diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c
index f75bc165d8..66dad79c92 100644
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
@@ -546,7 +546,7 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead
 /* now determine which one to add to the mpm phase */
 for (sig = 0; sig < sgh->sig_cnt; sig++) {
 Signature *s = sgh->match_array[sig];
- if (s == NULL)
+ if (s == NULL || s->pmatch == NULL)
 continue;
 ContentHash *mpm_ch = NULL;
@@ -602,6 +602,7 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead
 ContentHashFree(ch);
 }
 }
+ /* now add the mpm_ch to the mpm ctx */
 if (mpm_ch != NULL) {
 DetectContentData *co = mpm_ch->ptr;
@@ -610,9 +611,26 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead
 offset = mpm_ch->cnt ? 0 : offset;
 depth = mpm_ch->cnt ? 0 : depth;
 uint8_t flags = 0;
-
 char scan_packet = 0;
 char scan_stream = 0;
+ char scan_negated = 0;
+
+ SigMatch *tmpsm = s->pmatch;
+ for ( ; tmpsm != NULL; tmpsm = tmpsm->next) {
+ if (tmpsm->type != DETECT_CONTENT)
+ continue;
+
+ DetectContentData *tmp = (DetectContentData *)tmpsm->ctx;
+ if (tmp == NULL)
+ continue;
+
+ if (co->id == tmp->id) {
+ if (tmp->flags & DETECT_CONTENT_NEGATED) {
+ scan_negated = 1;
+ }
+ break;
+ }
+ }
 if (s->flags & SIG_FLAG_DSIZE) {
 scan_packet = 1;
@@ -647,6 +665,10 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead
 }
 s->mpm_pattern_id = co->id;
+ if (scan_negated) {
+ SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
+ s->flags |= SIG_FLAG_MPM_NEGCONTENT;
+ }
 SCLogDebug("%"PRIu32" adding co->id %"PRIu32" to the mpm phase (s->num %"PRIu32")", s->id, co->id, s->num);
 } else {
diff --git a/src/detect-parse.c b/src/detect-parse.c
index d0f8be1051..687bac8470 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
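Review bot: The loop added in the `@@ -610,9 +611,26 @@` hunk takes `scan_negated` from the first `DETECT_CONTENT` entry in `s->pmatch` whose id equals `co->id` and then breaks, so if a signature can hold the same pattern id both negated and plain, list order decides whether `SIG_FLAG_MPM_NEGCONTENT` is set in the `@@ -647,6 +665,10 @@` hunk; whether ids are unique within a signature is not visible here. The flag decides whether the signature is kept or skipped when its pattern is absent (see the detect.c change on this page), so a wrong value turns into a missed or a needlessly inspected signature. If `co` (from `mpm_ch->ptr`) is always this signature's own content data, `if (co->flags & DETECT_CONTENT_NEGATED) scan_negated = 1;` would replace the walk; if it can belong to another signature, a comment such as `/* co may come from another sig sharing this pattern id, so read the flags from this sig's own content */` would say why the walk is needed. The function body starts and ends outside these hunks.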
@@ -1060,10 +1060,6 @@ Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) {
 continue;
 sig->flags |= SIG_FLAG_MPM;
-
- if (cd->flags & DETECT_CONTENT_NEGATED) {
- sig->flags |= SIG_FLAG_MPM_NEGCONTENT;
- }
 }
 }
 for (sm = sig->umatch; sm != NULL; sm = sm->next) {
@@ -1194,13 +1190,8 @@ Signature *SigInitReal(DetectEngineCtx *de_ctx, char *sigstr) {
 continue;
 sig->flags |= SIG_FLAG_MPM;
-
- if (cd->flags & DETECT_CONTENT_NEGATED) {
- sig->flags |= SIG_FLAG_MPM_NEGCONTENT;
- }
 }
 }
-
 for (sm = sig->umatch; sm != NULL; sm = sm->next) {
 if (sm->type == DETECT_URICONTENT) {
 DetectUricontentData *ud = (DetectUricontentData *)sm->ctx;
diff --git a/src/detect-uricontent.c b/src/detect-uricontent.c
index c1c428ce5d..e04317f880 100644
--- a/src/detect-uricontent.c
+++ b/src/detect-uricontent.c
@@ -234,6 +234,7 @@ DetectUricontentData *DoDetectUricontentSetup (char * contentstr)
 char converted = 0;
 {
+ uint8_t escape = 0;
 uint16_t i, x;
 uint8_t bin = 0, binstr[3] = "", binpos = 0;
 for (i = 0, x = 0; i < len; i++) {
@@ -244,6 +245,8 @@ DetectUricontentData *DoDetectUricontentSetup (char * contentstr)
 } else {
 bin = 1;
 }
+ } else if(!escape && str[i] == '\\') {
+ escape = 1;
 } else {
 if (bin) {
 if (isdigit(str[i]) ||
@@ -269,6 +272,20 @@ DetectUricontentData *DoDetectUricontentSetup (char * contentstr)
 } else if (str[i] == ' ') {
 SCLogDebug("space as part of binary string");
 }
+ } else if (escape) {
+ if (str[i] == ':' ||
+ str[i] == ';' ||
+ str[i] == '\\' ||
+ str[i] == '\"')
+ {
+ str[x] = str[i];
+ x++;
+ } else {
+ //SCLogDebug("Can't escape %c", str[i]);
+ goto error;
+ }
+ escape = 0;
+ converted = 1;
 } else {
 str[x] = str[i];
 x++;
diff --git a/src/detect.c b/src/detect.c
index 87b34a20a5..b06f050eb1 100644
--- a/src/detect.c
+++ b/src/detect.c
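Review bot: The backslash test added in the detect-uricontent.c `@@ -244,6 +245,8 @@` hunk runs before the `bin` branch, so a backslash inside a `|..|` hex section sets `escape` and the flag stays pending until the first literal character after the section; a `|` that follows a backslash still toggles `bin`, because the pipe test comes first. A pattern ending in a lone backslash leaves `escape` set when the loop finishes, and nothing visible here rejects it, so the backslash would be dropped silently unless a check follows outside the hunk. For a rule parser a silently altered pattern means a signature that does not match what its author wrote; one option is `} else if (!bin && !escape && str[i] == '\\') {` plus `if (escape) goto error;` after the loop. The commented-out `//SCLogDebug("Can't escape %c", str[i]);` in the `@@ -269,6 +272,20 @@` hunk would be better as a real log line so a rejected rule says why it was rejected.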
@@ -464,20 +464,24 @@ static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
 }
 /* check for a pattern match of the one pattern in this sig. */
- if (s->flags & SIG_FLAG_MPM && !(s->flags & SIG_FLAG_MPM_NEGCONTENT)) {
+ if (s->flags & SIG_FLAG_MPM) {
 /* filter out sigs that want pattern matches, but * have no matches */
 if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id / 8)] & (1<<(s->mpm_pattern_id % 8)))) {
 SCLogDebug("mpm sig without matches (pat id %"PRIu32" check in content).", s->mpm_pattern_id);
- /* pattern didn't match. There is one case where we will inspect
- * the signature anyway: if the packet payload was added to the
- * stream it is not scanned itself: the stream data is inspected.
- * Inspecting both would result in duplicated alerts. There is
- * one case where we are going to inspect the packet payload
- * anyway: if a signature has the dsize option. */
- if (!((p->flags & PKT_STREAM_ADD) && (s->flags & SIG_FLAG_DSIZE))) {
- continue;
+ if (!(s->flags & SIG_FLAG_MPM_NEGCONTENT)) {
+ /* pattern didn't match. There is one case where we will inspect
+ * the signature anyway: if the packet payload was added to the
+ * stream it is not scanned itself: the stream data is inspected.
+ * Inspecting both would result in duplicated alerts. There is
+ * one case where we are going to inspect the packet payload
+ * anyway: if a signature has the dsize option. */
+ if (!((p->flags & PKT_STREAM_ADD) && (s->flags & SIG_FLAG_DSIZE))) {
+ continue;
+ }
+ } else {
+ SCLogDebug("but thats okay, we are looking for neg-content");
 }
 }
 }
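Review bot: The new `else` branch for `SIG_FLAG_MPM_NEGCONTENT` carries only a debug message, and the existing comment, now nested under the non-negated branch, explains just the stream/dsize exception, so nothing in the code states why a signature is kept when its pattern id bit is clear. Suggest a comment at the `else`, for example `/* the mpm pattern of this sig is negated: its absence is expected, so keep the sig for full inspection */`. Since this branch decides which signatures skip the prefilter, a unit test with a signature whose mpm pattern is negated would pin the behaviour; none is visible in this change. The enclosing function starts and ends outside the hunk.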
@@ -852,31 +856,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 }
 }
- SCLogDebug("s->amatch %p, s->umatch %p, s->dmatch %p",
- s->amatch, s->umatch, s->dmatch);
-
- if (s->amatch != NULL || s->umatch != NULL || s->dmatch != NULL) {
- if (alstate == NULL) {
- SCLogDebug("state matches but no state, we can't match");
- goto next;
- }
-
- if (de_state_start == TRUE) {
- SCLogDebug("stateful app layer match inspection starting");
- if (DeStateDetectStartDetection(th_v, de_ctx, det_ctx, s,
- p->flow, flags, alstate, alproto) != 1)
- goto next;
- } else {
- SCLogDebug("signature %"PRIu32" (%"PRIuMAX"): %s",
- s->id, (uintmax_t)s->num, DeStateMatchResultToString(det_ctx->de_state_sig_array[s->num]));
- if (det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NEW) {
- if (s->pmatch == NULL && s->dmatch == NULL) {
- goto next;
- }
- }
- }
- }
-
 if (s->flags & SIG_FLAG_DSIZE && s->dsize_sm != NULL) {
 if (sigmatch_table[DETECT_DSIZE].Match(th_v, det_ctx, p, s, s->dsize_sm) == 0)
 continue;
@@ -927,6 +906,31 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 }
 }
+ SCLogDebug("s->amatch %p, s->umatch %p, s->dmatch %p",
+ s->amatch, s->umatch, s->dmatch);
+
+ if (s->amatch != NULL || s->umatch != NULL || s->dmatch != NULL) {
+ if (alstate == NULL) {
+ SCLogDebug("state matches but no state, we can't match");
+ goto next;
+ }
+
+ if (de_state_start == TRUE) {
+ SCLogDebug("stateful app layer match inspection starting");
+ if (DeStateDetectStartDetection(th_v, de_ctx, det_ctx, s,
+ p->flow, flags, alstate, alproto) != 1)
+ goto next;
+ } else {
+ SCLogDebug("signature %"PRIu32" (%"PRIuMAX"): %s",
+ s->id, (uintmax_t)s->num, DeStateMatchResultToString(det_ctx->de_state_sig_array[s->num]));
+ if (det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NEW) {
+ if (s->pmatch == NULL && s->dmatch == NULL) {
+ goto next;
+ }
+ }
+ }
+ }
+
 /* if we get here but have no sigmatches to match against, * we consider the sig matched. */
 if (s->match == NULL) {
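Review bot: The re-added app-layer state block (removed by the `@@ -852,31 +856,6 @@` hunk) has no comment saying why stateful inspection now runs after the dsize and payload checks, although `DeStateDetectStartDetection` is now reached only by signatures that the earlier `continue` paths did not skip; the reason for the ordering is worth a line at the top of the block. The block leaves by `goto next` while the dsize check visible in the other hunk leaves by `continue`; if `next:` does per-signature work (not visible here), a short comment on which exit applies from this point on would help. The innermost two `if`s can be merged into `if (det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NEW && s->pmatch == NULL && s->dmatch == NULL) goto next;`. SigMatchSignatures continues outside the hunk.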