diff --git a/src/detect-content.h b/src/detect-content.h index 06ecb5e8fc..50dd4df9da 100644 --- a/src/detect-content.h +++ b/src/detect-content.h @@ -42,6 +42,10 @@ /** a relative match to this content is next, used in matching phase */ #define DETECT_CONTENT_RELATIVE_NEXT 0x0400 +#define DETECT_CONTENT_PACKET_MPM 0x0800 +#define DETECT_CONTENT_STREAM_MPM 0x1000 +#define DETECT_CONTENT_URI_MPM 0x2000 + #define DETECT_CONTENT_IS_SINGLE(c) (!((c)->flags & DETECT_CONTENT_DISTANCE || \ (c)->flags & DETECT_CONTENT_WITHIN || \ (c)->flags & DETECT_CONTENT_RELATIVE_NEXT || \ @@ -59,10 +63,8 @@ typedef struct DetectContentData_ { uint16_t offset; int32_t distance; int32_t within; - BmCtx *bm_ctx; /**< Boyer Moore context (for spm search) */ - /* if someone wants to add an extra var to this structutre of size 1 byte - * you can reduce the below var to uint8_t. No problemo */ - uint16_t avoid_double_check; + /* Boyer Moore context (for spm search) */ + BmCtx *bm_ctx; /* for chopped fast pattern, the offset */ uint16_t fp_chop_offset; /* for chopped fast pattern, the length */ diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index 7522d42ff3..551760a1f7 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -545,209 +545,11 @@ uint32_t PatternStrength(uint8_t *pat, uint16_t patlen) { return s; } -/** - * \brief Setup the mpm content. - * - * \param de_ctx Pointer to the detect engine context. - * \param sgh Pointer to the signature group head against which we are - * adding patterns to the mpm ctx. - * - * \retval 0 Always. - */ -static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx, - SigGroupHead *sgh) +static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx, + SigGroupHead *sgh, Signature *s, + SigMatch *mpm_sm) { - uint32_t sig; - uint32_t *fast_pattern = NULL; - - fast_pattern = (uint32_t *)SCMalloc(sgh->sig_cnt * sizeof(uint32_t)); - if (fast_pattern == NULL) { - SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); - exit(EXIT_FAILURE); - } - memset(fast_pattern, 0, sgh->sig_cnt * sizeof(uint32_t)); - - /* add all mpm candidates to a hash */ - for (sig = 0; sig < sgh->sig_cnt; sig++) { - Signature *s = sgh->match_array[sig]; - if (s == NULL) - continue; - - int sig_has_no_pkt_and_stream_content = 0; - if (!SignatureHasPacketContent(s) && !SignatureHasStreamContent(s)) { - sig_has_no_pkt_and_stream_content = 1; - } - - int list_id = 0; - for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) { - /* we have no keywords that support fp in this Signature sm list */ - if (!SCFPDoWeSupportFPForSMList(list_id)) - continue; - - SigMatch *sm = NULL; - /* get the total no of patterns in this Signature, as well as find out - * if we have a fast_pattern set in this Signature */ - for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) { - /* this keyword isn't registered for fp support */ - if (!SCFPDoWeSupportFPForSMType(sm->type)) - continue; - - /* \todo once we unify the flags, this switch will go and we - * should have a much more compact function. Applies everywhere - * else where we have used a switch like this */ - DetectContentData *cd = NULL; - DetectContentData *ud = NULL; - switch (sm->type) { - case DETECT_CONTENT: - if (sig_has_no_pkt_and_stream_content || - (!(sgh->flags & SIG_GROUP_HAVECONTENT && - !(sgh->flags & SIG_GROUP_HEAD_MPM_COPY)) && - !(sgh->flags & SIG_GROUP_HAVESTREAMCONTENT && - !(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)))) { - break; - } - cd = (DetectContentData *)sm->ctx; - /* special handling of fast pattern keyword */ - if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { - fast_pattern[sig] = 1; - } - - break; - - case DETECT_URICONTENT: - if (!(sgh->flags & SIG_GROUP_HAVEURICONTENT && - !(sgh->flags & SIG_GROUP_HEAD_MPM_URI_COPY))) { - break; - } - ud = (DetectContentData *)sm->ctx; - /* special handling of fast pattern keyword */ - if (ud->flags & DETECT_CONTENT_FAST_PATTERN) { - fast_pattern[sig] = 1; - } - - break; - - default: - SCLogError(SC_ERR_FATAL, "We shouldn't even be seeing this"); - exit(EXIT_FAILURE); - } /* switch (sm->type) */ - - /* found a fast pattern for the sig. Let's get outta here */ - if (fast_pattern[sig]) - break; - } /* for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) */ - - /* found a fast pattern for the sig. Let's get outta here */ - if (fast_pattern[sig]) - break; - } /* for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) */ - } /* for (sig = 0; sig < sgh->sig_cnt; sig++) { */ - - /* now determine which one to add to the mpm phase */ - for (sig = 0; sig < sgh->sig_cnt; sig++) { - Signature *s = sgh->match_array[sig]; - if (s == NULL) - continue; - - int sig_has_no_pkt_and_stream_content = 0; - if (!SignatureHasPacketContent(s) && !SignatureHasStreamContent(s)) { - sig_has_no_pkt_and_stream_content = 1; - } - - SigMatch *mpm_sm = NULL; - SigMatch *sm = NULL; - int list_id = 0; - for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) { - if (!SCFPDoWeSupportFPForSMList(list_id)) - continue; - - for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) { - if (!SCFPDoWeSupportFPForSMType(sm->type)) - continue; - - /* skip in case of: - * 1. we expect a fastpattern but this isn't it - * 2. we have a smaller content than mpm_content_maxlen */ - if (fast_pattern[sig]) { - DetectContentData *cd = NULL; - DetectContentData *ud = NULL; - switch (sm->type) { - case DETECT_CONTENT: - cd = (DetectContentData *)sm->ctx; - if (!(cd->flags & DETECT_CONTENT_FAST_PATTERN)) { - SCLogDebug("not a fast pattern %"PRIu32"", co->id); - continue; - } - SCLogDebug("fast pattern %"PRIu32"", co->id); - - break; - - case DETECT_URICONTENT: - ud = (DetectContentData *)sm->ctx; - if (!(ud->flags & DETECT_CONTENT_FAST_PATTERN)) { - SCLogDebug("not a fast pattern %"PRIu32"", co->id); - continue; - } - SCLogDebug("fast pattern %"PRIu32"", co->id); - - break; - } /* switch (sm->type) */ - } else { - DetectContentData *cd = NULL; - DetectContentData *ud = NULL; - switch (sm->type) { - case DETECT_CONTENT: - if (sig_has_no_pkt_and_stream_content || - (!(sgh->flags & SIG_GROUP_HAVECONTENT && - !(sgh->flags & SIG_GROUP_HEAD_MPM_COPY)) && - !(sgh->flags & SIG_GROUP_HAVESTREAMCONTENT && - !(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)))) { - continue; - } - cd = (DetectContentData *)sm->ctx; - if (cd->content_len < sgh->mpm_content_maxlen) - continue; - - break; - - case DETECT_URICONTENT: - if (!(sgh->flags & SIG_GROUP_HAVEURICONTENT && - !(sgh->flags & SIG_GROUP_HEAD_MPM_URI_COPY))) { - continue; - } - ud = (DetectContentData *)sm->ctx; - if (ud->content_len < sgh->mpm_uricontent_maxlen) - continue; - - break; - } /* switch (sm->type) */ - } /* else - if (fast_pattern[sig] == 1) */ - - if (mpm_sm == NULL) { - mpm_sm = sm; - if (fast_pattern[sig]) - break; - } else { - DetectContentData *data1 = (DetectContentData *)sm->ctx; - DetectContentData *data2 = (DetectContentData *)mpm_sm->ctx; - uint32_t ls = PatternStrength(data1->content, data1->content_len); - uint32_t ss = PatternStrength(data2->content, data2->content_len); - if (ls > ss) { - mpm_sm = sm; - } else if (ls == ss) { - /* if 2 patterns are of equal strength, we pick the longest */ - if (data1->content_len > data2->content_len) - mpm_sm = sm; - } else { - SCLogDebug("sticking with mpm_sm"); - } - } /* else - if (mpm == NULL) */ - } /* for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) */ - if (mpm_sm != NULL && fast_pattern[sig]) - break; - } /* for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) */ - - /* now add the mpm_ch to the mpm ctx */ + /* now add the mpm_ch to the mpm ctx */ if (mpm_sm != NULL) { uint8_t flags = 0; @@ -806,8 +608,17 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx, } else { if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - /* we will revisit you my dear friend */ - ;//cd->avoid_double_check = 1; + if (SignatureHasPacketContent(s) && + (sgh->flags & SIG_GROUP_HAVECONTENT && + !(sgh->flags & SIG_GROUP_HEAD_MPM_COPY))) { + cd->flags |= DETECT_CONTENT_PACKET_MPM; + } + if (SignatureHasStreamContent(s) && + (sgh->flags & SIG_GROUP_HAVESTREAMCONTENT + && !(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY))) { + cd->flags |= DETECT_CONTENT_STREAM_MPM; + } + /* see if we can bypass the match validation for this pattern */ } else { if (!(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) && @@ -819,12 +630,20 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx, if (prev_sm != NULL) { DetectContentData *prev_cd = (DetectContentData *)prev_sm->ctx; if (!(prev_cd->flags & DETECT_CONTENT_RELATIVE_NEXT)) { - /* we will revisit you my dear friend */ - ;//cd->avoid_double_check = 1; + if (SignatureHasPacketContent(s) && + (sgh->flags & SIG_GROUP_HAVECONTENT && + !(sgh->flags & SIG_GROUP_HEAD_MPM_COPY))) { + cd->flags |= DETECT_CONTENT_PACKET_MPM; + } + if (SignatureHasStreamContent(s) && + (sgh->flags & SIG_GROUP_HAVESTREAMCONTENT + && !(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY))) { + cd->flags |= DETECT_CONTENT_STREAM_MPM; + } } - } + } /* if (prev_sm != NULL) */ } - } /* else - if (co->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) */ + } /* else - if (co->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) */ if (SignatureHasPacketContent(s) && (sgh->flags & SIG_GROUP_HAVECONTENT && @@ -896,8 +715,8 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx, } } else { if (ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { - ;/* we will revisit you my dear friend */ - //ud->avoid_double_check = 1; + ud->flags |= DETECT_CONTENT_URI_MPM; + /* see if we can bypass the match validation for this pattern */ } else { if (!(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) && @@ -909,12 +728,11 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx, if (prev_sm != NULL) { DetectContentData *prev_ud = (DetectContentData *)prev_sm->ctx; if (!(prev_ud->flags & DETECT_CONTENT_RELATIVE_NEXT)) { - /* we will revisit you my dear friend */ - ;//ud->avoid_double_check = 1; + ud->flags |= DETECT_CONTENT_URI_MPM; } } } - } /* else - if (ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) */ + } /* else - if (ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) */ /* add the content to the "packet" mpm */ if (ud->flags & DETECT_CONTENT_NOCASE) { @@ -939,10 +757,230 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx, } /* case DETECT_URICONTENT */ } /* switch (mpm_sm->type) */ - SCLogDebug("%"PRIu32" adding co->id %"PRIu32" to the mpm phase (s->num %"PRIu32")", s->id, co->id, s->num); + SCLogDebug("%"PRIu32" adding co->id %"PRIu32" to the mpm phase " + "(s->num %"PRIu32")", s->id, co->id, s->num); } else { SCLogDebug("%"PRIu32" no mpm pattern selected", s->id); } /* else - if (mpm_sm != NULL) */ + + return; +} + +/** + * \internal + * \brief Helper function for PrepareGroupPopulateMpm. Used to decide if a + * pattern should be skipped or considered under certain conditions. + * + * \param sgh Pointer to the sgh. + * \param s Pointer to the signature. + * \param sm Pointer to the SigMatch which holds the content. + * + * \retval 1 If the content should be skipped. + * \retval 0 Otherwise. + */ +static int PopulateMpmSkipContent(SigGroupHead *sgh, Signature *s, SigMatch *sm) +{ + switch (sm->type) { + case DETECT_CONTENT: + { + if (s->flags & SIG_FLAG_HAS_NO_PKT_AND_STREAM_CONTENT) { + return 1; + } + + if (!(sgh->flags & SIG_GROUP_HAVECONTENT && + !(sgh->flags & SIG_GROUP_HEAD_MPM_COPY)) && + !(sgh->flags & SIG_GROUP_HAVESTREAMCONTENT && + !(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY))) { + return 1; + } + + DetectContentData *cd = sm->ctx; + if (cd->flags & DETECT_CONTENT_FAST_PATTERN) + return 0; + + if (sgh->flags & SIG_GROUP_HAVECONTENT && + !(sgh->flags & SIG_GROUP_HEAD_MPM_COPY) && + sgh->flags & SIG_GROUP_HAVESTREAMCONTENT && + !(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)) { + if (sgh->mpm_content_maxlen == sgh->mpm_streamcontent_maxlen) { + if (cd->content_len < sgh->mpm_content_maxlen) + return 1; + else + return 0; + } else if (sgh->mpm_content_maxlen < sgh->mpm_streamcontent_maxlen) { + if (cd->content_len < sgh->mpm_content_maxlen) + return 1; + else + return 0; + } else { + if (cd->content_len < sgh->mpm_streamcontent_maxlen) + return 1; + else + return 0; + } + } else if (sgh->flags & SIG_GROUP_HAVECONTENT && + !(sgh->flags & SIG_GROUP_HEAD_MPM_COPY)) { + if (cd->content_len < sgh->mpm_content_maxlen) + return 1; + else + return 0; + } else if (sgh->flags & SIG_GROUP_HAVESTREAMCONTENT && + !(sgh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)){ + if (cd->content_len < sgh->mpm_streamcontent_maxlen) + return 1; + else + return 0; + } + } + + case DETECT_URICONTENT: + { + if (!(sgh->flags & SIG_GROUP_HAVEURICONTENT && + !(sgh->flags & SIG_GROUP_HEAD_MPM_URI_COPY))) { + return 1; + } + + DetectContentData *cd = sm->ctx; + if (cd->flags & DETECT_CONTENT_FAST_PATTERN) + return 0; + + if (cd->content_len < sgh->mpm_uricontent_maxlen) + return 1; + else + return 0; + } + + default: + return 0; + } + +} + +/** + * \internal + * \brief Setup the mpm content. + * + * \param de_ctx Pointer to the detect engine context. + * \param sgh Pointer to the signature group head against which we are + * adding patterns to the mpm ctx. + * + * \retval 0 Always. + */ +static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx, + SigGroupHead *sgh) +{ + uint32_t sig; + uint32_t *fast_pattern = NULL; + + fast_pattern = (uint32_t *)SCMalloc(sgh->sig_cnt * sizeof(uint32_t)); + if (fast_pattern == NULL) { + SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); + exit(EXIT_FAILURE); + } + memset(fast_pattern, 0, sgh->sig_cnt * sizeof(uint32_t)); + + /* add all mpm candidates to a hash */ + for (sig = 0; sig < sgh->sig_cnt; sig++) { + Signature *s = sgh->match_array[sig]; + if (s == NULL) + continue; + + if (!(s->flags & SIG_FLAG_HAS_NO_PKT_AND_STREAM_CONTENT) && + !SignatureHasPacketContent(s) && !SignatureHasStreamContent(s)) { + s->flags |= SIG_FLAG_HAS_NO_PKT_AND_STREAM_CONTENT; + } + + int list_id = 0; + for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) { + /* we have no keywords that support fp in this Signature sm list */ + if (!FastPatternSupportEnabledForSigMatchList(list_id)) + continue; + + SigMatch *sm = NULL; + /* get the total no of patterns in this Signature, as well as find out + * if we have a fast_pattern set in this Signature */ + for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) { + /* this keyword isn't registered for fp support */ + if (!FastPatternSupportEnabledForSigMatchType(sm->type)) + continue; + + if (PopulateMpmSkipContent(sgh, s, sm)) { + continue; + } + + DetectContentData *cd = (DetectContentData *)sm->ctx; + if (cd->flags & DETECT_CONTENT_FAST_PATTERN) { + fast_pattern[sig] = 1; + break; + } + } /* for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) */ + + /* found a fast pattern for the sig. Let's get outta here */ + if (fast_pattern[sig]) + break; + } /* for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) */ + } /* for (sig = 0; sig < sgh->sig_cnt; sig++) { */ + + /* now determine which one to add to the mpm phase */ + for (sig = 0; sig < sgh->sig_cnt; sig++) { + Signature *s = sgh->match_array[sig]; + if (s == NULL) + continue; + + SigMatch *mpm_sm = NULL; + SigMatch *sm = NULL; + int list_id = 0; + for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) { + if (!FastPatternSupportEnabledForSigMatchList(list_id)) + continue; + + for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) { + if (!FastPatternSupportEnabledForSigMatchType(sm->type)) + continue; + + /* skip in case of: + * 1. we expect a fastpattern but this isn't it + * 2. we have a smaller content than mpm_content_maxlen */ + if (fast_pattern[sig]) { + /* can be any content based keyword since all of them + * now use a unified structure - DetectContentData */ + DetectContentData *cd = (DetectContentData *)sm->ctx; + if (!(cd->flags & DETECT_CONTENT_FAST_PATTERN)) { + SCLogDebug("not a fast pattern %"PRIu32"", co->id); + continue; + } + SCLogDebug("fast pattern %"PRIu32"", co->id); + } else { + if (PopulateMpmSkipContent(sgh, s, sm)) { + continue; + } + } /* else - if (fast_pattern[sig] == 1) */ + + if (mpm_sm == NULL) { + mpm_sm = sm; + if (fast_pattern[sig]) + break; + } else { + DetectContentData *data1 = (DetectContentData *)sm->ctx; + DetectContentData *data2 = (DetectContentData *)mpm_sm->ctx; + uint32_t ls = PatternStrength(data1->content, data1->content_len); + uint32_t ss = PatternStrength(data2->content, data2->content_len); + if (ls > ss) { + mpm_sm = sm; + } else if (ls == ss) { + /* if 2 patterns are of equal strength, we pick the longest */ + if (data1->content_len > data2->content_len) + mpm_sm = sm; + } else { + SCLogDebug("sticking with mpm_sm"); + } + } /* else - if (mpm == NULL) */ + } /* for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) */ + if (mpm_sm != NULL && fast_pattern[sig]) + break; + } /* for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) */ + + PopulateMpmAddPatternToMpm(de_ctx, sgh, s, mpm_sm); } /* for (sig = 0; sig < sgh->sig_cnt; sig++) */ if (fast_pattern != NULL) diff --git a/src/detect-engine-payload.c b/src/detect-engine-payload.c index 5151839a02..b37e525dab 100644 --- a/src/detect-engine-payload.c +++ b/src/detect-engine-payload.c @@ -96,8 +96,13 @@ static int DoInspectPacketPayload(DetectEngineCtx *de_ctx, /* we might have already have this content matched by the mpm. * (if there is any other reason why we'd want to avoid checking * it here, please fill it in) */ - //if (cd->avoid_double_check) - // goto match; + if (det_ctx->flags & DETECT_ENGINE_THREAD_CTX_INSPECTING_PACKET) { + if (cd->flags & DETECT_CONTENT_PACKET_MPM) + goto match; + } else if (det_ctx->flags & DETECT_ENGINE_THREAD_CTX_INSPECTING_STREAM) { + if (cd->flags & DETECT_CONTENT_STREAM_MPM) + goto match; + } /* rule parsers should take care of this */ BUG_ON(cd->depth != 0 && cd->depth <= cd->offset); @@ -378,8 +383,10 @@ int DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, det_ctx->payload_offset = 0; det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; + det_ctx->flags |= DETECT_ENGINE_THREAD_CTX_INSPECTING_PACKET; r = DoInspectPacketPayload(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_PMATCH], p, f, p->payload, p->payload_len); + det_ctx->flags &= ~DETECT_ENGINE_THREAD_CTX_INSPECTING_PACKET; if (r == 1) { SCReturnInt(1); } @@ -416,8 +423,12 @@ int DetectEngineInspectStreamPayload(DetectEngineCtx *de_ctx, } det_ctx->payload_offset = 0; + det_ctx->discontinue_matching = 0; + det_ctx->inspection_recursion_counter = 0; + det_ctx->flags |= DETECT_ENGINE_THREAD_CTX_INSPECTING_STREAM; r = DoInspectPacketPayload(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_PMATCH], NULL, f, payload, payload_len); + det_ctx->flags &= ~DETECT_ENGINE_THREAD_CTX_INSPECTING_STREAM; if (r == 1) { SCReturnInt(1); } diff --git a/src/detect-engine-uri.c b/src/detect-engine-uri.c index 5be162e765..9d16beab56 100644 --- a/src/detect-engine-uri.c +++ b/src/detect-engine-uri.c @@ -101,6 +101,9 @@ static int DoInspectPacketUri(DetectEngineCtx *de_ctx, ud = (DetectContentData *)sm->ctx; SCLogDebug("inspecting content %"PRIu32" payload_len %"PRIu32, ud->id, payload_len); + if (ud->flags & DETECT_CONTENT_URI_MPM) + goto match; + /* rule parsers should take care of this */ BUG_ON(ud->depth != 0 && ud->depth <= ud->offset); diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index 39e99dbe68..00b16290b2 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c @@ -57,7 +57,7 @@ SCFPSupportSMList *sm_fp_support_smlist_list = NULL; * * \param list_id SM list id. */ -static void SCFPAddFPSupportForSMList(int list_id) +static void SupportFastPatternForSigMatchList(int list_id) { if (sm_fp_support_smlist_list != NULL) { SCFPSupportSMList *tmp_smlist_fp = sm_fp_support_smlist_list; @@ -88,7 +88,7 @@ static void SCFPAddFPSupportForSMList(int list_id) * * \param sm_type The sigmatch for which fp support has to be added. */ -static void SCFPAddFPSupportForSMType(uint8_t sm_type) +static void SupportFastPatternForSigMatchType(uint8_t sm_type) { if (sm_fp_support_smtype_list != NULL) { SCFPSupportSMType *tmp_smtype_fp = sm_fp_support_smtype_list; @@ -117,13 +117,13 @@ static void SCFPAddFPSupportForSMType(uint8_t sm_type) /** * \brief Registers the keywords(SMs) that should be given fp support. */ -void SCFPAddFPSupportForSMTypes(void) +void SupportFastPatternForSigMatchTypes(void) { - SCFPAddFPSupportForSMType(DETECT_CONTENT); - SCFPAddFPSupportForSMList(DETECT_SM_LIST_PMATCH); + SupportFastPatternForSigMatchType(DETECT_CONTENT); + SupportFastPatternForSigMatchList(DETECT_SM_LIST_PMATCH); - SCFPAddFPSupportForSMType(DETECT_URICONTENT); - SCFPAddFPSupportForSMList(DETECT_SM_LIST_UMATCH); + SupportFastPatternForSigMatchType(DETECT_URICONTENT); + SupportFastPatternForSigMatchList(DETECT_SM_LIST_UMATCH); return; } diff --git a/src/detect-fast-pattern.h b/src/detect-fast-pattern.h index cdb717fa90..bcc56a72ef 100644 --- a/src/detect-fast-pattern.h +++ b/src/detect-fast-pattern.h @@ -49,7 +49,7 @@ extern SCFPSupportSMList *sm_fp_support_smlist_list; * \retval 1 If supported. * \retval 0 If not. */ -static inline int SCFPDoWeSupportFPForSMType(uint8_t sm_type) +static inline int FastPatternSupportEnabledForSigMatchType(uint8_t sm_type) { if (sm_fp_support_smtype_list == NULL) return 0; @@ -74,7 +74,7 @@ static inline int SCFPDoWeSupportFPForSMType(uint8_t sm_type) * \retval 1 If supported. * \retval 0 If not. */ -static inline int SCFPDoWeSupportFPForSMList(int list_id) +static inline int FastPatternSupportEnabledForSigMatchList(int list_id) { if (sm_fp_support_smlist_list == NULL) return 0; @@ -90,9 +90,7 @@ static inline int SCFPDoWeSupportFPForSMList(int list_id) return 0; } -void SCFPAddFPSupportForSMTypes(void); -/* not implemented as of now. If there's a need we'll implement it */ -void SCFPRemoveFPSupportForSMType(uint8_t); +void SupportFastPatternForSigMatchTypes(void); void DetectFastPatternRegister(void); diff --git a/src/detect.h b/src/detect.h index 3bd4ef8879..edb633ebd7 100644 --- a/src/detect.h +++ b/src/detect.h @@ -233,6 +233,8 @@ typedef struct DetectPort_ { #define SIG_FLAG_MPM_URICONTENT 0x00800000 #define SIG_FLAG_MPM_URICONTENT_NEG 0x01000000 +#define SIG_FLAG_HAS_NO_PKT_AND_STREAM_CONTENT 0x02000000 + /* signature mask flags */ #define SIG_MASK_REQUIRE_PAYLOAD 0x01 #define SIG_MASK_REQUIRE_FLOW 0x02 @@ -248,6 +250,9 @@ typedef struct DetectPort_ { /* for now a uint8_t is enough */ #define SignatureMask uint8_t +#define DETECT_ENGINE_THREAD_CTX_INSPECTING_PACKET 0x0001 +#define DETECT_ENGINE_THREAD_CTX_INSPECTING_STREAM 0x0002 + /* Detection Engine flags */ #define DE_QUIET 0x01 /**< DE is quiet (esp for unittests) */ @@ -641,7 +646,8 @@ typedef struct DetectionEngineThreadCtx_ { uint16_t counter_alerts; /* used to discontinue any more matching */ - int discontinue_matching; + uint16_t discontinue_matching; + uint16_t flags; /* holds the current recursion depth on content inspection */ int inspection_recursion_counter; diff --git a/src/suricata.c b/src/suricata.c index 6a13d55f9c..72ef763258 100644 --- a/src/suricata.c +++ b/src/suricata.c @@ -826,7 +826,7 @@ int main(int argc, char **argv) SigTableSetup(); /* load the rule keywords */ TmqhSetup(); - SCFPAddFPSupportForSMTypes(); + SupportFastPatternForSigMatchTypes(); CIDRInit(); SigParsePrepare(); //PatternMatchPrepare(mpm_ctx, MPM_B2G);