diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c index c182abde01..c499a08fe9 100644 --- a/src/detect-engine-state.c +++ b/src/detect-engine-state.c @@ -126,15 +126,6 @@ static DeStateStore *DeStateStoreAlloc(void) return d; } -static DeStateStoreFlowRules *DeStateStoreFlowRulesAlloc(void) -{ - DeStateStoreFlowRules *d = SCMalloc(sizeof(DeStateStoreFlowRules)); - if (unlikely(d == NULL)) - return NULL; - memset(d, 0, sizeof(DeStateStoreFlowRules)); - - return d; -} static int DeStateSearchState(DetectEngineState *state, uint8_t direction, SigIntId num) { @@ -203,46 +194,6 @@ static void DeStateSignatureAppend(DetectEngineState *state, return; } -static void DeStateFlowRuleAppend(DetectEngineStateFlow *state, const Signature *s, - const SigMatchData *smd, uint32_t inspect_flags, - uint8_t direction) -{ - int jump = 0; - int i = 0; - DetectEngineStateDirectionFlow *dir_state = &state->dir_state[direction & STREAM_TOSERVER ? 0 : 1]; - DeStateStoreFlowRules *store = dir_state->head; - - if (store == NULL) { - store = DeStateStoreFlowRulesAlloc(); - if (store != NULL) { - dir_state->head = store; - dir_state->tail = store; - } - } else { - jump = dir_state->cnt / DE_STATE_CHUNK_SIZE; - for (i = 0; i < jump; i++) { - store = store->next; - } - if (store == NULL) { - store = DeStateStoreFlowRulesAlloc(); - if (store != NULL) { - dir_state->tail->next = store; - dir_state->tail = store; - } - } - } - - if (store == NULL) - return; - - SigIntId idx = dir_state->cnt++ % DE_STATE_CHUNK_SIZE; - store->store[idx].sid = s->num; - store->store[idx].flags = inspect_flags; - store->store[idx].nm = smd; - - return; -} - static void DeStateStoreStateVersion(Flow *f, const uint8_t alversion, uint8_t direction) { @@ -274,16 +225,6 @@ DetectEngineState *DetectEngineStateAlloc(void) return d; } -DetectEngineStateFlow *DetectEngineStateFlowAlloc(void) -{ - DetectEngineStateFlow *d = SCMalloc(sizeof(DetectEngineStateFlow)); - if (unlikely(d == NULL)) - return NULL; - memset(d, 0, sizeof(DetectEngineStateFlow)); - - return d; -} - void DetectEngineStateFree(DetectEngineState *state) { DeStateStore *store; @@ -303,32 +244,8 @@ void DetectEngineStateFree(DetectEngineState *state) return; } -void DetectEngineStateFlowFree(DetectEngineStateFlow *state) -{ - DeStateStoreFlowRules *store; - DeStateStoreFlowRules *store_next; - int i = 0; - - for (i = 0; i < 2; i++) { - store = state->dir_state[i].head; - while (store != NULL) { - store_next = store->next; - SCFree(store); - store = store_next; - } - } - SCFree(state); - - return; -} - static int HasStoredSigs(Flow *f, uint8_t flags) { - if (f->de_state != NULL && f->de_state->dir_state[flags & STREAM_TOSERVER ? 0 : 1].cnt != 0) { - SCLogDebug("global sigs present"); - return 1; - } - if (AppLayerParserProtocolSupportsTxs(f->proto, f->alproto)) { AppProto alproto = f->alproto; void *alstate = FlowGetAppState(f); @@ -372,18 +289,13 @@ static int HasStoredSigs(Flow *f, uint8_t flags) * * \retval 0 no inspectable state * \retval 1 inspectable state - * \retval 2 inspectable state, but no update */ int DeStateFlowHasInspectableState(Flow *f, AppProto alproto, const uint8_t alversion, uint8_t flags) { int r = 0; - if (!(flags & STREAM_EOF) && f->de_state && - f->detect_alversion[flags & STREAM_TOSERVER ? 0 : 1] == alversion) { - SCLogDebug("unchanged state"); - r = 2; - } else if (HasStoredSigs(f, flags)) { + if (HasStoredSigs(f, flags)) { r = 1; } else { r = 0; @@ -391,20 +303,8 @@ int DeStateFlowHasInspectableState(Flow *f, AppProto alproto, return r; } -static int StoreState(DetectEngineThreadCtx *det_ctx, - Flow *f, const uint8_t flags, const uint8_t alversion, - const Signature *s, const SigMatchData *smd, - const uint32_t inspect_flags, - const uint16_t file_no_match) +static int StoreState(Flow *f, const uint8_t flags, const uint8_t alversion) { - if (f->de_state == NULL) { - f->de_state = DetectEngineStateFlowAlloc(); - if (f->de_state == NULL) { - return 0; - } - } - - DeStateFlowRuleAppend(f->de_state, s, smd, inspect_flags, flags); DeStateStoreStateVersion(f, alversion, flags); return 1; } @@ -660,8 +560,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, } } - StoreState(det_ctx, f, flags, alversion, - s, smd, inspect_flags, file_no_match); + StoreState(f, flags, alversion); } end: det_ctx->tx_id = 0; @@ -873,82 +772,6 @@ static int DoInspectItem(ThreadVars *tv, return 1; } -/** \internal - * \brief Continue Detection for a single "flow" rule (AMATCH) - */ -static int DoInspectFlowRule(ThreadVars *tv, - DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, - DeStateStoreFlowRule *item, const uint8_t dir_state_flags, - Packet *p, Flow *f, AppProto alproto, uint8_t flags) -{ - /* flag rules that are either full inspected or unable to match - * in the de_state_sig_array so that prefilter filters them out */ - if (item->flags & (DE_STATE_FLAG_FULL_INSPECT|DE_STATE_FLAG_SIG_CANT_MATCH)) { - det_ctx->de_state_sig_array[item->sid] = DE_STATE_MATCH_NO_NEW_STATE; - return 0; - } - - uint8_t alert = 0; - uint32_t inspect_flags = item->flags; - int total_matches = 0; - int full_match = 0; - const SigMatchData *smd = NULL; - const Signature *s = de_ctx->sig_array[item->sid]; - - RULE_PROFILING_START(p); - - /* DCERPC matches */ - if (s->sm_arrays[DETECT_SM_LIST_DMATCH] != NULL && - (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB || - alproto == ALPROTO_SMB2) && - !(item->flags & DE_STATE_FLAG_DCE_PAYLOAD_INSPECT)) - { - void *alstate = FlowGetAppState(f); - if (alstate != NULL) { - KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_DMATCH); - if (DetectEngineInspectDcePayload(de_ctx, det_ctx, s, f, - flags, alstate) == 1) - { - total_matches++; - inspect_flags |= DE_STATE_FLAG_DCE_PAYLOAD_INSPECT; - } - } - } - /* update full_match with DMATCH result */ - if (s->sm_arrays[DETECT_SM_LIST_DMATCH] != NULL) { - full_match = ((inspect_flags & DE_STATE_FLAG_DCE_PAYLOAD_INSPECT) != 0); - } - - /* check the results */ - if (total_matches > 0 && (full_match || (inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH))) - { - if (full_match) - alert = 1; - inspect_flags |= DE_STATE_FLAG_FULL_INSPECT; - } - /* prevent the rule loop from reinspecting this rule */ - det_ctx->de_state_sig_array[item->sid] = DE_STATE_MATCH_NO_NEW_STATE; - RULE_PROFILING_END(det_ctx, s, (alert == 1), p); - - /* store the progress in the state */ - item->flags |= inspect_flags; - item->nm = smd; - - if (alert) { - SigMatchSignaturesRunPostMatch(tv, de_ctx, det_ctx, p, s); - - if (!(s->flags & SIG_FLAG_NOALERT)) { - PacketAlertAppend(det_ctx, s, p, 0, - PACKET_ALERT_FLAG_STATE_MATCH); - } else { - DetectSignatureApplyActions(p, s); - } - } - - DetectFlowvarProcessList(det_ctx, f); - return 1; -} - void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p, Flow *f, uint8_t flags, @@ -1040,29 +863,6 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, } } - /* continue on flow based state rules (AMATCH) */ - if (f->de_state != NULL) { - DetectEngineStateDirectionFlow *dir_state = &f->de_state->dir_state[direction]; - DeStateStoreFlowRules *store = dir_state->head; - /* Loop through stored 'items' (stateful rules) and inspect them */ - for (; store != NULL; store = store->next) { - for (store_cnt = 0; - store_cnt < DE_STATE_CHUNK_SIZE && state_cnt < dir_state->cnt; - store_cnt++, state_cnt++) - { - DeStateStoreFlowRule *rule = &store->store[store_cnt]; - - int r = DoInspectFlowRule(tv, de_ctx, det_ctx, - rule, dir_state->flags, - p, f, alproto, flags); - if (r < 0) { - goto end; - } - } - } - DeStateStoreStateVersion(f, alversion, flags); - } - end: det_ctx->tx_id = 0; det_ctx->tx_id_set = 0; @@ -1083,22 +883,6 @@ void DeStateUpdateInspectTransactionId(Flow *f, const uint8_t flags) return; } -void DetectEngineStateReset(DetectEngineStateFlow *state, uint8_t direction) -{ - if (state != NULL) { - if (direction & STREAM_TOSERVER) { - state->dir_state[0].cnt = 0; - state->dir_state[0].flags = 0; - } - if (direction & STREAM_TOCLIENT) { - state->dir_state[1].cnt = 0; - state->dir_state[1].flags = 0; - } - } - - return; -} - /** \brief Reset de state for active tx' * To be used on detect engine reload. * \param f write LOCKED flow diff --git a/src/detect-engine-state.h b/src/detect-engine-state.h index 3fcd7b08e3..9215739841 100644 --- a/src/detect-engine-state.h +++ b/src/detect-engine-state.h @@ -31,19 +31,6 @@ * \author Anoop Saldanha */ -/* On DeState and locking. - * - * The DeState is part of a flow, but it can't be protected by the flow lock. - * Reason is we need to lock the DeState data for an entire detection run, - * as we're looping through on "continued" detection and rely on only a single - * detection instance setting it up on first run. We can't keep the entire flow - * locked during detection for performance reasons, it would slow us down too - * much. - * - * So a new lock was introduced. The only part of the process where we need - * the flow lock is obviously when we're getting/setting the de_state ptr from - * to the flow. - */ #ifndef __DETECT_ENGINE_STATE_H__ #define __DETECT_ENGINE_STATE_H__ @@ -96,8 +83,6 @@ #define DE_STATE_MATCH_HAS_NEW_STATE 0x00 #define DE_STATE_MATCH_NO_NEW_STATE 0x80 -/* TX BASED (inspect engines) */ - typedef struct DeStateStoreItem_ { uint32_t flags; SigIntId sid; @@ -120,30 +105,6 @@ typedef struct DetectEngineState_ { DetectEngineStateDirection dir_state[2]; } DetectEngineState; -/* FLOW BASED (AMATCH) */ - -typedef struct DeStateStoreFlowRule_ { - const SigMatchData *nm; - uint32_t flags; - SigIntId sid; -} DeStateStoreFlowRule; - -typedef struct DeStateStoreFlowRules_ { - DeStateStoreFlowRule store[DE_STATE_CHUNK_SIZE]; - struct DeStateStoreFlowRules_ *next; -} DeStateStoreFlowRules; - -typedef struct DetectEngineStateDirectionFlow_ { - DeStateStoreFlowRules *head; - DeStateStoreFlowRules *tail; - SigIntId cnt; - uint8_t flags; -} DetectEngineStateDirectionFlow; - -typedef struct DetectEngineStateFlow_ { - DetectEngineStateDirectionFlow dir_state[2]; -} DetectEngineStateFlow; - /** * \brief Alloc a DetectEngineState object. * @@ -157,7 +118,6 @@ DetectEngineState *DetectEngineStateAlloc(void); * \param state DetectEngineState instance to free. */ void DetectEngineStateFree(DetectEngineState *state); -void DetectEngineStateFlowFree(DetectEngineStateFlow *state); /** * \brief Check if a flow already contains(newly updated as well) de state. @@ -216,14 +176,6 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, */ void DeStateUpdateInspectTransactionId(Flow *f, const uint8_t flags); -/** - * \brief Reset a DetectEngineState state. - * - * \param state Pointer to the state(LOCKED). - * \param direction Direction flags - STREAM_TOSERVER or STREAM_TOCLIENT. - */ -void DetectEngineStateReset(DetectEngineStateFlow *state, uint8_t direction); - void DetectEngineStateResetTxs(Flow *f); void DeStateRegisterTests(void); diff --git a/src/detect-engine-uri.c b/src/detect-engine-uri.c index e6684cff73..084f9dde31 100644 --- a/src/detect-engine-uri.c +++ b/src/detect-engine-uri.c @@ -225,8 +225,6 @@ static int UriTestSig01(void) goto end; } - DetectEngineStateReset(f.de_state, STREAM_TOSERVER | STREAM_TOCLIENT); - FLOWLOCK_WRLOCK(&f); r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); @@ -349,8 +347,6 @@ static int UriTestSig02(void) goto end; } - DetectEngineStateReset(f.de_state, STREAM_TOSERVER | STREAM_TOCLIENT); - FLOWLOCK_WRLOCK(&f); r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); @@ -473,8 +469,6 @@ static int UriTestSig03(void) goto end; } - DetectEngineStateReset(f.de_state, STREAM_TOSERVER | STREAM_TOCLIENT); - FLOWLOCK_WRLOCK(&f); r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); @@ -597,8 +591,6 @@ static int UriTestSig04(void) goto end; } - DetectEngineStateReset(f.de_state, STREAM_TOSERVER | STREAM_TOCLIENT); - FLOWLOCK_WRLOCK(&f); r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); @@ -721,8 +713,6 @@ static int UriTestSig05(void) goto end; } - DetectEngineStateReset(f.de_state, STREAM_TOSERVER | STREAM_TOCLIENT); - FLOWLOCK_WRLOCK(&f); r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); @@ -845,8 +835,6 @@ static int UriTestSig06(void) goto end; } - DetectEngineStateReset(f.de_state, STREAM_TOSERVER | STREAM_TOCLIENT); - FLOWLOCK_WRLOCK(&f); r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); @@ -969,8 +957,6 @@ static int UriTestSig07(void) goto end; } - DetectEngineStateReset(f.de_state, STREAM_TOSERVER | STREAM_TOCLIENT); - FLOWLOCK_WRLOCK(&f); r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); @@ -1093,8 +1079,6 @@ static int UriTestSig08(void) goto end; } - DetectEngineStateReset(f.de_state, STREAM_TOSERVER | STREAM_TOCLIENT); - FLOWLOCK_WRLOCK(&f); r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); @@ -1217,8 +1201,6 @@ static int UriTestSig09(void) goto end; } - DetectEngineStateReset(f.de_state, STREAM_TOSERVER | STREAM_TOCLIENT); - FLOWLOCK_WRLOCK(&f); r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); @@ -1341,8 +1323,6 @@ static int UriTestSig10(void) goto end; } - DetectEngineStateReset(f.de_state, STREAM_TOSERVER | STREAM_TOCLIENT); - FLOWLOCK_WRLOCK(&f); r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); @@ -1466,8 +1446,6 @@ static int UriTestSig11(void) goto end; } - DetectEngineStateReset(f.de_state, STREAM_TOSERVER | STREAM_TOCLIENT); - FLOWLOCK_WRLOCK(&f); r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); @@ -1591,8 +1569,6 @@ static int UriTestSig12(void) goto end; } - DetectEngineStateReset(f.de_state, STREAM_TOSERVER | STREAM_TOCLIENT); - FLOWLOCK_WRLOCK(&f); r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); @@ -1715,8 +1691,6 @@ static int UriTestSig13(void) goto end; } - DetectEngineStateReset(f.de_state, STREAM_TOSERVER | STREAM_TOCLIENT); - FLOWLOCK_WRLOCK(&f); r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); @@ -1840,8 +1814,6 @@ static int UriTestSig14(void) goto end; } - DetectEngineStateReset(f.de_state, STREAM_TOSERVER | STREAM_TOCLIENT); - FLOWLOCK_WRLOCK(&f); r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); @@ -1965,8 +1937,6 @@ static int UriTestSig15(void) goto end; } - DetectEngineStateReset(f.de_state, STREAM_TOSERVER | STREAM_TOCLIENT); - FLOWLOCK_WRLOCK(&f); r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf2, http_buf2_len); @@ -2089,7 +2059,6 @@ static int UriTestSig16(void) } p->alerts.cnt = 0; - DetectEngineStateReset(f.de_state, STREAM_TOSERVER | STREAM_TOCLIENT); p->payload = http_buf2; p->payload_len = http_buf2_len; diff --git a/src/detect.c b/src/detect.c index bd58de6567..780216a30e 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1105,8 +1105,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh GenericVarFree(pflow->flowvar); pflow->flowvar = NULL; - DetectEngineStateReset(pflow->de_state, - (STREAM_TOSERVER|STREAM_TOCLIENT)); DetectEngineStateResetTxs(pflow); } @@ -1236,9 +1234,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh /* initialize to 0(DE_STATE_MATCH_HAS_NEW_STATE) */ DeStateDetectContinueDetection(th_v, de_ctx, det_ctx, p, pflow, flow_flags, alproto, alversion); - } else if (has_inspectable_state == 2) { - /* no inspectable state, so pretend we don't have a state at all */ - has_state = 0; } } PACKET_PROFILING_DETECT_END(p, PROF_DETECT_STATEFUL); diff --git a/src/flow-util.h b/src/flow-util.h index 8eea21ee42..c0b8c06967 100644 --- a/src/flow-util.h +++ b/src/flow-util.h @@ -61,7 +61,6 @@ (f)->detect_alversion[1] = 0; \ (f)->alparser = NULL; \ (f)->alstate = NULL; \ - (f)->de_state = NULL; \ (f)->sgh_toserver = NULL; \ (f)->sgh_toclient = NULL; \ (f)->flowvar = NULL; \ @@ -102,9 +101,6 @@ (f)->thread_id = 0; \ (f)->detect_alversion[0] = 0; \ (f)->detect_alversion[1] = 0; \ - if ((f)->de_state != NULL) { \ - DetectEngineStateReset((f)->de_state, (STREAM_TOSERVER | STREAM_TOCLIENT)); \ - } \ (f)->sgh_toserver = NULL; \ (f)->sgh_toclient = NULL; \ GenericVarFree((f)->flowvar); \ @@ -118,9 +114,6 @@ SC_ATOMIC_DESTROY((f)->use_cnt); \ \ FLOWLOCK_DESTROY((f)); \ - if ((f)->de_state != NULL) { \ - DetectEngineStateFlowFree((f)->de_state); \ - } \ GenericVarFree((f)->flowvar); \ } while(0) diff --git a/src/flow.h b/src/flow.h index d6660dd00c..35ba26f589 100644 --- a/src/flow.h +++ b/src/flow.h @@ -386,7 +386,7 @@ typedef struct Flow_ /** detection engine ctx id used to inspect this flow. Set at initial * inspection. If it doesn't match the currently in use de_ctx, the - * de_state and stored sgh ptrs are reset. */ + * stored sgh ptrs are reset. */ uint32_t de_ctx_id; /** Thread ID for the stream/detect portion of this flow */ @@ -401,9 +401,6 @@ typedef struct Flow_ AppLayerParserState *alparser; /**< parser internal state */ void *alstate; /**< application layer state */ - /** detection engine state */ - struct DetectEngineStateFlow_ *de_state; - /** toclient sgh for this flow. Only use when FLOW_SGH_TOCLIENT flow flag * has been set. */ const struct SigGroupHead_ *sgh_toclient;