aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Make mpm-algo use the mpm_table that has the actual mpm's registered. Clean up dead code.

Browse Source
remotes/origin/master-1.1.x
Victor Julien 15 years ago
parent 6131dec8a1
commit 18b4e3380f
3 changed files with 21 additions and 1212 deletions
Show Stats Download Patch File Download Diff File

978
src/detect-engine-mpm.c
View File

File diff suppressed because it is too large Load Diff

102
src/detect-http-client-body.c
Unescape Escape View File

@ -51,9 +51,6 @@
#include "detect-http-client-body.h"
#include "stream-tcp.h"
int DetectHttpClientBodyMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, void *state, Signature *s,
SigMatch *m);
int DetectHttpClientBodySetup(DetectEngineCtx *, Signature *, char *);
void DetectHttpClientBodyRegisterTests(void);
void DetectHttpClientBodyFree(void *);
@ -74,105 +71,6 @@ void DetectHttpClientBodyRegister(void)
sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].flags |= SIGMATCH_PAYLOAD ;
}
/**
* \brief App layer match function for the "http_client_body" keyword.
*
* \param t Pointer to the ThreadVars instance.
* \param det_ctx Pointer to the DetectEngineThreadCtx.
* \param f Pointer to the flow.
* \param flags Pointer to the flags indicating the flow direction.
* \param state Pointer to the app layer state data.
* \param s Pointer to the Signature instance.
* \param m Pointer to the SigMatch.
*
* \retval 1 On Match.
* \retval 0 On no match.
*/
int DetectHttpClientBodyMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, void *state, Signature *s,
SigMatch *m)
{
int result = 0;
DetectContentData *hcbd = (DetectContentData *)m->ctx;
HtpState *htp_state = (HtpState *)state;
SCMutexLock(&f->m);
if (htp_state == NULL) {
SCLogDebug("No htp state, no match at http body data");
goto end;
}
htp_tx_t *tx = NULL;
size_t idx = 0;
for (idx = 0;//hs->new_in_tx_index;
idx < list_size(htp_state->connp->conn->transactions); idx++)
{
tx = list_get(htp_state->connp->conn->transactions, idx);
if (tx == NULL)
continue;
SCHtpTxUserData *htud = (SCHtpTxUserData *) htp_tx_get_user_data(tx);
if (htud == NULL)
continue;
HtpBodyChunk *cur = htud->body.first;
if (htud->body.nchunks == 0) {
SCLogDebug("No http chunks to inspect");
goto end;
} else {
/* no chunks?!! get out of here */
if (cur == NULL) {
SCLogDebug("No http chunks to inspect");
goto end;
}
/* this applies only for the client request body like the keyword name says */
if (htud->body.operation != HTP_BODY_REQUEST) {
SCLogDebug("htp chunk not a request chunk");
goto end;
}
/* this is not how we do it now. We can rather hold the PM state from
* the previous chunk that was matched, and continue right from where
* we left off. We need to devise a scheme to do that, not just for
* this keyword, but other keywords need it as well */
uint8_t *chunks_buffer = NULL;
uint32_t total_chunks_len = 0;
/* club all the chunks into one whole buffer and call the SPM on the buffer */
while (cur != NULL) {
total_chunks_len += cur->len;
if ( (chunks_buffer = SCRealloc(chunks_buffer, total_chunks_len)) == NULL) {
return 0;
}
memcpy(chunks_buffer + total_chunks_len - cur->len, cur->data, cur->len);
cur = cur->next;
}
/* call the case insensitive version if nocase has been specified in the sig */
if (hcbd->flags & DETECT_CONTENT_NOCASE) {
result = (BoyerMooreNocase(hcbd->content, hcbd->content_len, chunks_buffer,
total_chunks_len, hcbd->bm_ctx->bmGs,
hcbd->bm_ctx->bmBc) != NULL);
/* call the case sensitive version if nocase has been specified in the sig */
} else {
result = (BoyerMoore(hcbd->content, hcbd->content_len, chunks_buffer,
total_chunks_len, hcbd->bm_ctx->bmGs,
hcbd->bm_ctx->bmBc) != NULL);
}
SCFree(chunks_buffer);
}
}
SCMutexUnlock(&f->m);
return result ^ ((hcbd->flags & DETECT_CONTENT_NEGATED) ? 1 : 0);
end:
SCMutexUnlock(&f->m);
return result;
}
/**
* \brief The setup function for the http_client_body keyword for a signature.
*

153
src/detect.c
Unescape Escape View File

@ -187,39 +187,6 @@ void DetectExitPrintStats(ThreadVars *tv, void *data) {
DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;
if (det_ctx == NULL)
return;
#if 0
SCLogInfo("(%s) (1byte) Pkts %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
tv->name, det_ctx->pkts, det_ctx->pkts_searched1,
(float)(det_ctx->pkts_searched1/(float)(det_ctx->pkts)*100));
SCLogInfo("(%s) (2byte) Pkts %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
tv->name, det_ctx->pkts, det_ctx->pkts_searched2,
(float)(det_ctx->pkts_searched2/(float)(det_ctx->pkts)*100));
SCLogInfo("(%s) (3byte) Pkts %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
tv->name, det_ctx->pkts, det_ctx->pkts_searched3,
(float)(det_ctx->pkts_searched3/(float)(det_ctx->pkts)*100));
SCLogInfo("(%s) (4byte) Pkts %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
tv->name, det_ctx->pkts, det_ctx->pkts_searched4,
(float)(det_ctx->pkts_searched4/(float)(det_ctx->pkts)*100));
SCLogInfo("(%s) (+byte) Pkts %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
tv->name, det_ctx->pkts, det_ctx->pkts_searched,
(float)(det_ctx->pkts_searched/(float)(det_ctx->pkts)*100));
SCLogInfo("(%s) URI (1byte) Uri's %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
tv->name, det_ctx->uris, det_ctx->pkts_uri_searched1,
(float)(det_ctx->pkts_uri_searched1/(float)(det_ctx->uris)*100));
SCLogInfo("(%s) URI (2byte) Uri's %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
tv->name, det_ctx->uris, det_ctx->pkts_uri_searched2,
(float)(det_ctx->pkts_uri_searched2/(float)(det_ctx->uris)*100));
SCLogInfo("(%s) URI (3byte) Uri's %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
tv->name, det_ctx->uris, det_ctx->pkts_uri_searched3,
(float)(det_ctx->pkts_uri_searched3/(float)(det_ctx->uris)*100));
SCLogInfo("(%s) URI (4byte) Uri's %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
tv->name, det_ctx->uris, det_ctx->pkts_uri_searched4,
(float)(det_ctx->pkts_uri_searched4/(float)(det_ctx->uris)*100));
SCLogInfo("(%s) URI (+byte) Uri's %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
tv->name, det_ctx->uris, det_ctx->pkts_uri_searched,
(float)(det_ctx->pkts_uri_searched/(float)(det_ctx->uris)*100));
#endif
}
/** \brief Create the path if default-rule-path was specified
@ -2815,65 +2782,6 @@ int BuildDestinationAddressHeads(DetectEngineCtx *de_ctx, DetectAddressHead *hea
SigGroupHeadSetSigCnt(sgr->sh, max_idx);
SigGroupHeadBuildMatchArray(de_ctx, sgr->sh, max_idx);
/* content */
//SigGroupHeadLoadContent(de_ctx, sgr->sh);
//if (sgr->sh->init->content_size == 0) {
// de_ctx->mpm_none++;
//} else {
// /* now have a look if we can reuse a mpm ctx */
// SigGroupHead *mpmsh = SigGroupHeadMpmHashLookup(de_ctx, sgr->sh);
// if (mpmsh == NULL) {
// SigGroupHeadMpmHashAdd(de_ctx, sgr->sh);
//
// de_ctx->mpm_unique++;
// } else {
// sgr->sh->mpm_ctx = mpmsh->mpm_ctx;
// sgr->sh->flags |= SIG_GROUP_HEAD_MPM_COPY;
// SigGroupHeadClearContent(sgr->sh);
//
// de_ctx->mpm_reuse++;
// }
//}
//
///* content */
//SigGroupHeadLoadStreamContent(de_ctx, sgr->sh);
//if (sgr->sh->init->stream_content_size == 0) {
// de_ctx->mpm_none++;
//} else {
// /* now have a look if we can reuse a mpm ctx */
// SigGroupHead *mpmsh = SigGroupHeadMpmStreamHashLookup(de_ctx, sgr->sh);
// if (mpmsh == NULL) {
// SigGroupHeadMpmStreamHashAdd(de_ctx, sgr->sh);
//
// de_ctx->mpm_unique++;
// } else {
// sgr->sh->mpm_stream_ctx = mpmsh->mpm_stream_ctx;
// sgr->sh->flags |= SIG_GROUP_HEAD_MPM_STREAM_COPY;
// SigGroupHeadClearStreamContent(sgr->sh);
//
// de_ctx->mpm_reuse++;
// }
//}
//
///* uricontent */
//SigGroupHeadLoadUricontent(de_ctx, sgr->sh);
//if (sgr->sh->init->uri_content_size == 0) {
// de_ctx->mpm_uri_none++;
//} else {
// /* now have a look if we can reuse a uri mpm ctx */
// SigGroupHead *mpmsh = SigGroupHeadMpmUriHashLookup(de_ctx, sgr->sh);
// if (mpmsh == NULL) {
// SigGroupHeadMpmUriHashAdd(de_ctx, sgr->sh);
// de_ctx->mpm_uri_unique++;
// } else {
// sgr->sh->mpm_uri_ctx = mpmsh->mpm_uri_ctx;
// sgr->sh->flags |= SIG_GROUP_HEAD_MPM_URI_COPY;
// SigGroupHeadClearUricontent(sgr->sh);
//
// de_ctx->mpm_uri_reuse++;
// }
//}
/* init the pattern matcher, this will respect the copy
* setting */
if (PatternMatchPrepareGroup(de_ctx, sgr->sh) < 0) {
@ -3125,67 +3033,6 @@ int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, DetectAdd
SigGroupHeadSetSigCnt(dp->sh, max_idx);
SigGroupHeadBuildMatchArray(de_ctx,dp->sh, max_idx);
//SigGroupHeadLoadContent(de_ctx, dp->sh);
//if (dp->sh->init->content_size == 0) {
// de_ctx->mpm_none++;
//} else {
// /* now have a look if we can reuse a mpm ctx */
// SigGroupHead *mpmsh = SigGroupHeadMpmHashLookup(de_ctx, dp->sh);
// if (mpmsh == NULL) {
// SigGroupHeadMpmHashAdd(de_ctx, dp->sh);
//
// de_ctx->mpm_unique++;
// } else {
// /* XXX write dedicated function for this */
// dp->sh->mpm_ctx = mpmsh->mpm_ctx;
// //SCLogDebug("replacing dp->sh, so setting mpm_content_maxlen to %u (was %u)", mpmsh->mpm_content_maxlen, dp->sh->mpm_content_maxlen);
// //dp->sh->mpm_content_maxlen = mpmsh->mpm_content_maxlen;
// dp->sh->flags |= SIG_GROUP_HEAD_MPM_COPY;
// SigGroupHeadClearContent(dp->sh);
//
// de_ctx->mpm_reuse++;
// }
//}
//
///* content */
//SigGroupHeadLoadStreamContent(de_ctx, dp->sh);
//if (dp->sh->init->stream_content_size == 0) {
// de_ctx->mpm_none++;
//} else {
// /* now have a look if we can reuse a mpm ctx */
// SigGroupHead *mpmsh = SigGroupHeadMpmStreamHashLookup(de_ctx, dp->sh);
// if (mpmsh == NULL) {
// SigGroupHeadMpmStreamHashAdd(de_ctx, dp->sh);
//
// de_ctx->mpm_unique++;
// } else {
// SCLogDebug("replacing mpm_stream_ctx %p by %p", dp->sh->mpm_stream_ctx, mpmsh->mpm_stream_ctx);
// dp->sh->mpm_stream_ctx = mpmsh->mpm_stream_ctx;
// dp->sh->flags |= SIG_GROUP_HEAD_MPM_STREAM_COPY;
// SigGroupHeadClearStreamContent(dp->sh);
//
// de_ctx->mpm_reuse++;
// }
//}
//
//SigGroupHeadLoadUricontent(de_ctx, dp->sh);
//if (dp->sh->init->uri_content_size == 0) {
// de_ctx->mpm_uri_none++;
//} else {
// /* now have a look if we can reuse a uri mpm ctx */
// SigGroupHead *mpmsh = SigGroupHeadMpmUriHashLookup(de_ctx, dp->sh);
// if (mpmsh == NULL) {
// SigGroupHeadMpmUriHashAdd(de_ctx, dp->sh);
//
// de_ctx->mpm_uri_unique++;
// } else {
// dp->sh->mpm_uri_ctx = mpmsh->mpm_uri_ctx;
// dp->sh->flags |= SIG_GROUP_HEAD_MPM_URI_COPY;
// SigGroupHeadClearUricontent(dp->sh);
//
// de_ctx->mpm_uri_reuse++;
// }
//}
/* init the pattern matcher, this will respect the copy
* setting */
if (PatternMatchPrepareGroup(de_ctx, dp->sh) < 0) {

Write Preview
Loading…
Cancel
Save