For signatures with the dsize option set depth on any content match in that sig.

15 years ago · 45cbef0735
parent d774d6e226
commit 45cbef0735
3 changed files with 63 additions and 0 deletions
--- a/src/detect-dsize.c
+++ b/src/detect-dsize.c
@ -306,6 +306,11 @@ static int DetectDsizeSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr
            dd->dsize, dd->dsize2, dd->mode);
    /* tell the sig it has a dsize to speed up engine init */
    s->flags |= SIG_FLAG_REQUIRE_PACKET;
+    s->flags |= SIG_FLAG_DSIZE;
+
+    if (s->dsize_sm == NULL) {
+        s->dsize_sm = sm;
+    }

    return 0;

--- a/src/detect.c
+++ b/src/detect.c
@ -2628,6 +2628,60 @@ static void SigInitStandardMpmFactoryContexts(DetectEngineCtx *de_ctx)
    return;
 }

+static int SigParseGetMaxDsize(Signature *s) {
+    if (s->flags & SIG_FLAG_DSIZE && s->dsize_sm != NULL) {
+        DetectDsizeData *dd = (DetectDsizeData *)s->dsize_sm->ctx;
+
+        switch (dd->mode) {
+            case DETECTDSIZE_LT:
+            case DETECTDSIZE_EQ:
+                return dd->dsize;
+            case DETECTDSIZE_RA:
+                return dd->dsize2;
+            case DETECTDSIZE_GT:
+            default:
+                SCReturnInt(-2);
+        }
+    }
+    SCReturnInt(-1);
+}
+
+/**
+ *  \brief Apply dsize as depth to content matches in the rule
+ */
+static int SigParseApplyDsizeToContent(Signature *s) {
+    SCEnter();
+
+    if (s->flags & SIG_FLAG_DSIZE) {
+        int dsize = SigParseGetMaxDsize(s);
+
+        if (dsize < 0) {
+            /* nothing to do */
+            return 0;
+        }
+
+        SigMatch *sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+        for ( ; sm != NULL;  sm = sm->next) {
+            if (sm->type != DETECT_CONTENT) {
+                continue;
+            }
+
+            DetectContentData *cd = (DetectContentData *)sm->ctx;
+            if (cd == NULL) {
+                continue;
+            }
+
+            if (cd->depth == 0 || cd->depth >= dsize) {
+                cd->depth = (uint16_t)dsize;
+                SCLogDebug("updated %u, content %u to have depth %u "
+                        "because of dsize.", s->id, cd->id, cd->depth);
+            }
+        }
+    }
+
+    SCReturnInt(0);
+}
+
 /**
 * \brief Add all signatures to their own source address group
 *
@ -2750,6 +2804,8 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) {
            cnt++;
        }

+        SigParseApplyDsizeToContent(tmp_s);
+
        de_ctx->sig_cnt++;
    }

--- a/src/detect.h
+++ b/src/detect.h
@ -454,6 +454,8 @@ typedef struct Signature_ {
    /* used to hold flags that are predominantly used during init */
    uint32_t init_flags;

+    SigMatch *dsize_sm;
+
    /** ptr to the next sig in the list */
    struct Signature_ *next;
 } Signature;