From 6eaba8941c9c7d127fae089fd129c2eaf5b3d688 Mon Sep 17 00:00:00 2001 From: Anoop Saldanha Date: Tue, 16 Nov 2010 18:50:24 +0530 Subject: [PATCH] Use new flags to indicate uricontent has a mpm set --- src/detect-engine-mpm.c | 33 +++++++++++++++++++-------------- src/detect-engine-uri.c | 8 ++++---- src/detect-parse.c | 4 ++-- src/detect.h | 2 ++ 4 files changed, 27 insertions(+), 20 deletions(-) diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index 4b18624ff1..e9bf152a8a 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -839,6 +839,10 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx, s->mpm_stream_pattern_id_div_8 = cd->id / 8; s->mpm_stream_pattern_id_mod_8 = 1 << (cd->id % 8); } + if (cd->flags & DETECT_CONTENT_NEGATED) { + SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id); + s->flags |= SIG_FLAG_MPM_NEGCONTENT; + } } break; @@ -895,18 +899,15 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx, } } /* tell matcher we are inspecting uri */ - s->flags |= SIG_FLAG_MPM_URI; + s->flags |= SIG_FLAG_MPM_URICONTENT; s->mpm_uripattern_id = ud->id; + if (ud->flags & DETECT_URICONTENT_NEGATED) + s->flags |= SIG_FLAG_MPM_URICONTENT_NEG; break; } /* case DETECT_URICONTENT */ } /* switch (mpm_sm->type) */ - if (scan_negated) { - SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id); - s->flags |= SIG_FLAG_MPM_NEGCONTENT; - } - SCLogDebug("%"PRIu32" adding co->id %"PRIu32" to the mpm phase (s->num %"PRIu32")", s->id, co->id, s->num); } else { SCLogDebug("%"PRIu32" no mpm pattern selected", s->id); @@ -1914,34 +1915,38 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) PatternMatchPreparePopulateMpm(de_ctx, sh, populate_mpm_flags); - //if (mpm_table[sh->mpm_ctx->mpm_type].Prepare != NULL) { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) { if (sh->mpm_ctx != NULL) { if (sh->mpm_ctx->pattern_cnt == 0) { sh->mpm_ctx = NULL; } else { - if (!(populate_mpm_flags & POPULATE_MPM_AVOID_PACKET_MPM_PATTERNS)) - mpm_table[sh->mpm_ctx->mpm_type].Prepare(sh->mpm_ctx); + if (!(populate_mpm_flags & POPULATE_MPM_AVOID_PACKET_MPM_PATTERNS)) { + if (mpm_table[sh->mpm_ctx->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_ctx->mpm_type].Prepare(sh->mpm_ctx); + } } } if (sh->mpm_stream_ctx != NULL) { if (sh->mpm_stream_ctx->pattern_cnt == 0) { sh->mpm_stream_ctx = NULL; } else { - if (!(populate_mpm_flags & POPULATE_MPM_AVOID_STREAM_MPM_PATTERNS)) - mpm_table[sh->mpm_stream_ctx->mpm_type].Prepare(sh->mpm_stream_ctx); + if (!(populate_mpm_flags & POPULATE_MPM_AVOID_STREAM_MPM_PATTERNS)) { + if (mpm_table[sh->mpm_stream_ctx->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_stream_ctx->mpm_type].Prepare(sh->mpm_stream_ctx); + } } } if (sh->mpm_uri_ctx != NULL) { if (sh->mpm_uri_ctx->pattern_cnt == 0) { sh->mpm_uri_ctx = NULL; } else { - if (!(populate_mpm_flags & POPULATE_MPM_AVOID_URI_MPM_PATTERNS)) - mpm_table[sh->mpm_uri_ctx->mpm_type].Prepare(sh->mpm_uri_ctx); + if (!(populate_mpm_flags & POPULATE_MPM_AVOID_URI_MPM_PATTERNS)) { + if (mpm_table[sh->mpm_uri_ctx->mpm_type].Prepare != NULL) + mpm_table[sh->mpm_uri_ctx->mpm_type].Prepare(sh->mpm_uri_ctx); + } } } } - //} } ///* uricontent */ diff --git a/src/detect-engine-uri.c b/src/detect-engine-uri.c index 124065b7f0..696d5263f7 100644 --- a/src/detect-engine-uri.c +++ b/src/detect-engine-uri.c @@ -372,7 +372,7 @@ int DetectEngineInspectPacketUris(DetectEngineCtx *de_ctx, /* If we have the uricontent multi pattern matcher signatures in signature list, then search the received HTTP uri(s) in the htp state against those patterns */ - if (s->flags & SIG_FLAG_MPM_URI) { + if (s->flags & SIG_FLAG_MPM_URICONTENT) { if (det_ctx->de_mpm_scanned_uri == FALSE) { uint32_t cnt = DetectUricontentInspectMpm(det_ctx, f, htp_state); @@ -392,17 +392,17 @@ int DetectEngineInspectPacketUris(DetectEngineCtx *de_ctx, } /* if we don't have a uri, don't bother inspecting */ - if (det_ctx->de_have_httpuri == FALSE && !(s->flags & SIG_FLAG_MPM_URI_NEG)) { + if (det_ctx->de_have_httpuri == FALSE && !(s->flags & SIG_FLAG_MPM_URICONTENT_NEG)) { SCLogDebug("We don't have uri"); goto end; } - if ((s->flags & SIG_FLAG_MPM_URI) && (det_ctx->de_mpm_scanned_uri == TRUE)) { + if ((s->flags & SIG_FLAG_MPM_URICONTENT) && (det_ctx->de_mpm_scanned_uri == TRUE)) { if (det_ctx->pmq.pattern_id_bitarray != NULL) { /* filter out sigs that want pattern matches, but * have no matches */ if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_uripattern_id / 8)] & (1<<(s->mpm_uripattern_id % 8))) && - (s->flags & SIG_FLAG_MPM_URI) && !(s->flags & SIG_FLAG_MPM_URI_NEG)) { + (s->flags & SIG_FLAG_MPM_URICONTENT) && !(s->flags & SIG_FLAG_MPM_URICONTENT_NEG)) { SCLogDebug("mpm sig without matches (pat id %"PRIu32 " check in uri).", s->mpm_uripattern_id); goto end; diff --git a/src/detect-parse.c b/src/detect-parse.c index d843bb002f..c336f317d2 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -1294,7 +1294,7 @@ Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) { if (ud == NULL) continue; - //sig->flags |= SIG_FLAG_MPM_URI; + sig->flags |= SIG_FLAG_MPM_URI; if (ud->flags & DETECT_URICONTENT_NEGATED) { sig->flags |= SIG_FLAG_MPM_URI_NEG; @@ -1436,7 +1436,7 @@ Signature *SigInitReal(DetectEngineCtx *de_ctx, char *sigstr) { if (ud == NULL) continue; - //sig->flags |= SIG_FLAG_MPM_URI; + sig->flags |= SIG_FLAG_MPM_URI; if (ud->flags & DETECT_URICONTENT_NEGATED) { sig->flags |= SIG_FLAG_MPM_URI_NEG; diff --git a/src/detect.h b/src/detect.h index 144ecd266b..3bd4ef8879 100644 --- a/src/detect.h +++ b/src/detect.h @@ -230,6 +230,8 @@ typedef struct DetectPort_ { #define SIG_FLAG_MPM_PACKET 0x00200000 #define SIG_FLAG_MPM_STREAM 0x00400000 +#define SIG_FLAG_MPM_URICONTENT 0x00800000 +#define SIG_FLAG_MPM_URICONTENT_NEG 0x01000000 /* signature mask flags */ #define SIG_MASK_REQUIRE_PAYLOAD 0x01