|
|
|
|
@ -672,6 +672,8 @@ int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file)
|
|
|
|
|
SCReturnInt(ret);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#include "util-vector.h"
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief build an array of signatures that will be inspected
|
|
|
|
|
*
|
|
|
|
|
@ -697,33 +699,49 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
|
|
|
|
|
DetectEngineThreadCtx *det_ctx, Packet *p, SignatureMask mask,
|
|
|
|
|
uint16_t alproto)
|
|
|
|
|
{
|
|
|
|
|
uint32_t i;
|
|
|
|
|
uint32_t u;
|
|
|
|
|
uint32_t bm; /* bit mask, 16 bits used */
|
|
|
|
|
|
|
|
|
|
#if defined(__SSE3__)
|
|
|
|
|
Vector pm, sm, r1, r2;
|
|
|
|
|
/* load the packet mask into each byte of the vector */
|
|
|
|
|
pm.v = _mm_set1_epi8(mask);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* reset previous run */
|
|
|
|
|
det_ctx->match_array_cnt = 0;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < det_ctx->sgh->sig_cnt; i++) {
|
|
|
|
|
SignatureHeader *s = &det_ctx->sgh->head_array[i];
|
|
|
|
|
|
|
|
|
|
if ((mask & s->mask) != s->mask) {
|
|
|
|
|
SCLogDebug("Mask mismatch. mask %02X, s->mask %02x, after AND %02x", mask, s->mask, mask & s->mask);
|
|
|
|
|
for (u = 0; u < det_ctx->sgh->sig_cnt; u += 16) {
|
|
|
|
|
SigIntId x;
|
|
|
|
|
int bitno = 0;
|
|
|
|
|
#if defined(__SSE3__)
|
|
|
|
|
/* load a batch of masks */
|
|
|
|
|
sm.v = _mm_load_si128((const __m128i *)&det_ctx->sgh->mask_array[u]);
|
|
|
|
|
/* logical AND them with the packet's mask */
|
|
|
|
|
r1.v = _mm_and_si128(pm.v, sm.v);
|
|
|
|
|
/* compare the result with the original mask */
|
|
|
|
|
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
|
|
|
|
|
/* convert into a bitarray */
|
|
|
|
|
bm = _mm_movemask_epi8(r2.v);
|
|
|
|
|
#else
|
|
|
|
|
bm = 0;
|
|
|
|
|
for (x = u; x < det_ctx->sgh->sig_cnt && bitno < 16; x++, bitno++) {
|
|
|
|
|
int r = ((mask & det_ctx->sgh->mask_array[x]) == det_ctx->sgh->mask_array[x]);
|
|
|
|
|
bm |= (r << bitno);
|
|
|
|
|
}
|
|
|
|
|
SCLogDebug("bm %04X", bm);
|
|
|
|
|
#endif
|
|
|
|
|
if (bm == 0) {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
SCLogDebug("Mask match. mask %02X, s->mask %02x, after AND %02x", mask, s->mask, mask & s->mask);
|
|
|
|
|
|
|
|
|
|
#if 0
|
|
|
|
|
if (!(p->flags & PKT_HAS_FLOW) && s->init_flags & SIG_FLAG_FLOW) {
|
|
|
|
|
SCLogDebug("flow in sig but not in packet");
|
|
|
|
|
bitno = 0;
|
|
|
|
|
for (x = u; x < det_ctx->sgh->sig_cnt && bitno < 16; x++, bitno++) {
|
|
|
|
|
if (!(bm & (1 << bitno))) {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
SignatureHeader *s = &det_ctx->sgh->head_array[x];
|
|
|
|
|
|
|
|
|
|
/* filter out the sigs that inspect the payload, if packet
|
|
|
|
|
no payload inspection flag is set*/
|
|
|
|
|
if ((p->flags & PKT_NOPAYLOAD_INSPECTION) && (s->init_flags & SIG_FLAG_PAYLOAD)) {
|
|
|
|
|
SCLogDebug("no payload inspection enabled and sig has payload portion.");
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
/* if the sig has alproto and the session as well they should match */
|
|
|
|
|
if (s->flags & SIG_FLAG_APPLAYER && s->alproto != ALPROTO_UNKNOWN && s->alproto != alproto) {
|
|
|
|
|
if (s->alproto == ALPROTO_DCERPC) {
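Review bot: In the SSE3 branch, `_mm_load_si128((const __m128i *)&det_ctx->sgh->mask_array[u])` is an aligned load that always reads 16 bytes, while the loop only bounds `u` by `sig_cnt`, so the last batch reads past the final mask whenever `sig_cnt` is not a multiple of 16. Nothing in this hunk shows `mask_array` being allocated 16-byte aligned and padded to a multiple of 16 entries; if it is not, this is an alignment fault or out-of-bounds read on the per-packet path of the detection engine. Either state that contract above the load and where the array is built, e.g. `/* mask_array must be 16-byte aligned and padded to a multiple of 16 entries */`, or use `_mm_loadu_si128` and keep the padding. Bits of `bm` that belong to padding entries are undefined unless the padding is zeroed, so the later walk over the bits must keep its `x < det_ctx->sgh->sig_cnt` bound, which deserves a comment as well. The function body continues outside the hunk.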
|
|
|
|
|
@ -865,6 +883,7 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
|
|
|
|
|
det_ctx->match_array_cnt++;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Get the SigGroupHead for a packet.
|
|
|
|
|
@ -2125,6 +2144,7 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) {
|
|
|
|
|
}
|
|
|
|
|
#endif /* DEBUG */
|
|
|
|
|
|
|
|
|
|
SignatureCreateMask(tmp_s);
|
|
|
|
|
|
|
|
|
|
for (gr = tmp_s->src.ipv4_head; gr != NULL; gr = gr->next) {
|
|
|
|
|
if (SigGroupHeadAppendSig(de_ctx, &gr->sh, tmp_s) < 0) {
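Review bot: The new position of `SignatureCreateMask(tmp_s);` ahead of the `SigGroupHeadAppendSig()` loop looks load-bearing, but nothing at the call site says so. Presumably the append step, or a later stage that fills `mask_array`, reads the signature's mask (not visible here); if the mask were computed afterwards, the prefilter would compare against an unset value and could silently skip signatures. Once that dependency is confirmed, a short comment such as `/* must run before SigGroupHeadAppendSig(): the group head reads the signature mask */` would keep the call from drifting back. The hunk at -2146 removes the old call site, and the enclosing function starts and ends outside both hunks.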
|
|
|
|
|
@ -2146,8 +2166,6 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) {
|
|
|
|
|
cnt++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SignatureCreateMask(tmp_s);
|
|
|
|
|
|
|
|
|
|
de_ctx->sig_cnt++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|