aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
main-8.0.x
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.2
suricata-7.0.13
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '867d493d7f'
${ noResults }
suricata/src/detect-mpm.c

230 lines
6.3 KiB
C
Raw Blame History

/* Multi pattern matcher */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include "decode.h"
#include "detect.h"
#include "detect-siggroup.h"
#include "detect-mpm.h"
#include "util-mpm.h"
#include "flow.h"
#include "flow-var.h"
#include "detect-flow.h"
#include "detect-content.h"
#include "detect-uricontent.h"
u_int32_t PacketPatternMatch(ThreadVars *t, PatternMatcherThread *pmt, Packet *p) {
u_int32_t ret;
ret = pmt->mc->Search(pmt->mc, &pmt->mtc, p->tcp_payload, p->tcp_payload_len);
//printf("PacketPatternMatch: ret %u\n", ret);
return ret;
}
/* cleans up the mpm instance after a match */
void PacketPatternCleanup(ThreadVars *t, PatternMatcherThread *pmt) {
/* content */
if (pmt->mc != NULL && pmt->mc->Cleanup != NULL) {
pmt->mc->Cleanup(&pmt->mtc);
}
/* uricontent */
if (pmt->mcu != NULL && pmt->mcu->Cleanup != NULL) {
pmt->mcu->Cleanup(&pmt->mtcu);
}
}
/* XXX remove this once we got rid of the global mpm_ctx */
void PatternMatchDestroy(MpmCtx *mc) {
u_int8_t instance = 0;
for (instance = 0; instance < MPM_INSTANCE_MAX; instance++)
mc[instance].DestroyCtx(&mc[instance]);
}
/* TODO remove this when we move to the rule groups completely */
void PatternMatchPrepare(MpmCtx *mc)
{
u_int8_t instance = 0;
/* intialize contexes */
for (instance = 0; instance < MPM_INSTANCE_MAX; instance++) {
MpmInitCtx(&mc[instance], MPM_WUMANBER);
}
}
/* free the pattern matcher part of a SigGroupHead */
void PatternMatchDestroyGroup(SigGroupHead *sh) {
/* content */
if (sh->flags & SIG_GROUP_HAVECONTENT && sh->mpm_ctx != NULL) {
sh->mpm_ctx->DestroyCtx(sh->mpm_ctx);
free(sh->mpm_ctx);
/* ready for reuse */
sh->mpm_ctx = NULL;
sh->flags &= ~SIG_GROUP_HAVECONTENT;
}
/* uricontent */
if (sh->flags & SIG_GROUP_HAVEURICONTENT && sh->mpm_uri_ctx != NULL) {
sh->mpm_uri_ctx->DestroyCtx(sh->mpm_uri_ctx);
free(sh->mpm_uri_ctx);
/* ready for reuse */
sh->mpm_uri_ctx = NULL;
sh->flags &= ~SIG_GROUP_HAVEURICONTENT;
}
}
/*
*
* TODO
* - determine if a content match can set the 'single' flag
*
*
* XXX do error checking
*/
int PatternMatchPrepareGroup(SigGroupHead *sh)
{
Signature *s;
SigGroupContainer *sc;
u_int32_t co_cnt = 0;
u_int32_t ur_cnt = 0;
u_int32_t cnt = 0;
/* see if this head has content and/or uricontent */
for (sc = sh->head; sc != NULL; sc = sc->next) {
s = sc->s;
/* find flow setting of this rule */
SigMatch *sm;
for (sm = s->match; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_CONTENT) {
co_cnt++;
} else if (sm->type == DETECT_URICONTENT) {
ur_cnt++;
}
}
}
if (co_cnt > 0) {
sh->flags |= SIG_GROUP_HAVECONTENT;
}
if (ur_cnt > 0) {
sh->flags |= SIG_GROUP_HAVEURICONTENT;
}
/* intialize contexes */
if (sh->flags & SIG_GROUP_HAVECONTENT) {
sh->mpm_ctx = malloc(sizeof(MpmCtx));
if (sh->mpm_ctx == NULL)
goto error;
MpmInitCtx(sh->mpm_ctx, MPM_WUMANBER);
}
if (sh->flags & SIG_GROUP_HAVEURICONTENT) {
sh->mpm_uri_ctx = malloc(sizeof(MpmCtx));
if (sh->mpm_uri_ctx == NULL)
goto error;
MpmInitCtx(sh->mpm_uri_ctx, MPM_WUMANBER);
}
/* for each signature in this group do */
for (sc = sh->head; sc != NULL; sc = sc->next) {
s = sc->s;
cnt++;
/* find flow setting of this rule */
SigMatch *sm;
for (sm = s->match; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_CONTENT) {
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_NOCASE) {
sh->mpm_ctx->AddPatternNocase(sh->mpm_ctx, cd->content, cd->content_len, cd->id);
} else {
sh->mpm_ctx->AddPattern(sh->mpm_ctx, cd->content, cd->content_len, cd->id);
}
} else if (sm->type == DETECT_URICONTENT) {
DetectUricontentData *ud = (DetectUricontentData *)sm->ctx;
if (ud->flags & DETECT_URICONTENT_NOCASE) {
sh->mpm_uri_ctx->AddPatternNocase(sh->mpm_uri_ctx, ud->uricontent, ud->uricontent_len, ud->id);
} else {
sh->mpm_uri_ctx->AddPattern(sh->mpm_uri_ctx, ud->uricontent, ud->uricontent_len, ud->id);
}
}
}
}
/* content */
if (sh->flags & SIG_GROUP_HAVECONTENT) {
if (sh->mpm_ctx->Prepare != NULL) {
sh->mpm_ctx->Prepare(sh->mpm_ctx);
}
}
/* uricontent */
if (sh->flags & SIG_GROUP_HAVEURICONTENT) {
if (sh->mpm_uri_ctx->Prepare != NULL) {
sh->mpm_uri_ctx->Prepare(sh->mpm_uri_ctx);
}
}
//printf("Printing info...\n");
//sh->mpm_ctx.PrintCtx(&sh->mpm_ctx);
//sh->mpm_uri_ctx.PrintCtx(&sh->mpm_uri_ctx);
//printf("mpm_ctx %p\n", &sh->mpm_uri_ctx);
return 0;
error:
/* XXX */
return -1;
}
int PatternMatcherThreadInit(ThreadVars *t, void **data) {
PatternMatcherThread *pmt = malloc(sizeof(PatternMatcherThread));
if (pmt == NULL) {
return -1;
}
memset(pmt, 0, sizeof(PatternMatcherThread));
/* XXX we still depend on the global mpm_ctx here
*
* Initialize the thread pattern match ctx with the max size
* of the content and uricontent id's so our match lookup
* table is always big enough
*/
mpm_ctx[0].InitThreadCtx(&mpm_ctx[0], &pmt->mtc, DetectContentMaxId());
mpm_ctx[0].InitThreadCtx(&mpm_ctx[0], &pmt->mtcu, DetectUricontentMaxId());
*data = (void *)pmt;
//printf("PatternMatcherThreadInit: data %p pmt %p\n", *data, pmt);
return 0;
}
int PatternMatcherThreadDeinit(ThreadVars *t, void *data) {
PatternMatcherThread *pmt = (PatternMatcherThread *)data;
/* XXX */
mpm_ctx[0].DestroyThreadCtx(&mpm_ctx[0], &pmt->mtc);
mpm_ctx[0].DestroyThreadCtx(&mpm_ctx[0], &pmt->mtcu);
return 0;
}
void PatternMatcherThreadInfo(ThreadVars *t, PatternMatcherThread *pmt) {
/* XXX */
mpm_ctx[0].PrintThreadCtx(&pmt->mtc);
mpm_ctx[0].PrintThreadCtx(&pmt->mtcu);
}
Reference in New Issue View Git Blame Copy Permalink