From 435d0fb327a46e0586733dd7a8beb7bb93439483 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Wed, 8 Dec 2010 12:22:22 +0100 Subject: [PATCH] Clean up signature flags creating room for merging flags and mpm_flags. Merge flags and mpm_flags. Move new mpm id's into signature header. Get rid of full signature access in signature prefiltering. --- src/detect-engine-mpm.c | 12 ++--- src/detect-engine-siggroup.c | 1 + src/detect-parse.c | 8 ---- src/detect.c | 28 +++++------ src/detect.h | 91 +++++++++++++++++++----------------- 5 files changed, 68 insertions(+), 72 deletions(-) diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index 934af2e352..a78e7f2803 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -858,10 +858,10 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, } } /* tell matcher we are inspecting uri */ - s->mpm_flags |= SIG_FLAG_MPM_HCBDCONTENT; + s->flags |= SIG_FLAG_MPM_HCBDCONTENT; s->mpm_hcbdpattern_id = hcbd->id; if (hcbd->flags & DETECT_CONTENT_NEGATED) - s->mpm_flags |= SIG_FLAG_MPM_HCBDCONTENT_NEG; + s->flags |= SIG_FLAG_MPM_HCBDCONTENT_NEG; sgh->flags |= SIG_GROUP_HEAD_MPM_HCBD; @@ -913,10 +913,10 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, } } /* tell matcher we are inspecting uri */ - s->mpm_flags |= SIG_FLAG_MPM_HHDCONTENT; + s->flags |= SIG_FLAG_MPM_HHDCONTENT; s->mpm_hhdpattern_id = hhd->id; if (hhd->flags & DETECT_CONTENT_NEGATED) - s->mpm_flags |= SIG_FLAG_MPM_HHDCONTENT_NEG; + s->flags |= SIG_FLAG_MPM_HHDCONTENT_NEG; sgh->flags |= SIG_GROUP_HEAD_MPM_HHD; @@ -968,10 +968,10 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, } } /* tell matcher we are inspecting uri */ - s->mpm_flags |= SIG_FLAG_MPM_HRHDCONTENT; + s->flags |= SIG_FLAG_MPM_HRHDCONTENT; s->mpm_hrhdpattern_id = hrhd->id; if (hrhd->flags & DETECT_CONTENT_NEGATED) - s->mpm_flags |= SIG_FLAG_MPM_HRHDCONTENT_NEG; + s->flags |= SIG_FLAG_MPM_HRHDCONTENT_NEG; sgh->flags |= SIG_GROUP_HEAD_MPM_HRHD; 
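Review bot: The `s->flags |= SIG_FLAG_MPM_HCBDCONTENT` and `s->mpm_hcbdpattern_id = hcbd->id` writes now reach the prefilter only through the header snapshot that SigGroupHeadBuildHeadArray copies via `hdr_copy1`..`hdr_copy3`; the prefilter no longer reads them live through `full_sig`. If that array is ever built before PopulateMpmAddPatternToMpm runs, the prefilter would see stale flags and ids and skip signatures without any error. The call order is not visible in this patch, so please confirm it and record it next to these writes, for example `/* must run before SigGroupHeadBuildHeadArray(): the prefilter reads the header copy */`. The same applies to the HHD and HRHD hunks below. The context comment `/* tell matcher we are inspecting uri */` above all three is stale for these buffers. The function body starts and ends outside the hunks.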
diff --git a/src/detect-engine-siggroup.c b/src/detect-engine-siggroup.c index 8f916f9aed..0ff6a77121 100644 --- a/src/detect-engine-siggroup.c +++ b/src/detect-engine-siggroup.c @@ -1596,6 +1596,7 @@ int SigGroupHeadBuildHeadArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh) sgh->head_array[idx].hdr_copy1 = s->hdr_copy1; sgh->head_array[idx].hdr_copy2 = s->hdr_copy2; + sgh->head_array[idx].hdr_copy3 = s->hdr_copy3; sgh->head_array[idx].full_sig = s; idx++; diff --git a/src/detect-parse.c b/src/detect-parse.c index 1949282fba..4f8907f569 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -1324,10 +1324,6 @@ Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) { continue; sig->flags |= SIG_FLAG_MPM_URI; - - if (ud->flags & DETECT_CONTENT_NEGATED) { - sig->flags |= SIG_FLAG_MPM_URI_NEG; - } } } @@ -1472,10 +1468,6 @@ Signature *SigInitReal(DetectEngineCtx *de_ctx, char *sigstr) { continue; sig->flags |= SIG_FLAG_MPM_URI; - - if (ud->flags & DETECT_CONTENT_NEGATED) { - sig->flags |= SIG_FLAG_MPM_URI_NEG; - } } } diff --git a/src/detect.c b/src/detect.c index 8729d03811..f01f6d5100 100644 --- a/src/detect.c +++ b/src/detect.c 
@@ -693,36 +693,36 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx, } if (s->full_sig->flags & SIG_FLAG_MPM_URICONTENT) { - if (!(det_ctx->pmq.pattern_id_bitarray[(s->full_sig->mpm_uripattern_id / 8)] & - (1 << (s->full_sig->mpm_uripattern_id % 8)))) { + if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_uripattern_id / 8)] & + (1 << (s->mpm_uripattern_id % 8)))) { if (!(s->full_sig->flags & SIG_FLAG_MPM_URICONTENT_NEG)) { continue; } } } - if (s->full_sig->mpm_flags & SIG_FLAG_MPM_HCBDCONTENT) { - if (!(det_ctx->pmq.pattern_id_bitarray[(s->full_sig->mpm_hcbdpattern_id / 8)] & - (1 << (s->full_sig->mpm_hcbdpattern_id % 8)))) { - if (!(s->full_sig->mpm_flags & SIG_FLAG_MPM_HCBDCONTENT_NEG)) { + if (s->flags & SIG_FLAG_MPM_HCBDCONTENT) { + if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_hcbdpattern_id / 8)] & + (1 << (s->mpm_hcbdpattern_id % 8)))) { + if (!(s->flags & SIG_FLAG_MPM_HCBDCONTENT_NEG)) { continue; } } } - if (s->full_sig->mpm_flags & SIG_FLAG_MPM_HHDCONTENT) { - if (!(det_ctx->pmq.pattern_id_bitarray[(s->full_sig->mpm_hhdpattern_id / 8)] & - (1 << (s->full_sig->mpm_hhdpattern_id % 8)))) { - if (!(s->full_sig->mpm_flags & SIG_FLAG_MPM_HHDCONTENT_NEG)) { + if (s->flags & SIG_FLAG_MPM_HHDCONTENT) { + if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_hhdpattern_id / 8)] & + (1 << (s->mpm_hhdpattern_id % 8)))) { + if (!(s->flags & SIG_FLAG_MPM_HHDCONTENT_NEG)) { continue; } } } - if (s->full_sig->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT) { - if (!(det_ctx->pmq.pattern_id_bitarray[(s->full_sig->mpm_hrhdpattern_id / 8)] & - (1 << (s->full_sig->mpm_hrhdpattern_id % 8)))) { - if (!(s->full_sig->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT_NEG)) { + if (s->flags & SIG_FLAG_MPM_HRHDCONTENT) { + if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_hrhdpattern_id / 8)] & + (1 << (s->mpm_hrhdpattern_id % 8)))) { + if (!(s->flags & SIG_FLAG_MPM_HRHDCONTENT_NEG)) { continue; } } diff --git a/src/detect.h b/src/detect.h index fb45ece324..4efb273304 100644 
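Review bot: The URICONTENT branch at the top of this hunk still dereferences `s->full_sig->flags` twice, although the pattern id next to it is already read from the header and the commit message says full signature access is removed from prefiltering. Since the HCBD/HHD/HRHD branches test `s->flags`, the URI branch can do the same: `if (s->flags & SIG_FLAG_MPM_URICONTENT) {` and `if (!(s->flags & SIG_FLAG_MPM_URICONTENT_NEG)) {`. Leaving it mixed keeps the extra pointer chase per signature and makes it unclear which copy of the flags is authoritative. SigMatchSignaturesBuildMatchArray continues outside the hunk.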
--- a/src/detect.h +++ b/src/detect.h 
@@ -218,41 +218,32 @@ typedef struct DetectPort_ { #define SIG_FLAG_DEONLY 0x00000080 /**< decode event only signature */ #define SIG_FLAG_MPM 0x00000100 /**< sig has mpm portion (content) */ -#define SIG_FLAG_MPM_NEGCONTENT 0x00000200 /**< sig has negative mpm portion(!content) */ -#define SIG_FLAG_MPM_URI 0x00000400 /**< sig has mpm portion (uricontent) */ -#define SIG_FLAG_MPM_URI_NEG 0x00000800 /**< sig has negative mpm portion(!uricontent) */ - -#define SIG_FLAG_PAYLOAD 0x00001000 /**< signature is inspecting the packet payload */ -#define SIG_FLAG_DSIZE 0x00002000 /**< signature has a dsize setting */ -#define SIG_FLAG_FLOW 0x00004000 /**< signature has a flow setting */ - -#define SIG_FLAG_APPLAYER 0x00008000 /**< signature applies to app layer instead of packets */ -#define SIG_FLAG_BIDIREC 0x00010000 /**< signature has bidirectional operator */ -#define SIG_FLAG_PACKET 0x00020000 /**< signature has matches against a packet (as opposed to app layer) */ - -// 0x00040000 unused -#define SIG_FLAG_STATE_MATCH 0x00080000 /**< signature has matches that require stateful inspection */ -// 0x00100000 unused -// 0x00200000 unused -// 0x00400000 unused -// 0x00800000 unused - -#define SIG_FLAG_MPM_PACKET 0x01000000 -#define SIG_FLAG_MPM_PACKET_NEG 0x02000000 -#define SIG_FLAG_MPM_STREAM 0x04000000 -#define SIG_FLAG_MPM_STREAM_NEG 0x08000000 -#define SIG_FLAG_MPM_URICONTENT 0x10000000 -#define SIG_FLAG_MPM_URICONTENT_NEG 0x20000000 - -#define SIG_FLAG_HAS_NO_PKT_AND_STREAM_CONTENT 0x40000000 - -/* the mpm specific flags in Signature, held in Signature->mpm_flags */ -#define SIG_FLAG_MPM_HHDCONTENT 0x00000001 -#define SIG_FLAG_MPM_HHDCONTENT_NEG 0x00000002 -#define SIG_FLAG_MPM_HRHDCONTENT 0x00000004 -#define SIG_FLAG_MPM_HRHDCONTENT_NEG 0x00000008 -#define SIG_FLAG_MPM_HCBDCONTENT 0x00000010 -#define SIG_FLAG_MPM_HCBDCONTENT_NEG 0x00000020 +#define SIG_FLAG_MPM_URI 0x00000200 /**< sig has mpm portion (uricontent) */ +#define SIG_FLAG_PAYLOAD 0x00000400 /**< signature 
is inspecting the packet payload */ +#define SIG_FLAG_DSIZE 0x00000800 /**< signature has a dsize setting */ + +#define SIG_FLAG_FLOW 0x00001000 /**< signature has a flow setting */ +#define SIG_FLAG_APPLAYER 0x00002000 /**< signature applies to app layer instead of packets */ +#define SIG_FLAG_BIDIREC 0x00004000 /**< signature has bidirectional operator */ +#define SIG_FLAG_PACKET 0x00008000 /**< signature has matches against a packet (as opposed to app layer) */ + +#define SIG_FLAG_STATE_MATCH 0x00010000 /**< signature has matches that require stateful inspection */ +#define SIG_FLAG_HAS_NO_PKT_AND_STREAM_CONTENT 0x00020000 +#define SIG_FLAG_MPM_PACKET 0x00040000 +#define SIG_FLAG_MPM_PACKET_NEG 0x00080000 + +#define SIG_FLAG_MPM_STREAM 0x00100000 +#define SIG_FLAG_MPM_STREAM_NEG 0x00200000 +#define SIG_FLAG_MPM_URICONTENT 0x00400000 +#define SIG_FLAG_MPM_URICONTENT_NEG 0x00800000 + +#define SIG_FLAG_MPM_HHDCONTENT 0x01000000 +#define SIG_FLAG_MPM_HHDCONTENT_NEG 0x02000000 +#define SIG_FLAG_MPM_HRHDCONTENT 0x04000000 +#define SIG_FLAG_MPM_HRHDCONTENT_NEG 0x08000000 + +#define SIG_FLAG_MPM_HCBDCONTENT 0x10000000 +#define SIG_FLAG_MPM_HCBDCONTENT_NEG 0x20000000 /* signature mask flags */ @@ -314,9 +305,16 @@ typedef struct SignatureHeader_ { }; uint64_t hdr_copy2; }; - - //PatIntId mpm_pattern_id; - //PatIntId mpm_stream_pattern_id; + union { + struct { + /** pattern in the mpm matcher */ + PatIntId mpm_uripattern_id; + PatIntId mpm_hcbdpattern_id; + PatIntId mpm_hhdpattern_id; + PatIntId mpm_hrhdpattern_id; + }; + uint64_t hdr_copy3; + }; /** pointer to the full signature */ struct Signature_ *full_sig; 
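Review bot: The merged MPM defines at the end of this block (`SIG_FLAG_MPM_PACKET` through `SIG_FLAG_MPM_HCBDCONTENT_NEG`) have no `/**< ... */` description, unlike the flags above them, and the new layout no longer records which bits are free. The old `// 0x... unused` markers are gone. Of the values visible here only 0x40000000 and 0x80000000 remain unassigned, assuming `flags` is a 32-bit field. A line such as `/* 0x40000000 and 0x80000000 are the only free bits in flags */` would stop the next added flag from colliding with an existing one.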
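Review bot: The new union in SignatureHeader_ overlays four `PatIntId` members with a single `uint64_t hdr_copy3`, and SigGroupHeadBuildHeadArray copies only `hdr_copy3`, so the copy is complete only while `PatIntId` is at most 16 bits wide. Its definition is not visible in this patch. If it is ever widened, `mpm_hhdpattern_id` and `mpm_hrhdpattern_id` in the head array would be left uncopied, and the prefilter would test the wrong bit in `pattern_id_bitarray` and silently skip signatures. A compile-time guard next to the union would pin this, e.g. `_Static_assert(4 * sizeof(PatIntId) <= sizeof(uint64_t), "hdr_copy3 must cover all mpm pattern ids");` or the project's equivalent. The identical union added to Signature_ in the next hunk needs the same guard.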
@@ -351,9 +349,19 @@ typedef struct Signature_ { }; uint64_t hdr_copy2; }; + union { + struct { + /** pattern in the mpm matcher */ + PatIntId mpm_uripattern_id; + PatIntId mpm_hcbdpattern_id; + PatIntId mpm_hhdpattern_id; + PatIntId mpm_hrhdpattern_id; + }; + uint64_t hdr_copy3; + }; /* mpm flags */ - uint32_t mpm_flags; +// uint32_t mpm_flags; //PatIntId mpm_pattern_id; //PatIntId mpm_stream_pattern_id; @@ -370,11 +378,6 @@ typedef struct Signature_ { uint8_t mpm_stream_pattern_id_mod_8; uint8_t pad1; */ - /** pattern in the mpm matcher */ - PatIntId mpm_uripattern_id; - PatIntId mpm_hcbdpattern_id; - PatIntId mpm_hhdpattern_id; - PatIntId mpm_hrhdpattern_id; /* the fast pattern added from this signature */ SigMatch *mpm_sm;
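Review bot: The retired field is left behind as commented-out code, `// uint32_t mpm_flags;`, under a `/* mpm flags */` heading that now describes nothing. Since every user in this patch was switched to `flags`, both lines can be deleted rather than kept; a reader checking where the MPM flags live would otherwise look for a second flag word. The struct continues outside the hunk.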