From 21ee59e6f3ee73ba4436ff759f2e0d24cbff5b28 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 6 Jan 2012 18:51:55 +0100
Subject: [PATCH] Add signature direction (flow:toserver/flow:toclient) as a signature flag.

---
 src/detect-flow.c  | 18 ++++++++++++++----
 src/detect-parse.c | 10 ++++++++++
 src/detect.c       | 40 +++++++++++-----------------------------
 src/detect.h       |  3 +++
 4 files changed, 38 insertions(+), 33 deletions(-)

diff --git a/src/detect-flow.c b/src/detect-flow.c
index e632822689..446bdab1d2 100644
--- a/src/detect-flow.c
+++ b/src/detect-flow.c
@@ -297,8 +297,6 @@ int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, char *flowstr)
     DetectFlowData *fd = NULL;
     SigMatch *sm = NULL;
 
-    //printf("DetectFlowSetup: \'%s\'\n", flowstr);
-
     fd = DetectFlowParse(flowstr);
     if (fd == NULL)
         goto error;
@@ -314,6 +312,16 @@ int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, char *flowstr)
 
     SigMatchAppendPacket(s, sm);
 
+    /* set the signature direction flags */
+    if (fd->flags & FLOW_PKT_TOSERVER) {
+        s->flags |= SIG_FLAG_TOSERVER;
+    } else if (fd->flags & FLOW_PKT_TOCLIENT) {
+        s->flags |= SIG_FLAG_TOCLIENT;
+    } else {
+        s->flags |= SIG_FLAG_TOSERVER;
+        s->flags |= SIG_FLAG_TOCLIENT;
+    }
+
     if (fd->flags & FLOW_PKT_ONLYSTREAM) {
         s->flags |= SIG_FLAG_REQUIRE_STREAM;
     }
@@ -325,8 +333,10 @@ int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, char *flowstr)
     return 0;
 
 error:
-    if (fd != NULL) DetectFlowFree(fd);
-    if (sm != NULL) SCFree(sm);
+    if (fd != NULL)
+        DetectFlowFree(fd);
+    if (sm != NULL)
+        SCFree(sm);
     return -1;
 }
 
diff --git a/src/detect-parse.c b/src/detect-parse.c
index fa6dd7216a..3f1d343e6f 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
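Review bot: In the direction block added after `SigMatchAppendPacket(s, sm);`, the `else if` gives FLOW_PKT_TOSERVER precedence over FLOW_PKT_TOCLIENT, whereas the DetectEngineLookupFlowAddSig code this patch removes tested TOCLIENT first; if DetectFlowParse can ever return both bits for one keyword (not visible here), such a signature now lands only in the toserver group and silently never fires on toclient traffic, a detection gap rather than a load-time error. Testing the bits independently removes the precedence question and mirrors how detect.c now consumes the flags: `if (fd->flags & FLOW_PKT_TOSERVER) s->flags |= SIG_FLAG_TOSERVER;` / `if (fd->flags & FLOW_PKT_TOCLIENT) s->flags |= SIG_FLAG_TOCLIENT;` with the neither-set fallback keyed on `(fd->flags & (FLOW_PKT_TOSERVER | FLOW_PKT_TOCLIENT)) == 0`. Whichever form is kept, the comment should say who consumes these bits, e.g. `/* direction flags: DetectEngineLookupFlowAddSig uses these to pick flow_gh[0] (toclient) / flow_gh[1] (toserver) */`. DetectFlowSetup starts before this hunk and its error path is in the following hunk.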
@@ -1509,6 +1509,11 @@ Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) {
     if (sig->sm_lists[DETECT_SM_LIST_FILEMATCH])
         sig->flags |= SIG_FLAG_STATE_MATCH;
 
+    if (!(sig->init_flags & SIG_FLAG_INIT_FLOW)) {
+        sig->flags |= SIG_FLAG_TOSERVER;
+        sig->flags |= SIG_FLAG_TOCLIENT;
+    }
+
     SCLogDebug("sig %"PRIu32" SIG_FLAG_APPLAYER: %s, SIG_FLAG_PACKET: %s",
         sig->id, sig->flags & SIG_FLAG_APPLAYER ? "set" : "not set",
         sig->init_flags & SIG_FLAG_INIT_PACKET ? "set" : "not set");
@@ -1695,6 +1700,11 @@ Signature *SigInitReal(DetectEngineCtx *de_ctx, char *sigstr) {
     if (sig->sm_lists[DETECT_SM_LIST_FILEMATCH])
         sig->flags |= SIG_FLAG_STATE_MATCH;
 
+    if (!(sig->init_flags & SIG_FLAG_INIT_FLOW)) {
+        sig->flags |= SIG_FLAG_TOSERVER;
+        sig->flags |= SIG_FLAG_TOCLIENT;
+    }
+
     SigBuildAddressMatchArray(sig);
 
     SCLogDebug("sig %"PRIu32" SIG_FLAG_APPLAYER: %s, SIG_FLAG_PACKET: %s",
diff --git a/src/detect.c b/src/detect.c
index 6d98dc30ae..0adb0ec9b0 100644
--- a/src/detect.c
+++ b/src/detect.c
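Review bot: The five-line default-direction block is pasted identically into SigInit and SigInitReal, and it restates the `else` fallback in DetectFlowSetup, so the rule "no flow direction means both directions" now lives in three places that must stay in sync; a small static helper called from both init paths keeps it to two. The block also carries an unstated invariant: it only fires when SIG_FLAG_INIT_FLOW is clear, so it relies on DetectFlowSetup having set at least one of SIG_FLAG_TOSERVER/SIG_FLAG_TOCLIENT whenever a flow keyword was present, otherwise the signature ends up in no flow group and never matches. Both SigInit and SigInitReal start and end outside these hunks.
```c
/* A signature without a flow keyword matches in both directions;
 * DetectFlowSetup sets the direction bits when a flow keyword is present. */
static void SigSetDefaultDirection(Signature *sig) {
    if (!(sig->init_flags & SIG_FLAG_INIT_FLOW)) {
        sig->flags |= SIG_FLAG_TOSERVER;
        sig->flags |= SIG_FLAG_TOCLIENT;
    }
}
/* … in SigInit and SigInitReal, replacing the inline block … */
    SigSetDefaultDirection(sig);
```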
@@ -2464,40 +2464,22 @@ error:
     return -1;
 }
 
-/* add signature to the right flow groups
+/**
+ * \brief add signature to the right flow group(s)
  */
 static int DetectEngineLookupFlowAddSig(DetectEngineCtx *de_ctx, Signature *s, int family) {
-    uint8_t flags = 0;
-
-    if (s->init_flags & SIG_FLAG_INIT_FLOW) {
-        SigMatch *sm = s->sm_lists[DETECT_SM_LIST_MATCH];
-        for ( ; sm != NULL; sm = sm->next) {
-            if (sm->type != DETECT_FLOW)
-                continue;
-
-            DetectFlowData *df = (DetectFlowData *)sm->ctx;
-            if (df == NULL)
-                continue;
+    SCLogDebug("s->id %u", s->id);
 
-            flags = df->flags;
-        }
+    if (s->flags & SIG_FLAG_TOCLIENT) {
+        SCLogDebug("s->id %u (toclient)", s->id);
+        DetectEngineLookupBuildSourceAddressList(de_ctx,
+                &de_ctx->flow_gh[0], s, family);
     }
 
-    if (flags & FLOW_PKT_TOCLIENT) {
-        /* only toclient */
-        DetectEngineLookupBuildSourceAddressList(de_ctx, &de_ctx->flow_gh[0], s, family);
-
-    } else if (flags & FLOW_PKT_TOSERVER) {
-        /* only toserver */
-        DetectEngineLookupBuildSourceAddressList(de_ctx, &de_ctx->flow_gh[1], s, family);
-
-    } else {
-        //printf("DetectEngineLookupFlowAddSig: s->id %"PRIu32"\n", s->id);
-
-        /* both */
-        DetectEngineLookupBuildSourceAddressList(de_ctx, &de_ctx->flow_gh[0], s, family);
-        DetectEngineLookupBuildSourceAddressList(de_ctx, &de_ctx->flow_gh[1], s, family);
-
+    if (s->flags & SIG_FLAG_TOSERVER) {
+        SCLogDebug("s->id %u (toserver)", s->id);
+        DetectEngineLookupBuildSourceAddressList(de_ctx,
+                &de_ctx->flow_gh[1], s, family);
     }
 
     return 0;
diff --git a/src/detect.h b/src/detect.h
index b964b129a1..c801449a7a 100644
--- a/src/detect.h
+++ b/src/detect.h
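Review bot: The rewritten DetectEngineLookupFlowAddSig drops the fallback the removed `else` branch provided: a Signature with neither SIG_FLAG_TOCLIENT nor SIG_FLAG_TOSERVER set is now added to no flow group and still returns 0, so it silently never matches, a fail-open outcome that should be surfaced rather than hidden. This patch sets the bits in DetectFlowSetup and in the SigInit/SigInitReal defaults, so the case should be unreachable, but a Signature built by any other path would hit it; a guard after the first SCLogDebug such as `if (!(s->flags & (SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT))) { SCLogDebug("s->id %u has no direction flags", s->id); return -1; }`, or OR-ing both bits in to preserve the old "both groups" behaviour, makes the invariant explicit. Minor: the new debug lines print `s->id` with `%u` while the detect-parse.c hunks of this same patch use `%"PRIu32"` for the same field. The function's closing brace is after this hunk.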
@@ -248,6 +248,9 @@ typedef struct DetectPort_ {
 #define SIG_FLAG_FILESTORE (1<<19) /**< signature has filestore keyword */
 
+#define SIG_FLAG_TOSERVER (1<<20)
+#define SIG_FLAG_TOCLIENT (1<<21)
+
 /* signature init flags */
 #define SIG_FLAG_INIT_DEONLY 1 /**< decode event only signature */
 #define SIG_FLAG_INIT_PACKET (1<<1) /**< signature has matches against a packet (as opposed to app layer) */