app-layer-events: dynamic list

8 years ago · 815120896b
parent b68343e372
commit 815120896b
5 changed files with 48 additions and 47 deletions
--- a/src/detect-app-layer-event.c
+++ b/src/detect-app-layer-event.c
@ -60,6 +60,8 @@ static int DetectEngineAptEventInspect(ThreadVars *tv,
        const Signature *s, const SigMatchData *smd,
        Flow *f, uint8_t flags, void *alstate,
        void *tx, uint64_t tx_id);
+static void DetectAppLayerEventSetupCallback(Signature *s);
+static int g_applayer_events_list_id = 0;

 /**
 * \brief Registers the keyword handlers for the "app-layer-event" keyword.
@ -76,14 +78,17 @@ void DetectAppLayerEventRegister(void)
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].RegisterTests =
        DetectAppLayerEventRegisterTests;

-    DetectAppLayerInspectEngineRegister(ALPROTO_UNKNOWN,
-            SIG_FLAG_TOSERVER, DETECT_SM_LIST_APP_EVENT,
+    DetectAppLayerInspectEngineRegister2("app-layer-events",
+            ALPROTO_UNKNOWN, SIG_FLAG_TOSERVER,
            DetectEngineAptEventInspect);
-    DetectAppLayerInspectEngineRegister(ALPROTO_UNKNOWN,
-            SIG_FLAG_TOCLIENT, DETECT_SM_LIST_APP_EVENT,
+    DetectAppLayerInspectEngineRegister2("app-layer-events",
+            ALPROTO_UNKNOWN, SIG_FLAG_TOCLIENT,
            DetectEngineAptEventInspect);

-    return;
+    DetectBufferTypeRegisterSetupCallback("app-layer-events",
+            DetectAppLayerEventSetupCallback);
+
+    g_applayer_events_list_id = DetectBufferTypeGetByName("app-layer-events");
 }

 static int DetectEngineAptEventInspect(ThreadVars *tv,
@ -165,6 +170,38 @@ static int DetectAppLayerEventAppMatch(ThreadVars *t, DetectEngineThreadCtx *det
    SCReturnInt(r);
 }

+static void DetectAppLayerEventSetupCallback(Signature *s)
+{
+    SigMatch *sm;
+    for (sm = s->init_data->smlists[g_applayer_events_list_id] ; sm != NULL; sm = sm->next) {
+        switch (sm->type) {
+            case DETECT_AL_APP_LAYER_EVENT:
+            {
+                DetectAppLayerEventData *aed = (DetectAppLayerEventData *)sm->ctx;
+                switch (aed->alproto) {
+                    case ALPROTO_HTTP:
+                        s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
+                        SCLogDebug("sig %u requires http app state (http event)", s->id);
+                        break;
+                    case ALPROTO_SMTP:
+                        s->mask |= SIG_MASK_REQUIRE_SMTP_STATE;
+                        SCLogDebug("sig %u requires smtp app state (smtp event)", s->id);
+                        break;
+                    case ALPROTO_DNS:
+                        s->mask |= SIG_MASK_REQUIRE_DNS_STATE;
+                        SCLogDebug("sig %u requires dns app state (dns event)", s->id);
+                        break;
+                    case ALPROTO_TLS:
+                        s->mask |= SIG_MASK_REQUIRE_TLS_STATE;
+                        SCLogDebug("sig %u requires tls app state (tls event)", s->id);
+                        break;
+                }
+                break;
+            }
+        }
+    }
+}
+
 static DetectAppLayerEventData *DetectAppLayerEventParsePkt(const char *arg,
                                                            AppLayerEventType *event_type)
 {
@ -302,7 +339,7 @@ static int DetectAppLayerEventSetupP2(Signature *s,
    if (event_type == APP_LAYER_EVENT_TYPE_GENERAL)
        SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
    else
-        SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_APP_EVENT);
+        SigMatchAppendSMToList(s, sm, g_applayer_events_list_id);
    /* We should have set this flag already in SetupP1 */
    s->flags |= SIG_FLAG_APPLAYER;

@ -341,7 +378,7 @@ static int DetectAppLayerEventSetupP1(DetectEngineCtx *de_ctx, Signature *s, cha
    } else {
        /* We push it to this list temporarily.  We deal with
         * these in DetectAppLayerEventPrepare(). */
-        SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_APP_EVENT);
+        SigMatchAppendSMToList(s, sm, g_applayer_events_list_id);
        s->flags |= SIG_FLAG_APPLAYER;
    }

@ -370,9 +407,9 @@ static void DetectAppLayerEventFree(void *ptr)

 int DetectAppLayerEventPrepare(Signature *s)
 {
-    SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_APP_EVENT];
-    s->init_data->smlists[DETECT_SM_LIST_APP_EVENT] = NULL;
-    s->init_data->smlists_tail[DETECT_SM_LIST_APP_EVENT] = NULL;
+    SigMatch *sm = s->init_data->smlists[g_applayer_events_list_id];
+    s->init_data->smlists[g_applayer_events_list_id] = NULL;
+    s->init_data->smlists_tail[g_applayer_events_list_id] = NULL;

    while (sm != NULL) {
        sm->next = sm->prev = NULL;
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@ -2798,9 +2798,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
        case DETECT_SM_LIST_PMATCH:
            return "packet/stream payload";

-        case DETECT_SM_LIST_APP_EVENT:
-            return "app layer events";
-
        case DETECT_SM_LIST_AMATCH:
            return "generic app layer";
        case DETECT_SM_LIST_DMATCH:
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@ -141,7 +141,6 @@ const char *DetectListToHumanString(int list)
    switch (list) {
        CASE_CODE_STRING(DETECT_SM_LIST_MATCH, "packet");
        CASE_CODE_STRING(DETECT_SM_LIST_PMATCH, "payload");
-        CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event");
        CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer");
        CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
        CASE_CODE_STRING(DETECT_SM_LIST_TMATCH, "tag");
@ -162,7 +161,6 @@ const char *DetectListToString(int list)
    switch (list) {
        CASE_CODE(DETECT_SM_LIST_MATCH);
        CASE_CODE(DETECT_SM_LIST_PMATCH);
-        CASE_CODE(DETECT_SM_LIST_APP_EVENT);
        CASE_CODE(DETECT_SM_LIST_AMATCH);
        CASE_CODE(DETECT_SM_LIST_DMATCH);
        CASE_CODE(DETECT_SM_LIST_TMATCH);
--- a/src/detect.c
+++ b/src/detect.c
@ -2250,34 +2250,6 @@ static int SignatureCreateMask(Signature *s)
        }
    }

-    for (sm = s->init_data->smlists[DETECT_SM_LIST_APP_EVENT] ; sm != NULL; sm = sm->next) {
-        switch (sm->type) {
-            case DETECT_AL_APP_LAYER_EVENT:
-            {
-                DetectAppLayerEventData *aed = (DetectAppLayerEventData *)sm->ctx;
-                switch (aed->alproto) {
-                    case ALPROTO_HTTP:
-                        s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
-                        SCLogDebug("sig %u requires http app state (http event)", s->id);
-                        break;
-                    case ALPROTO_SMTP:
-                        s->mask |= SIG_MASK_REQUIRE_SMTP_STATE;
-                        SCLogDebug("sig %u requires smtp app state (smtp event)", s->id);
-                        break;
-                    case ALPROTO_DNS:
-                        s->mask |= SIG_MASK_REQUIRE_DNS_STATE;
-                        SCLogDebug("sig %u requires dns app state (dns event)", s->id);
-                        break;
-                    case ALPROTO_TLS:
-                        s->mask |= SIG_MASK_REQUIRE_TLS_STATE;
-                        SCLogDebug("sig %u requires tls app state (tls event)", s->id);
-                        break;
-                }
-                break;
-            }
-        }
-    }
-
    for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
        switch(sm->type) {
            case DETECT_FLOWBITS:
--- a/src/detect.h
+++ b/src/detect.h
@ -115,10 +115,7 @@ enum DetectSigmatchListEnum {

    DETECT_SM_LIST_BUILTIN_MAX,

-    /* app event engine sm list */
-    DETECT_SM_LIST_APP_EVENT = DETECT_SM_LIST_BUILTIN_MAX,
-
-    DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH,
+    DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH = DETECT_SM_LIST_BUILTIN_MAX,

    DETECT_SM_LIST_MAX,