diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c
index ff30f08d23..e2b2d03d7a 100644
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
@@ -788,8 +788,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 }
 /* tell matcher we are inspecting stream */
 s->flags |= SIG_FLAG_MPM_STREAM;
- s->mpm_stream_pattern_id_div_8 = cd->id / 8;
- s->mpm_stream_pattern_id_mod_8 = 1 << (cd->id % 8);
+ s->mpm_pattern_id_div_8 = cd->id / 8;
+ s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
 if (cd->flags & DETECT_CONTENT_NEGATED) {
 SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
 s->flags |= SIG_FLAG_MPM_STREAM_NEG;
@@ -851,8 +851,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 }
 /* tell matcher we are inspecting stream */
 s->flags |= SIG_FLAG_MPM_STREAM;
- s->mpm_stream_pattern_id_div_8 = cd->id / 8;
- s->mpm_stream_pattern_id_mod_8 = 1 << (cd->id % 8);
+ s->mpm_pattern_id_div_8 = cd->id / 8;
+ s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
 if (cd->flags & DETECT_CONTENT_NEGATED) {
 SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
 s->flags |= SIG_FLAG_MPM_STREAM_NEG;
@@ -915,7 +915,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 }
 /* tell matcher we are inspecting uri */
 s->flags |= SIG_FLAG_MPM_URICONTENT;
- s->mpm_http_pattern_id = ud->id;
+ s->mpm_pattern_id_div_8 = ud->id / 8;
+ s->mpm_pattern_id_mod_8 = 1 << (ud->id % 8);
 if (ud->flags & DETECT_CONTENT_NEGATED)
 s->flags |= SIG_FLAG_MPM_URICONTENT_NEG;
@@ -970,7 +971,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 }
 /* tell matcher we are inspecting uri */
 s->flags |= SIG_FLAG_MPM_HCBDCONTENT;
- s->mpm_http_pattern_id = hcbd->id;
+ s->mpm_pattern_id_div_8 = hcbd->id / 8;
+ s->mpm_pattern_id_mod_8 = 1 << (hcbd->id % 8);
 if (hcbd->flags & DETECT_CONTENT_NEGATED)
 s->flags |= SIG_FLAG_MPM_HCBDCONTENT_NEG;
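Review bot: The HTTP-buffer hunks, starting with the uricontent one at `s->mpm_pattern_id_div_8 = ud->id / 8;`, now keep the pattern id as a `uint16_t` quotient where the removed `mpm_http_pattern_id` held a full `PatIntId`, so an id of 524288 or above would wrap and point the prefilter at the wrong bit. The width of `PatIntId` is not visible here, so this needs confirming; if ids can get that large they should be rejected or logged when the signature is loaded, because a wrapped index lets the match-array builder drop a signature whose pattern did match, with no error. A comment next to the assignment such as `/* id / 8 must fit in uint16_t, i.e. pattern ids stay below 2^19 */` would record the limit. The same applies to the hcbd, hsbd, hhd, hrhd, hmd, hcd and hrud hunks; PopulateMpmAddPatternToMpm starts and ends outside all of them.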
@@ -1025,7 +1027,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 }
 /* tell matcher we are inspecting uri */
 s->flags |= SIG_FLAG_MPM_HSBDCONTENT;
- s->mpm_http_pattern_id = hsbd->id;
+ s->mpm_pattern_id_div_8 = hsbd->id / 8;
+ s->mpm_pattern_id_mod_8 = 1 << (hsbd->id % 8);
 if (hsbd->flags & DETECT_CONTENT_NEGATED)
 s->flags |= SIG_FLAG_MPM_HSBDCONTENT_NEG;
@@ -1080,7 +1083,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 }
 /* tell matcher we are inspecting uri */
 s->flags |= SIG_FLAG_MPM_HHDCONTENT;
- s->mpm_http_pattern_id = hhd->id;
+ s->mpm_pattern_id_div_8 = hhd->id / 8;
+ s->mpm_pattern_id_mod_8 = 1 << (hhd->id % 8);
 if (hhd->flags & DETECT_CONTENT_NEGATED)
 s->flags |= SIG_FLAG_MPM_HHDCONTENT_NEG;
@@ -1135,7 +1139,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 }
 /* tell matcher we are inspecting uri */
 s->flags |= SIG_FLAG_MPM_HRHDCONTENT;
- s->mpm_http_pattern_id = hrhd->id;
+ s->mpm_pattern_id_div_8 = hrhd->id / 8;
+ s->mpm_pattern_id_mod_8 = 1 << (hrhd->id % 8);
 if (hrhd->flags & DETECT_CONTENT_NEGATED)
 s->flags |= SIG_FLAG_MPM_HRHDCONTENT_NEG;
@@ -1190,7 +1195,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 }
 /* tell matcher we are inspecting method */
 s->flags |= SIG_FLAG_MPM_HMDCONTENT;
- s->mpm_http_pattern_id = hmd->id;
+ s->mpm_pattern_id_div_8 = hmd->id / 8;
+ s->mpm_pattern_id_mod_8 = 1 << (hmd->id % 8);
 if (hmd->flags & DETECT_CONTENT_NEGATED)
 s->flags |= SIG_FLAG_MPM_HMDCONTENT_NEG;
@@ -1245,7 +1251,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 }
 /* tell matcher we are inspecting cookie */
 s->flags |= SIG_FLAG_MPM_HCDCONTENT;
- s->mpm_http_pattern_id = hcd->id;
+ s->mpm_pattern_id_div_8 = hcd->id / 8;
+ s->mpm_pattern_id_mod_8 = 1 << (hcd->id % 8);
 if (hcd->flags & DETECT_CONTENT_NEGATED)
 s->flags |= SIG_FLAG_MPM_HCDCONTENT_NEG;
@@ -1300,7 +1307,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 }
 /* tell matcher we are inspecting raw uri */
 s->flags |= SIG_FLAG_MPM_HRUDCONTENT;
- s->mpm_http_pattern_id = hrud->id;
+ s->mpm_pattern_id_div_8 = hrud->id / 8;
+ s->mpm_pattern_id_mod_8 = 1 << (hrud->id % 8);
 if (hrud->flags & DETECT_CONTENT_NEGATED)
 s->flags |= SIG_FLAG_MPM_HRUDCONTENT_NEG;
diff --git a/src/detect.c b/src/detect.c
index 84d456ba7a..d24f60a13d 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -688,10 +688,7 @@ int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, int sig_file_excl
 * 2. alproto
 * 3. mpm_pattern_id_div8
 * 4. mpm_pattern_id_mod8
- * 5. mpm_stream_pattern_id_div8
- * 6. mpm_stream_pattern_id_mod8
- * 7. mpm_http_pattern_id
- * 8. num
+ * 5. num
 *
 * \retval 0 can't match, don't inspect
 * \retval 1 might match, further inspection required
@@ -713,85 +710,56 @@ static inline int SigMatchSignaturesBuildMatchArrayAddSignature(DetectEngineThre
 }
 /* check for a pattern match of the one pattern in this sig. */
- if (s->flags & SIG_FLAG_MPM_PACKET) {
+ if (s->flags & (SIG_FLAG_MPM_PACKET|SIG_FLAG_MPM_STREAM|SIG_FLAG_MPM_URICONTENT|
+ SIG_FLAG_MPM_HCBDCONTENT|SIG_FLAG_MPM_HSBDCONTENT|SIG_FLAG_MPM_HHDCONTENT|
+ SIG_FLAG_MPM_HRHDCONTENT|SIG_FLAG_MPM_HRHDCONTENT|SIG_FLAG_MPM_HMDCONTENT|
+ SIG_FLAG_MPM_HCDCONTENT|SIG_FLAG_MPM_HRUDCONTENT))
+ {
 /* filter out sigs that want pattern matches, but
 * have no matches */
 if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] & s->mpm_pattern_id_mod_8)) {
- //if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id / 8)] & (1<<(s->mpm_pattern_id % 8)))) {
- //SCLogDebug("mpm sig without matches (pat id %"PRIu32" check in content).", s->mpm_pattern_id);
-
- if (!(s->flags & SIG_FLAG_MPM_PACKET_NEG)) {
- return 0;
- } else {
- SCLogDebug("but thats okay, we are looking for neg-content");
- }
- }
- } else if (s->flags & SIG_FLAG_MPM_STREAM) {
- /* filter out sigs that want pattern matches, but
- * have no matches */
- if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_stream_pattern_id_div_8)] & s->mpm_stream_pattern_id_mod_8)) {
- //SCLogDebug("mpm stream sig without matches (pat id %"PRIu32" check in content).", s->mpm_stream_pattern_id);
-
- if (!(s->flags & SIG_FLAG_MPM_STREAM_NEG)) {
- return 0;
- } else {
- SCLogDebug("but thats okay, we are looking for neg-content");
- }
- }
- } else if (s->flags & SIG_FLAG_MPM_URICONTENT) {
- if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
- (1 << (s->mpm_http_pattern_id % 8)))) {
- if (!(s->full_sig->flags & SIG_FLAG_MPM_URICONTENT_NEG)) {
- return 0;
- }
- }
- } else if (s->flags & SIG_FLAG_MPM_HCBDCONTENT) {
- if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
- (1 << (s->mpm_http_pattern_id % 8)))) {
- if (!(s->flags & SIG_FLAG_MPM_HCBDCONTENT_NEG)) {
- return 0;
- }
- }
- } else if (s->flags & SIG_FLAG_MPM_HSBDCONTENT) {
- if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
- (1 << (s->mpm_http_pattern_id % 8)))) {
- if (!(s->flags & SIG_FLAG_MPM_HSBDCONTENT_NEG)) {
- return 0;
- }
- }
- } else if (s->flags & SIG_FLAG_MPM_HHDCONTENT) {
- if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
- (1 << (s->mpm_http_pattern_id % 8)))) {
- if (!(s->flags & SIG_FLAG_MPM_HHDCONTENT_NEG)) {
- return 0;
- }
- }
- } else if (s->flags & SIG_FLAG_MPM_HRHDCONTENT) {
- if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
- (1 << (s->mpm_http_pattern_id % 8)))) {
- if (!(s->flags & SIG_FLAG_MPM_HRHDCONTENT_NEG)) {
- return 0;
- }
- }
- } else if (s->flags & SIG_FLAG_MPM_HMDCONTENT) {
- if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
- (1 << (s->mpm_http_pattern_id % 8)))) {
- if (!(s->flags & SIG_FLAG_MPM_HMDCONTENT_NEG)) {
- return 0;
- }
- }
- } else if (s->flags & SIG_FLAG_MPM_HCDCONTENT) {
- if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
- (1 << (s->mpm_http_pattern_id % 8)))) {
- if (!(s->flags & SIG_FLAG_MPM_HCDCONTENT_NEG)) {
- return 0;
- }
- }
- } else if (s->flags & SIG_FLAG_MPM_HRUDCONTENT) {
- if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
- (1 << (s->mpm_http_pattern_id % 8)))) {
- if (!(s->flags & SIG_FLAG_MPM_HRUDCONTENT_NEG)) {
- return 0;
+ if (s->flags & SIG_FLAG_MPM_PACKET) {
+ if (!(s->flags & SIG_FLAG_MPM_PACKET_NEG)) {
+ return 0;
+ }
+ } else if (s->flags & SIG_FLAG_MPM_STREAM) {
+ /* filter out sigs that want pattern matches, but
+ * have no matches */
+ if (!(s->flags & SIG_FLAG_MPM_STREAM_NEG)) {
+ return 0;
+ }
+ } else if (s->flags & SIG_FLAG_MPM_URICONTENT) {
+ if (!(s->flags & SIG_FLAG_MPM_URICONTENT_NEG)) {
+ return 0;
+ }
+ } else if (s->flags & SIG_FLAG_MPM_HCBDCONTENT) {
+ if (!(s->flags & SIG_FLAG_MPM_HCBDCONTENT_NEG)) {
+ return 0;
+ }
+ } else if (s->flags & SIG_FLAG_MPM_HSBDCONTENT) {
+ if (!(s->flags & SIG_FLAG_MPM_HSBDCONTENT_NEG)) {
+ return 0;
+ }
+ } else if (s->flags & SIG_FLAG_MPM_HHDCONTENT) {
+ if (!(s->flags & SIG_FLAG_MPM_HHDCONTENT_NEG)) {
+ return 0;
+ }
+ } else if (s->flags & SIG_FLAG_MPM_HRHDCONTENT) {
+ if (!(s->flags & SIG_FLAG_MPM_HRHDCONTENT_NEG)) {
+ return 0;
+ }
+ } else if (s->flags & SIG_FLAG_MPM_HMDCONTENT) {
+ if (!(s->flags & SIG_FLAG_MPM_HMDCONTENT_NEG)) {
+ return 0;
+ }
+ } else if (s->flags & SIG_FLAG_MPM_HCDCONTENT) {
+ if (!(s->flags & SIG_FLAG_MPM_HCDCONTENT_NEG)) {
+ return 0;
+ }
+ } else if (s->flags & SIG_FLAG_MPM_HRUDCONTENT) {
+ if (!(s->flags & SIG_FLAG_MPM_HRUDCONTENT_NEG)) {
+ return 0;
+ }
 }
 }
 }
@@ -1531,7 +1499,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 if (det_ctx->smsg_pmq[pmq_idx].pattern_id_bitarray != NULL) {
 /* filter out sigs that want pattern matches, but
 * have no matches */
- if (!(det_ctx->smsg_pmq[pmq_idx].pattern_id_bitarray[(s->mpm_stream_pattern_id_div_8)] & s->mpm_stream_pattern_id_mod_8) &&
+ if (!(det_ctx->smsg_pmq[pmq_idx].pattern_id_bitarray[(s->mpm_pattern_id_div_8)] & s->mpm_pattern_id_mod_8) &&
 (s->flags & SIG_FLAG_MPM_STREAM) && !(s->flags & SIG_FLAG_MPM_STREAM_NEG)) {
 SCLogDebug("no match in this smsg");
 continue;
diff --git a/src/detect.h b/src/detect.h
index f9e4a898dd..600ee07eb9 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -332,20 +332,15 @@ typedef struct SignatureHeader_ {
 uint16_t mpm_pattern_id_div_8;
 uint8_t mpm_pattern_id_mod_8;
 SignatureMask mask;
- uint16_t alproto;
- uint16_t mpm_stream_pattern_id_div_8;
 };
- uint64_t hdr_copy2;
+ uint32_t hdr_copy2;
 };
 union {
 struct {
- uint8_t file_flags;
- uint8_t mpm_stream_pattern_id_mod_8;
+ uint16_t alproto;
 SigIntId num; /**< signature number, internal id */
- /** pattern in the mpm matcher */
- PatIntId mpm_http_pattern_id;
 };
- uint64_t hdr_copy3;
+ uint32_t hdr_copy3;
 };
 /** pointer to the full signature */
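Review bot: The flag mask in the new outer `if` of SigMatchSignaturesBuildMatchArrayAddSignature names `SIG_FLAG_MPM_HRHDCONTENT` twice; every buffer handled by the inner chain is still covered, so it is harmless, but the duplicate should be dropped so the list can be checked against the chain at a glance. Separately, the uricontent branch used to test `s->full_sig->flags & SIG_FLAG_MPM_URICONTENT_NEG` and now tests `s->flags`, which is only equivalent if the header's copy of the flags carries that negation bit; the hunk does not show this. Since a wrong `return 0` here means the signature is never inspected, a comment above the chain such as `/* no mpm hit: keep the sig only if its fast pattern is negated */` would state the intent. The function body extends beyond the hunk.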
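Review bot: In the SigMatchSignatures hunk the condition indexes `smsg_pmq[pmq_idx].pattern_id_bitarray` with `s->mpm_pattern_id_div_8` before it tests `SIG_FLAG_MPM_STREAM`, and after this commit that field holds the id of whichever buffer supplied the fast pattern (packet, uri, header and so on), not only a stream pattern id. Whether the stream queue's bit array is sized for every such id is not visible here; if it is sized per matcher context, this is an out-of-bounds read for non-stream signatures. Testing the flags first avoids the lookup for them: start the condition with `(s->flags & SIG_FLAG_MPM_STREAM) && !(s->flags & SIG_FLAG_MPM_STREAM_NEG) &&` and put the bit-array test last. The surrounding loop lies outside the hunk.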
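Review bot: `hdr_copy2` and `hdr_copy3` in SignatureHeader_ shrink to `uint32_t`, which covers the anonymous structs they overlay only if `SignatureMask` is one byte and `SigIntId` is two; neither typedef, nor the start of the first struct, is visible in the hunk. If either type is wider, code that copies the header through the `hdr_copy` members (presumably their purpose) would leave `mask` or `num` stale without any diagnostic. A compile-time size check on both unions would catch that, together with a comment like `/* hdr_copy3 must span alproto + num; keep in sync with Signature_ */`. The same applies to the matching change in the Signature_ hunk that follows.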
@@ -374,19 +369,15 @@ typedef struct Signature_ {
 uint16_t mpm_pattern_id_div_8;
 uint8_t mpm_pattern_id_mod_8;
 SignatureMask mask;
- uint16_t alproto;
- uint16_t mpm_stream_pattern_id_div_8;
 };
- uint64_t hdr_copy2;
+ uint32_t hdr_copy2;
 };
 union {
 struct {
- uint8_t file_flags;
- uint8_t mpm_stream_pattern_id_mod_8;
+ uint16_t alproto;
 SigIntId num; /**< signature number, internal id */
- PatIntId mpm_http_pattern_id;
 };
- uint64_t hdr_copy3;
+ uint32_t hdr_copy3;
 };
 /* the fast pattern added from this signature */
@@ -416,6 +407,7 @@ typedef struct Signature_ {
 uint16_t mpm_content_maxlen;
 uint16_t mpm_uricontent_maxlen;
+ uint8_t file_flags;
 /** number of sigmatches in the match and pmatch list */
 uint16_t sm_cnt;