From e43c4f3ea2b9d72a58df6e4c4ada9057bcf01101 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Wed, 21 Oct 2015 08:19:21 +0200 Subject: [PATCH] mpm: optimize calls For all mpm wrapper functions, check minlen vs the input buffer to see if we can bypass the mpm search. Next to this, make all the function inline. Also constify the input and do other minor cleanups. --- src/detect-engine-dns.c | 14 ++++++----- src/detect-engine-filedata-smtp.c | 14 ++++++----- src/detect-engine-hcbd.c | 15 ++++++----- src/detect-engine-hcd.c | 24 +++++++++++------- src/detect-engine-hhd.c | 24 +++++++++++------- src/detect-engine-hhhd.c | 21 +++++++++------- src/detect-engine-hmd.c | 19 ++++++++------ src/detect-engine-hrhd.c | 42 ++++++++++++++++++------------- src/detect-engine-hrhhd.c | 30 ++++++++++++---------- src/detect-engine-hrud.c | 19 ++++++++------ src/detect-engine-hsbd.c | 17 +++++++------ src/detect-engine-hscd.c | 20 ++++++++------- src/detect-engine-hsmd.c | 18 +++++++------ src/detect-engine-hua.c | 22 ++++++++-------- src/detect-engine-payload.c | 41 ++++++++++++++++-------------- src/detect-engine-uri.c | 6 ++--- 16 files changed, 199 insertions(+), 147 deletions(-) diff --git a/src/detect-engine-dns.c b/src/detect-engine-dns.c index 3efb848f01..915533f150 100644 --- a/src/detect-engine-dns.c +++ b/src/detect-engine-dns.c @@ -104,9 +104,9 @@ int DetectEngineInspectDnsQueryName(ThreadVars *tv, * * \retval ret Number of matches. */ -static uint32_t DnsQueryPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *buffer, uint32_t buffer_len, - uint8_t flags) +static inline uint32_t DnsQueryPatternSearch(DetectEngineThreadCtx *det_ctx, + const uint8_t *buffer, const uint32_t buffer_len, + const uint8_t flags) { SCEnter(); @@ -115,9 +115,11 @@ static uint32_t DnsQueryPatternSearch(DetectEngineThreadCtx *det_ctx, DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT); DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_dnsquery_ctx_ts == NULL); - ret = mpm_table[det_ctx->sgh->mpm_dnsquery_ctx_ts->mpm_type]. - Search(det_ctx->sgh->mpm_dnsquery_ctx_ts, &det_ctx->mtcu, - &det_ctx->pmq, buffer, buffer_len); + if (buffer_len >= det_ctx->sgh->mpm_dnsquery_ctx_ts->minlen) { + ret = mpm_table[det_ctx->sgh->mpm_dnsquery_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_dnsquery_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, buffer, buffer_len); + } SCReturnUInt(ret); } diff --git a/src/detect-engine-filedata-smtp.c b/src/detect-engine-filedata-smtp.c index 8b2f5caead..80fec628dc 100644 --- a/src/detect-engine-filedata-smtp.c +++ b/src/detect-engine-filedata-smtp.c @@ -281,9 +281,9 @@ void DetectEngineCleanSMTPBuffers(DetectEngineThreadCtx *det_ctx) * * \retval ret Number of matches. */ -static uint32_t SMTPFiledataPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *buffer, uint32_t buffer_len, - uint8_t flags) +static inline uint32_t SMTPFiledataPatternSearch(DetectEngineThreadCtx *det_ctx, + const uint8_t *buffer, const uint32_t buffer_len, + const uint8_t flags) { SCEnter(); @@ -292,9 +292,11 @@ static uint32_t SMTPFiledataPatternSearch(DetectEngineThreadCtx *det_ctx, DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT); DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_smtp_filedata_ctx_ts == NULL); - ret = mpm_table[det_ctx->sgh->mpm_smtp_filedata_ctx_ts->mpm_type]. - Search(det_ctx->sgh->mpm_smtp_filedata_ctx_ts, &det_ctx->mtcu, - &det_ctx->pmq, buffer, buffer_len); + if (buffer_len >= det_ctx->sgh->mpm_smtp_filedata_ctx_ts->minlen) { + ret = mpm_table[det_ctx->sgh->mpm_smtp_filedata_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_smtp_filedata_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, buffer, buffer_len); + } SCReturnUInt(ret); } diff --git a/src/detect-engine-hcbd.c b/src/detect-engine-hcbd.c index 28ebfe584f..42ef760aa2 100644 --- a/src/detect-engine-hcbd.c +++ b/src/detect-engine-hcbd.c @@ -230,19 +230,22 @@ static uint8_t *DetectEngineHCBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id, * * \retval ret Number of matches. */ -static uint32_t HttpClientBodyPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *body, uint32_t body_len, uint8_t flags) +static inline uint32_t HttpClientBodyPatternSearch(DetectEngineThreadCtx *det_ctx, + const uint8_t *body, const uint32_t body_len, + const uint8_t flags) { SCEnter(); - uint32_t ret; + uint32_t ret = 0; DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT); DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcbd_ctx_ts == NULL); - ret = mpm_table[det_ctx->sgh->mpm_hcbd_ctx_ts->mpm_type]. - Search(det_ctx->sgh->mpm_hcbd_ctx_ts, &det_ctx->mtcu, - &det_ctx->pmq, body, body_len); + if (body_len >= det_ctx->sgh->mpm_hcbd_ctx_ts->minlen) { + ret = mpm_table[det_ctx->sgh->mpm_hcbd_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_hcbd_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, body, body_len); + } SCReturnUInt(ret); } diff --git a/src/detect-engine-hcd.c b/src/detect-engine-hcd.c index 432266e706..dfc97a9add 100644 --- a/src/detect-engine-hcd.c +++ b/src/detect-engine-hcd.c @@ -67,24 +67,30 @@ * * \retval ret Number of matches. */ -static uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *cookie, uint32_t cookie_len, uint8_t flags) +static inline uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *det_ctx, + const uint8_t *cookie, const uint32_t cookie_len, + const uint8_t flags) { SCEnter(); - uint32_t ret; + uint32_t ret = 0; + if (flags & STREAM_TOSERVER) { DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcd_ctx_ts == NULL); - ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_ts->mpm_type]. - Search(det_ctx->sgh->mpm_hcd_ctx_ts, &det_ctx->mtcu, - &det_ctx->pmq, cookie, cookie_len); + if (cookie_len >= det_ctx->sgh->mpm_hcd_ctx_ts->minlen) { + ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_hcd_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, cookie, cookie_len); + } } else { DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcd_ctx_tc == NULL); - ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_tc->mpm_type]. - Search(det_ctx->sgh->mpm_hcd_ctx_tc, &det_ctx->mtcu, - &det_ctx->pmq, cookie, cookie_len); + if (cookie_len >= det_ctx->sgh->mpm_hcd_ctx_tc->minlen) { + ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_tc->mpm_type]. + Search(det_ctx->sgh->mpm_hcd_ctx_tc, &det_ctx->mtcu, + &det_ctx->pmq, cookie, cookie_len); + } } SCReturnUInt(ret); diff --git a/src/detect-engine-hhd.c b/src/detect-engine-hhd.c index 0656b112af..acfae6f54b 100644 --- a/src/detect-engine-hhd.c +++ b/src/detect-engine-hhd.c @@ -223,24 +223,30 @@ static uint8_t *DetectEngineHHDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id, * * \retval ret Number of matches. */ -static uint32_t HttpHeaderPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *headers, uint32_t headers_len, uint8_t flags) +static inline uint32_t HttpHeaderPatternSearch(DetectEngineThreadCtx *det_ctx, + const uint8_t *headers, const uint32_t headers_len, + const uint8_t flags) { SCEnter(); - uint32_t ret; + uint32_t ret = 0; + if (flags & STREAM_TOSERVER) { DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhd_ctx_ts == NULL); - ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_ts->mpm_type]. - Search(det_ctx->sgh->mpm_hhd_ctx_ts, &det_ctx->mtcu, - &det_ctx->pmq, headers, headers_len); + if (headers_len >= det_ctx->sgh->mpm_hhd_ctx_ts->minlen) { + ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_hhd_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, headers, headers_len); + } } else { DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhd_ctx_tc == NULL); - ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_tc->mpm_type]. - Search(det_ctx->sgh->mpm_hhd_ctx_tc, &det_ctx->mtcu, - &det_ctx->pmq, headers, headers_len); + if (headers_len >= det_ctx->sgh->mpm_hhd_ctx_tc->minlen) { + ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_tc->mpm_type]. + Search(det_ctx->sgh->mpm_hhd_ctx_tc, &det_ctx->mtcu, + &det_ctx->pmq, headers, headers_len); + } } SCReturnUInt(ret); diff --git a/src/detect-engine-hhhd.c b/src/detect-engine-hhhd.c index 0882d16d1a..e86debc243 100644 --- a/src/detect-engine-hhhd.c +++ b/src/detect-engine-hhhd.c @@ -70,19 +70,22 @@ * * \retval ret Number of matches. */ -static uint32_t HttpHHPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *hh, uint32_t hh_len, uint8_t flags) +static inline uint32_t HttpHHPatternSearch(DetectEngineThreadCtx *det_ctx, + const uint8_t *hh, const uint32_t hh_len, + const uint8_t flags) { SCEnter(); - uint32_t ret; + uint32_t ret = 0; DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT); DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhhd_ctx_ts == NULL); - ret = mpm_table[det_ctx->sgh->mpm_hhhd_ctx_ts->mpm_type]. - Search(det_ctx->sgh->mpm_hhhd_ctx_ts, &det_ctx->mtcu, - &det_ctx->pmq, hh, hh_len); + if (hh_len >= det_ctx->sgh->mpm_hhhd_ctx_ts->minlen) { + ret = mpm_table[det_ctx->sgh->mpm_hhhd_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_hhhd_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, hh, hh_len); + } SCReturnUInt(ret); } @@ -95,12 +98,12 @@ int DetectEngineRunHttpHHMpm(DetectEngineThreadCtx *det_ctx, Flow *f, htp_tx_t *tx = (htp_tx_t *)txv; if (tx->request_hostname == NULL) goto end; - uint8_t *hname = (uint8_t *)bstr_ptr(tx->request_hostname); + const uint8_t *hname = (const uint8_t *)bstr_ptr(tx->request_hostname); if (hname == NULL) goto end; - uint32_t hname_len = bstr_len(tx->request_hostname); + const uint32_t hname_len = bstr_len(tx->request_hostname); - cnt += HttpHHPatternSearch(det_ctx, hname, hname_len, flags); + cnt = HttpHHPatternSearch(det_ctx, hname, hname_len, flags); end: return cnt; diff --git a/src/detect-engine-hmd.c b/src/detect-engine-hmd.c index f80e279a39..e410286859 100644 --- a/src/detect-engine-hmd.c +++ b/src/detect-engine-hmd.c @@ -67,19 +67,22 @@ * * \retval ret Number of matches. */ -static uint32_t HttpMethodPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *raw_method, uint32_t raw_method_len, uint8_t flags) +static inline uint32_t HttpMethodPatternSearch(DetectEngineThreadCtx *det_ctx, + const uint8_t *raw_method, const uint32_t raw_method_len, + const uint8_t flags) { SCEnter(); - uint32_t ret; + uint32_t ret = 0; DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT); DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hmd_ctx_ts == NULL); - ret = mpm_table[det_ctx->sgh->mpm_hmd_ctx_ts->mpm_type]. - Search(det_ctx->sgh->mpm_hmd_ctx_ts, &det_ctx->mtcu, - &det_ctx->pmq, raw_method, raw_method_len); + if (raw_method_len >= det_ctx->sgh->mpm_hmd_ctx_ts->minlen) { + ret = mpm_table[det_ctx->sgh->mpm_hmd_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_hmd_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, raw_method, raw_method_len); + } SCReturnUInt(ret); } @@ -92,11 +95,11 @@ int DetectEngineRunHttpMethodMpm(DetectEngineThreadCtx *det_ctx, Flow *f, htp_tx_t *tx = (htp_tx_t *)txv; if (tx->request_method == NULL) goto end; + cnt = HttpMethodPatternSearch(det_ctx, - (uint8_t *)bstr_ptr(tx->request_method), + (const uint8_t *)bstr_ptr(tx->request_method), bstr_len(tx->request_method), flags); - end: return cnt; } diff --git a/src/detect-engine-hrhd.c b/src/detect-engine-hrhd.c index 54618a3df1..2dd26f2f23 100644 --- a/src/detect-engine-hrhd.c +++ b/src/detect-engine-hrhd.c @@ -62,30 +62,36 @@ /** * \brief Http raw header match -- searches for one pattern per signature. * - * \param det_ctx Detection engine thread ctx. - * \param headers Raw headers to inspect. - * \param headers_len Raw headers length. + * \param det_ctx Detection engine thread ctx. + * \param raw_headers Raw headers to inspect. + * \param raw_headers_len Raw headers length. * * \retval ret Number of matches. */ -static uint32_t HttpRawHeaderPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *raw_headers, uint32_t raw_headers_len, uint8_t flags) +static inline uint32_t HttpRawHeaderPatternSearch(DetectEngineThreadCtx *det_ctx, + const uint8_t *raw_headers, const uint32_t raw_headers_len, + const uint8_t flags) { SCEnter(); - uint32_t ret; + uint32_t ret = 0; + if (flags & STREAM_TOSERVER) { DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhd_ctx_ts == NULL); - ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_ts->mpm_type]. - Search(det_ctx->sgh->mpm_hrhd_ctx_ts, &det_ctx->mtcu, - &det_ctx->pmq, raw_headers, raw_headers_len); + if (raw_headers_len >= det_ctx->sgh->mpm_hrhd_ctx_ts->minlen) { + ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_hrhd_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, raw_headers, raw_headers_len); + } } else { DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhd_ctx_tc == NULL); - ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_tc->mpm_type]. - Search(det_ctx->sgh->mpm_hrhd_ctx_tc, &det_ctx->mtcu, - &det_ctx->pmq, raw_headers, raw_headers_len); + if (raw_headers_len >= det_ctx->sgh->mpm_hrhd_ctx_tc->minlen) { + ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_tc->mpm_type]. + Search(det_ctx->sgh->mpm_hrhd_ctx_tc, &det_ctx->mtcu, + &det_ctx->pmq, raw_headers, raw_headers_len); + } } SCReturnUInt(ret); @@ -98,14 +104,16 @@ int DetectEngineRunHttpRawHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f, SCEnter(); uint32_t cnt = 0; + htp_tx_t *tx = (htp_tx_t *)txv; HtpTxUserData *tx_ud = htp_tx_get_user_data(tx); - if (tx_ud == NULL) - SCReturnInt(cnt); + if (tx_ud == NULL) { + SCReturnInt(0); + } if (flags & STREAM_TOSERVER) { if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, txv, flags) <= HTP_REQUEST_HEADERS) - SCReturnInt(cnt); + SCReturnInt(0); if (tx_ud->request_headers_raw != NULL) { cnt = HttpRawHeaderPatternSearch(det_ctx, @@ -115,10 +123,10 @@ int DetectEngineRunHttpRawHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f, } } else { if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, txv, flags) <= HTP_RESPONSE_HEADERS) - SCReturnInt(cnt); + SCReturnInt(0); if (tx_ud->response_headers_raw != NULL) { - cnt += HttpRawHeaderPatternSearch(det_ctx, + cnt = HttpRawHeaderPatternSearch(det_ctx, tx_ud->response_headers_raw, tx_ud->response_headers_raw_len, flags); diff --git a/src/detect-engine-hrhhd.c b/src/detect-engine-hrhhd.c index 732226c468..bee6cd8eff 100644 --- a/src/detect-engine-hrhhd.c +++ b/src/detect-engine-hrhhd.c @@ -70,19 +70,22 @@ * * \retval ret Number of matches. */ -static uint32_t HttpHRHPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *hrh, uint32_t hrh_len, uint8_t flags) +static inline uint32_t HttpHRHPatternSearch(DetectEngineThreadCtx *det_ctx, + const uint8_t *hrh, const uint32_t hrh_len, + const uint8_t flags) { SCEnter(); - uint32_t ret; + uint32_t ret = 0; DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT); DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhhd_ctx_ts == NULL); - ret = mpm_table[det_ctx->sgh->mpm_hrhhd_ctx_ts->mpm_type]. - Search(det_ctx->sgh->mpm_hrhhd_ctx_ts, &det_ctx->mtcu, - &det_ctx->pmq, hrh, hrh_len); + if (hrh_len >= det_ctx->sgh->mpm_hrhhd_ctx_ts->minlen) { + ret = mpm_table[det_ctx->sgh->mpm_hrhhd_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_hrhhd_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, hrh, hrh_len); + } SCReturnUInt(ret); } @@ -93,7 +96,7 @@ int DetectEngineRunHttpHRHMpm(DetectEngineThreadCtx *det_ctx, Flow *f, { uint32_t cnt = 0; htp_tx_t *tx = (htp_tx_t *)txv; - uint8_t *hname = NULL; + const uint8_t *hname = NULL; uint32_t hname_len = 0; if (tx->parsed_uri == NULL || tx->parsed_uri->hostname == NULL) { @@ -102,21 +105,22 @@ int DetectEngineRunHttpHRHMpm(DetectEngineThreadCtx *det_ctx, Flow *f, htp_header_t *h = NULL; h = (htp_header_t *)htp_table_get_c(tx->request_headers, "Host"); if (h != NULL) { - SCLogDebug("HTTP host header not present in this request"); - hname = (uint8_t *)bstr_ptr(h->value); - hname_len = bstr_len(h->value); + hname = (const uint8_t *)bstr_ptr(h->value); + if (hname != NULL) + hname_len = bstr_len(h->value); } else { + SCLogDebug("HTTP host header not present in this request"); goto end; } } else { hname = (uint8_t *)bstr_ptr(tx->parsed_uri->hostname); if (hname != NULL) hname_len = bstr_len(tx->parsed_uri->hostname); - else - goto end; } - cnt = HttpHRHPatternSearch(det_ctx, hname, hname_len, flags); + if (hname != NULL) { + cnt = HttpHRHPatternSearch(det_ctx, hname, hname_len, flags); + } end: return cnt; diff --git a/src/detect-engine-hrud.c b/src/detect-engine-hrud.c index 4249cccc3a..e7b08cf536 100644 --- a/src/detect-engine-hrud.c +++ b/src/detect-engine-hrud.c @@ -67,19 +67,22 @@ * * \retval ret Number of matches. */ -static uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *uri, uint32_t uri_len, uint8_t flags) +static inline uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *det_ctx, + const uint8_t *uri, const uint32_t uri_len, + const uint8_t flags) { SCEnter(); - uint32_t ret; + uint32_t ret = 0; DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT); DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrud_ctx_ts == NULL); - ret = mpm_table[det_ctx->sgh->mpm_hrud_ctx_ts->mpm_type]. - Search(det_ctx->sgh->mpm_hrud_ctx_ts, &det_ctx->mtcu, - &det_ctx->pmq, uri, uri_len); + if (uri_len >= det_ctx->sgh->mpm_hrud_ctx_ts->minlen) { + ret = mpm_table[det_ctx->sgh->mpm_hrud_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_hrud_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, uri, uri_len); + } SCReturnUInt(ret); } @@ -99,10 +102,10 @@ int DetectEngineRunHttpRawUriMpm(DetectEngineThreadCtx *det_ctx, Flow *f, uint32_t cnt = 0; if (tx->request_uri == NULL) goto end; + cnt = HttpRawUriPatternSearch(det_ctx, - (uint8_t *)bstr_ptr(tx->request_uri), + (const uint8_t *)bstr_ptr(tx->request_uri), bstr_len(tx->request_uri), flags); - end: SCReturnInt(cnt); } diff --git a/src/detect-engine-hsbd.c b/src/detect-engine-hsbd.c index 401296e38d..93d9adee6d 100644 --- a/src/detect-engine-hsbd.c +++ b/src/detect-engine-hsbd.c @@ -324,19 +324,22 @@ static uint8_t *DetectEngineHSBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id, * * \retval ret Number of matches. */ -static uint32_t HttpServerBodyPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *body, uint32_t body_len, uint8_t flags) +static inline uint32_t HttpServerBodyPatternSearch(DetectEngineThreadCtx *det_ctx, + const uint8_t *body, const uint32_t body_len, + const uint8_t flags) { SCEnter(); - uint32_t ret; + uint32_t ret = 0; DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT)); DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hsbd_ctx_tc == NULL); - ret = mpm_table[det_ctx->sgh->mpm_hsbd_ctx_tc->mpm_type]. - Search(det_ctx->sgh->mpm_hsbd_ctx_tc, &det_ctx->mtcu, - &det_ctx->pmq, body, body_len); + if (body_len >= det_ctx->sgh->mpm_hsbd_ctx_tc->minlen) { + ret = mpm_table[det_ctx->sgh->mpm_hsbd_ctx_tc->mpm_type]. + Search(det_ctx->sgh->mpm_hsbd_ctx_tc, &det_ctx->mtcu, + &det_ctx->pmq, body, body_len); + } SCReturnUInt(ret); } @@ -349,7 +352,7 @@ int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *de_ctx, uint32_t cnt = 0; uint32_t buffer_len = 0; uint32_t stream_start_offset = 0; - uint8_t *buffer = DetectEngineHSBDGetBufferForTX(tx, idx, + const uint8_t *buffer = DetectEngineHSBDGetBufferForTX(tx, idx, de_ctx, det_ctx, f, htp_state, flags, diff --git a/src/detect-engine-hscd.c b/src/detect-engine-hscd.c index 6fd938d184..72df1c8d5f 100644 --- a/src/detect-engine-hscd.c +++ b/src/detect-engine-hscd.c @@ -64,19 +64,22 @@ * * \retval ret Number of matches. */ -static uint32_t HttpStatCodePatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *stat_code, uint32_t stat_code_len, uint8_t flags) +static inline uint32_t HttpStatCodePatternSearch(DetectEngineThreadCtx *det_ctx, + const uint8_t *stat_code, const uint32_t stat_code_len, + const uint8_t flags) { SCEnter(); - uint32_t ret; + uint32_t ret = 0; DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT)); DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hscd_ctx_tc == NULL); - ret = mpm_table[det_ctx->sgh->mpm_hscd_ctx_tc->mpm_type]. - Search(det_ctx->sgh->mpm_hscd_ctx_tc, &det_ctx->mtcu, - &det_ctx->pmq, stat_code, stat_code_len); + if (stat_code_len >= det_ctx->sgh->mpm_hscd_ctx_tc->minlen) { + ret = mpm_table[det_ctx->sgh->mpm_hscd_ctx_tc->mpm_type]. + Search(det_ctx->sgh->mpm_hscd_ctx_tc, &det_ctx->mtcu, + &det_ctx->pmq, stat_code, stat_code_len); + } SCReturnUInt(ret); } @@ -98,9 +101,8 @@ int DetectEngineRunHttpStatCodeMpm(DetectEngineThreadCtx *det_ctx, Flow *f, goto end; cnt = HttpStatCodePatternSearch(det_ctx, - (uint8_t *)bstr_ptr(tx->response_status), - bstr_len(tx->response_status), flags); - + (const uint8_t *)bstr_ptr(tx->response_status), + bstr_len(tx->response_status), flags); end: SCReturnInt(cnt); } diff --git a/src/detect-engine-hsmd.c b/src/detect-engine-hsmd.c index 9017ebfd55..3b8a0004d9 100644 --- a/src/detect-engine-hsmd.c +++ b/src/detect-engine-hsmd.c @@ -64,19 +64,22 @@ * * \retval ret Number of matches. */ -static uint32_t HttpStatMsgPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *stat_msg, uint32_t stat_msg_len, uint8_t flags) +static inline uint32_t HttpStatMsgPatternSearch(DetectEngineThreadCtx *det_ctx, + const uint8_t *stat_msg, const uint32_t stat_msg_len, + const uint8_t flags) { SCEnter(); - uint32_t ret; + uint32_t ret = 0; DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT)); DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hsmd_ctx_tc == NULL); - ret = mpm_table[det_ctx->sgh->mpm_hsmd_ctx_tc->mpm_type]. - Search(det_ctx->sgh->mpm_hsmd_ctx_tc, &det_ctx->mtcu, - &det_ctx->pmq, stat_msg, stat_msg_len); + if (stat_msg_len >= det_ctx->sgh->mpm_hsmd_ctx_tc->minlen) { + ret = mpm_table[det_ctx->sgh->mpm_hsmd_ctx_tc->mpm_type]. + Search(det_ctx->sgh->mpm_hsmd_ctx_tc, &det_ctx->mtcu, + &det_ctx->pmq, stat_msg, stat_msg_len); + } SCReturnUInt(ret); } @@ -98,9 +101,8 @@ int DetectEngineRunHttpStatMsgMpm(DetectEngineThreadCtx *det_ctx, Flow *f, goto end; cnt = HttpStatMsgPatternSearch(det_ctx, - (uint8_t *)bstr_ptr(tx->response_message), + (const uint8_t *)bstr_ptr(tx->response_message), bstr_len(tx->response_message), flags); - end: SCReturnInt(cnt); } diff --git a/src/detect-engine-hua.c b/src/detect-engine-hua.c index 27e1383f0f..a459776b6e 100644 --- a/src/detect-engine-hua.c +++ b/src/detect-engine-hua.c @@ -63,24 +63,27 @@ * \brief Http user agent match -- searches for one pattern per signature. * * \param det_ctx Detection engine thread ctx. - * \param cookie User-Agent to inspect. - * \param cookie_len User-Agent buffer length. + * \param ua User-Agent to inspect. + * \param ua_len User-Agent buffer length. * * \retval ret Number of matches. */ -static uint32_t HttpUAPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *ua, uint32_t ua_len, uint8_t flags) +static inline uint32_t HttpUAPatternSearch(DetectEngineThreadCtx *det_ctx, + const uint8_t *ua, const uint32_t ua_len, + const uint8_t flags) { SCEnter(); - uint32_t ret; + uint32_t ret = 0; DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT); DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_huad_ctx_ts == NULL); - ret = mpm_table[det_ctx->sgh->mpm_huad_ctx_ts->mpm_type]. - Search(det_ctx->sgh->mpm_huad_ctx_ts, &det_ctx->mtcu, - &det_ctx->pmq, ua, ua_len); + if (ua_len >= det_ctx->sgh->mpm_huad_ctx_ts->minlen) { + ret = mpm_table[det_ctx->sgh->mpm_huad_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_huad_ctx_ts, &det_ctx->mtcu, + &det_ctx->pmq, ua, ua_len); + } SCReturnUInt(ret); } @@ -101,9 +104,8 @@ int DetectEngineRunHttpUAMpm(DetectEngineThreadCtx *det_ctx, Flow *f, goto end; } cnt = HttpUAPatternSearch(det_ctx, - (uint8_t *)bstr_ptr(h->value), + (const uint8_t *)bstr_ptr(h->value), bstr_len(h->value), flags); - end: return cnt; } diff --git a/src/detect-engine-payload.c b/src/detect-engine-payload.c index f952deafd0..ab63d16f86 100644 --- a/src/detect-engine-payload.c +++ b/src/detect-engine-payload.c @@ -66,9 +66,11 @@ uint32_t PacketPatternSearchWithStreamCtx(DetectEngineThreadCtx *det_ctx, SCReturnInt(0); } - ret = mpm_table[mpm_ctx->mpm_type]. - Search(mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, - p->payload, p->payload_len); + if (p->payload_len >= mpm_ctx->minlen) { + ret = mpm_table[mpm_ctx->mpm_type]. + Search(mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, + p->payload, p->payload_len); + } SCReturnInt(ret); } @@ -88,32 +90,31 @@ uint32_t StreamPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p, SCEnter(); uint32_t ret = 0; - uint8_t cnt = 0; //PrintRawDataFp(stdout, smsg->data.data, smsg->data.data_len); uint32_t r; if (flags & STREAM_TOSERVER) { for ( ; smsg != NULL; smsg = smsg->next) { - r = mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type]. - Search(det_ctx->sgh->mpm_stream_ctx_ts, &det_ctx->mtcs, - &det_ctx->pmq, smsg->data, smsg->data_len); - if (r > 0) { - ret += r; + if (smsg->data_len >= det_ctx->sgh->mpm_stream_ctx_ts->minlen) { + r = mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_stream_ctx_ts, &det_ctx->mtcs, + &det_ctx->pmq, smsg->data, smsg->data_len); + if (r > 0) { + ret += r; + } } - - cnt++; } } else if (flags & STREAM_TOCLIENT) { for ( ; smsg != NULL; smsg = smsg->next) { - r = mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type]. - Search(det_ctx->sgh->mpm_stream_ctx_tc, &det_ctx->mtcs, - &det_ctx->pmq, smsg->data, smsg->data_len); - if (r > 0) { - ret += r; + if (smsg->data_len >= det_ctx->sgh->mpm_stream_ctx_tc->minlen) { + r = mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type]. + Search(det_ctx->sgh->mpm_stream_ctx_tc, &det_ctx->mtcs, + &det_ctx->pmq, smsg->data, smsg->data_len); + if (r > 0) { + ret += r; + } } - - cnt++; } } @@ -131,7 +132,7 @@ uint32_t PacketPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p) { SCEnter(); - uint32_t ret; + uint32_t ret = 0; const MpmCtx *mpm_ctx = NULL; if (p->proto == IPPROTO_TCP) { @@ -151,6 +152,8 @@ uint32_t PacketPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p) } if (unlikely(mpm_ctx == NULL)) SCReturnInt(0); + if (p->payload_len < mpm_ctx->minlen) + SCReturnInt(0); #ifdef __SC_CUDA_SUPPORT__ if (p->cuda_pkt_vars.cuda_mpm_enabled && p->pkt_src == PKT_SRC_WIRE) { diff --git a/src/detect-engine-uri.c b/src/detect-engine-uri.c index 72a9a037bf..e88b8d7e23 100644 --- a/src/detect-engine-uri.c +++ b/src/detect-engine-uri.c @@ -56,9 +56,9 @@ * * \retval ret number of matches */ -static uint32_t UriPatternSearch(DetectEngineThreadCtx *det_ctx, - const uint8_t *uri, const uint16_t uri_len, - const uint8_t flags) +static inline uint32_t UriPatternSearch(DetectEngineThreadCtx *det_ctx, + const uint8_t *uri, const uint16_t uri_len, + const uint8_t flags) { SCEnter();