|
|
|
@ -364,25 +364,26 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
|
|
|
|
const Signature *s, Packet *p, Flow *f, uint8_t flags,
|
|
|
|
const Signature *s, Packet *p, Flow *f, uint8_t flags,
|
|
|
|
AppProto alproto)
|
|
|
|
AppProto alproto)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
|
|
|
|
SCLogDebug("rule %u", s->id);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* TX based matches (inspect engines) */
|
|
|
|
|
|
|
|
if (unlikely(!AppLayerParserProtocolSupportsTxs(f->proto, alproto))) {
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
void *alstate = FlowGetAppState(f);
|
|
|
|
|
|
|
|
if (unlikely(!StateIsValid(alproto, alstate))) {
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
SigMatchData *smd = NULL;
|
|
|
|
SigMatchData *smd = NULL;
|
|
|
|
uint16_t file_no_match = 0;
|
|
|
|
uint16_t file_no_match = 0;
|
|
|
|
uint32_t inspect_flags = 0;
|
|
|
|
uint32_t inspect_flags = 0;
|
|
|
|
int alert_cnt = 0;
|
|
|
|
int alert_cnt = 0;
|
|
|
|
|
|
|
|
|
|
|
|
SCLogDebug("rule %u", s->id);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* TX based matches (inspect engines) */
|
|
|
|
|
|
|
|
if (AppLayerParserProtocolSupportsTxs(f->proto, alproto)) {
|
|
|
|
|
|
|
|
uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
|
|
|
|
uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
|
|
|
|
int check_before_add = 0;
|
|
|
|
int check_before_add = 0;
|
|
|
|
uint64_t tx_id = 0;
|
|
|
|
uint64_t tx_id = 0;
|
|
|
|
uint64_t total_txs = 0;
|
|
|
|
uint64_t total_txs = 0;
|
|
|
|
|
|
|
|
|
|
|
|
void *alstate = FlowGetAppState(f);
|
|
|
|
|
|
|
|
if (!StateIsValid(alproto, alstate)) {
|
|
|
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* if continue detection already inspected this rule for this tx,
|
|
|
|
/* if continue detection already inspected this rule for this tx,
|
|
|
|
* continue with the first not-inspected tx */
|
|
|
|
* continue with the first not-inspected tx */
|
|
|
|
uint8_t offset = det_ctx->de_state_sig_array[s->num] & 0xef;
|
|
|
|
uint8_t offset = det_ctx->de_state_sig_array[s->num] & 0xef;
|
|
|
|
@ -434,7 +435,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
|
|
|
|
continue;
|
|
|
|
continue;
|
|
|
|
} else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) {
|
|
|
|
} else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) {
|
|
|
|
inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
|
|
|
|
inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
|
|
|
|
inspect_flags |= BIT_U32(engine->id);;
|
|
|
|
inspect_flags |= BIT_U32(engine->id);
|
|
|
|
} else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE) {
|
|
|
|
} else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE) {
|
|
|
|
inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
|
|
|
|
inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
|
|
|
|
inspect_flags |= BIT_U32(engine->id);
|
|
|
|
inspect_flags |= BIT_U32(engine->id);
|
|
|
|
@ -500,8 +501,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
|
|
|
|
if (next_tx_no_progress)
|
|
|
|
if (next_tx_no_progress)
|
|
|
|
break;
|
|
|
|
break;
|
|
|
|
} /* for */
|
|
|
|
} /* for */
|
|
|
|
}
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
|
|
|
det_ctx->tx_id = 0;
|
|
|
|
det_ctx->tx_id = 0;
|
|
|
|
det_ctx->tx_id_set = 0;
|
|
|
|
det_ctx->tx_id_set = 0;
|
|
|
|
return alert_cnt ? 1:0;
|
|
|
|
return alert_cnt ? 1:0;
|
|
|
|
|
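Review bot: The two new `return 0;` exits at the top of DeStateDetectStartDetection (the `!AppLayerParserProtocolSupportsTxs(...)` and `!StateIsValid(...)` guards in the first hunk) skip the `det_ctx->tx_id = 0; det_ctx->tx_id_set = 0;` reset that the removed `goto end` path used to reach. The change is only equivalent if both fields are guaranteed clear on entry, which these hunks do not show. If a stale `tx_id_set` can survive from earlier work on the same thread context, later matching or logging would presumably attribute data to the wrong transaction. Either state the invariant next to the guards, e.g. `/* det_ctx->tx_id and tx_id_set are not touched yet, so no reset is needed here */`, or keep the two reset assignments before each early return. Most of the function body, including the loop that sets these fields, lies outside the visible hunks and could not be checked.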