From fc248ca7a11c75f471d25f5dad157e16820b4843 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Thu, 16 Sep 2010 11:55:35 +0200 Subject: [PATCH] Many small performance updates. --- src/app-layer-detect-proto.c | 5 + src/app-layer-ftp.h | 2 +- src/app-layer-parser.h | 2 +- src/app-layer-smb.h | 6 +- src/app-layer-ssh.h | 7 +- src/app-layer-ssl.h | 7 +- src/app-layer-tls.h | 7 +- src/data-queue.h | 6 +- src/decode-tcp.c | 9 +- src/decode.h | 5 +- src/detect-content.c | 1 + src/detect-content.h | 9 +- src/detect-dce-iface.c | 3 + src/detect-dce-opnum.c | 6 + src/detect-dce-stub-data.c | 4 + src/detect-engine-dcepayload.c | 26 ++++ src/detect-engine-mpm.c | 6 +- src/detect-engine-proto.c | 1 + src/detect-engine-siggroup.c | 27 ++-- src/detect-engine-state.c | 2 + src/detect-engine-uri.c | 22 +++ src/detect-ftpbounce.c | 2 + src/detect-http-client-body.c | 14 ++ src/detect-http-cookie.c | 7 + src/detect-http-header.c | 12 ++ src/detect-http-method.c | 3 + src/detect-pcre.c | 44 ++++-- src/detect-pcre.h | 27 ++-- src/detect-ssh-proto-version.c | 3 + src/detect-ssh-software-version.c | 3 + src/detect-tls-version.c | 3 + src/detect-uricontent.c | 5 + src/detect-uricontent.h | 9 +- src/detect-urilen.c | 1 + src/detect.c | 240 ++++++++++++++++-------------- src/detect.h | 157 +++++++++++-------- src/flow-queue.h | 4 +- src/flow.c | 2 + src/flow.h | 35 +++-- src/suricata-common.h | 2 + src/util-mpm-b2gc.h | 6 +- src/util-radix-tree.h | 10 +- 42 files changed, 472 insertions(+), 280 deletions(-) diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c index 0a24887d20..7bd071a235 100644 --- a/src/app-layer-detect-proto.c +++ b/src/app-layer-detect-proto.c @@ -1467,6 +1467,7 @@ static int AlpDetectTestSig1(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); 
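Review bot: Every test in this file now has to pair `p->flow = &f;` with a hand-written `p->flags |= PKT_HAS_FLOW;`, and the same two-line pattern is repeated in the DCE, URI, HTTP, FTP and engine-state test hunks further down. If the detection path keys flow-dependent inspection on the flag rather than on the pointer (the detect.c change is not in this view, so this is inferred), a caller that sets only the pointer is skipped without any error, which in an IDS shows up as a missed alert rather than a crash. A small helper that sets both fields together, used by the tests and by the flow lookup, would keep the two from drifting apart. Where the flag is consumed, a debug check such as `BUG_ON((p->flags & PKT_HAS_FLOW) && p->flow == NULL);` would catch a mismatch early.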
@@ -1557,6 +1558,7 @@ static int AlpDetectTestSig2(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1647,6 +1649,7 @@ static int AlpDetectTestSig3(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1734,6 +1737,7 @@ static int AlpDetectTestSig4(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_FTP; StreamTcpInitConfig(TRUE); @@ -1822,6 +1826,7 @@ static int AlpDetectTestSig5(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; f.proto = IPPROTO_TCP; p->flags |= PKT_STREAM_ADD; diff --git a/src/app-layer-ftp.h b/src/app-layer-ftp.h index 838b76dc88..89e1d879eb 100644 --- a/src/app-layer-ftp.h +++ b/src/app-layer-ftp.h @@ -96,8 +96,8 @@ typedef struct FtpState_ { FtpRequestCommand command; FtpRequestCommandArgOfs arg_offset; FtpResponseCode response_code; - uint8_t *port_line; uint32_t port_line_len; + uint8_t *port_line; } FtpState; void RegisterFTPParsers(void); diff --git a/src/app-layer-parser.h b/src/app-layer-parser.h index e01309ef20..623050bd1e 100644 --- a/src/app-layer-parser.h +++ b/src/app-layer-parser.h @@ -60,9 +60,9 @@ typedef struct AppLayerParserResultElmt_ { uint16_t flags; /* flags. E.g. local alloc */ uint16_t name_idx; /* idx for names like "http.request_line.uri" */ + uint32_t data_len; /* length of the data from the ptr */ uint8_t *data_ptr; /* point to the position in the "input" data * or ptr to new mem if local alloc flag set */ - uint32_t data_len; /* length of the data from the ptr */ struct AppLayerParserResultElmt_ *next; } AppLayerParserResultElmt; 
diff --git a/src/app-layer-smb.h b/src/app-layer-smb.h index 9234c01fa1..30265d9897 100644 --- a/src/app-layer-smb.h +++ b/src/app-layer-smb.h @@ -76,17 +76,15 @@ typedef struct SMBAndX_ { } SMBAndX; typedef struct SMBState_ { - uint32_t head; NBSSHdr nbss; + uint16_t transaction_id; + uint16_t bytesprocessed; SMBHdr smb; SMBWordCount wordcount; SMBByteCount bytecount; SMBAndX andx; - uint16_t bytesprocessed; DCERPC dcerpc; uint8_t dcerpc_present; - uint32_t tail; - uint16_t transaction_id; } SMBState; #define SMB_FLAGS_SERVER_TO_REDIR 0x80 diff --git a/src/app-layer-ssh.h b/src/app-layer-ssh.h index 3ce0dc084d..fea4fd4398 100644 --- a/src/app-layer-ssh.h +++ b/src/app-layer-ssh.h @@ -77,16 +77,17 @@ typedef struct SSHHeader_ { /** structure to store the SSH state values */ typedef struct SshState_ { + uint8_t flags; /**< Flags to indicate the current SSH + sessoin state */ uint8_t client_msg_code; /**< Client content type storage field */ + uint8_t server_msg_code; /**< Server content type storage field */ + uint8_t *client_proto_version; /**< Client SSH version storage field */ uint8_t *client_software_version; /**< Client SSH version storage field */ - uint8_t server_msg_code; /**< Server content type storage field */ uint8_t *server_proto_version; /**< Server SSH version storage field */ uint8_t *server_software_version; /**< Server SSH version storage field */ - uint8_t flags; /**< Flags to indicate the current SSH - sessoin state */ SshHeader srv_hdr; SshHeader cli_hdr; } SshState; diff --git a/src/app-layer-ssl.h b/src/app-layer-ssl.h index b9dcaf1c7c..91a0f2b5e0 100644 --- a/src/app-layer-ssl.h +++ b/src/app-layer-ssl.h 
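Review bot: The moved `flags` comment in SshState still reads "sessoin state", and the SslState and TlsState hunks that follow carry the same typo; since these lines are being touched anyway, `sessoin` should become `session`. In SshState, `client_software_version` and `server_software_version` are documented as "SSH version storage field", word for word the same as the proto-version fields, so a comment like `/**< Client SSH software version storage field */` would tell them apart. It would also help to note in each struct comment that the field order was chosen for packing, so a later edit does not undo it.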
@@ -48,14 +48,13 @@ /* structure to store the SSL state values */ typedef struct SslState_ { + uint8_t flags; /**< Flags to indicate the current SSL + sessoin state */ uint8_t client_content_type; /**< Client content type storage field */ uint16_t client_version; /**< Client SSL version storage field */ - uint8_t server_content_type; /**< Server content type storage field */ uint16_t server_version; /**< Server SSL version storage field */ - - uint8_t flags; /**< Flags to indicate the current SSL - sessoin state */ + uint8_t server_content_type; /**< Server content type storage field */ } SslState; typedef struct SslClient_ { diff --git a/src/app-layer-tls.h b/src/app-layer-tls.h index 4948e426dc..22cfd507dc 100644 --- a/src/app-layer-tls.h +++ b/src/app-layer-tls.h @@ -47,14 +47,13 @@ enum { }; /* structure to store the TLS state values */ typedef struct TlsState_ { + uint8_t flags; /**< Flags to indicate the current TLS + sessoin state */ uint8_t client_content_type; /**< Client content type storage field */ uint16_t client_version; /**< Client TLS version storage field */ - uint8_t server_content_type; /**< Server content type storage field */ uint16_t server_version; /**< Server TLS version storage field */ - - uint8_t flags; /**< Flags to indicate the current TLS - sessoin state */ + uint8_t server_content_type; /**< Server content type storage field */ } TlsState; enum { diff --git a/src/data-queue.h b/src/data-queue.h index f3c11fcf74..fc9669da29 100644 --- a/src/data-queue.h +++ b/src/data-queue.h @@ -49,13 +49,13 @@ typedef struct SCDQDataQueue_ { SCDQGenericQData *bot; /* no of items currently in the queue */ uint16_t len; +#ifdef DBG_PERF + uint16_t dbg_maxlen; +#endif /* DBG_PERF */ SCMutex mutex_q; SCCondT cond_q; -#ifdef DBG_PERF - uint16_t dbg_maxlen; -#endif /* DBG_PERF */ } SCDQDataQueue; void SCDQDataEnqueue(SCDQDataQueue *, SCDQGenericQData *); diff --git a/src/decode-tcp.c b/src/decode-tcp.c index e1ec4cd062..995df94c80 100644 
--- a/src/decode-tcp.c +++ b/src/decode-tcp.c @@ -29,6 +29,7 @@ #include "decode-events.h" #include "util-unittest.h" #include "util-debug.h" +#include "util-optimize.h" #include "flow.h" static int DecodeTCPOptions(ThreadVars *tv, Packet *p, uint8_t *pkt, uint16_t len) @@ -124,7 +125,7 @@ static int DecodeTCPOptions(ThreadVars *tv, Packet *p, uint8_t *pkt, uint16_t le static int DecodeTCPPacket(ThreadVars *tv, Packet *p, uint8_t *pkt, uint16_t len) { - if (len < TCP_HEADER_LEN) { + if (unlikely(len < TCP_HEADER_LEN)) { DECODER_SET_EVENT(p, TCP_PKT_TOO_SMALL); return -1; } @@ -132,7 +133,7 @@ static int DecodeTCPPacket(ThreadVars *tv, Packet *p, uint8_t *pkt, uint16_t len p->tcph = (TCPHdr *)pkt; p->tcpvars.hlen = TCP_GET_HLEN(p); - if (len < p->tcpvars.hlen) { + if (unlikely(len < p->tcpvars.hlen)) { DECODER_SET_EVENT(p, TCP_HLEN_TOO_SMALL); return -1; } @@ -141,7 +142,7 @@ static int DecodeTCPPacket(ThreadVars *tv, Packet *p, uint8_t *pkt, uint16_t len SET_TCP_DST_PORT(p,&p->dp); p->tcpvars.tcp_opt_len = p->tcpvars.hlen - TCP_HEADER_LEN; - if (p->tcpvars.tcp_opt_len > TCP_OPTLENMAX) { + if (unlikely(p->tcpvars.tcp_opt_len > TCP_OPTLENMAX)) { DECODER_SET_EVENT(p, TCP_INVALID_OPTLEN); return -1; } @@ -162,7 +163,7 @@ void DecodeTCP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, u { SCPerfCounterIncr(dtv->counter_tcp, tv->sc_perf_pca); - if (DecodeTCPPacket(tv, p,pkt,len) < 0) { + if (unlikely(DecodeTCPPacket(tv, p,pkt,len) < 0)) { p->tcph = NULL; return; } diff --git a/src/decode.h b/src/decode.h index 1e6ac7ad28..2a02b34041 100644 --- a/src/decode.h +++ b/src/decode.h @@ -406,11 +406,11 @@ typedef struct PacketQueue_ { Packet *top; Packet *bot; uint16_t len; - SCMutex mutex_q; - SCCondT cond_q; #ifdef DBG_PERF uint16_t dbg_maxlen; #endif /* DBG_PERF */ + SCMutex mutex_q; + SCCondT cond_q; } PacketQueue; /** \brief Specific ctx for AL proto detection */ 
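Review bot: DecodeTCPPacket checks `len < p->tcpvars.hlen` but never checks that the header length read from the packet is at least TCP_HEADER_LEN before computing `p->tcpvars.hlen - TCP_HEADER_LEN` in the following hunk. A data-offset value below the minimum makes that subtraction negative, and whether the later `tcp_opt_len > TCP_OPTLENMAX` test rejects it depends on the field's type, which is declared outside this diff. Because this function parses untrusted packet bytes, an explicit guard is clearer than relying on wrap-around: `if (unlikely(p->tcpvars.hlen < TCP_HEADER_LEN)) { DECODER_SET_EVENT(p, TCP_HLEN_TOO_SMALL); return -1; }`. The function body continues outside the hunks shown.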
@@ -730,6 +730,7 @@ void AddressDebugPrint(Address *); #define PKT_HAS_TAG 0x08 /**< Packet has matched a tag */ #define PKT_STREAM_ADD 0x10 /**< Packet payload was added to reassembled stream */ #define PKT_STREAM_EOF 0x20 /**< Stream is in eof state */ +#define PKT_HAS_FLOW 0x40 #endif /* __DECODE_H__ */ diff --git a/src/detect-content.c b/src/detect-content.c index 491e2da5f3..8e90064420 100644 --- a/src/detect-content.c +++ b/src/detect-content.c @@ -1773,6 +1773,7 @@ static int SigTest76TestBug134(void) p->flowflags |= FLOW_PKT_ESTABLISHED; p->flowflags |= FLOW_PKT_TOSERVER; p->flow = &f; + p->flags |= PKT_HAS_FLOW; char sig[] = "alert tcp any any -> any 515 " "(msg:\"detect IFS\"; flow:to_server,established; content:\"${IFS}\";" diff --git a/src/detect-content.h b/src/detect-content.h index 9fece997a9..4c99670be0 100644 --- a/src/detect-content.h +++ b/src/detect-content.h @@ -49,19 +49,14 @@ typedef struct DetectContentData_ { uint8_t *content; /**< ptr to chunk of memory containing the pattern */ uint8_t content_len;/**< length of the pattern (and size of the memory) */ - uint8_t pad0; - uint16_t pad1; - uint32_t id; /**< unique pattern id */ - + uint8_t flags; + PatIntId id; /**< unique pattern id */ uint16_t depth; uint16_t offset; /** distance from the last match this match should start. * Can be negative */ int32_t distance; int32_t within; - uint8_t flags; - uint8_t pad2; - uint16_t pad3; BmCtx *bm_ctx; /**< Boyer Moore context (for spm search) */ } DetectContentData; diff --git a/src/detect-dce-iface.c b/src/detect-dce-iface.c index 65d037f24a..72d85a6744 100644 --- a/src/detect-dce-iface.c +++ b/src/detect-dce-iface.c @@ -868,6 +868,7 @@ static int DetectDceIfaceTestParse12(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); 
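Review bot: `PKT_HAS_FLOW` is the only flag in this list without a trailing doc comment, and nothing here states who sets it or how it relates to `p->flow`. Assuming the meaning the test hunks suggest, something like `#define PKT_HAS_FLOW 0x40 /**< Packet has a flow assigned; p->flow is valid */` would document the invariant that consumers of the flag depend on. If the packet flags field is eight bits wide (its declaration is not in this hunk), this leaves a single free bit, which is worth noting next to the list.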
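Review bot: In DetectContentData, `id` changes from `uint32_t` to `PatIntId`, whose definition is not part of this hunk. If that typedef is narrower than 32 bits, pattern ids assigned elsewhere could truncate silently, and two patterns sharing an id would corrupt the match bookkeeping. A compile-time or load-time check on the maximum pattern id against the typedef's range would make the limit explicit. The relocated `flags` member also has no doc comment while its neighbours do; a short one such as `/**< DETECT_CONTENT_* flags */` would help, with the actual flag prefix confirmed against the header.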
@@ -1099,6 +1100,7 @@ static int DetectDceIfaceTestParse13(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); @@ -1354,6 +1356,7 @@ static int DetectDceIfaceTestParse14(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); diff --git a/src/detect-dce-opnum.c b/src/detect-dce-opnum.c index abadea9258..12fed22619 100644 --- a/src/detect-dce-opnum.c +++ b/src/detect-dce-opnum.c @@ -1135,6 +1135,7 @@ static int DetectDceOpnumTestParse08(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); @@ -1661,6 +1662,7 @@ static int DetectDceOpnumTestParse09(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); @@ -1858,6 +1860,7 @@ static int DetectDceOpnumTestParse10(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); @@ -2150,6 +2153,7 @@ static int DetectDceOpnumTestParse11(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); @@ -2425,6 +2429,7 @@ static int DetectDceOpnumTestParse12(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); 
@@ -2709,6 +2714,7 @@ static int DetectDceOpnumTestParse13(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c index 6e20f2db04..77cb0165ad 100644 --- a/src/detect-dce-stub-data.c +++ b/src/detect-dce-stub-data.c @@ -637,6 +637,7 @@ static int DetectDceStubDataTestParse02(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); @@ -1179,6 +1180,7 @@ static int DetectDceStubDataTestParse03(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); @@ -1374,6 +1376,7 @@ static int DetectDceStubDataTestParse04(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); @@ -1640,6 +1643,7 @@ static int DetectDceStubDataTestParse05(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_DCERPC; StreamTcpInitConfig(TRUE); diff --git a/src/detect-engine-dcepayload.c b/src/detect-engine-dcepayload.c index 01578e2a72..4d2392c888 100644 --- a/src/detect-engine-dcepayload.c +++ b/src/detect-engine-dcepayload.c @@ -1612,6 +1612,7 @@ int DcePayloadTest01(void) for (i = 0; i < 11; i++) { p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p[i]->flow = &f; + p[i]->flags |= PKT_HAS_FLOW; p[i]->flowflags |= FLOW_PKT_TOSERVER; p[i]->flowflags |= FLOW_PKT_ESTABLISHED; } 
@@ -2475,6 +2476,7 @@ int DcePayloadTest02(void) for (i = 0; i < 4; i++) { p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p[i]->flow = &f; + p[i]->flags |= PKT_HAS_FLOW; p[i]->flowflags |= FLOW_PKT_TOSERVER; p[i]->flowflags |= FLOW_PKT_ESTABLISHED; } @@ -2921,6 +2923,7 @@ int DcePayloadTest03(void) for (i = 0; i < 4; i++) { p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p[i]->flow = &f; + p[i]->flags |= PKT_HAS_FLOW; p[i]->flowflags |= FLOW_PKT_TOSERVER; p[i]->flowflags |= FLOW_PKT_ESTABLISHED; } @@ -3366,6 +3369,7 @@ int DcePayloadTest04(void) for (i = 0; i < 4; i++) { p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p[i]->flow = &f; + p[i]->flags |= PKT_HAS_FLOW; p[i]->flowflags |= FLOW_PKT_TOSERVER; p[i]->flowflags |= FLOW_PKT_ESTABLISHED; } @@ -3810,6 +3814,7 @@ int DcePayloadTest05(void) for (i = 0; i < 4; i++) { p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p[i]->flow = &f; + p[i]->flags |= PKT_HAS_FLOW; p[i]->flowflags |= FLOW_PKT_TOSERVER; p[i]->flowflags |= FLOW_PKT_ESTABLISHED; } @@ -4255,6 +4260,7 @@ int DcePayloadTest06(void) for (i = 0; i < 4; i++) { p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p[i]->flow = &f; + p[i]->flags |= PKT_HAS_FLOW; p[i]->flowflags |= FLOW_PKT_TOSERVER; p[i]->flowflags |= FLOW_PKT_ESTABLISHED; } @@ -4699,6 +4705,7 @@ int DcePayloadTest07(void) for (i = 0; i < 4; i++) { p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p[i]->flow = &f; + p[i]->flags |= PKT_HAS_FLOW; p[i]->flowflags |= FLOW_PKT_TOSERVER; p[i]->flowflags |= FLOW_PKT_ESTABLISHED; } @@ -4981,6 +4988,7 @@ int DcePayloadTest08(void) for (i = 0; i < 1; i++) { p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p[i]->flow = &f; + p[i]->flags |= PKT_HAS_FLOW; p[i]->flowflags |= FLOW_PKT_TOSERVER; p[i]->flowflags |= FLOW_PKT_ESTABLISHED; } @@ -5202,6 +5210,7 @@ int DcePayloadTest09(void) for (i = 0; i < 1; i++) { p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p[i]->flow = &f; + p[i]->flags |= PKT_HAS_FLOW; p[i]->flowflags |= FLOW_PKT_TOSERVER; p[i]->flowflags |= FLOW_PKT_ESTABLISHED; } 
@@ -5423,6 +5432,7 @@ int DcePayloadTest10(void) for (i = 0; i < 1; i++) { p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p[i]->flow = &f; + p[i]->flags |= PKT_HAS_FLOW; p[i]->flowflags |= FLOW_PKT_TOSERVER; p[i]->flowflags |= FLOW_PKT_ESTABLISHED; } @@ -5779,6 +5789,7 @@ int DcePayloadTest11(void) for (i = 0; i < 2; i++) { p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p[i]->flow = &f; + p[i]->flags |= PKT_HAS_FLOW; p[i]->flowflags |= FLOW_PKT_TOSERVER; p[i]->flowflags |= FLOW_PKT_ESTABLISHED; } @@ -6149,6 +6160,7 @@ int DcePayloadTest12(void) for (i = 0; i < 2; i++) { p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p[i]->flow = &f; + p[i]->flags |= PKT_HAS_FLOW; p[i]->flowflags |= FLOW_PKT_TOSERVER; p[i]->flowflags |= FLOW_PKT_ESTABLISHED; } @@ -6328,6 +6340,7 @@ int DcePayloadTest13(void) for (i = 0; i < 8; i++) { p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p[i]->flow = &f; + p[i]->flags |= PKT_HAS_FLOW; p[i]->flowflags |= FLOW_PKT_TOSERVER; p[i]->flowflags |= FLOW_PKT_ESTABLISHED; } @@ -6569,6 +6582,7 @@ int DcePayloadTest14(void) for (i = 0; i < 6; i++) { p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p[i]->flow = &f; + p[i]->flags |= PKT_HAS_FLOW; p[i]->flowflags |= FLOW_PKT_TOSERVER; p[i]->flowflags |= FLOW_PKT_ESTABLISHED; } @@ -6743,6 +6757,7 @@ int DcePayloadTest15(void) p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; @@ -6854,6 +6869,7 @@ int DcePayloadTest16(void) p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; @@ -6965,6 +6981,7 @@ int DcePayloadTest17(void) p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; 
@@ -7076,6 +7093,7 @@ int DcePayloadTest18(void) p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; @@ -7187,6 +7205,7 @@ int DcePayloadTest19(void) p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; @@ -7298,6 +7317,7 @@ int DcePayloadTest20(void) p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; @@ -7401,6 +7421,7 @@ int DcePayloadTest21(void) p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; @@ -7497,6 +7518,7 @@ int DcePayloadTest22(void) p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; @@ -7594,6 +7616,7 @@ int DcePayloadTest23(void) p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; @@ -7689,6 +7712,7 @@ int DcePayloadTest24(void) p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; @@ -9887,6 +9911,7 @@ int DcePayloadTest42(void) p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; @@ -9984,6 +10009,7 @@ int DcePayloadTest43(void) p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index 5a8034b20c..0cffe831fd 100644 --- a/src/detect-engine-mpm.c 
+++ b/src/detect-engine-mpm.c @@ -742,7 +742,8 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead /* tell matcher we are inspecting packet */ s->flags |= SIG_FLAG_MPM_PACKET; - s->mpm_pattern_id = co->id; + s->mpm_pattern_id_mod_8 = 1<<(co->id%8); + s->mpm_pattern_id_div_8 = co->id/8; if (scan_negated) { SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id); s->flags |= SIG_FLAG_MPM_NEGCONTENT; @@ -980,7 +981,8 @@ static int PatternMatchPreprarePopulateMpmStream(DetectEngineCtx *de_ctx, SigGro /* tell matcher we are inspecting stream */ s->flags |= SIG_FLAG_MPM_STREAM; - s->mpm_stream_pattern_id = co->id; + s->mpm_stream_pattern_id_div_8 = co->id/8; + s->mpm_stream_pattern_id_mod_8 = 1<<(co->id%8); if (scan_negated) { SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id); s->flags |= SIG_FLAG_MPM_NEGCONTENT; diff --git a/src/detect-engine-proto.c b/src/detect-engine-proto.c index d1ba7fdc33..404468bb34 100644 --- a/src/detect-engine-proto.c +++ b/src/detect-engine-proto.c @@ -366,6 +366,7 @@ static int DetectProtoTestSig01(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; + p->flags |= PKT_HAS_FLOW; DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) { diff --git a/src/detect-engine-siggroup.c b/src/detect-engine-siggroup.c index e08545caa1..b47a0d3ec1 100644 --- a/src/detect-engine-siggroup.c +++ b/src/detect-engine-siggroup.c 
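Review bot: The field named `mpm_pattern_id_mod_8` does not hold the remainder but the mask `1<<(co->id%8)`, so the name misleads anyone reading the consumer side; either rename it (for example to a `_bitmask` suffix) or add a comment at the assignment such as `/* precomputed byte index and bit mask of the pattern id */`. The same applies to the stream variant in PatternMatchPreprarePopulateMpmStream, where the two assignments also appear in the opposite order. The widths of the `_div_8` and `_mod_8` members are declared in detect.h, outside this view. If `_div_8` is narrower than `co->id/8` can become, the byte index truncates and the prefilter would test the wrong bit, so a range check or static assertion on the id type is worth adding.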
@@ -1594,19 +1594,24 @@ int SigGroupHeadBuildHeadArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh) if (s == NULL) continue; - sgh->head_array[idx].flags = s->flags; - sgh->head_array[idx].mpm_pattern_id = s->mpm_pattern_id; - sgh->head_array[idx].mpm_stream_pattern_id = s->mpm_stream_pattern_id; - sgh->head_array[idx].alproto = s->alproto; - sgh->head_array[idx].num = s->num; +// sgh->head_array[idx].flags = s->flags; +// sgh->head_array[idx].alproto = s->alproto; +// sgh->head_array[idx].num = s->num; + sgh->head_array[idx].hdr_copy = s->hdr_copy; + sgh->head_array[idx].mpm_pattern_copy = s->mpm_pattern_copy; +// sgh->head_array[idx].mpm_pattern_id_div_8 = s->mpm_pattern_id_div_8; +// sgh->head_array[idx].mpm_pattern_id_mod_8 = s->mpm_pattern_id_mod_8; +// sgh->head_array[idx].mpm_stream_pattern_copy = s->mpm_stream_pattern_copy; +// sgh->head_array[idx].mpm_stream_pattern_id_div_8 = s->mpm_stream_pattern_id_div_8; +// sgh->head_array[idx].mpm_stream_pattern_id_mod_8 = s->mpm_stream_pattern_id_mod_8; sgh->head_array[idx].full_sig = s; - BUG_ON(s->flags != sgh->head_array[idx].flags); - BUG_ON(s->alproto != sgh->head_array[idx].alproto); - BUG_ON(s->mpm_pattern_id != sgh->head_array[idx].mpm_pattern_id); - BUG_ON(s->mpm_stream_pattern_id != sgh->head_array[idx].mpm_stream_pattern_id); - BUG_ON(s->num != sgh->head_array[idx].num); - BUG_ON(s != sgh->head_array[idx].full_sig); +// BUG_ON(s->flags != sgh->head_array[idx].flags); +// BUG_ON(s->alproto != sgh->head_array[idx].alproto); +// BUG_ON(s->mpm_pattern_id != sgh->head_array[idx].mpm_pattern_id); +// BUG_ON(s->mpm_stream_pattern_id != sgh->head_array[idx].mpm_stream_pattern_id); +// BUG_ON(s->num != sgh->head_array[idx].num); +// BUG_ON(s != sgh->head_array[idx].full_sig); idx++; } diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c index b85ca9a48e..825d2cfa31 100644 --- a/src/detect-engine-state.c +++ b/src/detect-engine-state.c 
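Review bot: The loop in SigGroupHeadBuildHeadArray now keeps the old per-field assignments and all six BUG_ON checks as `//` comments instead of deleting or updating them, and the line that would copy `mpm_stream_pattern_copy` is among those commented out. Unless `mpm_pattern_copy` also covers the stream pattern id fields (the struct layout is in detect.h, outside this view), `head_array[idx]` carries no stream pattern id, and a prefilter reading it there could skip signatures that should have been inspected. Please delete the dead lines and add a short comment saying which members `hdr_copy` and `mpm_pattern_copy` alias, or restore the checks against the new fields, for example `BUG_ON(s->mpm_pattern_id_div_8 != sgh->head_array[idx].mpm_pattern_id_div_8);`. The function starts and ends outside this hunk.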
@@ -810,6 +810,7 @@ static int DeStateSigTest01(void) { f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -943,6 +944,7 @@ static int DeStateSigTest02(void) { f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; diff --git a/src/detect-engine-uri.c b/src/detect-engine-uri.c index 4be6930878..eff5a5b513 100644 --- a/src/detect-engine-uri.c +++ b/src/detect-engine-uri.c @@ -476,6 +476,7 @@ static int UriTestSig01(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -590,6 +591,7 @@ static int UriTestSig02(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -704,6 +706,7 @@ static int UriTestSig03(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -818,6 +821,7 @@ static int UriTestSig04(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -932,6 +936,7 @@ static int UriTestSig05(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -1046,6 +1051,7 @@ static int UriTestSig06(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; 
@@ -1160,6 +1166,7 @@ static int UriTestSig07(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -1274,6 +1281,7 @@ static int UriTestSig08(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -1388,6 +1396,7 @@ static int UriTestSig09(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -1502,6 +1511,7 @@ static int UriTestSig10(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -1616,6 +1626,7 @@ static int UriTestSig11(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -1731,6 +1742,7 @@ static int UriTestSig12(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -1846,6 +1858,7 @@ static int UriTestSig13(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -1961,6 +1974,7 @@ static int UriTestSig14(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -2076,6 +2090,7 @@ static int UriTestSig15(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; 
@@ -2191,6 +2206,7 @@ static int UriTestSig16(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -2302,6 +2318,7 @@ static int UriTestSig17(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -2392,6 +2409,7 @@ static int UriTestSig18(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -2482,6 +2500,7 @@ static int UriTestSig19(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -2573,6 +2592,7 @@ static int UriTestSig20(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -2663,6 +2683,7 @@ static int UriTestSig21(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; @@ -2753,6 +2774,7 @@ static int UriTestSig22(void) f.dst.family = AF_INET; p->flow = &f; + p->flags |= PKT_HAS_FLOW; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; f.alproto = ALPROTO_HTTP; diff --git a/src/detect-ftpbounce.c b/src/detect-ftpbounce.c index c0e211dec6..c1729bcc35 100644 --- a/src/detect-ftpbounce.c +++ b/src/detect-ftpbounce.c @@ -343,6 +343,7 @@ static int DetectFtpbounceTestALMatch02(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_FTP; StreamTcpInitConfig(TRUE); 
@@ -472,6 +473,7 @@ static int DetectFtpbounceTestALMatch03(void) { p.flow = &f; p.flowflags |= FLOW_PKT_TOSERVER; p.flowflags |= FLOW_PKT_ESTABLISHED; + p.flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_FTP; StreamTcpInitConfig(TRUE); diff --git a/src/detect-http-client-body.c b/src/detect-http-client-body.c index be4f933851..121fd92611 100644 --- a/src/detect-http-client-body.c +++ b/src/detect-http-client-body.c @@ -500,6 +500,7 @@ static int DetectHttpClientBodyTest06(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -602,9 +603,11 @@ static int DetectHttpClientBodyTest07(void) p1->flow = &f; p1->flowflags |= FLOW_PKT_TOSERVER; p1->flowflags |= FLOW_PKT_ESTABLISHED; + p1->flags |= PKT_HAS_FLOW; p2->flow = &f; p2->flowflags |= FLOW_PKT_TOSERVER; p2->flowflags |= FLOW_PKT_ESTABLISHED; + p2->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -723,9 +726,11 @@ static int DetectHttpClientBodyTest08(void) p1->flow = &f; p1->flowflags |= FLOW_PKT_TOSERVER; p1->flowflags |= FLOW_PKT_ESTABLISHED; + p1->flags |= PKT_HAS_FLOW; p2->flow = &f; p2->flowflags |= FLOW_PKT_TOSERVER; p2->flowflags |= FLOW_PKT_ESTABLISHED; + p2->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -845,9 +850,11 @@ static int DetectHttpClientBodyTest09(void) p1->flow = &f; p1->flowflags |= FLOW_PKT_TOSERVER; p1->flowflags |= FLOW_PKT_ESTABLISHED; + p1->flags |= PKT_HAS_FLOW; p2->flow = &f; p2->flowflags |= FLOW_PKT_TOSERVER; p2->flowflags |= FLOW_PKT_ESTABLISHED; + p2->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); 
@@ -966,9 +973,11 @@ static int DetectHttpClientBodyTest10(void) p1->flow = &f; p1->flowflags |= FLOW_PKT_TOSERVER; p1->flowflags |= FLOW_PKT_ESTABLISHED; + p1->flags |= PKT_HAS_FLOW; p2->flow = &f; p2->flowflags |= FLOW_PKT_TOSERVER; p2->flowflags |= FLOW_PKT_ESTABLISHED; + p2->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1082,6 +1091,7 @@ static int DetectHttpClientBodyTest11(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1179,6 +1189,7 @@ static int DetectHttpClientBodyTest12(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1277,6 +1288,7 @@ static int DetectHttpClientBodyTest13(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1375,6 +1387,7 @@ static int DetectHttpClientBodyTest14(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1570,6 +1583,7 @@ static int DetectHttpClientBodyTest15(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c index 82d0a16755..955dc89d67 100644 --- a/src/detect-http-cookie.c +++ b/src/detect-http-cookie.c @@ -505,6 +505,7 @@ static int DetectHttpCookieSigTest01(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); 
@@ -605,6 +606,7 @@ static int DetectHttpCookieSigTest02(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -692,6 +694,7 @@ static int DetectHttpCookieSigTest03(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -780,6 +783,7 @@ static int DetectHttpCookieSigTest04(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -868,6 +872,7 @@ static int DetectHttpCookieSigTest05(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -956,6 +961,7 @@ static int DetectHttpCookieSigTest06(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1043,6 +1049,7 @@ static int DetectHttpCookieSigTest07(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); diff --git a/src/detect-http-header.c b/src/detect-http-header.c index 3aad464644..b3beb62644 100644 --- a/src/detect-http-header.c +++ b/src/detect-http-header.c @@ -477,6 +477,7 @@ static int DetectHttpHeaderTest06(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); 
@@ -578,9 +579,11 @@ static int DetectHttpHeaderTest07(void) p1->flow = &f; p1->flowflags |= FLOW_PKT_TOSERVER; p1->flowflags |= FLOW_PKT_ESTABLISHED; + p1->flags |= PKT_HAS_FLOW; p2->flow = &f; p2->flowflags |= FLOW_PKT_TOSERVER; p2->flowflags |= FLOW_PKT_ESTABLISHED; + p2->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -696,9 +699,11 @@ static int DetectHttpHeaderTest08(void) p1->flow = &f; p1->flowflags |= FLOW_PKT_TOSERVER; p1->flowflags |= FLOW_PKT_ESTABLISHED; + p1->flags |= PKT_HAS_FLOW; p2->flow = &f; p2->flowflags |= FLOW_PKT_TOSERVER; p2->flowflags |= FLOW_PKT_ESTABLISHED; + p2->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -815,9 +820,11 @@ static int DetectHttpHeaderTest09(void) p1->flow = &f; p1->flowflags |= FLOW_PKT_TOSERVER; p1->flowflags |= FLOW_PKT_ESTABLISHED; + p1->flags |= PKT_HAS_FLOW; p2->flow = &f; p2->flowflags |= FLOW_PKT_TOSERVER; p2->flowflags |= FLOW_PKT_ESTABLISHED; + p2->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -934,9 +941,11 @@ static int DetectHttpHeaderTest10(void) p1->flow = &f; p1->flowflags |= FLOW_PKT_TOSERVER; p1->flowflags |= FLOW_PKT_ESTABLISHED; + p1->flags |= PKT_HAS_FLOW; p2->flow = &f; p2->flowflags |= FLOW_PKT_TOSERVER; p2->flowflags |= FLOW_PKT_ESTABLISHED; + p2->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1049,6 +1058,7 @@ static int DetectHttpHeaderTest11(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1145,6 +1155,7 @@ static int DetectHttpHeaderTest12(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); 
@@ -1242,6 +1253,7 @@ static int DetectHttpHeaderTest13(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); diff --git a/src/detect-http-method.c b/src/detect-http-method.c index 83da968f6b..5c50194a3e 100644 --- a/src/detect-http-method.c +++ b/src/detect-http-method.c @@ -428,6 +428,7 @@ static int DetectHttpMethodSigTest01(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -527,6 +528,7 @@ static int DetectHttpMethodSigTest02(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -625,6 +627,7 @@ static int DetectHttpMethodSigTest03(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); diff --git a/src/detect-pcre.c b/src/detect-pcre.c index d3005b6ab2..ff5b6af257 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -269,7 +269,7 @@ int DetectPcreALDoMatchMethod(DetectEngineThreadCtx *det_ctx, Signature *s, SCLogDebug("ret %d (negating %s)", ret, pe->negate ? "set" : "not set"); if (ret == PCRE_ERROR_NOMATCH) { - if (pe->negate == 1) { + if (pe->flags & DETECT_PCRE_NEGATE) { /* regex didn't match with negate option means we * consider it a match */ ret = 1; @@ -280,7 +280,7 @@ int DetectPcreALDoMatchMethod(DetectEngineThreadCtx *det_ctx, Signature *s, } toret |= ret; } else if (ret >= 0) { - if (pe->negate == 1) { + if (pe->flags & DETECT_PCRE_NEGATE) { /* regex matched but we're negated, so not * considering it a match */ ret = 0; 
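Review bot: The `SCLogDebug` context line at the top of the `@@ -269` hunk in DetectPcreALDoMatchMethod still reads `pe->negate`, while the detect-pcre.h hunk in this commit appears to drop that field from DetectPcreData in favour of `DETECT_PCRE_NEGATE`. If the field is gone, any build that expands SCLogDebug will no longer compile; the log argument should become `(pe->flags & DETECT_PCRE_NEGATE) ? "set" : "not set"`. The same stale line is visible in the DetectPcreALDoMatchHeader, DetectPcreALDoMatchCookie, DetectPcrePayloadMatch, DetectPcrePacketPayloadMatch and DetectPcrePayloadDoMatch hunks. All of these function bodies continue outside their hunks.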
@@ -386,7 +386,7 @@ int DetectPcreALDoMatchHeader(DetectEngineThreadCtx *det_ctx, Signature *s, SCLogDebug("ret %d (negating %s)", ret, pe->negate ? "set" : "not set"); if (ret == PCRE_ERROR_NOMATCH) { - if (pe->negate == 1) { + if (pe->flags & DETECT_PCRE_NEGATE) { /* regex didn't match with negate option means we * consider it a match */ ret = 1; @@ -397,7 +397,7 @@ int DetectPcreALDoMatchHeader(DetectEngineThreadCtx *det_ctx, Signature *s, } toret |= ret; } else if (ret >= 0) { - if (pe->negate == 1) { + if (pe->flags & DETECT_PCRE_NEGATE) { /* regex matched but we're negated, so not * considering it a match */ ret = 0; @@ -505,7 +505,7 @@ int DetectPcreALDoMatchCookie(DetectEngineThreadCtx *det_ctx, Signature *s, SCLogDebug("ret %d (negating %s)", ret, pe->negate ? "set" : "not set"); if (ret == PCRE_ERROR_NOMATCH) { - if (pe->negate == 1) { + if (pe->flags & DETECT_PCRE_NEGATE) { /* regex didn't match with negate option means we * consider it a match */ ret = 1; @@ -516,7 +516,7 @@ int DetectPcreALDoMatchCookie(DetectEngineThreadCtx *det_ctx, Signature *s, } toret |= ret; } else if (ret >= 0) { - if (pe->negate == 1) { + if (pe->flags & DETECT_PCRE_NEGATE) { /* regex matched but we're negated, so not * considering it a match */ ret = 0; @@ -529,7 +529,7 @@ int DetectPcreALDoMatchCookie(DetectEngineThreadCtx *det_ctx, Signature *s, } } else { SCLogDebug("pcre had matching error"); - if (pe->negate == 1) { + if (pe->flags & DETECT_PCRE_NEGATE) { ret = 1; toret |= ret; break; @@ -644,7 +644,7 @@ int DetectPcreALDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch * unlock: SCMutexUnlock(&f->m); - SCReturnInt(ret ^ pe->negate); + SCReturnInt(ret ^ (pe->flags & DETECT_PCRE_NEGATE)); } /** 
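Review bot: In the DetectPcreALDoMatch hunk, `ret ^ (pe->flags & DETECT_PCRE_NEGATE)` XORs with 0x0800 instead of 1, so the return value is non-zero whenever the negate flag is set, whatever `ret` was. Assuming `ret` is 0 or 1 at this point, as the old XOR with the one-byte `negate` field suggests, a negated pcre whose regex did match is now reported as a match, so negated application-layer rules would alert on exactly the traffic they are meant to exclude. Normalise the flag before the XOR: `SCReturnInt(ret ^ ((pe->flags & DETECT_PCRE_NEGATE) ? 1 : 0));`. The rest of the function is outside the hunk, so the range of `ret` should be confirmed there.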
@@ -767,7 +767,7 @@ int DetectPcrePayloadMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SCLogDebug("ret %d (negating %s)", ret, pe->negate ? "set" : "not set"); if (ret == PCRE_ERROR_NOMATCH) { - if (pe->negate == 1) { + if (pe->flags & DETECT_PCRE_NEGATE) { /* regex didn't match with negate option means we * consider it a match */ ret = 1; @@ -775,7 +775,7 @@ int DetectPcrePayloadMatch(DetectEngineThreadCtx *det_ctx, Signature *s, ret = 0; } } else if (ret >= 0) { - if (pe->negate == 1) { + if (pe->flags & DETECT_PCRE_NEGATE) { /* regex matched but we're negated, so not * considering it a match */ ret = 0; @@ -861,7 +861,7 @@ int DetectPcrePacketPayloadMatch(DetectEngineThreadCtx *det_ctx, Packet *p, Sign SCLogDebug("ret %d (negating %s)", ret, pe->negate ? "set" : "not set"); if (ret == PCRE_ERROR_NOMATCH) { - if (pe->negate == 1) { + if (pe->flags & DETECT_PCRE_NEGATE) { /* regex didn't match with negate option means we * consider it a match */ ret = 1; @@ -869,7 +869,7 @@ int DetectPcrePacketPayloadMatch(DetectEngineThreadCtx *det_ctx, Packet *p, Sign ret = 0; } } else if (ret >= 0) { - if (pe->negate == 1) { + if (pe->flags & DETECT_PCRE_NEGATE) { /* regex matched but we're negated, so not * considering it a match */ ret = 0; @@ -954,7 +954,7 @@ int DetectPcrePayloadDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SCLogDebug("ret %d (negating %s)", ret, pe->negate ? "set" : "not set"); if (ret == PCRE_ERROR_NOMATCH) { - if (pe->negate == 1) { + if (pe->flags & DETECT_PCRE_NEGATE) { /* regex didn't match with negate option means we * consider it a match */ ret = 1; @@ -962,7 +962,7 @@ int DetectPcrePayloadDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, ret = 0; } } else if (ret >= 0) { - if (pe->negate == 1) { + if (pe->flags & DETECT_PCRE_NEGATE) { /* regex matched but we're negated, so not * considering it a match */ ret = 0; 
@@ -1076,7 +1076,7 @@ DetectPcreData *DetectPcreParse (char *regexstr) memset(pd, 0, sizeof(DetectPcreData)); if (negate) - pd->negate = 1; + pd->flags |= DETECT_PCRE_NEGATE; if (op != NULL) { while (*op) { @@ -1795,6 +1795,7 @@ static int DetectPcreTestSig01Real(int mpm_type) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; StreamTcpInitConfig(TRUE); FlowL7DataPtrInit(&f); @@ -1874,6 +1875,7 @@ static int DetectPcreTestSig02Real(int mpm_type) { p = UTHBuildPacket(buf, buflen, IPPROTO_TCP); p->flow = &f; + p->flags |= PKT_HAS_FLOW; pcre_match_limit = 100; pcre_match_limit_recursion = 100; @@ -2038,6 +2040,7 @@ static int DetectPcreModifPTest04(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -2165,9 +2168,11 @@ static int DetectPcreModifPTest05(void) { p1->flow = &f; p1->flowflags |= FLOW_PKT_TOSERVER; p1->flowflags |= FLOW_PKT_ESTABLISHED; + p1->flags |= PKT_HAS_FLOW; p2->flow = &f; p2->flowflags |= FLOW_PKT_TOSERVER; p2->flowflags |= FLOW_PKT_ESTABLISHED; + p2->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -2350,6 +2355,7 @@ static int DetectPcreTestSig09(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -2440,6 +2446,7 @@ static int DetectPcreTestSig10(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -2530,6 +2537,7 @@ static int DetectPcreTestSig11(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); 
@@ -2620,6 +2628,7 @@ static int DetectPcreTestSig12(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -2710,6 +2719,7 @@ static int DetectPcreTestSig13(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -2800,6 +2810,7 @@ static int DetectPcreTestSig14(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -2895,6 +2906,7 @@ static int DetectPcreTxBodyChunksTest01(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -3044,6 +3056,7 @@ static int DetectPcreTxBodyChunksTest02(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -3269,6 +3282,7 @@ static int DetectPcreTxBodyChunksTest03(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); diff --git a/src/detect-pcre.h b/src/detect-pcre.h index 0450e3abbf..671ba34634 100644 --- a/src/detect-pcre.h +++ b/src/detect-pcre.h 
@@ -24,31 +24,30 @@ #ifndef __DETECT_PCRE_H__ #define __DETECT_PCRE_H__ -#define DETECT_PCRE_RELATIVE 0x0001 -#define DETECT_PCRE_RAWBYTES 0x0002 -#define DETECT_PCRE_URI 0x0004 +#define DETECT_PCRE_RELATIVE 0x0001 +#define DETECT_PCRE_RAWBYTES 0x0002 +#define DETECT_PCRE_URI 0x0004 -#define DETECT_PCRE_CAPTURE_PKT 0x0008 -#define DETECT_PCRE_CAPTURE_FLOW 0x0010 -#define DETECT_PCRE_MATCH_LIMIT 0x0020 +#define DETECT_PCRE_CAPTURE_PKT 0x0008 +#define DETECT_PCRE_CAPTURE_FLOW 0x0010 +#define DETECT_PCRE_MATCH_LIMIT 0x0020 -#define DETECT_PCRE_HTTP_BODY_AL 0x0040 -#define DETECT_PCRE_RELATIVE_NEXT 0x0080 +#define DETECT_PCRE_HTTP_BODY_AL 0x0040 +#define DETECT_PCRE_RELATIVE_NEXT 0x0080 /* new modifiers 2.8.5.3 support */ -#define DETECT_PCRE_HEADER 0x0100 -#define DETECT_PCRE_COOKIE 0x0200 -#define DETECT_PCRE_METHOD 0x0400 +#define DETECT_PCRE_HEADER 0x0100 +#define DETECT_PCRE_COOKIE 0x0200 +#define DETECT_PCRE_METHOD 0x0400 + +#define DETECT_PCRE_NEGATE 0x0800 typedef struct DetectPcreData_ { /* pcre options */ pcre *re; pcre_extra *sd; int opts; - uint16_t flags; - uint8_t negate; - uint16_t capidx; char *capname; } DetectPcreData; diff --git a/src/detect-ssh-proto-version.c b/src/detect-ssh-proto-version.c index d7a4989d9b..1bb099d8d2 100644 --- a/src/detect-ssh-proto-version.c +++ b/src/detect-ssh-proto-version.c @@ -370,6 +370,7 @@ static int DetectSshVersionTestDetect01(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_SSH; StreamTcpInitConfig(TRUE); @@ -473,6 +474,7 @@ static int DetectSshVersionTestDetect02(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_SSH; StreamTcpInitConfig(TRUE); 
@@ -576,6 +578,7 @@ static int DetectSshVersionTestDetect03(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_SSH; StreamTcpInitConfig(TRUE); diff --git a/src/detect-ssh-software-version.c b/src/detect-ssh-software-version.c index 78e94e213e..17e370840a 100644 --- a/src/detect-ssh-software-version.c +++ b/src/detect-ssh-software-version.c @@ -331,6 +331,7 @@ static int DetectSshSoftwareVersionTestDetect01(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_SSH; StreamTcpInitConfig(TRUE); @@ -434,6 +435,7 @@ static int DetectSshSoftwareVersionTestDetect02(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_SSH; StreamTcpInitConfig(TRUE); @@ -537,6 +539,7 @@ static int DetectSshSoftwareVersionTestDetect03(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_SSH; StreamTcpInitConfig(TRUE); diff --git a/src/detect-tls-version.c b/src/detect-tls-version.c index 23780dc767..f799612445 100644 --- a/src/detect-tls-version.c +++ b/src/detect-tls-version.c @@ -337,6 +337,7 @@ static int DetectTlsVersionTestDetect01(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_TLS; StreamTcpInitConfig(TRUE); @@ -451,6 +452,7 @@ static int DetectTlsVersionTestDetect02(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_TLS; StreamTcpInitConfig(TRUE); 
@@ -565,6 +567,7 @@ static int DetectTlsVersionTestDetect03(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_TLS; f.proto = p->proto; diff --git a/src/detect-uricontent.c b/src/detect-uricontent.c index 2248d0d88d..60ee2eb658 100644 --- a/src/detect-uricontent.c +++ b/src/detect-uricontent.c @@ -834,6 +834,7 @@ static int DetectUriSigTest02(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -944,6 +945,7 @@ static int DetectUriSigTest03(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -1273,6 +1275,7 @@ static int DetectUriSigTest05(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; f.proto = p->proto; @@ -1396,6 +1399,7 @@ static int DetectUriSigTest06(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; f.proto = p->proto; @@ -1527,6 +1531,7 @@ static int DetectUriSigTest07(void) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); diff --git a/src/detect-uricontent.h b/src/detect-uricontent.h index 3d47ef943a..a5673f1708 100644 --- a/src/detect-uricontent.h +++ b/src/detect-uricontent.h 
@@ -48,17 +48,12 @@ typedef struct DetectUricontentData_ { uint8_t *uricontent; uint8_t uricontent_len; - uint8_t pad0; - uint16_t pad1; - uint32_t id; - + uint8_t flags; + PatIntId id; uint16_t depth; uint16_t offset; int32_t distance; int32_t within; - uint8_t flags; - uint8_t pad2; - uint16_t pad3; BmCtx *bm_ctx; /**< Boyer Moore context (for spm search) */ } DetectUricontentData; diff --git a/src/detect-urilen.c b/src/detect-urilen.c index b9edc8aae6..afb7afa459 100644 --- a/src/detect-urilen.c +++ b/src/detect-urilen.c @@ -509,6 +509,7 @@ static int DetectUrilenSigTest01(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); diff --git a/src/detect.c b/src/detect.c index a2055ccfb3..adf836f983 100644 --- a/src/detect.c +++ b/src/detect.c @@ -147,6 +147,7 @@ #include "util-privs.h" #include "util-profiling.h" #include "util-validate.h" +#include "util-optimize.h" extern uint8_t engine_mode; @@ -448,7 +449,7 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx, for (i = 0; i < det_ctx->sgh->sig_cnt; i++) { SignatureHeader *s = &det_ctx->sgh->head_array[i]; - if (s->flags & SIG_FLAG_FLOW && !p->flow) { + if (!(p->flags & PKT_HAS_FLOW) && s->flags & SIG_FLAG_FLOW) { SCLogDebug("flow in sig but not in packet"); continue; } 
@@ -461,17 +462,15 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx, } /* if the sig has alproto and the session as well they should match */ - if (s->alproto != ALPROTO_UNKNOWN) { - if (s->alproto != alproto) { - if (s->alproto == ALPROTO_DCERPC) { - if (alproto != ALPROTO_SMB && alproto != ALPROTO_SMB2) { - SCLogDebug("DCERPC sig, alproto not SMB or SMB2"); - continue; - } - } else { - SCLogDebug("alproto mismatch"); + if (s->flags & SIG_FLAG_APPLAYER && s->alproto != ALPROTO_UNKNOWN && s->alproto != alproto) { + if (s->alproto == ALPROTO_DCERPC) { + if (alproto != ALPROTO_SMB && alproto != ALPROTO_SMB2) { + SCLogDebug("DCERPC sig, alproto not SMB or SMB2"); continue; } + } else { + SCLogDebug("alproto mismatch"); + continue; } } @@ -479,7 +478,8 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx, if (s->flags & SIG_FLAG_MPM_PACKET) { /* filter out sigs that want pattern matches, but * have no matches */ - if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id / 8)] & (1<<(s->mpm_pattern_id % 8)))) { + if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] & s->mpm_pattern_id_mod_8)) { + //if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id / 8)] & (1<<(s->mpm_pattern_id % 8)))) { SCLogDebug("mpm sig without matches (pat id %"PRIu32" check in content).", s->mpm_pattern_id); if (!(s->flags & SIG_FLAG_MPM_NEGCONTENT)) { @@ -500,7 +500,7 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx, if (s->flags & SIG_FLAG_MPM_STREAM) { /* filter out sigs that want pattern matches, but * have no matches */ - if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_stream_pattern_id / 8)] & (1<<(s->mpm_stream_pattern_id % 8)))) { + if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_stream_pattern_id_div_8)] & s->mpm_stream_pattern_id_mod_8)) { SCLogDebug("mpm stream sig without matches (pat id %"PRIu32" check in content).", s->mpm_stream_pattern_id); if (!(s->flags & SIG_FLAG_MPM_NEGCONTENT)) { 
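Review bot: The rewritten condition in the `@@ -461` hunk applies the alproto filter only when `SIG_FLAG_APPLAYER` is set, which the old nested `if` did not require. Whether every signature with a non-unknown `alproto` also carries that flag is not visible here; one that does not would now pass this prefilter for any flow protocol. I would add a comment naming the invariant and where it is established, and parenthesise the bit test so the mix of `&` and `&&` reads unambiguously: `if ((s->flags & SIG_FLAG_APPLAYER) && s->alproto != ALPROTO_UNKNOWN && s->alproto != alproto) {`. The enclosing loop in SigMatchSignaturesBuildMatchArray continues outside the hunk.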
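Review bot: The new test in the `@@ -479` hunk, `pattern_id_bitarray[s->mpm_pattern_id_div_8] & s->mpm_pattern_id_mod_8`, matches the old one only if the `_mod_8` field stores the bit mask `1 << (id % 8)` rather than the remainder its name suggests; the code that fills it is not in view. If it holds the remainder, the prefilter tests the wrong bits and signatures are dropped or kept incorrectly. I would document the field where it is declared, e.g. `/* precomputed 1 << (pattern id % 8) */`, and delete the commented-out old condition left under the new one. The `SCLogDebug` calls in this hunk and in the `@@ -500` hunk still print `s->mpm_pattern_id` and `s->mpm_stream_pattern_id`, which the detect.h hunk comments out of SignatureHeader.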
@@ -616,68 +616,67 @@ static StreamMsg *SigMatchSignaturesGetSmsg(Flow *f, Packet *p, uint8_t flags) { StreamMsg *smsg = NULL; - if (p->proto == IPPROTO_TCP) { + if (p->proto == IPPROTO_TCP && f->protoctx != NULL) { TcpSession *ssn = (TcpSession *)f->protoctx; - if (ssn != NULL) { - /* at stream eof, inspect all smsg's */ - if (flags & STREAM_EOF) { - if (p->flowflags & FLOW_PKT_TOSERVER) { - smsg = ssn->toserver_smsg_head; - /* deref from the ssn */ - ssn->toserver_smsg_head = NULL; - ssn->toserver_smsg_tail = NULL; - - SCLogDebug("to_server smsg %p at stream eof", smsg); - } else { - smsg = ssn->toclient_smsg_head; - /* deref from the ssn */ - ssn->toclient_smsg_head = NULL; - ssn->toclient_smsg_tail = NULL; - SCLogDebug("to_client smsg %p at stream eof", smsg); - } - } else { - if (p->flowflags & FLOW_PKT_TOSERVER) { - StreamMsg *head = ssn->toserver_smsg_head; - if (head == NULL) { - SCLogDebug("no smsgs in to_server direction"); - goto end; - } + /* at stream eof, inspect all smsg's */ + if (unlikely(flags & STREAM_EOF)) { + if (p->flowflags & FLOW_PKT_TOSERVER) { + smsg = ssn->toserver_smsg_head; + /* deref from the ssn */ + ssn->toserver_smsg_head = NULL; + ssn->toserver_smsg_tail = NULL; - /* if the smsg is bigger than the current packet, we will - * process the smsg in a later run */ - if ((head->data.seq + head->data.data_len) > (TCP_GET_SEQ(p) + p->payload_len)) { - SCLogDebug("smsg ends beyond current packet, skipping for now %"PRIu32">%"PRIu32, - (head->data.seq + head->data.data_len), (TCP_GET_SEQ(p) + p->payload_len)); - goto end; - } + SCLogDebug("to_server smsg %p at stream eof", smsg); + } else { + smsg = ssn->toclient_smsg_head; + /* deref from the ssn */ + ssn->toclient_smsg_head = NULL; + ssn->toclient_smsg_tail = NULL; - smsg = head; - /* deref from the ssn */ - ssn->toserver_smsg_head = NULL; - ssn->toserver_smsg_tail = NULL; + SCLogDebug("to_client smsg %p at stream eof", smsg); + } + } else { + if (p->flowflags & FLOW_PKT_TOSERVER) { + 
StreamMsg *head = ssn->toserver_smsg_head; + if (unlikely(head == NULL)) { + SCLogDebug("no smsgs in to_server direction"); + goto end; + } - SCLogDebug("to_server smsg %p", smsg); - } else { - StreamMsg *head = ssn->toclient_smsg_head; - if (head == NULL) - goto end; - - /* if the smsg is bigger than the current packet, we will - * process the smsg in a later run */ - if ((head->data.seq + head->data.data_len) > (TCP_GET_SEQ(p) + p->payload_len)) { - SCLogDebug("smsg ends beyond current packet, skipping for now %"PRIu32">%"PRIu32, - (head->data.seq + head->data.data_len), (TCP_GET_SEQ(p) + p->payload_len)); - goto end; - } + /* if the smsg is bigger than the current packet, we will + * process the smsg in a later run */ + if ((head->data.seq + head->data.data_len) > (TCP_GET_SEQ(p) + p->payload_len)) { + SCLogDebug("smsg ends beyond current packet, skipping for now %"PRIu32">%"PRIu32, + (head->data.seq + head->data.data_len), (TCP_GET_SEQ(p) + p->payload_len)); + goto end; + } - smsg = head; - /* deref from the ssn */ - ssn->toclient_smsg_head = NULL; - ssn->toclient_smsg_tail = NULL; + smsg = head; + /* deref from the ssn */ + ssn->toserver_smsg_head = NULL; + ssn->toserver_smsg_tail = NULL; - SCLogDebug("to_client smsg %p", smsg); + SCLogDebug("to_server smsg %p", smsg); + } else { + StreamMsg *head = ssn->toclient_smsg_head; + if (unlikely(head == NULL)) + goto end; + + /* if the smsg is bigger than the current packet, we will + * process the smsg in a later run */ + if ((head->data.seq + head->data.data_len) > (TCP_GET_SEQ(p) + p->payload_len)) { + SCLogDebug("smsg ends beyond current packet, skipping for now %"PRIu32">%"PRIu32, + (head->data.seq + head->data.data_len), (TCP_GET_SEQ(p) + p->payload_len)); + goto end; } + + smsg = head; + /* deref from the ssn */ + ssn->toclient_smsg_head = NULL; + ssn->toclient_smsg_tail = NULL; + + SCLogDebug("to_client smsg %p", smsg); } } } 
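Review bot: Both direction branches of SigMatchSignaturesGetSmsg compare `head->data.seq + head->data.data_len` with `TCP_GET_SEQ(p) + p->payload_len` using a plain `>`, which gives the wrong answer when either sum crosses the 32-bit sequence wrap. The comparison is carried over from the old code, but since the block is being rewritten it could be made wrap-safe, for example `(int32_t)(smsg_end - pkt_end) > 0` on the two sums, assuming both are 32-bit sequence values (their types are not visible in the hunk). A wrong result here defers or releases a stream message at the wrong time, so the stream data is inspected late or against the wrong packet. The two branches are also identical apart from the toserver/toclient fields and would read better through one small static helper.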
@@ -723,7 +722,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh det_ctx->pkts++; /* grab the protocol state we will detect on */ - if (p->flow != NULL) { + if (p->flags & PKT_HAS_FLOW) { if (p->flags & PKT_STREAM_EOF) { flags |= STREAM_EOF; SCLogDebug("STREAM_EOF set"); 
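Review bot: Replacing `p->flow != NULL` with `p->flags & PKT_HAS_FLOW` makes the flag the only guard before `p->flow` is dereferenced, for instance `SCMutexLock(&p->flow->m)` in the `end:` hunk further down. Nothing in view documents where the flag is set and cleared, and every unit test in this commit had to add it by hand, which suggests a packet with a flow but no flag is silently treated as flowless and skips flow-based signatures. I would add a comment at this check stating the invariant and naming the code that maintains it, for example `/* PKT_HAS_FLOW implies p->flow != NULL; see <where the flag is set/cleared> */`. SigMatchSignatures starts and ends outside this hunk.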
@@ -770,42 +769,46 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh SCLogDebug("flag STREAM_TOCLIENT set"); } SCLogDebug("p->flowflags 0x%02x", p->flowflags); - } - /* match the ip only signatures */ - if ((p->flowflags & FLOW_PKT_TOSERVER && !(p->flowflags & FLOW_PKT_TOSERVER_IPONLY_SET)) || - (p->flowflags & FLOW_PKT_TOCLIENT && !(p->flowflags & FLOW_PKT_TOCLIENT_IPONLY_SET))) { - SCLogDebug("testing against \"ip-only\" signatures"); + if ((p->flowflags & FLOW_PKT_TOSERVER && !(p->flowflags & FLOW_PKT_TOSERVER_IPONLY_SET)) || + (p->flowflags & FLOW_PKT_TOCLIENT && !(p->flowflags & FLOW_PKT_TOCLIENT_IPONLY_SET))) { + SCLogDebug("testing against \"ip-only\" signatures"); - IPOnlyMatchPacket(de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p); - /* save in the flow that we scanned this direction... locking is - * done in the FlowSetIPOnlyFlag function. */ - if (p->flow != NULL) { - FlowSetIPOnlyFlag(p->flow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0); - } - } else if (p->flow != NULL && ((p->flowflags & FLOW_PKT_TOSERVER && - (p->flow->flags & FLOW_TOSERVER_IPONLY_SET)) || - (p->flowflags & FLOW_PKT_TOCLIENT && - (p->flow->flags & FLOW_TOCLIENT_IPONLY_SET)))) { - /* Get the result of the first IPOnlyMatch() */ - if (p->flow->flags & FLOW_ACTION_PASS) { - /* if it matched a "pass" rule, we have to let it go */ - p->action |= ACTION_PASS; - } - /* If we have a drop from IP only module, - * we will drop the rest of the flow packets - * This will apply only to inline/IPS */ - if (p->flow != NULL && - (p->flow->flags & FLOW_ACTION_DROP)) - { - alert_flags = PACKET_ALERT_FLAG_DROP_FLOW; - p->action |= ACTION_DROP; + IPOnlyMatchPacket(de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p); + /* save in the flow that we scanned this direction... locking is + * done in the FlowSetIPOnlyFlag function. */ + if (p->flow != NULL) { + FlowSetIPOnlyFlag(p->flow, p->flowflags & FLOW_PKT_TOSERVER ? 
1 : 0); + } + } else { +//if (p->flow != NULL && ((p->flowflags & FLOW_PKT_TOSERVER && +// (p->flow->flags & FLOW_TOSERVER_IPONLY_SET)) || +// (p->flowflags & FLOW_PKT_TOCLIENT && +// (p->flow->flags & FLOW_TOCLIENT_IPONLY_SET)))) { + /* Get the result of the first IPOnlyMatch() */ + if (p->flow->flags & FLOW_ACTION_PASS) { + /* if it matched a "pass" rule, we have to let it go */ + p->action |= ACTION_PASS; + } + /* If we have a drop from IP only module, + * we will drop the rest of the flow packets + * This will apply only to inline/IPS */ + if (p->flow != NULL && + (p->flow->flags & FLOW_ACTION_DROP)) + { + alert_flags = PACKET_ALERT_FLAG_DROP_FLOW; + p->action |= ACTION_DROP; + } } } else { + /* no flow */ + /* Even without flow we should match the packet src/dst */ IPOnlyMatchPacket(de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p); } + /* match the ip only signatures */ + /* use the sgh from the flow unless we have no flow or the flow * sgh wasn't initialized yet */ if (sgh == NULL && !use_flow_sgh) { @@ -851,12 +854,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh else det_ctx->pkts_searched++; #endif cnt = PacketPatternSearch(th_v, det_ctx, p); - if (cnt > 0) { -#if 0 - det_ctx->mpm_match++; -#endif - } - SCLogDebug("post search: cnt %" PRIu32, cnt); } } 
@@ -864,14 +861,15 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh det_ctx->de_mpm_scanned_uri = FALSE; /* stateful app layer detection */ - - /* initialize to 0 (DE_STATE_MATCH_NOSTATE) */ - memset(det_ctx->de_state_sig_array, 0x00, det_ctx->de_state_sig_array_len); - - /* if applicable, continue stateful detection */ - if (p->flow != NULL && DeStateFlowHasState(p->flow)) { - DeStateDetectContinueDetection(th_v, de_ctx, det_ctx, p->flow, - flags, alstate, alproto); + if (p->flags & PKT_HAS_FLOW && alstate != NULL) { + /* initialize to 0 (DE_STATE_MATCH_NOSTATE) */ + memset(det_ctx->de_state_sig_array, 0x00, det_ctx->de_state_sig_array_len); + + /* if applicable, continue stateful detection */ + if (DeStateFlowHasState(p->flow)) { + DeStateDetectContinueDetection(th_v, de_ctx, det_ctx, p->flow, + flags, alstate, alproto); + } } /* build the match array */ @@ -951,7 +949,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh if (det_ctx->smsg_pmq[pmq_idx].pattern_id_bitarray != NULL) { /* filter out sigs that want pattern matches, but * have no matches */ - if (!(det_ctx->smsg_pmq[pmq_idx].pattern_id_bitarray[(s->mpm_stream_pattern_id / 8)] & (1<<(s->mpm_stream_pattern_id % 8))) && + if (!(det_ctx->smsg_pmq[pmq_idx].pattern_id_bitarray[(s->mpm_stream_pattern_id_div_8)] & s->mpm_stream_pattern_id_mod_8) && (s->flags & SIG_FLAG_MPM) && !(s->flags & SIG_FLAG_MPM_NEGCONTENT)) { SCLogDebug("no match in this smsg"); continue; @@ -1026,7 +1024,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh } else { if (s->flags & SIG_FLAG_RECURSIVE) { uint8_t rmatch = 0; - det_ctx->pkt_cnt = 0; + uint8_t recursion_cnt = 0; do { sm = s->match; @@ -1045,7 +1043,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh } } rmatch = fmatch = 1; - det_ctx->pkt_cnt++; + recursion_cnt++; } } else { /* done with this sig */ 
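Review bot: In the `@@ -864` hunk, `de_state_sig_array` is now zeroed only when the packet has a flow and `alstate` is non-NULL, where the old code cleared it for every packet. If anything later in SigMatchSignatures reads the array for a packet that skipped this branch (that code is outside the hunk), it would see the per-signature state left by an earlier packet handled with the same `det_ctx` and could skip or accept signatures on that basis. Either keep the `memset` unconditional or add a comment at the reader stating that the array is only consulted under the same `PKT_HAS_FLOW && alstate != NULL` condition.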
@@ -1056,7 +1054,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh /* Limit the number of times we do this recursive thing. * XXX is this a sane limit? Should it be configurable? */ - if (det_ctx->pkt_cnt == 10) + if (recursion_cnt == 10) goto done; } while (rmatch); @@ -1125,7 +1123,7 @@ end: /* store the found sgh (or NULL) in the flow to save us from looking it * up again for the next packet. Also return any stream chunk we processed * to the pool. */ - if (p->flow != NULL) { + if (p->flags & PKT_HAS_FLOW) { SCMutexLock(&p->flow->m); if (no_store_flow_sgh == FALSE) { if (p->flowflags & FLOW_PKT_TOSERVER && !(p->flow->flags & FLOW_SGH_TOSERVER)) { @@ -3770,6 +3768,7 @@ static int SigTest06Real (int mpm_type) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -3865,6 +3864,7 @@ static int SigTest07Real (int mpm_type) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -3960,6 +3960,7 @@ static int SigTest08Real (int mpm_type) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -4055,6 +4056,7 @@ static int SigTest09Real (int mpm_type) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -4142,6 +4144,7 @@ static int SigTest10Real (int mpm_type) { p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); 
@@ -4228,6 +4231,7 @@ static int SigTest11Real (int mpm_type) { f.dst.family = AF_INET; p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -4296,6 +4300,7 @@ static int SigTest12Real (int mpm_type) { p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP); p->flow = &f; + p->flags |= PKT_HAS_FLOW; DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) { @@ -4360,6 +4365,7 @@ static int SigTest13Real (int mpm_type) { p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP); p->flow = &f; + p->flags |= PKT_HAS_FLOW; DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) { @@ -8888,6 +8894,7 @@ static int SigTestDropFlow01(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -8985,6 +8992,7 @@ static int SigTestDropFlow02(void) p->flow = &f; p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -9095,10 +9103,12 @@ static int SigTestDropFlow03(void) p1->flow = &f; p1->flowflags |= FLOW_PKT_TOSERVER; p1->flowflags |= FLOW_PKT_ESTABLISHED; + p1->flags |= PKT_HAS_FLOW; p2->flow = &f; p2->flowflags |= FLOW_PKT_TOSERVER; p2->flowflags |= FLOW_PKT_ESTABLISHED; + p2->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); @@ -9258,10 +9268,12 @@ static int SigTestDropFlow04(void) p1->flow = &f; p1->flowflags |= FLOW_PKT_TOSERVER; p1->flowflags |= FLOW_PKT_ESTABLISHED; + p1->flags |= PKT_HAS_FLOW; p2->flow = &f; p2->flowflags |= FLOW_PKT_TOSERVER; p2->flowflags |= FLOW_PKT_ESTABLISHED; + p2->flags |= PKT_HAS_FLOW; f.alproto = ALPROTO_HTTP; StreamTcpInitConfig(TRUE); diff --git a/src/detect.h b/src/detect.h index 9b42270b73..6f9401e4e2 100644 --- a/src/detect.h +++ b/src/detect.h 
@@ -240,16 +240,31 @@ typedef struct IPOnlyCIDRItem_ { /** \brief Subset of the Signature for cache efficient prefiltering */ typedef struct SignatureHeader_ { - uint32_t flags; - - /* app layer signature stuff */ - uint16_t alproto; + union { + struct { + uint32_t flags; + /* app layer signature stuff */ + uint16_t alproto; + + uint16_t mpm_pattern_id_div_8; + }; + uint64_t hdr_copy; + }; /** pattern in the mpm matcher */ - uint32_t mpm_pattern_id; - uint32_t mpm_stream_pattern_id; - - SigIntId num; /**< signature number, internal id */ + union { + struct { + uint8_t mpm_pattern_id_mod_8; + uint8_t pad0; + uint16_t mpm_stream_pattern_id_div_8; + uint8_t mpm_stream_pattern_id_mod_8; + uint8_t pad1; + SigIntId num; /**< signature number, internal id */ + }; + uint64_t mpm_pattern_copy; + }; + //PatIntId mpm_pattern_id; + //PatIntId mpm_stream_pattern_id; /** pointer to the full signature */ struct Signature_ *full_sig; 
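Review bot: The second union in `SignatureHeader_` only works while its anonymous struct is exactly 8 bytes, which holds as long as `SigIntId` is `uint16_t`. `src/suricata-common.h` keeps a commented-out `uint32_t` alternative, and with that the struct would grow past `mpm_pattern_copy`, so a 64-bit copy would no longer carry `num`. If `num` is used as an array index elsewhere (not visible here), a stale value would not be benign. The identical unions in `Signature_` in the next hunk have the same dependency. I would add a compile-time size check next to the unions, or at least a comment such as `/* layout requires sizeof(SigIntId) == 2: hdr_copy and mpm_pattern_copy each cover 8 bytes */`.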
@@ -257,16 +272,47 @@ typedef struct SignatureHeader_ { /** \brief Signature container */ typedef struct Signature_ { - uint32_t flags; + union { + struct { + uint32_t flags; - /* app layer signature stuff */ - uint16_t alproto; + /* app layer signature stuff */ + uint16_t alproto; + + uint16_t mpm_pattern_id_div_8; + }; + uint64_t hdr_copy; + }; /** pattern in the mpm matcher */ - uint32_t mpm_pattern_id; - uint32_t mpm_stream_pattern_id; + union { + struct { + uint8_t mpm_pattern_id_mod_8; + uint8_t pad0; + uint16_t mpm_stream_pattern_id_div_8; + uint8_t mpm_stream_pattern_id_mod_8; + uint8_t pad1; + SigIntId num; /**< signature number, internal id */ + }; + uint64_t mpm_pattern_copy; + }; + //PatIntId mpm_pattern_id; + //PatIntId mpm_stream_pattern_id; - SigIntId num; /**< signature number, internal id */ +/* + //PatIntId mpm_pattern_id; + //PatIntId mpm_stream_pattern_id; + uint16_t mpm_pattern_id_div_8; + uint8_t mpm_pattern_id_mod_8; + uint8_t pad0; + //PatIntId mpm_pattern_id; + //PatIntId mpm_stream_pattern_id; + uint16_t mpm_stream_pattern_id_div_8; + uint8_t mpm_stream_pattern_id_mod_8; + uint8_t pad1; +*/ + /** pattern in the mpm matcher */ + PatIntId mpm_uripattern_id; /** ipv4 match arrays */ DetectMatchAddressIPv4 *addr_dst_match4; 
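Review bot: The `/* ... */` block of `//PatIntId` lines and duplicate field declarations added after the second union in `Signature_` is dead text, as are the two `//PatIntId mpm_pattern_id;` lines above it. Leftovers like these make it hard to tell which layout is authoritative in a struct whose leading unions are apparently meant to mirror `SignatureHeader_`. I would drop them and keep a single comment, e.g. `/* the two leading unions must stay identical to SignatureHeader_ */`.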
@@ -289,49 +335,38 @@ typedef struct Signature_ { IPOnlyCIDRItem *CidrSrc, *CidrDst; /** ptr to the SigMatch lists */ - struct SigMatch_ *match; /* non-payload matches */ - struct SigMatch_ *match_tail; /* non-payload matches, tail of the list */ struct SigMatch_ *pmatch; /* payload matches */ - struct SigMatch_ *pmatch_tail; /* payload matches, tail of the list */ struct SigMatch_ *umatch; /* uricontent payload matches */ - struct SigMatch_ *umatch_tail; /* uricontent payload matches, tail of the list */ struct SigMatch_ *amatch; /* general app layer matches */ - struct SigMatch_ *amatch_tail; /* general app layer matches, tail of the list */ struct SigMatch_ *dmatch; /* dce app layer matches */ - struct SigMatch_ *dmatch_tail; /* dce app layer matches, tail of the list */ + struct SigMatch_ *match; /* non-payload matches */ struct SigMatch_ *tmatch; /* list of tags matches */ - struct SigMatch_ *tmatch_tail; /* tag matches, tail of the list */ - - /** ptr to the next sig in the list */ - struct Signature_ *next; struct SigMatch_ *dsize_sm; - /** inline -- action */ - uint8_t action; - /* helper for init phase */ uint16_t mpm_content_maxlen; uint16_t mpm_uricontent_maxlen; + /** number of sigmatches in the match and pmatch list */ uint16_t sm_cnt; SigIntId order_id; - /** pattern in the mpm matcher */ - uint32_t mpm_uripattern_id; + /** inline -- action */ + uint8_t action; uint8_t rev; + /** classification id **/ + uint8_t class; + int prio; uint32_t gid; /**< generator id */ uint32_t id; /**< sid, set by the 'sid' rule keyword */ char *msg; - /** classification id **/ - uint8_t class; - /** classification message */ char *class_msg; 
@@ -346,8 +381,18 @@ typedef struct Signature_ { uint16_t profiling_id; #endif + struct SigMatch_ *match_tail; /* non-payload matches, tail of the list */ + struct SigMatch_ *pmatch_tail; /* payload matches, tail of the list */ + struct SigMatch_ *umatch_tail; /* uricontent payload matches, tail of the list */ + struct SigMatch_ *amatch_tail; /* general app layer matches, tail of the list */ + struct SigMatch_ *dmatch_tail; /* dce app layer matches, tail of the list */ + struct SigMatch_ *tmatch_tail; /* tag matches, tail of the list */ + /** address settings for this signature */ DetectAddressHead src, dst; + + /** ptr to the next sig in the list */ + struct Signature_ *next; } Signature; typedef struct DetectEngineIPOnlyThreadCtx_ { @@ -400,7 +445,7 @@ typedef struct DetectEngineLookupFlow_ { /* mpm pattern id api */ typedef struct MpmPatternIdStore_ { HashTable *hash; - uint32_t max_id; + PatIntId max_id; uint32_t unique_patterns; uint32_t shared_patterns; @@ -550,9 +595,13 @@ typedef struct DetectionEngineThreadCtx_ { uint32_t payload_offset; /* used by pcre match function alone */ uint32_t pcre_match_start_offset; - /** offset into the uri payload of the last match by - * uricontent */ - uint32_t uricontent_payload_offset; + + /* http_uri stuff for uricontent */ + char de_have_httpuri; + char de_mpm_scanned_uri; + + /** id for alert counter */ + uint16_t counter_alerts; /* used to discontinue any more matching */ int discontinue_matching; 
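Review bot: `MpmPatternIdStore_.max_id` shrinks from `uint32_t` to `PatIntId` (16 bits), and nothing in this hunk bounds it. If the code that hands out ids (not shown in this section) increments past 65535, the counter wraps and two different patterns share an id, so bitarray lookups could report the wrong pattern or miss the right one. The same narrowing appears on `B2gcPattern.id` in `src/util-mpm-b2gc.h` and, for signature counts, on `match_array_cnt` and `sig_cnt`. I would add an explicit check where ids are assigned so that ruleset loading fails once the limit is reached, and state the limit at the define: `/* PatIntId: at most 65535 unique pattern ids */`.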
@@ -565,32 +614,26 @@ typedef struct DetectionEngineThreadCtx_ { * stored in Signature->dmatch, by content, pcre, etc */ uint32_t dce_payload_offset; - /** recursive counter */ - uint8_t pkt_cnt; - - /* http_uri stuff for uricontent */ - char de_have_httpuri; - char de_mpm_scanned_uri; - /** array of signature pointers we're going to inspect in the detection * loop. */ Signature **match_array; - /** size of the array in items (mem size if * sizeof(Signature *) */ + /** size of the array in items (mem size if * sizeof(Signature *) + * Only used during initialization. */ uint32_t match_array_len; /** size in use */ - uint32_t match_array_cnt; + SigIntId match_array_cnt; /** Array of sigs that had a state change */ - uint8_t *de_state_sig_array; SigIntId de_state_sig_array_len; + uint8_t *de_state_sig_array; + struct SigGroupHead_ *sgh; /** pointer to the current mpm ctx that is stored * in a rule group head -- can be either a content * or uricontent ctx. */ MpmThreadCtx mtc; /**< thread ctx for the mpm */ MpmThreadCtx mtcu; /**< thread ctx for uricontent mpm */ MpmThreadCtx mtcs; /**< thread ctx for stream mpm */ - struct SigGroupHead_ *sgh; PatternMatcherQueue pmq; PatternMatcherQueue smsg_pmq[256]; @@ -609,21 +652,15 @@ typedef struct DetectionEngineThreadCtx_ { uint32_t pkts_uri_searched3; uint32_t pkts_uri_searched4; - /** id for alert counter */ - uint16_t counter_alerts; - /** ip only rules ctx */ DetectEngineIPOnlyThreadCtx io_ctx; DetectEngineCtx *de_ctx; - #ifdef __SC_CUDA_SUPPORT__ /* each detection thread would have it's own queue where the cuda dispatcher * thread can dump the packets once it has processed them */ Tmq *cuda_mpm_rc_disp_outq; #endif - - uint64_t mpm_match; } DetectEngineThreadCtx; /** \brief a single match condition for a signature */ 
@@ -689,12 +726,12 @@ typedef struct SigGroupHeadInitData_ { /** \brief Container for matching data for a signature group */ typedef struct SigGroupHead_ { uint8_t flags; - uint8_t pad0; - uint16_t pad1; - /* number of sigs in this head */ - uint32_t sig_cnt; + SigIntId sig_cnt; + + uint16_t mpm_content_maxlen; + uint16_t mpm_streamcontent_maxlen; /** chunk of memory containing the "header" part of each * signature ordered as an array. Used to pre-filter the @@ -704,10 +741,12 @@ typedef struct SigGroupHead_ { /* pattern matcher instances */ MpmCtx *mpm_ctx; MpmCtx *mpm_stream_ctx; - uint16_t mpm_content_maxlen; - uint16_t mpm_streamcontent_maxlen; MpmCtx *mpm_uri_ctx; uint16_t mpm_uricontent_maxlen; + uint16_t pad1; +#if __WORDSIZE == 64 + uint32_t pad2; +#endif /** Array with sig ptrs... size is sig_cnt * sizeof(Signature *) */ Signature **match_array; diff --git a/src/flow-queue.h b/src/flow-queue.h index 7222809f17..e4679daa28 100644 --- a/src/flow-queue.h +++ b/src/flow-queue.h @@ -33,11 +33,11 @@ typedef struct FlowQueue_ Flow *top; Flow *bot; uint32_t len; - SCMutex mutex_q; - SCCondT cond_q; #ifdef DBG_PERF uint32_t dbg_maxlen; #endif /* DBG_PERF */ + SCMutex mutex_q; + SCCondT cond_q; } FlowQueue; /* prototypes */ diff --git a/src/flow.c b/src/flow.c index 1271c41f2c..d955529157 100644 --- a/src/flow.c +++ b/src/flow.c @@ -736,6 +736,8 @@ void FlowHandlePacket (ThreadVars *tv, Packet *p) p->flow = f; SCMutexUnlock(&f->m); + + p->flags |= PKT_HAS_FLOW; } /** \brief initialize the configuration diff --git a/src/flow.h b/src/flow.h index d3307a7bb0..641ff41541 100644 --- a/src/flow.h +++ b/src/flow.h 
@@ -147,22 +147,19 @@ typedef struct Flow_ uint16_t flags; /* ts of flow init and last update */ - struct timeval startts; struct timeval lastts; - /* pointer to the var list */ - GenericVar *flowvar; + SCMutex m; - uint32_t todstpktcnt; - uint32_t tosrcpktcnt; - uint64_t bytecnt; + /** protocol specific data pointer, e.g. for TcpSession */ + void *protoctx; /** mapping to Flow's protocol specific protocols for timeouts and state and free functions. */ uint8_t protomap; - /** protocol specific data pointer, e.g. for TcpSession */ - void *protoctx; + uint8_t alflags; /**< application level specific flags */ + uint16_t alproto; /**< application level protocol */ /** how many pkts and stream msgs are using the flow *right now*. This * variable is atomic so not protected by the Flow mutex "m". @@ -172,9 +169,12 @@ typedef struct Flow_ */ SC_ATOMIC_DECLARE(unsigned short, use_cnt); + uint16_t pad0; + + void **aldata; /**< application level storage ptrs */ + /** detection engine state */ struct DetectEngineState_ *de_state; - SCMutex de_state_m; /**< mutex lock for the de_state object */ /** toclient sgh for this flow. Only use when FLOW_SGH_TOCLIENT flow flag * has been set. */ 
@@ -183,24 +183,27 @@ typedef struct Flow_ * has been set. */ struct SigGroupHead_ *sgh_toserver; - SCMutex m; - /** List of tags of this flow (from "tag" keyword of type "session") */ DetectTagDataEntryList *tag_list; + /* pointer to the var list */ + GenericVar *flowvar; + + SCMutex de_state_m; /**< mutex lock for the de_state object */ + /* list flow ptrs * NOTE!!! These are NOT protected by the * above mutex, but by the FlowQ's */ struct Flow_ *hnext; /* hash list */ struct Flow_ *hprev; + struct FlowBucket_ *fb; struct Flow_ *lnext; /* list */ struct Flow_ *lprev; - struct FlowBucket_ *fb; - - uint16_t alproto; /**< application level protocol */ - void **aldata; /**< application level storage ptrs */ - uint8_t alflags; /**< application level specific flags */ + struct timeval startts; + uint32_t todstpktcnt; + uint32_t tosrcpktcnt; + uint64_t bytecnt; } Flow; diff --git a/src/suricata-common.h b/src/suricata-common.h index edf9dcb0f8..a87f8986fb 100644 --- a/src/suricata-common.h +++ b/src/suricata-common.h @@ -130,6 +130,8 @@ #define SigIntId uint16_t //#define SigIntId uint32_t +/** same for pattern id's */ +#define PatIntId uint16_t #include #include "threads.h" diff --git a/src/util-mpm-b2gc.h b/src/util-mpm-b2gc.h index 7ec46d5e9d..5713ccc886 100644 --- a/src/util-mpm-b2gc.h +++ b/src/util-mpm-b2gc.h @@ -72,7 +72,7 @@ typedef struct B2gcPatternHdr_ { uint32_t np_offset; /* offset of the next pattern */ uint8_t len; uint8_t flags; - uint16_t id; + PatIntId id; } B2gcPatternHdr; #define B2GC_GET_FLAGS(hdr) ((hdr)->flags) @@ -87,7 +87,7 @@ typedef struct B2gcPatternHdr_ { typedef struct B2gcPattern1_ { uint8_t flags; uint8_t pat; - uint16_t id; + PatIntId id; } B2gcPattern1; #define B2GC1_GET_FLAGS(hdr) ((hdr)->flags) @@ -99,7 +99,7 @@ typedef struct B2gcPattern_ { uint16_t len; uint8_t flags; uint8_t pad0; - uint32_t id; + PatIntId id; uint8_t *pat; } B2gcPattern; diff --git a/src/util-radix-tree.h b/src/util-radix-tree.h index 31a8c62b16..b18c74b0a0 100644 
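Review bot: After the reorder, the comment `NOTE!!! These are NOT protected by the above mutex` in `Flow_` sits directly under `SCMutex de_state_m`, while `m` (presumably the mutex it meant) has moved near the top of the struct. A locking comment that points at the wrong mutex invites races in later changes. I would reword it to name the locks, e.g. `/* list flow ptrs: NOT protected by the Flow mutexes (m, de_state_m), but by the FlowQ's */`.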
--- a/src/util-radix-tree.h +++ b/src/util-radix-tree.h @@ -43,12 +43,12 @@ * \brief Structure that hold the user data and the netmask associated with it. */ typedef struct SCRadixUserData_ { - /* holds the netmask value that corresponds to this user data pointer */ - uint8_t netmask; /* holds a pointer to the user data associated with the particular netmask */ void *user; /* pointer to the next user data in the list */ struct SCRadixUserData_ *next; + /* holds the netmask value that corresponds to this user data pointer */ + uint8_t netmask; } SCRadixUserData; /** @@ -81,10 +81,12 @@ typedef struct SCRadixNode_ { * to determine the path to be taken during a lookup*/ uint16_t bit; - /* holds a list of netmaks that come under this node in the tree */ - uint8_t *netmasks; + uint16_t pad0; + /* total no of netmasks that are registered under this node */ int netmask_cnt; + /* holds a list of netmaks that come under this node in the tree */ + uint8_t *netmasks; /* holds the prefix that the path to this node holds */ SCRadixPrefix *prefix;