From 859cb89c7e573722c745acebf23dceb3240c9ece Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Sun, 16 Oct 2016 11:29:23 +0200 Subject: [PATCH] detect alert/threshold/tag: sm_list -> sm_array --- src/detect-engine-alert.c | 39 +++++++++++++++++++---------------- src/detect-engine-threshold.c | 29 +++++++++++++++++--------- src/detect-engine-threshold.h | 2 +- 3 files changed, 41 insertions(+), 29 deletions(-) diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c index 8bfd719f75..5187bf9f3c 100644 --- a/src/detect-engine-alert.c +++ b/src/detect-engine-alert.c @@ -72,18 +72,18 @@ static int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det SCEnter(); int ret = 1; const DetectThresholdData *td = NULL; - const SigMatch *sm; + const SigMatchData *smd; if (!(PKT_IS_IPV4(p) || PKT_IS_IPV6(p))) { SCReturnInt(1); } /* handle suppressions first */ - if (s->sm_lists[DETECT_SM_LIST_SUPPRESS] != NULL) { + if (s->sm_arrays[DETECT_SM_LIST_SUPPRESS] != NULL) { KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_SUPPRESS); - sm = NULL; + smd = NULL; do { - td = SigGetThresholdTypeIter(s, p, &sm, DETECT_SM_LIST_SUPPRESS); + td = SigGetThresholdTypeIter(s, p, &smd, DETECT_SM_LIST_SUPPRESS); if (td != NULL) { SCLogDebug("td %p", td); @@ -98,15 +98,15 @@ static int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det } KEYWORD_PROFILING_END(det_ctx, DETECT_THRESHOLD, 1); } - } while (sm != NULL); + } while (smd != NULL); } /* if we're still here, consider thresholding */ - if (s->sm_lists[DETECT_SM_LIST_THRESHOLD] != NULL) { + if (s->sm_arrays[DETECT_SM_LIST_THRESHOLD] != NULL) { KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_THRESHOLD); - sm = NULL; + smd = NULL; do { - td = SigGetThresholdTypeIter(s, p, &sm, DETECT_SM_LIST_THRESHOLD); + td = SigGetThresholdTypeIter(s, p, &smd, DETECT_SM_LIST_THRESHOLD); if (td != NULL) { SCLogDebug("td %p", td); 
@@ -121,7 +121,7 @@ static int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det } KEYWORD_PROFILING_END(det_ctx, DETECT_THRESHOLD, 1); } - } while (sm != NULL); + } while (smd != NULL); } SCReturnInt(1); } @@ -240,7 +240,6 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx { SCEnter(); int i = 0; - SigMatch *sm = NULL; while (i < p->alerts.cnt) { SCLogDebug("Sig->num: %"PRIu16, p->alerts.alerts[i].num); @@ -250,14 +249,18 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx if (res > 0) { /* Now, if we have an alert, we have to check if we want * to tag this session or src/dst host */ - KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_TMATCH); - sm = s->sm_lists[DETECT_SM_LIST_TMATCH]; - while (sm) { - /* tags are set only for alerts */ - KEYWORD_PROFILING_START; - sigmatch_table[sm->type].Match(NULL, det_ctx, p, (Signature *)s, sm->ctx); - KEYWORD_PROFILING_END(det_ctx, sm->type, 1); - sm = sm->next; + if (s->sm_arrays[DETECT_SM_LIST_TMATCH] != NULL) { + KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_TMATCH); + SigMatchData *smd = s->sm_arrays[DETECT_SM_LIST_TMATCH]; + while (1) { + /* tags are set only for alerts */ + KEYWORD_PROFILING_START; + sigmatch_table[smd->type].Match(NULL, det_ctx, p, (Signature *)s, smd->ctx); + KEYWORD_PROFILING_END(det_ctx, smd->type, 1); + if (smd->is_last) + break; + smd++; + } } if (s->flags & SIG_FLAG_IPONLY) { diff --git a/src/detect-engine-threshold.c b/src/detect-engine-threshold.c index 6b0d21141f..27e84d8e90 100644 --- a/src/detect-engine-threshold.c +++ b/src/detect-engine-threshold.c 
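Review bot: In the new tag loop of PacketAlertFinalize (hunk `@@ -250,14 +249,18 @@`), `SigMatchData *smd` is declared non-const although the loop only reads `smd->type`, `smd->ctx` and `smd->is_last`. PacketAlertHandle in the same file uses `const SigMatchData *smd`, so `const SigMatchData *smd = s->sm_arrays[DETECT_SM_LIST_TMATCH];` would be consistent. The `while (1)` walk stops only when it sees `smd->is_last`, so it reads past the end of the array if a terminating entry is ever missing. A comment stating that invariant at the loop would help, e.g. `/* sm_arrays entries are terminated by an element with is_last set */`. PacketAlertFinalize starts and ends outside the hunk.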
@@ -99,35 +99,44 @@ int ThresholdHostHasThreshold(Host *host) * */ const DetectThresholdData *SigGetThresholdTypeIter(const Signature *sig, - Packet *p, const SigMatch **psm, int list) + Packet *p, const SigMatchData **psm, int list) { - const SigMatch *sm = NULL; + const SigMatchData *smd = NULL; const DetectThresholdData *tsh = NULL; if (sig == NULL) return NULL; if (*psm == NULL) { - sm = sig->sm_lists_tail[list]; + smd = sig->sm_arrays[list]; } else { /* Iteration in progress, using provided value */ - sm = *psm; + smd = *psm; } if (p == NULL) return NULL; - while (sm != NULL) { - if (sm->type == DETECT_THRESHOLD || sm->type == DETECT_DETECTION_FILTER) { - tsh = (DetectThresholdData *)sm->ctx; - *psm = sm->prev; + while (1) { + if (smd->type == DETECT_THRESHOLD || + smd->type == DETECT_DETECTION_FILTER) + { + tsh = (DetectThresholdData *)smd->ctx; + + if (smd->is_last) { + *psm = NULL; + } else { + *psm = smd + 1; + } return tsh; } - sm = sm->prev; + if (smd->is_last) { + break; + } + smd++; } *psm = NULL; - return NULL; } diff --git a/src/detect-engine-threshold.h b/src/detect-engine-threshold.h index cef5f2058d..76a0759d35 100644 --- a/src/detect-engine-threshold.h +++ b/src/detect-engine-threshold.h @@ -34,7 +34,7 @@ int ThresholdHostStorageId(void); int ThresholdHostHasThreshold(Host *); const DetectThresholdData *SigGetThresholdTypeIter(const Signature *, - Packet *, const SigMatch **, int list); + Packet *, const SigMatchData **, int list); int PacketAlertThreshold(DetectEngineCtx *, DetectEngineThreadCtx *, const DetectThresholdData *, Packet *, const Signature *, PacketAlert *);
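Review bot: SigGetThresholdTypeIter now dereferences `smd->type` unconditionally inside `while (1)`, whereas the old `while (sm != NULL)` simply returned NULL for an empty list. If `*psm` is NULL and `sig->sm_arrays[list]` is NULL, this becomes a NULL dereference on the packet path. The PacketAlertHandle call sites in this patch check `s->sm_arrays[...] != NULL` first, but the function is exported through detect-engine-threshold.h and other callers are not visible here. A guard before the loop, `if (smd == NULL) { *psm = NULL; return NULL; }`, would keep the previous contract. The walk also appears to change direction, from tail-first via `sm->prev` to head-first via `smd + 1`, so the function comment should say in which order multiple threshold entries are returned.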