From 93fa7ea8288a2c03e903006fd0b6f3d5a7920744 Mon Sep 17 00:00:00 2001
From: Anoop Saldanha
Date: Tue, 7 Dec 2010 21:56:57 +0530
Subject: [PATCH] modify detection engine to run hrhd mpm before building the match array

---
 src/detect-engine-hrhd.c | 180 +++++++++++++++++++++------------
 src/detect-engine-hrhd.h | 11 ++-
 src/detect.c | 19 +++--
 3 files changed, 119 insertions(+), 91 deletions(-)
diff --git a/src/detect-engine-hrhd.c b/src/detect-engine-hrhd.c
index f9fd1d987a..c1e307a673 100644
--- a/src/detect-engine-hrhd.c
+++ b/src/detect-engine-hrhd.c
@@ -255,35 +255,63 @@ match:
 * stores them away in detection context. Also calls the mpm on the
 * buffers.
 *
+ * \param de_ctx Detection engine ctx.
 * \param det_ctx Detection engine thread ctx.
 * \param f Pointer to the flow.
 * \param htp_state http state.
 *
- * \retval cnt The match count from the mpm call.
- *
 * \warning Make sure the flow is locked.
 */
-static uint32_t DetectEngineInspectHttpRawHeaderMpmInspect(DetectEngineThreadCtx *det_ctx,
- Signature *s, Flow *f,
- HtpState *htp_state)
+void DetectEngineBufferHttpRawHeaders(DetectEngineThreadCtx *det_ctx,
+ Flow *f, HtpState *htp_state)
 {
- uint32_t cnt = 0;
 size_t idx = 0;
 htp_tx_t *tx = NULL;
 int i = 0;
- for (idx = AppLayerTransactionGetInspectId(f);
- i < det_ctx->hrhd_buffers_list_len; idx++, i++) {
+ /* locking the flow, we will inspect the htp state */
+ SCMutexLock(&f->m);
- /* if the buffer already exists, use it */
- if (det_ctx->hrhd_buffers[i] != NULL) {
- if (s->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT) {
- cnt += HttpRawHeaderPatternSearch(det_ctx,
- det_ctx->hrhd_buffers[i],
- det_ctx->hrhd_buffers_len[i]);
- }
- continue;
+ if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
+ SCLogDebug("HTP state has no conn(p)");
+ goto end;
+ }
+
+ /* it is either the first entry into this function. If it is not,
+ * then we just don't have any http transactions */
+ if (det_ctx->hrhd_buffers_list_len == 0) {
+ /* get the transaction id */
+ int tmp_idx = AppLayerTransactionGetInspectId(f);
+ /* error! get out of here */
+ if (tmp_idx == -1)
+ goto end;
+
+ /* let's get the transaction count. We need this to hold the header
+ * buffer for each transaction */
+ det_ctx->hrhd_buffers_list_len = list_size(htp_state->connp->conn->transactions) - tmp_idx;
+ /* no transactions?! cool. get out of here */
+ if (det_ctx->hrhd_buffers_list_len == 0)
+ goto end;
+
+ /* assign space to hold buffers. Each per transaction */
+ det_ctx->hrhd_buffers = SCMalloc(det_ctx->hrhd_buffers_list_len * sizeof(uint8_t *));
+ if (det_ctx->hrhd_buffers == NULL) {
+ goto end;
+ }
+ memset(det_ctx->hrhd_buffers, 0, det_ctx->hrhd_buffers_list_len * sizeof(uint8_t *));
+
+ det_ctx->hrhd_buffers_len = SCMalloc(det_ctx->hrhd_buffers_list_len * sizeof(uint32_t));
+ if (det_ctx->hrhd_buffers_len == NULL) {
+ goto end;
 }
+ memset(det_ctx->hrhd_buffers_len, 0, det_ctx->hrhd_buffers_list_len * sizeof(uint32_t));
+
+ } else {
+ goto end;
+ } /* else -if (det_ctx->hrhd_buffers_list_len == 0) */
+
+ for (idx = AppLayerTransactionGetInspectId(f);
+ i < det_ctx->hrhd_buffers_list_len; idx++, i++) {
 tx = list_get(htp_state->connp->conn->transactions, idx);
 if (tx == NULL)
@@ -297,13 +325,31 @@ static uint32_t DetectEngineInspectHttpRawHeaderMpmInspect(DetectEngineThreadCtx
 det_ctx->hrhd_buffers[i] = (uint8_t *)bstr_ptr(raw_headers);
 det_ctx->hrhd_buffers_len[i] = bstr_len(raw_headers);
- /* carry out the mpm */
- if (s->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT)
- cnt += HttpRawHeaderPatternSearch(det_ctx, det_ctx->hrhd_buffers[i],
- det_ctx->hrhd_buffers_len[i]);
 } /* for (idx = AppLayerTransactionGetInspectId(f); .. */
- SCReturnUInt(cnt);
+ end:
+ SCMutexUnlock(&f->m);
+ return;
+}
+
+int DetectEngineRunHttpRawHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f)
+{
+ int i;
+ uint32_t cnt = 0;
+
+ /* we need to lock because the buffers are not actually true buffers
+ * but are ones that point to a buffer given by libhtp */
+ SCMutexLock(&f->m);
+
+ for (i = 0; i < det_ctx->hrhd_buffers_list_len; i++) {
+ cnt += HttpRawHeaderPatternSearch(det_ctx,
+ det_ctx->hrhd_buffers[i],
+ det_ctx->hrhd_buffers_len[i]);
+ }
+
+ SCMutexUnlock(&f->m);
+
+ return cnt;
 }
 /**
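Review bot: When the second SCMalloc (for `hrhd_buffers_len`) fails, the function jumps to `end` with `hrhd_buffers_list_len` already non-zero and `hrhd_buffers` allocated, so the next entry takes the `else goto end` branch and DetectEngineRunHttpRawHeaderMpm, which RunMpmsOnFlow calls immediately after this function, walks `hrhd_buffers_list_len` entries and reads `det_ctx->hrhd_buffers_len[i]` through a NULL pointer. Reset the state before bailing out, `det_ctx->hrhd_buffers_list_len = 0;` together with releasing the already allocated `hrhd_buffers`, and give the first SCMalloc failure the same reset so a later packet can retry cleanly. Separately, the retained doc line `\warning Make sure the flow is locked.` now contradicts the `SCMutexLock(&f->m)` the body itself takes; if SCMutex is a plain non-recursive mutex, a caller that follows the warning deadlocks, so either the warning or the internal lock should go (the same question applies to DetectEngineRunHttpRawHeaderMpm in the next hunk and to the call sites in RunMpmsOnFlow and DetectEngineInspectHttpRawHeader). The `if (tx == NULL)` at the end of the hunk continues into the next hunk.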
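Review bot: DetectEngineRunHttpRawHeaderMpm hands every `hrhd_buffers[i]` to HttpRawHeaderPatternSearch without the `det_ctx->hrhd_buffers[i] != NULL` guard the removed loop had; an entry stays NULL with length 0 whenever `list_get` returns no transaction for an index (the `if (tx == NULL)` path in the buffering loop), and it is not visible here whether the pattern search tolerates a NULL buffer. Add `if (det_ctx->hrhd_buffers[i] == NULL) continue;` at the top of the loop body. The function also accumulates `uint32_t cnt` but is declared to return `int`; declaring it `uint32_t DetectEngineRunHttpRawHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f)` would match both the value it returns and the `%" PRIu32` the caller in detect.c logs it with.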
@@ -335,73 +381,40 @@ int DetectEngineInspectHttpRawHeader(DetectEngineCtx *de_ctx,
 SCReturnInt(0);
 }
- /* locking the flow, we will inspect the htp state */
- SCMutexLock(&f->m);
-
 if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
 SCLogDebug("HTP state has no conn(p)");
 goto end;
 }
- /* it is either the first entry into this function. If it is not,
- * then we just don't have any http transactions */
- if (det_ctx->hrhd_buffers_list_len == 0) {
- /* get the transaction id */
- int tmp_idx = AppLayerTransactionGetInspectId(f);
- /* error! get out of here */
- if (tmp_idx == -1)
- goto end;
-
- /* let's get the transaction count. We need this to hold the header
- * buffer for each transaction */
- det_ctx->hrhd_buffers_list_len = list_size(htp_state->connp->conn->transactions) - tmp_idx;
- /* no transactions?! cool. get out of here */
- if (det_ctx->hrhd_buffers_list_len == 0)
- goto end;
-
- /* assign space to hold buffers. Each per transaction */
- det_ctx->hrhd_buffers = SCMalloc(det_ctx->hrhd_buffers_list_len * sizeof(uint8_t *));
- if (det_ctx->hrhd_buffers == NULL) {
- r = 0;
- goto end;
- }
- memset(det_ctx->hrhd_buffers, 0, det_ctx->hrhd_buffers_list_len * sizeof(uint8_t *));
-
- det_ctx->hrhd_buffers_len = SCMalloc(det_ctx->hrhd_buffers_list_len * sizeof(uint32_t));
- if (det_ctx->hrhd_buffers_len == NULL) {
- r = 0;
- goto end;
- }
- memset(det_ctx->hrhd_buffers_len, 0, det_ctx->hrhd_buffers_list_len * sizeof(uint32_t));
- } /* if (det_ctx->hrhd_buffers_list_len == 0) */
-
- if (s->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT) {
- if (det_ctx->de_mpm_scanned_hrhd == FALSE) {
- uint32_t cnt = DetectEngineInspectHttpRawHeaderMpmInspect(det_ctx, s,
- f, htp_state);
- if (cnt <= 0)
- det_ctx->de_have_hrhd = FALSE;
-
- det_ctx->de_mpm_scanned_hrhd = TRUE;
- }
- } else {
- DetectEngineInspectHttpRawHeaderMpmInspect(det_ctx, s, f, htp_state);
- }
-
- if (det_ctx->de_have_hrhd == FALSE &&
- s->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT &&
- !(s->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT_NEG)) {
- SCLogDebug("mpm results failure for http raw headers. Get out of here");
- goto end;
- }
-
- if ((s->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT) && (det_ctx->de_mpm_scanned_hrhd == TRUE)) {
- /* filter out the sig that needs a match, but have no matches */
- if (!(s->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT_NEG) &&
- !(det_ctx->pmq.pattern_id_bitarray[(s->mpm_hrhdpattern_id / 8)] & (1 << (s->mpm_hrhdpattern_id % 8)))) {
- goto end;
- }
- }
+ DetectEngineBufferHttpRawHeaders(det_ctx, f, htp_state);
+
+ //if (s->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT) {
+ // if (det_ctx->de_mpm_scanned_hrhd == FALSE) {
+ // uint32_t cnt = DetectEngineInspectHttpRawHeaderMpmInspect(det_ctx, s,
+ // f, htp_state);
+ // if (cnt <= 0)
+ // det_ctx->de_have_hrhd = FALSE;
+ //
+ // det_ctx->de_mpm_scanned_hrhd = TRUE;
+ // }
+ //} else {
+ // DetectEngineInspectHttpRawHeaderMpmInspect(det_ctx, s, f, htp_state);
+ //}
+
+ //if (det_ctx->de_have_hrhd == FALSE &&
+ // s->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT &&
+ // !(s->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT_NEG)) {
+ // SCLogDebug("mpm results failure for http raw headers. Get out of here");
+ // goto end;
+ //}
+ //
+ //if ((s->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT) && (det_ctx->de_mpm_scanned_hrhd == TRUE)) {
+ // /* filter out the sig that needs a match, but have no matches */
+ // if (!(s->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT_NEG) &&
+ // !(det_ctx->pmq.pattern_id_bitarray[(s->mpm_hrhdpattern_id / 8)] & (1 << (s->mpm_hrhdpattern_id % 8)))) {
+ // goto end;
+ // }
+ //}
 for (i = 0; i < det_ctx->hrhd_buffers_list_len; i++) {
 uint8_t *hrhd_buffer = det_ctx->hrhd_buffers[i];
@@ -418,7 +431,6 @@ int DetectEngineInspectHttpRawHeader(DetectEngineCtx *de_ctx,
 }
 end:
- SCMutexUnlock(&f->m);
 SCReturnInt(r);
 }
diff --git a/src/detect-engine-hrhd.h b/src/detect-engine-hrhd.h
index c8e4408411..6d8089c84d 100644
--- a/src/detect-engine-hrhd.h
+++ b/src/detect-engine-hrhd.h
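Review bot: The hunk leaves roughly thirty lines of `//`-commented-out logic in DetectEngineInspectHttpRawHeader, from `//if (s->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT) {` down to the last `//}`; it references DetectEngineInspectHttpRawHeaderMpmInspect, which this commit deletes, so it can never be re-enabled by uncommenting and should be removed outright (git history keeps it). Also, with the `SCMutexLock(&f->m)` here and the matching unlock in the following `@@ -418` hunk removed, the `for (i = 0; i < det_ctx->hrhd_buffers_list_len; i++)` loop that inspects `hrhd_buffers[i]` now runs without the flow lock, although those pointers come from `bstr_ptr()` on libhtp's transaction data and the new DetectEngineRunHttpRawHeaderMpm takes the lock for exactly that reason; unless every caller of this function already holds `f->m`, the inspection loop needs the same protection. The function begins and ends outside the hunk.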
@@ -23,8 +23,15 @@
 #ifndef __DETECT_ENGINE_HRHD_H__
 #define __DETECT_ENGINE_HRHD_H__
-int DetectEngineInspectHttpRawHeader(DetectEngineCtx *, DetectEngineThreadCtx *,
- Signature *, Flow *, uint8_t, void *);
+#include "app-layer-htp.h"
+
+int DetectEngineInspectHttpRawHeader(DetectEngineCtx *,
+ DetectEngineThreadCtx *,
+ Signature *, Flow *, uint8_t,
+ void *);
+void DetectEngineBufferHttpRawHeaders(DetectEngineThreadCtx *det_ctx,
+ Flow *f, HtpState *);
+int DetectEngineRunHttpRawHeaderMpm(DetectEngineThreadCtx *, Flow *);
 void DetectEngineCleanHRHDBuffers(DetectEngineThreadCtx *);
 void DetectEngineHttpRawHeaderRegisterTests(void);
diff --git a/src/detect.c b/src/detect.c
index c037bf9dde..b4b0c4257c 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -719,6 +719,15 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
 }
 }
+ if (s->full_sig->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT) {
+ if (!(det_ctx->pmq.pattern_id_bitarray[(s->full_sig->mpm_hrhdpattern_id / 8)] &
+ (1 << (s->full_sig->mpm_hrhdpattern_id % 8)))) {
+ if (!(s->full_sig->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT_NEG)) {
+ continue;
+ }
+ }
+ }
+
 /* de_state check, filter out all signatures that already had a match before
 * or just partially match */
 if (s->flags & SIG_FLAG_AMATCH || s->flags & SIG_FLAG_UMATCH ||
@@ -944,11 +953,11 @@ static inline void RunMpmsOnFlow(DetectEngineCtx *de_ctx,
 cnt = DetectEngineRunHttpHeaderMpm(det_ctx);
 SCLogDebug("hhd search: cnt %" PRIu32, cnt);
 }
- //if (sgh->flags & SIG_GROUP_HEAD_MPM_HHD) {
- // cnt = DetectEngineInspectHttpRawHeaderMpmInspect(det_ctx, f,
- // htp_state);
- // SCLogDebug("hrhd search: cnt %" PRIu32, cnt);
- //}
+ if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRHD) {
+ DetectEngineBufferHttpRawHeaders(det_ctx, p->flow, alstate);
+ cnt = DetectEngineRunHttpRawHeaderMpm(det_ctx, p->flow);
+ SCLogDebug("hrhd search: cnt %" PRIu32, cnt);
+ }
 }
 return;
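Review bot: The new prototypes mix named and unnamed parameters (`void DetectEngineBufferHttpRawHeaders(DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *);`) while every other declaration in this header uses unnamed ones; `void DetectEngineBufferHttpRawHeaders(DetectEngineThreadCtx *, Flow *, HtpState *);` keeps the file consistent. Pulling in `app-layer-htp.h` only for the HtpState type also drags the HTP headers into every translation unit that includes detect-engine-hrhd.h; if HtpState is a struct typedef, a forward declaration of its tag would avoid that, though the tag name is not visible here.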
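Review bot: The added filter in SigMatchSignaturesBuildMatchArray drops every signature carrying SIG_FLAG_MPM_HRHDCONTENT whose bit in `pmq.pattern_id_bitarray` is clear, but nothing here checks that the hrhd mpm actually ran for this packet; the code this commit removes from DetectEngineInspectHttpRawHeader gated the same test on `det_ctx->de_mpm_scanned_hrhd == TRUE`. RunMpmsOnFlow runs the hrhd search only under `det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRHD` and, as far as the hunk shows, only on the path where `alstate` is available, so a packet that reaches this loop without the search having run would have its hrhd signatures silently left out of the match array, a false negative rather than a false positive. If the run is not guaranteed on every path into this loop, guard the block with the scanned flag or an equivalent, e.g. `if (det_ctx->de_mpm_scanned_hrhd == TRUE && (s->full_sig->mpm_flags & SIG_FLAG_MPM_HRHDCONTENT)) {`. The enclosing loop starts before the hunk.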
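Review bot: `alstate` is passed straight to DetectEngineBufferHttpRawHeaders, which dereferences it as an HtpState (`htp_state->connp`); the conversion from a generic app-layer state pointer is silent in C, so this is only safe if the surrounding code, which lies outside the hunk, has already established that the flow's app-layer protocol is HTTP. Worth confirming, or recording with a short comment above the call such as `/* alstate is an HtpState here: guarded by the protocol check above */`, naming the guard it relies on. The `cnt` assigned from the int-returning DetectEngineRunHttpRawHeaderMpm is logged with PRIu32 on the next line, as the hhd branch above does; if `cnt` is a uint32_t the new function's return type should match. RunMpmsOnFlow ends outside the hunk.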