aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '77b94b8713'
${ noResults }
suricata/src/detect-flowvar.c

360 lines
10 KiB
C
Raw Normal View History Unescape Escape

detect/flowvar: Fix memory leaks from pcre_get_substring This commit replaces usages of pcre_get_substring with pcre_copy_substring to avoid leaking memory on error conditions.
6 years ago
/* Copyright (C) 2007-2020 Open Information Security Foundation
Initial add of the files.
17 years ago
*
Import of GPLv2 Header 050410
16 years ago
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
*
* Simple flowvar content match part of the detection engine.
*/
Initial add of the files.
17 years ago
Rename to Suricata.
16 years ago
#include "suricata-common.h"
Initial add of the files.
17 years ago
#include "decode.h"
Convert uricontent to use new scanning methods as well. Move http_method and http_cookie keywords out of pmatch list for now.
16 years ago
Initial add of the files.
17 years ago
#include "detect.h"
Convert uricontent to use new scanning methods as well. Move http_method and http_cookie keywords out of pmatch list for now.
16 years ago
#include "detect-parse.h"
http_cookie keywork support
16 years ago
#include "detect-content.h"
Initial add of the files.
17 years ago
#include "threads.h"
#include "flow.h"
#include "flow-var.h"
pkt-var: abuse flowvar postmatch logic for pktvars Flowvars were already using a temporary store in the detect thread ctx. Use the same facility for pktvars. The reasons are: 1. packet is not always available, e.g. when running pcre on http buffers. 2. setting of vars should be done post match. Until now it was also possible that it is done on a partial match.
9 years ago
#include "pkt-var.h"
Initial add of the files.
17 years ago
#include "detect-flowvar.h"
luajit flowvar support This patch adds flowvar support to luajit. It does so by exposing two special C functions to the luajit scripts: ScFlowvarGet and ScFlowvarSet.
13 years ago
Adding single pattern matcher algorithms. If you cannot store a context for the patterns, use SpmSearch() macro. Adding unittests and stats
16 years ago
#include "util-spm.h"
Fix Flowvar idx retrieval.
17 years ago
#include "util-var-name.h"
More logging API usage. Changed logging macro's slightly so the vars inside them won't conflict with vars used by the calling function.
16 years ago
#include "util-debug.h"
luajit flowvar support This patch adds flowvar support to luajit. It does so by exposing two special C functions to the luajit scripts: ScFlowvarGet and ScFlowvarSet.
13 years ago
#include "util-print.h"
Initial add of the files.
17 years ago
#define PARSE_REGEX "(.*),(.*)"
detect: Update to take advantage of PCRE refactor This commit changes the keyword detectors to use the refactored PCRE modifications from detect-parse.[ch]
6 years ago
static DetectParseRegex parse_regex;
Initial add of the files.
17 years ago
detect: remove Threadvars argument from API calls Remove it as it's (almost) never used. If it is really needed it can be accessed through DetectEngineThreadCtx::tv as well.
6 years ago
int DetectFlowvarMatch (DetectEngineThreadCtx *, Packet *,
detect: constify Signature/SigMatch use at runtime
9 years ago
const Signature *, const SigMatchCtx *);
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
static int DetectFlowvarSetup (DetectEngineCtx *, Signature *, const char *);
detect: remove Threadvars argument from API calls Remove it as it's (almost) never used. If it is really needed it can be accessed through DetectEngineThreadCtx::tv as well.
6 years ago
static int DetectFlowvarPostMatch(DetectEngineThreadCtx *det_ctx,
detect: constify Signature/SigMatch use at runtime
9 years ago
Packet *p, const Signature *s, const SigMatchCtx *ctx);
detect: Provide `de_ctx` to free functions This commit makes sure that the `DetectEngineCtx *` is available to each detector's "free" function.
5 years ago
static void DetectFlowvarDataFree(DetectEngineCtx *, void *ptr);
Initial add of the files.
17 years ago
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
void DetectFlowvarRegister (void)
{
Initial add of the files.
17 years ago
sigmatch_table[DETECT_FLOWVAR].name = "flowvar";
sigmatch_table[DETECT_FLOWVAR].Match = DetectFlowvarMatch;
sigmatch_table[DETECT_FLOWVAR].Setup = DetectFlowvarSetup;
flowvar: clean up properly on signature clean up.
13 years ago
sigmatch_table[DETECT_FLOWVAR].Free = DetectFlowvarDataFree;
Initial add of the files.
17 years ago
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
/* post-match for flowvar storage */
sigmatch_table[DETECT_FLOWVAR_POSTMATCH].name = "__flowvar__postmatch__";
sigmatch_table[DETECT_FLOWVAR_POSTMATCH].Match = DetectFlowvarPostMatch;
sigmatch_table[DETECT_FLOWVAR_POSTMATCH].Setup = NULL;
flowvar: clean up properly on signature clean up.
13 years ago
sigmatch_table[DETECT_FLOWVAR_POSTMATCH].Free = DetectFlowvarDataFree;
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
detect: Update to take advantage of PCRE refactor This commit changes the keyword detectors to use the refactored PCRE modifications from detect-parse.[ch]
6 years ago
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
Initial add of the files.
17 years ago
}
flowvar: clean up properly on signature clean up.
13 years ago
/**
* \brief this function will SCFree memory associated with DetectFlowvarData
*
detect: spelling
2 years ago
* \param cd pointer to DetectContentData
flowvar: clean up properly on signature clean up.
13 years ago
*/
detect: Provide `de_ctx` to free functions This commit makes sure that the `DetectEngineCtx *` is available to each detector's "free" function.
5 years ago
static void DetectFlowvarDataFree(DetectEngineCtx *de_ctx, void *ptr)
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
{
flowvar: clean up properly on signature clean up.
13 years ago
if (ptr == NULL)
SCReturn;
DetectFlowvarData *fd = (DetectFlowvarData *)ptr;
var-names: reimplement var name handling Implement a new design for handling var name id's. The old logic was aware of detection engine versions and generally didn't work well for multi-tenancy cases. Other than memory leaks and crashes, logging of var names worked or failed based on which tenant was loaded last. This patch implements a new approach, where there is a global store of vars and their id's for the lifetime of the program. Overall Design: Base Store: "base" Used during keyword registration. Operates under lock. Base is shared between all detect engines, detect engine versions and tenants. Each variable name is ref counted. During the freeing of a detect engine / tenant, unregistration decreases the ref cnt. Base has both a string to id and a id to string hash table. String to id is used during parsing/registration. id to string during unregistration. Active Store Pointer (atomic) The "active" store atomic pointer points to the active lookup store. The call to `VarNameStoreActivate` will build a new lookup store and hot swap the pointer. Ensuring memory safety. During the hot swap, the pointer is replaced, so any new call to the lookup functions will automatically use the new store. This leaves the case of any lookup happening concurrently with the pointer swap. For this case we add the old store to a free list. It gets a timestamp before which it cannot be freed. Free List The free list contains old stores that are waiting to get removed. They contain a timestamp that is checked before they are freed. Bug: #6044. Bug: #6201.
2 years ago
/* leave unregistration to pcre keyword */
if (!fd->post_match)
VarNameStoreUnregister(fd->idx, VAR_TYPE_FLOW_VAR);
flowvar: clean up properly on signature clean up.
13 years ago
if (fd->name)
SCFree(fd->name);
if (fd->content)
SCFree(fd->content);
SCFree(fd);
}
Initial add of the files.
17 years ago
/*
* returns 0: no match
* 1: match
* -1: error
*/
detect: remove Threadvars argument from API calls Remove it as it's (almost) never used. If it is really needed it can be accessed through DetectEngineThreadCtx::tv as well.
6 years ago
int DetectFlowvarMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
detect: constify Signature/SigMatch use at runtime
9 years ago
const Signature *s, const SigMatchCtx *ctx)
Initial add of the files.
17 years ago
{
int ret = 0;
Change Match() function to take const SigMatchCtx* The Match functions don't need a pointer to the SigMatch object, just the context pointer contained inside, so pass the Context to the Match function rather than the SigMatch object. This allows for further optimization. Change SigMatch->ctx to have type SigMatchCtx* rather than void* for better type checking. This requires adding type casts when using or assigning it. The SigMatch contex should not be changed by the Match() funciton, so pass it as a const SigMatchCtx*.
11 years ago
DetectFlowvarData *fd = (DetectFlowvarData *)ctx;
Initial add of the files.
17 years ago
Add support for flowbits.
17 years ago
FlowVar *fv = FlowVarGet(p->flow, fd->idx);
Initial add of the files.
17 years ago
if (fv != NULL) {
Adding single pattern matcher algorithms. If you cannot store a context for the patterns, use SpmSearch() macro. Adding unittests and stats
16 years ago
uint8_t *ptr = SpmSearch(fv->data.fv_str.value,
First version of flowints
16 years ago
fv->data.fv_str.value_len,
fd->content, fd->content_len);
Initial add of the files.
17 years ago
if (ptr != NULL)
ret = 1;
}
return ret;
}
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
static int DetectFlowvarSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
Initial add of the files.
17 years ago
{
flowvar: cleanup keyword argument parsing. Should also address Coverity 400655.
13 years ago
DetectFlowvarData *fd = NULL;
detect/flowvar: Fix memory leaks from pcre_get_substring This commit replaces usages of pcre_get_substring with pcre_copy_substring to avoid leaking memory on error conditions.
6 years ago
char varname[64], varcontent[64];
detect/pcre: Use local match variables pcre2 is not thread-safe wrt match objects so use locally scoped objects. Issue: 4797
2 years ago
int res = 0;
pcre2: migrate keywords parsing
4 years ago
size_t pcre2len;
Update DetectContentDataParse to reflect the actual data types content uses.
13 years ago
uint8_t *content = NULL;
flowvar: cleanup keyword argument parsing. Should also address Coverity 400655.
13 years ago
uint16_t contentlen = 0;
detect-parse: improve common parser In preparation of turning input to keyword parsers to const add options to the common rule parser to enforce and strip double quotes and parse negation support. At registration, the keyword can register 3 extra flags: SIGMATCH_QUOTES_MANDATORY: value to keyword must be quoted SIGMATCH_QUOTES_OPTIONAL: value to keyword may be quoted SIGMATCH_HANDLE_NEGATION: leading ! is parsed In all cases leading spaces are removed. If the 'quote' flags are set, the quotes are removed from the input as well.
8 years ago
uint32_t contentflags = s->init_data->negated ? DETECT_CONTENT_NEGATED : 0;
detect/pcre: Use local match variables pcre2 is not thread-safe wrt match objects so use locally scoped objects. Issue: 4797
2 years ago
pcre2_match_data *match = NULL;
Initial add of the files.
17 years ago
detect/pcre: Use local match variables pcre2 is not thread-safe wrt match objects so use locally scoped objects. Issue: 4797
2 years ago
int ret = DetectParsePcreExec(&parse_regex, &match, rawstr, 0, 0);
2nd try of fixing some bugs reported by static code analysis tool.
16 years ago
if (ret != 3) {
output: remove error codes from output
3 years ago
SCLogError("\"%s\" is not a valid setting for flowvar.", rawstr);
detect/pcre: Use local match variables pcre2 is not thread-safe wrt match objects so use locally scoped objects. Issue: 4797
2 years ago
if (match) {
pcre2_match_data_free(match);
}
2nd try of fixing some bugs reported by static code analysis tool.
16 years ago
return -1;
}
pcre2: migrate keywords parsing
4 years ago
pcre2len = sizeof(varname);
detect/pcre: Use local match variables pcre2 is not thread-safe wrt match objects so use locally scoped objects. Issue: 4797
2 years ago
res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)varname, &pcre2len);
2nd try of fixing some bugs reported by static code analysis tool.
16 years ago
if (res < 0) {
detect/pcre: Use local match variables pcre2 is not thread-safe wrt match objects so use locally scoped objects. Issue: 4797
2 years ago
pcre2_match_data_free(match);
output: remove error codes from output
3 years ago
SCLogError("pcre2_substring_copy_bynumber failed");
2nd try of fixing some bugs reported by static code analysis tool.
16 years ago
return -1;
}
pcre2: migrate keywords parsing
4 years ago
pcre2len = sizeof(varcontent);
detect/pcre: Use local match variables pcre2 is not thread-safe wrt match objects so use locally scoped objects. Issue: 4797
2 years ago
res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)varcontent, &pcre2len);
pcre2_match_data_free(match);
flowvar: cleanup keyword argument parsing. Should also address Coverity 400655.
13 years ago
if (res < 0) {
output: remove error codes from output
3 years ago
SCLogError("pcre2_substring_copy_bynumber failed");
Initial add of the files.
17 years ago
return -1;
Memory leak cleanup in detectors Hello, I ran the code through an analysis program and found several leaks that should be cleaned up. *In src/detect-engine-address-ipv4.c at line 472, the test for ag == NULL will never be true since that is the loop entry test. *In src/detect-engine-port.c at line 1133, the test for p == NULL will never be true since that is the loop entry test. *In src/detect-engine-mpm.c at line 263 is a return without freeing fast_pattern *In src/detect-ack.c at line 80 and 85, data catches the return from malloc. One of them should be deleted. *In src/detect-seq.c at line 81 and 86, data catches the return from malloc. One of them should be deleted. *In src/detect-content.c at line 749, many of the paths that lead to the error exit still has temp pointing to allocated memory. To clean this up, temp should be set to NULL if not immediately assigning and new value. *In src/detect-uricontent.c at line 319, both cd and str needto be freed. At lines 344, str needs to be freed. And at line 347 str and temp need to be freed. *In src/detect-flowbits.c at line 231 and 235, str was not being freed. cd was not being freed at line 235. *In src/detect-flowvar.c at line 127, str was not being freed. At line 194, cd and str were not being freed. *In src/detect-flowint.c at line 277, sfd was not being freed. At line 315, str was not being freed. *In src/detect-pktvar.c at line 121, str was not being freed. At line 188, str and cd was not being freed. *In src/detect-pcre.c at line 389, there is an extra free of "re" that should be deleted. *In src/detect-depth.c at line 42 & 48, str has not been freed. *In src/detect-distance.c at line 49 and 55, str has not been freed *In src/detect-offset.c at line 45, str has not been freed. The patch below fixes these issues. -Steve
16 years ago
}
Initial add of the files.
17 years ago
detect/flowvar: Fix memory leaks from pcre_get_substring This commit replaces usages of pcre_get_substring with pcre_copy_substring to avoid leaking memory on error conditions.
6 years ago
int varcontent_index = 0;
detect-parse: improve common parser In preparation of turning input to keyword parsers to const add options to the common rule parser to enforce and strip double quotes and parse negation support. At registration, the keyword can register 3 extra flags: SIGMATCH_QUOTES_MANDATORY: value to keyword must be quoted SIGMATCH_QUOTES_OPTIONAL: value to keyword may be quoted SIGMATCH_HANDLE_NEGATION: leading ! is parsed In all cases leading spaces are removed. If the 'quote' flags are set, the quotes are removed from the input as well.
8 years ago
if (strlen(varcontent) >= 2) {
if (varcontent[0] == '"')
detect/flowvar: Fix memory leaks from pcre_get_substring This commit replaces usages of pcre_get_substring with pcre_copy_substring to avoid leaking memory on error conditions.
6 years ago
varcontent_index++;
detect-parse: improve common parser In preparation of turning input to keyword parsers to const add options to the common rule parser to enforce and strip double quotes and parse negation support. At registration, the keyword can register 3 extra flags: SIGMATCH_QUOTES_MANDATORY: value to keyword must be quoted SIGMATCH_QUOTES_OPTIONAL: value to keyword may be quoted SIGMATCH_HANDLE_NEGATION: leading ! is parsed In all cases leading spaces are removed. If the 'quote' flags are set, the quotes are removed from the input as well.
8 years ago
if (varcontent[strlen(varcontent)-1] == '"')
varcontent[strlen(varcontent)-1] = '\0';
}
detect/flowvar: Fix memory leaks from pcre_get_substring This commit replaces usages of pcre_get_substring with pcre_copy_substring to avoid leaking memory on error conditions.
6 years ago
SCLogDebug("varcontent %s", &varcontent[varcontent_index]);
detect-parse: improve common parser In preparation of turning input to keyword parsers to const add options to the common rule parser to enforce and strip double quotes and parse negation support. At registration, the keyword can register 3 extra flags: SIGMATCH_QUOTES_MANDATORY: value to keyword must be quoted SIGMATCH_QUOTES_OPTIONAL: value to keyword may be quoted SIGMATCH_HANDLE_NEGATION: leading ! is parsed In all cases leading spaces are removed. If the 'quote' flags are set, the quotes are removed from the input as well.
8 years ago
detect/flowvar: Fix memory leaks from pcre_get_substring This commit replaces usages of pcre_get_substring with pcre_copy_substring to avoid leaking memory on error conditions.
6 years ago
res = DetectContentDataParse("flowvar", &varcontent[varcontent_index], &content, &contentlen);
flowvar: cleanup keyword argument parsing. Should also address Coverity 400655.
13 years ago
if (res == -1)
Initial add of the files.
17 years ago
goto error;
memory/alloc: Use SCCalloc instead of malloc/memset
2 years ago
fd = SCCalloc(1, sizeof(DetectFlowvarData));
flowvar: cleanup keyword argument parsing. Should also address Coverity 400655.
13 years ago
if (unlikely(fd == NULL))
goto error;
Initial add of the files.
17 years ago
flowvar: cleanup keyword argument parsing. Should also address Coverity 400655.
13 years ago
fd->content = SCMalloc(contentlen);
if (unlikely(fd->content == NULL))
goto error;
Initial add of the files.
17 years ago
Update DetectContentDataParse to reflect the actual data types content uses.
13 years ago
memcpy(fd->content, content, contentlen);
flowvar: cleanup keyword argument parsing. Should also address Coverity 400655.
13 years ago
fd->content_len = contentlen;
fd->flags = contentflags;
Initial add of the files.
17 years ago
flowvar: cleanup keyword argument parsing. Should also address Coverity 400655.
13 years ago
fd->name = SCStrdup(varname);
error checking: add missing alloc error treatment The return of some malloc like functions was not treated in some places of the code.
12 years ago
if (unlikely(fd->name == NULL))
goto error;
var-names: reimplement var name handling Implement a new design for handling var name id's. The old logic was aware of detection engine versions and generally didn't work well for multi-tenancy cases. Other than memory leaks and crashes, logging of var names worked or failed based on which tenant was loaded last. This patch implements a new approach, where there is a global store of vars and their id's for the lifetime of the program. Overall Design: Base Store: "base" Used during keyword registration. Operates under lock. Base is shared between all detect engines, detect engine versions and tenants. Each variable name is ref counted. During the freeing of a detect engine / tenant, unregistration decreases the ref cnt. Base has both a string to id and a id to string hash table. String to id is used during parsing/registration. id to string during unregistration. Active Store Pointer (atomic) The "active" store atomic pointer points to the active lookup store. The call to `VarNameStoreActivate` will build a new lookup store and hot swap the pointer. Ensuring memory safety. During the hot swap, the pointer is replaced, so any new call to the lookup functions will automatically use the new store. This leaves the case of any lookup happening concurrently with the pointer swap. For this case we add the old store to a free list. It gets a timestamp before which it cannot be freed. Free List The free list contains old stores that are waiting to get removed. They contain a timestamp that is checked before they are freed. Bug: #6044. Bug: #6201.
2 years ago
fd->idx = VarNameStoreRegister(varname, VAR_TYPE_FLOW_VAR);
Initial add of the files.
17 years ago
/* Okay so far so good, lets get this into a SigMatch
* and put it in the Signature. */
detect: SigMatchAppendSMToList can fail Ticket: #6104 And failures should be handled to say that the rule failed to load Reverts the fix by 299ee6ed5561f01575150b436d5db31485dab146 that was simple, but not complete (memory leak), to have this bigger API change which simplifies code.
2 years ago
if (SigMatchAppendSMToList(
de_ctx, s, DETECT_FLOWVAR, (SigMatchCtx *)fd, DETECT_SM_LIST_MATCH) == NULL) {
goto error;
}
Initial add of the files.
17 years ago
Update DetectContentDataParse to reflect the actual data types content uses.
13 years ago
SCFree(content);
Initial add of the files.
17 years ago
return 0;
error:
flowvar: cleanup keyword argument parsing. Should also address Coverity 400655.
13 years ago
if (fd != NULL)
detect: Provide `de_ctx` to free functions This commit makes sure that the `DetectEngineCtx *` is available to each detector's "free" function.
5 years ago
DetectFlowvarDataFree(de_ctx, fd);
Update DetectContentDataParse to reflect the actual data types content uses.
13 years ago
if (content != NULL)
SCFree(content);
Initial add of the files.
17 years ago
return -1;
}
pktvars: same name pktvars, key-value vars
9 years ago
/** \brief Store flowvar in det_ctx so we can exec it post-match */
var: Use 16-bit container for type Issue: 6855: Match sigmatch type field in var and bit structs Align the size and datatype of type, idx, and next members across: - FlowVarThreshold - FlowBit - FlowVar - GenericVar - XBit - DetectVarList Note that the FlowVar structure has been intentionally constrained to match the structure size prior to this commit. To achieve this, the keylen member was restricted to 8 bits after it was confirmed its value is checked against a max of 0xff.
10 months ago
int DetectVarStoreMatchKeyValue(DetectEngineThreadCtx *det_ctx, uint8_t *key, uint16_t key_len,
uint8_t *buffer, uint16_t len, uint16_t type)
pktvars: same name pktvars, key-value vars
9 years ago
{
DetectVarList *fs = SCCalloc(1, sizeof(*fs));
if (unlikely(fs == NULL))
return -1;
fs->len = len;
fs->type = type;
fs->buffer = buffer;
fs->key = key;
fs->key_len = key_len;
fs->next = det_ctx->varlist;
det_ctx->varlist = fs;
return 0;
}
Initial add of the files.
17 years ago
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
/** \brief Store flowvar in det_ctx so we can exec it post-match */
var: Use 16-bit container for type Issue: 6855: Match sigmatch type field in var and bit structs Align the size and datatype of type, idx, and next members across: - FlowVarThreshold - FlowBit - FlowVar - GenericVar - XBit - DetectVarList Note that the FlowVar structure has been intentionally constrained to match the structure size prior to this commit. To achieve this, the keylen member was restricted to 8 bits after it was confirmed its value is checked against a max of 0xff.
10 months ago
int DetectVarStoreMatch(
DetectEngineThreadCtx *det_ctx, uint32_t idx, uint8_t *buffer, uint16_t len, uint16_t type)
luajit flowvar support This patch adds flowvar support to luajit. It does so by exposing two special C functions to the luajit scripts: ScFlowvarGet and ScFlowvarSet.
13 years ago
{
pkt-var: abuse flowvar postmatch logic for pktvars Flowvars were already using a temporary store in the detect thread ctx. Use the same facility for pktvars. The reasons are: 1. packet is not always available, e.g. when running pcre on http buffers. 2. setting of vars should be done post match. Until now it was also possible that it is done on a partial match.
9 years ago
DetectVarList *fs = det_ctx->varlist;
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
/* first check if we have had a previous match for this idx */
for ( ; fs != NULL; fs = fs->next) {
if (fs->idx == idx) {
/* we're replacing the older store */
SCFree(fs->buffer);
fs->buffer = NULL;
break;
}
}
if (fs == NULL) {
pktvars: same name pktvars, key-value vars
9 years ago
fs = SCCalloc(1, sizeof(*fs));
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
if (unlikely(fs == NULL))
return -1;
fs->idx = idx;
pkt-var: abuse flowvar postmatch logic for pktvars Flowvars were already using a temporary store in the detect thread ctx. Use the same facility for pktvars. The reasons are: 1. packet is not always available, e.g. when running pcre on http buffers. 2. setting of vars should be done post match. Until now it was also possible that it is done on a partial match.
9 years ago
fs->next = det_ctx->varlist;
det_ctx->varlist = fs;
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
}
fs->len = len;
luajit flowvar support This patch adds flowvar support to luajit. It does so by exposing two special C functions to the luajit scripts: ScFlowvarGet and ScFlowvarSet.
13 years ago
fs->type = type;
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
fs->buffer = buffer;
return 0;
}
/** \brief Setup a post-match for flowvar storage
* We're piggyback riding the DetectFlowvarData struct
*/
detect: Provide `de_ctx` to free functions This commit makes sure that the `DetectEngineCtx *` is available to each detector's "free" function.
5 years ago
int DetectFlowvarPostMatchSetup(DetectEngineCtx *de_ctx, Signature *s, uint32_t idx)
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
{
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
DetectFlowvarData *fv = NULL;
memory/alloc: Use SCCalloc instead of malloc/memset
2 years ago
fv = SCCalloc(1, sizeof(DetectFlowvarData));
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
if (unlikely(fv == NULL))
goto error;
/* we only need the idx */
fv->idx = idx;
var-names: reimplement var name handling Implement a new design for handling var name id's. The old logic was aware of detection engine versions and generally didn't work well for multi-tenancy cases. Other than memory leaks and crashes, logging of var names worked or failed based on which tenant was loaded last. This patch implements a new approach, where there is a global store of vars and their id's for the lifetime of the program. Overall Design: Base Store: "base" Used during keyword registration. Operates under lock. Base is shared between all detect engines, detect engine versions and tenants. Each variable name is ref counted. During the freeing of a detect engine / tenant, unregistration decreases the ref cnt. Base has both a string to id and a id to string hash table. String to id is used during parsing/registration. id to string during unregistration. Active Store Pointer (atomic) The "active" store atomic pointer points to the active lookup store. The call to `VarNameStoreActivate` will build a new lookup store and hot swap the pointer. Ensuring memory safety. During the hot swap, the pointer is replaced, so any new call to the lookup functions will automatically use the new store. This leaves the case of any lookup happening concurrently with the pointer swap. For this case we add the old store to a free list. It gets a timestamp before which it cannot be freed. Free List The free list contains old stores that are waiting to get removed. They contain a timestamp that is checked before they are freed. Bug: #6044. Bug: #6201.
2 years ago
fv->post_match = true;
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
detect: SigMatchAppendSMToList can fail Ticket: #6104 And failures should be handled to say that the rule failed to load Reverts the fix by 299ee6ed5561f01575150b436d5db31485dab146 that was simple, but not complete (memory leak), to have this bigger API change which simplifies code.
2 years ago
if (SigMatchAppendSMToList(de_ctx, s, DETECT_FLOWVAR_POSTMATCH, (SigMatchCtx *)fv,
DETECT_SM_LIST_POSTMATCH) == NULL) {
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
goto error;
detect: SigMatchAppendSMToList can fail Ticket: #6104 And failures should be handled to say that the rule failed to load Reverts the fix by 299ee6ed5561f01575150b436d5db31485dab146 that was simple, but not complete (memory leak), to have this bigger API change which simplifies code.
2 years ago
}
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
return 0;
error:
Coverity 1005134: fix minor memory leak on flowvar rule setup errors.
13 years ago
if (fv != NULL)
detect: Provide `de_ctx` to free functions This commit makes sure that the `DetectEngineCtx *` is available to each detector's "free" function.
5 years ago
DetectFlowvarDataFree(de_ctx, fv);
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
return -1;
}
/** \internal
* \brief post-match func to store flowvars in the flow
* \param sm sigmatch containing the idx to store
* \retval 1 or -1 in case of error
*/
detect: remove Threadvars argument from API calls Remove it as it's (almost) never used. If it is really needed it can be accessed through DetectEngineThreadCtx::tv as well.
6 years ago
static int DetectFlowvarPostMatch(
flowvar: cleanups
9 years ago
DetectEngineThreadCtx *det_ctx,
detect: constify Signature/SigMatch use at runtime
9 years ago
Packet *p, const Signature *s, const SigMatchCtx *ctx)
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
{
pkt-var: abuse flowvar postmatch logic for pktvars Flowvars were already using a temporary store in the detect thread ctx. Use the same facility for pktvars. The reasons are: 1. packet is not always available, e.g. when running pcre on http buffers. 2. setting of vars should be done post match. Until now it was also possible that it is done on a partial match.
9 years ago
DetectVarList *fs, *prev;
Change Match() function to take const SigMatchCtx* The Match functions don't need a pointer to the SigMatch object, just the context pointer contained inside, so pass the Context to the Match function rather than the SigMatch object. This allows for further optimization. Change SigMatch->ctx to have type SigMatchCtx* rather than void* for better type checking. This requires adding type casts when using or assigning it. The SigMatch contex should not be changed by the Match() funciton, so pass it as a const SigMatchCtx*.
11 years ago
const DetectFlowvarData *fd;
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
pkt-var: abuse flowvar postmatch logic for pktvars Flowvars were already using a temporary store in the detect thread ctx. Use the same facility for pktvars. The reasons are: 1. packet is not always available, e.g. when running pcre on http buffers. 2. setting of vars should be done post match. Until now it was also possible that it is done on a partial match.
9 years ago
if (det_ctx->varlist == NULL)
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
return 1;
Change Match() function to take const SigMatchCtx* The Match functions don't need a pointer to the SigMatch object, just the context pointer contained inside, so pass the Context to the Match function rather than the SigMatch object. This allows for further optimization. Change SigMatch->ctx to have type SigMatchCtx* rather than void* for better type checking. This requires adding type casts when using or assigning it. The SigMatch contex should not be changed by the Match() funciton, so pass it as a const SigMatchCtx*.
11 years ago
fd = (const DetectFlowvarData *)ctx;
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
prev = NULL;
pkt-var: abuse flowvar postmatch logic for pktvars Flowvars were already using a temporary store in the detect thread ctx. Use the same facility for pktvars. The reasons are: 1. packet is not always available, e.g. when running pcre on http buffers. 2. setting of vars should be done post match. Until now it was also possible that it is done on a partial match.
9 years ago
fs = det_ctx->varlist;
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
while (fs != NULL) {
pktvars: same name pktvars, key-value vars
9 years ago
if (fd->idx == 0 || fd->idx == fs->idx) {
luajit flowvar support This patch adds flowvar support to luajit. It does so by exposing two special C functions to the luajit scripts: ScFlowvarGet and ScFlowvarSet.
13 years ago
SCLogDebug("adding to the flow %u:", fs->idx);
//PrintRawDataFp(stdout, fs->buffer, fs->len);
pkt-var: abuse flowvar postmatch logic for pktvars Flowvars were already using a temporary store in the detect thread ctx. Use the same facility for pktvars. The reasons are: 1. packet is not always available, e.g. when running pcre on http buffers. 2. setting of vars should be done post match. Until now it was also possible that it is done on a partial match.
9 years ago
if (fs->type == DETECT_VAR_TYPE_FLOW_POSTMATCH && p && p->flow) {
lua: support key/value flowvars in lua
9 years ago
FlowVarAddIdValue(p->flow, fs->idx, fs->buffer, fs->len);
pkt-var: abuse flowvar postmatch logic for pktvars Flowvars were already using a temporary store in the detect thread ctx. Use the same facility for pktvars. The reasons are: 1. packet is not always available, e.g. when running pcre on http buffers. 2. setting of vars should be done post match. Until now it was also possible that it is done on a partial match.
9 years ago
/* memory at fs->buffer is now the responsibility of
* the flowvar code. */
pktvars: same name pktvars, key-value vars
9 years ago
} else if (fs->type == DETECT_VAR_TYPE_PKT_POSTMATCH && fs->key && p) {
/* pkt key/value */
if (PktVarAddKeyValue(p, (uint8_t *)fs->key, fs->key_len,
(uint8_t *)fs->buffer, fs->len) == -1)
{
SCFree(fs->key);
SCFree(fs->buffer);
/* the rest of fs is freed below */
}
pkt-var: abuse flowvar postmatch logic for pktvars Flowvars were already using a temporary store in the detect thread ctx. Use the same facility for pktvars. The reasons are: 1. packet is not always available, e.g. when running pcre on http buffers. 2. setting of vars should be done post match. Until now it was also possible that it is done on a partial match.
9 years ago
} else if (fs->type == DETECT_VAR_TYPE_PKT_POSTMATCH && p) {
pktvars: same name pktvars, key-value vars
9 years ago
if (PktVarAdd(p, fs->idx, fs->buffer, fs->len) == -1) {
SCFree(fs->buffer);
/* the rest of fs is freed below */
}
pkt-var: abuse flowvar postmatch logic for pktvars Flowvars were already using a temporary store in the detect thread ctx. Use the same facility for pktvars. The reasons are: 1. packet is not always available, e.g. when running pcre on http buffers. 2. setting of vars should be done post match. Until now it was also possible that it is done on a partial match.
9 years ago
}
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
pkt-var: abuse flowvar postmatch logic for pktvars Flowvars were already using a temporary store in the detect thread ctx. Use the same facility for pktvars. The reasons are: 1. packet is not always available, e.g. when running pcre on http buffers. 2. setting of vars should be done post match. Until now it was also possible that it is done on a partial match.
9 years ago
if (fs == det_ctx->varlist) {
det_ctx->varlist = fs->next;
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
SCFree(fs);
pkt-var: abuse flowvar postmatch logic for pktvars Flowvars were already using a temporary store in the detect thread ctx. Use the same facility for pktvars. The reasons are: 1. packet is not always available, e.g. when running pcre on http buffers. 2. setting of vars should be done post match. Until now it was also possible that it is done on a partial match.
9 years ago
fs = det_ctx->varlist;
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
} else {
prev->next = fs->next;
SCFree(fs);
fs = prev->next;
}
} else {
prev = fs;
fs = fs->next;
}
}
return 1;
}
flowvar: remove unused DETECT_VAR_TYPE_ALWAYS
9 years ago
/** \brief Handle flowvar candidate list in det_ctx: clean up the list
*
* Only called from DetectVarProcessList() when varlist is not NULL.
Create a wrapper around DetectFlowvarProcessList() to check for empty list Creates an inline wrapper to check for flowvarlist == NULL before calling DetectFlowvarProcessList() to remove the overhead of checking since the list is usually empty.
11 years ago
*/
pkt-var: abuse flowvar postmatch logic for pktvars Flowvars were already using a temporary store in the detect thread ctx. Use the same facility for pktvars. The reasons are: 1. packet is not always available, e.g. when running pcre on http buffers. 2. setting of vars should be done post match. Until now it was also possible that it is done on a partial match.
9 years ago
void DetectVarProcessListInternal(DetectVarList *fs, Flow *f, Packet *p)
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
{
pkt-var: abuse flowvar postmatch logic for pktvars Flowvars were already using a temporary store in the detect thread ctx. Use the same facility for pktvars. The reasons are: 1. packet is not always available, e.g. when running pcre on http buffers. 2. setting of vars should be done post match. Until now it was also possible that it is done on a partial match.
9 years ago
DetectVarList *next;
luajit flowvar support This patch adds flowvar support to luajit. It does so by exposing two special C functions to the luajit scripts: ScFlowvarGet and ScFlowvarSet.
13 years ago
Create a wrapper around DetectFlowvarProcessList() to check for empty list Creates an inline wrapper to check for flowvarlist == NULL before calling DetectFlowvarProcessList() to remove the overhead of checking since the list is usually empty.
11 years ago
do {
next = fs->next;
luajit flowvar support This patch adds flowvar support to luajit. It does so by exposing two special C functions to the luajit scripts: ScFlowvarGet and ScFlowvarSet.
13 years ago
flowvar: remove unused DETECT_VAR_TYPE_ALWAYS
9 years ago
if (fs->key) {
SCFree(fs->key);
flowvar: cleanups
9 years ago
}
flowvar: remove unused DETECT_VAR_TYPE_ALWAYS
9 years ago
SCFree(fs->buffer);
Create a wrapper around DetectFlowvarProcessList() to check for empty list Creates an inline wrapper to check for flowvarlist == NULL before calling DetectFlowvarProcessList() to remove the overhead of checking since the list is usually empty.
11 years ago
SCFree(fs);
fs = next;
} while (fs != NULL);
flowvar: fix deadlock with http buffers Bug #802 Flowvars are set from pcre, and lock the flow when being set. However when HTTP buffers were inspected, flow was already locked: deadlock. This patch introduces a post-match list in the detection engine thread ctx, where store candidates are kept. Then a post-match function is used to finalize the storing if the rule matches. Solves the deadlock and brings the handling of flowvars more in line with flowbits and flowints.
13 years ago
}