Hi,
I am developing a new Matcher, I would like the matcher to take in a sticky buffer.
ex: (dns.query; mymatcher: mymatcherparam)
mymatcher simply needs to return if it has a match or not based on the buffer exposed by dns.query.
My unit test sets up a rule like this:
    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
            "(msg:\"Test dns_query option\"; "
            "dns.query; domain_detect: domain_detect_param; sid:1;)");
The domain_detect setup function gets called when I run the test.
But validation fails:
Error: detect-parse: rule 1 setup buffer dns_query but didn’t add matches to it [SigValidate:detect-parse.c:1832]
If I remove "dns.query; " from “dns.query; domain_detect: domain_detect_param; sid:1;”,
mymatcher gets triggered.
My setup function looks like this:
    static int DetectDomainDetectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *domain_detect_param)
    {
        size_t slen = strlen(domain_detect_param);
        if (slen == 0)
            return -1;

        /* local copy of the option string */
        char input[slen + 1];
        strlcpy(input, domain_detect_param, slen + 1);
        char *str = input;

        DetectDetectData *domainDetectData = NULL;
        SigMatch *sm = NULL;

        domainDetectData = SCMalloc(sizeof(DetectDetectData));
        if (unlikely(domainDetectData == NULL))
            goto error;
        domainDetectData->detectoption = SCStrdup(str);
        if (domainDetectData->detectoption == NULL)
            goto error;

        /* the option names a string dataset that must already exist */
        Dataset *dataset = DatasetFind(domainDetectData->detectoption, DATASET_TYPE_STRING);
        if (unlikely(dataset == NULL))
            goto error;

        sm = SigMatchAlloc();
        if (sm == NULL)
            goto error;
        sm->type = DETECT_DOMAIN_DETECT;
        sm->ctx = (void *)domainDetectData;
        /* the match is appended to the generic match list */
        SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
        return 0;

    error:
        if (domainDetectData != NULL)
            DetectDomainDetectFree(de_ctx, domainDetectData);
        if (sm != NULL)
            SigMatchFree(de_ctx, sm);
        return -1;
    }
Does anyone have any advice on how to address this, or documentation to help figure this out?
And don't mind the module naming and dataset reference, it is still work in progress.
Thank you!
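Added example, not part of the post above and not Suricata's own code: a small stand-alone C model of the list bookkeeping behind the "setup buffer ... but didn't add matches to it" error. A sticky buffer such as dns.query only selects the list that the keywords after it must append their SigMatch to; the validation step then rejects a rule whose selected buffer list is still empty. The model contrasts a setup that always appends to the generic match list (as in the post) with one that first asks which list is active. Everything here is constructed: the struct fields, the list ids, the match type value 42, and the function bodies. The model's DetectBufferGetActiveList() stands in for Suricata's real function of that name, which takes the detect engine context as well; check detect-engine.c in your tree for the exact signature.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-alone model of the Suricata machinery behind the error
 * above. Not Suricata's code: the types and functions only mirror the roles
 * of Signature, SigMatch, SigMatchAppendSMToList, DetectBufferGetActiveList
 * and the SigValidate check. List ids and the match type are made up. */
#define DETECT_SM_LIST_NOTSET (-1)
#define DETECT_SM_LIST_MATCH  0    /* generic match list */
#define LIST_DNS_QUERY        1    /* id of the dns.query sticky buffer list */
#define MAX_LISTS             4

typedef struct SigMatch_ {
    int type;
    const char *ctx;                /* keyword option, as parsed */
    struct SigMatch_ *next;
} SigMatch;

typedef struct Signature_ {
    int sid;
    int active_list;                /* models s->init_data->list */
    SigMatch *lists[MAX_LISTS];     /* models s->init_data->smlists[] */
} Signature;

/* "dns.query;" is a sticky buffer: it selects the list that the keywords
 * following it must append their matches to, and adds nothing itself. */
static void DetectDnsQuerySetup(Signature *s) { s->active_list = LIST_DNS_QUERY; }

/* List selected by a preceding sticky buffer, or NOTSET if there was none. */
static int DetectBufferGetActiveList(const Signature *s) { return s->active_list; }

static void SigMatchAppendSMToList(Signature *s, SigMatch *sm, int list)
{
    sm->next = s->lists[list];
    s->lists[list] = sm;
}

static SigMatch *NewMatch(const char *param)
{
    SigMatch *sm = calloc(1, sizeof(*sm));
    if (sm != NULL) {
        sm->type = 42;              /* constructed stand-in for DETECT_DOMAIN_DETECT */
        sm->ctx = param;
    }
    return sm;
}

/* Setup as in the post: the match always goes on the generic list, so the
 * dns.query list selected just before it stays empty. */
static int SetupOnGenericList(Signature *s, const char *param)
{
    SigMatch *sm = NewMatch(param);
    if (sm == NULL)
        return -1;
    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
    return 0;
}

/* Setup that honours the sticky buffer: resolve the active list first and
 * refuse to load when no buffer was selected (sticky-buffer-only keyword). */
static int SetupOnActiveList(Signature *s, const char *param)
{
    int list = DetectBufferGetActiveList(s);
    if (list == DETECT_SM_LIST_NOTSET)
        return -1;
    SigMatch *sm = NewMatch(param);
    if (sm == NULL)
        return -1;
    SigMatchAppendSMToList(s, sm, list);
    return 0;
}

/* The validation step that reports "setup buffer ... but didn't add matches
 * to it": a selected buffer whose list is still empty rejects the rule. */
static int SigValidate(const Signature *s)
{
    if (s->active_list != DETECT_SM_LIST_NOTSET && s->lists[s->active_list] == NULL) {
        fprintf(stderr, "rule %d setup buffer but didn't add matches to it\n", s->sid);
        return 0;
    }
    return 1;
}

static void SignatureCleanup(Signature *s)
{
    for (int i = 0; i < MAX_LISTS; i++)
        for (SigMatch *sm = s->lists[i], *next; sm != NULL; sm = next) {
            next = sm->next;
            free(sm);
        }
}

/* Builds "dns.query; domain_detect: domain_detect_param;" with one of the two
 * setup variants. Returns 1 if the rule passes validation, 0 otherwise. */
int BuildAndValidate(int honour_sticky_buffer)
{
    Signature s;
    memset(&s, 0, sizeof(s));
    s.sid = 1;
    s.active_list = DETECT_SM_LIST_NOTSET;

    DetectDnsQuerySetup(&s);
    int rc = honour_sticky_buffer ? SetupOnActiveList(&s, "domain_detect_param")
                                  : SetupOnGenericList(&s, "domain_detect_param");
    int ok = (rc == 0) && SigValidate(&s);
    SignatureCleanup(&s);
    return ok;
}
```

BuildAndValidate(0) reproduces the rejection from the post, BuildAndValidate(1) passes. The design point the model makes is that a keyword meant to operate on a sticky buffer has to append to whatever list the buffer selected rather than to a fixed list, and should treat "no buffer selected" as a rule error, which is also why the post's rule loads once dns.query is removed: nothing is selected, so the empty-buffer check never fires.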