TOK_PATTERN_TYPE
@ -274,6 +275,16 @@ hdr_expr:
value_list: value_list:
value_list ',' value value_list ',' value
{ $1->append(new MaskedValue($3)); $$ = $1; } { $1->append(new MaskedValue($3)); $$ = $1; }
| value_list ',' ranged_value
{
int numVals = $3->length();
for (int idx = 0; idx < numVals; idx++)
{
MaskedValue* val = $3->remove_nth(0);
$1->append(val);
}
$$ = $1;
}
| value_list ',' TOK_IDENT | value_list ',' TOK_IDENT
{ id_to_maskedvallist($3, $1); $$ = $1; } { id_to_maskedvallist($3, $1); $$ = $1; }
| value | value
@ -281,6 +292,10 @@ value_list:
$$ = new maskedvalue_list(); $$ = new maskedvalue_list();
$$->append(new MaskedValue($1)); $$->append(new MaskedValue($1));
} }
| ranged_value
{
$$ = $1;
}
| TOK_IDENT | TOK_IDENT
{ {
$$ = new maskedvalue_list(); $$ = new maskedvalue_list();
@ -320,6 +335,20 @@ prefix_value:
| TOK_IP6 | TOK_IP6
; ;
ranged_value:
TOK_INT '-' TOK_INT
{
$$ = new maskedvalue_list();
for (int val = $1; val <= $3; val++)
{
MaskedValue* masked = new MaskedValue();
masked->val = val;
masked->mask = 0xffffffff;
$$->append(masked);
}
}
;
value: value:
TOK_INT TOK_INT
{ $$.val = $1; $$.mask = 0xffffffff; } { $$.val = $1; $$.mask = 0xffffffff; }

3
testing/btest/Baseline/signatures.src-port-header-condition/src-port-range.out Normal file
View file

@ -0,0 +1,3 @@
signature_match [orig_h=127.0.0.1, orig_p=29998/udp, resp_h=127.0.0.1, resp_p=13000/udp] - src-port-range
signature_match [orig_h=127.0.0.1, orig_p=30001/udp, resp_h=127.0.0.1, resp_p=13000/udp] - src-port-range
signature_match [orig_h=127.0.0.1, orig_p=30003/udp, resp_h=127.0.0.1, resp_p=13000/udp] - src-port-range

BIN
testing/btest/Traces/udp-multiple-source-ports.pcap Normal file
View file

Binary file not shown.

11
testing/btest/signatures/src-port-header-condition.zeek
View file

@ -20,6 +20,8 @@
# @TEST-EXEC: zeek -b -s src-port-gte2 -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-gte2.out # @TEST-EXEC: zeek -b -s src-port-gte2 -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-gte2.out
# @TEST-EXEC: zeek -b -s src-port-gte-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-gte-nomatch.out # @TEST-EXEC: zeek -b -s src-port-gte-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-gte-nomatch.out
# @TEST-EXEC: zeek -b -s src-port-range -r $TRACES/udp-multiple-source-ports.pcap %INPUT >src-port-range.out
# @TEST-EXEC: btest-diff src-port-eq.out # @TEST-EXEC: btest-diff src-port-eq.out
# @TEST-EXEC: btest-diff src-port-eq-nomatch.out # @TEST-EXEC: btest-diff src-port-eq-nomatch.out
# @TEST-EXEC: btest-diff src-port-eq-list.out # @TEST-EXEC: btest-diff src-port-eq-list.out
@ -39,6 +41,8 @@
# @TEST-EXEC: btest-diff src-port-gte2.out # @TEST-EXEC: btest-diff src-port-gte2.out
# @TEST-EXEC: btest-diff src-port-gte-nomatch.out # @TEST-EXEC: btest-diff src-port-gte-nomatch.out
# @TEST-EXEC: btest-diff src-port-range.out
@TEST-START-FILE src-port-eq.sig @TEST-START-FILE src-port-eq.sig
signature id { signature id {
src-port == 30000 src-port == 30000
@ -158,6 +162,13 @@ signature id {
} }
@TEST-END-FILE @TEST-END-FILE
@TEST-START-FILE src-port-range.sig
signature id {
src-port == 29997-29999,30001-30002,30003
event "src-port-range"
}
@TEST-END-FILE
event signature_match(state: signature_state, msg: string, data: string) event signature_match(state: signature_state, msg: string, data: string)
{ {
print fmt("signature_match %s - %s", state$conn$id, msg); print fmt("signature_match %s - %s", state$conn$id, msg);