diff --git a/src/detect-engine-hcbd.c b/src/detect-engine-hcbd.c index b98e74f32a..a5d1f30049 100644 --- a/src/detect-engine-hcbd.c +++ b/src/detect-engine-hcbd.c @@ -446,7 +446,8 @@ end: } int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state) + DetectEngineThreadCtx *det_ctx, Flow *f, + HtpState *htp_state, uint8_t flags) { int i; uint32_t cnt = 0; @@ -461,7 +462,8 @@ int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *de_ctx, for (i = 0; i < det_ctx->hcbd_buffers_list_len; i++) { cnt += HttpClientBodyPatternSearch(det_ctx, det_ctx->hcbd_buffers[i], - det_ctx->hcbd_buffers_len[i]); + det_ctx->hcbd_buffers_len[i], + flags); } return cnt; @@ -2444,7 +2446,7 @@ static int DetectEngineHttpClientBodyTest17(void) /* start the search phase */ det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1); - uint32_t r = HttpClientBodyPatternSearch(det_ctx, http1_buf, http1_len); + uint32_t r = HttpClientBodyPatternSearch(det_ctx, http1_buf, http1_len, STREAM_TOSERVER); if (r != 1) { printf("expected 1 result, got %"PRIu32": ", r); goto end; @@ -2515,7 +2517,7 @@ static int DetectEngineHttpClientBodyTest18(void) /* start the search phase */ det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1); - uint32_t r = HttpClientBodyPatternSearch(det_ctx, http1_buf, http1_len); + uint32_t r = HttpClientBodyPatternSearch(det_ctx, http1_buf, http1_len, STREAM_TOSERVER); if (r != 0) { printf("expected 1 result, got %"PRIu32": ", r); goto end; @@ -2586,7 +2588,7 @@ static int DetectEngineHttpClientBodyTest19(void) /* start the search phase */ det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1); - uint32_t r = HttpClientBodyPatternSearch(det_ctx, http1_buf, http1_len); + uint32_t r = HttpClientBodyPatternSearch(det_ctx, http1_buf, http1_len, STREAM_TOSERVER); if (r != 0) { printf("expected 1 result, got %"PRIu32": ", r); goto end; @@ -2657,7 +2659,7 @@ static int DetectEngineHttpClientBodyTest20(void) /* start the search phase */ det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1); - uint32_t r = HttpClientBodyPatternSearch(det_ctx, http1_buf, http1_len); + uint32_t r = HttpClientBodyPatternSearch(det_ctx, http1_buf, http1_len, STREAM_TOSERVER); if (r != 2) { printf("expected 1 result, got %"PRIu32": ", r); goto end; diff --git a/src/detect-engine-hcbd.h b/src/detect-engine-hcbd.h index ecb260bcb3..438a69f2a7 100644 --- a/src/detect-engine-hcbd.h +++ b/src/detect-engine-hcbd.h @@ -28,7 +28,8 @@ #include "app-layer-htp.h" int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *, - DetectEngineThreadCtx *, Flow *f, HtpState *); + DetectEngineThreadCtx *, Flow *f, + HtpState *, uint8_t); int DetectEngineInspectHttpClientBody(DetectEngineCtx *, DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *); diff --git a/src/detect-engine-hcd.c b/src/detect-engine-hcd.c index f819e99cbe..433d965517 100644 --- a/src/detect-engine-hcd.c +++ b/src/detect-engine-hcd.c @@ -309,7 +309,7 @@ match: } int DetectEngineRunHttpCookieMpm(DetectEngineThreadCtx *det_ctx, Flow *f, - HtpState *htp_state) + HtpState *htp_state, uint8_t flags) { htp_tx_t *tx = NULL; uint32_t cnt = 0; @@ -350,7 +350,7 @@ int DetectEngineRunHttpCookieMpm(DetectEngineThreadCtx *det_ctx, Flow *f, cnt += HttpCookiePatternSearch(det_ctx, (uint8_t *)bstr_ptr(h->value), - bstr_len(h->value)); + bstr_len(h->value), flags); } end: diff --git a/src/detect-engine-hcd.h b/src/detect-engine-hcd.h index e4d1f51fb0..e1028658d8 100644 --- a/src/detect-engine-hcd.h +++ b/src/detect-engine-hcd.h @@ -27,7 +27,7 @@ int DetectEngineInspectHttpCookie(DetectEngineCtx *, DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *); -int DetectEngineRunHttpCookieMpm(DetectEngineThreadCtx *, Flow *, HtpState *); +int DetectEngineRunHttpCookieMpm(DetectEngineThreadCtx *, Flow *, HtpState *, uint8_t); void DetectEngineHttpCookieRegisterTests(void); #endif /* __DETECT_ENGINE_HCD_H__ */ diff --git a/src/detect-engine-hhd.c b/src/detect-engine-hhd.c index e484cc161d..175d407fe5 100644 --- a/src/detect-engine-hhd.c +++ b/src/detect-engine-hhd.c @@ -438,7 +438,8 @@ int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f, for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) { cnt += HttpHeaderPatternSearch(det_ctx, det_ctx->hhd_buffers[i], - det_ctx->hhd_buffers_len[i]); + det_ctx->hhd_buffers_len[i], + flags); } DetectEngineCleanHHDBuffers(det_ctx); @@ -450,13 +451,15 @@ int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f, for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) { cnt += HttpHeaderPatternSearch(det_ctx, det_ctx->hhd_buffers[i], - det_ctx->hhd_buffers_len[i]); + det_ctx->hhd_buffers_len[i], + flags); } } else { for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) { cnt += HttpHeaderPatternSearch(det_ctx, det_ctx->hhd_buffers[i], - det_ctx->hhd_buffers_len[i]); + det_ctx->hhd_buffers_len[i], + flags); } uint16_t hhd_buffers_list_len = det_ctx->hhd_buffers_list_len; @@ -475,7 +478,8 @@ int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f, for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) { cnt += HttpHeaderPatternSearch(det_ctx, det_ctx->hhd_buffers[i], - det_ctx->hhd_buffers_len[i]); + det_ctx->hhd_buffers_len[i], + flags); } DetectEngineCleanHHDBuffers(det_ctx); @@ -2129,7 +2133,7 @@ static int DetectEngineHttpHeaderTest18(void) /* start the search phase */ det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); - uint32_t r = HttpHeaderPatternSearch(det_ctx, http_buf, http_len); + uint32_t r = HttpHeaderPatternSearch(det_ctx, http_buf, http_len, STREAM_TOSERVER); if (r != 2) { printf("expected result 2, got %"PRIu32": ", r); goto end; @@ -2203,7 +2207,7 @@ static int DetectEngineHttpHeaderTest19(void) /* start the search phase */ det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); - uint32_t r = HttpHeaderPatternSearch(det_ctx, http_buf, http_len); + uint32_t r = HttpHeaderPatternSearch(det_ctx, http_buf, http_len, STREAM_TOSERVER); if (r != 1) { printf("expected result 1, got %"PRIu32": ", r); goto end; diff --git a/src/detect-engine-hmd.c b/src/detect-engine-hmd.c index 12a8df7226..39806f66bc 100644 --- a/src/detect-engine-hmd.c +++ b/src/detect-engine-hmd.c @@ -309,7 +309,7 @@ match: } int DetectEngineRunHttpMethodMpm(DetectEngineThreadCtx *det_ctx, Flow *f, - HtpState *htp_state) + HtpState *htp_state, uint8_t flags) { htp_tx_t *tx = NULL; uint32_t cnt = 0; @@ -343,7 +343,8 @@ int DetectEngineRunHttpMethodMpm(DetectEngineThreadCtx *det_ctx, Flow *f, cnt += HttpMethodPatternSearch(det_ctx, (uint8_t *)bstr_ptr(tx->request_method), - bstr_len(tx->request_method)); + bstr_len(tx->request_method), + flags); } end: diff --git a/src/detect-engine-hmd.h b/src/detect-engine-hmd.h index 2db6ca8c8a..a9a58d8a0d 100644 --- a/src/detect-engine-hmd.h +++ b/src/detect-engine-hmd.h @@ -27,7 +27,7 @@ int DetectEngineInspectHttpMethod(DetectEngineCtx *, DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *); -int DetectEngineRunHttpMethodMpm(DetectEngineThreadCtx *, Flow *, HtpState *); +int DetectEngineRunHttpMethodMpm(DetectEngineThreadCtx *, Flow *, HtpState *, uint8_t); void DetectEngineHttpMethodRegisterTests(void); #endif /* __DETECT_ENGINE_HMD_H__ */ diff --git a/src/detect-engine-hrhd.c b/src/detect-engine-hrhd.c index ce926cde40..ebfacd39cf 100644 --- a/src/detect-engine-hrhd.c +++ b/src/detect-engine-hrhd.c @@ -344,7 +344,7 @@ int DetectEngineRunHttpRawHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f, if (raw_headers != NULL) { cnt += HttpRawHeaderPatternSearch(det_ctx, (uint8_t *)bstr_ptr(raw_headers), - bstr_len(raw_headers)); + bstr_len(raw_headers), flags); } #ifdef HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW raw_headers = htp_tx_get_response_headers_raw(tx); @@ -2003,7 +2003,7 @@ static int DetectEngineHttpRawHeaderTest18(void) /* start the search phase */ det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); - uint32_t r = HttpRawHeaderPatternSearch(det_ctx, http_buf, http_len); + uint32_t r = HttpRawHeaderPatternSearch(det_ctx, http_buf, http_len, STREAM_TOSERVER); if (r != 2) { printf("expected result 2, got %"PRIu32": ", r); goto end; @@ -2077,7 +2077,7 @@ static int DetectEngineHttpRawHeaderTest19(void) /* start the search phase */ det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); - uint32_t r = HttpRawHeaderPatternSearch(det_ctx, http_buf, http_len); + uint32_t r = HttpRawHeaderPatternSearch(det_ctx, http_buf, http_len, STREAM_TOSERVER); if (r != 1) { printf("expected result 1, got %"PRIu32": ", r); goto end; diff --git a/src/detect-engine-hrud.c b/src/detect-engine-hrud.c index 58d3e8b3b5..4b0185d80d 100644 --- a/src/detect-engine-hrud.c +++ b/src/detect-engine-hrud.c @@ -342,7 +342,7 @@ match: * \retval cnt Number of matches reported by the mpm algo. */ int DetectEngineRunHttpRawUriMpm(DetectEngineThreadCtx *det_ctx, Flow *f, - HtpState *htp_state) + HtpState *htp_state, uint8_t flags) { SCEnter(); @@ -376,7 +376,7 @@ int DetectEngineRunHttpRawUriMpm(DetectEngineThreadCtx *det_ctx, Flow *f, cnt += HttpRawUriPatternSearch(det_ctx, (uint8_t *)bstr_ptr(tx->request_uri), - bstr_len(tx->request_uri)); + bstr_len(tx->request_uri), flags); } end: @@ -2378,7 +2378,7 @@ static int DetectEngineHttpRawUriTest17(void) /* start the search phase */ det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1); - uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len); + uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len, STREAM_TOSERVER); if (r != 1) { printf("expected 1 result, got %"PRIu32": ", r); goto end; @@ -2449,7 +2449,7 @@ static int DetectEngineHttpRawUriTest18(void) /* start the search phase */ det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1); - uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len); + uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len, STREAM_TOSERVER); if (r != 0) { printf("expected 0 result, got %"PRIu32": ", r); goto end; @@ -2520,7 +2520,7 @@ static int DetectEngineHttpRawUriTest19(void) /* start the search phase */ det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1); - uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len); + uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len, STREAM_TOSERVER); if (r != 0) { printf("expected 0 result, got %"PRIu32": ", r); goto end; @@ -2591,7 +2591,7 @@ static int DetectEngineHttpRawUriTest20(void) /* start the search phase */ det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1); - uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len); + uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len, STREAM_TOSERVER); if (r != 2) { printf("expected 2 result, got %"PRIu32": ", r); goto end; diff --git a/src/detect-engine-hrud.h b/src/detect-engine-hrud.h index eea92982a8..6c5a7214e1 100644 --- a/src/detect-engine-hrud.h +++ b/src/detect-engine-hrud.h @@ -27,7 +27,7 @@ #include "app-layer-htp.h" int DetectEngineRunHttpRawUriMpm(DetectEngineThreadCtx *, - Flow *f, HtpState *); + Flow *f, HtpState *, uint8_t); int DetectEngineInspectHttpRawUri(DetectEngineCtx *, DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *); void DetectEngineHttpRawUriRegisterTests(void); diff --git a/src/detect-engine-hsbd.c b/src/detect-engine-hsbd.c index 8e0998d987..04eb935bae 100644 --- a/src/detect-engine-hsbd.c +++ b/src/detect-engine-hsbd.c @@ -521,7 +521,8 @@ end: } int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state) + DetectEngineThreadCtx *det_ctx, Flow *f, + HtpState *htp_state, uint8_t flags) { int i; uint32_t cnt = 0; @@ -536,7 +537,8 @@ int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *de_ctx, for (i = 0; i < det_ctx->hsbd_buffers_list_len; i++) { cnt += HttpServerBodyPatternSearch(det_ctx, det_ctx->hsbd_buffers[i], - det_ctx->hsbd_buffers_len[i]); + det_ctx->hsbd_buffers_len[i], + flags); } return cnt; diff --git a/src/detect-engine-hsbd.h b/src/detect-engine-hsbd.h index e27ca3c496..a4f8000871 100644 --- a/src/detect-engine-hsbd.h +++ b/src/detect-engine-hsbd.h @@ -28,7 +28,8 @@ #include "app-layer-htp.h" int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *, - DetectEngineThreadCtx *, Flow *f, HtpState *); + DetectEngineThreadCtx *, Flow *f, + HtpState *, uint8_t); int DetectEngineInspectHttpServerBody(DetectEngineCtx *, DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *); diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index d3b03eb382..e6980f9d38 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -168,9 +168,25 @@ uint32_t PacketPatternSearchWithStreamCtx(DetectEngineThreadCtx *det_ctx, uint32_t ret; - ret = mpm_table[det_ctx->sgh->mpm_stream_ctx->mpm_type]. - Search(det_ctx->sgh->mpm_stream_ctx, &det_ctx->mtc, &det_ctx->pmq, - p->payload, p->payload_len); + if (p->flowflags & FLOW_PKT_TOSERVER) { + ret = mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_stream_ctx_ts, &det_ctx->mtc, &det_ctx->pmq, + p->payload, p->payload_len); + } else { //if (p->flowflags & FLOW_PKT_TOCLIENT) { + ret = mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type]. + Search(det_ctx->sgh->mpm_stream_ctx_tc, &det_ctx->mtc, &det_ctx->pmq, + p->payload, p->payload_len); + } + //else { + // printf("packet pattern search with stream ctx"); + // exit(0); + // ret = mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type]. + // Search(det_ctx->sgh->mpm_stream_ctx_ts, &det_ctx->mtc, &det_ctx->pmq, + // p->payload, p->payload_len); + // ret = mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type]. + // Search(det_ctx->sgh->mpm_stream_ctx_tc, &det_ctx->mtc, &det_ctx->pmq, + // p->payload, p->payload_len); + //} SCReturnInt(ret); } @@ -188,14 +204,38 @@ uint32_t PacketPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p) uint32_t ret; MpmCtx *mpm_ctx = NULL; + MpmCtx *mpm_ctx1 = NULL; if (p->proto == IPPROTO_TCP) { - mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx; + if (p->flowflags & FLOW_PKT_TOSERVER) { + mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx_ts; + } else { // if (p->flowflags & FLOW_PKT_TOCLIENT) { + mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx_tc; + } + //else { + // mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx_ts; + // mpm_ctx1 = det_ctx->sgh->mpm_proto_tcp_ctx_tc; + //} } else if (p->proto == IPPROTO_UDP) { - mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx; + if (p->flowflags & FLOW_PKT_TOSERVER) { + mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx_ts; + } else { //if (p->flowflags & FLOW_PKT_TOCLIENT) { + mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx_tc; + } + //else { + // mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx_ts; + // mpm_ctx1 = det_ctx->sgh->mpm_proto_udp_ctx_tc; + //} } else { mpm_ctx = det_ctx->sgh->mpm_proto_other_ctx; } + //else { + // printf("packet pattern search"); + // exit(0); + // mpm_ctx = det_ctx->sgh->mpm_proto_other_ctx_ts; + // mpm_ctx1 = det_ctx->sgh->mpm_proto_other_ctx_tc; + //} + if (mpm_ctx == NULL) SCReturnInt(0); @@ -206,6 +246,13 @@ uint32_t PacketPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p) &det_ctx->pmq, p->payload, p->payload_len); + if (mpm_ctx1 != NULL) { + ret += mpm_table[mpm_ctx1->mpm_type].Search(mpm_ctx1, + &det_ctx->mtc, + &det_ctx->pmq, + p->payload, + p->payload_len); + } #else /* if the user has enabled cuda support, but is not using the cuda mpm * algo, then we shouldn't take the path of the dispatcher. Call the mpm @@ -216,6 +263,13 @@ uint32_t PacketPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p) &det_ctx->pmq, p->payload, p->payload_len); + if (mpm_ctx1 != NULL) { + ret += mpm_table[mpm_ctx1->mpm_type].Search(mpm_ctx1, + &det_ctx->mtc, + &det_ctx->pmq, + p->payload, + p->payload_len); + } SCReturnInt(ret); } @@ -228,6 +282,13 @@ uint32_t PacketPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p) &det_ctx->pmq, p->payload, p->payload_len); + if (mpm_ctx1 != NULL) { + ret = mpm_table[mpm_ctx1->mpm_type].Search(mpm_ctx1, + &det_ctx->mtc, + &det_ctx->pmq, + p->payload, + p->payload_len); + } } #endif @@ -242,18 +303,43 @@ uint32_t PacketPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p) * \retval ret number of matches */ uint32_t UriPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *uri, uint16_t uri_len) + uint8_t *uri, uint16_t uri_len, uint8_t flags) { SCEnter(); - if (det_ctx->sgh->mpm_uri_ctx == NULL) - SCReturnUInt(0U); + uint32_t ret; + if (flags & STREAM_TOSERVER) { + if (det_ctx->sgh->mpm_uri_ctx_ts == NULL) + SCReturnUInt(0U); + + ret = mpm_table[det_ctx->sgh->mpm_uri_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_uri_ctx_ts, + &det_ctx->mtcu, &det_ctx->pmq, uri, uri_len); + } else { //if (flags & STREAM_TOCLIENT) { + if (det_ctx->sgh->mpm_uri_ctx_tc == NULL) + SCReturnUInt(0U); + + ret = mpm_table[det_ctx->sgh->mpm_uri_ctx_tc->mpm_type]. + Search(det_ctx->sgh->mpm_uri_ctx_tc, + &det_ctx->mtcu, &det_ctx->pmq, uri, uri_len); + } + //else { + // printf("uri pattern search"); + // exit(0); + // if (det_ctx->sgh->mpm_uri_ctx_ts != NULL) { + // ret = mpm_table[det_ctx->sgh->mpm_uri_ctx_ts->mpm_type]. + // Search(det_ctx->sgh->mpm_uri_ctx_ts, + // &det_ctx->mtcu, &det_ctx->pmq, uri, uri_len); + // } + // if (det_ctx->sgh->mpm_uri_ctx_tc != NULL) { + // ret += mpm_table[det_ctx->sgh->mpm_uri_ctx_tc->mpm_type]. + // Search(det_ctx->sgh->mpm_uri_ctx_tc, + // &det_ctx->mtcu, &det_ctx->pmq, uri, uri_len); + // } + //} //PrintRawDataFp(stdout, uri, uri_len); - uint32_t ret; - ret = mpm_table[det_ctx->sgh->mpm_uri_ctx->mpm_type].Search(det_ctx->sgh->mpm_uri_ctx, - &det_ctx->mtcu, &det_ctx->pmq, uri, uri_len); SCReturnUInt(ret); } @@ -268,17 +354,40 @@ uint32_t UriPatternSearch(DetectEngineThreadCtx *det_ctx, * \retval ret Number of matches. */ uint32_t HttpClientBodyPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *body, uint32_t body_len) + uint8_t *body, uint32_t body_len, uint8_t flags) { SCEnter(); - if (det_ctx->sgh->mpm_hcbd_ctx == NULL) - SCReturnUInt(0); - uint32_t ret; - ret = mpm_table[det_ctx->sgh->mpm_hcbd_ctx->mpm_type]. - Search(det_ctx->sgh->mpm_hcbd_ctx, &det_ctx->mtcu, - &det_ctx->pmq, body, body_len); + if (flags & STREAM_TOSERVER) { + if (det_ctx->sgh->mpm_hcbd_ctx_ts == NULL) + SCReturnUInt(0); + + ret = mpm_table[det_ctx->sgh->mpm_hcbd_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_hcbd_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, body, body_len); + } else { //if (flags & STREAM_TOCLIENT) { + if (det_ctx->sgh->mpm_hcbd_ctx_tc == NULL) + SCReturnUInt(0); + + ret = mpm_table[det_ctx->sgh->mpm_hcbd_ctx_tc->mpm_type]. + Search(det_ctx->sgh->mpm_hcbd_ctx_tc, &det_ctx->mtcu, + &det_ctx->pmq, body, body_len); + } + //else { + // printf("hcbd pattern search"); + // exit(0); + // if (det_ctx->sgh->mpm_hcbd_ctx_ts != NULL) { + // ret = mpm_table[det_ctx->sgh->mpm_hcbd_ctx_ts->mpm_type]. + // Search(det_ctx->sgh->mpm_hcbd_ctx_ts, &det_ctx->mtcu, + // &det_ctx->pmq, body, body_len); + // } + // if (det_ctx->sgh->mpm_hcbd_ctx_tc != NULL) { + // ret += mpm_table[det_ctx->sgh->mpm_hcbd_ctx_tc->mpm_type]. + // Search(det_ctx->sgh->mpm_hcbd_ctx_tc, &det_ctx->mtcu, + // &det_ctx->pmq, body, body_len); + // } + //} SCReturnUInt(ret); } @@ -293,17 +402,40 @@ uint32_t HttpClientBodyPatternSearch(DetectEngineThreadCtx *det_ctx, * \retval ret Number of matches. */ uint32_t HttpServerBodyPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *body, uint32_t body_len) + uint8_t *body, uint32_t body_len, uint8_t flags) { SCEnter(); - if (det_ctx->sgh->mpm_hsbd_ctx == NULL) - SCReturnUInt(0); - uint32_t ret; - ret = mpm_table[det_ctx->sgh->mpm_hsbd_ctx->mpm_type]. - Search(det_ctx->sgh->mpm_hsbd_ctx, &det_ctx->mtcu, - &det_ctx->pmq, body, body_len); + if (flags & STREAM_TOSERVER) { + if (det_ctx->sgh->mpm_hsbd_ctx_ts == NULL) + SCReturnUInt(0); + + ret = mpm_table[det_ctx->sgh->mpm_hsbd_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_hsbd_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, body, body_len); + } else { //if (flags & STREAM_TOCLIENT) { + if (det_ctx->sgh->mpm_hsbd_ctx_tc == NULL) + SCReturnUInt(0); + + ret = mpm_table[det_ctx->sgh->mpm_hsbd_ctx_tc->mpm_type]. + Search(det_ctx->sgh->mpm_hsbd_ctx_tc, &det_ctx->mtcu, + &det_ctx->pmq, body, body_len); + } + //else { + // printf("hsbd pattern search"); + // exit(0); + // if (det_ctx->sgh->mpm_hsbd_ctx_ts != NULL) { + // ret = mpm_table[det_ctx->sgh->mpm_hsbd_ctx_ts->mpm_type]. + // Search(det_ctx->sgh->mpm_hsbd_ctx_ts, &det_ctx->mtcu, + // &det_ctx->pmq, body, body_len); + // } + // if (det_ctx->sgh->mpm_hsbd_ctx_tc != NULL) { + // ret += mpm_table[det_ctx->sgh->mpm_hsbd_ctx_tc->mpm_type]. + // Search(det_ctx->sgh->mpm_hsbd_ctx_tc, &det_ctx->mtcu, + // &det_ctx->pmq, body, body_len); + // } + //} SCReturnUInt(ret); } @@ -318,17 +450,40 @@ uint32_t HttpServerBodyPatternSearch(DetectEngineThreadCtx *det_ctx, * \retval ret Number of matches. */ uint32_t HttpHeaderPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *headers, uint32_t headers_len) + uint8_t *headers, uint32_t headers_len, uint8_t flags) { SCEnter(); - if (det_ctx->sgh->mpm_hhd_ctx == NULL) - SCReturnUInt(0); - uint32_t ret; - ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx->mpm_type]. - Search(det_ctx->sgh->mpm_hhd_ctx, &det_ctx->mtcu, - &det_ctx->pmq, headers, headers_len); + if (flags & STREAM_TOSERVER) { + if (det_ctx->sgh->mpm_hhd_ctx_ts == NULL) + SCReturnUInt(0); + + ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_hhd_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, headers, headers_len); + } else { //if (flags & STREAM_TOCLIENT) { + if (det_ctx->sgh->mpm_hhd_ctx_tc == NULL) + SCReturnUInt(0); + + ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_tc->mpm_type]. + Search(det_ctx->sgh->mpm_hhd_ctx_tc, &det_ctx->mtcu, + &det_ctx->pmq, headers, headers_len); + } + //else { + // printf("hhd pattern search"); + // exit(0); + // if (det_ctx->sgh->mpm_hhd_ctx_ts != NULL) { + // ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_ts->mpm_type]. + // Search(det_ctx->sgh->mpm_hhd_ctx_ts, &det_ctx->mtcu, + // &det_ctx->pmq, headers, headers_len); + // } + // if (det_ctx->sgh->mpm_hhd_ctx_tc != NULL) { + // ret += mpm_table[det_ctx->sgh->mpm_hhd_ctx_tc->mpm_type]. + // Search(det_ctx->sgh->mpm_hhd_ctx_tc, &det_ctx->mtcu, + // &det_ctx->pmq, headers, headers_len); + // } + //} SCReturnUInt(ret); } @@ -343,17 +498,40 @@ uint32_t HttpHeaderPatternSearch(DetectEngineThreadCtx *det_ctx, * \retval ret Number of matches. */ uint32_t HttpRawHeaderPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *raw_headers, uint32_t raw_headers_len) + uint8_t *raw_headers, uint32_t raw_headers_len, uint8_t flags) { SCEnter(); - if (det_ctx->sgh->mpm_hrhd_ctx == NULL) - SCReturnUInt(0); - uint32_t ret; - ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx->mpm_type]. - Search(det_ctx->sgh->mpm_hrhd_ctx, &det_ctx->mtcu, - &det_ctx->pmq, raw_headers, raw_headers_len); + if (flags & STREAM_TOSERVER) { + if (det_ctx->sgh->mpm_hrhd_ctx_ts == NULL) + SCReturnUInt(0); + + ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_hrhd_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, raw_headers, raw_headers_len); + } else { //if (flags & STREAM_TOCLIENT) { + if (det_ctx->sgh->mpm_hrhd_ctx_tc == NULL) + SCReturnUInt(0); + + ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_tc->mpm_type]. + Search(det_ctx->sgh->mpm_hrhd_ctx_tc, &det_ctx->mtcu, + &det_ctx->pmq, raw_headers, raw_headers_len); + } + //else { + // printf("hrhd pattern search"); + // exit(0); + // if (det_ctx->sgh->mpm_hrhd_ctx_ts != NULL) { + // ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_ts->mpm_type]. + // Search(det_ctx->sgh->mpm_hrhd_ctx_ts, &det_ctx->mtcu, + // &det_ctx->pmq, raw_headers, raw_headers_len); + // } + // if (det_ctx->sgh->mpm_hrhd_ctx_tc != NULL) { + // ret += mpm_table[det_ctx->sgh->mpm_hrhd_ctx_tc->mpm_type]. + // Search(det_ctx->sgh->mpm_hrhd_ctx_tc, &det_ctx->mtcu, + // &det_ctx->pmq, raw_headers, raw_headers_len); + // } + //} SCReturnUInt(ret); } @@ -368,17 +546,40 @@ uint32_t HttpRawHeaderPatternSearch(DetectEngineThreadCtx *det_ctx, * \retval ret Number of matches. */ uint32_t HttpMethodPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *raw_method, uint32_t raw_method_len) + uint8_t *raw_method, uint32_t raw_method_len, uint8_t flags) { SCEnter(); - if (det_ctx->sgh->mpm_hmd_ctx == NULL) - SCReturnUInt(0); - uint32_t ret; - ret = mpm_table[det_ctx->sgh->mpm_hmd_ctx->mpm_type]. - Search(det_ctx->sgh->mpm_hmd_ctx, &det_ctx->mtcu, - &det_ctx->pmq, raw_method, raw_method_len); + if (flags & STREAM_TOSERVER) { + if (det_ctx->sgh->mpm_hmd_ctx_ts == NULL) + SCReturnUInt(0); + + ret = mpm_table[det_ctx->sgh->mpm_hmd_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_hmd_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, raw_method, raw_method_len); + } else { //if (flags & STREAM_TOCLIENT) { + if (det_ctx->sgh->mpm_hmd_ctx_tc == NULL) + SCReturnUInt(0); + + ret = mpm_table[det_ctx->sgh->mpm_hmd_ctx_tc->mpm_type]. + Search(det_ctx->sgh->mpm_hmd_ctx_tc, &det_ctx->mtcu, + &det_ctx->pmq, raw_method, raw_method_len); + } + //else { + // printf("hmd pattern search"); + // exit(0); + // if (det_ctx->sgh->mpm_hmd_ctx_ts != NULL) { + // ret = mpm_table[det_ctx->sgh->mpm_hmd_ctx_ts->mpm_type]. + // Search(det_ctx->sgh->mpm_hmd_ctx_ts, &det_ctx->mtcu, + // &det_ctx->pmq, raw_method, raw_method_len); + // } + // if (det_ctx->sgh->mpm_hmd_ctx_tc != NULL) { + // ret += mpm_table[det_ctx->sgh->mpm_hmd_ctx_tc->mpm_type]. + // Search(det_ctx->sgh->mpm_hmd_ctx_tc, &det_ctx->mtcu, + // &det_ctx->pmq, raw_method, raw_method_len); + // } + //} SCReturnUInt(ret); } @@ -393,17 +594,40 @@ uint32_t HttpMethodPatternSearch(DetectEngineThreadCtx *det_ctx, * \retval ret Number of matches. */ uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *cookie, uint32_t cookie_len) + uint8_t *cookie, uint32_t cookie_len, uint8_t flags) { SCEnter(); - if (det_ctx->sgh->mpm_hcd_ctx == NULL) - SCReturnUInt(0); - uint32_t ret; - ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx->mpm_type]. - Search(det_ctx->sgh->mpm_hcd_ctx, &det_ctx->mtcu, - &det_ctx->pmq, cookie, cookie_len); + if (flags & STREAM_TOSERVER) { + if (det_ctx->sgh->mpm_hcd_ctx_ts == NULL) + SCReturnUInt(0); + + ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_hcd_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, cookie, cookie_len); + } else { //if (flags & STREAM_TOCLIENT) { + if (det_ctx->sgh->mpm_hcd_ctx_tc == NULL) + SCReturnUInt(0); + + ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_tc->mpm_type]. + Search(det_ctx->sgh->mpm_hcd_ctx_tc, &det_ctx->mtcu, + &det_ctx->pmq, cookie, cookie_len); + } + //else { + // printf("hcd pattern search"); + // exit(0); + // if (det_ctx->sgh->mpm_hcd_ctx_ts != NULL) { + // ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_ts->mpm_type]. + // Search(det_ctx->sgh->mpm_hcd_ctx_ts, &det_ctx->mtcu, + // &det_ctx->pmq, cookie, cookie_len); + // } + // if (det_ctx->sgh->mpm_hcd_ctx_tc != NULL) { + // ret += mpm_table[det_ctx->sgh->mpm_hcd_ctx_tc->mpm_type]. + // Search(det_ctx->sgh->mpm_hcd_ctx_tc, &det_ctx->mtcu, + // &det_ctx->pmq, cookie, cookie_len); + // } + //} SCReturnUInt(ret); } @@ -418,17 +642,40 @@ uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *det_ctx, * \retval ret Number of matches. */ uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *uri, uint32_t uri_len) + uint8_t *uri, uint32_t uri_len, uint8_t flags) { SCEnter(); - if (det_ctx->sgh->mpm_hrud_ctx == NULL) - SCReturnUInt(0); - uint32_t ret; - ret = mpm_table[det_ctx->sgh->mpm_hrud_ctx->mpm_type]. - Search(det_ctx->sgh->mpm_hrud_ctx, &det_ctx->mtcu, - &det_ctx->pmq, uri, uri_len); + if (flags & STREAM_TOSERVER) { + if (det_ctx->sgh->mpm_hrud_ctx_ts == NULL) + SCReturnUInt(0); + + ret = mpm_table[det_ctx->sgh->mpm_hrud_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_hrud_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, uri, uri_len); + } else { //if (flags & STREAM_TOCLIENT) { + if (det_ctx->sgh->mpm_hrud_ctx_tc == NULL) + SCReturnUInt(0); + + ret = mpm_table[det_ctx->sgh->mpm_hrud_ctx_tc->mpm_type]. + Search(det_ctx->sgh->mpm_hrud_ctx_tc, &det_ctx->mtcu, + &det_ctx->pmq, uri, uri_len); + } + //else { + // printf("hrud pattern search"); + // exit(0); + // if (det_ctx->sgh->mpm_hrud_ctx_ts == NULL) { + // ret = mpm_table[det_ctx->sgh->mpm_hrud_ctx_ts->mpm_type]. + // Search(det_ctx->sgh->mpm_hrud_ctx_ts, &det_ctx->mtcu, + // &det_ctx->pmq, uri, uri_len); + // } + // if (det_ctx->sgh->mpm_hrud_ctx_tc == NULL) { + // ret += mpm_table[det_ctx->sgh->mpm_hrud_ctx_tc->mpm_type]. + // Search(det_ctx->sgh->mpm_hrud_ctx_tc, &det_ctx->mtcu, + // &det_ctx->pmq, uri, uri_len); + // } + //} SCReturnUInt(ret); } @@ -450,22 +697,67 @@ uint32_t StreamPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p, uint32_t ret = 0; uint8_t cnt = 0; - for ( ; smsg != NULL; smsg = smsg->next) { - //PrintRawDataFp(stdout, smsg->data.data, smsg->data.data_len); + //PrintRawDataFp(stdout, smsg->data.data, smsg->data.data_len); + + uint32_t r; + if (flags & STREAM_TOSERVER) { + for ( ; smsg != NULL; smsg = smsg->next) { + r = mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_stream_ctx_ts, &det_ctx->mtcs, + &det_ctx->smsg_pmq[cnt], smsg->data.data, + smsg->data.data_len); + if (r > 0) { + ret += r; - uint32_t r = mpm_table[det_ctx->sgh->mpm_stream_ctx->mpm_type].Search(det_ctx->sgh->mpm_stream_ctx, - &det_ctx->mtcs, &det_ctx->smsg_pmq[cnt], smsg->data.data, smsg->data.data_len); - if (r > 0) { - ret += r; + SCLogDebug("smsg match stored in det_ctx->smsg_pmq[%u]", cnt); - SCLogDebug("smsg match stored in det_ctx->smsg_pmq[%u]", cnt); + /* merge results with overall pmq */ + PmqMerge(&det_ctx->smsg_pmq[cnt], &det_ctx->pmq); + } - /* merge results with overall pmq */ - PmqMerge(&det_ctx->smsg_pmq[cnt], &det_ctx->pmq); + cnt++; } + } else { //if (flags & STREAM_TOCLIENT) { + for ( ; smsg != NULL; smsg = smsg->next) { + r = mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type]. + Search(det_ctx->sgh->mpm_stream_ctx_tc, &det_ctx->mtcs, + &det_ctx->smsg_pmq[cnt], smsg->data.data, + smsg->data.data_len); + if (r > 0) { + ret += r; + + SCLogDebug("smsg match stored in det_ctx->smsg_pmq[%u]", cnt); + + /* merge results with overall pmq */ + PmqMerge(&det_ctx->smsg_pmq[cnt], &det_ctx->pmq); + } - cnt++; + cnt++; + } } + //else { + // printf("stream pattern search"); + // exit(0); + // for ( ; smsg != NULL; smsg = smsg->next) { + // r = mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type]. + // Search(det_ctx->sgh->mpm_stream_ctx_ts, &det_ctx->mtcs, + // &det_ctx->smsg_pmq[cnt], smsg->data.data, + // smsg->data.data_len); + // r += mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type]. + // Search(det_ctx->sgh->mpm_stream_ctx_tc, &det_ctx->mtcs, + // &det_ctx->smsg_pmq[cnt], smsg->data.data, + // smsg->data.data_len); + // if (r > 0) { + // ret += r; + // + // SCLogDebug("smsg match stored in det_ctx->smsg_pmq[%u]", cnt); + // + // /* merge results with overall pmq */ + // PmqMerge(&det_ctx->smsg_pmq[cnt], &det_ctx->pmq); + // } + // } /* for */ + // + //} /* else */ SCReturnInt(ret); } @@ -478,26 +770,46 @@ void PacketPatternCleanup(ThreadVars *t, DetectEngineThreadCtx *det_ctx) { return; /* content */ - if (det_ctx->sgh->mpm_proto_tcp_ctx != NULL && - mpm_table[det_ctx->sgh->mpm_proto_tcp_ctx->mpm_type].Cleanup != NULL) { - mpm_table[det_ctx->sgh->mpm_proto_tcp_ctx->mpm_type].Cleanup(&det_ctx->mtc); + if (det_ctx->sgh->mpm_proto_tcp_ctx_ts != NULL && + mpm_table[det_ctx->sgh->mpm_proto_tcp_ctx_ts->mpm_type].Cleanup != NULL) { + mpm_table[det_ctx->sgh->mpm_proto_tcp_ctx_ts->mpm_type].Cleanup(&det_ctx->mtc); + } + if (det_ctx->sgh->mpm_proto_tcp_ctx_tc != NULL && + mpm_table[det_ctx->sgh->mpm_proto_tcp_ctx_tc->mpm_type].Cleanup != NULL) { + mpm_table[det_ctx->sgh->mpm_proto_tcp_ctx_tc->mpm_type].Cleanup(&det_ctx->mtc); + } + + if (det_ctx->sgh->mpm_proto_udp_ctx_ts != NULL && + mpm_table[det_ctx->sgh->mpm_proto_udp_ctx_ts->mpm_type].Cleanup != NULL) { + mpm_table[det_ctx->sgh->mpm_proto_udp_ctx_ts->mpm_type].Cleanup(&det_ctx->mtc); } - if (det_ctx->sgh->mpm_proto_tcp_ctx != NULL && - mpm_table[det_ctx->sgh->mpm_proto_tcp_ctx->mpm_type].Cleanup != NULL) { - mpm_table[det_ctx->sgh->mpm_proto_udp_ctx->mpm_type].Cleanup(&det_ctx->mtc); + if (det_ctx->sgh->mpm_proto_udp_ctx_tc != NULL && + mpm_table[det_ctx->sgh->mpm_proto_udp_ctx_tc->mpm_type].Cleanup != NULL) { + mpm_table[det_ctx->sgh->mpm_proto_udp_ctx_tc->mpm_type].Cleanup(&det_ctx->mtc); } + if (det_ctx->sgh->mpm_proto_other_ctx != NULL && mpm_table[det_ctx->sgh->mpm_proto_other_ctx->mpm_type].Cleanup != NULL) { mpm_table[det_ctx->sgh->mpm_proto_other_ctx->mpm_type].Cleanup(&det_ctx->mtc); } + /* uricontent */ - if (det_ctx->sgh->mpm_uri_ctx != NULL && mpm_table[det_ctx->sgh->mpm_uri_ctx->mpm_type].Cleanup != NULL) { - mpm_table[det_ctx->sgh->mpm_uri_ctx->mpm_type].Cleanup(&det_ctx->mtcu); + if (det_ctx->sgh->mpm_uri_ctx_ts != NULL && mpm_table[det_ctx->sgh->mpm_uri_ctx_ts->mpm_type].Cleanup != NULL) { + mpm_table[det_ctx->sgh->mpm_uri_ctx_ts->mpm_type].Cleanup(&det_ctx->mtcu); + } + if (det_ctx->sgh->mpm_uri_ctx_tc != NULL && mpm_table[det_ctx->sgh->mpm_uri_ctx_tc->mpm_type].Cleanup != NULL) { + mpm_table[det_ctx->sgh->mpm_uri_ctx_tc->mpm_type].Cleanup(&det_ctx->mtcu); } + /* stream content */ - if (det_ctx->sgh->mpm_stream_ctx != NULL && mpm_table[det_ctx->sgh->mpm_stream_ctx->mpm_type].Cleanup != NULL) { - mpm_table[det_ctx->sgh->mpm_stream_ctx->mpm_type].Cleanup(&det_ctx->mtcs); + if (det_ctx->sgh->mpm_stream_ctx_ts != NULL && mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type].Cleanup != NULL) { + mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type].Cleanup(&det_ctx->mtcs); + } + if (det_ctx->sgh->mpm_stream_ctx_tc != NULL && mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type].Cleanup != NULL) { + mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type].Cleanup(&det_ctx->mtcs); } + + return; } void StreamPatternCleanup(ThreadVars *t, DetectEngineThreadCtx *det_ctx, StreamMsg *smsg) { @@ -542,26 +854,48 @@ void PatternMatchDestroyGroup(SigGroupHead *sh) { !(sh->flags & SIG_GROUP_HEAD_MPM_COPY)) { SCLogDebug("destroying mpm_ctx %p (sh %p)", - sh->mpm_proto_tcp_ctx, sh); - if (sh->mpm_proto_tcp_ctx != NULL && - !MpmFactoryIsMpmCtxAvailable(sh->mpm_proto_tcp_ctx)) { - mpm_table[sh->mpm_proto_tcp_ctx->mpm_type]. - DestroyCtx(sh->mpm_proto_tcp_ctx); - SCFree(sh->mpm_proto_tcp_ctx); + sh->mpm_proto_tcp_ctx_ts, sh); + if (sh->mpm_proto_tcp_ctx_ts != NULL && + !MpmFactoryIsMpmCtxAvailable(sh->mpm_proto_tcp_ctx_ts)) { + mpm_table[sh->mpm_proto_tcp_ctx_ts->mpm_type]. + DestroyCtx(sh->mpm_proto_tcp_ctx_ts); + SCFree(sh->mpm_proto_tcp_ctx_ts); + } + /* ready for reuse */ + sh->mpm_proto_tcp_ctx_ts = NULL; + + SCLogDebug("destroying mpm_ctx %p (sh %p)", + sh->mpm_proto_tcp_ctx_tc, sh); + if (sh->mpm_proto_tcp_ctx_tc != NULL && + !MpmFactoryIsMpmCtxAvailable(sh->mpm_proto_tcp_ctx_tc)) { + mpm_table[sh->mpm_proto_tcp_ctx_tc->mpm_type]. + DestroyCtx(sh->mpm_proto_tcp_ctx_tc); + SCFree(sh->mpm_proto_tcp_ctx_tc); + } + /* ready for reuse */ + sh->mpm_proto_tcp_ctx_tc = NULL; + + SCLogDebug("destroying mpm_ctx %p (sh %p)", + sh->mpm_proto_udp_ctx_ts, sh); + if (sh->mpm_proto_udp_ctx_ts != NULL && + !MpmFactoryIsMpmCtxAvailable(sh->mpm_proto_udp_ctx_ts)) { + mpm_table[sh->mpm_proto_udp_ctx_ts->mpm_type]. + DestroyCtx(sh->mpm_proto_udp_ctx_ts); + SCFree(sh->mpm_proto_udp_ctx_ts); } /* ready for reuse */ - sh->mpm_proto_tcp_ctx = NULL; + sh->mpm_proto_udp_ctx_ts = NULL; SCLogDebug("destroying mpm_ctx %p (sh %p)", - sh->mpm_proto_udp_ctx, sh); - if (sh->mpm_proto_udp_ctx != NULL && - !MpmFactoryIsMpmCtxAvailable(sh->mpm_proto_udp_ctx)) { - mpm_table[sh->mpm_proto_udp_ctx->mpm_type]. - DestroyCtx(sh->mpm_proto_udp_ctx); - SCFree(sh->mpm_proto_udp_ctx); + sh->mpm_proto_udp_ctx_tc, sh); + if (sh->mpm_proto_udp_ctx_tc != NULL && + !MpmFactoryIsMpmCtxAvailable(sh->mpm_proto_udp_ctx_tc)) { + mpm_table[sh->mpm_proto_udp_ctx_tc->mpm_type]. + DestroyCtx(sh->mpm_proto_udp_ctx_tc); + SCFree(sh->mpm_proto_udp_ctx_tc); } /* ready for reuse */ - sh->mpm_proto_udp_ctx = NULL; + sh->mpm_proto_udp_ctx_tc = NULL; SCLogDebug("destroying mpm_ctx %p (sh %p)", sh->mpm_proto_other_ctx, sh); @@ -578,35 +912,57 @@ void PatternMatchDestroyGroup(SigGroupHead *sh) { } /* uricontent */ - if (sh->flags & SIG_GROUP_HAVEURICONTENT && sh->mpm_uri_ctx != NULL && + if (sh->flags & SIG_GROUP_HAVEURICONTENT && + (sh->mpm_uri_ctx_ts != NULL || sh->mpm_uri_ctx_tc != NULL) && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) { - SCLogDebug("destroying mpm_uri_ctx %p (sh %p)", sh->mpm_uri_ctx, sh); - if (!MpmFactoryIsMpmCtxAvailable(sh->mpm_uri_ctx)) { - mpm_table[sh->mpm_uri_ctx->mpm_type].DestroyCtx(sh->mpm_uri_ctx); - SCFree(sh->mpm_uri_ctx); + if (sh->mpm_uri_ctx_ts != NULL) { + SCLogDebug("destroying mpm_uri_ctx %p (sh %p)", sh->mpm_uri_ctx_ts, sh); + if (!MpmFactoryIsMpmCtxAvailable(sh->mpm_uri_ctx_ts)) { + mpm_table[sh->mpm_uri_ctx_ts->mpm_type].DestroyCtx(sh->mpm_uri_ctx_ts); + SCFree(sh->mpm_uri_ctx_ts); + } + /* ready for reuse */ + sh->mpm_uri_ctx_ts = NULL; + } + if (sh->mpm_uri_ctx_tc != NULL) { + SCLogDebug("destroying mpm_uri_ctx %p (sh %p)", sh->mpm_uri_ctx_tc, sh); + if (!MpmFactoryIsMpmCtxAvailable(sh->mpm_uri_ctx_tc)) { + mpm_table[sh->mpm_uri_ctx_tc->mpm_type].DestroyCtx(sh->mpm_uri_ctx_tc); + SCFree(sh->mpm_uri_ctx_tc); + } + /* ready for reuse */ + sh->mpm_uri_ctx_tc = NULL; } - /* ready for reuse */ - sh->mpm_uri_ctx = NULL; sh->flags &= ~SIG_GROUP_HAVEURICONTENT; } /* stream content */ if (sh->flags & SIG_GROUP_HAVESTREAMCONTENT) { - if (sh->mpm_stream_ctx != NULL) { - if (!(sh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)) { - SCLogDebug("destroying mpm_stream_ctx %p (sh %p)", sh->mpm_stream_ctx, sh); - if (!MpmFactoryIsMpmCtxAvailable(sh->mpm_stream_ctx)) { - mpm_table[sh->mpm_stream_ctx->mpm_type].DestroyCtx(sh->mpm_stream_ctx); - SCFree(sh->mpm_stream_ctx); + if (!(sh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)) { + if (sh->mpm_stream_ctx_ts != NULL) { + SCLogDebug("destroying mpm_stream_ctx %p (sh %p)", sh->mpm_stream_ctx_ts, sh); + if (!MpmFactoryIsMpmCtxAvailable(sh->mpm_stream_ctx_ts)) { + mpm_table[sh->mpm_stream_ctx_ts->mpm_type].DestroyCtx(sh->mpm_stream_ctx_ts); + SCFree(sh->mpm_stream_ctx_ts); } - /* ready for reuse */ - sh->mpm_stream_ctx = NULL; - sh->flags &= ~SIG_GROUP_HAVESTREAMCONTENT; + sh->mpm_stream_ctx_ts = NULL; } + if (sh->mpm_stream_ctx_tc != NULL) { + SCLogDebug("destroying mpm_stream_ctx %p (sh %p)", sh->mpm_stream_ctx_tc, sh); + if (!MpmFactoryIsMpmCtxAvailable(sh->mpm_stream_ctx_tc)) { + mpm_table[sh->mpm_stream_ctx_tc->mpm_type].DestroyCtx(sh->mpm_stream_ctx_tc); + SCFree(sh->mpm_stream_ctx_tc); + } + /* ready for reuse */ + sh->mpm_stream_ctx_tc = NULL; + } + sh->flags &= ~SIG_GROUP_HAVESTREAMCONTENT; } } + + return; } /** \brief Hash for looking up contents that are most used, @@ -807,12 +1163,24 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, /* add the content to the "packet" mpm */ if (SignatureHasPacketContent(s)) { if (s->proto.proto[6 / 8] & 1 << (6 % 8)) { - PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_tcp_ctx, - cd, s, flags, 1); + if (s->flags & SIG_FLAG_TOSERVER) { + PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_tcp_ctx_ts, + cd, s, flags, 1); + } + if (s->flags & SIG_FLAG_TOCLIENT) { + PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_tcp_ctx_tc, + cd, s, flags, 1); + } } if (s->proto.proto[17 / 8] & 1 << (17 % 8)) { - PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_udp_ctx, - cd, s, flags, 1); + if (s->flags & SIG_FLAG_TOSERVER) { + PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_udp_ctx_ts, + cd, s, flags, 1); + } + if (s->flags & SIG_FLAG_TOCLIENT) { + PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_udp_ctx_tc, + cd, s, flags, 1); + } } int i; for (i = 0; i < 256; i++) { @@ -835,17 +1203,35 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, } if (SignatureHasStreamContent(s)) { if (cd->flags & DETECT_CONTENT_NOCASE) { - mpm_table[sgh->mpm_stream_ctx->mpm_type]. - AddPatternNocase(sgh->mpm_stream_ctx, - cd->content + cd->fp_chop_offset, - cd->fp_chop_len, - 0, 0, cd->id, s->num, flags); + if (s->flags & SIG_FLAG_TOSERVER) { + mpm_table[sgh->mpm_stream_ctx_ts->mpm_type]. + AddPatternNocase(sgh->mpm_stream_ctx_ts, + cd->content + cd->fp_chop_offset, + cd->fp_chop_len, + 0, 0, cd->id, s->num, flags); + } + if (s->flags & SIG_FLAG_TOCLIENT) { + mpm_table[sgh->mpm_stream_ctx_tc->mpm_type]. + AddPatternNocase(sgh->mpm_stream_ctx_tc, + cd->content + cd->fp_chop_offset, + cd->fp_chop_len, + 0, 0, cd->id, s->num, flags); + } } else { - mpm_table[sgh->mpm_stream_ctx->mpm_type]. - AddPattern(sgh->mpm_stream_ctx, - cd->content + cd->fp_chop_offset, - cd->fp_chop_len, - 0, 0, cd->id, s->num, flags); + if (s->flags & SIG_FLAG_TOSERVER) { + mpm_table[sgh->mpm_stream_ctx_ts->mpm_type]. + AddPattern(sgh->mpm_stream_ctx_ts, + cd->content + cd->fp_chop_offset, + cd->fp_chop_len, + 0, 0, cd->id, s->num, flags); + } + if (s->flags & SIG_FLAG_TOCLIENT) { + mpm_table[sgh->mpm_stream_ctx_tc->mpm_type]. + AddPattern(sgh->mpm_stream_ctx_tc, + cd->content + cd->fp_chop_offset, + cd->fp_chop_len, + 0, 0, cd->id, s->num, flags); + } } /* tell matcher we are inspecting stream */ s->flags |= SIG_FLAG_MPM_STREAM; @@ -878,12 +1264,24 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, if (SignatureHasPacketContent(s)) { /* add the content to the "packet" mpm */ if (s->proto.proto[6 / 8] & 1 << (6 % 8)) { - PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_tcp_ctx, - cd, s, flags, 0); + if (s->flags & SIG_FLAG_TOSERVER) { + PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_tcp_ctx_ts, + cd, s, flags, 0); + } + if (s->flags & SIG_FLAG_TOCLIENT) { + PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_tcp_ctx_tc, + cd, s, flags, 0); + } } if (s->proto.proto[17 / 8] & 1 << (17 % 8)) { - PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_udp_ctx, - cd, s, flags, 0); + if (s->flags & SIG_FLAG_TOSERVER) { + PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_udp_ctx_ts, + cd, s, flags, 0); + } + if (s->flags & SIG_FLAG_TOCLIENT) { + PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_udp_ctx_tc, + cd, s, flags, 0); + } } int i; for (i = 0; i < 256; i++) { @@ -907,15 +1305,31 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, if (SignatureHasStreamContent(s)) { /* add the content to the "packet" mpm */ if (cd->flags & DETECT_CONTENT_NOCASE) { - mpm_table[sgh->mpm_stream_ctx->mpm_type]. - AddPatternNocase(sgh->mpm_stream_ctx, - cd->content, cd->content_len, - 0, 0, cd->id, s->num, flags); + if (s->flags & SIG_FLAG_TOSERVER) { + mpm_table[sgh->mpm_stream_ctx_ts->mpm_type]. + AddPatternNocase(sgh->mpm_stream_ctx_ts, + cd->content, cd->content_len, + 0, 0, cd->id, s->num, flags); + } + if (s->flags & SIG_FLAG_TOCLIENT) { + mpm_table[sgh->mpm_stream_ctx_tc->mpm_type]. + AddPatternNocase(sgh->mpm_stream_ctx_tc, + cd->content, cd->content_len, + 0, 0, cd->id, s->num, flags); + } } else { - mpm_table[sgh->mpm_stream_ctx->mpm_type]. - AddPattern(sgh->mpm_stream_ctx, - cd->content, cd->content_len, - 0, 0, cd->id, s->num, flags); + if (s->flags & SIG_FLAG_TOSERVER) { + mpm_table[sgh->mpm_stream_ctx_ts->mpm_type]. + AddPattern(sgh->mpm_stream_ctx_ts, + cd->content, cd->content_len, + 0, 0, cd->id, s->num, flags); + } + if (s->flags & SIG_FLAG_TOCLIENT) { + mpm_table[sgh->mpm_stream_ctx_tc->mpm_type]. + AddPattern(sgh->mpm_stream_ctx_tc, + cd->content, cd->content_len, + 0, 0, cd->id, s->num, flags); + } } /* tell matcher we are inspecting stream */ s->flags |= SIG_FLAG_MPM_STREAM; @@ -946,40 +1360,65 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, case DETECT_AL_HTTP_METHOD: case DETECT_AL_HTTP_COOKIE: { - MpmCtx *mpm_ctx = NULL; + MpmCtx *mpm_ctx_ts = NULL; + MpmCtx *mpm_ctx_tc = NULL; uint32_t sgh_flags = 0; uint32_t cd_flags = 0; if (mpm_sm->type == DETECT_URICONTENT) { - mpm_ctx = sgh->mpm_uri_ctx; + if (s->flags & SIG_FLAG_TOSERVER) + mpm_ctx_ts = sgh->mpm_uri_ctx_ts; + if (s->flags & SIG_FLAG_TOCLIENT) + mpm_ctx_tc = sgh->mpm_uri_ctx_tc; sgh_flags = SIG_GROUP_HEAD_MPM_URI; cd_flags = DETECT_CONTENT_URI_MPM; } else if (mpm_sm->type == DETECT_AL_HTTP_CLIENT_BODY) { - mpm_ctx = sgh->mpm_hcbd_ctx; + if (s->flags & SIG_FLAG_TOSERVER) + mpm_ctx_ts = sgh->mpm_hcbd_ctx_ts; + if (s->flags & SIG_FLAG_TOCLIENT) + mpm_ctx_tc = sgh->mpm_hcbd_ctx_tc; sgh_flags = SIG_GROUP_HEAD_MPM_HCBD; cd_flags = DETECT_CONTENT_HCBD_MPM; } else if (mpm_sm->type == DETECT_AL_HTTP_SERVER_BODY) { - mpm_ctx = sgh->mpm_hsbd_ctx; + if (s->flags & SIG_FLAG_TOSERVER) + mpm_ctx_ts = sgh->mpm_hsbd_ctx_ts; + if (s->flags & SIG_FLAG_TOCLIENT) + mpm_ctx_tc = sgh->mpm_hsbd_ctx_tc; sgh_flags = SIG_GROUP_HEAD_MPM_HSBD; cd_flags = DETECT_CONTENT_HSBD_MPM; } else if (mpm_sm->type == DETECT_AL_HTTP_HEADER) { - mpm_ctx = sgh->mpm_hhd_ctx; + if (s->flags & SIG_FLAG_TOSERVER) + mpm_ctx_ts = sgh->mpm_hhd_ctx_ts; + if (s->flags & SIG_FLAG_TOCLIENT) + mpm_ctx_tc = sgh->mpm_hhd_ctx_tc; sgh_flags = SIG_GROUP_HEAD_MPM_HHD; cd_flags = DETECT_CONTENT_HHD_MPM; } else if (mpm_sm->type == DETECT_AL_HTTP_RAW_HEADER) { - mpm_ctx = sgh->mpm_hrhd_ctx; + if (s->flags & SIG_FLAG_TOSERVER) + mpm_ctx_ts = sgh->mpm_hrhd_ctx_ts; + if (s->flags & SIG_FLAG_TOCLIENT) + mpm_ctx_tc = sgh->mpm_hrhd_ctx_tc; sgh_flags = SIG_GROUP_HEAD_MPM_HRHD; cd_flags = DETECT_CONTENT_HRHD_MPM; } else if (mpm_sm->type == DETECT_AL_HTTP_METHOD) { - mpm_ctx = sgh->mpm_hmd_ctx; + if (s->flags & SIG_FLAG_TOSERVER) + mpm_ctx_ts = sgh->mpm_hmd_ctx_ts; + if (s->flags & SIG_FLAG_TOCLIENT) + mpm_ctx_tc = sgh->mpm_hmd_ctx_tc; sgh_flags = SIG_GROUP_HEAD_MPM_HMD; cd_flags = DETECT_CONTENT_HMD_MPM; } else if (mpm_sm->type == DETECT_AL_HTTP_COOKIE) { - mpm_ctx = sgh->mpm_hcd_ctx; + if (s->flags & SIG_FLAG_TOSERVER) + mpm_ctx_ts = sgh->mpm_hcd_ctx_ts; + if (s->flags & SIG_FLAG_TOCLIENT) + mpm_ctx_tc = sgh->mpm_hcd_ctx_tc; sgh_flags = SIG_GROUP_HEAD_MPM_HCD; cd_flags = DETECT_CONTENT_HCD_MPM; } else if (mpm_sm->type == DETECT_AL_HTTP_RAW_URI) { - mpm_ctx = sgh->mpm_hrud_ctx; + if (s->flags & SIG_FLAG_TOSERVER) + mpm_ctx_ts = sgh->mpm_hrud_ctx_ts; + if (s->flags & SIG_FLAG_TOCLIENT) + mpm_ctx_tc = sgh->mpm_hrud_ctx_tc; sgh_flags = SIG_GROUP_HEAD_MPM_HRUD; cd_flags = DETECT_CONTENT_HRUD_MPM; } @@ -988,17 +1427,35 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) { /* add the content to the mpm */ if (cd->flags & DETECT_CONTENT_NOCASE) { - mpm_table[mpm_ctx->mpm_type]. - AddPatternNocase(mpm_ctx, - cd->content + cd->fp_chop_offset, - cd->fp_chop_len, - 0, 0, cd->id, s->num, flags); + if (mpm_ctx_ts != NULL) { + mpm_table[mpm_ctx_ts->mpm_type]. + AddPatternNocase(mpm_ctx_ts, + cd->content + cd->fp_chop_offset, + cd->fp_chop_len, + 0, 0, cd->id, s->num, flags); + } + if (mpm_ctx_tc != NULL) { + mpm_table[mpm_ctx_tc->mpm_type]. + AddPatternNocase(mpm_ctx_tc, + cd->content + cd->fp_chop_offset, + cd->fp_chop_len, + 0, 0, cd->id, s->num, flags); + } } else { - mpm_table[mpm_ctx->mpm_type]. - AddPattern(mpm_ctx, - cd->content + cd->fp_chop_offset, - cd->fp_chop_len, - 0, 0, cd->id, s->num, flags); + if (mpm_ctx_ts != NULL) { + mpm_table[mpm_ctx_ts->mpm_type]. + AddPattern(mpm_ctx_ts, + cd->content + cd->fp_chop_offset, + cd->fp_chop_len, + 0, 0, cd->id, s->num, flags); + } + if (mpm_ctx_tc != NULL) { + mpm_table[mpm_ctx_tc->mpm_type]. + AddPattern(mpm_ctx_tc, + cd->content + cd->fp_chop_offset, + cd->fp_chop_len, + 0, 0, cd->id, s->num, flags); + } } } else { if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { @@ -1015,15 +1472,31 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, /* add the content to the "uri" mpm */ if (cd->flags & DETECT_CONTENT_NOCASE) { - mpm_table[mpm_ctx->mpm_type]. - AddPatternNocase(mpm_ctx, - cd->content, cd->content_len, - 0, 0, cd->id, s->num, flags); + if (mpm_ctx_ts != NULL) { + mpm_table[mpm_ctx_ts->mpm_type]. + AddPatternNocase(mpm_ctx_ts, + cd->content, cd->content_len, + 0, 0, cd->id, s->num, flags); + } + if (mpm_ctx_tc != NULL) { + mpm_table[mpm_ctx_tc->mpm_type]. + AddPatternNocase(mpm_ctx_tc, + cd->content, cd->content_len, + 0, 0, cd->id, s->num, flags); + } } else { - mpm_table[mpm_ctx->mpm_type]. - AddPattern(mpm_ctx, - cd->content, cd->content_len, - 0, 0, cd->id, s->num, flags); + if (mpm_ctx_ts != NULL) { + mpm_table[mpm_ctx_ts->mpm_type]. + AddPattern(mpm_ctx_ts, + cd->content, cd->content_len, + 0, 0, cd->id, s->num, flags); + } + if (mpm_ctx_tc != NULL) { + mpm_table[mpm_ctx_tc->mpm_type]. + AddPattern(mpm_ctx_tc, + cd->content, cd->content_len, + 0, 0, cd->id, s->num, flags); + } } } /* tell matcher we are inspecting uri */ @@ -1325,41 +1798,49 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) /* intialize contexes */ if (sh->flags & SIG_GROUP_HAVECONTENT) { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) { - sh->mpm_proto_tcp_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_tcp_packet); + sh->mpm_proto_tcp_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_tcp_packet, 0); + sh->mpm_proto_tcp_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_tcp_packet, 1); } else { - sh->mpm_proto_tcp_ctx = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT); + sh->mpm_proto_tcp_ctx_ts = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0); + sh->mpm_proto_tcp_ctx_tc = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1); } - if (sh->mpm_proto_tcp_ctx == NULL) { + if (sh->mpm_proto_tcp_ctx_ts == NULL || sh->mpm_proto_tcp_ctx_tc == NULL) { SCLogDebug("sh->mpm_proto_tcp_ctx == NULL. This should never happen"); exit(EXIT_FAILURE); } #ifndef __SC_CUDA_SUPPORT__ - MpmInitCtx(sh->mpm_proto_tcp_ctx, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_proto_tcp_ctx_ts, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_proto_tcp_ctx_tc, de_ctx->mpm_matcher, -1); #else - MpmInitCtx(sh->mpm_proto_tcp_ctx, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_proto_tcp_ctx_ts, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_proto_tcp_ctx_tc, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); #endif if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) { - sh->mpm_proto_udp_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_udp_packet); + sh->mpm_proto_udp_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_udp_packet, 0); + sh->mpm_proto_udp_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_udp_packet, 1); } else { - sh->mpm_proto_udp_ctx = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT); + sh->mpm_proto_udp_ctx_ts = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0); + sh->mpm_proto_udp_ctx_tc = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1); } - if (sh->mpm_proto_udp_ctx == NULL) { + if (sh->mpm_proto_udp_ctx_ts == NULL || sh->mpm_proto_udp_ctx_tc == NULL) { SCLogDebug("sh->mpm_proto_udp_ctx == NULL. This should never happen"); exit(EXIT_FAILURE); } #ifndef __SC_CUDA_SUPPORT__ - MpmInitCtx(sh->mpm_proto_udp_ctx, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_proto_udp_ctx_ts, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_proto_udp_ctx_tc, de_ctx->mpm_matcher, -1); #else - MpmInitCtx(sh->mpm_proto_udp_ctx, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_proto_udp_ctx_ts, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_proto_udp_ctx_tc, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); #endif if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) { sh->mpm_proto_other_ctx = - MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_other_packet); + MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_other_packet, 0); } else { sh->mpm_proto_other_ctx = - MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT); + MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0); } if (sh->mpm_proto_other_ctx == NULL) { SCLogDebug("sh->mpm_proto_other_ctx == NULL. This should never happen"); @@ -1374,163 +1855,199 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) if (sh->flags & SIG_GROUP_HAVESTREAMCONTENT) { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) { - sh->mpm_stream_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_stream); + sh->mpm_stream_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_stream, 0); + sh->mpm_stream_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_stream, 1); } else { - sh->mpm_stream_ctx = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT); + sh->mpm_stream_ctx_ts = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0); + sh->mpm_stream_ctx_tc = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1); } - if (sh->mpm_stream_ctx == NULL) { + if (sh->mpm_stream_ctx_tc == NULL || sh->mpm_stream_ctx_tc == NULL) { SCLogDebug("sh->mpm_stream_ctx == NULL. This should never happen"); exit(EXIT_FAILURE); } #ifndef __SC_CUDA_SUPPORT__ - MpmInitCtx(sh->mpm_stream_ctx, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_stream_ctx_ts, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_stream_ctx_tc, de_ctx->mpm_matcher, -1); #else - MpmInitCtx(sh->mpm_stream_ctx, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_stream_ctx_ts, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_stream_ctx_tc, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); #endif } if (sh->flags & SIG_GROUP_HAVEURICONTENT) { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) { - sh->mpm_uri_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_uri); + sh->mpm_uri_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_uri, 0); + sh->mpm_uri_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_uri, 1); } else { - sh->mpm_uri_ctx = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT); + sh->mpm_uri_ctx_ts = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0); + sh->mpm_uri_ctx_tc = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1); } - if (sh->mpm_uri_ctx == NULL) { + if (sh->mpm_uri_ctx_ts == NULL || sh->mpm_uri_ctx_tc == NULL) { SCLogDebug("sh->mpm_uri_ctx == NULL. This should never happen"); exit(EXIT_FAILURE); } #ifndef __SC_CUDA_SUPPORT__ - MpmInitCtx(sh->mpm_uri_ctx, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_uri_ctx_ts, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_uri_ctx_tc, de_ctx->mpm_matcher, -1); #else - MpmInitCtx(sh->mpm_uri_ctx, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_uri_ctx_ts, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_uri_ctx_tc, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); #endif } if (sh->flags & SIG_GROUP_HAVEHCBDCONTENT) { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) { - sh->mpm_hcbd_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcbd); + sh->mpm_hcbd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcbd, 0); + sh->mpm_hcbd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcbd, 1); } else { - sh->mpm_hcbd_ctx = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT); + sh->mpm_hcbd_ctx_ts = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0); + sh->mpm_hcbd_ctx_tc = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1); } - if (sh->mpm_hcbd_ctx == NULL) { + if (sh->mpm_hcbd_ctx_ts == NULL || sh->mpm_hcbd_ctx_tc == NULL) { SCLogDebug("sh->mpm_hcbd_ctx == NULL. This should never happen"); exit(EXIT_FAILURE); } #ifndef __SC_CUDA_SUPPORT__ - MpmInitCtx(sh->mpm_hcbd_ctx, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_hcbd_ctx_ts, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_hcbd_ctx_tc, de_ctx->mpm_matcher, -1); #else - MpmInitCtx(sh->mpm_hcbd_ctx, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_hcbd_ctx_ts, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_hcbd_ctx_tc, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); #endif } if (sh->flags & SIG_GROUP_HAVEHSBDCONTENT) { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) { - sh->mpm_hsbd_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hsbd); + sh->mpm_hsbd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hsbd, 0); + sh->mpm_hsbd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hsbd, 1); } else { - sh->mpm_hsbd_ctx = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT); + sh->mpm_hsbd_ctx_ts = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0); + sh->mpm_hsbd_ctx_tc = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1); } - if (sh->mpm_hsbd_ctx == NULL) { + if (sh->mpm_hsbd_ctx_ts == NULL || sh->mpm_hsbd_ctx_tc == NULL) { SCLogDebug("sh->mpm_hsbd_ctx == NULL. This should never happen"); exit(EXIT_FAILURE); } #ifndef __SC_CUDA_SUPPORT__ - MpmInitCtx(sh->mpm_hsbd_ctx, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_hsbd_ctx_ts, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_hsbd_ctx_tc, de_ctx->mpm_matcher, -1); #else - MpmInitCtx(sh->mpm_hsbd_ctx, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_hsbd_ctx_ts, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_hsbd_ctx_tc, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); #endif } if (sh->flags & SIG_GROUP_HAVEHHDCONTENT) { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) { - sh->mpm_hhd_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hhd); + sh->mpm_hhd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hhd, 0); + sh->mpm_hhd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hhd, 1); } else { - sh->mpm_hhd_ctx = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT); + sh->mpm_hhd_ctx_ts = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0); + sh->mpm_hhd_ctx_tc = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1); } - if (sh->mpm_hhd_ctx == NULL) { + if (sh->mpm_hhd_ctx_ts == NULL || sh->mpm_hhd_ctx_tc == NULL) { SCLogDebug("sh->mpm_hhd_ctx == NULL. This should never happen"); exit(EXIT_FAILURE); } #ifndef __SC_CUDA_SUPPORT__ - MpmInitCtx(sh->mpm_hhd_ctx, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_hhd_ctx_ts, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_hhd_ctx_tc, de_ctx->mpm_matcher, -1); #else - MpmInitCtx(sh->mpm_hhd_ctx, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_hhd_ctx_ts, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_hhd_ctx_tc, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); #endif } if (sh->flags & SIG_GROUP_HAVEHRHDCONTENT) { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) { - sh->mpm_hrhd_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrhd); + sh->mpm_hrhd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrhd, 0); + sh->mpm_hrhd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrhd, 1); } else { - sh->mpm_hrhd_ctx = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT); + sh->mpm_hrhd_ctx_ts = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0); + sh->mpm_hrhd_ctx_tc = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1); } - if (sh->mpm_hrhd_ctx == NULL) { + if (sh->mpm_hrhd_ctx_ts == NULL || sh->mpm_hrhd_ctx_tc == NULL) { SCLogDebug("sh->mpm_hrhd_ctx == NULL. This should never happen"); exit(EXIT_FAILURE); } #ifndef __SC_CUDA_SUPPORT__ - MpmInitCtx(sh->mpm_hrhd_ctx, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_hrhd_ctx_ts, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_hrhd_ctx_tc, de_ctx->mpm_matcher, -1); #else - MpmInitCtx(sh->mpm_hrhd_ctx, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_hrhd_ctx_ts, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_hrhd_ctx_tc, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); #endif } if (sh->flags & SIG_GROUP_HAVEHMDCONTENT) { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) { - sh->mpm_hmd_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hmd); + sh->mpm_hmd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hmd, 0); + sh->mpm_hmd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hmd, 1); } else { - sh->mpm_hmd_ctx = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT); + sh->mpm_hmd_ctx_ts = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0); + sh->mpm_hmd_ctx_tc = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1); } - if (sh->mpm_hmd_ctx == NULL) { + if (sh->mpm_hmd_ctx_ts == NULL || sh->mpm_hmd_ctx_tc == NULL) { SCLogDebug("sh->mpm_hmd_ctx == NULL. This should never happen"); exit(EXIT_FAILURE); } #ifndef __SC_CUDA_SUPPORT__ - MpmInitCtx(sh->mpm_hmd_ctx, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_hmd_ctx_ts, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_hmd_ctx_tc, de_ctx->mpm_matcher, -1); #else - MpmInitCtx(sh->mpm_hmd_ctx, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_hmd_ctx_ts, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_hmd_ctx_tc, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); #endif } if (sh->flags & SIG_GROUP_HAVEHCDCONTENT) { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) { - sh->mpm_hcd_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcd); + sh->mpm_hcd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcd, 0); + sh->mpm_hcd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcd, 1); } else { - sh->mpm_hcd_ctx = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT); + sh->mpm_hcd_ctx_ts = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0); + sh->mpm_hcd_ctx_tc = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1); } - if (sh->mpm_hcd_ctx == NULL) { + if (sh->mpm_hcd_ctx_ts == NULL || sh->mpm_hcd_ctx_tc == NULL) { SCLogDebug("sh->mpm_hcd_ctx == NULL. This should never happen"); exit(EXIT_FAILURE); } #ifndef __SC_CUDA_SUPPORT__ - MpmInitCtx(sh->mpm_hcd_ctx, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_hcd_ctx_ts, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_hcd_ctx_tc, de_ctx->mpm_matcher, -1); #else - MpmInitCtx(sh->mpm_hcd_ctx, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_hcd_ctx_ts, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_hcd_ctx_tc, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); #endif } if (sh->flags & SIG_GROUP_HAVEHRUDCONTENT) { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) { - sh->mpm_hrud_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrud); + sh->mpm_hrud_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrud, 0); + sh->mpm_hrud_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrud, 1); } else { - sh->mpm_hrud_ctx = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT); + sh->mpm_hrud_ctx_ts = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0); + sh->mpm_hrud_ctx_tc = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1); } - if (sh->mpm_hrud_ctx == NULL) { + if (sh->mpm_hrud_ctx_ts == NULL || sh->mpm_hrud_ctx_tc == NULL) { SCLogDebug("sh->mpm_hrud_ctx == NULL. This should never happen"); exit(EXIT_FAILURE); } #ifndef __SC_CUDA_SUPPORT__ - MpmInitCtx(sh->mpm_hrud_ctx, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_hrud_ctx_ts, de_ctx->mpm_matcher, -1); + MpmInitCtx(sh->mpm_hrud_ctx_tc, de_ctx->mpm_matcher, -1); #else - MpmInitCtx(sh->mpm_hrud_ctx, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_hrud_ctx_ts, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); + MpmInitCtx(sh->mpm_hrud_ctx_tc, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle); #endif } @@ -1548,34 +2065,64 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) PatternMatchPreparePopulateMpm(de_ctx, sh); //if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) { - if (sh->mpm_proto_tcp_ctx != NULL) { - if (sh->mpm_proto_tcp_ctx->pattern_cnt == 0) { - MpmFactoryReClaimMpmCtx(sh->mpm_proto_tcp_ctx); - sh->mpm_proto_tcp_ctx = NULL; + if (sh->mpm_proto_tcp_ctx_ts != NULL) { + if (sh->mpm_proto_tcp_ctx_ts->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_proto_tcp_ctx_ts); + sh->mpm_proto_tcp_ctx_ts = NULL; + } else { + if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && + sh->flags & SIG_GROUP_HAVECONTENT) { + if (mpm_table[sh->mpm_proto_tcp_ctx_ts->mpm_type].Prepare != NULL) { + mpm_table[sh->mpm_proto_tcp_ctx_ts->mpm_type]. + Prepare(sh->mpm_proto_tcp_ctx_ts); + } + } + } + } + if (sh->mpm_proto_tcp_ctx_tc != NULL) { + if (sh->mpm_proto_tcp_ctx_tc->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_proto_tcp_ctx_tc); + sh->mpm_proto_tcp_ctx_tc = NULL; } else { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && sh->flags & SIG_GROUP_HAVECONTENT) { - if (mpm_table[sh->mpm_proto_tcp_ctx->mpm_type].Prepare != NULL) { - mpm_table[sh->mpm_proto_tcp_ctx->mpm_type]. - Prepare(sh->mpm_proto_tcp_ctx); + if (mpm_table[sh->mpm_proto_tcp_ctx_tc->mpm_type].Prepare != NULL) { + mpm_table[sh->mpm_proto_tcp_ctx_tc->mpm_type]. + Prepare(sh->mpm_proto_tcp_ctx_tc); } } } } - if (sh->mpm_proto_udp_ctx != NULL) { - if (sh->mpm_proto_udp_ctx->pattern_cnt == 0) { - MpmFactoryReClaimMpmCtx(sh->mpm_proto_udp_ctx); - sh->mpm_proto_udp_ctx = NULL; + + if (sh->mpm_proto_udp_ctx_ts != NULL) { + if (sh->mpm_proto_udp_ctx_ts->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_proto_udp_ctx_ts); + sh->mpm_proto_udp_ctx_ts = NULL; } else { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && sh->flags & SIG_GROUP_HAVECONTENT) { - if (mpm_table[sh->mpm_proto_udp_ctx->mpm_type].Prepare != NULL) { - mpm_table[sh->mpm_proto_udp_ctx->mpm_type]. - Prepare(sh->mpm_proto_udp_ctx); + if (mpm_table[sh->mpm_proto_udp_ctx_ts->mpm_type].Prepare != NULL) { + mpm_table[sh->mpm_proto_udp_ctx_ts->mpm_type]. + Prepare(sh->mpm_proto_udp_ctx_ts); } } } } + if (sh->mpm_proto_udp_ctx_tc != NULL) { + if (sh->mpm_proto_udp_ctx_tc->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_proto_udp_ctx_tc); + sh->mpm_proto_udp_ctx_tc = NULL; + } else { + if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && + sh->flags & SIG_GROUP_HAVECONTENT) { + if (mpm_table[sh->mpm_proto_udp_ctx_tc->mpm_type].Prepare != NULL) { + mpm_table[sh->mpm_proto_udp_ctx_tc->mpm_type]. + Prepare(sh->mpm_proto_udp_ctx_tc); + } + } + } + } + if (sh->mpm_proto_other_ctx != NULL) { if (sh->mpm_proto_other_ctx->pattern_cnt == 0) { MpmFactoryReClaimMpmCtx(sh->mpm_proto_other_ctx); @@ -1590,138 +2137,277 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) } } } - if (sh->mpm_stream_ctx != NULL) { - if (sh->mpm_stream_ctx->pattern_cnt == 0) { - MpmFactoryReClaimMpmCtx(sh->mpm_stream_ctx); - sh->mpm_stream_ctx = NULL; + + if (sh->mpm_stream_ctx_ts != NULL) { + if (sh->mpm_stream_ctx_ts->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_stream_ctx_ts); + sh->mpm_stream_ctx_ts = NULL; } else { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && sh->flags & SIG_GROUP_HAVESTREAMCONTENT) { - if (mpm_table[sh->mpm_stream_ctx->mpm_type].Prepare != NULL) - mpm_table[sh->mpm_stream_ctx->mpm_type].Prepare(sh->mpm_stream_ctx); + if (mpm_table[sh->mpm_stream_ctx_ts->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_stream_ctx_ts->mpm_type].Prepare(sh->mpm_stream_ctx_ts); } } } - if (sh->mpm_uri_ctx != NULL) { - if (sh->mpm_uri_ctx->pattern_cnt == 0) { - MpmFactoryReClaimMpmCtx(sh->mpm_uri_ctx); - sh->mpm_uri_ctx = NULL; + if (sh->mpm_stream_ctx_tc != NULL) { + if (sh->mpm_stream_ctx_tc->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_stream_ctx_tc); + sh->mpm_stream_ctx_tc = NULL; + } else { + if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && + sh->flags & SIG_GROUP_HAVESTREAMCONTENT) { + if (mpm_table[sh->mpm_stream_ctx_tc->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_stream_ctx_tc->mpm_type].Prepare(sh->mpm_stream_ctx_tc); + } + } + } + + if (sh->mpm_uri_ctx_ts != NULL) { + if (sh->mpm_uri_ctx_ts->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_uri_ctx_ts); + sh->mpm_uri_ctx_ts = NULL; + } else { + if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && + sh->flags & SIG_GROUP_HAVEURICONTENT) { + if (mpm_table[sh->mpm_uri_ctx_ts->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_uri_ctx_ts->mpm_type].Prepare(sh->mpm_uri_ctx_ts); + } + } + } + if (sh->mpm_uri_ctx_tc != NULL) { + if (sh->mpm_uri_ctx_tc->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_uri_ctx_tc); + sh->mpm_uri_ctx_tc = NULL; } else { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && sh->flags & SIG_GROUP_HAVEURICONTENT) { - if (mpm_table[sh->mpm_uri_ctx->mpm_type].Prepare != NULL) - mpm_table[sh->mpm_uri_ctx->mpm_type].Prepare(sh->mpm_uri_ctx); + if (mpm_table[sh->mpm_uri_ctx_tc->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_uri_ctx_tc->mpm_type].Prepare(sh->mpm_uri_ctx_tc); } } } - if (sh->mpm_hcbd_ctx != NULL) { - if (sh->mpm_hcbd_ctx->pattern_cnt == 0) { - MpmFactoryReClaimMpmCtx(sh->mpm_hcbd_ctx); - sh->mpm_hcbd_ctx = NULL; + + if (sh->mpm_hcbd_ctx_ts != NULL) { + if (sh->mpm_hcbd_ctx_ts->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_hcbd_ctx_ts); + sh->mpm_hcbd_ctx_ts = NULL; } else { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && sh->flags & SIG_GROUP_HAVEHCBDCONTENT) { - if (mpm_table[sh->mpm_hcbd_ctx->mpm_type].Prepare != NULL) - mpm_table[sh->mpm_hcbd_ctx->mpm_type].Prepare(sh->mpm_hcbd_ctx); + if (mpm_table[sh->mpm_hcbd_ctx_ts->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_hcbd_ctx_ts->mpm_type].Prepare(sh->mpm_hcbd_ctx_ts); } } } - if (sh->mpm_hsbd_ctx != NULL) { - if (sh->mpm_hsbd_ctx->pattern_cnt == 0) { - MpmFactoryReClaimMpmCtx(sh->mpm_hsbd_ctx); - sh->mpm_hsbd_ctx = NULL; + if (sh->mpm_hcbd_ctx_tc != NULL) { + if (sh->mpm_hcbd_ctx_tc->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_hcbd_ctx_tc); + sh->mpm_hcbd_ctx_tc = NULL; + } else { + if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && + sh->flags & SIG_GROUP_HAVEHCBDCONTENT) { + if (mpm_table[sh->mpm_hcbd_ctx_tc->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_hcbd_ctx_tc->mpm_type].Prepare(sh->mpm_hcbd_ctx_tc); + } + } + } + + if (sh->mpm_hsbd_ctx_ts != NULL) { + if (sh->mpm_hsbd_ctx_ts->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_hsbd_ctx_ts); + sh->mpm_hsbd_ctx_ts = NULL; } else { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && sh->flags & SIG_GROUP_HAVEHSBDCONTENT) { - if (mpm_table[sh->mpm_hsbd_ctx->mpm_type].Prepare != NULL) - mpm_table[sh->mpm_hsbd_ctx->mpm_type].Prepare(sh->mpm_hsbd_ctx); + if (mpm_table[sh->mpm_hsbd_ctx_ts->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_hsbd_ctx_ts->mpm_type].Prepare(sh->mpm_hsbd_ctx_ts); } } } - if (sh->mpm_hhd_ctx != NULL) { - if (sh->mpm_hhd_ctx->pattern_cnt == 0) { - MpmFactoryReClaimMpmCtx(sh->mpm_hhd_ctx); - sh->mpm_hhd_ctx = NULL; + if (sh->mpm_hsbd_ctx_tc != NULL) { + if (sh->mpm_hsbd_ctx_tc->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_hsbd_ctx_tc); + sh->mpm_hsbd_ctx_tc = NULL; + } else { + if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && + sh->flags & SIG_GROUP_HAVEHSBDCONTENT) { + if (mpm_table[sh->mpm_hsbd_ctx_tc->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_hsbd_ctx_tc->mpm_type].Prepare(sh->mpm_hsbd_ctx_tc); + } + } + } + + if (sh->mpm_hhd_ctx_ts != NULL) { + if (sh->mpm_hhd_ctx_ts->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_hhd_ctx_ts); + sh->mpm_hhd_ctx_ts = NULL; + } else { + if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && + sh->flags & SIG_GROUP_HAVEHHDCONTENT) { + if (mpm_table[sh->mpm_hhd_ctx_ts->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_hhd_ctx_ts->mpm_type].Prepare(sh->mpm_hhd_ctx_ts); + } + } + } + if (sh->mpm_hhd_ctx_tc != NULL) { + if (sh->mpm_hhd_ctx_tc->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_hhd_ctx_tc); + sh->mpm_hhd_ctx_tc = NULL; } else { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && sh->flags & SIG_GROUP_HAVEHHDCONTENT) { - if (mpm_table[sh->mpm_hhd_ctx->mpm_type].Prepare != NULL) - mpm_table[sh->mpm_hhd_ctx->mpm_type].Prepare(sh->mpm_hhd_ctx); + if (mpm_table[sh->mpm_hhd_ctx_tc->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_hhd_ctx_tc->mpm_type].Prepare(sh->mpm_hhd_ctx_tc); } } } - if (sh->mpm_hrhd_ctx != NULL) { - if (sh->mpm_hrhd_ctx->pattern_cnt == 0) { - MpmFactoryReClaimMpmCtx(sh->mpm_hrhd_ctx); - sh->mpm_hrhd_ctx = NULL; + + if (sh->mpm_hrhd_ctx_ts != NULL) { + if (sh->mpm_hrhd_ctx_ts->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_hrhd_ctx_ts); + sh->mpm_hrhd_ctx_ts = NULL; } else { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && sh->flags & SIG_GROUP_HAVEHRHDCONTENT) { - if (mpm_table[sh->mpm_hrhd_ctx->mpm_type].Prepare != NULL) - mpm_table[sh->mpm_hrhd_ctx->mpm_type].Prepare(sh->mpm_hrhd_ctx); + if (mpm_table[sh->mpm_hrhd_ctx_ts->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_hrhd_ctx_ts->mpm_type].Prepare(sh->mpm_hrhd_ctx_ts); } } } - if (sh->mpm_hmd_ctx != NULL) { - if (sh->mpm_hmd_ctx->pattern_cnt == 0) { - MpmFactoryReClaimMpmCtx(sh->mpm_hmd_ctx); - sh->mpm_hmd_ctx = NULL; + if (sh->mpm_hrhd_ctx_tc != NULL) { + if (sh->mpm_hrhd_ctx_tc->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_hrhd_ctx_tc); + sh->mpm_hrhd_ctx_tc = NULL; + } else { + if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && + sh->flags & SIG_GROUP_HAVEHRHDCONTENT) { + if (mpm_table[sh->mpm_hrhd_ctx_tc->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_hrhd_ctx_tc->mpm_type].Prepare(sh->mpm_hrhd_ctx_tc); + } + } + } + + if (sh->mpm_hmd_ctx_ts != NULL) { + if (sh->mpm_hmd_ctx_ts->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_hmd_ctx_ts); + sh->mpm_hmd_ctx_ts = NULL; + } else { + if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && + sh->flags & SIG_GROUP_HAVEHMDCONTENT) { + if (mpm_table[sh->mpm_hmd_ctx_ts->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_hmd_ctx_ts->mpm_type].Prepare(sh->mpm_hmd_ctx_ts); + } + } + } + if (sh->mpm_hmd_ctx_tc != NULL) { + if (sh->mpm_hmd_ctx_tc->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_hmd_ctx_tc); + sh->mpm_hmd_ctx_tc = NULL; } else { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && sh->flags & SIG_GROUP_HAVEHMDCONTENT) { - if (mpm_table[sh->mpm_hmd_ctx->mpm_type].Prepare != NULL) - mpm_table[sh->mpm_hmd_ctx->mpm_type].Prepare(sh->mpm_hmd_ctx); + if (mpm_table[sh->mpm_hmd_ctx_tc->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_hmd_ctx_tc->mpm_type].Prepare(sh->mpm_hmd_ctx_tc); + } + } + } + + if (sh->mpm_hcd_ctx_ts != NULL) { + if (sh->mpm_hcd_ctx_ts->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_hcd_ctx_ts); + sh->mpm_hcd_ctx_ts = NULL; + } else { + if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && + sh->flags & SIG_GROUP_HAVEHCDCONTENT) { + if (mpm_table[sh->mpm_hcd_ctx_ts->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_hcd_ctx_ts->mpm_type].Prepare(sh->mpm_hcd_ctx_ts); } } } - if (sh->mpm_hcd_ctx != NULL) { - if (sh->mpm_hcd_ctx->pattern_cnt == 0) { - MpmFactoryReClaimMpmCtx(sh->mpm_hcd_ctx); - sh->mpm_hcd_ctx = NULL; + if (sh->mpm_hcd_ctx_tc != NULL) { + if (sh->mpm_hcd_ctx_tc->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_hcd_ctx_tc); + sh->mpm_hcd_ctx_tc = NULL; } else { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && sh->flags & SIG_GROUP_HAVEHCDCONTENT) { - if (mpm_table[sh->mpm_hcd_ctx->mpm_type].Prepare != NULL) - mpm_table[sh->mpm_hcd_ctx->mpm_type].Prepare(sh->mpm_hcd_ctx); + if (mpm_table[sh->mpm_hcd_ctx_tc->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_hcd_ctx_tc->mpm_type].Prepare(sh->mpm_hcd_ctx_tc); + } + } + } + + if (sh->mpm_hrud_ctx_ts != NULL) { + if (sh->mpm_hrud_ctx_ts->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_hrud_ctx_ts); + sh->mpm_hrud_ctx_ts = NULL; + } else { + if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && + sh->flags & SIG_GROUP_HAVEHRUDCONTENT) { + if (mpm_table[sh->mpm_hrud_ctx_ts->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_hrud_ctx_ts->mpm_type].Prepare(sh->mpm_hrud_ctx_ts); } } } - if (sh->mpm_hrud_ctx != NULL) { - if (sh->mpm_hrud_ctx->pattern_cnt == 0) { - MpmFactoryReClaimMpmCtx(sh->mpm_hrud_ctx); - sh->mpm_hrud_ctx = NULL; + if (sh->mpm_hrud_ctx_tc != NULL) { + if (sh->mpm_hrud_ctx_tc->pattern_cnt == 0) { + MpmFactoryReClaimMpmCtx(sh->mpm_hrud_ctx_tc); + sh->mpm_hrud_ctx_tc = NULL; } else { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL && sh->flags & SIG_GROUP_HAVEHRUDCONTENT) { - if (mpm_table[sh->mpm_hrud_ctx->mpm_type].Prepare != NULL) - mpm_table[sh->mpm_hrud_ctx->mpm_type].Prepare(sh->mpm_hrud_ctx); + if (mpm_table[sh->mpm_hrud_ctx_tc->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_hrud_ctx_tc->mpm_type].Prepare(sh->mpm_hrud_ctx_tc); } } } //} /* if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) */ } else { - MpmFactoryReClaimMpmCtx(sh->mpm_proto_tcp_ctx); - sh->mpm_proto_tcp_ctx = NULL; - MpmFactoryReClaimMpmCtx(sh->mpm_proto_udp_ctx); - sh->mpm_proto_udp_ctx = NULL; MpmFactoryReClaimMpmCtx(sh->mpm_proto_other_ctx); sh->mpm_proto_other_ctx = NULL; - MpmFactoryReClaimMpmCtx(sh->mpm_stream_ctx); - sh->mpm_stream_ctx = NULL; - MpmFactoryReClaimMpmCtx(sh->mpm_uri_ctx); - sh->mpm_uri_ctx = NULL; - MpmFactoryReClaimMpmCtx(sh->mpm_hcbd_ctx); - sh->mpm_hcbd_ctx = NULL; - MpmFactoryReClaimMpmCtx(sh->mpm_hhd_ctx); - sh->mpm_hhd_ctx = NULL; - MpmFactoryReClaimMpmCtx(sh->mpm_hrhd_ctx); - sh->mpm_hrhd_ctx = NULL; - MpmFactoryReClaimMpmCtx(sh->mpm_hmd_ctx); - sh->mpm_hmd_ctx = NULL; - MpmFactoryReClaimMpmCtx(sh->mpm_hcd_ctx); - sh->mpm_hcd_ctx = NULL; - MpmFactoryReClaimMpmCtx(sh->mpm_hrud_ctx); - sh->mpm_hrud_ctx = NULL; + + MpmFactoryReClaimMpmCtx(sh->mpm_proto_tcp_ctx_ts); + sh->mpm_proto_tcp_ctx_ts = NULL; + MpmFactoryReClaimMpmCtx(sh->mpm_proto_udp_ctx_ts); + sh->mpm_proto_udp_ctx_ts = NULL; + MpmFactoryReClaimMpmCtx(sh->mpm_stream_ctx_ts); + sh->mpm_stream_ctx_ts = NULL; + MpmFactoryReClaimMpmCtx(sh->mpm_uri_ctx_ts); + sh->mpm_uri_ctx_ts = NULL; + MpmFactoryReClaimMpmCtx(sh->mpm_hcbd_ctx_ts); + sh->mpm_hcbd_ctx_ts = NULL; + MpmFactoryReClaimMpmCtx(sh->mpm_hhd_ctx_ts); + sh->mpm_hhd_ctx_ts = NULL; + MpmFactoryReClaimMpmCtx(sh->mpm_hrhd_ctx_ts); + sh->mpm_hrhd_ctx_ts = NULL; + MpmFactoryReClaimMpmCtx(sh->mpm_hmd_ctx_ts); + sh->mpm_hmd_ctx_ts = NULL; + MpmFactoryReClaimMpmCtx(sh->mpm_hcd_ctx_ts); + sh->mpm_hcd_ctx_ts = NULL; + MpmFactoryReClaimMpmCtx(sh->mpm_hrud_ctx_ts); + sh->mpm_hrud_ctx_ts = NULL; + + MpmFactoryReClaimMpmCtx(sh->mpm_proto_tcp_ctx_tc); + sh->mpm_proto_tcp_ctx_tc = NULL; + MpmFactoryReClaimMpmCtx(sh->mpm_proto_udp_ctx_tc); + sh->mpm_proto_udp_ctx_tc = NULL; + MpmFactoryReClaimMpmCtx(sh->mpm_stream_ctx_tc); + sh->mpm_stream_ctx_tc = NULL; + MpmFactoryReClaimMpmCtx(sh->mpm_uri_ctx_tc); + sh->mpm_uri_ctx_tc = NULL; + MpmFactoryReClaimMpmCtx(sh->mpm_hcbd_ctx_tc); + sh->mpm_hcbd_ctx_tc = NULL; + MpmFactoryReClaimMpmCtx(sh->mpm_hhd_ctx_tc); + sh->mpm_hhd_ctx_tc = NULL; + MpmFactoryReClaimMpmCtx(sh->mpm_hrhd_ctx_tc); + sh->mpm_hrhd_ctx_tc = NULL; + MpmFactoryReClaimMpmCtx(sh->mpm_hmd_ctx_tc); + sh->mpm_hmd_ctx_tc = NULL; + MpmFactoryReClaimMpmCtx(sh->mpm_hcd_ctx_tc); + sh->mpm_hcd_ctx_tc = NULL; + MpmFactoryReClaimMpmCtx(sh->mpm_hrud_ctx_tc); + sh->mpm_hrud_ctx_tc = NULL; } return 0; diff --git a/src/detect-engine-mpm.h b/src/detect-engine-mpm.h index 164b6dfa38..d0c3a7dad3 100644 --- a/src/detect-engine-mpm.h +++ b/src/detect-engine-mpm.h @@ -36,15 +36,15 @@ uint16_t PatternMatchDefaultMatcher(void); uint32_t PatternStrength(uint8_t *, uint16_t); uint32_t PacketPatternSearchWithStreamCtx(DetectEngineThreadCtx *, Packet *); uint32_t PacketPatternSearch(DetectEngineThreadCtx *, Packet *); -uint32_t UriPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint16_t); +uint32_t UriPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint16_t, uint8_t); uint32_t StreamPatternSearch(DetectEngineThreadCtx *, Packet *, StreamMsg *, uint8_t); -uint32_t HttpClientBodyPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t); -uint32_t HttpServerBodyPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t); -uint32_t HttpHeaderPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t); -uint32_t HttpRawHeaderPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t); -uint32_t HttpMethodPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t); -uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t); -uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t); +uint32_t HttpClientBodyPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); +uint32_t HttpServerBodyPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); +uint32_t HttpHeaderPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); +uint32_t HttpRawHeaderPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); +uint32_t HttpMethodPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); +uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); +uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); void PacketPatternCleanup(ThreadVars *, DetectEngineThreadCtx *); void StreamPatternCleanup(ThreadVars *t, DetectEngineThreadCtx *det_ctx, StreamMsg *smsg); diff --git a/src/detect-uricontent.c b/src/detect-uricontent.c index 9384184da4..53f7e6c1c2 100644 --- a/src/detect-uricontent.c +++ b/src/detect-uricontent.c @@ -436,7 +436,7 @@ error: * \retval 1 if the uri contents match; 0 no match */ static inline int DoDetectAppLayerUricontentMatch (DetectEngineThreadCtx *det_ctx, - uint8_t *uri, uint16_t uri_len) + uint8_t *uri, uint16_t uri_len, uint8_t flags) { int ret = 0; /* run the pattern matcher against the uri */ @@ -456,7 +456,7 @@ static inline int DoDetectAppLayerUricontentMatch (DetectEngineThreadCtx *det_ct else if (det_ctx->sgh->mpm_uricontent_maxlen == 4) det_ctx->pkts_uri_searched4++; else det_ctx->pkts_uri_searched++; - ret += UriPatternSearch(det_ctx, uri, uri_len); + ret += UriPatternSearch(det_ctx, uri, uri_len, flags); SCLogDebug("post search: cnt %" PRIu32, ret); } @@ -476,7 +476,9 @@ static inline int DoDetectAppLayerUricontentMatch (DetectEngineThreadCtx *det_ct * \warning Make sure the flow/state is locked * \todo what should we return? Just the fact that we matched? */ -uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state) { +uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f, + HtpState *htp_state, uint8_t flags) +{ SCEnter(); uint32_t cnt = 0; @@ -505,8 +507,9 @@ uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f, Htp continue; cnt += DoDetectAppLayerUricontentMatch(det_ctx, (uint8_t *) - bstr_ptr(tx->request_uri_normalized), - bstr_len(tx->request_uri_normalized)); + bstr_ptr(tx->request_uri_normalized), + bstr_len(tx->request_uri_normalized), + flags); } end: SCMutexUnlock(&f->m); diff --git a/src/detect-uricontent.h b/src/detect-uricontent.h index fb24cc825d..659de5c89c 100644 --- a/src/detect-uricontent.h +++ b/src/detect-uricontent.h @@ -37,6 +37,6 @@ uint32_t DetectUricontentMaxId(DetectEngineCtx *); SigMatch *DetectUricontentGetLastPattern(SigMatch *); void DetectUricontentPrint(DetectContentData *); -uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *, Flow *, HtpState *); +uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *, Flow *, HtpState *, uint8_t); #endif /* __DETECT_URICONTENT_H__ */ diff --git a/src/detect.c b/src/detect.c index 57415b676f..721e21c883 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1169,17 +1169,17 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx, if (alproto == ALPROTO_HTTP && alstate != NULL) { if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_URI) { PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_URI); - DetectUricontentInspectMpm(det_ctx, p->flow, alstate); + DetectUricontentInspectMpm(det_ctx, p->flow, alstate, flags); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_URI); } if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCBD) { PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCBD); - DetectEngineRunHttpClientBodyMpm(de_ctx, det_ctx, p->flow, alstate); + DetectEngineRunHttpClientBodyMpm(de_ctx, det_ctx, p->flow, alstate, flags); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HCBD); } if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSBD) { PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HSBD); - DetectEngineRunHttpServerBodyMpm(de_ctx, det_ctx, p->flow, alstate); + DetectEngineRunHttpServerBodyMpm(de_ctx, det_ctx, p->flow, alstate, flags); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HSBD); } if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHD) { @@ -1194,17 +1194,17 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx, } if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HMD) { PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HMD); - DetectEngineRunHttpMethodMpm(det_ctx, p->flow, alstate); + DetectEngineRunHttpMethodMpm(det_ctx, p->flow, alstate, flags); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HMD); } if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCD) { PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCD); - DetectEngineRunHttpCookieMpm(det_ctx, p->flow, alstate); + DetectEngineRunHttpCookieMpm(det_ctx, p->flow, alstate, flags); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HCD); } if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRUD) { PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HRUD); - DetectEngineRunHttpRawUriMpm(det_ctx, p->flow, alstate); + DetectEngineRunHttpRawUriMpm(det_ctx, p->flow, alstate, flags); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HRUD); } } @@ -3183,43 +3183,43 @@ int BuildDestinationAddressHeads(DetectEngineCtx *de_ctx, DetectAddressHead *hea printf("PatternMatchPrepareGroup failed\n"); goto error; } - if (sgr->sh->mpm_proto_tcp_ctx != NULL) { - if (de_ctx->mpm_max_patcnt < sgr->sh->mpm_proto_tcp_ctx->pattern_cnt) - de_ctx->mpm_max_patcnt = sgr->sh->mpm_proto_tcp_ctx->pattern_cnt; - - de_ctx->mpm_tot_patcnt += sgr->sh->mpm_proto_tcp_ctx->pattern_cnt; - } - if (sgr->sh->mpm_proto_udp_ctx != NULL) { - if (de_ctx->mpm_max_patcnt < sgr->sh->mpm_proto_udp_ctx->pattern_cnt) - de_ctx->mpm_max_patcnt = sgr->sh->mpm_proto_udp_ctx->pattern_cnt; - - de_ctx->mpm_tot_patcnt += sgr->sh->mpm_proto_udp_ctx->pattern_cnt; - } - if (sgr->sh->mpm_proto_other_ctx != NULL) { - if (de_ctx->mpm_max_patcnt < sgr->sh->mpm_proto_other_ctx->pattern_cnt) - de_ctx->mpm_max_patcnt = sgr->sh->mpm_proto_other_ctx->pattern_cnt; - - de_ctx->mpm_tot_patcnt += sgr->sh->mpm_proto_other_ctx->pattern_cnt; - } - if (sgr->sh->mpm_uri_ctx != NULL) { - if (de_ctx->mpm_uri_max_patcnt < sgr->sh->mpm_uri_ctx->pattern_cnt) - de_ctx->mpm_uri_max_patcnt = sgr->sh->mpm_uri_ctx->pattern_cnt; - - de_ctx->mpm_uri_tot_patcnt += sgr->sh->mpm_uri_ctx->pattern_cnt; - } - /* dbg */ - if (!(sgr->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && sgr->sh->mpm_proto_tcp_ctx) { - de_ctx->mpm_memory_size += sgr->sh->mpm_proto_tcp_ctx->memory_size; - } - if (!(sgr->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && sgr->sh->mpm_proto_udp_ctx) { - de_ctx->mpm_memory_size += sgr->sh->mpm_proto_udp_ctx->memory_size; - } - if (!(sgr->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && sgr->sh->mpm_proto_other_ctx) { - de_ctx->mpm_memory_size += sgr->sh->mpm_proto_other_ctx->memory_size; - } - if (!(sgr->sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY) && sgr->sh->mpm_uri_ctx) { - de_ctx->mpm_memory_size += sgr->sh->mpm_uri_ctx->memory_size; - } + //if (sgr->sh->mpm_proto_tcp_ctx != NULL) { + // if (de_ctx->mpm_max_patcnt < sgr->sh->mpm_proto_tcp_ctx->pattern_cnt) + // de_ctx->mpm_max_patcnt = sgr->sh->mpm_proto_tcp_ctx->pattern_cnt; + // + // de_ctx->mpm_tot_patcnt += sgr->sh->mpm_proto_tcp_ctx->pattern_cnt; + //} + //if (sgr->sh->mpm_proto_udp_ctx != NULL) { + // if (de_ctx->mpm_max_patcnt < sgr->sh->mpm_proto_udp_ctx->pattern_cnt) + // de_ctx->mpm_max_patcnt = sgr->sh->mpm_proto_udp_ctx->pattern_cnt; + // + // de_ctx->mpm_tot_patcnt += sgr->sh->mpm_proto_udp_ctx->pattern_cnt; + //} + //if (sgr->sh->mpm_proto_other_ctx != NULL) { + // if (de_ctx->mpm_max_patcnt < sgr->sh->mpm_proto_other_ctx->pattern_cnt) + // de_ctx->mpm_max_patcnt = sgr->sh->mpm_proto_other_ctx->pattern_cnt; + // + // de_ctx->mpm_tot_patcnt += sgr->sh->mpm_proto_other_ctx->pattern_cnt; + //} + //if (sgr->sh->mpm_uri_ctx != NULL) { + // if (de_ctx->mpm_uri_max_patcnt < sgr->sh->mpm_uri_ctx->pattern_cnt) + // de_ctx->mpm_uri_max_patcnt = sgr->sh->mpm_uri_ctx->pattern_cnt; + // + // de_ctx->mpm_uri_tot_patcnt += sgr->sh->mpm_uri_ctx->pattern_cnt; + //} + ///* dbg */ + //if (!(sgr->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && sgr->sh->mpm_proto_tcp_ctx) { + // de_ctx->mpm_memory_size += sgr->sh->mpm_proto_tcp_ctx->memory_size; + //} + //if (!(sgr->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && sgr->sh->mpm_proto_udp_ctx) { + // de_ctx->mpm_memory_size += sgr->sh->mpm_proto_udp_ctx->memory_size; + //} + //if (!(sgr->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && sgr->sh->mpm_proto_other_ctx) { + // de_ctx->mpm_memory_size += sgr->sh->mpm_proto_other_ctx->memory_size; + //} + //if (!(sgr->sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY) && sgr->sh->mpm_uri_ctx) { + // de_ctx->mpm_memory_size += sgr->sh->mpm_uri_ctx->memory_size; + //} SigGroupHeadHashAdd(de_ctx, sgr->sh); SigGroupHeadStore(de_ctx, sgr->sh); @@ -3452,43 +3452,43 @@ int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, DetectAdd printf("PatternMatchPrepareGroup failed\n"); goto error; } - if (dp->sh->mpm_proto_tcp_ctx != NULL) { - if (de_ctx->mpm_max_patcnt < dp->sh->mpm_proto_tcp_ctx->pattern_cnt) - de_ctx->mpm_max_patcnt = dp->sh->mpm_proto_tcp_ctx->pattern_cnt; - - de_ctx->mpm_tot_patcnt += dp->sh->mpm_proto_tcp_ctx->pattern_cnt; - } - if (dp->sh->mpm_proto_udp_ctx != NULL) { - if (de_ctx->mpm_max_patcnt < dp->sh->mpm_proto_udp_ctx->pattern_cnt) - de_ctx->mpm_max_patcnt = dp->sh->mpm_proto_udp_ctx->pattern_cnt; - - de_ctx->mpm_tot_patcnt += dp->sh->mpm_proto_udp_ctx->pattern_cnt; - } - if (dp->sh->mpm_proto_other_ctx != NULL) { - if (de_ctx->mpm_max_patcnt < dp->sh->mpm_proto_other_ctx->pattern_cnt) - de_ctx->mpm_max_patcnt = dp->sh->mpm_proto_other_ctx->pattern_cnt; - - de_ctx->mpm_tot_patcnt += dp->sh->mpm_proto_other_ctx->pattern_cnt; - } - if (dp->sh->mpm_uri_ctx != NULL) { - if (de_ctx->mpm_uri_max_patcnt < dp->sh->mpm_uri_ctx->pattern_cnt) - de_ctx->mpm_uri_max_patcnt = dp->sh->mpm_uri_ctx->pattern_cnt; - - de_ctx->mpm_uri_tot_patcnt += dp->sh->mpm_uri_ctx->pattern_cnt; - } - /* dbg */ - if (!(dp->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && dp->sh->mpm_proto_tcp_ctx) { - de_ctx->mpm_memory_size += dp->sh->mpm_proto_tcp_ctx->memory_size; - } - if (!(dp->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && dp->sh->mpm_proto_udp_ctx) { - de_ctx->mpm_memory_size += dp->sh->mpm_proto_udp_ctx->memory_size; - } - if (!(dp->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && dp->sh->mpm_proto_other_ctx) { - de_ctx->mpm_memory_size += dp->sh->mpm_proto_other_ctx->memory_size; - } - if (!(dp->sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY) && dp->sh->mpm_uri_ctx) { - de_ctx->mpm_memory_size += dp->sh->mpm_uri_ctx->memory_size; - } + //if (dp->sh->mpm_proto_tcp_ctx != NULL) { + // if (de_ctx->mpm_max_patcnt < dp->sh->mpm_proto_tcp_ctx->pattern_cnt) + // de_ctx->mpm_max_patcnt = dp->sh->mpm_proto_tcp_ctx->pattern_cnt; + // + // de_ctx->mpm_tot_patcnt += dp->sh->mpm_proto_tcp_ctx->pattern_cnt; + //} + //if (dp->sh->mpm_proto_udp_ctx != NULL) { + // if (de_ctx->mpm_max_patcnt < dp->sh->mpm_proto_udp_ctx->pattern_cnt) + // de_ctx->mpm_max_patcnt = dp->sh->mpm_proto_udp_ctx->pattern_cnt; + // + // de_ctx->mpm_tot_patcnt += dp->sh->mpm_proto_udp_ctx->pattern_cnt; + //} + //if (dp->sh->mpm_proto_other_ctx != NULL) { + // if (de_ctx->mpm_max_patcnt < dp->sh->mpm_proto_other_ctx->pattern_cnt) + // de_ctx->mpm_max_patcnt = dp->sh->mpm_proto_other_ctx->pattern_cnt; + // + // de_ctx->mpm_tot_patcnt += dp->sh->mpm_proto_other_ctx->pattern_cnt; + //} + //if (dp->sh->mpm_uri_ctx != NULL) { + // if (de_ctx->mpm_uri_max_patcnt < dp->sh->mpm_uri_ctx->pattern_cnt) + // de_ctx->mpm_uri_max_patcnt = dp->sh->mpm_uri_ctx->pattern_cnt; + // + // de_ctx->mpm_uri_tot_patcnt += dp->sh->mpm_uri_ctx->pattern_cnt; + //} + ///* dbg */ + //if (!(dp->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && dp->sh->mpm_proto_tcp_ctx) { + // de_ctx->mpm_memory_size += dp->sh->mpm_proto_tcp_ctx->memory_size; + //} + //if (!(dp->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && dp->sh->mpm_proto_udp_ctx) { + // de_ctx->mpm_memory_size += dp->sh->mpm_proto_udp_ctx->memory_size; + //} + //if (!(dp->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && dp->sh->mpm_proto_other_ctx) { + // de_ctx->mpm_memory_size += dp->sh->mpm_proto_other_ctx->memory_size; + //} + //if (!(dp->sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY) && dp->sh->mpm_uri_ctx) { + // de_ctx->mpm_memory_size += dp->sh->mpm_uri_ctx->memory_size; + //} SigGroupHeadDPortHashAdd(de_ctx, dp->sh); SigGroupHeadStore(de_ctx, dp->sh); @@ -3883,13 +3883,13 @@ int SigAddressPrepareStage5(DetectEngineCtx *de_ctx) { for ( ; dp != NULL; dp = dp->next) { printf(" 4 Dst port(range): "); DetectPortPrint(dp); printf(" (sigs %" PRIu32 ", sgh %p, maxlen %" PRIu32 ")", dp->sh->sig_cnt, dp->sh, dp->sh->mpm_content_maxlen); - printf(" mpm_proto_tcp_ctx %p, mpm_prooto_udp_ctx " - "%p, mpm_proto_other_ctx %p mpm_stream_ctx " - "%p", - dp->sh->mpm_proto_tcp_ctx, - dp->sh->mpm_proto_udp_ctx, - dp->sh->mpm_proto_other_ctx, - dp->sh->mpm_stream_ctx); + //printf(" mpm_proto_tcp_ctx %p, mpm_prooto_udp_ctx " + // "%p, mpm_proto_other_ctx %p mpm_stream_ctx " + // "%p", + // dp->sh->mpm_proto_tcp_ctx, + // dp->sh->mpm_proto_udp_ctx, + // dp->sh->mpm_proto_other_ctx, + // dp->sh->mpm_stream_ctx); #ifdef PRINTSIGS printf(" - "); for (u = 0; u < dp->sh->sig_cnt; u++) { @@ -4206,67 +4206,107 @@ int SigGroupBuild (DetectEngineCtx *de_ctx) { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) { MpmCtx *mpm_ctx = NULL; - mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_tcp_packet); + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_tcp_packet, 0); + if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { + mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); + } + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_tcp_packet, 1); if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); } //printf("packet- %d\n", mpm_ctx->pattern_cnt); - mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_udp_packet); + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_udp_packet, 0); + if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { + mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); + } + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_udp_packet, 1); if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); } //printf("packet- %d\n", mpm_ctx->pattern_cnt); - mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_other_packet); + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_other_packet, 0); if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); } //printf("packet- %d\n", mpm_ctx->pattern_cnt); - mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_uri); + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_uri, 0); + if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { + mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); + } + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_uri, 1); if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); } //printf("uri- %d\n", mpm_ctx->pattern_cnt); - mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcbd); + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcbd, 0); + if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { + mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); + } + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcbd, 1); if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); } //printf("hcbd- %d\n", mpm_ctx->pattern_cnt); - mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hhd); + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hhd, 0); + if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { + mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); + } + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hhd, 1); if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); } //printf("hhd- %d\n", mpm_ctx->pattern_cnt); - mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrhd); + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrhd, 0); + if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { + mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); + } + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrhd, 1); if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); } //printf("hrhd- %d\n", mpm_ctx->pattern_cnt); - mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hmd); + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hmd, 0); + if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { + mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); + } + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hmd, 1); if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); } //printf("hmd- %d\n", mpm_ctx->pattern_cnt); - mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcd); + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcd, 0); + if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { + mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); + } + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcd, 1); if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); } //printf("hcd- %d\n", mpm_ctx->pattern_cnt); - mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrud); + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrud, 0); + if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { + mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); + } + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrud, 1); if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); } //printf("hrud- %d\n", mpm_ctx->pattern_cnt); - mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_stream); + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_stream, 0); + if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { + mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); + } + mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_stream, 1); if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); } @@ -9354,21 +9394,22 @@ static int SigTestSgh05 (void) { goto end; } - if (sgh->mpm_proto_tcp_ctx != NULL || - sgh->mpm_proto_udp_ctx != NULL || sgh->mpm_proto_other_ctx != NULL) { - printf("sgh->mpm_proto_tcp_ctx != NULL || " - "sgh->mpm_proto_udp_ctx != NULL || " + if (sgh->mpm_proto_tcp_ctx_ts != NULL || sgh->mpm_proto_tcp_ctx_tc != NULL || + sgh->mpm_proto_udp_ctx_ts != NULL || sgh->mpm_proto_udp_ctx_tc != NULL || + sgh->mpm_proto_other_ctx != NULL) { + printf("sgh->mpm_proto_tcp_ctx_ts != NULL || sgh->mpm_proto_tcp_ctx_tc != NULL" + "sgh->mpm_proto_udp_ctx_ts != NULL || sgh->mpm_proto_udp_ctx_tc != NULL" "sgh->mpm_proto_other_ctx != NULL: "); goto end; } - if (sgh->mpm_stream_ctx == NULL) { - printf("sgh->mpm_stream_ctx == NULL: "); + if (sgh->mpm_stream_ctx_ts == NULL || sgh->mpm_stream_ctx_tc == NULL) { + printf("sgh->mpm_stream_ctx == NULL || sgh->mpm_stream_ctx_tc == NULL: "); goto end; } - if (sgh->mpm_stream_ctx->mpm_type != MPM_WUMANBER) { - printf("sgh->mpm_type != MPM_WUMANBER, expected %d, got %d: ", MPM_WUMANBER, sgh->mpm_stream_ctx->mpm_type); + if (sgh->mpm_stream_ctx_ts->mpm_type != MPM_WUMANBER) { + printf("sgh->mpm_type != MPM_WUMANBER, expected %d, got %d: ", MPM_WUMANBER, sgh->mpm_stream_ctx_ts->mpm_type); goto end; } diff --git a/src/detect.h b/src/detect.h index 1dfaabce46..3645bfa7b0 100644 --- a/src/detect.h +++ b/src/detect.h @@ -881,17 +881,30 @@ typedef struct SigGroupHead_ { /* pattern matcher instances */ MpmCtx *mpm_proto_other_ctx; - MpmCtx *mpm_proto_tcp_ctx; - MpmCtx *mpm_proto_udp_ctx; - MpmCtx *mpm_stream_ctx; - MpmCtx *mpm_uri_ctx; - MpmCtx *mpm_hcbd_ctx; - MpmCtx *mpm_hsbd_ctx; - MpmCtx *mpm_hhd_ctx; - MpmCtx *mpm_hrhd_ctx; - MpmCtx *mpm_hmd_ctx; - MpmCtx *mpm_hcd_ctx; - MpmCtx *mpm_hrud_ctx; + + MpmCtx *mpm_proto_tcp_ctx_ts; + MpmCtx *mpm_proto_udp_ctx_ts; + MpmCtx *mpm_stream_ctx_ts; + MpmCtx *mpm_uri_ctx_ts; + MpmCtx *mpm_hcbd_ctx_ts; + MpmCtx *mpm_hsbd_ctx_ts; + MpmCtx *mpm_hhd_ctx_ts; + MpmCtx *mpm_hrhd_ctx_ts; + MpmCtx *mpm_hmd_ctx_ts; + MpmCtx *mpm_hcd_ctx_ts; + MpmCtx *mpm_hrud_ctx_ts; + + MpmCtx *mpm_proto_tcp_ctx_tc; + MpmCtx *mpm_proto_udp_ctx_tc; + MpmCtx *mpm_stream_ctx_tc; + MpmCtx *mpm_uri_ctx_tc; + MpmCtx *mpm_hcbd_ctx_tc; + MpmCtx *mpm_hsbd_ctx_tc; + MpmCtx *mpm_hhd_ctx_tc; + MpmCtx *mpm_hrhd_ctx_tc; + MpmCtx *mpm_hmd_ctx_tc; + MpmCtx *mpm_hcd_ctx_tc; + MpmCtx *mpm_hrud_ctx_tc; uint16_t mpm_uricontent_maxlen; diff --git a/src/util-mpm-ac-gfbs.c b/src/util-mpm-ac-gfbs.c index 76f0865228..f26d7c82cc 100644 --- a/src/util-mpm-ac-gfbs.c +++ b/src/util-mpm-ac-gfbs.c @@ -777,6 +777,7 @@ static inline void SCACGfbsCreateModGotoTable(MpmCtx *mpm_ctx) exit(EXIT_FAILURE); } memset(ctx->goto_table_mod, 0, size); + printf("size- %d\n", size); mpm_ctx->memory_cnt++; mpm_ctx->memory_size += size; diff --git a/src/util-mpm.c b/src/util-mpm.c index 3882b856f9..463745d501 100644 --- a/src/util-mpm.c +++ b/src/util-mpm.c @@ -80,12 +80,21 @@ int32_t MpmFactoryRegisterMpmCtxProfile(const char *name, uint8_t flags) exit(EXIT_FAILURE); } - item[0].mpm_ctx = SCMalloc(sizeof(MpmCtx)); - if (item[0].mpm_ctx == NULL) { + /* toserver */ + item[0].mpm_ctx_ts = SCMalloc(sizeof(MpmCtx)); + if (item[0].mpm_ctx_ts == NULL) { SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); exit(EXIT_FAILURE); } - memset(item[0].mpm_ctx, 0, sizeof(MpmCtx)); + memset(item[0].mpm_ctx_ts, 0, sizeof(MpmCtx)); + + /* toclient */ + item[0].mpm_ctx_tc = SCMalloc(sizeof(MpmCtx)); + if (item[0].mpm_ctx_tc == NULL) { + SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); + exit(EXIT_FAILURE); + } + memset(item[0].mpm_ctx_tc, 0, sizeof(MpmCtx)); /* our id starts from 0 always. Helps us with the ctx retrieval from * the array */ @@ -106,13 +115,21 @@ int32_t MpmFactoryRegisterMpmCtxProfile(const char *name, uint8_t flags) for (i = 0; i < mpm_ctx_factory_container->no_of_items; i++) { if (items[i].name != NULL && strcmp(items[i].name, name) == 0) { /* looks like we have this mpm_ctx freed */ - if (items[i].mpm_ctx == NULL) { - items[i].mpm_ctx = SCMalloc(sizeof(MpmCtx)); - if (items[i].mpm_ctx == NULL) { + if (items[i].mpm_ctx_ts == NULL) { + items[i].mpm_ctx_ts = SCMalloc(sizeof(MpmCtx)); + if (items[i].mpm_ctx_ts == NULL) { SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); exit(EXIT_FAILURE); } - memset(items[i].mpm_ctx, 0, sizeof(MpmCtx)); + memset(items[i].mpm_ctx_ts, 0, sizeof(MpmCtx)); + } + if (items[i].mpm_ctx_tc == NULL) { + items[i].mpm_ctx_tc = SCMalloc(sizeof(MpmCtx)); + if (items[i].mpm_ctx_tc == NULL) { + SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); + exit(EXIT_FAILURE); + } + memset(items[i].mpm_ctx_tc, 0, sizeof(MpmCtx)); } items[i].flags = flags; return items[i].id; @@ -136,12 +153,21 @@ int32_t MpmFactoryRegisterMpmCtxProfile(const char *name, uint8_t flags) exit(EXIT_FAILURE); } - new_item[0].mpm_ctx = SCMalloc(sizeof(MpmCtx)); - if (new_item[0].mpm_ctx == NULL) { + /* toserver */ + new_item[0].mpm_ctx_ts = SCMalloc(sizeof(MpmCtx)); + if (new_item[0].mpm_ctx_ts == NULL) { + SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); + exit(EXIT_FAILURE); + } + memset(new_item[0].mpm_ctx_ts, 0, sizeof(MpmCtx)); + + /* toclient */ + new_item[0].mpm_ctx_tc = SCMalloc(sizeof(MpmCtx)); + if (new_item[0].mpm_ctx_tc == NULL) { SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); exit(EXIT_FAILURE); } - memset(new_item[0].mpm_ctx, 0, sizeof(MpmCtx)); + memset(new_item[0].mpm_ctx_tc, 0, sizeof(MpmCtx)); new_item[0].id = mpm_ctx_factory_container->no_of_items; new_item[0].flags = flags; @@ -162,14 +188,16 @@ int32_t MpmFactoryIsMpmCtxAvailable(MpmCtx *mpm_ctx) } else { int i; for (i = 0; i < mpm_ctx_factory_container->no_of_items; i++) { - if (mpm_ctx == mpm_ctx_factory_container->items[i].mpm_ctx) + if (mpm_ctx == mpm_ctx_factory_container->items[i].mpm_ctx_ts || + mpm_ctx == mpm_ctx_factory_container->items[i].mpm_ctx_tc) { return 1; + } } return 0; } } -MpmCtx *MpmFactoryGetMpmCtxForProfile(int32_t id) +MpmCtx *MpmFactoryGetMpmCtxForProfile(int32_t id, int direction) { if (id == MPM_CTX_FACTORY_UNIQUE_CONTEXT) { MpmCtx *mpm_ctx = SCMalloc(sizeof(MpmCtx)); @@ -186,7 +214,9 @@ MpmCtx *MpmFactoryGetMpmCtxForProfile(int32_t id) /* this id does not exist */ return NULL; } else { - return mpm_ctx_factory_container->items[id].mpm_ctx; + return (direction == 0) ? + mpm_ctx_factory_container->items[id].mpm_ctx_ts : + mpm_ctx_factory_container->items[id].mpm_ctx_tc; } } @@ -211,8 +241,10 @@ void MpmFactoryDeRegisterAllMpmCtxProfiles(void) for (i = 0; i < mpm_ctx_factory_container->no_of_items; i++) { if (items[i].name != NULL) SCFree(items[i].name); - if (items[i].mpm_ctx != NULL) - SCFree(items[i].mpm_ctx); + if (items[i].mpm_ctx_ts != NULL) + SCFree(items[i].mpm_ctx_ts); + if (items[i].mpm_ctx_tc != NULL) + SCFree(items[i].mpm_ctx_tc); } SCFree(mpm_ctx_factory_container->items); diff --git a/src/util-mpm.h b/src/util-mpm.h index 0b557fe7be..7732b3ca52 100644 --- a/src/util-mpm.h +++ b/src/util-mpm.h @@ -128,7 +128,8 @@ typedef struct MpmCtx_ { typedef struct MpmCtxFactoryItem_ { char *name; - MpmCtx *mpm_ctx; + MpmCtx *mpm_ctx_ts; + MpmCtx *mpm_ctx_tc; int32_t id; uint8_t flags; } MpmCtxFactoryItem; @@ -183,7 +184,7 @@ MpmTableElmt mpm_table[MPM_TABLE_SIZE]; int32_t MpmFactoryRegisterMpmCtxProfile(const char *, uint8_t); void MpmFactoryReClaimMpmCtx(MpmCtx *); -MpmCtx *MpmFactoryGetMpmCtxForProfile(int32_t); +MpmCtx *MpmFactoryGetMpmCtxForProfile(int32_t, int); void MpmFactoryDeRegisterAllMpmCtxProfiles(void); int32_t MpmFactoryIsMpmCtxAvailable(MpmCtx *);