diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c
index 2c7031799a..5501820d92 100644
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@@ -335,70 +335,111 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, SCLogDebug("s->id %"PRIu32, s->id); /* Check the uricontent, http client body, http header keywords here */ - if (alproto == ALPROTO_HTTP && (flags & STREAM_TOSERVER)) { - if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_URI_INSPECT; - - SCLogDebug("inspecting uri"); - - if (DetectEngineInspectPacketUris(de_ctx, det_ctx, s, f, - flags, alstate) == 1) - { - SCLogDebug("uri matched"); - match_flags |= DE_STATE_FLAG_URI_MATCH; - } else { - SCLogDebug("uri inspected but no match"); + if (alproto == ALPROTO_HTTP) { + if (flags & STREAM_TOSERVER) { + if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) { + inspect_flags |= DE_STATE_FLAG_URI_INSPECT; + + SCLogDebug("inspecting uri"); + + if (DetectEngineInspectPacketUris(de_ctx, det_ctx, s, f, + flags, alstate) == 1) + { + SCLogDebug("uri matched"); + match_flags |= DE_STATE_FLAG_URI_MATCH; + } else { + SCLogDebug("uri inspected but no match"); + } } - } - if (s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HCBD_INSPECT; - if (DetectEngineInspectHttpClientBody(de_ctx, det_ctx, s, f, - flags, alstate) == 1) { - match_flags |= DE_STATE_FLAG_HCBD_MATCH; + if (s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL) { + inspect_flags |= DE_STATE_FLAG_HCBD_INSPECT; + if (DetectEngineInspectHttpClientBody(de_ctx, det_ctx, s, f, + flags, alstate) == 1) { + match_flags |= DE_STATE_FLAG_HCBD_MATCH; + } + SCLogDebug("inspecting http client body"); } - SCLogDebug("inspecting http client body"); - } - if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HHD_INSPECT; - if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f, - flags, alstate) == 1) { - match_flags |= DE_STATE_FLAG_HHD_MATCH; + if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) { + inspect_flags |= DE_STATE_FLAG_HHD_INSPECT; + if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f, + flags, 
alstate) == 1) { + match_flags |= DE_STATE_FLAG_HHD_MATCH; + } + SCLogDebug("inspecting http header"); } - SCLogDebug("inspecting http header"); - } - if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HRHD_INSPECT; - if (DetectEngineInspectHttpRawHeader(de_ctx, det_ctx, s, f, - flags, alstate) == 1) { - match_flags |= DE_STATE_FLAG_HRHD_MATCH; + if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) { + inspect_flags |= DE_STATE_FLAG_HRHD_INSPECT; + if (DetectEngineInspectHttpRawHeader(de_ctx, det_ctx, s, f, + flags, alstate) == 1) { + match_flags |= DE_STATE_FLAG_HRHD_MATCH; + } + SCLogDebug("inspecting http raw header"); } - SCLogDebug("inspecting http raw header"); - } - if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HMD_INSPECT; - if (DetectEngineInspectHttpMethod(de_ctx, det_ctx, s, f, - flags, alstate) == 1) { - match_flags |= DE_STATE_FLAG_HMD_MATCH; + if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) { + inspect_flags |= DE_STATE_FLAG_HMD_INSPECT; + if (DetectEngineInspectHttpMethod(de_ctx, det_ctx, s, f, + flags, alstate) == 1) { + match_flags |= DE_STATE_FLAG_HMD_MATCH; + } + SCLogDebug("inspecting http method"); } - SCLogDebug("inspecting http method"); - } - if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HCD_INSPECT; - if (DetectEngineInspectHttpCookie(de_ctx, det_ctx, s, f, - flags, alstate) == 1) { - match_flags |= DE_STATE_FLAG_HCD_MATCH; + if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) { + inspect_flags |= DE_STATE_FLAG_HCD_INSPECT; + if (DetectEngineInspectHttpCookie(de_ctx, det_ctx, s, f, + flags, alstate) == 1) { + match_flags |= DE_STATE_FLAG_HCD_MATCH; + } + SCLogDebug("inspecting http cookie"); } - SCLogDebug("inspecting http cookie"); - } - if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HRUD_INSPECT; - if (DetectEngineInspectHttpRawUri(de_ctx, det_ctx, s, f, - flags, alstate) == 1) { - 
match_flags |= DE_STATE_FLAG_HRUD_MATCH; + if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) { + inspect_flags |= DE_STATE_FLAG_HRUD_INSPECT; + if (DetectEngineInspectHttpRawUri(de_ctx, det_ctx, s, f, + flags, alstate) == 1) { + match_flags |= DE_STATE_FLAG_HRUD_MATCH; + } + SCLogDebug("inspecting http raw uri"); + } + } else if (flags & STREAM_TOCLIENT) { + /* For to client set the flags in inspect so it can't match + * if the sig requires something only the request has. The rest + * will be inspected in the opposite direction. */ + if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) { + inspect_flags |= DE_STATE_FLAG_URI_INSPECT; + } + if (s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL) { + inspect_flags |= DE_STATE_FLAG_HCBD_INSPECT; + } + if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) { + inspect_flags |= DE_STATE_FLAG_HHD_INSPECT; + if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f, + flags, alstate) == 1) { + match_flags |= DE_STATE_FLAG_HHD_MATCH; + } + SCLogDebug("inspecting http header"); + } + if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) { + inspect_flags |= DE_STATE_FLAG_HRHD_INSPECT; + if (DetectEngineInspectHttpRawHeader(de_ctx, det_ctx, s, f, + flags, alstate) == 1) { + match_flags |= DE_STATE_FLAG_HRHD_MATCH; + } + SCLogDebug("inspecting http raw header"); + } + if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) { + inspect_flags |= DE_STATE_FLAG_HMD_INSPECT; + } + if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) { + inspect_flags |= DE_STATE_FLAG_HCD_INSPECT; + if (DetectEngineInspectHttpCookie(de_ctx, det_ctx, s, f, + flags, alstate) == 1) { + match_flags |= DE_STATE_FLAG_HCD_MATCH; + } + SCLogDebug("inspecting http cookie"); + } + if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) { + inspect_flags |= DE_STATE_FLAG_HRUD_INSPECT; } - SCLogDebug("inspecting http raw uri"); } - } else if (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) { if (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL) { inspect_flags |= 
DE_STATE_FLAG_DCE_INSPECT; @@ -467,7 +508,8 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, } } - SCLogDebug("detection done, store results: sm %p, match_flags %04X", sm, match_flags); + SCLogDebug("detection done, store results: sm %p, inspect_flags %04X, " + "match_flags %04X", sm, inspect_flags, match_flags); SCMutexLock(&f->de_state_m); /* match or no match, we store the state anyway diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c index c7a58754fb..ff1db74739 100644 --- a/src/detect-http-cookie.c +++ b/src/detect-http-cookie.c @@ -176,7 +176,7 @@ static int DetectHttpCookieSetup (DetectEngineCtx *de_ctx, Signature *s, char *s cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_AL_HTTP_COOKIE); sm->type = DETECT_AL_HTTP_COOKIE; - /* transfer the sm from the pmatch list to hmdmatch list */ + /* transfer the sm from the pmatch list to hcdmatch list */ SigMatchTransferSigMatchAcrossLists(sm, &s->sm_lists[DETECT_SM_LIST_PMATCH], &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], diff --git a/src/detect.c b/src/detect.c index fc1290e7bb..61f0315c55 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1573,8 +1573,14 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh } } - SCLogDebug("s->sm_lists[DETECT_SM_LIST_AMATCH] %p, s->sm_lists[DETECT_SM_LIST_UMATCH] %p, s->sm_lists[DETECT_SM_LIST_DMATCH] %p", - s->sm_lists[DETECT_SM_LIST_AMATCH], s->sm_lists[DETECT_SM_LIST_UMATCH], s->sm_lists[DETECT_SM_LIST_DMATCH]); + SCLogDebug("s->sm_lists[DETECT_SM_LIST_AMATCH] %p, " + "s->sm_lists[DETECT_SM_LIST_UMATCH] %p, " + "s->sm_lists[DETECT_SM_LIST_DMATCH] %p, " + "s->sm_lists[DETECT_SM_LIST_HCDMATCH] %p", + s->sm_lists[DETECT_SM_LIST_AMATCH], + s->sm_lists[DETECT_SM_LIST_UMATCH], + s->sm_lists[DETECT_SM_LIST_DMATCH], + s->sm_lists[DETECT_SM_LIST_HCDMATCH]); /* consider stateful sig matches */ if (s->flags & SIG_FLAG_STATE_MATCH) {
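Review bot: The new `else if (flags & STREAM_TOCLIENT)` branch repeats the HHD/HRHD/HCD inspection blocks verbatim and encodes the "request-only" set (URI, client body, method, raw URI) a second time, independently of the toserver branch, so the two lists can drift: a buffer later added to the toserver inspection but not to the toclient mark-only list would let a signature that needs it reach a full match from the response side alone, which is exactly what the comment says the branch exists to prevent. I would fold both directions into one pass keyed on a `to_server` flag so each buffer is listed once with its direction handling next to it (sketch below). Whether `DetectEngineInspectHttpCookie` and the two header inspectors actually read response-side data when called with STREAM_TOCLIENT is not visible in this hunk; worth confirming, since otherwise the toclient calls only set the inspect bit at the cost of a wasted inspection. DeStateDetectStartDetection begins before this hunk and continues past it.
```c
    if (alproto == ALPROTO_HTTP) {
        const int to_server = (flags & STREAM_TOSERVER) != 0;
        const int to_client = (flags & STREAM_TOCLIENT) != 0;

        if (to_server || to_client) {
            /* Request-only buffers: inspected toserver; toclient they are
             * only marked as inspected, so a sig that needs them cannot
             * complete on the response alone. One list for both directions. */
            if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) {
                inspect_flags |= DE_STATE_FLAG_URI_INSPECT;
                if (to_server && DetectEngineInspectPacketUris(de_ctx, det_ctx, s, f,
                                                               flags, alstate) == 1) {
                    match_flags |= DE_STATE_FLAG_URI_MATCH;
                }
            }
            /* … same shape for HCBD, HMD and HRUD (request-only) … */

            /* Buffers that exist in both directions: always inspected. */
            if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) {
                inspect_flags |= DE_STATE_FLAG_HHD_INSPECT;
                if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f,
                                                  flags, alstate) == 1) {
                    match_flags |= DE_STATE_FLAG_HHD_MATCH;
                }
            }
            /* … same shape for HRHD and HCD … */
        }
    } else if (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) {
```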