store the content added for mpm inside Signature. also carry out an unconditional cleanup of packet pattern matcher pmq det_ctx->pmq

remotes/origin/master-1.1.x
Anoop Saldanha 15 years ago committed by Victor Julien
parent 68b78664fa
commit bbd0c5056b

@ -549,6 +549,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
SigGroupHead *sgh, Signature *s, SigGroupHead *sgh, Signature *s,
SigMatch *mpm_sm) SigMatch *mpm_sm)
{ {
s->mpm_sm = mpm_sm;
/* now add the mpm_ch to the mpm ctx */ /* now add the mpm_ch to the mpm ctx */
if (mpm_sm != NULL) { if (mpm_sm != NULL) {
uint8_t flags = 0; uint8_t flags = 0;
@ -561,10 +563,7 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
cd = (DetectContentData *)mpm_sm->ctx; cd = (DetectContentData *)mpm_sm->ctx;
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) { if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
/* add the content to the "packet" mpm */ /* add the content to the "packet" mpm */
if (SignatureHasPacketContent(s) && if (SignatureHasPacketContent(s)) {
(sgh->flags & SIG_GROUP_HAVECONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_COPY))) {
if (cd->flags & DETECT_CONTENT_NOCASE) { if (cd->flags & DETECT_CONTENT_NOCASE) {
mpm_table[sgh->mpm_ctx->mpm_type]. mpm_table[sgh->mpm_ctx->mpm_type].
AddPatternNocase(sgh->mpm_ctx, AddPatternNocase(sgh->mpm_ctx,
@ -587,10 +586,7 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
s->flags |= SIG_FLAG_MPM_PACKET_NEG; s->flags |= SIG_FLAG_MPM_PACKET_NEG;
} }
} }
if (SignatureHasStreamContent(s) && if (SignatureHasStreamContent(s)) {
(sgh->flags & SIG_GROUP_HAVESTREAMCONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY))) {
if (cd->flags & DETECT_CONTENT_NOCASE) { if (cd->flags & DETECT_CONTENT_NOCASE) {
mpm_table[sgh->mpm_ctx->mpm_type]. mpm_table[sgh->mpm_ctx->mpm_type].
AddPatternNocase(sgh->mpm_ctx, AddPatternNocase(sgh->mpm_ctx,
@ -613,61 +609,24 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
s->flags |= SIG_FLAG_MPM_STREAM_NEG; s->flags |= SIG_FLAG_MPM_STREAM_NEG;
} }
} }
} else { } else {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
if (SignatureHasPacketContent(s) && if (SignatureHasPacketContent(s))
(sgh->flags & SIG_GROUP_HAVECONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_COPY))) {
cd->flags |= DETECT_CONTENT_PACKET_MPM; cd->flags |= DETECT_CONTENT_PACKET_MPM;
} if (SignatureHasStreamContent(s))
if (SignatureHasStreamContent(s) &&
(sgh->flags & SIG_GROUP_HAVESTREAMCONTENT
&& !(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY))) {
cd->flags |= DETECT_CONTENT_STREAM_MPM; cd->flags |= DETECT_CONTENT_STREAM_MPM;
}
/* see if we can bypass the match validation for this pattern */ /* see if we can bypass the match validation for this pattern */
} else { } else {
if (!(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) && if (DETECT_CONTENT_IS_SINGLE(cd)) {
!(cd->flags & DETECT_CONTENT_DEPTH) && if (SignatureHasPacketContent(s))
!(cd->flags & DETECT_CONTENT_OFFSET)) {
SigMatch *prev_sm = SigMatchGetLastSMFromLists(s, 2,
mpm_sm->type, mpm_sm->prev);
if (prev_sm != NULL) {
DetectContentData *prev_cd = (DetectContentData *)prev_sm->ctx;
if (!(prev_cd->flags & DETECT_CONTENT_RELATIVE_NEXT)) {
if (SignatureHasPacketContent(s) &&
(sgh->flags & SIG_GROUP_HAVECONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_COPY))) {
cd->flags |= DETECT_CONTENT_PACKET_MPM; cd->flags |= DETECT_CONTENT_PACKET_MPM;
} if (SignatureHasStreamContent(s))
if (SignatureHasStreamContent(s) &&
(sgh->flags & SIG_GROUP_HAVESTREAMCONTENT
&& !(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY))) {
cd->flags |= DETECT_CONTENT_STREAM_MPM; cd->flags |= DETECT_CONTENT_STREAM_MPM;
} }
}
} else {
if (SignatureHasPacketContent(s) &&
(sgh->flags & SIG_GROUP_HAVECONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_COPY))) {
cd->flags |= DETECT_CONTENT_PACKET_MPM;
}
if (SignatureHasStreamContent(s) &&
(sgh->flags & SIG_GROUP_HAVESTREAMCONTENT
&& !(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY))) {
cd->flags |= DETECT_CONTENT_STREAM_MPM;
}
} /* else - if (prev_sm != NULL) */
}
} /* else - if (co->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) */ } /* else - if (co->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) */
if (SignatureHasPacketContent(s) && if (SignatureHasPacketContent(s)) {
(sgh->flags & SIG_GROUP_HAVECONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_COPY))) {
/* add the content to the "packet" mpm */ /* add the content to the "packet" mpm */
if (cd->flags & DETECT_CONTENT_NOCASE) { if (cd->flags & DETECT_CONTENT_NOCASE) {
mpm_table[sgh->mpm_ctx->mpm_type]. mpm_table[sgh->mpm_ctx->mpm_type].
@ -689,10 +648,7 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
s->flags |= SIG_FLAG_MPM_PACKET_NEG; s->flags |= SIG_FLAG_MPM_PACKET_NEG;
} }
} }
if (SignatureHasStreamContent(s) && if (SignatureHasStreamContent(s)) {
(sgh->flags & SIG_GROUP_HAVESTREAMCONTENT
&& !(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY))) {
/* add the content to the "packet" mpm */ /* add the content to the "packet" mpm */
if (cd->flags & DETECT_CONTENT_NOCASE) { if (cd->flags & DETECT_CONTENT_NOCASE) {
mpm_table[sgh->mpm_stream_ctx->mpm_type]. mpm_table[sgh->mpm_stream_ctx->mpm_type].
@ -742,21 +698,9 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
/* see if we can bypass the match validation for this pattern */ /* see if we can bypass the match validation for this pattern */
} else { } else {
if (!(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) && if (DETECT_CONTENT_IS_SINGLE(ud)) {
!(ud->flags & DETECT_CONTENT_DEPTH) &&
!(ud->flags & DETECT_CONTENT_OFFSET)) {
SigMatch *prev_sm = SigMatchGetLastSMFromLists(s, 2,
mpm_sm->type, mpm_sm->prev);
if (prev_sm != NULL) {
DetectContentData *prev_ud = (DetectContentData *)prev_sm->ctx;
if (!(prev_ud->flags & DETECT_CONTENT_RELATIVE_NEXT)) {
ud->flags |= DETECT_CONTENT_URI_MPM; ud->flags |= DETECT_CONTENT_URI_MPM;
} }
} else {
ud->flags |= DETECT_CONTENT_URI_MPM;
}
}
} /* else - if (ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) */ } /* else - if (ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) */
/* add the content to the "packet" mpm */ /* add the content to the "packet" mpm */
@ -791,95 +735,99 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
return; return;
} }
/** ///**
* \internal // * \internal
* \brief Helper function for PrepareGroupPopulateMpm. Used to decide if a // * \brief Helper function for PrepareGroupPopulateMpm. Used to decide if a
* pattern should be skipped or considered under certain conditions. // * pattern should be skipped or considered under certain conditions.
* // *
* \param sgh Pointer to the sgh. // * \param sgh Pointer to the sgh.
* \param s Pointer to the signature. // * \param s Pointer to the signature.
* \param sm Pointer to the SigMatch which holds the content. // * \param sm Pointer to the SigMatch which holds the content.
* // *
* \retval 1 If the content should be skipped. // * \retval 1 If the content should be skipped.
* \retval 0 Otherwise. // * \retval 0 Otherwise.
*/ // */
static int PopulateMpmSkipContent(SigGroupHead *sgh, Signature *s, SigMatch *sm) //static int PopulateMpmSkipContent(SigGroupHead *sgh, Signature *s, SigMatch *sm)
{ //{
switch (sm->type) { // switch (sm->type) {
case DETECT_CONTENT: // case DETECT_CONTENT:
{ // {
if (s->flags & SIG_FLAG_HAS_NO_PKT_AND_STREAM_CONTENT) { // if (s->flags & SIG_FLAG_HAS_NO_PKT_AND_STREAM_CONTENT) {
return 1; // return 1;
} // }
//
if (!(sgh->flags & SIG_GROUP_HAVECONTENT && // if (!(sgh->flags & SIG_GROUP_HAVECONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_COPY)) && // !(sgh->flags & SIG_GROUP_HEAD_MPM_COPY)) &&
!(sgh->flags & SIG_GROUP_HAVESTREAMCONTENT && // !(sgh->flags & SIG_GROUP_HAVESTREAMCONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY))) { // !(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY))) {
return 1; // return 1;
} // }
//
DetectContentData *cd = sm->ctx; // DetectContentData *cd = sm->ctx;
if (cd->flags & DETECT_CONTENT_FAST_PATTERN) // if (cd->flags & DETECT_CONTENT_FAST_PATTERN)
return 0; // return 0;
//
if (sgh->flags & SIG_GROUP_HAVECONTENT && // return 1;
!(sgh->flags & SIG_GROUP_HEAD_MPM_COPY) && //
sgh->flags & SIG_GROUP_HAVESTREAMCONTENT && // if (sgh->flags & SIG_GROUP_HAVECONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)) { // !(sgh->flags & SIG_GROUP_HEAD_MPM_COPY) &&
if (sgh->mpm_content_maxlen == sgh->mpm_streamcontent_maxlen) { // sgh->flags & SIG_GROUP_HAVESTREAMCONTENT &&
if (cd->content_len < sgh->mpm_content_maxlen) // !(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)) {
return 1; // if (sgh->mpm_content_maxlen == sgh->mpm_streamcontent_maxlen) {
else // if (cd->content_len < sgh->mpm_content_maxlen)
return 0; // return 1;
} else if (sgh->mpm_content_maxlen < sgh->mpm_streamcontent_maxlen) { // else
if (cd->content_len < sgh->mpm_content_maxlen) // return 0;
return 1; // } else if (sgh->mpm_content_maxlen < sgh->mpm_streamcontent_maxlen) {
else // if (cd->content_len < sgh->mpm_content_maxlen)
return 0; // return 1;
} else { // else
if (cd->content_len < sgh->mpm_streamcontent_maxlen) // return 0;
return 1; // } else {
else // if (cd->content_len < sgh->mpm_streamcontent_maxlen)
return 0; // return 1;
} // else
} else if (sgh->flags & SIG_GROUP_HAVECONTENT && // return 0;
!(sgh->flags & SIG_GROUP_HEAD_MPM_COPY)) { // }
if (cd->content_len < sgh->mpm_content_maxlen) // } else if (sgh->flags & SIG_GROUP_HAVECONTENT &&
return 1; // !(sgh->flags & SIG_GROUP_HEAD_MPM_COPY)) {
else // if (cd->content_len < sgh->mpm_content_maxlen)
return 0; // return 1;
} else if (sgh->flags & SIG_GROUP_HAVESTREAMCONTENT && // else
!(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)){ // return 0;
if (cd->content_len < sgh->mpm_streamcontent_maxlen) // } else if (sgh->flags & SIG_GROUP_HAVESTREAMCONTENT &&
return 1; // !(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)){
else // if (cd->content_len < sgh->mpm_streamcontent_maxlen)
return 0; // return 1;
} // else
} // return 0;
// }
case DETECT_URICONTENT: // }
{ //
if (!(sgh->flags & SIG_GROUP_HAVEURICONTENT && // case DETECT_URICONTENT:
!(sgh->flags & SIG_GROUP_HEAD_MPM_URI_COPY))) { // {
return 1; // if (!(sgh->flags & SIG_GROUP_HAVEURICONTENT &&
} // !(sgh->flags & SIG_GROUP_HEAD_MPM_URI_COPY))) {
// return 1;
DetectContentData *cd = sm->ctx; // }
if (cd->flags & DETECT_CONTENT_FAST_PATTERN) //
return 0; // DetectContentData *cd = sm->ctx;
// if (cd->flags & DETECT_CONTENT_FAST_PATTERN)
if (cd->content_len < sgh->mpm_uricontent_maxlen) // return 0;
return 1; //
else // return 1;
return 0; //
} // if (cd->content_len < sgh->mpm_uricontent_maxlen)
// return 1;
default: // else
return 0; // return 0;
} // }
//
} // default:
// return 0;
// }
//
//}
/** /**
* \internal * \internal
@ -910,6 +858,13 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
if (s == NULL) if (s == NULL)
continue; continue;
/* we already have a sm set as fp for this sig. Add it to the current
* mpm context */
if (s->mpm_sm != NULL) {
PopulateMpmAddPatternToMpm(de_ctx, sgh, s, s->mpm_sm);
continue;
}
if (!(s->flags & SIG_FLAG_HAS_NO_PKT_AND_STREAM_CONTENT) && if (!(s->flags & SIG_FLAG_HAS_NO_PKT_AND_STREAM_CONTENT) &&
!SignatureHasPacketContent(s) && !SignatureHasStreamContent(s)) { !SignatureHasPacketContent(s) && !SignatureHasStreamContent(s)) {
s->flags |= SIG_FLAG_HAS_NO_PKT_AND_STREAM_CONTENT; s->flags |= SIG_FLAG_HAS_NO_PKT_AND_STREAM_CONTENT;
@ -929,9 +884,9 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
if (!FastPatternSupportEnabledForSigMatchType(sm->type)) if (!FastPatternSupportEnabledForSigMatchType(sm->type))
continue; continue;
if (PopulateMpmSkipContent(sgh, s, sm)) { //if (PopulateMpmSkipContent(sgh, s, sm)) {
continue; // continue;
} //}
DetectContentData *cd = (DetectContentData *)sm->ctx; DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
@ -951,6 +906,35 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
Signature *s = sgh->match_array[sig]; Signature *s = sgh->match_array[sig];
if (s == NULL) if (s == NULL)
continue; continue;
/* have taken care of this in the previous loop. move on to the next sig */
if (s->mpm_sm != NULL) {
continue;
}
int max_len = 0;
/* get the longest pattern in the sig */
if (!fast_pattern[sig]) {
SigMatch *sm = NULL;
int list_id = 0;
for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) {
if (!FastPatternSupportEnabledForSigMatchList(list_id))
continue;
for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) {
if (!FastPatternSupportEnabledForSigMatchType(sm->type))
continue;
//if (PopulateMpmSkipContent(sgh, s, sm)) {
// continue;
//}
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (max_len < cd->content_len)
max_len = cd->content_len;
}
}
}
SigMatch *mpm_sm = NULL; SigMatch *mpm_sm = NULL;
SigMatch *sm = NULL; SigMatch *sm = NULL;
@ -964,8 +948,7 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
continue; continue;
/* skip in case of: /* skip in case of:
* 1. we expect a fastpattern but this isn't it * 1. we expect a fastpattern but this isn't it */
* 2. we have a smaller content than mpm_content_maxlen */
if (fast_pattern[sig]) { if (fast_pattern[sig]) {
/* can be any content based keyword since all of them /* can be any content based keyword since all of them
* now use a unified structure - DetectContentData */ * now use a unified structure - DetectContentData */
@ -976,9 +959,14 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
} }
SCLogDebug("fast pattern %"PRIu32"", cd->id); SCLogDebug("fast pattern %"PRIu32"", cd->id);
} else { } else {
if (PopulateMpmSkipContent(sgh, s, sm)) { //if (PopulateMpmSkipContent(sgh, s, sm)) {
// continue;
//}
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->content_len < max_len)
continue; continue;
}
} /* else - if (fast_pattern[sig] == 1) */ } /* else - if (fast_pattern[sig] == 1) */
if (mpm_sm == NULL) { if (mpm_sm == NULL) {
@ -1782,17 +1770,17 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
uint32_t has_co_packet = 0; /**< our sgh has packet payload inspecting content */ uint32_t has_co_packet = 0; /**< our sgh has packet payload inspecting content */
uint32_t has_co_stream = 0; /**< our sgh has stream inspecting content */ uint32_t has_co_stream = 0; /**< our sgh has stream inspecting content */
uint32_t has_co_uri = 0; /**< our sgh has uri inspecting content */ uint32_t has_co_uri = 0; /**< our sgh has uri inspecting content */
uint32_t cnt = 0; //uint32_t cnt = 0;
uint32_t sig = 0; uint32_t sig = 0;
if (!(sh->flags & SIG_GROUP_HEAD_MPM_COPY)) //if (!(sh->flags & SIG_GROUP_HEAD_MPM_COPY))
sh->mpm_content_maxlen = 0; // sh->mpm_content_maxlen = 0;
//
if (!(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) //if (!(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY))
sh->mpm_uricontent_maxlen = 0; // sh->mpm_uricontent_maxlen = 0;
//
if (!(sh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)) //if (!(sh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY))
sh->mpm_streamcontent_maxlen = 0; // sh->mpm_streamcontent_maxlen = 0;
/* see if this head has content and/or uricontent */ /* see if this head has content and/or uricontent */
for (sig = 0; sig < sh->sig_cnt; sig++) { for (sig = 0; sig < sh->sig_cnt; sig++) {
@ -1868,133 +1856,133 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
} }
/* for each signature in this group do */ /* for each signature in this group do */
for (sig = 0; sig < sh->sig_cnt; sig++) { //for (sig = 0; sig < sh->sig_cnt; sig++) {
s = sh->match_array[sig]; // s = sh->match_array[sig];
if (s == NULL) // if (s == NULL)
continue; // continue;
//
cnt++; // cnt++;
//
char content_added = 0; // char content_added = 0;
char uricontent_added = 0; // char uricontent_added = 0;
char stream_content_added = 0; // char stream_content_added = 0;
uint16_t content_maxlen = 0, stream_content_maxlen = 0; // uint16_t content_maxlen = 0, stream_content_maxlen = 0;
uint16_t content_minlen = 0, stream_content_minlen = 0; // uint16_t content_minlen = 0, stream_content_minlen = 0;
uint16_t uricontent_maxlen = 0; // uint16_t uricontent_maxlen = 0;
uint16_t uricontent_minlen = 0; // uint16_t uricontent_minlen = 0;
//
SigMatch *sm; // SigMatch *sm;
//
/* determine the length of the longest pattern */ // /* determine the length of the longest pattern */
if (sh->flags & SIG_GROUP_HAVECONTENT && // if (sh->flags & SIG_GROUP_HAVECONTENT &&
!(sh->flags & SIG_GROUP_HEAD_MPM_COPY)) // !(sh->flags & SIG_GROUP_HEAD_MPM_COPY))
{ // {
if (SignatureHasPacketContent(s) == 1) { // if (SignatureHasPacketContent(s) == 1) {
for (sm = s->sm_lists[DETECT_SM_LIST_PMATCH]; sm != NULL; sm = sm->next) { // for (sm = s->sm_lists[DETECT_SM_LIST_PMATCH]; sm != NULL; sm = sm->next) {
if (sm->type != DETECT_CONTENT) // if (sm->type != DETECT_CONTENT)
continue; // continue;
//
DetectContentData *cd = (DetectContentData *)sm->ctx; // DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd == NULL) // if (cd == NULL)
continue; // continue;
//
if (cd->content_len > content_maxlen) // if (cd->content_len > content_maxlen)
content_maxlen = cd->content_len; // content_maxlen = cd->content_len;
//
if (content_minlen == 0) // if (content_minlen == 0)
content_minlen = cd->content_len; // content_minlen = cd->content_len;
else if (cd->content_len < content_minlen) // else if (cd->content_len < content_minlen)
content_minlen = cd->content_len; // content_minlen = cd->content_len;
//
if (!content_added) { // if (!content_added) {
content_added = 1; // content_added = 1;
} // }
} // }
//
if (content_added > 0) { // if (content_added > 0) {
if (sh->mpm_content_maxlen == 0) // if (sh->mpm_content_maxlen == 0)
sh->mpm_content_maxlen = content_maxlen; // sh->mpm_content_maxlen = content_maxlen;
if (sh->mpm_content_maxlen > content_maxlen) { // if (sh->mpm_content_maxlen > content_maxlen) {
SCLogDebug("sgh (%p) sh->mpm_content_maxlen %u set to %u", // SCLogDebug("sgh (%p) sh->mpm_content_maxlen %u set to %u",
sh, sh->mpm_content_maxlen, content_maxlen); // sh, sh->mpm_content_maxlen, content_maxlen);
//
sh->mpm_content_maxlen = content_maxlen; // sh->mpm_content_maxlen = content_maxlen;
} // }
} // }
} // }
} // }
//
if (sh->flags & SIG_GROUP_HAVESTREAMCONTENT && // if (sh->flags & SIG_GROUP_HAVESTREAMCONTENT &&
!(sh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)) // !(sh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY))
{ // {
if (SignatureHasStreamContent(s) == 1) { // if (SignatureHasStreamContent(s) == 1) {
for (sm = s->sm_lists[DETECT_SM_LIST_PMATCH]; sm != NULL; sm = sm->next) { // for (sm = s->sm_lists[DETECT_SM_LIST_PMATCH]; sm != NULL; sm = sm->next) {
if (sm->type != DETECT_CONTENT) // if (sm->type != DETECT_CONTENT)
continue; // continue;
//
DetectContentData *cd = (DetectContentData *)sm->ctx; // DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd == NULL) // if (cd == NULL)
continue; // continue;
//
if (cd->content_len > stream_content_maxlen) // if (cd->content_len > stream_content_maxlen)
stream_content_maxlen = cd->content_len; // stream_content_maxlen = cd->content_len;
//
if (stream_content_minlen == 0) // if (stream_content_minlen == 0)
stream_content_minlen = cd->content_len; // stream_content_minlen = cd->content_len;
else if (cd->content_len < stream_content_minlen) // else if (cd->content_len < stream_content_minlen)
stream_content_minlen = cd->content_len; // stream_content_minlen = cd->content_len;
//
if (!stream_content_added) { // if (!stream_content_added) {
stream_content_added = 1; // stream_content_added = 1;
} // }
} // }
//
if (stream_content_added > 0) { // if (stream_content_added > 0) {
if (sh->mpm_streamcontent_maxlen == 0) // if (sh->mpm_streamcontent_maxlen == 0)
sh->mpm_streamcontent_maxlen = stream_content_maxlen; // sh->mpm_streamcontent_maxlen = stream_content_maxlen;
if (sh->mpm_streamcontent_maxlen > stream_content_maxlen) { // if (sh->mpm_streamcontent_maxlen > stream_content_maxlen) {
SCLogDebug("sgh (%p) sh->mpm_streamcontent_maxlen %u set to %u", // SCLogDebug("sgh (%p) sh->mpm_streamcontent_maxlen %u set to %u",
sh, sh->mpm_streamcontent_maxlen, stream_content_maxlen); // sh, sh->mpm_streamcontent_maxlen, stream_content_maxlen);
//
sh->mpm_streamcontent_maxlen = stream_content_maxlen; // sh->mpm_streamcontent_maxlen = stream_content_maxlen;
} // }
} // }
} // }
} // }
//
if (sh->flags & SIG_GROUP_HAVEURICONTENT && // if (sh->flags & SIG_GROUP_HAVEURICONTENT &&
!(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) // !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY))
{ // {
/* determine the length of the longest pattern */ // /* determine the length of the longest pattern */
for (sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; sm != NULL; sm = sm->next) { // for (sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; sm != NULL; sm = sm->next) {
if (sm->type != DETECT_URICONTENT) // if (sm->type != DETECT_URICONTENT)
continue; // continue;
//
DetectContentData *ud = (DetectContentData *)sm->ctx; // DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud == NULL) // if (ud == NULL)
continue; // continue;
//
if (ud->content_len > uricontent_maxlen) // if (ud->content_len > uricontent_maxlen)
uricontent_maxlen = ud->content_len; // uricontent_maxlen = ud->content_len;
//
if (uricontent_minlen == 0) // if (uricontent_minlen == 0)
uricontent_minlen = ud->content_len; // uricontent_minlen = ud->content_len;
else if (ud->content_len < uricontent_minlen) // else if (ud->content_len < uricontent_minlen)
uricontent_minlen = ud->content_len; // uricontent_minlen = ud->content_len;
//
if (!uricontent_added) { // if (!uricontent_added) {
uricontent_added = 1; // uricontent_added = 1;
} // }
} // }
//
if (uricontent_added) { // if (uricontent_added) {
if (sh->mpm_uricontent_maxlen == 0) // if (sh->mpm_uricontent_maxlen == 0)
sh->mpm_uricontent_maxlen = uricontent_maxlen; // sh->mpm_uricontent_maxlen = uricontent_maxlen;
if (sh->mpm_uricontent_maxlen > uricontent_maxlen) // if (sh->mpm_uricontent_maxlen > uricontent_maxlen)
sh->mpm_uricontent_maxlen = uricontent_maxlen; // sh->mpm_uricontent_maxlen = uricontent_maxlen;
} // }
} // }
} //}
if ( (sh->flags & SIG_GROUP_HAVECONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_COPY)) || if ( (sh->flags & SIG_GROUP_HAVECONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_COPY)) ||
(sh->flags & SIG_GROUP_HAVESTREAMCONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)) || (sh->flags & SIG_GROUP_HAVESTREAMCONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)) ||
@ -2037,6 +2025,13 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
} }
} }
} }
} else {
MpmFactoryReClaimMpmCtx(sh->mpm_ctx);
sh->mpm_ctx = NULL;
MpmFactoryReClaimMpmCtx(sh->mpm_stream_ctx);
sh->mpm_stream_ctx = NULL;
MpmFactoryReClaimMpmCtx(sh->mpm_uri_ctx);
sh->mpm_uri_ctx = NULL;
} }
///* uricontent */ ///* uricontent */
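Review bot: The new `else` branch at the end of this section passes `sh->mpm_ctx`, `sh->mpm_stream_ctx` and `sh->mpm_uri_ctx` to `MpmFactoryReClaimMpmCtx()` without checking the `SIG_GROUP_HEAD_MPM_*_COPY` flags. The `if` it appears to pair with is false exactly when each context is either absent or a copy. If any path still sets those flags, the pointer is shared with another SigGroupHead, and reclaiming it here would leave that head with a dangling context (use-after-free, or a double free at teardown). Guard each call on its own flag, e.g. `if (!(sh->flags & SIG_GROUP_HEAD_MPM_COPY)) MpmFactoryReClaimMpmCtx(sh->mpm_ctx);`, using the STREAM and URI flags for the other two. PatternMatchPrepareGroup starts and ends outside the visible hunks, so the pairing of the `else` is inferred.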

@ -98,10 +98,16 @@ static int DoInspectPacketPayload(DetectEngineCtx *de_ctx,
* it here, please fill it in) */ * it here, please fill it in) */
if (det_ctx->flags & DETECT_ENGINE_THREAD_CTX_INSPECTING_PACKET) { if (det_ctx->flags & DETECT_ENGINE_THREAD_CTX_INSPECTING_PACKET) {
if (cd->flags & DETECT_CONTENT_PACKET_MPM && !(cd->flags & DETECT_CONTENT_NEGATED)) { if (cd->flags & DETECT_CONTENT_PACKET_MPM && !(cd->flags & DETECT_CONTENT_NEGATED)) {
goto match; /* we will remove this check in the end */
if (!DETECT_CONTENT_IS_SINGLE(cd))
abort();
//goto match;
} }
} else if (det_ctx->flags & DETECT_ENGINE_THREAD_CTX_INSPECTING_STREAM) { } else if (det_ctx->flags & DETECT_ENGINE_THREAD_CTX_INSPECTING_STREAM) {
if (cd->flags & DETECT_CONTENT_STREAM_MPM && !(cd->flags & DETECT_CONTENT_NEGATED)) { if (cd->flags & DETECT_CONTENT_STREAM_MPM && !(cd->flags & DETECT_CONTENT_NEGATED)) {
/* we will remove this check in the end */
if (!DETECT_CONTENT_IS_SINGLE(cd))
abort();
goto match; goto match;
} }
} }
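Review bot: The two added `abort()` calls sit on the per-packet inspection path, so a content flagged DETECT_CONTENT_PACKET_MPM or DETECT_CONTENT_STREAM_MPM that does not satisfy `DETECT_CONTENT_IS_SINGLE` stops the whole engine, and with it all monitoring, as soon as that branch is reached. The invariant is established when patterns are added to the mpm, so it is better enforced there at rule-load time, or kept here only as a debug-build assertion, with the release build falling through to the normal content validation. The packet branch now has `//goto match;` commented out while the stream branch still jumps to `match`; if that difference is deliberate, a comment such as `/* packet mpm hits are still validated below */` would say so. DoInspectPacketPayload's body continues outside the hunk.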

@ -1280,9 +1280,9 @@ end:
} }
/* cleanup pkt specific part of the patternmatcher */ /* cleanup pkt specific part of the patternmatcher */
if (sms_runflags & SMS_USED_PM) { //if (sms_runflags & SMS_USED_PM) {
PacketPatternCleanup(th_v, det_ctx); PacketPatternCleanup(th_v, det_ctx);
} //}
/* store the found sgh (or NULL) in the flow to save us from looking it /* store the found sgh (or NULL) in the flow to save us from looking it
* up again for the next packet. Also return any stream chunk we processed * up again for the next packet. Also return any stream chunk we processed
@ -2546,63 +2546,63 @@ int BuildDestinationAddressHeads(DetectEngineCtx *de_ctx, DetectAddressHead *hea
SigGroupHeadBuildMatchArray(de_ctx, sgr->sh, max_idx); SigGroupHeadBuildMatchArray(de_ctx, sgr->sh, max_idx);
/* content */ /* content */
SigGroupHeadLoadContent(de_ctx, sgr->sh); //SigGroupHeadLoadContent(de_ctx, sgr->sh);
if (sgr->sh->init->content_size == 0) { //if (sgr->sh->init->content_size == 0) {
de_ctx->mpm_none++; // de_ctx->mpm_none++;
} else { //} else {
/* now have a look if we can reuse a mpm ctx */ // /* now have a look if we can reuse a mpm ctx */
SigGroupHead *mpmsh = SigGroupHeadMpmHashLookup(de_ctx, sgr->sh); // SigGroupHead *mpmsh = SigGroupHeadMpmHashLookup(de_ctx, sgr->sh);
if (mpmsh == NULL) { // if (mpmsh == NULL) {
SigGroupHeadMpmHashAdd(de_ctx, sgr->sh); // SigGroupHeadMpmHashAdd(de_ctx, sgr->sh);
//
de_ctx->mpm_unique++; // de_ctx->mpm_unique++;
} else { // } else {
sgr->sh->mpm_ctx = mpmsh->mpm_ctx; // sgr->sh->mpm_ctx = mpmsh->mpm_ctx;
sgr->sh->flags |= SIG_GROUP_HEAD_MPM_COPY; // sgr->sh->flags |= SIG_GROUP_HEAD_MPM_COPY;
SigGroupHeadClearContent(sgr->sh); // SigGroupHeadClearContent(sgr->sh);
//
de_ctx->mpm_reuse++; // de_ctx->mpm_reuse++;
} // }
} //}
//
/* content */ ///* content */
SigGroupHeadLoadStreamContent(de_ctx, sgr->sh); //SigGroupHeadLoadStreamContent(de_ctx, sgr->sh);
if (sgr->sh->init->stream_content_size == 0) { //if (sgr->sh->init->stream_content_size == 0) {
de_ctx->mpm_none++; // de_ctx->mpm_none++;
} else { //} else {
/* now have a look if we can reuse a mpm ctx */ // /* now have a look if we can reuse a mpm ctx */
SigGroupHead *mpmsh = SigGroupHeadMpmStreamHashLookup(de_ctx, sgr->sh); // SigGroupHead *mpmsh = SigGroupHeadMpmStreamHashLookup(de_ctx, sgr->sh);
if (mpmsh == NULL) { // if (mpmsh == NULL) {
SigGroupHeadMpmStreamHashAdd(de_ctx, sgr->sh); // SigGroupHeadMpmStreamHashAdd(de_ctx, sgr->sh);
//
de_ctx->mpm_unique++; // de_ctx->mpm_unique++;
} else { // } else {
sgr->sh->mpm_stream_ctx = mpmsh->mpm_stream_ctx; // sgr->sh->mpm_stream_ctx = mpmsh->mpm_stream_ctx;
sgr->sh->flags |= SIG_GROUP_HEAD_MPM_STREAM_COPY; // sgr->sh->flags |= SIG_GROUP_HEAD_MPM_STREAM_COPY;
SigGroupHeadClearStreamContent(sgr->sh); // SigGroupHeadClearStreamContent(sgr->sh);
//
de_ctx->mpm_reuse++; // de_ctx->mpm_reuse++;
} // }
} //}
//
/* uricontent */ ///* uricontent */
SigGroupHeadLoadUricontent(de_ctx, sgr->sh); //SigGroupHeadLoadUricontent(de_ctx, sgr->sh);
if (sgr->sh->init->uri_content_size == 0) { //if (sgr->sh->init->uri_content_size == 0) {
de_ctx->mpm_uri_none++; // de_ctx->mpm_uri_none++;
} else { //} else {
/* now have a look if we can reuse a uri mpm ctx */ // /* now have a look if we can reuse a uri mpm ctx */
SigGroupHead *mpmsh = SigGroupHeadMpmUriHashLookup(de_ctx, sgr->sh); // SigGroupHead *mpmsh = SigGroupHeadMpmUriHashLookup(de_ctx, sgr->sh);
if (mpmsh == NULL) { // if (mpmsh == NULL) {
SigGroupHeadMpmUriHashAdd(de_ctx, sgr->sh); // SigGroupHeadMpmUriHashAdd(de_ctx, sgr->sh);
de_ctx->mpm_uri_unique++; // de_ctx->mpm_uri_unique++;
} else { // } else {
sgr->sh->mpm_uri_ctx = mpmsh->mpm_uri_ctx; // sgr->sh->mpm_uri_ctx = mpmsh->mpm_uri_ctx;
sgr->sh->flags |= SIG_GROUP_HEAD_MPM_URI_COPY; // sgr->sh->flags |= SIG_GROUP_HEAD_MPM_URI_COPY;
SigGroupHeadClearUricontent(sgr->sh); // SigGroupHeadClearUricontent(sgr->sh);
//
de_ctx->mpm_uri_reuse++; // de_ctx->mpm_uri_reuse++;
} // }
} //}
/* init the pattern matcher, this will respect the copy /* init the pattern matcher, this will respect the copy
* setting */ * setting */
@ -2855,67 +2855,67 @@ int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, DetectAdd
SigGroupHeadSetSigCnt(dp->sh, max_idx); SigGroupHeadSetSigCnt(dp->sh, max_idx);
SigGroupHeadBuildMatchArray(de_ctx,dp->sh, max_idx); SigGroupHeadBuildMatchArray(de_ctx,dp->sh, max_idx);
SigGroupHeadLoadContent(de_ctx, dp->sh); //SigGroupHeadLoadContent(de_ctx, dp->sh);
if (dp->sh->init->content_size == 0) { //if (dp->sh->init->content_size == 0) {
de_ctx->mpm_none++; // de_ctx->mpm_none++;
} else { //} else {
/* now have a look if we can reuse a mpm ctx */ // /* now have a look if we can reuse a mpm ctx */
SigGroupHead *mpmsh = SigGroupHeadMpmHashLookup(de_ctx, dp->sh); // SigGroupHead *mpmsh = SigGroupHeadMpmHashLookup(de_ctx, dp->sh);
if (mpmsh == NULL) { // if (mpmsh == NULL) {
SigGroupHeadMpmHashAdd(de_ctx, dp->sh); // SigGroupHeadMpmHashAdd(de_ctx, dp->sh);
//
de_ctx->mpm_unique++; // de_ctx->mpm_unique++;
} else { // } else {
/* XXX write dedicated function for this */ // /* XXX write dedicated function for this */
dp->sh->mpm_ctx = mpmsh->mpm_ctx; // dp->sh->mpm_ctx = mpmsh->mpm_ctx;
//SCLogDebug("replacing dp->sh, so setting mpm_content_maxlen to %u (was %u)", mpmsh->mpm_content_maxlen, dp->sh->mpm_content_maxlen); // //SCLogDebug("replacing dp->sh, so setting mpm_content_maxlen to %u (was %u)", mpmsh->mpm_content_maxlen, dp->sh->mpm_content_maxlen);
//dp->sh->mpm_content_maxlen = mpmsh->mpm_content_maxlen; // //dp->sh->mpm_content_maxlen = mpmsh->mpm_content_maxlen;
dp->sh->flags |= SIG_GROUP_HEAD_MPM_COPY; // dp->sh->flags |= SIG_GROUP_HEAD_MPM_COPY;
SigGroupHeadClearContent(dp->sh); // SigGroupHeadClearContent(dp->sh);
//
de_ctx->mpm_reuse++; // de_ctx->mpm_reuse++;
} // }
} //}
//
/* content */ ///* content */
SigGroupHeadLoadStreamContent(de_ctx, dp->sh); //SigGroupHeadLoadStreamContent(de_ctx, dp->sh);
if (dp->sh->init->stream_content_size == 0) { //if (dp->sh->init->stream_content_size == 0) {
de_ctx->mpm_none++; // de_ctx->mpm_none++;
} else { //} else {
/* now have a look if we can reuse a mpm ctx */ // /* now have a look if we can reuse a mpm ctx */
SigGroupHead *mpmsh = SigGroupHeadMpmStreamHashLookup(de_ctx, dp->sh); // SigGroupHead *mpmsh = SigGroupHeadMpmStreamHashLookup(de_ctx, dp->sh);
if (mpmsh == NULL) { // if (mpmsh == NULL) {
SigGroupHeadMpmStreamHashAdd(de_ctx, dp->sh); // SigGroupHeadMpmStreamHashAdd(de_ctx, dp->sh);
//
de_ctx->mpm_unique++; // de_ctx->mpm_unique++;
} else { // } else {
SCLogDebug("replacing mpm_stream_ctx %p by %p", dp->sh->mpm_stream_ctx, mpmsh->mpm_stream_ctx); // SCLogDebug("replacing mpm_stream_ctx %p by %p", dp->sh->mpm_stream_ctx, mpmsh->mpm_stream_ctx);
dp->sh->mpm_stream_ctx = mpmsh->mpm_stream_ctx; // dp->sh->mpm_stream_ctx = mpmsh->mpm_stream_ctx;
dp->sh->flags |= SIG_GROUP_HEAD_MPM_STREAM_COPY; // dp->sh->flags |= SIG_GROUP_HEAD_MPM_STREAM_COPY;
SigGroupHeadClearStreamContent(dp->sh); // SigGroupHeadClearStreamContent(dp->sh);
//
de_ctx->mpm_reuse++; // de_ctx->mpm_reuse++;
} // }
} //}
//
SigGroupHeadLoadUricontent(de_ctx, dp->sh); //SigGroupHeadLoadUricontent(de_ctx, dp->sh);
if (dp->sh->init->uri_content_size == 0) { //if (dp->sh->init->uri_content_size == 0) {
de_ctx->mpm_uri_none++; // de_ctx->mpm_uri_none++;
} else { //} else {
/* now have a look if we can reuse a uri mpm ctx */ // /* now have a look if we can reuse a uri mpm ctx */
SigGroupHead *mpmsh = SigGroupHeadMpmUriHashLookup(de_ctx, dp->sh); // SigGroupHead *mpmsh = SigGroupHeadMpmUriHashLookup(de_ctx, dp->sh);
if (mpmsh == NULL) { // if (mpmsh == NULL) {
SigGroupHeadMpmUriHashAdd(de_ctx, dp->sh); // SigGroupHeadMpmUriHashAdd(de_ctx, dp->sh);
//
de_ctx->mpm_uri_unique++; // de_ctx->mpm_uri_unique++;
} else { // } else {
dp->sh->mpm_uri_ctx = mpmsh->mpm_uri_ctx; // dp->sh->mpm_uri_ctx = mpmsh->mpm_uri_ctx;
dp->sh->flags |= SIG_GROUP_HEAD_MPM_URI_COPY; // dp->sh->flags |= SIG_GROUP_HEAD_MPM_URI_COPY;
SigGroupHeadClearUricontent(dp->sh); // SigGroupHeadClearUricontent(dp->sh);
//
de_ctx->mpm_uri_reuse++; // de_ctx->mpm_uri_reuse++;
} // }
} //}
/* init the pattern matcher, this will respect the copy /* init the pattern matcher, this will respect the copy
* setting */ * setting */
if (PatternMatchPrepareGroup(de_ctx, dp->sh) < 0) { if (PatternMatchPrepareGroup(de_ctx, dp->sh) < 0) {
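Review bot: Both mpm-context reuse blocks in this file are disabled by prefixing every line with `//` rather than being deleted, which leaves roughly sixty lines of dead code per function and no statement of what replaces them. With them disabled, nothing in the visible code increments `de_ctx->mpm_none`, `mpm_unique`, `mpm_reuse` or the `mpm_uri_*` counters, so any statistics derived from them would no longer be meaningful. Each group head presumably now builds its own contexts, which would affect rule-load memory. I would delete the commented blocks, together with the commented-out `if (sms_runflags & SMS_USED_PM)` around `PacketPatternCleanup`, and leave one line in each place, e.g. `/* mpm ctx sharing between sghs is no longer set up here */` and `/* always reset det_ctx->pmq, even when no mpm ran for this packet */`.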

@ -306,6 +306,15 @@ typedef struct SignatureHeader_ {
struct Signature_ *full_sig; struct Signature_ *full_sig;
} SignatureHeader; } SignatureHeader;
/** \brief a single match condition for a signature */
typedef struct SigMatch_ {
uint16_t idx; /**< position in the signature */
uint8_t type; /**< match type */
void *ctx; /**< plugin specific data */
struct SigMatch_ *next;
struct SigMatch_ *prev;
} SigMatch;
/** \brief Signature container */ /** \brief Signature container */
typedef struct Signature_ { typedef struct Signature_ {
union { union {
@ -345,6 +354,9 @@ typedef struct Signature_ {
/** pattern in the mpm matcher */ /** pattern in the mpm matcher */
PatIntId mpm_uripattern_id; PatIntId mpm_uripattern_id;
/* the fast pattern added from this signature */
SigMatch *mpm_sm;
/** ipv4 match arrays */ /** ipv4 match arrays */
DetectMatchAddressIPv4 *addr_dst_match4; DetectMatchAddressIPv4 *addr_dst_match4;
uint16_t addr_dst_match4_cnt; uint16_t addr_dst_match4_cnt;
@ -713,15 +725,6 @@ typedef struct DetectionEngineThreadCtx_ {
#endif #endif
} DetectEngineThreadCtx; } DetectEngineThreadCtx;
/** \brief a single match condition for a signature */
typedef struct SigMatch_ {
uint16_t idx; /**< position in the signature */
uint8_t type; /**< match type */
void *ctx; /**< plugin specific data */
struct SigMatch_ *next;
struct SigMatch_ *prev;
} SigMatch;
/** \brief element in sigmatch type table. */ /** \brief element in sigmatch type table. */
typedef struct SigTableElmt_ { typedef struct SigTableElmt_ {
/** Packet match function pointer */ /** Packet match function pointer */
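Review bot: The comment on the new `mpm_sm` field does not say that the pointer is non-owning or where it is set, although it appears to point into the signature's own SigMatch lists. PatternMatchPreparePopulateMpm now dereferences `s->mpm_sm` for every later group head, so anything that removes or frees that SigMatch after the first assignment would leave it dangling; whether such a path exists is not visible from this hunk. Suggested comment, in the header's Doxygen style: `/** fast pattern chosen for this sig; borrowed pointer into sm_lists, set by PopulateMpmAddPatternToMpm, never freed through this field */`.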

@ -182,6 +182,9 @@ MpmCtx *MpmFactoryGetMpmCtxForProfile(int32_t id)
void MpmFactoryReClaimMpmCtx(MpmCtx *mpm_ctx) void MpmFactoryReClaimMpmCtx(MpmCtx *mpm_ctx)
{ {
if (mpm_ctx == NULL)
return;
if (!MpmFactoryIsMpmCtxAvailable(mpm_ctx)) if (!MpmFactoryIsMpmCtxAvailable(mpm_ctx))
free(mpm_ctx); free(mpm_ctx);
