aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect-mpm: make sgh setup proto aware

Browse Source 
Allow multi-proto, multi-direction sgh's.
pull/1978/head
Victor Julien 10 years ago
parent 4223ce9aba
commit d82df4eb8b
5 changed files with 213 additions and 254 deletions
Show Stats Download Patch File Download Diff File

451
src/detect-engine-mpm.c
Unescape Escape View File

@ -1149,6 +1149,139 @@ static void PopulateMpmHelperAddPatternToPktCtx(MpmCtx *mpm_ctx,
return;
}
#define SGH_PROTO(sgh, p) ((sgh)->init->protos[(p)] == 1)
#define SGH_DIRECTION_TS(sgh) ((sgh)->init->direction & SIG_FLAG_TOSERVER)
#define SGH_DIRECTION_TC(sgh) ((sgh)->init->direction & SIG_FLAG_TOCLIENT)
/* TODO the sig updates don't belong here */
static void PopulateMpmAddPatternToMpmPMATCH(const DetectEngineCtx *de_ctx,
SigGroupHead *sgh, Signature *s,
SigMatch *mpm_sm)
{
DetectContentData *cd = (DetectContentData *)mpm_sm->ctx;
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
if (DETECT_CONTENT_IS_SINGLE(cd) &&
!(cd->flags & DETECT_CONTENT_NEGATED) &&
!(cd->flags & DETECT_CONTENT_REPLACE) &&
cd->content_len == cd->fp_chop_len)
{
cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
}
} else {
if (DETECT_CONTENT_IS_SINGLE(cd) &&
!(cd->flags & DETECT_CONTENT_NEGATED) &&
!(cd->flags & DETECT_CONTENT_REPLACE))
{
cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
}
}
/* add the content to the "packet" mpm:
* chop is handled in PopulateMpmHelperAddPatternToPktCtx
*/
if (SignatureHasPacketContent(s)) {
/* per TCP packet mpm */
if (SGH_PROTO(sgh, IPPROTO_TCP) && (s->proto.proto[IPPROTO_TCP / 8] & 1 << (IPPROTO_TCP % 8))) {
if (SGH_DIRECTION_TS(sgh) && s->flags & SIG_FLAG_TOSERVER) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_tcp_ctx_ts,
cd, s, 0, (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP));
}
if (SGH_DIRECTION_TC(sgh) && s->flags & SIG_FLAG_TOCLIENT) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_tcp_ctx_tc,
cd, s, 0, (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP));
}
}
}
/* per UDP packet mpm */
if (SGH_PROTO(sgh, IPPROTO_UDP) && (s->proto.proto[IPPROTO_UDP / 8] & 1 << (IPPROTO_UDP % 8))) {
if (SGH_DIRECTION_TS(sgh) && s->flags & SIG_FLAG_TOSERVER) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_udp_ctx_ts,
cd, s, 0, (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP));
}
if (SGH_DIRECTION_TC(sgh) && s->flags & SIG_FLAG_TOCLIENT) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_udp_ctx_tc,
cd, s, 0, (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP));
}
}
/* other IP protocols */
if (!(SGH_PROTO(sgh, IPPROTO_TCP) || SGH_PROTO(sgh, IPPROTO_UDP))) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_other_ctx,
cd, s, 0, (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP));
}
/* tell matcher we are inspecting packet */
s->flags |= SIG_FLAG_MPM_PACKET;
s->mpm_pattern_id_div_8 = cd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
if (cd->flags & DETECT_CONTENT_NEGATED) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_PACKET_NEG;
}
sgh->flags |= SIG_GROUP_HEAD_MPM_PACKET;
/* for TCP, we have a special "stream" mpm as well */
if (SGH_PROTO(sgh, IPPROTO_TCP) && SignatureHasStreamContent(s)) {
if (cd->flags & DETECT_CONTENT_NOCASE) {
if (SGH_DIRECTION_TS(sgh) && s->flags & SIG_FLAG_TOSERVER) {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
MpmAddPatternCI(sgh->mpm_stream_ctx_ts,
cd->content + cd->fp_chop_offset, cd->fp_chop_len,
0, 0, cd->id, s->num, 0);
} else {
MpmAddPatternCI(sgh->mpm_stream_ctx_ts,
cd->content, cd->content_len,
0, 0, cd->id, s->num, 0);
}
}
if (SGH_DIRECTION_TC(sgh) && s->flags & SIG_FLAG_TOCLIENT) {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
MpmAddPatternCI(sgh->mpm_stream_ctx_tc,
cd->content + cd->fp_chop_offset, cd->fp_chop_len,
0, 0, cd->id, s->num, 0);
} else {
MpmAddPatternCI(sgh->mpm_stream_ctx_tc,
cd->content, cd->content_len,
0, 0, cd->id, s->num, 0);
}
}
} else {
if (SGH_DIRECTION_TS(sgh) && s->flags & SIG_FLAG_TOSERVER) {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
MpmAddPatternCS(sgh->mpm_stream_ctx_ts,
cd->content + cd->fp_chop_offset, cd->fp_chop_len,
0, 0, cd->id, s->num, 0);
} else {
MpmAddPatternCS(sgh->mpm_stream_ctx_ts,
cd->content, cd->content_len,
0, 0, cd->id, s->num, 0);
}
}
if (SGH_DIRECTION_TC(sgh) && s->flags & SIG_FLAG_TOCLIENT) {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
MpmAddPatternCS(sgh->mpm_stream_ctx_tc,
cd->content + cd->fp_chop_offset, cd->fp_chop_len,
0, 0, cd->id, s->num, 0);
} else {
MpmAddPatternCS(sgh->mpm_stream_ctx_tc,
cd->content, cd->content_len,
0, 0, cd->id, s->num, 0);
}
}
}
/* tell matcher we are inspecting stream */
s->flags |= SIG_FLAG_MPM_STREAM;
s->mpm_pattern_id_div_8 = cd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
if (cd->flags & DETECT_CONTENT_NEGATED) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_STREAM_NEG;
}
sgh->flags |= SIG_GROUP_HEAD_MPM_STREAM;
}
}
static void PopulateMpmAddPatternToMpm(const DetectEngineCtx *de_ctx,
SigGroupHead *sgh, Signature *s,
SigMatch *mpm_sm)
@ -1171,187 +1304,7 @@ static void PopulateMpmAddPatternToMpm(const DetectEngineCtx *de_ctx,
switch (sm_list) {
case DETECT_SM_LIST_PMATCH:
{
cd = (DetectContentData *)mpm_sm->ctx;
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
if (DETECT_CONTENT_IS_SINGLE(cd) &&
!(cd->flags & DETECT_CONTENT_NEGATED) &&
!(cd->flags & DETECT_CONTENT_REPLACE) &&
cd->content_len == cd->fp_chop_len) {
cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
}
/* add the content to the "packet" mpm */
if (SignatureHasPacketContent(s)) {
if (s->proto.proto[6 / 8] & 1 << (6 % 8)) {
if (s->flags & SIG_FLAG_TOSERVER) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_tcp_ctx_ts,
cd, s, flags, 1);
}
if (s->flags & SIG_FLAG_TOCLIENT) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_tcp_ctx_tc,
cd, s, flags, 1);
}
}
if (s->proto.proto[17 / 8] & 1 << (17 % 8)) {
if (s->flags & SIG_FLAG_TOSERVER) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_udp_ctx_ts,
cd, s, flags, 1);
}
if (s->flags & SIG_FLAG_TOCLIENT) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_udp_ctx_tc,
cd, s, flags, 1);
}
}
int i;
for (i = 0; i < 256; i++) {
if (i == 6 || i == 17)
continue;
if (s->proto.proto[i / 8] & (1 << (i % 8))) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_other_ctx,
cd, s, flags, 1);
break;
}
}
/* tell matcher we are inspecting packet */
s->flags |= SIG_FLAG_MPM_PACKET;
s->mpm_pattern_id_div_8 = cd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
if (cd->flags & DETECT_CONTENT_NEGATED) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_PACKET_NEG;
}
}
if (SignatureHasStreamContent(s)) {
if (cd->flags & DETECT_CONTENT_NOCASE) {
if (s->flags & SIG_FLAG_TOSERVER) {
MpmAddPatternCI(sgh->mpm_stream_ctx_ts,
cd->content + cd->fp_chop_offset, cd->fp_chop_len,
0, 0,
cd->id, s->num, flags);
}
if (s->flags & SIG_FLAG_TOCLIENT) {
MpmAddPatternCI(sgh->mpm_stream_ctx_tc,
cd->content + cd->fp_chop_offset, cd->fp_chop_len,
0, 0,
cd->id, s->num, flags);
}
} else {
if (s->flags & SIG_FLAG_TOSERVER) {
MpmAddPatternCS(sgh->mpm_stream_ctx_ts,
cd->content + cd->fp_chop_offset, cd->fp_chop_len,
0, 0,
cd->id, s->num, flags);
}
if (s->flags & SIG_FLAG_TOCLIENT) {
MpmAddPatternCS(sgh->mpm_stream_ctx_tc,
cd->content + cd->fp_chop_offset, cd->fp_chop_len,
0, 0,
cd->id, s->num, flags);
}
}
/* tell matcher we are inspecting stream */
s->flags |= SIG_FLAG_MPM_STREAM;
s->mpm_pattern_id_div_8 = cd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
if (cd->flags & DETECT_CONTENT_NEGATED) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_STREAM_NEG;
}
}
} else {
if (DETECT_CONTENT_IS_SINGLE(cd) &&
!(cd->flags & DETECT_CONTENT_NEGATED) &&
!(cd->flags & DETECT_CONTENT_REPLACE)) {
cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
}
if (SignatureHasPacketContent(s)) {
/* add the content to the "packet" mpm */
if (s->proto.proto[6 / 8] & 1 << (6 % 8)) {
if (s->flags & SIG_FLAG_TOSERVER) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_tcp_ctx_ts,
cd, s, flags, 0);
}
if (s->flags & SIG_FLAG_TOCLIENT) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_tcp_ctx_tc,
cd, s, flags, 0);
}
}
if (s->proto.proto[17 / 8] & 1 << (17 % 8)) {
if (s->flags & SIG_FLAG_TOSERVER) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_udp_ctx_ts,
cd, s, flags, 0);
}
if (s->flags & SIG_FLAG_TOCLIENT) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_udp_ctx_tc,
cd, s, flags, 0);
}
}
int i;
for (i = 0; i < 256; i++) {
if (i == 6 || i == 17)
continue;
if (s->proto.proto[i / 8] & (1 << (i % 8))) {
PopulateMpmHelperAddPatternToPktCtx(sgh->mpm_proto_other_ctx,
cd, s, flags, 0);
break;
}
}
/* tell matcher we are inspecting packet */
s->flags |= SIG_FLAG_MPM_PACKET;
s->mpm_pattern_id_div_8 = cd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
if (cd->flags & DETECT_CONTENT_NEGATED) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_PACKET_NEG;
}
}
if (SignatureHasStreamContent(s)) {
/* add the content to the "packet" mpm */
if (cd->flags & DETECT_CONTENT_NOCASE) {
if (s->flags & SIG_FLAG_TOSERVER) {
MpmAddPatternCI(sgh->mpm_stream_ctx_ts,
cd->content, cd->content_len,
0, 0,
cd->id, s->num, flags);
}
if (s->flags & SIG_FLAG_TOCLIENT) {
MpmAddPatternCI(sgh->mpm_stream_ctx_tc,
cd->content, cd->content_len,
0, 0,
cd->id, s->num, flags);
}
} else {
if (s->flags & SIG_FLAG_TOSERVER) {
MpmAddPatternCS(sgh->mpm_stream_ctx_ts,
cd->content, cd->content_len,
0, 0,
cd->id, s->num, flags);
}
if (s->flags & SIG_FLAG_TOCLIENT) {
MpmAddPatternCS(sgh->mpm_stream_ctx_tc,
cd->content, cd->content_len,
0, 0,
cd->id, s->num, flags);
}
}
/* tell matcher we are inspecting stream */
s->flags |= SIG_FLAG_MPM_STREAM;
s->mpm_pattern_id_div_8 = cd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
if (cd->flags & DETECT_CONTENT_NEGATED) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_STREAM_NEG;
}
}
}
if (SignatureHasPacketContent(s)) {
sgh->flags |= SIG_GROUP_HEAD_MPM_PACKET;
}
if (SignatureHasStreamContent(s)) {
sgh->flags |= SIG_GROUP_HEAD_MPM_STREAM;
}
PopulateMpmAddPatternToMpmPMATCH(de_ctx, sgh, s, mpm_sm);
break;
} /* case DETECT_CONTENT */
@ -1767,94 +1720,101 @@ int PatternMatchPrepareGroup(const DetectEngineCtx *de_ctx, SigGroupHead *sh)
s = sh->match_array[sig];
if (s == NULL)
continue;
if (SignatureHasPacketContent(s) == 1) {
if (!(SGH_PROTO(sh, IPPROTO_TCP)) ||
(SGH_PROTO(sh, IPPROTO_TCP) && SignatureHasPacketContent(s) == 1))
{
has_co_packet = 1;
}
if (SignatureHasStreamContent(s) == 1) {
has_co_stream = 1;
}
if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) {
has_co_uri = 1;
}
if (SGH_PROTO(sh, IPPROTO_TCP)) {
if (SignatureHasStreamContent(s) == 1) {
has_co_stream = 1;
}
if (s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL) {
has_co_hcbd = 1;
}
if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) {
has_co_uri = 1;
}
if (s->sm_lists[DETECT_SM_LIST_FILEDATA] != NULL) {
if (s->alproto == ALPROTO_SMTP)
has_co_smtp = 1;
else if (s->alproto == ALPROTO_HTTP)
has_co_hsbd = 1;
else if (s->alproto == ALPROTO_UNKNOWN) {
has_co_smtp = 1;
has_co_hsbd = 1;
if (s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL) {
has_co_hcbd = 1;
}
}
if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) {
has_co_hhd = 1;
}
if (s->sm_lists[DETECT_SM_LIST_FILEDATA] != NULL) {
if (s->alproto == ALPROTO_SMTP)
has_co_smtp = 1;
else if (s->alproto == ALPROTO_HTTP)
has_co_hsbd = 1;
else if (s->alproto == ALPROTO_UNKNOWN) {
has_co_smtp = 1;
has_co_hsbd = 1;
}
}
if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) {
has_co_hrhd = 1;
}
if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) {
has_co_hhd = 1;
}
if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) {
has_co_hmd = 1;
}
if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) {
has_co_hrhd = 1;
}
if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) {
has_co_hcd = 1;
}
if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) {
has_co_hmd = 1;
}
if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
has_co_hrud = 1;
}
if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) {
has_co_hcd = 1;
}
if (s->sm_lists[DETECT_SM_LIST_HSMDMATCH] != NULL) {
has_co_hsmd = 1;
}
if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
has_co_hrud = 1;
}
if (s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL) {
has_co_hscd = 1;
}
if (s->sm_lists[DETECT_SM_LIST_HSMDMATCH] != NULL) {
has_co_hsmd = 1;
}
if (s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL) {
has_co_huad = 1;
}
if (s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL) {
has_co_hscd = 1;
}
if (s->sm_lists[DETECT_SM_LIST_HHHDMATCH] != NULL) {
has_co_hhhd = 1;
}
if (s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL) {
has_co_huad = 1;
}
if (s->sm_lists[DETECT_SM_LIST_HHHDMATCH] != NULL) {
has_co_hhhd = 1;
}
if (s->sm_lists[DETECT_SM_LIST_HRHHDMATCH] != NULL) {
has_co_hrhhd = 1;
if (s->sm_lists[DETECT_SM_LIST_HRHHDMATCH] != NULL) {
has_co_hrhhd = 1;
}
}
if (s->sm_lists[DETECT_SM_LIST_DNSQUERYNAME_MATCH] != NULL) {
has_co_dnsquery = 1;
if (SGH_PROTO(sh, IPPROTO_TCP) || SGH_PROTO(sh, IPPROTO_UDP)) {
if (s->sm_lists[DETECT_SM_LIST_DNSQUERYNAME_MATCH] != NULL) {
has_co_dnsquery = 1;
}
}
}
/* intialize contexes */
if (has_co_packet) {
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
sh->mpm_proto_tcp_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_proto_tcp_packet, 0);
sh->mpm_proto_tcp_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_proto_tcp_packet, 1);
} else {
sh->mpm_proto_tcp_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0);
sh->mpm_proto_tcp_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1);
}
if (sh->mpm_proto_tcp_ctx_ts == NULL || sh->mpm_proto_tcp_ctx_tc == NULL) {
SCLogDebug("sh->mpm_proto_tcp_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
if (SGH_PROTO(sh, IPPROTO_TCP)) {
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
sh->mpm_proto_tcp_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_proto_tcp_packet, 0);
sh->mpm_proto_tcp_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_proto_tcp_packet, 1);
} else {
sh->mpm_proto_tcp_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0);
sh->mpm_proto_tcp_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1);
}
if (sh->mpm_proto_tcp_ctx_ts == NULL || sh->mpm_proto_tcp_ctx_tc == NULL) {
SCLogDebug("sh->mpm_proto_tcp_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
}
MpmInitCtx(sh->mpm_proto_tcp_ctx_ts, de_ctx->mpm_matcher);
MpmInitCtx(sh->mpm_proto_tcp_ctx_tc, de_ctx->mpm_matcher);
}
MpmInitCtx(sh->mpm_proto_tcp_ctx_ts, de_ctx->mpm_matcher);
MpmInitCtx(sh->mpm_proto_tcp_ctx_tc, de_ctx->mpm_matcher);
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
sh->mpm_proto_udp_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_proto_udp_packet, 0);
sh->mpm_proto_udp_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_proto_udp_packet, 1);
@ -2136,6 +2096,7 @@ int PatternMatchPrepareGroup(const DetectEngineCtx *de_ctx, SigGroupHead *sh)
has_co_hrhhd ||
has_co_dnsquery)
{
/* add the patterns of all the rules to the mpms of this sgh */
PatternMatchPreparePopulateMpm(de_ctx, sh);
if (sh->mpm_proto_tcp_ctx_ts != NULL) {

5
src/detect-engine-siggroup.c
Unescape Escape View File

@ -1143,11 +1143,12 @@ void SigGroupHeadSetSigCnt(SigGroupHead *sgh, uint32_t max_idx)
}
void SigGroupHeadSetProtoAndDirection(SigGroupHead *sgh,
uint8_t ipproto, uint8_t dir)
uint8_t ipproto, int dir)
{
if (sgh && sgh->init) {
SCLogDebug("setting proto %u and dir %d on sgh %p", ipproto, dir, sgh);
sgh->init->protos[ipproto] = 1;
sgh->init->direction = dir;
sgh->init->direction |= dir;
}
}

2
src/detect-engine-siggroup.h
Unescape Escape View File

@ -74,7 +74,7 @@ int SigGroupHeadSPortHashRemove(DetectEngineCtx *, SigGroupHead *);
void SigGroupHeadInitDataFree(SigGroupHeadInitData *sghid);
void SigGroupHeadSetSigCnt(SigGroupHead *sgh, uint32_t max_idx);
void SigGroupHeadSetProtoAndDirection(SigGroupHead *sgh,
uint8_t ipproto, uint8_t dir);
uint8_t ipproto, int dir);
int SigGroupHeadBuildMatchArray (DetectEngineCtx *de_ctx, SigGroupHead *sgh,
uint32_t max_idx);
void SigGroupHeadFreeSigArrays(DetectEngineCtx *de_ctx);

5
src/detect.c
Unescape Escape View File

@ -2937,10 +2937,7 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, int ipproto, uint3
SigGroupHeadSetSigCnt(iter->sh, max_idx);
SigGroupHeadBuildMatchArray(de_ctx, iter->sh, max_idx);
/* init the pattern matcher, this will respect the copy
* setting */
BUG_ON(PatternMatchPrepareGroup(de_ctx, iter->sh) != 0);
SigGroupHeadSetProtoAndDirection(iter->sh, ipproto, direction);
SigGroupHeadHashAdd(de_ctx, iter->sh);
SigGroupHeadStore(de_ctx, iter->sh);
de_ctx->gh_unique++;

4
src/detect.h
Unescape Escape View File

@ -984,8 +984,8 @@ typedef struct SigGroupHeadInitData_ {
uint8_t *sig_array; /**< bit array of sig nums (internal id's) */
uint32_t sig_size; /**< size in bytes */
uint8_t protos[256];
uint8_t direction;
uint8_t protos[256]; /**< proto(s) this sgh is for */
uint32_t direction; /**< set to SIG_FLAG_TOSERVER, SIG_FLAG_TOCLIENT or both */
/* port ptr */
struct DetectPort_ *port;

Write Preview
Loading…
Cancel
Save