detect: simplify negated mpm handling

pull/1980/head
Victor Julien 10 years ago
parent b84d6d402f
commit a34be23002

@ -1389,27 +1389,17 @@ void MpmStoreSetup(const DetectEngineCtx *de_ctx, MpmStore *ms)
s->flags |= SIG_FLAG_MPM_PACKET;
s->mpm_pattern_id_div_8 = cd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
if (cd->flags & DETECT_CONTENT_NEGATED) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_PACKET_NEG;
}
} else {
/* tell matcher we are inspecting stream */
s->flags |= SIG_FLAG_MPM_STREAM;
s->mpm_pattern_id_div_8 = cd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
if (cd->flags & DETECT_CONTENT_NEGATED) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_STREAM_NEG;
}
}
} else {
/* tell matcher we are inspecting app-layer */
s->mpm_pattern_id_div_8 = cd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
s->flags |= SIG_FLAG_MPM_APPLAYER;
if (cd->flags & DETECT_CONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_APPLAYER_NEG;
}
}
}
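Review bot: The `s->mpm_pattern_id_div_8` and `s->mpm_pattern_id_mod_8` assignments kept in all three branches here look like dead stores after this commit, because every read of those fields visible on this page (all in SigMatchSignatures) is removed by it. If no reader remains outside the shown hunks, the assignments and the two fields could be dropped. If one does remain, setting them once before the packet/stream/app-layer branch would avoid repeating the same two lines three times. The enclosing function and its outer if/else start outside the hunk, so this needs checking against the full body.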

@ -979,7 +979,7 @@ int SigGroupHeadBuildNonMpmArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
if (s == NULL)
continue;
if (s->mpm_sm == NULL || (s->flags & (SIG_FLAG_MPM_PACKET_NEG|SIG_FLAG_MPM_STREAM_NEG|SIG_FLAG_MPM_APPLAYER_NEG))) {
if (s->mpm_sm == NULL || (s->flags & SIG_FLAG_MPM_NEG)) {
if (!(DetectFlagsSignatureNeedsSynPackets(s))) {
non_mpm++;
}
@ -1006,7 +1006,7 @@ int SigGroupHeadBuildNonMpmArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
if (s == NULL)
continue;
if (s->mpm_sm == NULL || (s->flags & (SIG_FLAG_MPM_PACKET_NEG|SIG_FLAG_MPM_STREAM_NEG|SIG_FLAG_MPM_APPLAYER_NEG))) {
if (s->mpm_sm == NULL || (s->flags & SIG_FLAG_MPM_NEG)) {
if (!(DetectFlagsSignatureNeedsSynPackets(s))) {
BUG_ON(sgh->non_mpm_other_store_cnt >= non_mpm);
sgh->non_mpm_other_store_array[sgh->non_mpm_other_store_cnt].id = s->num;
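Review bot: The predicate `s->mpm_sm == NULL || (s->flags & SIG_FLAG_MPM_NEG)` is written out twice, once in the counting loop and once in the fill loop, and the `BUG_ON(sgh->non_mpm_other_store_cnt >= non_mpm)` in the second loop only holds while the two copies stay identical. A small file-local helper used in both places would keep them in step, for example `static inline int SigIsNonMpm(const Signature *s) { return s->mpm_sm == NULL || (s->flags & SIG_FLAG_MPM_NEG); }` (the name is only a suggestion, and the type of `s` is assumed). Both loops begin and end outside the hunks shown.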

@ -1558,28 +1558,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
}
}
/* check for a pattern match of the one pattern in this sig. */
if (likely(sflags & (SIG_FLAG_MPM_PACKET|SIG_FLAG_MPM_STREAM|SIG_FLAG_MPM_APPLAYER))) {
/* filter out sigs that want pattern matches, but
* have no matches */
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] & s->mpm_pattern_id_mod_8)) {
if (sflags & SIG_FLAG_MPM_PACKET) {
if (!(sflags & SIG_FLAG_MPM_PACKET_NEG)) {
goto next;
}
} else if (sflags & SIG_FLAG_MPM_STREAM) {
/* filter out sigs that want pattern matches, but
* have no matches */
if (!(sflags & SIG_FLAG_MPM_STREAM_NEG)) {
goto next;
}
} else if (sflags & SIG_FLAG_MPM_APPLAYER) {
if (!(sflags & SIG_FLAG_MPM_APPLAYER_NEG)) {
goto next;
}
}
}
}
if (sflags & SIG_FLAG_STATE_MATCH) {
if (det_ctx->de_state_sig_array[s->num] & DE_STATE_MATCH_NO_NEW_STATE)
goto next;
@ -1673,14 +1651,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
uint8_t pmq_idx = 0;
StreamMsg *smsg_inspect = smsg;
for ( ; smsg_inspect != NULL; smsg_inspect = smsg_inspect->next, pmq_idx++) {
/* filter out sigs that want pattern matches, but
* have no matches */
if ((sflags & SIG_FLAG_MPM_STREAM) && !(sflags & SIG_FLAG_MPM_STREAM_NEG) &&
!(det_ctx->smsg_pmq[pmq_idx].pattern_id_bitarray[(s->mpm_pattern_id_div_8)] & s->mpm_pattern_id_mod_8)) {
SCLogDebug("no match in this smsg");
continue;
}
if (DetectEngineInspectStreamPayload(de_ctx, det_ctx, s, pflow, smsg_inspect->data, smsg_inspect->data_len) == 1) {
SCLogDebug("match in smsg %p", smsg);
pmatch = 1;
@ -1706,34 +1676,13 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
goto next;
}
if (sms_runflags & SMS_USED_PM) {
if ((sflags & SIG_FLAG_MPM_PACKET) && !(sflags & SIG_FLAG_MPM_PACKET_NEG) &&
!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] &
s->mpm_pattern_id_mod_8)) {
goto next;
}
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, pflow, p) != 1) {
goto next;
}
} else {
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, pflow, p) != 1) {
goto next;
}
}
}
} else {
if (sms_runflags & SMS_USED_PM) {
if ((sflags & SIG_FLAG_MPM_PACKET) && !(sflags & SIG_FLAG_MPM_PACKET_NEG) &&
!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] &
s->mpm_pattern_id_mod_8)) {
goto next;
}
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, pflow, p) != 1) {
goto next;
}
} else {
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, pflow, p) != 1)
goto next;
}
} else {
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, pflow, p) != 1) {
goto next;
}
}
}
@ -3301,6 +3250,10 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx)
}
#endif /* DEBUG */
if (RuleMpmIsNegated(tmp_s)) {
tmp_s->flags |= SIG_FLAG_MPM_NEG;
}
SignatureCreateMask(tmp_s);
SigParseApplyDsizeToContent(tmp_s);
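Review bot: Negation of the fast pattern now rests on the single `RuleMpmIsNegated(tmp_s)` call added in SigAddressPrepareStage1, since the per-signature bitarray checks that honoured the `*_NEG` flags in SigMatchSignatures are removed. RuleMpmIsNegated is not shown on this page, nor is where `mpm_sm` is assigned relative to this call. If the flag is missed for any of the packet, stream or app-layer cases, such a rule would presumably stay out of the non-mpm array and never be evaluated, which is a silent detection miss. A comment on the new block would record the dependency, e.g. `/* negated mpm: sig is evaluated via the non-mpm array, see SigGroupHeadBuildNonMpmArray() */`, and a unit test with a negated fast-pattern rule per buffer type would pin it. Separately, in the stream-message loop `pmq_idx` is only incremented in the visible lines once the filter is gone, so it can be dropped if nothing outside the hunk reads it.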

@ -276,12 +276,10 @@ typedef struct DetectPort_ {
#define SIG_FLAG_REQUIRE_PACKET (1<<9) /**< signature is requiring packet match */
#define SIG_FLAG_REQUIRE_STREAM (1<<10) /**< signature is requiring stream match */
#define SIG_FLAG_MPM_PACKET (1<<11)
#define SIG_FLAG_MPM_PACKET_NEG (1<<12)
#define SIG_FLAG_MPM_NEG (1<<11)
#define SIG_FLAG_MPM_PACKET (1<<12)
#define SIG_FLAG_MPM_STREAM (1<<13)
#define SIG_FLAG_MPM_STREAM_NEG (1<<14)
#define SIG_FLAG_MPM_APPLAYER (1<<15)
#define SIG_FLAG_MPM_APPLAYER_NEG (1<<16)
#define SIG_FLAG_MPM_APPLAYER (1<<14)
#define SIG_FLAG_REQUIRE_FLOWVAR (1<<17) /**< signature can only match if a flowbit, flowvar or flowint is available. */
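Review bot: The new `SIG_FLAG_MPM_NEG` and the renumbered `SIG_FLAG_MPM_*` defines carry no `/**< ... */` description, unlike the `SIG_FLAG_REQUIRE_*` entries around them. Something like `/**< sig's mpm pattern is negated; sig is placed in the non-mpm array */` on `SIG_FLAG_MPM_NEG` would make the new meaning discoverable from the header. The renumbering also leaves bits 15 and 16 unassigned between `SIG_FLAG_MPM_APPLAYER (1<<14)` and `SIG_FLAG_REQUIRE_FLOWVAR (1<<17)`. A one-line `/* (1<<15) and (1<<16) unused */` would stop a later change from assuming they are taken, or from reusing them without noticing.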
