Mpm update: Toss out signatures that mix pkt and stream/state. Update profiling code to track new mpm.

14 years ago · af51493da2
parent 539ce13695
commit af51493da2
4 changed files with 31 additions and 5 deletions
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@ -1352,6 +1352,28 @@ static int SigValidate(Signature *s) {
    }

    if (s->flags & SIG_FLAG_REQUIRE_PACKET) {
+        if (s->alproto != ALPROTO_UNKNOWN) {
+            SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet "
+                    "specific matches (like dsize, flags, ttl) with stream / "
+                    "state matching by matching on app layer proto (like http).");
+            SCReturnInt(0);
+        }
+
+        if (s->sm_lists_tail[DETECT_SM_LIST_UMATCH] ||
+                s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH] ||
+                s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH] ||
+                s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]  ||
+                s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH] ||
+                s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]  ||
+                s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH])
+        {
+            SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet "
+                    "specific matches (like dsize, flags, ttl) with stream / "
+                    "state matching by matching on app layer proto (like using "
+                    "http_* keywords).");
+            SCReturnInt(0);
+        }
+
        SigMatch *pm =  SigMatchGetLastSMFromLists(s, 14,
                DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
                DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
@ -1362,9 +1384,9 @@ static int SigValidate(Signature *s) {
                DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]);
        if (pm != NULL) {
            SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature has"
-                " replace keyword linked with a modified content"
-                " keyword (http_*, dce_*). It only supports content on"
-                " raw payload");
+                    " replace keyword linked with a modified content"
+                    " keyword (http_*, dce_*). It only supports content on"
+                    " raw payload");
            SCReturnInt(0);
        }
    }
--- a/src/detect.c
+++ b/src/detect.c
@ -1191,7 +1191,9 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,

        if (!(p->flags & PKT_STREAM_ADD) && det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_STREAM) {
            *sms_runflags |= SMS_USED_PM;
+            PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_PKT_STREAM);
            PacketPatternSearchWithStreamCtx(det_ctx, p);
+            PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_PKT_STREAM);
        }
    }

--- a/src/suricata-common.h
+++ b/src/suricata-common.h
@ -162,8 +162,9 @@

 typedef enum PacketProfileDetectId_ {
    PROF_DETECT_MPM,
-    PROF_DETECT_MPM_PACKET,
-    PROF_DETECT_MPM_STREAM,
+    PROF_DETECT_MPM_PACKET,         /* PKT MPM */
+    PROF_DETECT_MPM_PKT_STREAM,     /* PKT inspected with stream MPM */
+    PROF_DETECT_MPM_STREAM,         /* STREAM MPM */
    PROF_DETECT_MPM_URI,
    PROF_DETECT_MPM_HCBD,
    PROF_DETECT_MPM_HHD,
--- a/src/util-profiling.c
+++ b/src/util-profiling.c
@ -1126,6 +1126,7 @@ const char * PacketProfileDetectIdToString(PacketProfileDetectId id)
    switch (id) {
        CASE_CODE (PROF_DETECT_MPM);
        CASE_CODE (PROF_DETECT_MPM_PACKET);
+        CASE_CODE (PROF_DETECT_MPM_PKT_STREAM);
        CASE_CODE (PROF_DETECT_MPM_STREAM);
        CASE_CODE (PROF_DETECT_MPM_URI);
        CASE_CODE (PROF_DETECT_MPM_HCBD);