aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use new flags to indicate uricontent has a mpm set

Browse Source
remotes/origin/master-1.1.x
Anoop Saldanha 15 years ago committed by Victor Julien
parent 46b4806d8e
commit 6eaba8941c
4 changed files with 27 additions and 20 deletions
Show Stats Download Patch File Download Diff File

33
src/detect-engine-mpm.c
Unescape Escape View File

@ -839,6 +839,10 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
s->mpm_stream_pattern_id_div_8 = cd->id / 8; s->mpm_stream_pattern_id_div_8 = cd->id / 8;
s->mpm_stream_pattern_id_mod_8 = 1 << (cd->id % 8); s->mpm_stream_pattern_id_mod_8 = 1 << (cd->id % 8);
} }
if (cd->flags & DETECT_CONTENT_NEGATED) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_NEGCONTENT;
}
} }
break; break;
@ -895,18 +899,15 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
} }
} }
/* tell matcher we are inspecting uri */ /* tell matcher we are inspecting uri */
s->flags |= SIG_FLAG_MPM_URI; s->flags |= SIG_FLAG_MPM_URICONTENT;
s->mpm_uripattern_id = ud->id; s->mpm_uripattern_id = ud->id;
if (ud->flags & DETECT_URICONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_URICONTENT_NEG;
break; break;
} /* case DETECT_URICONTENT */ } /* case DETECT_URICONTENT */
} /* switch (mpm_sm->type) */ } /* switch (mpm_sm->type) */
if (scan_negated) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_NEGCONTENT;
}
SCLogDebug("%"PRIu32" adding co->id %"PRIu32" to the mpm phase (s->num %"PRIu32")", s->id, co->id, s->num); SCLogDebug("%"PRIu32" adding co->id %"PRIu32" to the mpm phase (s->num %"PRIu32")", s->id, co->id, s->num);
} else { } else {
SCLogDebug("%"PRIu32" no mpm pattern selected", s->id); SCLogDebug("%"PRIu32" no mpm pattern selected", s->id);
@ -1914,34 +1915,38 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
PatternMatchPreparePopulateMpm(de_ctx, sh, populate_mpm_flags); PatternMatchPreparePopulateMpm(de_ctx, sh, populate_mpm_flags);
//if (mpm_table[sh->mpm_ctx->mpm_type].Prepare != NULL) {
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) { if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
if (sh->mpm_ctx != NULL) { if (sh->mpm_ctx != NULL) {
if (sh->mpm_ctx->pattern_cnt == 0) { if (sh->mpm_ctx->pattern_cnt == 0) {
sh->mpm_ctx = NULL; sh->mpm_ctx = NULL;
} else { } else {
if (!(populate_mpm_flags & POPULATE_MPM_AVOID_PACKET_MPM_PATTERNS)) if (!(populate_mpm_flags & POPULATE_MPM_AVOID_PACKET_MPM_PATTERNS)) {
mpm_table[sh->mpm_ctx->mpm_type].Prepare(sh->mpm_ctx); if (mpm_table[sh->mpm_ctx->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_ctx->mpm_type].Prepare(sh->mpm_ctx);
}
} }
} }
if (sh->mpm_stream_ctx != NULL) { if (sh->mpm_stream_ctx != NULL) {
if (sh->mpm_stream_ctx->pattern_cnt == 0) { if (sh->mpm_stream_ctx->pattern_cnt == 0) {
sh->mpm_stream_ctx = NULL; sh->mpm_stream_ctx = NULL;
} else { } else {
if (!(populate_mpm_flags & POPULATE_MPM_AVOID_STREAM_MPM_PATTERNS)) if (!(populate_mpm_flags & POPULATE_MPM_AVOID_STREAM_MPM_PATTERNS)) {
mpm_table[sh->mpm_stream_ctx->mpm_type].Prepare(sh->mpm_stream_ctx); if (mpm_table[sh->mpm_stream_ctx->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_stream_ctx->mpm_type].Prepare(sh->mpm_stream_ctx);
}
} }
} }
if (sh->mpm_uri_ctx != NULL) { if (sh->mpm_uri_ctx != NULL) {
if (sh->mpm_uri_ctx->pattern_cnt == 0) { if (sh->mpm_uri_ctx->pattern_cnt == 0) {
sh->mpm_uri_ctx = NULL; sh->mpm_uri_ctx = NULL;
} else { } else {
if (!(populate_mpm_flags & POPULATE_MPM_AVOID_URI_MPM_PATTERNS)) if (!(populate_mpm_flags & POPULATE_MPM_AVOID_URI_MPM_PATTERNS)) {
mpm_table[sh->mpm_uri_ctx->mpm_type].Prepare(sh->mpm_uri_ctx); if (mpm_table[sh->mpm_uri_ctx->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_uri_ctx->mpm_type].Prepare(sh->mpm_uri_ctx);
}
} }
} }
} }
//}
} }
///* uricontent */ ///* uricontent */

8
src/detect-engine-uri.c
Unescape Escape View File

@ -372,7 +372,7 @@ int DetectEngineInspectPacketUris(DetectEngineCtx *de_ctx,
/* If we have the uricontent multi pattern matcher signatures in /* If we have the uricontent multi pattern matcher signatures in
signature list, then search the received HTTP uri(s) in the htp signature list, then search the received HTTP uri(s) in the htp
state against those patterns */ state against those patterns */
if (s->flags & SIG_FLAG_MPM_URI) { if (s->flags & SIG_FLAG_MPM_URICONTENT) {
if (det_ctx->de_mpm_scanned_uri == FALSE) { if (det_ctx->de_mpm_scanned_uri == FALSE) {
uint32_t cnt = DetectUricontentInspectMpm(det_ctx, f, htp_state); uint32_t cnt = DetectUricontentInspectMpm(det_ctx, f, htp_state);
@ -392,17 +392,17 @@ int DetectEngineInspectPacketUris(DetectEngineCtx *de_ctx,
} }
/* if we don't have a uri, don't bother inspecting */ /* if we don't have a uri, don't bother inspecting */
if (det_ctx->de_have_httpuri == FALSE && !(s->flags & SIG_FLAG_MPM_URI_NEG)) { if (det_ctx->de_have_httpuri == FALSE && !(s->flags & SIG_FLAG_MPM_URICONTENT_NEG)) {
SCLogDebug("We don't have uri"); SCLogDebug("We don't have uri");
goto end; goto end;
} }
if ((s->flags & SIG_FLAG_MPM_URI) && (det_ctx->de_mpm_scanned_uri == TRUE)) { if ((s->flags & SIG_FLAG_MPM_URICONTENT) && (det_ctx->de_mpm_scanned_uri == TRUE)) {
if (det_ctx->pmq.pattern_id_bitarray != NULL) { if (det_ctx->pmq.pattern_id_bitarray != NULL) {
/* filter out sigs that want pattern matches, but /* filter out sigs that want pattern matches, but
* have no matches */ * have no matches */
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_uripattern_id / 8)] & (1<<(s->mpm_uripattern_id % 8))) && if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_uripattern_id / 8)] & (1<<(s->mpm_uripattern_id % 8))) &&
(s->flags & SIG_FLAG_MPM_URI) && !(s->flags & SIG_FLAG_MPM_URI_NEG)) { (s->flags & SIG_FLAG_MPM_URICONTENT) && !(s->flags & SIG_FLAG_MPM_URICONTENT_NEG)) {
SCLogDebug("mpm sig without matches (pat id %"PRIu32 SCLogDebug("mpm sig without matches (pat id %"PRIu32
" check in uri).", s->mpm_uripattern_id); " check in uri).", s->mpm_uripattern_id);
goto end; goto end;

4
src/detect-parse.c
Unescape Escape View File

@ -1294,7 +1294,7 @@ Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) {
if (ud == NULL) if (ud == NULL)
continue; continue;
//sig->flags |= SIG_FLAG_MPM_URI; sig->flags |= SIG_FLAG_MPM_URI;
if (ud->flags & DETECT_URICONTENT_NEGATED) { if (ud->flags & DETECT_URICONTENT_NEGATED) {
sig->flags |= SIG_FLAG_MPM_URI_NEG; sig->flags |= SIG_FLAG_MPM_URI_NEG;
@ -1436,7 +1436,7 @@ Signature *SigInitReal(DetectEngineCtx *de_ctx, char *sigstr) {
if (ud == NULL) if (ud == NULL)
continue; continue;
//sig->flags |= SIG_FLAG_MPM_URI; sig->flags |= SIG_FLAG_MPM_URI;
if (ud->flags & DETECT_URICONTENT_NEGATED) { if (ud->flags & DETECT_URICONTENT_NEGATED) {
sig->flags |= SIG_FLAG_MPM_URI_NEG; sig->flags |= SIG_FLAG_MPM_URI_NEG;

2
src/detect.h
Unescape Escape View File

@ -230,6 +230,8 @@ typedef struct DetectPort_ {
#define SIG_FLAG_MPM_PACKET 0x00200000 #define SIG_FLAG_MPM_PACKET 0x00200000
#define SIG_FLAG_MPM_STREAM 0x00400000 #define SIG_FLAG_MPM_STREAM 0x00400000
#define SIG_FLAG_MPM_URICONTENT 0x00800000
#define SIG_FLAG_MPM_URICONTENT_NEG 0x01000000
/* signature mask flags */ /* signature mask flags */
#define SIG_MASK_REQUIRE_PAYLOAD 0x01 #define SIG_MASK_REQUIRE_PAYLOAD 0x01

Write Preview
Loading…
Cancel
Save