detect: limit flush logic to sigs that need it

Limit the early 'flush' logic to sigs that actually need to match
on both stream and http bodies.

src/detect-engine-analyzer.c

@@ -610,6 +610,9 @@ void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s)
         if (s->flags & SIG_FLAG_MPM_NEG) {
             json_array_append_new(js_flags, json_string("negated_mpm"));
         }
+        if (s->flags & SIG_FLAG_FLUSH) {
+            json_array_append_new(js_flags, json_string("flush"));
+        }
         if (s->flags & SIG_FLAG_REQUIRE_FLOWVAR) {
             json_array_append_new(js_flags, json_string("need_flowvar"));
         }

src/detect-engine.c

@@ -488,6 +488,10 @@ next:
             AppendStreamInspectEngine(s, stream, 0, last_id + 1);
             AppendStreamInspectEngine(s, stream, 1, last_id + 1);
         }
+
+        if (s->init_data->init_flags & SIG_FLAG_INIT_NEED_FLUSH) {
+            s->flags |= SIG_FLAG_FLUSH;
+        }
     }
 
 #ifdef DEBUG

src/detect-file-data.c

@@ -182,6 +182,10 @@ static void DetectFiledataSetupCallback(const DetectEngineCtx *de_ctx,
         AppLayerHtpEnableRequestBodyCallback();
     }
 
+
+    /* server body needs to be inspected in sync with stream if possible */
+    s->init_data->init_flags |= SIG_FLAG_INIT_NEED_FLUSH;
+
     SCLogDebug("callback invoked by %u", s->id);
 }
 

src/detect-http-client-body.c

@@ -101,6 +101,9 @@ static void DetectHttpClientBodySetupCallback(const DetectEngineCtx *de_ctx,
 {
     SCLogDebug("callback invoked by %u", s->id);
     AppLayerHtpEnableRequestBodyCallback();
+
+    /* client body needs to be inspected in sync with stream if possible */
+    s->init_data->init_flags |= SIG_FLAG_INIT_NEED_FLUSH;
 }
 
 /**

src/detect.c

@@ -1141,7 +1141,7 @@ static bool DetectRunTxInspectRule(ThreadVars *tv,
         DetectEngineThreadCtx *det_ctx,
         Packet *p,
         Flow *f,
-        const uint8_t flow_flags,   // direction, EOF, etc
+        const uint8_t in_flow_flags,   // direction, EOF, etc
         void *alstate,
         DetectTransaction *tx,
         const Signature *s,
@@ -1149,6 +1149,7 @@ static bool DetectRunTxInspectRule(ThreadVars *tv,
         RuleMatchCandidateTx *can,
         DetectRunScratchpad *scratch)
 {
+    uint8_t flow_flags = in_flow_flags;
     const int direction = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
     uint32_t inspect_flags = stored_flags ? *stored_flags : 0;
     int total_matches = 0;
@@ -1157,6 +1158,10 @@ static bool DetectRunTxInspectRule(ThreadVars *tv,
     bool mpm_before_progress = false;   // is mpm engine before progress?
     bool mpm_in_progress = false;       // is mpm engine in a buffer we will revisit?
 
+    /* see if we want to pass on the FLUSH flag */
+    if ((s->flags & SIG_FLAG_FLUSH) == 0)
+        flow_flags &=~ STREAM_FLUSH;
+
     TRACE_SID_TXS(s->id, tx, "starting %s", direction ? "toclient" : "toserver");
 
     /* for a new inspection we inspect pkt header and packet matches */

src/detect.h

@@ -229,6 +229,8 @@ typedef struct DetectPort_ {
 
 #define SIG_FLAG_MPM_NEG                (1<<11)
 
+#define SIG_FLAG_FLUSH                  (1<<12) /**< detection logic needs stream flush notification */
+
 #define SIG_FLAG_REQUIRE_FLOWVAR        (1<<17) /**< signature can only match if a flowbit, flowvar or flowint is available. */
 
 #define SIG_FLAG_FILESTORE              (1<<18) /**< signature has filestore keyword */
@@ -260,6 +262,7 @@ typedef struct DetectPort_ {
 #define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN    (1<<4)  /** < signature has seen the first ip_proto keyword */
 #define SIG_FLAG_INIT_HAS_TRANSFORM         (1<<5)
 #define SIG_FLAG_INIT_STATE_MATCH           (1<<6)  /**< signature has matches that require stateful inspection */
+#define SIG_FLAG_INIT_NEED_FLUSH            (1<<7)
 
 /* signature mask flags */
 #define SIG_MASK_REQUIRE_PAYLOAD            (1<<0)