aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix for bug #577.

Browse Source 
If a pattern has matched on mpm, don't re-inspect it later, subject to certain
conditions met by the pattern - namely, not negated, right chop, no replacet
attached to it.
pull/116/head
Anoop Saldanha 13 years ago committed by Victor Julien
parent 6e0f8a3cb5
commit 51c9955c79
3 changed files with 46 additions and 74 deletions
Show Stats Download Patch File Download Diff File

50
src/detect-content.h
Unescape Escape View File

@ -26,44 +26,34 @@
/* Flags affecting this content */
#define DETECT_CONTENT_NOCASE 0x00000001
#define DETECT_CONTENT_DISTANCE 0x00000002
#define DETECT_CONTENT_WITHIN 0x00000004
#define DETECT_CONTENT_OFFSET 0x00000008
#define DETECT_CONTENT_DEPTH 0x00000010
#define DETECT_CONTENT_FAST_PATTERN 0x00000020
#define DETECT_CONTENT_FAST_PATTERN_ONLY 0x00000040
#define DETECT_CONTENT_FAST_PATTERN_CHOP 0x00000080
#define DETECT_CONTENT_NOCASE (1)
#define DETECT_CONTENT_DISTANCE (1 << 1)
#define DETECT_CONTENT_WITHIN (1 << 2)
#define DETECT_CONTENT_OFFSET (1 << 3)
#define DETECT_CONTENT_DEPTH (1 << 4)
#define DETECT_CONTENT_FAST_PATTERN (1 << 5)
#define DETECT_CONTENT_FAST_PATTERN_ONLY (1 << 6)
#define DETECT_CONTENT_FAST_PATTERN_CHOP (1 << 7)
/** content applies to a "raw"/undecoded field if applicable */
#define DETECT_CONTENT_RAWBYTES 0x00000100
#define DETECT_CONTENT_RAWBYTES (1 << 8)
/** content is negated */
#define DETECT_CONTENT_NEGATED 0x00000200
#define DETECT_CONTENT_NEGATED (1 << 9)
/** a relative match to this content is next, used in matching phase */
#define DETECT_CONTENT_RELATIVE_NEXT 0x00000400
#define DETECT_CONTENT_PACKET_MPM 0x00000800
#define DETECT_CONTENT_STREAM_MPM 0x00001000
#define DETECT_CONTENT_URI_MPM 0x00002000
#define DETECT_CONTENT_HCBD_MPM 0x00004000
#define DETECT_CONTENT_HSBD_MPM 0x00008000
#define DETECT_CONTENT_HHD_MPM 0x00010000
#define DETECT_CONTENT_HRHD_MPM 0x00020000
#define DETECT_CONTENT_HMD_MPM 0x00040000
#define DETECT_CONTENT_HCD_MPM 0x00080000
#define DETECT_CONTENT_HRUD_MPM 0x00100000
#define DETECT_CONTENT_HSMD_MPM 0x00200000
#define DETECT_CONTENT_HSCD_MPM 0x00400000
#define DETECT_CONTENT_HUAD_MPM 0x00800000
#define DETECT_CONTENT_RELATIVE_NEXT (1 << 10)
/* BE - byte extract */
#define DETECT_CONTENT_OFFSET_BE 0x01000000
#define DETECT_CONTENT_DEPTH_BE 0x02000000
#define DETECT_CONTENT_DISTANCE_BE 0x04000000
#define DETECT_CONTENT_WITHIN_BE 0x08000000
#define DETECT_CONTENT_OFFSET_BE (1 << 11)
#define DETECT_CONTENT_DEPTH_BE (1 << 12)
#define DETECT_CONTENT_DISTANCE_BE (1 << 13)
#define DETECT_CONTENT_WITHIN_BE (1 << 14)
/* replace data */
#define DETECT_CONTENT_REPLACE 0x10000000
#define DETECT_CONTENT_REPLACE (1 << 15)
/* this flag is set during the staging phase. It indicates that a content
* has been added to the mpm phase and requires no further inspection inside
* the inspection phase */
#define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED (1 << 16)
#define DETECT_CONTENT_IS_SINGLE(c) (!((c)->flags & DETECT_CONTENT_DISTANCE || \
(c)->flags & DETECT_CONTENT_WITHIN || \

6
src/detect-engine-content-inspection.c
Unescape Escape View File

@ -116,10 +116,8 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
/* we might have already have this content matched by the mpm.
* (if there is any other reason why we'd want to avoid checking
* it here, please fill it in) */
if (inspection_mode == DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM) {
if (cd->flags & DETECT_CONTENT_STREAM_MPM && !(cd->flags & DETECT_CONTENT_NEGATED)) {
goto match;
}
if (cd->flags & DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED) {
goto match;
}
/* rule parsers should take care of this */

64
src/detect-engine-mpm.c
Unescape Escape View File

@ -1258,6 +1258,13 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
{
cd = (DetectContentData *)mpm_sm->ctx;
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
if (DETECT_CONTENT_IS_SINGLE(cd) &&
!(cd->flags & DETECT_CONTENT_NEGATED) &&
!(cd->flags & DETECT_CONTENT_REPLACE) &&
cd->content_len == cd->fp_chop_len) {
cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
}
/* add the content to the "packet" mpm */
if (SignatureHasPacketContent(s)) {
if (s->proto.proto[6 / 8] & 1 << (6 % 8)) {
@ -1341,23 +1348,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
}
} else {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
if (DETECT_CONTENT_IS_SINGLE(cd)) {
if (SignatureHasPacketContent(s))
cd->flags |= DETECT_CONTENT_PACKET_MPM;
if (SignatureHasStreamContent(s))
cd->flags |= DETECT_CONTENT_STREAM_MPM;
}
/* see if we can bypass the match validation for this pattern */
} else {
if (DETECT_CONTENT_IS_SINGLE(cd)) {
if (SignatureHasPacketContent(s))
cd->flags |= DETECT_CONTENT_PACKET_MPM;
if (SignatureHasStreamContent(s))
cd->flags |= DETECT_CONTENT_STREAM_MPM;
}
} /* else - if (co->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) */
if (DETECT_CONTENT_IS_SINGLE(cd) &&
!(cd->flags & DETECT_CONTENT_NEGATED) &&
!(cd->flags & DETECT_CONTENT_REPLACE)) {
cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
}
if (SignatureHasPacketContent(s)) {
/* add the content to the "packet" mpm */
@ -1464,7 +1459,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
MpmCtx *mpm_ctx_ts = NULL;
MpmCtx *mpm_ctx_tc = NULL;
uint32_t sgh_flags = 0;
uint32_t cd_flags = 0;
uint32_t sig_flags = 0;
cd = (DetectContentData *)mpm_sm->ctx;
@ -1475,7 +1469,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_uri_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_URI;
cd_flags = DETECT_CONTENT_URI_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1485,7 +1478,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hcbd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HCBD;
cd_flags = DETECT_CONTENT_HCBD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1495,7 +1487,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hsbd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HSBD;
cd_flags = DETECT_CONTENT_HSBD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1505,7 +1496,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hhd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HHD;
cd_flags = DETECT_CONTENT_HHD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1515,7 +1505,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hrhd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HRHD;
cd_flags = DETECT_CONTENT_HRHD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1525,7 +1514,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hmd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HMD;
cd_flags = DETECT_CONTENT_HMD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1535,7 +1523,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hcd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HCD;
cd_flags = DETECT_CONTENT_HCD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1545,7 +1532,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hrud_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HRUD;
cd_flags = DETECT_CONTENT_HRUD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1555,7 +1541,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hsmd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HSMD;
cd_flags = DETECT_CONTENT_HSMD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1565,7 +1550,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hscd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HSCD;
cd_flags = DETECT_CONTENT_HSCD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1575,13 +1559,19 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_huad_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HUAD;
cd_flags = DETECT_CONTENT_HUAD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
}
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
if (DETECT_CONTENT_IS_SINGLE(cd) &&
!(cd->flags & DETECT_CONTENT_NEGATED) &&
!(cd->flags & DETECT_CONTENT_REPLACE) &&
cd->content_len == cd->fp_chop_len) {
cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
}
/* add the content to the mpm */
if (cd->flags & DETECT_CONTENT_NOCASE) {
if (mpm_ctx_ts != NULL) {
@ -1615,17 +1605,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
}
} else {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
if (DETECT_CONTENT_IS_SINGLE(cd)) {
cd->flags |= cd_flags;
}
/* see if we can bypass the match validation for this pattern */
} else {
if (DETECT_CONTENT_IS_SINGLE(cd)) {
cd->flags |= cd_flags;
}
} /* else - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) */
if (DETECT_CONTENT_IS_SINGLE(cd) &&
!(cd->flags & DETECT_CONTENT_NEGATED) &&
!(cd->flags & DETECT_CONTENT_REPLACE)) {
cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
}
/* add the content to the "uri" mpm */
if (cd->flags & DETECT_CONTENT_NOCASE) {

Write Preview
Loading…
Cancel
Save