diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index 8b20d6eafe..004b86c0b8 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -911,11 +911,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, } } /* tell matcher we are inspecting uri */ - s->flags |= SIG_FLAG_MPM_URICONTENT; + s->flags |= SIG_FLAG_MPM_HTTP; s->mpm_pattern_id_div_8 = ud->id / 8; s->mpm_pattern_id_mod_8 = 1 << (ud->id % 8); if (ud->flags & DETECT_CONTENT_NEGATED) - s->flags |= SIG_FLAG_MPM_URICONTENT_NEG; + s->flags |= SIG_FLAG_MPM_HTTP_NEG; sgh->flags |= SIG_GROUP_HEAD_MPM_URI; @@ -967,11 +967,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, } } /* tell matcher we are inspecting uri */ - s->flags |= SIG_FLAG_MPM_HCBDCONTENT; + s->flags |= SIG_FLAG_MPM_HTTP; s->mpm_pattern_id_div_8 = hcbd->id / 8; s->mpm_pattern_id_mod_8 = 1 << (hcbd->id % 8); if (hcbd->flags & DETECT_CONTENT_NEGATED) - s->flags |= SIG_FLAG_MPM_HCBDCONTENT_NEG; + s->flags |= SIG_FLAG_MPM_HTTP_NEG; sgh->flags |= SIG_GROUP_HEAD_MPM_HCBD; @@ -1023,11 +1023,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, } } /* tell matcher we are inspecting uri */ - s->flags |= SIG_FLAG_MPM_HSBDCONTENT; + s->flags |= SIG_FLAG_MPM_HTTP; s->mpm_pattern_id_div_8 = hsbd->id / 8; s->mpm_pattern_id_mod_8 = 1 << (hsbd->id % 8); if (hsbd->flags & DETECT_CONTENT_NEGATED) - s->flags |= SIG_FLAG_MPM_HSBDCONTENT_NEG; + s->flags |= SIG_FLAG_MPM_HTTP_NEG; sgh->flags |= SIG_GROUP_HEAD_MPM_HSBD; @@ -1079,11 +1079,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, } } /* tell matcher we are inspecting uri */ - s->flags |= SIG_FLAG_MPM_HHDCONTENT; + s->flags |= SIG_FLAG_MPM_HTTP; s->mpm_pattern_id_div_8 = hhd->id / 8; s->mpm_pattern_id_mod_8 = 1 << (hhd->id % 8); if (hhd->flags & DETECT_CONTENT_NEGATED) - s->flags |= SIG_FLAG_MPM_HHDCONTENT_NEG; + s->flags |= SIG_FLAG_MPM_HTTP_NEG; sgh->flags |= SIG_GROUP_HEAD_MPM_HHD; @@ -1135,11 +1135,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, } } /* tell matcher we are inspecting uri */ - s->flags |= SIG_FLAG_MPM_HRHDCONTENT; + s->flags |= SIG_FLAG_MPM_HTTP; s->mpm_pattern_id_div_8 = hrhd->id / 8; s->mpm_pattern_id_mod_8 = 1 << (hrhd->id % 8); if (hrhd->flags & DETECT_CONTENT_NEGATED) - s->flags |= SIG_FLAG_MPM_HRHDCONTENT_NEG; + s->flags |= SIG_FLAG_MPM_HTTP_NEG; sgh->flags |= SIG_GROUP_HEAD_MPM_HRHD; @@ -1191,11 +1191,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, } } /* tell matcher we are inspecting method */ - s->flags |= SIG_FLAG_MPM_HMDCONTENT; + s->flags |= SIG_FLAG_MPM_HTTP; s->mpm_pattern_id_div_8 = hmd->id / 8; s->mpm_pattern_id_mod_8 = 1 << (hmd->id % 8); if (hmd->flags & DETECT_CONTENT_NEGATED) - s->flags |= SIG_FLAG_MPM_HMDCONTENT_NEG; + s->flags |= SIG_FLAG_MPM_HTTP_NEG; sgh->flags |= SIG_GROUP_HEAD_MPM_HMD; @@ -1247,11 +1247,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, } } /* tell matcher we are inspecting cookie */ - s->flags |= SIG_FLAG_MPM_HCDCONTENT; + s->flags |= SIG_FLAG_MPM_HTTP; s->mpm_pattern_id_div_8 = hcd->id / 8; s->mpm_pattern_id_mod_8 = 1 << (hcd->id % 8); if (hcd->flags & DETECT_CONTENT_NEGATED) - s->flags |= SIG_FLAG_MPM_HCDCONTENT_NEG; + s->flags |= SIG_FLAG_MPM_HTTP_NEG; sgh->flags |= SIG_GROUP_HEAD_MPM_HCD; @@ -1303,11 +1303,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, } } /* tell matcher we are inspecting raw uri */ - s->flags |= SIG_FLAG_MPM_HRUDCONTENT; + s->flags |= SIG_FLAG_MPM_HTTP; s->mpm_pattern_id_div_8 = hrud->id / 8; s->mpm_pattern_id_mod_8 = 1 << (hrud->id % 8); if (hrud->flags & DETECT_CONTENT_NEGATED) - s->flags |= SIG_FLAG_MPM_HRUDCONTENT_NEG; + s->flags |= SIG_FLAG_MPM_HTTP_NEG; sgh->flags |= SIG_GROUP_HEAD_MPM_HRUD; diff --git a/src/detect.c b/src/detect.c index 89c1fef608..e54f26ffba 100644 --- a/src/detect.c +++ b/src/detect.c @@ -710,10 +710,7 @@ static inline int SigMatchSignaturesBuildMatchArrayAddSignature(DetectEngineThre } /* check for a pattern match of the one pattern in this sig. */ - if (s->flags & (SIG_FLAG_MPM_PACKET|SIG_FLAG_MPM_STREAM|SIG_FLAG_MPM_URICONTENT| - SIG_FLAG_MPM_HCBDCONTENT|SIG_FLAG_MPM_HSBDCONTENT|SIG_FLAG_MPM_HHDCONTENT| - SIG_FLAG_MPM_HRHDCONTENT|SIG_FLAG_MPM_HRHDCONTENT|SIG_FLAG_MPM_HMDCONTENT| - SIG_FLAG_MPM_HCDCONTENT|SIG_FLAG_MPM_HRUDCONTENT)) + if (s->flags & (SIG_FLAG_MPM_PACKET|SIG_FLAG_MPM_STREAM|SIG_FLAG_MPM_HTTP)) { /* filter out sigs that want pattern matches, but * have no matches */ @@ -728,36 +725,8 @@ static inline int SigMatchSignaturesBuildMatchArrayAddSignature(DetectEngineThre if (!(s->flags & SIG_FLAG_MPM_STREAM_NEG)) { return 0; } - } else if (s->flags & SIG_FLAG_MPM_URICONTENT) { - if (!(s->flags & SIG_FLAG_MPM_URICONTENT_NEG)) { - return 0; - } - } else if (s->flags & SIG_FLAG_MPM_HCBDCONTENT) { - if (!(s->flags & SIG_FLAG_MPM_HCBDCONTENT_NEG)) { - return 0; - } - } else if (s->flags & SIG_FLAG_MPM_HSBDCONTENT) { - if (!(s->flags & SIG_FLAG_MPM_HSBDCONTENT_NEG)) { - return 0; - } - } else if (s->flags & SIG_FLAG_MPM_HHDCONTENT) { - if (!(s->flags & SIG_FLAG_MPM_HHDCONTENT_NEG)) { - return 0; - } - } else if (s->flags & SIG_FLAG_MPM_HRHDCONTENT) { - if (!(s->flags & SIG_FLAG_MPM_HRHDCONTENT_NEG)) { - return 0; - } - } else if (s->flags & SIG_FLAG_MPM_HMDCONTENT) { - if (!(s->flags & SIG_FLAG_MPM_HMDCONTENT_NEG)) { - return 0; - } - } else if (s->flags & SIG_FLAG_MPM_HCDCONTENT) { - if (!(s->flags & SIG_FLAG_MPM_HCDCONTENT_NEG)) { - return 0; - } - } else if (s->flags & SIG_FLAG_MPM_HRUDCONTENT) { - if (!(s->flags & SIG_FLAG_MPM_HRUDCONTENT_NEG)) { + } else if (s->flags & SIG_FLAG_MPM_HTTP) { + if (!(s->flags & SIG_FLAG_MPM_HTTP_NEG)) { return 0; } } diff --git a/src/detect.h b/src/detect.h index 063393a95d..6e93f04558 100644 --- a/src/detect.h +++ b/src/detect.h @@ -221,53 +221,31 @@ typedef struct DetectPort_ { /* Signature flags */ #define SIG_FLAG_RECURSIVE (((uint64_t)1)) /**< recursive capturing enabled */ + #define SIG_FLAG_SRC_ANY (((uint64_t)1)<<1) /**< source is any */ #define SIG_FLAG_DST_ANY (((uint64_t)1)<<2) /**< destination is any */ #define SIG_FLAG_SP_ANY (((uint64_t)1)<<3) /**< source port is any */ - #define SIG_FLAG_DP_ANY (((uint64_t)1)<<4) /**< destination port is any */ -#define SIG_FLAG_NOALERT (((uint64_t)1)<<5) /**< no alert flag is set */ -// reserved -// reserved -#define SIG_FLAG_DSIZE (((uint64_t)1)<<8) /**< signature has a dsize setting */ - -#define SIG_FLAG_APPLAYER (((uint64_t)1)<<9) /**< signature applies to app layer instead of packets */ -#define SIG_FLAG_IPONLY (((uint64_t)1)<<10) /**< ip only signature */ - -#define SIG_FLAG_STATE_MATCH (((uint64_t)1)<<11) /**< signature has matches that require stateful inspection */ -#define SIG_FLAG_REQUIRE_PACKET (((uint64_t)1)<<12) /**< signature is requiring packet match */ -#define SIG_FLAG_MPM_PACKET (((uint64_t)1)<<13) -#define SIG_FLAG_MPM_PACKET_NEG (((uint64_t)1)<<14) -#define SIG_FLAG_MPM_STREAM (((uint64_t)1)<<15) -#define SIG_FLAG_MPM_STREAM_NEG (((uint64_t)1)<<16) - -#define SIG_FLAG_MPM_URICONTENT (((uint64_t)1)<<17) -#define SIG_FLAG_MPM_URICONTENT_NEG (((uint64_t)1)<<18) - -#define SIG_FLAG_MPM_HHDCONTENT (((uint64_t)1)<<19) -#define SIG_FLAG_MPM_HHDCONTENT_NEG (((uint64_t)1)<<20) - -#define SIG_FLAG_MPM_HRHDCONTENT (((uint64_t)1)<<21) -#define SIG_FLAG_MPM_HRHDCONTENT_NEG (((uint64_t)1)<<22) +#define SIG_FLAG_NOALERT (((uint64_t)1)<<5) /**< no alert flag is set */ +#define SIG_FLAG_DSIZE (((uint64_t)1)<<6) /**< signature has a dsize setting */ +#define SIG_FLAG_APPLAYER (((uint64_t)1)<<7) /**< signature applies to app layer instead of packets */ +#define SIG_FLAG_IPONLY (((uint64_t)1)<<8) /**< ip only signature */ -#define SIG_FLAG_MPM_HCBDCONTENT (((uint64_t)1)<<23) -#define SIG_FLAG_MPM_HCBDCONTENT_NEG (((uint64_t)1)<<24) +#define SIG_FLAG_STATE_MATCH (((uint64_t)1)<<9) /**< signature has matches that require stateful inspection */ +#define SIG_FLAG_REQUIRE_PACKET (((uint64_t)1)<<10) /**< signature is requiring packet match */ -#define SIG_FLAG_MPM_HMDCONTENT (((uint64_t)1)<<25) -#define SIG_FLAG_MPM_HMDCONTENT_NEG (((uint64_t)1)<<26) +#define SIG_FLAG_MPM_PACKET (((uint64_t)1)<<11) +#define SIG_FLAG_MPM_PACKET_NEG (((uint64_t)1)<<12) -#define SIG_FLAG_MPM_HCDCONTENT (((uint64_t)1)<<27) -#define SIG_FLAG_MPM_HCDCONTENT_NEG (((uint64_t)1)<<28) +#define SIG_FLAG_MPM_STREAM (((uint64_t)1)<<13) +#define SIG_FLAG_MPM_STREAM_NEG (((uint64_t)1)<<14) -#define SIG_FLAG_MPM_HRUDCONTENT (((uint64_t)1)<<29) -#define SIG_FLAG_MPM_HRUDCONTENT_NEG (((uint64_t)1)<<30) +#define SIG_FLAG_MPM_HTTP (((uint64_t)1)<<15) +#define SIG_FLAG_MPM_HTTP_NEG (((uint64_t)1)<<16) #define SIG_FLAG_REQUIRE_FLOWVAR (((uint64_t)1)<<31) /**< signature can only match if a flowbit, flowvar or flowint is available. */ -#define SIG_FLAG_MPM_HSBDCONTENT (((uint64_t)1)<<32) -#define SIG_FLAG_MPM_HSBDCONTENT_NEG (((uint64_t)1)<<33) - #define SIG_FLAG_FILESTORE (((uint64_t)1)<<34) /**< signature has filestore keyword */ /* signature init flags */