aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

support splitting mpm ctxs based on direction v2

Browse Source
remotes/origin/master
Anoop Saldanha 14 years ago committed by Victor Julien
parent 0a91d824bf
commit 419cdc8558
21 changed files with 1276 additions and 488 deletions
Show Stats Download Patch File Download Diff File

14
src/detect-engine-hcbd.c
Unescape Escape View File

@ -446,7 +446,8 @@ end:
} }
int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *de_ctx, int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state) DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags)
{ {
int i; int i;
uint32_t cnt = 0; uint32_t cnt = 0;
@ -461,7 +462,8 @@ int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *de_ctx,
for (i = 0; i < det_ctx->hcbd_buffers_list_len; i++) { for (i = 0; i < det_ctx->hcbd_buffers_list_len; i++) {
cnt += HttpClientBodyPatternSearch(det_ctx, cnt += HttpClientBodyPatternSearch(det_ctx,
det_ctx->hcbd_buffers[i], det_ctx->hcbd_buffers[i],
det_ctx->hcbd_buffers_len[i]); det_ctx->hcbd_buffers_len[i],
flags);
} }
return cnt; return cnt;
@ -2444,7 +2446,7 @@ static int DetectEngineHttpClientBodyTest17(void)
/* start the search phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1); det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1);
uint32_t r = HttpClientBodyPatternSearch(det_ctx, http1_buf, http1_len); uint32_t r = HttpClientBodyPatternSearch(det_ctx, http1_buf, http1_len, STREAM_TOSERVER);
if (r != 1) { if (r != 1) {
printf("expected 1 result, got %"PRIu32": ", r); printf("expected 1 result, got %"PRIu32": ", r);
goto end; goto end;
@ -2515,7 +2517,7 @@ static int DetectEngineHttpClientBodyTest18(void)
/* start the search phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1); det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1);
uint32_t r = HttpClientBodyPatternSearch(det_ctx, http1_buf, http1_len); uint32_t r = HttpClientBodyPatternSearch(det_ctx, http1_buf, http1_len, STREAM_TOSERVER);
if (r != 0) { if (r != 0) {
printf("expected 1 result, got %"PRIu32": ", r); printf("expected 1 result, got %"PRIu32": ", r);
goto end; goto end;
@ -2586,7 +2588,7 @@ static int DetectEngineHttpClientBodyTest19(void)
/* start the search phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1); det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1);
uint32_t r = HttpClientBodyPatternSearch(det_ctx, http1_buf, http1_len); uint32_t r = HttpClientBodyPatternSearch(det_ctx, http1_buf, http1_len, STREAM_TOSERVER);
if (r != 0) { if (r != 0) {
printf("expected 1 result, got %"PRIu32": ", r); printf("expected 1 result, got %"PRIu32": ", r);
goto end; goto end;
@ -2657,7 +2659,7 @@ static int DetectEngineHttpClientBodyTest20(void)
/* start the search phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1); det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1);
uint32_t r = HttpClientBodyPatternSearch(det_ctx, http1_buf, http1_len); uint32_t r = HttpClientBodyPatternSearch(det_ctx, http1_buf, http1_len, STREAM_TOSERVER);
if (r != 2) { if (r != 2) {
printf("expected 1 result, got %"PRIu32": ", r); printf("expected 1 result, got %"PRIu32": ", r);
goto end; goto end;

3
src/detect-engine-hcbd.h
Unescape Escape View File

@ -28,7 +28,8 @@
#include "app-layer-htp.h" #include "app-layer-htp.h"
int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *, int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *,
DetectEngineThreadCtx *, Flow *f, HtpState *); DetectEngineThreadCtx *, Flow *f,
HtpState *, uint8_t);
int DetectEngineInspectHttpClientBody(DetectEngineCtx *, int DetectEngineInspectHttpClientBody(DetectEngineCtx *,
DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *); DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *);

4
src/detect-engine-hcd.c
Unescape Escape View File

@ -309,7 +309,7 @@ match:
} }
int DetectEngineRunHttpCookieMpm(DetectEngineThreadCtx *det_ctx, Flow *f, int DetectEngineRunHttpCookieMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state) HtpState *htp_state, uint8_t flags)
{ {
htp_tx_t *tx = NULL; htp_tx_t *tx = NULL;
uint32_t cnt = 0; uint32_t cnt = 0;
@ -350,7 +350,7 @@ int DetectEngineRunHttpCookieMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
cnt += HttpCookiePatternSearch(det_ctx, cnt += HttpCookiePatternSearch(det_ctx,
(uint8_t *)bstr_ptr(h->value), (uint8_t *)bstr_ptr(h->value),
bstr_len(h->value)); bstr_len(h->value), flags);
} }
end: end:

2
src/detect-engine-hcd.h
Unescape Escape View File

@ -27,7 +27,7 @@
int DetectEngineInspectHttpCookie(DetectEngineCtx *, DetectEngineThreadCtx *, int DetectEngineInspectHttpCookie(DetectEngineCtx *, DetectEngineThreadCtx *,
Signature *, Flow *, uint8_t, void *); Signature *, Flow *, uint8_t, void *);
int DetectEngineRunHttpCookieMpm(DetectEngineThreadCtx *, Flow *, HtpState *); int DetectEngineRunHttpCookieMpm(DetectEngineThreadCtx *, Flow *, HtpState *, uint8_t);
void DetectEngineHttpCookieRegisterTests(void); void DetectEngineHttpCookieRegisterTests(void);
#endif /* __DETECT_ENGINE_HCD_H__ */ #endif /* __DETECT_ENGINE_HCD_H__ */

16
src/detect-engine-hhd.c
Unescape Escape View File

@ -438,7 +438,8 @@ int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) { for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) {
cnt += HttpHeaderPatternSearch(det_ctx, cnt += HttpHeaderPatternSearch(det_ctx,
det_ctx->hhd_buffers[i], det_ctx->hhd_buffers[i],
det_ctx->hhd_buffers_len[i]); det_ctx->hhd_buffers_len[i],
flags);
} }
DetectEngineCleanHHDBuffers(det_ctx); DetectEngineCleanHHDBuffers(det_ctx);
@ -450,13 +451,15 @@ int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) { for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) {
cnt += HttpHeaderPatternSearch(det_ctx, cnt += HttpHeaderPatternSearch(det_ctx,
det_ctx->hhd_buffers[i], det_ctx->hhd_buffers[i],
det_ctx->hhd_buffers_len[i]); det_ctx->hhd_buffers_len[i],
flags);
} }
} else { } else {
for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) { for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) {
cnt += HttpHeaderPatternSearch(det_ctx, cnt += HttpHeaderPatternSearch(det_ctx,
det_ctx->hhd_buffers[i], det_ctx->hhd_buffers[i],
det_ctx->hhd_buffers_len[i]); det_ctx->hhd_buffers_len[i],
flags);
} }
uint16_t hhd_buffers_list_len = det_ctx->hhd_buffers_list_len; uint16_t hhd_buffers_list_len = det_ctx->hhd_buffers_list_len;
@ -475,7 +478,8 @@ int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) { for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) {
cnt += HttpHeaderPatternSearch(det_ctx, cnt += HttpHeaderPatternSearch(det_ctx,
det_ctx->hhd_buffers[i], det_ctx->hhd_buffers[i],
det_ctx->hhd_buffers_len[i]); det_ctx->hhd_buffers_len[i],
flags);
} }
DetectEngineCleanHHDBuffers(det_ctx); DetectEngineCleanHHDBuffers(det_ctx);
@ -2129,7 +2133,7 @@ static int DetectEngineHttpHeaderTest18(void)
/* start the search phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
uint32_t r = HttpHeaderPatternSearch(det_ctx, http_buf, http_len); uint32_t r = HttpHeaderPatternSearch(det_ctx, http_buf, http_len, STREAM_TOSERVER);
if (r != 2) { if (r != 2) {
printf("expected result 2, got %"PRIu32": ", r); printf("expected result 2, got %"PRIu32": ", r);
goto end; goto end;
@ -2203,7 +2207,7 @@ static int DetectEngineHttpHeaderTest19(void)
/* start the search phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
uint32_t r = HttpHeaderPatternSearch(det_ctx, http_buf, http_len); uint32_t r = HttpHeaderPatternSearch(det_ctx, http_buf, http_len, STREAM_TOSERVER);
if (r != 1) { if (r != 1) {
printf("expected result 1, got %"PRIu32": ", r); printf("expected result 1, got %"PRIu32": ", r);
goto end; goto end;

5
src/detect-engine-hmd.c
Unescape Escape View File

@ -309,7 +309,7 @@ match:
} }
int DetectEngineRunHttpMethodMpm(DetectEngineThreadCtx *det_ctx, Flow *f, int DetectEngineRunHttpMethodMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state) HtpState *htp_state, uint8_t flags)
{ {
htp_tx_t *tx = NULL; htp_tx_t *tx = NULL;
uint32_t cnt = 0; uint32_t cnt = 0;
@ -343,7 +343,8 @@ int DetectEngineRunHttpMethodMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
cnt += HttpMethodPatternSearch(det_ctx, cnt += HttpMethodPatternSearch(det_ctx,
(uint8_t *)bstr_ptr(tx->request_method), (uint8_t *)bstr_ptr(tx->request_method),
bstr_len(tx->request_method)); bstr_len(tx->request_method),
flags);
} }
end: end:

2
src/detect-engine-hmd.h
Unescape Escape View File

@ -27,7 +27,7 @@
int DetectEngineInspectHttpMethod(DetectEngineCtx *, DetectEngineThreadCtx *, int DetectEngineInspectHttpMethod(DetectEngineCtx *, DetectEngineThreadCtx *,
Signature *, Flow *, uint8_t, void *); Signature *, Flow *, uint8_t, void *);
int DetectEngineRunHttpMethodMpm(DetectEngineThreadCtx *, Flow *, HtpState *); int DetectEngineRunHttpMethodMpm(DetectEngineThreadCtx *, Flow *, HtpState *, uint8_t);
void DetectEngineHttpMethodRegisterTests(void); void DetectEngineHttpMethodRegisterTests(void);
#endif /* __DETECT_ENGINE_HMD_H__ */ #endif /* __DETECT_ENGINE_HMD_H__ */

6
src/detect-engine-hrhd.c
Unescape Escape View File

@ -344,7 +344,7 @@ int DetectEngineRunHttpRawHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
if (raw_headers != NULL) { if (raw_headers != NULL) {
cnt += HttpRawHeaderPatternSearch(det_ctx, cnt += HttpRawHeaderPatternSearch(det_ctx,
(uint8_t *)bstr_ptr(raw_headers), (uint8_t *)bstr_ptr(raw_headers),
bstr_len(raw_headers)); bstr_len(raw_headers), flags);
} }
#ifdef HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW #ifdef HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
raw_headers = htp_tx_get_response_headers_raw(tx); raw_headers = htp_tx_get_response_headers_raw(tx);
@ -2003,7 +2003,7 @@ static int DetectEngineHttpRawHeaderTest18(void)
/* start the search phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
uint32_t r = HttpRawHeaderPatternSearch(det_ctx, http_buf, http_len); uint32_t r = HttpRawHeaderPatternSearch(det_ctx, http_buf, http_len, STREAM_TOSERVER);
if (r != 2) { if (r != 2) {
printf("expected result 2, got %"PRIu32": ", r); printf("expected result 2, got %"PRIu32": ", r);
goto end; goto end;
@ -2077,7 +2077,7 @@ static int DetectEngineHttpRawHeaderTest19(void)
/* start the search phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
uint32_t r = HttpRawHeaderPatternSearch(det_ctx, http_buf, http_len); uint32_t r = HttpRawHeaderPatternSearch(det_ctx, http_buf, http_len, STREAM_TOSERVER);
if (r != 1) { if (r != 1) {
printf("expected result 1, got %"PRIu32": ", r); printf("expected result 1, got %"PRIu32": ", r);
goto end; goto end;

12
src/detect-engine-hrud.c
Unescape Escape View File

@ -342,7 +342,7 @@ match:
* \retval cnt Number of matches reported by the mpm algo. * \retval cnt Number of matches reported by the mpm algo.
*/ */
int DetectEngineRunHttpRawUriMpm(DetectEngineThreadCtx *det_ctx, Flow *f, int DetectEngineRunHttpRawUriMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state) HtpState *htp_state, uint8_t flags)
{ {
SCEnter(); SCEnter();
@ -376,7 +376,7 @@ int DetectEngineRunHttpRawUriMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
cnt += HttpRawUriPatternSearch(det_ctx, cnt += HttpRawUriPatternSearch(det_ctx,
(uint8_t *)bstr_ptr(tx->request_uri), (uint8_t *)bstr_ptr(tx->request_uri),
bstr_len(tx->request_uri)); bstr_len(tx->request_uri), flags);
} }
end: end:
@ -2378,7 +2378,7 @@ static int DetectEngineHttpRawUriTest17(void)
/* start the search phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1); det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1);
uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len); uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len, STREAM_TOSERVER);
if (r != 1) { if (r != 1) {
printf("expected 1 result, got %"PRIu32": ", r); printf("expected 1 result, got %"PRIu32": ", r);
goto end; goto end;
@ -2449,7 +2449,7 @@ static int DetectEngineHttpRawUriTest18(void)
/* start the search phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1); det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1);
uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len); uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len, STREAM_TOSERVER);
if (r != 0) { if (r != 0) {
printf("expected 0 result, got %"PRIu32": ", r); printf("expected 0 result, got %"PRIu32": ", r);
goto end; goto end;
@ -2520,7 +2520,7 @@ static int DetectEngineHttpRawUriTest19(void)
/* start the search phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1); det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1);
uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len); uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len, STREAM_TOSERVER);
if (r != 0) { if (r != 0) {
printf("expected 0 result, got %"PRIu32": ", r); printf("expected 0 result, got %"PRIu32": ", r);
goto end; goto end;
@ -2591,7 +2591,7 @@ static int DetectEngineHttpRawUriTest20(void)
/* start the search phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1); det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1);
uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len); uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len, STREAM_TOSERVER);
if (r != 2) { if (r != 2) {
printf("expected 2 result, got %"PRIu32": ", r); printf("expected 2 result, got %"PRIu32": ", r);
goto end; goto end;

2
src/detect-engine-hrud.h
Unescape Escape View File

@ -27,7 +27,7 @@
#include "app-layer-htp.h" #include "app-layer-htp.h"
int DetectEngineRunHttpRawUriMpm(DetectEngineThreadCtx *, int DetectEngineRunHttpRawUriMpm(DetectEngineThreadCtx *,
Flow *f, HtpState *); Flow *f, HtpState *, uint8_t);
int DetectEngineInspectHttpRawUri(DetectEngineCtx *, DetectEngineThreadCtx *, int DetectEngineInspectHttpRawUri(DetectEngineCtx *, DetectEngineThreadCtx *,
Signature *, Flow *, uint8_t, void *); Signature *, Flow *, uint8_t, void *);
void DetectEngineHttpRawUriRegisterTests(void); void DetectEngineHttpRawUriRegisterTests(void);

6
src/detect-engine-hsbd.c
Unescape Escape View File

@ -521,7 +521,8 @@ end:
} }
int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *de_ctx, int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state) DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags)
{ {
int i; int i;
uint32_t cnt = 0; uint32_t cnt = 0;
@ -536,7 +537,8 @@ int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *de_ctx,
for (i = 0; i < det_ctx->hsbd_buffers_list_len; i++) { for (i = 0; i < det_ctx->hsbd_buffers_list_len; i++) {
cnt += HttpServerBodyPatternSearch(det_ctx, cnt += HttpServerBodyPatternSearch(det_ctx,
det_ctx->hsbd_buffers[i], det_ctx->hsbd_buffers[i],
det_ctx->hsbd_buffers_len[i]); det_ctx->hsbd_buffers_len[i],
flags);
} }
return cnt; return cnt;

3
src/detect-engine-hsbd.h
Unescape Escape View File

@ -28,7 +28,8 @@
#include "app-layer-htp.h" #include "app-layer-htp.h"
int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *, int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *,
DetectEngineThreadCtx *, Flow *f, HtpState *); DetectEngineThreadCtx *, Flow *f,
HtpState *, uint8_t);
int DetectEngineInspectHttpServerBody(DetectEngineCtx *, int DetectEngineInspectHttpServerBody(DetectEngineCtx *,
DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *); DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *);

1302
src/detect-engine-mpm.c
View File

File diff suppressed because it is too large Load Diff

16
src/detect-engine-mpm.h
Unescape Escape View File

@ -36,15 +36,15 @@ uint16_t PatternMatchDefaultMatcher(void);
uint32_t PatternStrength(uint8_t *, uint16_t); uint32_t PatternStrength(uint8_t *, uint16_t);
uint32_t PacketPatternSearchWithStreamCtx(DetectEngineThreadCtx *, Packet *); uint32_t PacketPatternSearchWithStreamCtx(DetectEngineThreadCtx *, Packet *);
uint32_t PacketPatternSearch(DetectEngineThreadCtx *, Packet *); uint32_t PacketPatternSearch(DetectEngineThreadCtx *, Packet *);
uint32_t UriPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint16_t); uint32_t UriPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint16_t, uint8_t);
uint32_t StreamPatternSearch(DetectEngineThreadCtx *, Packet *, StreamMsg *, uint8_t); uint32_t StreamPatternSearch(DetectEngineThreadCtx *, Packet *, StreamMsg *, uint8_t);
uint32_t HttpClientBodyPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t); uint32_t HttpClientBodyPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpServerBodyPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t); uint32_t HttpServerBodyPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpHeaderPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t); uint32_t HttpHeaderPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpRawHeaderPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t); uint32_t HttpRawHeaderPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpMethodPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t); uint32_t HttpMethodPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t); uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t); uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
void PacketPatternCleanup(ThreadVars *, DetectEngineThreadCtx *); void PacketPatternCleanup(ThreadVars *, DetectEngineThreadCtx *);
void StreamPatternCleanup(ThreadVars *t, DetectEngineThreadCtx *det_ctx, StreamMsg *smsg); void StreamPatternCleanup(ThreadVars *t, DetectEngineThreadCtx *det_ctx, StreamMsg *smsg);

13
src/detect-uricontent.c
Unescape Escape View File

@ -436,7 +436,7 @@ error:
* \retval 1 if the uri contents match; 0 no match * \retval 1 if the uri contents match; 0 no match
*/ */
static inline int DoDetectAppLayerUricontentMatch (DetectEngineThreadCtx *det_ctx, static inline int DoDetectAppLayerUricontentMatch (DetectEngineThreadCtx *det_ctx,
uint8_t *uri, uint16_t uri_len) uint8_t *uri, uint16_t uri_len, uint8_t flags)
{ {
int ret = 0; int ret = 0;
/* run the pattern matcher against the uri */ /* run the pattern matcher against the uri */
@ -456,7 +456,7 @@ static inline int DoDetectAppLayerUricontentMatch (DetectEngineThreadCtx *det_ct
else if (det_ctx->sgh->mpm_uricontent_maxlen == 4) det_ctx->pkts_uri_searched4++; else if (det_ctx->sgh->mpm_uricontent_maxlen == 4) det_ctx->pkts_uri_searched4++;
else det_ctx->pkts_uri_searched++; else det_ctx->pkts_uri_searched++;
ret += UriPatternSearch(det_ctx, uri, uri_len); ret += UriPatternSearch(det_ctx, uri, uri_len, flags);
SCLogDebug("post search: cnt %" PRIu32, ret); SCLogDebug("post search: cnt %" PRIu32, ret);
} }
@ -476,7 +476,9 @@ static inline int DoDetectAppLayerUricontentMatch (DetectEngineThreadCtx *det_ct
* \warning Make sure the flow/state is locked * \warning Make sure the flow/state is locked
* \todo what should we return? Just the fact that we matched? * \todo what should we return? Just the fact that we matched?
*/ */
uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state) { uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags)
{
SCEnter(); SCEnter();
uint32_t cnt = 0; uint32_t cnt = 0;
@ -505,8 +507,9 @@ uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f, Htp
continue; continue;
cnt += DoDetectAppLayerUricontentMatch(det_ctx, (uint8_t *) cnt += DoDetectAppLayerUricontentMatch(det_ctx, (uint8_t *)
bstr_ptr(tx->request_uri_normalized), bstr_ptr(tx->request_uri_normalized),
bstr_len(tx->request_uri_normalized)); bstr_len(tx->request_uri_normalized),
flags);
} }
end: end:
SCMutexUnlock(&f->m); SCMutexUnlock(&f->m);

2
src/detect-uricontent.h
Unescape Escape View File

@ -37,6 +37,6 @@ uint32_t DetectUricontentMaxId(DetectEngineCtx *);
SigMatch *DetectUricontentGetLastPattern(SigMatch *); SigMatch *DetectUricontentGetLastPattern(SigMatch *);
void DetectUricontentPrint(DetectContentData *); void DetectUricontentPrint(DetectContentData *);
uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *, Flow *, HtpState *); uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *, Flow *, HtpState *, uint8_t);
#endif /* __DETECT_URICONTENT_H__ */ #endif /* __DETECT_URICONTENT_H__ */

253
src/detect.c
Unescape Escape View File

@ -1169,17 +1169,17 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
if (alproto == ALPROTO_HTTP && alstate != NULL) { if (alproto == ALPROTO_HTTP && alstate != NULL) {
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_URI) { if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_URI) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_URI); PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_URI);
DetectUricontentInspectMpm(det_ctx, p->flow, alstate); DetectUricontentInspectMpm(det_ctx, p->flow, alstate, flags);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_URI); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_URI);
} }
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCBD) { if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCBD) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCBD); PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCBD);
DetectEngineRunHttpClientBodyMpm(de_ctx, det_ctx, p->flow, alstate); DetectEngineRunHttpClientBodyMpm(de_ctx, det_ctx, p->flow, alstate, flags);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HCBD); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HCBD);
} }
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSBD) { if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSBD) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HSBD); PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HSBD);
DetectEngineRunHttpServerBodyMpm(de_ctx, det_ctx, p->flow, alstate); DetectEngineRunHttpServerBodyMpm(de_ctx, det_ctx, p->flow, alstate, flags);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HSBD); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HSBD);
} }
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHD) { if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHD) {
@ -1194,17 +1194,17 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
} }
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HMD) { if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HMD) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HMD); PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HMD);
DetectEngineRunHttpMethodMpm(det_ctx, p->flow, alstate); DetectEngineRunHttpMethodMpm(det_ctx, p->flow, alstate, flags);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HMD); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HMD);
} }
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCD) { if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCD) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCD); PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCD);
DetectEngineRunHttpCookieMpm(det_ctx, p->flow, alstate); DetectEngineRunHttpCookieMpm(det_ctx, p->flow, alstate, flags);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HCD); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HCD);
} }
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRUD) { if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRUD) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HRUD); PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HRUD);
DetectEngineRunHttpRawUriMpm(det_ctx, p->flow, alstate); DetectEngineRunHttpRawUriMpm(det_ctx, p->flow, alstate, flags);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HRUD); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HRUD);
} }
} }
@ -3183,43 +3183,43 @@ int BuildDestinationAddressHeads(DetectEngineCtx *de_ctx, DetectAddressHead *hea
printf("PatternMatchPrepareGroup failed\n"); printf("PatternMatchPrepareGroup failed\n");
goto error; goto error;
} }
if (sgr->sh->mpm_proto_tcp_ctx != NULL) { //if (sgr->sh->mpm_proto_tcp_ctx != NULL) {
if (de_ctx->mpm_max_patcnt < sgr->sh->mpm_proto_tcp_ctx->pattern_cnt) // if (de_ctx->mpm_max_patcnt < sgr->sh->mpm_proto_tcp_ctx->pattern_cnt)
de_ctx->mpm_max_patcnt = sgr->sh->mpm_proto_tcp_ctx->pattern_cnt; // de_ctx->mpm_max_patcnt = sgr->sh->mpm_proto_tcp_ctx->pattern_cnt;
//
de_ctx->mpm_tot_patcnt += sgr->sh->mpm_proto_tcp_ctx->pattern_cnt; // de_ctx->mpm_tot_patcnt += sgr->sh->mpm_proto_tcp_ctx->pattern_cnt;
} //}
if (sgr->sh->mpm_proto_udp_ctx != NULL) { //if (sgr->sh->mpm_proto_udp_ctx != NULL) {
if (de_ctx->mpm_max_patcnt < sgr->sh->mpm_proto_udp_ctx->pattern_cnt) // if (de_ctx->mpm_max_patcnt < sgr->sh->mpm_proto_udp_ctx->pattern_cnt)
de_ctx->mpm_max_patcnt = sgr->sh->mpm_proto_udp_ctx->pattern_cnt; // de_ctx->mpm_max_patcnt = sgr->sh->mpm_proto_udp_ctx->pattern_cnt;
//
de_ctx->mpm_tot_patcnt += sgr->sh->mpm_proto_udp_ctx->pattern_cnt; // de_ctx->mpm_tot_patcnt += sgr->sh->mpm_proto_udp_ctx->pattern_cnt;
} //}
if (sgr->sh->mpm_proto_other_ctx != NULL) { //if (sgr->sh->mpm_proto_other_ctx != NULL) {
if (de_ctx->mpm_max_patcnt < sgr->sh->mpm_proto_other_ctx->pattern_cnt) // if (de_ctx->mpm_max_patcnt < sgr->sh->mpm_proto_other_ctx->pattern_cnt)
de_ctx->mpm_max_patcnt = sgr->sh->mpm_proto_other_ctx->pattern_cnt; // de_ctx->mpm_max_patcnt = sgr->sh->mpm_proto_other_ctx->pattern_cnt;
//
de_ctx->mpm_tot_patcnt += sgr->sh->mpm_proto_other_ctx->pattern_cnt; // de_ctx->mpm_tot_patcnt += sgr->sh->mpm_proto_other_ctx->pattern_cnt;
} //}
if (sgr->sh->mpm_uri_ctx != NULL) { //if (sgr->sh->mpm_uri_ctx != NULL) {
if (de_ctx->mpm_uri_max_patcnt < sgr->sh->mpm_uri_ctx->pattern_cnt) // if (de_ctx->mpm_uri_max_patcnt < sgr->sh->mpm_uri_ctx->pattern_cnt)
de_ctx->mpm_uri_max_patcnt = sgr->sh->mpm_uri_ctx->pattern_cnt; // de_ctx->mpm_uri_max_patcnt = sgr->sh->mpm_uri_ctx->pattern_cnt;
//
de_ctx->mpm_uri_tot_patcnt += sgr->sh->mpm_uri_ctx->pattern_cnt; // de_ctx->mpm_uri_tot_patcnt += sgr->sh->mpm_uri_ctx->pattern_cnt;
} //}
/* dbg */ ///* dbg */
if (!(sgr->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && sgr->sh->mpm_proto_tcp_ctx) { //if (!(sgr->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && sgr->sh->mpm_proto_tcp_ctx) {
de_ctx->mpm_memory_size += sgr->sh->mpm_proto_tcp_ctx->memory_size; // de_ctx->mpm_memory_size += sgr->sh->mpm_proto_tcp_ctx->memory_size;
} //}
if (!(sgr->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && sgr->sh->mpm_proto_udp_ctx) { //if (!(sgr->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && sgr->sh->mpm_proto_udp_ctx) {
de_ctx->mpm_memory_size += sgr->sh->mpm_proto_udp_ctx->memory_size; // de_ctx->mpm_memory_size += sgr->sh->mpm_proto_udp_ctx->memory_size;
} //}
if (!(sgr->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && sgr->sh->mpm_proto_other_ctx) { //if (!(sgr->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && sgr->sh->mpm_proto_other_ctx) {
de_ctx->mpm_memory_size += sgr->sh->mpm_proto_other_ctx->memory_size; // de_ctx->mpm_memory_size += sgr->sh->mpm_proto_other_ctx->memory_size;
} //}
if (!(sgr->sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY) && sgr->sh->mpm_uri_ctx) { //if (!(sgr->sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY) && sgr->sh->mpm_uri_ctx) {
de_ctx->mpm_memory_size += sgr->sh->mpm_uri_ctx->memory_size; // de_ctx->mpm_memory_size += sgr->sh->mpm_uri_ctx->memory_size;
} //}
SigGroupHeadHashAdd(de_ctx, sgr->sh); SigGroupHeadHashAdd(de_ctx, sgr->sh);
SigGroupHeadStore(de_ctx, sgr->sh); SigGroupHeadStore(de_ctx, sgr->sh);
@ -3452,43 +3452,43 @@ int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, DetectAdd
printf("PatternMatchPrepareGroup failed\n"); printf("PatternMatchPrepareGroup failed\n");
goto error; goto error;
} }
if (dp->sh->mpm_proto_tcp_ctx != NULL) { //if (dp->sh->mpm_proto_tcp_ctx != NULL) {
if (de_ctx->mpm_max_patcnt < dp->sh->mpm_proto_tcp_ctx->pattern_cnt) // if (de_ctx->mpm_max_patcnt < dp->sh->mpm_proto_tcp_ctx->pattern_cnt)
de_ctx->mpm_max_patcnt = dp->sh->mpm_proto_tcp_ctx->pattern_cnt; // de_ctx->mpm_max_patcnt = dp->sh->mpm_proto_tcp_ctx->pattern_cnt;
//
de_ctx->mpm_tot_patcnt += dp->sh->mpm_proto_tcp_ctx->pattern_cnt; // de_ctx->mpm_tot_patcnt += dp->sh->mpm_proto_tcp_ctx->pattern_cnt;
} //}
if (dp->sh->mpm_proto_udp_ctx != NULL) { //if (dp->sh->mpm_proto_udp_ctx != NULL) {
if (de_ctx->mpm_max_patcnt < dp->sh->mpm_proto_udp_ctx->pattern_cnt) // if (de_ctx->mpm_max_patcnt < dp->sh->mpm_proto_udp_ctx->pattern_cnt)
de_ctx->mpm_max_patcnt = dp->sh->mpm_proto_udp_ctx->pattern_cnt; // de_ctx->mpm_max_patcnt = dp->sh->mpm_proto_udp_ctx->pattern_cnt;
//
de_ctx->mpm_tot_patcnt += dp->sh->mpm_proto_udp_ctx->pattern_cnt; // de_ctx->mpm_tot_patcnt += dp->sh->mpm_proto_udp_ctx->pattern_cnt;
} //}
if (dp->sh->mpm_proto_other_ctx != NULL) { //if (dp->sh->mpm_proto_other_ctx != NULL) {
if (de_ctx->mpm_max_patcnt < dp->sh->mpm_proto_other_ctx->pattern_cnt) // if (de_ctx->mpm_max_patcnt < dp->sh->mpm_proto_other_ctx->pattern_cnt)
de_ctx->mpm_max_patcnt = dp->sh->mpm_proto_other_ctx->pattern_cnt; // de_ctx->mpm_max_patcnt = dp->sh->mpm_proto_other_ctx->pattern_cnt;
//
de_ctx->mpm_tot_patcnt += dp->sh->mpm_proto_other_ctx->pattern_cnt; // de_ctx->mpm_tot_patcnt += dp->sh->mpm_proto_other_ctx->pattern_cnt;
} //}
if (dp->sh->mpm_uri_ctx != NULL) { //if (dp->sh->mpm_uri_ctx != NULL) {
if (de_ctx->mpm_uri_max_patcnt < dp->sh->mpm_uri_ctx->pattern_cnt) // if (de_ctx->mpm_uri_max_patcnt < dp->sh->mpm_uri_ctx->pattern_cnt)
de_ctx->mpm_uri_max_patcnt = dp->sh->mpm_uri_ctx->pattern_cnt; // de_ctx->mpm_uri_max_patcnt = dp->sh->mpm_uri_ctx->pattern_cnt;
//
de_ctx->mpm_uri_tot_patcnt += dp->sh->mpm_uri_ctx->pattern_cnt; // de_ctx->mpm_uri_tot_patcnt += dp->sh->mpm_uri_ctx->pattern_cnt;
} //}
/* dbg */ ///* dbg */
if (!(dp->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && dp->sh->mpm_proto_tcp_ctx) { //if (!(dp->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && dp->sh->mpm_proto_tcp_ctx) {
de_ctx->mpm_memory_size += dp->sh->mpm_proto_tcp_ctx->memory_size; // de_ctx->mpm_memory_size += dp->sh->mpm_proto_tcp_ctx->memory_size;
} //}
if (!(dp->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && dp->sh->mpm_proto_udp_ctx) { //if (!(dp->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && dp->sh->mpm_proto_udp_ctx) {
de_ctx->mpm_memory_size += dp->sh->mpm_proto_udp_ctx->memory_size; // de_ctx->mpm_memory_size += dp->sh->mpm_proto_udp_ctx->memory_size;
} //}
if (!(dp->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && dp->sh->mpm_proto_other_ctx) { //if (!(dp->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && dp->sh->mpm_proto_other_ctx) {
de_ctx->mpm_memory_size += dp->sh->mpm_proto_other_ctx->memory_size; // de_ctx->mpm_memory_size += dp->sh->mpm_proto_other_ctx->memory_size;
} //}
if (!(dp->sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY) && dp->sh->mpm_uri_ctx) { //if (!(dp->sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY) && dp->sh->mpm_uri_ctx) {
de_ctx->mpm_memory_size += dp->sh->mpm_uri_ctx->memory_size; // de_ctx->mpm_memory_size += dp->sh->mpm_uri_ctx->memory_size;
} //}
SigGroupHeadDPortHashAdd(de_ctx, dp->sh); SigGroupHeadDPortHashAdd(de_ctx, dp->sh);
SigGroupHeadStore(de_ctx, dp->sh); SigGroupHeadStore(de_ctx, dp->sh);
@ -3883,13 +3883,13 @@ int SigAddressPrepareStage5(DetectEngineCtx *de_ctx) {
for ( ; dp != NULL; dp = dp->next) { for ( ; dp != NULL; dp = dp->next) {
printf(" 4 Dst port(range): "); DetectPortPrint(dp); printf(" 4 Dst port(range): "); DetectPortPrint(dp);
printf(" (sigs %" PRIu32 ", sgh %p, maxlen %" PRIu32 ")", dp->sh->sig_cnt, dp->sh, dp->sh->mpm_content_maxlen); printf(" (sigs %" PRIu32 ", sgh %p, maxlen %" PRIu32 ")", dp->sh->sig_cnt, dp->sh, dp->sh->mpm_content_maxlen);
printf(" mpm_proto_tcp_ctx %p, mpm_prooto_udp_ctx " //printf(" mpm_proto_tcp_ctx %p, mpm_prooto_udp_ctx "
"%p, mpm_proto_other_ctx %p mpm_stream_ctx " // "%p, mpm_proto_other_ctx %p mpm_stream_ctx "
"%p", // "%p",
dp->sh->mpm_proto_tcp_ctx, // dp->sh->mpm_proto_tcp_ctx,
dp->sh->mpm_proto_udp_ctx, // dp->sh->mpm_proto_udp_ctx,
dp->sh->mpm_proto_other_ctx, // dp->sh->mpm_proto_other_ctx,
dp->sh->mpm_stream_ctx); // dp->sh->mpm_stream_ctx);
#ifdef PRINTSIGS #ifdef PRINTSIGS
printf(" - "); printf(" - ");
for (u = 0; u < dp->sh->sig_cnt; u++) { for (u = 0; u < dp->sh->sig_cnt; u++) {
@ -4206,67 +4206,107 @@ int SigGroupBuild (DetectEngineCtx *de_ctx) {
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
MpmCtx *mpm_ctx = NULL; MpmCtx *mpm_ctx = NULL;
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_tcp_packet); mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_tcp_packet, 0);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
}
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_tcp_packet, 1);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
} }
//printf("packet- %d\n", mpm_ctx->pattern_cnt); //printf("packet- %d\n", mpm_ctx->pattern_cnt);
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_udp_packet); mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_udp_packet, 0);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
}
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_udp_packet, 1);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
} }
//printf("packet- %d\n", mpm_ctx->pattern_cnt); //printf("packet- %d\n", mpm_ctx->pattern_cnt);
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_other_packet); mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_proto_other_packet, 0);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
} }
//printf("packet- %d\n", mpm_ctx->pattern_cnt); //printf("packet- %d\n", mpm_ctx->pattern_cnt);
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_uri); mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_uri, 0);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
}
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_uri, 1);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
} }
//printf("uri- %d\n", mpm_ctx->pattern_cnt); //printf("uri- %d\n", mpm_ctx->pattern_cnt);
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcbd); mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcbd, 0);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
}
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcbd, 1);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
} }
//printf("hcbd- %d\n", mpm_ctx->pattern_cnt); //printf("hcbd- %d\n", mpm_ctx->pattern_cnt);
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hhd); mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hhd, 0);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
}
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hhd, 1);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
} }
//printf("hhd- %d\n", mpm_ctx->pattern_cnt); //printf("hhd- %d\n", mpm_ctx->pattern_cnt);
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrhd); mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrhd, 0);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
}
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrhd, 1);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
} }
//printf("hrhd- %d\n", mpm_ctx->pattern_cnt); //printf("hrhd- %d\n", mpm_ctx->pattern_cnt);
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hmd); mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hmd, 0);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
}
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hmd, 1);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
} }
//printf("hmd- %d\n", mpm_ctx->pattern_cnt); //printf("hmd- %d\n", mpm_ctx->pattern_cnt);
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcd); mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcd, 0);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
}
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcd, 1);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
} }
//printf("hcd- %d\n", mpm_ctx->pattern_cnt); //printf("hcd- %d\n", mpm_ctx->pattern_cnt);
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrud); mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrud, 0);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
}
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrud, 1);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
} }
//printf("hrud- %d\n", mpm_ctx->pattern_cnt); //printf("hrud- %d\n", mpm_ctx->pattern_cnt);
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_stream); mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_stream, 0);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
}
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_stream, 1);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) { if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
} }
@ -9354,21 +9394,22 @@ static int SigTestSgh05 (void) {
goto end; goto end;
} }
if (sgh->mpm_proto_tcp_ctx != NULL || if (sgh->mpm_proto_tcp_ctx_ts != NULL || sgh->mpm_proto_tcp_ctx_tc != NULL ||
sgh->mpm_proto_udp_ctx != NULL || sgh->mpm_proto_other_ctx != NULL) { sgh->mpm_proto_udp_ctx_ts != NULL || sgh->mpm_proto_udp_ctx_tc != NULL ||
printf("sgh->mpm_proto_tcp_ctx != NULL || " sgh->mpm_proto_other_ctx != NULL) {
"sgh->mpm_proto_udp_ctx != NULL || " printf("sgh->mpm_proto_tcp_ctx_ts != NULL || sgh->mpm_proto_tcp_ctx_tc != NULL"
"sgh->mpm_proto_udp_ctx_ts != NULL || sgh->mpm_proto_udp_ctx_tc != NULL"
"sgh->mpm_proto_other_ctx != NULL: "); "sgh->mpm_proto_other_ctx != NULL: ");
goto end; goto end;
} }
if (sgh->mpm_stream_ctx == NULL) { if (sgh->mpm_stream_ctx_ts == NULL || sgh->mpm_stream_ctx_tc == NULL) {
printf("sgh->mpm_stream_ctx == NULL: "); printf("sgh->mpm_stream_ctx == NULL || sgh->mpm_stream_ctx_tc == NULL: ");
goto end; goto end;
} }
if (sgh->mpm_stream_ctx->mpm_type != MPM_WUMANBER) { if (sgh->mpm_stream_ctx_ts->mpm_type != MPM_WUMANBER) {
printf("sgh->mpm_type != MPM_WUMANBER, expected %d, got %d: ", MPM_WUMANBER, sgh->mpm_stream_ctx->mpm_type); printf("sgh->mpm_type != MPM_WUMANBER, expected %d, got %d: ", MPM_WUMANBER, sgh->mpm_stream_ctx_ts->mpm_type);
goto end; goto end;
} }

35
src/detect.h
Unescape Escape View File

@ -881,17 +881,30 @@ typedef struct SigGroupHead_ {
/* pattern matcher instances */ /* pattern matcher instances */
MpmCtx *mpm_proto_other_ctx; MpmCtx *mpm_proto_other_ctx;
MpmCtx *mpm_proto_tcp_ctx;
MpmCtx *mpm_proto_udp_ctx; MpmCtx *mpm_proto_tcp_ctx_ts;
MpmCtx *mpm_stream_ctx; MpmCtx *mpm_proto_udp_ctx_ts;
MpmCtx *mpm_uri_ctx; MpmCtx *mpm_stream_ctx_ts;
MpmCtx *mpm_hcbd_ctx; MpmCtx *mpm_uri_ctx_ts;
MpmCtx *mpm_hsbd_ctx; MpmCtx *mpm_hcbd_ctx_ts;
MpmCtx *mpm_hhd_ctx; MpmCtx *mpm_hsbd_ctx_ts;
MpmCtx *mpm_hrhd_ctx; MpmCtx *mpm_hhd_ctx_ts;
MpmCtx *mpm_hmd_ctx; MpmCtx *mpm_hrhd_ctx_ts;
MpmCtx *mpm_hcd_ctx; MpmCtx *mpm_hmd_ctx_ts;
MpmCtx *mpm_hrud_ctx; MpmCtx *mpm_hcd_ctx_ts;
MpmCtx *mpm_hrud_ctx_ts;
MpmCtx *mpm_proto_tcp_ctx_tc;
MpmCtx *mpm_proto_udp_ctx_tc;
MpmCtx *mpm_stream_ctx_tc;
MpmCtx *mpm_uri_ctx_tc;
MpmCtx *mpm_hcbd_ctx_tc;
MpmCtx *mpm_hsbd_ctx_tc;
MpmCtx *mpm_hhd_ctx_tc;
MpmCtx *mpm_hrhd_ctx_tc;
MpmCtx *mpm_hmd_ctx_tc;
MpmCtx *mpm_hcd_ctx_tc;
MpmCtx *mpm_hrud_ctx_tc;
uint16_t mpm_uricontent_maxlen; uint16_t mpm_uricontent_maxlen;

1
src/util-mpm-ac-gfbs.c
Unescape Escape View File

@ -777,6 +777,7 @@ static inline void SCACGfbsCreateModGotoTable(MpmCtx *mpm_ctx)
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
memset(ctx->goto_table_mod, 0, size); memset(ctx->goto_table_mod, 0, size);
printf("size- %d\n", size);
mpm_ctx->memory_cnt++; mpm_ctx->memory_cnt++;
mpm_ctx->memory_size += size; mpm_ctx->memory_size += size;

62
src/util-mpm.c
Unescape Escape View File

@ -80,12 +80,21 @@ int32_t MpmFactoryRegisterMpmCtxProfile(const char *name, uint8_t flags)
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
item[0].mpm_ctx = SCMalloc(sizeof(MpmCtx)); /* toserver */
if (item[0].mpm_ctx == NULL) { item[0].mpm_ctx_ts = SCMalloc(sizeof(MpmCtx));
if (item[0].mpm_ctx_ts == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
memset(item[0].mpm_ctx, 0, sizeof(MpmCtx)); memset(item[0].mpm_ctx_ts, 0, sizeof(MpmCtx));
/* toclient */
item[0].mpm_ctx_tc = SCMalloc(sizeof(MpmCtx));
if (item[0].mpm_ctx_tc == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
exit(EXIT_FAILURE);
}
memset(item[0].mpm_ctx_tc, 0, sizeof(MpmCtx));
/* our id starts from 0 always. Helps us with the ctx retrieval from /* our id starts from 0 always. Helps us with the ctx retrieval from
* the array */ * the array */
@ -106,13 +115,21 @@ int32_t MpmFactoryRegisterMpmCtxProfile(const char *name, uint8_t flags)
for (i = 0; i < mpm_ctx_factory_container->no_of_items; i++) { for (i = 0; i < mpm_ctx_factory_container->no_of_items; i++) {
if (items[i].name != NULL && strcmp(items[i].name, name) == 0) { if (items[i].name != NULL && strcmp(items[i].name, name) == 0) {
/* looks like we have this mpm_ctx freed */ /* looks like we have this mpm_ctx freed */
if (items[i].mpm_ctx == NULL) { if (items[i].mpm_ctx_ts == NULL) {
items[i].mpm_ctx = SCMalloc(sizeof(MpmCtx)); items[i].mpm_ctx_ts = SCMalloc(sizeof(MpmCtx));
if (items[i].mpm_ctx == NULL) { if (items[i].mpm_ctx_ts == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
memset(items[i].mpm_ctx, 0, sizeof(MpmCtx)); memset(items[i].mpm_ctx_ts, 0, sizeof(MpmCtx));
}
if (items[i].mpm_ctx_tc == NULL) {
items[i].mpm_ctx_tc = SCMalloc(sizeof(MpmCtx));
if (items[i].mpm_ctx_tc == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
exit(EXIT_FAILURE);
}
memset(items[i].mpm_ctx_tc, 0, sizeof(MpmCtx));
} }
items[i].flags = flags; items[i].flags = flags;
return items[i].id; return items[i].id;
@ -136,12 +153,21 @@ int32_t MpmFactoryRegisterMpmCtxProfile(const char *name, uint8_t flags)
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
new_item[0].mpm_ctx = SCMalloc(sizeof(MpmCtx)); /* toserver */
if (new_item[0].mpm_ctx == NULL) { new_item[0].mpm_ctx_ts = SCMalloc(sizeof(MpmCtx));
if (new_item[0].mpm_ctx_ts == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
exit(EXIT_FAILURE);
}
memset(new_item[0].mpm_ctx_ts, 0, sizeof(MpmCtx));
/* toclient */
new_item[0].mpm_ctx_tc = SCMalloc(sizeof(MpmCtx));
if (new_item[0].mpm_ctx_tc == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
memset(new_item[0].mpm_ctx, 0, sizeof(MpmCtx)); memset(new_item[0].mpm_ctx_tc, 0, sizeof(MpmCtx));
new_item[0].id = mpm_ctx_factory_container->no_of_items; new_item[0].id = mpm_ctx_factory_container->no_of_items;
new_item[0].flags = flags; new_item[0].flags = flags;
@ -162,14 +188,16 @@ int32_t MpmFactoryIsMpmCtxAvailable(MpmCtx *mpm_ctx)
} else { } else {
int i; int i;
for (i = 0; i < mpm_ctx_factory_container->no_of_items; i++) { for (i = 0; i < mpm_ctx_factory_container->no_of_items; i++) {
if (mpm_ctx == mpm_ctx_factory_container->items[i].mpm_ctx) if (mpm_ctx == mpm_ctx_factory_container->items[i].mpm_ctx_ts ||
mpm_ctx == mpm_ctx_factory_container->items[i].mpm_ctx_tc) {
return 1; return 1;
}
} }
return 0; return 0;
} }
} }
MpmCtx *MpmFactoryGetMpmCtxForProfile(int32_t id) MpmCtx *MpmFactoryGetMpmCtxForProfile(int32_t id, int direction)
{ {
if (id == MPM_CTX_FACTORY_UNIQUE_CONTEXT) { if (id == MPM_CTX_FACTORY_UNIQUE_CONTEXT) {
MpmCtx *mpm_ctx = SCMalloc(sizeof(MpmCtx)); MpmCtx *mpm_ctx = SCMalloc(sizeof(MpmCtx));
@ -186,7 +214,9 @@ MpmCtx *MpmFactoryGetMpmCtxForProfile(int32_t id)
/* this id does not exist */ /* this id does not exist */
return NULL; return NULL;
} else { } else {
return mpm_ctx_factory_container->items[id].mpm_ctx; return (direction == 0) ?
mpm_ctx_factory_container->items[id].mpm_ctx_ts :
mpm_ctx_factory_container->items[id].mpm_ctx_tc;
} }
} }
@ -211,8 +241,10 @@ void MpmFactoryDeRegisterAllMpmCtxProfiles(void)
for (i = 0; i < mpm_ctx_factory_container->no_of_items; i++) { for (i = 0; i < mpm_ctx_factory_container->no_of_items; i++) {
if (items[i].name != NULL) if (items[i].name != NULL)
SCFree(items[i].name); SCFree(items[i].name);
if (items[i].mpm_ctx != NULL) if (items[i].mpm_ctx_ts != NULL)
SCFree(items[i].mpm_ctx); SCFree(items[i].mpm_ctx_ts);
if (items[i].mpm_ctx_tc != NULL)
SCFree(items[i].mpm_ctx_tc);
} }
SCFree(mpm_ctx_factory_container->items); SCFree(mpm_ctx_factory_container->items);

5
src/util-mpm.h
Unescape Escape View File

@ -128,7 +128,8 @@ typedef struct MpmCtx_ {
typedef struct MpmCtxFactoryItem_ { typedef struct MpmCtxFactoryItem_ {
char *name; char *name;
MpmCtx *mpm_ctx; MpmCtx *mpm_ctx_ts;
MpmCtx *mpm_ctx_tc;
int32_t id; int32_t id;
uint8_t flags; uint8_t flags;
} MpmCtxFactoryItem; } MpmCtxFactoryItem;
@ -183,7 +184,7 @@ MpmTableElmt mpm_table[MPM_TABLE_SIZE];
int32_t MpmFactoryRegisterMpmCtxProfile(const char *, uint8_t); int32_t MpmFactoryRegisterMpmCtxProfile(const char *, uint8_t);
void MpmFactoryReClaimMpmCtx(MpmCtx *); void MpmFactoryReClaimMpmCtx(MpmCtx *);
MpmCtx *MpmFactoryGetMpmCtxForProfile(int32_t); MpmCtx *MpmFactoryGetMpmCtxForProfile(int32_t, int);
void MpmFactoryDeRegisterAllMpmCtxProfiles(void); void MpmFactoryDeRegisterAllMpmCtxProfiles(void);
int32_t MpmFactoryIsMpmCtxAvailable(MpmCtx *); int32_t MpmFactoryIsMpmCtxAvailable(MpmCtx *);

Write Preview
Loading…
Cancel
Save