Don't avoid inspecting uricontents if we get no match. There can be negated uricontents (and urilens/pcre...). But at least skip the search if we get no match.

remotes/origin/master-1.0.x
Pablo Rincon 15 years ago committed by Victor Julien
parent 016af36051
commit b7076a8ea0

@ -184,11 +184,16 @@ static int DoInspectPacketUri(DetectEngineCtx *de_ctx,
//PrintawDataFp(stdout,ud->uricontent,ud->uricontent_len); //PrintawDataFp(stdout,ud->uricontent,ud->uricontent_len);
/* If we got no matches from the mpm, avoid searching (just check if negated) */
if (det_ctx->de_have_httpuri == TRUE) {
/* do the actual search with boyer moore precooked ctx */ /* do the actual search with boyer moore precooked ctx */
if (ud->flags & DETECT_URICONTENT_NOCASE) if (ud->flags & DETECT_URICONTENT_NOCASE)
found = BoyerMooreNocase(ud->uricontent, ud->uricontent_len, spayload, spayload_len, ud->bm_ctx->bmGs, ud->bm_ctx->bmBc); found = BoyerMooreNocase(ud->uricontent, ud->uricontent_len, spayload, spayload_len, ud->bm_ctx->bmGs, ud->bm_ctx->bmBc);
else else
found = BoyerMoore(ud->uricontent, ud->uricontent_len, spayload, spayload_len, ud->bm_ctx->bmGs, ud->bm_ctx->bmBc); found = BoyerMoore(ud->uricontent, ud->uricontent_len, spayload, spayload_len, ud->bm_ctx->bmGs, ud->bm_ctx->bmBc);
} else {
found = NULL;
}
/* next we evaluate the result in combination with the /* next we evaluate the result in combination with the
* negation flag. */ * negation flag. */
@ -350,7 +355,7 @@ int DetectEngineInspectPacketUris(DetectEngineCtx *de_ctx,
} }
/* if we don't have a uri, don't bother inspecting */ /* if we don't have a uri, don't bother inspecting */
if (det_ctx->de_have_httpuri == FALSE) { if (det_ctx->de_have_httpuri == FALSE && !(s->flags & SIG_FLAG_MPM_URI_NEG)) {
SCLogDebug("We don't have uri"); SCLogDebug("We don't have uri");
goto end; goto end;
} }
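Review bot: The new `else { found = NULL; }` branch in DoInspectPacketUri treats `det_ctx->de_have_httpuri == FALSE` as proof that the pattern is absent from the URI, which only holds if every uricontent pattern, negated ones included, is registered with the mpm. If negated patterns are not in the mpm (not visible in this hunk), a rule with a negated uricontent would match on a URI that does contain the pattern whenever nothing else hit, producing false alerts. The same flag is also described as "We don't have uri" in DetectEngineInspectPacketUris, so it appears to carry two meanings, and the relaxed early exit there now lets negated signatures continue with possibly no URI at all. I would state the invariant next to the shortcut, for example `/* safe only because all uricontents, negated too, are in the uri mpm */`, or, if the URI buffer is guaranteed valid at that point, keep searching for negated entries with `if (det_ctx->de_have_httpuri == TRUE || (ud->flags & DETECT_URICONTENT_NEGATED)) {`. Both functions start and end outside the hunks shown.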

@ -321,7 +321,6 @@ DetectUricontentData *DoDetectUricontentSetup (char * contentstr)
cd->offset = 0; cd->offset = 0;
cd->within = 0; cd->within = 0;
cd->distance = 0; cd->distance = 0;
cd->flags = 0;
/* Prepare Boyer Moore context for searching faster */ /* Prepare Boyer Moore context for searching faster */
cd->bm_ctx = BoyerMooreCtxInit(cd->uricontent, cd->uricontent_len); cd->bm_ctx = BoyerMooreCtxInit(cd->uricontent, cd->uricontent_len);
@ -368,6 +367,9 @@ int DetectUricontentSetup (DetectEngineCtx *de_ctx, Signature *s, char *contents
if (sm == NULL) if (sm == NULL)
goto error; goto error;
if (cd->flags & DETECT_URICONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_URI_NEG;
sm->type = DETECT_URICONTENT; sm->type = DETECT_URICONTENT;
sm->ctx = (void *)cd; sm->ctx = (void *)cd;
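Review bot: Dropping `cd->flags = 0;` in DoDetectUricontentSetup leaves `cd->flags` dependent on how `cd` was allocated, which happens outside this hunk. If the structure is not zeroed at allocation and the flags are only OR-ed in during parsing, the new test `cd->flags & DETECT_URICONTENT_NEGATED` in DetectUricontentSetup reads indeterminate bits and could set `SIG_FLAG_MPM_URI_NEG` on signatures that have no negation. That flag now relaxes the early exit in DetectEngineInspectPacketUris, so a stray bit changes detection behaviour. I would confirm the allocation is followed by `memset(cd, 0, sizeof(DetectUricontentData));`, or move the `cd->flags = 0;` to just after the allocation rather than deleting it.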
