diff --git a/src/detect.c b/src/detect.c index a03a38808b..bcef172e96 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1202,20 +1202,48 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx, /* all http based mpms */ if (alproto == ALPROTO_HTTP && alstate != NULL) { - if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_URI) { - PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_URI); - DetectUricontentInspectMpm(det_ctx, p->flow, alstate, flags); - PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_URI); - } - if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCBD) { - PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCBD); - DetectEngineRunHttpClientBodyMpm(de_ctx, det_ctx, p->flow, alstate, flags); - PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HCBD); - } - if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSBD) { - PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HSBD); - DetectEngineRunHttpServerBodyMpm(de_ctx, det_ctx, p->flow, alstate, flags); - PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HSBD); + if (p->flowflags & FLOW_PKT_TOSERVER) { + if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_URI) { + PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_URI); + DetectUricontentInspectMpm(det_ctx, p->flow, alstate, flags); + PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_URI); + } + if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRUD) { + PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HRUD); + DetectEngineRunHttpRawUriMpm(det_ctx, p->flow, alstate, flags); + PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HRUD); + } + if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCBD) { + PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCBD); + DetectEngineRunHttpClientBodyMpm(de_ctx, det_ctx, p->flow, alstate, flags); + PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HCBD); + } + if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HMD) { + PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HMD); + DetectEngineRunHttpMethodMpm(det_ctx, p->flow, alstate, flags); + PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HMD); + } + if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HUAD) { + PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HUAD); + DetectEngineRunHttpUAMpm(det_ctx, p->flow, alstate, flags); + PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HUAD); + } + } else { /* implied FLOW_PKT_TOCLIENT */ + if (p->flowflags & FLOW_PKT_TOCLIENT && det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSBD) { + PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HSBD); + DetectEngineRunHttpServerBodyMpm(de_ctx, det_ctx, p->flow, alstate, flags); + PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HSBD); + } + if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSMD) { + PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HSMD); + DetectEngineRunHttpStatMsgMpm(det_ctx, p->flow, alstate, flags); + PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HSMD); + } + if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSCD) { + PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HSCD); + DetectEngineRunHttpStatCodeMpm(det_ctx, p->flow, alstate, flags); + PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HSCD); + } } if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHD) { PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HHD); @@ -1227,36 +1255,11 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx, DetectEngineRunHttpRawHeaderMpm(det_ctx, p->flow, alstate, flags); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HRHD); } - if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HMD) { - PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HMD); - DetectEngineRunHttpMethodMpm(det_ctx, p->flow, alstate, flags); - PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HMD); - } if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCD) { PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCD); DetectEngineRunHttpCookieMpm(det_ctx, p->flow, alstate, flags); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HCD); } - if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRUD) { - PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HRUD); - DetectEngineRunHttpRawUriMpm(det_ctx, p->flow, alstate, flags); - PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HRUD); - } - if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSMD) { - PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HSMD); - DetectEngineRunHttpStatMsgMpm(det_ctx, p->flow, alstate, flags); - PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HSMD); - } - if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSCD) { - PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HSCD); - DetectEngineRunHttpStatCodeMpm(det_ctx, p->flow, alstate, flags); - PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HSCD); - } - if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HUAD) { - PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HUAD); - DetectEngineRunHttpUAMpm(det_ctx, p->flow, alstate, flags); - PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HUAD); - } } } else { SCLogDebug("NOT p->flowflags & FLOW_PKT_ESTABLISHED");