modify detection engine to carry out hcbd mpm run before build match array if alproto is http and if sgh has at least one sig with hcbd mpm set

remotes/origin/master-1.1.x
Anoop Saldanha 15 years ago committed by Victor Julien
parent 72b0fcf419
commit 4e273f2c8b

@ -252,38 +252,57 @@ match:
* \brief Helps buffer request bodies for different transactions and stores them * \brief Helps buffer request bodies for different transactions and stores them
* away in detection code. Also calls the mpm on the bodies. * away in detection code. Also calls the mpm on the bodies.
* *
* \param de_ctx Detection Engine ctx.
* \param det_ctx Detection engine thread ctx. * \param det_ctx Detection engine thread ctx.
* \param f Pointer to the flow. * \param f Pointer to the flow.
* \param htp_state http state. * \param htp_state http state.
* *
* \retval cnt The match count from the mpm call. If call_mpm is 0, the retval
* is ignored.
*
* \warning Make sure flow is locked. * \warning Make sure flow is locked.
*/ */
static uint32_t DetectEngineInspectHttpClientBodyMpmInspect(DetectEngineCtx *de_ctx, void DetectEngineBufferHttpClientBodies(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, DetectEngineThreadCtx *det_ctx,
Signature *s, Flow *f, Flow *f, HtpState *htp_state)
HtpState *htp_state)
{ {
uint32_t cnt = 0;
size_t idx = 0; size_t idx = 0;
htp_tx_t *tx = NULL; htp_tx_t *tx = NULL;
int i = 0; int i = 0;
for (idx = AppLayerTransactionGetInspectId(f); /* it is either the first entry into this function. If it is not,
i < det_ctx->hcbd_buffers_list_len; idx++, i++) { * then we just don't have any http transactions */
if (det_ctx->hcbd_buffers_list_len == 0) {
/* get the transaction id */
int tmp_idx = AppLayerTransactionGetInspectId(f);
/* error! get out of here */
if (tmp_idx == -1)
return;
/* if the buffer already exists, use it */ /* let's get the transaction count. We need this to hold the client body
if (det_ctx->hcbd_buffers[i] != NULL) { * buffer for each transaction */
/* we only call the mpm if the hcbd mpm has been set */ det_ctx->hcbd_buffers_list_len = list_size(htp_state->connp->conn->transactions) - tmp_idx;
if (s->mpm_flags & SIG_FLAG_MPM_HCBDCONTENT) { /* no transactions?! cool. get out of here */
cnt += HttpClientBodyPatternSearch(det_ctx, if (det_ctx->hcbd_buffers_list_len == 0)
det_ctx->hcbd_buffers[i], return;
det_ctx->hcbd_buffers_len[i]);
} /* assign space to hold buffers. Each per transaction */
continue; det_ctx->hcbd_buffers = SCMalloc(det_ctx->hcbd_buffers_list_len * sizeof(uint8_t *));
if (det_ctx->hcbd_buffers == NULL) {
return;
}
memset(det_ctx->hcbd_buffers, 0, det_ctx->hcbd_buffers_list_len * sizeof(uint8_t *));
det_ctx->hcbd_buffers_len = SCMalloc(det_ctx->hcbd_buffers_list_len * sizeof(uint32_t));
if (det_ctx->hcbd_buffers_len == NULL) {
return;
} }
memset(det_ctx->hcbd_buffers_len, 0, det_ctx->hcbd_buffers_list_len * sizeof(uint32_t));
} else {
/* we already have the buffer space alloted. Get out of there */
return;
}
for (idx = AppLayerTransactionGetInspectId(f);
i < det_ctx->hcbd_buffers_list_len; idx++, i++) {
tx = list_get(htp_state->connp->conn->transactions, idx); tx = list_get(htp_state->connp->conn->transactions, idx);
if (tx == NULL) if (tx == NULL)
@ -328,7 +347,7 @@ static uint32_t DetectEngineInspectHttpClientBodyMpmInspect(DetectEngineCtx *de_
chunks_buffer_len += cur->len; chunks_buffer_len += cur->len;
if ( (chunks_buffer = SCRealloc(chunks_buffer, chunks_buffer_len)) == NULL) { if ( (chunks_buffer = SCRealloc(chunks_buffer, chunks_buffer_len)) == NULL) {
goto end; return;
} }
memcpy(chunks_buffer + chunks_buffer_len - cur->len, cur->data, cur->len); memcpy(chunks_buffer + chunks_buffer_len - cur->len, cur->data, cur->len);
@ -338,16 +357,27 @@ static uint32_t DetectEngineInspectHttpClientBodyMpmInspect(DetectEngineCtx *de_
det_ctx->hcbd_buffers[i] = chunks_buffer; det_ctx->hcbd_buffers[i] = chunks_buffer;
det_ctx->hcbd_buffers_len[i] = chunks_buffer_len; det_ctx->hcbd_buffers_len[i] = chunks_buffer_len;
/* carry out the mpm if we have hcbd mpm set */
if (s->mpm_flags & SIG_FLAG_MPM_HCBDCONTENT)
cnt += HttpClientBodyPatternSearch(det_ctx, chunks_buffer, chunks_buffer_len);
} /* else - if (htud->body.nchunks == 0) */ } /* else - if (htud->body.nchunks == 0) */
} /* for (idx = AppLayerTransactionGetInspectId(f); .. */ } /* for (idx = AppLayerTransactionGetInspectId(f); .. */
end: return;
SCReturnUInt(cnt); }
int DetectEngineRunHttpClientBodyMpm(DetectEngineThreadCtx *det_ctx)
{
int i;
uint32_t cnt = 0;
for (i = 0; i < det_ctx->hcbd_buffers_list_len; i++) {
cnt += HttpClientBodyPatternSearch(det_ctx,
det_ctx->hcbd_buffers[i],
det_ctx->hcbd_buffers_len[i]);
}
return cnt;
} }
/** /**
* \brief Do the http_client_body content inspection for a signature. * \brief Do the http_client_body content inspection for a signature.
* *
@ -385,67 +415,37 @@ int DetectEngineInspectHttpClientBody(DetectEngineCtx *de_ctx,
goto end; goto end;
} }
/* it is either the first entry into this function. If it is not, DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, f, htp_state);
* then we just don't have any http transactions */
if (det_ctx->hcbd_buffers_list_len == 0) { //if (s->mpm_flags & SIG_FLAG_MPM_HCBDCONTENT) {
/* get the transaction id */ // if (det_ctx->de_mpm_scanned_hcbd == FALSE) {
int tmp_idx = AppLayerTransactionGetInspectId(f); // uint32_t cnt = DetectEngineInspectHttpClientBodyMpmInspect(de_ctx,
/* error! get out of here */ // det_ctx, s,
if (tmp_idx == -1) // f, htp_state);
goto end; // if (cnt <= 0)
// det_ctx->de_have_hcbd = FALSE;
/* let's get the transaction count. We need this to hold the client body //
* buffer for each transaction */ // det_ctx->de_mpm_scanned_hcbd = TRUE;
det_ctx->hcbd_buffers_list_len = list_size(htp_state->connp->conn->transactions) - tmp_idx; // }
/* no transactions?! cool. get out of here */ //} else {
if (det_ctx->hcbd_buffers_list_len == 0) // DetectEngineInspectHttpClientBodyMpmInspect(de_ctx, det_ctx, s, f,
goto end; // htp_state);
//}
/* assign space to hold buffers. Each per transaction */
det_ctx->hcbd_buffers = SCMalloc(det_ctx->hcbd_buffers_list_len * sizeof(uint8_t *)); //if (det_ctx->de_have_hcbd == FALSE &&
if (det_ctx->hcbd_buffers == NULL) { // s->mpm_flags & SIG_FLAG_MPM_HCBDCONTENT &&
r = 0; // !(s->mpm_flags & SIG_FLAG_MPM_HCBDCONTENT_NEG)) {
goto end; // SCLogDebug("mpm results failure for client_body. Get out of here");
} // goto end;
memset(det_ctx->hcbd_buffers, 0, det_ctx->hcbd_buffers_list_len * sizeof(uint8_t *)); //}
//
det_ctx->hcbd_buffers_len = SCMalloc(det_ctx->hcbd_buffers_list_len * sizeof(uint32_t)); //if ((s->mpm_flags & SIG_FLAG_MPM_HCBDCONTENT) && (det_ctx->de_mpm_scanned_hcbd == TRUE)) {
if (det_ctx->hcbd_buffers_len == NULL) { // /* filter out the sig that needs a match, but have no matches */
r = 0; // if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_hcbdpattern_id / 8)] & (1 << (s->mpm_hcbdpattern_id % 8))) &&
goto end; // !(s->mpm_flags & SIG_FLAG_MPM_HCBDCONTENT_NEG)) {
} // goto end;
memset(det_ctx->hcbd_buffers_len, 0, det_ctx->hcbd_buffers_list_len * sizeof(uint32_t)); // }
} /* if (det_ctx->hcbd_buffers_list_len == 0) */ //}
if (s->mpm_flags & SIG_FLAG_MPM_HCBDCONTENT) {
if (det_ctx->de_mpm_scanned_hcbd == FALSE) {
uint32_t cnt = DetectEngineInspectHttpClientBodyMpmInspect(de_ctx,
det_ctx, s,
f, htp_state);
if (cnt <= 0)
det_ctx->de_have_hcbd = FALSE;
det_ctx->de_mpm_scanned_hcbd = TRUE;
}
} else {
DetectEngineInspectHttpClientBodyMpmInspect(de_ctx, det_ctx, s, f,
htp_state);
}
if (det_ctx->de_have_hcbd == FALSE &&
s->mpm_flags & SIG_FLAG_MPM_HCBDCONTENT &&
!(s->mpm_flags & SIG_FLAG_MPM_HCBDCONTENT_NEG)) {
SCLogDebug("mpm results failure for client_body. Get out of here");
goto end;
}
if ((s->mpm_flags & SIG_FLAG_MPM_HCBDCONTENT) && (det_ctx->de_mpm_scanned_hcbd == TRUE)) {
/* filter out the sig that needs a match, but have no matches */
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_hcbdpattern_id / 8)] & (1 << (s->mpm_hcbdpattern_id % 8))) &&
!(s->mpm_flags & SIG_FLAG_MPM_HCBDCONTENT_NEG)) {
goto end;
}
}
for (i = 0; i < det_ctx->hcbd_buffers_list_len; i++) { for (i = 0; i < det_ctx->hcbd_buffers_list_len; i++) {
uint8_t *hcbd_buffer = det_ctx->hcbd_buffers[i]; uint8_t *hcbd_buffer = det_ctx->hcbd_buffers[i];
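Review bot: The allocation-failure returns in the first hunk of DetectEngineBufferHttpClientBodies leave det_ctx->hcbd_buffers_list_len non-zero while det_ctx->hcbd_buffers or det_ctx->hcbd_buffers_len is still NULL, and because the function is now void the new caller in RunMpmsOnFlow goes straight on to DetectEngineRunHttpClientBodyMpm, whose loop indexes both arrays up to hcbd_buffers_list_len (the old version at least stopped the signature via `r = 0; goto end;`). Every failure path should reset the list length, and free the first array when the second allocation fails, so that later calls see the "first entry" state again and the run loop has nothing to iterate. The SCRealloc failure in the second hunk has the same flavour: it returns with hcbd_buffers[i] still NULL for the current and all remaining transactions, which the run loop then hands to HttpClientBodyPatternSearch as a NULL buffer of length 0 — I cannot see from here whether that function tolerates it. Separately, the block of commented-out mpm logic left in DetectEngineInspectHttpClientBody in the last hunk should be deleted rather than kept, since that check now lives in SigMatchSignaturesBuildMatchArray.
```c
/* … unchanged: transaction id lookup and hcbd_buffers_list_len computation … */
det_ctx->hcbd_buffers = SCMalloc(det_ctx->hcbd_buffers_list_len * sizeof(uint8_t *));
if (det_ctx->hcbd_buffers == NULL) {
    /* callers loop up to hcbd_buffers_list_len: leave no half-built state behind */
    det_ctx->hcbd_buffers_list_len = 0;
    return;
}
memset(det_ctx->hcbd_buffers, 0, det_ctx->hcbd_buffers_list_len * sizeof(uint8_t *));

det_ctx->hcbd_buffers_len = SCMalloc(det_ctx->hcbd_buffers_list_len * sizeof(uint32_t));
if (det_ctx->hcbd_buffers_len == NULL) {
    SCFree(det_ctx->hcbd_buffers);
    det_ctx->hcbd_buffers = NULL;
    det_ctx->hcbd_buffers_list_len = 0;
    return;
}
/* … unchanged: memset of hcbd_buffers_len and the per-transaction buffering loop … */
```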

@ -25,8 +25,17 @@
#define ENGINE_HCBD_BUFFER_LIMIT 20000 #define ENGINE_HCBD_BUFFER_LIMIT 20000
int DetectEngineInspectHttpClientBody(DetectEngineCtx *, DetectEngineThreadCtx *, #include "app-layer-htp.h"
Signature *, Flow *, uint8_t, void *);
int DetectEngineRunHttpClientBodyMpm(DetectEngineThreadCtx *);
void DetectEngineBufferHttpClientBodies(DetectEngineCtx *,
DetectEngineThreadCtx *,
Flow *, HtpState *);
int DetectEngineInspectHttpClientBody(DetectEngineCtx *,
DetectEngineThreadCtx *,
Signature *, Flow *, uint8_t,
void *);
void DetectEngineCleanHCBDBuffers(DetectEngineThreadCtx *); void DetectEngineCleanHCBDBuffers(DetectEngineThreadCtx *);
void DetectEngineHttpClientBodyRegisterTests(void); void DetectEngineHttpClientBodyRegisterTests(void);

@ -701,6 +701,15 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
} }
} }
if (s->full_sig->mpm_flags & SIG_FLAG_MPM_HCBDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->full_sig->mpm_hcbdpattern_id / 8)] &
(1 << (s->full_sig->mpm_hcbdpattern_id % 8)))) {
if (!(s->full_sig->mpm_flags & SIG_FLAG_MPM_HCBDCONTENT_NEG)) {
continue;
}
}
}
/* de_state check, filter out all signatures that already had a match before /* de_state check, filter out all signatures that already had a match before
* or just partially match */ * or just partially match */
if (s->flags & SIG_FLAG_AMATCH || s->flags & SIG_FLAG_UMATCH || if (s->flags & SIG_FLAG_AMATCH || s->flags & SIG_FLAG_UMATCH ||
@ -916,12 +925,13 @@ static inline void RunMpmsOnFlow(DetectEngineCtx *de_ctx,
cnt = DetectUricontentInspectMpm(det_ctx, p->flow, alstate); cnt = DetectUricontentInspectMpm(det_ctx, p->flow, alstate);
SCLogDebug("uri search: cnt %" PRIu32, cnt); SCLogDebug("uri search: cnt %" PRIu32, cnt);
} }
//if (sgh->flags & SIG_GROUP_HEAD_MPM_HCBD) { if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCBD) {
// cnt = DetectEngineInspectHttpClientBodyMpmInspect(de_ctx, det_ctx, DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, p->flow, alstate);
// f, htp_state); cnt = DetectEngineRunHttpClientBodyMpm(det_ctx);
// SCLogDebug("hcbd search: cnt %" PRIu32, cnt); SCLogDebug("hcbd search: cnt %" PRIu32, cnt);
//} }
//if (sgh->flags & SIG_GROUP_HEAD_MPM_HHD) { //if (sgh->flags & SIG_GROUP_HEAD_MPM_HHD) {
//
// cnt = DetectEngineInspectHttpHeaderMpmInspect(det_ctx, f, // cnt = DetectEngineInspectHttpHeaderMpmInspect(det_ctx, f,
// htp_state); // htp_state);
// SCLogDebug("hhd search: cnt %" PRIu32, cnt); // SCLogDebug("hhd search: cnt %" PRIu32, cnt);
@ -960,8 +970,8 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
Signature *s = NULL; Signature *s = NULL;
SigMatch *sm = NULL; SigMatch *sm = NULL;
det_ctx->de_have_hcbd = TRUE; //det_ctx->de_have_hcbd = TRUE;
det_ctx->de_mpm_scanned_hcbd = FALSE; //det_ctx->de_mpm_scanned_hcbd = FALSE;
det_ctx->de_have_hhd = TRUE; det_ctx->de_have_hhd = TRUE;
det_ctx->de_mpm_scanned_hhd = FALSE; det_ctx->de_mpm_scanned_hhd = FALSE;
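Review bot: The filter added at the top of the SigMatchSignaturesBuildMatchArray hunk drops every signature carrying SIG_FLAG_MPM_HCBDCONTENT whose bit in det_ctx->pmq.pattern_id_bitarray is clear, but nothing in the visible code ties that test to whether the hcbd mpm actually ran for this packet — the old path gated the same check on det_ctx->de_mpm_scanned_hcbd, which this commit comments out in SigMatchSignatures. When RunMpmsOnFlow does not reach DetectEngineRunHttpClientBodyMpm (group without SIG_GROUP_HEAD_MPM_HCBD, an early return from DetectEngineBufferHttpClientBodies, or no HTTP state) the bit is clear for reasons unrelated to the body, and I suspect that is only harmless if pattern_id_bitarray is cleared per run and hcbd pattern ids do not share a namespace with the packet/uri mpm, neither of which I can confirm from here. A comment stating the invariant the filter relies on would make this reviewable, e.g. `/* valid only because RunMpmsOnFlow ran the hcbd mpm for this sgh before the match array is built */`. SigMatchSignaturesBuildMatchArray begins and ends outside the hunk.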
