diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index 08bb30fff6..3355e79ce0 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -47,7 +47,8 @@ #include "detect-flow.h" #include "detect-content.h" -#include "detect-uricontent.h" + +#include "detect-engine-uri.h" #include "stream.h" @@ -73,44 +74,48 @@ typedef struct AppLayerMpms_ { int direction; /**< SIG_FLAG_TOSERVER or SIG_FLAG_TOCLIENT */ int sm_list; uint32_t flags; /**< flags set to SGH when this mpm is present */ + + int (*PrefilterRegister)(SigGroupHead *sgh, MpmCtx *mpm_ctx); + int id; /**< index into this array and result arrays */ } AppLayerMpms; AppLayerMpms app_mpms[] = { - { "http_uri", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_UMATCH, SIG_GROUP_HEAD_MPM_URI, 0 }, - { "http_raw_uri", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HRUDMATCH, SIG_GROUP_HEAD_MPM_HRUD, 1 }, + { "http_uri", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_UMATCH, + SIG_GROUP_HEAD_MPM_URI, PrefilterTxUriRegister, 0 }, + { "http_raw_uri", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HRUDMATCH, SIG_GROUP_HEAD_MPM_HRUD, NULL, 1 }, - { "http_header", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HHDMATCH, SIG_GROUP_HEAD_MPM_HHD, 2}, - { "http_header", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HHDMATCH, SIG_GROUP_HEAD_MPM_HHD, 3}, + { "http_header", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HHDMATCH, SIG_GROUP_HEAD_MPM_HHD, NULL, 2}, + { "http_header", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HHDMATCH, SIG_GROUP_HEAD_MPM_HHD, NULL, 3}, - { "http_user_agent", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HUADMATCH, SIG_GROUP_HEAD_MPM_HUAD, 4}, + { "http_user_agent", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HUADMATCH, SIG_GROUP_HEAD_MPM_HUAD, NULL, 4}, - { "http_raw_header", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HRHDMATCH, SIG_GROUP_HEAD_MPM_HRHD, 5}, - { "http_raw_header", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HRHDMATCH, SIG_GROUP_HEAD_MPM_HRHD, 6}, + { "http_raw_header", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HRHDMATCH, SIG_GROUP_HEAD_MPM_HRHD, NULL, 5}, + { "http_raw_header", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HRHDMATCH, SIG_GROUP_HEAD_MPM_HRHD, NULL, 6}, - { "http_method", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HMDMATCH, SIG_GROUP_HEAD_MPM_HMD, 7}, + { "http_method", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HMDMATCH, SIG_GROUP_HEAD_MPM_HMD, NULL, 7}, - { "file_data", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_FILEDATA, SIG_GROUP_HEAD_MPM_FD_SMTP, 8}, /* smtp */ - { "file_data", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_FILEDATA, SIG_GROUP_HEAD_MPM_HSBD, 9}, /* http server body */ + { "file_data", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_FILEDATA, SIG_GROUP_HEAD_MPM_FD_SMTP, NULL, 8}, /* smtp */ + { "file_data", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_FILEDATA, SIG_GROUP_HEAD_MPM_HSBD, NULL, 9}, /* http server body */ - { "http_stat_msg", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HSMDMATCH, SIG_GROUP_HEAD_MPM_HSMD, 10}, - { "http_stat_code", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HSCDMATCH, SIG_GROUP_HEAD_MPM_HSCD, 11}, + { "http_stat_msg", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HSMDMATCH, SIG_GROUP_HEAD_MPM_HSMD, NULL, 10}, + { "http_stat_code", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HSCDMATCH, SIG_GROUP_HEAD_MPM_HSCD, NULL, 11}, - { "http_client_body", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HCBDMATCH, SIG_GROUP_HEAD_MPM_HCBD, 12}, + { "http_client_body", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HCBDMATCH, SIG_GROUP_HEAD_MPM_HCBD, NULL, 12}, - { "http_host", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HHHDMATCH, SIG_GROUP_HEAD_MPM_HHHD, 13}, - { "http_raw_host", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HRHHDMATCH, SIG_GROUP_HEAD_MPM_HRHHD, 14}, + { "http_host", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HHHDMATCH, SIG_GROUP_HEAD_MPM_HHHD, NULL, 13}, + { "http_raw_host", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HRHHDMATCH, SIG_GROUP_HEAD_MPM_HRHHD, NULL, 14}, - { "http_cookie", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HCDMATCH, SIG_GROUP_HEAD_MPM_HCD, 15}, - { "http_cookie", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HCDMATCH, SIG_GROUP_HEAD_MPM_HCD, 16}, + { "http_cookie", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HCDMATCH, SIG_GROUP_HEAD_MPM_HCD, NULL, 15}, + { "http_cookie", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HCDMATCH, SIG_GROUP_HEAD_MPM_HCD, NULL, 16}, - { "dns_query", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_DNSQUERYNAME_MATCH, SIG_GROUP_HEAD_MPM_DNSQUERY, 17}, + { "dns_query", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_DNSQUERYNAME_MATCH, SIG_GROUP_HEAD_MPM_DNSQUERY, NULL, 17}, - { "tls_sni", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_TLSSNI_MATCH, SIG_GROUP_HEAD_MPM_TLSSNI, 18}, - { "tls_cert_issuer", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSISSUER_MATCH, SIG_GROUP_HEAD_MPM_TLSISSUER, 19}, - { "tls_cert_subject", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSSUBJECT_MATCH, SIG_GROUP_HEAD_MPM_TLSSUBJECT, 20}, + { "tls_sni", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_TLSSNI_MATCH, SIG_GROUP_HEAD_MPM_TLSSNI, NULL, 18}, + { "tls_cert_issuer", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSISSUER_MATCH, SIG_GROUP_HEAD_MPM_TLSISSUER, NULL, 19}, + { "tls_cert_subject", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSSUBJECT_MATCH, SIG_GROUP_HEAD_MPM_TLSSUBJECT, NULL, 20}, - { NULL, 0, 0, 0, 0, 0, } + { NULL, 0, 0, 0, 0, NULL, 0, } }; void DetectMpmInitializeAppMpms(DetectEngineCtx *de_ctx) @@ -1291,6 +1296,10 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) sh->init->app_mpms[a->id] = mpm_store->mpm_ctx; if (sh->init->app_mpms[a->id] != NULL) sh->flags |= a->flags; + + if (a->PrefilterRegister) { + BUG_ON(a->PrefilterRegister(sh, mpm_store->mpm_ctx) != 0); + } } a++; } diff --git a/src/detect-engine-uri.c b/src/detect-engine-uri.c index a5fad2fc9c..1869599793 100644 --- a/src/detect-engine-uri.c +++ b/src/detect-engine-uri.c @@ -32,6 +32,7 @@ #include "detect-parse.h" #include "detect-engine-state.h" #include "detect-engine-content-inspection.h" +#include "detect-engine-prefilter.h" #include "flow-util.h" #include "util-debug.h" @@ -49,61 +50,43 @@ #include "app-layer-protos.h" #include "util-validate.h" -/** \brief Uri Pattern match -- searches for one pattern per signature. +/** \brief HTTP URI Mpm prefilter callback * * \param det_ctx detection engine thread ctx * \param p packet to inspect - * - * \retval ret number of matches + * \param f flow to inspect + * \param txv tx to inspect + * \param pectx inspection context */ -static inline uint32_t UriPatternSearch(DetectEngineThreadCtx *det_ctx, - const uint8_t *uri, const uint16_t uri_len) +static void PrefilterTxUri(DetectEngineThreadCtx *det_ctx, const void *pectx, + Packet *p, Flow *f, void *txv, + const uint64_t idx, const uint8_t flags) { SCEnter(); - uint32_t ret = 0; - - DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_uri_ctx_ts == NULL); + const MpmCtx *mpm_ctx = (MpmCtx *)pectx; + htp_tx_t *tx = (htp_tx_t *)txv; + HtpTxUserData *tx_ud = htp_tx_get_user_data(tx); - if (uri_len >= det_ctx->sgh->mpm_uri_ctx_ts->minlen) { - ret = mpm_table[det_ctx->sgh->mpm_uri_ctx_ts->mpm_type]. - Search(det_ctx->sgh->mpm_uri_ctx_ts, - &det_ctx->mtcu, &det_ctx->pmq, uri, uri_len); - } + if (tx_ud == NULL || tx_ud->request_uri_normalized == NULL) + return; - //PrintRawDataFp(stdout, uri, uri_len); + const uint32_t uri_len = bstr_len(tx_ud->request_uri_normalized); + const uint8_t *uri = bstr_ptr(tx_ud->request_uri_normalized); - SCReturnUInt(ret); + if (uri_len >= mpm_ctx->minlen) { + (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx, + &det_ctx->mtcu, &det_ctx->pmq, uri, uri_len); + } } -/** - * \brief Run the pattern matcher against the uri(s) - * - * We run against _all_ uri(s) we have as the pattern matcher will - * flag each sig that has a match. We need to do this for all uri(s) - * to not miss possible events. - * - * \param f locked flow - * \param htp_state initialized htp state - * - * \todo what should we return? Just the fact that we matched? - */ -uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *det_ctx, void *txv) +int PrefilterTxUriRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx) { SCEnter(); - htp_tx_t *tx = (htp_tx_t *)txv; - HtpTxUserData *tx_ud = htp_tx_get_user_data(tx); - uint32_t cnt = 0; - - if (tx_ud == NULL || tx_ud->request_uri_normalized == NULL) - goto end; - cnt = UriPatternSearch(det_ctx, (const uint8_t *) - bstr_ptr(tx_ud->request_uri_normalized), - bstr_len(tx_ud->request_uri_normalized)); - -end: - SCReturnUInt(cnt); + return PrefilterAppendTxEngine(sgh, PrefilterTxUri, + ALPROTO_HTTP, HTP_REQUEST_LINE, + mpm_ctx, NULL); } /** diff --git a/src/detect-engine-uri.h b/src/detect-engine-uri.h index b9f4431ea8..804ba875e3 100644 --- a/src/detect-engine-uri.h +++ b/src/detect-engine-uri.h @@ -24,7 +24,7 @@ #ifndef __DETECT_ENGINE_URICONTENT_H__ #define __DETECT_ENGINE_URICONTENT_H__ -uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *det_ctx, void *tx); +int PrefilterTxUriRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx); int DetectEngineInspectPacketUris(ThreadVars *tv, DetectEngineCtx *de_ctx, diff --git a/src/detect.c b/src/detect.c index 18b61ac355..c863d964e2 100644 --- a/src/detect.c +++ b/src/detect.c @@ -903,11 +903,6 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx, tx_progress = AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags); if (tx_progress > HTP_REQUEST_LINE) { - if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_URI) { - PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_URI); - DetectUricontentInspectMpm(det_ctx, tx); - PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_URI); - } if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRUD) { PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HRUD); DetectEngineRunHttpRawUriMpm(det_ctx, tx);