OISF · victorjulien · Dec 11, 2023 · Dec 7, 2023 · Dec 7, 2023 · Dec 7, 2023
@@ -32,10 +32,10 @@ Example:
 
 This rule will alert when a system in $HOME_NET acts as a client while communicating with any IP in the CnC category that has a reputation score set to greater than 30.
 
-IP-only
-~~~~~~~
+Compatibility with IP-only
+~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-The "iprep" keyword is compatible to "IP-only" rules. This means that a rule like:
+The "iprep" keyword is compatible with "IP-only" rules. This means that a rule like:
 
 ::
 

@@ -811,7 +811,7 @@ static bool TestLastContent(const Signature *s, uint16_t o, uint16_t d)
         snprintf(rule, sizeof(rule), "alert tcp any any -> any any (%s sid:1; rev:1;)", (sig));    \
         Signature *s = DetectEngineAppendSig(de_ctx, rule);                                        \
         FAIL_IF_NULL(s);                                                                           \
-        SigAddressPrepareStage1(de_ctx);                                                           \
+        SigPrepareStage1(de_ctx);                                                                  \
         bool res = TestLastContent(s, (o), (d));                                                   \
         FAIL_IF(res == false);                                                                     \
         DetectEngineCtxFree(de_ctx);                                                               \

@@ -598,11 +598,11 @@ static void SigInitStandardMpmFactoryContexts(DetectEngineCtx *de_ctx)
 }
 
 /** \brief Pure-PCRE or bytetest rule */
-static int RuleInspectsPayloadHasNoMpm(const Signature *s)
+static bool RuleInspectsPayloadHasNoMpm(const Signature *s)
 {
     if (s->init_data->mpm_sm == NULL && s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL)
-        return 1;
-    return 0;
+        return true;
+    return false;
 }
 
 static int RuleGetMpmPatternSize(const Signature *s)
@@ -618,17 +618,19 @@ static int RuleGetMpmPatternSize(const Signature *s)
     return (int)cd->content_len;
 }
 
-static int RuleMpmIsNegated(const Signature *s)
+static bool RuleMpmIsNegated(const Signature *s)
 {
+    if (s->flags & SIG_FLAG_MPM_NEG)
+        return true;
     if (s->init_data->mpm_sm == NULL)
-        return 0;
+        return false;
     int mpm_list = s->init_data->mpm_sm_list;
     if (mpm_list < 0)
-        return 0;
+        return false;
     const DetectContentData *cd = (const DetectContentData *)s->init_data->mpm_sm->ctx;
     if (cd == NULL)
-        return 0;
-    return (cd->flags & DETECT_CONTENT_NEGATED);
+        return false;
+    return (cd->flags & DETECT_CONTENT_NEGATED) ? true : false;
 }
 
 static json_t *RulesGroupPrintSghStats(const DetectEngineCtx *de_ctx, const SigGroupHead *sgh,
@@ -1377,7 +1379,7 @@ void SignatureSetType(DetectEngineCtx *de_ctx, Signature *s)
  * \retval  0 on success
  * \retval -1 on failure
  */
-int SigAddressPrepareStage1(DetectEngineCtx *de_ctx)
+int SigPrepareStage1(DetectEngineCtx *de_ctx)
 {
     uint32_t cnt_iponly = 0;
     uint32_t cnt_payload = 0;
@@ -1720,7 +1722,7 @@ static void DetectEngineAddDecoderEventSig(DetectEngineCtx *de_ctx, Signature *s
  * \retval  0 On success
  * \retval -1 On failure
  */
-int SigAddressPrepareStage2(DetectEngineCtx *de_ctx)
+int SigPrepareStage2(DetectEngineCtx *de_ctx)
 {
     SCLogDebug("building signature grouping structure, stage 2: "
             "building source address lists...");
@@ -1760,7 +1762,7 @@ static void DetectEngineBuildDecoderEventSgh(DetectEngineCtx *de_ctx)
     SigGroupHeadBuildMatchArray(de_ctx, de_ctx->decoder_event_sgh, max_idx);
 }
 
-int SigAddressPrepareStage3(DetectEngineCtx *de_ctx)
+int SigPrepareStage3(DetectEngineCtx *de_ctx)
 {
     /* prepare the decoder event sgh */
     DetectEngineBuildDecoderEventSgh(de_ctx);
@@ -1841,7 +1843,7 @@ static void DbgPrintSigs2(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 #endif
 
 /** \brief finalize preparing sgh's */
-int SigAddressPrepareStage4(DetectEngineCtx *de_ctx)
+int SigPrepareStage4(DetectEngineCtx *de_ctx)
 {
     SCEnter();
 
@@ -2002,18 +2004,18 @@ int SigGroupBuild(DetectEngineCtx *de_ctx)
 
     SigInitStandardMpmFactoryContexts(de_ctx);
 
-    if (SigAddressPrepareStage1(de_ctx) != 0) {
+    if (SigPrepareStage1(de_ctx) != 0) {
         FatalError("initializing the detection engine failed");
     }
 
-    if (SigAddressPrepareStage2(de_ctx) != 0) {
+    if (SigPrepareStage2(de_ctx) != 0) {
         FatalError("initializing the detection engine failed");
     }
 
-    if (SigAddressPrepareStage3(de_ctx) != 0) {
+    if (SigPrepareStage3(de_ctx) != 0) {
         FatalError("initializing the detection engine failed");
     }
-    if (SigAddressPrepareStage4(de_ctx) != 0) {
+    if (SigPrepareStage4(de_ctx) != 0) {
         FatalError("initializing the detection engine failed");
     }
 

@@ -29,10 +29,10 @@ int SignatureIsFileSha256Inspecting(const Signature *s);
 int SignatureIsFilesizeInspecting(const Signature *);
 void SignatureSetType(DetectEngineCtx *de_ctx, Signature *s);
 
-int SigAddressPrepareStage1(DetectEngineCtx *de_ctx);
-int SigAddressPrepareStage2(DetectEngineCtx *de_ctx);
-int SigAddressPrepareStage3(DetectEngineCtx *de_ctx);
-int SigAddressPrepareStage4(DetectEngineCtx *de_ctx);
+int SigPrepareStage1(DetectEngineCtx *de_ctx);
+int SigPrepareStage2(DetectEngineCtx *de_ctx);
+int SigPrepareStage3(DetectEngineCtx *de_ctx);
+int SigPrepareStage4(DetectEngineCtx *de_ctx);
 int SigAddressCleanupStage1(DetectEngineCtx *de_ctx);
 
 void SigCleanSignatures(DetectEngineCtx *);

@@ -766,7 +766,7 @@ int SigGroupHeadContainsSigId(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
 
 #ifdef UNITTESTS
 
-int SigAddressPrepareStage1(DetectEngineCtx *);
+int SigPrepareStage1(DetectEngineCtx *);
 
 /**
  * \test Check if a SigGroupHead hash table is properly allocated and
@@ -823,7 +823,7 @@ static int SigGroupHeadTest02(void)
                                       "content:\"test2\"; content:\"test3\"; sid:5;)");
     FAIL_IF_NULL(s);
 
-    SigAddressPrepareStage1(de_ctx);
+    SigPrepareStage1(de_ctx);
 
     SigGroupHeadAppendSig(de_ctx, &sh, de_ctx->sig_list);
     SigGroupHeadAppendSig(de_ctx, &sh, de_ctx->sig_list->next->next);
@@ -883,7 +883,7 @@ static int SigGroupHeadTest03(void)
                                       "content:\"test2\"; content:\"test3\"; sid:5;)");
     FAIL_IF_NULL(s);
 
-    SigAddressPrepareStage1(de_ctx);
+    SigPrepareStage1(de_ctx);
 
     SigGroupHeadAppendSig(de_ctx, &sh, de_ctx->sig_list);
     SigGroupHeadAppendSig(de_ctx, &sh, de_ctx->sig_list->next->next);
@@ -951,7 +951,7 @@ static int SigGroupHeadTest04(void)
                                       "content:\"test2\"; content:\"test3\"; sid:5;)");
     FAIL_IF_NULL(s);
 
-    SigAddressPrepareStage1(de_ctx);
+    SigPrepareStage1(de_ctx);
 
     SigGroupHeadAppendSig(de_ctx, &src_sh, de_ctx->sig_list);
     SigGroupHeadAppendSig(de_ctx, &src_sh, de_ctx->sig_list->next->next);
@@ -1021,7 +1021,7 @@ static int SigGroupHeadTest05(void)
                                       "content:\"test2\"; content:\"test3\"; sid:5;)");
     FAIL_IF_NULL(s);
 
-    SigAddressPrepareStage1(de_ctx);
+    SigPrepareStage1(de_ctx);
 
     SigGroupHeadAppendSig(de_ctx, &sh, de_ctx->sig_list);
     SigGroupHeadAppendSig(de_ctx, &sh, de_ctx->sig_list->next->next);

@@ -285,7 +285,10 @@ int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawst
     }
 
     if (strcmp(fb_cmd_str,"noalert") == 0) {
-        fb_cmd = DETECT_FLOWBITS_CMD_NOALERT;
+        if (strlen(fb_name) != 0)
+            goto error;
+        s->flags |= SIG_FLAG_NOALERT;
+        return 0;
     } else if (strcmp(fb_cmd_str,"isset") == 0) {
         fb_cmd = DETECT_FLOWBITS_CMD_ISSET;
     } else if (strcmp(fb_cmd_str,"isnotset") == 0) {
@@ -302,11 +305,6 @@ int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawst
     }
 
     switch (fb_cmd) {
-        case DETECT_FLOWBITS_CMD_NOALERT:
-            if (strlen(fb_name) != 0)
-                goto error;
-            s->flags |= SIG_FLAG_NOALERT;
-            return 0;
         case DETECT_FLOWBITS_CMD_ISNOTSET:
         case DETECT_FLOWBITS_CMD_ISSET:
         case DETECT_FLOWBITS_CMD_SET:
@@ -340,8 +338,7 @@ int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawst
      * and put it in the Signature. */
 
     switch (fb_cmd) {
-        /* case DETECT_FLOWBITS_CMD_NOALERT can't happen here */
-
+        /* noalert can't happen here */
         case DETECT_FLOWBITS_CMD_ISNOTSET:
         case DETECT_FLOWBITS_CMD_ISSET:
             /* checks, so packet list */

@@ -30,8 +30,7 @@
 #define DETECT_FLOWBITS_CMD_UNSET    2
 #define DETECT_FLOWBITS_CMD_ISNOTSET 3
 #define DETECT_FLOWBITS_CMD_ISSET    4
-#define DETECT_FLOWBITS_CMD_NOALERT  5
-#define DETECT_FLOWBITS_CMD_MAX      6
+#define DETECT_FLOWBITS_CMD_MAX      5
 
 typedef struct DetectFlowbitsData_ {
     uint32_t idx;