|
|
|
@ -908,34 +908,17 @@ end:
|
|
|
|
* \param det_ctx Pointer to the detection engine thread context.
|
|
|
|
* \param det_ctx Pointer to the detection engine thread context.
|
|
|
|
* \param smsg The stream segment to inspect for stream mpm.
|
|
|
|
* \param smsg The stream segment to inspect for stream mpm.
|
|
|
|
* \param p Packet.
|
|
|
|
* \param p Packet.
|
|
|
|
* \param flags Not sure why I put this here. Don't seem to be using it.
|
|
|
|
* \param flags Flags.
|
|
|
|
* \param alproto Flow alproto.
|
|
|
|
* \param alproto Flow alproto.
|
|
|
|
* \param alstate Flow alstate.
|
|
|
|
* \param alstate Flow alstate.
|
|
|
|
* \param sms_runflags Used to store state by detection engine.
|
|
|
|
* \param sms_runflags Used to store state by detection engine.
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
static inline void RunMpmsOnFlow(DetectEngineCtx *de_ctx,
|
|
|
|
static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
|
|
|
|
DetectEngineThreadCtx *det_ctx,
|
|
|
|
DetectEngineThreadCtx *det_ctx, StreamMsg *smsg, Packet *p,
|
|
|
|
StreamMsg *smsg, Packet *p, uint8_t flags,
|
|
|
|
uint8_t flags, uint16_t alproto, void *alstate, uint8_t *sms_runflags)
|
|
|
|
uint16_t alproto, void *alstate,
|
|
|
|
|
|
|
|
uint8_t *sms_runflags)
|
|
|
|
|
|
|
|
{
|
|
|
|
{
|
|
|
|
uint32_t cnt = 0;
|
|
|
|
uint32_t cnt = 0;
|
|
|
|
|
|
|
|
|
|
|
|
/* have a look at the reassembled stream (if any) */
|
|
|
|
|
|
|
|
if (p->flowflags & FLOW_PKT_ESTABLISHED) {
|
|
|
|
|
|
|
|
SCLogDebug("p->flowflags & FLOW_PKT_ESTABLISHED");
|
|
|
|
|
|
|
|
if (smsg != NULL && det_ctx->sgh->mpm_stream_ctx != NULL) {
|
|
|
|
|
|
|
|
cnt = StreamPatternSearch(det_ctx, p, smsg, flags);
|
|
|
|
|
|
|
|
SCLogDebug("Stream Mpm cnt %u", cnt);
|
|
|
|
|
|
|
|
*sms_runflags |= SMS_USED_STREAM_PM;
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
SCLogDebug("smsg NULL (%p) or det_ctx->sgh->mpm_stream_ctx "
|
|
|
|
|
|
|
|
"NULL (%p)", smsg, det_ctx->sgh->mpm_stream_ctx);
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
SCLogDebug("NOT p->flowflags & FLOW_PKT_ESTABLISHED");
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (p->payload_len > 0 && det_ctx->sgh->mpm_ctx != NULL &&
|
|
|
|
if (p->payload_len > 0 && det_ctx->sgh->mpm_ctx != NULL &&
|
|
|
|
(!(p->flags & PKT_NOPAYLOAD_INSPECTION) && !(p->flags & PKT_STREAM_ADD))) {
|
|
|
|
(!(p->flags & PKT_NOPAYLOAD_INSPECTION) && !(p->flags & PKT_STREAM_ADD))) {
|
|
|
|
|
|
|
|
|
|
|
|
@ -952,30 +935,43 @@ static inline void RunMpmsOnFlow(DetectEngineCtx *de_ctx,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* all http based mpms */
|
|
|
|
/* have a look at the reassembled stream (if any) */
|
|
|
|
if (alproto == ALPROTO_HTTP && alstate != NULL) {
|
|
|
|
if (p->flowflags & FLOW_PKT_ESTABLISHED) {
|
|
|
|
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_URI) {
|
|
|
|
SCLogDebug("p->flowflags & FLOW_PKT_ESTABLISHED");
|
|
|
|
cnt = DetectUricontentInspectMpm(det_ctx, p->flow, alstate);
|
|
|
|
if (smsg != NULL && det_ctx->sgh->mpm_stream_ctx != NULL) {
|
|
|
|
SCLogDebug("uri search: cnt %" PRIu32, cnt);
|
|
|
|
cnt = StreamPatternSearch(det_ctx, p, smsg, flags);
|
|
|
|
}
|
|
|
|
SCLogDebug("Stream Mpm cnt %u", cnt);
|
|
|
|
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCBD) {
|
|
|
|
*sms_runflags |= SMS_USED_STREAM_PM;
|
|
|
|
DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, p->flow, alstate);
|
|
|
|
} else {
|
|
|
|
cnt = DetectEngineRunHttpClientBodyMpm(det_ctx);
|
|
|
|
SCLogDebug("smsg NULL (%p) or det_ctx->sgh->mpm_stream_ctx "
|
|
|
|
SCLogDebug("hcbd search: cnt %" PRIu32, cnt);
|
|
|
|
"NULL (%p)", smsg, det_ctx->sgh->mpm_stream_ctx);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHD) {
|
|
|
|
|
|
|
|
DetectEngineBufferHttpHeaders(det_ctx, p->flow, alstate);
|
|
|
|
|
|
|
|
cnt = DetectEngineRunHttpHeaderMpm(det_ctx);
|
|
|
|
|
|
|
|
SCLogDebug("hhd search: cnt %" PRIu32, cnt);
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRHD) {
|
|
|
|
|
|
|
|
DetectEngineBufferHttpRawHeaders(det_ctx, p->flow, alstate);
|
|
|
|
/* all http based mpms */
|
|
|
|
cnt = DetectEngineRunHttpRawHeaderMpm(det_ctx, p->flow);
|
|
|
|
if (alproto == ALPROTO_HTTP && alstate != NULL) {
|
|
|
|
SCLogDebug("hrhd search: cnt %" PRIu32, cnt);
|
|
|
|
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_URI) {
|
|
|
|
|
|
|
|
cnt = DetectUricontentInspectMpm(det_ctx, p->flow, alstate);
|
|
|
|
|
|
|
|
SCLogDebug("uri search: cnt %" PRIu32, cnt);
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCBD) {
|
|
|
|
|
|
|
|
DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, p->flow, alstate);
|
|
|
|
|
|
|
|
cnt = DetectEngineRunHttpClientBodyMpm(det_ctx);
|
|
|
|
|
|
|
|
SCLogDebug("hcbd search: cnt %" PRIu32, cnt);
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHD) {
|
|
|
|
|
|
|
|
DetectEngineBufferHttpHeaders(det_ctx, p->flow, alstate);
|
|
|
|
|
|
|
|
cnt = DetectEngineRunHttpHeaderMpm(det_ctx);
|
|
|
|
|
|
|
|
SCLogDebug("hhd search: cnt %" PRIu32, cnt);
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRHD) {
|
|
|
|
|
|
|
|
DetectEngineBufferHttpRawHeaders(det_ctx, p->flow, alstate);
|
|
|
|
|
|
|
|
cnt = DetectEngineRunHttpRawHeaderMpm(det_ctx, p->flow);
|
|
|
|
|
|
|
|
SCLogDebug("hrhd search: cnt %" PRIu32, cnt);
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
SCLogDebug("NOT p->flowflags & FLOW_PKT_ESTABLISHED");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -991,35 +987,23 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
|
|
|
|
uint8_t alert_flags = 0;
|
|
|
|
uint8_t alert_flags = 0;
|
|
|
|
uint16_t alproto = ALPROTO_UNKNOWN;
|
|
|
|
uint16_t alproto = ALPROTO_UNKNOWN;
|
|
|
|
int match = 0;
|
|
|
|
int match = 0;
|
|
|
|
|
|
|
|
|
|
|
|
int fmatch = 0;
|
|
|
|
int fmatch = 0;
|
|
|
|
uint32_t idx;
|
|
|
|
uint32_t idx;
|
|
|
|
|
|
|
|
|
|
|
|
uint8_t flags = 0; /* flow/state flags */
|
|
|
|
uint8_t flags = 0; /* flow/state flags */
|
|
|
|
|
|
|
|
|
|
|
|
void *alstate = NULL;
|
|
|
|
void *alstate = NULL;
|
|
|
|
StreamMsg *smsg = NULL;
|
|
|
|
StreamMsg *smsg = NULL;
|
|
|
|
Signature *s = NULL;
|
|
|
|
Signature *s = NULL;
|
|
|
|
SigMatch *sm = NULL;
|
|
|
|
SigMatch *sm = NULL;
|
|
|
|
|
|
|
|
|
|
|
|
//det_ctx->de_have_hcbd = TRUE;
|
|
|
|
|
|
|
|
//det_ctx->de_mpm_scanned_hcbd = FALSE;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//det_ctx->de_have_hhd = TRUE;
|
|
|
|
|
|
|
|
//det_ctx->de_mpm_scanned_hhd = FALSE;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//det_ctx->de_have_hrhd = TRUE;
|
|
|
|
|
|
|
|
//det_ctx->de_mpm_scanned_hrhd = FALSE;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SCEnter();
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SCLogDebug("pcap_cnt %"PRIu64, p->pcap_cnt);
|
|
|
|
|
|
|
|
|
|
|
|
/* No need to perform any detection on this packet, if the the given flag is set.*/
|
|
|
|
/* No need to perform any detection on this packet, if the the given flag is set.*/
|
|
|
|
if (p->flags & PKT_NOPACKET_INSPECTION) {
|
|
|
|
if (p->flags & PKT_NOPACKET_INSPECTION) {
|
|
|
|
SCReturnInt(0);
|
|
|
|
SCReturnInt(0);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
SCLogDebug("pcap_cnt %"PRIu64, p->pcap_cnt);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
p->alerts.cnt = 0;
|
|
|
|
p->alerts.cnt = 0;
|
|
|
|
|
|
|
|
|
|
|
|
det_ctx->pkts++;
|
|
|
|
det_ctx->pkts++;
|
|
|
|
@ -1122,12 +1106,12 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
|
|
|
|
goto end;
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
RunMpmsOnFlow(de_ctx, det_ctx, smsg, p, flags, alproto, alstate, &sms_runflags);
|
|
|
|
/* run the mpm for each type */
|
|
|
|
|
|
|
|
DetectMpmPrefilter(de_ctx, det_ctx, smsg, p, flags, alproto,
|
|
|
|
|
|
|
|
alstate, &sms_runflags);
|
|
|
|
|
|
|
|
|
|
|
|
/* stateful app layer detection */
|
|
|
|
/* stateful app layer detection */
|
|
|
|
if (p->flags & PKT_HAS_FLOW && alstate != NULL) {
|
|
|
|
if (p->flags & PKT_HAS_FLOW && alstate != NULL) {
|
|
|
|
//det_ctx->de_mpm_scanned_uri = FALSE;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* initialize to 0 (DE_STATE_MATCH_NOSTATE) */
|
|
|
|
/* initialize to 0 (DE_STATE_MATCH_NOSTATE) */
|
|
|
|
memset(det_ctx->de_state_sig_array, 0x00, det_ctx->de_state_sig_array_len);
|
|
|
|
memset(det_ctx->de_state_sig_array, 0x00, det_ctx->de_state_sig_array_len);
|
|
|
|
|
|
|
|
|
|
|
|
|
Victor Julien
14 years ago