Commit Graph

934 Commits (8547d113bfe6b44f188ff72194c31e407d5ae42c)

Author SHA1 Message Date
Victor Julien 2b84387ea4 detect: work around cocci limitation 9 years ago
Victor Julien 0311f01b97 rule grouping: speed up port based grouping
Create a hash table of unique DetectPort objects before trying to
create a unique list of these objects. This safes a lot of cycles
in the creation of the list.
9 years ago
Victor Julien 30755265ee http_raw_header: improve mpm progress handling 9 years ago
Victor Julien de273d88cc detect: remove unused content minlen tracking 9 years ago
Victor Julien 5857660568 http_uri: mpm cleanup. Use mpm_ctx's minlen 9 years ago
Victor Julien caea596ce5 profiling: output post-prefilter matches
Dump a json record containing all sigs that need to be inspected after
prefilter. Part of profiling. Only dump if threshold is met, which is
currently set by:

 --set detect.profiling.inspect-logging-threshold=200

A file called packet_inspected_rules.json is created in the default
log dir.
9 years ago
Victor Julien 92c571b26d detect: move sm_list to string funcs to parser code 9 years ago
Victor Julien 722e2dbf7c profiling: initial rulegroup tracking
Per rule group tracking of checks, use of lists, mpm matches,
post filter counts.

Logs SGH id so it can be compared with the rule_group.json output.

Implemented both in a human readable text format and a JSON format.
9 years ago
Victor Julien e310a033be detect: assign id to sgh 9 years ago
Victor Julien ba9d43cce5 mpm: improve negated mpm
The idea is: if mpm is negated, it's both on mpm and nonmpm sid lists
and we can kick it out in that case during the merge sort.

It only works for patterns that are 'independent'. This means that the
rule doesn't need to only match if the negated mpm pattern is limited
to the first 10 bytes for example.

Or more generally, an negated mpm pattern that has depth, offset,
distance or within settings can't be handled this way. These patterns
are not added to the mpm at all, but just to to non-mpm list. This
makes sense as they will *always* need manual inspection.

Similarly, a pattern that is 'chopped' always needs validation. This
is because in this case we only inspect a part of the final pattern.
9 years ago
Victor Julien c1ad08d11e detect: remove stream pmq array 9 years ago
Victor Julien c87fcb29ff detect mpm: fast_pattern assignment cleanup 9 years ago
Victor Julien a96fa0fc2f detect: remove unused dport sgh hash 9 years ago
Victor Julien e6248b0dbe detect: clean up sgh's at detect engine free 9 years ago
Victor Julien 1f7e33a4b0 detect: remove unused flag 9 years ago
Victor Julien 2ab20d0b9b detect: free lookup structures 9 years ago
Victor Julien 4ba1ac55f0 detect: output sgh stats
Output stats for the rule groups into a json format.
9 years ago
Victor Julien 810d2d3ec6 detect: add list id to string funcs 9 years ago
Victor Julien a34be23002 detect: simplify negated mpm handling 9 years ago
Victor Julien b84d6d402f detect grouping: multiple whitelist conditions
Instead of the binary yes/no whitelisting used so far, use different
values for different sorts of whitelist reasons. The port list will
be sorted by whitelist value first, then by rule count.

The goal is to whitelist groups that have weak sigs:

 - 1 byte pattern groups

 - SYN sigs

    Rules that check for SYN packets are mostly scan detection rules.
    They will be checked often as SYN packets are very common.

    e.g. alert tcp any any -> any 22 (flags:S,12; sid:123;)

    This patch adds whitelisting for SYN-sigs, so that the sigs end up
    in as unique groups as possible.

 - negated mpm sigs

    Currently negated mpm sigs are inspected often, so they are quite
    expensive. For this reason, try to whitelist them.

These values are set during 'stage 1', rule preprocessing.
9 years ago
Victor Julien 3c184c19cd detect grouping: port based group whitelisting
Whitelist some ports in grouping to make sure they get their own group.
9 years ago
Victor Julien 5772f526dc detect grouping: warn on and fix up bad sigs
Only inspect directionless SYN scan sigs toserver. Issue a warning for
those rules.
9 years ago
Victor Julien 2ce03fbabb detect: split non-mpm list into syn/nosyn
Since SYN inspecting rules are expensive, this patch splits the
'non-mpm' list (i.e. the rules that are always considered) into
a 'syn' and 'non-syn' list. The SYN list is only inspected if the
packet has the SYN flag set, otherwise the non-syn list is used.

The syn-list contains _all_ rules. The non-syn list contains all
minus the rules requiring the SYN bit in a packet.
9 years ago
Victor Julien 26517b8b61 detect: mpm store frees mpm_ctx' it owns 9 years ago
Victor Julien 102a82fc7b detect: use mpm store for app layer mpms
Rework app-layer mpm setup and registration to make this possible.
9 years ago
Victor Julien fac2cc0560 detect: mpm deduplication
Create hash for mpm's that we can reuse. Have packet/stream mpms
use this.
9 years ago
Victor Julien f0ba00e51d detect: remove old unused code 9 years ago
Victor Julien 2ee9bf2aef detect: rename groupings vars 9 years ago
Victor Julien ae80ed5964 detect: make port grouping use config limits 9 years ago
Victor Julien df529b13ce detect: change port grouping
Update port grouping logic. Previously it would create one consistent
list w/o overlap. It largely still does this, except for the 'catch
all' port group at the end of the list. This port group contains all
the sigs that didn't fit into the other groups.
9 years ago
Victor Julien a392812302 detect: sort/group port sigs 9 years ago
Victor Julien e570b10abe detect: display unique sgh count 9 years ago
Victor Julien eda9552e95 detect: group proto sghs 9 years ago
Victor Julien d82df4eb8b detect-mpm: make sgh setup proto aware
Allow multi-proto, multi-direction sgh's.
9 years ago
Victor Julien 4223ce9aba detect: remove obsolete grouping code 9 years ago
Victor Julien 9ae4cb9e02 detect: debug output 9 years ago
Victor Julien fd5a06017d detect: per port and proto rule grouping
Replace tree based approach for rule grouping with a per port (tcp/udp)
and per protocol approach.

Grouping now looks like:

               +----+
               |icmp+--->
               +----+
               |gre +--->
               +----+
               |esp +--->
               +----+
          other|... |
        +----->-----+
        |      |N   +--->
        |      +----+
        |
        | tcp  +----+   +----+
        +----->+ 80 +-->+ 139+-->
        |      +----+   +----+
        |
        | udp  +----+   +----+
    +---+----->+ 53 +-->+ 135+-->
    |          +----+   +----+
    |toserver
+--->
    |toclient
    |
    +--->

So the first 'split' in the rules is the direction: toserver or toclient.
Rules that don't have a direction, are in both branches.

Then the split is between tcp/udp and the other protocols. For tcp and
udp port lists are used. For the other protocols, grouping is simply per
protocol.

The ports used are the destination ports for toserver sigs and source
ports for toclient sigs.
9 years ago
Victor Julien 27e63a1e11 detect: track direction and ipproto of sgh
Each SGH has a unique ipproto and direction.
9 years ago
Victor Julien e75a93b125 detect: pass ipproto to rule grouping funcs 9 years ago
Victor Julien c71c991669 detect: delay sgh cleanup 9 years ago
Victor Julien bb662a65f8 detect: delay sgh mpm setup 9 years ago
Victor Julien 18dd54dfa7 Start rule inspect with mask check 9 years ago
Victor Julien 66b3dba676 detect: remove dead code 9 years ago
Victor Julien 4f8e1f59a6 mpm: remove obsolete mpm algos
Remove: ac-gfbs, wumanber, b2g, b3g.
9 years ago
Victor Julien 8394b38941 cppcheck: work around snprintf warning
Cppcheck 1.72 gives a warning on the following code pattern:

    char blah[32] = "";
    snprintf(blah, sizeof(blah), "something");

The warning is:

    (error) Buffer is accessed out of bounds.

While this appears to be a FP, in most cases the initialization to ""
was unnecessary as the snprintf statement immediately follows the
variable declaration.
9 years ago
Victor Julien a74a8c874f smtp: reset inspection buffers 10 years ago
Victor Julien d7d76e7b27 multi-detect: use default tenant
The default detect engine can be used as 'default tenant'.
10 years ago
Jason Ish 6b15686fd1 base64_decode, base64_data: decode and match base64 10 years ago
Victor Julien 6b2f831a70 mpm: SGH maxlen was actually minlen, so rename 10 years ago
Victor Julien 2716c78628 mpm: improve SGH content len tracking
SGH's track content length for rule grouping.

This patch changes the logic to only consider the pattern that is
used in the mpm for a sig.
10 years ago
Victor Julien e529ebb50e mpm: redo uri maxlen logic
The mpm_uricontent_maxlen logic was meant to track the shortest
possible pattern in the MPM of a SGH. So a minlen more than a maxlen.

This patch replaces the complicated tracking logic by a simpler
scheme. When the SGH's are finalize, the minlen is calculated.

It also fixes a small corner case where the calculated "maxlen" could
be wrong. This would require a smaller pattern in a rule to be forced
as fast pattern.
10 years ago
Victor Julien c53c9b4b20 mpm: remove bloated counting logic
Counters were only used to print debug info.
10 years ago
Victor Julien e67188e437 detect: fix issue with smsg and seq wraps
Due to a broken sequence number check, detect could fail to process
smsgs in case of a sequence wrap. This could lead to excessive use
of smsg's but also of segments, since these aren't cleared until the
smsg containing them is.
10 years ago
Jason Ish 06beca62f5 app-layer: template for application layer content inspection 10 years ago
Victor Julien cb060f16fd detect plugin: add template 10 years ago
Victor Julien 82aa419431 multi-detect: set tenant id on pseudo packets
Store the tenant id in the flow and use the stored id when setting
up pesudo packets.

For tunnel and defrag packets, get tenant from parent. This will only
pass tenant_id's set at capture time.

For defrag packets, the tenant selector based on vlan id will still
work as the vlan id(s) are stored in the defrag tracker before being
passed on.
10 years ago
Victor Julien e19c41a807 multi-detect: hash lookup for tenants
Use hash for storing and looking up det_ctxs.
10 years ago
Victor Julien f4c9915066 multi-detect: store tenant id in packet
Store tenant id in the packet so that the output API's can log it.
10 years ago
Victor Julien 93f856a1b3 detect: don't error out on no de_ctx
This can happen on a multi-detect setup with no registered
engines yet.
10 years ago
Victor Julien 1893c5edb1 multi-detect: initial selectors for tenants
The Detection Thread has the TenantGetId pointer which allows it
to select a tenant id based on the packet.
10 years ago
Victor Julien 0ff6d3dcfd detect: select detect engine at Detect entry
Limited to Pcap only currently.
10 years ago
Victor Julien def2b58725 detect: initial MT lookup logic
In the DetectEngineThreadCtx, store another DetectEngineThreadCtx per
tenant.

Currently it's just a simple array indexed by the tenant id.
10 years ago
Victor Julien 2ef0ebb24b detect: fix pass transaction handling
If a flow was 'pass'd, it means that no packet of it will flow be handled
by the detection engine. A side effect of this was that the per flow
inspect_id would never be moved forward. This in turn lead to a situation
where transactions wouldn't be freed.

This patch addresses this case by incrementing the inspect_id anyway for
the pass case.
10 years ago
Victor Julien 814f0b4094 detect: make http prefilter use disrupt flags 10 years ago
Victor Julien b592f98727 detect: optimize http prefilter handing 10 years ago
Victor Julien ea571add73 app-layer: disruption flags
Stream GAPs and stream reassembly depth are tracked per direction. In
many cases they will happen in one direction, but not in the other.

Example:
HTTP requests a generally smaller than responses. So on the response
side we may hit the depth limit, but not on the request side.

The asynchronious 'disruption' has a side effect in the transaction
engine. The 'progress' tracking would never mark such transactions
as complete, and thus some inspection and logging wouldn't happen
until the very last moment: when EOF's are passed around.

Especially in proxy environments with _very_ many transactions in a
single TCP connection, this could lead to serious resource issues. The
EOF handling would suddenly have to handle thousands or more
transactions. These transactions would have been stored for a long time.

This patch introduces the concept of disruption flags. Flags passed to
the tx progress logic that are and indication of disruptions in the
traffic or the traffic handling. The idea is that the progress is
marked as complete on disruption, even if a tx is not complete. This
allows the detection and logging engines to process the tx after which
it can be cleaned up.
10 years ago
Victor Julien 8125e04b39 detect: clean up flag usage 10 years ago
Victor Julien 6e2c90a83b detect: constify some DetectMpmPrefilter args 10 years ago
Victor Julien 62fa9f09d4 Sync alversion/appversion types
The app layer state 'version' field is incremented with each update
to the state. It is used by the detection engine to see if the current
version of the state has already been inspected. Since app layer and
detect always run closely together there is no need for a big number
here. The detect code really only checks for equal/not-equal, so wrap
arounds are not an issue.
10 years ago
Alexander Gozman d36eba4e5e Fix issues #1493 and #1494 10 years ago
Victor Julien 752f03e7a4 counters: remaining s/SCPerf/Stats/g 10 years ago
Victor Julien 8992275b0c counters: s/SCPerfCounterAddUI64/StatsAddUI64/g 10 years ago
Victor Julien 74ab84c194 counters: introduce SCPerfSetupPrivate for thread setup 10 years ago
Victor Julien 799640f906 counters: make threadvars::perf_private_ctx static
Update SCPerfGetAllCountersArray and add a UT workaround.
10 years ago
Victor Julien 55cfab89e4 counters: SCPerfGetLocalCounterValue cleanup
Return u64, update arguments.
10 years ago
Victor Julien e9b067c1eb counters: make increment call take threadvars
This hides the implementation from the caller.
10 years ago
Victor Julien 9a8bff7d96 counters: threadvars s/sc_perf_pca/perf_private_ctx/g 10 years ago
Victor Julien 50bb995458 counters: rename threadvars public counters 10 years ago
Alexander Gozman f11e237d77 Feature #1440: support wildcards in rule filenames 10 years ago
Victor Julien c7bc9ae6a8 detect: minor cleanups 10 years ago
Victor Julien c1558f5ac4 stream: remove FLOW_NO_APPLAYER_INSPECTION flag
Instead, intruduce StreamTcpDisableAppLayer to disable app layer
tracking and reassembly. StreamTcpAppLayerIsDisabled can be used
to check it.

Replace all uses of FlowSetSessionNoApplayerInspectionFlag and
the FLOW_NO_APPLAYER_INSPECTION.
10 years ago
Victor Julien 37f0bd57b6 detect-state: handle duplicate inspect/match
If for a packet we have a TX N that has detect state and a TX N+1 that
has no detect state, but does have 'progress', we have a corner case
in stateful detection.

ContinueDetection inspects TX N, but cannot flag the rule in the
de_state_sig_array as the next (TX N+1) has already started and needs
to be inspected. 'StartDetection' however, is then unaware of the fact
that ContinueDetection already inspected the rule. It uses the per
session 'inspect_id' that is only moved forward at the end of the
detection run.

This patch adds a workaround. It uses the DetectEngineThreadCtx::
de_state_sig_array to store an offset between the 'base' inspect_id
and the inspect_id that StartDetection should use. The data type is
limited, so if the offset would be too big, a search based fall back
is implemented as well.
10 years ago
Victor Julien 62e937672d detect-events: set SIG_MASK_REQUIRE_*_STATE for events
Set SIG_MASK_REQUIRE_*_STATE for event rules to earlier discard
them.
10 years ago
Giuseppe Longo 84dc73d9de mpm: implement prefiltering for smtp 10 years ago
Giuseppe Longo 41a1a9f4af find and replace HSBDMATCH by FILEDATA
This commit do a find and replace of the following:

- DETECT_SM_LIST_HSBDMATCH by DETECT_SM_LIST_FILEDATA
  sed -i 's/DETECT_SM_LIST_HSBDMATCH/DETECT_SM_LIST_FILEDATA/g' src/*

- HSBD by FILEDATA:
  sed -i 's/HSBDMATCH/FILEDATA/g' src/*
10 years ago
Eric Leblond d98060410c list keywords: restore 2.0 similar output
Unset was previously displayed if the application layer was not
set. Code before this patch was displaying '(null)' which is not
user friendly.
10 years ago
Victor Julien dea8dda3c1 vars: redo var name <-> idx handling
Can't use sm type anymore as multiple var carriers (host/flow/etc) will
all have xbits.
10 years ago
Victor Julien 61cb2abc8d ippair: xbit implementation
detect xbits for ippair: initial implementation
10 years ago
Victor Julien 5c880377ae detect: hostbits keyword
Per host bit similar to 'flowbits'.

Initial code that uses just the 'src' ip for the operations.
10 years ago
Victor Julien 0704ece4d7 detect-reload: enable unconditionally
Reloading is available unconditionally now.
10 years ago
Victor Julien 7108085d33 detect: initialize detection engine by prefix
Initalize detection engine by configuration prefix.

    DetectEngineCtxInitWithPrefix(const char *prefix)

Takes the detection engine configuration from:
<prefix>.<config>

If prefix is NULL the regular config will be used.

Update sure that DetectLoadCompleteSigPath considers the prefix when
retrieving the configuration.
11 years ago
Victor Julien e250040b72 detect-state: implement tx state reset for reload
In case of Detect Reload, we need to reset active tx' state.
11 years ago
Victor Julien da3e8ad8f6 detect-state: split flow and tx state
Use separate data structures for storing TX and FLOW (AMATCH) detect
state.

- move state storing into util funcs
- remove de_state_m
- simplify reset state logic on reload
11 years ago
Victor Julien e9857200b3 detect: set action from utility function
Set actions that are set directly from Signatures using the new
utility function DetectSignatureApplyActions. This will apply
the actions and also store info about the 'drop' that first made
the rule drop.
11 years ago
Jason Ish 6ed246c041 Don't attempt to load the rule files if the rule-files configuration
node is not a sequence.  Instead log a warning as this is usually
a configuration error.
11 years ago
Victor Julien f1f5428faa detect: expand mask checking
Change mask to u16, and add checks for various protocol states
that need to be present for a rule to be considered.
11 years ago
Victor Julien ca59eabca3 detect: introduce DetectPrefilterBuildNonMpmList
Move building of non-mpm list into a separate function, that is inlined
for performance reasons.
11 years ago
Victor Julien cc4f7a4b96 detect: add profiling for non-mpm list build & filter 11 years ago
Victor Julien 4c10635dc1 detect: optimize non-mpm mask checking
Store id and mask in a single array of type SignatureNonMpmStore so
that both are loaded into the same cache line.
11 years ago
Victor Julien b5a3127151 detect: add mask check prefilter for non mpm list
Add mask array for non_mpm sigs, so that we can exclude many sigs before
we merge sort.

Shows 50% less non mpm sigs inspected on average.
11 years ago
Ken Steele 904441327c Conditionalize SigMatch performance counters.
Only include the counters when PROFILING.
11 years ago
Victor Julien 30b7fdcb49 Detect perf counters 11 years ago
Victor Julien ef6875d583 detect: Disable unused SignatureHeader code 11 years ago
Ken Steele 4bd280f196 Indentation clean up 11 years ago
Ken Steele 403b5a4645 Further optimize merging mpm and non-mpm rule ID lists.
When reaching the end of either list, merging is no longer required,
simply walk down the other list.

If the non-MPM list can't have duplicates, it would be worth removing
the duplicate check for the non-MPM list when it is the only non-empty list
remaining.
11 years ago
Ken Steele 86f4c6c47b Custom Quick Sort for Signature IDs
Use an in place Quick Sort instead of qsort(), which does merge sort and
calls memcpy().

Improves performance on my tests.
11 years ago
Ken Steele 736ac6a459 Use SigIntId as the type for storing signature IDs (Internal)
Previously using uint32_t, but SigIntId is currently uint16_t, so arrays
will take less memory.
11 years ago
Ken Steele 1874784c10 Create optimized sig_arrays from sig_lists
Create a copy of the SigMatch data in the sig_lists linked-lists and store
it in an array for faster access and not next and previous pointers. The
array is then used when calling the Match() functions.

Gives a 7.7% speed up on one test.
11 years ago
Ken Steele 923a77e952 Change Match() function to take const SigMatchCtx*
The Match functions don't need a pointer to the SigMatch object, just the
context pointer contained inside, so pass the Context to the Match function
rather than the SigMatch object. This allows for further optimization.

Change SigMatch->ctx to have type SigMatchCtx* rather than void* for better
type checking. This requires adding type casts when using or assigning it.

The SigMatch contex should not be changed by the Match() funciton, so pass it
as a const SigMatchCtx*.
11 years ago
Ken Steele 1c76fa50b1 Prefetch the next signature pointer
Read one signature pointer ahead to prefetch the value.
Use a variable, sflags, for s->flags, since it is used many times and the
compiles doesn't know that the signatures structure doesn't change, so it
will reload s->flags.
11 years ago
Ken Steele d31db4ed1c Fix clang warning
Clang doesn't seem to like defining a function within a function.
11 years ago
Ken Steele 23d2a1c422 Optimize DetectPrefilterMergeSort
Fixup rebase changes to remove debug code
11 years ago
Victor Julien 7876277119 detect: move checks from prefilter to rule detect
Move the prefilter checks to the main detect loop.
11 years ago
Victor Julien d1d895a884 Replace build match array with new filter logic
Use MPM and non-MPM lists to build our match array. Both lists are
sorted, and are merged and sorted into the match array.

This disables the old match array building code and thus also bypasses
the mask checking.
11 years ago
Victor Julien f5df526f9b Detect: create per sgh non-MPM rule array
Array of rule id's that are not using MPM prefiltering. These will be
merged with the MPM results array. Together these should lead to a
list of all the rules that can possibly match.
11 years ago
Victor Julien e49d0a5924 MPM: build sid list from MPM matches
Pmq add rule list: Array of uint32_t's to store (internal) sids from the MPM.

AC: store sids in the pattern list, append to Pmq::rule_id_array on match.

Detect: sort rule_id_array after it was set up by the MPM. Rule id's
(Signature::num) are ordered, and the rule's with the lowest id are to
be inspected first. As the MPM doesn't fill the array in order, but instead
'randomly' we need this sort step to assure proper inspection order.
11 years ago
Victor Julien 43a1007788 detect: add test for memcmp issue 11 years ago
Victor Julien d951de2f19 Bug 977: -T / --init-errors-fatal to process all rules
Have -T / --init-errors-fatal process all rules so that it's easier
to debug problems in ruleset. Otherwise it can be a lengthy fix, test
error cycle if multiple rules have issues.

Convert empty rulefile error into a warning.

Bug #977
11 years ago
DIALLO David b3bf2f9939 Detect: Add Modbus keyword management
Add the modbus.function and subfunction) keywords for public function match in rules (Modbus layer).
Matching based on code function, and if necessary, sub-function code
or based on category (assigned, unassigned, public, user or reserved)
and negation is permitted.

Add the modbus.access keyword for read/write Modbus function match in rules (Modbus layer).
Matching based on access type (read or write),
and/or function type (discretes, coils, input or holding)
and, if necessary, read or write address access,
and, if necessary, value to write.
For address and value matching, "<", ">" and "<>" is permitted.

Based on TLS source code and file size source code (address and value matching).

Signed-off-by: David DIALLO <diallo@et.esia.fr>
11 years ago
Anoop Saldanha b334b8a6e9 CUDA: Update the inspection engine to inform the cuda module that it
doesn't need the gpu results and to release the packet for the next run.

Previously the inspection engine wouldn't inform the cuda module, if it
didn't need the results.  As a consequence, when the packet is next taken
for re-use, and if the packet is still being processed by the cuda module,
the engine would wait till the cuda module frees the packet.

This commits updates this functionality to inform the cuda module to
release the packet for the afore-mentioned case.
11 years ago
Ken Steele 60c46170b0 Check replist is not NULL inline before doing any processing.
The replist is often NULL, so it is worth checking that case before making
the function call do perform work on the list.
11 years ago
Victor Julien f23399d672 Rename Lua code to just Lua
As we support regular Lua as well as LuaJIT, it makes more sense to call
it all Lua.
11 years ago
Ken Steele 8f1d75039a Enforce function coding standard
Functions should be defined as:

int foo(void)
{
}

Rather than:
int food(void) {
}

All functions where changed by a script to match this standard.
11 years ago
Victor Julien 96adcf6829 refactor IDS/IPS engine mode logic
Instead of error phrone externs with macro's, use functions with a local
static enum var instead.

- EngineModeIsIPS(): in IPS mode
- EngineModeIsIDS(): in IDS mode

To set the modes:

- EngineModeSetIDS(): IDS mode (default)
- EngineModeSetIPS(): IPS mode

Bug #1177.
11 years ago
Victor Julien fc559ce227 detect: fix alstate handling
Previously, the alstate use in the main detect loop was unsafe. The
alstate pointer would be set duing a lock, but it would again be used
after one or more lock/unlock cycles. If the data pointed to would
disappear, a dangling pointer would be the result.

Due to they way flows are cleaned up using reference counting and
such, changes of this happening were very small. However, at least
one path can lead to this situation. So it had to be fixed.
11 years ago
Victor Julien b6e2a6f525 detect: locking update continued
Make DeStateDetectContinueDetection get it's own alstate pointer instead
of using the one that was passed to it. We now get and use it only
inside a flow lock.
11 years ago
Victor Julien cf31e2cc74 detect: locking update
Make DeStateDetectStartDetection get it's own alstate pointer instead
of using the one that was passed to it. We now get and use it only
inside a flow lock.
11 years ago
Victor Julien 5e1bc99e5b detect: cleanup
Remove unused alstate and app layer flags arguments from
DetectEngineInspectPacketPayload()
11 years ago
Victor Julien f00703acc1 Fix False Positive of rules with ports on portless protocols
In case of 'alert ip' rules that have ports, the port checks would
be bypassed for non-port protocols, such as ICMP. This would lead to
a rule matching: a false positive.

This patch adds a check. If the rule has a port setting other than
'any' and the protocol is not TCP, UDP or SCTP, then we rule won't
match.

Rules with 'alert ip' and ports are rare, so the impact should be
minimal.

Bug #611.
12 years ago
Victor Julien b5afe2b51f ssh: reenable ssh.protoversion keyword 12 years ago
Victor Julien 6c0162bf26 ssh: reenable ssh.softwareversion keyword 12 years ago
Victor Julien df927f7ea8 unittest: fix mutex unlock w/o a lock
Fixes an error in a test. SCMutexUnlock was called w/o a prior
SCMutexLock.
12 years ago
Victor Julien 2c3a92a1c9 profiling: conditional rule profiling
Add support for conditional rule profiling. Currently only simple
rate limiting is supported, but hardcoded to inspecting rules for
each packet.
12 years ago
Victor Julien 54d64a1237 detect: use pflow pointer
Use pflow pointer in SigMatchSignatures consistently. Also, when
needing access to the ipproto, use p->proto, not p->flow->proto.
12 years ago
Victor Julien 0ec375d95a stream msg: remove structure 12 years ago
Victor Julien 8dbf7a0d78 Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this. 12 years ago
Victor Julien fdefb65be4 app-layer: rename AppLayerThreadCtx funcs
AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc
AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
Victor Julien f5f148805c app layer: uint16_t alproto -> AppProto alproto
This conversion was missing in a couple of places.
12 years ago
Victor Julien 8527b8e08e App Layer: cleanup state func naming
Rename functions related to AppLayerState to be more consistent.
12 years ago
Victor Julien e111401c10 detect unittests: clang build fix and cleanups
A number of unittests would lead to clang build errors because
of unsafe det_ctx ptr usage. This patch fixes these and inits
det_ctx to NULL in the other detect tests.
12 years ago
Anoop Saldanha 429c6388f6 App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].

Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
  parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
  "dnsudp" in the rules.  A user who previously wrote a rule like this -

  "alert dnstcp....." or
  "alert dnsudp....."

  would now have to use,

  alert dns (ipproto:tcp;) or
  alert udp (app-layer-protocol:dns;) or
  alert ip (ipproto:udp; app-layer-protocol:dns;)

  The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
  callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
  STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
  functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0.  This is
  needed by unittests, which would try to clean the flow, and that would
  call the api, AppLayerParserCleanupParserState(), which would try to
  clean the app state, but the app layer now needs an ipproto to figure
  out which api to internally call to clean the state, and if the ipproto
  is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
  they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
Anoop Saldanha abded4200a Disabling the ssh parser temporarily, since we are moving away from some
of the archaic features we use in the app layer. We will reintroduce this
parser shortly. Also do note that keywords that rely on the ssh parser
would now be disabled.
12 years ago
Victor Julien 2913a4a860 debug: fix realloc error checking on flowbit print
detect.c:1074:17: warning: Potential leak of memory pointed to by \
                                field 'debuglog_flowbits_names'
                return;

Bug #1062.
12 years ago
Ken Steele 882d98733f Fix pfring so that zero-copy mode can work.
Detect when default_packet_size is zero, which enables zero-copy mode for
pfring and in that case, do what AF Packet does and set pkt_ext pointer to
the data and set PKT_ZERO_COPY flag.
12 years ago
Ken Steele f9705377ae Remove pkt variable from Packet structure.
The uint8_t *pkt in the Packet structure always points to the memory
immediately following the Packet structure. It is better to simply
calculate that value every time than store the 8 byte pointer.
12 years ago
Ken Steele 5a1bc025e5 Mark pflow as a constant pointer.
Address review comment from Victor that the pflow pointer is constant, so
it can be marked as such.
12 years ago
Ken Steele bee24d8909 Use pflow variable in place of p->flow to prevent reloading.
In SigMatchSignatures, the value p->flow doens't change, but GCC can't
figure that out, so it reloads p->flow many times during the function.
When p->flow is loaded into the variable pflow once at the start of the
function, the compile then doesn't need to reload it.
12 years ago
Victor Julien 0b0e9340dc rule setup: cleanup
Remove rule preparation logic that ran, but it's results were not
used.
12 years ago
Victor Julien d397ed94c5 detect: use macro for max rule size 12 years ago
Victor Julien e7f6107e79 signature address parsing improvements and tests
Fix sigatures not supporting [10.0.0.0/24, !10.1.1.1] notation when
used directly in a rule instead of through a variable.

Add tests for Bugs #815 and #920.
12 years ago
Victor Julien 5330b1cae1 detect: don't consider smsgs for no inspect flag
When the PKT_NOPAYLOAD_INSPECTION flag is set, don't apply it to smsgs.
This way we can still inspect the outstanding smsgs.

The PKT_NOPAYLOAD_INSPECTION is set for encrypted traffic, and is combined
with disabling stream reassembly. So we only inspect the smsgs up to the
point of the disable detection point.
12 years ago
Ken Steele c6a8d0ab6b Share Packet checksum values for TCP, UDP, IPv6. ICMPv4 and ICMPv6
Keep a separate checksum for IPV4, since a packet can have both an IPV4
checksum and a TCPV4 checksum, or IPV4 and UDPV4 checksum.

This will allow future sharing of more values.

Use PACKET_RESET_CHECKSUMS() in Unit Tests in place of setting the
individual checksum values.
12 years ago
Victor Julien 72a147b6f1 detect: only inspect smsg for valid tcp packets
Packets that are rejected by the stream engine are not considered
part of an established tcp session. By allowing them to inspect
an smsg, some smsgs would not be properly inspected.
12 years ago
Ken Steele dfc2117e80 Add Unit test to check TCPv4 and IPV4 checksums together.
Copied SigTest26TCPV4Keyword and added check for invalid IPV4 checksums.
Created new SigTest26TCPV4AndIPV4Keyword test with a new packet with valid
IPV4 checksums.
12 years ago
Victor Julien 5686c673ec profiling: per buffer profiling 12 years ago
Victor Julien 97bfcac444 profiling: introduce per keyword profiling
Initial version of per keyword profiling. Prints stats about
how ofter a keyword was checked and what the costs were.
12 years ago
Victor Julien 1b11165864 Reset both sides of the de_state on rule reload. Bug #998. 12 years ago
Victor Julien edeeb7ed44 Store TX id with alerts
When generating an alert and storing it in the packet, store the tx_id
as well. This way the output modules can log the tx_id and access the
proper tx for logging.

Issue #904.
12 years ago
Anoop Saldanha b1dffdfbe0 Add app layer protocol packet event detection support. 12 years ago
Anoop Saldanha 94e40907e2 feature #727 - Add support for app-layer-protocol:<protocol> keyword 12 years ago
Victor Julien 48b5513ed9 Properly clean up decoder event rules
Addresses:
~~Dr.M~~ Error #3: LEAK 120 direct bytes 0x08a26ac8-0x08a26b40 + 1871 indirect bytes
~~Dr.M~~ # 0 replace_malloc                               [/work/drmemory_package/common/alloc_replace.c:2292]
~~Dr.M~~ # 1 SigGroupHeadAlloc                            [/home/victor/dev/oisf/src/detect-engine-siggroup.c:144]
~~Dr.M~~ # 2 SigGroupHeadAppendSig                        [/home/victor/dev/oisf/src/detect-engine-siggroup.c:1014]
~~Dr.M~~ # 3 DetectEngineAddDecoderEventSig               [/home/victor/dev/oisf/src/detect.c:3026]
~~Dr.M~~ # 4 SigAddressPrepareStage2                      [/home/victor/dev/oisf/src/detect.c:3075]
~~Dr.M~~ # 5 SigGroupBuild                                [/home/victor/dev/oisf/src/detect.c:4311]
~~Dr.M~~ # 6 SigLoadSignatures                            [/home/victor/dev/oisf/src/detect.c:464]
~~Dr.M~~ # 7 LoadSignatures                               [/home/victor/dev/oisf/src/suricata.c:1706]
~~Dr.M~~ # 8 main                                         [/home/victor/dev/oisf/src/suricata.c:1994]
12 years ago
Victor Julien 8080494e9a counters: consolidate counters after all ThreadInit functions of a thread have run. This prevents duplicate and overwriting memory allocations. 12 years ago
Victor Julien 3470b07ea5 Fix several compile and runtime warnings found by clang 3.2 with the -fsanitize=address option. 12 years ago
Victor Julien c82ecf553a Tag: document in the code that 'tag' is compatible with ip only 12 years ago
Ken Steele 50f859e9f2 Move SIMD implementations out of detect.c
Move SIMD the implementations of SigMatchSignaturesBuildMatchArray()
for SSE3 and Tile out of detect.c to reduce the size of the file.

Also moved SIMD unit tests to detect-simd.c
12 years ago
Ken Steele 784843b146 Use Tilera SIMD for Signature matching ala SSE3
Makes use of 8-wide byte compare instructions in signature matching.

For allocating aligned memory, _mm_malloc() is SSE only, so added
check for __tile__ to use memalign() instead.

Shows a 13% speed up.
12 years ago
Eric Leblond cd3e32ce19 unittests: some functions needs a flow lock.
In debug validation mode, it is required to call application layer
parsing and other functions with a lock on flow. This patch updates
the code to do so.
12 years ago
Eric Leblond c5bd04f102 unittest: recycle packet before exit
To avoid an issue with flow validation, we need to recycle the packet
before cleaning the flow.
12 years ago
Eric Leblond 75fa1e20d7 engine analysis is a running mode 12 years ago
Eric Leblond 325462d396 Export IsRuleReloadSet and use it. 12 years ago
Victor Julien 055b422c28 Remove obsolete code: flow alert sid storage 12 years ago
Victor Julien 9faa4b740d Add --unittests-coverage option to list how many code modules have tests 12 years ago
Victor Julien f4dcba6de3 In case of fragments, don't consider ports. Bug #847. 12 years ago
Anoop Saldanha 48cf0585fb Suricata upgrade to libhtp 0.5.x.
Remove the support for now unsupported personalities from libhtp -
TOMCAT_6_0, APACHE and APACHE_2_2.  We instead use the APACHE_2
personality.
12 years ago
Anoop Saldanha fba95e9125 Remove mpm ctxs in the wrong direction.
A lot of http mpm ctxs have now been removed as a result of this.
12 years ago
Victor Julien 9dc04d9fab app layer: add support for per TX decoder events 12 years ago
Victor Julien 6645620c03 Merge SIG_FLAG_MPM_HTTP and SIG_FLAG_MPM_DNS into SIG_FLAG_MPM_APPLAYER, do the same for the _NEG variant. 12 years ago
Victor Julien 43ba5a677e DNS: enable mpm/fast_pattern support for dns_query 12 years ago
Victor Julien f10dd603ff DNS: adding dns_request content modifier 12 years ago
Eric Leblond 4521de2dfd Use PACKET_* macro instead of UPDATE
Setting the ACTION_DROP flag can be done via PACKET_DROP instead
of using PACKET_UPDATE_ACTION.
12 years ago
Eric Leblond 3f107fa130 decode: Packet action start with PACKET
Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
Anoop Saldanha 602c91ed41 Minor cosmetic changes to the cuda code.
Moved a couple of functions to more cuda relevant files;
Re-structured some data types.
12 years ago
Anoop Saldanha 17c763f855 Version 1 of AC Cuda. 12 years ago
Anoop Saldanha 557cab3dc9 We call packet and stream mpm as late as possible now. Won't affect the working of the engine.
The rationale behind this is, if we have pkt buffered to the gpu, we'd want
to delay processing the pkt as much as possible.
12 years ago
Anoop Saldanha f4c719b83a code refactoring. Call mpmprefilter slightly later than where it's called atm 12 years ago
Anoop Saldanha b787da5643 Remove all cuda related code in the engine except for the cuda api wrappers 12 years ago
Anoop Saldanha e2a6cfb6a6 update cuda API wrappers 12 years ago
Eric Leblond a35c367942 action handling: use macro for test.
Use test macro instead of direct access to action field.

This patch has been obtained by using the following
spatch file:

  @@
  Packet *p;
  expression E;
  @@

  - p->action & E
  + TEST_PACKET_ACTION(p, E)
12 years ago
Eric Leblond efaa9a7302 action handling: define and use macros
The action field in Packet structure should not be accessed
directly as the tunneled packet needs to update the root packet
and not the initial packet.

This patch is fixing issue #819 where suricata was not able to
drop fragmented packets in AF_PACKET IPS mode. It also fixes
drop capability for tunneled packets.
12 years ago
Victor Julien 6e18ed0489 luajit flowvar support
This patch adds flowvar support to luajit. It does so by exposing two special
C functions to the luajit scripts: ScFlowvarGet and ScFlowvarSet.
12 years ago
Anoop Saldanha ab1f8afbc3 Removed Signature->order_id and replaced it with Signature->num. 12 years ago
Anoop Saldanha 43d1229dfa 1. Fix assignment of signums, which affected how we used read
sigs(priority wise) inside staging.

   Previously we would assign signums before sig ordering, and hence the
   order didn't actually reflect the order of the sig in the
   sig_list(assuming sig reordering changed the sig_list).  Staging would
   use the old sig_nums to decide the priority of sigs.
2. Fix sig ordering for flowvar, flowbits, flowint, pktvar sigs.   We have
   introduced a new priority to treat sigs with set + read as lower
   priority compared to set only sigs.
3. Previously we treated sigs with a "priority(keyword)" > another sig's
   priority, as a sig with greater priority than the later.  We have
   reversed it.  Now the sig priority ordering is 1,2,.etc.  Updated
   sigordering unittests to reflect the same.
12 years ago
Anoop Saldanha a490176c8a More lock fixes for the transaction update. Issues reported by Coverity. 12 years ago
Anoop Saldanha d4d18e3136 Transaction engine redesigned.
Improved accuracy, improved performance.  Performance improvement
noticeable with http heavy traffic and ruleset.

A lot of other cosmetic changes carried out as well.  Wrappers introduced
for a lot of app layer functions.

Failing dce unittests disabled.  Will be reintroduced in the updated dce
engine.

Cross transaction matching taken care of.  FPs emanating from these
matches have now disappeared.  Double inspection of transactions taken
care of as well.
12 years ago
Anoop Saldanha 6dcde9d7e9 hsbd mpm and packet mpm share same mpm ctx id.
This is a bug emanating from we having a var reference for hsbd mpm,
but failing to initialize it, and we default to using the packet mpm.
12 years ago
Victor Julien 3b68a9d1c6 UDP: inspection app layer state as soon as we have it. 12 years ago
Victor Julien 4cd736fcc9 flowvar: fix deadlock with http buffers
Bug #802

Flowvars are set from pcre, and lock the flow when being set. However
when HTTP buffers were inspected, flow was already locked: deadlock.

This patch introduces a post-match list in the detection engine thread
ctx, where store candidates are kept. Then a post-match function is used
to finalize the storing if the rule matches.

Solves the deadlock and brings the handling of flowvars more in line
with flowbits and flowints.
12 years ago
Anoop Saldanha a3212f6a0f Minor fixes against the last set of patches for #564, 565, 581 + fp automation.
Rename struct DetectFigureFPAndId_t_ to DetectFPAndItsId_ and move it's
definition from inside the function where it's used to the global namespace,
as requested on #suricata.

Rename DetectEngineContentModifiedBufferSetup to DetectEngineContentModifierBufferSetup.

Also rename DetectFigureFPAndId() to DetectSetFastPatternAndItsId().

Updated DetectSetFastPatternAndItsId() to not exit on failure and return error.
13 years ago
Anoop Saldanha 6de8b1ed53 fix for #564.
Get rid of the hash table, and use a single-one_time_alloc'ed array for
pattern id assignment.
13 years ago
Anoop Saldanha e77fd1c883 We now assign ids to fp patterns only. Rest of them don't need one. 13 years ago
Anoop Saldanha 4c6efa2d40 Update content id assignment.
All fp id assignment now happens in one go.
Also noticing a slight perf increase, probably emanating from improved cache
perf.
Removed irrelevant unittests as well.
13 years ago
Anoop Saldanha 601836d831 Fast pattern setup now configurable in our code.
You can either enable/disable fp for a particular type + set priority.
13 years ago
Victor Julien 37c80ea508 If an IP-only pass rule matches, set the no inspect flag for that flow. Bug #718. 13 years ago
Anoop Saldanha 3511f91bba Add support for the new keyword - http_raw_host header.
The corresponding pcre modifier would be 'Z'.
13 years ago
Anoop Saldanha c4ce19a1be Add support for a new keyword to inspect http_host header.
The corresponding content keyword would now be - http_host.
The corresponding pcre modifier would be W.
13 years ago
Victor Julien afb2d4eddf Fix stateful inspection not always inspecting at stream end. 13 years ago
Ignacio Sanchez d771e08156 Adds support for the geoip keyword
Adds support for match-on conditions (src, dst, any, both)
Uses GEOIP_MEMORY_CACHE for performance reasons
Adds support for negation and multiple countries in the same rule

Bug fixes

Changed to take flow direction from rule, if present

Comments addressed. Unit tests added.
13 years ago
Victor Julien 538a941486 decoder events: fix bug causing some rules not to be inspected if the decoder completed with warnings 13 years ago
Anoop Saldanha b1ce94babe Temporary fix for bug #599.
Treat sigs with negated addresses as non ip-only.

This fix exposes bug #608, which results in 2 failed unittest which
have now been disabled by this commit.  Would be reenabled when we
have #608 fix in.
13 years ago
Last G 8ae11f73b2 Added parentheses to fix Eclipse static code analysis
Fixed bug in action priority (REJECT_DST had lowest prio)
13 years ago
Eric Leblond 40891223e9 list-keyword: detect non built keyword
This patch update the glafs list to be able to indicate that a
flag is not supported. This information is used by list-keyword to
display information to the user.
13 years ago
Eric Leblond 6842545331 Add documentation url in list-keyword output.
The output of the list-keyword is modified to include the url to
the keyword documentation when this is available. All documented
keywords should have their link set.

list-keyword can be used with an optional value:
 no option or short: display list of keywords
 csv: display a csv output on info an all keywords
 all: display a human readable output of keywords info
 $KWD: display the info about one keyword.
13 years ago
Eric Leblond 5e4552fdcd suricata: update list-keyword command
This patch update the list-keyword command. Without any option,
the previous behavior is conserved. If 'all' is used as option,
suricata print a csv formatted output of keyword information:
	name;features;description
If a keyword name is used as argument, suricata print a readable
message:
tls.subject
Features: state inspecting
Description: Match TLS/SSL certificate Subject field
13 years ago
Eric Leblond 86709f5e9d rule analyser: display message for invalid signatures 13 years ago
Victor Julien e30b1bfe64 Simple IP reputation implementation 13 years ago
Victor Julien 84bad6db77 Silence compiler warnings found by clang 13 years ago
Xavier Lange 234922f3c6 Keyword pkt_data 13 years ago
Victor Julien 70bc9e2494 filestore: fix logic flag in continued stateful detection 13 years ago
Anoop Saldanha 7a7cd6999e feature #558.
Print FP info in rule analysis + other cleanup.
13 years ago
Victor Julien a3f963f630 filestore: fix a case where a matching non-filestore sig could trigger the store of a partially matching filestore sig. 13 years ago
Victor Julien 80d62b59ec Fix drop (and other actions) not being applied to thresholded packets. Bug #613. 13 years ago
Anoop Saldanha b99f9fe890 New app inspection engine introduced. Moved existing inspecting engines to use it. 13 years ago
Anoop Saldanha 10a6e6a3eb Engine cleanup. Remove all old engine inspection and mpm functions. 13 years ago
Anoop Saldanha b0e20a486c update client/server/http_header to use a different form of
buffering/buffer_retrieval.

Now it happens per tx, based on tx id.  Also notice a perf improvement with
this.
13 years ago
Victor Julien 10a11b750d Add dsize check to prefilter stage
Many sigs with dsize have a weak fast_pattern. Those patterns
are likely to match. By filtering on dsize early, we safe a lot
of cycles later.
13 years ago
Victor Julien 45cbef0735 For signatures with the dsize option set depth on any content match in that sig. 13 years ago
Anoop Saldanha 3d74fa964a Update all flow referencing to use the new FlowReference and FlowDeReference
macros.
13 years ago
Eric Leblond e176be6fcc Use unlikely for error treatment.
When handling error case on SCMallog, SCCalloc or SCStrdup
we are in an unlikely case. This patch adds the unlikely()
expression to indicate this to gcc.

This patch has been obtained via coccinelle. The transformation
is the following:

@istested@
identifier x;
statement S1;
identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)";
@@

x = func(...)
... when != x
- if (x == NULL) S1
+ if (unlikely(x == NULL)) S1
13 years ago
Eric Leblond d292004880 Add some missing checks of SCStrdup return. 13 years ago
Victor Julien 525367113a Fix compilation if luajit is disabled. 13 years ago
Victor Julien 98484ffdcc luajit: prealloc lua states to increases chances of alloc success. Luajit requires them to be in memory <2GB. 13 years ago
Victor Julien 9a4b612126 app layer events: prefilter sigs that need an event 13 years ago
Victor Julien 575c87aeba engine events: prefilter sigs that need a event 13 years ago
Victor Julien ec7e79c748 Rule profiling update
- Remove usage of counters api.
- Store stats in detect engine thread ctx to remove locking
- Support rule reloads
13 years ago
Eric Leblond d51dd6a30e Fix warning about unused return of SC_ATOMIC func. 13 years ago
Victor Julien f58e828c5e luajit: stub detection keyword 13 years ago
Eric Leblond 71b4257bc2 sig: add l3_proto keyword
This patch adds a l3_proto keyword to the signature language. It
can be used to specify if the signature has to match on IPv4, IPv6
or both. For example, one can write:
  alert http any any -> any 22 (msg: "HTTP v6"; l3_proto:ip6; sid:14;)

This should close #494.
13 years ago
Eric Leblond fd7b6db22d sig: Add ipv6 and ipv4 to list of protocols
With this patch it is possible to do:
 alert ipv6 any any -> any any
or
 alert ip4 any any -> any any
to match on IPv4 or IPv6 packets.
13 years ago
Victor Julien 5d27518bbd Make sure we never underflow len in DetectLoadSigFile 13 years ago
Victor Julien 8f71333e12 file: implement filesize keyword. #489. 13 years ago
pi-rho 0df4c5838d spelling corrections documented in redmine bug#533 13 years ago
Victor Julien bd6b865473 rule analyzer: fix fast pattern analyzer reporting wrong filename (same as rule analyzer). 13 years ago
Victor Julien 6841171882 profiling: fix 'match' counter sometimes not incrementing. #460. 13 years ago
Anoop Saldanha 64fad5b36e Update fast_pattern engine to not use negated content as fast_pattern if we have non-negated content in the sig.
Noticing a good spike in perf with et_pro ruleset.

Thanks to Will Metcalf for the suggestion.
13 years ago
Victor Julien d8356c5ebd Windows build and other misc fixes. 13 years ago
Victor Julien c9e93ec52c filemd5: add support code for md5 handling for signatures. 13 years ago
Anoop Saldanha 0c24bbab0c code cleanup for live swap 13 years ago
Anoop Saldanha 32183faa82 free flowvar entries in flow after live rule swap. Sync flowbits entries into packet struct to be used by alert debuglog when alert debuglog is enabled 13 years ago
Victor Julien 4cde2355bd Simplify flow resetting on de_ctx update. Detect ctx id starts at 1. So in a flow 0 means uninitialized (thus set) and if we detect flow is not equal to detect id, we reset the sgh storage and de_state. 13 years ago
Anoop Saldanha ecad4a24fa live rule support added
To reload ruleset during engine runtime, send the USR2 signal to the engine, and the ruleset would be reloaded from the same yaml file supplied at engine startup
13 years ago