aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge all http mpm related signature flags into a single set: SIG_FLAG_MPM_HTTP and SIG_FLAG_MPM_HTTP_NEG.

Browse Source
remotes/origin/master-1.2.x
Victor Julien 13 years ago
parent d5ed28b065
commit dd9da1a56f
3 changed files with 32 additions and 85 deletions
Show Stats Download Patch File Download Diff File

32
src/detect-engine-mpm.c
Unescape Escape View File

@ -911,11 +911,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
}
/* tell matcher we are inspecting uri */
s->flags |= SIG_FLAG_MPM_URICONTENT;
s->flags |= SIG_FLAG_MPM_HTTP;
s->mpm_pattern_id_div_8 = ud->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (ud->id % 8);
if (ud->flags & DETECT_CONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_URICONTENT_NEG;
s->flags |= SIG_FLAG_MPM_HTTP_NEG;
sgh->flags |= SIG_GROUP_HEAD_MPM_URI;
@ -967,11 +967,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
}
/* tell matcher we are inspecting uri */
s->flags |= SIG_FLAG_MPM_HCBDCONTENT;
s->flags |= SIG_FLAG_MPM_HTTP;
s->mpm_pattern_id_div_8 = hcbd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (hcbd->id % 8);
if (hcbd->flags & DETECT_CONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_HCBDCONTENT_NEG;
s->flags |= SIG_FLAG_MPM_HTTP_NEG;
sgh->flags |= SIG_GROUP_HEAD_MPM_HCBD;
@ -1023,11 +1023,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
}
/* tell matcher we are inspecting uri */
s->flags |= SIG_FLAG_MPM_HSBDCONTENT;
s->flags |= SIG_FLAG_MPM_HTTP;
s->mpm_pattern_id_div_8 = hsbd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (hsbd->id % 8);
if (hsbd->flags & DETECT_CONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_HSBDCONTENT_NEG;
s->flags |= SIG_FLAG_MPM_HTTP_NEG;
sgh->flags |= SIG_GROUP_HEAD_MPM_HSBD;
@ -1079,11 +1079,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
}
/* tell matcher we are inspecting uri */
s->flags |= SIG_FLAG_MPM_HHDCONTENT;
s->flags |= SIG_FLAG_MPM_HTTP;
s->mpm_pattern_id_div_8 = hhd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (hhd->id % 8);
if (hhd->flags & DETECT_CONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_HHDCONTENT_NEG;
s->flags |= SIG_FLAG_MPM_HTTP_NEG;
sgh->flags |= SIG_GROUP_HEAD_MPM_HHD;
@ -1135,11 +1135,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
}
/* tell matcher we are inspecting uri */
s->flags |= SIG_FLAG_MPM_HRHDCONTENT;
s->flags |= SIG_FLAG_MPM_HTTP;
s->mpm_pattern_id_div_8 = hrhd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (hrhd->id % 8);
if (hrhd->flags & DETECT_CONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_HRHDCONTENT_NEG;
s->flags |= SIG_FLAG_MPM_HTTP_NEG;
sgh->flags |= SIG_GROUP_HEAD_MPM_HRHD;
@ -1191,11 +1191,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
}
/* tell matcher we are inspecting method */
s->flags |= SIG_FLAG_MPM_HMDCONTENT;
s->flags |= SIG_FLAG_MPM_HTTP;
s->mpm_pattern_id_div_8 = hmd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (hmd->id % 8);
if (hmd->flags & DETECT_CONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_HMDCONTENT_NEG;
s->flags |= SIG_FLAG_MPM_HTTP_NEG;
sgh->flags |= SIG_GROUP_HEAD_MPM_HMD;
@ -1247,11 +1247,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
}
/* tell matcher we are inspecting cookie */
s->flags |= SIG_FLAG_MPM_HCDCONTENT;
s->flags |= SIG_FLAG_MPM_HTTP;
s->mpm_pattern_id_div_8 = hcd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (hcd->id % 8);
if (hcd->flags & DETECT_CONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_HCDCONTENT_NEG;
s->flags |= SIG_FLAG_MPM_HTTP_NEG;
sgh->flags |= SIG_GROUP_HEAD_MPM_HCD;
@ -1303,11 +1303,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
}
/* tell matcher we are inspecting raw uri */
s->flags |= SIG_FLAG_MPM_HRUDCONTENT;
s->flags |= SIG_FLAG_MPM_HTTP;
s->mpm_pattern_id_div_8 = hrud->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (hrud->id % 8);
if (hrud->flags & DETECT_CONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_HRUDCONTENT_NEG;
s->flags |= SIG_FLAG_MPM_HTTP_NEG;
sgh->flags |= SIG_GROUP_HEAD_MPM_HRUD;

37
src/detect.c
Unescape Escape View File

@ -710,10 +710,7 @@ static inline int SigMatchSignaturesBuildMatchArrayAddSignature(DetectEngineThre
}
/* check for a pattern match of the one pattern in this sig. */
if (s->flags & (SIG_FLAG_MPM_PACKET|SIG_FLAG_MPM_STREAM|SIG_FLAG_MPM_URICONTENT|
SIG_FLAG_MPM_HCBDCONTENT|SIG_FLAG_MPM_HSBDCONTENT|SIG_FLAG_MPM_HHDCONTENT|
SIG_FLAG_MPM_HRHDCONTENT|SIG_FLAG_MPM_HRHDCONTENT|SIG_FLAG_MPM_HMDCONTENT|
SIG_FLAG_MPM_HCDCONTENT|SIG_FLAG_MPM_HRUDCONTENT))
if (s->flags & (SIG_FLAG_MPM_PACKET|SIG_FLAG_MPM_STREAM|SIG_FLAG_MPM_HTTP))
{
/* filter out sigs that want pattern matches, but
* have no matches */
@ -728,36 +725,8 @@ static inline int SigMatchSignaturesBuildMatchArrayAddSignature(DetectEngineThre
if (!(s->flags & SIG_FLAG_MPM_STREAM_NEG)) {
return 0;
}
} else if (s->flags & SIG_FLAG_MPM_URICONTENT) {
if (!(s->flags & SIG_FLAG_MPM_URICONTENT_NEG)) {
return 0;
}
} else if (s->flags & SIG_FLAG_MPM_HCBDCONTENT) {
if (!(s->flags & SIG_FLAG_MPM_HCBDCONTENT_NEG)) {
return 0;
}
} else if (s->flags & SIG_FLAG_MPM_HSBDCONTENT) {
if (!(s->flags & SIG_FLAG_MPM_HSBDCONTENT_NEG)) {
return 0;
}
} else if (s->flags & SIG_FLAG_MPM_HHDCONTENT) {
if (!(s->flags & SIG_FLAG_MPM_HHDCONTENT_NEG)) {
return 0;
}
} else if (s->flags & SIG_FLAG_MPM_HRHDCONTENT) {
if (!(s->flags & SIG_FLAG_MPM_HRHDCONTENT_NEG)) {
return 0;
}
} else if (s->flags & SIG_FLAG_MPM_HMDCONTENT) {
if (!(s->flags & SIG_FLAG_MPM_HMDCONTENT_NEG)) {
return 0;
}
} else if (s->flags & SIG_FLAG_MPM_HCDCONTENT) {
if (!(s->flags & SIG_FLAG_MPM_HCDCONTENT_NEG)) {
return 0;
}
} else if (s->flags & SIG_FLAG_MPM_HRUDCONTENT) {
if (!(s->flags & SIG_FLAG_MPM_HRUDCONTENT_NEG)) {
} else if (s->flags & SIG_FLAG_MPM_HTTP) {
if (!(s->flags & SIG_FLAG_MPM_HTTP_NEG)) {
return 0;
}
}

48
src/detect.h
Unescape Escape View File

@ -221,53 +221,31 @@ typedef struct DetectPort_ {
/* Signature flags */
#define SIG_FLAG_RECURSIVE (((uint64_t)1)) /**< recursive capturing enabled */
#define SIG_FLAG_SRC_ANY (((uint64_t)1)<<1) /**< source is any */
#define SIG_FLAG_DST_ANY (((uint64_t)1)<<2) /**< destination is any */
#define SIG_FLAG_SP_ANY (((uint64_t)1)<<3) /**< source port is any */
#define SIG_FLAG_DP_ANY (((uint64_t)1)<<4) /**< destination port is any */
#define SIG_FLAG_NOALERT (((uint64_t)1)<<5) /**< no alert flag is set */
// reserved
// reserved
#define SIG_FLAG_DSIZE (((uint64_t)1)<<8) /**< signature has a dsize setting */
#define SIG_FLAG_APPLAYER (((uint64_t)1)<<9) /**< signature applies to app layer instead of packets */
#define SIG_FLAG_IPONLY (((uint64_t)1)<<10) /**< ip only signature */
#define SIG_FLAG_STATE_MATCH (((uint64_t)1)<<11) /**< signature has matches that require stateful inspection */
#define SIG_FLAG_REQUIRE_PACKET (((uint64_t)1)<<12) /**< signature is requiring packet match */
#define SIG_FLAG_MPM_PACKET (((uint64_t)1)<<13)
#define SIG_FLAG_MPM_PACKET_NEG (((uint64_t)1)<<14)
#define SIG_FLAG_MPM_STREAM (((uint64_t)1)<<15)
#define SIG_FLAG_MPM_STREAM_NEG (((uint64_t)1)<<16)
#define SIG_FLAG_MPM_URICONTENT (((uint64_t)1)<<17)
#define SIG_FLAG_MPM_URICONTENT_NEG (((uint64_t)1)<<18)
#define SIG_FLAG_MPM_HHDCONTENT (((uint64_t)1)<<19)
#define SIG_FLAG_MPM_HHDCONTENT_NEG (((uint64_t)1)<<20)
#define SIG_FLAG_MPM_HRHDCONTENT (((uint64_t)1)<<21)
#define SIG_FLAG_MPM_HRHDCONTENT_NEG (((uint64_t)1)<<22)
#define SIG_FLAG_NOALERT (((uint64_t)1)<<5) /**< no alert flag is set */
#define SIG_FLAG_DSIZE (((uint64_t)1)<<6) /**< signature has a dsize setting */
#define SIG_FLAG_APPLAYER (((uint64_t)1)<<7) /**< signature applies to app layer instead of packets */
#define SIG_FLAG_IPONLY (((uint64_t)1)<<8) /**< ip only signature */
#define SIG_FLAG_MPM_HCBDCONTENT (((uint64_t)1)<<23)
#define SIG_FLAG_MPM_HCBDCONTENT_NEG (((uint64_t)1)<<24)
#define SIG_FLAG_STATE_MATCH (((uint64_t)1)<<9) /**< signature has matches that require stateful inspection */
#define SIG_FLAG_REQUIRE_PACKET (((uint64_t)1)<<10) /**< signature is requiring packet match */
#define SIG_FLAG_MPM_HMDCONTENT (((uint64_t)1)<<25)
#define SIG_FLAG_MPM_HMDCONTENT_NEG (((uint64_t)1)<<26)
#define SIG_FLAG_MPM_PACKET (((uint64_t)1)<<11)
#define SIG_FLAG_MPM_PACKET_NEG (((uint64_t)1)<<12)
#define SIG_FLAG_MPM_HCDCONTENT (((uint64_t)1)<<27)
#define SIG_FLAG_MPM_HCDCONTENT_NEG (((uint64_t)1)<<28)
#define SIG_FLAG_MPM_STREAM (((uint64_t)1)<<13)
#define SIG_FLAG_MPM_STREAM_NEG (((uint64_t)1)<<14)
#define SIG_FLAG_MPM_HRUDCONTENT (((uint64_t)1)<<29)
#define SIG_FLAG_MPM_HRUDCONTENT_NEG (((uint64_t)1)<<30)
#define SIG_FLAG_MPM_HTTP (((uint64_t)1)<<15)
#define SIG_FLAG_MPM_HTTP_NEG (((uint64_t)1)<<16)
#define SIG_FLAG_REQUIRE_FLOWVAR (((uint64_t)1)<<31) /**< signature can only match if a flowbit, flowvar or flowint is available. */
#define SIG_FLAG_MPM_HSBDCONTENT (((uint64_t)1)<<32)
#define SIG_FLAG_MPM_HSBDCONTENT_NEG (((uint64_t)1)<<33)
#define SIG_FLAG_FILESTORE (((uint64_t)1)<<34) /**< signature has filestore keyword */
/* signature init flags */

Write Preview
Loading…
Cancel
Save