diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index 036ed2899c..620cda3cce 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -1389,27 +1389,17 @@ void MpmStoreSetup(const DetectEngineCtx *de_ctx, MpmStore *ms) s->flags |= SIG_FLAG_MPM_PACKET; s->mpm_pattern_id_div_8 = cd->id / 8; s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8); - if (cd->flags & DETECT_CONTENT_NEGATED) { - SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id); - s->flags |= SIG_FLAG_MPM_PACKET_NEG; - } } else { /* tell matcher we are inspecting stream */ s->flags |= SIG_FLAG_MPM_STREAM; s->mpm_pattern_id_div_8 = cd->id / 8; s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8); - if (cd->flags & DETECT_CONTENT_NEGATED) { - SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id); - s->flags |= SIG_FLAG_MPM_STREAM_NEG; - } } } else { /* tell matcher we are inspecting app-layer */ s->mpm_pattern_id_div_8 = cd->id / 8; s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8); s->flags |= SIG_FLAG_MPM_APPLAYER; - if (cd->flags & DETECT_CONTENT_NEGATED) - s->flags |= SIG_FLAG_MPM_APPLAYER_NEG; } } } diff --git a/src/detect-engine-siggroup.c b/src/detect-engine-siggroup.c index 96a6775ad8..544a32d291 100644 --- a/src/detect-engine-siggroup.c +++ b/src/detect-engine-siggroup.c @@ -979,7 +979,7 @@ int SigGroupHeadBuildNonMpmArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh) if (s == NULL) continue; - if (s->mpm_sm == NULL || (s->flags & (SIG_FLAG_MPM_PACKET_NEG|SIG_FLAG_MPM_STREAM_NEG|SIG_FLAG_MPM_APPLAYER_NEG))) { + if (s->mpm_sm == NULL || (s->flags & SIG_FLAG_MPM_NEG)) { if (!(DetectFlagsSignatureNeedsSynPackets(s))) { non_mpm++; } @@ -1006,7 +1006,7 @@ int SigGroupHeadBuildNonMpmArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh) if (s == NULL) continue; - if (s->mpm_sm == NULL || (s->flags & (SIG_FLAG_MPM_PACKET_NEG|SIG_FLAG_MPM_STREAM_NEG|SIG_FLAG_MPM_APPLAYER_NEG))) { + if (s->mpm_sm == NULL || (s->flags & SIG_FLAG_MPM_NEG)) { if (!(DetectFlagsSignatureNeedsSynPackets(s))) { BUG_ON(sgh->non_mpm_other_store_cnt >= non_mpm); sgh->non_mpm_other_store_array[sgh->non_mpm_other_store_cnt].id = s->num; diff --git a/src/detect.c b/src/detect.c index 2353969244..7682f28aa5 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1558,28 +1558,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh } } - /* check for a pattern match of the one pattern in this sig. */ - if (likely(sflags & (SIG_FLAG_MPM_PACKET|SIG_FLAG_MPM_STREAM|SIG_FLAG_MPM_APPLAYER))) { - /* filter out sigs that want pattern matches, but - * have no matches */ - if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] & s->mpm_pattern_id_mod_8)) { - if (sflags & SIG_FLAG_MPM_PACKET) { - if (!(sflags & SIG_FLAG_MPM_PACKET_NEG)) { - goto next; - } - } else if (sflags & SIG_FLAG_MPM_STREAM) { - /* filter out sigs that want pattern matches, but - * have no matches */ - if (!(sflags & SIG_FLAG_MPM_STREAM_NEG)) { - goto next; - } - } else if (sflags & SIG_FLAG_MPM_APPLAYER) { - if (!(sflags & SIG_FLAG_MPM_APPLAYER_NEG)) { - goto next; - } - } - } - } if (sflags & SIG_FLAG_STATE_MATCH) { if (det_ctx->de_state_sig_array[s->num] & DE_STATE_MATCH_NO_NEW_STATE) goto next; @@ -1673,14 +1651,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh uint8_t pmq_idx = 0; StreamMsg *smsg_inspect = smsg; for ( ; smsg_inspect != NULL; smsg_inspect = smsg_inspect->next, pmq_idx++) { - /* filter out sigs that want pattern matches, but - * have no matches */ - if ((sflags & SIG_FLAG_MPM_STREAM) && !(sflags & SIG_FLAG_MPM_STREAM_NEG) && - !(det_ctx->smsg_pmq[pmq_idx].pattern_id_bitarray[(s->mpm_pattern_id_div_8)] & s->mpm_pattern_id_mod_8)) { - SCLogDebug("no match in this smsg"); - continue; - } - if (DetectEngineInspectStreamPayload(de_ctx, det_ctx, s, pflow, smsg_inspect->data, smsg_inspect->data_len) == 1) { SCLogDebug("match in smsg %p", smsg); pmatch = 1; @@ -1706,34 +1676,13 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh goto next; } - if (sms_runflags & SMS_USED_PM) { - if ((sflags & SIG_FLAG_MPM_PACKET) && !(sflags & SIG_FLAG_MPM_PACKET_NEG) && - !(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] & - s->mpm_pattern_id_mod_8)) { - goto next; - } - if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, pflow, p) != 1) { - goto next; - } - } else { - if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, pflow, p) != 1) { - goto next; - } - } - } - } else { - if (sms_runflags & SMS_USED_PM) { - if ((sflags & SIG_FLAG_MPM_PACKET) && !(sflags & SIG_FLAG_MPM_PACKET_NEG) && - !(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] & - s->mpm_pattern_id_mod_8)) { - goto next; - } if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, pflow, p) != 1) { goto next; } - } else { - if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, pflow, p) != 1) - goto next; + } + } else { + if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, pflow, p) != 1) { + goto next; } } } @@ -3301,6 +3250,10 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) } #endif /* DEBUG */ + if (RuleMpmIsNegated(tmp_s)) { + tmp_s->flags |= SIG_FLAG_MPM_NEG; + } + SignatureCreateMask(tmp_s); SigParseApplyDsizeToContent(tmp_s); diff --git a/src/detect.h b/src/detect.h index 03c354da8d..ab4674508b 100644 --- a/src/detect.h +++ b/src/detect.h @@ -276,12 +276,10 @@ typedef struct DetectPort_ { #define SIG_FLAG_REQUIRE_PACKET (1<<9) /**< signature is requiring packet match */ #define SIG_FLAG_REQUIRE_STREAM (1<<10) /**< signature is requiring stream match */ -#define SIG_FLAG_MPM_PACKET (1<<11) -#define SIG_FLAG_MPM_PACKET_NEG (1<<12) +#define SIG_FLAG_MPM_NEG (1<<11) +#define SIG_FLAG_MPM_PACKET (1<<12) #define SIG_FLAG_MPM_STREAM (1<<13) -#define SIG_FLAG_MPM_STREAM_NEG (1<<14) -#define SIG_FLAG_MPM_APPLAYER (1<<15) -#define SIG_FLAG_MPM_APPLAYER_NEG (1<<16) +#define SIG_FLAG_MPM_APPLAYER (1<<14) #define SIG_FLAG_REQUIRE_FLOWVAR (1<<17) /**< signature can only match if a flowbit, flowvar or flowint is available. */