From ffa013b2d83d50a1120c7a30d950458cac61e214 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 28 Jul 2009 00:35:58 +0200
Subject: [PATCH] Implement flow:established and flow:stateless
---
 src/detect-flow.c | 18 +++++++++++++-----
 src/detect-flow.h | 3 ++-
 src/flow.c | 4 ++++
 3 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/src/detect-flow.c b/src/detect-flow.c
index 6e852cb5f7..c52fb53de9 100644
--- a/src/detect-flow.c
+++ b/src/detect-flow.c
@@ -57,17 +57,22 @@ error:
 int DetectFlowMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m)
 {
- int ret = 0;
-
+ u_int8_t cnt = 0;
 DetectFlowData *fd = (DetectFlowData *)m->ctx;
 if (fd->flags & FLOW_PKT_TOSERVER && p->flowflags & FLOW_PKT_TOSERVER) {
- ret = 1;
+ cnt++;
+ } else if (fd->flags & FLOW_PKT_TOCLIENT && p->flowflags & FLOW_PKT_TOCLIENT) {
+ cnt++;
 }
- else if (fd->flags & FLOW_PKT_TOCLIENT && p->flowflags & FLOW_PKT_TOCLIENT) {
- ret = 1;
+
+ if (fd->flags & FLOW_PKT_ESTABLISHED && p->flowflags & FLOW_PKT_ESTABLISHED) {
+ cnt++;
+ } else if (!(fd->flags & FLOW_PKT_ESTABLISHED) && p->flowflags & FLOW_PKT_STATELESS) {
+ cnt++;
 }
+ int ret = (fd->match_cnt == cnt) ? 1 : 0;
 //printf("DetectFlowMatch: returning %d\n", ret);
 return ret;
 }
@@ -127,6 +132,7 @@ int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *f
 if (strcmp(state,"to_server") == 0) fd->flags |= FLOW_PKT_TOSERVER;
 if (strcmp(state,"from_server") == 0) fd->flags |= FLOW_PKT_TOCLIENT;
 if (strcmp(state,"from_client") == 0) fd->flags |= FLOW_PKT_TOSERVER;
+ fd->match_cnt = 1;
 }
 if (dir) {
 if (strcmp(dir,"established") == 0) fd->flags |= FLOW_PKT_ESTABLISHED;
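Review bot: `int ret = (fd->match_cnt == cnt) ? 1 : 0;` compares against the number of keyword arguments recorded in DetectFlowSetup, but this function can increment cnt at most twice (once per if/else chain), so a rule that reaches `fd->match_cnt = 3` (the -143 hunk on the next line; the -127 and -135 hunks set 1 and 2 the same way) can never match. A rule carrying only a direction (match_cnt == 1) is pushed to cnt == 2 by the `!(fd->flags & FLOW_PKT_ESTABLISHED) && p->flowflags & FLOW_PKT_STATELESS` branch on a stateless packet and rejected, which — if FLOW_PKT_STATELESS marks packets of not-yet-established flows, as the keyword name suggests — makes `flow:to_server` match established traffic only, presumably the opposite of the intent. Counting which keywords were given also cannot tell which condition matched, so the match should evaluate each requested condition explicitly and match_cnt can go; that needs DetectFlowSetup to record the stateless keyword as a FLOW_PKT_STATELESS bit in fd->flags, which this patch does not show. The rewritten body below keeps the `//printf` and `return ret;` lines unchanged.
```c
int DetectFlowMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m)
{
    DetectFlowData *fd = (DetectFlowData *)m->ctx;
    /* a direction keyword must match when present; none given means any direction */
    int dir_ok = 1;
    if (fd->flags & (FLOW_PKT_TOSERVER | FLOW_PKT_TOCLIENT)) {
        dir_ok = (fd->flags & p->flowflags & (FLOW_PKT_TOSERVER | FLOW_PKT_TOCLIENT)) != 0;
    }
    /* likewise for the flow state; requires DetectFlowSetup to set FLOW_PKT_STATELESS for "stateless" */
    int state_ok = 1;
    if (fd->flags & FLOW_PKT_ESTABLISHED) {
        state_ok = (p->flowflags & FLOW_PKT_ESTABLISHED) != 0;
    } else if (fd->flags & FLOW_PKT_STATELESS) {
        state_ok = (p->flowflags & FLOW_PKT_STATELESS) != 0;
    }
    int ret = (dir_ok && state_ok) ? 1 : 0;
    /* … unchanged: debug printf and return … */
```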
@@ -135,6 +141,7 @@ int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *f
 if (strcmp(dir,"to_server") == 0) fd->flags |= FLOW_PKT_TOSERVER;
 if (strcmp(dir,"from_server") == 0) fd->flags |= FLOW_PKT_TOCLIENT;
 if (strcmp(dir,"from_client") == 0) fd->flags |= FLOW_PKT_TOSERVER;
+ fd->match_cnt = 2;
 }
 if (stream) {
 if (strcmp(stream,"established") == 0) fd->flags |= FLOW_PKT_ESTABLISHED;
@@ -143,6 +150,7 @@ int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *f
 if (strcmp(stream,"to_server") == 0) fd->flags |= FLOW_PKT_TOSERVER;
 if (strcmp(stream,"from_server") == 0) fd->flags |= FLOW_PKT_TOCLIENT;
 if (strcmp(stream,"from_client") == 0) fd->flags |= FLOW_PKT_TOSERVER;
+ fd->match_cnt = 3;
 }
 /* Okay so far so good, lets get this into a SigMatch
diff --git a/src/detect-flow.h b/src/detect-flow.h
index 4fc5c9e851..023de010fd 100644
--- a/src/detect-flow.h
+++ b/src/detect-flow.h
@@ -2,7 +2,8 @@
 #define __DETECT_FLOW_H__
 typedef struct _DetectFlowData {
- u_int8_t flags;
+ u_int8_t flags; /* flags to match */
+ u_int8_t match_cnt; /* number of matches we need */
 } DetectFlowData;
 /* prototypes */
diff --git a/src/flow.c b/src/flow.c
index 486c8e27c2..34c529cd8b 100644
--- a/src/flow.c
+++ b/src/flow.c
@@ -233,6 +233,10 @@ void FlowHandlePacket (ThreadVars *th_v, Packet *p)
 }
 f->bytecnt += p->pktlen;
+ if (f->flags & FLOW_TO_DST_SEEN && f->flags & FLOW_TO_SRC_SEEN) {
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ }
+
 /* update queue positions */
 FlowUpdateQueue(f);
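Review bot: The new `if (f->flags & FLOW_TO_DST_SEEN && f->flags & FLOW_TO_SRC_SEEN)` in FlowHandlePacket marks a packet FLOW_PKT_ESTABLISHED as soon as traffic has been seen in both directions, which for TCP is weaker than a completed handshake, so `flow:established` rules would also fire on a flow where a single unsolicited reply set the reverse-direction bit, if that bit is set by any packet in that direction (the code that sets it is outside the hunk). That meaning deserves a comment on the branch: `/* "established" here means packets seen in both directions, not a completed TCP handshake */`. Nothing in this patch sets FLOW_PKT_STATELESS on p->flowflags while DetectFlowMatch tests for it, so unless it is set elsewhere a `flow:stateless` rule can never match; an `else { p->flowflags |= FLOW_PKT_STATELESS; }` on this branch would keep the two flags complementary. FlowHandlePacket begins and ends outside the hunk.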