aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use new flags to indicate uricontent has a mpm set

Browse Source
remotes/origin/master-1.1.x
Anoop Saldanha 15 years ago committed by Victor Julien
parent 46b4806d8e
commit 6eaba8941c
4 changed files with 27 additions and 20 deletions
Show Stats Download Patch File Download Diff File

33
src/detect-engine-mpm.c
Unescape Escape View File

@ -839,6 +839,10 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
s->mpm_stream_pattern_id_div_8 = cd->id / 8;
s->mpm_stream_pattern_id_mod_8 = 1 << (cd->id % 8);
}
if (cd->flags & DETECT_CONTENT_NEGATED) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_NEGCONTENT;
}
}
break;
@ -895,18 +899,15 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
}
}
/* tell matcher we are inspecting uri */
s->flags |= SIG_FLAG_MPM_URI;
s->flags |= SIG_FLAG_MPM_URICONTENT;
s->mpm_uripattern_id = ud->id;
if (ud->flags & DETECT_URICONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_URICONTENT_NEG;
break;
} /* case DETECT_URICONTENT */
} /* switch (mpm_sm->type) */
if (scan_negated) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_NEGCONTENT;
}
SCLogDebug("%"PRIu32" adding co->id %"PRIu32" to the mpm phase (s->num %"PRIu32")", s->id, co->id, s->num);
} else {
SCLogDebug("%"PRIu32" no mpm pattern selected", s->id);
@ -1914,34 +1915,38 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
PatternMatchPreparePopulateMpm(de_ctx, sh, populate_mpm_flags);
//if (mpm_table[sh->mpm_ctx->mpm_type].Prepare != NULL) {
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
if (sh->mpm_ctx != NULL) {
if (sh->mpm_ctx->pattern_cnt == 0) {
sh->mpm_ctx = NULL;
} else {
if (!(populate_mpm_flags & POPULATE_MPM_AVOID_PACKET_MPM_PATTERNS))
mpm_table[sh->mpm_ctx->mpm_type].Prepare(sh->mpm_ctx);
if (!(populate_mpm_flags & POPULATE_MPM_AVOID_PACKET_MPM_PATTERNS)) {
if (mpm_table[sh->mpm_ctx->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_ctx->mpm_type].Prepare(sh->mpm_ctx);
}
}
}
if (sh->mpm_stream_ctx != NULL) {
if (sh->mpm_stream_ctx->pattern_cnt == 0) {
sh->mpm_stream_ctx = NULL;
} else {
if (!(populate_mpm_flags & POPULATE_MPM_AVOID_STREAM_MPM_PATTERNS))
mpm_table[sh->mpm_stream_ctx->mpm_type].Prepare(sh->mpm_stream_ctx);
if (!(populate_mpm_flags & POPULATE_MPM_AVOID_STREAM_MPM_PATTERNS)) {
if (mpm_table[sh->mpm_stream_ctx->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_stream_ctx->mpm_type].Prepare(sh->mpm_stream_ctx);
}
}
}
if (sh->mpm_uri_ctx != NULL) {
if (sh->mpm_uri_ctx->pattern_cnt == 0) {
sh->mpm_uri_ctx = NULL;
} else {
if (!(populate_mpm_flags & POPULATE_MPM_AVOID_URI_MPM_PATTERNS))
mpm_table[sh->mpm_uri_ctx->mpm_type].Prepare(sh->mpm_uri_ctx);
if (!(populate_mpm_flags & POPULATE_MPM_AVOID_URI_MPM_PATTERNS)) {
if (mpm_table[sh->mpm_uri_ctx->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_uri_ctx->mpm_type].Prepare(sh->mpm_uri_ctx);
}
}
}
}
//}
}
///* uricontent */

8
src/detect-engine-uri.c
Unescape Escape View File

@ -372,7 +372,7 @@ int DetectEngineInspectPacketUris(DetectEngineCtx *de_ctx,
/* If we have the uricontent multi pattern matcher signatures in
signature list, then search the received HTTP uri(s) in the htp
state against those patterns */
if (s->flags & SIG_FLAG_MPM_URI) {
if (s->flags & SIG_FLAG_MPM_URICONTENT) {
if (det_ctx->de_mpm_scanned_uri == FALSE) {
uint32_t cnt = DetectUricontentInspectMpm(det_ctx, f, htp_state);
@ -392,17 +392,17 @@ int DetectEngineInspectPacketUris(DetectEngineCtx *de_ctx,
}
/* if we don't have a uri, don't bother inspecting */
if (det_ctx->de_have_httpuri == FALSE && !(s->flags & SIG_FLAG_MPM_URI_NEG)) {
if (det_ctx->de_have_httpuri == FALSE && !(s->flags & SIG_FLAG_MPM_URICONTENT_NEG)) {
SCLogDebug("We don't have uri");
goto end;
}
if ((s->flags & SIG_FLAG_MPM_URI) && (det_ctx->de_mpm_scanned_uri == TRUE)) {
if ((s->flags & SIG_FLAG_MPM_URICONTENT) && (det_ctx->de_mpm_scanned_uri == TRUE)) {
if (det_ctx->pmq.pattern_id_bitarray != NULL) {
/* filter out sigs that want pattern matches, but
* have no matches */
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_uripattern_id / 8)] & (1<<(s->mpm_uripattern_id % 8))) &&
(s->flags & SIG_FLAG_MPM_URI) && !(s->flags & SIG_FLAG_MPM_URI_NEG)) {
(s->flags & SIG_FLAG_MPM_URICONTENT) && !(s->flags & SIG_FLAG_MPM_URICONTENT_NEG)) {
SCLogDebug("mpm sig without matches (pat id %"PRIu32
" check in uri).", s->mpm_uripattern_id);
goto end;

4
src/detect-parse.c
Unescape Escape View File

@ -1294,7 +1294,7 @@ Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) {
if (ud == NULL)
continue;
//sig->flags |= SIG_FLAG_MPM_URI;
sig->flags |= SIG_FLAG_MPM_URI;
if (ud->flags & DETECT_URICONTENT_NEGATED) {
sig->flags |= SIG_FLAG_MPM_URI_NEG;
@ -1436,7 +1436,7 @@ Signature *SigInitReal(DetectEngineCtx *de_ctx, char *sigstr) {
if (ud == NULL)
continue;
//sig->flags |= SIG_FLAG_MPM_URI;
sig->flags |= SIG_FLAG_MPM_URI;
if (ud->flags & DETECT_URICONTENT_NEGATED) {
sig->flags |= SIG_FLAG_MPM_URI_NEG;

2
src/detect.h
Unescape Escape View File

@ -230,6 +230,8 @@ typedef struct DetectPort_ {
#define SIG_FLAG_MPM_PACKET 0x00200000
#define SIG_FLAG_MPM_STREAM 0x00400000
#define SIG_FLAG_MPM_URICONTENT 0x00800000
#define SIG_FLAG_MPM_URICONTENT_NEG 0x01000000
/* signature mask flags */
#define SIG_MASK_REQUIRE_PAYLOAD 0x01

Write Preview
Loading…
Cancel
Save