aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ccf202a4f0'
${ noResults }
suricata/src/detect.c

1116 lines
40 KiB
C
Raw Normal View History Unescape Escape

detect: move keyword registration into own file
8 years ago
/* Copyright (C) 2007-2017 Open Information Security Foundation
Import of GPLv2 Header 050410
15 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
*
* Basic detection engine
*/
Initial add of the files.
17 years ago
Rename to Suricata.
16 years ago
#include "suricata-common.h"
#include "suricata.h"
detect: move rule loading into loader files
8 years ago
#include "conf.h"
detect: move keyword registration into own file
8 years ago
#include "decode.h"
Initial add of the files.
17 years ago
#include "flow.h"
detect: move keyword registration into own file
8 years ago
#include "stream-tcp.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "detect.h"
Switch to using a detection engine ctx.
17 years ago
#include "detect-engine.h"
profiling: output post-prefilter matches Dump a json record containing all sigs that need to be inspected after prefilter. Part of profiling. Only dump if threshold is met, which is currently set by: --set detect.profiling.inspect-logging-threshold=200 A file called packet_inspected_rules.json is created in the default log dir.
10 years ago
#include "detect-engine-profile.h"
Cleanup signature parsing and other detect.c parts.
17 years ago
Changing threshold logic
15 years ago
#include "detect-engine-alert.h"
Large detection engine update.
17 years ago
#include "detect-engine-siggroup.h"
#include "detect-engine-address.h"
Properly support 'alert ip' rules. Add support for handling ip only rules differently.
17 years ago
#include "detect-engine-proto.h"
Large detection engine update.
17 years ago
#include "detect-engine-port.h"
#include "detect-engine-mpm.h"
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
#include "detect-engine-iponly.h"
Threshold Rule
16 years ago
#include "detect-engine-threshold.h"
prefilter: introduce prefilter engines Introduce abstraction layer for prefilter engines.
9 years ago
#include "detect-engine-prefilter.h"
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
#include "detect-engine-state.h"
feature 349 rule analyzer v1
13 years ago
#include "detect-engine-analyzer.h"
detect: move rule loading into loader files
8 years ago
detect: move keyword registration into own file
8 years ago
#include "detect-engine-payload.h"
mpm: implement prefiltering for smtp
11 years ago
#include "detect-engine-filedata-smtp.h"
Rename detect-decode-event to detect-engine-event This patch does a simple renaming of detect-decode-event file to the more global detect-engine-event name.
14 years ago
#include "detect-engine-event.h"
make client body buffer limit configurable. Also some minor changes
15 years ago
#include "detect-engine-hcbd.h"
Optimize detection engine prefiltering logic.
14 years ago
#include "detect-engine-hsbd.h"
support fast pattern for http raw header. Also support relative modifiers for http raw header
15 years ago
#include "detect-engine-hrhd.h"
fast pattern support for http_method. Also support relative modifiers
15 years ago
#include "detect-engine-hmd.h"
fast pattern support for http_cookie. Also support relative modifiers
15 years ago
#include "detect-engine-hcd.h"
support for http_raw_uri keyword + mpm engine
14 years ago
#include "detect-engine-hrud.h"
Support http stat msg detection engine, fast pattern(mpm engine included). Fix http stat msg setup function. Fix pcre option for stat msg keyword
14 years ago
#include "detect-engine-hsmd.h"
Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S
14 years ago
#include "detect-engine-hscd.h"
http user agent keyword + mpm + inspection + fast pattern support added
13 years ago
#include "detect-engine-hua.h"
Add support for a new keyword to inspect http_host header. The corresponding content keyword would now be - http_host. The corresponding pcre modifier would be W.
13 years ago
#include "detect-engine-hhhd.h"
Add support for the new keyword - http_raw_host header. The corresponding pcre modifier would be 'Z'.
13 years ago
#include "detect-engine-hrhhd.h"
Cleanup signature parsing and other detect.c parts.
17 years ago
detect: move keyword registration into own file
8 years ago
#include "detect-filestore.h"
#include "detect-flowvar.h"
#include "detect-replace.h"
Stream engine memory handling update The stream engine memory handling needed updating as it didn't scale. Changes: - pools can now be initialized to size 0, meaning unlimited - stream engine uses a memcap setting. Sessions, segments and aldata is part of this, app layer state isn't. - memory is accounted using a global int that is spinlocked. - a counter for sessions that have not been picked up because of memcap was added. - all reassembly errors are converted to debug msgs.
16 years ago
Add optional structure validation code.
15 years ago
#include "util-validate.h"
detect: save invalid rules This keeps the invalid rules in string format into a list, added in DetectEngineCtx.
10 years ago
#include "util-detect.h"
free flowvar entries in flow after live rule swap. Sync flowbits entries into packet struct to be used by alert debuglog when alert debuglog is enabled
13 years ago
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
int SigMatchSignaturesRunPostMatch(ThreadVars *tv,
DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p,
detect: constify Signature/SigMatch use at runtime
9 years ago
const Signature *s)
Add post-match list, move flowbits set, etc functions to it. Move flowint set, etc functions to it as well.
14 years ago
{
/* run the packet match functions */
pkt-var: abuse flowvar postmatch logic for pktvars Flowvars were already using a temporary store in the detect thread ctx. Use the same facility for pktvars. The reasons are: 1. packet is not always available, e.g. when running pcre on http buffers. 2. setting of vars should be done post match. Until now it was also possible that it is done on a partial match.
9 years ago
SigMatchData *smd = s->sm_arrays[DETECT_SM_LIST_POSTMATCH];
if (smd != NULL) {
profiling: per buffer profiling
12 years ago
KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_POSTMATCH);
Add post-match list, move flowbits set, etc functions to it. Move flowint set, etc functions to it as well.
14 years ago
Create optimized sig_arrays from sig_lists Create a copy of the SigMatch data in the sig_lists linked-lists and store it in an array for faster access and not next and previous pointers. The array is then used when calling the Match() functions. Gives a 7.7% speed up on one test.
11 years ago
SCLogDebug("running match functions, sm %p", smd);
Add post-match list, move flowbits set, etc functions to it. Move flowint set, etc functions to it as well.
14 years ago
pkt-var: abuse flowvar postmatch logic for pktvars Flowvars were already using a temporary store in the detect thread ctx. Use the same facility for pktvars. The reasons are: 1. packet is not always available, e.g. when running pcre on http buffers. 2. setting of vars should be done post match. Until now it was also possible that it is done on a partial match.
9 years ago
while (1) {
KEYWORD_PROFILING_START;
(void)sigmatch_table[smd->type].Match(tv, det_ctx, p, s, smd->ctx);
KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
if (smd->is_last)
break;
smd++;
Add post-match list, move flowbits set, etc functions to it. Move flowint set, etc functions to it as well.
14 years ago
}
}
Check replist is not NULL inline before doing any processing. The replist is often NULL, so it is worth checking that case before making the function call do perform work on the list.
11 years ago
DetectReplaceExecute(p, det_ctx);
filestore: fix a case where a matching non-filestore sig could trigger the store of a partially matching filestore sig.
13 years ago
if (s->flags & SIG_FLAG_FILESTORE)
filestore: fix logic flag in continued stateful detection
13 years ago
DetectFilestorePostMatch(tv, det_ctx, p, s);
Add post-match list, move flowbits set, etc functions to it. Move flowint set, etc functions to it as well.
14 years ago
return 1;
}
Remove dsize grouping from detection engine grouping reducing memory usage. Store sgh in flow to reduce lookups. Reduce locking in alert handling. Increase default grouping values as we use less memory.
15 years ago
/**
* \brief Get the SigGroupHead for a packet.
*
* \param de_ctx detection engine context
* \param p packet
*
* \retval sgh the SigGroupHead or NULL if non applies to the packet
*/
detect: constify rule group lookup
8 years ago
const SigGroupHead *SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx,
const Packet *p)
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
{
Fix app layer detect to actually work.
16 years ago
SCEnter();
Remove dsize grouping from detection engine grouping reducing memory usage. Store sgh in flow to reduce lookups. Reduce locking in alert handling. Increase default grouping values as we use less memory.
15 years ago
int f;
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
SigGroupHead *sgh = NULL;
Initial add of the files.
17 years ago
Make sure decoder event rules are inspected even if the packet is invalid and has no addesses or proto. Update fast log and alert debug log to display the alerts. Fixes #179.
15 years ago
/* if the packet proto is 0 (not set), we're inspecting it against
* the decoder events sgh we have. */
if (p->proto == 0 && p->events.cnt > 0) {
SCReturnPtr(de_ctx->decoder_event_sgh, "SigGroupHead");
detect: don't run IP inspection on non-IP packets The code to get the rule group (sgh) would return the group for IP proto 0 instead of nothing. This lead to certain types of rules unintentionally matching (False Positive). Since the packets weren't actually IP, the logged alert records were missing the IP header. Bug #2017.
9 years ago
} else if (p->proto == 0) {
if (!(PKT_IS_IPV4(p) || PKT_IS_IPV6(p))) {
/* not IP, so nothing to do */
SCReturnPtr(NULL, "SigGroupHead");
}
Make sure decoder event rules are inspected even if the packet is invalid and has no addesses or proto. Update fast log and alert debug log to display the alerts. Fixes #179.
15 years ago
}
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
/* select the flow_gh */
if (p->flowflags & FLOW_PKT_TOCLIENT)
f = 0;
else
f = 1;
Initial add of the files.
17 years ago
detect: per port and proto rule grouping Replace tree based approach for rule grouping with a per port (tcp/udp) and per protocol approach. Grouping now looks like: +----+ |icmp+---> +----+ |gre +---> +----+ |esp +---> +----+ other|... | +----->-----+ | |N +---> | +----+ | | tcp +----+ +----+ +----->+ 80 +-->+ 139+--> | +----+ +----+ | | udp +----+ +----+ +---+----->+ 53 +-->+ 135+--> | +----+ +----+ |toserver +---> |toclient | +---> So the first 'split' in the rules is the direction: toserver or toclient. Rules that don't have a direction, are in both branches. Then the split is between tcp/udp and the other protocols. For tcp and udp port lists are used. For the other protocols, grouping is simply per protocol. The ports used are the destination ports for toserver sigs and source ports for toclient sigs.
11 years ago
int proto = IP_GET_IPPROTO(p);
if (proto == IPPROTO_TCP) {
DetectPort *list = de_ctx->flow_gh[f].tcp;
detect: debug output
10 years ago
SCLogDebug("tcp toserver %p, tcp toclient %p: going to use %p",
de_ctx->flow_gh[1].tcp, de_ctx->flow_gh[0].tcp, de_ctx->flow_gh[f].tcp);
detect: per port and proto rule grouping Replace tree based approach for rule grouping with a per port (tcp/udp) and per protocol approach. Grouping now looks like: +----+ |icmp+---> +----+ |gre +---> +----+ |esp +---> +----+ other|... | +----->-----+ | |N +---> | +----+ | | tcp +----+ +----+ +----->+ 80 +-->+ 139+--> | +----+ +----+ | | udp +----+ +----+ +---+----->+ 53 +-->+ 135+--> | +----+ +----+ |toserver +---> |toclient | +---> So the first 'split' in the rules is the direction: toserver or toclient. Rules that don't have a direction, are in both branches. Then the split is between tcp/udp and the other protocols. For tcp and udp port lists are used. For the other protocols, grouping is simply per protocol. The ports used are the destination ports for toserver sigs and source ports for toclient sigs.
11 years ago
uint16_t port = f ? p->dp : p->sp;
detect: debug output
10 years ago
SCLogDebug("tcp port %u -> %u:%u", port, p->sp, p->dp);
detect: per port and proto rule grouping Replace tree based approach for rule grouping with a per port (tcp/udp) and per protocol approach. Grouping now looks like: +----+ |icmp+---> +----+ |gre +---> +----+ |esp +---> +----+ other|... | +----->-----+ | |N +---> | +----+ | | tcp +----+ +----+ +----->+ 80 +-->+ 139+--> | +----+ +----+ | | udp +----+ +----+ +---+----->+ 53 +-->+ 135+--> | +----+ +----+ |toserver +---> |toclient | +---> So the first 'split' in the rules is the direction: toserver or toclient. Rules that don't have a direction, are in both branches. Then the split is between tcp/udp and the other protocols. For tcp and udp port lists are used. For the other protocols, grouping is simply per protocol. The ports used are the destination ports for toserver sigs and source ports for toclient sigs.
11 years ago
DetectPort *sghport = DetectPortLookupGroup(list, port);
if (sghport != NULL)
sgh = sghport->sh;
detect: debug output
10 years ago
SCLogDebug("TCP list %p, port %u, direction %s, sghport %p, sgh %p",
list, port, f ? "toserver" : "toclient", sghport, sgh);
detect: per port and proto rule grouping Replace tree based approach for rule grouping with a per port (tcp/udp) and per protocol approach. Grouping now looks like: +----+ |icmp+---> +----+ |gre +---> +----+ |esp +---> +----+ other|... | +----->-----+ | |N +---> | +----+ | | tcp +----+ +----+ +----->+ 80 +-->+ 139+--> | +----+ +----+ | | udp +----+ +----+ +---+----->+ 53 +-->+ 135+--> | +----+ +----+ |toserver +---> |toclient | +---> So the first 'split' in the rules is the direction: toserver or toclient. Rules that don't have a direction, are in both branches. Then the split is between tcp/udp and the other protocols. For tcp and udp port lists are used. For the other protocols, grouping is simply per protocol. The ports used are the destination ports for toserver sigs and source ports for toclient sigs.
11 years ago
} else if (proto == IPPROTO_UDP) {
DetectPort *list = de_ctx->flow_gh[f].udp;
uint16_t port = f ? p->dp : p->sp;
DetectPort *sghport = DetectPortLookupGroup(list, port);
if (sghport != NULL)
sgh = sghport->sh;
detect: debug output
10 years ago
SCLogDebug("UDP list %p, port %u, direction %s, sghport %p, sgh %p",
list, port, f ? "toserver" : "toclient", sghport, sgh);
Fix app layer detect to actually work.
16 years ago
} else {
detect: per port and proto rule grouping Replace tree based approach for rule grouping with a per port (tcp/udp) and per protocol approach. Grouping now looks like: +----+ |icmp+---> +----+ |gre +---> +----+ |esp +---> +----+ other|... | +----->-----+ | |N +---> | +----+ | | tcp +----+ +----+ +----->+ 80 +-->+ 139+--> | +----+ +----+ | | udp +----+ +----+ +---+----->+ 53 +-->+ 135+--> | +----+ +----+ |toserver +---> |toclient | +---> So the first 'split' in the rules is the direction: toserver or toclient. Rules that don't have a direction, are in both branches. Then the split is between tcp/udp and the other protocols. For tcp and udp port lists are used. For the other protocols, grouping is simply per protocol. The ports used are the destination ports for toserver sigs and source ports for toclient sigs.
11 years ago
sgh = de_ctx->flow_gh[f].sgh[proto];
Large update containing the first step to making the detection engine use rule groups. Address based rule groups are now implemented.
17 years ago
}
Cleanups
16 years ago
Fix app layer detect to actually work.
16 years ago
SCReturnPtr(sgh, "SigGroupHead");
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
}
Replace build match array with new filter logic Use MPM and non-MPM lists to build our match array. Both lists are sorted, and are merged and sorted into the match array. This disables the old match array building code and thus also bypasses the mask checking.
11 years ago
static inline void DetectPrefilterMergeSort(DetectEngineCtx *de_ctx,
detect: add mask check prefilter for non mpm list Add mask array for non_mpm sigs, so that we can exclude many sigs before we merge sort. Shows 50% less non mpm sigs inspected on average.
11 years ago
DetectEngineThreadCtx *det_ctx)
Replace build match array with new filter logic Use MPM and non-MPM lists to build our match array. Both lists are sorted, and are merged and sorted into the match array. This disables the old match array building code and thus also bypasses the mask checking.
11 years ago
{
Further optimize merging mpm and non-mpm rule ID lists. When reaching the end of either list, merging is no longer required, simply walk down the other list. If the non-MPM list can't have duplicates, it would be worth removing the duplicate check for the non-MPM list when it is the only non-empty list remaining.
11 years ago
SigIntId mpm, nonmpm;
Replace build match array with new filter logic Use MPM and non-MPM lists to build our match array. Both lists are sorted, and are merged and sorted into the match array. This disables the old match array building code and thus also bypasses the mask checking.
11 years ago
det_ctx->match_array_cnt = 0;
Use SigIntId as the type for storing signature IDs (Internal) Previously using uint32_t, but SigIntId is currently uint16_t, so arrays will take less memory.
11 years ago
SigIntId *mpm_ptr = det_ctx->pmq.rule_id_array;
detect: rename non_mpm lists/vars to non_pf Rename to non_pf: non prefilter.
9 years ago
SigIntId *nonmpm_ptr = det_ctx->non_pf_id_array;
Optimize DetectPrefilterMergeSort Fixup rebase changes to remove debug code
11 years ago
uint32_t m_cnt = det_ctx->pmq.rule_id_array_cnt;
detect: rename non_mpm lists/vars to non_pf Rename to non_pf: non prefilter.
9 years ago
uint32_t n_cnt = det_ctx->non_pf_id_cnt;
Further optimize merging mpm and non-mpm rule ID lists. When reaching the end of either list, merging is no longer required, simply walk down the other list. If the non-MPM list can't have duplicates, it would be worth removing the duplicate check for the non-MPM list when it is the only non-empty list remaining.
11 years ago
SigIntId *final_ptr;
uint32_t final_cnt;
SigIntId id;
SigIntId previous_id = (SigIntId)-1;
Signature **sig_array = de_ctx->sig_array;
Signature **match_array = det_ctx->match_array;
Signature *s;
Optimize DetectPrefilterMergeSort Fixup rebase changes to remove debug code
11 years ago
detect: minor cleanup
9 years ago
SCLogDebug("PMQ rule id array count %d", det_ctx->pmq.rule_id_array_cnt);
Optimize DetectPrefilterMergeSort Fixup rebase changes to remove debug code
11 years ago
/* Load first values. */
if (likely(m_cnt)) {
Further optimize merging mpm and non-mpm rule ID lists. When reaching the end of either list, merging is no longer required, simply walk down the other list. If the non-MPM list can't have duplicates, it would be worth removing the duplicate check for the non-MPM list when it is the only non-empty list remaining.
11 years ago
mpm = *mpm_ptr;
} else {
/* mpm list is empty */
final_ptr = nonmpm_ptr;
final_cnt = n_cnt;
goto final;
}
Optimize DetectPrefilterMergeSort Fixup rebase changes to remove debug code
11 years ago
if (likely(n_cnt)) {
Further optimize merging mpm and non-mpm rule ID lists. When reaching the end of either list, merging is no longer required, simply walk down the other list. If the non-MPM list can't have duplicates, it would be worth removing the duplicate check for the non-MPM list when it is the only non-empty list remaining.
11 years ago
nonmpm = *nonmpm_ptr;
} else {
/* non-mpm list is empty. */
final_ptr = mpm_ptr;
final_cnt = m_cnt;
goto final;
}
while (1) {
mpm: improve negated mpm The idea is: if mpm is negated, it's both on mpm and nonmpm sid lists and we can kick it out in that case during the merge sort. It only works for patterns that are 'independent'. This means that the rule doesn't need to only match if the negated mpm pattern is limited to the first 10 bytes for example. Or more generally, an negated mpm pattern that has depth, offset, distance or within settings can't be handled this way. These patterns are not added to the mpm at all, but just to to non-mpm list. This makes sense as they will *always* need manual inspection. Similarly, a pattern that is 'chopped' always needs validation. This is because in this case we only inspect a part of the final pattern.
10 years ago
if (mpm < nonmpm) {
Indentation clean up
11 years ago
/* Take from mpm list */
id = mpm;
s = sig_array[id];
/* As the mpm list can contain duplicates, check for that here. */
if (likely(id != previous_id)) {
*match_array++ = s;
previous_id = id;
}
if (unlikely(--m_cnt == 0)) {
/* mpm list is now empty */
final_ptr = nonmpm_ptr;
mpm: improve negated mpm The idea is: if mpm is negated, it's both on mpm and nonmpm sid lists and we can kick it out in that case during the merge sort. It only works for patterns that are 'independent'. This means that the rule doesn't need to only match if the negated mpm pattern is limited to the first 10 bytes for example. Or more generally, an negated mpm pattern that has depth, offset, distance or within settings can't be handled this way. These patterns are not added to the mpm at all, but just to to non-mpm list. This makes sense as they will *always* need manual inspection. Similarly, a pattern that is 'chopped' always needs validation. This is because in this case we only inspect a part of the final pattern.
10 years ago
final_cnt = n_cnt;
goto final;
Further optimize merging mpm and non-mpm rule ID lists. When reaching the end of either list, merging is no longer required, simply walk down the other list. If the non-MPM list can't have duplicates, it would be worth removing the duplicate check for the non-MPM list when it is the only non-empty list remaining.
11 years ago
}
mpm_ptr++;
mpm = *mpm_ptr;
mpm: improve negated mpm The idea is: if mpm is negated, it's both on mpm and nonmpm sid lists and we can kick it out in that case during the merge sort. It only works for patterns that are 'independent'. This means that the rule doesn't need to only match if the negated mpm pattern is limited to the first 10 bytes for example. Or more generally, an negated mpm pattern that has depth, offset, distance or within settings can't be handled this way. These patterns are not added to the mpm at all, but just to to non-mpm list. This makes sense as they will *always* need manual inspection. Similarly, a pattern that is 'chopped' always needs validation. This is because in this case we only inspect a part of the final pattern.
10 years ago
} else if (mpm > nonmpm) {
Further optimize merging mpm and non-mpm rule ID lists. When reaching the end of either list, merging is no longer required, simply walk down the other list. If the non-MPM list can't have duplicates, it would be worth removing the duplicate check for the non-MPM list when it is the only non-empty list remaining.
11 years ago
id = nonmpm;
s = sig_array[id];
/* As the mpm list can contain duplicates, check for that here. */
if (likely(id != previous_id)) {
*match_array++ = s;
previous_id = id;
}
if (unlikely(--n_cnt == 0)) {
final_ptr = mpm_ptr;
final_cnt = m_cnt;
goto final;
}
nonmpm_ptr++;
nonmpm = *nonmpm_ptr;
mpm: improve negated mpm The idea is: if mpm is negated, it's both on mpm and nonmpm sid lists and we can kick it out in that case during the merge sort. It only works for patterns that are 'independent'. This means that the rule doesn't need to only match if the negated mpm pattern is limited to the first 10 bytes for example. Or more generally, an negated mpm pattern that has depth, offset, distance or within settings can't be handled this way. These patterns are not added to the mpm at all, but just to to non-mpm list. This makes sense as they will *always* need manual inspection. Similarly, a pattern that is 'chopped' always needs validation. This is because in this case we only inspect a part of the final pattern.
10 years ago
} else { /* implied mpm == nonmpm */
/* special case: if on both lists, it's a negated mpm pattern */
/* mpm list may have dups, so skip past them here */
while (--m_cnt != 0) {
mpm_ptr++;
mpm = *mpm_ptr;
if (mpm != nonmpm)
break;
}
/* if mpm is done, update nonmpm_ptrs and jump to final */
if (unlikely(m_cnt == 0)) {
n_cnt--;
/* mpm list is now empty */
final_ptr = ++nonmpm_ptr;
final_cnt = n_cnt;
goto final;
}
/* otherwise, if nonmpm is done jump to final for mpm
* mpm ptrs alrady updated */
if (unlikely(--n_cnt == 0)) {
final_ptr = mpm_ptr;
final_cnt = m_cnt;
goto final;
}
/* not at end of the lists, update nonmpm. Mpm already
* updated in while loop above. */
nonmpm_ptr++;
nonmpm = *nonmpm_ptr;
Indentation clean up
11 years ago
}
Further optimize merging mpm and non-mpm rule ID lists. When reaching the end of either list, merging is no longer required, simply walk down the other list. If the non-MPM list can't have duplicates, it would be worth removing the duplicate check for the non-MPM list when it is the only non-empty list remaining.
11 years ago
}
final: /* Only one list remaining. Just walk that list. */
while (final_cnt-- > 0) {
id = *final_ptr++;
s = sig_array[id];
Replace build match array with new filter logic Use MPM and non-MPM lists to build our match array. Both lists are sorted, and are merged and sorted into the match array. This disables the old match array building code and thus also bypasses the mask checking.
11 years ago
Optimize DetectPrefilterMergeSort Fixup rebase changes to remove debug code
11 years ago
/* As the mpm list can contain duplicates, check for that here. */
if (likely(id != previous_id)) {
*match_array++ = s;
previous_id = id;
}
Replace build match array with new filter logic Use MPM and non-MPM lists to build our match array. Both lists are sorted, and are merged and sorted into the match array. This disables the old match array building code and thus also bypasses the mask checking.
11 years ago
}
Further optimize merging mpm and non-mpm rule ID lists. When reaching the end of either list, merging is no longer required, simply walk down the other list. If the non-MPM list can't have duplicates, it would be worth removing the duplicate check for the non-MPM list when it is the only non-empty list remaining.
11 years ago
Optimize DetectPrefilterMergeSort Fixup rebase changes to remove debug code
11 years ago
det_ctx->match_array_cnt = match_array - det_ctx->match_array;
detect: rename non_mpm lists/vars to non_pf Rename to non_pf: non prefilter.
9 years ago
BUG_ON((det_ctx->pmq.rule_id_array_cnt + det_ctx->non_pf_id_cnt) < det_ctx->match_array_cnt);
Replace build match array with new filter logic Use MPM and non-MPM lists to build our match array. Both lists are sorted, and are merged and sorted into the match array. This disables the old match array building code and thus also bypasses the mask checking.
11 years ago
}
detect: rename non_mpm lists/vars to non_pf Rename to non_pf: non prefilter.
9 years ago
static inline void
DetectPrefilterBuildNonPrefilterList(DetectEngineThreadCtx *det_ctx, SignatureMask mask)
detect: introduce DetectPrefilterBuildNonMpmList Move building of non-mpm list into a separate function, that is inlined for performance reasons.
11 years ago
{
uint32_t x = 0;
detect: rename non_mpm lists/vars to non_pf Rename to non_pf: non prefilter.
9 years ago
for (x = 0; x < det_ctx->non_pf_store_cnt; x++) {
detect: introduce DetectPrefilterBuildNonMpmList Move building of non-mpm list into a separate function, that is inlined for performance reasons.
11 years ago
/* only if the mask matches this rule can possibly match,
* so build the non_mpm array only for match candidates */
detect: rename non_mpm lists/vars to non_pf Rename to non_pf: non prefilter.
9 years ago
SignatureMask rule_mask = det_ctx->non_pf_store_ptr[x].mask;
detect: introduce DetectPrefilterBuildNonMpmList Move building of non-mpm list into a separate function, that is inlined for performance reasons.
11 years ago
if ((rule_mask & mask) == rule_mask) {
detect: rename non_mpm lists/vars to non_pf Rename to non_pf: non prefilter.
9 years ago
det_ctx->non_pf_id_array[det_ctx->non_pf_id_cnt++] = det_ctx->non_pf_store_ptr[x].id;
detect: introduce DetectPrefilterBuildNonMpmList Move building of non-mpm list into a separate function, that is inlined for performance reasons.
11 years ago
}
}
}
detect: split non-mpm list into syn/nosyn Since SYN inspecting rules are expensive, this patch splits the 'non-mpm' list (i.e. the rules that are always considered) into a 'syn' and 'non-syn' list. The SYN list is only inspected if the packet has the SYN flag set, otherwise the non-syn list is used. The syn-list contains _all_ rules. The non-syn list contains all minus the rules requiring the SYN bit in a packet.
10 years ago
/** \internal
* \brief select non-mpm list
* Based on the packet properties, select the non-mpm list to use */
detect: rename non_mpm lists/vars to non_pf Rename to non_pf: non prefilter.
9 years ago
static inline void
DetectPrefilterSetNonPrefilterList(const Packet *p, DetectEngineThreadCtx *det_ctx)
detect: split non-mpm list into syn/nosyn Since SYN inspecting rules are expensive, this patch splits the 'non-mpm' list (i.e. the rules that are always considered) into a 'syn' and 'non-syn' list. The SYN list is only inspected if the packet has the SYN flag set, otherwise the non-syn list is used. The syn-list contains _all_ rules. The non-syn list contains all minus the rules requiring the SYN bit in a packet.
10 years ago
{
if ((p->proto == IPPROTO_TCP) && (p->tcph != NULL) && (p->tcph->th_flags & TH_SYN)) {
detect: rename non_mpm lists/vars to non_pf Rename to non_pf: non prefilter.
9 years ago
det_ctx->non_pf_store_ptr = det_ctx->sgh->non_pf_syn_store_array;
det_ctx->non_pf_store_cnt = det_ctx->sgh->non_pf_syn_store_cnt;
detect: split non-mpm list into syn/nosyn Since SYN inspecting rules are expensive, this patch splits the 'non-mpm' list (i.e. the rules that are always considered) into a 'syn' and 'non-syn' list. The SYN list is only inspected if the packet has the SYN flag set, otherwise the non-syn list is used. The syn-list contains _all_ rules. The non-syn list contains all minus the rules requiring the SYN bit in a packet.
10 years ago
} else {
detect: rename non_mpm lists/vars to non_pf Rename to non_pf: non prefilter.
9 years ago
det_ctx->non_pf_store_ptr = det_ctx->sgh->non_pf_other_store_array;
det_ctx->non_pf_store_cnt = det_ctx->sgh->non_pf_other_store_cnt;
detect: split non-mpm list into syn/nosyn Since SYN inspecting rules are expensive, this patch splits the 'non-mpm' list (i.e. the rules that are always considered) into a 'syn' and 'non-syn' list. The SYN list is only inspected if the packet has the SYN flag set, otherwise the non-syn list is used. The syn-list contains _all_ rules. The non-syn list contains all minus the rules requiring the SYN bit in a packet.
10 years ago
}
detect: rename non_mpm lists/vars to non_pf Rename to non_pf: non prefilter.
9 years ago
SCLogDebug("sgh non_pf ptr %p cnt %u (syn %p/%u, other %p/%u)",
det_ctx->non_pf_store_ptr, det_ctx->non_pf_store_cnt,
det_ctx->sgh->non_pf_syn_store_array, det_ctx->sgh->non_pf_syn_store_cnt,
det_ctx->sgh->non_pf_other_store_array, det_ctx->sgh->non_pf_other_store_cnt);
detect: split non-mpm list into syn/nosyn Since SYN inspecting rules are expensive, this patch splits the 'non-mpm' list (i.e. the rules that are always considered) into a 'syn' and 'non-syn' list. The SYN list is only inspected if the packet has the SYN flag set, otherwise the non-syn list is used. The syn-list contains _all_ rules. The non-syn list contains all minus the rules requiring the SYN bit in a packet.
10 years ago
}
detect: move file flags update into it's own function
9 years ago
/** \internal
* \brief update flow's file tracking flags based on the detection engine
*/
static inline void
DetectPostInspectFileFlagsUpdate(Flow *pflow, const SigGroupHead *sgh, uint8_t direction)
{
/* see if this sgh requires us to consider file storing */
file-store: fix force store
9 years ago
if (!FileForceFilestore() && (sgh == NULL ||
sgh->filestore_cnt == 0))
{
detect: move file flags update into it's own function
9 years ago
FileDisableStoring(pflow, direction);
}
magic: make optional Make libmagic optional. If installed it will be enabled by default in configure. Use --disable-libmagic to disable.
9 years ago
#ifdef HAVE_MAGIC
detect: move file flags update into it's own function
9 years ago
/* see if this sgh requires us to consider file magic */
if (!FileForceMagic() && (sgh == NULL ||
!(sgh->flags & SIG_GROUP_HEAD_HAVEFILEMAGIC)))
{
SCLogDebug("disabling magic for flow");
FileDisableMagic(pflow, direction);
}
magic: make optional Make libmagic optional. If installed it will be enabled by default in configure. Use --disable-libmagic to disable.
9 years ago
#endif
detect: move file flags update into it's own function
9 years ago
/* see if this sgh requires us to consider file md5 */
if (!FileForceMd5() && (sgh == NULL ||
!(sgh->flags & SIG_GROUP_HEAD_HAVEFILEMD5)))
{
SCLogDebug("disabling md5 for flow");
FileDisableMd5(pflow, direction);
}
/* see if this sgh requires us to consider file sha1 */
if (!FileForceSha1() && (sgh == NULL ||
!(sgh->flags & SIG_GROUP_HEAD_HAVEFILESHA1)))
{
SCLogDebug("disabling sha1 for flow");
FileDisableSha1(pflow, direction);
}
/* see if this sgh requires us to consider file sha256 */
if (!FileForceSha256() && (sgh == NULL ||
!(sgh->flags & SIG_GROUP_HEAD_HAVEFILESHA256)))
{
SCLogDebug("disabling sha256 for flow");
FileDisableSha256(pflow, direction);
}
/* see if this sgh requires us to consider filesize */
if (sgh == NULL || !(sgh->flags & SIG_GROUP_HEAD_HAVEFILESIZE))
{
SCLogDebug("disabling filesize for flow");
FileDisableFilesize(pflow, direction);
}
}
detect: add util func for post-inspect tasks on first sgh
9 years ago
static inline void
detect: during detection sgh is read only so turn into const
9 years ago
DetectPostInspectFirstSGH(const Packet *p, Flow *pflow, const SigGroupHead *sgh)
detect: add util func for post-inspect tasks on first sgh
9 years ago
{
if ((p->flowflags & FLOW_PKT_TOSERVER) && !(pflow->flags & FLOW_SGH_TOSERVER)) {
/* first time we see this toserver sgh, store it */
pflow->sgh_toserver = sgh;
pflow->flags |= FLOW_SGH_TOSERVER;
stream: handle no stream scanning case Now that detect moves the raw progress forward, it's important to deal with the case where detect don't consider raw inspection. If no 'stream' rules are active, disable raw. For this the disable raw flag is now per stream.
9 years ago
if (p->proto == IPPROTO_TCP && (sgh == NULL || !(sgh->flags & SIG_GROUP_HEAD_HAVERAWSTREAM))) {
if (pflow->protoctx != NULL) {
TcpSession *ssn = pflow->protoctx;
SCLogDebug("STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.client");
ssn->client.flags |= STREAMTCP_STREAM_FLAG_DISABLE_RAW;
}
}
detect: add util func for post-inspect tasks on first sgh
9 years ago
DetectPostInspectFileFlagsUpdate(pflow,
pflow->sgh_toserver, STREAM_TOSERVER);
} else if ((p->flowflags & FLOW_PKT_TOCLIENT) && !(pflow->flags & FLOW_SGH_TOCLIENT)) {
pflow->sgh_toclient = sgh;
pflow->flags |= FLOW_SGH_TOCLIENT;
stream: handle no stream scanning case Now that detect moves the raw progress forward, it's important to deal with the case where detect don't consider raw inspection. If no 'stream' rules are active, disable raw. For this the disable raw flag is now per stream.
9 years ago
if (p->proto == IPPROTO_TCP && (sgh == NULL || !(sgh->flags & SIG_GROUP_HEAD_HAVERAWSTREAM))) {
if (pflow->protoctx != NULL) {
TcpSession *ssn = pflow->protoctx;
SCLogDebug("STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.server");
ssn->server.flags |= STREAMTCP_STREAM_FLAG_DISABLE_RAW;
}
}
detect: add util func for post-inspect tasks on first sgh
9 years ago
DetectPostInspectFileFlagsUpdate(pflow,
pflow->sgh_toclient, STREAM_TOCLIENT);
}
}
Inspect the reassembled stream together with the packet payload in the same direction.
15 years ago
/**
* \brief Signature match function
Comment SigMatchSignatures a bit.
16 years ago
*/
detect: make SigMatchSignatures void None of the callers cared for it's retval, so get rid of it.
9 years ago
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
{
detect: turn single detect flag into bool
9 years ago
bool use_flow_sgh = false;
Reorganize SigMatchSignatures.
15 years ago
uint8_t alert_flags = 0;
app layer: uint16_t alproto -> AppProto alproto This conversion was missing in a couple of places.
12 years ago
AppProto alproto = ALPROTO_UNKNOWN;
detect: clean up flag usage
10 years ago
uint8_t flow_flags = 0; /* flow/state flags */
detect: constify Signature/SigMatch use at runtime
9 years ago
const Signature *s = NULL;
const Signature *next_s = NULL;
app-layer: use bool for 'HasDecoderEvents'
8 years ago
bool app_decoder_events = false;
detect / stream: new 'raw' stream inspection Remove the 'StreamMsg' approach from the engine. In this approach the stream engine would create a list of chunks for inspection by the detection engine. There were several issues: 1. the messages had a fixed size, so blocks of data bigger than ~4k would be cut into multiple messages 2. it lead to lots of data copying and unnecessary memory use 3. the StreamMsgs used a central pool The Stream engine switched over to the streaming buffer API, which means that the reassembled data is always available. This made the StreamMsg approach even clunkier. The new approach exposes the streaming buffer data to the detection engine. It has to pay attention to an important issue though: packet loss. The data may have gaps. The streaming buffer API tracks the blocks of continuous data. To access the data for inspection a callback approach is used. The 'StreamReassembleRaw' function is called with a callback and data. This way it runs the MPM and individual rule inspection code. At the end of each detection run the stream engine is notified that it can move forward it's 'progress'.
9 years ago
bool has_state = false; /* do we have an alstate to work with? */
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
Fix signatures with ports and/or addresses but without sigmatches.
16 years ago
SCEnter();
Cleanup and rearrange detection code slightly.
15 years ago
SCLogDebug("pcap_cnt %"PRIu64, p->pcap_cnt);
detect: make SigMatchSignatures void None of the callers cared for it's retval, so get rid of it.
9 years ago
#ifdef UNITTESTS
Always reset alert cnt and always increment det_ctx->pkts.
14 years ago
p->alerts.cnt = 0;
detect: make SigMatchSignatures void None of the callers cared for it's retval, so get rid of it.
9 years ago
#endif
det_ctx->ticker++;
file store: respect flowbits and other keywords The filestore keyword until now flagged a file, tx or ssn for storage as soon as the keyword was inspected. This happens before flowbits and some other keywords, so files were stored that weren't supposed to. This patch makes the filestore keyword fill an array in the detect engine thread ctx. Then if the full signature matches, a post-match filestore function makes the store final.
14 years ago
det_ctx->filestore_cnt = 0;
base64_decode, base64_data: decode and match base64
10 years ago
det_ctx->base64_decoded_len = 0;
detect / stream: new 'raw' stream inspection Remove the 'StreamMsg' approach from the engine. In this approach the stream engine would create a list of chunks for inspection by the detection engine. There were several issues: 1. the messages had a fixed size, so blocks of data bigger than ~4k would be cut into multiple messages 2. it lead to lots of data copying and unnecessary memory use 3. the StreamMsgs used a central pool The Stream engine switched over to the streaming buffer API, which means that the reassembled data is always available. This made the StreamMsg approach even clunkier. The new approach exposes the streaming buffer data to the detection engine. It has to pay attention to an important issue though: packet loss. The data may have gaps. The streaming buffer API tracks the blocks of continuous data. To access the data for inspection a callback approach is used. The 'StreamReassembleRaw' function is called with a callback and data. This way it runs the MPM and individual rule inspection code. At the end of each detection run the stream engine is notified that it can move forward it's 'progress'.
9 years ago
det_ctx->raw_stream_progress = 0;
base64_decode, base64_data: decode and match base64
10 years ago
stream inspection: add debug counters
8 years ago
#ifdef DEBUG
if (p->flags & PKT_STREAM_ADD) {
det_ctx->pkt_stream_add_cnt++;
}
#endif
Reorganize SigMatchSignatures.
15 years ago
/* No need to perform any detection on this packet, if the the given flag is set.*/
if (p->flags & PKT_NOPACKET_INSPECTION) {
detect: make SigMatchSignatures void None of the callers cared for it's retval, so get rid of it.
9 years ago
SCReturn;
Reorganize SigMatchSignatures.
15 years ago
}
Mark pflow as a constant pointer. Address review comment from Victor that the pflow pointer is constant, so it can be marked as such.
12 years ago
/* Load the Packet's flow early, even though it might not be needed.
* Mark as a constant pointer, although the flow can change.
*/
Flow * const pflow = p->flow;
Use pflow variable in place of p->flow to prevent reloading. In SigMatchSignatures, the value p->flow doens't change, but GCC can't figure that out, so it reloads p->flow many times during the function. When p->flow is loaded into the variable pflow once at the start of the function, the compile then doesn't need to reload it.
12 years ago
Merge applayer detect function into normal match function. Should speed up detection.
16 years ago
/* grab the protocol state we will detect on */
Many small performance updates.
15 years ago
if (p->flags & PKT_HAS_FLOW) {
detect: clean up flag usage
10 years ago
if (p->flowflags & FLOW_PKT_TOSERVER) {
flow_flags = STREAM_TOSERVER;
SCLogDebug("flag STREAM_TOSERVER set");
} else if (p->flowflags & FLOW_PKT_TOCLIENT) {
flow_flags = STREAM_TOCLIENT;
SCLogDebug("flag STREAM_TOCLIENT set");
}
SCLogDebug("p->flowflags 0x%02x", p->flowflags);
Make sure we inspect all outstanding reassembled stream chunks (smsg) if the stream is shutting down. Make sure to do inspect signatures that use dsize against the tcp packet payload, even if that payload was already added to the stream. Likewise, the dsize signatures are not inspected against the reassembled stream.
15 years ago
if (p->flags & PKT_STREAM_EOF) {
detect: clean up flag usage
10 years ago
flow_flags |= STREAM_EOF;
Make sure we inspect all outstanding reassembled stream chunks (smsg) if the stream is shutting down. Make sure to do inspect signatures that use dsize against the tcp packet payload, even if that payload was already added to the stream. Likewise, the dsize signatures are not inspected against the reassembled stream.
15 years ago
SCLogDebug("STREAM_EOF set");
}
detect: style cleanup
8 years ago
/* store tenant_id in the flow so that we can use it
* for creating pseudo packets */
if (p->tenant_id > 0 && pflow->tenant_id == 0) {
pflow->tenant_id = p->tenant_id;
}
multi-detect: set tenant id on pseudo packets Store the tenant id in the flow and use the stored id when setting up pesudo packets. For tunnel and defrag packets, get tenant from parent. This will only pass tenant_id's set at capture time. For defrag packets, the tenant selector based on vlan id will still work as the vlan id(s) are stored in the defrag tracker before being passed on.
10 years ago
detect: style cleanup
8 years ago
/* live ruleswap check for flow updates */
if (pflow->de_ctx_version == 0) {
/* first time this flow is inspected, set id */
pflow->de_ctx_version = de_ctx->version;
} else if (pflow->de_ctx_version != de_ctx->version) {
/* first time we inspect flow with this de_ctx, reset */
pflow->flags &= ~FLOW_SGH_TOSERVER;
pflow->flags &= ~FLOW_SGH_TOCLIENT;
pflow->sgh_toserver = NULL;
pflow->sgh_toclient = NULL;
pflow->de_ctx_version = de_ctx->version;
GenericVarFree(pflow->flowvar);
pflow->flowvar = NULL;
DetectEngineStateResetTxs(pflow);
}
Simplify flow resetting on de_ctx update. Detect ctx id starts at 1. So in a flow 0 means uninitialized (thus set) and if we detect flow is not equal to detect id, we reset the sgh storage and de_state.
14 years ago
detect: style cleanup
8 years ago
/* set the iponly stuff */
if (pflow->flags & FLOW_TOCLIENT_IPONLY_SET)
p->flowflags |= FLOW_PKT_TOCLIENT_IPONLY_SET;
if (pflow->flags & FLOW_TOSERVER_IPONLY_SET)
p->flowflags |= FLOW_PKT_TOSERVER_IPONLY_SET;
/* Get the stored sgh from the flow (if any). Make sure we're not using
* the sgh for icmp error packets part of the same stream. */
if (IP_GET_IPPROTO(p) == pflow->proto) { /* filter out icmp */
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);
if ((p->flowflags & FLOW_PKT_TOSERVER) && (pflow->flags & FLOW_SGH_TOSERVER)) {
det_ctx->sgh = pflow->sgh_toserver;
SCLogDebug("det_ctx->sgh = pflow->sgh_toserver; => %p", det_ctx->sgh);
use_flow_sgh = true;
} else if ((p->flowflags & FLOW_PKT_TOCLIENT) && (pflow->flags & FLOW_SGH_TOCLIENT)) {
det_ctx->sgh = pflow->sgh_toclient;
SCLogDebug("det_ctx->sgh = pflow->sgh_toclient; => %p", det_ctx->sgh);
use_flow_sgh = true;
Make sure ICMP unreach packets are not inspected against the flow sgh as it's for the original protocol, not for the ICMP packet. Fixes #174.
15 years ago
}
detect: style cleanup
8 years ago
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);
}
Make sure we inspect all outstanding reassembled stream chunks (smsg) if the stream is shutting down. Make sure to do inspect signatures that use dsize against the tcp packet payload, even if that payload was already added to the stream. Likewise, the dsize signatures are not inspected against the reassembled stream.
15 years ago
detect: style cleanup
8 years ago
/* Retrieve the app layer state and protocol and the tcp reassembled
* stream chunks. */
if ((p->proto == IPPROTO_TCP && (p->flags & PKT_STREAM_EST)) ||
UDP: inspection app layer state as soon as we have it.
12 years ago
(p->proto == IPPROTO_UDP) ||
Added parentheses to fix Eclipse static code analysis Fixed bug in action priority (REJECT_DST had lowest prio)
13 years ago
(p->proto == IPPROTO_SCTP && (p->flowflags & FLOW_PKT_ESTABLISHED)))
detect: style cleanup
8 years ago
{
/* update flow flags with knowledge on disruptions */
flow_flags = FlowGetDisruptionFlags(pflow, flow_flags);
has_state = (FlowGetAppState(pflow) != NULL);
alproto = FlowGetAppProtocol(pflow);
if (p->proto == IPPROTO_TCP && pflow->protoctx &&
detect / stream: new 'raw' stream inspection Remove the 'StreamMsg' approach from the engine. In this approach the stream engine would create a list of chunks for inspection by the detection engine. There were several issues: 1. the messages had a fixed size, so blocks of data bigger than ~4k would be cut into multiple messages 2. it lead to lots of data copying and unnecessary memory use 3. the StreamMsgs used a central pool The Stream engine switched over to the streaming buffer API, which means that the reassembled data is always available. This made the StreamMsg approach even clunkier. The new approach exposes the streaming buffer data to the detection engine. It has to pay attention to an important issue though: packet loss. The data may have gaps. The streaming buffer API tracks the blocks of continuous data. To access the data for inspection a callback approach is used. The 'StreamReassembleRaw' function is called with a callback and data. This way it runs the MPM and individual rule inspection code. At the end of each detection run the stream engine is notified that it can move forward it's 'progress'.
9 years ago
StreamReassembleRawHasDataReady(pflow->protoctx, p)) {
detect: style cleanup
8 years ago
p->flags |= PKT_DETECT_HAS_STREAMDATA;
Reorganize SigMatchSignatures.
15 years ago
}
detect: style cleanup
8 years ago
SCLogDebug("alstate %s, alproto %u", has_state ? "true" : "false", alproto);
} else {
SCLogDebug("packet doesn't have established flag set (proto %d)", p->proto);
Store stream msgs processed by the app layer in the tcp session so they can be inspected by the detection module as well. The detection module returns them to the pool.
15 years ago
}
Merge applayer detect function into normal match function. Should speed up detection.
16 years ago
detect: style cleanup
8 years ago
app_decoder_events = AppLayerParserHasDecoderEvents(pflow,
pflow->alstate,
pflow->alparser,
flow_flags);
Added parentheses to fix Eclipse static code analysis Fixed bug in action priority (REJECT_DST had lowest prio)
13 years ago
if (((p->flowflags & FLOW_PKT_TOSERVER) && !(p->flowflags & FLOW_PKT_TOSERVER_IPONLY_SET)) ||
((p->flowflags & FLOW_PKT_TOCLIENT) && !(p->flowflags & FLOW_PKT_TOCLIENT_IPONLY_SET)))
Reorganize SigMatchSignatures.
15 years ago
{
Many small performance updates.
15 years ago
SCLogDebug("testing against \"ip-only\" signatures");
Add icmp flow handling.
16 years ago
Profiling: add accounting for several detection phases.
14 years ago
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_IPONLY);
add flowbits:set; only sigs to be treated as ip only
14 years ago
IPOnlyMatchPacket(th_v, de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);
Profiling: add accounting for several detection phases.
14 years ago
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_IPONLY);
detect: simplify flow locking To simplify locking, move all locking out of the individual detect code. Instead at the start of detection lock the flow, and at the end of detection unlock it. The lua code can be called without a lock still (from the output code paths), so still pass around a lock hint to take care of this.
9 years ago
/* save in the flow that we scanned this direction... */
Use pflow variable in place of p->flow to prevent reloading. In SigMatchSignatures, the value p->flow doens't change, but GCC can't figure that out, so it reloads p->flow many times during the function. When p->flow is loaded into the variable pflow once at the start of the function, the compile then doesn't need to reload it.
12 years ago
FlowSetIPOnlyFlag(pflow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
Reorganize SigMatchSignatures.
15 years ago
Added parentheses to fix Eclipse static code analysis Fixed bug in action priority (REJECT_DST had lowest prio)
13 years ago
} else if (((p->flowflags & FLOW_PKT_TOSERVER) &&
Use pflow variable in place of p->flow to prevent reloading. In SigMatchSignatures, the value p->flow doens't change, but GCC can't figure that out, so it reloads p->flow many times during the function. When p->flow is loaded into the variable pflow once at the start of the function, the compile then doesn't need to reload it.
12 years ago
(pflow->flags & FLOW_TOSERVER_IPONLY_SET)) ||
Added parentheses to fix Eclipse static code analysis Fixed bug in action priority (REJECT_DST had lowest prio)
13 years ago
((p->flowflags & FLOW_PKT_TOCLIENT) &&
Use pflow variable in place of p->flow to prevent reloading. In SigMatchSignatures, the value p->flow doens't change, but GCC can't figure that out, so it reloads p->flow many times during the function. When p->flow is loaded into the variable pflow once at the start of the function, the compile then doesn't need to reload it.
12 years ago
(pflow->flags & FLOW_TOCLIENT_IPONLY_SET)))
Reorganize SigMatchSignatures.
15 years ago
{
Many small performance updates.
15 years ago
/* If we have a drop from IP only module,
* we will drop the rest of the flow packets
* This will apply only to inline/IPS */
Use pflow variable in place of p->flow to prevent reloading. In SigMatchSignatures, the value p->flow doens't change, but GCC can't figure that out, so it reloads p->flow many times during the function. When p->flow is loaded into the variable pflow once at the start of the function, the compile then doesn't need to reload it.
12 years ago
if (pflow->flags & FLOW_ACTION_DROP)
Many small performance updates.
15 years ago
{
alert_flags = PACKET_ALERT_FLAG_DROP_FLOW;
Use PACKET_* macro instead of UPDATE Setting the ACTION_DROP flag can be done via PACKET_DROP instead of using PACKET_UPDATE_ACTION.
12 years ago
PACKET_DROP(p);
Many small performance updates.
15 years ago
}
Drop streams on inline mode when a drop rule match from a reassembled stream and/or app layer inspection
15 years ago
}
Reorganize SigMatchSignatures.
15 years ago
detect: turn single detect flag into bool
9 years ago
if (!(use_flow_sgh)) {
Profiling: add accounting for several detection phases.
14 years ago
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);
detect: constify rule group lookup
8 years ago
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, p);
Profiling: add accounting for several detection phases.
14 years ago
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);
Reorganize SigMatchSignatures.
15 years ago
}
Fix HTTP state and raw stream not being inspected at the same time. Adds an exception to transaction id handling for HTTP.
14 years ago
doc: create http support group This patch create an httplayer group and adds related files to it. It also fixes some typo in documentation string and format.
14 years ago
} else { /* p->flags & PKT_HAS_FLOW */
Many small performance updates.
15 years ago
/* no flow */
Profiling: add accounting for several detection phases.
14 years ago
IP Only Engine using radix trees
16 years ago
/* Even without flow we should match the packet src/dst */
Profiling: add accounting for several detection phases.
14 years ago
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_IPONLY);
add flowbits:set; only sigs to be treated as ip only
14 years ago
IPOnlyMatchPacket(th_v, de_ctx, det_ctx, &de_ctx->io_ctx,
&det_ctx->io_ctx, p);
Profiling: add accounting for several detection phases.
14 years ago
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_IPONLY);
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
Profiling: add accounting for several detection phases.
14 years ago
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);
detect: constify rule group lookup
8 years ago
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, p);
Profiling: add accounting for several detection phases.
14 years ago
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);
Remove dsize grouping from detection engine grouping reducing memory usage. Store sgh in flow to reduce lookups. Reduce locking in alert handling. Increase default grouping values as we use less memory.
15 years ago
}
Reorganize SigMatchSignatures.
15 years ago
Large detection engine update.
17 years ago
/* if we didn't get a sig group head, we
* have nothing to do.... */
Rename all pmt->det_ctx.
16 years ago
if (det_ctx->sgh == NULL) {
Fix signatures with ports and/or addresses but without sigmatches.
16 years ago
SCLogDebug("no sgh for this packet, nothing to match against");
Merge applayer detect function into normal match function. Should speed up detection.
16 years ago
goto end;
Large detection engine update.
17 years ago
}
detect: rename non_mpm lists/vars to non_pf Rename to non_pf: non prefilter.
9 years ago
DetectPrefilterSetNonPrefilterList(p, det_ctx);
detect: split non-mpm list into syn/nosyn Since SYN inspecting rules are expensive, this patch splits the 'non-mpm' list (i.e. the rules that are always considered) into a 'syn' and 'non-syn' list. The SYN list is only inspected if the packet has the SYN flag set, otherwise the non-syn list is used. The syn-list contains _all_ rules. The non-syn list contains all minus the rules requiring the SYN bit in a packet.
10 years ago
detect: more detailed state profiling
8 years ago
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_STATEFUL_CONT);
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
/* stateful app layer detection */
detect: fix alstate handling Previously, the alstate use in the main detect loop was unsafe. The alstate pointer would be set duing a lock, but it would again be used after one or more lock/unlock cycles. If the data pointed to would disappear, a dangling pointer would be the result. Due to they way flows are cleaned up using reference counting and such, changes of this happening were very small. However, at least one path can lead to this situation. So it had to be fixed.
11 years ago
if ((p->flags & PKT_HAS_FLOW) && has_state) {
Many small performance updates.
15 years ago
memset(det_ctx->de_state_sig_array, 0x00, det_ctx->de_state_sig_array_len);
detect: simplify state detect code: remove unused params
9 years ago
int has_inspectable_state = DeStateFlowHasInspectableState(pflow, flow_flags);
detect: fix alstate handling Previously, the alstate use in the main detect loop was unsafe. The alstate pointer would be set duing a lock, but it would again be used after one or more lock/unlock cycles. If the data pointed to would disappear, a dangling pointer would be the result. Due to they way flows are cleaned up using reference counting and such, changes of this happening were very small. However, at least one path can lead to this situation. So it had to be fixed.
11 years ago
if (has_inspectable_state == 1) {
detect-state: handle duplicate inspect/match If for a packet we have a TX N that has detect state and a TX N+1 that has no detect state, but does have 'progress', we have a corner case in stateful detection. ContinueDetection inspects TX N, but cannot flag the rule in the de_state_sig_array as the next (TX N+1) has already started and needs to be inspected. 'StartDetection' however, is then unaware of the fact that ContinueDetection already inspected the rule. It uses the per session 'inspect_id' that is only moved forward at the end of the detection run. This patch adds a workaround. It uses the DetectEngineThreadCtx:: de_state_sig_array to store an offset between the 'base' inspect_id and the inspect_id that StartDetection should use. The data type is limited, so if the offset would be too big, a search based fall back is implemented as well.
10 years ago
/* initialize to 0(DE_STATE_MATCH_HAS_NEW_STATE) */
Use pflow variable in place of p->flow to prevent reloading. In SigMatchSignatures, the value p->flow doens't change, but GCC can't figure that out, so it reloads p->flow many times during the function. When p->flow is loaded into the variable pflow once at the start of the function, the compile then doesn't need to reload it.
12 years ago
DeStateDetectContinueDetection(th_v, de_ctx, det_ctx, p, pflow,
detect: remove unused alversion logic
9 years ago
flow_flags, alproto);
Many small performance updates.
15 years ago
}
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
}
detect: more detailed state profiling
8 years ago
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_STATEFUL_CONT);
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
code refactoring. Call mpmprefilter slightly later than where it's called atm
13 years ago
/* create our prefilter mask */
SignatureMask mask = 0;
detect / stream: new 'raw' stream inspection Remove the 'StreamMsg' approach from the engine. In this approach the stream engine would create a list of chunks for inspection by the detection engine. There were several issues: 1. the messages had a fixed size, so blocks of data bigger than ~4k would be cut into multiple messages 2. it lead to lots of data copying and unnecessary memory use 3. the StreamMsgs used a central pool The Stream engine switched over to the streaming buffer API, which means that the reassembled data is always available. This made the StreamMsg approach even clunkier. The new approach exposes the streaming buffer data to the detection engine. It has to pay attention to an important issue though: packet loss. The data may have gaps. The streaming buffer API tracks the blocks of continuous data. To access the data for inspection a callback approach is used. The 'StreamReassembleRaw' function is called with a callback and data. This way it runs the MPM and individual rule inspection code. At the end of each detection run the stream engine is notified that it can move forward it's 'progress'.
9 years ago
PacketCreateMask(p, &mask, alproto, has_state, app_decoder_events);
code refactoring. Call mpmprefilter slightly later than where it's called atm
13 years ago
detect: rename non_mpm lists/vars to non_pf Rename to non_pf: non prefilter.
9 years ago
/* build and prefilter non_pf list against the mask of the packet */
detect: add profiling for non-mpm list build & filter
11 years ago
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_NONMPMLIST);
detect: rename non_mpm lists/vars to non_pf Rename to non_pf: non prefilter.
9 years ago
det_ctx->non_pf_id_cnt = 0;
if (likely(det_ctx->non_pf_store_cnt > 0)) {
DetectPrefilterBuildNonPrefilterList(det_ctx, mask);
detect: add mask check prefilter for non mpm list Add mask array for non_mpm sigs, so that we can exclude many sigs before we merge sort. Shows 50% less non mpm sigs inspected on average.
11 years ago
}
detect: add profiling for non-mpm list build & filter
11 years ago
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_NONMPMLIST);
detect: add mask check prefilter for non mpm list Add mask array for non_mpm sigs, so that we can exclude many sigs before we merge sort. Shows 50% less non mpm sigs inspected on average.
11 years ago
profiling: support prefilter engines
9 years ago
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PREFILTER);
prefilter: introduce prefilter engines Introduce abstraction layer for prefilter engines.
9 years ago
/* run the prefilter engines */
Prefilter(det_ctx, det_ctx->sgh, p, flow_flags, has_state);
profiling: more prefilter profiling
9 years ago
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PF_SORT2);
profiling: support prefilter engines
9 years ago
DetectPrefilterMergeSort(de_ctx, det_ctx);
profiling: more prefilter profiling
9 years ago
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PF_SORT2);
profiling: support prefilter engines
9 years ago
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PREFILTER);
prefilter: introduce prefilter engines Introduce abstraction layer for prefilter engines.
9 years ago
Conditionalize SigMatch performance counters. Only include the counters when PROFILING.
11 years ago
#ifdef PROFILING
if (th_v) {
counters: s/SCPerfCounterAddUI64/StatsAddUI64/g
10 years ago
StatsAddUI64(th_v, det_ctx->counter_mpm_list,
Conditionalize SigMatch performance counters. Only include the counters when PROFILING.
11 years ago
(uint64_t)det_ctx->pmq.rule_id_array_cnt);
counters: s/SCPerfCounterAddUI64/StatsAddUI64/g
10 years ago
StatsAddUI64(th_v, det_ctx->counter_nonmpm_list,
detect: rename non_mpm lists/vars to non_pf Rename to non_pf: non prefilter.
9 years ago
(uint64_t)det_ctx->non_pf_store_cnt);
detect: add mask check prefilter for non mpm list Add mask array for non_mpm sigs, so that we can exclude many sigs before we merge sort. Shows 50% less non mpm sigs inspected on average.
11 years ago
/* non mpm sigs after mask prefilter */
counters: s/SCPerfCounterAddUI64/StatsAddUI64/g
10 years ago
StatsAddUI64(th_v, det_ctx->counter_fnonmpm_list,
detect: rename non_mpm lists/vars to non_pf Rename to non_pf: non prefilter.
9 years ago
(uint64_t)det_ctx->non_pf_id_cnt);
Conditionalize SigMatch performance counters. Only include the counters when PROFILING.
11 years ago
}
#endif
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
Profiling: add accounting for several detection phases.
14 years ago
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_RULES);
Large update containing the first step to making the detection engine use rule groups. Address based rule groups are now implemented.
17 years ago
/* inspect the sigs against the packet */
Prefetch the next signature pointer Read one signature pointer ahead to prefetch the value. Use a variable, sflags, for s->flags, since it is used many times and the compiles doesn't know that the signatures structure doesn't change, so it will reload s->flags.
11 years ago
/* Prefetch the next signature. */
SigIntId match_cnt = det_ctx->match_array_cnt;
Conditionalize SigMatch performance counters. Only include the counters when PROFILING.
11 years ago
#ifdef PROFILING
if (th_v) {
counters: s/SCPerfCounterAddUI64/StatsAddUI64/g
10 years ago
StatsAddUI64(th_v, det_ctx->counter_match_list,
Conditionalize SigMatch performance counters. Only include the counters when PROFILING.
11 years ago
(uint64_t)match_cnt);
}
#endif
Prefetch the next signature pointer Read one signature pointer ahead to prefetch the value. Use a variable, sflags, for s->flags, since it is used many times and the compiles doesn't know that the signatures structure doesn't change, so it will reload s->flags.
11 years ago
Signature **match_array = det_ctx->match_array;
profiling: initial rulegroup tracking Per rule group tracking of checks, use of lists, mpm matches, post filter counts. Logs SGH id so it can be compared with the rule_group.json output. Implemented both in a human readable text format and a JSON format.
10 years ago
SGH_PROFILING_RECORD(det_ctx, det_ctx->sgh);
profiling: output post-prefilter matches Dump a json record containing all sigs that need to be inspected after prefilter. Part of profiling. Only dump if threshold is met, which is currently set by: --set detect.profiling.inspect-logging-threshold=200 A file called packet_inspected_rules.json is created in the default log dir.
10 years ago
#ifdef PROFILING
profiling: fix compilation if libjansson is missing
9 years ago
#ifdef HAVE_LIBJANSSON
profiling: output post-prefilter matches Dump a json record containing all sigs that need to be inspected after prefilter. Part of profiling. Only dump if threshold is met, which is currently set by: --set detect.profiling.inspect-logging-threshold=200 A file called packet_inspected_rules.json is created in the default log dir.
10 years ago
if (match_cnt >= de_ctx->profile_match_logging_threshold)
RulesDumpMatchArray(det_ctx, p);
profiling: fix compilation if libjansson is missing
9 years ago
#endif
profiling: output post-prefilter matches Dump a json record containing all sigs that need to be inspected after prefilter. Part of profiling. Only dump if threshold is met, which is currently set by: --set detect.profiling.inspect-logging-threshold=200 A file called packet_inspected_rules.json is created in the default log dir.
10 years ago
#endif
Prefetch the next signature pointer Read one signature pointer ahead to prefetch the value. Use a variable, sflags, for s->flags, since it is used many times and the compiles doesn't know that the signatures structure doesn't change, so it will reload s->flags.
11 years ago
uint32_t sflags, next_sflags = 0;
if (match_cnt) {
Indentation clean up
11 years ago
next_s = *match_array++;
next_sflags = next_s->flags;
Prefetch the next signature pointer Read one signature pointer ahead to prefetch the value. Use a variable, sflags, for s->flags, since it is used many times and the compiles doesn't know that the signatures structure doesn't change, so it will reload s->flags.
11 years ago
}
while (match_cnt--) {
profiling: conditional rule profiling Add support for conditional rule profiling. Currently only simple rate limiting is supported, but hardcoded to inspecting rules for each packet.
12 years ago
RULE_PROFILING_START(p);
detect: minor cleanup
8 years ago
bool state_alert = false;
profiling: fix 'match' counter sometimes not incrementing. #460.
13 years ago
#ifdef PROFILING
detect: minor profiling cleanup
8 years ago
bool smatch = false; /* signature match */
profiling: fix 'match' counter sometimes not incrementing. #460.
13 years ago
#endif
Prefetch the next signature pointer Read one signature pointer ahead to prefetch the value. Use a variable, sflags, for s->flags, since it is used many times and the compiles doesn't know that the signatures structure doesn't change, so it will reload s->flags.
11 years ago
s = next_s;
sflags = next_sflags;
if (match_cnt) {
Indentation clean up
11 years ago
next_s = *match_array++;
next_sflags = next_s->flags;
Prefetch the next signature pointer Read one signature pointer ahead to prefetch the value. Use a variable, sflags, for s->flags, since it is used many times and the compiles doesn't know that the signatures structure doesn't change, so it will reload s->flags.
11 years ago
}
detect: make SigMatchSignatures void None of the callers cared for it's retval, so get rid of it.
9 years ago
const uint8_t s_proto_flags = s->proto.flags;
Prefetch the next signature pointer Read one signature pointer ahead to prefetch the value. Use a variable, sflags, for s->flags, since it is used many times and the compiles doesn't know that the signatures structure doesn't change, so it will reload s->flags.
11 years ago
Fix signatures with ports and/or addresses but without sigmatches.
16 years ago
SCLogDebug("inspecting signature id %"PRIu32"", s->id);
Remove flowbits as a mask prefilter as they are dynamic. Add a dynamic check.
15 years ago
detect: change mask logic Previously the MPM/Prefilter engines would suggest the same rule candidates multiple times. For example, while processing the request body, the http headers would be inspected by MPM multiple times. The mask check was one way to quickly decide which rules could be skipped. Now that the MPM engines normally return a rule just once, this mask check no longer makes sense. If the rule meets the ip/port/ direction based conditions, it needs to be evaluated if the MPM said so. Even if not all conditions are yet true. WIP disable mask as it no longer makes sense WIP redo mask match
8 years ago
if (sflags & SIG_FLAG_STATE_MATCH) {
if (det_ctx->de_state_sig_array[s->num] & DE_STATE_MATCH_NO_NEW_STATE)
goto next;
} else {
/* don't run mask check for stateful rules.
* There we depend on prefilter */
if ((s->mask & mask) != s->mask) {
SCLogDebug("mask mismatch %x & %x != %x", s->mask, mask, s->mask);
goto next;
}
if (unlikely(sflags & SIG_FLAG_DSIZE)) {
if (likely(p->payload_len < s->dsize_low || p->payload_len > s->dsize_high)) {
SCLogDebug("kicked out as p->payload_len %u, dsize low %u, hi %u",
p->payload_len, s->dsize_low, s->dsize_high);
goto next;
}
}
}
Start rule inspect with mask check
11 years ago
detect: move checks from prefilter to rule detect Move the prefilter checks to the main detect loop.
11 years ago
/* if the sig has alproto and the session as well they should match */
Prefetch the next signature pointer Read one signature pointer ahead to prefetch the value. Use a variable, sflags, for s->flags, since it is used many times and the compiles doesn't know that the signatures structure doesn't change, so it will reload s->flags.
11 years ago
if (likely(sflags & SIG_FLAG_APPLAYER)) {
detect: move checks from prefilter to rule detect Move the prefilter checks to the main detect loop.
11 years ago
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != alproto) {
if (s->alproto == ALPROTO_DCERPC) {
if (alproto != ALPROTO_SMB && alproto != ALPROTO_SMB2) {
SCLogDebug("DCERPC sig, alproto not SMB or SMB2");
goto next;
}
} else {
SCLogDebug("alproto mismatch");
goto next;
}
}
}
Remove flowbits as a mask prefilter as they are dynamic. Add a dynamic check.
15 years ago
/* check if this signature has a requirement for flowvars of some type
* and if so, if we actually have any in the flow. If not, the sig
* can't match and we skip it. */
Prefetch the next signature pointer Read one signature pointer ahead to prefetch the value. Use a variable, sflags, for s->flags, since it is used many times and the compiles doesn't know that the signatures structure doesn't change, so it will reload s->flags.
11 years ago
if ((p->flags & PKT_HAS_FLOW) && (sflags & SIG_FLAG_REQUIRE_FLOWVAR)) {
Use pflow variable in place of p->flow to prevent reloading. In SigMatchSignatures, the value p->flow doens't change, but GCC can't figure that out, so it reloads p->flow many times during the function. When p->flow is loaded into the variable pflow once at the start of the function, the compile then doesn't need to reload it.
12 years ago
int m = pflow->flowvar ? 1 : 0;
Remove flowbits as a mask prefilter as they are dynamic. Add a dynamic check.
15 years ago
/* no flowvars? skip this sig */
if (m == 0) {
SCLogDebug("skipping sig as the flow has no flowvars and sig "
Indentation clean up
11 years ago
"has SIG_FLAG_REQUIRE_FLOWVAR flag set.");
Remove flowbits as a mask prefilter as they are dynamic. Add a dynamic check.
15 years ago
goto next;
}
Initial version of a new bitmask based signature pre-filtering method.
15 years ago
}
Remove flowbits as a mask prefilter as they are dynamic. Add a dynamic check.
15 years ago
Prefetch the next signature pointer Read one signature pointer ahead to prefetch the value. Use a variable, sflags, for s->flags, since it is used many times and the compiles doesn't know that the signatures structure doesn't change, so it will reload s->flags.
11 years ago
if ((s_proto_flags & DETECT_PROTO_IPV4) && !PKT_IS_IPV4(p)) {
sig: Add ipv6 and ipv4 to list of protocols With this patch it is possible to do: alert ipv6 any any -> any any or alert ip4 any any -> any any to match on IPv4 or IPv6 packets.
13 years ago
SCLogDebug("ip version didn't match");
goto next;
}
Prefetch the next signature pointer Read one signature pointer ahead to prefetch the value. Use a variable, sflags, for s->flags, since it is used many times and the compiles doesn't know that the signatures structure doesn't change, so it will reload s->flags.
11 years ago
if ((s_proto_flags & DETECT_PROTO_IPV6) && !PKT_IS_IPV6(p)) {
sig: Add ipv6 and ipv4 to list of protocols With this patch it is possible to do: alert ipv6 any any -> any any or alert ip4 any any -> any any to match on IPv4 or IPv6 packets.
13 years ago
SCLogDebug("ip version didn't match");
goto next;
}
Fix for bug 180 (check proto specified at the IP hdr)
15 years ago
if (DetectProtoContainsProto(&s->proto, IP_GET_IPPROTO(p)) == 0) {
Add missing protocol check in the sig matching process. This prevents FP's such as the one reported in bug #209.
15 years ago
SCLogDebug("proto didn't match");
goto next;
}
Prefilter signatures before fully scanning them.
15 years ago
/* check the source & dst port in the sig */
detect: Add sctp detection and parsing. This patch adds the support of SCTP in signature subsystem.
15 years ago
if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP || p->proto == IPPROTO_SCTP) {
Prefetch the next signature pointer Read one signature pointer ahead to prefetch the value. Use a variable, sflags, for s->flags, since it is used many times and the compiles doesn't know that the signatures structure doesn't change, so it will reload s->flags.
11 years ago
if (!(sflags & SIG_FLAG_DP_ANY)) {
In case of fragments, don't consider ports. Bug #847.
12 years ago
if (p->flags & PKT_IS_FRAGMENT)
goto next;
Prefilter signatures before fully scanning them.
15 years ago
DetectPort *dport = DetectPortLookupGroup(s->dp,p->dp);
if (dport == NULL) {
SCLogDebug("dport didn't match.");
Improve detection of app layer, making sure we only handle app layer on 'established' packets. Should really fix #166.
15 years ago
goto next;
Prefilter signatures before fully scanning them.
15 years ago
}
}
Prefetch the next signature pointer Read one signature pointer ahead to prefetch the value. Use a variable, sflags, for s->flags, since it is used many times and the compiles doesn't know that the signatures structure doesn't change, so it will reload s->flags.
11 years ago
if (!(sflags & SIG_FLAG_SP_ANY)) {
In case of fragments, don't consider ports. Bug #847.
12 years ago
if (p->flags & PKT_IS_FRAGMENT)
goto next;
Prefilter signatures before fully scanning them.
15 years ago
DetectPort *sport = DetectPortLookupGroup(s->sp,p->sp);
if (sport == NULL) {
SCLogDebug("sport didn't match.");
Improve detection of app layer, making sure we only handle app layer on 'established' packets. Should really fix #166.
15 years ago
goto next;
Prefilter signatures before fully scanning them.
15 years ago
}
}
Prefetch the next signature pointer Read one signature pointer ahead to prefetch the value. Use a variable, sflags, for s->flags, since it is used many times and the compiles doesn't know that the signatures structure doesn't change, so it will reload s->flags.
11 years ago
} else if ((sflags & (SIG_FLAG_DP_ANY|SIG_FLAG_SP_ANY)) != (SIG_FLAG_DP_ANY|SIG_FLAG_SP_ANY)) {
Fix False Positive of rules with ports on portless protocols In case of 'alert ip' rules that have ports, the port checks would be bypassed for non-port protocols, such as ICMP. This would lead to a rule matching: a false positive. This patch adds a check. If the rule has a port setting other than 'any' and the protocol is not TCP, UDP or SCTP, then we rule won't match. Rules with 'alert ip' and ports are rare, so the impact should be minimal. Bug #611.
12 years ago
SCLogDebug("port-less protocol and sig needs ports");
goto next;
Prefilter signatures before fully scanning them.
15 years ago
}
/* check the destination address */
Prefetch the next signature pointer Read one signature pointer ahead to prefetch the value. Use a variable, sflags, for s->flags, since it is used many times and the compiles doesn't know that the signatures structure doesn't change, so it will reload s->flags.
11 years ago
if (!(sflags & SIG_FLAG_DST_ANY)) {
Make signature address matching more cache efficient.
15 years ago
if (PKT_IS_IPV4(p)) {
if (DetectAddressMatchIPv4(s->addr_dst_match4, s->addr_dst_match4_cnt, &p->dst) == 0)
goto next;
} else if (PKT_IS_IPV6(p)) {
if (DetectAddressMatchIPv6(s->addr_dst_match6, s->addr_dst_match6_cnt, &p->dst) == 0)
goto next;
Prefilter signatures before fully scanning them.
15 years ago
}
}
/* check the source address */
Prefetch the next signature pointer Read one signature pointer ahead to prefetch the value. Use a variable, sflags, for s->flags, since it is used many times and the compiles doesn't know that the signatures structure doesn't change, so it will reload s->flags.
11 years ago
if (!(sflags & SIG_FLAG_SRC_ANY)) {
Make signature address matching more cache efficient.
15 years ago
if (PKT_IS_IPV4(p)) {
if (DetectAddressMatchIPv4(s->addr_src_match4, s->addr_src_match4_cnt, &p->src) == 0)
goto next;
} else if (PKT_IS_IPV6(p)) {
if (DetectAddressMatchIPv6(s->addr_src_match6, s->addr_src_match6_cnt, &p->src) == 0)
goto next;
Prefilter signatures before fully scanning them.
15 years ago
}
}
Remove dsize grouping from detection engine grouping reducing memory usage. Store sgh in flow to reduce lookups. Reduce locking in alert handling. Increase default grouping values as we use less memory.
15 years ago
/* Check the payload keywords. If we are a MPM sig and we've made
* to here, we've had at least one of the patterns match */
detect: improve stateful detection Now that MPM runs when the TX progress is right, stateful detection operates differently. Changes: 1. raw stream inspection is now also an inspect engine Since this engine doesn't take the transactions into account, it could potentially run multiple times on the same data. To avoid this, basic result caching is in place. 2. the engines are sorted by progress, but the 'MPM' engine is first even if the progress is higher If MPM flags a rule to be inspected, the inspect engine for that buffer runs first. If this step fails, the rule is no longer evaluated. No state is stored.
8 years ago
if (!(sflags & SIG_FLAG_STATE_MATCH) && s->sm_arrays[DETECT_SM_LIST_PMATCH] != NULL) {
profiling: per buffer profiling
12 years ago
KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_PMATCH);
Make sure we inspect all outstanding reassembled stream chunks (smsg) if the stream is shutting down. Make sure to do inspect signatures that use dsize against the tcp packet payload, even if that payload was already added to the stream. Likewise, the dsize signatures are not inspected against the reassembled stream.
15 years ago
/* if we have stream msgs, inspect against those first,
* but not for a "dsize" signature */
Prefetch the next signature pointer Read one signature pointer ahead to prefetch the value. Use a variable, sflags, for s->flags, since it is used many times and the compiles doesn't know that the signatures structure doesn't change, so it will reload s->flags.
11 years ago
if (sflags & SIG_FLAG_REQUIRE_STREAM) {
detect / stream: new 'raw' stream inspection Remove the 'StreamMsg' approach from the engine. In this approach the stream engine would create a list of chunks for inspection by the detection engine. There were several issues: 1. the messages had a fixed size, so blocks of data bigger than ~4k would be cut into multiple messages 2. it lead to lots of data copying and unnecessary memory use 3. the StreamMsgs used a central pool The Stream engine switched over to the streaming buffer API, which means that the reassembled data is always available. This made the StreamMsg approach even clunkier. The new approach exposes the streaming buffer data to the detection engine. It has to pay attention to an important issue though: packet loss. The data may have gaps. The streaming buffer API tracks the blocks of continuous data. To access the data for inspection a callback approach is used. The 'StreamReassembleRaw' function is called with a callback and data. This way it runs the MPM and individual rule inspection code. At the end of each detection run the stream engine is notified that it can move forward it's 'progress'.
9 years ago
int pmatch = 0;
if (p->flags & PKT_DETECT_HAS_STREAMDATA) {
pmatch = DetectEngineInspectStreamPayload(de_ctx, det_ctx, s, pflow, p);
if (pmatch) {
det_ctx->flags |= DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH;
/* Tell the engine that this reassembled stream can drop the
* rest of the pkts with no further inspection */
if (s->action & ACTION_DROP)
alert_flags |= PACKET_ALERT_FLAG_DROP_FLOW;
alert_flags |= PACKET_ALERT_FLAG_STREAM_MATCH;
Inspect the reassembled stream together with the packet payload in the same direction.
15 years ago
}
detect / stream: new 'raw' stream inspection Remove the 'StreamMsg' approach from the engine. In this approach the stream engine would create a list of chunks for inspection by the detection engine. There were several issues: 1. the messages had a fixed size, so blocks of data bigger than ~4k would be cut into multiple messages 2. it lead to lots of data copying and unnecessary memory use 3. the StreamMsgs used a central pool The Stream engine switched over to the streaming buffer API, which means that the reassembled data is always available. This made the StreamMsg approach even clunkier. The new approach exposes the streaming buffer data to the detection engine. It has to pay attention to an important issue though: packet loss. The data may have gaps. The streaming buffer API tracks the blocks of continuous data. To access the data for inspection a callback approach is used. The 'StreamReassembleRaw' function is called with a callback and data. This way it runs the MPM and individual rule inspection code. At the end of each detection run the stream engine is notified that it can move forward it's 'progress'.
9 years ago
}
Inspect the reassembled stream together with the packet payload in the same direction.
15 years ago
/* no match? then inspect packet payload */
if (pmatch == 0) {
stream: handle no stream scanning case Now that detect moves the raw progress forward, it's important to deal with the case where detect don't consider raw inspection. If no 'stream' rules are active, disable raw. For this the disable raw flag is now per stream.
9 years ago
SCLogDebug("no match in stream, fall back to packet payload");
Fixes to stream pattern matching.
15 years ago
stream: handle no stream scanning case Now that detect moves the raw progress forward, it's important to deal with the case where detect don't consider raw inspection. If no 'stream' rules are active, disable raw. For this the disable raw flag is now per stream.
9 years ago
/* skip if we don't have to inspect the packet and segment was
* added to stream */
detect / stream: new 'raw' stream inspection Remove the 'StreamMsg' approach from the engine. In this approach the stream engine would create a list of chunks for inspection by the detection engine. There were several issues: 1. the messages had a fixed size, so blocks of data bigger than ~4k would be cut into multiple messages 2. it lead to lots of data copying and unnecessary memory use 3. the StreamMsgs used a central pool The Stream engine switched over to the streaming buffer API, which means that the reassembled data is always available. This made the StreamMsg approach even clunkier. The new approach exposes the streaming buffer data to the detection engine. It has to pay attention to an important issue though: packet loss. The data may have gaps. The streaming buffer API tracks the blocks of continuous data. To access the data for inspection a callback approach is used. The 'StreamReassembleRaw' function is called with a callback and data. This way it runs the MPM and individual rule inspection code. At the end of each detection run the stream engine is notified that it can move forward it's 'progress'.
9 years ago
if (!(sflags & SIG_FLAG_REQUIRE_PACKET) && (p->flags & PKT_STREAM_ADD)) {
goto next;
we now support offset, depth inspection against all packet payloads and stream messages
13 years ago
}
fix detection engine for alert stability. Fix cases where we have multiple rules having same pattern. We should see good perf increase(~5%) with this change, now that we avoid unnecessary inspection"
14 years ago
detect: cleanup Remove unused alstate and app layer flags arguments from DetectEngineInspectPacketPayload()
11 years ago
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, pflow, p) != 1) {
remove support for skipping reinspecting fast pattern contents once again during packet payload inspection. Also make some changes to our detection engine
15 years ago
goto next;
}
detect: simplify negated mpm handling
10 years ago
}
} else {
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, pflow, p) != 1) {
goto next;
Inspect the reassembled stream together with the packet payload in the same direction.
15 years ago
}
}
Remove dsize grouping from detection engine grouping reducing memory usage. Store sgh in flow to reduce lookups. Reduce locking in alert handling. Increase default grouping values as we use less memory.
15 years ago
}
Simplify detection loop. Inspect packet keywords before the state.
14 years ago
/* run the packet match functions */
Create optimized sig_arrays from sig_lists Create a copy of the SigMatch data in the sig_lists linked-lists and store it in an array for faster access and not next and previous pointers. The array is then used when calling the Match() functions. Gives a 7.7% speed up on one test.
11 years ago
if (s->sm_arrays[DETECT_SM_LIST_MATCH] != NULL) {
profiling: per buffer profiling
12 years ago
KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_MATCH);
Create optimized sig_arrays from sig_lists Create a copy of the SigMatch data in the sig_lists linked-lists and store it in an array for faster access and not next and previous pointers. The array is then used when calling the Match() functions. Gives a 7.7% speed up on one test.
11 years ago
SigMatchData *smd = s->sm_arrays[DETECT_SM_LIST_MATCH];
SCLogDebug("running match functions, sm %p", smd);
if (smd != NULL) {
while (1) {
KEYWORD_PROFILING_START;
if (sigmatch_table[smd->type].Match(th_v, det_ctx, p, s, smd->ctx) <= 0) {
KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
detect: debug output
10 years ago
SCLogDebug("no match");
Create optimized sig_arrays from sig_lists Create a copy of the SigMatch data in the sig_lists linked-lists and store it in an array for faster access and not next and previous pointers. The array is then used when calling the Match() functions. Gives a 7.7% speed up on one test.
11 years ago
goto next;
}
KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
detect: debug output
10 years ago
if (smd->is_last) {
SCLogDebug("match and is_last");
Create optimized sig_arrays from sig_lists Create a copy of the SigMatch data in the sig_lists linked-lists and store it in an array for faster access and not next and previous pointers. The array is then used when calling the Match() functions. Gives a 7.7% speed up on one test.
11 years ago
break;
detect: debug output
10 years ago
}
Create optimized sig_arrays from sig_lists Create a copy of the SigMatch data in the sig_lists linked-lists and store it in an array for faster access and not next and previous pointers. The array is then used when calling the Match() functions. Gives a 7.7% speed up on one test.
11 years ago
smd++;
Simplify detection loop. Inspect packet keywords before the state.
14 years ago
}
}
}
Consolidate several signature flags into one.
15 years ago
/* consider stateful sig matches */
Prefetch the next signature pointer Read one signature pointer ahead to prefetch the value. Use a variable, sflags, for s->flags, since it is used many times and the compiles doesn't know that the signatures structure doesn't change, so it will reload s->flags.
11 years ago
if (sflags & SIG_FLAG_STATE_MATCH) {
detect / stream: new 'raw' stream inspection Remove the 'StreamMsg' approach from the engine. In this approach the stream engine would create a list of chunks for inspection by the detection engine. There were several issues: 1. the messages had a fixed size, so blocks of data bigger than ~4k would be cut into multiple messages 2. it lead to lots of data copying and unnecessary memory use 3. the StreamMsgs used a central pool The Stream engine switched over to the streaming buffer API, which means that the reassembled data is always available. This made the StreamMsg approach even clunkier. The new approach exposes the streaming buffer data to the detection engine. It has to pay attention to an important issue though: packet loss. The data may have gaps. The streaming buffer API tracks the blocks of continuous data. To access the data for inspection a callback approach is used. The 'StreamReassembleRaw' function is called with a callback and data. This way it runs the MPM and individual rule inspection code. At the end of each detection run the stream engine is notified that it can move forward it's 'progress'.
9 years ago
if (has_state == false) {
Detection improvements: uricontent escaping now working, better negated pattern (content) handling.
15 years ago
SCLogDebug("state matches but no state, we can't match");
goto next;
}
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
SCLogDebug("stateful app layer match inspection starting");
Store TX id with alerts When generating an alert and storing it in the packet, store the tx_id as well. This way the output modules can log the tx_id and access the proper tx for logging. Issue #904.
12 years ago
/* if DeStateDetectStartDetection matches, it's a full
* signature match. It will then call PacketAlertAppend
* itself, so we can skip it below. This is done so it
* can store the tx_id with the alert */
detect: more detailed state profiling
8 years ago
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_STATEFUL_START);
Store TX id with alerts When generating an alert and storing it in the packet, store the tx_id as well. This way the output modules can log the tx_id and access the proper tx for logging. Issue #904.
12 years ago
state_alert = DeStateDetectStartDetection(th_v, de_ctx, det_ctx, s,
detect: remove unused alversion logic
9 years ago
p, pflow, flow_flags, alproto);
detect: more detailed state profiling
8 years ago
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_STATEFUL_START);
detect: minor cleanup
8 years ago
if (state_alert == false)
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
goto next;
Add packet alert flag to indicate a match happened (partly) in the app layer state. Make unified2 use this flag.
14 years ago
/* match */
Set DROP flag for reject action so in addition to sending the rst, in IPS mode also drop the offending packet.
14 years ago
if (s->action & ACTION_DROP)
Add packet alert flag to indicate a match happened (partly) in the app layer state. Make unified2 use this flag.
14 years ago
alert_flags |= PACKET_ALERT_FLAG_DROP_FLOW;
alert_flags |= PACKET_ALERT_FLAG_STATE_MATCH;
Detection improvements: uricontent escaping now working, better negated pattern (content) handling.
15 years ago
}
profiling: fix 'match' counter sometimes not incrementing. #460.
13 years ago
#ifdef PROFILING
detect: minor profiling cleanup
8 years ago
smatch = true;
profiling: fix 'match' counter sometimes not incrementing. #460.
13 years ago
#endif
Add post-match list, move flowbits set, etc functions to it. Move flowint set, etc functions to it as well.
14 years ago
SigMatchSignaturesRunPostMatch(th_v, de_ctx, det_ctx, p, s);
Adding actions order and suport for rule action "pass"
15 years ago
Prefetch the next signature pointer Read one signature pointer ahead to prefetch the value. Use a variable, sflags, for s->flags, since it is used many times and the compiles doesn't know that the signatures structure doesn't change, so it will reload s->flags.
11 years ago
if (!(sflags & SIG_FLAG_NOALERT)) {
Store TX id with alerts When generating an alert and storing it in the packet, store the tx_id as well. This way the output modules can log the tx_id and access the proper tx for logging. Issue #904.
12 years ago
/* stateful sigs call PacketAlertAppend from DeStateDetectStartDetection */
if (!state_alert)
PacketAlertAppend(det_ctx, s, p, 0, alert_flags);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
} else {
/* apply actions even if not alerting */
detect: fix mix of pass and noalert Noalert rules did not apply pass logic to the flow. Bug #1888.
8 years ago
DetectSignatureApplyActions(p, s, alert_flags);
Initial add of the files.
17 years ago
}
Simplify detection loop. Inspect packet keywords before the state.
14 years ago
next:
pkt-var: abuse flowvar postmatch logic for pktvars Flowvars were already using a temporary store in the detect thread ctx. Use the same facility for pktvars. The reasons are: 1. packet is not always available, e.g. when running pcre on http buffers. 2. setting of vars should be done post match. Until now it was also possible that it is done on a partial match.
9 years ago
DetectVarProcessList(det_ctx, pflow, p);
Check replist is not NULL inline before doing any processing. The replist is often NULL, so it is worth checking that case before making the function call do perform work on the list.
11 years ago
DetectReplaceFree(det_ctx);
profiling: conditional rule profiling Add support for conditional rule profiling. Currently only simple rate limiting is supported, but hardcoded to inspecting rules for each packet.
12 years ago
RULE_PROFILING_END(det_ctx, s, smatch, p);
code cleanup
13 years ago
det_ctx->flags = 0;
add profiling to stateful detection engine + other fixups.
15 years ago
continue;
Initial add of the files.
17 years ago
}
Profiling: add accounting for several detection phases.
14 years ago
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_RULES);
Initial add of the files.
17 years ago
Fix DCERPC over SMB/SMB2 detection issues. Fix not updating transaction id in a stream direction if there was no sgh.
15 years ago
end:
CUDA: Update the inspection engine to inform the cuda module that it doesn't need the gpu results and to release the packet for the next run. Previously the inspection engine wouldn't inform the cuda module, if it didn't need the results. As a consequence, when the packet is next taken for re-use, and if the packet is still being processed by the cuda module, the engine would wait till the cuda module frees the packet. This commits updates this functionality to inform the cuda module to release the packet for the afore-mentioned case.
11 years ago
#ifdef __SC_CUDA_SUPPORT__
CudaReleasePacket(p);
#endif
Fix HTTP state and raw stream not being inspected at the same time. Adds an exception to transaction id handling for HTTP.
14 years ago
/* see if we need to increment the inspect_id and reset the de_state */
detect: fix alstate handling Previously, the alstate use in the main detect loop was unsafe. The alstate pointer would be set duing a lock, but it would again be used after one or more lock/unlock cycles. If the data pointed to would disappear, a dangling pointer would be the result. Due to they way flows are cleaned up using reference counting and such, changes of this happening were very small. However, at least one path can lead to this situation. So it had to be fixed.
11 years ago
if (has_state && AppLayerParserProtocolSupportsTxs(p->proto, alproto)) {
detect: more detailed state profiling
8 years ago
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_STATEFUL_UPDATE);
detect: clean up flag usage
10 years ago
DeStateUpdateInspectTransactionId(pflow, flow_flags);
detect: more detailed state profiling
8 years ago
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_STATEFUL_UPDATE);
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
}
Moving alert logic to detect-engine-alert.c
15 years ago
/* so now let's iterate the alerts and remove the ones after a pass rule
Properly lock flow before setting IP only action flags. Small alert api cleanups.
15 years ago
* matched (if any). This is done inside PacketAlertFinalize() */
Adding tag keyword support
15 years ago
/* PR: installed "tag" keywords are handled after the threshold inspection */
Reorganize SigMatchSignatures.
15 years ago
Profiling: add accounting for several detection phases.
14 years ago
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_ALERT);
Properly lock flow before setting IP only action flags. Small alert api cleanups.
15 years ago
PacketAlertFinalize(de_ctx, det_ctx, p);
Have the detect.alerts counter count actual alerts.
15 years ago
if (p->alerts.cnt > 0) {
counters: s/SCPerfCounterAddUI64/StatsAddUI64/g
10 years ago
StatsAddUI64(th_v, det_ctx->counter_alerts, (uint64_t)p->alerts.cnt);
Have the detect.alerts counter count actual alerts.
15 years ago
}
Profiling: add accounting for several detection phases.
14 years ago
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_ALERT);
Adding actions order and suport for rule action "pass"
15 years ago
Profiling: add accounting for several detection phases.
14 years ago
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_CLEANUP);
Initial add of the files.
17 years ago
/* cleanup pkt specific part of the patternmatcher */
detect/mpm: minor cleanup: remove unused function arg
8 years ago
PacketPatternCleanup(det_ctx);
First iteration of doing app layer detection.
16 years ago
Make sure ICMP unreach packets are not inspected against the flow sgh as it's for the original protocol, not for the ICMP packet. Fixes #174.
15 years ago
/* store the found sgh (or NULL) in the flow to save us from looking it
* up again for the next packet. Also return any stream chunk we processed
* to the pool. */
Many small performance updates.
15 years ago
if (p->flags & PKT_HAS_FLOW) {
detect: fix ICMP error handling issue The first packet in both directions of a flow looks up the rule group (sgh) and stores it in the flow. This makes sure the lookup doesn't have to be performed for each packet. ICMPv4 error messages are connected to the TCP or UDP flow they apply to. In the case of such an ICMP error being the first packet in a flow's direction, this would lead to an issue. The packet would look up the rule group based on the ICMP protocol, not based on the embedded TCP/UDP. This makes sense, as the ICMP packet is inspected as ICMP packet. The consequence however, was that this rule group pointer (sgh) would be stored in the flow. This is wrong, as TCP/UDP packets that follow the ICMP packet would have no sgh or the wrong sgh. In normal traffic this shouldn't normally happen, but it could be used to evade Suricata's inspection.
9 years ago
/* HACK: prevent the wrong sgh (or NULL) from being stored in the
* flow's sgh pointers */
if (PKT_IS_ICMPV4(p) && ICMPV4_DEST_UNREACH_IS_VALID(p)) {
; /* no-op */
detect: turn single detect flag into bool
9 years ago
} else if (!(use_flow_sgh)) {
detect: add util func for post-inspect tasks on first sgh
9 years ago
DetectPostInspectFirstSGH(p, pflow, det_ctx->sgh);
Remove dsize grouping from detection engine grouping reducing memory usage. Store sgh in flow to reduce lookups. Reduce locking in alert handling. Increase default grouping values as we use less memory.
15 years ago
}
Moving the stream content scanning to have it's own mpm ctx.
15 years ago
detect / stream: new 'raw' stream inspection Remove the 'StreamMsg' approach from the engine. In this approach the stream engine would create a list of chunks for inspection by the detection engine. There were several issues: 1. the messages had a fixed size, so blocks of data bigger than ~4k would be cut into multiple messages 2. it lead to lots of data copying and unnecessary memory use 3. the StreamMsgs used a central pool The Stream engine switched over to the streaming buffer API, which means that the reassembled data is always available. This made the StreamMsg approach even clunkier. The new approach exposes the streaming buffer data to the detection engine. It has to pay attention to an important issue though: packet loss. The data may have gaps. The streaming buffer API tracks the blocks of continuous data. To access the data for inspection a callback approach is used. The 'StreamReassembleRaw' function is called with a callback and data. This way it runs the MPM and individual rule inspection code. At the end of each detection run the stream engine is notified that it can move forward it's 'progress'.
9 years ago
/* update inspected tracker for raw reassembly */
detect: only do flow dependent cleanup if a flow is present
9 years ago
if (p->proto == IPPROTO_TCP && pflow->protoctx != NULL) {
detect / stream: new 'raw' stream inspection Remove the 'StreamMsg' approach from the engine. In this approach the stream engine would create a list of chunks for inspection by the detection engine. There were several issues: 1. the messages had a fixed size, so blocks of data bigger than ~4k would be cut into multiple messages 2. it lead to lots of data copying and unnecessary memory use 3. the StreamMsgs used a central pool The Stream engine switched over to the streaming buffer API, which means that the reassembled data is always available. This made the StreamMsg approach even clunkier. The new approach exposes the streaming buffer data to the detection engine. It has to pay attention to an important issue though: packet loss. The data may have gaps. The streaming buffer API tracks the blocks of continuous data. To access the data for inspection a callback approach is used. The 'StreamReassembleRaw' function is called with a callback and data. This way it runs the MPM and individual rule inspection code. At the end of each detection run the stream engine is notified that it can move forward it's 'progress'.
9 years ago
StreamReassembleRawUpdateProgress(pflow->protoctx, p,
det_ctx->raw_stream_progress);
detect: only do flow dependent cleanup if a flow is present
9 years ago
DetectEngineCleanHCBDBuffers(det_ctx);
DetectEngineCleanHSBDBuffers(det_ctx);
DetectEngineCleanSMTPBuffers(det_ctx);
detect / stream: new 'raw' stream inspection Remove the 'StreamMsg' approach from the engine. In this approach the stream engine would create a list of chunks for inspection by the detection engine. There were several issues: 1. the messages had a fixed size, so blocks of data bigger than ~4k would be cut into multiple messages 2. it lead to lots of data copying and unnecessary memory use 3. the StreamMsgs used a central pool The Stream engine switched over to the streaming buffer API, which means that the reassembled data is always available. This made the StreamMsg approach even clunkier. The new approach exposes the streaming buffer data to the detection engine. It has to pay attention to an important issue though: packet loss. The data may have gaps. The streaming buffer API tracks the blocks of continuous data. To access the data for inspection a callback approach is used. The 'StreamReassembleRaw' function is called with a callback and data. This way it runs the MPM and individual rule inspection code. At the end of each detection run the stream engine is notified that it can move forward it's 'progress'.
9 years ago
}
First iteration of doing app layer detection.
16 years ago
}
Profiling: add accounting for several detection phases.
14 years ago
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_CLEANUP);
detect: make SigMatchSignatures void None of the callers cared for it's retval, so get rid of it.
9 years ago
SCReturn;
Initial add of the files.
17 years ago
}
detect: set action from utility function Set actions that are set directly from Signatures using the new utility function DetectSignatureApplyActions. This will apply the actions and also store info about the 'drop' that first made the rule drop.
11 years ago
/** \brief Apply action(s) and Set 'drop' sig info,
* if applicable */
detect: fix mix of pass and noalert Noalert rules did not apply pass logic to the flow. Bug #1888.
8 years ago
void DetectSignatureApplyActions(Packet *p,
const Signature *s, const uint8_t alert_flags)
detect: set action from utility function Set actions that are set directly from Signatures using the new utility function DetectSignatureApplyActions. This will apply the actions and also store info about the 'drop' that first made the rule drop.
11 years ago
{
PACKET_UPDATE_ACTION(p, s->action);
if (s->action & ACTION_DROP) {
if (p->alerts.drop.action == 0) {
p->alerts.drop.num = s->num;
p->alerts.drop.action = s->action;
p->alerts.drop.s = (Signature *)s;
}
detect: fix mix of pass and noalert Noalert rules did not apply pass logic to the flow. Bug #1888.
8 years ago
} else if (s->action & ACTION_PASS) {
/* if an stream/app-layer match we enforce the pass for the flow */
if ((p->flow != NULL) &&
(alert_flags & (PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_STREAM_MATCH)))
{
FlowSetNoPacketInspectionFlag(p->flow);
}
detect: set action from utility function Set actions that are set directly from Signatures using the new utility function DetectSignatureApplyActions. This will apply the actions and also store info about the 'drop' that first made the rule drop.
11 years ago
}
}
multi-detect: hash lookup for tenants Use hash for storing and looking up det_ctxs.
10 years ago
static DetectEngineThreadCtx *GetTenantById(HashTable *h, uint32_t id)
{
/* technically we need to pass a DetectEngineThreadCtx struct with the
* tentant_id member. But as that member is the first in the struct, we
* can use the id directly. */
return HashTableLookup(h, &id, 0);
}
detect: split detect entry into flow/noflow This is a preparation for flow locking updates.
9 years ago
static void DetectFlow(ThreadVars *tv,
DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
Packet *p)
Improve stateful uri detection code.
15 years ago
{
Move SCSetThreadName to proper functions.
15 years ago
/* No need to perform any detection on this packet, if the the given flag is set.*/
detect: fix pass transaction handling If a flow was 'pass'd, it means that no packet of it will flow be handled by the detection engine. A side effect of this was that the per flow inspect_id would never be moved forward. This in turn lead to a situation where transactions wouldn't be freed. This patch addresses this case by incrementing the inspect_id anyway for the pass case.
10 years ago
if ((p->flags & PKT_NOPACKET_INSPECTION) ||
(PACKET_TEST_ACTION(p, ACTION_DROP)))
{
/* hack: if we are in pass the entire flow mode, we need to still
* update the inspect_id forward. So test for the condition here,
* and call the update code if necessary. */
detect: fix flow bypass flag handling
8 years ago
const int pass = ((p->flow->flags & FLOW_NOPACKET_INSPECTION));
const AppProto alproto = FlowGetAppProtocol(p->flow);
detect: split detect entry into flow/noflow This is a preparation for flow locking updates.
9 years ago
if (pass && AppLayerParserProtocolSupportsTxs(p->proto, alproto)) {
detect: fix flow bypass flag handling
8 years ago
uint8_t flags;
detect: split detect entry into flow/noflow This is a preparation for flow locking updates.
9 years ago
if (p->flowflags & FLOW_PKT_TOSERVER) {
detect: fix flow bypass flag handling
8 years ago
flags = STREAM_TOSERVER;
detect: split detect entry into flow/noflow This is a preparation for flow locking updates.
9 years ago
} else {
detect: fix flow bypass flag handling
8 years ago
flags = STREAM_TOCLIENT;
detect: fix pass transaction handling If a flow was 'pass'd, it means that no packet of it will flow be handled by the detection engine. A side effect of this was that the per flow inspect_id would never be moved forward. This in turn lead to a situation where transactions wouldn't be freed. This patch addresses this case by incrementing the inspect_id anyway for the pass case.
10 years ago
}
detect: fix flow bypass flag handling
8 years ago
flags = FlowGetDisruptionFlags(p->flow, flags);
detect: split detect entry into flow/noflow This is a preparation for flow locking updates.
9 years ago
DeStateUpdateInspectTransactionId(p->flow, flags);
detect: fix pass transaction handling If a flow was 'pass'd, it means that no packet of it will flow be handled by the detection engine. A side effect of this was that the per flow inspect_id would never be moved forward. This in turn lead to a situation where transactions wouldn't be freed. This patch addresses this case by incrementing the inspect_id anyway for the pass case.
10 years ago
}
detect: split detect entry into flow/noflow This is a preparation for flow locking updates.
9 years ago
return;
}
/* see if the packet matches one or more of the sigs */
(void)SigMatchSignatures(tv,de_ctx,det_ctx,p);
}
static void DetectNoFlow(ThreadVars *tv,
DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
Packet *p)
{
/* No need to perform any detection on this packet, if the the given flag is set.*/
if ((p->flags & PKT_NOPACKET_INSPECTION) ||
(PACKET_TEST_ACTION(p, ACTION_DROP)))
{
return;
detect: fix pass transaction handling If a flow was 'pass'd, it means that no packet of it will flow be handled by the detection engine. A side effect of this was that the per flow inspect_id would never be moved forward. This in turn lead to a situation where transactions wouldn't be freed. This patch addresses this case by incrementing the inspect_id anyway for the pass case.
10 years ago
}
initial version to support detection byepass
16 years ago
detect: split detect entry into flow/noflow This is a preparation for flow locking updates.
9 years ago
/* see if the packet matches one or more of the sigs */
(void)SigMatchSignatures(tv,de_ctx,det_ctx,p);
return;
}
/** \brief Detection engine thread wrapper.
* \param tv thread vars
* \param p packet to inspect
* \param data thread specific data
* \param pq packet queue
* \retval TM_ECODE_FAILED error
* \retval TM_ECODE_OK ok
*/
TmEcode Detect(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
{
DEBUG_VALIDATE_PACKET(p);
detect: don't error out on no de_ctx This can happen on a multi-detect setup with no registered engines yet.
11 years ago
DetectEngineCtx *de_ctx = NULL;
Rename all pmt->det_ctx.
16 years ago
DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;
Improve error checking in detect, add comments.
16 years ago
if (det_ctx == NULL) {
printf("ERROR: Detect has no thread ctx\n");
goto error;
}
detect: split detect entry into flow/noflow This is a preparation for flow locking updates.
9 years ago
if (unlikely(SC_ATOMIC_GET(det_ctx->so_far_used_by_detect) == 0)) {
detect: initial MT lookup logic In the DetectEngineThreadCtx, store another DetectEngineThreadCtx per tenant. Currently it's just a simple array indexed by the tenant id.
11 years ago
(void)SC_ATOMIC_SET(det_ctx->so_far_used_by_detect, 1);
SCLogDebug("Detect Engine using new det_ctx - %p",
det_ctx);
}
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
/* if in MT mode _and_ we have tenants registered, use
* MT logic. */
if (det_ctx->mt_det_ctxs_cnt > 0 && det_ctx->TenantGetId != NULL)
{
multi-detect: set tenant id on pseudo packets Store the tenant id in the flow and use the stored id when setting up pesudo packets. For tunnel and defrag packets, get tenant from parent. This will only pass tenant_id's set at capture time. For defrag packets, the tenant selector based on vlan id will still work as the vlan id(s) are stored in the defrag tracker before being passed on.
10 years ago
uint32_t tenant_id = p->tenant_id;
if (tenant_id == 0)
tenant_id = det_ctx->TenantGetId(det_ctx, p);
detect: select detect engine at Detect entry Limited to Pcap only currently.
11 years ago
if (tenant_id > 0 && tenant_id < det_ctx->mt_det_ctxs_cnt) {
multi-detect: store tenant id in packet Store tenant id in the packet so that the output API's can log it.
11 years ago
p->tenant_id = tenant_id;
multi-detect: hash lookup for tenants Use hash for storing and looking up det_ctxs.
10 years ago
det_ctx = GetTenantById(det_ctx->mt_det_ctxs_hash, tenant_id);
detect: don't error out on no de_ctx This can happen on a multi-detect setup with no registered engines yet.
11 years ago
if (det_ctx == NULL)
return TM_ECODE_OK;
detect: select detect engine at Detect entry Limited to Pcap only currently.
11 years ago
de_ctx = det_ctx->de_ctx;
detect: don't error out on no de_ctx This can happen on a multi-detect setup with no registered engines yet.
11 years ago
if (de_ctx == NULL)
return TM_ECODE_OK;
detect: split detect entry into flow/noflow This is a preparation for flow locking updates.
9 years ago
if (unlikely(SC_ATOMIC_GET(det_ctx->so_far_used_by_detect) == 0)) {
detect: select detect engine at Detect entry Limited to Pcap only currently.
11 years ago
(void)SC_ATOMIC_SET(det_ctx->so_far_used_by_detect, 1);
SCLogDebug("MT de_ctx %p det_ctx %p (tenant %u)", de_ctx, det_ctx, tenant_id);
}
} else {
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
/* use default if no tenants are registered for this packet */
de_ctx = det_ctx->de_ctx;
detect: initial MT lookup logic In the DetectEngineThreadCtx, store another DetectEngineThreadCtx per tenant. Currently it's just a simple array indexed by the tenant id.
11 years ago
}
detect: don't error out on no de_ctx This can happen on a multi-detect setup with no registered engines yet.
11 years ago
} else {
de_ctx = det_ctx->de_ctx;
live rule support added To reload ruleset during engine runtime, send the USR2 signal to the engine, and the ruleset would be reloaded from the same yaml file supplied at engine startup
13 years ago
}
detect: split detect entry into flow/noflow This is a preparation for flow locking updates.
9 years ago
if (p->flow) {
DetectFlow(tv, de_ctx, det_ctx, p);
} else {
DetectNoFlow(tv, de_ctx, det_ctx, p);
Improve the threading code to enable a single pcap file processing thread.
16 years ago
}
detect: split detect entry into flow/noflow This is a preparation for flow locking updates.
9 years ago
return TM_ECODE_OK;
Improve error checking in detect, add comments.
16 years ago
error:
support for thread exit constants
16 years ago
return TM_ECODE_FAILED;
Initial add of the files.
17 years ago
}
disable-detect: fix needless file hashing When detection is running flags are set on flows to indicate if file hashing is needed. This is based on global output settings and rules. In the case of --disable-detection this was not happening, so all files where hashed with all methods. This has a significant performance impact. This patch adds logic to set the flow flags in --disable-detect mode.
9 years ago
/** \brief disable file features we don't need
* Called if we have no detection engine.
*/
void DisableDetectFlowFileFlags(Flow *f)
{
DetectPostInspectFileFlagsUpdate(f, NULL /* no sgh */, STREAM_TOSERVER);
DetectPostInspectFileFlagsUpdate(f, NULL /* no sgh */, STREAM_TOCLIENT);
}
Initial add of the files.
17 years ago
/*
* TESTS
*/
added a small comment
16 years ago
#ifdef UNITTESTS
detect: move unittests into tests/
8 years ago
#include "tests/detect.c"
detect: Disable unused SignatureHeader code
11 years ago
#endif
Initial add of the files.
17 years ago