diff --git a/src/detect-dce-iface.c b/src/detect-dce-iface.c index 0fe3b680fa..88f4226fc1 100644 --- a/src/detect-dce-iface.c +++ b/src/detect-dce-iface.c @@ -853,6 +853,7 @@ static int DetectDceIfaceTestParse12(void) f.protoctx = (void *)&ssn; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); @@ -1070,6 +1071,7 @@ static int DetectDceIfaceTestParse13(void) f.proto = IPPROTO_TCP; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); @@ -1303,6 +1305,7 @@ static int DetectDceIfaceTestParse14(void) f.protoctx = (void *)&ssn; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); diff --git a/src/detect-dce-opnum.c b/src/detect-dce-opnum.c index 81a3497e6b..3e99a83445 100644 --- a/src/detect-dce-opnum.c +++ b/src/detect-dce-opnum.c @@ -1137,6 +1137,7 @@ static int DetectDceOpnumTestParse08(void) f.protoctx = (void *)&ssn; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); @@ -1664,6 +1665,7 @@ static int DetectDceOpnumTestParse09(void) f.protoctx = (void *)&ssn; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); @@ -1862,6 +1864,7 @@ static int DetectDceOpnumTestParse10(void) f.proto = IPPROTO_TCP; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); @@ -2139,6 +2142,7 @@ static int DetectDceOpnumTestParse11(void) f.proto = IPPROTO_TCP; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); 
@@ -2403,6 +2407,7 @@ static int DetectDceOpnumTestParse12(void) f.proto = IPPROTO_TCP; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); @@ -2676,6 +2681,7 @@ static int DetectDceOpnumTestParse13(void) f.proto = IPPROTO_TCP; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c index f4cabba26c..ceb6c93115 100644 --- a/src/detect-dce-stub-data.c +++ b/src/detect-dce-stub-data.c @@ -649,6 +649,7 @@ static int DetectDceStubDataTestParse02(void) f.protoctx = (void *)&ssn; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); @@ -1186,6 +1187,7 @@ static int DetectDceStubDataTestParse03(void) f.protoctx = (void *)&ssn; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); @@ -1380,6 +1382,7 @@ static int DetectDceStubDataTestParse04(void) f.proto = IPPROTO_TCP; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); @@ -1631,6 +1634,7 @@ static int DetectDceStubDataTestParse05(void) f.proto = IPPROTO_TCP; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); diff --git a/src/detect-engine-dcepayload.c b/src/detect-engine-dcepayload.c index f0d72476ba..b1fa168801 100644 --- a/src/detect-engine-dcepayload.c +++ b/src/detect-engine-dcepayload.c @@ -1547,6 +1547,7 @@ int DcePayloadTest01(void) p[i].proto = IPPROTO_TCP; p[i].flow = &f; p[i].flowflags |= FLOW_PKT_TOSERVER; + p[i].flowflags |= FLOW_PKT_ESTABLISHED; } p[1].flowflags |= FLOW_PKT_TOCLIENT; 
@@ -2413,6 +2414,7 @@ int DcePayloadTest02(void) p[i].proto = IPPROTO_TCP; p[i].flow = &f; p[i].flowflags |= FLOW_PKT_TOSERVER; + p[i].flowflags |= FLOW_PKT_ESTABLISHED; } p[1].flowflags |= FLOW_PKT_TOCLIENT; @@ -2861,6 +2863,7 @@ int DcePayloadTest03(void) p[i].proto = IPPROTO_TCP; p[i].flow = &f; p[i].flowflags |= FLOW_PKT_TOSERVER; + p[i].flowflags |= FLOW_PKT_ESTABLISHED; } p[1].flowflags |= FLOW_PKT_TOCLIENT; @@ -3309,6 +3312,7 @@ int DcePayloadTest04(void) p[i].proto = IPPROTO_TCP; p[i].flow = &f; p[i].flowflags |= FLOW_PKT_TOSERVER; + p[i].flowflags |= FLOW_PKT_ESTABLISHED; } p[1].flowflags |= FLOW_PKT_TOCLIENT; @@ -3756,6 +3760,7 @@ int DcePayloadTest05(void) p[i].proto = IPPROTO_TCP; p[i].flow = &f; p[i].flowflags |= FLOW_PKT_TOSERVER; + p[i].flowflags |= FLOW_PKT_ESTABLISHED; } p[1].flowflags |= FLOW_PKT_TOCLIENT; @@ -4204,6 +4209,7 @@ int DcePayloadTest06(void) p[i].proto = IPPROTO_TCP; p[i].flow = &f; p[i].flowflags |= FLOW_PKT_TOSERVER; + p[i].flowflags |= FLOW_PKT_ESTABLISHED; } p[1].flowflags |= FLOW_PKT_TOCLIENT; @@ -4651,6 +4657,7 @@ int DcePayloadTest07(void) p[i].proto = IPPROTO_TCP; p[i].flow = &f; p[i].flowflags |= FLOW_PKT_TOSERVER; + p[i].flowflags |= FLOW_PKT_ESTABLISHED; } p[1].flowflags |= FLOW_PKT_TOCLIENT; @@ -4936,6 +4943,7 @@ int DcePayloadTest08(void) p[i].proto = IPPROTO_TCP; p[i].flow = &f; p[i].flowflags |= FLOW_PKT_TOSERVER; + p[i].flowflags |= FLOW_PKT_ESTABLISHED; } FLOW_INITIALIZE(&f); @@ -5160,6 +5168,7 @@ int DcePayloadTest09(void) p[i].proto = IPPROTO_TCP; p[i].flow = &f; p[i].flowflags |= FLOW_PKT_TOSERVER; + p[i].flowflags |= FLOW_PKT_ESTABLISHED; } FLOW_INITIALIZE(&f); @@ -5384,6 +5393,7 @@ int DcePayloadTest10(void) p[i].proto = IPPROTO_TCP; p[i].flow = &f; p[i].flowflags |= FLOW_PKT_TOSERVER; + p[i].flowflags |= FLOW_PKT_ESTABLISHED; } FLOW_INITIALIZE(&f); 
@@ -5743,6 +5753,7 @@ int DcePayloadTest11(void)
 p[i].proto = IPPROTO_TCP;
 p[i].flow = &f;
 p[i].flowflags |= FLOW_PKT_TOSERVER;
+ p[i].flowflags |= FLOW_PKT_ESTABLISHED;
 }
 FLOW_INITIALIZE(&f);
@@ -6116,6 +6127,7 @@ int DcePayloadTest12(void)
 p[i].proto = IPPROTO_TCP;
 p[i].flow = &f;
 p[i].flowflags |= FLOW_PKT_TOSERVER;
+ p[i].flowflags |= FLOW_PKT_ESTABLISHED;
 }
 FLOW_INITIALIZE(&f);
@@ -6298,6 +6310,7 @@ int DcePayloadTest13(void)
 p[i].proto = IPPROTO_TCP;
 p[i].flow = &f;
 p[i].flowflags |= FLOW_PKT_TOSERVER;
+ p[i].flowflags |= FLOW_PKT_ESTABLISHED;
 }
 p[1].flowflags |= FLOW_PKT_TOCLIENT;
 p[3].flowflags |= FLOW_PKT_TOCLIENT;
@@ -6539,6 +6552,7 @@ int DcePayloadTest14(void)
 p[i].proto = IPPROTO_TCP;
 p[i].flow = &f;
 p[i].flowflags |= FLOW_PKT_TOSERVER;
+ p[i].flowflags |= FLOW_PKT_ESTABLISHED;
 }
 p[3].flowflags |= FLOW_PKT_TOCLIENT;
 p[5].flowflags |= FLOW_PKT_TOCLIENT;
diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c
index 2c129a39e2..8ce76bcb3f 100644
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@@ -282,7 +282,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
 SCLogDebug("s->id %"PRIu32, s->id);
 /* Check the uricontent keywords here. */
- if (alproto == ALPROTO_HTTP) {
+ if (alproto == ALPROTO_HTTP && (flags & STREAM_TOSERVER)) {
 if (s->umatch != NULL) {
 uinspect = 1;
@@ -421,7 +421,7 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
 /* let's continue detection */
 /* first, check uricontent */
- if (alproto == ALPROTO_HTTP) {
+ if (alproto == ALPROTO_HTTP && (flags & STREAM_TOSERVER)) {
 if (s->umatch != NULL) {
 if (!(item->flags & DE_STATE_FLAG_URI_MATCH)) {
 SCLogDebug("inspecting uri");
@@ -731,6 +731,7 @@ static int DeStateSigTest01(void) {
 p.flow = &f;
 p.flowflags |= FLOW_PKT_TOSERVER;
+ p.flowflags |= FLOW_PKT_ESTABLISHED;
 f.alproto = ALPROTO_HTTP;
 StreamTcpInitConfig(TRUE);
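Review bot: The new `(flags & STREAM_TOSERVER)` guard in DeStateDetectStartDetection and DeStateDetectContinueDetection carries no comment explaining why URI inspection is now direction-bound, and the identical condition is duplicated in both functions; a one-liner above each, `/* uricontent lives on the request side only: never inspect it on to-client data */`, would record the intent. What a signature with `umatch` does when the packet is to-client — recorded as a non-match, or left pending until the next to-server packet — is decided by the `uinspect` and `DE_STATE_FLAG_URI_MATCH` bookkeeping outside the hunk, so it is worth confirming that a response-direction packet cannot close the stateful match early. Both functions begin and end outside the hunk.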
@@ -866,6 +867,7 @@ static int DeStateSigTest02(void) {
 p.flow = &f;
 p.flowflags |= FLOW_PKT_TOSERVER;
+ p.flowflags |= FLOW_PKT_ESTABLISHED;
 f.alproto = ALPROTO_HTTP;
 StreamTcpInitConfig(TRUE);
diff --git a/src/detect-flow.c b/src/detect-flow.c
index 6605c5e982..52a9a6f9dd 100644
--- a/src/detect-flow.c
+++ b/src/detect-flow.c
@@ -108,6 +108,20 @@ int DetectFlowMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, S
 {
 SCEnter();
+ SCLogDebug("pkt %p", p);
+
+ if (p->flowflags & FLOW_PKT_TOSERVER) {
+ SCLogDebug("FLOW_PKT_TOSERVER");
+ } else if (p->flowflags & FLOW_PKT_TOCLIENT) {
+ SCLogDebug("FLOW_PKT_TOCLIENT");
+ }
+
+ if (p->flowflags & FLOW_PKT_ESTABLISHED) {
+ SCLogDebug("FLOW_PKT_ESTABLISHED");
+ } else if (p->flowflags & FLOW_PKT_STATELESS) {
+ SCLogDebug("FLOW_PKT_STATELESS");
+ }
+
 uint8_t cnt = 0;
 DetectFlowData *fd = (DetectFlowData *)m->ctx;
diff --git a/src/detect-ftpbounce.c b/src/detect-ftpbounce.c
index 2aa4a80d89..b736ff6e33 100644
--- a/src/detect-ftpbounce.c
+++ b/src/detect-ftpbounce.c
@@ -346,6 +346,7 @@ static int DetectFtpbounceTestALMatch02(void) {
 p.flow = &f;
 p.flowflags |= FLOW_PKT_TOSERVER;
+ p.flowflags |= FLOW_PKT_ESTABLISHED;
 f.alproto = ALPROTO_FTP;
 StreamTcpInitConfig(TRUE);
@@ -471,6 +472,7 @@ static int DetectFtpbounceTestALMatch03(void) {
 p.flow = &f;
 p.flowflags |= FLOW_PKT_TOSERVER;
+ p.flowflags |= FLOW_PKT_ESTABLISHED;
 f.alproto = ALPROTO_FTP;
 StreamTcpInitConfig(TRUE);
diff --git a/src/detect-http-client-body.c b/src/detect-http-client-body.c
index 1e0db899a5..5955097a90 100644
--- a/src/detect-http-client-body.c
+++ b/src/detect-http-client-body.c
@@ -479,6 +479,7 @@ static int DetectHttpClientBodyTest06(void)
 p.flow = &f;
 p.flowflags |= FLOW_PKT_TOSERVER;
+ p.flowflags |= FLOW_PKT_ESTABLISHED;
 f.alproto = ALPROTO_HTTP;
 StreamTcpInitConfig(TRUE);
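Review bot: The debug block inserted at the top of DetectFlowMatch sits before the declarations `uint8_t cnt = 0;` and `DetectFlowData *fd = (DetectFlowData *)m->ctx;`, turning them into declarations-after-statements; that is legal C99, but if this tree is built with `-Wdeclaration-after-statement` or in C89 mode it will warn, and moving the block below the two declarations avoids the question entirely. The TOSERVER/TOCLIENT and ESTABLISHED/STATELESS pairs also print nothing when neither flag is set, which is likely the situation one is trying to diagnose when this logging is on; a trailing `} else { SCLogDebug("no direction flag set"); }` would cover it. The rest of DetectFlowMatch lies outside the hunk.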
@@ -590,8 +591,10 @@ static int DetectHttpClientBodyTest07(void) p1.flow = &f; p1.flowflags |= FLOW_PKT_TOSERVER; + p1.flowflags |= FLOW_PKT_ESTABLISHED; p2.flow = &f; p2.flowflags |= FLOW_PKT_TOSERVER; + p2.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -717,8 +720,10 @@ static int DetectHttpClientBodyTest08(void) p1.flow = &f; p1.flowflags |= FLOW_PKT_TOSERVER; + p1.flowflags |= FLOW_PKT_ESTABLISHED; p2.flow = &f; p2.flowflags |= FLOW_PKT_TOSERVER; + p2.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -845,8 +850,10 @@ static int DetectHttpClientBodyTest09(void) p1.flow = &f; p1.flowflags |= FLOW_PKT_TOSERVER; + p1.flowflags |= FLOW_PKT_ESTABLISHED; p2.flow = &f; p2.flowflags |= FLOW_PKT_TOSERVER; + p2.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -973,8 +980,10 @@ static int DetectHttpClientBodyTest10(void) p1.flow = &f; p1.flowflags |= FLOW_PKT_TOSERVER; + p1.flowflags |= FLOW_PKT_ESTABLISHED; p2.flow = &f; p2.flowflags |= FLOW_PKT_TOSERVER; + p2.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1090,6 +1099,7 @@ static int DetectHttpClientBodyTest11(void) p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1190,6 +1200,7 @@ static int DetectHttpClientBodyTest12(void) p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1290,6 +1301,7 @@ static int DetectHttpClientBodyTest13(void) p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c index 5a9bd8413c..55dc8075de 100644 --- a/src/detect-http-cookie.c +++ b/src/detect-http-cookie.c 
@@ -507,6 +507,7 @@ static int DetectHttpCookieSigTest01(void) { p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -608,6 +609,7 @@ static int DetectHttpCookieSigTest02(void) { p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -698,6 +700,7 @@ static int DetectHttpCookieSigTest03(void) { p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -788,6 +791,7 @@ static int DetectHttpCookieSigTest04(void) { p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -878,6 +882,7 @@ static int DetectHttpCookieSigTest05(void) { p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -968,6 +973,7 @@ static int DetectHttpCookieSigTest06(void) { p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1058,6 +1064,7 @@ static int DetectHttpCookieSigTest07(void) { p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); diff --git a/src/detect-http-header.c b/src/detect-http-header.c index f4fb86ebf3..1bd6e903d7 100644 --- a/src/detect-http-header.c +++ b/src/detect-http-header.c @@ -474,6 +474,7 @@ static int DetectHttpHeaderTest06(void) f.dst.family = AF_INET; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); 
@@ -583,8 +584,10 @@ static int DetectHttpHeaderTest07(void) f.dst.family = AF_INET; p1.flow = &f; p1.flowflags |= FLOW_PKT_TOSERVER; + p1.flowflags |= FLOW_PKT_ESTABLISHED; p2.flow = &f; p2.flowflags |= FLOW_PKT_TOSERVER; + p2.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -708,8 +711,10 @@ static int DetectHttpHeaderTest08(void) f.dst.family = AF_INET; p1.flow = &f; p1.flowflags |= FLOW_PKT_TOSERVER; + p1.flowflags |= FLOW_PKT_ESTABLISHED; p2.flow = &f; p2.flowflags |= FLOW_PKT_TOSERVER; + p2.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -834,8 +839,10 @@ static int DetectHttpHeaderTest09(void) f.dst.family = AF_INET; p1.flow = &f; p1.flowflags |= FLOW_PKT_TOSERVER; + p1.flowflags |= FLOW_PKT_ESTABLISHED; p2.flow = &f; p2.flowflags |= FLOW_PKT_TOSERVER; + p2.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -960,8 +967,10 @@ static int DetectHttpHeaderTest10(void) f.dst.family = AF_INET; p1.flow = &f; p1.flowflags |= FLOW_PKT_TOSERVER; + p1.flowflags |= FLOW_PKT_ESTABLISHED; p2.flow = &f; p2.flowflags |= FLOW_PKT_TOSERVER; + p2.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1076,6 +1085,7 @@ static int DetectHttpHeaderTest11(void) f.dst.family = AF_INET; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1175,6 +1185,7 @@ static int DetectHttpHeaderTest12(void) f.dst.family = AF_INET; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1275,6 +1286,7 @@ static int DetectHttpHeaderTest13(void) p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); 
diff --git a/src/detect-http-method.c b/src/detect-http-method.c index 75f0f1e13c..5a3f4d2d8a 100644 --- a/src/detect-http-method.c +++ b/src/detect-http-method.c @@ -423,6 +423,7 @@ static int DetectHttpMethodSigTest01(void) p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -524,6 +525,7 @@ static int DetectHttpMethodSigTest02(void) p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -624,6 +626,7 @@ static int DetectHttpMethodSigTest03(void) p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); diff --git a/src/detect-pcre.c b/src/detect-pcre.c index aee7e9c9bc..7e801eb582 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -1434,6 +1434,7 @@ static int DetectPcreModifPTest04(void) { p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1569,8 +1570,10 @@ static int DetectPcreModifPTest05(void) { p1.flow = &f; p1.flowflags |= FLOW_PKT_TOSERVER; + p1.flowflags |= FLOW_PKT_ESTABLISHED; p2.flow = &f; p2.flowflags |= FLOW_PKT_TOSERVER; + p2.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); diff --git a/src/detect-tls-version.c b/src/detect-tls-version.c index f41faf9ebb..ab843ccee3 100644 --- a/src/detect-tls-version.c +++ b/src/detect-tls-version.c @@ -339,6 +339,7 @@ static int DetectTlsVersionTestDetect01(void) { f.protoctx = (void *)&ssn; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_TLS; StreamTcpInitConfig(TRUE); 
@@ -454,6 +455,7 @@ static int DetectTlsVersionTestDetect02(void) { f.protoctx = (void *)&ssn; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_TLS; StreamTcpInitConfig(TRUE); @@ -567,6 +569,7 @@ static int DetectTlsVersionTestDetect03(void) { f.protoctx = (void *)&ssn; p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_TLS; StreamTcpInitConfig(TRUE); diff --git a/src/detect-uricontent.c b/src/detect-uricontent.c index 0915f83a0c..3b8e7a62a7 100644 --- a/src/detect-uricontent.c +++ b/src/detect-uricontent.c @@ -819,6 +819,7 @@ static int DetectUriSigTest02(void) { p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -931,6 +932,7 @@ static int DetectUriSigTest03(void) { p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1259,6 +1261,7 @@ static int DetectUriSigTest05(void) { p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1317,7 +1320,7 @@ static int DetectUriSigTest05(void) { goto end; } - /* do detect */ + /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); http_state = f.aldata[AlpGetStateIdx(ALPROTO_HTTP)]; @@ -1383,6 +1386,7 @@ static int DetectUriSigTest06(void) { p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; + p.flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); 
@@ -1461,10 +1465,10 @@ static int DetectUriSigTest06(void) {
 printf("sig: 1 alerted, but it should not:");
 goto end;
 } else if (! PacketAlertCheck(&p, 2)) {
- printf("sig: 2 did not alerted, but it should:");
+ printf("sig: 2 did not alert, but it should:");
 goto end;
 } else if (! (PacketAlertCheck(&p, 3))) {
- printf("sig: 3 did not alerted, but it should:");
+ printf("sig: 3 did not alert, but it should:");
 goto end;
 }
@@ -1515,6 +1519,7 @@ static int DetectUriSigTest07(void) {
 p.flow = &f;
 p.flowflags |= FLOW_PKT_TOSERVER;
+ p.flowflags |= FLOW_PKT_ESTABLISHED;
 f.alproto = ALPROTO_HTTP;
 StreamTcpInitConfig(TRUE);
diff --git a/src/detect-urilen.c b/src/detect-urilen.c
index ae94fd8368..31d6fb27c0 100644
--- a/src/detect-urilen.c
+++ b/src/detect-urilen.c
@@ -511,6 +511,7 @@ static int DetectUrilenSigTest01(void)
 p.flow = &f;
 p.flowflags |= FLOW_PKT_TOSERVER;
+ p.flowflags |= FLOW_PKT_ESTABLISHED;
 f.alproto = ALPROTO_HTTP;
 StreamTcpInitConfig(TRUE);
diff --git a/src/detect.c b/src/detect.c
index 2a8a3ba8cd..3b4cadf59b 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -439,6 +439,7 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
 SignatureHeader *s = &det_ctx->sgh->head_array[i];
 if (s->flags & SIG_FLAG_FLOW && !p->flow) {
+ SCLogDebug("flow in sig but not in packet");
 continue;
 }
@@ -452,6 +453,7 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
 /* if the sig has alproto and the session as well they should match */
 if (s->alproto != ALPROTO_UNKNOWN && alproto != ALPROTO_UNKNOWN) {
 if (s->alproto != alproto) {
+ SCLogDebug("alproto mismatch");
 continue;
 }
 }
@@ -472,6 +474,7 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
 {
 if (de_state_start == FALSE) {
 if (det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NEW) {
+ SCLogDebug("not a new match, ignoring");
 continue;
 }
 }
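Review bot: The three new SCLogDebug calls in SigMatchSignaturesBuildMatchArray log no values, so when they fire the trace cannot say which signature was dropped or why; `SCLogDebug("alproto mismatch: sig %u wants %u, flow has %u", s->num, s->alproto, alproto);` for the second hunk, and including `det_ctx->de_state_sig_array[s->num]` in the third, would make the lines worth keeping. The format specifiers should match whatever types `num` and `alproto` are declared with in SignatureHeader, which is not visible here. The function starts before and ends after these hunks.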
@@ -571,8 +574,14 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh FlowIncrUsecnt(p->flow); SCMutexLock(&p->flow->m); - alstate = AppLayerGetProtoStateFromPacket(p); - alproto = AppLayerGetProtoFromPacket(p); + if (p->flowflags & FLOW_PKT_ESTABLISHED) { + alstate = AppLayerGetProtoStateFromPacket(p); + alproto = AppLayerGetProtoFromPacket(p); + SCLogDebug("alstate %p, alproto %u", alstate, alproto); + } else { + SCLogDebug("packet doesn't have established flag set"); + } + if (p->flowflags & FLOW_PKT_TOSERVER && p->flow->flags & FLOW_SGH_TOSERVER) { sgh = p->flow->sgh_toserver; use_flow_sgh = TRUE; @@ -580,6 +589,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh sgh = p->flow->sgh_toclient; use_flow_sgh = TRUE; } + if (p->proto == IPPROTO_TCP) { TcpSession *ssn = (TcpSession *)p->flow->protoctx; if (ssn != NULL) { @@ -589,7 +599,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh ssn->toserver_smsg_head = NULL; ssn->toserver_smsg_tail = NULL; - //BUG_ON(ssn->toclient_smsg_head != NULL); SCLogDebug("to_server smsg %p", smsg); } else { smsg = ssn->toclient_smsg_head; @@ -597,19 +606,18 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh ssn->toclient_smsg_head = NULL; ssn->toclient_smsg_tail = NULL; - //BUG_ON(ssn->toserver_smsg_head != NULL); - SCLogDebug("to_client smsg %p", smsg); } - } } SCMutexUnlock(&p->flow->m); if (p->flowflags & FLOW_PKT_TOSERVER) { flags |= STREAM_TOSERVER; + SCLogDebug("flag STREAM_TOSERVER set"); } else if (p->flowflags & FLOW_PKT_TOCLIENT) { flags |= STREAM_TOCLIENT; + SCLogDebug("flag STREAM_TOCLIENT set"); } SCLogDebug("p->flowflags 0x%02x", p->flowflags); } 
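Review bot: After this hunk `alstate` and `alproto` are only assigned when FLOW_PKT_ESTABLISHED is set, so on every other packet they keep whatever value they were given at function entry, which is outside the hunk; please confirm they are initialised to NULL and ALPROTO_UNKNOWN there, because later in SigMatchSignatures a stale `alstate` would be handed straight to the stateful inspection. The flow.c hunk shows FLOW_PKT_ESTABLISHED means only that the flow has seen traffic in both directions, not that a TCP handshake completed, so a short comment on the new branch, `/* app layer state is only consulted once the flow has seen both directions */`, would stop the next reader from assuming a session-state check. The dead `//BUG_ON(...)` lines are rightly removed. SigMatchSignatures begins before and ends after this hunk.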
@@ -655,9 +663,11 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 }
 /* have a look at the reassembled stream (if any) */
- if (smsg != NULL && det_ctx->sgh->mpm_stream_ctx != NULL) {
- cnt = StreamPatternSearch(th_v, det_ctx, smsg);
- SCLogDebug("cnt %u", cnt);
+ if (p->flowflags & FLOW_PKT_ESTABLISHED) {
+ if (smsg != NULL && det_ctx->sgh->mpm_stream_ctx != NULL) {
+ cnt = StreamPatternSearch(th_v, det_ctx, smsg);
+ SCLogDebug("cnt %u", cnt);
+ }
 }
 if (p->payload_len > 0 && det_ctx->sgh->mpm_ctx != NULL &&
@@ -719,14 +729,14 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 DetectPort *dport = DetectPortLookupGroup(s->dp,p->dp);
 if (dport == NULL) {
 SCLogDebug("dport didn't match.");
- continue;
+ goto next;
 }
 }
 if (!(s->flags & SIG_FLAG_SP_ANY)) {
 DetectPort *sport = DetectPortLookupGroup(s->sp,p->sp);
 if (sport == NULL) {
 SCLogDebug("sport didn't match.");
- continue;
+ goto next;
 }
 }
 }
@@ -736,7 +746,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 DetectAddress *daddr = DetectAddressLookupInHead(&s->dst,&p->dst);
 if (daddr == NULL) {
 SCLogDebug("dst addr didn't match.");
- continue;
+ goto next;
 }
 }
 /* check the source address */
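Review bot: The reassembled-stream search is now skipped on packets without FLOW_PKT_ESTABLISHED, yet the earlier hunk in this function still detaches the messages from the session unconditionally (`smsg = ssn->toserver_smsg_head; ssn->toserver_smsg_head = NULL;`), so a non-NULL `smsg` on a not-yet-established flow is pulled off the session and never pattern-searched, and whether it is then freed or leaked depends on code after this hunk. Since flow.c sets FLOW_PKT_ESTABLISHED only once both directions have been seen, if the reassembler can queue data before that (midstream pickup, if the stream engine supports it) this is a silent detection gap rather than a no-op. Safer is to wrap the `if (p->proto == IPPROTO_TCP)` dequeue block in the same `FLOW_PKT_ESTABLISHED` test so the data stays queued on the session until it can be inspected; avoid a BUG_ON here, as an attacker-reachable assert in the packet path is a denial of service. The `continue` to `goto next` rewrites in the other two hunks now route port and address rejects through the `next:` label, which lies outside the hunk; confirm its cleanup is appropriate for signatures that were never inspected.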
@@ -744,12 +754,19 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 DetectAddress *saddr = DetectAddressLookupInHead(&s->src,&p->src);
 if (saddr == NULL) {
 SCLogDebug("src addr didn't match.");
- continue;
+ goto next;
 }
 }
- SCLogDebug("s->amatch %p, s->umatch %p", s->amatch, s->umatch);
- if ((s->amatch != NULL || s->umatch != NULL || s->dmatch != NULL) && p->flow != NULL) {
+ SCLogDebug("s->amatch %p, s->umatch %p, s->dmatch %p",
+ s->amatch, s->umatch, s->dmatch);
+
+ if (s->amatch != NULL || s->umatch != NULL || s->dmatch != NULL) {
+ if (alstate == NULL) {
+ SCLogDebug("state matches but no state, we can't match");
+ goto next;
+ }
+
 if (de_state_start == TRUE) {
 SCLogDebug("stateful app layer match inspection starting");
 if (DeStateDetectStartDetection(th_v, de_ctx, det_ctx, s,
@@ -3443,6 +3460,7 @@ static int SigTest06Real (int mpm_type) {
 f.dst.family = AF_INET;
 p.flow = &f;
 p.flowflags |= FLOW_PKT_TOSERVER;
+ p.flowflags |= FLOW_PKT_ESTABLISHED;
 f.alproto = ALPROTO_HTTP;
 StreamTcpInitConfig(TRUE);
@@ -3540,6 +3558,7 @@ static int SigTest07Real (int mpm_type) {
 f.dst.family = AF_INET;
 p.flow = &f;
 p.flowflags |= FLOW_PKT_TOSERVER;
+ p.flowflags |= FLOW_PKT_ESTABLISHED;
 f.alproto = ALPROTO_HTTP;
 StreamTcpInitConfig(TRUE);
@@ -3637,6 +3656,7 @@ static int SigTest08Real (int mpm_type) {
 f.dst.family = AF_INET;
 p.flow = &f;
 p.flowflags |= FLOW_PKT_TOSERVER;
+ p.flowflags |= FLOW_PKT_ESTABLISHED;
 f.alproto = ALPROTO_HTTP;
 StreamTcpInitConfig(TRUE);
@@ -3735,6 +3755,7 @@ static int SigTest09Real (int mpm_type) {
 f.dst.family = AF_INET;
 p.flow = &f;
 p.flowflags |= FLOW_PKT_TOSERVER;
+ p.flowflags |= FLOW_PKT_ESTABLISHED;
 f.alproto = ALPROTO_HTTP;
 StreamTcpInitConfig(TRUE);
@@ -3825,6 +3846,7 @@ static int SigTest10Real (int mpm_type) {
 f.dst.family = AF_INET;
 p.flow = &f;
 p.flowflags |= FLOW_PKT_TOSERVER;
+ p.flowflags |= FLOW_PKT_ESTABLISHED;
 f.alproto = ALPROTO_HTTP;
 StreamTcpInitConfig(TRUE);
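Review bot: The new `if (alstate == NULL) goto next;` replaces the old explicit `&& p->flow != NULL` guard, so flowless packets hitting a stateful signature now depend entirely on `alstate` starting out NULL at function entry, which is outside this hunk; an uninitialised or stale pointer there would reach DeStateDetectStartDetection, so please confirm the initialisation. The message `"state matches but no state, we can't match"` is hard to read in a trace; `SCLogDebug("sig %u has app layer matches but the flow has no app layer state, skipping", s->id);` says what actually happened. SigMatchSignatures continues beyond the hunk, including the `next:` label these jumps now target.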
diff --git a/src/flow.c b/src/flow.c
index 4b19ca8aad..437cb805d1 100644
--- a/src/flow.c
+++ b/src/flow.c
@@ -709,6 +709,7 @@ void FlowHandlePacket (ThreadVars *tv, Packet *p)
 f->bytecnt += p->pktlen;
 if (f->flags & FLOW_TO_DST_SEEN && f->flags & FLOW_TO_SRC_SEEN) {
+ SCLogDebug("pkt %p FLOW_PKT_ESTABLISHED", p);
 p->flowflags |= FLOW_PKT_ESTABLISHED;
 }