From b259e362cd80065d4a78f482732e00c0c2ae93cb Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Thu, 18 Mar 2010 14:42:13 +0100 Subject: [PATCH] Convert uricontent to use new scanning methods as well. Move http_method and http_cookie keywords out of pmatch list for now. --- src/detect-ack.c | 4 +- src/detect-bytejump.c | 24 +++++----- src/detect-bytetest.c | 8 ++-- src/detect-content.c | 26 +++++------ src/detect-csum.c | 31 +++++++------ src/detect-dce-iface.c | 6 ++- src/detect-dce-opnum.c | 6 ++- src/detect-dce-stub-data.c | 6 ++- src/detect-decode-event.c | 6 ++- src/detect-dsize.c | 7 ++- src/detect-engine-mpm.c | 27 +++++++---- src/detect-engine-payload.c | 37 ++++++++------- src/detect-flags.c | 7 ++- src/detect-flow.c | 6 ++- src/detect-flowbits.c | 4 +- src/detect-flowint.c | 4 +- src/detect-flowvar.c | 7 ++- src/detect-fragbits.c | 7 ++- src/detect-fragoffset.c | 6 ++- src/detect-ftpbounce.c | 6 +-- src/detect-http-cookie.c | 59 ++++++++++++++++-------- src/detect-http-method.c | 29 ++++++++---- src/detect-icmp-id.c | 6 ++- src/detect-icmp-seq.c | 6 ++- src/detect-icode.c | 6 ++- src/detect-id.c | 7 +-- src/detect-ipopts.c | 7 ++- src/detect-itype.c | 6 ++- src/detect-parse.c | 92 +++++++++++++++++++++++++++++-------- src/detect-parse.h | 9 +++- src/detect-pcre.c | 19 ++++---- src/detect-pktvar.c | 7 ++- src/detect-rpc.c | 4 +- src/detect-sameip.c | 6 +-- src/detect-seq.c | 4 +- src/detect-stream_size.c | 7 ++- src/detect-threshold.c | 7 ++- src/detect-tls-version.c | 7 +-- src/detect-ttl.c | 7 ++- src/detect-uricontent.c | 80 +++++++++++++++++++++++--------- src/detect-urilen.c | 9 ++-- src/detect-window.c | 6 ++- src/detect.c | 26 ++++++----- src/detect.h | 15 +++--- 44 files changed, 431 insertions(+), 235 deletions(-) diff --git a/src/detect-ack.c b/src/detect-ack.c index e6f9abb871..91828c50c2 100644 --- a/src/detect-ack.c +++ b/src/detect-ack.c 
@@ -76,7 +76,7 @@ static int DetectAckMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, * \retval -1 on Failure */ static int DetectAckSetup(DetectEngineCtx *de_ctx, Signature *s, - SigMatch *m, char *optstr) + SigMatch *notused, char *optstr) { DetectAckData *data; SigMatch *sm = NULL; @@ -101,7 +101,7 @@ static int DetectAckSetup(DetectEngineCtx *de_ctx, Signature *s, } sm->ctx = data; - SigMatchAppend(s, m, sm); + SigMatchAppendPacket(s, sm); return 0; diff --git a/src/detect-bytejump.c b/src/detect-bytejump.c index e9c16ca226..e76c4632e4 100644 --- a/src/detect-bytejump.c +++ b/src/detect-bytejump.c @@ -96,8 +96,8 @@ int DetectBytejumpDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch * the packet from that point. */ if (data->flags & DETECT_BYTEJUMP_RELATIVE) { - ptr = payload + det_ctx->pkt_off; - len = payload_len - det_ctx->pkt_off; + ptr = payload + det_ctx->payload_offset; + len = payload_len - det_ctx->payload_offset; /* No match if there is no relative base */ if (ptr == NULL || len == 0) { @@ -181,8 +181,7 @@ int DetectBytejumpDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch #endif /* DEBUG */ /* Adjust the detection context to the jump location. */ - det_ctx->pkt_ptr = jumpptr; - det_ctx->pkt_off = jumpptr - payload; + det_ctx->payload_offset = jumpptr - payload; SCReturnInt(1); } @@ -205,8 +204,8 @@ int DetectBytejumpMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, * the packet from that point. */ if (data->flags & DETECT_BYTEJUMP_RELATIVE) { - ptr = det_ctx->pkt_ptr; - len = p->pktlen - det_ctx->pkt_off; + ptr = p->payload + det_ctx->payload_offset; + len = p->payload_len - det_ctx->payload_offset; /* No match if there is no relative base */ if (ptr == NULL || len == 0) { 
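Review bot: In the DETECT_BYTEJUMP_RELATIVE branches of DetectBytejumpDoMatch (@@ -96) and DetectBytejumpMatch (@@ -205), `ptr = p->payload + det_ctx->payload_offset` can only be NULL when p->payload itself is, so the `ptr == NULL` half of the guard that follows no longer detects a missing relative base the way the old `det_ctx->pkt_ptr` did. The remaining protection is `len == 0`, but `len = p->payload_len - det_ctx->payload_offset` wraps if the offset is ever past the end of the payload (the types are not visible here; if len is unsigned, the later `data->nbytes > len` check would then pass). A guard on the offset itself is more direct: `if (p->payload == NULL || det_ctx->payload_offset >= p->payload_len) { /* no relative base */ return 0; }` before ptr and len are computed, with the same form on the payload/payload_len parameters in DoMatch. Both function bodies continue outside these hunks.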
@@ -222,10 +221,10 @@ int DetectBytejumpMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, } /* Verify the to-be-extracted data is within the packet */ - if (ptr < p->pkt || data->nbytes > len) { + if (ptr < p->payload || data->nbytes > len) { SCLogDebug("Data not within packet " - "pkt=%p, ptr=%p, len=%d, nbytes=%d", - p->pkt, ptr, len, data->nbytes); + "payload=%p, ptr=%p, len=%d, nbytes=%d", + p->payload, ptr, len, data->nbytes); return 0; } @@ -274,9 +273,9 @@ int DetectBytejumpMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, /* Validate that the jump location is still in the packet * \todo Should this validate it is still in the *payload*? */ - if ((jumpptr < p->pkt) || (jumpptr >= p->pkt + p->pktlen)) { + if ((jumpptr < p->payload) || (jumpptr >= p->payload + p->payload_len)) { SCLogDebug("Jump location (%p) is not within " - "packet (%p-%p)", jumpptr, p->pkt, p->pkt + p->pktlen - 1); + "packet (%p-%p)", jumpptr, p->payload, p->payload + p->payload_len - 1); return 0; } @@ -291,8 +290,7 @@ int DetectBytejumpMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, #endif /* DEBUG */ /* Adjust the detection context to the jump location. */ - det_ctx->pkt_ptr = jumpptr; - det_ctx->pkt_off = jumpptr - p->pkt; + det_ctx->payload_offset = jumpptr - p->payload; return 1; } diff --git a/src/detect-bytetest.c b/src/detect-bytetest.c index 0079765b0c..77f954e4ec 100644 --- a/src/detect-bytetest.c +++ b/src/detect-bytetest.c 
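Review bot: The bounds check in DetectBytejumpMatch at @@ -274 now compares jumpptr against `p->payload` and `p->payload + p->payload_len`, but the comment above it still reads "still in the packet" with a `\todo Should this validate it is still in the *payload*?`, and the debug message still prints "packet (%p-%p)". Both should describe the check as it is now written: `/* Validate that the jump location is still within the payload */` and `"payload (%p-%p)"`, with the todo dropped since it is done. The @@ -222 hunk has the same leftover: it prints `payload=%p` under the heading "Data not within packet". DetectBytejumpMatch begins and ends outside these hunks.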
@@ -102,11 +102,11 @@ int DetectBytetestDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch * the packet from that point. */ if (data->flags & DETECT_BYTETEST_RELATIVE) { - SCLogDebug("relative, working with det_ctx->pkt_off %"PRIu32", " - "data->offset %"PRIu32"", det_ctx->pkt_off, data->offset); + SCLogDebug("relative, working with det_ctx->payload_offset %"PRIu32", " + "data->offset %"PRIu32"", det_ctx->payload_offset, data->offset); - ptr = payload + det_ctx->pkt_off; - len = payload_len - det_ctx->pkt_off; + ptr = payload + det_ctx->payload_offset; + len = payload_len - det_ctx->payload_offset; /* No match if there is no relative base */ if (ptr == NULL || len == 0) { diff --git a/src/detect-content.c b/src/detect-content.c index e5a274b802..47dd788529 100644 --- a/src/detect-content.c +++ b/src/detect-content.c @@ -380,7 +380,7 @@ DoDetectContent(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signat { int ret = 0; char match = 0; - uint16_t pkt_off = det_ctx->pkt_off; + uint16_t payload_offset = det_ctx->payload_offset; MpmMatch *temp_m = NULL; SCLogDebug("det_ctx->mtc.match[%"PRIu32"].len %"PRIu32"", co->id, det_ctx->mtc.match[co->id].len); @@ -396,10 +396,10 @@ DoDetectContent(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signat /* only use pkt offset of previous matches * on relative matches. */ - pkt_off = 0; + payload_offset = 0; } - SCLogDebug("using pkt_off %"PRIu16"", pkt_off); + SCLogDebug("using payload_offset %"PRIu16"", payload_offset); /* if we have within or distance coming up next, check this match * for distance and/or within and check the rest of this match 
@@ -419,17 +419,17 @@ DoDetectContent(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signat for (; m != NULL; m = m->next) { /* first check our match for offset and depth */ - if (TestOffsetDepth(m, co, pkt_off) == 1) { + if (TestOffsetDepth(m, co, payload_offset) == 1) { SCLogDebug("TestOffsetDepth returned 1, for co->id %"PRIu32"", co->id); SigMatch *real_sm_next = DetectContentFindNextApplicableSM(sm->next); - ret = TestWithinDistanceOffsetDepth(t, det_ctx, m, sm, real_sm_next, pkt_off); + ret = TestWithinDistanceOffsetDepth(t, det_ctx, m, sm, real_sm_next, payload_offset); if (ret == 1) { SCLogDebug("TestWithinDistanceOffsetDepth returned 1"); - det_ctx->pkt_ptr = p->payload + m->offset; - /* update both the local and ctx pkt_off */ - pkt_off = det_ctx->pkt_off = m->offset; + //det_ctx->pkt_ptr = p->payload + m->offset; + /* update both the local and ctx payload_offset */ + payload_offset = det_ctx->payload_offset = m->offset; match = 1; break; } else if (ret == -1) { @@ -481,11 +481,11 @@ DoDetectContent(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signat * after the first match */ if (s->flags & SIG_FLAG_RECURSIVE && det_ctx->pkt_cnt) { for (; m != NULL; m = m->next) { - if (m->offset >= det_ctx->pkt_off) { + if (m->offset >= det_ctx->payload_offset) { /* update pkt ptrs, content doesn't use this, * but pcre does */ - det_ctx->pkt_ptr = p->payload + m->offset; - det_ctx->pkt_off = m->offset; + //det_ctx->pkt_ptr = p->payload + m->offset; + det_ctx->payload_offset = m->offset; match = 1; break; } @@ -514,8 +514,8 @@ DoDetectContent(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signat if (co->negated == 0) { /* update pkt ptrs, this content run doesn't * use this, but pcre does */ - det_ctx->pkt_ptr = p->payload + m->offset; - det_ctx->pkt_off = m->offset; + //det_ctx->pkt_ptr = p->payload + m->offset; + det_ctx->payload_offset = m->offset; match = 1; break; } 
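Review bot: The three DoDetectContent hunks at @@ -419, @@ -481 and @@ -514 replace the `det_ctx->pkt_ptr` assignment with a commented-out copy, `//det_ctx->pkt_ptr = p->payload + m->offset;`, instead of deleting it, and the neighbouring comments ("update pkt ptrs, content doesn't use this, but pcre does") still describe the pointer that was removed. Commented-out code tends to outlive its reason and the comment now points readers at a field that no longer exists; delete the three `//` lines and reword the two "update pkt ptrs" comments to something like `/* record the match offset; content doesn't use it, but pcre does */`, assuming pcre reads payload_offset after this change (its side is not visible here). The `/* update both the local and ctx payload_offset */` line in the first hunk is fine as is. DoDetectContent starts before the first hunk.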
diff --git a/src/detect-csum.c b/src/detect-csum.c index d1117386fb..60e678217e 100644 --- a/src/detect-csum.c +++ b/src/detect-csum.c @@ -8,7 +8,10 @@ #include "suricata-common.h" #include "debug.h" #include "decode.h" + #include "detect.h" +#include "detect-parse.h" + #include "detect-csum.h" #include "util-unittest.h" @@ -228,7 +231,7 @@ int DetectIPV4CsumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, * * \retval 0 on success, -1 on failure */ -int DetectIPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, +int DetectIPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *csum_str) { DetectCsumData *cd = NULL; @@ -253,7 +256,7 @@ int DetectIPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, sm->ctx = (void *)cd; - SigMatchAppend(s, m, sm); + SigMatchAppendPacket(s, sm); return 0; @@ -325,7 +328,7 @@ int DetectTCPV4CsumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, * * \retval 0 on success, -1 on failure */ -int DetectTCPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, +int DetectTCPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *csum_str) { DetectCsumData *cd = NULL; @@ -350,7 +353,7 @@ int DetectTCPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, sm->ctx = (void *)cd; - SigMatchAppend(s, m, sm); + SigMatchAppendPacket(s, sm); return 0; @@ -422,7 +425,7 @@ int DetectTCPV6CsumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, * * \retval 0 on success, -1 on failure */ -int DetectTCPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, +int DetectTCPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *csum_str) { DetectCsumData *cd = NULL; @@ -447,7 +450,7 @@ int DetectTCPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, sm->ctx = (void *)cd; - SigMatchAppend(s, m, sm); + SigMatchAppendPacket(s, sm); return 0; 
@@ -519,7 +522,7 @@ int DetectUDPV4CsumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, * * \retval 0 on success, -1 on failure */ -int DetectUDPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, +int DetectUDPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *csum_str) { DetectCsumData *cd = NULL; @@ -544,7 +547,7 @@ int DetectUDPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, sm->ctx = (void *)cd; - SigMatchAppend(s, m, sm); + SigMatchAppendPacket(s, sm); return 0; @@ -616,7 +619,7 @@ int DetectUDPV6CsumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, * * \retval 0 on success, -1 on failure */ -int DetectUDPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, +int DetectUDPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *csum_str) { DetectCsumData *cd = NULL; @@ -641,7 +644,7 @@ int DetectUDPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, sm->ctx = (void *)cd; - SigMatchAppend(s, m, sm); + SigMatchAppendPacket(s, sm); return 0; @@ -712,7 +715,7 @@ int DetectICMPV4CsumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, * * \retval 0 on success, -1 on failure */ -int DetectICMPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, +int DetectICMPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *csum_str) { DetectCsumData *cd = NULL; @@ -737,7 +740,7 @@ int DetectICMPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, sm->ctx = (void *)cd; - SigMatchAppend(s, m, sm); + SigMatchAppendPacket(s, sm); return 0; @@ -808,7 +811,7 @@ int DetectICMPV6CsumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, * * \retval 0 on success, -1 on failure */ -int DetectICMPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, +int DetectICMPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *csum_str) { DetectCsumData *cd = NULL; 
@@ -833,7 +836,7 @@ int DetectICMPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, sm->ctx = (void *)cd; - SigMatchAppend(s, m, sm); + SigMatchAppendPacket(s, sm); return 0; diff --git a/src/detect-dce-iface.c b/src/detect-dce-iface.c index 76b6c00b59..be401847aa 100644 --- a/src/detect-dce-iface.c +++ b/src/detect-dce-iface.c @@ -3,8 +3,10 @@ */ #include "suricata-common.h" + #include "detect.h" #include "detect-parse.h" + #include "detect-engine.h" #include "detect-engine-mpm.h" #include "detect-dce-iface.h" @@ -315,7 +317,7 @@ int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, * \retval 0 on success, -1 on failure. */ -int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, +int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *arg) { DetectDceIfaceData *did = NULL; @@ -335,7 +337,7 @@ int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, sm->type = DETECT_DCE_IFACE; sm->ctx = (void *)did; - SigMatchAppend(s, m, sm); + SigMatchAppendAppLayer(s, sm); return 0; diff --git a/src/detect-dce-opnum.c b/src/detect-dce-opnum.c index 2d13ce2c05..d317e41f66 100644 --- a/src/detect-dce-opnum.c +++ b/src/detect-dce-opnum.c @@ -3,8 +3,10 @@ */ #include "suricata-common.h" + #include "detect.h" #include "detect-parse.h" + #include "detect-engine.h" #include "detect-engine-mpm.h" @@ -272,7 +274,7 @@ int DetectDceOpnumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, * \retval 0 on success, -1 on failure */ -int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, +int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *arg) { DetectDceOpnumData *dod = NULL; @@ -292,7 +294,7 @@ int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, sm->type = DETECT_DCE_OPNUM; sm->ctx = (void *)dod; - SigMatchAppend(s, m, sm); + SigMatchAppendAppLayer(s, sm); return 0; 
diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c index 69abf96869..1a31477adb 100644 --- a/src/detect-dce-stub-data.c +++ b/src/detect-dce-stub-data.c @@ -3,8 +3,10 @@ */ #include "suricata-common.h" + #include "detect.h" #include "detect-parse.h" + #include "detect-engine.h" #include "detect-engine-mpm.h" @@ -87,7 +89,7 @@ int DetectDceStubDataMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow * * \retval 0 on success, -1 on failure */ -int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, +int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *arg) { SigMatch *sm = NULL; @@ -99,7 +101,7 @@ int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, sm->type = DETECT_DCE_STUB_DATA; sm->ctx = NULL; - SigMatchAppend(s, m, sm); + SigMatchAppendAppLayer(s, sm); return 0; diff --git a/src/detect-decode-event.c b/src/detect-decode-event.c index db0e625fdf..af17ee04d3 100644 --- a/src/detect-decode-event.c +++ b/src/detect-decode-event.c @@ -7,6 +7,8 @@ #include "suricata.h" #include "decode.h" #include "detect.h" +#include "detect-parse.h" + #include "flow-var.h" #include "decode-events.h" @@ -150,7 +152,7 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -int DetectDecodeEventSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) +int DetectDecodeEventSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rawstr) { DetectDecodeEventData *de = NULL; SigMatch *sm = NULL; @@ -166,7 +168,7 @@ int DetectDecodeEventSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, sm->type = DETECT_DECODE_EVENT; sm->ctx = (void *)de; - SigMatchAppend(s,m,sm); + SigMatchAppendPacket(s, sm); return 0; error: diff --git a/src/detect-dsize.c b/src/detect-dsize.c index d7e8c3a561..8193d0a353 100644 --- a/src/detect-dsize.c +++ b/src/detect-dsize.c 
@@ -7,7 +7,10 @@ #include "suricata-common.h" #include "decode.h" + #include "detect.h" +#include "detect-parse.h" + #include "flow-var.h" #include "detect-dsize.h" @@ -224,7 +227,7 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -int DetectDsizeSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) +int DetectDsizeSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rawstr) { DetectDsizeData *dd = NULL; SigMatch *sm = NULL; @@ -248,7 +251,7 @@ int DetectDsizeSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char * sm->type = DETECT_DSIZE; sm->ctx = (void *)dd; - SigMatchAppend(s,m,sm); + SigMatchAppendPacket(s, sm); /* tell the sig it has a dsize to speed up engine init */ s->flags |= SIG_FLAG_DSIZE; diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index 65c4331441..b5d3a2c440 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -620,6 +620,7 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead } else { SCLogDebug("%"PRIu32" no scan pattern selected", s->id); } +#if 0 /* add the rest of the patterns to the search ctx */ for (sm = s->pmatch ; sm != NULL; sm = sm->next) { if (sm->type == DETECT_CONTENT) { @@ -645,6 +646,7 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead SCLogDebug("%"PRIu32" adding co->id %"PRIu32" to the search phase", s->id, co->id); } } +#endif } if (fast_pattern != NULL) @@ -696,7 +698,11 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) if (sm->type == DETECT_CONTENT) { co_cnt++; s->flags |= SIG_FLAG_MPM; - } else if (sm->type == DETECT_URICONTENT) { + } + } + + for (sm = s->match; sm != NULL; sm = sm->next) { + if (sm->type == DETECT_URICONTENT) { ur_cnt++; s->flags |= SIG_FLAG_MPM; } 
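Review bot: The `#if 0` / `#endif` added around the search-phase pattern loop in PatternMatchPreprarePopulateMpm (@@ -620 and @@ -645) disables that code without saying why or whether it is expected to return, and the same construct is added to the uricontent loop at @@ -944. An uncommented `#if 0` block reads as an unfinished experiment; either remove the loop outright (history keeps it) or state the reason on the directive, e.g. `#if 0 /* search-phase patterns are no longer added to the mpm ctx; only the scan pattern is */` — the reason is inferred from the commit message, so correct it if that is not the intent. The split at @@ -696 into one pass over s->pmatch for DETECT_CONTENT and a second over s->match for DETECT_URICONTENT matches uricontent moving lists, but a one-line comment above the second loop noting that uricontent now lives in s->match would save the next reader a trip to detect-uricontent.c. PatternMatchPrepareGroup continues outside the hunk.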
@@ -781,7 +787,10 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) if (!content_added) { content_added = 1; } - } else if (sm->type == DETECT_URICONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) { + } + } + for (sm = s->match; sm != NULL; sm = sm->next) { + if (sm->type == DETECT_URICONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) { DetectUricontentData *ud = (DetectUricontentData *)sm->ctx; if (ud->uricontent_len > uricontent_maxlen) uricontent_maxlen = ud->uricontent_len; @@ -809,11 +818,6 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) if (content_minoffset > cd->offset) content_minoffset = cd->offset; } - } else if (sm->type == DETECT_URICONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) { - DetectUricontentData *ud = (DetectUricontentData *)sm->ctx; - if (ud->uricontent_len == uricontent_maxlen) { - /** \todo we don't support offset in uricontent */ - } } } //if (content_maxlen < 4 && content_cnt) printf(" (%" PRIu32 ", min %" PRIu32 ", max %" PRIu32 ")\n", content_cnt, content_minlen, content_maxlen); @@ -918,7 +922,10 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) if (content_minlen == 0) content_minlen = cd->content_len; else if (cd->content_len < content_minlen) content_minlen = cd->content_len; - } else if (sm->type == DETECT_URICONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) { + } + } + for (sm = s->match; sm != NULL; sm = sm->next) { + if (sm->type == DETECT_URICONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) { DetectUricontentData *ud = (DetectUricontentData *)sm->ctx; if (ud->uricontent_len > uricontent_maxlen) uricontent_maxlen = ud->uricontent_len; 
@@ -929,7 +936,7 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) } } char uricontent_scanadded = 0; - for (sm = s->pmatch; sm != NULL; sm = sm->next) { + for (sm = s->match; sm != NULL; sm = sm->next) { if (sm->type == DETECT_URICONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) { DetectUricontentData *ud = (DetectUricontentData *)sm->ctx; @@ -944,12 +951,14 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) uricontent_scanadded = 1; /* otherwise it's a 'search' pattern */ +#if 0 } else { if (ud->flags & DETECT_URICONTENT_NOCASE) { mpm_table[sh->mpm_uri_ctx->mpm_type].AddPatternNocase(sh->mpm_uri_ctx, ud->uricontent, ud->uricontent_len, 0, 0, ud->id, s->num); } else { mpm_table[sh->mpm_uri_ctx->mpm_type].AddPattern(sh->mpm_uri_ctx, ud->uricontent, ud->uricontent_len, 0, 0, ud->id, s->num); } +#endif } } } diff --git a/src/detect-engine-payload.c b/src/detect-engine-payload.c index 94da9393f1..0402b61433 100644 --- a/src/detect-engine-payload.c +++ b/src/detect-engine-payload.c @@ -67,9 +67,9 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx, if (cd->flags & DETECT_CONTENT_DISTANCE || cd->flags & DETECT_CONTENT_WITHIN) { - SCLogDebug("det_ctx->pkt_off %"PRIu32, det_ctx->pkt_off); + SCLogDebug("det_ctx->payload_offset %"PRIu32, det_ctx->payload_offset); - offset = det_ctx->pkt_off; + offset = det_ctx->payload_offset; depth = payload_len; if (cd->flags & DETECT_CONTENT_DISTANCE) { 
@@ -82,17 +82,17 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx, } if (cd->flags & DETECT_CONTENT_WITHIN) { - if ((int32_t)depth > (int32_t)(det_ctx->pkt_off + cd->within)) { - depth = det_ctx->pkt_off + cd->within; + if ((int32_t)depth > (int32_t)(det_ctx->payload_offset + cd->within)) { + depth = det_ctx->payload_offset + cd->within; } - SCLogDebug("cd->within %"PRIi32", det_ctx->pkt_off %"PRIu32", depth %"PRIu32, - cd->within, det_ctx->pkt_off, depth); + SCLogDebug("cd->within %"PRIi32", det_ctx->payload_offset %"PRIu32", depth %"PRIu32, + cd->within, det_ctx->payload_offset, depth); } if (cd->depth != 0) { - if ((cd->depth + det_ctx->pkt_off) < depth) { - depth = det_ctx->pkt_off + cd->depth; + if ((cd->depth + det_ctx->payload_offset) < depth) { + depth = det_ctx->payload_offset + cd->depth; } SCLogDebug("cd->depth %"PRIu32", depth %"PRIu32, cd->depth, depth); @@ -102,8 +102,6 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx, offset = cd->offset; SCLogDebug("setting offset %"PRIu32, offset); } - - //PrintRawDataFp(stdout,payload+offset,depth); } else { /* implied no relative matches */ /* set depth */ if (cd->depth != 0) { @@ -112,18 +110,15 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx, /* set offset */ offset = cd->offset; - - //PrintRawDataFp(stdout,payload+offset,depth); } - //BUG_ON(depth == 0); SCLogDebug("offset %"PRIu32", depth %"PRIu32, offset, depth); if (depth > payload_len) depth = payload_len; /* if offset is bigger than depth we can never match on a pattern. - * We can however, match on a negated pattern. */ + * We can however, "match" on a negated pattern. */ if (offset > depth || depth == 0) { if (cd->negated == 1) { goto match; @@ -131,7 +126,6 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx, SCReturnInt(0); } } - //BUG_ON(offset > depth); uint8_t *spayload = payload + offset; uint32_t spayload_len = depth - offset; 
@@ -141,8 +135,11 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx, //PrintRawDataFp(stdout,cd->content,cd->content_len); //PrintRawDataFp(stdout,spayload,spayload_len); + /* do the actual search */ found = BasicSearch(spayload, spayload_len, cd->content, cd->content_len); + /* next we evaluate the result in combination with the + * negation flag. */ SCLogDebug("found %p cd->negated %d", found, cd->negated); if (found == NULL && cd->negated == 0) { @@ -150,17 +147,19 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx, } else if (found == NULL && cd->negated == 1) { goto match; } else if (found != NULL && cd->negated == 1) { +#ifdef DEBUG uint32_t match_offset = (uint32_t)((found - payload) + cd->content_len); SCLogDebug("content %"PRIu32" matched at offset %"PRIu32", but negated so no match", cd->id, match_offset); +#endif SCReturnInt(0); } else { uint32_t match_offset = (uint32_t)((found - payload) + cd->content_len); SCLogDebug("content %"PRIu32" matched at offset %"PRIu32"", cd->id, match_offset); - det_ctx->pkt_off = match_offset; + det_ctx->payload_offset = match_offset; if (cd->flags & DETECT_CONTENT_ISDATAAT_RELATIVE) { - if (det_ctx->pkt_off + cd->isdataat > payload_len) { - SCLogDebug("det_ctx->pkt_off + cd->isdataat %"PRIu32" > %"PRIu32, det_ctx->pkt_off + cd->isdataat, payload_len); + if (det_ctx->payload_offset + cd->isdataat > payload_len) { + SCLogDebug("det_ctx->payload_offset + cd->isdataat %"PRIu32" > %"PRIu32, det_ctx->payload_offset + cd->isdataat, payload_len); SCReturnInt(0); } else { SCLogDebug("relative isdataat match"); @@ -288,7 +287,7 @@ int DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, SCReturnInt(0); } - det_ctx->pkt_off = 0; + det_ctx->payload_offset = 0; r = DoInspectPacketPayload(de_ctx, det_ctx, s, s->pmatch, f, flags, alstate, p, p->payload, p->payload_len); if (r == 1) { diff --git a/src/detect-flags.c b/src/detect-flags.c index b97402753d..bb02f76724 100644 --- a/src/detect-flags.c 
+++ b/src/detect-flags.c @@ -7,7 +7,10 @@ #include "suricata-common.h" #include "suricata.h" #include "decode.h" + #include "detect.h" +#include "detect-parse.h" + #include "flow-var.h" #include "decode-events.h" @@ -421,7 +424,7 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -static int DetectFlagsSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) +static int DetectFlagsSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rawstr) { DetectFlagsData *de = NULL; SigMatch *sm = NULL; @@ -437,7 +440,7 @@ static int DetectFlagsSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, sm->type = DETECT_FLAGS; sm->ctx = (void *)de; - SigMatchAppend(s,m,sm); + SigMatchAppendPacket(s, sm); return 0; error: diff --git a/src/detect-flow.c b/src/detect-flow.c index 5310e192a2..828d68d5f7 100644 --- a/src/detect-flow.c +++ b/src/detect-flow.c @@ -8,7 +8,9 @@ #include "suricata-common.h" #include "debug.h" #include "decode.h" + #include "detect.h" +#include "detect-parse.h" #include "flow.h" #include "flow-var.h" @@ -255,7 +257,7 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *flowstr) +int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *flowstr) { DetectFlowData *fd = NULL; SigMatch *sm = NULL; @@ -274,7 +276,7 @@ int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *f sm->type = DETECT_FLOW; sm->ctx = (void *)fd; - SigMatchAppend(s,m,sm); + SigMatchAppendPacket(s, sm); s->flags |= SIG_FLAG_FLOW; return 0; diff --git a/src/detect-flowbits.c b/src/detect-flowbits.c index f88e9bfefa..2cd272e620 100644 --- a/src/detect-flowbits.c +++ b/src/detect-flowbits.c 
@@ -133,7 +133,7 @@ int DetectFlowbitMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p return 0; } -int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) +int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rawstr) { DetectFlowbitsData *cd = NULL; SigMatch *sm = NULL; @@ -229,7 +229,7 @@ int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char sm->type = DETECT_FLOWBITS; sm->ctx = (void *)cd; - SigMatchAppend(s,m,sm); + SigMatchAppendPacket(s, sm); return 0; diff --git a/src/detect-flowint.c b/src/detect-flowint.c index 6006228bee..b640b7d097 100644 --- a/src/detect-flowint.c +++ b/src/detect-flowint.c @@ -331,7 +331,7 @@ error: * \retval -1 if we find any problem */ int DetectFlowintSetup(DetectEngineCtx *de_ctx, - Signature *s, SigMatch *m, char *rawstr) + Signature *s, SigMatch *notused, char *rawstr) { DetectFlowintData *sfd = NULL; SigMatch *sm = NULL; @@ -349,7 +349,7 @@ int DetectFlowintSetup(DetectEngineCtx *de_ctx, sm->type = DETECT_FLOWINT; sm->ctx =(void *) sfd; - SigMatchAppend(s, m, sm); + SigMatchAppendPacket(s, sm); return 0; diff --git a/src/detect-flowvar.c b/src/detect-flowvar.c index f481b84df7..4b814bda46 100644 --- a/src/detect-flowvar.c +++ b/src/detect-flowvar.c @@ -4,7 +4,10 @@ #include "suricata-common.h" #include "decode.h" + #include "detect.h" +#include "detect-parse.h" + #include "detect-content.h" #include "threads.h" #include "flow.h" @@ -79,7 +82,7 @@ int DetectFlowvarMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p return ret; } -int DetectFlowvarSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) +int DetectFlowvarSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rawstr) { DetectFlowvarData *cd = NULL; SigMatch *sm = NULL; 
@@ -213,7 +216,7 @@ int DetectFlowvarSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char sm->type = DETECT_FLOWVAR; sm->ctx = (void *)cd; - SigMatchAppend(s,m,sm); + SigMatchAppendPacket(s, sm); if (dubbed) SCFree(str); return 0; diff --git a/src/detect-fragbits.c b/src/detect-fragbits.c index c24db0ae49..de58f87347 100644 --- a/src/detect-fragbits.c +++ b/src/detect-fragbits.c @@ -7,7 +7,10 @@ #include "suricata-common.h" #include "suricata.h" #include "decode.h" + #include "detect.h" +#include "detect-parse.h" + #include "flow-var.h" #include "decode-events.h" @@ -252,7 +255,7 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -static int DetectFragBitsSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) +static int DetectFragBitsSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rawstr) { DetectFragBitsData *de = NULL; SigMatch *sm = NULL; @@ -268,7 +271,7 @@ static int DetectFragBitsSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch sm->type = DETECT_FRAGBITS; sm->ctx = (void *)de; - SigMatchAppend(s,m,sm); + SigMatchAppendPacket(s, sm); return 0; error: diff --git a/src/detect-fragoffset.c b/src/detect-fragoffset.c index 0f393fc780..18fa75684a 100644 --- a/src/detect-fragoffset.c +++ b/src/detect-fragoffset.c @@ -9,7 +9,9 @@ #include "decode.h" #include "decode-ipv4.h" #include "decode-ipv6.h" + #include "detect.h" +#include "detect-parse.h" #include "detect-fragoffset.h" @@ -188,7 +190,7 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -int DetectFragOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *fragoffsetstr) { +int DetectFragOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *fragoffsetstr) { DetectFragOffsetData *fragoff = NULL; SigMatch *sm = NULL; 
@@ -201,7 +203,7 @@ int DetectFragOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, c sm->type = DETECT_FRAGOFFSET; sm->ctx = (void *)fragoff; - SigMatchAppend(s, m, sm); + SigMatchAppendPacket(s, sm); return 0; diff --git a/src/detect-ftpbounce.c b/src/detect-ftpbounce.c index b0e2a75f28..99c0ef8b8c 100644 --- a/src/detect-ftpbounce.c +++ b/src/detect-ftpbounce.c @@ -219,8 +219,8 @@ int DetectFtpbounceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, * \retval 0 on Success * \retval -1 on Failure */ -int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, - char *ftpbouncestr) +int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, + SigMatch *notused, char *ftpbouncestr) { SigMatch *sm = NULL; @@ -244,7 +244,7 @@ int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, */ sm->ctx = NULL; - SigMatchAppend(s, m, sm); + SigMatchAppendAppLayer(s, sm); return 0; } diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c index 6b90c56c78..ddf0767f09 100644 --- a/src/detect-http-cookie.c +++ b/src/detect-http-cookie.c @@ -57,7 +57,7 @@ int DetectHttpCookieDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SCEnter(); int ret = 0; - uint8_t i; + size_t idx; SCMutexLock(&f->m); SCLogDebug("got lock %p", &f->m); @@ -86,10 +86,10 @@ int DetectHttpCookieDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, htp_tx_t *tx = NULL; - for (i = htp_state->new_in_tx_index; - i < list_size(htp_state->connp->conn->transactions); i++) + for (idx = htp_state->new_in_tx_index; + idx < list_size(htp_state->connp->conn->transactions); idx++) { - tx = list_get(htp_state->connp->conn->transactions, i); + tx = list_get(htp_state->connp->conn->transactions, idx); if (tx == NULL) continue; 
@@ -157,6 +157,9 @@ int DetectHttpCookieSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notu DetectHttpCookieData *hd = NULL; SigMatch *sm = NULL; + /** new sig match to replace previous content */ + SigMatch *nm = NULL; + if (str != NULL && strcmp(str, "") != 0) { SCLogError(SC_ERR_INVALID_ARGUMENT, "http_cookie shouldn't be supplied with" " an argument"); @@ -191,6 +194,12 @@ int DetectHttpCookieSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notu return -1; } + nm = SigMatchAlloc(); + if (nm == NULL) { + SCLogError(SC_ERR_MEM_ALLOC, "SigMatchAlloc failed"); + goto error; + } + /* Setup the HttpCookie data from Content data structure */ hd = SCMalloc(sizeof(DetectHttpCookieData)); if (hd == NULL) { @@ -207,14 +216,19 @@ int DetectHttpCookieSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notu } memcpy(hd->data, ((DetectContentData *)pm->ctx)->content, hd->data_len); - /* Okay we need to replace the type to HTTP_COOKIE from CONTENT */ - SCFree(((DetectContentData *)pm->ctx)->content); - SCFree(pm->ctx); - pm->type = DETECT_AL_HTTP_COOKIE; - pm->ctx = (void *)hd; + nm->type = DETECT_AL_HTTP_COOKIE; + nm->ctx = (void *)hd; + + /* pull the previous content from the pmatch list, append + * the new match to the match list */ + SigMatchReplaceContent(s, pm, nm); + + /* free the old content sigmatch */ + DetectContentFree(pm->ctx); + SCFree(pm); /* Flagged the signature as to scan the app layer data */ - s->flags |=SIG_FLAG_APPLAYER; + s->flags |= SIG_FLAG_APPLAYER; return 0; error: 
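Review bot: The `nm` allocated by the new `SigMatchAlloc()` call is leaked on the error paths that follow it — when the `SCMalloc` for `hd` or for `hd->data` fails, control jumps to `error:`, which is outside the hunk and, from the old code, only knew about `hd`. Unless that label was updated as well, add `if (nm != NULL) SCFree(nm);` there (after `nm` has been linked into the signature it must not be freed, so the `goto error` after `SigMatchReplaceContent` must not exist — it does not in this hunk, which is good). The same leak applies to the `nm` added in DetectHttpMethodSetup in the detect-http-method.c hunk further down.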
@@ -300,17 +314,24 @@ int DetectHttpCookieTest03(void) "http_cookie; content:\"two\"; http_cookie; " "content:\"two\"; http_cookie; " "sid:1;)"); - if (de_ctx->sig_list == NULL) + if (de_ctx->sig_list == NULL) { + printf("sig parse failed: "); goto end; + } result = 0; - sm = de_ctx->sig_list->pmatch; + sm = de_ctx->sig_list->match; + if (sm == NULL) { + printf("no sigmatch(es): "); + goto end; + } + while (sm != NULL) { if (sm->type == DETECT_AL_HTTP_COOKIE) { - result = 1; + result = 1; } else { - result = 0; - break; + printf("expected DETECT_AL_HTTP_COOKIE, got %d: ", sm->type); + goto end; } sm = sm->next; } @@ -392,17 +413,17 @@ int DetectHttpCookieTest06(void) Signature *s = de_ctx->sig_list; - BUG_ON(s->pmatch == NULL); + BUG_ON(s->match == NULL); - if (s->pmatch->type != DETECT_AL_HTTP_COOKIE) + if (s->match->type != DETECT_AL_HTTP_COOKIE) goto end; - if (s->pmatch->next == NULL) { + if (s->match->next == NULL) { printf("expected another SigMatch, got NULL: "); goto end; } - if (s->pmatch->next->type != DETECT_URICONTENT) { + if (s->match->next->type != DETECT_URICONTENT) { goto end; } diff --git a/src/detect-http-method.c b/src/detect-http-method.c index 4e7c06f700..51caf02d48 100644 --- a/src/detect-http-method.c +++ b/src/detect-http-method.c @@ -141,6 +141,8 @@ int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s, DetectHttpMethodData *data = NULL; SigMatch *sm = NULL; bstr *method; + /** new sig match to replace previous content */ + SigMatch *nm = NULL; if ((str != NULL) && (strcmp(str, "") != 0)) { SCLogError(SC_ERR_INVALID_ARGUMENT, 
@@ -176,9 +178,15 @@ int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s, SCReturnInt(-1); } + /* Setup the new sigmatch */ + nm = SigMatchAlloc(); + if (nm == NULL) { + SCLogError(SC_ERR_MEM_ALLOC, "SigMatchAlloc failed"); + goto error; + } + data = SCMalloc(sizeof(DetectHttpMethodData)); if (data == NULL) { - // XXX: Should we bother with an error - it may fail too? SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc failed"); goto error; } @@ -186,7 +194,6 @@ int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s, data->content_len = ((DetectContentData *)pm->ctx)->content_len; data->content = SCMalloc(data->content_len); if (data->content == NULL) { - // XXX: Should we bother with an error - it may fail too? SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc failed"); goto error; } @@ -196,15 +203,21 @@ int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s, method = bstr_memdup((char *)data->content, data->content_len); /** \todo error check */ data->method = htp_convert_method_to_number(method); + bstr_free(method); + + nm->type = DETECT_AL_HTTP_METHOD; + nm->ctx = (void *)data; + + /* pull the previous content from the pmatch list, append + * the new match to the match list */ + SigMatchReplaceContent(s, pm, nm); - /* Okay we need to replace the type to HTTP_METHOD from CONTENT */ - SCFree(((DetectContentData *)pm->ctx)->content); - SCFree(pm->ctx); - pm->type = DETECT_AL_HTTP_METHOD; - pm->ctx = (void *)data; + /* free the old content sigmatch */ + DetectContentFree(pm->ctx); + SCFree(pm); /* Flagged the signature as to scan the app layer data */ - s->flags |=SIG_FLAG_APPLAYER; + s->flags |= SIG_FLAG_APPLAYER; SCReturnInt(0); diff --git a/src/detect-icmp-id.c b/src/detect-icmp-id.c index f4f6db270a..1e89ea5f5e 100644 --- a/src/detect-icmp-id.c +++ b/src/detect-icmp-id.c @@ -10,7 +10,9 @@ #include "suricata-common.h" #include "debug.h" #include "decode.h" + #include "detect.h" +#include "detect-parse.h" #include "detect-icmp-id.h" 
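Review bot: `method` is passed to `htp_convert_method_to_number()` and then to the new `bstr_free(method)` without a NULL check, although the `\todo error check` on the `bstr_memdup()` line flags exactly that; a failed allocation there would presumably yield NULL and be dereferenced. Add `if (method == NULL) { SCLogError(SC_ERR_MEM_ALLOC, "bstr_memdup failed"); goto error; }` before the conversion, which also lets the `\todo` be dropped. As noted on the detect-http-cookie.c hunk, `nm` is leaked on the later error paths unless `error:` (outside this hunk) frees it.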
@@ -187,7 +189,7 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -int DetectIcmpIdSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *icmpidstr) { +int DetectIcmpIdSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *icmpidstr) { DetectIcmpIdData *iid = NULL; SigMatch *sm = NULL; @@ -200,7 +202,7 @@ int DetectIcmpIdSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char sm->type = DETECT_ICMP_ID; sm->ctx = (void *)iid; - SigMatchAppend(s, m, sm); + SigMatchAppendPacket(s, sm); return 0; diff --git a/src/detect-icmp-seq.c b/src/detect-icmp-seq.c index bcf15f2987..f626afd88a 100644 --- a/src/detect-icmp-seq.c +++ b/src/detect-icmp-seq.c @@ -7,7 +7,9 @@ #include "suricata-common.h" #include "debug.h" #include "decode.h" + #include "detect.h" +#include "detect-parse.h" #include "detect-icmp-seq.h" @@ -187,7 +189,7 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -int DetectIcmpSeqSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *icmpseqstr) { +int DetectIcmpSeqSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *icmpseqstr) { DetectIcmpSeqData *iseq = NULL; SigMatch *sm = NULL; @@ -200,7 +202,7 @@ int DetectIcmpSeqSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char sm->type = DETECT_ICMP_SEQ; sm->ctx = (void *)iseq; - SigMatchAppend(s, m, sm); + SigMatchAppendPacket(s, sm); return 0; diff --git a/src/detect-icode.c b/src/detect-icode.c index aaa9d33d7b..fcee3d9ea3 100644 --- a/src/detect-icode.c +++ b/src/detect-icode.c @@ -10,7 +10,9 @@ #include "suricata-common.h" #include "debug.h" #include "decode.h" + #include "detect.h" +#include "detect-parse.h" #include "detect-icode.h" 
@@ -203,7 +205,7 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -int DetectICodeSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *icodestr) { +int DetectICodeSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *icodestr) { DetectICodeData *icd = NULL; SigMatch *sm = NULL; @@ -217,7 +219,7 @@ int DetectICodeSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *i sm->type = DETECT_ICODE; sm->ctx = (void *)icd; - SigMatchAppend(s, m, sm); + SigMatchAppendPacket(s, sm); return 0; diff --git a/src/detect-id.c b/src/detect-id.c index 270b8c4054..b79dd7e188 100644 --- a/src/detect-id.c +++ b/src/detect-id.c @@ -197,14 +197,15 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -int DetectIdSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, +int DetectIdSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *idstr) { DetectIdData *id_d = NULL; SigMatch *sm = NULL; id_d = DetectIdParse(idstr); - if (id_d == NULL) goto error; + if (id_d == NULL) + goto error; /* Okay so far so good, lets get this into a SigMatch * and put it in the Signature. */ @@ -215,7 +216,7 @@ int DetectIdSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, sm->type = DETECT_ID; sm->ctx = (void *)id_d; - SigMatchAppend(s,m,sm); + SigMatchAppendPacket(s, sm); return 0; diff --git a/src/detect-ipopts.c b/src/detect-ipopts.c index cf09b79da3..ca3c566fda 100644 --- a/src/detect-ipopts.c +++ b/src/detect-ipopts.c @@ -7,7 +7,10 @@ #include "suricata-common.h" #include "suricata.h" #include "decode.h" + #include "detect.h" +#include "detect-parse.h" + #include "flow-var.h" #include "decode-events.h" @@ -165,7 +168,7 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -int DetectIpOptsSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) +int DetectIpOptsSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rawstr) { DetectIpOptsData *de = NULL; SigMatch *sm = NULL; 
@@ -181,7 +184,7 @@ int DetectIpOptsSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char sm->type = DETECT_IPOPTS; sm->ctx = (void *)de; - SigMatchAppend(s,m,sm); + SigMatchAppendPacket(s, sm); return 0; error: diff --git a/src/detect-itype.c b/src/detect-itype.c index 06c21c679c..a405742d8e 100644 --- a/src/detect-itype.c +++ b/src/detect-itype.c @@ -10,7 +10,9 @@ #include "suricata-common.h" #include "debug.h" #include "decode.h" + #include "detect.h" +#include "detect-parse.h" #include "detect-itype.h" @@ -203,7 +205,7 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -int DetectITypeSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *itypestr) { +int DetectITypeSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *itypestr) { DetectITypeData *itd = NULL; SigMatch *sm = NULL; @@ -217,7 +219,7 @@ int DetectITypeSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *i sm->type = DETECT_ITYPE; sm->ctx = (void *)itd; - SigMatchAppend(s,m,sm); + SigMatchAppendPacket(s, sm); return 0; diff --git a/src/detect-parse.c b/src/detect-parse.c index 2d923378b4..ca72d29fda 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -33,9 +33,6 @@ static pcre *option_pcre = NULL; static pcre_extra *config_pcre_extra = NULL; static pcre_extra *option_pcre_extra = NULL; -/* XXX this should be part of the DE */ -//static uint32_t signum = 0; - static uint32_t dbg_srcportany_cnt = 0; static uint32_t dbg_dstportany_cnt = 0; 
@@ -124,21 +121,58 @@ void SigMatchAppendPayload(Signature *s, SigMatch *new) { } } -/* Append 'new' SigMatch to the current Signature. If present - * append it to Sigmatch 'm', otherwise place it in the root. +/** \brief Append a sig match to the signatures non-payload match list + * + * \param s signature + * \param new sigmatch to append */ -void SigMatchAppend(Signature *s, SigMatch *m, SigMatch *new) { - //printf("s:%p,m:%p,new:%p\n", s,m,new); +void SigMatchAppendPacket(Signature *s, SigMatch *new) { + if (s->match == NULL) { + s->match = new; + s->match_tail = new; + new->next = NULL; + } else { + SigMatch *cur = s->match; - if (m == NULL) - m = s->match; + for ( ; cur->next != NULL; cur = cur->next); - if (s->match == NULL) - s->match = new; - else { - m->next = new; - new->prev = m; + cur->next = new; + new->next = NULL; + new->prev = cur; + s->match_tail = new; + } +} + +/** \brief Pull a content 'old' from the pmatch list, append 'new' to match list. + * Used for replacing contents that have http_cookie, etc modifiers. + */ +void SigMatchReplaceContent(Signature *s, SigMatch *old, SigMatch *new) { + if (old == NULL) { + return SigMatchAppendAppLayer(s, new); + } + + SigMatch *m = s->pmatch; + SigMatch *pm = m; + + for ( ; m != NULL; m = m->next) { + if (m == old) { + if (m == s->pmatch) { + s->pmatch = m->next; + } else { + pm->next = m->next; + } + + if (m == s->pmatch_tail) { + s->pmatch_tail = pm; + } + + break; + } + + pm = m; } + + SigMatchAppendAppLayer(s, new); } /** @@ -655,7 +689,10 @@ Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) { if (cd->negated == 1) { sig->flags |= SIG_FLAG_MPM_NEGCONTENT; } - } else if (sm->type == DETECT_URICONTENT) { + } + } + for (sm = sig->match; sm != NULL; sm = sm->next) { + if (sm->type == DETECT_URICONTENT) { DetectUricontentData *ud = (DetectUricontentData *)sm->ctx; if (ud == NULL) continue; 
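Review bot: `SigMatchReplaceContent` unlinks `old` from the pmatch list by fixing only the `next` pointers, so the node after it keeps a `prev` that still points at `old` — which both callers (`DetectHttpCookieSetup`, `DetectHttpMethodSetup`) then `SCFree()`; anything that walks `prev` on the payload list afterwards reads freed memory. In the middle-of-list branch add `if (m->next != NULL) m->next->prev = pm;` and in the head branch `if (s->pmatch != NULL) s->pmatch->prev = NULL;`. Separately, `return SigMatchAppendAppLayer(s, new);` returns a void expression from a void function, which C11 does not allow (GCC merely warns); call it and `return;` on the next line. `SigMatchAppendPacket` also walks to the end of the list even though the function itself maintains `s->match_tail`, which could be appended to directly.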
@@ -679,7 +716,11 @@ Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) { sig->mpm_content_maxlen = cd->content_len; if (sig->mpm_content_maxlen < cd->content_len) sig->mpm_content_maxlen = cd->content_len; - } else if (sm->type == DETECT_URICONTENT) { + } + } + + for (sm = sig->match; sm != NULL; sm = sm->next) { + if (sm->type == DETECT_URICONTENT) { DetectUricontentData *ud = (DetectUricontentData *)sm->ctx; if (sig->mpm_uricontent_maxlen == 0) sig->mpm_uricontent_maxlen = ud->uricontent_len; @@ -764,7 +805,11 @@ Signature *SigInitReal(DetectEngineCtx *de_ctx, char *sigstr) { if (cd->negated == 1) { sig->flags |= SIG_FLAG_MPM_NEGCONTENT; } - } else if (sm->type == DETECT_URICONTENT) { + } + } + + for (sm = sig->match; sm != NULL; sm = sm->next) { + if (sm->type == DETECT_URICONTENT) { DetectUricontentData *ud = (DetectUricontentData *)sm->ctx; if (ud == NULL) continue; @@ -788,7 +833,11 @@ Signature *SigInitReal(DetectEngineCtx *de_ctx, char *sigstr) { sig->mpm_content_maxlen = cd->content_len; if (sig->mpm_content_maxlen < cd->content_len) sig->mpm_content_maxlen = cd->content_len; - } else if (sm->type == DETECT_URICONTENT) { + } + } + + for (sm = sig->match; sm != NULL; sm = sm->next) { + if (sm->type == DETECT_URICONTENT) { DetectUricontentData *ud = (DetectUricontentData *)sm->ctx; if (sig->mpm_uricontent_maxlen == 0) sig->mpm_uricontent_maxlen = ud->uricontent_len; @@ -819,7 +868,7 @@ Signature *SigInitReal(DetectEngineCtx *de_ctx, char *sigstr) { sig->next->mpm_uricontent_maxlen = 0; SigMatch *sm; - for (sm = sig->next->match; sm != NULL; sm = sm->next) { + for (sm = sig->next->pmatch; sm != NULL; sm = sm->next) { if (sm->type == DETECT_CONTENT) { DetectContentData *cd = (DetectContentData *)sm->ctx; 
@@ -827,7 +876,10 @@ Signature *SigInitReal(DetectEngineCtx *de_ctx, char *sigstr) { sig->next->mpm_content_maxlen = cd->content_len; if (sig->next->mpm_content_maxlen < cd->content_len) sig->next->mpm_content_maxlen = cd->content_len; - } else if (sm->type == DETECT_URICONTENT) { + } + } + for (sm = sig->next->match; sm != NULL; sm = sm->next) { + if (sm->type == DETECT_URICONTENT) { DetectUricontentData *ud = (DetectUricontentData *)sm->ctx; if (sig->next->mpm_uricontent_maxlen == 0) sig->next->mpm_uricontent_maxlen = ud->uricontent_len; diff --git a/src/detect-parse.h b/src/detect-parse.h index 893f7962d3..b0972ebe9c 100644 --- a/src/detect-parse.h +++ b/src/detect-parse.h @@ -25,7 +25,14 @@ SigMatch *SigMatchGetLastSM(Signature *, uint8_t); void SigParsePrepare(void); void SigParseRegisterTests(void); Signature *DetectEngineAppendSig(DetectEngineCtx *, char *); + void SigMatchReplace(Signature *, SigMatch *, SigMatch *); -void SigMatchAppendPayload(Signature *s, SigMatch *); +void SigMatchReplaceContent(Signature *, SigMatch *, SigMatch *); + +void SigMatchAppendPayload(Signature *, SigMatch *); +void SigMatchAppendPacket(Signature *, SigMatch *); +/** for now we have one list for app layer and packet matches */ +#define SigMatchAppendAppLayer SigMatchAppendPacket + #endif /* __DETECT_PARSE_H__ */ diff --git a/src/detect-pcre.c b/src/detect-pcre.c index 42539e9d99..906a16dd11 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c 
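Review bot: Making `SigMatchAppendAppLayer` a `#define` alias of `SigMatchAppendPacket` means every app-layer keyword is silently compiled against the packet list, and when the two lists are split later the change will ripple through all these callers as a behaviour change with no compile-time signal; a declared function `void SigMatchAppendAppLayer(Signature *, SigMatch *);` with a one-line wrapper body in detect-parse.c gives the same behaviour today and a single place to change. The header comment should also say where the matches actually land, e.g. `/** app layer matches currently share Signature::match (and match_tail) with packet matches */`, since `SIG_FLAG_APPLAYER` on the signature is the only thing that tells them apart.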
@@ -257,11 +257,11 @@ int DetectPcreDoMatch(DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, S SCReturnInt(0); if (s->flags & SIG_FLAG_RECURSIVE) { - ptr = det_ctx->pkt_ptr ? det_ctx->pkt_ptr : p->payload; - len = p->payload_len - det_ctx->pkt_off; + ptr = p->payload + det_ctx->payload_offset; + len = p->payload_len - det_ctx->payload_offset; } else if (pe->flags & DETECT_PCRE_RELATIVE) { - ptr = det_ctx->pkt_ptr; - len = p->payload_len - det_ctx->pkt_off; + ptr = p->payload + det_ctx->payload_offset; + len = p->payload_len - det_ctx->payload_offset; if (ptr == NULL || len == 0) SCReturnInt(0); } else { @@ -298,10 +298,8 @@ int DetectPcreDoMatch(DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, S } } } - /* update ptrs for pcre RELATIVE */ - det_ctx->pkt_ptr = ptr+ov[1]; - det_ctx->pkt_off = (ptr+ov[1]) - p->payload; - //printf("DetectPcre: post match: t->pkt_ptr %p t->pkt_off %" PRIu32 "\n", t->pkt_ptr, t->pkt_off); + /* update offset for pcre RELATIVE */ + det_ctx->payload_offset = (ptr+ov[1]) - p->payload; ret = 1; } @@ -581,9 +579,12 @@ int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, c SCLogDebug("Body inspection modifier set"); s->flags |= SIG_FLAG_APPLAYER; pcre_need_htp_request_body = 1; + + SigMatchAppendAppLayer(s, sm); + } else { + SigMatchAppendPayload(s, sm); } - SigMatchAppendPayload(s,sm); return 0; diff --git a/src/detect-pktvar.c b/src/detect-pktvar.c index 363f90a21d..466f175ec3 100644 --- a/src/detect-pktvar.c +++ b/src/detect-pktvar.c @@ -4,7 +4,10 @@ #include "suricata-common.h" #include "decode.h" + #include "detect.h" +#include "detect-parse.h" + #include "threads.h" #include "pkt-var.h" #include "detect-pktvar.h" 
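Review bot: With `ptr` now computed as `p->payload + det_ctx->payload_offset`, the `ptr == NULL` test in the `DETECT_PCRE_RELATIVE` branch can no longer fire, and the real hazard is unguarded: `payload_offset` is a `uint32_t` written by other keywords (bytejump, uricontent), so if it ever exceeds `p->payload_len` the unsigned subtraction wraps and `len` becomes huge, letting `pcre_exec` read far past the payload. Replace the dead check with `if (det_ctx->payload_offset >= p->payload_len) SCReturnInt(0);` in both branches before `len` is computed. DetectPcreDoMatch starts before this hunk.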
@@ -72,7 +75,7 @@ int DetectPktvarMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, return ret; } -int DetectPktvarSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) +int DetectPktvarSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rawstr) { DetectPktvarData *cd = NULL; SigMatch *sm = NULL; @@ -206,7 +209,7 @@ int DetectPktvarSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char sm->type = DETECT_PKTVAR; sm->ctx = (void *)cd; - SigMatchAppend(s,m,sm); + SigMatchAppendPacket(s, sm); if (dubbed) SCFree(str); return 0; diff --git a/src/detect-rpc.c b/src/detect-rpc.c index 161af3de3e..2b3d3309d3 100644 --- a/src/detect-rpc.c +++ b/src/detect-rpc.c @@ -250,7 +250,7 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -int DetectRpcSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rpcstr) +int DetectRpcSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rpcstr) { DetectRpcData *rd = NULL; SigMatch *sm = NULL; @@ -265,7 +265,7 @@ int DetectRpcSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rp sm->type = DETECT_RPC; sm->ctx = (void *)rd; - SigMatchAppend(s,m,sm); + SigMatchAppendPacket(s, sm); return 0; diff --git a/src/detect-sameip.c b/src/detect-sameip.c index 47de9736a3..ddc1e79a1e 100644 --- a/src/detect-sameip.c +++ b/src/detect-sameip.c @@ -70,12 +70,10 @@ static int DetectSameipMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, * \retval -1 on Failure */ static int DetectSameipSetup(DetectEngineCtx *de_ctx, Signature *s, - SigMatch *m, char *optstr) + SigMatch *notused, char *optstr) { SigMatch *sm = NULL; - // printf("DetectSameipSetup: \'%s\'\n", optstr); - /* Get this into a SigMatch and put it in the Signature. */ sm = SigMatchAlloc(); if (sm == NULL) 
@@ -84,7 +82,7 @@ static int DetectSameipSetup(DetectEngineCtx *de_ctx, Signature *s, sm->type = DETECT_SAMEIP; sm->ctx = NULL; - SigMatchAppend(s, m, sm); + SigMatchAppendPacket(s, sm); return 0; diff --git a/src/detect-seq.c b/src/detect-seq.c index ac3dd43d26..7ecd3911f9 100644 --- a/src/detect-seq.c +++ b/src/detect-seq.c @@ -77,7 +77,7 @@ static int DetectSeqMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, * \retval -1 on Failure */ static int DetectSeqSetup (DetectEngineCtx *de_ctx, Signature *s, - SigMatch *m, char *optstr) + SigMatch *notused, char *optstr) { DetectSeqData *data; SigMatch *sm = NULL; @@ -102,7 +102,7 @@ static int DetectSeqSetup (DetectEngineCtx *de_ctx, Signature *s, } sm->ctx = data; - SigMatchAppend(s, m, sm); + SigMatchAppendPacket(s, sm); return 0; diff --git a/src/detect-stream_size.c b/src/detect-stream_size.c index b73526befd..cce1ac76fb 100644 --- a/src/detect-stream_size.c +++ b/src/detect-stream_size.c @@ -8,7 +8,10 @@ #include "suricata-common.h" #include "stream-tcp.h" #include "util-unittest.h" + #include "detect.h" +#include "detect-parse.h" + #include "flow.h" #include "detect-stream_size.h" #include "stream-tcp-private.h" @@ -294,7 +297,7 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -int DetectStreamSizeSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *streamstr) { +int DetectStreamSizeSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *streamstr) { DetectStreamSizeData *sd = NULL; SigMatch *sm = NULL; @@ -310,7 +313,7 @@ int DetectStreamSizeSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, c sm->type = DETECT_STREAM_SIZE; sm->ctx = (void *)sd; - SigMatchAppend(s,m,sm); + SigMatchAppendPacket(s, sm); return 0; diff --git a/src/detect-threshold.c b/src/detect-threshold.c index ce8f6522a8..a4b431336c 100644 --- a/src/detect-threshold.c +++ b/src/detect-threshold.c 
@@ -7,7 +7,10 @@ #include "suricata-common.h" #include "suricata.h" #include "decode.h" + #include "detect.h" +#include "detect-parse.h" + #include "flow-var.h" #include "decode-events.h" #include "stream-tcp.h" @@ -185,7 +188,7 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -static int DetectThresholdSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) +static int DetectThresholdSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *rawstr) { DetectThresholdData *de = NULL; SigMatch *sm = NULL; @@ -201,7 +204,7 @@ static int DetectThresholdSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch sm->type = DETECT_THRESHOLD; sm->ctx = (void *)de; - SigMatchAppend(s,m,sm); + SigMatchAppendPacket(s, sm); return 0; diff --git a/src/detect-tls-version.c b/src/detect-tls-version.c index 9821d24354..39e5cecf1a 100644 --- a/src/detect-tls-version.c +++ b/src/detect-tls-version.c @@ -9,9 +9,10 @@ #include "threads.h" #include "debug.h" #include "decode.h" -#include "detect.h" +#include "detect.h" #include "detect-parse.h" + #include "detect-engine.h" #include "detect-engine-mpm.h" @@ -206,7 +207,7 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -int DetectTlsVersionSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *str) +int DetectTlsVersionSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *str) { DetectTlsVersionData *tls = NULL; SigMatch *sm = NULL; @@ -223,7 +224,7 @@ int DetectTlsVersionSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, c sm->type = DETECT_AL_TLS_VERSION; sm->ctx = (void *)tls; - SigMatchAppend(s,m,sm); + SigMatchAppendAppLayer(s, sm); return 0; error: diff --git a/src/detect-ttl.c b/src/detect-ttl.c index 8f4d428e93..f666d519b3 100644 --- a/src/detect-ttl.c +++ b/src/detect-ttl.c 
@@ -8,7 +8,10 @@ #include "suricata-common.h" #include "stream-tcp.h" #include "util-unittest.h" + #include "detect.h" +#include "detect-parse.h" + #include "detect-ttl.h" #include "util-debug.h" @@ -223,7 +226,7 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -int DetectTtlSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *ttlstr) { +int DetectTtlSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *ttlstr) { DetectTtlData *ttld = NULL; SigMatch *sm = NULL; @@ -239,7 +242,7 @@ int DetectTtlSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *tt sm->type = DETECT_TTL; sm->ctx = (void *)ttld; - SigMatchAppend(s,m,sm); + SigMatchAppendPacket(s, sm); return 0; diff --git a/src/detect-uricontent.c b/src/detect-uricontent.c index 0338b2bc24..5df4b6ab0e 100644 --- a/src/detect-uricontent.c +++ b/src/detect-uricontent.c @@ -33,6 +33,7 @@ #include "util-debug.h" #include "util-unittest.h" #include "util-binsearch.h" +#include "util-spm.h" /* prototypes */ int DetectUricontentMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, @@ -171,10 +172,8 @@ static inline int DoDetectUricontent(ThreadVars *t, DetectEngineThreadCtx *det_c if (TestOffsetDepth(m, co) == 1) { ret = TestWithinDistanceOffsetDepth(t, det_ctx, m, sm->next); if (ret == 1) { - /* update pkt ptrs, content doesn't use this, - * but pcre does */ - det_ctx->pkt_ptr = p->payload + m->offset; - det_ctx->pkt_off = m->offset; + /* update payload offset */ + det_ctx->payload_offset = m->offset; match = 1; break; } @@ -202,10 +201,8 @@ static inline int DoDetectUricontent(ThreadVars *t, DetectEngineThreadCtx *det_c for (; m != NULL; m = m->next) { ret = TestOffsetDepth(m,co); if (ret == 1) { - /* update pkt ptrs, content doesn't use this, - * but pcre does */ - det_ctx->pkt_ptr = p->payload + m->offset; - det_ctx->pkt_off = m->offset; + /* update payload offset */ + det_ctx->payload_offset = m->offset; match = 1; break; } 
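Review bot: The value stored into `det_ctx->payload_offset` in both DoDetectUricontent hunks is `m->offset` of a match found in the URI, not in `p->payload`, yet pcre's relative branch now computes `ptr = p->payload + det_ctx->payload_offset`, so a relative pcre following a uricontent inspects an unrelated position of the packet payload (and `len` wraps when the URI offset exceeds `payload_len`). This predates the commit — the old `pkt_ptr = p->payload + m->offset` did the same — but the rename makes the mismatch explicit; either stop writing `payload_offset` here or document it: `/* NOTE: m->offset is a position in the normalized URI, not in p->payload; a relative match after uricontent would use the wrong buffer */`. DoDetectUricontent starts and ends outside the hunk.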
@@ -434,8 +431,9 @@ int DetectUricontentSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notu sm->type = DETECT_URICONTENT; sm->ctx = (void *)cd; - SigMatchAppendPayload(s,sm); + SigMatchAppendAppLayer(s, sm); + /** \todo use unique id here as well */ cd->id = de_ctx->uricontent_max_id; de_ctx->uricontent_max_id++; @@ -487,6 +485,7 @@ int DoDetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_ SCLogDebug("post scan: cnt %" PRIu32 ", searchable %" PRIu32 "", ret, det_ctx->pmq.searchable); +/* if (det_ctx->pmq.searchable > 0) { if (det_ctx->sgh->mpm_uricontent_maxlen == 1) det_ctx->pkts_uri_searched1++; else if (det_ctx->sgh->mpm_uricontent_maxlen == 2) det_ctx->pkts_uri_searched2++; @@ -497,6 +496,7 @@ int DoDetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_ ret += UriPatternMatch(tv, det_ctx, uri, uri_len); } +*/ det_ctx->pmq.searchable = 0; } return ret; @@ -524,6 +524,8 @@ int DetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_ct { SCEnter(); int res = 0; + size_t idx = 0; + htp_tx_t *tx = NULL; /* if we don't have a uri, don't bother scanning */ if (det_ctx->de_have_httpuri == FALSE) { 
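Review bot: The per-length uri search counters in DoDetectAppLayerUricontentMatch are disabled by wrapping them in `/* ... */` rather than being removed, leaving a dead block that will drift out of sync with the function around it; either delete it or guard it with `#if 0 /* stats disabled while uricontent moves to per-tx scanning */` so the intent is visible. Note that `pkts_uri_searched` and friends are still printed by DetectExitPrintStats in the detect.c hunk, which will presumably now always report zero for the searched counts.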
@@ -531,27 +533,63 @@ int DetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_ct SCReturnInt(0); } + /* we're locking the flow as we'll be accessing the HTP state */ + SCMutexLock(&f->m); + DetectUricontentData *co = (DetectUricontentData *)sm->ctx; - if (det_ctx->mtcu.match[co->id].len > 0) { - SCLogDebug("Match has been found in the received request and " - "signature s->id %"PRIu32"", s->id); - res = 1; - } else { + if (co == NULL) + goto end; + + SCLogDebug("co->id %"PRIu32, co->id); + + HtpState *htp_state = (HtpState *)state; + if (htp_state == NULL) { + SCLogDebug("no HTTP state"); + goto end; + } + + for (idx = htp_state->new_in_tx_index; + idx < list_size(htp_state->connp->conn->transactions); idx++) + { + tx = list_get(htp_state->connp->conn->transactions, idx); + if (tx == NULL || tx->request_uri_normalized == NULL) + continue; + + /* Search for the pattern in each uri. Bail out on the first match */ + if ((BasicSearch((uint8_t *) bstr_ptr(tx->request_uri_normalized), + bstr_len(tx->request_uri_normalized), + co->uricontent, co->uricontent_len)) != NULL) { + SCLogDebug("Match has been found in the received request and " + "signature s->id %"PRIu32"", s->id); + res = 1; + break; + } + } + + if (res == 0) { SCLogDebug("We don't have app layer URI match"); - res = 0; } +end: + SCMutexUnlock(&f->m); SCReturnInt(res); } /** \brief Run the pattern matcher against the uri(s) + * + * We run against _all_ uri(s) we have as the pattern matcher will + * flag each sig that has a match. We need to do this for all uri(s) + * to not miss possible events. * * \warning Make sure the flow/state is locked + * \todo what should we return? Just the fact that we matched? */ uint32_t DetectUricontentInspectMpm(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, void *alstate) { SCEnter(); + uint32_t cnt = 0; - uint8_t i; + size_t idx = 0; + htp_tx_t *tx = NULL; HtpState *htp_state = (HtpState *)alstate; if (htp_state == NULL) { 
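Review bot: DetectAppLayerUricontentMatch now takes `f->m` itself, while DetectUricontentInspectMpm in the same hunk still carries `\warning Make sure the flow/state is locked`, so the two uricontent entry points have opposite locking contracts and nothing here says which callers hold the lock; if any caller of the former already holds `f->m` this deadlocks, since SCMutex is presumably a plain non-recursive mutex. Add a doc comment on the function (its signature is outside the hunk) such as `\warning takes the flow mutex f->m itself; callers must not hold it`, and either check `f` for NULL before locking or document that the caller guarantees a flow — that guarantee is not visible in this hunk. The `goto end` paths do unlock correctly.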
@@ -559,12 +597,10 @@ uint32_t DetectUricontentInspectMpm(ThreadVars *tv, DetectEngineThreadCtx *det_c SCReturnUInt(0U); } - htp_tx_t *tx = NULL; - - for (i = htp_state->new_in_tx_index; - i < list_size(htp_state->connp->conn->transactions); i++) + for (idx = htp_state->new_in_tx_index; + idx < list_size(htp_state->connp->conn->transactions); idx++) { - tx = list_get(htp_state->connp->conn->transactions, i); + tx = list_get(htp_state->connp->conn->transactions, idx); if (tx == NULL || tx->request_uri_normalized == NULL) continue; @@ -876,7 +912,7 @@ int DetectUriSigTest01(void) BUG_ON(de_ctx->sig_list == NULL); - sm = de_ctx->sig_list->pmatch; + sm = de_ctx->sig_list->match; if (sm->type == DETECT_URICONTENT) { result = 1; } else { diff --git a/src/detect-urilen.c b/src/detect-urilen.c index 40ebe80ac1..78850280e8 100644 --- a/src/detect-urilen.c +++ b/src/detect-urilen.c @@ -9,7 +9,10 @@ #include "app-layer-protos.h" #include "app-layer-htp.h" #include "util-unittest.h" + #include "detect.h" +#include "detect-parse.h" + #include "detect-urilen.h" #include "util-debug.h" #include "util-byte.h" @@ -264,7 +267,7 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, +int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *urilenstr) { SCEnter(); @@ -282,10 +285,10 @@ int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, sm->type = DETECT_AL_URILEN; sm->ctx = (void *)urilend; - SigMatchAppend(s,m,sm); + SigMatchAppendAppLayer(s, sm); /* Flagged the signature as to scan the app layer data */ - s->flags |=SIG_FLAG_APPLAYER; + s->flags |= SIG_FLAG_APPLAYER; SCReturnInt(0); diff --git a/src/detect-window.c b/src/detect-window.c index 779e2a10ae..54ad748c90 100644 --- a/src/detect-window.c +++ b/src/detect-window.c 
@@ -8,7 +8,9 @@ #include "suricata-common.h" #include "debug.h" #include "decode.h" + #include "detect.h" +#include "detect-parse.h" #include "detect-window.h" #include "flow.h" @@ -179,7 +181,7 @@ error: * \retval 0 on Success * \retval -1 on Failure */ -int DetectWindowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *windowstr) +int DetectWindowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *notused, char *windowstr) { DetectWindowData *wd = NULL; SigMatch *sm = NULL; @@ -196,7 +198,7 @@ int DetectWindowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char sm->type = DETECT_WINDOW; sm->ctx = (void *)wd; - SigMatchAppend(s,m,sm); + SigMatchAppendPacket(s, sm); return 0; diff --git a/src/detect.c b/src/detect.c index f3e35a29e7..e058864685 100644 --- a/src/detect.c +++ b/src/detect.c @@ -197,7 +197,7 @@ void DetectExitPrintStats(ThreadVars *tv, void *data) { (float)(det_ctx->pkts_uri_searched/(float)(det_ctx->uris)*100), (float)(det_ctx->pkts_uri_searched/(float)(det_ctx->pkts_uri_scanned)*100)); - SCLogInfo("%"PRIu64" sigs per scan match on avg needed inspection, total scans %"PRIu64", less than 25 sigs need inspect %"PRIu64", more than 100 sigs need inspect %"PRIu64", more than 1000 %"PRIu64" max %"PRIu64"", det_ctx->scans_sigs / det_ctx->scans_match, det_ctx->scans_match, det_ctx->scans_sigsmin25, det_ctx->scans_sigsplus100, det_ctx->scans_sigsplus1000, det_ctx->scans_sigsmax); + SCLogInfo("%"PRIu64" sigs per scan match on avg needed inspection, total scans %"PRIu64", less than 25 sigs need inspect %"PRIu64", more than 100 sigs need inspect %"PRIu64", more than 1000 %"PRIu64" max %"PRIu64"", det_ctx->scans_match ? det_ctx->scans_sigs / det_ctx->scans_match : 0, det_ctx->scans_match, det_ctx->scans_sigsmin25, det_ctx->scans_sigsplus100, det_ctx->scans_sigsplus1000, det_ctx->scans_sigsmax); } /** \brief Create the path if default-rule-path was specified 
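Review bot: The new `det_ctx->scans_match ? ... : 0` guard removes an integer divide-by-zero in this SCLogInfo, but the two float averages in the same call still divide by `det_ctx->uris` and `det_ctx->pkts_uri_scanned` unguarded; those do not trap but print `inf`/`nan` when no URIs were seen, which is confusing in a stats line. The same conditional form applies, e.g. `det_ctx->uris ? (float)det_ctx->pkts_uri_searched / (float)det_ctx->uris * 100 : 0`. DetectExitPrintStats starts outside the hunk.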
@@ -612,11 +612,15 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh SCMutexUnlock(&p->flow->m); /* only consider uri sigs if we've seen at least one match */ - /** \warn when we start supporting negated uri content matches + /** \warning when we start supporting negated uri content matches * we need to update this check as well */ if (cnt > 0) { det_ctx->de_have_httpuri = TRUE; } + + SCLogDebug("uricontent cnt %"PRIu32"", cnt); + } else { + SCLogDebug("no uri inspection: have uri %s", det_ctx->sgh->flags & SIG_GROUP_HAVEURICONTENT ? "true":"false"); } /* inspect the sigs against the packet */ @@ -643,8 +647,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh continue; } - //printf("idx %" PRIu32 ", det_ctx->pmq.sig_id_array_cnt %" PRIu32 ", s->id %" PRIu32 " (MPM? %s)\n", idx, det_ctx->pmq.sig_id_array_cnt, s->id, s->flags & SIG_FLAG_MPM ? "TRUE":"FALSE"); - //printf("Sig %" PRIu32 "\n", s->id); /* check the source & dst port in the sig */ if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP) { if (!(s->flags & SIG_FLAG_DP_ANY)) { @@ -680,11 +682,12 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh } } - /** we can't check the mpm flags if we do app layer inspection here as well */ - //if (s->flags & SIG_FLAG_MPM) { - if (s->pmatch != NULL && DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1) - continue; - //} + /* Check the payload keywords. If we are a MPM sig and we've made + * to here, we've had at least one of the patterns match */ + if (s->pmatch != NULL) { + if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1) + continue; + } /* if we get here but have no sigmatches to match against, * we consider the sig matched. */ 
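Review bot: The new comment on the pmatch check reads `If we are a MPM sig and we've made to here` — it should be `made it to here`, and it drops the rationale the removed comment carried (why `SIG_FLAG_MPM` cannot be consulted when app layer inspection also runs), which is still the reason the test is `s->pmatch != NULL` rather than a flag check. Suggested wording: `/* Check the payload keywords. We can't rely on SIG_FLAG_MPM here because app layer inspection may also have brought us here; if we are an MPM sig, at least one pattern has already matched. */`. SigMatchSignatures starts and ends outside the hunk.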
@@ -698,9 +701,8 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh p->action |= s->action; } } else { - /* reset pkt ptr and offset */ - det_ctx->pkt_ptr = NULL; - det_ctx->pkt_off = 0; + /* reset offset */ + det_ctx->payload_offset = 0; /* new signature, so reset indicator of checking distance and within */ det_ctx->de_checking_distancewithin = 0; diff --git a/src/detect.h b/src/detect.h index 4373c0c2e0..f10d12a6aa 100644 --- a/src/detect.h +++ b/src/detect.h @@ -160,7 +160,7 @@ typedef struct Signature_ { uint8_t nchunk_groups; /**< Internal chunk grp id (for splitted patterns) */ char *msg; - /* classification message */ + /** classification message */ char *class_msg; /** addresses, ports and proto this sig matches on */ @@ -170,8 +170,9 @@ typedef struct Signature_ { /** ptr to the SigMatch list */ struct SigMatch_ *match; /* non-payload matches */ + struct SigMatch_ *match_tail; /* non-payload matches, tail of the list */ struct SigMatch_ *pmatch; /* payload matches */ - struct SigMatch_ *pmatch_tail; /* payload matches */ + struct SigMatch_ *pmatch_tail; /* payload matches, tail of the list */ /** ptr to the next sig in the list */ struct Signature_ *next; @@ -346,9 +347,12 @@ enum { */ typedef struct DetectionEngineThreadCtx_ { /* detection engine variables */ - /** \todo rename & comment */ - uint8_t *pkt_ptr; /* ptr to the current position in the pkt */ - uint32_t pkt_off; + + /** offset into the payload of the last match by: + * content, pcre, etc */ + uint32_t payload_offset; + + /** recursive counter */ uint8_t pkt_cnt; char de_checking_distancewithin; @@ -577,7 +581,6 @@ SigTableElmt sigmatch_table[DETECT_TBLSIZE]; /* detection api */ SigMatch *SigMatchAlloc(void); -void SigMatchAppend(Signature *, SigMatch *, SigMatch *); void SigCleanSignatures(DetectEngineCtx *); void SigTableRegisterTests(void);
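Review bot: The new comment on `payload_offset` in detect.h says what writes it but not the invariant its readers depend on: bytejump and pcre compute `payload_len - payload_offset` in unsigned arithmetic, so the field must never exceed the payload length of the packet being inspected, and the detect.c hunk on this line appears to reset it to 0 per signature. Extend the comment to `/** offset into the payload of the last match by content, pcre, etc. Must stay <= p->payload_len of the packet under inspection; reset to 0 before each signature is evaluated */`. The `match_tail` comment should likewise note that `SigMatchAppendPacket` is what keeps it in sync, so future list manipulation knows to update it.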