Fixes to stream pattern matching.

15 years ago · 9a08d6c11c
parent a0c1209a44
commit 9a08d6c11c
5 changed files with 23 additions and 3 deletions
--- a/src/app-layer.c
+++ b/src/app-layer.c
@ -182,8 +182,12 @@ int AppLayerHandleMsg(AlpProtoDetectThreadCtx *dp_ctx, StreamMsg *smsg)
            }
        }

+        SCLogDebug("storing smsg in the tcp session");
+
        /* store the smsg in the tcp stream */
        if (smsg->flags & STREAM_TOSERVER) {
+            SCLogDebug("storing smsg in the to_server");
+
            /* put the smsg in the stream list */
            if (ssn->toserver_smsg_head == NULL) {
                ssn->toserver_smsg_head = smsg;
@ -198,6 +202,8 @@ int AppLayerHandleMsg(AlpProtoDetectThreadCtx *dp_ctx, StreamMsg *smsg)
                ssn->toserver_smsg_tail = smsg;
            }
        } else {
+            SCLogDebug("storing smsg in the to_client");
+
            /* put the smsg in the stream list */
            if (ssn->toclient_smsg_head == NULL) {
                ssn->toclient_smsg_head = smsg;
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
@ -49,6 +49,7 @@

 #include "util-enum.h"
 #include "util-debug.h"
+#include "util-print.h"

 /** \todo make it possible to use multiple pattern matcher algorithms next to
          eachother. */
@ -188,11 +189,15 @@ uint32_t StreamPatternSearch(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
    uint8_t cnt = 0;

    for ( ; smsg != NULL; smsg = smsg->next) {
+        //PrintRawDataFp(stdout, smsg->data.data, smsg->data.data_len);
+
        uint32_t r = mpm_table[det_ctx->sgh->mpm_ctx->mpm_type].Search(det_ctx->sgh->mpm_ctx,
                &det_ctx->mtc, &det_ctx->smsg_pmq[cnt], smsg->data.data, smsg->data.data_len);
        if (r > 0) {
            ret += r;

+            SCLogDebug("smsg match stored in det_ctx->smsg_pmq[%u]", cnt);
+
            /* merge results with overall pmq */
            PmqMerge(&det_ctx->smsg_pmq[cnt], &det_ctx->pmq);
        }
--- a/src/detect.c
+++ b/src/detect.c
@ -538,6 +538,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
                    ssn->toserver_smsg_tail = NULL;

                    //BUG_ON(ssn->toclient_smsg_head != NULL);
+                    SCLogDebug("to_server smsg %p", smsg);
                } else {
                    smsg = ssn->toclient_smsg_head;
                    /* deref from the ssn */
@ -545,9 +546,10 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
                    ssn->toclient_smsg_tail = NULL;

                    //BUG_ON(ssn->toserver_smsg_head != NULL);
+
+                    SCLogDebug("to_client smsg %p", smsg);
                }

-                SCLogDebug("smsg %p", smsg);
            }
        }
        SCMutexUnlock(&p->flow->m);
@ -763,8 +765,10 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
                int i = 0;
                StreamMsg *smsg_inspect = smsg;
                for ( ; smsg_inspect != NULL; smsg_inspect = smsg_inspect->next, i++) {
-                    if (det_ctx->smsg_pmq[i].pattern_id_array_size != 0)
+                    if (det_ctx->smsg_pmq[i].pattern_id_array_cnt == 0) {
+                        SCLogDebug("no match in smsg_inspect %p (%u), idx %d", smsg_inspect, smsg_inspect->data.data_len, i);
                        continue;
+                    }

                    if (det_ctx->smsg_pmq[i].pattern_id_bitarray != NULL) {
                        /* filter out sigs that want pattern matches, but
@ -785,6 +789,8 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh

                /* no match? then inspect packet payload */
                if (pmatch == 0) {
+                    SCLogDebug("no match in smsg, fall back to packet payload");
+
                    if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1)
                        goto next;
                }
--- a/src/stream-tcp-reassemble.c
+++ b/src/stream-tcp-reassemble.c
@ -1949,8 +1949,10 @@ int StreamTcpReassembleHandleSegment(TcpReassemblyThreadCtx *ra_ctx,
       simple return */
    if (p->payload_len > 0 &&
        (((stream == &ssn->client) && !(ssn->flags & STREAMTCP_FLAG_NOCLIENT_REASSEMBLY)) ||
-        ((stream == &ssn->server) && !(ssn->flags & STREAMTCP_FLAG_NOSERVER_REASSEMBLY))))
+         ((stream == &ssn->server) && !(ssn->flags & STREAMTCP_FLAG_NOSERVER_REASSEMBLY))))
    {
+        SCLogDebug("calling StreamTcpReassembleHandleSegmentHandleData");
+
        if (StreamTcpReassembleHandleSegmentHandleData(ssn, stream, p) != 0) {
            SCLogDebug("StreamTcpReassembleHandleSegmentHandleData error");
            SCReturnInt(-1);
--- a/src/util-mpm.c
+++ b/src/util-mpm.c
@ -108,6 +108,7 @@ MpmVerifyMatch(MpmThreadCtx *thread_ctx, PatternMatcherQueue *pmq, uint32_t pati
            /* append the pattern_id to the array with matches */
            pmq->pattern_id_array[pmq->pattern_id_array_cnt] = patid;
            pmq->pattern_id_array_cnt++;
+            SCLogDebug("pattern_id_array_cnt %u", pmq->pattern_id_array_cnt);
        }
    }