make some name changes. break PopulateMpm(). Set the avoid mpm double check flags

remotes/origin/master-1.1.x
Anoop Saldanha 15 years ago committed by Victor Julien
parent 96bf15bd74
commit eade60f0fd

@ -42,6 +42,10 @@
/** a relative match to this content is next, used in matching phase */
#define DETECT_CONTENT_RELATIVE_NEXT 0x0400
#define DETECT_CONTENT_PACKET_MPM 0x0800
#define DETECT_CONTENT_STREAM_MPM 0x1000
#define DETECT_CONTENT_URI_MPM 0x2000
#define DETECT_CONTENT_IS_SINGLE(c) (!((c)->flags & DETECT_CONTENT_DISTANCE || \
(c)->flags & DETECT_CONTENT_WITHIN || \
(c)->flags & DETECT_CONTENT_RELATIVE_NEXT || \
@ -59,10 +63,8 @@ typedef struct DetectContentData_ {
uint16_t offset;
int32_t distance;
int32_t within;
BmCtx *bm_ctx; /**< Boyer Moore context (for spm search) */
/* if someone wants to add an extra var to this structutre of size 1 byte
* you can reduce the below var to uint8_t. No problemo */
uint16_t avoid_double_check;
/* Boyer Moore context (for spm search) */
BmCtx *bm_ctx;
/* for chopped fast pattern, the offset */
uint16_t fp_chop_offset;
/* for chopped fast pattern, the length */

@ -545,209 +545,11 @@ uint32_t PatternStrength(uint8_t *pat, uint16_t patlen) {
return s;
}
/**
* \brief Setup the mpm content.
*
* \param de_ctx Pointer to the detect engine context.
* \param sgh Pointer to the signature group head against which we are
* adding patterns to the mpm ctx.
*
* \retval 0 Always.
*/
static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
SigGroupHead *sgh)
static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
SigGroupHead *sgh, Signature *s,
SigMatch *mpm_sm)
{
uint32_t sig;
uint32_t *fast_pattern = NULL;
fast_pattern = (uint32_t *)SCMalloc(sgh->sig_cnt * sizeof(uint32_t));
if (fast_pattern == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
exit(EXIT_FAILURE);
}
memset(fast_pattern, 0, sgh->sig_cnt * sizeof(uint32_t));
/* add all mpm candidates to a hash */
for (sig = 0; sig < sgh->sig_cnt; sig++) {
Signature *s = sgh->match_array[sig];
if (s == NULL)
continue;
int sig_has_no_pkt_and_stream_content = 0;
if (!SignatureHasPacketContent(s) && !SignatureHasStreamContent(s)) {
sig_has_no_pkt_and_stream_content = 1;
}
int list_id = 0;
for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) {
/* we have no keywords that support fp in this Signature sm list */
if (!SCFPDoWeSupportFPForSMList(list_id))
continue;
SigMatch *sm = NULL;
/* get the total no of patterns in this Signature, as well as find out
* if we have a fast_pattern set in this Signature */
for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) {
/* this keyword isn't registered for fp support */
if (!SCFPDoWeSupportFPForSMType(sm->type))
continue;
/* \todo once we unify the flags, this switch will go and we
* should have a much more compact function. Applies everywhere
* else where we have used a switch like this */
DetectContentData *cd = NULL;
DetectContentData *ud = NULL;
switch (sm->type) {
case DETECT_CONTENT:
if (sig_has_no_pkt_and_stream_content ||
(!(sgh->flags & SIG_GROUP_HAVECONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_COPY)) &&
!(sgh->flags & SIG_GROUP_HAVESTREAMCONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)))) {
break;
}
cd = (DetectContentData *)sm->ctx;
/* special handling of fast pattern keyword */
if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
fast_pattern[sig] = 1;
}
break;
case DETECT_URICONTENT:
if (!(sgh->flags & SIG_GROUP_HAVEURICONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_URI_COPY))) {
break;
}
ud = (DetectContentData *)sm->ctx;
/* special handling of fast pattern keyword */
if (ud->flags & DETECT_CONTENT_FAST_PATTERN) {
fast_pattern[sig] = 1;
}
break;
default:
SCLogError(SC_ERR_FATAL, "We shouldn't even be seeing this");
exit(EXIT_FAILURE);
} /* switch (sm->type) */
/* found a fast pattern for the sig. Let's get outta here */
if (fast_pattern[sig])
break;
} /* for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) */
/* found a fast pattern for the sig. Let's get outta here */
if (fast_pattern[sig])
break;
} /* for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) */
} /* for (sig = 0; sig < sgh->sig_cnt; sig++) { */
/* now determine which one to add to the mpm phase */
for (sig = 0; sig < sgh->sig_cnt; sig++) {
Signature *s = sgh->match_array[sig];
if (s == NULL)
continue;
int sig_has_no_pkt_and_stream_content = 0;
if (!SignatureHasPacketContent(s) && !SignatureHasStreamContent(s)) {
sig_has_no_pkt_and_stream_content = 1;
}
SigMatch *mpm_sm = NULL;
SigMatch *sm = NULL;
int list_id = 0;
for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) {
if (!SCFPDoWeSupportFPForSMList(list_id))
continue;
for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) {
if (!SCFPDoWeSupportFPForSMType(sm->type))
continue;
/* skip in case of:
* 1. we expect a fastpattern but this isn't it
* 2. we have a smaller content than mpm_content_maxlen */
if (fast_pattern[sig]) {
DetectContentData *cd = NULL;
DetectContentData *ud = NULL;
switch (sm->type) {
case DETECT_CONTENT:
cd = (DetectContentData *)sm->ctx;
if (!(cd->flags & DETECT_CONTENT_FAST_PATTERN)) {
SCLogDebug("not a fast pattern %"PRIu32"", co->id);
continue;
}
SCLogDebug("fast pattern %"PRIu32"", co->id);
break;
case DETECT_URICONTENT:
ud = (DetectContentData *)sm->ctx;
if (!(ud->flags & DETECT_CONTENT_FAST_PATTERN)) {
SCLogDebug("not a fast pattern %"PRIu32"", co->id);
continue;
}
SCLogDebug("fast pattern %"PRIu32"", co->id);
break;
} /* switch (sm->type) */
} else {
DetectContentData *cd = NULL;
DetectContentData *ud = NULL;
switch (sm->type) {
case DETECT_CONTENT:
if (sig_has_no_pkt_and_stream_content ||
(!(sgh->flags & SIG_GROUP_HAVECONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_COPY)) &&
!(sgh->flags & SIG_GROUP_HAVESTREAMCONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)))) {
continue;
}
cd = (DetectContentData *)sm->ctx;
if (cd->content_len < sgh->mpm_content_maxlen)
continue;
break;
case DETECT_URICONTENT:
if (!(sgh->flags & SIG_GROUP_HAVEURICONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_URI_COPY))) {
continue;
}
ud = (DetectContentData *)sm->ctx;
if (ud->content_len < sgh->mpm_uricontent_maxlen)
continue;
break;
} /* switch (sm->type) */
} /* else - if (fast_pattern[sig] == 1) */
if (mpm_sm == NULL) {
mpm_sm = sm;
if (fast_pattern[sig])
break;
} else {
DetectContentData *data1 = (DetectContentData *)sm->ctx;
DetectContentData *data2 = (DetectContentData *)mpm_sm->ctx;
uint32_t ls = PatternStrength(data1->content, data1->content_len);
uint32_t ss = PatternStrength(data2->content, data2->content_len);
if (ls > ss) {
mpm_sm = sm;
} else if (ls == ss) {
/* if 2 patterns are of equal strength, we pick the longest */
if (data1->content_len > data2->content_len)
mpm_sm = sm;
} else {
SCLogDebug("sticking with mpm_sm");
}
} /* else - if (mpm == NULL) */
} /* for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) */
if (mpm_sm != NULL && fast_pattern[sig])
break;
} /* for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) */
/* now add the mpm_ch to the mpm ctx */
/* now add the mpm_ch to the mpm ctx */
if (mpm_sm != NULL) {
uint8_t flags = 0;
@ -806,8 +608,17 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
} else {
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
/* we will revisit you my dear friend */
;//cd->avoid_double_check = 1;
if (SignatureHasPacketContent(s) &&
(sgh->flags & SIG_GROUP_HAVECONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_COPY))) {
cd->flags |= DETECT_CONTENT_PACKET_MPM;
}
if (SignatureHasStreamContent(s) &&
(sgh->flags & SIG_GROUP_HAVESTREAMCONTENT
&& !(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY))) {
cd->flags |= DETECT_CONTENT_STREAM_MPM;
}
/* see if we can bypass the match validation for this pattern */
} else {
if (!(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) &&
@ -819,12 +630,20 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
if (prev_sm != NULL) {
DetectContentData *prev_cd = (DetectContentData *)prev_sm->ctx;
if (!(prev_cd->flags & DETECT_CONTENT_RELATIVE_NEXT)) {
/* we will revisit you my dear friend */
;//cd->avoid_double_check = 1;
if (SignatureHasPacketContent(s) &&
(sgh->flags & SIG_GROUP_HAVECONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_COPY))) {
cd->flags |= DETECT_CONTENT_PACKET_MPM;
}
if (SignatureHasStreamContent(s) &&
(sgh->flags & SIG_GROUP_HAVESTREAMCONTENT
&& !(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY))) {
cd->flags |= DETECT_CONTENT_STREAM_MPM;
}
}
}
} /* if (prev_sm != NULL) */
}
} /* else - if (co->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) */
} /* else - if (co->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) */
if (SignatureHasPacketContent(s) &&
(sgh->flags & SIG_GROUP_HAVECONTENT &&
@ -896,8 +715,8 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
}
} else {
if (ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
;/* we will revisit you my dear friend */
//ud->avoid_double_check = 1;
ud->flags |= DETECT_CONTENT_URI_MPM;
/* see if we can bypass the match validation for this pattern */
} else {
if (!(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) &&
@ -909,12 +728,11 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
if (prev_sm != NULL) {
DetectContentData *prev_ud = (DetectContentData *)prev_sm->ctx;
if (!(prev_ud->flags & DETECT_CONTENT_RELATIVE_NEXT)) {
/* we will revisit you my dear friend */
;//ud->avoid_double_check = 1;
ud->flags |= DETECT_CONTENT_URI_MPM;
}
}
}
} /* else - if (ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) */
} /* else - if (ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) */
/* add the content to the "packet" mpm */
if (ud->flags & DETECT_CONTENT_NOCASE) {
@ -939,10 +757,230 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
} /* case DETECT_URICONTENT */
} /* switch (mpm_sm->type) */
SCLogDebug("%"PRIu32" adding co->id %"PRIu32" to the mpm phase (s->num %"PRIu32")", s->id, co->id, s->num);
SCLogDebug("%"PRIu32" adding co->id %"PRIu32" to the mpm phase "
"(s->num %"PRIu32")", s->id, co->id, s->num);
} else {
SCLogDebug("%"PRIu32" no mpm pattern selected", s->id);
} /* else - if (mpm_sm != NULL) */
return;
}
/**
* \internal
* \brief Helper function for PrepareGroupPopulateMpm. Used to decide if a
* pattern should be skipped or considered under certain conditions.
*
* \param sgh Pointer to the sgh.
* \param s Pointer to the signature.
* \param sm Pointer to the SigMatch which holds the content.
*
* \retval 1 If the content should be skipped.
* \retval 0 Otherwise.
*/
static int PopulateMpmSkipContent(SigGroupHead *sgh, Signature *s, SigMatch *sm)
{
switch (sm->type) {
case DETECT_CONTENT:
{
if (s->flags & SIG_FLAG_HAS_NO_PKT_AND_STREAM_CONTENT) {
return 1;
}
if (!(sgh->flags & SIG_GROUP_HAVECONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_COPY)) &&
!(sgh->flags & SIG_GROUP_HAVESTREAMCONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY))) {
return 1;
}
DetectContentData *cd = sm->ctx;
if (cd->flags & DETECT_CONTENT_FAST_PATTERN)
return 0;
if (sgh->flags & SIG_GROUP_HAVECONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_COPY) &&
sgh->flags & SIG_GROUP_HAVESTREAMCONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)) {
if (sgh->mpm_content_maxlen == sgh->mpm_streamcontent_maxlen) {
if (cd->content_len < sgh->mpm_content_maxlen)
return 1;
else
return 0;
} else if (sgh->mpm_content_maxlen < sgh->mpm_streamcontent_maxlen) {
if (cd->content_len < sgh->mpm_content_maxlen)
return 1;
else
return 0;
} else {
if (cd->content_len < sgh->mpm_streamcontent_maxlen)
return 1;
else
return 0;
}
} else if (sgh->flags & SIG_GROUP_HAVECONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_COPY)) {
if (cd->content_len < sgh->mpm_content_maxlen)
return 1;
else
return 0;
} else if (sgh->flags & SIG_GROUP_HAVESTREAMCONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)){
if (cd->content_len < sgh->mpm_streamcontent_maxlen)
return 1;
else
return 0;
}
}
case DETECT_URICONTENT:
{
if (!(sgh->flags & SIG_GROUP_HAVEURICONTENT &&
!(sgh->flags & SIG_GROUP_HEAD_MPM_URI_COPY))) {
return 1;
}
DetectContentData *cd = sm->ctx;
if (cd->flags & DETECT_CONTENT_FAST_PATTERN)
return 0;
if (cd->content_len < sgh->mpm_uricontent_maxlen)
return 1;
else
return 0;
}
default:
return 0;
}
}
/**
* \internal
* \brief Setup the mpm content.
*
* \param de_ctx Pointer to the detect engine context.
* \param sgh Pointer to the signature group head against which we are
* adding patterns to the mpm ctx.
*
* \retval 0 Always.
*/
static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
SigGroupHead *sgh)
{
uint32_t sig;
uint32_t *fast_pattern = NULL;
fast_pattern = (uint32_t *)SCMalloc(sgh->sig_cnt * sizeof(uint32_t));
if (fast_pattern == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
exit(EXIT_FAILURE);
}
memset(fast_pattern, 0, sgh->sig_cnt * sizeof(uint32_t));
/* add all mpm candidates to a hash */
for (sig = 0; sig < sgh->sig_cnt; sig++) {
Signature *s = sgh->match_array[sig];
if (s == NULL)
continue;
if (!(s->flags & SIG_FLAG_HAS_NO_PKT_AND_STREAM_CONTENT) &&
!SignatureHasPacketContent(s) && !SignatureHasStreamContent(s)) {
s->flags |= SIG_FLAG_HAS_NO_PKT_AND_STREAM_CONTENT;
}
int list_id = 0;
for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) {
/* we have no keywords that support fp in this Signature sm list */
if (!FastPatternSupportEnabledForSigMatchList(list_id))
continue;
SigMatch *sm = NULL;
/* get the total no of patterns in this Signature, as well as find out
* if we have a fast_pattern set in this Signature */
for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) {
/* this keyword isn't registered for fp support */
if (!FastPatternSupportEnabledForSigMatchType(sm->type))
continue;
if (PopulateMpmSkipContent(sgh, s, sm)) {
continue;
}
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
fast_pattern[sig] = 1;
break;
}
} /* for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) */
/* found a fast pattern for the sig. Let's get outta here */
if (fast_pattern[sig])
break;
} /* for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) */
} /* for (sig = 0; sig < sgh->sig_cnt; sig++) { */
/* now determine which one to add to the mpm phase */
for (sig = 0; sig < sgh->sig_cnt; sig++) {
Signature *s = sgh->match_array[sig];
if (s == NULL)
continue;
SigMatch *mpm_sm = NULL;
SigMatch *sm = NULL;
int list_id = 0;
for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) {
if (!FastPatternSupportEnabledForSigMatchList(list_id))
continue;
for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) {
if (!FastPatternSupportEnabledForSigMatchType(sm->type))
continue;
/* skip in case of:
* 1. we expect a fastpattern but this isn't it
* 2. we have a smaller content than mpm_content_maxlen */
if (fast_pattern[sig]) {
/* can be any content based keyword since all of them
* now use a unified structure - DetectContentData */
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (!(cd->flags & DETECT_CONTENT_FAST_PATTERN)) {
SCLogDebug("not a fast pattern %"PRIu32"", co->id);
continue;
}
SCLogDebug("fast pattern %"PRIu32"", co->id);
} else {
if (PopulateMpmSkipContent(sgh, s, sm)) {
continue;
}
} /* else - if (fast_pattern[sig] == 1) */
if (mpm_sm == NULL) {
mpm_sm = sm;
if (fast_pattern[sig])
break;
} else {
DetectContentData *data1 = (DetectContentData *)sm->ctx;
DetectContentData *data2 = (DetectContentData *)mpm_sm->ctx;
uint32_t ls = PatternStrength(data1->content, data1->content_len);
uint32_t ss = PatternStrength(data2->content, data2->content_len);
if (ls > ss) {
mpm_sm = sm;
} else if (ls == ss) {
/* if 2 patterns are of equal strength, we pick the longest */
if (data1->content_len > data2->content_len)
mpm_sm = sm;
} else {
SCLogDebug("sticking with mpm_sm");
}
} /* else - if (mpm == NULL) */
} /* for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) */
if (mpm_sm != NULL && fast_pattern[sig])
break;
} /* for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) */
PopulateMpmAddPatternToMpm(de_ctx, sgh, s, mpm_sm);
} /* for (sig = 0; sig < sgh->sig_cnt; sig++) */
if (fast_pattern != NULL)

@ -96,8 +96,13 @@ static int DoInspectPacketPayload(DetectEngineCtx *de_ctx,
/* we might have already have this content matched by the mpm.
* (if there is any other reason why we'd want to avoid checking
* it here, please fill it in) */
//if (cd->avoid_double_check)
// goto match;
if (det_ctx->flags & DETECT_ENGINE_THREAD_CTX_INSPECTING_PACKET) {
if (cd->flags & DETECT_CONTENT_PACKET_MPM)
goto match;
} else if (det_ctx->flags & DETECT_ENGINE_THREAD_CTX_INSPECTING_STREAM) {
if (cd->flags & DETECT_CONTENT_STREAM_MPM)
goto match;
}
/* rule parsers should take care of this */
BUG_ON(cd->depth != 0 && cd->depth <= cd->offset);
@ -378,8 +383,10 @@ int DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx,
det_ctx->payload_offset = 0;
det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0;
det_ctx->flags |= DETECT_ENGINE_THREAD_CTX_INSPECTING_PACKET;
r = DoInspectPacketPayload(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_PMATCH], p, f, p->payload, p->payload_len);
det_ctx->flags &= ~DETECT_ENGINE_THREAD_CTX_INSPECTING_PACKET;
if (r == 1) {
SCReturnInt(1);
}
@ -416,8 +423,12 @@ int DetectEngineInspectStreamPayload(DetectEngineCtx *de_ctx,
}
det_ctx->payload_offset = 0;
det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0;
det_ctx->flags |= DETECT_ENGINE_THREAD_CTX_INSPECTING_STREAM;
r = DoInspectPacketPayload(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_PMATCH], NULL, f, payload, payload_len);
det_ctx->flags &= ~DETECT_ENGINE_THREAD_CTX_INSPECTING_STREAM;
if (r == 1) {
SCReturnInt(1);
}

@ -101,6 +101,9 @@ static int DoInspectPacketUri(DetectEngineCtx *de_ctx,
ud = (DetectContentData *)sm->ctx;
SCLogDebug("inspecting content %"PRIu32" payload_len %"PRIu32, ud->id, payload_len);
if (ud->flags & DETECT_CONTENT_URI_MPM)
goto match;
/* rule parsers should take care of this */
BUG_ON(ud->depth != 0 && ud->depth <= ud->offset);

@ -57,7 +57,7 @@ SCFPSupportSMList *sm_fp_support_smlist_list = NULL;
*
* \param list_id SM list id.
*/
static void SCFPAddFPSupportForSMList(int list_id)
static void SupportFastPatternForSigMatchList(int list_id)
{
if (sm_fp_support_smlist_list != NULL) {
SCFPSupportSMList *tmp_smlist_fp = sm_fp_support_smlist_list;
@ -88,7 +88,7 @@ static void SCFPAddFPSupportForSMList(int list_id)
*
* \param sm_type The sigmatch for which fp support has to be added.
*/
static void SCFPAddFPSupportForSMType(uint8_t sm_type)
static void SupportFastPatternForSigMatchType(uint8_t sm_type)
{
if (sm_fp_support_smtype_list != NULL) {
SCFPSupportSMType *tmp_smtype_fp = sm_fp_support_smtype_list;
@ -117,13 +117,13 @@ static void SCFPAddFPSupportForSMType(uint8_t sm_type)
/**
* \brief Registers the keywords(SMs) that should be given fp support.
*/
void SCFPAddFPSupportForSMTypes(void)
void SupportFastPatternForSigMatchTypes(void)
{
SCFPAddFPSupportForSMType(DETECT_CONTENT);
SCFPAddFPSupportForSMList(DETECT_SM_LIST_PMATCH);
SupportFastPatternForSigMatchType(DETECT_CONTENT);
SupportFastPatternForSigMatchList(DETECT_SM_LIST_PMATCH);
SCFPAddFPSupportForSMType(DETECT_URICONTENT);
SCFPAddFPSupportForSMList(DETECT_SM_LIST_UMATCH);
SupportFastPatternForSigMatchType(DETECT_URICONTENT);
SupportFastPatternForSigMatchList(DETECT_SM_LIST_UMATCH);
return;
}

@ -49,7 +49,7 @@ extern SCFPSupportSMList *sm_fp_support_smlist_list;
* \retval 1 If supported.
* \retval 0 If not.
*/
static inline int SCFPDoWeSupportFPForSMType(uint8_t sm_type)
static inline int FastPatternSupportEnabledForSigMatchType(uint8_t sm_type)
{
if (sm_fp_support_smtype_list == NULL)
return 0;
@ -74,7 +74,7 @@ static inline int SCFPDoWeSupportFPForSMType(uint8_t sm_type)
* \retval 1 If supported.
* \retval 0 If not.
*/
static inline int SCFPDoWeSupportFPForSMList(int list_id)
static inline int FastPatternSupportEnabledForSigMatchList(int list_id)
{
if (sm_fp_support_smlist_list == NULL)
return 0;
@ -90,9 +90,7 @@ static inline int SCFPDoWeSupportFPForSMList(int list_id)
return 0;
}
void SCFPAddFPSupportForSMTypes(void);
/* not implemented as of now. If there's a need we'll implement it */
void SCFPRemoveFPSupportForSMType(uint8_t);
void SupportFastPatternForSigMatchTypes(void);
void DetectFastPatternRegister(void);

@ -233,6 +233,8 @@ typedef struct DetectPort_ {
#define SIG_FLAG_MPM_URICONTENT 0x00800000
#define SIG_FLAG_MPM_URICONTENT_NEG 0x01000000
#define SIG_FLAG_HAS_NO_PKT_AND_STREAM_CONTENT 0x02000000
/* signature mask flags */
#define SIG_MASK_REQUIRE_PAYLOAD 0x01
#define SIG_MASK_REQUIRE_FLOW 0x02
@ -248,6 +250,9 @@ typedef struct DetectPort_ {
/* for now a uint8_t is enough */
#define SignatureMask uint8_t
#define DETECT_ENGINE_THREAD_CTX_INSPECTING_PACKET 0x0001
#define DETECT_ENGINE_THREAD_CTX_INSPECTING_STREAM 0x0002
/* Detection Engine flags */
#define DE_QUIET 0x01 /**< DE is quiet (esp for unittests) */
@ -641,7 +646,8 @@ typedef struct DetectionEngineThreadCtx_ {
uint16_t counter_alerts;
/* used to discontinue any more matching */
int discontinue_matching;
uint16_t discontinue_matching;
uint16_t flags;
/* holds the current recursion depth on content inspection */
int inspection_recursion_counter;

@ -826,7 +826,7 @@ int main(int argc, char **argv)
SigTableSetup(); /* load the rule keywords */
TmqhSetup();
SCFPAddFPSupportForSMTypes();
SupportFastPatternForSigMatchTypes();
CIDRInit();
SigParsePrepare();
//PatternMatchPrepare(mpm_ctx, MPM_B2G);

Loading…
Cancel
Save