From b7076a8ea033a8c8f0a48c2842509bd70066121e Mon Sep 17 00:00:00 2001
From: Pablo Rincon
Date: Fri, 2 Jul 2010 19:21:11 +0200
Subject: [PATCH] Don't avoid inspecting uricontents if we get no match. It can be negated uricontents (and urilens/pcre..). But at least skip the search if we get no match
---
 src/detect-engine-uri.c | 17 +++++++++++------
 src/detect-uricontent.c | 4 +++-
 2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/src/detect-engine-uri.c b/src/detect-engine-uri.c
index ee7cfb03fd..c1b70b7c04 100644
--- a/src/detect-engine-uri.c
+++ b/src/detect-engine-uri.c
@@ -184,11 +184,16 @@ static int DoInspectPacketUri(DetectEngineCtx *de_ctx,
 //PrintawDataFp(stdout,ud->uricontent,ud->uricontent_len);
- /* do the actual search with boyer moore precooked ctx */
- if (ud->flags & DETECT_URICONTENT_NOCASE)
- found = BoyerMooreNocase(ud->uricontent, ud->uricontent_len, spayload, spayload_len, ud->bm_ctx->bmGs, ud->bm_ctx->bmBc);
- else
- found = BoyerMoore(ud->uricontent, ud->uricontent_len, spayload, spayload_len, ud->bm_ctx->bmGs, ud->bm_ctx->bmBc);
+ /* If we got no matches from the mpm, avoid searching (just check if negated) */
+ if (det_ctx->de_have_httpuri == TRUE) {
+ /* do the actual search with boyer moore precooked ctx */
+ if (ud->flags & DETECT_URICONTENT_NOCASE)
+ found = BoyerMooreNocase(ud->uricontent, ud->uricontent_len, spayload, spayload_len, ud->bm_ctx->bmGs, ud->bm_ctx->bmBc);
+ else
+ found = BoyerMoore(ud->uricontent, ud->uricontent_len, spayload, spayload_len, ud->bm_ctx->bmGs, ud->bm_ctx->bmBc);
+ } else {
+ found = NULL;
+ }
 /* next we evaluate the result in combination with the
 * negation flag. */
@@ -350,7 +355,7 @@ int DetectEngineInspectPacketUris(DetectEngineCtx *de_ctx,
 }
 /* if we don't have a uri, don't bother inspecting */
- if (det_ctx->de_have_httpuri == FALSE) {
+ if (det_ctx->de_have_httpuri == FALSE && !(s->flags & SIG_FLAG_MPM_URI_NEG)) {
 SCLogDebug("We don't have uri");
 goto end;
 }
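Review bot: The new guard `if (det_ctx->de_have_httpuri == TRUE)` in DoInspectPacketUri tests for exact equality, while the early exit in DetectEngineInspectPacketUris tests `== FALSE`, so any non-zero value other than TRUE would pass the early exit and then skip the Boyer-Moore search here, leaving `found = NULL` and turning a positive uricontent into a silent missed detection. Writing it as `if (det_ctx->de_have_httpuri != FALSE) {` keeps the two checks complementary. The skip is also only sound if every non-negated uricontent of the signature is guaranteed to be represented in the mpm result that sets this flag; that is not visible in the hunk and deserves a comment stating the invariant, since a pattern that is inspected here but never fed to the mpm could no longer match. The function body starts and ends outside the hunk.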
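Review bot: The early exit in DetectEngineInspectPacketUris now continues only for signatures carrying `SIG_FLAG_MPM_URI_NEG`, and in this commit that flag is set only for a negated uricontent (in DetectUricontentSetup), although the commit message also names urilen and pcre as keywords that must still be evaluated without an mpm match. Unless those keywords set the flag somewhere outside this patch, a signature whose URI conditions are only a urilen or a negated pcre still takes `goto end` here and cannot alert. The comment and debug text around the test are also stale, because the same field is described as "no matches from the mpm" in DoInspectPacketUri but as "don't have a uri" here; something like `/* no mpm uri match and no negated uricontent in this sig: nothing left to inspect */` would say what the condition now means. The function body continues outside the hunk.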
diff --git a/src/detect-uricontent.c b/src/detect-uricontent.c
index e04317f880..ea89ceb1a1 100644
--- a/src/detect-uricontent.c
+++ b/src/detect-uricontent.c
@@ -321,7 +321,6 @@ DetectUricontentData *DoDetectUricontentSetup (char * contentstr)
 cd->offset = 0;
 cd->within = 0;
 cd->distance = 0;
- cd->flags = 0;
 /* Prepare Boyer Moore context for searching faster */
 cd->bm_ctx = BoyerMooreCtxInit(cd->uricontent, cd->uricontent_len);
@@ -368,6 +367,9 @@ int DetectUricontentSetup (DetectEngineCtx *de_ctx, Signature *s, char *contents
 if (sm == NULL)
 goto error;
+ if (cd->flags & DETECT_URICONTENT_NEGATED)
+ s->flags |= SIG_FLAG_MPM_URI_NEG;
+
 sm->type = DETECT_URICONTENT;
 sm->ctx = (void *)cd;
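Review bot: The added test `cd->flags & DETECT_URICONTENT_NEGATED` in DetectUricontentSetup now relies on `cd->flags` holding only what the parser in DoDetectUricontentSetup put there, because this commit also removes the `cd->flags = 0;` reset from that function. If `cd` is not zeroed when it is allocated (the allocation is outside both hunks), the flags word is indeterminate for a non-negated pattern, and the signature could be marked `SIG_FLAG_MPM_URI_NEG` spuriously or pick up other flag bits by accident. It is worth confirming the struct is zeroed before the negation is parsed, or moving the initialisation there instead of dropping it, e.g. `cd->flags = 0;` directly after the allocation check. Bracing the new `if` would also match the style used for the new block in detect-engine-uri.c.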