|
|
|
@ -983,11 +983,10 @@ static void PopulateMpmHelperAddPatternToPktCtx(MpmCtx *mpm_ctx,
|
|
|
|
#define SGH_DIRECTION_TS(sgh) ((sgh)->init->direction & SIG_FLAG_TOSERVER)
|
|
|
|
#define SGH_DIRECTION_TS(sgh) ((sgh)->init->direction & SIG_FLAG_TOSERVER)
|
|
|
|
#define SGH_DIRECTION_TC(sgh) ((sgh)->init->direction & SIG_FLAG_TOCLIENT)
|
|
|
|
#define SGH_DIRECTION_TC(sgh) ((sgh)->init->direction & SIG_FLAG_TOCLIENT)
|
|
|
|
|
|
|
|
|
|
|
|
SigMatch *RetrieveFPForSig(Signature *s)
|
|
|
|
void RetrieveFPForSig(Signature *s)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
if (s->mpm_sm != NULL)
|
|
|
|
if (s->mpm_sm != NULL)
|
|
|
|
return s->mpm_sm;
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SigMatch *mpm_sm = NULL, *sm = NULL;
|
|
|
|
SigMatch *mpm_sm = NULL, *sm = NULL;
|
|
|
|
int nn_sm_list[DETECT_SM_LIST_MAX];
|
|
|
|
int nn_sm_list[DETECT_SM_LIST_MAX];
|
|
|
|
@ -998,6 +997,8 @@ SigMatch *RetrieveFPForSig(Signature *s)
|
|
|
|
int count_n_sm_list = 0;
|
|
|
|
int count_n_sm_list = 0;
|
|
|
|
int list_id;
|
|
|
|
int list_id;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* inspect rule to see if we have the fast_pattern keyword to
|
|
|
|
|
|
|
|
* force using a sig, otherwise keep stats about the patterns */
|
|
|
|
for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
|
|
|
|
for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
|
|
|
|
if (!FastPatternSupportEnabledForSigMatchList(list_id))
|
|
|
|
if (!FastPatternSupportEnabledForSigMatchList(list_id))
|
|
|
|
continue;
|
|
|
|
continue;
|
|
|
|
@ -1007,8 +1008,13 @@ SigMatch *RetrieveFPForSig(Signature *s)
|
|
|
|
continue;
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
DetectContentData *cd = (DetectContentData *)sm->ctx;
|
|
|
|
DetectContentData *cd = (DetectContentData *)sm->ctx;
|
|
|
|
if ((cd->flags & DETECT_CONTENT_FAST_PATTERN))
|
|
|
|
|
|
|
|
return sm;
|
|
|
|
/* fast_pattern set in rule, so using this pattern */
|
|
|
|
|
|
|
|
if ((cd->flags & DETECT_CONTENT_FAST_PATTERN)) {
|
|
|
|
|
|
|
|
s->mpm_sm = sm;
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (cd->flags & DETECT_CONTENT_NEGATED) {
|
|
|
|
if (cd->flags & DETECT_CONTENT_NEGATED) {
|
|
|
|
n_sm_list[list_id] = 1;
|
|
|
|
n_sm_list[list_id] = 1;
|
|
|
|
count_n_sm_list++;
|
|
|
|
count_n_sm_list++;
|
|
|
|
@ -1016,9 +1022,10 @@ SigMatch *RetrieveFPForSig(Signature *s)
|
|
|
|
nn_sm_list[list_id] = 1;
|
|
|
|
nn_sm_list[list_id] = 1;
|
|
|
|
count_nn_sm_list++;
|
|
|
|
count_nn_sm_list++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} /* for */
|
|
|
|
}
|
|
|
|
} /* for */
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* prefer normal not-negated over negated */
|
|
|
|
int *curr_sm_list = NULL;
|
|
|
|
int *curr_sm_list = NULL;
|
|
|
|
int skip_negated_content = 1;
|
|
|
|
int skip_negated_content = 1;
|
|
|
|
if (count_nn_sm_list > 0) {
|
|
|
|
if (count_nn_sm_list > 0) {
|
|
|
|
@ -1027,7 +1034,7 @@ SigMatch *RetrieveFPForSig(Signature *s)
|
|
|
|
curr_sm_list = n_sm_list;
|
|
|
|
curr_sm_list = n_sm_list;
|
|
|
|
skip_negated_content = 0;
|
|
|
|
skip_negated_content = 0;
|
|
|
|
} else {
|
|
|
|
} else {
|
|
|
|
return NULL;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int final_sm_list[DETECT_SM_LIST_MAX];
|
|
|
|
int final_sm_list[DETECT_SM_LIST_MAX];
|
|
|
|
@ -1038,8 +1045,8 @@ SigMatch *RetrieveFPForSig(Signature *s)
|
|
|
|
while (tmp != NULL) {
|
|
|
|
while (tmp != NULL) {
|
|
|
|
for (priority = tmp->priority;
|
|
|
|
for (priority = tmp->priority;
|
|
|
|
tmp != NULL && priority == tmp->priority;
|
|
|
|
tmp != NULL && priority == tmp->priority;
|
|
|
|
tmp = tmp->next) {
|
|
|
|
tmp = tmp->next)
|
|
|
|
|
|
|
|
{
|
|
|
|
if (curr_sm_list[tmp->list_id] == 0)
|
|
|
|
if (curr_sm_list[tmp->list_id] == 0)
|
|
|
|
continue;
|
|
|
|
continue;
|
|
|
|
final_sm_list[count_final_sm_list++] = tmp->list_id;
|
|
|
|
final_sm_list[count_final_sm_list++] = tmp->list_id;
|
|
|
|
@ -1096,11 +1103,12 @@ SigMatch *RetrieveFPForSig(Signature *s)
|
|
|
|
} else {
|
|
|
|
} else {
|
|
|
|
SCLogDebug("sticking with mpm_sm");
|
|
|
|
SCLogDebug("sticking with mpm_sm");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} /* else - if */
|
|
|
|
}
|
|
|
|
} /* for */
|
|
|
|
}
|
|
|
|
} /* for */
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return mpm_sm;
|
|
|
|
s->mpm_sm = mpm_sm;
|
|
|
|
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/** \internal
|
|
|
|
/** \internal
|
|
|
|
@ -1767,7 +1775,7 @@ int DetectSetFastPatternAndItsId(DetectEngineCtx *de_ctx)
|
|
|
|
* true size, since duplicates are removed below, but counted here.
|
|
|
|
* true size, since duplicates are removed below, but counted here.
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
for (s = de_ctx->sig_list; s != NULL; s = s->next) {
|
|
|
|
for (s = de_ctx->sig_list; s != NULL; s = s->next) {
|
|
|
|
s->mpm_sm = RetrieveFPForSig(s);
|
|
|
|
RetrieveFPForSig(s);
|
|
|
|
if (s->mpm_sm != NULL) {
|
|
|
|
if (s->mpm_sm != NULL) {
|
|
|
|
DetectContentData *cd = (DetectContentData *)s->mpm_sm->ctx;
|
|
|
|
DetectContentData *cd = (DetectContentData *)s->mpm_sm->ctx;
|
|
|
|
struct_total_size += sizeof(DetectFPAndItsId);
|
|
|
|
struct_total_size += sizeof(DetectFPAndItsId);
|
|
|
|
|
Victor Julien
10 years ago