aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix tcp connections that are reset (RST packet) not always inspecting the reassembled stream. Update transaction id code to make sure both directions of a transaction are inspected before incrementing the inspect_id.

Browse Source
remotes/origin/master-1.0.x
Victor Julien 15 years ago
parent 26f69aa3a6
commit b8fec77f37
14 changed files with 170 additions and 39 deletions
Show Stats Download Patch File Download Diff File

2
src/app-layer-htp.c
Unescape Escape View File

@ -291,6 +291,8 @@ static int HTPHandleRequestData(Flow *f, void *htp_state,
int r = -1;
int ret = 1;
//PrintRawDataFp(stdout, input, input_len);
HtpState *hstate = (HtpState *)htp_state;
/* if the previous run set the new request flag, we unset it here. As

17
src/app-layer-parser.c
Unescape Escape View File

@ -1080,11 +1080,13 @@ error:
/**
* \param f LOCKED flow
* \param direction STREAM_TOSERVER or STREAM_TOCLIENT
*
* \retval 2 current transaction done, new available
* \retval 1 current transaction done, no new (yet)
* \retval 0 current transaction is not done yet
*/
int AppLayerTransactionUpdateInspectId(Flow *f)
int AppLayerTransactionUpdateInspectId(Flow *f, char direction)
{
SCEnter();
@ -1102,7 +1104,18 @@ int AppLayerTransactionUpdateInspectId(Flow *f)
SCLogDebug("avail_id %"PRIu16", inspect_id %"PRIu16,
parser_state_store->avail_id, parser_state_store->inspect_id);
if ((parser_state_store->inspect_id+1) < parser_state_store->avail_id) {
if (direction == STREAM_TOSERVER)
parser_state_store->id_flags |= APP_LAYER_TRANSACTION_TOSERVER;
else
parser_state_store->id_flags |= APP_LAYER_TRANSACTION_TOCLIENT;
if ((parser_state_store->inspect_id+1) < parser_state_store->avail_id &&
(parser_state_store->id_flags & APP_LAYER_TRANSACTION_TOCLIENT) &&
(parser_state_store->id_flags & APP_LAYER_TRANSACTION_TOSERVER))
{
parser_state_store->id_flags &=~ APP_LAYER_TRANSACTION_TOCLIENT;
parser_state_store->id_flags &=~ APP_LAYER_TRANSACTION_TOSERVER;
parser_state_store->inspect_id++;
if (parser_state_store->inspect_id < parser_state_store->avail_id) {
/* done and more transactions available */

6
src/app-layer-parser.h
Unescape Escape View File

@ -85,6 +85,10 @@ typedef struct AppLayerParserResult_ {
#define APP_LAYER_TRANSACTION_EOF 0x01 /**< Session done, last transaction
as well */
#define APP_LAYER_TRANSACTION_TOSERVER 0x02 /**< transaction has been inspected
in to server direction. */
#define APP_LAYER_TRANSACTION_TOCLIENT 0x04 /**< transaction has been inspected
in to server direction. */
typedef struct AppLayerParserState_ {
uint8_t flags;
@ -162,7 +166,7 @@ uint16_t AlpGetStateIdx(uint16_t);
uint16_t AppLayerGetProtoByName(const char *);
int AppLayerTransactionUpdateInspectId(Flow *);
int AppLayerTransactionUpdateInspectId(Flow *, char);
void AppLayerTransactionUpdateLoggedId(Flow *);
int AppLayerTransactionGetLoggableId(Flow *f);

2
src/app-layer.c
Unescape Escape View File

@ -194,7 +194,7 @@ int AppLayerHandleMsg(AlpProtoDetectThreadCtx *dp_ctx, StreamMsg *smsg)
}
}
SCLogDebug("storing smsg in the tcp session");
SCLogDebug("storing smsg %p in the tcp session", smsg);
/* store the smsg in the tcp stream */
if (smsg->flags & STREAM_TOSERVER) {

16
src/detect-dce-iface.c
Unescape Escape View File

@ -1108,6 +1108,8 @@ static int DetectDceIfaceTestParse13(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1125,6 +1127,8 @@ static int DetectDceIfaceTestParse13(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1143,6 +1147,8 @@ static int DetectDceIfaceTestParse13(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1161,6 +1167,8 @@ static int DetectDceIfaceTestParse13(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1179,6 +1187,8 @@ static int DetectDceIfaceTestParse13(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1195,6 +1205,8 @@ static int DetectDceIfaceTestParse13(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1211,6 +1223,8 @@ static int DetectDceIfaceTestParse13(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1227,6 +1241,8 @@ static int DetectDceIfaceTestParse13(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);

48
src/detect-dce-opnum.c
Unescape Escape View File

@ -1903,6 +1903,8 @@ static int DetectDceOpnumTestParse10(void)
SCLogDebug("no dcerpc state: ");
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
SCLogDebug("sending bind_ack");
@ -1913,6 +1915,8 @@ static int DetectDceOpnumTestParse10(void)
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
SCLogDebug("sending request1");
@ -1925,6 +1929,8 @@ static int DetectDceOpnumTestParse10(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1943,6 +1949,8 @@ static int DetectDceOpnumTestParse10(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1959,6 +1967,8 @@ static int DetectDceOpnumTestParse10(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1975,6 +1985,8 @@ static int DetectDceOpnumTestParse10(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1991,6 +2003,8 @@ static int DetectDceOpnumTestParse10(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -2007,6 +2021,8 @@ static int DetectDceOpnumTestParse10(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -2185,6 +2201,8 @@ static int DetectDceOpnumTestParse11(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -2200,6 +2218,8 @@ static int DetectDceOpnumTestParse11(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -2215,6 +2235,8 @@ static int DetectDceOpnumTestParse11(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -2230,6 +2252,8 @@ static int DetectDceOpnumTestParse11(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -2245,6 +2269,8 @@ static int DetectDceOpnumTestParse11(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -2260,6 +2286,8 @@ static int DetectDceOpnumTestParse11(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -2438,6 +2466,8 @@ static int DetectDceOpnumTestParse12(void)
printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
dcerpc_state = f.aldata[AlpGetStateIdx(ALPROTO_DCERPC)];
@ -2452,6 +2482,8 @@ static int DetectDceOpnumTestParse12(void)
printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
/* request1 */
@ -2476,6 +2508,8 @@ static int DetectDceOpnumTestParse12(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -2504,6 +2538,8 @@ static int DetectDceOpnumTestParse12(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -2532,6 +2568,8 @@ static int DetectDceOpnumTestParse12(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -2560,6 +2598,8 @@ static int DetectDceOpnumTestParse12(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -2730,6 +2770,8 @@ static int DetectDceOpnumTestParse13(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -2756,6 +2798,8 @@ static int DetectDceOpnumTestParse13(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -2783,6 +2827,8 @@ static int DetectDceOpnumTestParse13(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -2809,6 +2855,8 @@ static int DetectDceOpnumTestParse13(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);

36
src/detect-dce-stub-data.c
Unescape Escape View File

@ -686,6 +686,8 @@ static int DetectDceStubDataTestParse02(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -701,6 +703,8 @@ static int DetectDceStubDataTestParse02(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -715,6 +719,8 @@ static int DetectDceStubDataTestParse02(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1225,6 +1231,8 @@ static int DetectDceStubDataTestParse03(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1411,6 +1419,8 @@ static int DetectDceStubDataTestParse04(void)
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
dcerpc_state = f.aldata[AlpGetStateIdx(ALPROTO_DCERPC)];
@ -1425,6 +1435,8 @@ static int DetectDceStubDataTestParse04(void)
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
/* request1 */
@ -1435,6 +1447,8 @@ static int DetectDceStubDataTestParse04(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1449,6 +1463,8 @@ static int DetectDceStubDataTestParse04(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1463,6 +1479,8 @@ static int DetectDceStubDataTestParse04(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1477,6 +1495,8 @@ static int DetectDceStubDataTestParse04(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1491,6 +1511,8 @@ static int DetectDceStubDataTestParse04(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1505,6 +1527,8 @@ static int DetectDceStubDataTestParse04(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1675,6 +1699,8 @@ static int DetectDceStubDataTestParse05(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1689,6 +1715,8 @@ static int DetectDceStubDataTestParse05(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1703,6 +1731,8 @@ static int DetectDceStubDataTestParse05(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1717,6 +1747,8 @@ static int DetectDceStubDataTestParse05(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1731,6 +1763,8 @@ static int DetectDceStubDataTestParse05(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOCLIENT;
p.flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@ -1745,6 +1779,8 @@ static int DetectDceStubDataTestParse05(void)
goto end;
}
p.flowflags &=~ FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);

6
src/detect-engine-dcepayload.c
Unescape Escape View File

@ -2417,6 +2417,7 @@ int DcePayloadTest02(void)
p[i].flowflags |= FLOW_PKT_ESTABLISHED;
}
p[1].flowflags |= FLOW_PKT_TOCLIENT;
p[1].flowflags &=~ FLOW_PKT_TOSERVER;
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
@ -6313,8 +6314,11 @@ int DcePayloadTest13(void)
p[i].flowflags |= FLOW_PKT_ESTABLISHED;
}
p[1].flowflags |= FLOW_PKT_TOCLIENT;
p[1].flowflags &=~ FLOW_PKT_TOSERVER;
p[3].flowflags |= FLOW_PKT_TOCLIENT;
p[3].flowflags &=~ FLOW_PKT_TOSERVER;
p[5].flowflags |= FLOW_PKT_TOCLIENT;
p[5].flowflags &=~ FLOW_PKT_TOSERVER;
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
@ -6555,7 +6559,9 @@ int DcePayloadTest14(void)
p[i].flowflags |= FLOW_PKT_ESTABLISHED;
}
p[3].flowflags |= FLOW_PKT_TOCLIENT;
p[3].flowflags &=~ FLOW_PKT_TOSERVER;
p[5].flowflags |= FLOW_PKT_TOCLIENT;
p[5].flowflags &=~ FLOW_PKT_TOSERVER;
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;

2
src/detect-engine-mpm.c
Unescape Escape View File

@ -151,6 +151,8 @@ uint32_t UriPatternSearch(DetectEngineThreadCtx *det_ctx,
if (det_ctx->sgh->mpm_uri_ctx == NULL)
SCReturnUInt(0U);
//PrintRawDataFp(stdout, uri, uri_len);
uint32_t ret;
#ifndef __SC_CUDA_SUPPORT__
ret = mpm_table[det_ctx->sgh->mpm_uri_ctx->mpm_type].Search

8
src/detect-engine-state.c
Unescape Escape View File

@ -154,17 +154,21 @@ void DetectEngineStateReset(DetectEngineState *state) {
/**
* \brief update the transaction id
*
* \param f unlocked flow
* \param direction STREAM_TOCLIENT / STREAM_TOSERVER
*
* \retval 2 current transaction done, new available
* \retval 1 current transaction done, no new (yet)
* \retval 0 current transaction is not done yet
*/
int DeStateUpdateInspectTransactionId(Flow *f) {
int DeStateUpdateInspectTransactionId(Flow *f, char direction) {
SCEnter();
int r = 0;
SCMutexLock(&f->m);
r = AppLayerTransactionUpdateInspectId(f);
r = AppLayerTransactionUpdateInspectId(f, direction);
SCMutexUnlock(&f->m);
SCReturnInt(r);

2
src/detect-engine-state.h
Unescape Escape View File

@ -97,7 +97,7 @@ int DeStateDetectContinueDetection(ThreadVars *, DetectEngineCtx *,
DetectEngineThreadCtx *, Flow *, uint8_t, void *, uint16_t);
const char *DeStateMatchResultToString(DeStateMatchResult);
int DeStateUpdateInspectTransactionId(Flow *f);
int DeStateUpdateInspectTransactionId(Flow *, char);
#endif /* __DETECT_ENGINE_STATE_H__ */

18
src/detect.c
Unescape Escape View File

@ -574,13 +574,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
FlowIncrUsecnt(p->flow);
SCMutexLock(&p->flow->m);
if (p->flowflags & FLOW_PKT_ESTABLISHED) {
alstate = AppLayerGetProtoStateFromPacket(p);
alproto = AppLayerGetProtoFromPacket(p);
SCLogDebug("alstate %p, alproto %u", alstate, alproto);
} else {
SCLogDebug("packet doesn't have established flag set");
}
if (p->flowflags & FLOW_PKT_TOSERVER && p->flow->flags & FLOW_SGH_TOSERVER) {
sgh = p->flow->sgh_toserver;
@ -590,6 +583,11 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
use_flow_sgh = TRUE;
}
if (p->flowflags & FLOW_PKT_ESTABLISHED) {
alstate = AppLayerGetProtoStateFromPacket(p);
alproto = AppLayerGetProtoFromPacket(p);
SCLogDebug("alstate %p, alproto %u", alstate, alproto);
if (p->proto == IPPROTO_TCP) {
TcpSession *ssn = (TcpSession *)p->flow->protoctx;
if (ssn != NULL) {
@ -610,6 +608,10 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
}
}
}
} else {
SCLogDebug("packet doesn't have established flag set");
}
SCMutexUnlock(&p->flow->m);
if (p->flowflags & FLOW_PKT_TOSERVER) {
@ -909,7 +911,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
if (alstate != NULL) {
SCLogDebug("getting de_state_status");
int de_state_status = DeStateUpdateInspectTransactionId(p->flow);
int de_state_status = DeStateUpdateInspectTransactionId(p->flow, (flags & STREAM_TOSERVER) ? STREAM_TOSERVER : STREAM_TOCLIENT);
SCLogDebug("de_state_status %d", de_state_status);
if (de_state_status == 2) {
DetectEngineStateReset(p->flow->de_state);

8
src/stream-tcp.c
Unescape Escape View File

@ -221,8 +221,7 @@ void StreamTcpSessionClear(void *ssnptr)
SCReturn;
}
/** \brief Function to return the stream back to the pool. It returns the
* segments in the stream to the segment pool.
/** \brief Function to return the stream segments back to the pool.
*
* We don't clear out the app layer storage here as that is under protection
* of the "use_cnt" reference counter in the flow. This function is called
@ -235,7 +234,7 @@ static void StreamTcpSessionPktFree (Packet *p)
{
SCEnter();
StreamMsg *smsg = NULL;
// StreamMsg *smsg = NULL;
TcpSession *ssn = (TcpSession *)p->flow->protoctx;
if (ssn == NULL)
@ -245,6 +244,7 @@ static void StreamTcpSessionPktFree (Packet *p)
StreamTcpReturnStreamSegments(&ssn->server);
/* if we have (a) smsg(s), return to the pool */
#if 0
smsg = ssn->toserver_smsg_head;
while(smsg != NULL) {
StreamMsg *smsg_next = smsg->next;
@ -268,7 +268,7 @@ static void StreamTcpSessionPktFree (Packet *p)
smsg = smsg_next;
}
ssn->toclient_smsg_head = NULL;
#endif
SCReturn;
}

4
src/util-mpm-b2g.c
Unescape Escape View File

@ -1173,10 +1173,8 @@ uint32_t B2gSearch1(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatche
uint8_t h = u8_tolower(*buf);
hi = &ctx->hash1[h];
if (hi->flags & MPM_PATTERN_ONE_BYTE) {
for (thi = hi; thi != NULL; thi = thi->next) {
//p = ctx->parray[thi->idx];
if (hi->flags & MPM_PATTERN_ONE_BYTE) {
if (thi->len != 1)
continue;

Write Preview
Loading…
Cancel
Save