engine events: prefilter sigs that need a event

12 years ago · 575c87aeba
parent 5f12b23469
commit 575c87aeba
2 changed files with 10 additions and 2 deletions
--- a/src/detect.c
+++ b/src/detect.c
@ -2339,6 +2339,11 @@ PacketCreateMask(Packet *p, SignatureMask *mask, uint16_t alproto, void *alstate
        (*mask) |= SIG_MASK_REQUIRE_NO_PAYLOAD;
    }

+    if (p->events.cnt > 0) {
+        SCLogDebug("packet has events set");
+        (*mask) |= SIG_MASK_REQUIRE_ENGINE_EVENT;
+    }
+
    if (PKT_IS_TCP(p)) {
        if ((p->tcph->th_flags & MASK_TCP_INITDEINIT_FLAGS) != 0) {
            (*mask) |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
@ -2529,6 +2534,9 @@ static int SignatureCreateMask(Signature *s) {
                }
                break;
            }
+            case DETECT_ENGINE_EVENT:
+                s->mask |= SIG_MASK_REQUIRE_ENGINE_EVENT;
+                break;
        }
    }

--- a/src/detect.h
+++ b/src/detect.h
@ -273,14 +273,14 @@ typedef struct DetectPort_ {
 #define SIG_FLAG_INIT_FILE_DATA      (1<<5)  /**< file_data set */

 /* signature mask flags */
-#define SIG_MASK_REQUIRE_PAYLOAD            1
+#define SIG_MASK_REQUIRE_PAYLOAD            (1<<0)
 #define SIG_MASK_REQUIRE_FLOW               (1<<1)
 #define SIG_MASK_REQUIRE_FLAGS_INITDEINIT   (1<<2)    /* SYN, FIN, RST */
 #define SIG_MASK_REQUIRE_FLAGS_UNUSUAL      (1<<3)    /* URG, ECN, CWR */
 #define SIG_MASK_REQUIRE_NO_PAYLOAD         (1<<4)
-//
 #define SIG_MASK_REQUIRE_HTTP_STATE         (1<<5)
 #define SIG_MASK_REQUIRE_DCE_STATE          (1<<6)
+#define SIG_MASK_REQUIRE_ENGINE_EVENT       (1<<7)

 /* for now a uint8_t is enough */
 #define SignatureMask uint8_t