aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Clean up signature flags creating room for merging flags and mpm_flags. Merge flags and mpm_flags. Move new mpm id's into signature header. Get rid of full signature access in signature prefiltering.

Browse Source
remotes/origin/master-1.1.x
Victor Julien 15 years ago
parent 169aa5581a
commit 435d0fb327
5 changed files with 68 additions and 72 deletions
Show Stats Download Patch File Download Diff File

12
src/detect-engine-mpm.c
Unescape Escape View File

@ -858,10 +858,10 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
}
/* tell matcher we are inspecting uri */
s->mpm_flags |= SIG_FLAG_MPM_HCBDCONTENT;
s->flags |= SIG_FLAG_MPM_HCBDCONTENT;
s->mpm_hcbdpattern_id = hcbd->id;
if (hcbd->flags & DETECT_CONTENT_NEGATED)
s->mpm_flags |= SIG_FLAG_MPM_HCBDCONTENT_NEG;
s->flags |= SIG_FLAG_MPM_HCBDCONTENT_NEG;
sgh->flags |= SIG_GROUP_HEAD_MPM_HCBD;
@ -913,10 +913,10 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
}
/* tell matcher we are inspecting uri */
s->mpm_flags |= SIG_FLAG_MPM_HHDCONTENT;
s->flags |= SIG_FLAG_MPM_HHDCONTENT;
s->mpm_hhdpattern_id = hhd->id;
if (hhd->flags & DETECT_CONTENT_NEGATED)
s->mpm_flags |= SIG_FLAG_MPM_HHDCONTENT_NEG;
s->flags |= SIG_FLAG_MPM_HHDCONTENT_NEG;
sgh->flags |= SIG_GROUP_HEAD_MPM_HHD;
@ -968,10 +968,10 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
}
/* tell matcher we are inspecting uri */
s->mpm_flags |= SIG_FLAG_MPM_HRHDCONTENT;
s->flags |= SIG_FLAG_MPM_HRHDCONTENT;
s->mpm_hrhdpattern_id = hrhd->id;
if (hrhd->flags & DETECT_CONTENT_NEGATED)
s->mpm_flags |= SIG_FLAG_MPM_HRHDCONTENT_NEG;
s->flags |= SIG_FLAG_MPM_HRHDCONTENT_NEG;
sgh->flags |= SIG_GROUP_HEAD_MPM_HRHD;

1
src/detect-engine-siggroup.c
Unescape Escape View File

@ -1596,6 +1596,7 @@ int SigGroupHeadBuildHeadArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
sgh->head_array[idx].hdr_copy1 = s->hdr_copy1;
sgh->head_array[idx].hdr_copy2 = s->hdr_copy2;
sgh->head_array[idx].hdr_copy3 = s->hdr_copy3;
sgh->head_array[idx].full_sig = s;
idx++;

8
src/detect-parse.c
Unescape Escape View File

@ -1324,10 +1324,6 @@ Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) {
continue;
sig->flags |= SIG_FLAG_MPM_URI;
if (ud->flags & DETECT_CONTENT_NEGATED) {
sig->flags |= SIG_FLAG_MPM_URI_NEG;
}
}
}
@ -1472,10 +1468,6 @@ Signature *SigInitReal(DetectEngineCtx *de_ctx, char *sigstr) {
continue;
sig->flags |= SIG_FLAG_MPM_URI;
if (ud->flags & DETECT_CONTENT_NEGATED) {
sig->flags |= SIG_FLAG_MPM_URI_NEG;
}
}
}

28
src/detect.c
Unescape Escape View File

@ -693,36 +693,36 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
}
if (s->full_sig->flags & SIG_FLAG_MPM_URICONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->full_sig->mpm_uripattern_id / 8)] &
(1 << (s->full_sig->mpm_uripattern_id % 8)))) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_uripattern_id / 8)] &
(1 << (s->mpm_uripattern_id % 8)))) {
if (!(s->full_sig->flags & SIG_FLAG_MPM_URICONTENT_NEG)) {
continue;
}
}
}
if (s->full_sig->mpm_flags & SIG_FLAG_MPM_HCBDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->full_sig->mpm_hcbdpattern_id / 8)] &
(1 << (s->full_sig->mpm_hcbdpattern_id % 8)))) {
if (!(s->full_sig->mpm_flags & SIG_FLAG_MPM_HCBDCONTENT_NEG)) {
if (s->flags & SIG_FLAG_MPM_HCBDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_hcbdpattern_id / 8)] &
(1 << (s->mpm_hcbdpattern_id % 8)))) {
if (!(s->flags & SIG_FLAG_MPM_HCBDCONTENT_NEG)) {
continue;
}
}
}
if (s->full_sig->mpm_flags & SIG_FLAG_MPM_HHDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->full_sig->mpm_hhdpattern_id / 8)] &
(1 << (s->full_sig->mpm_hhdpattern_id % 8)))) {
if (!(s->full_sig->mpm_flags & SIG_FLAG_MPM_HHDCONTENT_NEG)) {
if (s->flags & SIG_FLAG_MPM_HHDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_hhdpattern_id / 8)] &
(1 << (s->mpm_hhdpattern_id % 8)))) {
if (!(s->flags & SIG_FLAG_MPM_HHDCONTENT_NEG)) {
continue;
}
}
}
if (s->full_sig->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->full_sig->mpm_hrhdpattern_id / 8)] &
(1 << (s->full_sig->mpm_hrhdpattern_id % 8)))) {
if (!(s->full_sig->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT_NEG)) {
if (s->flags & SIG_FLAG_MPM_HRHDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_hrhdpattern_id / 8)] &
(1 << (s->mpm_hrhdpattern_id % 8)))) {
if (!(s->flags & SIG_FLAG_MPM_HRHDCONTENT_NEG)) {
continue;
}
}

91
src/detect.h
Unescape Escape View File

@ -218,41 +218,32 @@ typedef struct DetectPort_ {
#define SIG_FLAG_DEONLY 0x00000080 /**< decode event only signature */
#define SIG_FLAG_MPM 0x00000100 /**< sig has mpm portion (content) */
#define SIG_FLAG_MPM_NEGCONTENT 0x00000200 /**< sig has negative mpm portion(!content) */
#define SIG_FLAG_MPM_URI 0x00000400 /**< sig has mpm portion (uricontent) */
#define SIG_FLAG_MPM_URI_NEG 0x00000800 /**< sig has negative mpm portion(!uricontent) */
#define SIG_FLAG_PAYLOAD 0x00001000 /**< signature is inspecting the packet payload */
#define SIG_FLAG_DSIZE 0x00002000 /**< signature has a dsize setting */
#define SIG_FLAG_FLOW 0x00004000 /**< signature has a flow setting */
#define SIG_FLAG_APPLAYER 0x00008000 /**< signature applies to app layer instead of packets */
#define SIG_FLAG_BIDIREC 0x00010000 /**< signature has bidirectional operator */
#define SIG_FLAG_PACKET 0x00020000 /**< signature has matches against a packet (as opposed to app layer) */
// 0x00040000 unused
#define SIG_FLAG_STATE_MATCH 0x00080000 /**< signature has matches that require stateful inspection */
// 0x00100000 unused
// 0x00200000 unused
// 0x00400000 unused
// 0x00800000 unused
#define SIG_FLAG_MPM_PACKET 0x01000000
#define SIG_FLAG_MPM_PACKET_NEG 0x02000000
#define SIG_FLAG_MPM_STREAM 0x04000000
#define SIG_FLAG_MPM_STREAM_NEG 0x08000000
#define SIG_FLAG_MPM_URICONTENT 0x10000000
#define SIG_FLAG_MPM_URICONTENT_NEG 0x20000000
#define SIG_FLAG_HAS_NO_PKT_AND_STREAM_CONTENT 0x40000000
/* the mpm specific flags in Signature, held in Signature->mpm_flags */
#define SIG_FLAG_MPM_HHDCONTENT 0x00000001
#define SIG_FLAG_MPM_HHDCONTENT_NEG 0x00000002
#define SIG_FLAG_MPM_HRHDCONTENT 0x00000004
#define SIG_FLAG_MPM_HRHDCONTENT_NEG 0x00000008
#define SIG_FLAG_MPM_HCBDCONTENT 0x00000010
#define SIG_FLAG_MPM_HCBDCONTENT_NEG 0x00000020
#define SIG_FLAG_MPM_URI 0x00000200 /**< sig has mpm portion (uricontent) */
#define SIG_FLAG_PAYLOAD 0x00000400 /**< signature is inspecting the packet payload */
#define SIG_FLAG_DSIZE 0x00000800 /**< signature has a dsize setting */
#define SIG_FLAG_FLOW 0x00001000 /**< signature has a flow setting */
#define SIG_FLAG_APPLAYER 0x00002000 /**< signature applies to app layer instead of packets */
#define SIG_FLAG_BIDIREC 0x00004000 /**< signature has bidirectional operator */
#define SIG_FLAG_PACKET 0x00008000 /**< signature has matches against a packet (as opposed to app layer) */
#define SIG_FLAG_STATE_MATCH 0x00010000 /**< signature has matches that require stateful inspection */
#define SIG_FLAG_HAS_NO_PKT_AND_STREAM_CONTENT 0x00020000
#define SIG_FLAG_MPM_PACKET 0x00040000
#define SIG_FLAG_MPM_PACKET_NEG 0x00080000
#define SIG_FLAG_MPM_STREAM 0x00100000
#define SIG_FLAG_MPM_STREAM_NEG 0x00200000
#define SIG_FLAG_MPM_URICONTENT 0x00400000
#define SIG_FLAG_MPM_URICONTENT_NEG 0x00800000
#define SIG_FLAG_MPM_HHDCONTENT 0x01000000
#define SIG_FLAG_MPM_HHDCONTENT_NEG 0x02000000
#define SIG_FLAG_MPM_HRHDCONTENT 0x04000000
#define SIG_FLAG_MPM_HRHDCONTENT_NEG 0x08000000
#define SIG_FLAG_MPM_HCBDCONTENT 0x10000000
#define SIG_FLAG_MPM_HCBDCONTENT_NEG 0x20000000
/* signature mask flags */
@ -314,9 +305,16 @@ typedef struct SignatureHeader_ {
};
uint64_t hdr_copy2;
};
//PatIntId mpm_pattern_id;
//PatIntId mpm_stream_pattern_id;
union {
struct {
/** pattern in the mpm matcher */
PatIntId mpm_uripattern_id;
PatIntId mpm_hcbdpattern_id;
PatIntId mpm_hhdpattern_id;
PatIntId mpm_hrhdpattern_id;
};
uint64_t hdr_copy3;
};
/** pointer to the full signature */
struct Signature_ *full_sig;
@ -351,9 +349,19 @@ typedef struct Signature_ {
};
uint64_t hdr_copy2;
};
union {
struct {
/** pattern in the mpm matcher */
PatIntId mpm_uripattern_id;
PatIntId mpm_hcbdpattern_id;
PatIntId mpm_hhdpattern_id;
PatIntId mpm_hrhdpattern_id;
};
uint64_t hdr_copy3;
};
/* mpm flags */
uint32_t mpm_flags;
// uint32_t mpm_flags;
//PatIntId mpm_pattern_id;
//PatIntId mpm_stream_pattern_id;
@ -370,11 +378,6 @@ typedef struct Signature_ {
uint8_t mpm_stream_pattern_id_mod_8;
uint8_t pad1;
*/
/** pattern in the mpm matcher */
PatIntId mpm_uripattern_id;
PatIntId mpm_hcbdpattern_id;
PatIntId mpm_hhdpattern_id;
PatIntId mpm_hrhdpattern_id;
/* the fast pattern added from this signature */
SigMatch *mpm_sm;

Write Preview
Loading…
Cancel
Save