authorMartin Mathieson <martin.r.mathieson@googlemail.com>2017-04-14 22:37:10 +0100
committerMartin Mathieson <martin.r.mathieson@googlemail.com>2017-04-16 08:59:32 +0000
commitcb1967a98209abf2c37c6e4504c6d27e65614de0 (patch)
tree7deec43137774f2a3467764ae7e00df69eb0e433 /epan/dissectors
parent581db4c2b82601a93023fb3ce214b4171d7e14d9 (diff)
Snort: map more pcre modifiers to GRegexCompileFlags
Change-Id: I5df8cb794b7b76b708448ae4b74b7481bdd8faff Reviewed-on: https://code.wireshark.org/review/21097 Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com> Reviewed-by: Michael Mann <mmann78@netscape.net> Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
Diffstat (limited to 'epan/dissectors')
-rw-r--r--epan/dissectors/packet-snort.c24
-rw-r--r--epan/dissectors/snort-config.c24
-rw-r--r--epan/dissectors/snort-config.h3
3 files changed, 43 insertions, 8 deletions
diff --git a/epan/dissectors/packet-snort.c b/epan/dissectors/packet-snort.c
index b45d9c206d..d6c8894099 100644
--- a/epan/dissectors/packet-snort.c
+++ b/epan/dissectors/packet-snort.c
@@ -49,7 +49,6 @@
#include <epan/packet.h>
#include <epan/prefs.h>
#include <epan/expert.h>
-#include <wsutil/report_message.h>
#include <epan/wmem/wmem.h>
#include <wiretap/wtap-int.h>
@@ -296,6 +295,7 @@ static gboolean look_for_pcre(content_t *content, tvbuff_t *tvb, guint start_off
GRegex *regex;
GMatchInfo *match_info;
gboolean match_found = FALSE;
+ GRegexCompileFlags regex_compile_flags = (GRegexCompileFlags)0;
/* Make sure pcre string is ready for regex library. */
if (!content_convert_pcre_for_regex(content)) {
@@ -308,10 +308,25 @@ static gboolean look_for_pcre(content_t *content, tvbuff_t *tvb, guint start_off
tvb_memcpy(tvb, (void*)string, start_offset, length_remaining);
string[length_remaining] = '\0';
- /* Create regex */
/* For pcre, translated_str already has / /[modifiers] removed.. */
+
+ /* Apply any set modifier flags */
+ if (content->pcre_case_insensitive) {
+ regex_compile_flags = (GRegexCompileFlags)(regex_compile_flags | G_REGEX_CASELESS);
+ }
+ if (content->pcre_dot_includes_newline) {
+ regex_compile_flags = (GRegexCompileFlags)(regex_compile_flags | G_REGEX_DOTALL);
+ }
+ if (content->pcre_raw) {
+ regex_compile_flags = (GRegexCompileFlags)(regex_compile_flags | G_REGEX_RAW);
+ }
+ if (content->pcre_multiline) {
+ regex_compile_flags = (GRegexCompileFlags)(regex_compile_flags | G_REGEX_MULTILINE);
+ }
+
+ /* Create regex */
regex = g_regex_new(content->translated_str,
- content->pcre_case_insensitive ? G_REGEX_CASELESS : (GRegexCompileFlags)0,
+ regex_compile_flags,
(GRegexMatchFlags)0, NULL);
/* Lookup PCRE match */
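Review bot: G_REGEX_RAW is only OR-ed in when the rule carries the 'B' modifier, yet the subject string handed to the regex at the top of this hunk is raw packet bytes from tvb_memcpy() that need not be valid UTF-8; as far as GLib's regex documentation goes, without G_REGEX_RAW both pattern and subject are treated as UTF-8 and a subject containing invalid sequences fails to match, so binary payloads may quietly produce a "not found" verdict for every rule that lacks 'B'. Snort's 'B' means "match against the raw, undecoded packet buffer", which is a different notion from GLib's bytes-vs-UTF-8 switch, so I would set `regex_compile_flags = (GRegexCompileFlags)(regex_compile_flags | G_REGEX_RAW);` unconditionally before g_regex_new() and keep pcre_raw for its Snort meaning. The GError argument to g_regex_new() is still NULL, so a pattern that fails to compile after translation yields regex == NULL with no diagnostic; whether that NULL is checked before the match call is outside this hunk. look_for_pcre() starts before and ends after this hunk.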
@@ -982,7 +997,8 @@ static void snort_show_alert(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo
/* Useful for debugging, may also happen when Snort is reassembling.. */
proto_item_append_text(ti, " - not located");
expert_add_info_format(pinfo, ti, &ei_snort_content_not_matched,
- "Content \"%s\" not found in frame",
+ "%s \"%s\" not found in frame",
+ rule->contents[n].content_type==Pcre ? "PCRE" : "Content",
rule->contents[n].str);
}
}
diff --git a/epan/dissectors/snort-config.c b/epan/dissectors/snort-config.c
index 7e7955f3ee..ccf4126559 100644
--- a/epan/dissectors/snort-config.c
+++ b/epan/dissectors/snort-config.c
@@ -1141,12 +1141,28 @@ gboolean content_convert_pcre_for_regex(content_t *content)
break;
}
else {
- if (content->str[i] == 'i') {
- content->pcre_case_insensitive = TRUE;
+ switch (content->str[i]) {
+ case 'i':
+ content->pcre_case_insensitive = TRUE;
+ break;
+ case 's':
+ content->pcre_dot_includes_newline = TRUE;
+ break;
+ case 'B':
+ content->pcre_raw = TRUE;
+ break;
+ case 'm':
+ content->pcre_multiline = TRUE;
+ break;
+
+ default:
+ /* TODO: handle other modifiers that will get seen? */
+ /* N.B. 'U' (match in decoded URI buffers) can't be handled, so don't store in flag. */
+ /* N.B. not sure if/how to handle 'R' (effectively distance:0) */
+ snort_debug_printf("Unhandled pcre modifier '%c'\n", content->str[i]);
+ break;
}
- /* TODO: note/handle other common modifiers (s/m/?) */
}
-
}
if (end_delimiter_offset == 0) {
/* Didn't find it */
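Review bot: The default branch of the new switch only emits a debug line, so a rule whose modifier list contains something this switch does not map is still compiled and matched later with semantics that may differ from what the rule author wrote, and the dissector then reports an apparently confident match or "not found" for it. 'x' and 'G' (if I recall Snort's modifier set correctly) correspond directly to G_REGEX_EXTENDED and G_REGEX_UNGREEDY and could be added as further cases with matching content_t fields; for anything else it would be safer to record an "unsupported modifier" flag on content_t so that look_for_pcre() can mark the content as unverified instead of evaluating a pattern that differs from Snort's. I would also add a comment above the switch stating that each case must have a matching flag applied in look_for_pcre(), since the two lists live in different files. The enclosing loop and content_convert_pcre_for_regex() begin before this hunk.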
diff --git a/epan/dissectors/snort-config.h b/epan/dissectors/snort-config.h
index 42543aba72..076e645aae 100644
--- a/epan/dissectors/snort-config.h
+++ b/epan/dissectors/snort-config.h
@@ -69,6 +69,9 @@ typedef struct content_t {
guint translated_length;
gboolean pcre_case_insensitive;
+ gboolean pcre_dot_includes_newline;
+ gboolean pcre_raw;
+ gboolean pcre_multiline;
} content_t;
/* This is to keep track of a variable referenced by a rule */