aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'de4e2221d8'
${ noResults }
suricata/src/detect-engine-mpm.c

2918 lines
106 KiB
C
Raw Normal View History Unescape Escape

When assigning Pattern IDs pids, check Case flags This fixes bug 1110. When assigning PIDs, use the NO_CASE flag when comparing for duplicates. The state of the flag must be the same, but also use the same type of comparisons when checking for duplicates. Previously, "foo":CS would match with "foo":CI when it should not. and "foo":CI would not match "FoO":CI when it should. Both of those cases are fixed with this change. This then allows simplifying the use of pid in MPMs because now if they pids match, then so do the flags, so checking the flags is not required.
12 years ago
/* Copyright (C) 2007-2014 Open Information Security Foundation
Import of GPLv2 Header 050410
15 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
refactor all http mpm engine code
14 years ago
* \author Anoop Saldanha <anoopsaldanha@gmail.com>
Import of GPLv2 Header 050410
15 years ago
*
* Multi pattern matcher
*/
Initial add of the files.
17 years ago
Changed the way cuda dispatcher passes back results. Now each detection thread has it's own queue to which the dispatcher can pump packets back to the detect thread. Also, with cuda enabled and a non-cuda mpm being used, we won't create a dispatcher and instead call the b2g scan/search funtions directly instead of using the dispatcher.
16 years ago
#include "suricata.h"
Rename to Suricata.
16 years ago
#include "suricata-common.h"
Initial add of the files.
17 years ago
Moving the stream content scanning to have it's own mpm ctx.
15 years ago
#include "app-layer-protos.h"
Initial add of the files.
17 years ago
#include "decode.h"
#include "detect.h"
Put all globals in the detection engine ctx. Add HashList type, a hash that also stores the items ina list to it can be traversed. Many cleanups.
17 years ago
#include "detect-engine.h"
Large detection engine update.
17 years ago
#include "detect-engine-siggroup.h"
#include "detect-engine-mpm.h"
Fix iponly matching.
17 years ago
#include "detect-engine-iponly.h"
support for fast_pattern only and fast_pattern:offset,length. Also support the new option for engine-analysis
15 years ago
#include "detect-parse.h"
Initial add of the files.
17 years ago
#include "util-mpm.h"
Move memcpy_lower() into new util-memcpy.h Remove local copies from each MPM file and use include file instead. Might be better to also add util-memcpy.c rather than inlining it each time, to get smaller code, since only seems to be used at initialization.
12 years ago
#include "util-memcmp.h"
#include "util-memcpy.h"
pattern matcher options support
16 years ago
#include "conf.h"
use a single populatempm() function to add the right content for mpm
15 years ago
#include "detect-fast-pattern.h"
Initial add of the files.
17 years ago
#include "flow.h"
#include "flow-var.h"
#include "detect-flow.h"
#include "detect-content.h"
#include "detect-uricontent.h"
Inspect the reassembled stream together with the packet payload in the same direction.
15 years ago
#include "stream.h"
handle the cuda cleanup at shutdown. should get rid of any errors from the call to SigGroupCleanup
16 years ago
#include "util-enum.h"
Bunch of mostly unittest related memleak fixes.
16 years ago
#include "util-debug.h"
Fixes to stream pattern matching.
15 years ago
#include "util-print.h"
Add memcmp api with a plain memcmp function and a SSE3 accelerated memcmp.
15 years ago
#include "util-memcmp.h"
Version 1 of AC Cuda.
12 years ago
#ifdef __SC_CUDA_SUPPORT__
#include "util-mpm-ac.h"
#endif
Bunch of mostly unittest related memleak fixes.
16 years ago
Cleanups
16 years ago
/** \todo make it possible to use multiple pattern matcher algorithms next to
New Multi-pattern matcher, ac-tile, optimized for Tile architecture. Aho-Corasick mpm optimized for Tilera Tile-Gx architecture. Based on the util-mpm-ac.c code base. The primary optimizations are: 1) Matching function used Tilera specific instructions. 2) Alphabet compression to reduce delta table size to increase cache utilization and performance. The basic observation is that not all 256 ASCII characters are used by the set of multiple patterns in a group for which a DFA is created. The first reason is that Suricata's pattern matching is case-insensitive, so all uppercase characters are converted to lowercase, leaving a hole of 26 characters in the alphabet. Previously, this hole was simply left in the middle of the alphabet and thus in the generated Next State (delta) tables. A new, smaller, alphabet is created using a translation table of 256 bytes per mpm group. Previously, there was one global translation table for converting upper case to lowercase. Additional, unused characters are found by creating a histogram of all the characters in all the patterns. Then all the characters with zero counts are mapped to one character (0) in the new alphabet. Since These characters appear in no pattern, they can all be mapped to a single character and still result in the same matches being found. Zero was chosen for the value in the new alphabet since this "character" is more likely to appear in the input. The unused character always results in the next state being state zero, but that fact is not currently used by the code, since special casing takes additional instructions. The characters that do appear in some pattern are mapped to consecutive characters in the new alphabet, starting at 1. This results in a dense packing of next state values in the delta tables and additionally can allow for a smaller number of columns in that table, thus using less memory and better packing into the cache. The size of the new alphabet is the number of used characters plus 1 for the unused catch-all character. The alphabet size is rounded up to the next larger power-of-2 so that multiplication by the alphabet size can be done with a shift. It might be possible to use a multiply instruction, so that the exact alphabet size could be used, which would further reduce the size of the delta tables, increase cache density and not require the specialized search functions. The multiply would likely add 1 cycle to the inner search loop. Since the multiply by alphabet-size is cleverly merged with a mask instruction (in the SINDEX macro), specialized versions of the SCACSearch function are generated for alphabet sizes 256, 128, 64, 32 and 16. This is done by including the file util-mpm-ac-small.c multiple times with a redefined SINDEX macro. A function pointer is then stored in the mpm context for the search function. For alpha bit sizes of 8 or smaller, the number of states usually small, so the DFA is already very small, so there is little difference using the 16 state search function. The SCACSearch function is also specialized by the size of the value stored in the next state (delta) tables, either 16-bits or 32-bits. This removes a conditional inside the Search function. That conditional is only called once, but doesn't hurt to remove it. 16-bits are used for up to 32K states, with the sign bit set for states with matches. Future optimization: The state-has-match values is only needed per state, not per next state, so checking the next-state sign bit could be replaced with reading a different value, at the cost of an additional load, but increasing the 16-bit next state span to 64K. Since the order of the characters in the new alphabet doesn't matter, the new alphabet could be sorted by the frequency of the characters in the expected input stream for that multi-pattern matcher. This would group more frequent characters into the same cache lines, thus increasing the probability of reusing a cache-line. All the next state values for each state live in their own set of cache-lines. With power-of-two sizes alphabets, these don't overlap. So either 32 or 16 character's next states are loaded in each cache line load. If the alphabet size is not an exact power-of-2, then the last cache-line is not completely full and up to 31*2 bytes of that line could be wasted per state. The next state table could be transposed, so that all the next states for a specific character are stored sequentially, this could be better if some characters, for example the unused character, are much more frequent.
12 years ago
each other. */
Add b3g 3gram BNDM pattern matcher. Fix multi queue nfq initialization. Improve speed of b2g and wumanber.
17 years ago
use a single populatempm() function to add the right content for mpm
15 years ago
#define POPULATE_MPM_AVOID_PACKET_MPM_PATTERNS 0x01
#define POPULATE_MPM_AVOID_STREAM_MPM_PATTERNS 0x02
#define POPULATE_MPM_AVOID_URI_MPM_PATTERNS 0x04
Fix a content pattern matching bug related to signature grouping and mpm_ctx sharing. In certain conditions (signature combinations) the mpm_stream_ctx (the ctx that handles stream pattern scanning) wasn't properly setup.
15 years ago
/**
* \brief check if a signature has patterns that are to be inspected
* against a packets payload (as opposed to the stream payload)
*
* \param s signature
*
* \retval 1 true
* \retval 0 false
*/
int SignatureHasPacketContent(Signature *s) {
SCEnter();
if (s == NULL) {
SCReturnInt(0);
}
if a signature is non-tcp, it's always a packet sig
14 years ago
if (!(s->proto.proto[6 / 8] & 1 << (6 % 8))) {
SCReturnInt(1);
}
Remove SIG_FLAG_MPM flag.
14 years ago
if (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
Fix a content pattern matching bug related to signature grouping and mpm_ctx sharing. In certain conditions (signature combinations) the mpm_stream_ctx (the ctx that handles stream pattern scanning) wasn't properly setup.
15 years ago
SCLogDebug("no mpm");
SCReturnInt(0);
}
packet keywords only added for packet mpm. Rest in stream mpm. Update detection engine to handle the same
14 years ago
if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
Fix a content pattern matching bug related to signature grouping and mpm_ctx sharing. In certain conditions (signature combinations) the mpm_stream_ctx (the ctx that handles stream pattern scanning) wasn't properly setup.
15 years ago
SCReturnInt(0);
}
packet keywords only added for packet mpm. Rest in stream mpm. Update detection engine to handle the same
14 years ago
SCReturnInt(1);
Fix a content pattern matching bug related to signature grouping and mpm_ctx sharing. In certain conditions (signature combinations) the mpm_stream_ctx (the ctx that handles stream pattern scanning) wasn't properly setup.
15 years ago
}
/**
* \brief check if a signature has patterns that are to be inspected
* against the stream payload (as opposed to the individual packets
* payload(s))
*
* \param s signature
*
* \retval 1 true
* \retval 0 false
*/
int SignatureHasStreamContent(Signature *s) {
SCEnter();
if (s == NULL) {
SCReturnInt(0);
}
we now support offset, depth inspection against all packet payloads and stream messages
13 years ago
if (!(s->proto.proto[6 / 8] & 1 << (6 % 8))) {
Fix a content pattern matching bug related to signature grouping and mpm_ctx sharing. In certain conditions (signature combinations) the mpm_stream_ctx (the ctx that handles stream pattern scanning) wasn't properly setup.
15 years ago
SCReturnInt(0);
}
Remove SIG_FLAG_MPM flag.
14 years ago
if (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
packet keywords only added for packet mpm. Rest in stream mpm. Update detection engine to handle the same
14 years ago
SCLogDebug("no mpm");
Fix a content pattern matching bug related to signature grouping and mpm_ctx sharing. In certain conditions (signature combinations) the mpm_stream_ctx (the ctx that handles stream pattern scanning) wasn't properly setup.
15 years ago
SCReturnInt(0);
}
we now support offset, depth inspection against all packet payloads and stream messages
13 years ago
if (!(s->flags & SIG_FLAG_REQUIRE_STREAM)) {
SCReturnInt(0);
}
packet keywords only added for packet mpm. Rest in stream mpm. Update detection engine to handle the same
14 years ago
SCReturnInt(1);
Fix a content pattern matching bug related to signature grouping and mpm_ctx sharing. In certain conditions (signature combinations) the mpm_stream_ctx (the ctx that handles stream pattern scanning) wasn't properly setup.
15 years ago
}
handle the cuda cleanup at shutdown. should get rid of any errors from the call to SigGroupCleanup
16 years ago
Make mpm-algo use the mpm_table that has the actual mpm's registered. Clean up dead code.
15 years ago
/**
* \brief Function to return the multi pattern matcher algorithm to be
* used by the engine, based on the mpm-algo setting in yaml
New Multi-pattern matcher, ac-tile, optimized for Tile architecture. Aho-Corasick mpm optimized for Tilera Tile-Gx architecture. Based on the util-mpm-ac.c code base. The primary optimizations are: 1) Matching function used Tilera specific instructions. 2) Alphabet compression to reduce delta table size to increase cache utilization and performance. The basic observation is that not all 256 ASCII characters are used by the set of multiple patterns in a group for which a DFA is created. The first reason is that Suricata's pattern matching is case-insensitive, so all uppercase characters are converted to lowercase, leaving a hole of 26 characters in the alphabet. Previously, this hole was simply left in the middle of the alphabet and thus in the generated Next State (delta) tables. A new, smaller, alphabet is created using a translation table of 256 bytes per mpm group. Previously, there was one global translation table for converting upper case to lowercase. Additional, unused characters are found by creating a histogram of all the characters in all the patterns. Then all the characters with zero counts are mapped to one character (0) in the new alphabet. Since These characters appear in no pattern, they can all be mapped to a single character and still result in the same matches being found. Zero was chosen for the value in the new alphabet since this "character" is more likely to appear in the input. The unused character always results in the next state being state zero, but that fact is not currently used by the code, since special casing takes additional instructions. The characters that do appear in some pattern are mapped to consecutive characters in the new alphabet, starting at 1. This results in a dense packing of next state values in the delta tables and additionally can allow for a smaller number of columns in that table, thus using less memory and better packing into the cache. The size of the new alphabet is the number of used characters plus 1 for the unused catch-all character. The alphabet size is rounded up to the next larger power-of-2 so that multiplication by the alphabet size can be done with a shift. It might be possible to use a multiply instruction, so that the exact alphabet size could be used, which would further reduce the size of the delta tables, increase cache density and not require the specialized search functions. The multiply would likely add 1 cycle to the inner search loop. Since the multiply by alphabet-size is cleverly merged with a mask instruction (in the SINDEX macro), specialized versions of the SCACSearch function are generated for alphabet sizes 256, 128, 64, 32 and 16. This is done by including the file util-mpm-ac-small.c multiple times with a redefined SINDEX macro. A function pointer is then stored in the mpm context for the search function. For alpha bit sizes of 8 or smaller, the number of states usually small, so the DFA is already very small, so there is little difference using the 16 state search function. The SCACSearch function is also specialized by the size of the value stored in the next state (delta) tables, either 16-bits or 32-bits. This removes a conditional inside the Search function. That conditional is only called once, but doesn't hurt to remove it. 16-bits are used for up to 32K states, with the sign bit set for states with matches. Future optimization: The state-has-match values is only needed per state, not per next state, so checking the next-state sign bit could be replaced with reading a different value, at the cost of an additional load, but increasing the 16-bit next state span to 64K. Since the order of the characters in the new alphabet doesn't matter, the new alphabet could be sorted by the frequency of the characters in the expected input stream for that multi-pattern matcher. This would group more frequent characters into the same cache lines, thus increasing the probability of reusing a cache-line. All the next state values for each state live in their own set of cache-lines. With power-of-two sizes alphabets, these don't overlap. So either 32 or 16 character's next states are loaded in each cache line load. If the alphabet size is not an exact power-of-2, then the last cache-line is not completely full and up to 31*2 bytes of that line could be wasted per state. The next state table could be transposed, so that all the next states for a specific character are stored sequentially, this could be better if some characters, for example the unused character, are much more frequent.
12 years ago
* Use the default mpm if none is specified in the yaml file.
Make mpm-algo use the mpm_table that has the actual mpm's registered. Clean up dead code.
15 years ago
*
pattern matcher options support
16 years ago
* \retval mpm algo value
*/
Get rid of global mpm_ctx.
16 years ago
uint16_t PatternMatchDefaultMatcher(void) {
pattern matcher options support
16 years ago
char *mpm_algo;
New Multi-pattern matcher, ac-tile, optimized for Tile architecture. Aho-Corasick mpm optimized for Tilera Tile-Gx architecture. Based on the util-mpm-ac.c code base. The primary optimizations are: 1) Matching function used Tilera specific instructions. 2) Alphabet compression to reduce delta table size to increase cache utilization and performance. The basic observation is that not all 256 ASCII characters are used by the set of multiple patterns in a group for which a DFA is created. The first reason is that Suricata's pattern matching is case-insensitive, so all uppercase characters are converted to lowercase, leaving a hole of 26 characters in the alphabet. Previously, this hole was simply left in the middle of the alphabet and thus in the generated Next State (delta) tables. A new, smaller, alphabet is created using a translation table of 256 bytes per mpm group. Previously, there was one global translation table for converting upper case to lowercase. Additional, unused characters are found by creating a histogram of all the characters in all the patterns. Then all the characters with zero counts are mapped to one character (0) in the new alphabet. Since These characters appear in no pattern, they can all be mapped to a single character and still result in the same matches being found. Zero was chosen for the value in the new alphabet since this "character" is more likely to appear in the input. The unused character always results in the next state being state zero, but that fact is not currently used by the code, since special casing takes additional instructions. The characters that do appear in some pattern are mapped to consecutive characters in the new alphabet, starting at 1. This results in a dense packing of next state values in the delta tables and additionally can allow for a smaller number of columns in that table, thus using less memory and better packing into the cache. The size of the new alphabet is the number of used characters plus 1 for the unused catch-all character. The alphabet size is rounded up to the next larger power-of-2 so that multiplication by the alphabet size can be done with a shift. It might be possible to use a multiply instruction, so that the exact alphabet size could be used, which would further reduce the size of the delta tables, increase cache density and not require the specialized search functions. The multiply would likely add 1 cycle to the inner search loop. Since the multiply by alphabet-size is cleverly merged with a mask instruction (in the SINDEX macro), specialized versions of the SCACSearch function are generated for alphabet sizes 256, 128, 64, 32 and 16. This is done by including the file util-mpm-ac-small.c multiple times with a redefined SINDEX macro. A function pointer is then stored in the mpm context for the search function. For alpha bit sizes of 8 or smaller, the number of states usually small, so the DFA is already very small, so there is little difference using the 16 state search function. The SCACSearch function is also specialized by the size of the value stored in the next state (delta) tables, either 16-bits or 32-bits. This removes a conditional inside the Search function. That conditional is only called once, but doesn't hurt to remove it. 16-bits are used for up to 32K states, with the sign bit set for states with matches. Future optimization: The state-has-match values is only needed per state, not per next state, so checking the next-state sign bit could be replaced with reading a different value, at the cost of an additional load, but increasing the 16-bit next state span to 64K. Since the order of the characters in the new alphabet doesn't matter, the new alphabet could be sorted by the frequency of the characters in the expected input stream for that multi-pattern matcher. This would group more frequent characters into the same cache lines, thus increasing the probability of reusing a cache-line. All the next state values for each state live in their own set of cache-lines. With power-of-two sizes alphabets, these don't overlap. So either 32 or 16 character's next states are loaded in each cache line load. If the alphabet size is not an exact power-of-2, then the last cache-line is not completely full and up to 31*2 bytes of that line could be wasted per state. The next state table could be transposed, so that all the next states for a specific character are stored sequentially, this could be better if some characters, for example the unused character, are much more frequent.
12 years ago
uint16_t mpm_algo_val = DEFAULT_MPM;
pattern matcher options support
16 years ago
/* Get the mpm algo defined in config file by the user */
if ((ConfGet("mpm-algo", &mpm_algo)) == 1) {
Make mpm-algo use the mpm_table that has the actual mpm's registered. Clean up dead code.
15 years ago
uint16_t u;
if (mpm_algo != NULL) {
for (u = 0; u < MPM_TABLE_SIZE; u++) {
if (mpm_table[u].name == NULL)
continue;
if (strcmp(mpm_table[u].name, mpm_algo) == 0) {
New Multi-pattern matcher, ac-tile, optimized for Tile architecture. Aho-Corasick mpm optimized for Tilera Tile-Gx architecture. Based on the util-mpm-ac.c code base. The primary optimizations are: 1) Matching function used Tilera specific instructions. 2) Alphabet compression to reduce delta table size to increase cache utilization and performance. The basic observation is that not all 256 ASCII characters are used by the set of multiple patterns in a group for which a DFA is created. The first reason is that Suricata's pattern matching is case-insensitive, so all uppercase characters are converted to lowercase, leaving a hole of 26 characters in the alphabet. Previously, this hole was simply left in the middle of the alphabet and thus in the generated Next State (delta) tables. A new, smaller, alphabet is created using a translation table of 256 bytes per mpm group. Previously, there was one global translation table for converting upper case to lowercase. Additional, unused characters are found by creating a histogram of all the characters in all the patterns. Then all the characters with zero counts are mapped to one character (0) in the new alphabet. Since These characters appear in no pattern, they can all be mapped to a single character and still result in the same matches being found. Zero was chosen for the value in the new alphabet since this "character" is more likely to appear in the input. The unused character always results in the next state being state zero, but that fact is not currently used by the code, since special casing takes additional instructions. The characters that do appear in some pattern are mapped to consecutive characters in the new alphabet, starting at 1. This results in a dense packing of next state values in the delta tables and additionally can allow for a smaller number of columns in that table, thus using less memory and better packing into the cache. The size of the new alphabet is the number of used characters plus 1 for the unused catch-all character. The alphabet size is rounded up to the next larger power-of-2 so that multiplication by the alphabet size can be done with a shift. It might be possible to use a multiply instruction, so that the exact alphabet size could be used, which would further reduce the size of the delta tables, increase cache density and not require the specialized search functions. The multiply would likely add 1 cycle to the inner search loop. Since the multiply by alphabet-size is cleverly merged with a mask instruction (in the SINDEX macro), specialized versions of the SCACSearch function are generated for alphabet sizes 256, 128, 64, 32 and 16. This is done by including the file util-mpm-ac-small.c multiple times with a redefined SINDEX macro. A function pointer is then stored in the mpm context for the search function. For alpha bit sizes of 8 or smaller, the number of states usually small, so the DFA is already very small, so there is little difference using the 16 state search function. The SCACSearch function is also specialized by the size of the value stored in the next state (delta) tables, either 16-bits or 32-bits. This removes a conditional inside the Search function. That conditional is only called once, but doesn't hurt to remove it. 16-bits are used for up to 32K states, with the sign bit set for states with matches. Future optimization: The state-has-match values is only needed per state, not per next state, so checking the next-state sign bit could be replaced with reading a different value, at the cost of an additional load, but increasing the 16-bit next state span to 64K. Since the order of the characters in the new alphabet doesn't matter, the new alphabet could be sorted by the frequency of the characters in the expected input stream for that multi-pattern matcher. This would group more frequent characters into the same cache lines, thus increasing the probability of reusing a cache-line. All the next state values for each state live in their own set of cache-lines. With power-of-two sizes alphabets, these don't overlap. So either 32 or 16 character's next states are loaded in each cache line load. If the alphabet size is not an exact power-of-2, then the last cache-line is not completely full and up to 31*2 bytes of that line could be wasted per state. The next state table could be transposed, so that all the next states for a specific character are stored sequentially, this could be better if some characters, for example the unused character, are much more frequent.
12 years ago
mpm_algo_val = u;
goto done;
Make mpm-algo use the mpm_table that has the actual mpm's registered. Clean up dead code.
15 years ago
}
}
pattern matcher options support
16 years ago
}
Make mpm-algo use the mpm_table that has the actual mpm's registered. Clean up dead code.
15 years ago
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid mpm algo supplied "
"in the yaml conf file: \"%s\"", mpm_algo);
exit(EXIT_FAILURE);
pattern matcher options support
16 years ago
}
New Multi-pattern matcher, ac-tile, optimized for Tile architecture. Aho-Corasick mpm optimized for Tilera Tile-Gx architecture. Based on the util-mpm-ac.c code base. The primary optimizations are: 1) Matching function used Tilera specific instructions. 2) Alphabet compression to reduce delta table size to increase cache utilization and performance. The basic observation is that not all 256 ASCII characters are used by the set of multiple patterns in a group for which a DFA is created. The first reason is that Suricata's pattern matching is case-insensitive, so all uppercase characters are converted to lowercase, leaving a hole of 26 characters in the alphabet. Previously, this hole was simply left in the middle of the alphabet and thus in the generated Next State (delta) tables. A new, smaller, alphabet is created using a translation table of 256 bytes per mpm group. Previously, there was one global translation table for converting upper case to lowercase. Additional, unused characters are found by creating a histogram of all the characters in all the patterns. Then all the characters with zero counts are mapped to one character (0) in the new alphabet. Since These characters appear in no pattern, they can all be mapped to a single character and still result in the same matches being found. Zero was chosen for the value in the new alphabet since this "character" is more likely to appear in the input. The unused character always results in the next state being state zero, but that fact is not currently used by the code, since special casing takes additional instructions. The characters that do appear in some pattern are mapped to consecutive characters in the new alphabet, starting at 1. This results in a dense packing of next state values in the delta tables and additionally can allow for a smaller number of columns in that table, thus using less memory and better packing into the cache. The size of the new alphabet is the number of used characters plus 1 for the unused catch-all character. The alphabet size is rounded up to the next larger power-of-2 so that multiplication by the alphabet size can be done with a shift. It might be possible to use a multiply instruction, so that the exact alphabet size could be used, which would further reduce the size of the delta tables, increase cache density and not require the specialized search functions. The multiply would likely add 1 cycle to the inner search loop. Since the multiply by alphabet-size is cleverly merged with a mask instruction (in the SINDEX macro), specialized versions of the SCACSearch function are generated for alphabet sizes 256, 128, 64, 32 and 16. This is done by including the file util-mpm-ac-small.c multiple times with a redefined SINDEX macro. A function pointer is then stored in the mpm context for the search function. For alpha bit sizes of 8 or smaller, the number of states usually small, so the DFA is already very small, so there is little difference using the 16 state search function. The SCACSearch function is also specialized by the size of the value stored in the next state (delta) tables, either 16-bits or 32-bits. This removes a conditional inside the Search function. That conditional is only called once, but doesn't hurt to remove it. 16-bits are used for up to 32K states, with the sign bit set for states with matches. Future optimization: The state-has-match values is only needed per state, not per next state, so checking the next-state sign bit could be replaced with reading a different value, at the cost of an additional load, but increasing the 16-bit next state span to 64K. Since the order of the characters in the new alphabet doesn't matter, the new alphabet could be sorted by the frequency of the characters in the expected input stream for that multi-pattern matcher. This would group more frequent characters into the same cache lines, thus increasing the probability of reusing a cache-line. All the next state values for each state live in their own set of cache-lines. With power-of-two sizes alphabets, these don't overlap. So either 32 or 16 character's next states are loaded in each cache line load. If the alphabet size is not an exact power-of-2, then the last cache-line is not completely full and up to 31*2 bytes of that line could be wasted per state. The next state table could be transposed, so that all the next states for a specific character are stored sequentially, this could be better if some characters, for example the unused character, are much more frequent.
12 years ago
done:
#ifdef __tile__
if (mpm_algo_val == MPM_AC)
mpm_algo_val = MPM_AC_TILE;
#endif
pattern matcher options support
16 years ago
return mpm_algo_val;
Get rid of global mpm_ctx.
16 years ago
}
packet keywords only added for packet mpm. Rest in stream mpm. Update detection engine to handle the same
14 years ago
uint32_t PacketPatternSearchWithStreamCtx(DetectEngineThreadCtx *det_ctx,
Packet *p)
{
SCEnter();
Fix compiler warning and silence complaining unittests.
14 years ago
uint32_t ret = 0;
if (p->flowflags & FLOW_PKT_TOSERVER) {
if (det_ctx->sgh->mpm_stream_ctx_ts == NULL)
SCReturnInt(0);
packet keywords only added for packet mpm. Rest in stream mpm. Update detection engine to handle the same
14 years ago
support splitting mpm ctxs based on direction v2
14 years ago
ret = mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_stream_ctx_ts, &det_ctx->mtc, &det_ctx->pmq,
p->payload, p->payload_len);
Fix compiler warning and silence complaining unittests.
14 years ago
} else {
if (det_ctx->sgh->mpm_stream_ctx_tc == NULL)
SCReturnInt(0);
support splitting mpm ctxs based on direction v2
14 years ago
ret = mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_stream_ctx_tc, &det_ctx->mtc, &det_ctx->pmq,
p->payload, p->payload_len);
}
packet keywords only added for packet mpm. Rest in stream mpm. Update detection engine to handle the same
14 years ago
SCReturnInt(ret);
}
Remove more scan references.
16 years ago
/** \brief Pattern match -- searches for only one pattern per signature.
*
Cleanups
16 years ago
* \param det_ctx detection engine thread ctx
Remove more scan references.
16 years ago
* \param p packet to inspect
*
* \retval ret number of matches
Cleanups
16 years ago
*/
modify detection engine to carry out uri mpm run before build match array if alproto is http and if sgh has atleast one sig with uri mpm set
15 years ago
uint32_t PacketPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p)
applayer uri match and modified http handling
16 years ago
{
Only inspect http flows against uri sigs, clean up uri scanning code.
16 years ago
SCEnter();
Add Scan before Search to the detection engine.
17 years ago
mpm b2g cuda support added
16 years ago
uint32_t ret;
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
MpmCtx *mpm_ctx = NULL;
if (p->proto == IPPROTO_TCP) {
support splitting mpm ctxs based on direction v2
14 years ago
if (p->flowflags & FLOW_PKT_TOSERVER) {
mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx_ts;
code cleanup over last 2 commits
14 years ago
} else {
support splitting mpm ctxs based on direction v2
14 years ago
mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx_tc;
}
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
} else if (p->proto == IPPROTO_UDP) {
support splitting mpm ctxs based on direction v2
14 years ago
if (p->flowflags & FLOW_PKT_TOSERVER) {
mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx_ts;
code cleanup over last 2 commits
14 years ago
} else {
support splitting mpm ctxs based on direction v2
14 years ago
mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx_tc;
}
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
} else {
mpm_ctx = det_ctx->sgh->mpm_proto_other_ctx;
}
if (mpm_ctx == NULL)
SCReturnInt(0);
Version 1 of AC Cuda.
12 years ago
#ifdef __SC_CUDA_SUPPORT__
Minor cosmetic changes to the cuda code. Moved a couple of functions to more cuda relevant files; Re-structured some data types.
12 years ago
if (p->cuda_pkt_vars.cuda_mpm_enabled && p->pkt_src == PKT_SRC_WIRE) {
Version 1 of AC Cuda.
12 years ago
ret = SCACCudaPacketResultsProcessing(p, mpm_ctx, &det_ctx->pmq);
} else {
ret = mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
&det_ctx->mtc,
&det_ctx->pmq,
p->payload,
p->payload_len);
}
#else
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
ret = mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
&det_ctx->mtc,
&det_ctx->pmq,
p->payload,
p->payload_len);
Version 1 of AC Cuda.
12 years ago
#endif
mpm b2g cuda support added
16 years ago
pack all the packet pattern scan and search packet setup for cuda into a function inside util-cuda-handlers.[ch]
16 years ago
SCReturnInt(ret);
Add Scan before Search to the detection engine.
17 years ago
}
Remove more scan references.
16 years ago
/** \brief Uri Pattern match -- searches for one pattern per signature.
*
applayer uri match and modified http handling
16 years ago
* \param det_ctx detection engine thread ctx
Remove more scan references.
16 years ago
* \param p packet to inspect
*
* \retval ret number of matches
applayer uri match and modified http handling
16 years ago
*/
Scan uricontent mpm on demand.
15 years ago
uint32_t UriPatternSearch(DetectEngineThreadCtx *det_ctx,
support splitting mpm ctxs based on direction v2
14 years ago
uint8_t *uri, uint16_t uri_len, uint8_t flags)
applayer uri match and modified http handling
16 years ago
{
Only inspect http flows against uri sigs, clean up uri scanning code.
16 years ago
SCEnter();
applayer uri match and modified http handling
16 years ago
support splitting mpm ctxs based on direction v2
14 years ago
uint32_t ret;
if (flags & STREAM_TOSERVER) {
if (det_ctx->sgh->mpm_uri_ctx_ts == NULL)
SCReturnUInt(0U);
ret = mpm_table[det_ctx->sgh->mpm_uri_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_uri_ctx_ts,
&det_ctx->mtcu, &det_ctx->pmq, uri, uri_len);
code cleanup over last 2 commits
14 years ago
} else {
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
BUG_ON(1);
support splitting mpm ctxs based on direction v2
14 years ago
}
First stage of detect engine redesign: equal patterns share id's, search phase no longer used, new match verification phase.
16 years ago
Fix tcp connections that are reset (RST packet) not always inspecting the reassembled stream. Update transaction id code to make sure both directions of a transaction are inspected before incrementing the inspect_id.
15 years ago
//PrintRawDataFp(stdout, uri, uri_len);
First stage of detect engine redesign: equal patterns share id's, search phase no longer used, new match verification phase.
16 years ago
SCReturnUInt(ret);
applayer uri match and modified http handling
16 years ago
}
mpm and fast pattern support for http_header. Also support relative modifiers for http_header
15 years ago
/** \brief Http client body pattern match -- searches for one pattern per
* signature.
fast pattern support for http_client_body keyword added. Also mpm support for http_client_body added
15 years ago
*
mpm and fast pattern support for http_header. Also support relative modifiers for http_header
15 years ago
* \param det_ctx Detection engine thread ctx.
* \param body The request body to inspect.
* \param body_len Body length.
fast pattern support for http_client_body keyword added. Also mpm support for http_client_body added
15 years ago
*
mpm and fast pattern support for http_header. Also support relative modifiers for http_header
15 years ago
* \retval ret Number of matches.
fast pattern support for http_client_body keyword added. Also mpm support for http_client_body added
15 years ago
*/
uint32_t HttpClientBodyPatternSearch(DetectEngineThreadCtx *det_ctx,
support splitting mpm ctxs based on direction v2
14 years ago
uint8_t *body, uint32_t body_len, uint8_t flags)
fast pattern support for http_client_body keyword added. Also mpm support for http_client_body added
15 years ago
{
SCEnter();
uint32_t ret;
support splitting mpm ctxs based on direction v2
14 years ago
if (flags & STREAM_TOSERVER) {
if (det_ctx->sgh->mpm_hcbd_ctx_ts == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_hcbd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hcbd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, body, body_len);
code cleanup over last 2 commits
14 years ago
} else {
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
BUG_ON(1);
support splitting mpm ctxs based on direction v2
14 years ago
}
fast pattern support for http_client_body keyword added. Also mpm support for http_client_body added
15 years ago
SCReturnUInt(ret);
}
Introduce http_server_body keyword. The http_server_body content modifier modifies the previous content to inspect the normalized (dechunked, unzipped) http_server_body. The workings are similar to http_client_body. Additionally, a new pcre flag was introduced "/S". To facilitate this change the signature flags field was changed to be 64 bit.
14 years ago
/** \brief Http server body pattern match -- searches for one pattern per
* signature.
*
* \param det_ctx Detection engine thread ctx.
* \param body The request body to inspect.
* \param body_len Body length.
*
* \retval ret Number of matches.
*/
uint32_t HttpServerBodyPatternSearch(DetectEngineThreadCtx *det_ctx,
support splitting mpm ctxs based on direction v2
14 years ago
uint8_t *body, uint32_t body_len, uint8_t flags)
Introduce http_server_body keyword. The http_server_body content modifier modifies the previous content to inspect the normalized (dechunked, unzipped) http_server_body. The workings are similar to http_client_body. Additionally, a new pcre flag was introduced "/S". To facilitate this change the signature flags field was changed to be 64 bit.
14 years ago
{
SCEnter();
uint32_t ret;
support splitting mpm ctxs based on direction v2
14 years ago
if (flags & STREAM_TOSERVER) {
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
BUG_ON(1);
code cleanup over last 2 commits
14 years ago
} else {
support splitting mpm ctxs based on direction v2
14 years ago
if (det_ctx->sgh->mpm_hsbd_ctx_tc == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_hsbd_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_hsbd_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, body, body_len);
}
Introduce http_server_body keyword. The http_server_body content modifier modifies the previous content to inspect the normalized (dechunked, unzipped) http_server_body. The workings are similar to http_client_body. Additionally, a new pcre flag was introduced "/S". To facilitate this change the signature flags field was changed to be 64 bit.
14 years ago
SCReturnUInt(ret);
}
mpm and fast pattern support for http_header. Also support relative modifiers for http_header
15 years ago
/**
* \brief Http header match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param headers Headers to inspect.
* \param headers_len Headers length.
*
* \retval ret Number of matches.
*/
uint32_t HttpHeaderPatternSearch(DetectEngineThreadCtx *det_ctx,
support splitting mpm ctxs based on direction v2
14 years ago
uint8_t *headers, uint32_t headers_len, uint8_t flags)
mpm and fast pattern support for http_header. Also support relative modifiers for http_header
15 years ago
{
SCEnter();
uint32_t ret;
support splitting mpm ctxs based on direction v2
14 years ago
if (flags & STREAM_TOSERVER) {
if (det_ctx->sgh->mpm_hhd_ctx_ts == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hhd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, headers, headers_len);
code cleanup over last 2 commits
14 years ago
} else {
support splitting mpm ctxs based on direction v2
14 years ago
if (det_ctx->sgh->mpm_hhd_ctx_tc == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_hhd_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, headers, headers_len);
}
mpm and fast pattern support for http_header. Also support relative modifiers for http_header
15 years ago
SCReturnUInt(ret);
}
support fast pattern for http raw header. Also support relative modifiers for http raw header
15 years ago
/**
* \brief Http raw header match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param headers Raw headers to inspect.
* \param headers_len Raw headers length.
*
* \retval ret Number of matches.
*/
uint32_t HttpRawHeaderPatternSearch(DetectEngineThreadCtx *det_ctx,
support splitting mpm ctxs based on direction v2
14 years ago
uint8_t *raw_headers, uint32_t raw_headers_len, uint8_t flags)
support fast pattern for http raw header. Also support relative modifiers for http raw header
15 years ago
{
SCEnter();
uint32_t ret;
support splitting mpm ctxs based on direction v2
14 years ago
if (flags & STREAM_TOSERVER) {
if (det_ctx->sgh->mpm_hrhd_ctx_ts == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hrhd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, raw_headers, raw_headers_len);
code cleanup over last 2 commits
14 years ago
} else {
support splitting mpm ctxs based on direction v2
14 years ago
if (det_ctx->sgh->mpm_hrhd_ctx_tc == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_hrhd_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, raw_headers, raw_headers_len);
}
support fast pattern for http raw header. Also support relative modifiers for http raw header
15 years ago
SCReturnUInt(ret);
}
fast pattern support for http_method. Also support relative modifiers
15 years ago
/**
* \brief Http method match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param method Method to inspect.
* \param method_len Method length.
*
* \retval ret Number of matches.
*/
uint32_t HttpMethodPatternSearch(DetectEngineThreadCtx *det_ctx,
support splitting mpm ctxs based on direction v2
14 years ago
uint8_t *raw_method, uint32_t raw_method_len, uint8_t flags)
fast pattern support for http_method. Also support relative modifiers
15 years ago
{
SCEnter();
uint32_t ret;
support splitting mpm ctxs based on direction v2
14 years ago
if (flags & STREAM_TOSERVER) {
if (det_ctx->sgh->mpm_hmd_ctx_ts == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_hmd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hmd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, raw_method, raw_method_len);
code cleanup over last 2 commits
14 years ago
} else {
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
BUG_ON(1);
support splitting mpm ctxs based on direction v2
14 years ago
}
fast pattern support for http_method. Also support relative modifiers
15 years ago
SCReturnUInt(ret);
}
fast pattern support for http_cookie. Also support relative modifiers
15 years ago
/**
* \brief Http cookie match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param cookie Cookie to inspect.
* \param cookie_len Cookie length.
*
* \retval ret Number of matches.
*/
uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *det_ctx,
support splitting mpm ctxs based on direction v2
14 years ago
uint8_t *cookie, uint32_t cookie_len, uint8_t flags)
fast pattern support for http_cookie. Also support relative modifiers
15 years ago
{
SCEnter();
uint32_t ret;
support splitting mpm ctxs based on direction v2
14 years ago
if (flags & STREAM_TOSERVER) {
if (det_ctx->sgh->mpm_hcd_ctx_ts == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hcd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, cookie, cookie_len);
code cleanup over last 2 commits
14 years ago
} else {
support splitting mpm ctxs based on direction v2
14 years ago
if (det_ctx->sgh->mpm_hcd_ctx_tc == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_hcd_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, cookie, cookie_len);
}
fast pattern support for http_cookie. Also support relative modifiers
15 years ago
SCReturnUInt(ret);
}
support for http_raw_uri keyword + mpm engine
14 years ago
/**
* \brief Http raw uri match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param uri Raw uri to inspect.
* \param uri_len Raw uri length.
*
* \retval ret Number of matches.
*/
uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *det_ctx,
support splitting mpm ctxs based on direction v2
14 years ago
uint8_t *uri, uint32_t uri_len, uint8_t flags)
support for http_raw_uri keyword + mpm engine
14 years ago
{
SCEnter();
uint32_t ret;
support splitting mpm ctxs based on direction v2
14 years ago
if (flags & STREAM_TOSERVER) {
if (det_ctx->sgh->mpm_hrud_ctx_ts == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_hrud_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hrud_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, uri, uri_len);
code cleanup over last 2 commits
14 years ago
} else {
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
BUG_ON(1);
support splitting mpm ctxs based on direction v2
14 years ago
}
support for http_raw_uri keyword + mpm engine
14 years ago
SCReturnUInt(ret);
}
Support http stat msg detection engine, fast pattern(mpm engine included). Fix http stat msg setup function. Fix pcre option for stat msg keyword
14 years ago
/**
* \brief Http stat msg match -- searches for one pattern per signature.
*
Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S
14 years ago
* \param det_ctx Detection engine thread ctx.
* \param stat_msg Stat msg to inspect.
* \param stat_msg_len Stat msg length.
Support http stat msg detection engine, fast pattern(mpm engine included). Fix http stat msg setup function. Fix pcre option for stat msg keyword
14 years ago
*
* \retval ret Number of matches.
*/
uint32_t HttpStatMsgPatternSearch(DetectEngineThreadCtx *det_ctx,
rebase commit for hscd and hsmd patches
14 years ago
uint8_t *stat_msg, uint32_t stat_msg_len, uint8_t flags)
Support http stat msg detection engine, fast pattern(mpm engine included). Fix http stat msg setup function. Fix pcre option for stat msg keyword
14 years ago
{
SCEnter();
uint32_t ret;
rebase commit for hscd and hsmd patches
14 years ago
if (flags & STREAM_TOSERVER) {
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
BUG_ON(1);
rebase commit for hscd and hsmd patches
14 years ago
} else {
if (det_ctx->sgh->mpm_hsmd_ctx_tc == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_hsmd_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_hsmd_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, stat_msg, stat_msg_len);
}
Support http stat msg detection engine, fast pattern(mpm engine included). Fix http stat msg setup function. Fix pcre option for stat msg keyword
14 years ago
SCReturnUInt(ret);
}
Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S
14 years ago
/**
* \brief Http stat code match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param stat_code Stat code to inspect.
* \param stat_code_len Stat code length.
*
* \retval ret Number of matches.
*/
uint32_t HttpStatCodePatternSearch(DetectEngineThreadCtx *det_ctx,
rebase commit for hscd and hsmd patches
14 years ago
uint8_t *stat_code, uint32_t stat_code_len, uint8_t flags)
Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S
14 years ago
{
SCEnter();
uint32_t ret;
rebase commit for hscd and hsmd patches
14 years ago
if (flags & STREAM_TOSERVER) {
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
BUG_ON(1);
rebase commit for hscd and hsmd patches
14 years ago
} else {
if (det_ctx->sgh->mpm_hscd_ctx_tc == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_hscd_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_hscd_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, stat_code, stat_code_len);
}
Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S
14 years ago
SCReturnUInt(ret);
}
http user agent keyword + mpm + inspection + fast pattern support added
13 years ago
/**
* \brief Http user agent match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param cookie User-Agent to inspect.
* \param cookie_len User-Agent buffer length.
*
* \retval ret Number of matches.
*/
uint32_t HttpUAPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *ua, uint32_t ua_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
if (flags & STREAM_TOSERVER) {
if (det_ctx->sgh->mpm_huad_ctx_ts == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_huad_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_huad_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, ua, ua_len);
} else {
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
BUG_ON(1);
http user agent keyword + mpm + inspection + fast pattern support added
13 years ago
}
SCReturnUInt(ret);
}
Add support for a new keyword to inspect http_host header. The corresponding content keyword would now be - http_host. The corresponding pcre modifier would be W.
13 years ago
/**
* \brief Http host header match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param hh Host header to inspect.
* \param hh_len Host header buffer length.
* \param flags Flags
*
* \retval ret Number of matches.
*/
uint32_t HttpHHPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *hh, uint32_t hh_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
if (flags & STREAM_TOSERVER) {
if (det_ctx->sgh->mpm_hhhd_ctx_ts == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_hhhd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hhhd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, hh, hh_len);
} else {
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
BUG_ON(1);
Add support for a new keyword to inspect http_host header. The corresponding content keyword would now be - http_host. The corresponding pcre modifier would be W.
13 years ago
}
SCReturnUInt(ret);
}
Add support for the new keyword - http_raw_host header. The corresponding pcre modifier would be 'Z'.
13 years ago
/**
* \brief Http raw host header match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param hrh Raw hostname to inspect.
* \param hrh_len Raw hostname buffer length.
* \param flags Flags
*
* \retval ret Number of matches.
*/
uint32_t HttpHRHPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *hrh, uint32_t hrh_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
if (flags & STREAM_TOSERVER) {
if (det_ctx->sgh->mpm_hrhhd_ctx_ts == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_hrhhd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hrhhd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, hrh, hrh_len);
} else {
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
BUG_ON(1);
Add support for the new keyword - http_raw_host header. The corresponding pcre modifier would be 'Z'.
13 years ago
}
SCReturnUInt(ret);
}
DNS: enable mpm/fast_pattern support for dns_query
12 years ago
/**
* \brief DNS query match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param hrh Buffer to inspect.
* \param hrh_len buffer length.
* \param flags Flags
*
* \retval ret Number of matches.
*/
uint32_t DnsQueryPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *buffer, uint32_t buffer_len,
uint8_t flags)
{
SCEnter();
Coverity 1038959: DNS mpm might use initialized variable
12 years ago
uint32_t ret = 0;
DNS: enable mpm/fast_pattern support for dns_query
12 years ago
if (flags & STREAM_TOSERVER) {
if (det_ctx->sgh->mpm_dnsquery_ctx_ts == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_dnsquery_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_dnsquery_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, buffer, buffer_len);
}
SCReturnUInt(ret);
}
Inspect the reassembled stream together with the packet payload in the same direction.
15 years ago
/** \brief Pattern match -- searches for only one pattern per signature.
*
* \param det_ctx detection engine thread ctx
Don't scan TCP packet payload if it was added to the stream. Inspect the tcp stream with the correct packet. Should fix #184 and #185.
15 years ago
* \param p packet
Inspect the reassembled stream together with the packet payload in the same direction.
15 years ago
* \param smsg stream msg (reassembled stream data)
Don't scan TCP packet payload if it was added to the stream. Inspect the tcp stream with the correct packet. Should fix #184 and #185.
15 years ago
* \param flags stream flags
Inspect the reassembled stream together with the packet payload in the same direction.
15 years ago
*
* \retval ret number of matches
*/
modify detection engine to carry out uri mpm run before build match array if alproto is http and if sgh has atleast one sig with uri mpm set
15 years ago
uint32_t StreamPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p,
StreamMsg *smsg, uint8_t flags)
Inspect the reassembled stream together with the packet payload in the same direction.
15 years ago
{
SCEnter();
uint32_t ret = 0;
uint8_t cnt = 0;
support splitting mpm ctxs based on direction v2
14 years ago
//PrintRawDataFp(stdout, smsg->data.data, smsg->data.data_len);
uint32_t r;
if (flags & STREAM_TOSERVER) {
for ( ; smsg != NULL; smsg = smsg->next) {
r = mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_stream_ctx_ts, &det_ctx->mtcs,
stream msg: remove structure
12 years ago
&det_ctx->smsg_pmq[cnt], smsg->data, smsg->data_len);
support splitting mpm ctxs based on direction v2
14 years ago
if (r > 0) {
ret += r;
Fixes to stream pattern matching.
15 years ago
support splitting mpm ctxs based on direction v2
14 years ago
SCLogDebug("smsg match stored in det_ctx->smsg_pmq[%u]", cnt);
Inspect the reassembled stream together with the packet payload in the same direction.
15 years ago
support splitting mpm ctxs based on direction v2
14 years ago
/* merge results with overall pmq */
PmqMerge(&det_ctx->smsg_pmq[cnt], &det_ctx->pmq);
}
Fixes to stream pattern matching.
15 years ago
support splitting mpm ctxs based on direction v2
14 years ago
cnt++;
Inspect the reassembled stream together with the packet payload in the same direction.
15 years ago
}
code cleanup over last 2 commits
14 years ago
} else {
support splitting mpm ctxs based on direction v2
14 years ago
for ( ; smsg != NULL; smsg = smsg->next) {
r = mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_stream_ctx_tc, &det_ctx->mtcs,
stream msg: remove structure
12 years ago
&det_ctx->smsg_pmq[cnt], smsg->data, smsg->data_len);
support splitting mpm ctxs based on direction v2
14 years ago
if (r > 0) {
ret += r;
SCLogDebug("smsg match stored in det_ctx->smsg_pmq[%u]", cnt);
/* merge results with overall pmq */
PmqMerge(&det_ctx->smsg_pmq[cnt], &det_ctx->pmq);
}
Inspect the reassembled stream together with the packet payload in the same direction.
15 years ago
support splitting mpm ctxs based on direction v2
14 years ago
cnt++;
}
Inspect the reassembled stream together with the packet payload in the same direction.
15 years ago
}
SCReturnInt(ret);
}
Cleanups
16 years ago
/** \brief cleans up the mpm instance after a match */
Rename all pmt->det_ctx.
16 years ago
void PacketPatternCleanup(ThreadVars *t, DetectEngineThreadCtx *det_ctx) {
PmqReset(&det_ctx->pmq);
big update
17 years ago
Rename all pmt->det_ctx.
16 years ago
if (det_ctx->sgh == NULL)
Put all globals in the detection engine ctx. Add HashList type, a hash that also stores the items ina list to it can be traversed. Many cleanups.
17 years ago
return;
Large update containing the first step to making the detection engine use rule groups. Address based rule groups are now implemented.
17 years ago
/* content */
support splitting mpm ctxs based on direction v2
14 years ago
if (det_ctx->sgh->mpm_proto_tcp_ctx_ts != NULL &&
mpm_table[det_ctx->sgh->mpm_proto_tcp_ctx_ts->mpm_type].Cleanup != NULL) {
mpm_table[det_ctx->sgh->mpm_proto_tcp_ctx_ts->mpm_type].Cleanup(&det_ctx->mtc);
}
if (det_ctx->sgh->mpm_proto_tcp_ctx_tc != NULL &&
mpm_table[det_ctx->sgh->mpm_proto_tcp_ctx_tc->mpm_type].Cleanup != NULL) {
mpm_table[det_ctx->sgh->mpm_proto_tcp_ctx_tc->mpm_type].Cleanup(&det_ctx->mtc);
}
if (det_ctx->sgh->mpm_proto_udp_ctx_ts != NULL &&
mpm_table[det_ctx->sgh->mpm_proto_udp_ctx_ts->mpm_type].Cleanup != NULL) {
mpm_table[det_ctx->sgh->mpm_proto_udp_ctx_ts->mpm_type].Cleanup(&det_ctx->mtc);
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
}
support splitting mpm ctxs based on direction v2
14 years ago
if (det_ctx->sgh->mpm_proto_udp_ctx_tc != NULL &&
mpm_table[det_ctx->sgh->mpm_proto_udp_ctx_tc->mpm_type].Cleanup != NULL) {
mpm_table[det_ctx->sgh->mpm_proto_udp_ctx_tc->mpm_type].Cleanup(&det_ctx->mtc);
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
}
support splitting mpm ctxs based on direction v2
14 years ago
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
if (det_ctx->sgh->mpm_proto_other_ctx != NULL &&
mpm_table[det_ctx->sgh->mpm_proto_other_ctx->mpm_type].Cleanup != NULL) {
mpm_table[det_ctx->sgh->mpm_proto_other_ctx->mpm_type].Cleanup(&det_ctx->mtc);
Initial add of the files.
17 years ago
}
support splitting mpm ctxs based on direction v2
14 years ago
Large update containing the first step to making the detection engine use rule groups. Address based rule groups are now implemented.
17 years ago
/* uricontent */
support splitting mpm ctxs based on direction v2
14 years ago
if (det_ctx->sgh->mpm_uri_ctx_ts != NULL && mpm_table[det_ctx->sgh->mpm_uri_ctx_ts->mpm_type].Cleanup != NULL) {
mpm_table[det_ctx->sgh->mpm_uri_ctx_ts->mpm_type].Cleanup(&det_ctx->mtcu);
}
Moving the stream content scanning to have it's own mpm ctx.
15 years ago
/* stream content */
support splitting mpm ctxs based on direction v2
14 years ago
if (det_ctx->sgh->mpm_stream_ctx_ts != NULL && mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type].Cleanup != NULL) {
mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type].Cleanup(&det_ctx->mtcs);
}
if (det_ctx->sgh->mpm_stream_ctx_tc != NULL && mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type].Cleanup != NULL) {
mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type].Cleanup(&det_ctx->mtcs);
Moving the stream content scanning to have it's own mpm ctx.
15 years ago
}
support splitting mpm ctxs based on direction v2
14 years ago
return;
Moving the stream content scanning to have it's own mpm ctx.
15 years ago
}
void StreamPatternCleanup(ThreadVars *t, DetectEngineThreadCtx *det_ctx, StreamMsg *smsg) {
uint8_t cnt = 0;
while (smsg != NULL) {
PmqReset(&det_ctx->smsg_pmq[cnt]);
smsg = smsg->next;
cnt++;
}
Large update containing the first step to making the detection engine use rule groups. Address based rule groups are now implemented.
17 years ago
}
Get rid of global mpm_ctx.
16 years ago
void PatternMatchDestroy(MpmCtx *mpm_ctx, uint16_t mpm_matcher) {
SCLogDebug("mpm_ctx %p, mpm_matcher %"PRIu16"", mpm_ctx, mpm_matcher);
mpm_table[mpm_matcher].DestroyCtx(mpm_ctx);
}
void PatternMatchPrepare(MpmCtx *mpm_ctx, uint16_t mpm_matcher) {
SCLogDebug("mpm_ctx %p, mpm_matcher %"PRIu16"", mpm_ctx, mpm_matcher);
Update mpm init ctx to not accept the final cuda_rc_module argument. It was a part of our older architecture and is no longer used.
12 years ago
MpmInitCtx(mpm_ctx, mpm_matcher);
Initial add of the files.
17 years ago
}
Get rid of global mpm_ctx.
16 years ago
void PatternMatchThreadPrint(MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher) {
SCLogDebug("mpm_thread_ctx %p, mpm_matcher %"PRIu16" defunct", mpm_thread_ctx, mpm_matcher);
//mpm_table[mpm_matcher].PrintThreadCtx(mpm_thread_ctx);
}
void PatternMatchThreadDestroy(MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher) {
SCLogDebug("mpm_thread_ctx %p, mpm_matcher %"PRIu16"", mpm_thread_ctx, mpm_matcher);
mpm_table[mpm_matcher].DestroyThreadCtx(NULL, mpm_thread_ctx);
}
void PatternMatchThreadPrepare(MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher, uint32_t max_id) {
SCLogDebug("mpm_thread_ctx %p, type %"PRIu16", max_id %"PRIu32"", mpm_thread_ctx, mpm_matcher, max_id);
MpmInitThreadCtx(mpm_thread_ctx, mpm_matcher, max_id);
Large update containing the first step to making the detection engine use rule groups. Address based rule groups are now implemented.
17 years ago
}
/* free the pattern matcher part of a SigGroupHead */
void PatternMatchDestroyGroup(SigGroupHead *sh) {
/* content */
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (!(sh->flags & SIG_GROUP_HEAD_MPM_COPY)) {
update cuda mpm to support per proto mpm contexts. Fix faulty stream mpm usage of cuda
14 years ago
SCLogDebug("destroying mpm_ctx %p (sh %p)",
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_proto_tcp_ctx_ts, sh);
if (sh->mpm_proto_tcp_ctx_ts != NULL &&
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
!sh->mpm_proto_tcp_ctx_ts->global) {
support splitting mpm ctxs based on direction v2
14 years ago
mpm_table[sh->mpm_proto_tcp_ctx_ts->mpm_type].
DestroyCtx(sh->mpm_proto_tcp_ctx_ts);
SCFree(sh->mpm_proto_tcp_ctx_ts);
}
/* ready for reuse */
sh->mpm_proto_tcp_ctx_ts = NULL;
SCLogDebug("destroying mpm_ctx %p (sh %p)",
sh->mpm_proto_tcp_ctx_tc, sh);
if (sh->mpm_proto_tcp_ctx_tc != NULL &&
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
!sh->mpm_proto_tcp_ctx_tc->global) {
support splitting mpm ctxs based on direction v2
14 years ago
mpm_table[sh->mpm_proto_tcp_ctx_tc->mpm_type].
DestroyCtx(sh->mpm_proto_tcp_ctx_tc);
SCFree(sh->mpm_proto_tcp_ctx_tc);
}
/* ready for reuse */
sh->mpm_proto_tcp_ctx_tc = NULL;
SCLogDebug("destroying mpm_ctx %p (sh %p)",
sh->mpm_proto_udp_ctx_ts, sh);
if (sh->mpm_proto_udp_ctx_ts != NULL &&
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
!sh->mpm_proto_udp_ctx_ts->global) {
support splitting mpm ctxs based on direction v2
14 years ago
mpm_table[sh->mpm_proto_udp_ctx_ts->mpm_type].
DestroyCtx(sh->mpm_proto_udp_ctx_ts);
SCFree(sh->mpm_proto_udp_ctx_ts);
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
}
/* ready for reuse */
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_proto_udp_ctx_ts = NULL;
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
update cuda mpm to support per proto mpm contexts. Fix faulty stream mpm usage of cuda
14 years ago
SCLogDebug("destroying mpm_ctx %p (sh %p)",
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_proto_udp_ctx_tc, sh);
if (sh->mpm_proto_udp_ctx_tc != NULL &&
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
!sh->mpm_proto_udp_ctx_tc->global) {
support splitting mpm ctxs based on direction v2
14 years ago
mpm_table[sh->mpm_proto_udp_ctx_tc->mpm_type].
DestroyCtx(sh->mpm_proto_udp_ctx_tc);
SCFree(sh->mpm_proto_udp_ctx_tc);
support single mpm context distribution across sghs in staging. Also see to it that ac works fine with this setup
15 years ago
}
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
/* ready for reuse */
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_proto_udp_ctx_tc = NULL;
Large update containing the first step to making the detection engine use rule groups. Address based rule groups are now implemented.
17 years ago
update cuda mpm to support per proto mpm contexts. Fix faulty stream mpm usage of cuda
14 years ago
SCLogDebug("destroying mpm_ctx %p (sh %p)",
sh->mpm_proto_other_ctx, sh);
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
if (sh->mpm_proto_other_ctx != NULL &&
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
!sh->mpm_proto_other_ctx->global) {
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
mpm_table[sh->mpm_proto_other_ctx->mpm_type].
DestroyCtx(sh->mpm_proto_other_ctx);
SCFree(sh->mpm_proto_other_ctx);
}
Large update containing the first step to making the detection engine use rule groups. Address based rule groups are now implemented.
17 years ago
/* ready for reuse */
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
sh->mpm_proto_other_ctx = NULL;
Large update containing the first step to making the detection engine use rule groups. Address based rule groups are now implemented.
17 years ago
}
/* uricontent */
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
if ((sh->mpm_uri_ctx_ts != NULL) && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) {
support splitting mpm ctxs based on direction v2
14 years ago
if (sh->mpm_uri_ctx_ts != NULL) {
SCLogDebug("destroying mpm_uri_ctx %p (sh %p)", sh->mpm_uri_ctx_ts, sh);
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
if (!sh->mpm_uri_ctx_ts->global) {
support splitting mpm ctxs based on direction v2
14 years ago
mpm_table[sh->mpm_uri_ctx_ts->mpm_type].DestroyCtx(sh->mpm_uri_ctx_ts);
SCFree(sh->mpm_uri_ctx_ts);
}
/* ready for reuse */
sh->mpm_uri_ctx_ts = NULL;
}
Initial add of the files.
17 years ago
}
Moving the stream content scanning to have it's own mpm ctx.
15 years ago
/* stream content */
mpm engine cleanup. Remove unnecessary flags
13 years ago
if ((sh->mpm_stream_ctx_ts != NULL || sh->mpm_stream_ctx_tc != NULL) &&
!(sh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)) {
if (sh->mpm_stream_ctx_ts != NULL) {
SCLogDebug("destroying mpm_stream_ctx %p (sh %p)", sh->mpm_stream_ctx_ts, sh);
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
if (!sh->mpm_stream_ctx_ts->global) {
mpm engine cleanup. Remove unnecessary flags
13 years ago
mpm_table[sh->mpm_stream_ctx_ts->mpm_type].DestroyCtx(sh->mpm_stream_ctx_ts);
SCFree(sh->mpm_stream_ctx_ts);
Fix a content pattern matching bug related to signature grouping and mpm_ctx sharing. In certain conditions (signature combinations) the mpm_stream_ctx (the ctx that handles stream pattern scanning) wasn't properly setup.
15 years ago
}
mpm engine cleanup. Remove unnecessary flags
13 years ago
/* ready for reuse */
sh->mpm_stream_ctx_ts = NULL;
}
if (sh->mpm_stream_ctx_tc != NULL) {
SCLogDebug("destroying mpm_stream_ctx %p (sh %p)", sh->mpm_stream_ctx_tc, sh);
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
if (!sh->mpm_stream_ctx_tc->global) {
mpm engine cleanup. Remove unnecessary flags
13 years ago
mpm_table[sh->mpm_stream_ctx_tc->mpm_type].DestroyCtx(sh->mpm_stream_ctx_tc);
SCFree(sh->mpm_stream_ctx_tc);
support splitting mpm ctxs based on direction v2
14 years ago
}
mpm engine cleanup. Remove unnecessary flags
13 years ago
/* ready for reuse */
sh->mpm_stream_ctx_tc = NULL;
Fix a content pattern matching bug related to signature grouping and mpm_ctx sharing. In certain conditions (signature combinations) the mpm_stream_ctx (the ctx that handles stream pattern scanning) wasn't properly setup.
15 years ago
}
Moving the stream content scanning to have it's own mpm ctx.
15 years ago
}
support splitting mpm ctxs based on direction v2
14 years ago
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
if (sh->mpm_hcbd_ctx_ts != NULL) {
mpm engine and ac mem free fixes
13 years ago
if (sh->mpm_hcbd_ctx_ts != NULL) {
if (!sh->mpm_hcbd_ctx_ts->global) {
mpm_table[sh->mpm_hcbd_ctx_ts->mpm_type].DestroyCtx(sh->mpm_hcbd_ctx_ts);
SCFree(sh->mpm_hcbd_ctx_ts);
}
sh->mpm_hcbd_ctx_ts = NULL;
}
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
if (sh->mpm_hsbd_ctx_tc != NULL) {
mpm engine and ac mem free fixes
13 years ago
if (sh->mpm_hsbd_ctx_tc != NULL) {
if (!sh->mpm_hsbd_ctx_tc->global) {
mpm_table[sh->mpm_hsbd_ctx_tc->mpm_type].DestroyCtx(sh->mpm_hsbd_ctx_tc);
SCFree(sh->mpm_hsbd_ctx_tc);
}
sh->mpm_hsbd_ctx_tc = NULL;
}
}
if (sh->mpm_hhd_ctx_ts != NULL || sh->mpm_hhd_ctx_tc != NULL) {
if (sh->mpm_hhd_ctx_ts != NULL) {
if (!sh->mpm_hhd_ctx_ts->global) {
mpm_table[sh->mpm_hhd_ctx_ts->mpm_type].DestroyCtx(sh->mpm_hhd_ctx_ts);
SCFree(sh->mpm_hhd_ctx_ts);
}
sh->mpm_hhd_ctx_ts = NULL;
}
if (sh->mpm_hhd_ctx_tc != NULL) {
if (!sh->mpm_hhd_ctx_tc->global) {
mpm_table[sh->mpm_hhd_ctx_tc->mpm_type].DestroyCtx(sh->mpm_hhd_ctx_tc);
SCFree(sh->mpm_hhd_ctx_tc);
}
sh->mpm_hhd_ctx_tc = NULL;
}
}
if (sh->mpm_hrhd_ctx_ts != NULL || sh->mpm_hrhd_ctx_tc != NULL) {
if (sh->mpm_hrhd_ctx_ts != NULL) {
if (!sh->mpm_hrhd_ctx_ts->global) {
mpm_table[sh->mpm_hrhd_ctx_ts->mpm_type].DestroyCtx(sh->mpm_hrhd_ctx_ts);
SCFree(sh->mpm_hrhd_ctx_ts);
}
sh->mpm_hrhd_ctx_ts = NULL;
}
if (sh->mpm_hrhd_ctx_tc != NULL) {
if (!sh->mpm_hrhd_ctx_tc->global) {
mpm_table[sh->mpm_hrhd_ctx_tc->mpm_type].DestroyCtx(sh->mpm_hrhd_ctx_tc);
SCFree(sh->mpm_hrhd_ctx_tc);
}
sh->mpm_hrhd_ctx_tc = NULL;
}
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
if (sh->mpm_hmd_ctx_ts != NULL) {
mpm engine and ac mem free fixes
13 years ago
if (sh->mpm_hmd_ctx_ts != NULL) {
if (!sh->mpm_hmd_ctx_ts->global) {
mpm_table[sh->mpm_hmd_ctx_ts->mpm_type].DestroyCtx(sh->mpm_hmd_ctx_ts);
SCFree(sh->mpm_hmd_ctx_ts);
}
sh->mpm_hmd_ctx_ts = NULL;
}
}
if (sh->mpm_hcd_ctx_ts != NULL || sh->mpm_hcd_ctx_tc != NULL) {
if (sh->mpm_hcd_ctx_ts != NULL) {
if (!sh->mpm_hcd_ctx_ts->global) {
mpm_table[sh->mpm_hcd_ctx_ts->mpm_type].DestroyCtx(sh->mpm_hcd_ctx_ts);
SCFree(sh->mpm_hcd_ctx_ts);
}
sh->mpm_hcd_ctx_ts = NULL;
}
if (sh->mpm_hcd_ctx_tc != NULL) {
if (!sh->mpm_hcd_ctx_tc->global) {
mpm_table[sh->mpm_hcd_ctx_tc->mpm_type].DestroyCtx(sh->mpm_hcd_ctx_tc);
SCFree(sh->mpm_hcd_ctx_tc);
}
sh->mpm_hcd_ctx_tc = NULL;
}
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
if (sh->mpm_hrud_ctx_ts != NULL) {
mpm engine and ac mem free fixes
13 years ago
if (sh->mpm_hrud_ctx_ts != NULL) {
if (!sh->mpm_hrud_ctx_ts->global) {
mpm_table[sh->mpm_hrud_ctx_ts->mpm_type].DestroyCtx(sh->mpm_hrud_ctx_ts);
SCFree(sh->mpm_hrud_ctx_ts);
}
sh->mpm_hrud_ctx_ts = NULL;
}
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
if (sh->mpm_hsmd_ctx_tc != NULL) {
mpm engine and ac mem free fixes
13 years ago
if (sh->mpm_hsmd_ctx_tc != NULL) {
if (!sh->mpm_hsmd_ctx_tc->global) {
mpm_table[sh->mpm_hsmd_ctx_tc->mpm_type].DestroyCtx(sh->mpm_hsmd_ctx_tc);
SCFree(sh->mpm_hsmd_ctx_tc);
}
sh->mpm_hsmd_ctx_tc = NULL;
}
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
if (sh->mpm_hscd_ctx_tc != NULL) {
mpm engine and ac mem free fixes
13 years ago
if (sh->mpm_hscd_ctx_tc != NULL) {
if (!sh->mpm_hscd_ctx_tc->global) {
mpm_table[sh->mpm_hscd_ctx_tc->mpm_type].DestroyCtx(sh->mpm_hscd_ctx_tc);
SCFree(sh->mpm_hscd_ctx_tc);
}
sh->mpm_hscd_ctx_tc = NULL;
}
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
if (sh->mpm_huad_ctx_ts != NULL) {
mpm engine and ac mem free fixes
13 years ago
if (sh->mpm_huad_ctx_ts != NULL) {
if (!sh->mpm_huad_ctx_ts->global) {
mpm_table[sh->mpm_huad_ctx_ts->mpm_type].DestroyCtx(sh->mpm_huad_ctx_ts);
SCFree(sh->mpm_huad_ctx_ts);
}
sh->mpm_huad_ctx_ts = NULL;
}
}
DNS: enable mpm/fast_pattern support for dns_query
12 years ago
/* dns query */
if (sh->mpm_dnsquery_ctx_ts != NULL) {
if (!sh->mpm_dnsquery_ctx_ts->global) {
mpm_table[sh->mpm_dnsquery_ctx_ts->mpm_type].DestroyCtx(sh->mpm_dnsquery_ctx_ts);
SCFree(sh->mpm_dnsquery_ctx_ts);
}
sh->mpm_dnsquery_ctx_ts = NULL;
}
support splitting mpm ctxs based on direction v2
14 years ago
return;
Initial add of the files.
17 years ago
}
Cleanups
16 years ago
/** \brief Hash for looking up contents that are most used,
* always used, etc. */
Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore.
16 years ago
typedef struct ContentHash_ {
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
DetectContentData *ptr;
64 bit cleanup part2
16 years ago
uint16_t cnt;
uint8_t use; /* use no matter what */
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
} ContentHash;
Use same mpm prepare procedure for uricontent as for normal content. More cleanups.
15 years ago
typedef struct UricontentHash_ {
unifying content structure - uricontent now uses DetectContentData
15 years ago
DetectContentData *ptr;
Use same mpm prepare procedure for uricontent as for normal content. More cleanups.
15 years ago
uint16_t cnt;
uint8_t use; /* use no matter what */
} UricontentHash;
64 bit cleanup part2
16 years ago
uint32_t ContentHashFunc(HashTable *ht, void *data, uint16_t datalen) {
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
ContentHash *ch = (ContentHash *)data;
DetectContentData *co = ch->ptr;
64 bit cleanup part2
16 years ago
uint32_t hash = 0;
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
int i;
for (i = 0; i < co->content_len; i++) {
hash += co->content[i];
}
hash = hash % ht->array_size;
support for sslv2/sslv3 their unit tests and better stream no reassembly flag handling
15 years ago
SCLogDebug("hash %" PRIu32 "", hash);
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
return hash;
}
Use same mpm prepare procedure for uricontent as for normal content. More cleanups.
15 years ago
uint32_t UricontentHashFunc(HashTable *ht, void *data, uint16_t datalen) {
UricontentHash *ch = (UricontentHash *)data;
unifying content structure - uricontent now uses DetectContentData
15 years ago
DetectContentData *ud = ch->ptr;
Use same mpm prepare procedure for uricontent as for normal content. More cleanups.
15 years ago
uint32_t hash = 0;
int i;
Change the struct members uricontent and uricontent_len in DetectUricontentData to content and content_len. Make replacements everywhere else in the codebase to accomodate these changes
15 years ago
for (i = 0; i < ud->content_len; i++) {
hash += ud->content[i];
Use same mpm prepare procedure for uricontent as for normal content. More cleanups.
15 years ago
}
hash = hash % ht->array_size;
SCLogDebug("hash %" PRIu32 "", hash);
return hash;
}
64 bit cleanup part2
16 years ago
char ContentHashCompareFunc(void *data1, uint16_t len1, void *data2, uint16_t len2) {
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
ContentHash *ch1 = (ContentHash *)data1;
ContentHash *ch2 = (ContentHash *)data2;
DetectContentData *co1 = ch1->ptr;
DetectContentData *co2 = ch2->ptr;
if (co1->content_len == co2->content_len &&
hash fix in staging to differentiate nocase duplicate patterns from case-senstive ones
15 years ago
((co1->flags & DETECT_CONTENT_NOCASE) == (co2->flags & DETECT_CONTENT_NOCASE)) &&
Add memcmp api with a plain memcmp function and a SSE3 accelerated memcmp.
15 years ago
SCMemcmp(co1->content, co2->content, co1->content_len) == 0)
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
return 1;
return 0;
}
Use same mpm prepare procedure for uricontent as for normal content. More cleanups.
15 years ago
char UricontentHashCompareFunc(void *data1, uint16_t len1, void *data2, uint16_t len2) {
UricontentHash *ch1 = (UricontentHash *)data1;
UricontentHash *ch2 = (UricontentHash *)data2;
unifying content structure - uricontent now uses DetectContentData
15 years ago
DetectContentData *ud1 = ch1->ptr;
DetectContentData *ud2 = ch2->ptr;
Use same mpm prepare procedure for uricontent as for normal content. More cleanups.
15 years ago
Change the struct members uricontent and uricontent_len in DetectUricontentData to content and content_len. Make replacements everywhere else in the codebase to accomodate these changes
15 years ago
if (ud1->content_len == ud2->content_len &&
unifying content structure - uricontent now uses DetectContentData
15 years ago
((ud1->flags & DETECT_CONTENT_NOCASE) == (ud2->flags & DETECT_CONTENT_NOCASE)) &&
Change the struct members uricontent and uricontent_len in DetectUricontentData to content and content_len. Make replacements everywhere else in the codebase to accomodate these changes
15 years ago
SCMemcmp(ud1->content, ud2->content, ud1->content_len) == 0)
Use same mpm prepare procedure for uricontent as for normal content. More cleanups.
15 years ago
return 1;
return 0;
}
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
ContentHash *ContentHashAlloc(DetectContentData *ptr) {
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
ContentHash *ch = SCMalloc(sizeof(ContentHash));
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(ch == NULL))
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
return NULL;
ch->ptr = ptr;
ch->cnt = 1;
ch->use = 0;
return ch;
}
unifying content structure - uricontent now uses DetectContentData
15 years ago
UricontentHash *UricontentHashAlloc(DetectContentData *ptr) {
Use same mpm prepare procedure for uricontent as for normal content. More cleanups.
15 years ago
UricontentHash *ch = SCMalloc(sizeof(UricontentHash));
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(ch == NULL))
Use same mpm prepare procedure for uricontent as for normal content. More cleanups.
15 years ago
return NULL;
ch->ptr = ptr;
ch->cnt = 1;
ch->use = 0;
return ch;
}
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
void ContentHashFree(void *ch) {
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
SCFree(ch);
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
}
Use same mpm prepare procedure for uricontent as for normal content. More cleanups.
15 years ago
void UricontentHashFree(void *ch) {
SCFree(ch);
}
Cleanups
16 years ago
/** \brief Predict a strength value for patterns
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
*
Remove more scan references.
16 years ago
* Patterns with high character diversity score higher.
* Alpha chars score not so high
* Other printable + a few common codes a little higher
* Everything else highest.
* Longer patterns score better than short patters.
*
* \param pat pattern
* \param patlen length of the patternn
*
* \retval s pattern score
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
*/
Remove more scan references.
16 years ago
uint32_t PatternStrength(uint8_t *pat, uint16_t patlen) {
64 bit cleanup part2
16 years ago
uint8_t a[256];
Remove more scan references.
16 years ago
memset(&a, 0 ,sizeof(a));
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
64 bit cleanup part2
16 years ago
uint32_t s = 0;
uint16_t u = 0;
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
for (u = 0; u < patlen; u++) {
if (a[pat[u]] == 0) {
if (isalpha(pat[u]))
Remove more scan references.
16 years ago
s += 3;
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
else if (isprint(pat[u]) || pat[u] == 0x00 || pat[u] == 0x01 || pat[u] == 0xFF)
Remove more scan references.
16 years ago
s += 4;
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
else
Remove more scan references.
16 years ago
s += 6;
Big detection engine update: scan improvements, b2g/b3g updates, bloom fixes, iponly detection implementation, dsize/flow grouping.
17 years ago
a[pat[u]] = 1;
} else {
s++;
}
}
return s;
}
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
static void PopulateMpmHelperAddPatternToPktCtx(MpmCtx *mpm_ctx,
DetectContentData *cd,
Signature *s, uint8_t flags,
int chop)
{
if (cd->flags & DETECT_CONTENT_NOCASE) {
if (chop) {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCI(mpm_ctx,
cd->content + cd->fp_chop_offset, cd->fp_chop_len,
0, 0,
cd->id, s->num, flags);
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
} else {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCI(mpm_ctx,
cd->content, cd->content_len,
0, 0,
cd->id, s->num, flags);
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
}
} else {
if (chop) {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCS(mpm_ctx,
cd->content + cd->fp_chop_offset, cd->fp_chop_len,
0, 0,
cd->id, s->num, flags);
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
} else {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCS(mpm_ctx,
cd->content, cd->content_len,
0, 0,
cd->id, s->num, flags);
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
}
}
return;
}
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags
15 years ago
static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
SigGroupHead *sgh, Signature *s,
SigMatch *mpm_sm)
use a single populatempm() function to add the right content for mpm
15 years ago
{
store the content added for mpm inside Signature. also carry out an unconditional cleanup of packet pattern matcher pmq det_ctx->pmq
15 years ago
s->mpm_sm = mpm_sm;
remove unnecessary if/else checks
14 years ago
if (mpm_sm == NULL) {
SCLogDebug("%"PRIu32" no mpm pattern selected", s->id);
return;
}
All uricontent modified patterns now are DETECT_CONTENT and not DETECT_URICONTENT. Step towards unifying all content based patterns. Makes way for easier management of patterns
14 years ago
int sm_list = SigMatchListSMBelongsTo(s, mpm_sm);
if (sm_list == -1)
BUG_ON(SigMatchListSMBelongsTo(s, mpm_sm) == -1);
fix indentation
14 years ago
uint8_t flags = 0;
DetectContentData *cd = NULL;
refactor all http mpm engine code
14 years ago
All uricontent modified patterns now are DETECT_CONTENT and not DETECT_URICONTENT. Step towards unifying all content based patterns. Makes way for easier management of patterns
14 years ago
switch (sm_list) {
case DETECT_SM_LIST_PMATCH:
fix indentation
14 years ago
{
cd = (DetectContentData *)mpm_sm->ctx;
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
fix for bug #577. If a pattern has matched on mpm, don't re-inspect it later, subject to certain conditions met by the pattern - namely, not negated, right chop, no replacet attached to it.
13 years ago
if (DETECT_CONTENT_IS_SINGLE(cd) &&
!(cd->flags & DETECT_CONTENT_NEGATED) &&
!(cd->flags & DETECT_CONTENT_REPLACE) &&
cd->content_len == cd->fp_chop_len) {
cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
}
fix indentation
14 years ago
/* add the content to the "packet" mpm */
if (SignatureHasPacketContent(s)) {
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
if (s->proto.proto[6 / 8] & 1 << (6 % 8)) {
support splitting mpm ctxs based on direction v2
14 years ago
if (s->flags & SIG_FLAG_TOSERVER) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_tcp_ctx_ts,
cd, s, flags, 1);
}
if (s->flags & SIG_FLAG_TOCLIENT) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_tcp_ctx_tc,
cd, s, flags, 1);
}
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
}
if (s->proto.proto[17 / 8] & 1 << (17 % 8)) {
support splitting mpm ctxs based on direction v2
14 years ago
if (s->flags & SIG_FLAG_TOSERVER) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_udp_ctx_ts,
cd, s, flags, 1);
}
if (s->flags & SIG_FLAG_TOCLIENT) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_udp_ctx_tc,
cd, s, flags, 1);
}
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
}
int i;
for (i = 0; i < 256; i++) {
if (i == 6 || i == 17)
continue;
if (s->proto.proto[i / 8] & (1 << (i % 8))) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_other_ctx,
cd, s, flags, 1);
break;
}
Add unittests for checking content flags. Fix indentation in PopulateMpmAddPatternToMpm(). Also fix DETECT_CONTENT_IS_SINGLE
15 years ago
}
fix indentation
14 years ago
/* tell matcher we are inspecting packet */
s->flags |= SIG_FLAG_MPM_PACKET;
s->mpm_pattern_id_div_8 = cd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
if (cd->flags & DETECT_CONTENT_NEGATED) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_PACKET_NEG;
use a single populatempm() function to add the right content for mpm
15 years ago
}
Add unittests for checking content flags. Fix indentation in PopulateMpmAddPatternToMpm(). Also fix DETECT_CONTENT_IS_SINGLE
15 years ago
}
modify detection engine to carry out uri mpm run before build match array if alproto is http and if sgh has atleast one sig with uri mpm set
15 years ago
if (SignatureHasStreamContent(s)) {
fix indentation
14 years ago
if (cd->flags & DETECT_CONTENT_NOCASE) {
support splitting mpm ctxs based on direction v2
14 years ago
if (s->flags & SIG_FLAG_TOSERVER) {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCI(sgh->mpm_stream_ctx_ts,
cd->content + cd->fp_chop_offset, cd->fp_chop_len,
0, 0,
cd->id, s->num, flags);
support splitting mpm ctxs based on direction v2
14 years ago
}
if (s->flags & SIG_FLAG_TOCLIENT) {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCI(sgh->mpm_stream_ctx_tc,
cd->content + cd->fp_chop_offset, cd->fp_chop_len,
0, 0,
cd->id, s->num, flags);
support splitting mpm ctxs based on direction v2
14 years ago
}
Add unittests for checking content flags. Fix indentation in PopulateMpmAddPatternToMpm(). Also fix DETECT_CONTENT_IS_SINGLE
15 years ago
} else {
support splitting mpm ctxs based on direction v2
14 years ago
if (s->flags & SIG_FLAG_TOSERVER) {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCS(sgh->mpm_stream_ctx_ts,
cd->content + cd->fp_chop_offset, cd->fp_chop_len,
0, 0,
cd->id, s->num, flags);
support splitting mpm ctxs based on direction v2
14 years ago
}
if (s->flags & SIG_FLAG_TOCLIENT) {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCS(sgh->mpm_stream_ctx_tc,
cd->content + cd->fp_chop_offset, cd->fp_chop_len,
0, 0,
cd->id, s->num, flags);
support splitting mpm ctxs based on direction v2
14 years ago
}
Add unittests for checking content flags. Fix indentation in PopulateMpmAddPatternToMpm(). Also fix DETECT_CONTENT_IS_SINGLE
15 years ago
}
fix indentation
14 years ago
/* tell matcher we are inspecting stream */
s->flags |= SIG_FLAG_MPM_STREAM;
s->mpm_pattern_id_div_8 = cd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
if (cd->flags & DETECT_CONTENT_NEGATED) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_STREAM_NEG;
Add unittests for checking content flags. Fix indentation in PopulateMpmAddPatternToMpm(). Also fix DETECT_CONTENT_IS_SINGLE
15 years ago
}
}
fix indentation
14 years ago
} else {
fix for bug #577. If a pattern has matched on mpm, don't re-inspect it later, subject to certain conditions met by the pattern - namely, not negated, right chop, no replacet attached to it.
13 years ago
if (DETECT_CONTENT_IS_SINGLE(cd) &&
!(cd->flags & DETECT_CONTENT_NEGATED) &&
!(cd->flags & DETECT_CONTENT_REPLACE)) {
cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
}
fast pattern support for http_client_body keyword added. Also mpm support for http_client_body added
15 years ago
fix indentation
14 years ago
if (SignatureHasPacketContent(s)) {
/* add the content to the "packet" mpm */
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
if (s->proto.proto[6 / 8] & 1 << (6 % 8)) {
support splitting mpm ctxs based on direction v2
14 years ago
if (s->flags & SIG_FLAG_TOSERVER) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_tcp_ctx_ts,
cd, s, flags, 0);
}
if (s->flags & SIG_FLAG_TOCLIENT) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_tcp_ctx_tc,
cd, s, flags, 0);
}
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
}
if (s->proto.proto[17 / 8] & 1 << (17 % 8)) {
support splitting mpm ctxs based on direction v2
14 years ago
if (s->flags & SIG_FLAG_TOSERVER) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_udp_ctx_ts,
cd, s, flags, 0);
}
if (s->flags & SIG_FLAG_TOCLIENT) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_udp_ctx_tc,
cd, s, flags, 0);
}
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
}
int i;
for (i = 0; i < 256; i++) {
if (i == 6 || i == 17)
continue;
if (s->proto.proto[i / 8] & (1 << (i % 8))) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_other_ctx,
cd, s, flags, 0);
break;
}
fix indentation
14 years ago
}
/* tell matcher we are inspecting packet */
s->flags |= SIG_FLAG_MPM_PACKET;
s->mpm_pattern_id_div_8 = cd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
if (cd->flags & DETECT_CONTENT_NEGATED) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_PACKET_NEG;
fast pattern support for http_client_body keyword added. Also mpm support for http_client_body added
15 years ago
}
}
fix indentation
14 years ago
if (SignatureHasStreamContent(s)) {
/* add the content to the "packet" mpm */
if (cd->flags & DETECT_CONTENT_NOCASE) {
support splitting mpm ctxs based on direction v2
14 years ago
if (s->flags & SIG_FLAG_TOSERVER) {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCI(sgh->mpm_stream_ctx_ts,
cd->content, cd->content_len,
0, 0,
cd->id, s->num, flags);
support splitting mpm ctxs based on direction v2
14 years ago
}
if (s->flags & SIG_FLAG_TOCLIENT) {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCI(sgh->mpm_stream_ctx_tc,
cd->content, cd->content_len,
0, 0,
cd->id, s->num, flags);
support splitting mpm ctxs based on direction v2
14 years ago
}
Introduce http_server_body keyword. The http_server_body content modifier modifies the previous content to inspect the normalized (dechunked, unzipped) http_server_body. The workings are similar to http_client_body. Additionally, a new pcre flag was introduced "/S". To facilitate this change the signature flags field was changed to be 64 bit.
14 years ago
} else {
support splitting mpm ctxs based on direction v2
14 years ago
if (s->flags & SIG_FLAG_TOSERVER) {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCS(sgh->mpm_stream_ctx_ts,
cd->content, cd->content_len,
0, 0,
cd->id, s->num, flags);
support splitting mpm ctxs based on direction v2
14 years ago
}
if (s->flags & SIG_FLAG_TOCLIENT) {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCS(sgh->mpm_stream_ctx_tc,
cd->content, cd->content_len,
0, 0,
cd->id, s->num, flags);
support splitting mpm ctxs based on direction v2
14 years ago
}
fix indentation
14 years ago
}
/* tell matcher we are inspecting stream */
s->flags |= SIG_FLAG_MPM_STREAM;
s->mpm_pattern_id_div_8 = cd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
if (cd->flags & DETECT_CONTENT_NEGATED) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_STREAM_NEG;
Introduce http_server_body keyword. The http_server_body content modifier modifies the previous content to inspect the normalized (dechunked, unzipped) http_server_body. The workings are similar to http_client_body. Additionally, a new pcre flag was introduced "/S". To facilitate this change the signature flags field was changed to be 64 bit.
14 years ago
}
fix indentation
14 years ago
}
}
if (SignatureHasPacketContent(s)) {
sgh->flags |= SIG_GROUP_HEAD_MPM_PACKET;
}
if (SignatureHasStreamContent(s)) {
sgh->flags |= SIG_GROUP_HEAD_MPM_STREAM;
}
break;
} /* case DETECT_CONTENT */
All uricontent modified patterns now are DETECT_CONTENT and not DETECT_URICONTENT. Step towards unifying all content based patterns. Makes way for easier management of patterns
14 years ago
case DETECT_SM_LIST_UMATCH:
case DETECT_SM_LIST_HRUDMATCH:
case DETECT_SM_LIST_HCBDMATCH:
case DETECT_SM_LIST_HSBDMATCH:
case DETECT_SM_LIST_HHDMATCH:
case DETECT_SM_LIST_HRHDMATCH:
case DETECT_SM_LIST_HMDMATCH:
case DETECT_SM_LIST_HCDMATCH:
case DETECT_SM_LIST_HSMDMATCH:
case DETECT_SM_LIST_HSCDMATCH:
http user agent keyword + mpm + inspection + fast pattern support added
13 years ago
case DETECT_SM_LIST_HUADMATCH:
Add support for a new keyword to inspect http_host header. The corresponding content keyword would now be - http_host. The corresponding pcre modifier would be W.
13 years ago
case DETECT_SM_LIST_HHHDMATCH:
Add support for the new keyword - http_raw_host header. The corresponding pcre modifier would be 'Z'.
13 years ago
case DETECT_SM_LIST_HRHHDMATCH:
DNS: enable mpm/fast_pattern support for dns_query
12 years ago
case DETECT_SM_LIST_DNSQUERY_MATCH:
fix indentation
14 years ago
{
support splitting mpm ctxs based on direction v2
14 years ago
MpmCtx *mpm_ctx_ts = NULL;
MpmCtx *mpm_ctx_tc = NULL;
some more mpm engine cleanup
13 years ago
cd = (DetectContentData *)mpm_sm->ctx;
refactor all http mpm engine code
14 years ago
All uricontent modified patterns now are DETECT_CONTENT and not DETECT_URICONTENT. Step towards unifying all content based patterns. Makes way for easier management of patterns
14 years ago
if (sm_list == DETECT_SM_LIST_UMATCH) {
support splitting mpm ctxs based on direction v2
14 years ago
if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_uri_ctx_ts;
Fix sgh mpm flags assignment
12 years ago
sgh->flags |= SIG_GROUP_HEAD_MPM_URI;
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER;
some more mpm engine cleanup
13 years ago
if (cd->flags & DETECT_CONTENT_NEGATED)
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER_NEG;
All uricontent modified patterns now are DETECT_CONTENT and not DETECT_URICONTENT. Step towards unifying all content based patterns. Makes way for easier management of patterns
14 years ago
} else if (sm_list == DETECT_SM_LIST_HCBDMATCH) {
support splitting mpm ctxs based on direction v2
14 years ago
if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_hcbd_ctx_ts;
Fix sgh mpm flags assignment
12 years ago
sgh->flags |= SIG_GROUP_HEAD_MPM_HCBD;
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER;
some more mpm engine cleanup
13 years ago
if (cd->flags & DETECT_CONTENT_NEGATED)
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER_NEG;
All uricontent modified patterns now are DETECT_CONTENT and not DETECT_URICONTENT. Step towards unifying all content based patterns. Makes way for easier management of patterns
14 years ago
} else if (sm_list == DETECT_SM_LIST_HSBDMATCH) {
support splitting mpm ctxs based on direction v2
14 years ago
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hsbd_ctx_tc;
Fix sgh mpm flags assignment
12 years ago
sgh->flags |= SIG_GROUP_HEAD_MPM_HSBD;
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER;
some more mpm engine cleanup
13 years ago
if (cd->flags & DETECT_CONTENT_NEGATED)
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER_NEG;
All uricontent modified patterns now are DETECT_CONTENT and not DETECT_URICONTENT. Step towards unifying all content based patterns. Makes way for easier management of patterns
14 years ago
} else if (sm_list == DETECT_SM_LIST_HHDMATCH) {
support splitting mpm ctxs based on direction v2
14 years ago
if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_hhd_ctx_ts;
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hhd_ctx_tc;
Fix sgh mpm flags assignment
12 years ago
sgh->flags |= SIG_GROUP_HEAD_MPM_HHD;
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER;
some more mpm engine cleanup
13 years ago
if (cd->flags & DETECT_CONTENT_NEGATED)
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER_NEG;
All uricontent modified patterns now are DETECT_CONTENT and not DETECT_URICONTENT. Step towards unifying all content based patterns. Makes way for easier management of patterns
14 years ago
} else if (sm_list == DETECT_SM_LIST_HRHDMATCH) {
support splitting mpm ctxs based on direction v2
14 years ago
if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_hrhd_ctx_ts;
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hrhd_ctx_tc;
Fix sgh mpm flags assignment
12 years ago
sgh->flags |= SIG_GROUP_HEAD_MPM_HRHD;
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER;
some more mpm engine cleanup
13 years ago
if (cd->flags & DETECT_CONTENT_NEGATED)
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER_NEG;
All uricontent modified patterns now are DETECT_CONTENT and not DETECT_URICONTENT. Step towards unifying all content based patterns. Makes way for easier management of patterns
14 years ago
} else if (sm_list == DETECT_SM_LIST_HMDMATCH) {
support splitting mpm ctxs based on direction v2
14 years ago
if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_hmd_ctx_ts;
Fix sgh mpm flags assignment
12 years ago
sgh->flags |= SIG_GROUP_HEAD_MPM_HMD;
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER;
some more mpm engine cleanup
13 years ago
if (cd->flags & DETECT_CONTENT_NEGATED)
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER_NEG;
All uricontent modified patterns now are DETECT_CONTENT and not DETECT_URICONTENT. Step towards unifying all content based patterns. Makes way for easier management of patterns
14 years ago
} else if (sm_list == DETECT_SM_LIST_HCDMATCH) {
support splitting mpm ctxs based on direction v2
14 years ago
if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_hcd_ctx_ts;
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hcd_ctx_tc;
Fix sgh mpm flags assignment
12 years ago
sgh->flags |= SIG_GROUP_HEAD_MPM_HCD;
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER;
some more mpm engine cleanup
13 years ago
if (cd->flags & DETECT_CONTENT_NEGATED)
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER_NEG;
All uricontent modified patterns now are DETECT_CONTENT and not DETECT_URICONTENT. Step towards unifying all content based patterns. Makes way for easier management of patterns
14 years ago
} else if (sm_list == DETECT_SM_LIST_HRUDMATCH) {
support splitting mpm ctxs based on direction v2
14 years ago
if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_hrud_ctx_ts;
Fix sgh mpm flags assignment
12 years ago
sgh->flags |= SIG_GROUP_HEAD_MPM_HRUD;
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER;
some more mpm engine cleanup
13 years ago
if (cd->flags & DETECT_CONTENT_NEGATED)
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER_NEG;
All uricontent modified patterns now are DETECT_CONTENT and not DETECT_URICONTENT. Step towards unifying all content based patterns. Makes way for easier management of patterns
14 years ago
} else if (sm_list == DETECT_SM_LIST_HSMDMATCH) {
rebase commit for hscd and hsmd patches
14 years ago
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hsmd_ctx_tc;
Fix sgh mpm flags assignment
12 years ago
sgh->flags |= SIG_GROUP_HEAD_MPM_HSMD;
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER;
some more mpm engine cleanup
13 years ago
if (cd->flags & DETECT_CONTENT_NEGATED)
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER_NEG;
All uricontent modified patterns now are DETECT_CONTENT and not DETECT_URICONTENT. Step towards unifying all content based patterns. Makes way for easier management of patterns
14 years ago
} else if (sm_list == DETECT_SM_LIST_HSCDMATCH) {
rebase commit for hscd and hsmd patches
14 years ago
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hscd_ctx_tc;
Fix sgh mpm flags assignment
12 years ago
sgh->flags |= SIG_GROUP_HEAD_MPM_HSCD;
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER;
some more mpm engine cleanup
13 years ago
if (cd->flags & DETECT_CONTENT_NEGATED)
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER_NEG;
http user agent keyword + mpm + inspection + fast pattern support added
13 years ago
} else if (sm_list == DETECT_SM_LIST_HUADMATCH) {
if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_huad_ctx_ts;
Fix sgh mpm flags assignment
12 years ago
sgh->flags |= SIG_GROUP_HEAD_MPM_HUAD;
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER;
some more mpm engine cleanup
13 years ago
if (cd->flags & DETECT_CONTENT_NEGATED)
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER_NEG;
Add support for a new keyword to inspect http_host header. The corresponding content keyword would now be - http_host. The corresponding pcre modifier would be W.
13 years ago
} else if (sm_list == DETECT_SM_LIST_HHHDMATCH) {
if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_hhhd_ctx_ts;
Fix sgh mpm flags assignment
12 years ago
sgh->flags |= SIG_GROUP_HEAD_MPM_HHHD;
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER;
Add support for a new keyword to inspect http_host header. The corresponding content keyword would now be - http_host. The corresponding pcre modifier would be W.
13 years ago
if (cd->flags & DETECT_CONTENT_NEGATED)
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER_NEG;
Add support for the new keyword - http_raw_host header. The corresponding pcre modifier would be 'Z'.
13 years ago
} else if (sm_list == DETECT_SM_LIST_HRHHDMATCH) {
if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_hrhhd_ctx_ts;
Fix sgh mpm flags assignment
12 years ago
sgh->flags |= SIG_GROUP_HEAD_MPM_HRHHD;
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER;
Add support for the new keyword - http_raw_host header. The corresponding pcre modifier would be 'Z'.
13 years ago
if (cd->flags & DETECT_CONTENT_NEGATED)
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER_NEG;
DNS: enable mpm/fast_pattern support for dns_query
12 years ago
} else if (sm_list == DETECT_SM_LIST_DNSQUERY_MATCH) {
if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_dnsquery_ctx_ts;
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = NULL;
Fix sgh mpm flags assignment
12 years ago
sgh->flags |= SIG_GROUP_HEAD_MPM_DNSQUERY;
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER;
DNS: enable mpm/fast_pattern support for dns_query
12 years ago
if (cd->flags & DETECT_CONTENT_NEGATED)
detect-engine: do a direct update of flag There is no reason not to update the flag directly. So do it to avoid to crash the test.
12 years ago
s->flags |= SIG_FLAG_MPM_APPLAYER_NEG;
fix indentation
14 years ago
}
refactor all http mpm engine code
14 years ago
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
fix for bug #577. If a pattern has matched on mpm, don't re-inspect it later, subject to certain conditions met by the pattern - namely, not negated, right chop, no replacet attached to it.
13 years ago
if (DETECT_CONTENT_IS_SINGLE(cd) &&
!(cd->flags & DETECT_CONTENT_NEGATED) &&
!(cd->flags & DETECT_CONTENT_REPLACE) &&
cd->content_len == cd->fp_chop_len) {
cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
}
refactor all http mpm engine code
14 years ago
/* add the content to the mpm */
if (cd->flags & DETECT_CONTENT_NOCASE) {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_ctx_ts != NULL) {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCI(mpm_ctx_ts,
cd->content + cd->fp_chop_offset, cd->fp_chop_len,
0, 0,
cd->id, s->num, flags);
support splitting mpm ctxs based on direction v2
14 years ago
}
if (mpm_ctx_tc != NULL) {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCI(mpm_ctx_tc,
cd->content + cd->fp_chop_offset, cd->fp_chop_len,
0, 0,
cd->id, s->num, flags);
support splitting mpm ctxs based on direction v2
14 years ago
}
fix indentation
14 years ago
} else {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_ctx_ts != NULL) {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCS(mpm_ctx_ts,
cd->content + cd->fp_chop_offset,
cd->fp_chop_len,
0, 0, cd->id, s->num, flags);
support splitting mpm ctxs based on direction v2
14 years ago
}
if (mpm_ctx_tc != NULL) {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCS(mpm_ctx_tc,
cd->content + cd->fp_chop_offset,
cd->fp_chop_len,
0, 0, cd->id, s->num, flags);
support splitting mpm ctxs based on direction v2
14 years ago
}
fix indentation
14 years ago
}
} else {
fix for bug #577. If a pattern has matched on mpm, don't re-inspect it later, subject to certain conditions met by the pattern - namely, not negated, right chop, no replacet attached to it.
13 years ago
if (DETECT_CONTENT_IS_SINGLE(cd) &&
!(cd->flags & DETECT_CONTENT_NEGATED) &&
!(cd->flags & DETECT_CONTENT_REPLACE)) {
cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
}
refactor all http mpm engine code
14 years ago
/* add the content to the "uri" mpm */
if (cd->flags & DETECT_CONTENT_NOCASE) {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_ctx_ts != NULL) {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCI(mpm_ctx_ts,
cd->content, cd->content_len,
0, 0,
cd->id, s->num, flags);
support splitting mpm ctxs based on direction v2
14 years ago
}
if (mpm_ctx_tc != NULL) {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCI(mpm_ctx_tc,
cd->content, cd->content_len,
0, 0,
cd->id, s->num, flags);
support splitting mpm ctxs based on direction v2
14 years ago
}
fix indentation
14 years ago
} else {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_ctx_ts != NULL) {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCS(mpm_ctx_ts,
cd->content, cd->content_len,
0, 0,
cd->id, s->num, flags);
support splitting mpm ctxs based on direction v2
14 years ago
}
if (mpm_ctx_tc != NULL) {
Code cleanup. Use the MpmAddPattern[CS|CI] wrapper to add patterns to the mpm context. Also use MpmInitCtx() to init the mpm context.
12 years ago
MpmAddPatternCS(mpm_ctx_tc,
cd->content, cd->content_len,
0, 0,
cd->id, s->num, flags);
support splitting mpm ctxs based on direction v2
14 years ago
}
support for http_raw_uri keyword + mpm engine
14 years ago
}
fix indentation
14 years ago
}
refactor all http mpm engine code
14 years ago
/* tell matcher we are inspecting uri */
s->mpm_pattern_id_div_8 = cd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
support for http_raw_uri keyword + mpm engine
14 years ago
fix indentation
14 years ago
break;
refactor all http mpm engine code
14 years ago
}
fix indentation
14 years ago
} /* switch (mpm_sm->type) */
Add unittests for checking content flags. Fix indentation in PopulateMpmAddPatternToMpm(). Also fix DETECT_CONTENT_IS_SINGLE
15 years ago
fix indentation
14 years ago
SCLogDebug("%"PRIu32" adding cd->id %"PRIu32" to the mpm phase "
"(s->num %"PRIu32")", s->id,
((DetectContentData *)mpm_sm->ctx)->id, s->num);
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags
15 years ago
Add unittests for checking content flags. Fix indentation in PopulateMpmAddPatternToMpm(). Also fix DETECT_CONTENT_IS_SINGLE
15 years ago
return;
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags
15 years ago
}
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
SigMatch *RetrieveFPForSig(Signature *s)
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags
15 years ago
{
After some discussion we decided that var declarations inside a for statement are not in line with our coding style. So removing a bunch. Decision was not unanimous ^^.
13 years ago
SigMatch *mpm_sm = NULL, *sm = NULL;
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
uint8_t has_non_negated_non_stream_pattern = 0;
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags
15 years ago
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
if (s->mpm_sm != NULL)
return s->mpm_sm;
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags
15 years ago
After some discussion we decided that var declarations inside a for statement are not in line with our coding style. So removing a bunch. Decision was not unanimous ^^.
13 years ago
int list_id;
for (list_id = 0 ; list_id < DETECT_SM_LIST_MAX; list_id++) {
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
/* we have no keywords that support fp in this Signature sm list */
if (!FastPatternSupportEnabledForSigMatchList(list_id))
store the content added for mpm inside Signature. also carry out an unconditional cleanup of packet pattern matcher pmq det_ctx->pmq
15 years ago
continue;
After some discussion we decided that var declarations inside a for statement are not in line with our coding style. So removing a bunch. Decision was not unanimous ^^.
13 years ago
for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) {
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
/* this keyword isn't registered for fp support */
if (sm->type != DETECT_CONTENT)
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags
15 years ago
continue;
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_FAST_PATTERN)
return sm;
if (!(cd->flags & DETECT_CONTENT_NEGATED) &&
(list_id != DETECT_SM_LIST_PMATCH) &&
(list_id != DETECT_SM_LIST_HMDMATCH) &&
(list_id != DETECT_SM_LIST_HSMDMATCH) &&
(list_id != DETECT_SM_LIST_HSCDMATCH)) {
has_non_negated_non_stream_pattern = 1;
}
}
}
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags
15 years ago
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
int max_len = 0;
int max_len_negated = 0;
int max_len_non_negated = 0;
After some discussion we decided that var declarations inside a for statement are not in line with our coding style. So removing a bunch. Decision was not unanimous ^^.
13 years ago
for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
if (!FastPatternSupportEnabledForSigMatchList(list_id))
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags
15 years ago
continue;
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
if (has_non_negated_non_stream_pattern &&
((list_id == DETECT_SM_LIST_PMATCH) ||
(list_id == DETECT_SM_LIST_HMDMATCH) ||
(list_id == DETECT_SM_LIST_HSMDMATCH) ||
(list_id == DETECT_SM_LIST_HSCDMATCH))) {
store the content added for mpm inside Signature. also carry out an unconditional cleanup of packet pattern matcher pmq det_ctx->pmq
15 years ago
continue;
}
After some discussion we decided that var declarations inside a for statement are not in line with our coding style. So removing a bunch. Decision was not unanimous ^^.
13 years ago
for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) {
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
if (sm->type != DETECT_CONTENT)
continue;
store the content added for mpm inside Signature. also carry out an unconditional cleanup of packet pattern matcher pmq det_ctx->pmq
15 years ago
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_NEGATED) {
if (max_len_negated < cd->content_len)
max_len_negated = cd->content_len;
} else {
if (max_len_non_negated < cd->content_len)
max_len_non_negated = cd->content_len;
}
}
}
Give priority to non stream content over stream content when selecting fast pattern.
13 years ago
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
int skip_negated_content = 0;
if (max_len_non_negated == 0) {
max_len = max_len_negated;
skip_negated_content = 0;
} else {
max_len = max_len_non_negated;
skip_negated_content = 1;
}
store the content added for mpm inside Signature. also carry out an unconditional cleanup of packet pattern matcher pmq det_ctx->pmq
15 years ago
After some discussion we decided that var declarations inside a for statement are not in line with our coding style. So removing a bunch. Decision was not unanimous ^^.
13 years ago
for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
if (!FastPatternSupportEnabledForSigMatchList(list_id))
continue;
store the content added for mpm inside Signature. also carry out an unconditional cleanup of packet pattern matcher pmq det_ctx->pmq
15 years ago
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
if (has_non_negated_non_stream_pattern &&
((list_id == DETECT_SM_LIST_PMATCH) ||
(list_id == DETECT_SM_LIST_HMDMATCH) ||
(list_id == DETECT_SM_LIST_HSMDMATCH) ||
(list_id == DETECT_SM_LIST_HSCDMATCH))) {
continue;
store the content added for mpm inside Signature. also carry out an unconditional cleanup of packet pattern matcher pmq det_ctx->pmq
15 years ago
}
After some discussion we decided that var declarations inside a for statement are not in line with our coding style. So removing a bunch. Decision was not unanimous ^^.
13 years ago
for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) {
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
if (sm->type != DETECT_CONTENT)
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags
15 years ago
continue;
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
DetectContentData *cd = (DetectContentData *)sm->ctx;
if ((cd->flags & DETECT_CONTENT_NEGATED) && skip_negated_content)
continue;
if (cd->content_len < max_len)
Give priority to non stream content over stream content when selecting fast pattern.
13 years ago
continue;
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags
15 years ago
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
if (mpm_sm == NULL) {
mpm_sm = sm;
} else {
DetectContentData *data1 = (DetectContentData *)sm->ctx;
DetectContentData *data2 = (DetectContentData *)mpm_sm->ctx;
uint32_t ls = PatternStrength(data1->content, data1->content_len);
uint32_t ss = PatternStrength(data2->content, data2->content_len);
if (ls > ss) {
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags
15 years ago
mpm_sm = sm;
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
} else if (ls == ss) {
/* if 2 patterns are of equal strength, we pick the longest */
if (data1->content_len > data2->content_len)
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags
15 years ago
mpm_sm = sm;
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
} else {
SCLogDebug("sticking with mpm_sm");
}
} /* else - if (mpm == NULL) */
} /* for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) */
} /* for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) */
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags
15 years ago
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
return mpm_sm;
}
Clean up detection engine mpm initialization phase.
15 years ago
Fast pattern setup now configurable in our code. You can either enable/disable fp for a particular type + set priority.
13 years ago
SigMatch *RetrieveFPForSigV2(Signature *s)
{
if (s->mpm_sm != NULL)
return s->mpm_sm;
After some discussion we decided that var declarations inside a for statement are not in line with our coding style. So removing a bunch. Decision was not unanimous ^^.
13 years ago
SigMatch *mpm_sm = NULL, *sm = NULL;
Fast pattern setup now configurable in our code. You can either enable/disable fp for a particular type + set priority.
13 years ago
int nn_sm_list[DETECT_SM_LIST_MAX];
int n_sm_list[DETECT_SM_LIST_MAX];
memset(nn_sm_list, 0, sizeof(nn_sm_list));
memset(n_sm_list, 0, sizeof(n_sm_list));
int count_nn_sm_list = 0;
int count_n_sm_list = 0;
After some discussion we decided that var declarations inside a for statement are not in line with our coding style. So removing a bunch. Decision was not unanimous ^^.
13 years ago
int list_id;
Fast pattern setup now configurable in our code. You can either enable/disable fp for a particular type + set priority.
13 years ago
After some discussion we decided that var declarations inside a for statement are not in line with our coding style. So removing a bunch. Decision was not unanimous ^^.
13 years ago
for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
Fast pattern setup now configurable in our code. You can either enable/disable fp for a particular type + set priority.
13 years ago
if (!FastPatternSupportEnabledForSigMatchList(list_id))
continue;
After some discussion we decided that var declarations inside a for statement are not in line with our coding style. So removing a bunch. Decision was not unanimous ^^.
13 years ago
for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) {
Fast pattern setup now configurable in our code. You can either enable/disable fp for a particular type + set priority.
13 years ago
if (sm->type != DETECT_CONTENT)
continue;
DetectContentData *cd = (DetectContentData *)sm->ctx;
if ((cd->flags & DETECT_CONTENT_FAST_PATTERN))
return sm;
if (cd->flags & DETECT_CONTENT_NEGATED) {
n_sm_list[list_id] = 1;
count_n_sm_list++;
} else {
nn_sm_list[list_id] = 1;
count_nn_sm_list++;
}
} /* for */
} /* for */
int *curr_sm_list = NULL;
int skip_negated_content = 1;
if (count_nn_sm_list > 0) {
curr_sm_list = nn_sm_list;
} else if (count_n_sm_list > 0) {
curr_sm_list = n_sm_list;
skip_negated_content = 0;
} else {
return NULL;
}
int final_sm_list[DETECT_SM_LIST_MAX];
int count_final_sm_list = 0;
After some discussion we decided that var declarations inside a for statement are not in line with our coding style. So removing a bunch. Decision was not unanimous ^^.
13 years ago
int priority;
Fast pattern setup now configurable in our code. You can either enable/disable fp for a particular type + set priority.
13 years ago
SCFPSupportSMList *tmp = sm_fp_support_smlist_list;
while (tmp != NULL) {
After some discussion we decided that var declarations inside a for statement are not in line with our coding style. So removing a bunch. Decision was not unanimous ^^.
13 years ago
for (priority = tmp->priority;
Fast pattern setup now configurable in our code. You can either enable/disable fp for a particular type + set priority.
13 years ago
tmp != NULL && priority == tmp->priority;
tmp = tmp->next) {
if (curr_sm_list[tmp->list_id] == 0)
continue;
final_sm_list[count_final_sm_list++] = tmp->list_id;
}
if (count_final_sm_list != 0)
break;
}
BUG_ON(count_final_sm_list == 0);
int max_len = 0;
After some discussion we decided that var declarations inside a for statement are not in line with our coding style. So removing a bunch. Decision was not unanimous ^^.
13 years ago
int i;
for (i = 0; i < count_final_sm_list; i++) {
for (sm = s->sm_lists[final_sm_list[i]]; sm != NULL; sm = sm->next) {
Fast pattern setup now configurable in our code. You can either enable/disable fp for a particular type + set priority.
13 years ago
if (sm->type != DETECT_CONTENT)
continue;
DetectContentData *cd = (DetectContentData *)sm->ctx;
/* skip_negated_content is only set if there's absolutely no
* non-negated content present in the sig */
if ((cd->flags & DETECT_CONTENT_NEGATED) && skip_negated_content)
continue;
if (max_len < cd->content_len)
max_len = cd->content_len;
}
}
After some discussion we decided that var declarations inside a for statement are not in line with our coding style. So removing a bunch. Decision was not unanimous ^^.
13 years ago
for (i = 0; i < count_final_sm_list; i++) {
for (sm = s->sm_lists[final_sm_list[i]]; sm != NULL; sm = sm->next) {
Fast pattern setup now configurable in our code. You can either enable/disable fp for a particular type + set priority.
13 years ago
if (sm->type != DETECT_CONTENT)
continue;
DetectContentData *cd = (DetectContentData *)sm->ctx;
/* skip_negated_content is only set if there's absolutely no
* non-negated content present in the sig */
if ((cd->flags & DETECT_CONTENT_NEGATED) && skip_negated_content)
continue;
if (cd->content_len != max_len)
continue;
if (mpm_sm == NULL) {
mpm_sm = sm;
} else {
DetectContentData *data1 = (DetectContentData *)sm->ctx;
DetectContentData *data2 = (DetectContentData *)mpm_sm->ctx;
uint32_t ls = PatternStrength(data1->content, data1->content_len);
uint32_t ss = PatternStrength(data2->content, data2->content_len);
if (ls > ss) {
mpm_sm = sm;
} else if (ls == ss) {
/* if 2 patterns are of equal strength, we pick the longest */
if (data1->content_len > data2->content_len)
mpm_sm = sm;
} else {
SCLogDebug("sticking with mpm_sm");
}
} /* else - if */
} /* for */
} /* for */
return mpm_sm;
}
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
/**
* \internal
* \brief Setup the mpm content.
*
* \param de_ctx Pointer to the detect engine context.
* \param sgh Pointer to the signature group head against which we are
* adding patterns to the mpm ctx.
*
* \retval 0 Always.
*/
static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
SigGroupHead *sgh)
{
After some discussion we decided that var declarations inside a for statement are not in line with our coding style. So removing a bunch. Decision was not unanimous ^^.
13 years ago
uint32_t sig = 0;
for (sig = 0; sig < sgh->sig_cnt; sig++) {
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
Signature *s = sgh->match_array[sig];
if (s == NULL)
continue;
Figure out sig fp during validation stage, instead of staging stage.
13 years ago
PopulateMpmAddPatternToMpm(de_ctx, sgh, s, s->mpm_sm);
feature #558. Print FP info in rule analysis + other cleanup.
13 years ago
} /* for (sig = 0; sig < sgh->sig_cnt; sig++) */
Clean up detection engine mpm initialization phase.
15 years ago
return 0;
}
Fixes for issues found by static code analyzer.
16 years ago
/** \brief Prepare the pattern matcher ctx in a sig group head.
Initial add of the files.
17 years ago
*
Fixes for issues found by static code analyzer.
16 years ago
* \todo determine if a content match can set the 'single' flag
* \todo do error checking
* \todo rewrite the COPY stuff
Initial add of the files.
17 years ago
*/
Rename some detection engine related files.
17 years ago
int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
Initial add of the files.
17 years ago
{
Fixes for issues found by static code analyzer.
16 years ago
Signature *s = NULL;
Fix a content pattern matching bug related to signature grouping and mpm_ctx sharing. In certain conditions (signature combinations) the mpm_stream_ctx (the ctx that handles stream pattern scanning) wasn't properly setup.
15 years ago
uint32_t has_co_packet = 0; /**< our sgh has packet payload inspecting content */
Clean up detection engine mpm initialization phase.
15 years ago
uint32_t has_co_stream = 0; /**< our sgh has stream inspecting content */
uint32_t has_co_uri = 0; /**< our sgh has uri inspecting content */
mpm and fast pattern support for http_header. Also support relative modifiers for http_header
15 years ago
/* used to indicate if sgh has atleast one sig with http_client_body */
fast pattern support for http_client_body keyword added. Also mpm support for http_client_body added
15 years ago
uint32_t has_co_hcbd = 0;
Introduce http_server_body keyword. The http_server_body content modifier modifies the previous content to inspect the normalized (dechunked, unzipped) http_server_body. The workings are similar to http_client_body. Additionally, a new pcre flag was introduced "/S". To facilitate this change the signature flags field was changed to be 64 bit.
14 years ago
/* used to indicate if sgh has atleast one sig with http_server_body */
uint32_t has_co_hsbd = 0;
mpm and fast pattern support for http_header. Also support relative modifiers for http_header
15 years ago
/* used to indicate if sgh has atleast one sig with http_header */
uint32_t has_co_hhd = 0;
support fast pattern for http raw header. Also support relative modifiers for http raw header
15 years ago
/* used to indicate if sgh has atleast one sig with http_raw_header */
uint32_t has_co_hrhd = 0;
fast pattern support for http_method. Also support relative modifiers
15 years ago
/* used to indicate if sgh has atleast one sig with http_method */
uint32_t has_co_hmd = 0;
fast pattern support for http_cookie. Also support relative modifiers
15 years ago
/* used to indicate if sgh has atleast one sig with http_cookie */
uint32_t has_co_hcd = 0;
support for http_raw_uri keyword + mpm engine
14 years ago
/* used to indicate if sgh has atleast one sig with http_raw_uri */
uint32_t has_co_hrud = 0;
Support http stat msg detection engine, fast pattern(mpm engine included). Fix http stat msg setup function. Fix pcre option for stat msg keyword
14 years ago
/* used to indicate if sgh has atleast one sig with http_stat_msg */
uint32_t has_co_hsmd = 0;
Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S
14 years ago
/* used to indicate if sgh has atleast one sig with http_stat_code */
uint32_t has_co_hscd = 0;
http user agent keyword + mpm + inspection + fast pattern support added
13 years ago
/* used to indicate if sgh has atleast one sig with http_user_agent */
uint32_t has_co_huad = 0;
Add support for a new keyword to inspect http_host header. The corresponding content keyword would now be - http_host. The corresponding pcre modifier would be W.
13 years ago
/* used to indicate if sgh has atleast one sig with http_host */
uint32_t has_co_hhhd = 0;
Add support for the new keyword - http_raw_host header. The corresponding pcre modifier would be 'Z'.
13 years ago
/* used to indicate if sgh has atleast one sig with http_raw_host */
uint32_t has_co_hrhhd = 0;
store the content added for mpm inside Signature. also carry out an unconditional cleanup of packet pattern matcher pmq det_ctx->pmq
15 years ago
//uint32_t cnt = 0;
Fixes for issues found by static code analyzer.
16 years ago
uint32_t sig = 0;
DNS: enable mpm/fast_pattern support for dns_query
12 years ago
/* sgh has at least one sig with dns_query */
int has_co_dnsquery = 0;
Large update containing the first step to making the detection engine use rule groups. Address based rule groups are now implemented.
17 years ago
Clean up detection engine mpm initialization phase.
15 years ago
/* see if this head has content and/or uricontent */
Rename some detection engine related files.
17 years ago
for (sig = 0; sig < sh->sig_cnt; sig++) {
Improve stateful uri detection code.
15 years ago
s = sh->match_array[sig];
Rename some detection engine related files.
17 years ago
if (s == NULL)
continue;
Large update containing the first step to making the detection engine use rule groups. Address based rule groups are now implemented.
17 years ago
Fix a content pattern matching bug related to signature grouping and mpm_ctx sharing. In certain conditions (signature combinations) the mpm_stream_ctx (the ctx that handles stream pattern scanning) wasn't properly setup.
15 years ago
if (SignatureHasPacketContent(s) == 1) {
has_co_packet = 1;
}
if (SignatureHasStreamContent(s) == 1) {
has_co_stream = 1;
Convert uricontent to use new scanning methods as well. Move http_method and http_cookie keywords out of pmatch list for now.
16 years ago
}
All uricontent modified patterns now are DETECT_CONTENT and not DETECT_URICONTENT. Step towards unifying all content based patterns. Makes way for easier management of patterns
14 years ago
if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) {
has_co_uri = 1;
Large update containing the first step to making the detection engine use rule groups. Address based rule groups are now implemented.
17 years ago
}
fast pattern support for http_client_body keyword added. Also mpm support for http_client_body added
15 years ago
if (s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL) {
has_co_hcbd = 1;
}
mpm and fast pattern support for http_header. Also support relative modifiers for http_header
15 years ago
Introduce http_server_body keyword. The http_server_body content modifier modifies the previous content to inspect the normalized (dechunked, unzipped) http_server_body. The workings are similar to http_client_body. Additionally, a new pcre flag was introduced "/S". To facilitate this change the signature flags field was changed to be 64 bit.
14 years ago
if (s->sm_lists[DETECT_SM_LIST_HSBDMATCH] != NULL) {
has_co_hsbd = 1;
}
mpm and fast pattern support for http_header. Also support relative modifiers for http_header
15 years ago
if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) {
has_co_hhd = 1;
}
support fast pattern for http raw header. Also support relative modifiers for http raw header
15 years ago
if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) {
has_co_hrhd = 1;
}
fast pattern support for http_method. Also support relative modifiers
15 years ago
if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) {
has_co_hmd = 1;
}
fast pattern support for http_cookie. Also support relative modifiers
15 years ago
if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) {
has_co_hcd = 1;
}
support for http_raw_uri keyword + mpm engine
14 years ago
if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
has_co_hrud = 1;
}
Support http stat msg detection engine, fast pattern(mpm engine included). Fix http stat msg setup function. Fix pcre option for stat msg keyword
14 years ago
if (s->sm_lists[DETECT_SM_LIST_HSMDMATCH] != NULL) {
has_co_hsmd = 1;
}
Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S
14 years ago
if (s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL) {
has_co_hscd = 1;
}
http user agent keyword + mpm + inspection + fast pattern support added
13 years ago
if (s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL) {
has_co_huad = 1;
}
Add support for a new keyword to inspect http_host header. The corresponding content keyword would now be - http_host. The corresponding pcre modifier would be W.
13 years ago
if (s->sm_lists[DETECT_SM_LIST_HHHDMATCH] != NULL) {
has_co_hhhd = 1;
}
Add support for the new keyword - http_raw_host header. The corresponding pcre modifier would be 'Z'.
13 years ago
if (s->sm_lists[DETECT_SM_LIST_HRHHDMATCH] != NULL) {
has_co_hrhhd = 1;
}
DNS: enable mpm/fast_pattern support for dns_query
12 years ago
if (s->sm_lists[DETECT_SM_LIST_DNSQUERY_MATCH] != NULL) {
has_co_dnsquery = 1;
}
Large update containing the first step to making the detection engine use rule groups. Address based rule groups are now implemented.
17 years ago
}
Initial add of the files.
17 years ago
/* intialize contexes */
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (has_co_packet) {
support single mpm context distribution across sghs in staging. Also see to it that ac works fine with this setup
15 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_proto_tcp_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_proto_tcp_packet, 0);
sh->mpm_proto_tcp_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_proto_tcp_packet, 1);
support single mpm context distribution across sghs in staging. Also see to it that ac works fine with this setup
15 years ago
} else {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_proto_tcp_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0);
sh->mpm_proto_tcp_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1);
support single mpm context distribution across sghs in staging. Also see to it that ac works fine with this setup
15 years ago
}
support splitting mpm ctxs based on direction v2
14 years ago
if (sh->mpm_proto_tcp_ctx_ts == NULL || sh->mpm_proto_tcp_ctx_tc == NULL) {
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
SCLogDebug("sh->mpm_proto_tcp_ctx == NULL. This should never happen");
fast pattern support for http_client_body keyword added. Also mpm support for http_client_body added
15 years ago
exit(EXIT_FAILURE);
}
Update mpm init ctx to not accept the final cuda_rc_module argument. It was a part of our older architecture and is no longer used.
12 years ago
MpmInitCtx(sh->mpm_proto_tcp_ctx_ts, de_ctx->mpm_matcher);
MpmInitCtx(sh->mpm_proto_tcp_ctx_tc, de_ctx->mpm_matcher);
Large update containing the first step to making the detection engine use rule groups. Address based rule groups are now implemented.
17 years ago
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_proto_udp_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_proto_udp_packet, 0);
sh->mpm_proto_udp_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_proto_udp_packet, 1);
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
} else {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_proto_udp_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0);
sh->mpm_proto_udp_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1);
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
}
support splitting mpm ctxs based on direction v2
14 years ago
if (sh->mpm_proto_udp_ctx_ts == NULL || sh->mpm_proto_udp_ctx_tc == NULL) {
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
SCLogDebug("sh->mpm_proto_udp_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
}
Update mpm init ctx to not accept the final cuda_rc_module argument. It was a part of our older architecture and is no longer used.
12 years ago
MpmInitCtx(sh->mpm_proto_udp_ctx_ts, de_ctx->mpm_matcher);
MpmInitCtx(sh->mpm_proto_udp_ctx_tc, de_ctx->mpm_matcher);
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
sh->mpm_proto_other_ctx =
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_proto_other_packet, 0);
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
} else {
sh->mpm_proto_other_ctx =
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0);
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
}
if (sh->mpm_proto_other_ctx == NULL) {
SCLogDebug("sh->mpm_proto_other_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
}
Update mpm init ctx to not accept the final cuda_rc_module argument. It was a part of our older architecture and is no longer used.
12 years ago
MpmInitCtx(sh->mpm_proto_other_ctx, de_ctx->mpm_matcher);
mpm engine cleanup. Remove unnecessary flags
13 years ago
} /* if (has_co_packet) */
Moving the stream content scanning to have it's own mpm ctx.
15 years ago
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (has_co_stream) {
support single mpm context distribution across sghs in staging. Also see to it that ac works fine with this setup
15 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_stream_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_stream, 0);
sh->mpm_stream_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_stream, 1);
support single mpm context distribution across sghs in staging. Also see to it that ac works fine with this setup
15 years ago
} else {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_stream_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0);
sh->mpm_stream_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1);
support single mpm context distribution across sghs in staging. Also see to it that ac works fine with this setup
15 years ago
}
Minor fix for detection engine setup error check cppcheck said: [detect-engine-mpm.c:2075] -> [detect-engine-mpm.c:2075]: (style) Same expression on both sides of '||'.
12 years ago
if (sh->mpm_stream_ctx_tc == NULL || sh->mpm_stream_ctx_ts == NULL) {
fast pattern support for http_client_body keyword added. Also mpm support for http_client_body added
15 years ago
SCLogDebug("sh->mpm_stream_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
}
Update mpm init ctx to not accept the final cuda_rc_module argument. It was a part of our older architecture and is no longer used.
12 years ago
MpmInitCtx(sh->mpm_stream_ctx_ts, de_ctx->mpm_matcher);
MpmInitCtx(sh->mpm_stream_ctx_tc, de_ctx->mpm_matcher);
Initial add of the files.
17 years ago
}
Fix a content pattern matching bug related to signature grouping and mpm_ctx sharing. In certain conditions (signature combinations) the mpm_stream_ctx (the ctx that handles stream pattern scanning) wasn't properly setup.
15 years ago
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (has_co_uri) {
support single mpm context distribution across sghs in staging. Also see to it that ac works fine with this setup
15 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_uri_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_uri, 0);
support single mpm context distribution across sghs in staging. Also see to it that ac works fine with this setup
15 years ago
} else {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_uri_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0);
support single mpm context distribution across sghs in staging. Also see to it that ac works fine with this setup
15 years ago
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
if (sh->mpm_uri_ctx_ts == NULL) {
fast pattern support for http_client_body keyword added. Also mpm support for http_client_body added
15 years ago
SCLogDebug("sh->mpm_uri_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
}
Initial add of the files.
17 years ago
Update mpm init ctx to not accept the final cuda_rc_module argument. It was a part of our older architecture and is no longer used.
12 years ago
MpmInitCtx(sh->mpm_uri_ctx_ts, de_ctx->mpm_matcher);
Large update containing the first step to making the detection engine use rule groups. Address based rule groups are now implemented.
17 years ago
}
Initial add of the files.
17 years ago
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (has_co_hcbd) {
fast pattern support for http_client_body keyword added. Also mpm support for http_client_body added
15 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_hcbd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_hcbd, 0);
fast pattern support for http_client_body keyword added. Also mpm support for http_client_body added
15 years ago
} else {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_hcbd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0);
fast pattern support for http_client_body keyword added. Also mpm support for http_client_body added
15 years ago
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
if (sh->mpm_hcbd_ctx_ts == NULL) {
mpm and fast pattern support for http_header. Also support relative modifiers for http_header
15 years ago
SCLogDebug("sh->mpm_hcbd_ctx == NULL. This should never happen");
fast pattern support for http_client_body keyword added. Also mpm support for http_client_body added
15 years ago
exit(EXIT_FAILURE);
}
Update mpm init ctx to not accept the final cuda_rc_module argument. It was a part of our older architecture and is no longer used.
12 years ago
MpmInitCtx(sh->mpm_hcbd_ctx_ts, de_ctx->mpm_matcher);
fast pattern support for http_client_body keyword added. Also mpm support for http_client_body added
15 years ago
}
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (has_co_hsbd) {
Introduce http_server_body keyword. The http_server_body content modifier modifies the previous content to inspect the normalized (dechunked, unzipped) http_server_body. The workings are similar to http_client_body. Additionally, a new pcre flag was introduced "/S". To facilitate this change the signature flags field was changed to be 64 bit.
14 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_hsbd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_hsbd, 1);
Introduce http_server_body keyword. The http_server_body content modifier modifies the previous content to inspect the normalized (dechunked, unzipped) http_server_body. The workings are similar to http_client_body. Additionally, a new pcre flag was introduced "/S". To facilitate this change the signature flags field was changed to be 64 bit.
14 years ago
} else {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_hsbd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1);
Introduce http_server_body keyword. The http_server_body content modifier modifies the previous content to inspect the normalized (dechunked, unzipped) http_server_body. The workings are similar to http_client_body. Additionally, a new pcre flag was introduced "/S". To facilitate this change the signature flags field was changed to be 64 bit.
14 years ago
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
if (sh->mpm_hsbd_ctx_tc == NULL) {
Introduce http_server_body keyword. The http_server_body content modifier modifies the previous content to inspect the normalized (dechunked, unzipped) http_server_body. The workings are similar to http_client_body. Additionally, a new pcre flag was introduced "/S". To facilitate this change the signature flags field was changed to be 64 bit.
14 years ago
SCLogDebug("sh->mpm_hsbd_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
}
Update mpm init ctx to not accept the final cuda_rc_module argument. It was a part of our older architecture and is no longer used.
12 years ago
MpmInitCtx(sh->mpm_hsbd_ctx_tc, de_ctx->mpm_matcher);
Introduce http_server_body keyword. The http_server_body content modifier modifies the previous content to inspect the normalized (dechunked, unzipped) http_server_body. The workings are similar to http_client_body. Additionally, a new pcre flag was introduced "/S". To facilitate this change the signature flags field was changed to be 64 bit.
14 years ago
}
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (has_co_hhd) {
mpm and fast pattern support for http_header. Also support relative modifiers for http_header
15 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_hhd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_hhd, 0);
sh->mpm_hhd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_hhd, 1);
mpm and fast pattern support for http_header. Also support relative modifiers for http_header
15 years ago
} else {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_hhd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0);
sh->mpm_hhd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1);
mpm and fast pattern support for http_header. Also support relative modifiers for http_header
15 years ago
}
support splitting mpm ctxs based on direction v2
14 years ago
if (sh->mpm_hhd_ctx_ts == NULL || sh->mpm_hhd_ctx_tc == NULL) {
mpm and fast pattern support for http_header. Also support relative modifiers for http_header
15 years ago
SCLogDebug("sh->mpm_hhd_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
}
Update mpm init ctx to not accept the final cuda_rc_module argument. It was a part of our older architecture and is no longer used.
12 years ago
MpmInitCtx(sh->mpm_hhd_ctx_ts, de_ctx->mpm_matcher);
MpmInitCtx(sh->mpm_hhd_ctx_tc, de_ctx->mpm_matcher);
mpm and fast pattern support for http_header. Also support relative modifiers for http_header
15 years ago
}
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (has_co_hrhd) {
support fast pattern for http raw header. Also support relative modifiers for http raw header
15 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_hrhd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_hrhd, 0);
sh->mpm_hrhd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_hrhd, 1);
support fast pattern for http raw header. Also support relative modifiers for http raw header
15 years ago
} else {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_hrhd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0);
sh->mpm_hrhd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1);
support fast pattern for http raw header. Also support relative modifiers for http raw header
15 years ago
}
support splitting mpm ctxs based on direction v2
14 years ago
if (sh->mpm_hrhd_ctx_ts == NULL || sh->mpm_hrhd_ctx_tc == NULL) {
support fast pattern for http raw header. Also support relative modifiers for http raw header
15 years ago
SCLogDebug("sh->mpm_hrhd_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
}
Update mpm init ctx to not accept the final cuda_rc_module argument. It was a part of our older architecture and is no longer used.
12 years ago
MpmInitCtx(sh->mpm_hrhd_ctx_ts, de_ctx->mpm_matcher);
MpmInitCtx(sh->mpm_hrhd_ctx_tc, de_ctx->mpm_matcher);
support fast pattern for http raw header. Also support relative modifiers for http raw header
15 years ago
}
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (has_co_hmd) {
fast pattern support for http_method. Also support relative modifiers
15 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_hmd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_hmd, 0);
fast pattern support for http_method. Also support relative modifiers
15 years ago
} else {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_hmd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0);
fast pattern support for http_method. Also support relative modifiers
15 years ago
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
if (sh->mpm_hmd_ctx_ts == NULL) {
fast pattern support for http_method. Also support relative modifiers
15 years ago
SCLogDebug("sh->mpm_hmd_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
}
Update mpm init ctx to not accept the final cuda_rc_module argument. It was a part of our older architecture and is no longer used.
12 years ago
MpmInitCtx(sh->mpm_hmd_ctx_ts, de_ctx->mpm_matcher);
fast pattern support for http_method. Also support relative modifiers
15 years ago
}
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (has_co_hcd) {
fast pattern support for http_cookie. Also support relative modifiers
15 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_hcd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_hcd, 0);
sh->mpm_hcd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_hcd, 1);
fast pattern support for http_cookie. Also support relative modifiers
15 years ago
} else {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_hcd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0);
sh->mpm_hcd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1);
fast pattern support for http_cookie. Also support relative modifiers
15 years ago
}
support splitting mpm ctxs based on direction v2
14 years ago
if (sh->mpm_hcd_ctx_ts == NULL || sh->mpm_hcd_ctx_tc == NULL) {
fast pattern support for http_cookie. Also support relative modifiers
15 years ago
SCLogDebug("sh->mpm_hcd_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
}
Update mpm init ctx to not accept the final cuda_rc_module argument. It was a part of our older architecture and is no longer used.
12 years ago
MpmInitCtx(sh->mpm_hcd_ctx_ts, de_ctx->mpm_matcher);
MpmInitCtx(sh->mpm_hcd_ctx_tc, de_ctx->mpm_matcher);
fast pattern support for http_cookie. Also support relative modifiers
15 years ago
}
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (has_co_hrud) {
support for http_raw_uri keyword + mpm engine
14 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_hrud_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_hrud, 0);
support for http_raw_uri keyword + mpm engine
14 years ago
} else {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_hrud_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0);
support for http_raw_uri keyword + mpm engine
14 years ago
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
if (sh->mpm_hrud_ctx_ts == NULL) {
support for http_raw_uri keyword + mpm engine
14 years ago
SCLogDebug("sh->mpm_hrud_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
}
Update mpm init ctx to not accept the final cuda_rc_module argument. It was a part of our older architecture and is no longer used.
12 years ago
MpmInitCtx(sh->mpm_hrud_ctx_ts, de_ctx->mpm_matcher);
support for http_raw_uri keyword + mpm engine
14 years ago
}
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (has_co_hsmd) {
Support http stat msg detection engine, fast pattern(mpm engine included). Fix http stat msg setup function. Fix pcre option for stat msg keyword
14 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_hsmd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_hsmd, 1);
Support http stat msg detection engine, fast pattern(mpm engine included). Fix http stat msg setup function. Fix pcre option for stat msg keyword
14 years ago
} else {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_hsmd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1);
Support http stat msg detection engine, fast pattern(mpm engine included). Fix http stat msg setup function. Fix pcre option for stat msg keyword
14 years ago
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
if (sh->mpm_hsmd_ctx_tc == NULL) {
Support http stat msg detection engine, fast pattern(mpm engine included). Fix http stat msg setup function. Fix pcre option for stat msg keyword
14 years ago
SCLogDebug("sh->mpm_hsmd_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
}
Update mpm init ctx to not accept the final cuda_rc_module argument. It was a part of our older architecture and is no longer used.
12 years ago
MpmInitCtx(sh->mpm_hsmd_ctx_tc, de_ctx->mpm_matcher);
Support http stat msg detection engine, fast pattern(mpm engine included). Fix http stat msg setup function. Fix pcre option for stat msg keyword
14 years ago
}
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (has_co_hscd) {
Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S
14 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_hscd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_hscd, 1);
Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S
14 years ago
} else {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_hscd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1);
Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S
14 years ago
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
if (sh->mpm_hscd_ctx_tc == NULL) {
Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S
14 years ago
SCLogDebug("sh->mpm_hscd_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
}
Update mpm init ctx to not accept the final cuda_rc_module argument. It was a part of our older architecture and is no longer used.
12 years ago
MpmInitCtx(sh->mpm_hscd_ctx_tc, de_ctx->mpm_matcher);
Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S
14 years ago
}
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (has_co_huad) {
http user agent keyword + mpm + inspection + fast pattern support added
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_huad_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_huad, 0);
http user agent keyword + mpm + inspection + fast pattern support added
13 years ago
} else {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
sh->mpm_huad_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0);
http user agent keyword + mpm + inspection + fast pattern support added
13 years ago
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
if (sh->mpm_huad_ctx_ts == NULL) {
http user agent keyword + mpm + inspection + fast pattern support added
13 years ago
SCLogDebug("sh->mpm_huad_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
}
Update mpm init ctx to not accept the final cuda_rc_module argument. It was a part of our older architecture and is no longer used.
12 years ago
MpmInitCtx(sh->mpm_huad_ctx_ts, de_ctx->mpm_matcher);
http user agent keyword + mpm + inspection + fast pattern support added
13 years ago
}
Add support for a new keyword to inspect http_host header. The corresponding content keyword would now be - http_host. The corresponding pcre modifier would be W.
13 years ago
if (has_co_hhhd) {
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
sh->mpm_hhhd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_hhhd, 0);
} else {
sh->mpm_hhhd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0);
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
if (sh->mpm_hhhd_ctx_ts == NULL) {
Add support for a new keyword to inspect http_host header. The corresponding content keyword would now be - http_host. The corresponding pcre modifier would be W.
13 years ago
SCLogDebug("sh->mpm_hhhd_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
}
Update mpm init ctx to not accept the final cuda_rc_module argument. It was a part of our older architecture and is no longer used.
12 years ago
MpmInitCtx(sh->mpm_hhhd_ctx_ts, de_ctx->mpm_matcher);
Add support for a new keyword to inspect http_host header. The corresponding content keyword would now be - http_host. The corresponding pcre modifier would be W.
13 years ago
}
Add support for the new keyword - http_raw_host header. The corresponding pcre modifier would be 'Z'.
13 years ago
if (has_co_hrhhd) {
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
sh->mpm_hrhhd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_hrhhd, 0);
} else {
sh->mpm_hrhhd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0);
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
if (sh->mpm_hrhhd_ctx_ts == NULL) {
Add support for the new keyword - http_raw_host header. The corresponding pcre modifier would be 'Z'.
13 years ago
SCLogDebug("sh->mpm_hrhhd_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
}
Update mpm init ctx to not accept the final cuda_rc_module argument. It was a part of our older architecture and is no longer used.
12 years ago
MpmInitCtx(sh->mpm_hrhhd_ctx_ts, de_ctx->mpm_matcher);
Add support for the new keyword - http_raw_host header. The corresponding pcre modifier would be 'Z'.
13 years ago
}
DNS: enable mpm/fast_pattern support for dns_query
12 years ago
if (has_co_dnsquery) {
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
sh->mpm_dnsquery_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_dnsquery, 0);
} else {
sh->mpm_dnsquery_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0);
}
if (sh->mpm_dnsquery_ctx_ts == NULL) {
SCLogDebug("sh->mpm_hrhhd_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
}
Update mpm init ctx to not accept the final cuda_rc_module argument. It was a part of our older architecture and is no longer used.
12 years ago
MpmInitCtx(sh->mpm_dnsquery_ctx_ts, de_ctx->mpm_matcher);
DNS: enable mpm/fast_pattern support for dns_query
12 years ago
}
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (has_co_packet ||
has_co_stream ||
has_co_uri ||
has_co_hcbd ||
has_co_hsbd ||
has_co_hhd ||
has_co_hrhd ||
has_co_hmd ||
has_co_hcd ||
has_co_hsmd ||
has_co_hscd ||
has_co_hrud ||
Add support for a new keyword to inspect http_host header. The corresponding content keyword would now be - http_host. The corresponding pcre modifier would be W.
13 years ago
has_co_huad ||
Add support for the new keyword - http_raw_host header. The corresponding pcre modifier would be 'Z'.
13 years ago
has_co_hhhd ||
DNS: enable mpm/fast_pattern support for dns_query
12 years ago
has_co_hrhhd ||
has_co_dnsquery) {
Use same mpm prepare procedure for uricontent as for normal content. More cleanups.
15 years ago
remove populate_mpm_flags from inside PatternMatchPreparePopulateMpm()
15 years ago
PatternMatchPreparePopulateMpm(de_ctx, sh);
Fix a content pattern matching bug related to signature grouping and mpm_ctx sharing. In certain conditions (signature combinations) the mpm_stream_ctx (the ctx that handles stream pattern scanning) wasn't properly setup.
15 years ago
reclaim mpm contexts if no patterns are added to it, even in non-full mode
14 years ago
//if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
support splitting mpm ctxs based on direction v2
14 years ago
if (sh->mpm_proto_tcp_ctx_ts != NULL) {
if (sh->mpm_proto_tcp_ctx_ts->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_proto_tcp_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_proto_tcp_ctx_ts = NULL;
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_table[sh->mpm_proto_tcp_ctx_ts->mpm_type].Prepare != NULL) {
mpm_table[sh->mpm_proto_tcp_ctx_ts->mpm_type].
Prepare(sh->mpm_proto_tcp_ctx_ts);
}
}
}
}
if (sh->mpm_proto_tcp_ctx_tc != NULL) {
if (sh->mpm_proto_tcp_ctx_tc->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_proto_tcp_ctx_tc);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_proto_tcp_ctx_tc = NULL;
indendation fix
14 years ago
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_table[sh->mpm_proto_tcp_ctx_tc->mpm_type].Prepare != NULL) {
mpm_table[sh->mpm_proto_tcp_ctx_tc->mpm_type].
Prepare(sh->mpm_proto_tcp_ctx_tc);
indendation fix
14 years ago
}
}
}
}
support splitting mpm ctxs based on direction v2
14 years ago
if (sh->mpm_proto_udp_ctx_ts != NULL) {
if (sh->mpm_proto_udp_ctx_ts->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_proto_udp_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_proto_udp_ctx_ts = NULL;
indendation fix
14 years ago
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_table[sh->mpm_proto_udp_ctx_ts->mpm_type].Prepare != NULL) {
mpm_table[sh->mpm_proto_udp_ctx_ts->mpm_type].
Prepare(sh->mpm_proto_udp_ctx_ts);
indendation fix
14 years ago
}
}
}
}
support splitting mpm ctxs based on direction v2
14 years ago
if (sh->mpm_proto_udp_ctx_tc != NULL) {
if (sh->mpm_proto_udp_ctx_tc->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_proto_udp_ctx_tc);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_proto_udp_ctx_tc = NULL;
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_table[sh->mpm_proto_udp_ctx_tc->mpm_type].Prepare != NULL) {
mpm_table[sh->mpm_proto_udp_ctx_tc->mpm_type].
Prepare(sh->mpm_proto_udp_ctx_tc);
}
}
}
}
indendation fix
14 years ago
if (sh->mpm_proto_other_ctx != NULL) {
if (sh->mpm_proto_other_ctx->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_proto_other_ctx);
indendation fix
14 years ago
sh->mpm_proto_other_ctx = NULL;
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
indendation fix
14 years ago
if (mpm_table[sh->mpm_proto_other_ctx->mpm_type].Prepare != NULL) {
mpm_table[sh->mpm_proto_other_ctx->mpm_type].
Prepare(sh->mpm_proto_other_ctx);
}
}
}
}
support splitting mpm ctxs based on direction v2
14 years ago
if (sh->mpm_stream_ctx_ts != NULL) {
if (sh->mpm_stream_ctx_ts->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_stream_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_stream_ctx_ts = NULL;
indendation fix
14 years ago
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_table[sh->mpm_stream_ctx_ts->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_stream_ctx_ts->mpm_type].Prepare(sh->mpm_stream_ctx_ts);
indendation fix
14 years ago
}
}
}
support splitting mpm ctxs based on direction v2
14 years ago
if (sh->mpm_stream_ctx_tc != NULL) {
if (sh->mpm_stream_ctx_tc->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_stream_ctx_tc);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_stream_ctx_tc = NULL;
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_table[sh->mpm_stream_ctx_tc->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_stream_ctx_tc->mpm_type].Prepare(sh->mpm_stream_ctx_tc);
}
}
}
if (sh->mpm_uri_ctx_ts != NULL) {
if (sh->mpm_uri_ctx_ts->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_uri_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_uri_ctx_ts = NULL;
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_table[sh->mpm_uri_ctx_ts->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_uri_ctx_ts->mpm_type].Prepare(sh->mpm_uri_ctx_ts);
}
}
}
if (sh->mpm_hcbd_ctx_ts != NULL) {
if (sh->mpm_hcbd_ctx_ts->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hcbd_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_hcbd_ctx_ts = NULL;
indendation fix
14 years ago
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_table[sh->mpm_hcbd_ctx_ts->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_hcbd_ctx_ts->mpm_type].Prepare(sh->mpm_hcbd_ctx_ts);
indendation fix
14 years ago
}
}
}
support splitting mpm ctxs based on direction v2
14 years ago
if (sh->mpm_hsbd_ctx_tc != NULL) {
if (sh->mpm_hsbd_ctx_tc->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hsbd_ctx_tc);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_hsbd_ctx_tc = NULL;
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_table[sh->mpm_hsbd_ctx_tc->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_hsbd_ctx_tc->mpm_type].Prepare(sh->mpm_hsbd_ctx_tc);
}
}
}
if (sh->mpm_hhd_ctx_ts != NULL) {
if (sh->mpm_hhd_ctx_ts->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hhd_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_hhd_ctx_ts = NULL;
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_table[sh->mpm_hhd_ctx_ts->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_hhd_ctx_ts->mpm_type].Prepare(sh->mpm_hhd_ctx_ts);
}
}
}
if (sh->mpm_hhd_ctx_tc != NULL) {
if (sh->mpm_hhd_ctx_tc->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hhd_ctx_tc);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_hhd_ctx_tc = NULL;
indendation fix
14 years ago
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_table[sh->mpm_hhd_ctx_tc->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_hhd_ctx_tc->mpm_type].Prepare(sh->mpm_hhd_ctx_tc);
indendation fix
14 years ago
}
}
}
support splitting mpm ctxs based on direction v2
14 years ago
if (sh->mpm_hrhd_ctx_ts != NULL) {
if (sh->mpm_hrhd_ctx_ts->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hrhd_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_hrhd_ctx_ts = NULL;
indendation fix
14 years ago
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_table[sh->mpm_hrhd_ctx_ts->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_hrhd_ctx_ts->mpm_type].Prepare(sh->mpm_hrhd_ctx_ts);
indendation fix
14 years ago
}
}
}
support splitting mpm ctxs based on direction v2
14 years ago
if (sh->mpm_hrhd_ctx_tc != NULL) {
if (sh->mpm_hrhd_ctx_tc->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hrhd_ctx_tc);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_hrhd_ctx_tc = NULL;
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_table[sh->mpm_hrhd_ctx_tc->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_hrhd_ctx_tc->mpm_type].Prepare(sh->mpm_hrhd_ctx_tc);
}
}
}
if (sh->mpm_hmd_ctx_ts != NULL) {
if (sh->mpm_hmd_ctx_ts->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hmd_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_hmd_ctx_ts = NULL;
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_table[sh->mpm_hmd_ctx_ts->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_hmd_ctx_ts->mpm_type].Prepare(sh->mpm_hmd_ctx_ts);
}
}
}
if (sh->mpm_hcd_ctx_ts != NULL) {
if (sh->mpm_hcd_ctx_ts->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hcd_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_hcd_ctx_ts = NULL;
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_table[sh->mpm_hcd_ctx_ts->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_hcd_ctx_ts->mpm_type].Prepare(sh->mpm_hcd_ctx_ts);
indendation fix
14 years ago
}
}
}
support splitting mpm ctxs based on direction v2
14 years ago
if (sh->mpm_hcd_ctx_tc != NULL) {
if (sh->mpm_hcd_ctx_tc->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hcd_ctx_tc);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_hcd_ctx_tc = NULL;
indendation fix
14 years ago
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_table[sh->mpm_hcd_ctx_tc->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_hcd_ctx_tc->mpm_type].Prepare(sh->mpm_hcd_ctx_tc);
}
}
}
if (sh->mpm_hrud_ctx_ts != NULL) {
if (sh->mpm_hrud_ctx_ts->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hrud_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_hrud_ctx_ts = NULL;
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
support splitting mpm ctxs based on direction v2
14 years ago
if (mpm_table[sh->mpm_hrud_ctx_ts->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_hrud_ctx_ts->mpm_type].Prepare(sh->mpm_hrud_ctx_ts);
indendation fix
14 years ago
}
}
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
rebase commit for hscd and hsmd patches
14 years ago
if (sh->mpm_hsmd_ctx_tc != NULL) {
if (sh->mpm_hsmd_ctx_tc->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hsmd_ctx_tc);
rebase commit for hscd and hsmd patches
14 years ago
sh->mpm_hsmd_ctx_tc = NULL;
Support http stat msg detection engine, fast pattern(mpm engine included). Fix http stat msg setup function. Fix pcre option for stat msg keyword
14 years ago
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
rebase commit for hscd and hsmd patches
14 years ago
if (mpm_table[sh->mpm_hsmd_ctx_tc->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_hsmd_ctx_tc->mpm_type].Prepare(sh->mpm_hsmd_ctx_tc);
}
}
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
rebase commit for hscd and hsmd patches
14 years ago
if (sh->mpm_hscd_ctx_tc != NULL) {
if (sh->mpm_hscd_ctx_tc->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hscd_ctx_tc);
rebase commit for hscd and hsmd patches
14 years ago
sh->mpm_hscd_ctx_tc = NULL;
Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S
14 years ago
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
rebase commit for hscd and hsmd patches
14 years ago
if (mpm_table[sh->mpm_hscd_ctx_tc->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_hscd_ctx_tc->mpm_type].Prepare(sh->mpm_hscd_ctx_tc);
Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S
14 years ago
}
}
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
http user agent keyword + mpm + inspection + fast pattern support added
13 years ago
if (sh->mpm_huad_ctx_ts != NULL) {
if (sh->mpm_huad_ctx_ts->pattern_cnt == 0) {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_huad_ctx_ts);
http user agent keyword + mpm + inspection + fast pattern support added
13 years ago
sh->mpm_huad_ctx_ts = NULL;
} else {
mpm engine cleanup. Remove unnecessary flags
13 years ago
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
http user agent keyword + mpm + inspection + fast pattern support added
13 years ago
if (mpm_table[sh->mpm_huad_ctx_ts->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_huad_ctx_ts->mpm_type].Prepare(sh->mpm_huad_ctx_ts);
}
}
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
Add support for a new keyword to inspect http_host header. The corresponding content keyword would now be - http_host. The corresponding pcre modifier would be W.
13 years ago
if (sh->mpm_hhhd_ctx_ts != NULL) {
if (sh->mpm_hhhd_ctx_ts->pattern_cnt == 0) {
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hhhd_ctx_ts);
sh->mpm_hhhd_ctx_ts = NULL;
} else {
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
if (mpm_table[sh->mpm_hhhd_ctx_ts->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_hhhd_ctx_ts->mpm_type].Prepare(sh->mpm_hhhd_ctx_ts);
}
}
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
Add support for the new keyword - http_raw_host header. The corresponding pcre modifier would be 'Z'.
13 years ago
if (sh->mpm_hrhhd_ctx_ts != NULL) {
if (sh->mpm_hrhhd_ctx_ts->pattern_cnt == 0) {
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hrhhd_ctx_ts);
sh->mpm_hrhhd_ctx_ts = NULL;
} else {
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
if (mpm_table[sh->mpm_hrhhd_ctx_ts->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_hrhhd_ctx_ts->mpm_type].Prepare(sh->mpm_hrhhd_ctx_ts);
}
}
}
Remove mpm ctxs in the wrong direction. A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
DNS: enable mpm/fast_pattern support for dns_query
12 years ago
if (sh->mpm_dnsquery_ctx_ts != NULL) {
if (sh->mpm_dnsquery_ctx_ts->pattern_cnt == 0) {
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_dnsquery_ctx_ts);
sh->mpm_dnsquery_ctx_ts = NULL;
} else {
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
if (mpm_table[sh->mpm_dnsquery_ctx_ts->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_dnsquery_ctx_ts->mpm_type].Prepare(sh->mpm_dnsquery_ctx_ts);
}
}
}
reclaim mpm contexts if no patterns are added to it, even in non-full mode
14 years ago
//} /* if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) */
store the content added for mpm inside Signature. also carry out an unconditional cleanup of packet pattern matcher pmq det_ctx->pmq
15 years ago
} else {
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_proto_other_ctx);
introduce separate mpm ctxs for tcp/udp/other_protos
14 years ago
sh->mpm_proto_other_ctx = NULL;
support splitting mpm ctxs based on direction v2
14 years ago
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_proto_tcp_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_proto_tcp_ctx_ts = NULL;
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_proto_udp_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_proto_udp_ctx_ts = NULL;
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_stream_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_stream_ctx_ts = NULL;
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_uri_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_uri_ctx_ts = NULL;
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hcbd_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_hcbd_ctx_ts = NULL;
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hhd_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_hhd_ctx_ts = NULL;
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hrhd_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_hrhd_ctx_ts = NULL;
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hmd_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_hmd_ctx_ts = NULL;
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hcd_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_hcd_ctx_ts = NULL;
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hrud_ctx_ts);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_hrud_ctx_ts = NULL;
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_huad_ctx_ts);
http user agent keyword + mpm + inspection + fast pattern support added
13 years ago
sh->mpm_huad_ctx_ts = NULL;
Add support for a new keyword to inspect http_host header. The corresponding content keyword would now be - http_host. The corresponding pcre modifier would be W.
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hhhd_ctx_ts);
sh->mpm_hhhd_ctx_ts = NULL;
Add support for the new keyword - http_raw_host header. The corresponding pcre modifier would be 'Z'.
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hrhhd_ctx_ts);
sh->mpm_hrhhd_ctx_ts = NULL;
DNS: enable mpm/fast_pattern support for dns_query
12 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_dnsquery_ctx_ts);
sh->mpm_dnsquery_ctx_ts = NULL;
support splitting mpm ctxs based on direction v2
14 years ago
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_proto_tcp_ctx_tc);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_proto_tcp_ctx_tc = NULL;
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_proto_udp_ctx_tc);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_proto_udp_ctx_tc = NULL;
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_stream_ctx_tc);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_stream_ctx_tc = NULL;
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hhd_ctx_tc);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_hhd_ctx_tc = NULL;
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hrhd_ctx_tc);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_hrhd_ctx_tc = NULL;
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hcd_ctx_tc);
support splitting mpm ctxs based on direction v2
14 years ago
sh->mpm_hcd_ctx_tc = NULL;
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hsmd_ctx_tc);
Support http stat msg detection engine, fast pattern(mpm engine included). Fix http stat msg setup function. Fix pcre option for stat msg keyword
14 years ago
sh->mpm_hsmd_ctx_tc = NULL;
make mpm ctx container de_ctx specific. Also introduce global variable in mpm_ctx. this is a workaround for cleaning non global mpm_ctx's since we now don't supply the de_ctx around the detection engine API
13 years ago
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hscd_ctx_tc);
Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S
14 years ago
sh->mpm_hscd_ctx_tc = NULL;
Initial add of the files.
17 years ago
}
Large update containing the first step to making the detection engine use rule groups. Address based rule groups are now implemented.
17 years ago
return 0;
Initial add of the files.
17 years ago
}
Switch to pattern id based results checking in the mpm. Move app layer proto detection towards a more signature based approach.
15 years ago
/** \brief Pattern ID Hash for sharing pattern id's
*
* A per detection engine hash to make sure each pattern has a unique
* global id but patterns that are the same share id's.
*/
typedef struct MpmPatternIdTableElmt_ {
uint8_t *pattern; /**< ptr to the pattern */
uint16_t pattern_len; /**< pattern len */
provide separate ids for content, uricontent, http_(client_body_data|cookie|header|method|uri), when they share the same pattern
15 years ago
PatIntId id; /**< pattern id */
uint16_t dup_count; /**< duplicate count */
Use sm_list to differentiate between different content types while retrieving pattern ids instead of sm_type
14 years ago
uint8_t sm_list; /**< SigMatch list */
Switch to pattern id based results checking in the mpm. Move app layer proto detection towards a more signature based approach.
15 years ago
} MpmPatternIdTableElmt;
/** \brief Hash compare func for MpmPatternId api
* \retval 1 patterns are the same
* \retval 0 patterns are not the same
**/
static char MpmPatternIdCompare(void *p1, uint16_t len1, void *p2, uint16_t len2) {
SCEnter();
BUG_ON(len1 < sizeof(MpmPatternIdTableElmt));
BUG_ON(len2 < sizeof(MpmPatternIdTableElmt));
MpmPatternIdTableElmt *e1 = (MpmPatternIdTableElmt *)p1;
MpmPatternIdTableElmt *e2 = (MpmPatternIdTableElmt *)p2;
provide separate ids for content, uricontent, http_(client_body_data|cookie|header|method|uri), when they share the same pattern
15 years ago
if (e1->pattern_len != e2->pattern_len ||
Use sm_list to differentiate between different content types while retrieving pattern ids instead of sm_type
14 years ago
e1->sm_list != e2->sm_list) {
Switch to pattern id based results checking in the mpm. Move app layer proto detection towards a more signature based approach.
15 years ago
SCReturnInt(0);
}
Add memcmp api with a plain memcmp function and a SSE3 accelerated memcmp.
15 years ago
if (SCMemcmp(e1->pattern, e2->pattern, e1->pattern_len) != 0) {
Switch to pattern id based results checking in the mpm. Move app layer proto detection towards a more signature based approach.
15 years ago
SCReturnInt(0);
}
SCReturnInt(1);
}
/** \brief Hash func for MpmPatternId api
* \retval hash hash value
*/
static uint32_t MpmPatternIdHashFunc(HashTable *ht, void *p, uint16_t len) {
SCEnter();
BUG_ON(len < sizeof(MpmPatternIdTableElmt));
MpmPatternIdTableElmt *e = (MpmPatternIdTableElmt *)p;
uint32_t hash = e->pattern_len;
uint16_t u = 0;
for (u = 0; u < e->pattern_len; u++) {
hash += e->pattern[u];
}
SCReturnUInt(hash % ht->array_size);
}
/** \brief free a MpmPatternIdTableElmt */
static void MpmPatternIdTableElmtFree(void *e) {
memroy leaks fixes in detection module, app layer and counters
15 years ago
SCEnter();
Switch to pattern id based results checking in the mpm. Move app layer proto detection towards a more signature based approach.
15 years ago
MpmPatternIdTableElmt *c = (MpmPatternIdTableElmt *)e;
memroy leaks fixes in detection module, app layer and counters
15 years ago
SCFree(c->pattern);
SCFree(c);
SCReturn;
Switch to pattern id based results checking in the mpm. Move app layer proto detection towards a more signature based approach.
15 years ago
}
/** \brief alloc initialize the MpmPatternIdHash */
MpmPatternIdStore *MpmPatternIdTableInitHash(void) {
SCEnter();
MpmPatternIdStore *ht = SCMalloc(sizeof(MpmPatternIdStore));
BUG_ON(ht == NULL);
memset(ht, 0x00, sizeof(MpmPatternIdStore));
ht->hash = HashTableInit(65536, MpmPatternIdHashFunc, MpmPatternIdCompare, MpmPatternIdTableElmtFree);
BUG_ON(ht->hash == NULL);
SCReturnPtr(ht, "MpmPatternIdStore");
}
void MpmPatternIdTableFreeHash(MpmPatternIdStore *ht) {
SCEnter();
if (ht == NULL) {
SCReturn;
}
if (ht->hash != NULL) {
HashTableFree(ht->hash);
}
SCFree(ht);
SCReturn;
}
uint32_t MpmPatternIdStoreGetMaxId(MpmPatternIdStore *ht) {
if (ht == NULL) {
return 0;
}
return ht->max_id;
}
/**
* \brief Get the pattern id for a content pattern
*
* \param ht mpm pattern id hash table store
* \param co content pattern data
*
* \retval id pattern id
Make malloc errors on initialization stage a fatal error, resulting on a exit() call
15 years ago
* \initonly
Switch to pattern id based results checking in the mpm. Move app layer proto detection towards a more signature based approach.
15 years ago
*/
uint32_t DetectContentGetId(MpmPatternIdStore *ht, DetectContentData *co) {
SCEnter();
BUG_ON(ht == NULL || ht->hash == NULL);
MpmPatternIdTableElmt *e = NULL;
MpmPatternIdTableElmt *r = NULL;
uint32_t id = 0;
make client body buffer limit configurable. Also some minor changes
15 years ago
e = SCMalloc(sizeof(MpmPatternIdTableElmt));
Switch to pattern id based results checking in the mpm. Move app layer proto detection towards a more signature based approach.
15 years ago
BUG_ON(e == NULL);
make client body buffer limit configurable. Also some minor changes
15 years ago
memset(e, 0, sizeof(MpmPatternIdTableElmt));
Switch to pattern id based results checking in the mpm. Move app layer proto detection towards a more signature based approach.
15 years ago
e->pattern = SCMalloc(co->content_len);
BUG_ON(e->pattern == NULL);
memcpy(e->pattern, co->content, co->content_len);
e->pattern_len = co->content_len;
e->id = 0;
r = HashTableLookup(ht->hash, (void *)e, sizeof(MpmPatternIdTableElmt));
if (r == NULL) {
e->id = ht->max_id;
ht->max_id++;
id = e->id;
int ret = HashTableAdd(ht->hash, e, sizeof(MpmPatternIdTableElmt));
BUG_ON(ret != 0);
e = NULL;
ht->unique_patterns++;
} else {
id = r->id;
ht->shared_patterns++;
}
if (e != NULL)
memroy leaks fixes in detection module, app layer and counters
15 years ago
MpmPatternIdTableElmtFree(e);
Switch to pattern id based results checking in the mpm. Move app layer proto detection towards a more signature based approach.
15 years ago
SCReturnUInt(id);
}
Minor fixes against the last set of patches for #564, 565, 581 + fp automation. Rename struct DetectFigureFPAndId_t_ to DetectFPAndItsId_ and move it's definition from inside the function where it's used to the global namespace, as requested on #suricata. Rename DetectEngineContentModifiedBufferSetup to DetectEngineContentModifierBufferSetup. Also rename DetectFigureFPAndId() to DetectSetFastPatternAndItsId(). Updated DetectSetFastPatternAndItsId() to not exit on failure and return error.
13 years ago
typedef struct DetectFPAndItsId_ {
PatIntId id;
uint16_t content_len;
uint32_t flags;
int sm_list;
fix for #564. Get rid of the hash table, and use a single-one_time_alloc'ed array for pattern id assignment.
13 years ago
Minor fixes against the last set of patches for #564, 565, 581 + fp automation. Rename struct DetectFigureFPAndId_t_ to DetectFPAndItsId_ and move it's definition from inside the function where it's used to the global namespace, as requested on #suricata. Rename DetectEngineContentModifiedBufferSetup to DetectEngineContentModifierBufferSetup. Also rename DetectFigureFPAndId() to DetectSetFastPatternAndItsId(). Updated DetectSetFastPatternAndItsId() to not exit on failure and return error.
13 years ago
uint8_t *content;
} DetectFPAndItsId;
fix for #564. Get rid of the hash table, and use a single-one_time_alloc'ed array for pattern id assignment.
13 years ago
Minor fixes against the last set of patches for #564, 565, 581 + fp automation. Rename struct DetectFigureFPAndId_t_ to DetectFPAndItsId_ and move it's definition from inside the function where it's used to the global namespace, as requested on #suricata. Rename DetectEngineContentModifiedBufferSetup to DetectEngineContentModifierBufferSetup. Also rename DetectFigureFPAndId() to DetectSetFastPatternAndItsId(). Updated DetectSetFastPatternAndItsId() to not exit on failure and return error.
13 years ago
/**
* \brief Figured out the FP and their respective content ids for all the
* sigs in the engine.
*
* \param de_ctx Detection engine context.
*
* \retval 0 On success.
* \retval -1 On failure.
*/
int DetectSetFastPatternAndItsId(DetectEngineCtx *de_ctx)
{
fix for #564. Get rid of the hash table, and use a single-one_time_alloc'ed array for pattern id assignment.
13 years ago
uint32_t struct_total_size = 0;
uint32_t content_total_size = 0;
Signature *s = NULL;
When assigning Pattern IDs pids, check Case flags This fixes bug 1110. When assigning PIDs, use the NO_CASE flag when comparing for duplicates. The state of the flag must be the same, but also use the same type of comparisons when checking for duplicates. Previously, "foo":CS would match with "foo":CI when it should not. and "foo":CI would not match "FoO":CI when it should. Both of those cases are fixed with this change. This then allows simplifying the use of pid in MPMs because now if they pids match, then so do the flags, so checking the flags is not required.
12 years ago
/* Count the amount of memory needed to store all the structures
* and the content of those structures. This will over estimate the
* true size, since duplicates are removed below, but counted here.
*/
fix for #564. Get rid of the hash table, and use a single-one_time_alloc'ed array for pattern id assignment.
13 years ago
for (s = de_ctx->sig_list; s != NULL; s = s->next) {
s->mpm_sm = RetrieveFPForSigV2(s);
if (s->mpm_sm != NULL) {
DetectContentData *cd = (DetectContentData *)s->mpm_sm->ctx;
Minor fixes against the last set of patches for #564, 565, 581 + fp automation. Rename struct DetectFigureFPAndId_t_ to DetectFPAndItsId_ and move it's definition from inside the function where it's used to the global namespace, as requested on #suricata. Rename DetectEngineContentModifiedBufferSetup to DetectEngineContentModifierBufferSetup. Also rename DetectFigureFPAndId() to DetectSetFastPatternAndItsId(). Updated DetectSetFastPatternAndItsId() to not exit on failure and return error.
13 years ago
struct_total_size += sizeof(DetectFPAndItsId);
fix for #564. Get rid of the hash table, and use a single-one_time_alloc'ed array for pattern id assignment.
13 years ago
content_total_size += cd->content_len;
}
}
/* array hash buffer - i've run out of ideas to name it */
uint8_t *ahb = SCMalloc(sizeof(uint8_t) * (struct_total_size + content_total_size));
Use unlikely in malloc failure test. This patch is a result of applying the following coccinelle transformation to suricata sources: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc|SCMallocAligned|SCRealloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
12 years ago
if (unlikely(ahb == NULL))
Minor fixes against the last set of patches for #564, 565, 581 + fp automation. Rename struct DetectFigureFPAndId_t_ to DetectFPAndItsId_ and move it's definition from inside the function where it's used to the global namespace, as requested on #suricata. Rename DetectEngineContentModifiedBufferSetup to DetectEngineContentModifierBufferSetup. Also rename DetectFigureFPAndId() to DetectSetFastPatternAndItsId(). Updated DetectSetFastPatternAndItsId() to not exit on failure and return error.
13 years ago
return -1;
fix for #564. Get rid of the hash table, and use a single-one_time_alloc'ed array for pattern id assignment.
13 years ago
fix for bug #973. An alternative solution for bug #970. For chopped patterns, which in it's whole is a duplicate of another pattern we assign an unique content id.
12 years ago
uint8_t *content = NULL;
uint8_t content_len = 0;
fix for #564. Get rid of the hash table, and use a single-one_time_alloc'ed array for pattern id assignment.
13 years ago
PatIntId max_id = 0;
Minor fixes against the last set of patches for #564, 565, 581 + fp automation. Rename struct DetectFigureFPAndId_t_ to DetectFPAndItsId_ and move it's definition from inside the function where it's used to the global namespace, as requested on #suricata. Rename DetectEngineContentModifiedBufferSetup to DetectEngineContentModifierBufferSetup. Also rename DetectFigureFPAndId() to DetectSetFastPatternAndItsId(). Updated DetectSetFastPatternAndItsId() to not exit on failure and return error.
13 years ago
DetectFPAndItsId *struct_offset = (DetectFPAndItsId *)ahb;
fix for #564. Get rid of the hash table, and use a single-one_time_alloc'ed array for pattern id assignment.
13 years ago
uint8_t *content_offset = ahb + struct_total_size;
for (s = de_ctx->sig_list; s != NULL; s = s->next) {
if (s->mpm_sm != NULL) {
int sm_list = SigMatchListSMBelongsTo(s, s->mpm_sm);
BUG_ON(sm_list == -1);
Suricata upgrade to libhtp 0.5.x. Remove the support for now unsupported personalities from libhtp - TOMCAT_6_0, APACHE and APACHE_2_2. We instead use the APACHE_2 personality.
12 years ago
fix for #564. Get rid of the hash table, and use a single-one_time_alloc'ed array for pattern id assignment.
13 years ago
DetectContentData *cd = (DetectContentData *)s->mpm_sm->ctx;
Minor fixes against the last set of patches for #564, 565, 581 + fp automation. Rename struct DetectFigureFPAndId_t_ to DetectFPAndItsId_ and move it's definition from inside the function where it's used to the global namespace, as requested on #suricata. Rename DetectEngineContentModifiedBufferSetup to DetectEngineContentModifierBufferSetup. Also rename DetectFigureFPAndId() to DetectSetFastPatternAndItsId(). Updated DetectSetFastPatternAndItsId() to not exit on failure and return error.
13 years ago
DetectFPAndItsId *dup = (DetectFPAndItsId *)ahb;
fix for bug #973. An alternative solution for bug #970. For chopped patterns, which in it's whole is a duplicate of another pattern we assign an unique content id.
12 years ago
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
content = cd->content + cd->fp_chop_offset;
content_len = cd->fp_chop_len;
} else {
content = cd->content;
content_len = cd->content_len;
}
When assigning Pattern IDs pids, check Case flags This fixes bug 1110. When assigning PIDs, use the NO_CASE flag when comparing for duplicates. The state of the flag must be the same, but also use the same type of comparisons when checking for duplicates. Previously, "foo":CS would match with "foo":CI when it should not. and "foo":CI would not match "FoO":CI when it should. Both of those cases are fixed with this change. This then allows simplifying the use of pid in MPMs because now if they pids match, then so do the flags, so checking the flags is not required.
12 years ago
uint32_t flags = cd->flags & DETECT_CONTENT_NOCASE;
/* Check for content already found on the same list */
fix for #564. Get rid of the hash table, and use a single-one_time_alloc'ed array for pattern id assignment.
13 years ago
for (; dup != struct_offset; dup++) {
When assigning Pattern IDs pids, check Case flags This fixes bug 1110. When assigning PIDs, use the NO_CASE flag when comparing for duplicates. The state of the flag must be the same, but also use the same type of comparisons when checking for duplicates. Previously, "foo":CS would match with "foo":CI when it should not. and "foo":CI would not match "FoO":CI when it should. Both of those cases are fixed with this change. This then allows simplifying the use of pid in MPMs because now if they pids match, then so do the flags, so checking the flags is not required.
12 years ago
if (dup->content_len != content_len)
fix for #564. Get rid of the hash table, and use a single-one_time_alloc'ed array for pattern id assignment.
13 years ago
continue;
When assigning Pattern IDs pids, check Case flags This fixes bug 1110. When assigning PIDs, use the NO_CASE flag when comparing for duplicates. The state of the flag must be the same, but also use the same type of comparisons when checking for duplicates. Previously, "foo":CS would match with "foo":CI when it should not. and "foo":CI would not match "FoO":CI when it should. Both of those cases are fixed with this change. This then allows simplifying the use of pid in MPMs because now if they pids match, then so do the flags, so checking the flags is not required.
12 years ago
if (dup->sm_list != sm_list)
continue;
if (dup->flags != flags)
continue;
/* Check for pattern matching a duplicate. Use case insensitive matching
* for case insensitive patterns. */
if (flags & DETECT_CONTENT_NOCASE) {
if (SCMemcmpLowercase(dup->content, content, content_len) != 0)
continue;
} else {
Store case-insensitive patterns as lowercase. This is required because SCMemcmpLowercase() expects it first argument to be already lowercase for the comparison. This is done by using memcpy_tolower() for NO_CASE patterns. This addresses code review comments from Victor.
12 years ago
/* Case sensitive matching */
When assigning Pattern IDs pids, check Case flags This fixes bug 1110. When assigning PIDs, use the NO_CASE flag when comparing for duplicates. The state of the flag must be the same, but also use the same type of comparisons when checking for duplicates. Previously, "foo":CS would match with "foo":CI when it should not. and "foo":CI would not match "FoO":CI when it should. Both of those cases are fixed with this change. This then allows simplifying the use of pid in MPMs because now if they pids match, then so do the flags, so checking the flags is not required.
12 years ago
if (SCMemcmp(dup->content, content, content_len) != 0)
continue;
fix for #564. Get rid of the hash table, and use a single-one_time_alloc'ed array for pattern id assignment.
13 years ago
}
When assigning Pattern IDs pids, check Case flags This fixes bug 1110. When assigning PIDs, use the NO_CASE flag when comparing for duplicates. The state of the flag must be the same, but also use the same type of comparisons when checking for duplicates. Previously, "foo":CS would match with "foo":CI when it should not. and "foo":CI would not match "FoO":CI when it should. Both of those cases are fixed with this change. This then allows simplifying the use of pid in MPMs because now if they pids match, then so do the flags, so checking the flags is not required.
12 years ago
/* Found a match with a previous pattern. */
fix for #564. Get rid of the hash table, and use a single-one_time_alloc'ed array for pattern id assignment.
13 years ago
break;
}
if (dup != struct_offset) {
When assigning Pattern IDs pids, check Case flags This fixes bug 1110. When assigning PIDs, use the NO_CASE flag when comparing for duplicates. The state of the flag must be the same, but also use the same type of comparisons when checking for duplicates. Previously, "foo":CS would match with "foo":CI when it should not. and "foo":CI would not match "FoO":CI when it should. Both of those cases are fixed with this change. This then allows simplifying the use of pid in MPMs because now if they pids match, then so do the flags, so checking the flags is not required.
12 years ago
/* Exited for-loop before the end, so found an existing match.
* Use its ID. */
fix for #564. Get rid of the hash table, and use a single-one_time_alloc'ed array for pattern id assignment.
13 years ago
cd->id = dup->id;
continue;
}
Store case-insensitive patterns as lowercase. This is required because SCMemcmpLowercase() expects it first argument to be already lowercase for the comparison. This is done by using memcpy_tolower() for NO_CASE patterns. This addresses code review comments from Victor.
12 years ago
/* Not found, so new content. Give it a new ID and add it
* to the array. Copy the content at the end of the
* content array.
*/
fix for #564. Get rid of the hash table, and use a single-one_time_alloc'ed array for pattern id assignment.
13 years ago
struct_offset->id = max_id++;
cd->id = struct_offset->id;
fix for bug #973. An alternative solution for bug #970. For chopped patterns, which in it's whole is a duplicate of another pattern we assign an unique content id.
12 years ago
struct_offset->content_len = content_len;
fix for #564. Get rid of the hash table, and use a single-one_time_alloc'ed array for pattern id assignment.
13 years ago
struct_offset->sm_list = sm_list;
struct_offset->content = content_offset;
When assigning Pattern IDs pids, check Case flags This fixes bug 1110. When assigning PIDs, use the NO_CASE flag when comparing for duplicates. The state of the flag must be the same, but also use the same type of comparisons when checking for duplicates. Previously, "foo":CS would match with "foo":CI when it should not. and "foo":CI would not match "FoO":CI when it should. Both of those cases are fixed with this change. This then allows simplifying the use of pid in MPMs because now if they pids match, then so do the flags, so checking the flags is not required.
12 years ago
struct_offset->flags = flags;
fix for bug #973. An alternative solution for bug #970. For chopped patterns, which in it's whole is a duplicate of another pattern we assign an unique content id.
12 years ago
content_offset += content_len;
Store case-insensitive patterns as lowercase. This is required because SCMemcmpLowercase() expects it first argument to be already lowercase for the comparison. This is done by using memcpy_tolower() for NO_CASE patterns. This addresses code review comments from Victor.
12 years ago
if (flags & DETECT_CONTENT_NOCASE) {
/* Need to store case-insensitive patterns as lower case
* because SCMemcmpLowercase() above assumes that all
* patterns are stored lower case so that it doesn't
* need to relower its first argument.
*/
memcpy_tolower(struct_offset->content, content, content_len);
} else {
memcpy(struct_offset->content, content, content_len);
}
fix for #564. Get rid of the hash table, and use a single-one_time_alloc'ed array for pattern id assignment.
13 years ago
struct_offset++;
} /* if (s->mpm_sm != NULL) */
} /* for */
de_ctx->max_fp_id = max_id;
SCFree(ahb);
Suricata upgrade to libhtp 0.5.x. Remove the support for now unsupported personalities from libhtp - TOMCAT_6_0, APACHE and APACHE_2_2. We instead use the APACHE_2 personality.
12 years ago
Minor fixes against the last set of patches for #564, 565, 581 + fp automation. Rename struct DetectFigureFPAndId_t_ to DetectFPAndItsId_ and move it's definition from inside the function where it's used to the global namespace, as requested on #suricata. Rename DetectEngineContentModifiedBufferSetup to DetectEngineContentModifierBufferSetup. Also rename DetectFigureFPAndId() to DetectSetFastPatternAndItsId(). Updated DetectSetFastPatternAndItsId() to not exit on failure and return error.
13 years ago
return 0;
fix for #564. Get rid of the hash table, and use a single-one_time_alloc'ed array for pattern id assignment.
13 years ago
}