remotes/origin/master-1.0.x
Victor Julien 17 years ago
parent 855dc62e30
commit b9972a9d2c

@ -45,7 +45,7 @@
#include "threads.h"
int DetectContentMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *);
int DetectContentMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectContentSetup (DetectEngineCtx *, Signature *, SigMatch *, char *);
void DetectContentRegisterTests(void);
@ -109,7 +109,7 @@ TestOffsetDepth(MpmMatch *m, DetectContentData *co, uint16_t pktoff) {
* that turn out to fail being followed by full matches later in the
* packet. This adds some runtime complexity however. */
static inline int
TestWithinDistanceOffsetDepth(ThreadVars *t, PatternMatcherThread *pmt, MpmMatch *m, SigMatch *nsm, uint16_t pktoff)
TestWithinDistanceOffsetDepth(ThreadVars *t, DetectEngineThreadCtx *pmt, MpmMatch *m, SigMatch *nsm, uint16_t pktoff)
{
//printf("test_nextsigmatch m:%p, nsm:%p\n", m,nsm);
if (nsm == NULL)
@ -155,7 +155,7 @@ TestWithinDistanceOffsetDepth(ThreadVars *t, PatternMatcherThread *pmt, MpmMatch
}
static inline int
DoDetectContent(ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *sm, DetectContentData *co)
DoDetectContent(ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *sm, DetectContentData *co)
{
int ret = 0;
char match = 0;
@ -250,7 +250,7 @@ DoDetectContent(ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *
* -1: error
*/
int DetectContentMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m)
int DetectContentMatch (ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *m)
{
uint32_t len = 0;

@ -26,7 +26,7 @@
static pcre *parse_regex;
static pcre_extra *parse_regex_study;
int DetectDecodeEventMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *);
int DetectDecodeEventMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectDecodeEventSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *str);
void DecodeEventRegisterTests(void);
@ -77,7 +77,7 @@ error:
* \retval 0 no match
* \retval 1 match
*/
int DetectDecodeEventMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m)
int DetectDecodeEventMatch (ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *m)
{
int ret = 0;
DetectDecodeEventData *de = (DetectDecodeEventData *)m->ctx;

@ -15,7 +15,7 @@
static pcre *parse_regex;
static pcre_extra *parse_regex_study;
int DetectDsizeMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *);
int DetectDsizeMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectDsizeSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *str);
void DsizeRegisterTests(void);
@ -56,7 +56,7 @@ error:
* -1: error
*/
int DetectDsizeMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m)
int DetectDsizeMatch (ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *m)
{
int ret = 0;

@ -20,32 +20,45 @@
#include "detect-content.h"
#include "detect-uricontent.h"
/** \todo make it possible to use multiple pattern matcher algorithms next to
eachother. */
//#define PM MPM_WUMANBER
#define PM MPM_B2G
//#define PM MPM_B3G
uint32_t PacketPatternScan(ThreadVars *t, PatternMatcherThread *pmt, Packet *p) {
/** \brief Pattern match, scan part -- searches for only 'scan' patterns,
* normally one per signature.
* \param tv threadvars
* \param det_ctx detection engine thread ctx
* \param p packet to scan
*/
uint32_t PacketPatternScan(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p) {
uint32_t ret;
pmt->pmq.mode = PMQ_MODE_SCAN;
ret = pmt->sgh->mpm_ctx->Scan(pmt->sgh->mpm_ctx, &pmt->mtc, &pmt->pmq, p->payload, p->payload_len);
det_ctx->pmq.mode = PMQ_MODE_SCAN;
ret = det_ctx->sgh->mpm_ctx->Scan(det_ctx->sgh->mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, p->payload, p->payload_len);
//printf("PacketPatternScan: ret %" PRIu32 "\n", ret);
return ret;
}
uint32_t PacketPatternMatch(ThreadVars *t, PatternMatcherThread *pmt, Packet *p) {
/** \brief Pattern match, search part -- searches for all other patterns
* \param tv threadvars
* \param det_ctx detection engine thread ctx
* \param p packet to scan
*/
uint32_t PacketPatternMatch(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p) {
uint32_t ret;
pmt->pmq.mode = PMQ_MODE_SEARCH;
ret = pmt->sgh->mpm_ctx->Search(pmt->sgh->mpm_ctx, &pmt->mtc, &pmt->pmq, p->payload, p->payload_len);
det_ctx->pmq.mode = PMQ_MODE_SEARCH;
ret = det_ctx->sgh->mpm_ctx->Search(det_ctx->sgh->mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, p->payload, p->payload_len);
//printf("PacketPatternMatch: ret %" PRIu32 "\n", ret);
return ret;
}
/* cleans up the mpm instance after a match */
void PacketPatternCleanup(ThreadVars *t, PatternMatcherThread *pmt) {
/** \brief cleans up the mpm instance after a match */
void PacketPatternCleanup(ThreadVars *t, DetectEngineThreadCtx *pmt) {
PmqReset(&pmt->pmq);
if (pmt->sgh == NULL)
@ -61,15 +74,13 @@ void PacketPatternCleanup(ThreadVars *t, PatternMatcherThread *pmt) {
}
}
/* XXX remove this once we got rid of the global mpm_ctx */
void PatternMatchDestroy(MpmCtx *mc) {
mc->DestroyCtx(mc);
}
/* TODO remove this when we move to the rule groups completely */
void PatternMatchPrepare(MpmCtx *mc)
void PatternMatchPrepare(MpmCtx *mc, int type)
{
MpmInitCtx(mc, PM);
MpmInitCtx(mc, type);
}
@ -131,8 +142,8 @@ void DbgPrintScanSearchStats() {
#endif
}
/* set the mpm_content_maxlen and mpm_uricontent_maxlen variables in
* a sig group head */
/** \brief set the mpm_content_maxlen and mpm_uricontent_maxlen variables in
* a sig group head */
void SigGroupHeadSetMpmMaxlen(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
{
SigMatch *sm;
@ -178,6 +189,8 @@ void SigGroupHeadSetMpmMaxlen(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
}
}
/** \brief Hash for looking up contents that are most used,
* always used, etc. */
typedef struct ContentHash_ {
DetectContentData *ptr;
uint16_t cnt;
@ -229,7 +242,7 @@ void ContentHashFree(void *ch) {
free(ch);
}
/* Predict a strength value for patterns
/** \brief Predict a strength value for patterns
*
* Patterns with high character diversity score higher.
* Alpha chars score not so high
@ -351,9 +364,7 @@ int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
ContentHash *ch = ContentHashAlloc(co);
if (ch == NULL)
goto error;
//if (s->id == 2002102) {
//printf("%p %" PRIu32 " Content: ", sgh, s->id); PrintRawUriFp(stdout,co->content,co->content_len);printf(" (strength %" PRIu32 ", maxlen %" PRIu32 ")\n", PatternStrength(co->content,co->content_len,sgh->mpm_content_maxlen), sgh->mpm_content_maxlen);
//}
ContentHash *lookup_ch = (ContentHash *)HashTableLookup(ht, ch, 0);
if (lookup_ch == NULL) {
continue;
@ -368,16 +379,10 @@ int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
if (ls > ss)
scan_ch = lookup_ch;
else if (ls == ss) {
/* if 2 patterns are of equal strength, we pick the longest */
if (lookup_ch->ptr->content_len > scan_ch->ptr->content_len)
scan_ch = lookup_ch;
}
// if (lookup_ch->cnt > scan_ch->cnt) {
// scan_ch = lookup_ch;
// } else if (lookup_ch->cnt == scan_ch->cnt) {
// if (lookup_ch->ptr->content_len < scan_ch->ptr->content_len)
// scan_ch = lookup_ch;
// }
} else {
if (scan_ch->use == 0)
scan_ch = lookup_ch;
@ -386,18 +391,11 @@ int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
uint32_t ss = PatternStrength(scan_ch->ptr->content,scan_ch->ptr->content_len,sgh->mpm_content_maxlen);
if (ls > ss)
scan_ch = lookup_ch;
/* if 2 patterns are of equal strength, we pick the longest */
else if (ls == ss) {
if (lookup_ch->ptr->content_len > scan_ch->ptr->content_len)
scan_ch = lookup_ch;
}
/*
if (lookup_ch->cnt > scan_ch->cnt) {
scan_ch = lookup_ch;
} else if (lookup_ch->cnt == scan_ch->cnt) {
if (lookup_ch->ptr->content_len < scan_ch->ptr->content_len)
scan_ch = lookup_ch;
}
*/
}
}
}
@ -408,12 +406,6 @@ int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
/* now add the scan_ch to the mpm ctx */
if (scan_ch != NULL) {
DetectContentData *co = scan_ch->ptr;
//if (s->id == 2002102) {
//if (sgh->mpm_content_maxlen == 1) {
//printf("%p %" PRIu32 " SCAN: ", sgh, s->id); PrintRawUriFp(stdout,co->content,co->content_len);printf("\n");
//}
//if (scan_ch->nosearch == 1) { printf("%3u (%" PRIu32 ") Content: ", scan_ch->cnt, scan_ch->use); PrintRawUriFp(stdout,co->content,co->content_len);printf("\n"); }
uint16_t offset = s->flags & SIG_FLAG_RECURSIVE ? 0 : co->offset;
uint16_t depth = s->flags & SIG_FLAG_RECURSIVE ? 0 : co->depth;
offset = scan_ch->cnt ? 0 : offset;
@ -795,57 +787,3 @@ error:
return -1;
}
int PatternMatcherThreadInit(ThreadVars *t, void *initdata, void **data) {
DetectEngineCtx *de_ctx = (DetectEngineCtx *)initdata;
if (de_ctx == NULL)
return -1;
PatternMatcherThread *pmt = malloc(sizeof(PatternMatcherThread));
if (pmt == NULL) {
return -1;
}
memset(pmt, 0, sizeof(PatternMatcherThread));
/* XXX we still depend on the global mpm_ctx here
*
* Initialize the thread pattern match ctx with the max size
* of the content and uricontent id's so our match lookup
* table is always big enough
*/
mpm_ctx[0].InitThreadCtx(&mpm_ctx[0], &pmt->mtc, DetectContentMaxId(de_ctx));
mpm_ctx[0].InitThreadCtx(&mpm_ctx[0], &pmt->mtcu, DetectUricontentMaxId(de_ctx));
PmqSetup(&pmt->pmq, DetectEngineGetMaxSigId(de_ctx));
/* IP-ONLY */
DetectEngineIPOnlyThreadInit(de_ctx,&pmt->io_ctx);
pmt->counter_alerts = PerfTVRegisterCounter("detect.alert", t, TYPE_UINT64,
"NULL");
t->pca = PerfGetAllCountersArray(&t->pctx);
PerfAddToClubbedTMTable(t->name, &t->pctx);
*data = (void *)pmt;
//printf("PatternMatcherThreadInit: data %p pmt %p\n", *data, pmt);
return 0;
}
int PatternMatcherThreadDeinit(ThreadVars *t, void *data) {
PatternMatcherThread *pmt = (PatternMatcherThread *)data;
/* XXX */
mpm_ctx[0].DestroyThreadCtx(&mpm_ctx[0], &pmt->mtc);
mpm_ctx[0].DestroyThreadCtx(&mpm_ctx[0], &pmt->mtcu);
return 0;
}
void PatternMatcherThreadInfo(ThreadVars *t, PatternMatcherThread *pmt) {
/* XXX */
mpm_ctx[0].PrintThreadCtx(&pmt->mtc);
mpm_ctx[0].PrintThreadCtx(&pmt->mtcu);
}
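Review bot: `PacketPatternScan` and `PacketPatternMatch` dereference `det_ctx->sgh->mpm_ctx` unconditionally, while `PacketPatternCleanup` in the same file checks `pmt->sgh == NULL` before using it, so the file itself treats a missing group head as possible. If a packet can reach either function before a signature group is assigned, the sensor dereferences NULL while processing network input and detection stops. Unless every caller guarantees a group head (not visible in this section), add `if (det_ctx->sgh == NULL || det_ctx->sgh->mpm_ctx == NULL) return 0;` at the top of both functions. The new Doxygen headers would also benefit from a `\retval` line saying what the returned count represents. `PacketPatternCleanup` keeps the old `t`/`pmt` parameter names while its two siblings moved to `tv`/`det_ctx`.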

@ -4,18 +4,18 @@
/* XXX remove once */
MpmCtx mpm_ctx[1];
uint32_t PacketPatternScan(ThreadVars *, PatternMatcherThread *, Packet *);
uint32_t PacketPatternMatch(ThreadVars *, PatternMatcherThread *, Packet *);
uint32_t PacketPatternScan(ThreadVars *, DetectEngineThreadCtx *, Packet *);
uint32_t PacketPatternMatch(ThreadVars *, DetectEngineThreadCtx *, Packet *);
void PacketPatternCleanup(ThreadVars *, PatternMatcherThread *);
void PatternMatchPrepare(MpmCtx *);
void PacketPatternCleanup(ThreadVars *, DetectEngineThreadCtx *);
void PatternMatchPrepare(MpmCtx *, int);
int PatternMatchPrepareGroup(DetectEngineCtx *, SigGroupHead *);
void PatternMatcherThreadInfo(ThreadVars *, PatternMatcherThread *);
void DetectEngineThreadCtxInfo(ThreadVars *, DetectEngineThreadCtx *);
void PatternMatchDestroy(MpmCtx *);
void PatternMatchDestroyGroup(SigGroupHead *);
int PatternMatcherThreadInit(ThreadVars *, void *, void **);
int PatternMatcherThreadDeinit(ThreadVars *, void *);
int DetectEngineThreadCtxInit(ThreadVars *, void *, void **);
int DetectEngineThreadCtxDeinit(ThreadVars *, void *);
void SigGroupHeadSetMpmMaxlen(DetectEngineCtx *, SigGroupHead *);

@ -10,7 +10,13 @@
#include "detect-engine-siggroup.h"
#include "detect-engine-address.h"
#include "detect-engine-port.h"
#include "detect-engine-mpm.h"
#include "detect-engine-iponly.h"
#include "detect-content.h"
#include "detect-uricontent.h"
//#include "util-mpm.h"
#include "util-hash.h"
#include "util-var-name.h"
@ -52,6 +58,7 @@ void DetectEngineCtxFree(DetectEngineCtx *de_ctx) {
DetectPortSpHashFree(de_ctx);
DetectPortDpHashFree(de_ctx);
VariableNameFreeHash(de_ctx);
free(de_ctx);
}
@ -67,3 +74,56 @@ void DetectEngineResetMaxSigId(DetectEngineCtx *de_ctx) {
de_ctx->signum = 0;
}
int DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data) {
DetectEngineCtx *de_ctx = (DetectEngineCtx *)initdata;
if (de_ctx == NULL)
return -1;
DetectEngineThreadCtx *det_ctx = malloc(sizeof(DetectEngineThreadCtx));
if (det_ctx == NULL) {
return -1;
}
memset(det_ctx, 0, sizeof(DetectEngineThreadCtx));
det_ctx->de_ctx = de_ctx;
/** \todo we still depend on the global mpm_ctx here
*
* Initialize the thread pattern match ctx with the max size
* of the content and uricontent id's so our match lookup
* table is always big enough
*/
mpm_ctx[0].InitThreadCtx(&mpm_ctx[0], &det_ctx->mtc, DetectContentMaxId(de_ctx));
mpm_ctx[0].InitThreadCtx(&mpm_ctx[0], &det_ctx->mtcu, DetectUricontentMaxId(de_ctx));
PmqSetup(&det_ctx->pmq, DetectEngineGetMaxSigId(de_ctx));
/* IP-ONLY */
DetectEngineIPOnlyThreadInit(de_ctx,&det_ctx->io_ctx);
/** alert counter setup */
det_ctx->counter_alerts = PerfTVRegisterCounter("detect.alert", tv, TYPE_UINT64, "NULL");
tv->pca = PerfGetAllCountersArray(&tv->pctx);
PerfAddToClubbedTMTable(tv->name, &tv->pctx);
*data = (void *)det_ctx;
//printf("DetectEngineThreadCtxInit: data %p det_ctx %p\n", *data, det_ctx);
return 0;
}
int DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data) {
DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;
/** \todo get rid of this static */
mpm_ctx[0].DestroyThreadCtx(&mpm_ctx[0], &det_ctx->mtc);
mpm_ctx[0].DestroyThreadCtx(&mpm_ctx[0], &det_ctx->mtcu);
return 0;
}
void DetectEngineThreadCtxInfo(ThreadVars *t, DetectEngineThreadCtx *det_ctx) {
/* XXX */
mpm_ctx[0].PrintThreadCtx(&det_ctx->mtc);
mpm_ctx[0].PrintThreadCtx(&det_ctx->mtcu);
}
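Review bot: `DetectEngineThreadCtxDeinit` destroys the two mpm thread contexts but never releases `det_ctx` itself, which `DetectEngineThreadCtxInit` obtained from `malloc`. Each thread teardown therefore leaks the structure unless a caller frees `data` afterwards (not visible in this section). It also dereferences `data` without a NULL check. Suggested: `if (det_ctx == NULL) return -1;` at the top and `free(det_ctx);` just before `return 0;`. Whatever `PmqSetup` and `DetectEngineIPOnlyThreadInit` set up presumably needs a matching release here as well, and Init publishes `*data` without checking whether any of its setup calls failed; confirm whether they can.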

@ -27,7 +27,7 @@
static pcre *parse_regex;
static pcre_extra *parse_regex_study;
int DetectFlowMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *);
int DetectFlowMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectFlowSetup (DetectEngineCtx *, Signature *, SigMatch *, char *);
void DetectFlowRegisterTests(void);
void DetectFlowFree(void *);
@ -85,7 +85,7 @@ error:
* \retval 0 no match
* \retval 1 match
*/
int DetectFlowMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m)
int DetectFlowMatch (ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *m)
{
uint8_t cnt = 0;
DetectFlowData *fd = (DetectFlowData *)m->ctx;

@ -36,7 +36,7 @@
static pcre *parse_regex;
static pcre_extra *parse_regex_study;
int DetectFlowbitMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *);
int DetectFlowbitMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectFlowbitSetup (DetectEngineCtx *, Signature *, SigMatch *, char *);
void DetectFlowbitFree (void *);
@ -101,7 +101,7 @@ static int DetectFlowbitMatchIsnotset (Packet *p, DetectFlowbitsData *fd) {
* -1: error
*/
int DetectFlowbitMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m)
int DetectFlowbitMatch (ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *m)
{
DetectFlowbitsData *fd = (DetectFlowbitsData *)m->ctx;
if (fd == NULL)

@ -19,7 +19,7 @@
static pcre *parse_regex;
static pcre_extra *parse_regex_study;
int DetectFlowvarMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *);
int DetectFlowvarMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectFlowvarSetup (DetectEngineCtx *, Signature *, SigMatch *, char *);
void DetectFlowvarRegister (void) {
@ -59,7 +59,7 @@ error:
* -1: error
*/
int DetectFlowvarMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m)
int DetectFlowvarMatch (ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *m)
{
int ret = 0;
DetectFlowvarData *fd = (DetectFlowvarData *)m->ctx;

@ -23,7 +23,7 @@ static pcre_extra *parse_regex_study;
static pcre *parse_capture_regex;
static pcre_extra *parse_capture_regex_study;
int DetectPcreMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *);
int DetectPcreMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectPcreSetup (DetectEngineCtx *, Signature *, SigMatch *, char *);
void DetectPcreFree(void *);
@ -79,7 +79,7 @@ error:
* -1: error
*/
int DetectPcreMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m)
int DetectPcreMatch (ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *m)
{
#define MAX_SUBSTRINGS 30
int ret = 0;

@ -17,7 +17,7 @@
static pcre *parse_regex;
static pcre_extra *parse_regex_study;
int DetectPktvarMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *);
int DetectPktvarMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectPktvarSetup (DetectEngineCtx *, Signature *, SigMatch *, char *);
void DetectPktvarRegister (void) {
@ -57,7 +57,7 @@ error:
* -1: error
*/
int DetectPktvarMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m)
int DetectPktvarMatch (ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *m)
{
int ret = 0;
DetectPktvarData *pd = (DetectPktvarData *)m->ctx;

@ -18,7 +18,7 @@
#include "util-unittest.h"
int DetectUricontentMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *);
int DetectUricontentMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectUricontentSetup (DetectEngineCtx *, Signature *, SigMatch *, char *);
void HttpUriRegisterTests(void);
@ -114,7 +114,7 @@ TestOffsetDepth(MpmMatch *m, DetectUricontentData *co) {
* that turn out to fail being followed by full matches later in the
* packet. This adds some runtime complexity however. */
static inline int
TestWithinDistanceOffsetDepth(ThreadVars *t, PatternMatcherThread *pmt, MpmMatch *m, SigMatch *nsm)
TestWithinDistanceOffsetDepth(ThreadVars *t, DetectEngineThreadCtx *pmt, MpmMatch *m, SigMatch *nsm)
{
//printf("test_nextsigmatch m:%p, nsm:%p\n", m,nsm);
if (nsm == NULL)
@ -147,7 +147,7 @@ TestWithinDistanceOffsetDepth(ThreadVars *t, PatternMatcherThread *pmt, MpmMatch
}
static inline int
DoDetectUricontent(ThreadVars *t, PatternMatcherThread *pmt, Packet *p, SigMatch *sm, DetectUricontentData *co)
DoDetectUricontent(ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, SigMatch *sm, DetectUricontentData *co)
{
int ret = 0;
char match = 0;
@ -221,7 +221,7 @@ DoDetectUricontent(ThreadVars *t, PatternMatcherThread *pmt, Packet *p, SigMatch
* -1: error
*/
int DetectUricontentMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m)
int DetectUricontentMatch (ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *m)
{
uint32_t len = 0;
@ -238,7 +238,7 @@ int DetectUricontentMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p,
#ifdef DEBUG
printf("uricontent \'");
PrintRawUriFp(stdout, co->uricontent, co->uricontent_len);
PrintRawUriFp(stdout, co->uricontent, co->uricontent_len);
printf("\' matched %" PRIu32 " time(s) at offsets: ", len);
MpmMatch *tmpm = NULL;


@ -62,6 +62,7 @@ typedef struct DetectAddressGroup_ {
uint32_t cnt;
} DetectAddressGroup;
/** Signature grouping head. Here 'any', ipv4 and ipv6 are split out */
typedef struct DetectAddressGroupsHead_ {
DetectAddressGroup *any_head;
DetectAddressGroup *ipv4_head;
@ -84,15 +85,13 @@ enum {
PORT_GT, /* bigger [bbb] [aaa] */
};
#define PORT_FLAG_ANY 0x1
#define PORT_FLAG_NOT 0x2
#define PORT_SIGGROUPHEAD_COPY 0x04
#define PORT_GROUP_PORTS_COPY 0x08
#define PORT_FLAG_ANY 0x01 /**< 'any' special port */
#define PORT_FLAG_NOT 0x02 /**< negated port */
#define PORT_SIGGROUPHEAD_COPY 0x04 /**< sgh is a ptr copy */
#define PORT_GROUP_PORTS_COPY 0x08 /**< dst_ph is a ptr copy */
/** \brief Port structure for detection engine */
typedef struct DetectPort_ {
uint8_t flags;
uint16_t port;
uint16_t port2;
@ -109,20 +108,21 @@ typedef struct DetectPort_ {
struct DetectPort_ *next;
uint32_t cnt;
uint8_t flags; /**< flags for this port */
} DetectPort;
/* Signature flags */
#define SIG_FLAG_RECURSIVE 0x0001 /* recurive capturing enabled */
#define SIG_FLAG_SRC_ANY 0x0002 /* source is any */
#define SIG_FLAG_DST_ANY 0x0004 /* destination is any */
#define SIG_FLAG_SP_ANY 0x0008 /* source port is any */
#define SIG_FLAG_DP_ANY 0x0010 /* destination port is any */
#define SIG_FLAG_NOALERT 0x0020 /* no alert flag is set */
#define SIG_FLAG_IPONLY 0x0040 /* ip only signature */
#define SIG_FLAG_MPM 0x0080 /* sig has mpm portion (content, uricontent, etc) */
#define SIG_FLAG_RECURSIVE 0x0001 /**< recurive capturing enabled */
#define SIG_FLAG_SRC_ANY 0x0002 /**< source is any */
#define SIG_FLAG_DST_ANY 0x0004 /**< destination is any */
#define SIG_FLAG_SP_ANY 0x0008 /**< source port is any */
#define SIG_FLAG_DP_ANY 0x0010 /**< destination port is any */
#define SIG_FLAG_NOALERT 0x0020 /**< no alert flag is set */
#define SIG_FLAG_IPONLY 0x0040 /**< ip only signature */
#define SIG_FLAG_MPM 0x0080 /**< sig has mpm portion (content, uricontent, etc) */
/* Detection Engine flags */
#define DE_QUIET 0x01 /* DE is quiet (esp for unittests) */
#define DE_QUIET 0x01 /**< DE is quiet (esp for unittests) */
typedef struct DetectEngineIPOnlyThreadCtx_ {
DetectAddressGroup *src, *dst;
@ -130,78 +130,33 @@ typedef struct DetectEngineIPOnlyThreadCtx_ {
uint32_t sig_match_size; /* size in bytes of the array */
} DetectEngineIPOnlyThreadCtx;
/**
* Detection engine thread data.
* XXX: we should rename this
*/
typedef struct PatternMatcherThread_ {
/* detection engine variables */
uint8_t *pkt_ptr; /* ptr to the current position in the pkt */
uint16_t pkt_off;
uint8_t pkt_cnt;
char de_checking_distancewithin;
/* http_uri stuff for uricontent */
char de_have_httpuri;
/* pointer to the current mpm ctx that is stored
* in a rule group head -- can be either a content
* or uricontent ctx. */
MpmThreadCtx mtc; /* thread ctx for the mpm */
MpmThreadCtx mtcu;
struct SigGroupHead_ *sgh;
PatternMatcherQueue pmq;
/* counters */
uint32_t pkts;
uint32_t pkts_scanned;
uint32_t pkts_searched;
uint32_t pkts_scanned1;
uint32_t pkts_searched1;
uint32_t pkts_scanned2;
uint32_t pkts_searched2;
uint32_t pkts_scanned3;
uint32_t pkts_searched3;
uint32_t pkts_scanned4;
uint32_t pkts_searched4;
uint32_t uris;
uint32_t pkts_uri_scanned;
uint32_t pkts_uri_searched;
uint32_t pkts_uri_scanned1;
uint32_t pkts_uri_searched1;
uint32_t pkts_uri_scanned2;
uint32_t pkts_uri_searched2;
uint32_t pkts_uri_scanned3;
uint32_t pkts_uri_searched3;
uint32_t pkts_uri_scanned4;
uint32_t pkts_uri_searched4;
u_int64_t counter_alerts;
DetectEngineIPOnlyThreadCtx io_ctx;
} PatternMatcherThread;
/** \brief Signature container */
typedef struct Signature_ {
uint16_t flags;
uint32_t num; /* signature number, internal id */
uint32_t id;
uint8_t rev;
uint8_t prio;
uint32_t num; /**< signature number, internal id */
uint32_t id; /**< sid, set by the 'sid' rule keyword */
char *msg;
uint8_t action;
/** addresses, ports and proto this sig matches on */
DetectAddressGroupsHead src, dst;
DetectProto proto;
DetectPort *sp, *dp;
/** ptr to the SigMatch list */
struct SigMatch_ *match;
/** ptr to the next sig in the list */
struct Signature_ *next;
/** inline -- action */
uint8_t action;
} Signature;
/** \brief IP only rules matching ctx.
* \todo a radix tree would be great here */
typedef struct DetectEngineIPOnlyCtx_ {
/* lookup hashes */
HashListTable *ht16_src, *ht16_dst;
@ -244,6 +199,7 @@ typedef struct DetectEngineLookupDsize_ {
*/
#define DSIZE_STATES 2
/** \brief main detection engine ctx */
typedef struct DetectEngineCtx_ {
uint8_t flags;
@ -291,15 +247,73 @@ typedef struct DetectEngineCtx_ {
DetectEngineIPOnlyCtx io_ctx;
} DetectEngineCtx;
/**
* Detection engine thread data.
*/
typedef struct DetectionEngineThreadCtx_ {
/* detection engine variables */
uint8_t *pkt_ptr; /* ptr to the current position in the pkt */
uint16_t pkt_off;
uint8_t pkt_cnt;
char de_checking_distancewithin;
/* http_uri stuff for uricontent */
char de_have_httpuri;
/** pointer to the current mpm ctx that is stored
* in a rule group head -- can be either a content
* or uricontent ctx. */
MpmThreadCtx mtc; /**< thread ctx for the mpm */
MpmThreadCtx mtcu;
struct SigGroupHead_ *sgh;
PatternMatcherQueue pmq;
/* counters */
uint32_t pkts;
uint32_t pkts_scanned;
uint32_t pkts_searched;
uint32_t pkts_scanned1;
uint32_t pkts_searched1;
uint32_t pkts_scanned2;
uint32_t pkts_searched2;
uint32_t pkts_scanned3;
uint32_t pkts_searched3;
uint32_t pkts_scanned4;
uint32_t pkts_searched4;
uint32_t uris;
uint32_t pkts_uri_scanned;
uint32_t pkts_uri_searched;
uint32_t pkts_uri_scanned1;
uint32_t pkts_uri_searched1;
uint32_t pkts_uri_scanned2;
uint32_t pkts_uri_searched2;
uint32_t pkts_uri_scanned3;
uint32_t pkts_uri_searched3;
uint32_t pkts_uri_scanned4;
uint32_t pkts_uri_searched4;
/** id for alert counter */
uint16_t counter_alerts;
/** ip only rules ctx */
DetectEngineIPOnlyThreadCtx io_ctx;
DetectEngineCtx *de_ctx;
} DetectEngineThreadCtx;
/** \brief a single match condition for a signature */
typedef struct SigMatch_ {
uint8_t type;
void *ctx;
uint8_t type; /**< match type */
void *ctx; /**< plugin specific data */
struct SigMatch_ *next;
struct SigMatch_ *prev;
} SigMatch;
/** \brief element in sigmatch type table. */
typedef struct SigTableElmt_ {
int (*Match)(ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *);
int (*Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int (*Setup)(DetectEngineCtx *, Signature *, SigMatch *, char *);
void (*Free)(void *);
void (*RegisterTests)(void);
@ -308,15 +322,15 @@ typedef struct SigTableElmt_ {
char *name;
} SigTableElmt;
#define SIG_GROUP_HAVECONTENT 0x1
#define SIG_GROUP_HAVEURICONTENT 0x2
#define SIG_GROUP_HEAD_MPM_COPY 0x4
#define SIG_GROUP_HEAD_MPM_URI_COPY 0x8
#define SIG_GROUP_HAVECONTENT 0x01
#define SIG_GROUP_HAVEURICONTENT 0x02
#define SIG_GROUP_HEAD_MPM_COPY 0x04
#define SIG_GROUP_HEAD_MPM_URI_COPY 0x08
#define SIG_GROUP_HEAD_FREE 0x10
#define SIG_GROUP_HEAD_MPM_NOSCAN 0x20
#define SIG_GROUP_HEAD_MPM_URI_NOSCAN 0x40
/* head of the list of containers. */
/** \brief head of the list of containers. */
typedef struct SigGroupHead_ {
uint8_t flags;
@ -389,6 +403,7 @@ enum {
DETECT_PROTO,
DETECT_PORT,
DETECT_DECODE_EVENT,
/* make sure this stays last */
DETECT_TBLSIZE,
};
@ -399,7 +414,7 @@ SigTableElmt sigmatch_table[DETECT_TBLSIZE];
/* detection api */
SigMatch *SigMatchAlloc(void);
void SigMatchAppend(Signature *, SigMatch *, SigMatch *);
void SigCleanSignatures(void);
void SigCleanSignatures(DetectEngineCtx *);
void SigTableRegisterTests(void);
void SigRegisterTests(void);
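Review bot: The new thread context is declared as `typedef struct DetectionEngineThreadCtx_ { ... } DetectEngineThreadCtx;`, so the struct tag (`Detection...`) does not match the typedef name (`Detect...`), unlike `DetectEngineCtx_`/`DetectEngineCtx` and the other structs in this header. A forward declaration written as `struct DetectEngineThreadCtx_` would silently name a different, incomplete type, so rename the tag to `DetectEngineThreadCtx_`. Separately, the comment beginning "pointer to the current mpm ctx that is stored in a rule group head" sits above `mtc`, which is an embedded `MpmThreadCtx` rather than a pointer; it appears to describe `sgh` and would read better directly above that member. `counter_alerts` also narrows from `u_int64_t` to `uint16_t` with the comment "id for alert counter", so it is worth confirming the width matches what `PerfTVRegisterCounter` returns.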

@ -923,7 +923,7 @@ int main(int argc, char **argv)
BinSearchInit();
CIDRInit();
SigParsePrepare();
PatternMatchPrepare(mpm_ctx);
PatternMatchPrepare(mpm_ctx, MPM_B2G);
PerfInitCounterApi();
/** \todo we need an api for this */
@ -1108,8 +1108,8 @@ int main(int argc, char **argv)
FlowShutdown();
FlowPrintFlows();
SigGroupCleanup();
SigCleanSignatures();
SigGroupCleanup(g_de_ctx);
SigCleanSignatures(g_de_ctx);
pthread_exit(NULL);
}

@ -62,6 +62,10 @@ int VariableNameInitHash(DetectEngineCtx *de_ctx) {
return 0;
}
void VariableNameFreeHash(DetectEngineCtx *de_ctx) {
HashListTableFree(de_ctx->variable_names);
}
/** \brief Get a name idx for a name. If the name is already used reuse the idx.
* \param de_ctx Ptr to the detection engine ctx.
* \param name nul terminated string with the name
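Review bot: `VariableNameFreeHash` passes `de_ctx->variable_names` straight to `HashListTableFree` and leaves the stale pointer in the context afterwards. `DetectEngineCtxFree` now calls it on every teardown, which may include contexts where `VariableNameInitHash` failed or never ran. Unless `HashListTableFree` accepts NULL (not visible here), guard with `if (de_ctx == NULL || de_ctx->variable_names == NULL) return;` and set `de_ctx->variable_names = NULL;` after the free so a second teardown cannot free it twice. The Doxygen comment that ends this hunk belongs to a function whose body lies outside it.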

@ -2,6 +2,8 @@
#define __UTIL_VAR_NAME_H__
int VariableNameInitHash(DetectEngineCtx *de_ctx);
void VariableNameFreeHash(DetectEngineCtx *de_ctx);
uint16_t VariableNameGetIdx(DetectEngineCtx *, char *, uint8_t);
#endif
