Many small performance updates.

remotes/origin/master-1.1.x
Victor Julien 15 years ago
parent b4454b6846
commit fc248ca7a1

@ -1467,6 +1467,7 @@ static int AlpDetectTestSig1(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1557,6 +1558,7 @@ static int AlpDetectTestSig2(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1647,6 +1649,7 @@ static int AlpDetectTestSig3(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1734,6 +1737,7 @@ static int AlpDetectTestSig4(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_FTP;
StreamTcpInitConfig(TRUE);
@ -1822,6 +1826,7 @@ static int AlpDetectTestSig5(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
f.proto = IPPROTO_TCP;
p->flags |= PKT_STREAM_ADD;
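Review bot: Each of these unit tests now sets `p->flags |= PKT_HAS_FLOW;` by hand next to `p->flow = &f;`, so the flag and the pointer are kept in sync only by copy-paste. The same pattern repeats in the DCE, URI, ftpbounce, HTTP client-body/cookie/header/method, proto, state and SigTest76 sections. A test that sets `p->flow` but forgets the flag would presumably take the no-flow path and still pass while covering less of the detection code. A small unit-test helper that does both assignments (`p->flow = f; p->flags |= PKT_HAS_FLOW;`) would keep them together; it would also remove the inconsistency in whether the flag is set before or after `flowflags`. The test bodies continue outside these hunks.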

@ -96,8 +96,8 @@ typedef struct FtpState_ {
FtpRequestCommand command;
FtpRequestCommandArgOfs arg_offset;
FtpResponseCode response_code;
uint8_t *port_line;
uint32_t port_line_len;
uint8_t *port_line;
} FtpState;
void RegisterFTPParsers(void);

@ -60,9 +60,9 @@ typedef struct AppLayerParserResultElmt_ {
uint16_t flags; /* flags. E.g. local alloc */
uint16_t name_idx; /* idx for names like "http.request_line.uri" */
uint32_t data_len; /* length of the data from the ptr */
uint8_t *data_ptr; /* point to the position in the "input" data
* or ptr to new mem if local alloc flag set */
uint32_t data_len; /* length of the data from the ptr */
struct AppLayerParserResultElmt_ *next;
} AppLayerParserResultElmt;

@ -76,17 +76,15 @@ typedef struct SMBAndX_ {
} SMBAndX;
typedef struct SMBState_ {
uint32_t head;
NBSSHdr nbss;
uint16_t transaction_id;
uint16_t bytesprocessed;
SMBHdr smb;
SMBWordCount wordcount;
SMBByteCount bytecount;
SMBAndX andx;
uint16_t bytesprocessed;
DCERPC dcerpc;
uint8_t dcerpc_present;
uint32_t tail;
uint16_t transaction_id;
} SMBState;
#define SMB_FLAGS_SERVER_TO_REDIR 0x80

@ -77,16 +77,17 @@ typedef struct SSHHeader_ {
/** structure to store the SSH state values */
typedef struct SshState_ {
uint8_t flags; /**< Flags to indicate the current SSH
sessoin state */
uint8_t client_msg_code; /**< Client content type storage field */
uint8_t server_msg_code; /**< Server content type storage field */
uint8_t *client_proto_version; /**< Client SSH version storage field */
uint8_t *client_software_version; /**< Client SSH version storage field */
uint8_t server_msg_code; /**< Server content type storage field */
uint8_t *server_proto_version; /**< Server SSH version storage field */
uint8_t *server_software_version; /**< Server SSH version storage field */
uint8_t flags; /**< Flags to indicate the current SSH
sessoin state */
SshHeader srv_hdr;
SshHeader cli_hdr;
} SshState;
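Review bot: The moved `flags` comment still reads "sessoin state"; since the line is being touched anyway, fix it to `/**< Flags to indicate the current SSH session state */`. The same typo is carried along in the SslState and TlsState hunks. In this struct the `client_software_version` and `server_software_version` fields also reuse the "SSH version storage field" text of the `*_proto_version` fields, so the comments do not say which string each pointer holds. A one-line comment above the struct saying the field order is chosen for packing would stop a later edit from undoing it.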

@ -48,14 +48,13 @@
/* structure to store the SSL state values */
typedef struct SslState_ {
uint8_t flags; /**< Flags to indicate the current SSL
sessoin state */
uint8_t client_content_type; /**< Client content type storage field */
uint16_t client_version; /**< Client SSL version storage field */
uint8_t server_content_type; /**< Server content type storage field */
uint16_t server_version; /**< Server SSL version storage field */
uint8_t flags; /**< Flags to indicate the current SSL
sessoin state */
uint8_t server_content_type; /**< Server content type storage field */
} SslState;
typedef struct SslClient_ {

@ -47,14 +47,13 @@ enum {
};
/* structure to store the TLS state values */
typedef struct TlsState_ {
uint8_t flags; /**< Flags to indicate the current TLS
sessoin state */
uint8_t client_content_type; /**< Client content type storage field */
uint16_t client_version; /**< Client TLS version storage field */
uint8_t server_content_type; /**< Server content type storage field */
uint16_t server_version; /**< Server TLS version storage field */
uint8_t flags; /**< Flags to indicate the current TLS
sessoin state */
uint8_t server_content_type; /**< Server content type storage field */
} TlsState;
enum {

@ -49,13 +49,13 @@ typedef struct SCDQDataQueue_ {
SCDQGenericQData *bot;
/* no of items currently in the queue */
uint16_t len;
#ifdef DBG_PERF
uint16_t dbg_maxlen;
#endif /* DBG_PERF */
SCMutex mutex_q;
SCCondT cond_q;
#ifdef DBG_PERF
uint16_t dbg_maxlen;
#endif /* DBG_PERF */
} SCDQDataQueue;
void SCDQDataEnqueue(SCDQDataQueue *, SCDQGenericQData *);

@ -29,6 +29,7 @@
#include "decode-events.h"
#include "util-unittest.h"
#include "util-debug.h"
#include "util-optimize.h"
#include "flow.h"
static int DecodeTCPOptions(ThreadVars *tv, Packet *p, uint8_t *pkt, uint16_t len)
@ -124,7 +125,7 @@ static int DecodeTCPOptions(ThreadVars *tv, Packet *p, uint8_t *pkt, uint16_t le
static int DecodeTCPPacket(ThreadVars *tv, Packet *p, uint8_t *pkt, uint16_t len)
{
if (len < TCP_HEADER_LEN) {
if (unlikely(len < TCP_HEADER_LEN)) {
DECODER_SET_EVENT(p, TCP_PKT_TOO_SMALL);
return -1;
}
@ -132,7 +133,7 @@ static int DecodeTCPPacket(ThreadVars *tv, Packet *p, uint8_t *pkt, uint16_t len
p->tcph = (TCPHdr *)pkt;
p->tcpvars.hlen = TCP_GET_HLEN(p);
if (len < p->tcpvars.hlen) {
if (unlikely(len < p->tcpvars.hlen)) {
DECODER_SET_EVENT(p, TCP_HLEN_TOO_SMALL);
return -1;
}
@ -141,7 +142,7 @@ static int DecodeTCPPacket(ThreadVars *tv, Packet *p, uint8_t *pkt, uint16_t len
SET_TCP_DST_PORT(p,&p->dp);
p->tcpvars.tcp_opt_len = p->tcpvars.hlen - TCP_HEADER_LEN;
if (p->tcpvars.tcp_opt_len > TCP_OPTLENMAX) {
if (unlikely(p->tcpvars.tcp_opt_len > TCP_OPTLENMAX)) {
DECODER_SET_EVENT(p, TCP_INVALID_OPTLEN);
return -1;
}
@ -162,7 +163,7 @@ void DecodeTCP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, u
{
SCPerfCounterIncr(dtv->counter_tcp, tv->sc_perf_pca);
if (DecodeTCPPacket(tv, p,pkt,len) < 0) {
if (unlikely(DecodeTCPPacket(tv, p,pkt,len) < 0)) {
p->tcph = NULL;
return;
}
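Review bot: In DecodeTCPPacket nothing visible rejects a header length below `TCP_HEADER_LEN` before `p->tcpvars.tcp_opt_len = p->tcpvars.hlen - TCP_HEADER_LEN;`. The `len < p->tcpvars.hlen` check only catches a header longer than the packet. A data-offset value under 5 would make the subtraction wrap, and whether the `TCP_OPTLENMAX` check then rejects it depends on the type of `tcp_opt_len`, which is not shown here. An explicit guard such as `if (unlikely(p->tcpvars.hlen < TCP_HEADER_LEN)) { DECODER_SET_EVENT(p, TCP_HLEN_TOO_SMALL); return -1; }` ahead of the subtraction would make the validation independent of that type. The function body continues outside these hunks.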

@ -406,11 +406,11 @@ typedef struct PacketQueue_ {
Packet *top;
Packet *bot;
uint16_t len;
SCMutex mutex_q;
SCCondT cond_q;
#ifdef DBG_PERF
uint16_t dbg_maxlen;
#endif /* DBG_PERF */
SCMutex mutex_q;
SCCondT cond_q;
} PacketQueue;
/** \brief Specific ctx for AL proto detection */
@ -730,6 +730,7 @@ void AddressDebugPrint(Address *);
#define PKT_HAS_TAG 0x08 /**< Packet has matched a tag */
#define PKT_STREAM_ADD 0x10 /**< Packet payload was added to reassembled stream */
#define PKT_STREAM_EOF 0x20 /**< Stream is in eof state */
#define PKT_HAS_FLOW 0x40
#endif /* __DECODE_H__ */
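Review bot: `#define PKT_HAS_FLOW 0x40` is the only flag in this group without a `/**< ... */` description, and nothing states the invariant it carries. If, as the test changes suggest, it is meant to be set exactly when `p->flow` is valid, say so: `#define PKT_HAS_FLOW 0x40 /**< Packet has a flow assigned (p->flow is valid) */`. Code that tests the flag instead of the pointer will rely on every assignment and reset of `p->flow` updating the flag too, so the comment should also name where the flag is cleared when a packet is recycled (not visible in this section).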

@ -1773,6 +1773,7 @@ static int SigTest76TestBug134(void)
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
char sig[] = "alert tcp any any -> any 515 "
"(msg:\"detect IFS\"; flow:to_server,established; content:\"${IFS}\";"

@ -49,19 +49,14 @@
typedef struct DetectContentData_ {
uint8_t *content; /**< ptr to chunk of memory containing the pattern */
uint8_t content_len;/**< length of the pattern (and size of the memory) */
uint8_t pad0;
uint16_t pad1;
uint32_t id; /**< unique pattern id */
uint8_t flags;
PatIntId id; /**< unique pattern id */
uint16_t depth;
uint16_t offset;
/** distance from the last match this match should start.
* Can be negative */
int32_t distance;
int32_t within;
uint8_t flags;
uint8_t pad2;
uint16_t pad3;
BmCtx *bm_ctx; /**< Boyer Moore context (for spm search) */
} DetectContentData;
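Review bot: Dropping the explicit `pad0`..`pad3` members leaves the layout of DetectContentData to the compiler, and it now depends on the width of `PatIntId`, which is not visible in this hunk. If any caller compares or hashes the struct bytewise (for example when de-duplicating patterns), compiler-inserted padding would hold indeterminate bytes unless every instance is zeroed at allocation; that is worth confirming before relying on the new layout. The `flags` member also has no description, unlike its neighbours; something like `uint8_t flags; /**< DETECT_CONTENT_* flags */` would help, with the prefix adjusted to whatever the flag macros are actually called.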

@ -868,6 +868,7 @@ static int DetectDceIfaceTestParse12(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -1099,6 +1100,7 @@ static int DetectDceIfaceTestParse13(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -1354,6 +1356,7 @@ static int DetectDceIfaceTestParse14(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);

@ -1135,6 +1135,7 @@ static int DetectDceOpnumTestParse08(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -1661,6 +1662,7 @@ static int DetectDceOpnumTestParse09(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -1858,6 +1860,7 @@ static int DetectDceOpnumTestParse10(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -2150,6 +2153,7 @@ static int DetectDceOpnumTestParse11(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -2425,6 +2429,7 @@ static int DetectDceOpnumTestParse12(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -2709,6 +2714,7 @@ static int DetectDceOpnumTestParse13(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);

@ -637,6 +637,7 @@ static int DetectDceStubDataTestParse02(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -1179,6 +1180,7 @@ static int DetectDceStubDataTestParse03(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -1374,6 +1376,7 @@ static int DetectDceStubDataTestParse04(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
@ -1640,6 +1643,7 @@ static int DetectDceStubDataTestParse05(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);

@ -1612,6 +1612,7 @@ int DcePayloadTest01(void)
for (i = 0; i < 11; i++) {
p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p[i]->flow = &f;
p[i]->flags |= PKT_HAS_FLOW;
p[i]->flowflags |= FLOW_PKT_TOSERVER;
p[i]->flowflags |= FLOW_PKT_ESTABLISHED;
}
@ -2475,6 +2476,7 @@ int DcePayloadTest02(void)
for (i = 0; i < 4; i++) {
p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p[i]->flow = &f;
p[i]->flags |= PKT_HAS_FLOW;
p[i]->flowflags |= FLOW_PKT_TOSERVER;
p[i]->flowflags |= FLOW_PKT_ESTABLISHED;
}
@ -2921,6 +2923,7 @@ int DcePayloadTest03(void)
for (i = 0; i < 4; i++) {
p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p[i]->flow = &f;
p[i]->flags |= PKT_HAS_FLOW;
p[i]->flowflags |= FLOW_PKT_TOSERVER;
p[i]->flowflags |= FLOW_PKT_ESTABLISHED;
}
@ -3366,6 +3369,7 @@ int DcePayloadTest04(void)
for (i = 0; i < 4; i++) {
p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p[i]->flow = &f;
p[i]->flags |= PKT_HAS_FLOW;
p[i]->flowflags |= FLOW_PKT_TOSERVER;
p[i]->flowflags |= FLOW_PKT_ESTABLISHED;
}
@ -3810,6 +3814,7 @@ int DcePayloadTest05(void)
for (i = 0; i < 4; i++) {
p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p[i]->flow = &f;
p[i]->flags |= PKT_HAS_FLOW;
p[i]->flowflags |= FLOW_PKT_TOSERVER;
p[i]->flowflags |= FLOW_PKT_ESTABLISHED;
}
@ -4255,6 +4260,7 @@ int DcePayloadTest06(void)
for (i = 0; i < 4; i++) {
p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p[i]->flow = &f;
p[i]->flags |= PKT_HAS_FLOW;
p[i]->flowflags |= FLOW_PKT_TOSERVER;
p[i]->flowflags |= FLOW_PKT_ESTABLISHED;
}
@ -4699,6 +4705,7 @@ int DcePayloadTest07(void)
for (i = 0; i < 4; i++) {
p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p[i]->flow = &f;
p[i]->flags |= PKT_HAS_FLOW;
p[i]->flowflags |= FLOW_PKT_TOSERVER;
p[i]->flowflags |= FLOW_PKT_ESTABLISHED;
}
@ -4981,6 +4988,7 @@ int DcePayloadTest08(void)
for (i = 0; i < 1; i++) {
p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p[i]->flow = &f;
p[i]->flags |= PKT_HAS_FLOW;
p[i]->flowflags |= FLOW_PKT_TOSERVER;
p[i]->flowflags |= FLOW_PKT_ESTABLISHED;
}
@ -5202,6 +5210,7 @@ int DcePayloadTest09(void)
for (i = 0; i < 1; i++) {
p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p[i]->flow = &f;
p[i]->flags |= PKT_HAS_FLOW;
p[i]->flowflags |= FLOW_PKT_TOSERVER;
p[i]->flowflags |= FLOW_PKT_ESTABLISHED;
}
@ -5423,6 +5432,7 @@ int DcePayloadTest10(void)
for (i = 0; i < 1; i++) {
p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p[i]->flow = &f;
p[i]->flags |= PKT_HAS_FLOW;
p[i]->flowflags |= FLOW_PKT_TOSERVER;
p[i]->flowflags |= FLOW_PKT_ESTABLISHED;
}
@ -5779,6 +5789,7 @@ int DcePayloadTest11(void)
for (i = 0; i < 2; i++) {
p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p[i]->flow = &f;
p[i]->flags |= PKT_HAS_FLOW;
p[i]->flowflags |= FLOW_PKT_TOSERVER;
p[i]->flowflags |= FLOW_PKT_ESTABLISHED;
}
@ -6149,6 +6160,7 @@ int DcePayloadTest12(void)
for (i = 0; i < 2; i++) {
p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p[i]->flow = &f;
p[i]->flags |= PKT_HAS_FLOW;
p[i]->flowflags |= FLOW_PKT_TOSERVER;
p[i]->flowflags |= FLOW_PKT_ESTABLISHED;
}
@ -6328,6 +6340,7 @@ int DcePayloadTest13(void)
for (i = 0; i < 8; i++) {
p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p[i]->flow = &f;
p[i]->flags |= PKT_HAS_FLOW;
p[i]->flowflags |= FLOW_PKT_TOSERVER;
p[i]->flowflags |= FLOW_PKT_ESTABLISHED;
}
@ -6569,6 +6582,7 @@ int DcePayloadTest14(void)
for (i = 0; i < 6; i++) {
p[i] = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p[i]->flow = &f;
p[i]->flags |= PKT_HAS_FLOW;
p[i]->flowflags |= FLOW_PKT_TOSERVER;
p[i]->flowflags |= FLOW_PKT_ESTABLISHED;
}
@ -6743,6 +6757,7 @@ int DcePayloadTest15(void)
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
@ -6854,6 +6869,7 @@ int DcePayloadTest16(void)
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
@ -6965,6 +6981,7 @@ int DcePayloadTest17(void)
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
@ -7076,6 +7093,7 @@ int DcePayloadTest18(void)
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
@ -7187,6 +7205,7 @@ int DcePayloadTest19(void)
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
@ -7298,6 +7317,7 @@ int DcePayloadTest20(void)
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
@ -7401,6 +7421,7 @@ int DcePayloadTest21(void)
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
@ -7497,6 +7518,7 @@ int DcePayloadTest22(void)
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
@ -7594,6 +7616,7 @@ int DcePayloadTest23(void)
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
@ -7689,6 +7712,7 @@ int DcePayloadTest24(void)
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
@ -9887,6 +9911,7 @@ int DcePayloadTest42(void)
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
@ -9984,6 +10009,7 @@ int DcePayloadTest43(void)
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;

@ -742,7 +742,8 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead
/* tell matcher we are inspecting packet */
s->flags |= SIG_FLAG_MPM_PACKET;
s->mpm_pattern_id = co->id;
s->mpm_pattern_id_mod_8 = 1<<(co->id%8);
s->mpm_pattern_id_div_8 = co->id/8;
if (scan_negated) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_NEGCONTENT;
@ -980,7 +981,8 @@ static int PatternMatchPreprarePopulateMpmStream(DetectEngineCtx *de_ctx, SigGro
/* tell matcher we are inspecting stream */
s->flags |= SIG_FLAG_MPM_STREAM;
s->mpm_stream_pattern_id = co->id;
s->mpm_stream_pattern_id_div_8 = co->id/8;
s->mpm_stream_pattern_id_mod_8 = 1<<(co->id%8);
if (scan_negated) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_NEGCONTENT;
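Review bot: The `mpm_pattern_id_mod_8` and `mpm_stream_pattern_id_mod_8` fields are assigned `1<<(co->id%8)`, which is a one-bit mask rather than the remainder the name promises. A reader who uses the field as a shift count or an index would get the wrong bit. Either rename the fields (for example to a `_bitmask` suffix) or add a comment at the assignment such as `/* precomputed byte index (id/8) and bit mask (1 << id%8) for the pattern-id bit array */`; the bit-array use is inferred from the div/mod pair and should be confirmed. The two hunks also assign the div and mod fields in opposite order, which makes the otherwise parallel packet and stream code harder to compare. Both functions continue outside the hunks.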

@ -366,6 +366,7 @@ static int DetectProtoTestSig01(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flags |= PKT_HAS_FLOW;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {

@ -1594,19 +1594,24 @@ int SigGroupHeadBuildHeadArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
if (s == NULL)
continue;
sgh->head_array[idx].flags = s->flags;
sgh->head_array[idx].mpm_pattern_id = s->mpm_pattern_id;
sgh->head_array[idx].mpm_stream_pattern_id = s->mpm_stream_pattern_id;
sgh->head_array[idx].alproto = s->alproto;
sgh->head_array[idx].num = s->num;
// sgh->head_array[idx].flags = s->flags;
// sgh->head_array[idx].alproto = s->alproto;
// sgh->head_array[idx].num = s->num;
sgh->head_array[idx].hdr_copy = s->hdr_copy;
sgh->head_array[idx].mpm_pattern_copy = s->mpm_pattern_copy;
// sgh->head_array[idx].mpm_pattern_id_div_8 = s->mpm_pattern_id_div_8;
// sgh->head_array[idx].mpm_pattern_id_mod_8 = s->mpm_pattern_id_mod_8;
// sgh->head_array[idx].mpm_stream_pattern_copy = s->mpm_stream_pattern_copy;
// sgh->head_array[idx].mpm_stream_pattern_id_div_8 = s->mpm_stream_pattern_id_div_8;
// sgh->head_array[idx].mpm_stream_pattern_id_mod_8 = s->mpm_stream_pattern_id_mod_8;
sgh->head_array[idx].full_sig = s;
BUG_ON(s->flags != sgh->head_array[idx].flags);
BUG_ON(s->alproto != sgh->head_array[idx].alproto);
BUG_ON(s->mpm_pattern_id != sgh->head_array[idx].mpm_pattern_id);
BUG_ON(s->mpm_stream_pattern_id != sgh->head_array[idx].mpm_stream_pattern_id);
BUG_ON(s->num != sgh->head_array[idx].num);
BUG_ON(s != sgh->head_array[idx].full_sig);
// BUG_ON(s->flags != sgh->head_array[idx].flags);
// BUG_ON(s->alproto != sgh->head_array[idx].alproto);
// BUG_ON(s->mpm_pattern_id != sgh->head_array[idx].mpm_pattern_id);
// BUG_ON(s->mpm_stream_pattern_id != sgh->head_array[idx].mpm_stream_pattern_id);
// BUG_ON(s->num != sgh->head_array[idx].num);
// BUG_ON(s != sgh->head_array[idx].full_sig);
idx++;
}
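Review bot: This hunk commits a block of `//`-disabled assignments and turns every `BUG_ON` consistency check into a comment instead of deleting them. That leaves SigGroupHeadBuildHeadArray with no live assertion that the new `hdr_copy` and `mpm_pattern_copy` copies match the signature. Commented-out code gives no indication of whether it is meant to come back, so the dead lines should be removed and the intent kept in the commit message. Judging by its name the function runs when the group head array is built rather than per packet, so keeping a check such as `BUG_ON(s != sgh->head_array[idx].full_sig);` live should cost nothing on the fast path. The loop this belongs to starts and ends outside the hunk.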

@ -810,6 +810,7 @@ static int DeStateSigTest01(void) {
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -943,6 +944,7 @@ static int DeStateSigTest02(void) {
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;

@ -476,6 +476,7 @@ static int UriTestSig01(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -590,6 +591,7 @@ static int UriTestSig02(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -704,6 +706,7 @@ static int UriTestSig03(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -818,6 +821,7 @@ static int UriTestSig04(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -932,6 +936,7 @@ static int UriTestSig05(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -1046,6 +1051,7 @@ static int UriTestSig06(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -1160,6 +1166,7 @@ static int UriTestSig07(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -1274,6 +1281,7 @@ static int UriTestSig08(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -1388,6 +1396,7 @@ static int UriTestSig09(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -1502,6 +1511,7 @@ static int UriTestSig10(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -1616,6 +1626,7 @@ static int UriTestSig11(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -1731,6 +1742,7 @@ static int UriTestSig12(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -1846,6 +1858,7 @@ static int UriTestSig13(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -1961,6 +1974,7 @@ static int UriTestSig14(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -2076,6 +2090,7 @@ static int UriTestSig15(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -2191,6 +2206,7 @@ static int UriTestSig16(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -2302,6 +2318,7 @@ static int UriTestSig17(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -2392,6 +2409,7 @@ static int UriTestSig18(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -2482,6 +2500,7 @@ static int UriTestSig19(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -2573,6 +2592,7 @@ static int UriTestSig20(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -2663,6 +2683,7 @@ static int UriTestSig21(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
@ -2753,6 +2774,7 @@ static int UriTestSig22(void)
f.dst.family = AF_INET;
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;

@ -343,6 +343,7 @@ static int DetectFtpbounceTestALMatch02(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_FTP;
StreamTcpInitConfig(TRUE);
@ -472,6 +473,7 @@ static int DetectFtpbounceTestALMatch03(void) {
p.flow = &f;
p.flowflags |= FLOW_PKT_TOSERVER;
p.flowflags |= FLOW_PKT_ESTABLISHED;
p.flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_FTP;
StreamTcpInitConfig(TRUE);

@ -500,6 +500,7 @@ static int DetectHttpClientBodyTest06(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -602,9 +603,11 @@ static int DetectHttpClientBodyTest07(void)
p1->flow = &f;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->flags |= PKT_HAS_FLOW;
p2->flow = &f;
p2->flowflags |= FLOW_PKT_TOSERVER;
p2->flowflags |= FLOW_PKT_ESTABLISHED;
p2->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -723,9 +726,11 @@ static int DetectHttpClientBodyTest08(void)
p1->flow = &f;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->flags |= PKT_HAS_FLOW;
p2->flow = &f;
p2->flowflags |= FLOW_PKT_TOSERVER;
p2->flowflags |= FLOW_PKT_ESTABLISHED;
p2->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -845,9 +850,11 @@ static int DetectHttpClientBodyTest09(void)
p1->flow = &f;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->flags |= PKT_HAS_FLOW;
p2->flow = &f;
p2->flowflags |= FLOW_PKT_TOSERVER;
p2->flowflags |= FLOW_PKT_ESTABLISHED;
p2->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -966,9 +973,11 @@ static int DetectHttpClientBodyTest10(void)
p1->flow = &f;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->flags |= PKT_HAS_FLOW;
p2->flow = &f;
p2->flowflags |= FLOW_PKT_TOSERVER;
p2->flowflags |= FLOW_PKT_ESTABLISHED;
p2->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1082,6 +1091,7 @@ static int DetectHttpClientBodyTest11(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1179,6 +1189,7 @@ static int DetectHttpClientBodyTest12(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1277,6 +1288,7 @@ static int DetectHttpClientBodyTest13(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1375,6 +1387,7 @@ static int DetectHttpClientBodyTest14(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1570,6 +1583,7 @@ static int DetectHttpClientBodyTest15(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);

@ -505,6 +505,7 @@ static int DetectHttpCookieSigTest01(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -605,6 +606,7 @@ static int DetectHttpCookieSigTest02(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -692,6 +694,7 @@ static int DetectHttpCookieSigTest03(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -780,6 +783,7 @@ static int DetectHttpCookieSigTest04(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -868,6 +872,7 @@ static int DetectHttpCookieSigTest05(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -956,6 +961,7 @@ static int DetectHttpCookieSigTest06(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1043,6 +1049,7 @@ static int DetectHttpCookieSigTest07(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);

@ -477,6 +477,7 @@ static int DetectHttpHeaderTest06(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -578,9 +579,11 @@ static int DetectHttpHeaderTest07(void)
p1->flow = &f;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->flags |= PKT_HAS_FLOW;
p2->flow = &f;
p2->flowflags |= FLOW_PKT_TOSERVER;
p2->flowflags |= FLOW_PKT_ESTABLISHED;
p2->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -696,9 +699,11 @@ static int DetectHttpHeaderTest08(void)
p1->flow = &f;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->flags |= PKT_HAS_FLOW;
p2->flow = &f;
p2->flowflags |= FLOW_PKT_TOSERVER;
p2->flowflags |= FLOW_PKT_ESTABLISHED;
p2->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -815,9 +820,11 @@ static int DetectHttpHeaderTest09(void)
p1->flow = &f;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->flags |= PKT_HAS_FLOW;
p2->flow = &f;
p2->flowflags |= FLOW_PKT_TOSERVER;
p2->flowflags |= FLOW_PKT_ESTABLISHED;
p2->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -934,9 +941,11 @@ static int DetectHttpHeaderTest10(void)
p1->flow = &f;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->flags |= PKT_HAS_FLOW;
p2->flow = &f;
p2->flowflags |= FLOW_PKT_TOSERVER;
p2->flowflags |= FLOW_PKT_ESTABLISHED;
p2->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1049,6 +1058,7 @@ static int DetectHttpHeaderTest11(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1145,6 +1155,7 @@ static int DetectHttpHeaderTest12(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1242,6 +1253,7 @@ static int DetectHttpHeaderTest13(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);

@ -428,6 +428,7 @@ static int DetectHttpMethodSigTest01(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -527,6 +528,7 @@ static int DetectHttpMethodSigTest02(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -625,6 +627,7 @@ static int DetectHttpMethodSigTest03(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);

@ -269,7 +269,7 @@ int DetectPcreALDoMatchMethod(DetectEngineThreadCtx *det_ctx, Signature *s,
SCLogDebug("ret %d (negating %s)", ret, pe->negate ? "set" : "not set");
if (ret == PCRE_ERROR_NOMATCH) {
if (pe->negate == 1) {
if (pe->flags & DETECT_PCRE_NEGATE) {
/* regex didn't match with negate option means we
* consider it a match */
ret = 1;
@ -280,7 +280,7 @@ int DetectPcreALDoMatchMethod(DetectEngineThreadCtx *det_ctx, Signature *s,
}
toret |= ret;
} else if (ret >= 0) {
if (pe->negate == 1) {
if (pe->flags & DETECT_PCRE_NEGATE) {
/* regex matched but we're negated, so not
* considering it a match */
ret = 0;
@ -386,7 +386,7 @@ int DetectPcreALDoMatchHeader(DetectEngineThreadCtx *det_ctx, Signature *s,
SCLogDebug("ret %d (negating %s)", ret, pe->negate ? "set" : "not set");
if (ret == PCRE_ERROR_NOMATCH) {
if (pe->negate == 1) {
if (pe->flags & DETECT_PCRE_NEGATE) {
/* regex didn't match with negate option means we
* consider it a match */
ret = 1;
@ -397,7 +397,7 @@ int DetectPcreALDoMatchHeader(DetectEngineThreadCtx *det_ctx, Signature *s,
}
toret |= ret;
} else if (ret >= 0) {
if (pe->negate == 1) {
if (pe->flags & DETECT_PCRE_NEGATE) {
/* regex matched but we're negated, so not
* considering it a match */
ret = 0;
@ -505,7 +505,7 @@ int DetectPcreALDoMatchCookie(DetectEngineThreadCtx *det_ctx, Signature *s,
SCLogDebug("ret %d (negating %s)", ret, pe->negate ? "set" : "not set");
if (ret == PCRE_ERROR_NOMATCH) {
if (pe->negate == 1) {
if (pe->flags & DETECT_PCRE_NEGATE) {
/* regex didn't match with negate option means we
* consider it a match */
ret = 1;
@ -516,7 +516,7 @@ int DetectPcreALDoMatchCookie(DetectEngineThreadCtx *det_ctx, Signature *s,
}
toret |= ret;
} else if (ret >= 0) {
if (pe->negate == 1) {
if (pe->flags & DETECT_PCRE_NEGATE) {
/* regex matched but we're negated, so not
* considering it a match */
ret = 0;
@ -529,7 +529,7 @@ int DetectPcreALDoMatchCookie(DetectEngineThreadCtx *det_ctx, Signature *s,
}
} else {
SCLogDebug("pcre had matching error");
if (pe->negate == 1) {
if (pe->flags & DETECT_PCRE_NEGATE) {
ret = 1;
toret |= ret;
break;
@ -644,7 +644,7 @@ int DetectPcreALDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch *
unlock:
SCMutexUnlock(&f->m);
SCReturnInt(ret ^ pe->negate);
SCReturnInt(ret ^ (pe->flags & DETECT_PCRE_NEGATE));
}
/**
@ -767,7 +767,7 @@ int DetectPcrePayloadMatch(DetectEngineThreadCtx *det_ctx, Signature *s,
SCLogDebug("ret %d (negating %s)", ret, pe->negate ? "set" : "not set");
if (ret == PCRE_ERROR_NOMATCH) {
if (pe->negate == 1) {
if (pe->flags & DETECT_PCRE_NEGATE) {
/* regex didn't match with negate option means we
* consider it a match */
ret = 1;
@ -775,7 +775,7 @@ int DetectPcrePayloadMatch(DetectEngineThreadCtx *det_ctx, Signature *s,
ret = 0;
}
} else if (ret >= 0) {
if (pe->negate == 1) {
if (pe->flags & DETECT_PCRE_NEGATE) {
/* regex matched but we're negated, so not
* considering it a match */
ret = 0;
@ -861,7 +861,7 @@ int DetectPcrePacketPayloadMatch(DetectEngineThreadCtx *det_ctx, Packet *p, Sign
SCLogDebug("ret %d (negating %s)", ret, pe->negate ? "set" : "not set");
if (ret == PCRE_ERROR_NOMATCH) {
if (pe->negate == 1) {
if (pe->flags & DETECT_PCRE_NEGATE) {
/* regex didn't match with negate option means we
* consider it a match */
ret = 1;
@ -869,7 +869,7 @@ int DetectPcrePacketPayloadMatch(DetectEngineThreadCtx *det_ctx, Packet *p, Sign
ret = 0;
}
} else if (ret >= 0) {
if (pe->negate == 1) {
if (pe->flags & DETECT_PCRE_NEGATE) {
/* regex matched but we're negated, so not
* considering it a match */
ret = 0;
@ -954,7 +954,7 @@ int DetectPcrePayloadDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s,
SCLogDebug("ret %d (negating %s)", ret, pe->negate ? "set" : "not set");
if (ret == PCRE_ERROR_NOMATCH) {
if (pe->negate == 1) {
if (pe->flags & DETECT_PCRE_NEGATE) {
/* regex didn't match with negate option means we
* consider it a match */
ret = 1;
@ -962,7 +962,7 @@ int DetectPcrePayloadDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s,
ret = 0;
}
} else if (ret >= 0) {
if (pe->negate == 1) {
if (pe->flags & DETECT_PCRE_NEGATE) {
/* regex matched but we're negated, so not
* considering it a match */
ret = 0;
@ -1076,7 +1076,7 @@ DetectPcreData *DetectPcreParse (char *regexstr)
memset(pd, 0, sizeof(DetectPcreData));
if (negate)
pd->negate = 1;
pd->flags |= DETECT_PCRE_NEGATE;
if (op != NULL) {
while (*op) {
@ -1795,6 +1795,7 @@ static int DetectPcreTestSig01Real(int mpm_type) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
StreamTcpInitConfig(TRUE);
FlowL7DataPtrInit(&f);
@ -1874,6 +1875,7 @@ static int DetectPcreTestSig02Real(int mpm_type) {
p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
pcre_match_limit = 100;
pcre_match_limit_recursion = 100;
@ -2038,6 +2040,7 @@ static int DetectPcreModifPTest04(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -2165,9 +2168,11 @@ static int DetectPcreModifPTest05(void) {
p1->flow = &f;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->flags |= PKT_HAS_FLOW;
p2->flow = &f;
p2->flowflags |= FLOW_PKT_TOSERVER;
p2->flowflags |= FLOW_PKT_ESTABLISHED;
p2->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -2350,6 +2355,7 @@ static int DetectPcreTestSig09(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -2440,6 +2446,7 @@ static int DetectPcreTestSig10(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -2530,6 +2537,7 @@ static int DetectPcreTestSig11(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -2620,6 +2628,7 @@ static int DetectPcreTestSig12(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -2710,6 +2719,7 @@ static int DetectPcreTestSig13(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -2800,6 +2810,7 @@ static int DetectPcreTestSig14(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -2895,6 +2906,7 @@ static int DetectPcreTxBodyChunksTest01(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -3044,6 +3056,7 @@ static int DetectPcreTxBodyChunksTest02(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -3269,6 +3282,7 @@ static int DetectPcreTxBodyChunksTest03(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
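Review bot: In the DetectPcreALDoMatch hunk the return after `unlock:` becomes `SCReturnInt(ret ^ (pe->flags & DETECT_PCRE_NEGATE));`, but the mask evaluates to 0 or 0x0800 rather than 0 or 1, so for a negated pcre the XOR no longer flips a 0/1 result and the function returns a non-zero value whether or not the regex matched. That changes which negated app-layer pcre signatures fire, so the flag should be normalised first: `SCReturnInt(ret ^ ((pe->flags & DETECT_PCRE_NEGATE) ? 1 : 0));`. The `if (pe->flags & DETECT_PCRE_NEGATE)` tests in the other hunks are fine because they only check for non-zero. The `SCLogDebug("ret %d (negating %s)", ...)` lines in those hunks still read `pe->negate`; if the detect-pcre.h change removes that field, as it appears to, builds with debug logging enabled would stop compiling, so they should test the flag as well. The enclosing functions start and end outside the hunks.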

@ -24,31 +24,30 @@
#ifndef __DETECT_PCRE_H__
#define __DETECT_PCRE_H__
#define DETECT_PCRE_RELATIVE 0x0001
#define DETECT_PCRE_RAWBYTES 0x0002
#define DETECT_PCRE_URI 0x0004
#define DETECT_PCRE_RELATIVE 0x0001
#define DETECT_PCRE_RAWBYTES 0x0002
#define DETECT_PCRE_URI 0x0004
#define DETECT_PCRE_CAPTURE_PKT 0x0008
#define DETECT_PCRE_CAPTURE_FLOW 0x0010
#define DETECT_PCRE_MATCH_LIMIT 0x0020
#define DETECT_PCRE_CAPTURE_PKT 0x0008
#define DETECT_PCRE_CAPTURE_FLOW 0x0010
#define DETECT_PCRE_MATCH_LIMIT 0x0020
#define DETECT_PCRE_HTTP_BODY_AL 0x0040
#define DETECT_PCRE_RELATIVE_NEXT 0x0080
#define DETECT_PCRE_HTTP_BODY_AL 0x0040
#define DETECT_PCRE_RELATIVE_NEXT 0x0080
/* new modifiers 2.8.5.3 support */
#define DETECT_PCRE_HEADER 0x0100
#define DETECT_PCRE_COOKIE 0x0200
#define DETECT_PCRE_METHOD 0x0400
#define DETECT_PCRE_HEADER 0x0100
#define DETECT_PCRE_COOKIE 0x0200
#define DETECT_PCRE_METHOD 0x0400
#define DETECT_PCRE_NEGATE 0x0800
typedef struct DetectPcreData_ {
/* pcre options */
pcre *re;
pcre_extra *sd;
int opts;
uint16_t flags;
uint8_t negate;
uint16_t capidx;
char *capname;
} DetectPcreData;

@ -370,6 +370,7 @@ static int DetectSshVersionTestDetect01(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_SSH;
StreamTcpInitConfig(TRUE);
@ -473,6 +474,7 @@ static int DetectSshVersionTestDetect02(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_SSH;
StreamTcpInitConfig(TRUE);
@ -576,6 +578,7 @@ static int DetectSshVersionTestDetect03(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_SSH;
StreamTcpInitConfig(TRUE);

@ -331,6 +331,7 @@ static int DetectSshSoftwareVersionTestDetect01(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_SSH;
StreamTcpInitConfig(TRUE);
@ -434,6 +435,7 @@ static int DetectSshSoftwareVersionTestDetect02(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_SSH;
StreamTcpInitConfig(TRUE);
@ -537,6 +539,7 @@ static int DetectSshSoftwareVersionTestDetect03(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_SSH;
StreamTcpInitConfig(TRUE);

@ -337,6 +337,7 @@ static int DetectTlsVersionTestDetect01(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(TRUE);
@ -451,6 +452,7 @@ static int DetectTlsVersionTestDetect02(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(TRUE);
@ -565,6 +567,7 @@ static int DetectTlsVersionTestDetect03(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_TLS;
f.proto = p->proto;

@ -834,6 +834,7 @@ static int DetectUriSigTest02(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -944,6 +945,7 @@ static int DetectUriSigTest03(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -1273,6 +1275,7 @@ static int DetectUriSigTest05(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
f.proto = p->proto;
@ -1396,6 +1399,7 @@ static int DetectUriSigTest06(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
f.proto = p->proto;
@ -1527,6 +1531,7 @@ static int DetectUriSigTest07(void) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);

@ -48,17 +48,12 @@
typedef struct DetectUricontentData_ {
uint8_t *uricontent;
uint8_t uricontent_len;
uint8_t pad0;
uint16_t pad1;
uint32_t id;
uint8_t flags;
PatIntId id;
uint16_t depth;
uint16_t offset;
int32_t distance;
int32_t within;
uint8_t flags;
uint8_t pad2;
uint16_t pad3;
BmCtx *bm_ctx; /**< Boyer Moore context (for spm search) */
} DetectUricontentData;

@ -509,6 +509,7 @@ static int DetectUrilenSigTest01(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);

@ -147,6 +147,7 @@
#include "util-privs.h"
#include "util-profiling.h"
#include "util-validate.h"
#include "util-optimize.h"
extern uint8_t engine_mode;
@ -448,7 +449,7 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
for (i = 0; i < det_ctx->sgh->sig_cnt; i++) {
SignatureHeader *s = &det_ctx->sgh->head_array[i];
if (s->flags & SIG_FLAG_FLOW && !p->flow) {
if (!(p->flags & PKT_HAS_FLOW) && s->flags & SIG_FLAG_FLOW) {
SCLogDebug("flow in sig but not in packet");
continue;
}
@ -461,17 +462,15 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
}
/* if the sig has alproto and the session as well they should match */
if (s->alproto != ALPROTO_UNKNOWN) {
if (s->alproto != alproto) {
if (s->alproto == ALPROTO_DCERPC) {
if (alproto != ALPROTO_SMB && alproto != ALPROTO_SMB2) {
SCLogDebug("DCERPC sig, alproto not SMB or SMB2");
continue;
}
} else {
SCLogDebug("alproto mismatch");
if (s->flags & SIG_FLAG_APPLAYER && s->alproto != ALPROTO_UNKNOWN && s->alproto != alproto) {
if (s->alproto == ALPROTO_DCERPC) {
if (alproto != ALPROTO_SMB && alproto != ALPROTO_SMB2) {
SCLogDebug("DCERPC sig, alproto not SMB or SMB2");
continue;
}
} else {
SCLogDebug("alproto mismatch");
continue;
}
}
@ -479,7 +478,8 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_MPM_PACKET) {
/* filter out sigs that want pattern matches, but
* have no matches */
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id / 8)] & (1<<(s->mpm_pattern_id % 8)))) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] & s->mpm_pattern_id_mod_8)) {
//if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id / 8)] & (1<<(s->mpm_pattern_id % 8)))) {
SCLogDebug("mpm sig without matches (pat id %"PRIu32" check in content).", s->mpm_pattern_id);
if (!(s->flags & SIG_FLAG_MPM_NEGCONTENT)) {
@ -500,7 +500,7 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
if (s->flags & SIG_FLAG_MPM_STREAM) {
/* filter out sigs that want pattern matches, but
* have no matches */
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_stream_pattern_id / 8)] & (1<<(s->mpm_stream_pattern_id % 8)))) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_stream_pattern_id_div_8)] & s->mpm_stream_pattern_id_mod_8)) {
SCLogDebug("mpm stream sig without matches (pat id %"PRIu32" check in content).", s->mpm_stream_pattern_id);
if (!(s->flags & SIG_FLAG_MPM_NEGCONTENT)) {
@ -616,68 +616,67 @@ static StreamMsg *SigMatchSignaturesGetSmsg(Flow *f, Packet *p, uint8_t flags) {
StreamMsg *smsg = NULL;
if (p->proto == IPPROTO_TCP) {
if (p->proto == IPPROTO_TCP && f->protoctx != NULL) {
TcpSession *ssn = (TcpSession *)f->protoctx;
if (ssn != NULL) {
/* at stream eof, inspect all smsg's */
if (flags & STREAM_EOF) {
if (p->flowflags & FLOW_PKT_TOSERVER) {
smsg = ssn->toserver_smsg_head;
/* deref from the ssn */
ssn->toserver_smsg_head = NULL;
ssn->toserver_smsg_tail = NULL;
SCLogDebug("to_server smsg %p at stream eof", smsg);
} else {
smsg = ssn->toclient_smsg_head;
/* deref from the ssn */
ssn->toclient_smsg_head = NULL;
ssn->toclient_smsg_tail = NULL;
SCLogDebug("to_client smsg %p at stream eof", smsg);
}
} else {
if (p->flowflags & FLOW_PKT_TOSERVER) {
StreamMsg *head = ssn->toserver_smsg_head;
if (head == NULL) {
SCLogDebug("no smsgs in to_server direction");
goto end;
}
/* at stream eof, inspect all smsg's */
if (unlikely(flags & STREAM_EOF)) {
if (p->flowflags & FLOW_PKT_TOSERVER) {
smsg = ssn->toserver_smsg_head;
/* deref from the ssn */
ssn->toserver_smsg_head = NULL;
ssn->toserver_smsg_tail = NULL;
/* if the smsg is bigger than the current packet, we will
* process the smsg in a later run */
if ((head->data.seq + head->data.data_len) > (TCP_GET_SEQ(p) + p->payload_len)) {
SCLogDebug("smsg ends beyond current packet, skipping for now %"PRIu32">%"PRIu32,
(head->data.seq + head->data.data_len), (TCP_GET_SEQ(p) + p->payload_len));
goto end;
}
SCLogDebug("to_server smsg %p at stream eof", smsg);
} else {
smsg = ssn->toclient_smsg_head;
/* deref from the ssn */
ssn->toclient_smsg_head = NULL;
ssn->toclient_smsg_tail = NULL;
smsg = head;
/* deref from the ssn */
ssn->toserver_smsg_head = NULL;
ssn->toserver_smsg_tail = NULL;
SCLogDebug("to_client smsg %p at stream eof", smsg);
}
} else {
if (p->flowflags & FLOW_PKT_TOSERVER) {
StreamMsg *head = ssn->toserver_smsg_head;
if (unlikely(head == NULL)) {
SCLogDebug("no smsgs in to_server direction");
goto end;
}
SCLogDebug("to_server smsg %p", smsg);
} else {
StreamMsg *head = ssn->toclient_smsg_head;
if (head == NULL)
goto end;
/* if the smsg is bigger than the current packet, we will
* process the smsg in a later run */
if ((head->data.seq + head->data.data_len) > (TCP_GET_SEQ(p) + p->payload_len)) {
SCLogDebug("smsg ends beyond current packet, skipping for now %"PRIu32">%"PRIu32,
(head->data.seq + head->data.data_len), (TCP_GET_SEQ(p) + p->payload_len));
goto end;
}
/* if the smsg is bigger than the current packet, we will
* process the smsg in a later run */
if ((head->data.seq + head->data.data_len) > (TCP_GET_SEQ(p) + p->payload_len)) {
SCLogDebug("smsg ends beyond current packet, skipping for now %"PRIu32">%"PRIu32,
(head->data.seq + head->data.data_len), (TCP_GET_SEQ(p) + p->payload_len));
goto end;
}
smsg = head;
/* deref from the ssn */
ssn->toclient_smsg_head = NULL;
ssn->toclient_smsg_tail = NULL;
smsg = head;
/* deref from the ssn */
ssn->toserver_smsg_head = NULL;
ssn->toserver_smsg_tail = NULL;
SCLogDebug("to_client smsg %p", smsg);
SCLogDebug("to_server smsg %p", smsg);
} else {
StreamMsg *head = ssn->toclient_smsg_head;
if (unlikely(head == NULL))
goto end;
/* if the smsg is bigger than the current packet, we will
* process the smsg in a later run */
if ((head->data.seq + head->data.data_len) > (TCP_GET_SEQ(p) + p->payload_len)) {
SCLogDebug("smsg ends beyond current packet, skipping for now %"PRIu32">%"PRIu32,
(head->data.seq + head->data.data_len), (TCP_GET_SEQ(p) + p->payload_len));
goto end;
}
smsg = head;
/* deref from the ssn */
ssn->toclient_smsg_head = NULL;
ssn->toclient_smsg_tail = NULL;
SCLogDebug("to_client smsg %p", smsg);
}
}
}
@ -723,7 +722,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
det_ctx->pkts++;
/* grab the protocol state we will detect on */
if (p->flow != NULL) {
if (p->flags & PKT_HAS_FLOW) {
if (p->flags & PKT_STREAM_EOF) {
flags |= STREAM_EOF;
SCLogDebug("STREAM_EOF set");
@ -770,42 +769,46 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
SCLogDebug("flag STREAM_TOCLIENT set");
}
SCLogDebug("p->flowflags 0x%02x", p->flowflags);
}
/* match the ip only signatures */
if ((p->flowflags & FLOW_PKT_TOSERVER && !(p->flowflags & FLOW_PKT_TOSERVER_IPONLY_SET)) ||
(p->flowflags & FLOW_PKT_TOCLIENT && !(p->flowflags & FLOW_PKT_TOCLIENT_IPONLY_SET))) {
SCLogDebug("testing against \"ip-only\" signatures");
if ((p->flowflags & FLOW_PKT_TOSERVER && !(p->flowflags & FLOW_PKT_TOSERVER_IPONLY_SET)) ||
(p->flowflags & FLOW_PKT_TOCLIENT && !(p->flowflags & FLOW_PKT_TOCLIENT_IPONLY_SET))) {
SCLogDebug("testing against \"ip-only\" signatures");
IPOnlyMatchPacket(de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);
/* save in the flow that we scanned this direction... locking is
* done in the FlowSetIPOnlyFlag function. */
if (p->flow != NULL) {
FlowSetIPOnlyFlag(p->flow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
}
} else if (p->flow != NULL && ((p->flowflags & FLOW_PKT_TOSERVER &&
(p->flow->flags & FLOW_TOSERVER_IPONLY_SET)) ||
(p->flowflags & FLOW_PKT_TOCLIENT &&
(p->flow->flags & FLOW_TOCLIENT_IPONLY_SET)))) {
/* Get the result of the first IPOnlyMatch() */
if (p->flow->flags & FLOW_ACTION_PASS) {
/* if it matched a "pass" rule, we have to let it go */
p->action |= ACTION_PASS;
}
/* If we have a drop from IP only module,
* we will drop the rest of the flow packets
* This will apply only to inline/IPS */
if (p->flow != NULL &&
(p->flow->flags & FLOW_ACTION_DROP))
{
alert_flags = PACKET_ALERT_FLAG_DROP_FLOW;
p->action |= ACTION_DROP;
IPOnlyMatchPacket(de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);
/* save in the flow that we scanned this direction... locking is
* done in the FlowSetIPOnlyFlag function. */
if (p->flow != NULL) {
FlowSetIPOnlyFlag(p->flow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
}
} else {
//if (p->flow != NULL && ((p->flowflags & FLOW_PKT_TOSERVER &&
// (p->flow->flags & FLOW_TOSERVER_IPONLY_SET)) ||
// (p->flowflags & FLOW_PKT_TOCLIENT &&
// (p->flow->flags & FLOW_TOCLIENT_IPONLY_SET)))) {
/* Get the result of the first IPOnlyMatch() */
if (p->flow->flags & FLOW_ACTION_PASS) {
/* if it matched a "pass" rule, we have to let it go */
p->action |= ACTION_PASS;
}
/* If we have a drop from IP only module,
* we will drop the rest of the flow packets
* This will apply only to inline/IPS */
if (p->flow != NULL &&
(p->flow->flags & FLOW_ACTION_DROP))
{
alert_flags = PACKET_ALERT_FLAG_DROP_FLOW;
p->action |= ACTION_DROP;
}
}
} else {
/* no flow */
/* Even without flow we should match the packet src/dst */
IPOnlyMatchPacket(de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);
}
/* match the ip only signatures */
/* use the sgh from the flow unless we have no flow or the flow
* sgh wasn't initialized yet */
if (sgh == NULL && !use_flow_sgh) {
@ -851,12 +854,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
else det_ctx->pkts_searched++;
#endif
cnt = PacketPatternSearch(th_v, det_ctx, p);
if (cnt > 0) {
#if 0
det_ctx->mpm_match++;
#endif
}
SCLogDebug("post search: cnt %" PRIu32, cnt);
}
}
@ -864,14 +861,15 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
det_ctx->de_mpm_scanned_uri = FALSE;
/* stateful app layer detection */
/* initialize to 0 (DE_STATE_MATCH_NOSTATE) */
memset(det_ctx->de_state_sig_array, 0x00, det_ctx->de_state_sig_array_len);
/* if applicable, continue stateful detection */
if (p->flow != NULL && DeStateFlowHasState(p->flow)) {
DeStateDetectContinueDetection(th_v, de_ctx, det_ctx, p->flow,
flags, alstate, alproto);
if (p->flags & PKT_HAS_FLOW && alstate != NULL) {
/* initialize to 0 (DE_STATE_MATCH_NOSTATE) */
memset(det_ctx->de_state_sig_array, 0x00, det_ctx->de_state_sig_array_len);
/* if applicable, continue stateful detection */
if (DeStateFlowHasState(p->flow)) {
DeStateDetectContinueDetection(th_v, de_ctx, det_ctx, p->flow,
flags, alstate, alproto);
}
}
/* build the match array */
@ -951,7 +949,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
if (det_ctx->smsg_pmq[pmq_idx].pattern_id_bitarray != NULL) {
/* filter out sigs that want pattern matches, but
* have no matches */
if (!(det_ctx->smsg_pmq[pmq_idx].pattern_id_bitarray[(s->mpm_stream_pattern_id / 8)] & (1<<(s->mpm_stream_pattern_id % 8))) &&
if (!(det_ctx->smsg_pmq[pmq_idx].pattern_id_bitarray[(s->mpm_stream_pattern_id_div_8)] & s->mpm_stream_pattern_id_mod_8) &&
(s->flags & SIG_FLAG_MPM) && !(s->flags & SIG_FLAG_MPM_NEGCONTENT)) {
SCLogDebug("no match in this smsg");
continue;
@ -1026,7 +1024,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
} else {
if (s->flags & SIG_FLAG_RECURSIVE) {
uint8_t rmatch = 0;
det_ctx->pkt_cnt = 0;
uint8_t recursion_cnt = 0;
do {
sm = s->match;
@ -1045,7 +1043,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
}
}
rmatch = fmatch = 1;
det_ctx->pkt_cnt++;
recursion_cnt++;
}
} else {
/* done with this sig */
@ -1056,7 +1054,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
/* Limit the number of times we do this recursive thing.
* XXX is this a sane limit? Should it be configurable? */
if (det_ctx->pkt_cnt == 10)
if (recursion_cnt == 10)
goto done;
} while (rmatch);
@ -1125,7 +1123,7 @@ end:
/* store the found sgh (or NULL) in the flow to save us from looking it
* up again for the next packet. Also return any stream chunk we processed
* to the pool. */
if (p->flow != NULL) {
if (p->flags & PKT_HAS_FLOW) {
SCMutexLock(&p->flow->m);
if (no_store_flow_sgh == FALSE) {
if (p->flowflags & FLOW_PKT_TOSERVER && !(p->flow->flags & FLOW_SGH_TOSERVER)) {
@ -3770,6 +3768,7 @@ static int SigTest06Real (int mpm_type) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -3865,6 +3864,7 @@ static int SigTest07Real (int mpm_type) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -3960,6 +3960,7 @@ static int SigTest08Real (int mpm_type) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -4055,6 +4056,7 @@ static int SigTest09Real (int mpm_type) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -4142,6 +4144,7 @@ static int SigTest10Real (int mpm_type) {
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -4228,6 +4231,7 @@ static int SigTest11Real (int mpm_type) {
f.dst.family = AF_INET;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -4296,6 +4300,7 @@ static int SigTest12Real (int mpm_type) {
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
@ -4360,6 +4365,7 @@ static int SigTest13Real (int mpm_type) {
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
@ -8888,6 +8894,7 @@ static int SigTestDropFlow01(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -8985,6 +8992,7 @@ static int SigTestDropFlow02(void)
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -9095,10 +9103,12 @@ static int SigTestDropFlow03(void)
p1->flow = &f;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->flags |= PKT_HAS_FLOW;
p2->flow = &f;
p2->flowflags |= FLOW_PKT_TOSERVER;
p2->flowflags |= FLOW_PKT_ESTABLISHED;
p2->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
@ -9258,10 +9268,12 @@ static int SigTestDropFlow04(void)
p1->flow = &f;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->flags |= PKT_HAS_FLOW;
p2->flow = &f;
p2->flowflags |= FLOW_PKT_TOSERVER;
p2->flowflags |= FLOW_PKT_ESTABLISHED;
p2->flags |= PKT_HAS_FLOW;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
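Review bot: In SigMatchSignatures the rewritten IP-only block replaces the old `else if (p->flow != NULL && ...)` with a bare `else` that reads `p->flow->flags` with no NULL test, so the function now relies on every path that sets `PKT_HAS_FLOW` also having set `p->flow`. The neighbouring `if (p->flow != NULL)` checks were kept, which leaves the invariant unclear; either keep the guard as `} else if (p->flow != NULL) {` or state the invariant in a comment at the `p->flags & PKT_HAS_FLOW` test and drop the redundant checks. The bare `else` also applies `FLOW_ACTION_PASS` and `FLOW_ACTION_DROP` without first confirming the flow's `FLOW_TOSERVER_IPONLY_SET` or `FLOW_TOCLIENT_IPONLY_SET` bit as the old condition did, which could change pass/drop verdicts if the packet and flow flags can disagree; that is worth confirming, and the commented-out condition should then be deleted rather than left in place. Separately, the `memset` of `de_state_sig_array` now runs only when a flow and `alstate` exist, so if the match loop reads that array for other packets it would see the previous packet's values; the readers are outside the visible hunks.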

@ -240,16 +240,31 @@ typedef struct IPOnlyCIDRItem_ {
/** \brief Subset of the Signature for cache efficient prefiltering
*/
typedef struct SignatureHeader_ {
uint32_t flags;
/* app layer signature stuff */
uint16_t alproto;
union {
struct {
uint32_t flags;
/* app layer signature stuff */
uint16_t alproto;
uint16_t mpm_pattern_id_div_8;
};
uint64_t hdr_copy;
};
/** pattern in the mpm matcher */
uint32_t mpm_pattern_id;
uint32_t mpm_stream_pattern_id;
SigIntId num; /**< signature number, internal id */
union {
struct {
uint8_t mpm_pattern_id_mod_8;
uint8_t pad0;
uint16_t mpm_stream_pattern_id_div_8;
uint8_t mpm_stream_pattern_id_mod_8;
uint8_t pad1;
SigIntId num; /**< signature number, internal id */
};
uint64_t mpm_pattern_copy;
};
//PatIntId mpm_pattern_id;
//PatIntId mpm_stream_pattern_id;
/** pointer to the full signature */
struct Signature_ *full_sig;
@ -257,16 +272,47 @@ typedef struct SignatureHeader_ {
/** \brief Signature container */
typedef struct Signature_ {
uint32_t flags;
union {
struct {
uint32_t flags;
/* app layer signature stuff */
uint16_t alproto;
/* app layer signature stuff */
uint16_t alproto;
uint16_t mpm_pattern_id_div_8;
};
uint64_t hdr_copy;
};
/** pattern in the mpm matcher */
uint32_t mpm_pattern_id;
uint32_t mpm_stream_pattern_id;
union {
struct {
uint8_t mpm_pattern_id_mod_8;
uint8_t pad0;
uint16_t mpm_stream_pattern_id_div_8;
uint8_t mpm_stream_pattern_id_mod_8;
uint8_t pad1;
SigIntId num; /**< signature number, internal id */
};
uint64_t mpm_pattern_copy;
};
//PatIntId mpm_pattern_id;
//PatIntId mpm_stream_pattern_id;
SigIntId num; /**< signature number, internal id */
/*
//PatIntId mpm_pattern_id;
//PatIntId mpm_stream_pattern_id;
uint16_t mpm_pattern_id_div_8;
uint8_t mpm_pattern_id_mod_8;
uint8_t pad0;
//PatIntId mpm_pattern_id;
//PatIntId mpm_stream_pattern_id;
uint16_t mpm_stream_pattern_id_div_8;
uint8_t mpm_stream_pattern_id_mod_8;
uint8_t pad1;
*/
/** pattern in the mpm matcher */
PatIntId mpm_uripattern_id;
/** ipv4 match arrays */
DetectMatchAddressIPv4 *addr_dst_match4;
@ -289,49 +335,38 @@ typedef struct Signature_ {
IPOnlyCIDRItem *CidrSrc, *CidrDst;
/** ptr to the SigMatch lists */
struct SigMatch_ *match; /* non-payload matches */
struct SigMatch_ *match_tail; /* non-payload matches, tail of the list */
struct SigMatch_ *pmatch; /* payload matches */
struct SigMatch_ *pmatch_tail; /* payload matches, tail of the list */
struct SigMatch_ *umatch; /* uricontent payload matches */
struct SigMatch_ *umatch_tail; /* uricontent payload matches, tail of the list */
struct SigMatch_ *amatch; /* general app layer matches */
struct SigMatch_ *amatch_tail; /* general app layer matches, tail of the list */
struct SigMatch_ *dmatch; /* dce app layer matches */
struct SigMatch_ *dmatch_tail; /* dce app layer matches, tail of the list */
struct SigMatch_ *match; /* non-payload matches */
struct SigMatch_ *tmatch; /* list of tags matches */
struct SigMatch_ *tmatch_tail; /* tag matches, tail of the list */
/** ptr to the next sig in the list */
struct Signature_ *next;
struct SigMatch_ *dsize_sm;
/** inline -- action */
uint8_t action;
/* helper for init phase */
uint16_t mpm_content_maxlen;
uint16_t mpm_uricontent_maxlen;
/** number of sigmatches in the match and pmatch list */
uint16_t sm_cnt;
SigIntId order_id;
/** pattern in the mpm matcher */
uint32_t mpm_uripattern_id;
/** inline -- action */
uint8_t action;
uint8_t rev;
/** classification id **/
uint8_t class;
int prio;
uint32_t gid; /**< generator id */
uint32_t id; /**< sid, set by the 'sid' rule keyword */
char *msg;
/** classification id **/
uint8_t class;
/** classification message */
char *class_msg;
@ -346,8 +381,18 @@ typedef struct Signature_ {
uint16_t profiling_id;
#endif
struct SigMatch_ *match_tail; /* non-payload matches, tail of the list */
struct SigMatch_ *pmatch_tail; /* payload matches, tail of the list */
struct SigMatch_ *umatch_tail; /* uricontent payload matches, tail of the list */
struct SigMatch_ *amatch_tail; /* general app layer matches, tail of the list */
struct SigMatch_ *dmatch_tail; /* dce app layer matches, tail of the list */
struct SigMatch_ *tmatch_tail; /* tag matches, tail of the list */
/** address settings for this signature */
DetectAddressHead src, dst;
/** ptr to the next sig in the list */
struct Signature_ *next;
} Signature;
typedef struct DetectEngineIPOnlyThreadCtx_ {
@ -400,7 +445,7 @@ typedef struct DetectEngineLookupFlow_ {
/* mpm pattern id api */
typedef struct MpmPatternIdStore_ {
HashTable *hash;
uint32_t max_id;
PatIntId max_id;
uint32_t unique_patterns;
uint32_t shared_patterns;
@ -550,9 +595,13 @@ typedef struct DetectionEngineThreadCtx_ {
uint32_t payload_offset;
/* used by pcre match function alone */
uint32_t pcre_match_start_offset;
/** offset into the uri payload of the last match by
* uricontent */
uint32_t uricontent_payload_offset;
/* http_uri stuff for uricontent */
char de_have_httpuri;
char de_mpm_scanned_uri;
/** id for alert counter */
uint16_t counter_alerts;
/* used to discontinue any more matching */
int discontinue_matching;
@ -565,32 +614,26 @@ typedef struct DetectionEngineThreadCtx_ {
* stored in Signature->dmatch, by content, pcre, etc */
uint32_t dce_payload_offset;
/** recursive counter */
uint8_t pkt_cnt;
/* http_uri stuff for uricontent */
char de_have_httpuri;
char de_mpm_scanned_uri;
/** array of signature pointers we're going to inspect in the detection
* loop. */
Signature **match_array;
/** size of the array in items (mem size if * sizeof(Signature *) */
/** size of the array in items (mem size if * sizeof(Signature *)
* Only used during initialization. */
uint32_t match_array_len;
/** size in use */
uint32_t match_array_cnt;
SigIntId match_array_cnt;
/** Array of sigs that had a state change */
uint8_t *de_state_sig_array;
SigIntId de_state_sig_array_len;
uint8_t *de_state_sig_array;
struct SigGroupHead_ *sgh;
/** pointer to the current mpm ctx that is stored
* in a rule group head -- can be either a content
* or uricontent ctx. */
MpmThreadCtx mtc; /**< thread ctx for the mpm */
MpmThreadCtx mtcu; /**< thread ctx for uricontent mpm */
MpmThreadCtx mtcs; /**< thread ctx for stream mpm */
struct SigGroupHead_ *sgh;
PatternMatcherQueue pmq;
PatternMatcherQueue smsg_pmq[256];
@ -609,21 +652,15 @@ typedef struct DetectionEngineThreadCtx_ {
uint32_t pkts_uri_searched3;
uint32_t pkts_uri_searched4;
/** id for alert counter */
uint16_t counter_alerts;
/** ip only rules ctx */
DetectEngineIPOnlyThreadCtx io_ctx;
DetectEngineCtx *de_ctx;
#ifdef __SC_CUDA_SUPPORT__
/* each detection thread would have it's own queue where the cuda dispatcher
* thread can dump the packets once it has processed them */
Tmq *cuda_mpm_rc_disp_outq;
#endif
uint64_t mpm_match;
} DetectEngineThreadCtx;
/** \brief a single match condition for a signature */
@ -689,12 +726,12 @@ typedef struct SigGroupHeadInitData_ {
/** \brief Container for matching data for a signature group */
typedef struct SigGroupHead_ {
uint8_t flags;
uint8_t pad0;
uint16_t pad1;
/* number of sigs in this head */
uint32_t sig_cnt;
SigIntId sig_cnt;
uint16_t mpm_content_maxlen;
uint16_t mpm_streamcontent_maxlen;
/** chunk of memory containing the "header" part of each
* signature ordered as an array. Used to pre-filter the
@ -704,10 +741,12 @@ typedef struct SigGroupHead_ {
/* pattern matcher instances */
MpmCtx *mpm_ctx;
MpmCtx *mpm_stream_ctx;
uint16_t mpm_content_maxlen;
uint16_t mpm_streamcontent_maxlen;
MpmCtx *mpm_uri_ctx;
uint16_t mpm_uricontent_maxlen;
uint16_t pad1;
#if __WORDSIZE == 64
uint32_t pad2;
#endif
/** Array with sig ptrs... size is sig_cnt * sizeof(Signature *) */
Signature **match_array;

@ -33,11 +33,11 @@ typedef struct FlowQueue_
Flow *top;
Flow *bot;
uint32_t len;
SCMutex mutex_q;
SCCondT cond_q;
#ifdef DBG_PERF
uint32_t dbg_maxlen;
#endif /* DBG_PERF */
SCMutex mutex_q;
SCCondT cond_q;
} FlowQueue;
/* prototypes */

@ -736,6 +736,8 @@ void FlowHandlePacket (ThreadVars *tv, Packet *p)
p->flow = f;
SCMutexUnlock(&f->m);
p->flags |= PKT_HAS_FLOW;
}
/** \brief initialize the configuration
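Review bot: The new `p->flags |= PKT_HAS_FLOW;` at the end of FlowHandlePacket makes the flag a second record of whether `p->flow` is set, and nothing in the hunk says where it is cleared. The unit tests at the top of this commit had to set the flag by hand next to `p->flow = &f;`, which suggests consumers now test the flag rather than the pointer. If so, any path that assigns or resets `p->flow` without touching the flag would skip flow-based inspection or act on a stale flow. I would add a comment on this line such as `/* PKT_HAS_FLOW must mirror p->flow != NULL; clear it wherever p->flow is reset */` and check the packet recycling path for the matching clear. The function body starts outside the hunk.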

@ -147,22 +147,19 @@ typedef struct Flow_
uint16_t flags;
/* ts of flow init and last update */
struct timeval startts;
struct timeval lastts;
/* pointer to the var list */
GenericVar *flowvar;
SCMutex m;
uint32_t todstpktcnt;
uint32_t tosrcpktcnt;
uint64_t bytecnt;
/** protocol specific data pointer, e.g. for TcpSession */
void *protoctx;
/** mapping to Flow's protocol specific protocols for timeouts
and state and free functions. */
uint8_t protomap;
/** protocol specific data pointer, e.g. for TcpSession */
void *protoctx;
uint8_t alflags; /**< application level specific flags */
uint16_t alproto; /**< application level protocol */
/** how many pkts and stream msgs are using the flow *right now*. This
* variable is atomic so not protected by the Flow mutex "m".
@ -172,9 +169,12 @@ typedef struct Flow_
*/
SC_ATOMIC_DECLARE(unsigned short, use_cnt);
uint16_t pad0;
void **aldata; /**< application level storage ptrs */
/** detection engine state */
struct DetectEngineState_ *de_state;
SCMutex de_state_m; /**< mutex lock for the de_state object */
/** toclient sgh for this flow. Only use when FLOW_SGH_TOCLIENT flow flag
* has been set. */
@ -183,24 +183,27 @@ typedef struct Flow_
* has been set. */
struct SigGroupHead_ *sgh_toserver;
SCMutex m;
/** List of tags of this flow (from "tag" keyword of type "session") */
DetectTagDataEntryList *tag_list;
/* pointer to the var list */
GenericVar *flowvar;
SCMutex de_state_m; /**< mutex lock for the de_state object */
/* list flow ptrs
* NOTE!!! These are NOT protected by the
* above mutex, but by the FlowQ's */
struct Flow_ *hnext; /* hash list */
struct Flow_ *hprev;
struct FlowBucket_ *fb;
struct Flow_ *lnext; /* list */
struct Flow_ *lprev;
struct FlowBucket_ *fb;
uint16_t alproto; /**< application level protocol */
void **aldata; /**< application level storage ptrs */
uint8_t alflags; /**< application level specific flags */
struct timeval startts;
uint32_t todstpktcnt;
uint32_t tosrcpktcnt;
uint64_t bytecnt;
} Flow;
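Review bot: After the reorder the comment `NOTE!!! These are NOT protected by the above mutex` appears to sit directly under `SCMutex de_state_m;`, while it presumably still means the flow mutex `m`, which now lives further up the struct. A reader could conclude that only `de_state_m` is excluded and miss that `m` does not cover the hash and list pointers either. Name the lock, as the `use_cnt` comment in the same struct does: `* NOTE!!! These are NOT protected by the Flow mutex "m", but by the FlowQ's */`. The added `uint16_t pad0;` after `SC_ATOMIC_DECLARE(unsigned short, use_cnt)` also deserves a one-line comment saying which alignment it is there for, since the macro's expansion is not visible here.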

@ -130,6 +130,8 @@
#define SigIntId uint16_t
//#define SigIntId uint32_t
/** same for pattern id's */
#define PatIntId uint16_t
#include <htp/htp.h>
#include "threads.h"
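Review bot: `#define PatIntId uint16_t` caps pattern ids at 65535, and the B2gcPattern hunk in this commit narrows an `id` that was `uint32_t` to this type, as does `max_id` in MpmPatternIdStore. No range check is visible where ids are handed out (that code is outside these hunks), so a ruleset with more unique patterns than the type holds would presumably wrap and let two patterns share an id. For a detection engine that means wrong or missed matches. I would state the limit in the comment, e.g. `/** same for pattern id's; uint16_t limits the engine to 65535 unique patterns */`, and have the id allocator fail at rule load when `max_id` would overflow.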

@ -72,7 +72,7 @@ typedef struct B2gcPatternHdr_ {
uint32_t np_offset; /* offset of the next pattern */
uint8_t len;
uint8_t flags;
uint16_t id;
PatIntId id;
} B2gcPatternHdr;
#define B2GC_GET_FLAGS(hdr) ((hdr)->flags)
@ -87,7 +87,7 @@ typedef struct B2gcPatternHdr_ {
typedef struct B2gcPattern1_ {
uint8_t flags;
uint8_t pat;
uint16_t id;
PatIntId id;
} B2gcPattern1;
#define B2GC1_GET_FLAGS(hdr) ((hdr)->flags)
@ -99,7 +99,7 @@ typedef struct B2gcPattern_ {
uint16_t len;
uint8_t flags;
uint8_t pad0;
uint32_t id;
PatIntId id;
uint8_t *pat;
} B2gcPattern;

@ -43,12 +43,12 @@
* \brief Structure that hold the user data and the netmask associated with it.
*/
typedef struct SCRadixUserData_ {
/* holds the netmask value that corresponds to this user data pointer */
uint8_t netmask;
/* holds a pointer to the user data associated with the particular netmask */
void *user;
/* pointer to the next user data in the list */
struct SCRadixUserData_ *next;
/* holds the netmask value that corresponds to this user data pointer */
uint8_t netmask;
} SCRadixUserData;
/**
@ -81,10 +81,12 @@ typedef struct SCRadixNode_ {
* to determine the path to be taken during a lookup*/
uint16_t bit;
/* holds a list of netmaks that come under this node in the tree */
uint8_t *netmasks;
uint16_t pad0;
/* total no of netmasks that are registered under this node */
int netmask_cnt;
/* holds a list of netmaks that come under this node in the tree */
uint8_t *netmasks;
/* holds the prefix that the path to this node holds */
SCRadixPrefix *prefix;
