remotes/origin/master-1.0.x
Victor Julien 17 years ago
parent 855dc62e30
commit b9972a9d2c

@ -45,7 +45,7 @@
#include "threads.h" #include "threads.h"
int DetectContentMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *); int DetectContentMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectContentSetup (DetectEngineCtx *, Signature *, SigMatch *, char *); int DetectContentSetup (DetectEngineCtx *, Signature *, SigMatch *, char *);
void DetectContentRegisterTests(void); void DetectContentRegisterTests(void);
@ -109,7 +109,7 @@ TestOffsetDepth(MpmMatch *m, DetectContentData *co, uint16_t pktoff) {
* that turn out to fail being followed by full matches later in the * that turn out to fail being followed by full matches later in the
* packet. This adds some runtime complexity however. */ * packet. This adds some runtime complexity however. */
static inline int static inline int
TestWithinDistanceOffsetDepth(ThreadVars *t, PatternMatcherThread *pmt, MpmMatch *m, SigMatch *nsm, uint16_t pktoff) TestWithinDistanceOffsetDepth(ThreadVars *t, DetectEngineThreadCtx *pmt, MpmMatch *m, SigMatch *nsm, uint16_t pktoff)
{ {
//printf("test_nextsigmatch m:%p, nsm:%p\n", m,nsm); //printf("test_nextsigmatch m:%p, nsm:%p\n", m,nsm);
if (nsm == NULL) if (nsm == NULL)
@ -155,7 +155,7 @@ TestWithinDistanceOffsetDepth(ThreadVars *t, PatternMatcherThread *pmt, MpmMatch
} }
static inline int static inline int
DoDetectContent(ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *sm, DetectContentData *co) DoDetectContent(ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *sm, DetectContentData *co)
{ {
int ret = 0; int ret = 0;
char match = 0; char match = 0;
@ -250,7 +250,7 @@ DoDetectContent(ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *
* -1: error * -1: error
*/ */
int DetectContentMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m) int DetectContentMatch (ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *m)
{ {
uint32_t len = 0; uint32_t len = 0;

@ -26,7 +26,7 @@
static pcre *parse_regex; static pcre *parse_regex;
static pcre_extra *parse_regex_study; static pcre_extra *parse_regex_study;
int DetectDecodeEventMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *); int DetectDecodeEventMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectDecodeEventSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *str); int DetectDecodeEventSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *str);
void DecodeEventRegisterTests(void); void DecodeEventRegisterTests(void);
@ -77,7 +77,7 @@ error:
* \retval 0 no match * \retval 0 no match
* \retval 1 match * \retval 1 match
*/ */
int DetectDecodeEventMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m) int DetectDecodeEventMatch (ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *m)
{ {
int ret = 0; int ret = 0;
DetectDecodeEventData *de = (DetectDecodeEventData *)m->ctx; DetectDecodeEventData *de = (DetectDecodeEventData *)m->ctx;

@ -15,7 +15,7 @@
static pcre *parse_regex; static pcre *parse_regex;
static pcre_extra *parse_regex_study; static pcre_extra *parse_regex_study;
int DetectDsizeMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *); int DetectDsizeMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectDsizeSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *str); int DetectDsizeSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *str);
void DsizeRegisterTests(void); void DsizeRegisterTests(void);
@ -56,7 +56,7 @@ error:
* -1: error * -1: error
*/ */
int DetectDsizeMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m) int DetectDsizeMatch (ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *m)
{ {
int ret = 0; int ret = 0;

@ -20,32 +20,45 @@
#include "detect-content.h" #include "detect-content.h"
#include "detect-uricontent.h" #include "detect-uricontent.h"
/** \todo make it possible to use multiple pattern matcher algorithms next to
eachother. */
//#define PM MPM_WUMANBER //#define PM MPM_WUMANBER
#define PM MPM_B2G #define PM MPM_B2G
//#define PM MPM_B3G //#define PM MPM_B3G
uint32_t PacketPatternScan(ThreadVars *t, PatternMatcherThread *pmt, Packet *p) { /** \brief Pattern match, scan part -- searches for only 'scan' patterns,
* normally one per signature.
* \param tv threadvars
* \param det_ctx detection engine thread ctx
* \param p packet to scan
*/
uint32_t PacketPatternScan(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p) {
uint32_t ret; uint32_t ret;
pmt->pmq.mode = PMQ_MODE_SCAN; det_ctx->pmq.mode = PMQ_MODE_SCAN;
ret = pmt->sgh->mpm_ctx->Scan(pmt->sgh->mpm_ctx, &pmt->mtc, &pmt->pmq, p->payload, p->payload_len); ret = det_ctx->sgh->mpm_ctx->Scan(det_ctx->sgh->mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, p->payload, p->payload_len);
//printf("PacketPatternScan: ret %" PRIu32 "\n", ret); //printf("PacketPatternScan: ret %" PRIu32 "\n", ret);
return ret; return ret;
} }
uint32_t PacketPatternMatch(ThreadVars *t, PatternMatcherThread *pmt, Packet *p) { /** \brief Pattern match, search part -- searches for all other patterns
* \param tv threadvars
* \param det_ctx detection engine thread ctx
* \param p packet to scan
*/
uint32_t PacketPatternMatch(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p) {
uint32_t ret; uint32_t ret;
pmt->pmq.mode = PMQ_MODE_SEARCH; det_ctx->pmq.mode = PMQ_MODE_SEARCH;
ret = pmt->sgh->mpm_ctx->Search(pmt->sgh->mpm_ctx, &pmt->mtc, &pmt->pmq, p->payload, p->payload_len); ret = det_ctx->sgh->mpm_ctx->Search(det_ctx->sgh->mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, p->payload, p->payload_len);
//printf("PacketPatternMatch: ret %" PRIu32 "\n", ret); //printf("PacketPatternMatch: ret %" PRIu32 "\n", ret);
return ret; return ret;
} }
/* cleans up the mpm instance after a match */ /** \brief cleans up the mpm instance after a match */
void PacketPatternCleanup(ThreadVars *t, PatternMatcherThread *pmt) { void PacketPatternCleanup(ThreadVars *t, DetectEngineThreadCtx *pmt) {
PmqReset(&pmt->pmq); PmqReset(&pmt->pmq);
if (pmt->sgh == NULL) if (pmt->sgh == NULL)
@ -61,15 +74,13 @@ void PacketPatternCleanup(ThreadVars *t, PatternMatcherThread *pmt) {
} }
} }
/* XXX remove this once we got rid of the global mpm_ctx */
void PatternMatchDestroy(MpmCtx *mc) { void PatternMatchDestroy(MpmCtx *mc) {
mc->DestroyCtx(mc); mc->DestroyCtx(mc);
} }
/* TODO remove this when we move to the rule groups completely */ void PatternMatchPrepare(MpmCtx *mc, int type)
void PatternMatchPrepare(MpmCtx *mc)
{ {
MpmInitCtx(mc, PM); MpmInitCtx(mc, type);
} }
@ -131,8 +142,8 @@ void DbgPrintScanSearchStats() {
#endif #endif
} }
/* set the mpm_content_maxlen and mpm_uricontent_maxlen variables in /** \brief set the mpm_content_maxlen and mpm_uricontent_maxlen variables in
* a sig group head */ * a sig group head */
void SigGroupHeadSetMpmMaxlen(DetectEngineCtx *de_ctx, SigGroupHead *sgh) void SigGroupHeadSetMpmMaxlen(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
{ {
SigMatch *sm; SigMatch *sm;
@ -178,6 +189,8 @@ void SigGroupHeadSetMpmMaxlen(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
} }
} }
/** \brief Hash for looking up contents that are most used,
* always used, etc. */
typedef struct ContentHash_ { typedef struct ContentHash_ {
DetectContentData *ptr; DetectContentData *ptr;
uint16_t cnt; uint16_t cnt;
@ -229,7 +242,7 @@ void ContentHashFree(void *ch) {
free(ch); free(ch);
} }
/* Predict a strength value for patterns /** \brief Predict a strength value for patterns
* *
* Patterns with high character diversity score higher. * Patterns with high character diversity score higher.
* Alpha chars score not so high * Alpha chars score not so high
@ -351,9 +364,7 @@ int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
ContentHash *ch = ContentHashAlloc(co); ContentHash *ch = ContentHashAlloc(co);
if (ch == NULL) if (ch == NULL)
goto error; goto error;
//if (s->id == 2002102) {
//printf("%p %" PRIu32 " Content: ", sgh, s->id); PrintRawUriFp(stdout,co->content,co->content_len);printf(" (strength %" PRIu32 ", maxlen %" PRIu32 ")\n", PatternStrength(co->content,co->content_len,sgh->mpm_content_maxlen), sgh->mpm_content_maxlen);
//}
ContentHash *lookup_ch = (ContentHash *)HashTableLookup(ht, ch, 0); ContentHash *lookup_ch = (ContentHash *)HashTableLookup(ht, ch, 0);
if (lookup_ch == NULL) { if (lookup_ch == NULL) {
continue; continue;
@ -368,16 +379,10 @@ int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
if (ls > ss) if (ls > ss)
scan_ch = lookup_ch; scan_ch = lookup_ch;
else if (ls == ss) { else if (ls == ss) {
/* if 2 patterns are of equal strength, we pick the longest */
if (lookup_ch->ptr->content_len > scan_ch->ptr->content_len) if (lookup_ch->ptr->content_len > scan_ch->ptr->content_len)
scan_ch = lookup_ch; scan_ch = lookup_ch;
} }
// if (lookup_ch->cnt > scan_ch->cnt) {
// scan_ch = lookup_ch;
// } else if (lookup_ch->cnt == scan_ch->cnt) {
// if (lookup_ch->ptr->content_len < scan_ch->ptr->content_len)
// scan_ch = lookup_ch;
// }
} else { } else {
if (scan_ch->use == 0) if (scan_ch->use == 0)
scan_ch = lookup_ch; scan_ch = lookup_ch;
@ -386,18 +391,11 @@ int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
uint32_t ss = PatternStrength(scan_ch->ptr->content,scan_ch->ptr->content_len,sgh->mpm_content_maxlen); uint32_t ss = PatternStrength(scan_ch->ptr->content,scan_ch->ptr->content_len,sgh->mpm_content_maxlen);
if (ls > ss) if (ls > ss)
scan_ch = lookup_ch; scan_ch = lookup_ch;
/* if 2 patterns are of equal strength, we pick the longest */
else if (ls == ss) { else if (ls == ss) {
if (lookup_ch->ptr->content_len > scan_ch->ptr->content_len) if (lookup_ch->ptr->content_len > scan_ch->ptr->content_len)
scan_ch = lookup_ch; scan_ch = lookup_ch;
} }
/*
if (lookup_ch->cnt > scan_ch->cnt) {
scan_ch = lookup_ch;
} else if (lookup_ch->cnt == scan_ch->cnt) {
if (lookup_ch->ptr->content_len < scan_ch->ptr->content_len)
scan_ch = lookup_ch;
}
*/
} }
} }
} }
@ -408,12 +406,6 @@ int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
/* now add the scan_ch to the mpm ctx */ /* now add the scan_ch to the mpm ctx */
if (scan_ch != NULL) { if (scan_ch != NULL) {
DetectContentData *co = scan_ch->ptr; DetectContentData *co = scan_ch->ptr;
//if (s->id == 2002102) {
//if (sgh->mpm_content_maxlen == 1) {
//printf("%p %" PRIu32 " SCAN: ", sgh, s->id); PrintRawUriFp(stdout,co->content,co->content_len);printf("\n");
//}
//if (scan_ch->nosearch == 1) { printf("%3u (%" PRIu32 ") Content: ", scan_ch->cnt, scan_ch->use); PrintRawUriFp(stdout,co->content,co->content_len);printf("\n"); }
uint16_t offset = s->flags & SIG_FLAG_RECURSIVE ? 0 : co->offset; uint16_t offset = s->flags & SIG_FLAG_RECURSIVE ? 0 : co->offset;
uint16_t depth = s->flags & SIG_FLAG_RECURSIVE ? 0 : co->depth; uint16_t depth = s->flags & SIG_FLAG_RECURSIVE ? 0 : co->depth;
offset = scan_ch->cnt ? 0 : offset; offset = scan_ch->cnt ? 0 : offset;
@ -795,57 +787,3 @@ error:
return -1; return -1;
} }
int PatternMatcherThreadInit(ThreadVars *t, void *initdata, void **data) {
DetectEngineCtx *de_ctx = (DetectEngineCtx *)initdata;
if (de_ctx == NULL)
return -1;
PatternMatcherThread *pmt = malloc(sizeof(PatternMatcherThread));
if (pmt == NULL) {
return -1;
}
memset(pmt, 0, sizeof(PatternMatcherThread));
/* XXX we still depend on the global mpm_ctx here
*
* Initialize the thread pattern match ctx with the max size
* of the content and uricontent id's so our match lookup
* table is always big enough
*/
mpm_ctx[0].InitThreadCtx(&mpm_ctx[0], &pmt->mtc, DetectContentMaxId(de_ctx));
mpm_ctx[0].InitThreadCtx(&mpm_ctx[0], &pmt->mtcu, DetectUricontentMaxId(de_ctx));
PmqSetup(&pmt->pmq, DetectEngineGetMaxSigId(de_ctx));
/* IP-ONLY */
DetectEngineIPOnlyThreadInit(de_ctx,&pmt->io_ctx);
pmt->counter_alerts = PerfTVRegisterCounter("detect.alert", t, TYPE_UINT64,
"NULL");
t->pca = PerfGetAllCountersArray(&t->pctx);
PerfAddToClubbedTMTable(t->name, &t->pctx);
*data = (void *)pmt;
//printf("PatternMatcherThreadInit: data %p pmt %p\n", *data, pmt);
return 0;
}
int PatternMatcherThreadDeinit(ThreadVars *t, void *data) {
PatternMatcherThread *pmt = (PatternMatcherThread *)data;
/* XXX */
mpm_ctx[0].DestroyThreadCtx(&mpm_ctx[0], &pmt->mtc);
mpm_ctx[0].DestroyThreadCtx(&mpm_ctx[0], &pmt->mtcu);
return 0;
}
void PatternMatcherThreadInfo(ThreadVars *t, PatternMatcherThread *pmt) {
/* XXX */
mpm_ctx[0].PrintThreadCtx(&pmt->mtc);
mpm_ctx[0].PrintThreadCtx(&pmt->mtcu);
}

@ -4,18 +4,18 @@
/* XXX remove once */ /* XXX remove once */
MpmCtx mpm_ctx[1]; MpmCtx mpm_ctx[1];
uint32_t PacketPatternScan(ThreadVars *, PatternMatcherThread *, Packet *); uint32_t PacketPatternScan(ThreadVars *, DetectEngineThreadCtx *, Packet *);
uint32_t PacketPatternMatch(ThreadVars *, PatternMatcherThread *, Packet *); uint32_t PacketPatternMatch(ThreadVars *, DetectEngineThreadCtx *, Packet *);
void PacketPatternCleanup(ThreadVars *, PatternMatcherThread *); void PacketPatternCleanup(ThreadVars *, DetectEngineThreadCtx *);
void PatternMatchPrepare(MpmCtx *); void PatternMatchPrepare(MpmCtx *, int);
int PatternMatchPrepareGroup(DetectEngineCtx *, SigGroupHead *); int PatternMatchPrepareGroup(DetectEngineCtx *, SigGroupHead *);
void PatternMatcherThreadInfo(ThreadVars *, PatternMatcherThread *); void DetectEngineThreadCtxInfo(ThreadVars *, DetectEngineThreadCtx *);
void PatternMatchDestroy(MpmCtx *); void PatternMatchDestroy(MpmCtx *);
void PatternMatchDestroyGroup(SigGroupHead *); void PatternMatchDestroyGroup(SigGroupHead *);
int PatternMatcherThreadInit(ThreadVars *, void *, void **); int DetectEngineThreadCtxInit(ThreadVars *, void *, void **);
int PatternMatcherThreadDeinit(ThreadVars *, void *); int DetectEngineThreadCtxDeinit(ThreadVars *, void *);
void SigGroupHeadSetMpmMaxlen(DetectEngineCtx *, SigGroupHead *); void SigGroupHeadSetMpmMaxlen(DetectEngineCtx *, SigGroupHead *);
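Review bot: `MpmCtx mpm_ctx[1];` in this header is a tentative definition, not a declaration, so every translation unit that includes the header defines the array and the link only succeeds through the common-symbol relaxation, which breaks under `-fno-common`. The header should carry `extern MpmCtx mpm_ctx[1];` with the single definition in one .c file; the existing "XXX remove once" comment says the global is slated to go, but the extern form costs nothing until then. The hunk also renames the thread-ctx prototypes to DetectEngineThreadCtxInit/Deinit/Info while, per the other hunks of this commit, their definitions now live in the detection-engine .c file rather than the mpm one, so these three declarations probably belong in that file's header instead.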

@ -10,7 +10,13 @@
#include "detect-engine-siggroup.h" #include "detect-engine-siggroup.h"
#include "detect-engine-address.h" #include "detect-engine-address.h"
#include "detect-engine-port.h" #include "detect-engine-port.h"
#include "detect-engine-mpm.h"
#include "detect-engine-iponly.h"
#include "detect-content.h"
#include "detect-uricontent.h"
//#include "util-mpm.h"
#include "util-hash.h" #include "util-hash.h"
#include "util-var-name.h" #include "util-var-name.h"
@ -52,6 +58,7 @@ void DetectEngineCtxFree(DetectEngineCtx *de_ctx) {
DetectPortSpHashFree(de_ctx); DetectPortSpHashFree(de_ctx);
DetectPortDpHashFree(de_ctx); DetectPortDpHashFree(de_ctx);
VariableNameFreeHash(de_ctx);
free(de_ctx); free(de_ctx);
} }
@ -67,3 +74,56 @@ void DetectEngineResetMaxSigId(DetectEngineCtx *de_ctx) {
de_ctx->signum = 0; de_ctx->signum = 0;
} }
int DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data) {
DetectEngineCtx *de_ctx = (DetectEngineCtx *)initdata;
if (de_ctx == NULL)
return -1;
DetectEngineThreadCtx *det_ctx = malloc(sizeof(DetectEngineThreadCtx));
if (det_ctx == NULL) {
return -1;
}
memset(det_ctx, 0, sizeof(DetectEngineThreadCtx));
det_ctx->de_ctx = de_ctx;
/** \todo we still depend on the global mpm_ctx here
*
* Initialize the thread pattern match ctx with the max size
* of the content and uricontent id's so our match lookup
* table is always big enough
*/
mpm_ctx[0].InitThreadCtx(&mpm_ctx[0], &det_ctx->mtc, DetectContentMaxId(de_ctx));
mpm_ctx[0].InitThreadCtx(&mpm_ctx[0], &det_ctx->mtcu, DetectUricontentMaxId(de_ctx));
PmqSetup(&det_ctx->pmq, DetectEngineGetMaxSigId(de_ctx));
/* IP-ONLY */
DetectEngineIPOnlyThreadInit(de_ctx,&det_ctx->io_ctx);
/** alert counter setup */
det_ctx->counter_alerts = PerfTVRegisterCounter("detect.alert", tv, TYPE_UINT64, "NULL");
tv->pca = PerfGetAllCountersArray(&tv->pctx);
PerfAddToClubbedTMTable(tv->name, &tv->pctx);
*data = (void *)det_ctx;
//printf("DetectEngineThreadCtxInit: data %p det_ctx %p\n", *data, det_ctx);
return 0;
}
int DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data) {
DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;
/** \todo get rid of this static */
mpm_ctx[0].DestroyThreadCtx(&mpm_ctx[0], &det_ctx->mtc);
mpm_ctx[0].DestroyThreadCtx(&mpm_ctx[0], &det_ctx->mtcu);
return 0;
}
void DetectEngineThreadCtxInfo(ThreadVars *t, DetectEngineThreadCtx *det_ctx) {
/* XXX */
mpm_ctx[0].PrintThreadCtx(&det_ctx->mtc);
mpm_ctx[0].PrintThreadCtx(&det_ctx->mtcu);
}

@ -27,7 +27,7 @@
static pcre *parse_regex; static pcre *parse_regex;
static pcre_extra *parse_regex_study; static pcre_extra *parse_regex_study;
int DetectFlowMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *); int DetectFlowMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectFlowSetup (DetectEngineCtx *, Signature *, SigMatch *, char *); int DetectFlowSetup (DetectEngineCtx *, Signature *, SigMatch *, char *);
void DetectFlowRegisterTests(void); void DetectFlowRegisterTests(void);
void DetectFlowFree(void *); void DetectFlowFree(void *);
@ -85,7 +85,7 @@ error:
* \retval 0 no match * \retval 0 no match
* \retval 1 match * \retval 1 match
*/ */
int DetectFlowMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m) int DetectFlowMatch (ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *m)
{ {
uint8_t cnt = 0; uint8_t cnt = 0;
DetectFlowData *fd = (DetectFlowData *)m->ctx; DetectFlowData *fd = (DetectFlowData *)m->ctx;

@ -36,7 +36,7 @@
static pcre *parse_regex; static pcre *parse_regex;
static pcre_extra *parse_regex_study; static pcre_extra *parse_regex_study;
int DetectFlowbitMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *); int DetectFlowbitMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectFlowbitSetup (DetectEngineCtx *, Signature *, SigMatch *, char *); int DetectFlowbitSetup (DetectEngineCtx *, Signature *, SigMatch *, char *);
void DetectFlowbitFree (void *); void DetectFlowbitFree (void *);
@ -101,7 +101,7 @@ static int DetectFlowbitMatchIsnotset (Packet *p, DetectFlowbitsData *fd) {
* -1: error * -1: error
*/ */
int DetectFlowbitMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m) int DetectFlowbitMatch (ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *m)
{ {
DetectFlowbitsData *fd = (DetectFlowbitsData *)m->ctx; DetectFlowbitsData *fd = (DetectFlowbitsData *)m->ctx;
if (fd == NULL) if (fd == NULL)

@ -19,7 +19,7 @@
static pcre *parse_regex; static pcre *parse_regex;
static pcre_extra *parse_regex_study; static pcre_extra *parse_regex_study;
int DetectFlowvarMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *); int DetectFlowvarMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectFlowvarSetup (DetectEngineCtx *, Signature *, SigMatch *, char *); int DetectFlowvarSetup (DetectEngineCtx *, Signature *, SigMatch *, char *);
void DetectFlowvarRegister (void) { void DetectFlowvarRegister (void) {
@ -59,7 +59,7 @@ error:
* -1: error * -1: error
*/ */
int DetectFlowvarMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m) int DetectFlowvarMatch (ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *m)
{ {
int ret = 0; int ret = 0;
DetectFlowvarData *fd = (DetectFlowvarData *)m->ctx; DetectFlowvarData *fd = (DetectFlowvarData *)m->ctx;

@ -23,7 +23,7 @@ static pcre_extra *parse_regex_study;
static pcre *parse_capture_regex; static pcre *parse_capture_regex;
static pcre_extra *parse_capture_regex_study; static pcre_extra *parse_capture_regex_study;
int DetectPcreMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *); int DetectPcreMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectPcreSetup (DetectEngineCtx *, Signature *, SigMatch *, char *); int DetectPcreSetup (DetectEngineCtx *, Signature *, SigMatch *, char *);
void DetectPcreFree(void *); void DetectPcreFree(void *);
@ -79,7 +79,7 @@ error:
* -1: error * -1: error
*/ */
int DetectPcreMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m) int DetectPcreMatch (ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *m)
{ {
#define MAX_SUBSTRINGS 30 #define MAX_SUBSTRINGS 30
int ret = 0; int ret = 0;

@ -17,7 +17,7 @@
static pcre *parse_regex; static pcre *parse_regex;
static pcre_extra *parse_regex_study; static pcre_extra *parse_regex_study;
int DetectPktvarMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *); int DetectPktvarMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectPktvarSetup (DetectEngineCtx *, Signature *, SigMatch *, char *); int DetectPktvarSetup (DetectEngineCtx *, Signature *, SigMatch *, char *);
void DetectPktvarRegister (void) { void DetectPktvarRegister (void) {
@ -57,7 +57,7 @@ error:
* -1: error * -1: error
*/ */
int DetectPktvarMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m) int DetectPktvarMatch (ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *m)
{ {
int ret = 0; int ret = 0;
DetectPktvarData *pd = (DetectPktvarData *)m->ctx; DetectPktvarData *pd = (DetectPktvarData *)m->ctx;

@ -18,7 +18,7 @@
#include "util-unittest.h" #include "util-unittest.h"
int DetectUricontentMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *); int DetectUricontentMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int DetectUricontentSetup (DetectEngineCtx *, Signature *, SigMatch *, char *); int DetectUricontentSetup (DetectEngineCtx *, Signature *, SigMatch *, char *);
void HttpUriRegisterTests(void); void HttpUriRegisterTests(void);
@ -114,7 +114,7 @@ TestOffsetDepth(MpmMatch *m, DetectUricontentData *co) {
* that turn out to fail being followed by full matches later in the * that turn out to fail being followed by full matches later in the
* packet. This adds some runtime complexity however. */ * packet. This adds some runtime complexity however. */
static inline int static inline int
TestWithinDistanceOffsetDepth(ThreadVars *t, PatternMatcherThread *pmt, MpmMatch *m, SigMatch *nsm) TestWithinDistanceOffsetDepth(ThreadVars *t, DetectEngineThreadCtx *pmt, MpmMatch *m, SigMatch *nsm)
{ {
//printf("test_nextsigmatch m:%p, nsm:%p\n", m,nsm); //printf("test_nextsigmatch m:%p, nsm:%p\n", m,nsm);
if (nsm == NULL) if (nsm == NULL)
@ -147,7 +147,7 @@ TestWithinDistanceOffsetDepth(ThreadVars *t, PatternMatcherThread *pmt, MpmMatch
} }
static inline int static inline int
DoDetectUricontent(ThreadVars *t, PatternMatcherThread *pmt, Packet *p, SigMatch *sm, DetectUricontentData *co) DoDetectUricontent(ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, SigMatch *sm, DetectUricontentData *co)
{ {
int ret = 0; int ret = 0;
char match = 0; char match = 0;
@ -221,7 +221,7 @@ DoDetectUricontent(ThreadVars *t, PatternMatcherThread *pmt, Packet *p, SigMatch
* -1: error * -1: error
*/ */
int DetectUricontentMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m) int DetectUricontentMatch (ThreadVars *t, DetectEngineThreadCtx *pmt, Packet *p, Signature *s, SigMatch *m)
{ {
uint32_t len = 0; uint32_t len = 0;
@ -238,7 +238,7 @@ int DetectUricontentMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p,
#ifdef DEBUG #ifdef DEBUG
printf("uricontent \'"); printf("uricontent \'");
PrintRawUriFp(stdout, co->uricontent, co->uricontent_len); PrintRawUriFp(stdout, co->uricontent, co->uricontent_len);
printf("\' matched %" PRIu32 " time(s) at offsets: ", len); printf("\' matched %" PRIu32 " time(s) at offsets: ", len);
MpmMatch *tmpm = NULL; MpmMatch *tmpm = NULL;


@ -62,6 +62,7 @@ typedef struct DetectAddressGroup_ {
uint32_t cnt; uint32_t cnt;
} DetectAddressGroup; } DetectAddressGroup;
/** Signature grouping head. Here 'any', ipv4 and ipv6 are split out */
typedef struct DetectAddressGroupsHead_ { typedef struct DetectAddressGroupsHead_ {
DetectAddressGroup *any_head; DetectAddressGroup *any_head;
DetectAddressGroup *ipv4_head; DetectAddressGroup *ipv4_head;
@ -84,15 +85,13 @@ enum {
PORT_GT, /* bigger [bbb] [aaa] */ PORT_GT, /* bigger [bbb] [aaa] */
}; };
#define PORT_FLAG_ANY 0x1 #define PORT_FLAG_ANY 0x01 /**< 'any' special port */
#define PORT_FLAG_NOT 0x2 #define PORT_FLAG_NOT 0x02 /**< negated port */
#define PORT_SIGGROUPHEAD_COPY 0x04 /**< sgh is a ptr copy */
#define PORT_SIGGROUPHEAD_COPY 0x04 #define PORT_GROUP_PORTS_COPY 0x08 /**< dst_ph is a ptr copy */
#define PORT_GROUP_PORTS_COPY 0x08
/** \brief Port structure for detection engine */
typedef struct DetectPort_ { typedef struct DetectPort_ {
uint8_t flags;
uint16_t port; uint16_t port;
uint16_t port2; uint16_t port2;
@ -109,20 +108,21 @@ typedef struct DetectPort_ {
struct DetectPort_ *next; struct DetectPort_ *next;
uint32_t cnt; uint32_t cnt;
uint8_t flags; /**< flags for this port */
} DetectPort; } DetectPort;
/* Signature flags */ /* Signature flags */
#define SIG_FLAG_RECURSIVE 0x0001 /* recurive capturing enabled */ #define SIG_FLAG_RECURSIVE 0x0001 /**< recurive capturing enabled */
#define SIG_FLAG_SRC_ANY 0x0002 /* source is any */ #define SIG_FLAG_SRC_ANY 0x0002 /**< source is any */
#define SIG_FLAG_DST_ANY 0x0004 /* destination is any */ #define SIG_FLAG_DST_ANY 0x0004 /**< destination is any */
#define SIG_FLAG_SP_ANY 0x0008 /* source port is any */ #define SIG_FLAG_SP_ANY 0x0008 /**< source port is any */
#define SIG_FLAG_DP_ANY 0x0010 /* destination port is any */ #define SIG_FLAG_DP_ANY 0x0010 /**< destination port is any */
#define SIG_FLAG_NOALERT 0x0020 /* no alert flag is set */ #define SIG_FLAG_NOALERT 0x0020 /**< no alert flag is set */
#define SIG_FLAG_IPONLY 0x0040 /* ip only signature */ #define SIG_FLAG_IPONLY 0x0040 /**< ip only signature */
#define SIG_FLAG_MPM 0x0080 /* sig has mpm portion (content, uricontent, etc) */ #define SIG_FLAG_MPM 0x0080 /**< sig has mpm portion (content, uricontent, etc) */
/* Detection Engine flags */ /* Detection Engine flags */
#define DE_QUIET 0x01 /* DE is quiet (esp for unittests) */ #define DE_QUIET 0x01 /**< DE is quiet (esp for unittests) */
typedef struct DetectEngineIPOnlyThreadCtx_ { typedef struct DetectEngineIPOnlyThreadCtx_ {
DetectAddressGroup *src, *dst; DetectAddressGroup *src, *dst;
@ -130,78 +130,33 @@ typedef struct DetectEngineIPOnlyThreadCtx_ {
uint32_t sig_match_size; /* size in bytes of the array */ uint32_t sig_match_size; /* size in bytes of the array */
} DetectEngineIPOnlyThreadCtx; } DetectEngineIPOnlyThreadCtx;
/** /** \brief Signature container */
* Detection engine thread data.
* XXX: we should rename this
*/
typedef struct PatternMatcherThread_ {
/* detection engine variables */
uint8_t *pkt_ptr; /* ptr to the current position in the pkt */
uint16_t pkt_off;
uint8_t pkt_cnt;
char de_checking_distancewithin;
/* http_uri stuff for uricontent */
char de_have_httpuri;
/* pointer to the current mpm ctx that is stored
* in a rule group head -- can be either a content
* or uricontent ctx. */
MpmThreadCtx mtc; /* thread ctx for the mpm */
MpmThreadCtx mtcu;
struct SigGroupHead_ *sgh;
PatternMatcherQueue pmq;
/* counters */
uint32_t pkts;
uint32_t pkts_scanned;
uint32_t pkts_searched;
uint32_t pkts_scanned1;
uint32_t pkts_searched1;
uint32_t pkts_scanned2;
uint32_t pkts_searched2;
uint32_t pkts_scanned3;
uint32_t pkts_searched3;
uint32_t pkts_scanned4;
uint32_t pkts_searched4;
uint32_t uris;
uint32_t pkts_uri_scanned;
uint32_t pkts_uri_searched;
uint32_t pkts_uri_scanned1;
uint32_t pkts_uri_searched1;
uint32_t pkts_uri_scanned2;
uint32_t pkts_uri_searched2;
uint32_t pkts_uri_scanned3;
uint32_t pkts_uri_searched3;
uint32_t pkts_uri_scanned4;
uint32_t pkts_uri_searched4;
u_int64_t counter_alerts;
DetectEngineIPOnlyThreadCtx io_ctx;
} PatternMatcherThread;
typedef struct Signature_ { typedef struct Signature_ {
uint16_t flags; uint16_t flags;
uint32_t num; /* signature number, internal id */
uint32_t id;
uint8_t rev; uint8_t rev;
uint8_t prio; uint8_t prio;
uint32_t num; /**< signature number, internal id */
uint32_t id; /**< sid, set by the 'sid' rule keyword */
char *msg; char *msg;
uint8_t action;
/** addresses, ports and proto this sig matches on */
DetectAddressGroupsHead src, dst; DetectAddressGroupsHead src, dst;
DetectProto proto; DetectProto proto;
DetectPort *sp, *dp; DetectPort *sp, *dp;
/** ptr to the SigMatch list */
struct SigMatch_ *match; struct SigMatch_ *match;
/** ptr to the next sig in the list */
struct Signature_ *next; struct Signature_ *next;
/** inline -- action */
uint8_t action;
} Signature; } Signature;
/** \brief IP only rules matching ctx.
* \todo a radix tree would be great here */
typedef struct DetectEngineIPOnlyCtx_ { typedef struct DetectEngineIPOnlyCtx_ {
/* lookup hashes */ /* lookup hashes */
HashListTable *ht16_src, *ht16_dst; HashListTable *ht16_src, *ht16_dst;
@ -244,6 +199,7 @@ typedef struct DetectEngineLookupDsize_ {
*/ */
#define DSIZE_STATES 2 #define DSIZE_STATES 2
/** \brief main detection engine ctx */
typedef struct DetectEngineCtx_ { typedef struct DetectEngineCtx_ {
uint8_t flags; uint8_t flags;
@ -291,15 +247,73 @@ typedef struct DetectEngineCtx_ {
DetectEngineIPOnlyCtx io_ctx; DetectEngineIPOnlyCtx io_ctx;
} DetectEngineCtx; } DetectEngineCtx;
/**
* Detection engine thread data.
*/
typedef struct DetectionEngineThreadCtx_ {
/* detection engine variables */
uint8_t *pkt_ptr; /* ptr to the current position in the pkt */
uint16_t pkt_off;
uint8_t pkt_cnt;
char de_checking_distancewithin;
/* http_uri stuff for uricontent */
char de_have_httpuri;
/** pointer to the current mpm ctx that is stored
* in a rule group head -- can be either a content
* or uricontent ctx. */
MpmThreadCtx mtc; /**< thread ctx for the mpm */
MpmThreadCtx mtcu;
struct SigGroupHead_ *sgh;
PatternMatcherQueue pmq;
/* counters */
uint32_t pkts;
uint32_t pkts_scanned;
uint32_t pkts_searched;
uint32_t pkts_scanned1;
uint32_t pkts_searched1;
uint32_t pkts_scanned2;
uint32_t pkts_searched2;
uint32_t pkts_scanned3;
uint32_t pkts_searched3;
uint32_t pkts_scanned4;
uint32_t pkts_searched4;
uint32_t uris;
uint32_t pkts_uri_scanned;
uint32_t pkts_uri_searched;
uint32_t pkts_uri_scanned1;
uint32_t pkts_uri_searched1;
uint32_t pkts_uri_scanned2;
uint32_t pkts_uri_searched2;
uint32_t pkts_uri_scanned3;
uint32_t pkts_uri_searched3;
uint32_t pkts_uri_scanned4;
uint32_t pkts_uri_searched4;
/** id for alert counter */
uint16_t counter_alerts;
/** ip only rules ctx */
DetectEngineIPOnlyThreadCtx io_ctx;
DetectEngineCtx *de_ctx;
} DetectEngineThreadCtx;
/** \brief a single match condition for a signature */
typedef struct SigMatch_ { typedef struct SigMatch_ {
uint8_t type; uint8_t type; /**< match type */
void *ctx; void *ctx; /**< plugin specific data */
struct SigMatch_ *next; struct SigMatch_ *next;
struct SigMatch_ *prev; struct SigMatch_ *prev;
} SigMatch; } SigMatch;
/** \brief element in sigmatch type table. */
typedef struct SigTableElmt_ { typedef struct SigTableElmt_ {
int (*Match)(ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *); int (*Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
int (*Setup)(DetectEngineCtx *, Signature *, SigMatch *, char *); int (*Setup)(DetectEngineCtx *, Signature *, SigMatch *, char *);
void (*Free)(void *); void (*Free)(void *);
void (*RegisterTests)(void); void (*RegisterTests)(void);
@ -308,15 +322,15 @@ typedef struct SigTableElmt_ {
char *name; char *name;
} SigTableElmt; } SigTableElmt;
#define SIG_GROUP_HAVECONTENT 0x1 #define SIG_GROUP_HAVECONTENT 0x01
#define SIG_GROUP_HAVEURICONTENT 0x2 #define SIG_GROUP_HAVEURICONTENT 0x02
#define SIG_GROUP_HEAD_MPM_COPY 0x4 #define SIG_GROUP_HEAD_MPM_COPY 0x04
#define SIG_GROUP_HEAD_MPM_URI_COPY 0x8 #define SIG_GROUP_HEAD_MPM_URI_COPY 0x08
#define SIG_GROUP_HEAD_FREE 0x10 #define SIG_GROUP_HEAD_FREE 0x10
#define SIG_GROUP_HEAD_MPM_NOSCAN 0x20 #define SIG_GROUP_HEAD_MPM_NOSCAN 0x20
#define SIG_GROUP_HEAD_MPM_URI_NOSCAN 0x40 #define SIG_GROUP_HEAD_MPM_URI_NOSCAN 0x40
/* head of the list of containers. */ /** \brief head of the list of containers. */
typedef struct SigGroupHead_ { typedef struct SigGroupHead_ {
uint8_t flags; uint8_t flags;
@ -389,6 +403,7 @@ enum {
DETECT_PROTO, DETECT_PROTO,
DETECT_PORT, DETECT_PORT,
DETECT_DECODE_EVENT, DETECT_DECODE_EVENT,
/* make sure this stays last */ /* make sure this stays last */
DETECT_TBLSIZE, DETECT_TBLSIZE,
}; };
@ -399,7 +414,7 @@ SigTableElmt sigmatch_table[DETECT_TBLSIZE];
/* detection api */ /* detection api */
SigMatch *SigMatchAlloc(void); SigMatch *SigMatchAlloc(void);
void SigMatchAppend(Signature *, SigMatch *, SigMatch *); void SigMatchAppend(Signature *, SigMatch *, SigMatch *);
void SigCleanSignatures(void); void SigCleanSignatures(DetectEngineCtx *);
void SigTableRegisterTests(void); void SigTableRegisterTests(void);
void SigRegisterTests(void); void SigRegisterTests(void);
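Review bot: The moved thread-ctx struct is tagged `DetectionEngineThreadCtx_` but typedef'd `DetectEngineThreadCtx`, unlike every other struct in this header whose tag is the typedef name plus a trailing underscore (`SigMatch_`/`SigMatch`, `DetectEngineCtx_`/`DetectEngineCtx`); the tag should read `typedef struct DetectEngineThreadCtx_ {`. The move also silently changes `counter_alerts` from `u_int64_t` to `uint16_t` with the comment "id for alert counter"; if PerfTVRegisterCounter returns a counter id this is correct, but it deserves a line in the commit message and a check that no code still accumulates into the field. The new `DetectEngineCtx *de_ctx;` member is the only new field without a doxygen comment; `DetectEngineCtx *de_ctx; /**< engine ctx this thread ctx belongs to */` would match its neighbours. The converted SIG_FLAG_RECURSIVE comment keeps the old typo and could become `#define SIG_FLAG_RECURSIVE 0x0001 /**< recursive capturing enabled */`.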

@ -923,7 +923,7 @@ int main(int argc, char **argv)
BinSearchInit(); BinSearchInit();
CIDRInit(); CIDRInit();
SigParsePrepare(); SigParsePrepare();
PatternMatchPrepare(mpm_ctx); PatternMatchPrepare(mpm_ctx, MPM_B2G);
PerfInitCounterApi(); PerfInitCounterApi();
/** \todo we need an api for this */ /** \todo we need an api for this */
@ -1108,8 +1108,8 @@ int main(int argc, char **argv)
FlowShutdown(); FlowShutdown();
FlowPrintFlows(); FlowPrintFlows();
SigGroupCleanup(); SigGroupCleanup(g_de_ctx);
SigCleanSignatures(); SigCleanSignatures(g_de_ctx);
pthread_exit(NULL); pthread_exit(NULL);
} }
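Review bot: `PatternMatchPrepare(mpm_ctx, MPM_B2G);` hard-codes the matcher algorithm at the call site, while the mpm file in this same commit keeps its own `#define PM MPM_B2G`, so the choice is now spelled out in two places that can drift apart. Either drop the `PM` define now that the parameter exists, or route both through one named constant (or a runtime setting) so a future switch to another algorithm is a single edit. The SigGroupCleanup/SigCleanSignatures calls now take `g_de_ctx`; a brief comment at the first such call noting that the engine ctx owns those tables would help readers of the shutdown path. `main` starts and ends outside this hunk.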

@ -62,6 +62,10 @@ int VariableNameInitHash(DetectEngineCtx *de_ctx) {
return 0; return 0;
} }
void VariableNameFreeHash(DetectEngineCtx *de_ctx) {
HashListTableFree(de_ctx->variable_names);
}
/** \brief Get a name idx for a name. If the name is already used reuse the idx. /** \brief Get a name idx for a name. If the name is already used reuse the idx.
* \param de_ctx Ptr to the detection engine ctx. * \param de_ctx Ptr to the detection engine ctx.
* \param name nul terminated string with the name * \param name nul terminated string with the name
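Review bot: VariableNameFreeHash is added without a doxygen block although the neighbouring VariableNameGetIdx in the same hunk carries one; `/** \brief Free the variable names hash table of a detection engine ctx. \param de_ctx Ptr to the detection engine ctx. */` would match the file's style. Whether HashListTableFree tolerates a NULL table is not visible here; if VariableNameInitHash can fail and leave `de_ctx->variable_names` NULL, a guard `if (de_ctx->variable_names != NULL)` is needed. Clearing the pointer afterwards, `de_ctx->variable_names = NULL;`, also protects against a double free should the ctx be freed twice or the hash re-initialised.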

@ -2,6 +2,8 @@
#define __UTIL_VAR_NAME_H__ #define __UTIL_VAR_NAME_H__
int VariableNameInitHash(DetectEngineCtx *de_ctx); int VariableNameInitHash(DetectEngineCtx *de_ctx);
void VariableNameFreeHash(DetectEngineCtx *de_ctx);
uint16_t VariableNameGetIdx(DetectEngineCtx *, char *, uint8_t); uint16_t VariableNameGetIdx(DetectEngineCtx *, char *, uint8_t);
#endif #endif
