mpm: cleanup: move mpm funcs into buffer specific files

pull/1980/head
Victor Julien 10 years ago
parent e57e7d1b96
commit 6bb2b001a3

@ -98,41 +98,6 @@ static int DetectDnsQuerySetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
return 0;
}
/**
* \brief Run the pattern matcher against the queries
*
* \param f locked flow
* \param dns_state initialized dns state
*
* \warning Make sure the flow/state is locked
* \todo what should we return? Just the fact that we matched?
*/
uint32_t DetectDnsQueryInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
DNSState *dns_state, uint8_t flags, void *txv,
uint64_t tx_id)
{
SCEnter();
DNSTransaction *tx = (DNSTransaction *)txv;
DNSQueryEntry *query = NULL;
uint8_t *buffer;
uint16_t buffer_len;
uint32_t cnt = 0;
TAILQ_FOREACH(query, &tx->query_list, next) {
SCLogDebug("tx %p query %p", tx, query);
buffer = (uint8_t *)((uint8_t *)query + sizeof(DNSQueryEntry));
buffer_len = query->len;
cnt += DnsQueryPatternSearch(det_ctx,
buffer, buffer_len,
flags);
}
SCReturnUInt(cnt);
}
#ifdef UNITTESTS
/** \test simple google.com query matching */
static int DetectDnsQueryTest01(void)

@ -44,6 +44,7 @@
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-validate.h"
/** \brief Do the content inspection & validation for a signature
*
@ -93,6 +94,68 @@ int DetectEngineInspectDnsQueryName(ThreadVars *tv,
return r;
}
/**
* \brief DNS query match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param hrh Buffer to inspect.
* \param hrh_len buffer length.
* \param flags Flags
*
* \retval ret Number of matches.
*/
static uint32_t DnsQueryPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *buffer, uint32_t buffer_len,
uint8_t flags)
{
SCEnter();
uint32_t ret = 0;
DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_dnsquery_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_dnsquery_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_dnsquery_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, buffer, buffer_len);
SCReturnUInt(ret);
}
/**
* \brief Run the pattern matcher against the queries
*
* \param f locked flow
* \param dns_state initialized dns state
*
* \warning Make sure the flow/state is locked
* \todo what should we return? Just the fact that we matched?
*/
uint32_t DetectDnsQueryInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
DNSState *dns_state, uint8_t flags, void *txv,
uint64_t tx_id)
{
SCEnter();
DNSTransaction *tx = (DNSTransaction *)txv;
DNSQueryEntry *query = NULL;
uint8_t *buffer;
uint16_t buffer_len;
uint32_t cnt = 0;
TAILQ_FOREACH(query, &tx->query_list, next) {
SCLogDebug("tx %p query %p", tx, query);
buffer = (uint8_t *)((uint8_t *)query + sizeof(DNSQueryEntry));
buffer_len = query->len;
cnt += DnsQueryPatternSearch(det_ctx,
buffer, buffer_len,
flags);
}
SCReturnUInt(cnt);
}
/** \brief Do the content inspection & validation for a signature
*
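Review bot: In `DnsQueryPatternSearch` the only guard before `det_ctx->sgh->mpm_dnsquery_ctx_ts->mpm_type` is dereferenced is `DEBUG_VALIDATE_BUG_ON(... == NULL)`; if that macro compiles out in non-validation builds, as its name suggests, production builds have no NULL check on a path that processes network-supplied DNS query names. `PacketPatternSearchWithStreamCtx`, also touched by this commit, follows its assertions with a runtime `if (unlikely(mpm_ctx == NULL))` early return, and the same here would be `if (unlikely(det_ctx->sgh->mpm_dnsquery_ctx_ts == NULL)) { SCReturnUInt(0); }`. The other helpers moved by this commit (`SMTPFiledataPatternSearch` and the `Http*PatternSearch` functions) share this assertion-only guard. The callers lie mostly outside the hunks and may already guarantee a non-NULL context; if so, a one-line comment stating that precondition would be enough.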

@ -49,6 +49,8 @@
#include "app-layer-protos.h"
#include "app-layer-parser.h"
#include "util-validate.h"
#include "conf.h"
#include "conf-yaml-loader.h"
@ -269,6 +271,34 @@ void DetectEngineCleanSMTPBuffers(DetectEngineThreadCtx *det_ctx)
return;
}
/**
* \brief SMTP Filedata match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param buffer Buffer to inspect.
* \param buffer_len buffer length.
* \param flags Flags
*
* \retval ret Number of matches.
*/
static uint32_t SMTPFiledataPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *buffer, uint32_t buffer_len,
uint8_t flags)
{
SCEnter();
uint32_t ret = 0;
DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_smtp_filedata_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_smtp_filedata_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_smtp_filedata_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, buffer, buffer_len);
SCReturnUInt(ret);
}
int DetectEngineRunSMTPMpm(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Flow *f,
SMTPState *smtp_state, uint8_t flags,

@ -60,6 +60,8 @@
#include "conf.h"
#include "conf-yaml-loader.h"
#include "util-validate.h"
#define BUFFER_STEP 50
static inline int HCBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
@ -219,6 +221,32 @@ static uint8_t *DetectEngineHCBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
return buffer;
}
/** \brief Http client body pattern match -- searches for one pattern per
* signature.
*
* \param det_ctx Detection engine thread ctx.
* \param body The request body to inspect.
* \param body_len Body length.
*
* \retval ret Number of matches.
*/
static uint32_t HttpClientBodyPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *body, uint32_t body_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcbd_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hcbd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hcbd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, body, body_len);
SCReturnUInt(ret);
}
int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,
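Review bot: The doc comment on `HttpClientBodyPatternSearch` documents `det_ctx`, `body` and `body_len` but not `flags`, even though the function asserts that `STREAM_TOCLIENT` is not set in it. Adding `\param flags Stream direction flags; STREAM_TOCLIENT must not be set.` would record the direction contract, which is currently stated only by the assertion. The cookie, header, method, raw header, raw uri, server body, stat code, stat msg and user agent helpers moved by this commit also omit `\param flags`; for the server body, stat code and stat msg helpers the asserted direction is the opposite one.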

@ -56,6 +56,39 @@
#include "app-layer.h"
#include "app-layer-htp.h"
#include "app-layer-protos.h"
#include "util-validate.h"
/**
* \brief Http cookie match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param cookie Cookie to inspect.
* \param cookie_len Cookie length.
*
* \retval ret Number of matches.
*/
static uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *cookie, uint32_t cookie_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
if (flags & STREAM_TOSERVER) {
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcd_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hcd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, cookie, cookie_len);
} else {
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcd_ctx_tc == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_hcd_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, cookie, cookie_len);
}
SCReturnUInt(ret);
}
int DetectEngineRunHttpCookieMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,
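Review bot: `HttpCookiePatternSearch` picks the to-client context in a bare `else`, so a `flags` value with neither direction bit set is searched against `mpm_hcd_ctx_tc` instead of being rejected. The copies of `StreamPatternSearch` and `PacketPatternSearch` in the last file section of this commit test the to-client bit explicitly (`else if (flags & STREAM_TOCLIENT)`), where the removed versions used a plain `else`. Applying the same test here also needs `uint32_t ret = 0;`, because `ret` would otherwise be returned uninitialised when neither branch runs. `HttpHeaderPatternSearch` and `HttpRawHeaderPatternSearch` have the same shape.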

@ -58,6 +58,8 @@
#include "app-layer-htp.h"
#include "app-layer-protos.h"
#include "util-validate.h"
#define BUFFER_STEP 50
static inline int HHDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
@ -212,6 +214,38 @@ static uint8_t *DetectEngineHHDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
return headers_buffer;
}
/**
* \brief Http header match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param headers Headers to inspect.
* \param headers_len Headers length.
*
* \retval ret Number of matches.
*/
static uint32_t HttpHeaderPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *headers, uint32_t headers_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
if (flags & STREAM_TOSERVER) {
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhd_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hhd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, headers, headers_len);
} else {
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhd_ctx_tc == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_hhd_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, headers, headers_len);
}
SCReturnUInt(ret);
}
int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,
void *tx, uint64_t idx)

@ -58,6 +58,34 @@
#include "app-layer-protos.h"
#include "detect-engine-hhhd.h"
#include "util-validate.h"
/**
* \brief Http host header match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param hh Host header to inspect.
* \param hh_len Host header buffer length.
* \param flags Flags
*
* \retval ret Number of matches.
*/
static uint32_t HttpHHPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *hh, uint32_t hh_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhhd_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hhhd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hhhd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, hh, hh_len);
SCReturnUInt(ret);
}
int DetectEngineRunHttpHHMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,

@ -56,6 +56,33 @@
#include "app-layer.h"
#include "app-layer-htp.h"
#include "app-layer-protos.h"
#include "util-validate.h"
/**
* \brief Http method match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param method Method to inspect.
* \param method_len Method length.
*
* \retval ret Number of matches.
*/
static uint32_t HttpMethodPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *raw_method, uint32_t raw_method_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hmd_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hmd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hmd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, raw_method, raw_method_len);
SCReturnUInt(ret);
}
int DetectEngineRunHttpMethodMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,
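Review bot: The `\param` tags in the comment on `HttpMethodPatternSearch` name `method` and `method_len`, but the parameters are `raw_method` and `raw_method_len`, so the description cannot be mapped onto the signature. The tags should read `\param raw_method` and `\param raw_method_len`. The same mismatch is carried along in the moved comments for `DnsQueryPatternSearch` (`hrh`/`hrh_len` for `buffer`/`buffer_len`), `HttpRawHeaderPatternSearch` (`headers`/`headers_len` for `raw_headers`/`raw_headers_len`) and `HttpUAPatternSearch` (`cookie`/`cookie_len` for `ua`/`ua_len`).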

@ -57,6 +57,39 @@
#include "app-layer-htp.h"
#include "app-layer-protos.h"
#include "util-validate.h"
/**
* \brief Http raw header match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param headers Raw headers to inspect.
* \param headers_len Raw headers length.
*
* \retval ret Number of matches.
*/
static uint32_t HttpRawHeaderPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *raw_headers, uint32_t raw_headers_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
if (flags & STREAM_TOSERVER) {
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhd_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hrhd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, raw_headers, raw_headers_len);
} else {
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhd_ctx_tc == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_hrhd_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, raw_headers, raw_headers_len);
}
SCReturnUInt(ret);
}
int DetectEngineRunHttpRawHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,

@ -58,6 +58,34 @@
#include "app-layer-protos.h"
#include "detect-engine-hrhhd.h"
#include "util-validate.h"
/**
* \brief Http raw host header match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param hrh Raw hostname to inspect.
* \param hrh_len Raw hostname buffer length.
* \param flags Flags
*
* \retval ret Number of matches.
*/
static uint32_t HttpHRHPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *hrh, uint32_t hrh_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhhd_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hrhhd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hrhhd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, hrh, hrh_len);
SCReturnUInt(ret);
}
int DetectEngineRunHttpHRHMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,

@ -56,6 +56,33 @@
#include "app-layer-htp.h"
#include "app-layer-protos.h"
#include "util-validate.h"
/**
* \brief Http raw uri match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param uri Raw uri to inspect.
* \param uri_len Raw uri length.
*
* \retval ret Number of matches.
*/
static uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *uri, uint32_t uri_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrud_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hrud_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hrud_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, uri, uri_len);
SCReturnUInt(ret);
}
/**
* \brief Run the mpm against raw http uris.

@ -62,6 +62,8 @@
#include "conf.h"
#include "conf-yaml-loader.h"
#include "util-validate.h"
#define BUFFER_STEP 50
static inline int HSBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
@ -313,6 +315,32 @@ static uint8_t *DetectEngineHSBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
return buffer;
}
/** \brief Http server body pattern match -- searches for one pattern per
* signature.
*
* \param det_ctx Detection engine thread ctx.
* \param body The request body to inspect.
* \param body_len Body length.
*
* \retval ret Number of matches.
*/
static uint32_t HttpServerBodyPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *body, uint32_t body_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT));
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hsbd_ctx_tc == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hsbd_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_hsbd_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, body, body_len);
SCReturnUInt(ret);
}
int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,
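Review bot: The comment on `HttpServerBodyPatternSearch` describes `body` as "The request body to inspect", but the function asserts that `STREAM_TOCLIENT` is set and searches `mpm_hsbd_ctx_tc`, so it inspects the to-client side. The line should read `\param body The response body to inspect.`; the wording looks carried over from the client-body helper. Since the move is a good moment to correct it, the `\brief` could also say "response body" so that rule writers reading the docs do not confuse the two buffers.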

@ -53,6 +53,33 @@
#include "app-layer.h"
#include "app-layer-htp.h"
#include "app-layer-protos.h"
#include "util-validate.h"
/**
* \brief Http stat code match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param stat_code Stat code to inspect.
* \param stat_code_len Stat code length.
*
* \retval ret Number of matches.
*/
static uint32_t HttpStatCodePatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *stat_code, uint32_t stat_code_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT));
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hscd_ctx_tc == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hscd_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_hscd_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, stat_code, stat_code_len);
SCReturnUInt(ret);
}
/**
* \brief Run the mpm against http stat code.

@ -53,6 +53,33 @@
#include "app-layer.h"
#include "app-layer-htp.h"
#include "app-layer-protos.h"
#include "util-validate.h"
/**
* \brief Http stat msg match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param stat_msg Stat msg to inspect.
* \param stat_msg_len Stat msg length.
*
* \retval ret Number of matches.
*/
static uint32_t HttpStatMsgPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *stat_msg, uint32_t stat_msg_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT));
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hsmd_ctx_tc == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hsmd_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_hsmd_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, stat_msg, stat_msg_len);
SCReturnUInt(ret);
}
/**
* \brief Run the mpm against http stat msg.

@ -57,6 +57,33 @@
#include "app-layer-protos.h"
#include "detect-engine-hua.h"
#include "util-validate.h"
/**
* \brief Http user agent match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param cookie User-Agent to inspect.
* \param cookie_len User-Agent buffer length.
*
* \retval ret Number of matches.
*/
static uint32_t HttpUAPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *ua, uint32_t ua_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_huad_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_huad_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_huad_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, ua, ua_len);
SCReturnUInt(ret);
}
int DetectEngineRunHttpUAMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,

@ -55,9 +55,6 @@
#include "util-debug.h"
#include "util-print.h"
#include "util-memcmp.h"
#ifdef __SC_CUDA_SUPPORT__
#include "util-mpm-ac.h"
#endif
#include "util-validate.h"
const char *builtin_mpms[] = {
@ -253,549 +250,6 @@ uint16_t PatternMatchDefaultMatcher(void)
return mpm_algo_val;
}
uint32_t PacketPatternSearchWithStreamCtx(DetectEngineThreadCtx *det_ctx,
Packet *p)
{
SCEnter();
uint32_t ret = 0;
const MpmCtx *mpm_ctx = NULL;
if (p->flowflags & FLOW_PKT_TOSERVER) {
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_stream_ctx_ts == NULL);
mpm_ctx = det_ctx->sgh->mpm_stream_ctx_ts;
} else {
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_stream_ctx_tc == NULL);
mpm_ctx = det_ctx->sgh->mpm_stream_ctx_tc;
}
if (unlikely(mpm_ctx == NULL)) {
SCReturnInt(0);
}
ret = mpm_table[mpm_ctx->mpm_type].
Search(mpm_ctx, &det_ctx->mtc, &det_ctx->pmq,
p->payload, p->payload_len);
SCReturnInt(ret);
}
/** \brief Pattern match -- searches for only one pattern per signature.
*
* \param det_ctx detection engine thread ctx
* \param p packet to inspect
*
* \retval ret number of matches
*/
uint32_t PacketPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p)
{
SCEnter();
uint32_t ret;
const MpmCtx *mpm_ctx = NULL;
if (p->proto == IPPROTO_TCP) {
if (p->flowflags & FLOW_PKT_TOSERVER) {
mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx_ts;
} else {
mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx_tc;
}
} else if (p->proto == IPPROTO_UDP) {
if (p->flowflags & FLOW_PKT_TOSERVER) {
mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx_ts;
} else {
mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx_tc;
}
} else {
mpm_ctx = det_ctx->sgh->mpm_proto_other_ctx;
}
if (unlikely(mpm_ctx == NULL))
SCReturnInt(0);
#ifdef __SC_CUDA_SUPPORT__
if (p->cuda_pkt_vars.cuda_mpm_enabled && p->pkt_src == PKT_SRC_WIRE) {
ret = SCACCudaPacketResultsProcessing(p, mpm_ctx, &det_ctx->pmq);
} else {
ret = mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
&det_ctx->mtc,
&det_ctx->pmq,
p->payload,
p->payload_len);
}
#else
ret = mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
&det_ctx->mtc,
&det_ctx->pmq,
p->payload,
p->payload_len);
#endif
SCReturnInt(ret);
}
/** \brief Uri Pattern match -- searches for one pattern per signature.
*
* \param det_ctx detection engine thread ctx
* \param p packet to inspect
*
* \retval ret number of matches
*/
uint32_t UriPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *uri, uint16_t uri_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_uri_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_uri_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_uri_ctx_ts,
&det_ctx->mtcu, &det_ctx->pmq, uri, uri_len);
//PrintRawDataFp(stdout, uri, uri_len);
SCReturnUInt(ret);
}
/** \brief Http client body pattern match -- searches for one pattern per
* signature.
*
* \param det_ctx Detection engine thread ctx.
* \param body The request body to inspect.
* \param body_len Body length.
*
* \retval ret Number of matches.
*/
uint32_t HttpClientBodyPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *body, uint32_t body_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcbd_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hcbd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hcbd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, body, body_len);
SCReturnUInt(ret);
}
/** \brief Http server body pattern match -- searches for one pattern per
* signature.
*
* \param det_ctx Detection engine thread ctx.
* \param body The request body to inspect.
* \param body_len Body length.
*
* \retval ret Number of matches.
*/
uint32_t HttpServerBodyPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *body, uint32_t body_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT));
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hsbd_ctx_tc == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hsbd_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_hsbd_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, body, body_len);
SCReturnUInt(ret);
}
/**
* \brief Http header match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param headers Headers to inspect.
* \param headers_len Headers length.
*
* \retval ret Number of matches.
*/
uint32_t HttpHeaderPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *headers, uint32_t headers_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
if (flags & STREAM_TOSERVER) {
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhd_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hhd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, headers, headers_len);
} else {
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhd_ctx_tc == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_hhd_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, headers, headers_len);
}
SCReturnUInt(ret);
}
/**
* \brief Http raw header match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param headers Raw headers to inspect.
* \param headers_len Raw headers length.
*
* \retval ret Number of matches.
*/
uint32_t HttpRawHeaderPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *raw_headers, uint32_t raw_headers_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
if (flags & STREAM_TOSERVER) {
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhd_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hrhd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, raw_headers, raw_headers_len);
} else {
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhd_ctx_tc == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_hrhd_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, raw_headers, raw_headers_len);
}
SCReturnUInt(ret);
}
/**
* \brief Http method match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param method Method to inspect.
* \param method_len Method length.
*
* \retval ret Number of matches.
*/
uint32_t HttpMethodPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *raw_method, uint32_t raw_method_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hmd_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hmd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hmd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, raw_method, raw_method_len);
SCReturnUInt(ret);
}
/**
* \brief Http cookie match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param cookie Cookie to inspect.
* \param cookie_len Cookie length.
*
* \retval ret Number of matches.
*/
uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *cookie, uint32_t cookie_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
if (flags & STREAM_TOSERVER) {
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcd_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hcd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, cookie, cookie_len);
} else {
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcd_ctx_tc == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_hcd_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, cookie, cookie_len);
}
SCReturnUInt(ret);
}
/**
* \brief Http raw uri match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param uri Raw uri to inspect.
* \param uri_len Raw uri length.
*
* \retval ret Number of matches.
*/
uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *uri, uint32_t uri_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrud_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hrud_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hrud_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, uri, uri_len);
SCReturnUInt(ret);
}
/**
* \brief Http stat msg match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param stat_msg Stat msg to inspect.
* \param stat_msg_len Stat msg length.
*
* \retval ret Number of matches.
*/
uint32_t HttpStatMsgPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *stat_msg, uint32_t stat_msg_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT));
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hsmd_ctx_tc == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hsmd_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_hsmd_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, stat_msg, stat_msg_len);
SCReturnUInt(ret);
}
/**
* \brief Http stat code match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param stat_code Stat code to inspect.
* \param stat_code_len Stat code length.
*
* \retval ret Number of matches.
*/
uint32_t HttpStatCodePatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *stat_code, uint32_t stat_code_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT));
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hscd_ctx_tc == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hscd_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_hscd_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, stat_code, stat_code_len);
SCReturnUInt(ret);
}
/**
* \brief Http user agent match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param cookie User-Agent to inspect.
* \param cookie_len User-Agent buffer length.
*
* \retval ret Number of matches.
*/
uint32_t HttpUAPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *ua, uint32_t ua_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_huad_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_huad_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_huad_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, ua, ua_len);
SCReturnUInt(ret);
}
/**
* \brief Http host header match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param hh Host header to inspect.
* \param hh_len Host header buffer length.
* \param flags Flags
*
* \retval ret Number of matches.
*/
uint32_t HttpHHPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *hh, uint32_t hh_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhhd_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hhhd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hhhd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, hh, hh_len);
SCReturnUInt(ret);
}
/**
* \brief Http raw host header match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param hrh Raw hostname to inspect.
* \param hrh_len Raw hostname buffer length.
* \param flags Flags
*
* \retval ret Number of matches.
*/
uint32_t HttpHRHPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *hrh, uint32_t hrh_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhhd_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_hrhhd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hrhhd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, hrh, hrh_len);
SCReturnUInt(ret);
}
/**
* \brief DNS query match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param hrh Buffer to inspect.
* \param hrh_len buffer length.
* \param flags Flags
*
* \retval ret Number of matches.
*/
uint32_t DnsQueryPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *buffer, uint32_t buffer_len,
uint8_t flags)
{
SCEnter();
uint32_t ret = 0;
DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_dnsquery_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_dnsquery_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_dnsquery_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, buffer, buffer_len);
SCReturnUInt(ret);
}
/** \brief Pattern match -- searches for only one pattern per signature.
*
* \param det_ctx detection engine thread ctx
* \param p packet
* \param smsg stream msg (reassembled stream data)
* \param flags stream flags
*
* \retval ret number of matches
*/
uint32_t StreamPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p,
StreamMsg *smsg, uint8_t flags)
{
SCEnter();
uint32_t ret = 0;
uint8_t cnt = 0;
//PrintRawDataFp(stdout, smsg->data.data, smsg->data.data_len);
uint32_t r;
if (flags & STREAM_TOSERVER) {
for ( ; smsg != NULL; smsg = smsg->next) {
r = mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_stream_ctx_ts, &det_ctx->mtcs,
&det_ctx->pmq, smsg->data, smsg->data_len);
if (r > 0) {
ret += r;
}
cnt++;
}
} else {
for ( ; smsg != NULL; smsg = smsg->next) {
r = mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_stream_ctx_tc, &det_ctx->mtcs,
&det_ctx->pmq, smsg->data, smsg->data_len);
if (r > 0) {
ret += r;
}
cnt++;
}
}
SCReturnInt(ret);
}
/**
* \brief SMTP Filedata match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param buffer Buffer to inspect.
* \param buffer_len buffer length.
* \param flags Flags
*
* \retval ret Number of matches.
*/
uint32_t SMTPFiledataPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *buffer, uint32_t buffer_len,
uint8_t flags)
{
SCEnter();
uint32_t ret = 0;
DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_smtp_filedata_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_smtp_filedata_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_smtp_filedata_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, buffer, buffer_len);
SCReturnUInt(ret);
}
/** \brief cleans up the mpm instance after a match */
void PacketPatternCleanup(ThreadVars *t, DetectEngineThreadCtx *det_ctx)
{

@ -40,22 +40,8 @@ uint16_t PatternMatchDefaultMatcher(void);
uint32_t PatternStrength(uint8_t *, uint16_t);
uint32_t PacketPatternSearchWithStreamCtx(DetectEngineThreadCtx *, Packet *);
uint32_t PacketPatternSearch(DetectEngineThreadCtx *, Packet *);
uint32_t UriPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint16_t, uint8_t);
uint32_t StreamPatternSearch(DetectEngineThreadCtx *, Packet *, StreamMsg *, uint8_t);
uint32_t HttpClientBodyPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpServerBodyPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpHeaderPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpRawHeaderPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpMethodPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpStatMsgPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpStatCodePatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpUAPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpHHPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpHRHPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t DnsQueryPatternSearch(DetectEngineThreadCtx *det_ctx, uint8_t *buffer, uint32_t buffer_len, uint8_t flags);
uint32_t SMTPFiledataPatternSearch(DetectEngineThreadCtx *det_ctx, uint8_t *buffer, uint32_t buffer_len, uint8_t flags);
void PacketPatternCleanup(ThreadVars *, DetectEngineThreadCtx *);

@ -33,11 +33,145 @@
#include "detect-parse.h"
#include "detect-engine-content-inspection.h"
#include "stream.h"
#include "util-debug.h"
#include "util-print.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-validate.h"
#include "util-mpm-ac.h"
uint32_t PacketPatternSearchWithStreamCtx(DetectEngineThreadCtx *det_ctx,
Packet *p)
{
SCEnter();
uint32_t ret = 0;
const MpmCtx *mpm_ctx = NULL;
if (p->flowflags & FLOW_PKT_TOSERVER) {
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_stream_ctx_ts == NULL);
mpm_ctx = det_ctx->sgh->mpm_stream_ctx_ts;
} else {
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_stream_ctx_tc == NULL);
mpm_ctx = det_ctx->sgh->mpm_stream_ctx_tc;
}
if (unlikely(mpm_ctx == NULL)) {
SCReturnInt(0);
}
ret = mpm_table[mpm_ctx->mpm_type].
Search(mpm_ctx, &det_ctx->mtc, &det_ctx->pmq,
p->payload, p->payload_len);
SCReturnInt(ret);
}
/** \brief Pattern match -- searches for only one pattern per signature.
*
* \param det_ctx detection engine thread ctx
* \param p packet
* \param smsg stream msg (reassembled stream data)
* \param flags stream flags
*
* \retval ret number of matches
*/
uint32_t StreamPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p,
StreamMsg *smsg, uint8_t flags)
{
SCEnter();
uint32_t ret = 0;
uint8_t cnt = 0;
//PrintRawDataFp(stdout, smsg->data.data, smsg->data.data_len);
uint32_t r;
if (flags & STREAM_TOSERVER) {
for ( ; smsg != NULL; smsg = smsg->next) {
r = mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_stream_ctx_ts, &det_ctx->mtcs,
&det_ctx->pmq, smsg->data, smsg->data_len);
if (r > 0) {
ret += r;
}
cnt++;
}
} else if (flags & STREAM_TOCLIENT) {
for ( ; smsg != NULL; smsg = smsg->next) {
r = mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_stream_ctx_tc, &det_ctx->mtcs,
&det_ctx->pmq, smsg->data, smsg->data_len);
if (r > 0) {
ret += r;
}
cnt++;
}
}
SCReturnInt(ret);
}
/** \brief Pattern match -- searches for only one pattern per signature.
*
* \param det_ctx detection engine thread ctx
* \param p packet to inspect
*
* \retval ret number of matches
*/
uint32_t PacketPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p)
{
SCEnter();
uint32_t ret;
const MpmCtx *mpm_ctx = NULL;
if (p->proto == IPPROTO_TCP) {
if (p->flowflags & FLOW_PKT_TOSERVER) {
mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx_ts;
} else if (p->flowflags & FLOW_PKT_TOCLIENT) {
mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx_tc;
}
} else if (p->proto == IPPROTO_UDP) {
if (p->flowflags & FLOW_PKT_TOSERVER) {
mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx_ts;
} else if (p->flowflags & FLOW_PKT_TOCLIENT) {
mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx_tc;
}
} else {
mpm_ctx = det_ctx->sgh->mpm_proto_other_ctx;
}
if (unlikely(mpm_ctx == NULL))
SCReturnInt(0);
#ifdef __SC_CUDA_SUPPORT__
if (p->cuda_pkt_vars.cuda_mpm_enabled && p->pkt_src == PKT_SRC_WIRE) {
ret = SCACCudaPacketResultsProcessing(p, mpm_ctx, &det_ctx->pmq);
} else {
ret = mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
&det_ctx->mtc,
&det_ctx->pmq,
p->payload,
p->payload_len);
}
#else
ret = mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
&det_ctx->mtc,
&det_ctx->pmq,
p->payload,
p->payload_len);
#endif
SCReturnInt(ret);
}
/**
* \brief Do the content inspection & validation for a signature
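Review bot: StreamPatternSearch dereferences `det_ctx->sgh->mpm_stream_ctx_ts` and `det_ctx->sgh->mpm_stream_ctx_tc` with no NULL check, while PacketPatternSearchWithStreamCtx directly above both asserts and guards the same two pointers. Whether every caller guarantees a stream ctx for the direction given in `flags` is not visible in this section; if one does not, a missing ctx takes the detection thread down instead of returning 0 matches. I would open each branch with the matching assertion, e.g. `DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_stream_ctx_ts == NULL);`, and return early with `SCReturnInt(0);` when the pointer is NULL. Separately, `uint8_t cnt` is incremented but never read and can be dropped, and `if (r > 0)` is redundant on a `uint32_t`.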

@ -47,6 +47,99 @@
#include "app-layer.h"
#include "app-layer-htp.h"
#include "app-layer-protos.h"
#include "util-validate.h"
/** \brief Uri Pattern match -- searches for one pattern per signature.
*
* \param det_ctx detection engine thread ctx
* \param p packet to inspect
*
* \retval ret number of matches
*/
static uint32_t UriPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *uri, uint16_t uri_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_uri_ctx_ts == NULL);
ret = mpm_table[det_ctx->sgh->mpm_uri_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_uri_ctx_ts,
&det_ctx->mtcu, &det_ctx->pmq, uri, uri_len);
//PrintRawDataFp(stdout, uri, uri_len);
SCReturnUInt(ret);
}
/**
* \brief Checks if the content sent as the argument, has a uricontent which
* has been provided in the rule. This match function matches the
* normalized http uri against the given rule using multi pattern
* search algorithms.
*
* \param det_ctx Pointer to the detection engine thread context
* \param content Pointer to the uri content currently being matched
* \param content_len Content_len of the received uri content
*
* \retval 1 if the uri contents match; 0 no match
*/
static inline int DoDetectAppLayerUricontentMatch (DetectEngineThreadCtx *det_ctx,
uint8_t *uri, uint16_t uri_len, uint8_t flags)
{
int ret = 0;
/* run the pattern matcher against the uri */
if (det_ctx->sgh->mpm_uricontent_minlen > uri_len) {
SCLogDebug("not searching as uri len is smaller than the "
"shortest uricontent length we need to match");
} else {
SCLogDebug("search: (%p, minlen %" PRIu32 ", sgh->sig_cnt "
"%" PRIu32 ")", det_ctx->sgh,
det_ctx->sgh->mpm_uricontent_minlen, det_ctx->sgh->sig_cnt);
ret += UriPatternSearch(det_ctx, uri, uri_len, flags);
SCLogDebug("post search: cnt %" PRIu32, ret);
}
return ret;
}
/**
* \brief Run the pattern matcher against the uri(s)
*
* We run against _all_ uri(s) we have as the pattern matcher will
* flag each sig that has a match. We need to do this for all uri(s)
* to not miss possible events.
*
* \param f locked flow
* \param htp_state initialized htp state
*
* \warning Make sure the flow/state is locked
* \todo what should we return? Just the fact that we matched?
*/
uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,
void *txv, uint64_t idx)
{
SCEnter();
htp_tx_t *tx = (htp_tx_t *)txv;
HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
uint32_t cnt = 0;
if (tx_ud == NULL || tx_ud->request_uri_normalized == NULL)
goto end;
cnt = DoDetectAppLayerUricontentMatch(det_ctx, (uint8_t *)
bstr_ptr(tx_ud->request_uri_normalized),
bstr_len(tx_ud->request_uri_normalized),
flags);
end:
SCReturnUInt(cnt);
}
/**
* \brief Do the content inspection & validation for a signature
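Review bot: `uri_len` is `uint16_t` in both UriPatternSearch and DoDetectAppLayerUricontentMatch, but DetectUricontentInspectMpm passes `bstr_len(tx_ud->request_uri_normalized)` (a `size_t` in libhtp, as far as I can tell) straight into it. A normalized URI longer than 65535 bytes would then be narrowed silently, so both the `mpm_uricontent_minlen` check and the search would run on a wrapped length. The other buffer searches declared in the header on this page take `uint32_t`. I would either widen here to `uint8_t *uri, uint32_t uri_len, uint8_t flags` or clamp explicitly at the call site, depending on the length type the `Search` callback accepts, which is not visible in this section. The doc comments also lag the signatures: UriPatternSearch documents `\param p packet to inspect` and DoDetectAppLayerUricontentMatch documents `content`/`content_len`, while the parameters are `uri`, `uri_len` and `flags`.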

@ -190,72 +190,6 @@ error:
SCReturnInt(-1);
}
/**
* \brief Checks if the content sent as the argument, has a uricontent which
* has been provided in the rule. This match function matches the
* normalized http uri against the given rule using multi pattern
* search algorithms.
*
* \param det_ctx Pointer to the detection engine thread context
* \param content Pointer to the uri content currently being matched
* \param content_len Content_len of the received uri content
*
* \retval 1 if the uri contents match; 0 no match
*/
static inline int DoDetectAppLayerUricontentMatch (DetectEngineThreadCtx *det_ctx,
uint8_t *uri, uint16_t uri_len, uint8_t flags)
{
int ret = 0;
/* run the pattern matcher against the uri */
if (det_ctx->sgh->mpm_uricontent_minlen > uri_len) {
SCLogDebug("not searching as uri len is smaller than the "
"shortest uricontent length we need to match");
} else {
SCLogDebug("search: (%p, minlen %" PRIu32 ", sgh->sig_cnt "
"%" PRIu32 ")", det_ctx->sgh,
det_ctx->sgh->mpm_uricontent_minlen, det_ctx->sgh->sig_cnt);
ret += UriPatternSearch(det_ctx, uri, uri_len, flags);
SCLogDebug("post search: cnt %" PRIu32, ret);
}
return ret;
}
/**
* \brief Run the pattern matcher against the uri(s)
*
* We run against _all_ uri(s) we have as the pattern matcher will
* flag each sig that has a match. We need to do this for all uri(s)
* to not miss possible events.
*
* \param f locked flow
* \param htp_state initialized htp state
*
* \warning Make sure the flow/state is locked
* \todo what should we return? Just the fact that we matched?
*/
uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,
void *txv, uint64_t idx)
{
SCEnter();
htp_tx_t *tx = (htp_tx_t *)txv;
HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
uint32_t cnt = 0;
if (tx_ud == NULL || tx_ud->request_uri_normalized == NULL)
goto end;
cnt = DoDetectAppLayerUricontentMatch(det_ctx, (uint8_t *)
bstr_ptr(tx_ud->request_uri_normalized),
bstr_len(tx_ud->request_uri_normalized),
flags);
end:
SCReturnUInt(cnt);
}
/*
* UNITTTESTS
*/
