|
|
|
|
@ -691,6 +691,9 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) {
|
|
|
|
|
//printf("(IP only)\n");
|
|
|
|
|
} else {
|
|
|
|
|
//printf("\n");
|
|
|
|
|
//if (tmp_s->proto.flags & DETECT_PROTO_ANY) {
|
|
|
|
|
//printf("Signature %u applies to all protocols.\n",tmp_s->id);
|
|
|
|
|
//}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* DEBUG */
|
|
|
|
|
@ -719,6 +722,7 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) {
|
|
|
|
|
}
|
|
|
|
|
/* DEBUG */
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
for (gr = tmp_s->src.ipv4_head; gr != NULL; gr = gr->next) {
|
|
|
|
|
//printf("Stage1: ip4 ");DetectAddressDataPrint(gr->ad);printf("\n");
|
|
|
|
|
if (SigGroupHeadAppendSig(de_ctx, &gr->sh,tmp_s) < 0) {
|
|
|
|
|
@ -769,14 +773,11 @@ static int DetectEngineLookupBuildSourceAddressList(DetectEngineCtx *de_ctx, Det
|
|
|
|
|
head = s->src.any_head;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Normal sigs are added per protocol. For performance reasons we deal with
|
|
|
|
|
* ip address only sigs in a different way. */
|
|
|
|
|
if (!(s->flags & SIG_FLAG_IPONLY) || !(s->proto.flags & DETECT_PROTO_ANY)) {
|
|
|
|
|
/* for each source address group in the signature... */
|
|
|
|
|
for (gr = head; gr != NULL; gr = gr->next) {
|
|
|
|
|
/* ...and each protocol the signature matches on... */
|
|
|
|
|
for (proto = 0; proto < 256; proto++) {
|
|
|
|
|
if (s->proto.proto[(proto/8)] & (1<<(proto%8))) {
|
|
|
|
|
if ((s->proto.proto[(proto/8)] & (1<<(proto%8))) || (s->proto.flags & DETECT_PROTO_ANY)) {
|
|
|
|
|
/* ...see if the group is in the tmp list, and if not add it. */
|
|
|
|
|
if (family == AF_INET) {
|
|
|
|
|
lookup_gr = DetectAddressGroupLookup(flow_gh->tmp_gh[proto]->ipv4_head,gr->ad);
|
|
|
|
|
@ -818,9 +819,6 @@ static int DetectEngineLookupBuildSourceAddressList(DetectEngineCtx *de_ctx, Det
|
|
|
|
|
SigGroupHeadFree(gr->sh);
|
|
|
|
|
gr->sh = NULL;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
IPOnlyAddSignature(de_ctx, &de_ctx->io_ctx, s);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
error:
|
|
|
|
|
@ -1396,9 +1394,13 @@ int SigAddressPrepareStage2(DetectEngineCtx *de_ctx) {
|
|
|
|
|
|
|
|
|
|
/* now for every rule add the source group to our temp lists */
|
|
|
|
|
for (tmp_s = de_ctx->sig_list; tmp_s != NULL; tmp_s = tmp_s->next) {
|
|
|
|
|
if (!(tmp_s->flags & SIG_FLAG_IPONLY)) {
|
|
|
|
|
DetectEngineLookupDsizeAddSig(de_ctx, tmp_s, AF_INET);
|
|
|
|
|
DetectEngineLookupDsizeAddSig(de_ctx, tmp_s, AF_INET6);
|
|
|
|
|
DetectEngineLookupDsizeAddSig(de_ctx, tmp_s, AF_UNSPEC);
|
|
|
|
|
} else {
|
|
|
|
|
IPOnlyAddSignature(de_ctx, &de_ctx->io_ctx, tmp_s);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sigs++;
|
|
|
|
|
}
|
|
|
|
|
|
Victor Julien
17 years ago