diff --git a/src/detect-engine-hhd.c b/src/detect-engine-hhd.c
index e5f1840387..e527197767 100644
--- a/src/detect-engine-hhd.c
+++ b/src/detect-engine-hhd.c
@@ -320,7 +320,7 @@ match:
 * \warning Make sure flow is locked.
 */
 static void DetectEngineBufferHttpHeaders(DetectEngineThreadCtx *det_ctx, Flow *f,
- HtpState *htp_state)
+ HtpState *htp_state, uint8_t flags)
 {
 int idx = 0;
 htp_tx_t *tx = NULL;
@@ -374,12 +374,19 @@ static void DetectEngineBufferHttpHeaders(DetectEngineThreadCtx *det_ctx, Flow *
 if (tx == NULL)
 continue;
+ table_t *headers;
+ if (flags & STREAM_TOSERVER) {
+ headers = tx->request_headers;
+ } else {
+ headers = tx->response_headers;
+ }
+
 htp_header_t *h = NULL;
 uint8_t *headers_buffer = NULL;
 size_t headers_buffer_len = 0;
- table_iterator_reset(tx->request_headers);
- while (table_iterator_next(tx->request_headers, (void **)&h) != NULL) {
+ table_iterator_reset(headers);
+ while (table_iterator_next(headers, (void **)&h) != NULL) {
 size_t size1 = bstr_size(h->name);
 size_t size2 = bstr_size(h->value);
@@ -416,14 +423,15 @@ end:
 * \brief run the mpm against the assembled http header buffer(s)
 * \retval cnt Number of matches reported by the mpm algo.
 */
-int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state)
+int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
+ HtpState *htp_state, uint8_t flags)
 {
 int i;
 uint32_t cnt = 0;
 if (det_ctx->hhd_buffers_list_len == 0) {
 SCMutexLock(&f->m);
- DetectEngineBufferHttpHeaders(det_ctx, f, htp_state);
+ DetectEngineBufferHttpHeaders(det_ctx, f, htp_state, flags);
 SCMutexUnlock(&f->m);
 }
@@ -460,7 +468,7 @@ int DetectEngineInspectHttpHeader(DetectEngineCtx *de_ctx,
 if (det_ctx->hhd_buffers_list_len == 0) {
 SCMutexLock(&f->m);
- DetectEngineBufferHttpHeaders(det_ctx, f, alstate);
+ DetectEngineBufferHttpHeaders(det_ctx, f, alstate, flags);
 SCMutexUnlock(&f->m);
 }
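Review bot: In DetectEngineBufferHttpHeaders (hunk `@@ -374,12 +374,19 @@`) the newly selected `headers` table goes straight into `table_iterator_reset()` with no NULL check, and the `else` arm treats every `flags` value without STREAM_TOSERVER as to-client. Whether libhtp can return a transaction whose `response_headers` table is not yet allocated is not visible from this hunk; if it can, a guard such as `if (headers == NULL) continue;` directly after the selection would avoid the dereference. The doc comment above the function (first hunk) should also gain a `\param flags` line saying it carries the stream direction (STREAM_TOSERVER or STREAM_TOCLIENT). The function body starts and ends outside the hunk.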
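Review bot: The `det_ctx->hhd_buffers_list_len == 0` cache check in DetectEngineRunHttpHeaderMpm (hunk `@@ -416,14 +423,15 @@`) is not keyed by direction, and the same holds for the identical check in DetectEngineInspectHttpHeader (hunk `@@ -460,7 +468,7 @@`). Buffers built from one side's headers would be reused if the other direction were inspected before DetectEngineCleanHHDBuffers runs; where that cleanup happens is outside this diff, so this is a question rather than a confirmed defect. If the buffers are always cleaned before the direction can change, a short comment at the check stating that invariant would protect it from later refactoring. Otherwise the direction should be stored next to the list and compared here, so http_header rules are never evaluated against the wrong side's headers.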
diff --git a/src/detect-engine-hhd.h b/src/detect-engine-hhd.h
index 0777735c8e..0fb0569593 100644
--- a/src/detect-engine-hhd.h
+++ b/src/detect-engine-hhd.h
@@ -25,7 +25,8 @@
 #include "app-layer-htp.h"
-int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *, Flow *, HtpState *);
+int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *, Flow *, HtpState *,
+ uint8_t);
 int DetectEngineInspectHttpHeader(DetectEngineCtx *, DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *);
 void DetectEngineCleanHHDBuffers(DetectEngineThreadCtx *);
diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c
index 8afe7da8c4..2c1cdaaae3 100644
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@@ -912,20 +912,24 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
 }
 }
 if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) {
- inspect_flags |= DE_STATE_FLAG_HHD_INSPECT;
- if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f,
- flags, alstate) == 1) {
- match_flags |= DE_STATE_FLAG_HHD_MATCH;
+ if (!(item->flags & DE_STATE_FLAG_HHD_MATCH)) {
+ inspect_flags |= DE_STATE_FLAG_HHD_INSPECT;
+ if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f,
+ flags, alstate) == 1) {
+ match_flags |= DE_STATE_FLAG_HHD_MATCH;
+ }
 }
 SCLogDebug("inspecting http header");
 }
 if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) {
- inspect_flags |= DE_STATE_FLAG_HRHD_INSPECT;
- if (DetectEngineInspectHttpRawHeader(de_ctx, det_ctx, s, f,
- flags, alstate) == 1) {
- match_flags |= DE_STATE_FLAG_HRHD_MATCH;
+ if (!(item->flags & DE_STATE_FLAG_HRHD_MATCH)) {
+ inspect_flags |= DE_STATE_FLAG_HRHD_INSPECT;
+ if (DetectEngineInspectHttpRawHeader(de_ctx, det_ctx, s, f,
+ flags, alstate) == 1) {
+ match_flags |= DE_STATE_FLAG_HRHD_MATCH;
+ }
+ SCLogDebug("inspecting http raw header");
 }
- SCLogDebug("inspecting http raw header");
 }
 if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) {
 if (!(item->flags & DE_STATE_FLAG_HMD_MATCH)) {
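Review bot: In the HHD branch of DeStateDetectContinueDetection (hunk `@@ -912,20 +912,24 @@`), `SCLogDebug("inspecting http header");` stays outside the new `if (!(item->flags & DE_STATE_FLAG_HHD_MATCH))` guard, so it logs an inspection that may have been skipped. The HRHD branch in this hunk and the HCD branch in the next hunk both move their debug line inside the guard, so moving this call up before the guard's closing brace would keep the three branches consistent. Separately, since the http_header buffer is direction-dependent after this commit, a comment should state whether `item->flags` is tracked per direction and per transaction. If it is not, an HHD match stored from one side would suppress header inspection on the other, which cannot be confirmed from this hunk because the function starts and ends outside it.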
@@ -933,12 +937,14 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
 }
 }
 if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) {
- inspect_flags |= DE_STATE_FLAG_HCD_INSPECT;
- if (DetectEngineInspectHttpCookie(de_ctx, det_ctx, s, f,
- flags, alstate) == 1) {
- match_flags |= DE_STATE_FLAG_HCD_MATCH;
+ if (!(item->flags & DE_STATE_FLAG_HCD_MATCH)) {
+ inspect_flags |= DE_STATE_FLAG_HCD_INSPECT;
+ if (DetectEngineInspectHttpCookie(de_ctx, det_ctx, s, f,
+ flags, alstate) == 1) {
+ match_flags |= DE_STATE_FLAG_HCD_MATCH;
+ }
+ SCLogDebug("inspecting http cookie");
 }
- SCLogDebug("inspecting http cookie");
 }
 if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
 if (!(item->flags & DE_STATE_FLAG_HRUD_MATCH)) {
diff --git a/src/detect.c b/src/detect.c
index 0adb0ec9b0..bfcb174e7f 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1162,7 +1162,7 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
 }
 if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHD) {
 PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HHD);
- DetectEngineRunHttpHeaderMpm(det_ctx, p->flow, alstate);
+ DetectEngineRunHttpHeaderMpm(det_ctx, p->flow, alstate, flags);
 PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HHD);
 }
 if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRHD) {