|
|
|
@ -495,6 +495,40 @@ static inline int DetectRunInspectRuleHeader(
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* returns 0 if no match, 1 if match */
|
|
|
|
|
static inline int DetectRunInspectRulePacketMatches(
|
|
|
|
|
ThreadVars *tv,
|
|
|
|
|
DetectEngineThreadCtx *det_ctx,
|
|
|
|
|
Packet *p,
|
|
|
|
|
const Flow *f,
|
|
|
|
|
const Signature *s)
|
|
|
|
|
{
|
|
|
|
|
/* run the packet match functions */
|
|
|
|
|
if (s->sm_arrays[DETECT_SM_LIST_MATCH] != NULL) {
|
|
|
|
|
KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_MATCH);
|
|
|
|
|
SigMatchData *smd = s->sm_arrays[DETECT_SM_LIST_MATCH];
|
|
|
|
|
|
|
|
|
|
SCLogDebug("running match functions, sm %p", smd);
|
|
|
|
|
if (smd != NULL) {
|
|
|
|
|
while (1) {
|
|
|
|
|
KEYWORD_PROFILING_START;
|
|
|
|
|
if (sigmatch_table[smd->type].Match(tv, det_ctx, p, s, smd->ctx) <= 0) {
|
|
|
|
|
KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
|
|
|
|
|
SCLogDebug("no match");
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
|
|
|
|
|
if (smd->is_last) {
|
|
|
|
|
SCLogDebug("match and is_last");
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
smd++;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Signature match function
|
|
|
|
|
*/
|
|
|
|
@ -844,29 +878,8 @@ void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineT
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* run the packet match functions */
|
|
|
|
|
if (s->sm_arrays[DETECT_SM_LIST_MATCH] != NULL) {
|
|
|
|
|
KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_MATCH);
|
|
|
|
|
SigMatchData *smd = s->sm_arrays[DETECT_SM_LIST_MATCH];
|
|
|
|
|
|
|
|
|
|
SCLogDebug("running match functions, sm %p", smd);
|
|
|
|
|
if (smd != NULL) {
|
|
|
|
|
while (1) {
|
|
|
|
|
KEYWORD_PROFILING_START;
|
|
|
|
|
if (sigmatch_table[smd->type].Match(th_v, det_ctx, p, s, smd->ctx) <= 0) {
|
|
|
|
|
KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
|
|
|
|
|
SCLogDebug("no match");
|
|
|
|
|
goto next;
|
|
|
|
|
}
|
|
|
|
|
KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
|
|
|
|
|
if (smd->is_last) {
|
|
|
|
|
SCLogDebug("match and is_last");
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
smd++;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (DetectRunInspectRulePacketMatches(th_v, det_ctx, p, pflow, s) == 0)
|
|
|
|
|
goto next;
|
|
|
|
|
|
|
|
|
|
/* consider stateful sig matches */
|
|
|
|
|
if (sflags & SIG_FLAG_STATE_MATCH) {
|
|
|
|
|