aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix for bug #577.

Browse Source 
If a pattern has matched on mpm, don't re-inspect it later, subject to certain
conditions met by the pattern - namely, not negated, right chop, no replacet
attached to it.
pull/116/head
Anoop Saldanha 13 years ago committed by Victor Julien
parent 6e0f8a3cb5
commit 51c9955c79
3 changed files with 46 additions and 74 deletions
Show Stats Download Patch File Download Diff File

50
src/detect-content.h
Unescape Escape View File

@ -26,44 +26,34 @@
/* Flags affecting this content */ /* Flags affecting this content */
#define DETECT_CONTENT_NOCASE 0x00000001 #define DETECT_CONTENT_NOCASE (1)
#define DETECT_CONTENT_DISTANCE 0x00000002 #define DETECT_CONTENT_DISTANCE (1 << 1)
#define DETECT_CONTENT_WITHIN 0x00000004 #define DETECT_CONTENT_WITHIN (1 << 2)
#define DETECT_CONTENT_OFFSET 0x00000008 #define DETECT_CONTENT_OFFSET (1 << 3)
#define DETECT_CONTENT_DEPTH 0x00000010 #define DETECT_CONTENT_DEPTH (1 << 4)
#define DETECT_CONTENT_FAST_PATTERN 0x00000020 #define DETECT_CONTENT_FAST_PATTERN (1 << 5)
#define DETECT_CONTENT_FAST_PATTERN_ONLY 0x00000040 #define DETECT_CONTENT_FAST_PATTERN_ONLY (1 << 6)
#define DETECT_CONTENT_FAST_PATTERN_CHOP 0x00000080 #define DETECT_CONTENT_FAST_PATTERN_CHOP (1 << 7)
/** content applies to a "raw"/undecoded field if applicable */ /** content applies to a "raw"/undecoded field if applicable */
#define DETECT_CONTENT_RAWBYTES 0x00000100 #define DETECT_CONTENT_RAWBYTES (1 << 8)
/** content is negated */ /** content is negated */
#define DETECT_CONTENT_NEGATED 0x00000200 #define DETECT_CONTENT_NEGATED (1 << 9)
/** a relative match to this content is next, used in matching phase */ /** a relative match to this content is next, used in matching phase */
#define DETECT_CONTENT_RELATIVE_NEXT 0x00000400 #define DETECT_CONTENT_RELATIVE_NEXT (1 << 10)
#define DETECT_CONTENT_PACKET_MPM 0x00000800
#define DETECT_CONTENT_STREAM_MPM 0x00001000
#define DETECT_CONTENT_URI_MPM 0x00002000
#define DETECT_CONTENT_HCBD_MPM 0x00004000
#define DETECT_CONTENT_HSBD_MPM 0x00008000
#define DETECT_CONTENT_HHD_MPM 0x00010000
#define DETECT_CONTENT_HRHD_MPM 0x00020000
#define DETECT_CONTENT_HMD_MPM 0x00040000
#define DETECT_CONTENT_HCD_MPM 0x00080000
#define DETECT_CONTENT_HRUD_MPM 0x00100000
#define DETECT_CONTENT_HSMD_MPM 0x00200000
#define DETECT_CONTENT_HSCD_MPM 0x00400000
#define DETECT_CONTENT_HUAD_MPM 0x00800000
/* BE - byte extract */ /* BE - byte extract */
#define DETECT_CONTENT_OFFSET_BE 0x01000000 #define DETECT_CONTENT_OFFSET_BE (1 << 11)
#define DETECT_CONTENT_DEPTH_BE 0x02000000 #define DETECT_CONTENT_DEPTH_BE (1 << 12)
#define DETECT_CONTENT_DISTANCE_BE 0x04000000 #define DETECT_CONTENT_DISTANCE_BE (1 << 13)
#define DETECT_CONTENT_WITHIN_BE 0x08000000 #define DETECT_CONTENT_WITHIN_BE (1 << 14)
/* replace data */ /* replace data */
#define DETECT_CONTENT_REPLACE 0x10000000 #define DETECT_CONTENT_REPLACE (1 << 15)
/* this flag is set during the staging phase. It indicates that a content
* has been added to the mpm phase and requires no further inspection inside
* the inspection phase */
#define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED (1 << 16)
#define DETECT_CONTENT_IS_SINGLE(c) (!((c)->flags & DETECT_CONTENT_DISTANCE || \ #define DETECT_CONTENT_IS_SINGLE(c) (!((c)->flags & DETECT_CONTENT_DISTANCE || \
(c)->flags & DETECT_CONTENT_WITHIN || \ (c)->flags & DETECT_CONTENT_WITHIN || \

6
src/detect-engine-content-inspection.c
Unescape Escape View File

@ -116,10 +116,8 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
/* we might have already have this content matched by the mpm. /* we might have already have this content matched by the mpm.
* (if there is any other reason why we'd want to avoid checking * (if there is any other reason why we'd want to avoid checking
* it here, please fill it in) */ * it here, please fill it in) */
if (inspection_mode == DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM) { if (cd->flags & DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED) {
if (cd->flags & DETECT_CONTENT_STREAM_MPM && !(cd->flags & DETECT_CONTENT_NEGATED)) { goto match;
goto match;
}
} }
/* rule parsers should take care of this */ /* rule parsers should take care of this */

64
src/detect-engine-mpm.c
Unescape Escape View File

@ -1258,6 +1258,13 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
{ {
cd = (DetectContentData *)mpm_sm->ctx; cd = (DetectContentData *)mpm_sm->ctx;
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) { if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
if (DETECT_CONTENT_IS_SINGLE(cd) &&
!(cd->flags & DETECT_CONTENT_NEGATED) &&
!(cd->flags & DETECT_CONTENT_REPLACE) &&
cd->content_len == cd->fp_chop_len) {
cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
}
/* add the content to the "packet" mpm */ /* add the content to the "packet" mpm */
if (SignatureHasPacketContent(s)) { if (SignatureHasPacketContent(s)) {
if (s->proto.proto[6 / 8] & 1 << (6 % 8)) { if (s->proto.proto[6 / 8] & 1 << (6 % 8)) {
@ -1341,23 +1348,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
} }
} }
} else { } else {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { if (DETECT_CONTENT_IS_SINGLE(cd) &&
if (DETECT_CONTENT_IS_SINGLE(cd)) { !(cd->flags & DETECT_CONTENT_NEGATED) &&
if (SignatureHasPacketContent(s)) !(cd->flags & DETECT_CONTENT_REPLACE)) {
cd->flags |= DETECT_CONTENT_PACKET_MPM; cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
if (SignatureHasStreamContent(s)) }
cd->flags |= DETECT_CONTENT_STREAM_MPM;
}
/* see if we can bypass the match validation for this pattern */
} else {
if (DETECT_CONTENT_IS_SINGLE(cd)) {
if (SignatureHasPacketContent(s))
cd->flags |= DETECT_CONTENT_PACKET_MPM;
if (SignatureHasStreamContent(s))
cd->flags |= DETECT_CONTENT_STREAM_MPM;
}
} /* else - if (co->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) */
if (SignatureHasPacketContent(s)) { if (SignatureHasPacketContent(s)) {
/* add the content to the "packet" mpm */ /* add the content to the "packet" mpm */
@ -1464,7 +1459,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
MpmCtx *mpm_ctx_ts = NULL; MpmCtx *mpm_ctx_ts = NULL;
MpmCtx *mpm_ctx_tc = NULL; MpmCtx *mpm_ctx_tc = NULL;
uint32_t sgh_flags = 0; uint32_t sgh_flags = 0;
uint32_t cd_flags = 0;
uint32_t sig_flags = 0; uint32_t sig_flags = 0;
cd = (DetectContentData *)mpm_sm->ctx; cd = (DetectContentData *)mpm_sm->ctx;
@ -1475,7 +1469,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_uri_ctx_tc; mpm_ctx_tc = sgh->mpm_uri_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_URI; sgh_flags = SIG_GROUP_HEAD_MPM_URI;
cd_flags = DETECT_CONTENT_URI_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP; sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED) if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG; sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1485,7 +1478,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hcbd_ctx_tc; mpm_ctx_tc = sgh->mpm_hcbd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HCBD; sgh_flags = SIG_GROUP_HEAD_MPM_HCBD;
cd_flags = DETECT_CONTENT_HCBD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP; sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED) if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG; sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1495,7 +1487,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hsbd_ctx_tc; mpm_ctx_tc = sgh->mpm_hsbd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HSBD; sgh_flags = SIG_GROUP_HEAD_MPM_HSBD;
cd_flags = DETECT_CONTENT_HSBD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP; sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED) if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG; sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1505,7 +1496,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hhd_ctx_tc; mpm_ctx_tc = sgh->mpm_hhd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HHD; sgh_flags = SIG_GROUP_HEAD_MPM_HHD;
cd_flags = DETECT_CONTENT_HHD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP; sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED) if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG; sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1515,7 +1505,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hrhd_ctx_tc; mpm_ctx_tc = sgh->mpm_hrhd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HRHD; sgh_flags = SIG_GROUP_HEAD_MPM_HRHD;
cd_flags = DETECT_CONTENT_HRHD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP; sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED) if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG; sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1525,7 +1514,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hmd_ctx_tc; mpm_ctx_tc = sgh->mpm_hmd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HMD; sgh_flags = SIG_GROUP_HEAD_MPM_HMD;
cd_flags = DETECT_CONTENT_HMD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP; sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED) if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG; sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1535,7 +1523,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hcd_ctx_tc; mpm_ctx_tc = sgh->mpm_hcd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HCD; sgh_flags = SIG_GROUP_HEAD_MPM_HCD;
cd_flags = DETECT_CONTENT_HCD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP; sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED) if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG; sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1545,7 +1532,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hrud_ctx_tc; mpm_ctx_tc = sgh->mpm_hrud_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HRUD; sgh_flags = SIG_GROUP_HEAD_MPM_HRUD;
cd_flags = DETECT_CONTENT_HRUD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP; sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED) if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG; sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1555,7 +1541,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hsmd_ctx_tc; mpm_ctx_tc = sgh->mpm_hsmd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HSMD; sgh_flags = SIG_GROUP_HEAD_MPM_HSMD;
cd_flags = DETECT_CONTENT_HSMD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP; sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED) if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG; sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1565,7 +1550,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hscd_ctx_tc; mpm_ctx_tc = sgh->mpm_hscd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HSCD; sgh_flags = SIG_GROUP_HEAD_MPM_HSCD;
cd_flags = DETECT_CONTENT_HSCD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP; sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED) if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG; sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@ -1575,13 +1559,19 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_TOCLIENT) if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_huad_ctx_tc; mpm_ctx_tc = sgh->mpm_huad_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HUAD; sgh_flags = SIG_GROUP_HEAD_MPM_HUAD;
cd_flags = DETECT_CONTENT_HUAD_MPM;
sig_flags |= SIG_FLAG_MPM_HTTP; sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED) if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG; sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
} }
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) { if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
if (DETECT_CONTENT_IS_SINGLE(cd) &&
!(cd->flags & DETECT_CONTENT_NEGATED) &&
!(cd->flags & DETECT_CONTENT_REPLACE) &&
cd->content_len == cd->fp_chop_len) {
cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
}
/* add the content to the mpm */ /* add the content to the mpm */
if (cd->flags & DETECT_CONTENT_NOCASE) { if (cd->flags & DETECT_CONTENT_NOCASE) {
if (mpm_ctx_ts != NULL) { if (mpm_ctx_ts != NULL) {
@ -1615,17 +1605,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
} }
} }
} else { } else {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { if (DETECT_CONTENT_IS_SINGLE(cd) &&
if (DETECT_CONTENT_IS_SINGLE(cd)) { !(cd->flags & DETECT_CONTENT_NEGATED) &&
cd->flags |= cd_flags; !(cd->flags & DETECT_CONTENT_REPLACE)) {
} cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
}
/* see if we can bypass the match validation for this pattern */
} else {
if (DETECT_CONTENT_IS_SINGLE(cd)) {
cd->flags |= cd_flags;
}
} /* else - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) */
/* add the content to the "uri" mpm */ /* add the content to the "uri" mpm */
if (cd->flags & DETECT_CONTENT_NOCASE) { if (cd->flags & DETECT_CONTENT_NOCASE) {

Write Preview
Loading…
Cancel
Save