diff --git a/src/Makefile.am b/src/Makefile.am index fdc02008d6..c3b5944edb 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -61,6 +61,7 @@ util-mpm-b3g.c util-mpm-b3g.h \ util-cidr.c util-cidr.h \ util-unittest.c util-unittest.h \ util-hash.c util-hash.h \ +util-hashlist.c util-hashlist.h \ util-bloomfilter.c util-bloomfilter.h \ util-bloomfilter-counting.c util-bloomfilter-counting.h \ tm-modules.c tm-modules.h \ diff --git a/src/alert-debuglog.c b/src/alert-debuglog.c index 57c71ca5c8..2d23c62b99 100644 --- a/src/alert-debuglog.c +++ b/src/alert-debuglog.c @@ -36,7 +36,7 @@ int AlertDebuglog (ThreadVars *, Packet *, void *, PacketQueue *); int AlertDebuglogIPv4(ThreadVars *, Packet *, void *, PacketQueue *); int AlertDebuglogIPv6(ThreadVars *, Packet *, void *, PacketQueue *); -int AlertDebuglogThreadInit(ThreadVars *, void **); +int AlertDebuglogThreadInit(ThreadVars *, void*, void **); int AlertDebuglogThreadDeinit(ThreadVars *, void *); void AlertDebuglogExitPrintStats(ThreadVars *, void *); @@ -196,7 +196,7 @@ int AlertDebuglog (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) return 0; } -int AlertDebuglogThreadInit(ThreadVars *t, void **data) +int AlertDebuglogThreadInit(ThreadVars *t, void *initdata, void **data) { AlertDebuglogThread *aft = malloc(sizeof(AlertDebuglogThread)); if (aft == NULL) { diff --git a/src/alert-fastlog.c b/src/alert-fastlog.c index b90c5e3a95..a523f40703 100644 --- a/src/alert-fastlog.c +++ b/src/alert-fastlog.c @@ -36,7 +36,7 @@ int AlertFastlog (ThreadVars *, Packet *, void *, PacketQueue *); int AlertFastlogIPv4(ThreadVars *, Packet *, void *, PacketQueue *); int AlertFastlogIPv6(ThreadVars *, Packet *, void *, PacketQueue *); -int AlertFastlogThreadInit(ThreadVars *, void **); +int AlertFastlogThreadInit(ThreadVars *, void *, void **); int AlertFastlogThreadDeinit(ThreadVars *, void *); void AlertFastlogExitPrintStats(ThreadVars *, void *); 
@@ -147,7 +147,7 @@ int AlertFastlog (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) return 0; } -int AlertFastlogThreadInit(ThreadVars *t, void **data) +int AlertFastlogThreadInit(ThreadVars *t, void *initdata, void **data) { AlertFastlogThread *aft = malloc(sizeof(AlertFastlogThread)); if (aft == NULL) { diff --git a/src/alert-unified-alert.c b/src/alert-unified-alert.c index ee90c51d19..93497579de 100644 --- a/src/alert-unified-alert.c +++ b/src/alert-unified-alert.c @@ -34,7 +34,7 @@ #include "util-unittest.h" int AlertUnifiedAlert (ThreadVars *, Packet *, void *, PacketQueue *); -int AlertUnifiedAlertThreadInit(ThreadVars *, void **); +int AlertUnifiedAlertThreadInit(ThreadVars *, void *, void **); int AlertUnifiedAlertThreadDeinit(ThreadVars *, void *); void TmModuleAlertUnifiedAlertRegister (void) { @@ -203,7 +203,7 @@ int AlertUnifiedAlert (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) return 0; } -int AlertUnifiedAlertThreadInit(ThreadVars *t, void **data) +int AlertUnifiedAlertThreadInit(ThreadVars *t, void *initdata, void **data) { AlertUnifiedAlertThread *aun = malloc(sizeof(AlertUnifiedAlertThread)); if (aun == NULL) { diff --git a/src/alert-unified-log.c b/src/alert-unified-log.c index bd908193cc..e516792c77 100644 --- a/src/alert-unified-log.c +++ b/src/alert-unified-log.c @@ -34,7 +34,7 @@ #include "util-unittest.h" int AlertUnifiedLog (ThreadVars *, Packet *, void *, PacketQueue *); -int AlertUnifiedLogThreadInit(ThreadVars *, void **); +int AlertUnifiedLogThreadInit(ThreadVars *, void *, void **); int AlertUnifiedLogThreadDeinit(ThreadVars *, void *); void TmModuleAlertUnifiedLogRegister (void) { @@ -218,7 +218,7 @@ int AlertUnifiedLog (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) return 0; } -int AlertUnifiedLogThreadInit(ThreadVars *t, void **data) +int AlertUnifiedLogThreadInit(ThreadVars *t, void *initdata, void **data) { AlertUnifiedLogThread *aun = malloc(sizeof(AlertUnifiedLogThread)); if (aun == NULL) { 
diff --git a/src/detect-classtype.c b/src/detect-classtype.c index e47bd7c649..e502a06f29 100644 --- a/src/detect-classtype.c +++ b/src/detect-classtype.c @@ -4,7 +4,7 @@ #include "detect.h" #include "flow-var.h" -int DetectClasstypeSetup (Signature *s, SigMatch *m, char *str); +int DetectClasstypeSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *str); void DetectClasstypeRegister (void) { sigmatch_table[DETECT_CLASSTYPE].name = "classtype"; @@ -14,7 +14,7 @@ void DetectClasstypeRegister (void) { sigmatch_table[DETECT_CLASSTYPE].RegisterTests = NULL; } -int DetectClasstypeSetup (Signature *s, SigMatch *m, char *rawstr) +int DetectClasstypeSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) { char *str = rawstr; char dubbed = 0; diff --git a/src/detect-content.c b/src/detect-content.c index fd79135119..b2d82f9843 100644 --- a/src/detect-content.c +++ b/src/detect-content.c @@ -42,15 +42,11 @@ #include "threads.h" int DetectContentMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *); -int DetectContentSetup (Signature *, SigMatch *, char *); +int DetectContentSetup (DetectEngineCtx *, Signature *, SigMatch *, char *); u_int8_t nocasetable[256]; #define _nc(c) nocasetable[(c)] -/* we use a global id for content matches to be able to use - * just one pattern matcher thread context per thread. */ -static u_int32_t content_max_id = 0; - void DetectContentRegister (void) { sigmatch_table[DETECT_CONTENT].name = "content"; sigmatch_table[DETECT_CONTENT].Match = DetectContentMatch; @@ -77,9 +73,9 @@ void DetectContentRegister (void) { } /* pass on the content_max_id */ -u_int32_t DetectContentMaxId(void) { - //printf("DetectContentMaxId: %u\n", content_max_id); - return content_max_id; +u_int32_t DetectContentMaxId(DetectEngineCtx *de_ctx) { + //printf("DetectContentMaxId: %u\n", de_ctx->content_max_id); + return de_ctx->content_max_id; } static inline int 
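Review bot: `DetectContentMaxId` now dereferences `de_ctx` with no NULL check, and the later `DetectContentSetup` hunk (`cd->id = de_ctx->content_max_id;`) does the same, so a caller that has no engine context to pass will crash where the old file-static counter always worked. The static was zero by definition, whereas `de_ctx->content_max_id` depends on how `DetectEngineCtx` is allocated, which this part of the diff does not show; confirm the context is zeroed on creation so content ids still start at 0. The deleted comment was the only explanation of why the ids share one counter, so I would carry it over to the field's declaration, e.g. `/* content ids are counted per detection engine so one pattern matcher thread context per thread is enough */`.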
@@ -277,7 +273,7 @@ int DetectContentMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Sig return DoDetectContent(t, pmt, p, s, m, co); } -int DetectContentSetup (Signature *s, SigMatch *m, char *contentstr) +int DetectContentSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *contentstr) { DetectContentData *cd = NULL; SigMatch *sm = NULL; @@ -385,8 +381,8 @@ int DetectContentSetup (Signature *s, SigMatch *m, char *contentstr) SigMatchAppend(s,m,sm); - cd->id = content_max_id; - content_max_id++; + cd->id = de_ctx->content_max_id; + de_ctx->content_max_id++; if (dubbed) free(str); return 0; diff --git a/src/detect-content.h b/src/detect-content.h index a291e807cd..8194829ccc 100644 --- a/src/detect-content.h +++ b/src/detect-content.h @@ -10,7 +10,6 @@ #define DETECT_CONTENT_RAWBYTES 0x20 - typedef struct _DetectContentData { u_int8_t *content; u_int8_t content_len; @@ -25,7 +24,7 @@ typedef struct _DetectContentData { /* prototypes */ void DetectContentRegister (void); -u_int32_t DetectContentMaxId(void); +u_int32_t DetectContentMaxId(DetectEngineCtx *); #endif /* __DETECT_CONTENT_H__ */ diff --git a/src/detect-depth.c b/src/detect-depth.c index 1df2366aa6..0d6065d3e9 100644 --- a/src/detect-depth.c +++ b/src/detect-depth.c @@ -8,7 +8,7 @@ #include "detect-content.h" #include "detect-pcre.h" -int DetectDepthSetup (Signature *s, SigMatch *m, char *depthstr); +int DetectDepthSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *depthstr); void DetectDepthRegister (void) { sigmatch_table[DETECT_DEPTH].name = "depth"; @@ -18,7 +18,7 @@ void DetectDepthRegister (void) { sigmatch_table[DETECT_DEPTH].RegisterTests = NULL; } -int DetectDepthSetup (Signature *s, SigMatch *m, char *depthstr) +int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *depthstr) { char *str = depthstr; char dubbed = 0; diff --git a/src/detect-distance.c b/src/detect-distance.c index e732567722..a6efdad14e 100644 --- a/src/detect-distance.c 
+++ b/src/detect-distance.c @@ -9,7 +9,7 @@ #include "detect-uricontent.h" #include "detect-pcre.h" -int DetectDistanceSetup (Signature *s, SigMatch *m, char *distancestr); +int DetectDistanceSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *distancestr); void DetectDistanceRegister (void) { sigmatch_table[DETECT_DISTANCE].name = "distance"; @@ -19,7 +19,7 @@ void DetectDistanceRegister (void) { sigmatch_table[DETECT_DISTANCE].RegisterTests = NULL; } -int DetectDistanceSetup (Signature *s, SigMatch *m, char *distancestr) +int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *distancestr) { char *str = distancestr; char dubbed = 0; diff --git a/src/detect-dsize.c b/src/detect-dsize.c index 5c8beba67d..48538cbc94 100644 --- a/src/detect-dsize.c +++ b/src/detect-dsize.c @@ -24,7 +24,7 @@ typedef struct _DetectDsizeData { } DetectDsizeData; int DetectDsizeMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *); -int DetectDsizeSetup (Signature *s, SigMatch *m, char *str); +int DetectDsizeSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *str); void DsizeRegisterTests(void); void DetectDsizeRegister (void) { @@ -177,7 +177,7 @@ error: return NULL; } -int DetectDsizeSetup (Signature *s, SigMatch *m, char *rawstr) +int DetectDsizeSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) { DetectDsizeData *dd = NULL; SigMatch *sm = NULL; diff --git a/src/detect-engine-address-ipv4.c b/src/detect-engine-address-ipv4.c index 1420a5129f..10686cb047 100644 --- a/src/detect-engine-address-ipv4.c +++ b/src/detect-engine-address-ipv4.c @@ -12,6 +12,7 @@ #include "detect-engine-address.h" #include "detect-engine-siggroup.h" +#include "detect-engine-port.h" int DetectAddressCmpIPv4(DetectAddressData *a, DetectAddressData *b) { u_int32_t a_ip1 = ntohl(a->ip[0]); 
@@ -66,7 +67,7 @@ int DetectAddressCmpIPv4(DetectAddressData *a, DetectAddressData *b) { * a = 1.2.3.4, b = 1.2.3.0/24 * must result in: a == 1.2.3.0-1.2.3.3, b == 1.2.3.4, c == 1.2.3.5-1.2.3.255 */ -int DetectAddressGroupCutIPv4(DetectAddressGroup *a, DetectAddressGroup *b, DetectAddressGroup **c) { +int DetectAddressGroupCutIPv4(DetectEngineCtx *de_ctx, DetectAddressGroup *a, DetectAddressGroup *b, DetectAddressGroup **c) { u_int32_t a_ip1 = ntohl(a->ad->ip[0]); u_int32_t a_ip2 = ntohl(a->ad->ip2[0]); u_int32_t b_ip1 = ntohl(b->ad->ip[0]); @@ -120,14 +121,14 @@ int DetectAddressGroupCutIPv4(DetectAddressGroup *a, DetectAddressGroup *b, Dete tmp_c->ad->ip2[0] = htonl(b_ip2); *c = tmp_c; - SigGroupHeadCopySigs(b->sh,&tmp_c->sh); - SigGroupHeadCopySigs(a->sh,&b->sh); + SigGroupHeadCopySigs(de_ctx, b->sh,&tmp_c->sh); + SigGroupHeadCopySigs(de_ctx, a->sh,&b->sh); for (port = b->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&tmp_c->port, port); + DetectPortInsertCopy(de_ctx, &tmp_c->port, port); } for (port = a->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&b->port, port); + DetectPortInsertCopy(de_ctx, &b->port, port); } tmp_c->cnt += b->cnt; 
@@ -166,24 +167,24 @@ int DetectAddressGroupCutIPv4(DetectAddressGroup *a, DetectAddressGroup *b, Dete /* 'a' gets clean and then 'b' sigs * 'b' gets clean, then 'a' then 'b' sigs * 'c' gets 'a' sigs */ - SigGroupHeadCopySigs(a->sh,&tmp->sh); /* store old a list */ + SigGroupHeadCopySigs(de_ctx, a->sh, &tmp->sh); /* store old a list */ SigGroupHeadClearSigs(a->sh); /* clean a list */ - SigGroupHeadCopySigs(tmp->sh,&tmp_c->sh); /* copy old b to c */ - SigGroupHeadCopySigs(b->sh,&a->sh); /* copy old b to a */ - SigGroupHeadCopySigs(tmp->sh,&b->sh); /* prepend old a before b */ + SigGroupHeadCopySigs(de_ctx, tmp->sh, &tmp_c->sh); /* copy old b to c */ + SigGroupHeadCopySigs(de_ctx, b->sh, &a->sh); /* copy old b to a */ + SigGroupHeadCopySigs(de_ctx, tmp->sh, &b->sh); /* prepend old a before b */ SigGroupHeadClearSigs(tmp->sh); /* clean tmp list */ for (port = a->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&tmp->port, port); + DetectPortInsertCopy(de_ctx, &tmp->port, port); } for (port = b->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&a->port, port); + DetectPortInsertCopy(de_ctx, &a->port, port); } for (port = tmp->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&b->port, port); + DetectPortInsertCopy(de_ctx, &b->port, port); } for (port = tmp->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&tmp_c->port, port); + DetectPortInsertCopy(de_ctx, &tmp_c->port, port); } tmp->cnt += a->cnt; 
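Review bot: The trailing comment on `SigGroupHeadCopySigs(de_ctx, tmp->sh, &tmp_c->sh);` says "copy old b to c", but `tmp->sh` was filled from `a->sh` two lines above and the block comment says 'c' gets 'a' sigs, so it should read `/* copy old a to c */`. The IPv6 twin of this hunk in detect-engine-address-ipv6.c carries the same comment, and the first IPv6 cut hunk labels `SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh);` as "copy old b to a" although it copies a's list into b. These lines are being rewritten anyway, and correct comments are what let a reader check the signature bookkeeping against the block comment. The enclosing function starts and ends outside the hunk.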
@@ -224,13 +225,13 @@ int DetectAddressGroupCutIPv4(DetectAddressGroup *a, DetectAddressGroup *b, Dete b->ad->ip2[0] = htonl(b_ip2); /* 'b' overlaps 'a' so 'a' needs the 'b' sigs */ - SigGroupHeadCopySigs(b->sh,&a->sh); + SigGroupHeadCopySigs(de_ctx, b->sh, &a->sh); //printf("a: "); DetectAddressDataPrint(a->ad); printf(": "); DbgPrintSigs2(a->sh); //printf("b: "); DetectAddressDataPrint(b->ad); printf(": "); DbgPrintSigs2(b->sh); for (port = b->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&a->port, port); + DetectPortInsertCopy(de_ctx, &a->port, port); } a->cnt += b->cnt; @@ -247,20 +248,20 @@ int DetectAddressGroupCutIPv4(DetectAddressGroup *a, DetectAddressGroup *b, Dete b->ad->ip2[0] = htonl(a_ip2); /* 'a' overlaps 'b' so 'b' needs the 'a' sigs */ - SigGroupHeadCopySigs(a->sh,&tmp->sh); + SigGroupHeadCopySigs(de_ctx, a->sh, &tmp->sh); SigGroupHeadClearSigs(a->sh); - SigGroupHeadCopySigs(b->sh,&a->sh); - SigGroupHeadCopySigs(tmp->sh,&b->sh); + SigGroupHeadCopySigs(de_ctx, b->sh, &a->sh); + SigGroupHeadCopySigs(de_ctx, tmp->sh, &b->sh); SigGroupHeadClearSigs(tmp->sh); for (port = a->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&tmp->port, a->port); + DetectPortInsertCopy(de_ctx, &tmp->port, a->port); } for (port = b->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&a->port, port); + DetectPortInsertCopy(de_ctx, &a->port, port); } for (port = tmp->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&b->port, port); + DetectPortInsertCopy(de_ctx, &b->port, port); } tmp->cnt += a->cnt; a->cnt = 0; 
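Review bot: In the second hunk on this line (`@@ -247,20 +248,20 @@`), the first port loop iterates `port` over `a->port` but passes `a->port` to `DetectPortInsertCopy`, so every iteration re-inserts the list head and the remaining ports never reach `tmp`; the call should be `DetectPortInsertCopy(de_ctx, &tmp->port, port);`. The commit carries this over unchanged apart from the new argument, and the same pattern appears with `b->port` in the `@@ -352,20 +353,20 @@` hunk and in the two corresponding IPv6 hunks (`@@ -348,20 +349,20 @@` and `@@ -442,20 +443,20 @@`). Because `tmp` later feeds the other group's port list, that group presumably ends up with incomplete ports, which in a detection engine means signatures silently not evaluated for some ports. The enclosing function starts and ends outside the hunk.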
@@ -295,24 +296,24 @@ int DetectAddressGroupCutIPv4(DetectAddressGroup *a, DetectAddressGroup *b, Dete /* 'a' gets clean and then 'b' sigs * 'b' gets clean, then 'a' then 'b' sigs * 'c' gets 'b' sigs */ - SigGroupHeadCopySigs(a->sh,&tmp->sh); /* store old a list */ + SigGroupHeadCopySigs(de_ctx, a->sh, &tmp->sh); /* store old a list */ SigGroupHeadClearSigs(a->sh); /* clean a list */ - SigGroupHeadCopySigs(b->sh,&tmp_c->sh); /* copy old b to c */ - SigGroupHeadCopySigs(b->sh,&a->sh); /* copy old b to a */ - SigGroupHeadCopySigs(tmp->sh,&b->sh); /* prepend old a before b */ + SigGroupHeadCopySigs(de_ctx, b->sh, &tmp_c->sh); /* copy old b to c */ + SigGroupHeadCopySigs(de_ctx, b->sh, &a->sh); /* copy old b to a */ + SigGroupHeadCopySigs(de_ctx, tmp->sh, &b->sh); /* prepend old a before b */ SigGroupHeadClearSigs(tmp->sh); /* clean tmp list */ for (port = a->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&tmp->port, port); + DetectPortInsertCopy(de_ctx, &tmp->port, port); } for (port = b->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&tmp_c->port, port); + DetectPortInsertCopy(de_ctx, &tmp_c->port, port); } for (port = b->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&a->port, port); + DetectPortInsertCopy(de_ctx, &a->port, port); } for (port = tmp->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&b->port, port); + DetectPortInsertCopy(de_ctx, &b->port, port); } tmp->cnt += a->cnt; a->cnt = 0; 
@@ -352,20 +353,20 @@ int DetectAddressGroupCutIPv4(DetectAddressGroup *a, DetectAddressGroup *b, Dete b->ad->ip2[0] = htonl(a_ip2); /* 'b' overlaps 'a' so a needs the 'b' sigs */ - SigGroupHeadCopySigs(b->sh,&tmp->sh); + SigGroupHeadCopySigs(de_ctx, b->sh, &tmp->sh); SigGroupHeadClearSigs(b->sh); - SigGroupHeadCopySigs(a->sh,&b->sh); - SigGroupHeadCopySigs(tmp->sh,&a->sh); + SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh); + SigGroupHeadCopySigs(de_ctx, tmp->sh, &a->sh); SigGroupHeadClearSigs(tmp->sh); for (port = b->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&tmp->port, b->port); + DetectPortInsertCopy(de_ctx, &tmp->port, b->port); } for (port = a->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&b->port, port); + DetectPortInsertCopy(de_ctx, &b->port, port); } for (port = tmp->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&a->port, port); + DetectPortInsertCopy(de_ctx, &a->port, port); } tmp->cnt += b->cnt; b->cnt = 0; @@ -383,10 +384,10 @@ int DetectAddressGroupCutIPv4(DetectAddressGroup *a, DetectAddressGroup *b, Dete b->ad->ip2[0] = htonl(b_ip2); /* 'a' overlaps 'b' so a needs the 'a' sigs */ - SigGroupHeadCopySigs(a->sh,&b->sh); + SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh); for (port = a->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&b->port, port); + DetectPortInsertCopy(de_ctx, &b->port, port); } b->cnt += a->cnt; 
@@ -418,14 +419,14 @@ int DetectAddressGroupCutIPv4(DetectAddressGroup *a, DetectAddressGroup *b, Dete /* 'a' stays the same wrt sigs * 'b' keeps it's own sigs and gets a's sigs prepended * 'c' gets 'a' sigs */ - SigGroupHeadCopySigs(a->sh,&b->sh); - SigGroupHeadCopySigs(a->sh,&tmp_c->sh); + SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh); + SigGroupHeadCopySigs(de_ctx, a->sh, &tmp_c->sh); for (port = a->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&b->port, port); + DetectPortInsertCopy(de_ctx, &b->port, port); } for (port = a->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&tmp_c->port, port); + DetectPortInsertCopy(de_ctx, &tmp_c->port, port); } b->cnt += a->cnt; @@ -658,7 +659,7 @@ error: return -1; } -int DetectAddressGroupJoinIPv4(DetectAddressGroup *target, DetectAddressGroup *source) { +int DetectAddressGroupJoinIPv4(DetectEngineCtx *de_ctx, DetectAddressGroup *target, DetectAddressGroup *source) { if (ntohl(source->ad->ip[0]) < ntohl(target->ad->ip[0])) target->ad->ip[0] = source->ad->ip[0]; diff --git a/src/detect-engine-address-ipv4.h b/src/detect-engine-address-ipv4.h index 88d8eab568..d67a30b82b 100644 --- a/src/detect-engine-address-ipv4.h +++ b/src/detect-engine-address-ipv4.h @@ -10,9 +10,8 @@ int DetectAddressCmpIPv4(DetectAddressData *, DetectAddressData *); int DetectAddressCutIPv4(DetectAddressData *, DetectAddressData *, DetectAddressData **); int DetectAddressCutNotIPv4(DetectAddressData *, DetectAddressData **); -int DetectAddressGroupCutIPv4(DetectAddressGroup *, DetectAddressGroup *, DetectAddressGroup **); - -int DetectAddressGroupJoinIPv4(DetectAddressGroup *target, DetectAddressGroup *source); +int DetectAddressGroupCutIPv4(DetectEngineCtx *, DetectAddressGroup *, DetectAddressGroup *, DetectAddressGroup **); +int DetectAddressGroupJoinIPv4(DetectEngineCtx *, DetectAddressGroup *target, DetectAddressGroup *source); #endif /* __DETECT_ADDRESS_IPV4_H__ */ 
diff --git a/src/detect-engine-address-ipv6.c b/src/detect-engine-address-ipv6.c index fc3a20e7ad..75e5c9e683 100644 --- a/src/detect-engine-address-ipv6.c +++ b/src/detect-engine-address-ipv6.c @@ -12,6 +12,7 @@ #include "detect-engine-address.h" #include "detect-engine-siggroup.h" +#include "detect-engine-port.h" /* return: 1 lt, 0 not lt */ @@ -187,7 +188,7 @@ static void AddressCutIPv6Copy(u_int32_t *a, u_int32_t *b) { b[3] = htonl(a[3]); } -int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, DetectAddressGroup **c) { +int DetectAddressGroupCutIPv6(DetectEngineCtx *de_ctx, DetectAddressGroup *a, DetectAddressGroup *b, DetectAddressGroup **c) { u_int32_t a_ip1[4] = { ntohl(a->ad->ip[0]), ntohl(a->ad->ip[1]), ntohl(a->ad->ip[2]), ntohl(a->ad->ip[3]) }; u_int32_t a_ip2[4] = { ntohl(a->ad->ip2[0]), ntohl(a->ad->ip2[1]), @@ -240,14 +241,14 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete AddressCutIPv6Copy(b_ip2, tmp_c->ad->ip2); *c = tmp_c; - SigGroupHeadCopySigs(b->sh,&tmp_c->sh); /* copy old b to c */ - SigGroupHeadCopySigs(a->sh,&b->sh); /* copy old b to a */ + SigGroupHeadCopySigs(de_ctx, b->sh, &tmp_c->sh); /* copy old b to c */ + SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh); /* copy old b to a */ for (port = b->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&tmp_c->port, port); + DetectPortInsertCopy(de_ctx, &tmp_c->port, port); } for (port = a->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&b->port, port); + DetectPortInsertCopy(de_ctx, &b->port, port); } tmp_c->cnt += b->cnt; 
@@ -282,25 +283,25 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete /* 'a' gets clean and then 'b' sigs * 'b' gets clean, then 'a' then 'b' sigs * 'c' gets 'a' sigs */ - SigGroupHeadCopySigs(a->sh,&tmp->sh); /* store old a list */ + SigGroupHeadCopySigs(de_ctx, a->sh, &tmp->sh); /* store old a list */ SigGroupHeadClearSigs(a->sh); /* clean a list */ - SigGroupHeadCopySigs(tmp->sh,&tmp_c->sh); /* copy old b to c */ - SigGroupHeadCopySigs(b->sh,&a->sh); /* copy old b to a */ - SigGroupHeadCopySigs(tmp->sh,&b->sh); /* prepend old a before b */ + SigGroupHeadCopySigs(de_ctx, tmp->sh, &tmp_c->sh); /* copy old b to c */ + SigGroupHeadCopySigs(de_ctx, b->sh,&a->sh); /* copy old b to a */ + SigGroupHeadCopySigs(de_ctx, tmp->sh, &b->sh); /* prepend old a before b */ SigGroupHeadClearSigs(tmp->sh); /* clean tmp list */ for (port = a->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&tmp->port, port); + DetectPortInsertCopy(de_ctx,&tmp->port, port); } for (port = b->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&a->port, port); + DetectPortInsertCopy(de_ctx,&a->port, port); } for (port = tmp->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&b->port, port); + DetectPortInsertCopy(de_ctx,&b->port, port); } for (port = tmp->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&tmp_c->port, port); + DetectPortInsertCopy(de_ctx,&tmp_c->port, port); } tmp->cnt += a->cnt; @@ -333,10 +334,10 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete AddressCutIPv6Copy(b_ip2, b->ad->ip2); /* 'b' overlaps 'a' so 'a' needs the 'b' sigs */ - SigGroupHeadCopySigs(b->sh,&a->sh); + SigGroupHeadCopySigs(de_ctx, b->sh,&a->sh); for (port = b->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&a->port, port); + DetectPortInsertCopy(de_ctx,&a->port, port); } a->cnt += b->cnt; 
@@ -348,20 +349,20 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete AddressCutIPv6Copy(a_ip2, b->ad->ip2); /* 'a' overlaps 'b' so 'b' needs the 'a' sigs */ - SigGroupHeadCopySigs(a->sh,&tmp->sh); + SigGroupHeadCopySigs(de_ctx, a->sh, &tmp->sh); SigGroupHeadClearSigs(a->sh); - SigGroupHeadCopySigs(b->sh,&a->sh); - SigGroupHeadCopySigs(tmp->sh,&b->sh); + SigGroupHeadCopySigs(de_ctx, b->sh, &a->sh); + SigGroupHeadCopySigs(de_ctx, tmp->sh, &b->sh); SigGroupHeadClearSigs(tmp->sh); for (port = a->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&tmp->port, a->port); + DetectPortInsertCopy(de_ctx,&tmp->port, a->port); } for (port = b->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&a->port, port); + DetectPortInsertCopy(de_ctx,&a->port, port); } for (port = tmp->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&b->port, port); + DetectPortInsertCopy(de_ctx,&b->port, port); } tmp->cnt += a->cnt; a->cnt = 0; 
@@ -392,25 +393,25 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete /* 'a' gets clean and then 'b' sigs * 'b' gets clean, then 'a' then 'b' sigs * 'c' gets 'b' sigs */ - SigGroupHeadCopySigs(a->sh,&tmp->sh); /* store old a list */ + SigGroupHeadCopySigs(de_ctx, a->sh, &tmp->sh); /* store old a list */ SigGroupHeadClearSigs(a->sh); /* clean a list */ - SigGroupHeadCopySigs(b->sh,&tmp_c->sh); /* copy old b to c */ - SigGroupHeadCopySigs(b->sh,&a->sh); /* copy old b to a */ - SigGroupHeadCopySigs(tmp->sh,&b->sh); /* prepend old a before b */ + SigGroupHeadCopySigs(de_ctx, b->sh, &tmp_c->sh); /* copy old b to c */ + SigGroupHeadCopySigs(de_ctx, b->sh, &a->sh); /* copy old b to a */ + SigGroupHeadCopySigs(de_ctx, tmp->sh, &b->sh); /* prepend old a before b */ SigGroupHeadClearSigs(tmp->sh); /* clean tmp list */ for (port = a->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&tmp->port, port); + DetectPortInsertCopy(de_ctx,&tmp->port, port); } for (port = b->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&tmp_c->port, port); + DetectPortInsertCopy(de_ctx,&tmp_c->port, port); } for (port = b->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&a->port, port); + DetectPortInsertCopy(de_ctx,&a->port, port); } for (port = tmp->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&b->port, port); + DetectPortInsertCopy(de_ctx,&b->port, port); } tmp->cnt += a->cnt; a->cnt = 0; 
@@ -442,20 +443,20 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete AddressCutIPv6Copy(a_ip2, b->ad->ip2); /* 'b' overlaps 'a' so a needs the 'b' sigs */ - SigGroupHeadCopySigs(b->sh,&tmp->sh); + SigGroupHeadCopySigs(de_ctx, b->sh, &tmp->sh); SigGroupHeadClearSigs(b->sh); - SigGroupHeadCopySigs(a->sh,&b->sh); - SigGroupHeadCopySigs(tmp->sh,&a->sh); + SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh); + SigGroupHeadCopySigs(de_ctx, tmp->sh, &a->sh); SigGroupHeadClearSigs(tmp->sh); for (port = b->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&tmp->port, b->port); + DetectPortInsertCopy(de_ctx,&tmp->port, b->port); } for (port = a->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&b->port, port); + DetectPortInsertCopy(de_ctx,&b->port, port); } for (port = tmp->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&a->port, port); + DetectPortInsertCopy(de_ctx,&a->port, port); } tmp->cnt += b->cnt; b->cnt = 0; @@ -470,10 +471,10 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete AddressCutIPv6Copy(b_ip2, b->ad->ip2); /* 'a' overlaps 'b' so a needs the 'a' sigs */ - SigGroupHeadCopySigs(a->sh,&b->sh); + SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh); for (port = a->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&b->port, port); + DetectPortInsertCopy(de_ctx,&b->port, port); } b->cnt += a->cnt; 
@@ -501,14 +502,14 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete /* 'a' stays the same wrt sigs * 'b' keeps it's own sigs and gets a's sigs prepended * 'c' gets 'a' sigs */ - SigGroupHeadCopySigs(a->sh,&b->sh); - SigGroupHeadCopySigs(a->sh,&tmp_c->sh); + SigGroupHeadCopySigs(de_ctx, a->sh, &b->sh); + SigGroupHeadCopySigs(de_ctx, a->sh, &tmp_c->sh); for (port = a->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&b->port, port); + DetectPortInsertCopy(de_ctx,&b->port, port); } for (port = a->port; port != NULL; port = port->next) { - DetectPortInsertCopy(&tmp_c->port, port); + DetectPortInsertCopy(de_ctx,&tmp_c->port, port); } b->cnt += a->cnt; @@ -743,7 +744,7 @@ error: return -1; } -int DetectAddressGroupJoinIPv6(DetectAddressGroup *target, DetectAddressGroup *source) { +int DetectAddressGroupJoinIPv6(DetectEngineCtx *de_ctx, DetectAddressGroup *target, DetectAddressGroup *source) { if (AddressIPv6Lt(source->ad->ip,target->ad->ip)) { target->ad->ip[0] = source->ad->ip[0]; target->ad->ip[1] = source->ad->ip[1]; diff --git a/src/detect-engine-address-ipv6.h b/src/detect-engine-address-ipv6.h index bc1e6cf26f..6d30217027 100644 --- a/src/detect-engine-address-ipv6.h +++ b/src/detect-engine-address-ipv6.h @@ -16,9 +16,8 @@ int DetectAddressCutIPv6(DetectAddressData *, DetectAddressData *, DetectAddress int DetectAddressCutNotIPv6(DetectAddressData *, DetectAddressData **); int DetectAddressCmpIPv6(DetectAddressData *, DetectAddressData *); -int DetectAddressGroupCutIPv6(DetectAddressGroup *, DetectAddressGroup *, DetectAddressGroup **); - -int DetectAddressGroupJoinIPv6(DetectAddressGroup *, DetectAddressGroup *); +int DetectAddressGroupCutIPv6(DetectEngineCtx *, DetectAddressGroup *, DetectAddressGroup *, DetectAddressGroup **); +int DetectAddressGroupJoinIPv6(DetectEngineCtx *, DetectAddressGroup *, DetectAddressGroup *); void DetectAddressIPv6Tests(void); 
diff --git a/src/detect-engine-address.c b/src/detect-engine-address.c index b2e840caf7..9513be6b9b 100644 --- a/src/detect-engine-address.c +++ b/src/detect-engine-address.c @@ -19,8 +19,9 @@ #include "detect-engine-address.h" #include "detect-engine-address-ipv4.h" #include "detect-engine-address-ipv6.h" +#include "detect-engine-port.h" -int DetectAddressSetup (Signature *s, SigMatch *m, char *sidstr); +int DetectAddressSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *sidstr); void DetectAddressTests (void); void DetectAddressRegister (void) { @@ -35,7 +36,7 @@ void DetectAddressRegister (void) { void DetectAddressDataPrint(DetectAddressData *); int DetectAddressCut(DetectAddressData *, DetectAddressData *, DetectAddressData **); int DetectAddressCutNot(DetectAddressData *, DetectAddressData **); -int DetectAddressGroupCut(DetectAddressGroup *, DetectAddressGroup *, DetectAddressGroup **); +int DetectAddressGroupCut(DetectEngineCtx *, DetectAddressGroup *, DetectAddressGroup *, DetectAddressGroup **); /* memory usage counters */ static u_int32_t detect_address_group_memory = 0; @@ -238,7 +239,7 @@ static DetectAddressGroup *GetHeadPtr(DetectAddressGroupsHead *gh, DetectAddress * 0: not inserted, memory of new is freed * 1: inserted * */ -int DetectAddressGroupInsert(DetectAddressGroupsHead *gh, DetectAddressGroup *new) { +int DetectAddressGroupInsert(DetectEngineCtx *de_ctx, DetectAddressGroupsHead *gh, DetectAddressGroup *new) { DetectAddressGroup *head = NULL; if (new == NULL) @@ -273,9 +274,9 @@ int DetectAddressGroupInsert(DetectAddressGroupsHead *gh, DetectAddressGroup *ne if (cur != new) { DetectPort *port = new->port; for ( ; port != NULL; port = port->next) { - DetectPortInsertCopy(&cur->port,port); + DetectPortInsertCopy(de_ctx,&cur->port,port); } - SigGroupHeadCopySigs(new->sh,&cur->sh); + SigGroupHeadCopySigs(de_ctx,new->sh,&cur->sh); cur->cnt += new->cnt; DetectAddressGroupFree(new); return 0; 
@@ -325,13 +326,13 @@ int DetectAddressGroupInsert(DetectAddressGroupsHead *gh, DetectAddressGroup *ne printf("DetectAddressGroupInsert: ADDRESS_ES\n"); #endif DetectAddressGroup *c = NULL; - r = DetectAddressGroupCut(cur,new,&c); - DetectAddressGroupInsert(gh, new); + r = DetectAddressGroupCut(de_ctx, cur,new,&c); + DetectAddressGroupInsert(de_ctx, gh, new); if (c) { #ifdef DBG printf("DetectAddressGroupInsert: inserting C "); DetectAddressDataPrint(c->ad); printf("\n"); #endif - DetectAddressGroupInsert(gh, c); + DetectAddressGroupInsert(de_ctx, gh, c); } return 1; } else if (r == ADDRESS_EB) { @@ -339,14 +340,14 @@ int DetectAddressGroupInsert(DetectAddressGroupsHead *gh, DetectAddressGroup *ne printf("ADDRESS_EB\n"); #endif DetectAddressGroup *c = NULL; - r = DetectAddressGroupCut(cur,new,&c); + r = DetectAddressGroupCut(de_ctx, cur,new,&c); //printf("DetectAddressGroupCut returned %d\n", r); - DetectAddressGroupInsert(gh, new); + DetectAddressGroupInsert(de_ctx, gh, new); if (c) { #ifdef DBG printf("DetectAddressGroupInsert: inserting C "); DetectAddressDataPrint(c->ad); printf("\n"); #endif - DetectAddressGroupInsert(gh, c); + DetectAddressGroupInsert(de_ctx, gh, c); } return 1; } else if (r == ADDRESS_LE) { @@ -354,13 +355,13 @@ int DetectAddressGroupInsert(DetectAddressGroupsHead *gh, DetectAddressGroup *ne printf("ADDRESS_LE\n"); #endif DetectAddressGroup *c = NULL; - r = DetectAddressGroupCut(cur,new,&c); - DetectAddressGroupInsert(gh, new); + r = DetectAddressGroupCut(de_ctx, cur,new,&c); + DetectAddressGroupInsert(de_ctx, gh, new); if (c) { #ifdef DBG printf("DetectAddressGroupInsert: inserting C "); DetectAddressDataPrint(c->ad); printf("\n"); #endif - DetectAddressGroupInsert(gh, c); + DetectAddressGroupInsert(de_ctx, gh, c); } return 1; } else if (r == ADDRESS_GE) { 
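Review bot: The result of `DetectAddressGroupCut` is stored in `r` and never checked: in the ADDRESS_ES branch here, and likewise in the EB, LE and GE branches in the following hunks, `new` and `c` are inserted and the function returns 1 whatever the cut returned. `DetectAddressGroupCut` returns -1 for an unrecognised address family (visible in its own hunk), so a failed cut leaves the group list built from groups that were never split, and rules may end up attached to the wrong address ranges. I would stop before inserting, e.g. `if (r == -1) goto error;` directly after the cut, and also check the return value of the recursive `DetectAddressGroupInsert` calls. The `error:` path sits outside this hunk, so check what it frees before jumping to it.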
@@ -368,13 +369,13 @@ int DetectAddressGroupInsert(DetectAddressGroupsHead *gh, DetectAddressGroup *ne printf("DetectAddressGroupInsert: ADDRESS_GE\n"); #endif DetectAddressGroup *c = NULL; - r = DetectAddressGroupCut(cur,new,&c); - DetectAddressGroupInsert(gh, new); + r = DetectAddressGroupCut(de_ctx, cur,new,&c); + DetectAddressGroupInsert(de_ctx, gh, new); if (c) { #ifdef DBG printf("DetectAddressGroupInsert: inserting C "); DetectAddressDataPrint(c->ad); printf("\n"); #endif - DetectAddressGroupInsert(gh, c); + DetectAddressGroupInsert(de_ctx, gh, c); } return 1; } @@ -396,7 +397,7 @@ error: return -1; } -int DetectAddressGroupJoin(DetectAddressGroup *target, DetectAddressGroup *source) { +int DetectAddressGroupJoin(DetectEngineCtx *de_ctx, DetectAddressGroup *target, DetectAddressGroup *source) { if (target == NULL || source == NULL) return -1; @@ -404,17 +405,17 @@ int DetectAddressGroupJoin(DetectAddressGroup *target, DetectAddressGroup *sourc return -1; target->cnt += source->cnt; - SigGroupHeadCopySigs(source->sh,&target->sh); + SigGroupHeadCopySigs(de_ctx, source->sh,&target->sh); DetectPort *port = source->port; for ( ; port != NULL; port = port->next) { - DetectPortInsertCopy(&target->port, port); + DetectPortInsertCopy(de_ctx,&target->port, port); } if (target->ad->family == AF_INET) { - return DetectAddressGroupJoinIPv4(target,source); + return DetectAddressGroupJoinIPv4(de_ctx, target,source); } else if (target->ad->family == AF_INET6) { - return DetectAddressGroupJoinIPv6(target,source); + return DetectAddressGroupJoinIPv6(de_ctx, target,source); } return -1; 
@@ -822,11 +823,11 @@ void DetectAddressGroupsHeadFree(DetectAddressGroupsHead *gh) { } } -int DetectAddressGroupCut(DetectAddressGroup *a, DetectAddressGroup *b, DetectAddressGroup **c) { +int DetectAddressGroupCut(DetectEngineCtx *de_ctx, DetectAddressGroup *a, DetectAddressGroup *b, DetectAddressGroup **c) { if (a->ad->family == AF_INET) { - return DetectAddressGroupCutIPv4(a,b,c); + return DetectAddressGroupCutIPv4(de_ctx, a,b,c); } else if (a->ad->family == AF_INET6) { - return DetectAddressGroupCutIPv6(a,b,c); + return DetectAddressGroupCutIPv6(de_ctx, a,b,c); } return -1; @@ -1108,7 +1109,7 @@ error: return NULL; } -int DetectAddressSetup (Signature *s, SigMatch *m, char *addressstr) +int DetectAddressSetup (DetectEngineCtx * de_ctx, Signature *s, SigMatch *m, char *addressstr) { char *str = addressstr; char dubbed = 0; diff --git a/src/detect-engine-address.h b/src/detect-engine-address.h index 0d156fe51b..9200f7af89 100644 --- a/src/detect-engine-address.h +++ b/src/detect-engine-address.h 
@@ -1,58 +1,6 @@ #ifndef __DETECT_ADDRESS_H__ #define __DETECT_ADDRESS_H__ -/* a is ... than b */ -enum { - ADDRESS_ER = -1, /* error e.g. compare ipv4 and ipv6 */ - ADDRESS_LT, /* smaller [aaa] [bbb] */ - ADDRESS_LE, /* smaller with overlap [aa[bab]bb] */ - ADDRESS_EQ, /* exactly equal [abababab] */ - ADDRESS_ES, /* within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]] */ - ADDRESS_EB, /* completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]] */ - ADDRESS_GE, /* bigger with overlap [bb[aba]aa] */ - ADDRESS_GT, /* bigger [bbb] [aaa] */ -}; - -#define ADDRESS_FLAG_ANY 0x1 -#define ADDRESS_FLAG_NOT 0x2 - -#define ADDRESS_GROUP_SIGGROUPHEAD_COPY 0x01 -#define ADDRESS_GROUP_PORTS_COPY 0x02 -#define ADDRESS_GROUP_PORTS_NOTUNIQ 0x04 - -typedef struct DetectAddressData_ { - /* XXX convert to use a Address datatype to replace family, ip,ip2*/ - u_int8_t family; - u_int32_t ip[4]; - u_int32_t ip2[4]; - u_int8_t flags; -} DetectAddressData; - -typedef struct DetectAddressGroup_ { - /* address data for this group */ - DetectAddressData *ad; - - /* XXX ptr to rules, or PortGroup or whatever */ - struct DetectAddressGroupsHead_ *dst_gh; - struct DetectPort_ *port; - - /* signatures that belong in this group */ - struct _SigGroupHead *sh; - u_int8_t flags; - - /* double linked list */ - struct DetectAddressGroup_ *prev; - struct DetectAddressGroup_ *next; - - u_int32_t cnt; -} DetectAddressGroup; - -typedef struct DetectAddressGroupsHead_ { - DetectAddressGroup *any_head; - DetectAddressGroup *ipv4_head; - DetectAddressGroup *ipv6_head; -} DetectAddressGroupsHead; - /* prototypes */ void DetectAddressRegister (void); DetectAddressGroupsHead *DetectAddressGroupsHeadInit(); 
@@ -72,10 +20,10 @@ int DetectAddressGroupAdd(DetectAddressGroup **, DetectAddressGroup *); DetectAddressGroup *DetectAddressGroupLookup(DetectAddressGroup *, DetectAddressData *); void DetectAddressGroupPrintList(DetectAddressGroup *); void DetectAddressGroupFree(DetectAddressGroup *); -int DetectAddressGroupInsert(DetectAddressGroupsHead *, DetectAddressGroup *); +int DetectAddressGroupInsert(DetectEngineCtx *, DetectAddressGroupsHead *, DetectAddressGroup *); void DetectAddressGroupPrintMemory(void); void DetectAddressGroupCleanupList (DetectAddressGroup *); -int DetectAddressGroupJoin(DetectAddressGroup *target, DetectAddressGroup *source); +int DetectAddressGroupJoin(DetectEngineCtx *, DetectAddressGroup *target, DetectAddressGroup *source); #endif /* __DETECT_ADDRESS_H__ */ diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index 06bc894c1a..e226be7263 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -7,6 +7,7 @@ #include "decode.h" #include "detect.h" +#include "detect-engine.h" #include "detect-engine-siggroup.h" #include "detect-engine-mpm.h" #include "util-mpm.h" @@ -26,7 +27,7 @@ u_int32_t PacketPatternScan(ThreadVars *t, PatternMatcherThread *pmt, Packet *p) u_int32_t ret; pmt->pmq.mode = PMQ_MODE_SCAN; - ret = pmt->mc->Scan(pmt->mc, &pmt->mtc, &pmt->pmq, p->tcp_payload, p->tcp_payload_len); + ret = pmt->sgh->mpm_ctx->Scan(pmt->sgh->mpm_ctx, &pmt->mtc, &pmt->pmq, p->tcp_payload, p->tcp_payload_len); //printf("PacketPatternScan: ret %u\n", ret); return ret; @@ -36,7 +37,7 @@ u_int32_t PacketPatternMatch(ThreadVars *t, PatternMatcherThread *pmt, Packet *p u_int32_t ret; pmt->pmq.mode = PMQ_MODE_SEARCH; - ret = pmt->mc->Search(pmt->mc, &pmt->mtc, &pmt->pmq, p->tcp_payload, p->tcp_payload_len); + ret = pmt->sgh->mpm_ctx->Search(pmt->sgh->mpm_ctx, &pmt->mtc, &pmt->pmq, p->tcp_payload, p->tcp_payload_len); //printf("PacketPatternMatch: ret %u\n", ret); return ret; 
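Review bot: `pmt->sgh->mpm_ctx->Scan(...)` in PacketPatternScan dereferences `pmt->sgh` and `pmt->sgh->mpm_ctx` without a check, although the PacketPatternCleanup hunk of this commit adds `if (pmt->sgh == NULL) return;`, which suggests the group head can be unset. PacketPatternMatch has the same pattern with `->Search`. If a packet can reach either function before a signature group head has been selected, this is a NULL dereference on the packet path, which takes the sensor down. A guard such as `if (pmt->sgh == NULL || pmt->sgh->mpm_ctx == NULL) return 0;` ahead of the call would match the cleanup code; if callers guarantee a non-NULL group head, a comment stating that contract is enough.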
@@ -50,13 +51,16 @@ void PacketPatternCleanup(ThreadVars *t, PatternMatcherThread *pmt) { } pmt->pmq.sig_id_array_cnt = 0; + if (pmt->sgh == NULL) + return; + /* content */ - if (pmt->mc != NULL && pmt->mc->Cleanup != NULL) { - pmt->mc->Cleanup(&pmt->mtc); + if (pmt->sgh->mpm_ctx != NULL && pmt->sgh->mpm_ctx->Cleanup != NULL) { + pmt->sgh->mpm_ctx->Cleanup(&pmt->mtc); } /* uricontent */ - if (pmt->mcu != NULL && pmt->mcu->Cleanup != NULL) { - pmt->mcu->Cleanup(&pmt->mtcu); + if (pmt->sgh->mpm_uri_ctx != NULL && pmt->sgh->mpm_uri_ctx->Cleanup != NULL) { + pmt->sgh->mpm_uri_ctx->Cleanup(&pmt->mtcu); } } @@ -107,13 +111,11 @@ static int g_content_total = 0; void DbgPrintScanSearchStats() { #if 0 - printf(": content scan %d, search %d (%02.1f%%) :\n", g_content_scan, g_content_search, + printf(" - MPM: scan %d, search %d (%02.1f%%) :\n", g_content_scan, g_content_search, (float)(g_content_scan/(float)(g_content_scan+g_content_search))*100); -// printf(": uricontent scan %d, urisearch %d (%02f%%) :\n", g_uricontent_scan, g_uricontent_search, -// (float)(g_uricontent_scan/(float)(g_uricontent_scan+g_uricontent_search))*100); - printf(": content maxdepth %d, total %d (%02.1f%%) :\n", g_content_maxdepth, g_content_total, + printf(" - MPM: maxdepth %d, total %d (%02.1f%%) :\n", g_content_maxdepth, g_content_total, (float)(g_content_maxdepth/(float)(g_content_total))*100); - printf(": content minoffset %d, total %d (%02.1f%%) :\n", g_content_minoffset, g_content_total, + printf(" - MPM: minoffset %d, total %d (%02.1f%%) :\n", g_content_minoffset, g_content_total, (float)(g_content_minoffset/(float)(g_content_total))*100); #endif } 
@@ -181,7 +183,7 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) MpmInitCtx(sh->mpm_uri_ctx, PM); } - u_int16_t mpm_content_scan_maxlen = 65535, mpm_uricontent_scan_maxlen = 65535; + //u_int16_t mpm_content_scan_maxlen = 65535, mpm_uricontent_scan_maxlen = 65535; u_int32_t mpm_content_cnt = 0, mpm_uricontent_cnt = 0; u_int16_t mpm_content_maxdepth = 65535, mpm_content_minoffset = 65535; u_int16_t mpm_content_maxdepth_one = 65535, mpm_content_minoffset_one = 65535; @@ -417,7 +419,11 @@ error: return -1; } -int PatternMatcherThreadInit(ThreadVars *t, void **data) { +int PatternMatcherThreadInit(ThreadVars *t, void *initdata, void **data) { + DetectEngineCtx *de_ctx = (DetectEngineCtx *)initdata; + if (de_ctx == NULL) + return -1; + PatternMatcherThread *pmt = malloc(sizeof(PatternMatcherThread)); if (pmt == NULL) { return -1; @@ -430,9 +436,9 @@ int PatternMatcherThreadInit(ThreadVars *t, void **data) { * of the content and uricontent id's so our match lookup * table is always big enough */ - mpm_ctx[0].InitThreadCtx(&mpm_ctx[0], &pmt->mtc, DetectContentMaxId()); - mpm_ctx[0].InitThreadCtx(&mpm_ctx[0], &pmt->mtcu, DetectUricontentMaxId()); - u_int32_t max_sig_id = SigGetMaxId(); + mpm_ctx[0].InitThreadCtx(&mpm_ctx[0], &pmt->mtc, DetectContentMaxId(de_ctx)); + mpm_ctx[0].InitThreadCtx(&mpm_ctx[0], &pmt->mtcu, DetectUricontentMaxId(de_ctx)); + u_int32_t max_sig_id = DetectEngineGetMaxSigId(de_ctx); /* sig callback testing stuff below */ pmt->pmq.sig_id_array = malloc(max_sig_id * sizeof(u_int32_t)); diff --git a/src/detect-engine-mpm.h b/src/detect-engine-mpm.h index ddcb58f73d..3d827cdd15 100644 --- a/src/detect-engine-mpm.h +++ b/src/detect-engine-mpm.h 
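Review bot: `malloc(max_sig_id * sizeof(u_int32_t))` in PatternMatcherThreadInit sizes `sig_id_array` from `DetectEngineGetMaxSigId(de_ctx)` with an unchecked multiplication, and a value of 0 produces a zero-size request. `pmt->pmq.sig_id_array = calloc(max_sig_id, sizeof(u_int32_t));` would check the product; if the getter returns the highest id rather than a count, the array also needs one more slot, which should be confirmed against its definition. The two `InitThreadCtx` calls still go through the global `mpm_ctx[0]` while the scan and search paths in this commit moved to `pmt->sgh->mpm_ctx`, so a short comment on why the thread context is still initialised from the global would help. The NULL check on the allocation lies outside the hunk.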
@@ -4,7 +4,9 @@ /* XXX remove once */ MpmCtx mpm_ctx[1]; +u_int32_t PacketPatternScan(ThreadVars *, PatternMatcherThread *, Packet *); u_int32_t PacketPatternMatch(ThreadVars *, PatternMatcherThread *, Packet *); + void PacketPatternCleanup(ThreadVars *, PatternMatcherThread *); void PatternMatchPrepare(MpmCtx *); int PatternMatchPrepareGroup(DetectEngineCtx *, SigGroupHead *); @@ -12,7 +14,7 @@ void PatternMatcherThreadInfo(ThreadVars *, PatternMatcherThread *); void PatternMatchDestroy(MpmCtx *); void PatternMatchDestroyGroup(SigGroupHead *); -int PatternMatcherThreadInit(ThreadVars *, void **); +int PatternMatcherThreadInit(ThreadVars *, void *, void **); int PatternMatcherThreadDeinit(ThreadVars *, void *); #endif /* __DETECT_MPM_H__ */ diff --git a/src/detect-engine-port.c b/src/detect-engine-port.c index 8421c99691..85ab5b6ac9 100644 --- a/src/detect-engine-port.c +++ b/src/detect-engine-port.c @@ -19,7 +19,7 @@ #include "detect-engine-siggroup.h" #include "detect-engine-port.h" -int DetectPortSetupTmp (Signature *s, SigMatch *m, char *sidstr); +int DetectPortSetupTmp (DetectEngineCtx *, Signature *s, SigMatch *m, char *sidstr); void DetectPortTests (void); void DetectPortRegister (void) { 
@@ -31,26 +31,15 @@ void DetectPortRegister (void) { } /* prototypes */ -void DetectPortPrint(DetectPort *); -int DetectPortCut(DetectPort *, DetectPort *, DetectPort **); int DetectPortCutNot(DetectPort *, DetectPort **); -int DetectPortCut(DetectPort *, DetectPort *, DetectPort **); -DetectPort *DetectPortCopy(DetectPort *src); +int DetectPortCut(DetectEngineCtx *, DetectPort *, DetectPort *, DetectPort **); DetectPort *PortParse(char *str); -int DetectPortCmp(DetectPort *, DetectPort *); /* memory usage counters */ static u_int32_t detect_port_memory = 0; static u_int32_t detect_port_init_cnt = 0; static u_int32_t detect_port_free_cnt = 0; -static u_int32_t detect_port_hash_add_cnt = 0; -static u_int32_t detect_port_hash_add_coll_cnt = 0; -static u_int32_t detect_port_hash_lookup_cnt = 0; -static u_int32_t detect_port_hash_lookup_miss_cnt = 0; -static u_int32_t detect_port_hash_lookup_hit_cnt = 0; -static u_int32_t detect_port_hash_lookup_loop_cnt = 0; - DetectPort *DetectPortInit(void) { DetectPort *dp = malloc(sizeof(DetectPort)); if (dp == NULL) { @@ -92,15 +81,6 @@ void DetectPortPrintMemory(void) { printf(" - detect_port_free_cnt %u\n", detect_port_free_cnt); printf(" - outstanding ports %u\n", detect_port_init_cnt - detect_port_free_cnt); printf(" * Port memory stats done\n"); -#if 0 - printf(" x detect_port_hash_add_cnt %u\n", detect_port_hash_add_cnt); - printf(" x detect_port_hash_add_insert_cnt %u\n", detect_port_hash_add_insert_cnt); - printf(" x detect_port_hash_add_coll_cnt %u\n", detect_port_hash_add_coll_cnt); - printf(" x detect_port_hash_lookup_cnt %u\n", detect_port_hash_lookup_cnt); - printf(" x detect_port_hash_lookup_miss_cnt %u\n", detect_port_hash_lookup_miss_cnt); - printf(" x detect_port_hash_lookup_hit_cnt %u\n", detect_port_hash_lookup_hit_cnt); - printf(" x detect_port_hash_lookup_loop_cnt %u\n", detect_port_hash_lookup_loop_cnt); -#endif } /* used to see if the exact same portrange exists in the list 
@@ -188,8 +168,8 @@ int DetectPortAdd(DetectPort **head, DetectPort *dp) { return 0; } -int DetectPortInsertCopy(DetectPort **head, DetectPort *new) { - DetectPort *copy = DetectPortCopySingle(new); +int DetectPortInsertCopy(DetectEngineCtx *de_ctx, DetectPort **head, DetectPort *new) { + DetectPort *copy = DetectPortCopySingle(de_ctx,new); //printf("new (%p): ", new); DetectPortPrint(new); printf(" "); DbgPrintSigs2(new->sh); //printf("copy (%p): ",copy); DetectPortPrint(copy); printf(" "); DbgPrintSigs2(copy->sh); @@ -198,7 +178,7 @@ int DetectPortInsertCopy(DetectPort **head, DetectPort *new) { //printf("DetectPortInsertCopy: "); DetectPortPrint(copy); printf("\n"); } - return DetectPortInsert(head, copy); + return DetectPortInsert(de_ctx, head, copy); } //#define DBG @@ -210,7 +190,7 @@ int DetectPortInsertCopy(DetectPort **head, DetectPort *new) { * 0: not inserted, memory of new is freed * 1: inserted * */ -int DetectPortInsert(DetectPort **head, DetectPort *new) { +int DetectPortInsert(DetectEngineCtx *de_ctx, DetectPort **head, DetectPort *new) { if (new == NULL) return 0; @@ -243,7 +223,7 @@ int DetectPortInsert(DetectPort **head, DetectPort *new) { #endif /* exact overlap/match */ if (cur != new) { - SigGroupHeadCopySigs(new->sh,&cur->sh); + SigGroupHeadCopySigs(de_ctx,new->sh,&cur->sh); cur->cnt += new->cnt; DetectPortFree(new); return 0; @@ -300,13 +280,13 @@ int DetectPortInsert(DetectPort **head, DetectPort *new) { printf("DetectPortInsert: PORT_ES\n"); #endif DetectPort *c = NULL; - r = DetectPortCut(cur,new,&c); - DetectPortInsert(head, new); + r = DetectPortCut(de_ctx,cur,new,&c); + DetectPortInsert(de_ctx, head, new); if (c) { #ifdef DBG printf("DetectPortInsert: inserting C (%p) ",c); DetectPortPrint(c); printf("\n"); #endif - DetectPortInsert(head, c); + DetectPortInsert(de_ctx, head, c); } return 1; } else if (r == PORT_EB) { 
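Review bot: When `DetectPortCopySingle(de_ctx,new)` fails in DetectPortInsertCopy, the NULL `copy` is still passed to `DetectPortInsert(de_ctx, head, copy)`, which returns 0 for a NULL argument. The comment above DetectPortInsert documents 0 as "not inserted, memory of new is freed", so an allocation failure looks the same as a harmless duplicate and the port is silently missing from the list. I would return early with `if (copy == NULL) return -1;` before the insert. The lines between the two DetectPortInsertCopy hunks are not shown, so this assumes nothing there already handles the NULL case.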
@@ -314,14 +294,14 @@ int DetectPortInsert(DetectPort **head, DetectPort *new) { printf("DetectPortInsert: PORT_EB\n"); #endif DetectPort *c = NULL; - r = DetectPortCut(cur,new,&c); + r = DetectPortCut(de_ctx,cur,new,&c); //printf("DetectPortCut returned %d\n", r); - DetectPortInsert(head, new); + DetectPortInsert(de_ctx, head, new); if (c) { #ifdef DBG printf("DetectPortInsert: inserting C "); DetectPortPrint(c); printf("\n"); #endif - DetectPortInsert(head, c); + DetectPortInsert(de_ctx, head, c); } return 1; } else if (r == PORT_LE) { @@ -329,13 +309,13 @@ int DetectPortInsert(DetectPort **head, DetectPort *new) { printf("DetectPortInsert: PORT_LE\n"); #endif DetectPort *c = NULL; - r = DetectPortCut(cur,new,&c); - DetectPortInsert(head, new); + r = DetectPortCut(de_ctx,cur,new,&c); + DetectPortInsert(de_ctx, head, new); if (c) { #ifdef DBG printf("DetectPortInsert: inserting C "); DetectPortPrint(c); printf("\n"); #endif - DetectPortInsert(head, c); + DetectPortInsert(de_ctx, head, c); } return 1; } else if (r == PORT_GE) { @@ -343,13 +323,13 @@ int DetectPortInsert(DetectPort **head, DetectPort *new) { printf("DetectPortInsert: PORT_GE\n"); #endif DetectPort *c = NULL; - r = DetectPortCut(cur,new,&c); - DetectPortInsert(head, new); + r = DetectPortCut(de_ctx,cur,new,&c); + DetectPortInsert(de_ctx, head, new); if (c) { #ifdef DBG printf("DetectPortInsert: inserting C "); DetectPortPrint(c); printf("\n"); #endif - DetectPortInsert(head, c); + DetectPortInsert(de_ctx, head, c); } return 1; } 
@@ -369,202 +349,7 @@ error: return -1; } -int DetectPortSetup(DetectPort **head, char *s) { - DetectPort *ad = NULL; - int r = 0; - - /* parse the address */ - ad = PortParse(s); - if (ad == NULL) { - printf("PortParse error \"%s\"\n",s); - goto error; - } - - /* handle the not case, we apply the negation - * then insert the part(s) */ - if (ad->flags & PORT_FLAG_NOT) { - DetectPort *ad2 = NULL; - - if (DetectPortCutNot(ad,&ad2) < 0) { - goto error; - } - - /* normally a 'not' will result in two ad's - * unless the 'not' is on the start or end - * of the address space (e.g. 0.0.0.0 or - * 255.255.255.255). */ - if (ad2 != NULL) { - if (DetectPortInsert(head, ad2) < 0) - goto error; - } - } - - r = DetectPortInsert(head, ad); - if (r < 0) - goto error; - - /* if any, insert 0.0.0.0/0 and ::/0 as well */ - if (r == 1 && ad->flags & PORT_FLAG_ANY) { - ad = PortParse("0:65535"); - if (ad == NULL) - goto error; - - if (DetectPortInsert(head, ad) < 0) - goto error; - } - - return 0; - -error: - printf("DetectPortSetup error\n"); - /* XXX cleanup */ - return -1; -} - -/* XXX error handling */ -int DetectPortParse2(DetectPort **head, DetectPort **nhead, char *s,int negate) { - int i, x; - int o_set = 0, n_set = 0; - int depth = 0; - size_t size = strlen(s); - char address[1024] = ""; - - for (i = 0, x = 0; i < size && x < sizeof(address); i++) { - address[x] = s[i]; - x++; - - if (!o_set && s[i] == '!') { - n_set = 1; - x--; - } else if (s[i] == '[') { - if (!o_set) { - o_set = 1; - x = 0; - } - depth++; - } else if (s[i] == ']') { - if (depth == 1) { - address[x-1] = '\0'; - x = 0; - - DetectPortParse2(head,nhead,address,negate ? 
negate : n_set); - n_set = 0; - } - depth--; - } else if (depth == 0 && s[i] == ',') { - if (o_set == 1) { - o_set = 0; - } else { - address[x-1] = '\0'; - - if (negate == 0 && n_set == 0) { - DetectPortSetup(head,address); - } else { - DetectPortSetup(nhead,address); - } - n_set = 0; - } - x = 0; - } else if (depth == 0 && i == size-1) { - address[x] = '\0'; - x = 0; - - if (negate == 0 && n_set == 0) { - DetectPortSetup(head,address); - } else { - DetectPortSetup(nhead,address); - } - n_set = 0; - } - } - - return 0; -//error: -// return -1; -} - -int DetectPortMergeNot(DetectPort **head, DetectPort **nhead) { - DetectPort *ad; - DetectPort *ag, *ag2; - int r = 0; - - /* step 0: if the head list is empty, but the nhead list isn't - * we have a pure not thingy. In that case we add a 0:65535 - * first. */ - if (*head == NULL && *nhead != NULL) { - r = DetectPortSetup(head,"0:65535"); - if (r < 0) { - goto error; - } - } - - /* step 1: insert our ghn members into the gh list */ - for (ag = *nhead; ag != NULL; ag = ag->next) { - /* work with a copy of the ad so we can easily clean up - * the ghn group later. */ - ad = DetectPortCopy(ag); - if (ad == NULL) { - goto error; - } - r = DetectPortInsert(head,ad); - if (r < 0) { - goto error; - } - } - - /* step 2: pull the address blocks that match our 'not' blocks */ - for (ag = *nhead; ag != NULL; ag = ag->next) { - for (ag2 = *head; ag2 != NULL; ) { - r = DetectPortCmp(ag,ag2); - if (r == PORT_EQ || r == PORT_EB) { /* XXX more ??? 
*/ - if (ag2->prev == NULL) { - *head = ag2->next; - } else { - ag2->prev->next = ag2->next; - } - - if (ag2->next != NULL) { - ag2->next->prev = ag2->prev; - } - /* store the next ptr and remove the group */ - DetectPort *next_ag2 = ag2->next; - DetectPortFree(ag2); - ag2 = next_ag2; - } else { - ag2 = ag2->next; - } - } - } - - return 0; -error: - return -1; -} - -int DetectPortParse(DetectPort **head, char *str) { - int r; - - DetectPort *nhead = NULL; - - r = DetectPortParse2(head,&nhead,str,/* start with negate no */0); - if (r < 0) { - goto error; - } - - /* merge the 'not' address groups */ - if (DetectPortMergeNot(head,&nhead) < 0) { - goto error; - } - - /* free the temp negate head */ - DetectPortFree(nhead); - return 0; -error: - DetectPortFree(nhead); - return -1; -} - -int DetectPortCut(DetectPort *a, DetectPort *b, DetectPort **c) { +int DetectPortCut(DetectEngineCtx *de_ctx, DetectPort *a, DetectPort *b, DetectPort **c) { u_int32_t a_port1 = a->port; u_int32_t a_port2 = a->port2; u_int32_t b_port1 = b->port; @@ -615,8 +400,8 @@ int DetectPortCut(DetectPort *a, DetectPort *b, DetectPort **c) { tmp_c->port2 = b_port2; *c = tmp_c; - SigGroupHeadCopySigs(b->sh,&tmp_c->sh); /* copy old b to c */ - SigGroupHeadCopySigs(a->sh,&b->sh); /* copy old b to a */ + SigGroupHeadCopySigs(de_ctx,b->sh,&tmp_c->sh); /* copy old b to c */ + SigGroupHeadCopySigs(de_ctx,a->sh,&b->sh); /* copy old b to a */ tmp_c->cnt += b->cnt; b->cnt += a->cnt; 
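Review bot: Several trailing comments in DetectPortCut do not match the arguments of the call they annotate, assuming the (source, destination) order used by `SigGroupHeadCopySigs(de_ctx, source->sh,&target->sh)` in DetectAddressGroupJoin. In this hunk `SigGroupHeadCopySigs(de_ctx,a->sh,&b->sh); /* copy old b to a */` copies a's signatures into b, so the comment should read `/* add a's sigs to b */`. In the next hunk `SigGroupHeadCopySigs(de_ctx,tmp->sh,&tmp_c->sh); /* copy old b to c */` copies the saved a list, which agrees with the block comment "'c' gets 'a' sigs" but not with the trailing comment; `/* copy old a to c */` would be correct. Since these lines decide which signatures end up on which port range, the comments are worth fixing while the calls are being touched. DetectPortCut starts and ends outside these hunks.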
@@ -649,11 +434,11 @@ int DetectPortCut(DetectPort *a, DetectPort *b, DetectPort **c) { /* 'a' gets clean and then 'b' sigs * 'b' gets clean, then 'a' then 'b' sigs * 'c' gets 'a' sigs */ - SigGroupHeadCopySigs(a->sh,&tmp->sh); /* store old a list */ + SigGroupHeadCopySigs(de_ctx,a->sh,&tmp->sh); /* store old a list */ SigGroupHeadClearSigs(a->sh); /* clean a list */ - SigGroupHeadCopySigs(tmp->sh,&tmp_c->sh); /* copy old b to c */ - SigGroupHeadCopySigs(b->sh,&a->sh); /* copy old b to a */ - SigGroupHeadCopySigs(tmp->sh,&b->sh); /* prepend old a before b */ + SigGroupHeadCopySigs(de_ctx,tmp->sh,&tmp_c->sh); /* copy old b to c */ + SigGroupHeadCopySigs(de_ctx,b->sh,&a->sh); /* copy old b to a */ + SigGroupHeadCopySigs(de_ctx,tmp->sh,&b->sh); /* prepend old a before b */ SigGroupHeadClearSigs(tmp->sh); /* clean tmp list */ @@ -695,7 +480,7 @@ int DetectPortCut(DetectPort *a, DetectPort *b, DetectPort **c) { b->port2 = b_port2; /* 'b' overlaps 'a' so 'a' needs the 'b' sigs */ - SigGroupHeadCopySigs(b->sh,&a->sh); + SigGroupHeadCopySigs(de_ctx,b->sh,&a->sh); a->cnt += b->cnt; } else if (a_port2 == b_port2) { @@ -709,7 +494,7 @@ int DetectPortCut(DetectPort *a, DetectPort *b, DetectPort **c) { b->port2 = a_port2; /* 'a' overlaps 'b' so 'b' needs the 'a' sigs */ - SigGroupHeadCopySigs(a->sh,&b->sh); + SigGroupHeadCopySigs(de_ctx,a->sh,&b->sh); b->cnt += a->cnt; } else { 
@@ -735,11 +520,11 @@ int DetectPortCut(DetectPort *a, DetectPort *b, DetectPort **c) { /* 'a' gets clean and then 'b' sigs * 'b' gets clean, then 'a' then 'b' sigs * 'c' gets 'b' sigs */ - SigGroupHeadCopySigs(a->sh,&tmp->sh); /* store old a list */ + SigGroupHeadCopySigs(de_ctx,a->sh,&tmp->sh); /* store old a list */ SigGroupHeadClearSigs(a->sh); /* clean a list */ - SigGroupHeadCopySigs(b->sh,&tmp_c->sh); /* copy old b to c */ - SigGroupHeadCopySigs(b->sh,&a->sh); /* copy old b to a */ - SigGroupHeadCopySigs(tmp->sh,&b->sh); /* merge old a with b */ + SigGroupHeadCopySigs(de_ctx,b->sh,&tmp_c->sh); /* copy old b to c */ + SigGroupHeadCopySigs(de_ctx,b->sh,&a->sh); /* copy old b to a */ + SigGroupHeadCopySigs(de_ctx,tmp->sh,&b->sh); /* merge old a with b */ SigGroupHeadClearSigs(tmp->sh); /* clean tmp list */ @@ -781,10 +566,10 @@ int DetectPortCut(DetectPort *a, DetectPort *b, DetectPort **c) { b->port2 = a_port2; /* 'b' overlaps 'a' so 'a' needs the 'b' sigs */ - SigGroupHeadCopySigs(b->sh,&tmp->sh); + SigGroupHeadCopySigs(de_ctx,b->sh,&tmp->sh); SigGroupHeadClearSigs(b->sh); - SigGroupHeadCopySigs(a->sh,&b->sh); - SigGroupHeadCopySigs(tmp->sh,&a->sh); + SigGroupHeadCopySigs(de_ctx,a->sh,&b->sh); + SigGroupHeadCopySigs(de_ctx,tmp->sh,&a->sh); SigGroupHeadClearSigs(tmp->sh); @@ -807,7 +592,7 @@ int DetectPortCut(DetectPort *a, DetectPort *b, DetectPort **c) { b->port2 = b_port2; /* 'a' overlaps 'b' so 'b' needs the 'a' sigs */ - SigGroupHeadCopySigs(a->sh,&b->sh); + SigGroupHeadCopySigs(de_ctx,a->sh,&b->sh); b->cnt += a->cnt; @@ -831,8 +616,8 @@ int DetectPortCut(DetectPort *a, DetectPort *b, DetectPort **c) { tmp_c->port2 = a_port2; *c = tmp_c; - SigGroupHeadCopySigs(a->sh,&b->sh); - SigGroupHeadCopySigs(a->sh,&tmp_c->sh); + SigGroupHeadCopySigs(de_ctx,a->sh,&b->sh); + SigGroupHeadCopySigs(de_ctx,a->sh,&tmp_c->sh); b->cnt += a->cnt; tmp_c->cnt += a->cnt; 
@@ -939,58 +724,7 @@ int DetectPortCmp(DetectPort *a, DetectPort *b) { return PORT_ER; } -DetectPort *PortParse(char *str) { - char *portdup = strdup(str); - char *port2 = NULL; - - DetectPort *dp = DetectPortInit(); - if (dp == NULL) - goto error; - - /* XXX better input validation */ - - /* we dup so we can put a nul-termination in it later */ - char *port = portdup; - - /* handle the negation case */ - if (port[0] == '!') { - dp->flags |= PORT_FLAG_NOT; - port++; - } - - /* see if the address is an ipv4 or ipv6 address */ - if ((port2 = strchr(port, ':')) != NULL) { - /* 80:81 range format */ - port[port2 - port] = '\0'; - port2++; - dp->port = atoi(port); - if (strcmp(port2,"") != 0) - dp->port2 = atoi(port2); - else - dp->port2 = 65535; - - /* a>b is illegal, a=b is ok */ - if (dp->port > dp->port2) - goto error; - - } else { - if (strcasecmp(port,"any") == 0) { - dp->port = 0; - dp->port2 = 65535; - } else { - dp->port = dp->port2 = atoi(port); - } - } - - free(portdup); - return dp; - -error: - if (portdup) free(portdup); - return NULL; -} - -DetectPort *DetectPortCopy(DetectPort *src) { +DetectPort *DetectPortCopy(DetectEngineCtx *de_ctx, DetectPort *src) { if (src == NULL) return NULL; @@ -1003,14 +737,14 @@ DetectPort *DetectPortCopy(DetectPort *src) { dst->sh = NULL; if (src->next != NULL) - dst->next = DetectPortCopy(src->next); + dst->next = DetectPortCopy(de_ctx,src->next); return dst; error: return NULL; } -DetectPort *DetectPortCopySingle(DetectPort *src) { +DetectPort *DetectPortCopySingle(DetectEngineCtx *de_ctx,DetectPort *src) { if (src == NULL) return NULL; 
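Review bot: `dst->next = DetectPortCopy(de_ctx,src->next);` in DetectPortCopy cannot distinguish a failure deeper in the list from the end of the list, so the caller can receive a silently truncated copy of a port list. Adding `if (dst->next == NULL) { DetectPortFree(dst); return NULL; }` after the assignment would propagate the failure, provided DetectPortFree is safe on a partially built node. The recursion depth equals the list length, and in the visible lines `de_ctx` is only forwarded to the recursive call, so a comment stating why the parameter exists would help. The start of the function body is not shown in this hunk.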
@@ -1024,14 +758,14 @@ DetectPort *DetectPortCopySingle(DetectPort *src) { dst->next = NULL; dst->prev = NULL; - SigGroupHeadCopySigs(src->sh,&dst->sh); + SigGroupHeadCopySigs(de_ctx,src->sh,&dst->sh); return dst; error: return NULL; } -int DetectPortSetupTmp (Signature *s, SigMatch *m, char *addressstr) +int DetectPortSetupTmp (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *addressstr) { return 0; } 
@@ -1076,274 +810,368 @@ DetectPortLookupGroup(DetectPort *dp, u_int16_t port) { return NULL; } +int DetectPortJoin(DetectEngineCtx *de_ctx, DetectPort *target, DetectPort *source) { + if (target == NULL || source == NULL) + return -1; -/* XXX eeewww global! move to DetectionEngineCtx once we have that! */ -static DetectPort **port_hash; -static DetectPort *port_list; -#define PORT_HASH_SIZE 1024 + target->cnt += source->cnt; + SigGroupHeadCopySigs(de_ctx,source->sh,&target->sh); -/* XXX dynamic size based on number of sigs? */ -int DetectPortHashInit(void) { - port_hash = (DetectPort **)malloc(sizeof(DetectPort *) * PORT_HASH_SIZE); - if (port_hash == NULL) { - goto error; - } - memset(port_hash,0,sizeof(DetectPort *) * PORT_HASH_SIZE); + if (source->port < target->port) + target->port = source->port; - port_list = NULL; + if (source->port2 > target->port2) + target->port2 = source->port2; - return 0; -error: return -1; } -void DetectPortHashFree(void) { - free(port_hash); - port_hash = NULL; +/* parsing routines */ + +static int DetectPortParseInsert(DetectPort **head, DetectPort *new) { + return DetectPortInsert(NULL, head, new); } -void DetectPortHashReset(void) { - if (port_hash != NULL) { - memset(port_hash,0,sizeof(DetectPort *) * PORT_HASH_SIZE); +static int DetectPortParseInsertString(DetectPort **head, char *s) { + DetectPort *ad = NULL; + int r = 0; + + /* parse the address */ + ad = PortParse(s); + if (ad == NULL) { + printf("PortParse error \"%s\"\n",s); + goto error; } - port_list = NULL; -} -DetectPort **DetectPortHashGetPtr(void) { - return port_hash; -} + /* handle the not case, we apply the negation + * then insert the part(s) */ + if (ad->flags & PORT_FLAG_NOT) { + DetectPort *ad2 = NULL; -DetectPort *DetectPortHashGetListPtr(void) { - return port_list; -} + if (DetectPortCutNot(ad,&ad2) < 0) { + goto error; + } -u_int32_t DetectPortHashGetSize(void) { - return PORT_HASH_SIZE; -} + /* normally a 'not' will result in two ad's + * unless the 'not' 
is on the start or end + * of the address space (e.g. 0.0.0.0 or + * 255.255.255.255). */ + if (ad2 != NULL) { + if (DetectPortParseInsert(head, ad2) < 0) + goto error; + } + } -static inline u_int32_t DetectPortHash(DetectPort *p) { - u_int32_t hash = p->port * p->port2; + r = DetectPortParseInsert(head, ad); + if (r < 0) + goto error; + + /* if any, insert 0.0.0.0/0 and ::/0 as well */ + if (r == 1 && ad->flags & PORT_FLAG_ANY) { + ad = PortParse("0:65535"); + if (ad == NULL) + goto error; + + if (DetectPortParseInsert(head, ad) < 0) + goto error; + } + + return 0; - return (hash % PORT_HASH_SIZE); +error: + printf("DetectPortParseInsertString error\n"); + /* XXX cleanup */ + return -1; } -int DetectPortHashAdd(DetectPort *p) { - u_int32_t hash = DetectPortHash(p); +/* XXX error handling */ +static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int negate) { + int i, x; + int o_set = 0, n_set = 0; + int depth = 0; + size_t size = strlen(s); + char address[1024] = ""; - //printf("DetectPortHashAdd: hash %u\n", hash); - detect_port_hash_add_cnt++; + for (i = 0, x = 0; i < size && x < sizeof(address); i++) { + address[x] = s[i]; + x++; - /* list */ - p->next = port_list; - port_list = p; + if (!o_set && s[i] == '!') { + n_set = 1; + x--; + } else if (s[i] == '[') { + if (!o_set) { + o_set = 1; + x = 0; + } + depth++; + } else if (s[i] == ']') { + if (depth == 1) { + address[x-1] = '\0'; + x = 0; - /* easy: no collision */ - if (port_hash[hash] == NULL) { - port_hash[hash] = p; - return 0; - } + DetectPortParseDo(head,nhead,address,negate ? 
negate : n_set); + n_set = 0; + } + depth--; + } else if (depth == 0 && s[i] == ',') { + if (o_set == 1) { + o_set = 0; + } else { + address[x-1] = '\0'; - detect_port_hash_add_coll_cnt++; + if (negate == 0 && n_set == 0) { + DetectPortParseInsertString(head,address); + } else { + DetectPortParseInsertString(nhead,address); + } + n_set = 0; + } + x = 0; + } else if (depth == 0 && i == size-1) { + address[x] = '\0'; + x = 0; - /* harder: collision */ - DetectPort *h = port_hash[hash], *ph = NULL; - for ( ; h != NULL; h = h->hnext) { -#if 0 - if (DetectPortCmp(p,h) == PORT_EB) { - if (h == port_hash[hash]) { - p->hnext = h; - port_hash[hash] = p; + if (negate == 0 && n_set == 0) { + DetectPortParseInsertString(head,address); } else { - p->hnext = ph->hnext; - ph->hnext = p; + DetectPortParseInsertString(nhead,address); } - detect_port_hash_add_insert_cnt++; - return 0; + n_set = 0; } -#endif - ph = h; } - ph->hnext = p; - - return 0; -} - -static inline int DetectPortHashCmp(DetectPort *a,DetectPort *b) { - if (a->port2 == b->port2 && a->port == b->port && a->flags == b->flags) - return 1; return 0; +//error: +// return -1; } -DetectPort *DetectPortHashLookup(DetectPort *p) { - u_int32_t hash = DetectPortHash(p); +/* part of the parsing routine */ +int DetectPortParseMergeNotPorts(DetectPort **head, DetectPort **nhead) { + DetectPort *ad; + DetectPort *ag, *ag2; + int r = 0; - //printf("DetectPortHashLookup: hash %u\n", hash); - detect_port_hash_lookup_cnt++; + /* step 0: if the head list is empty, but the nhead list isn't + * we have a pure not thingy. In that case we add a 0:65535 + * first. 
*/ + if (*head == NULL && *nhead != NULL) { + r = DetectPortParseInsertString(head,"0:65535"); + if (r < 0) { + goto error; + } + } - /* easy: no sgh at our hash */ - if (port_hash[hash] == NULL) { - detect_port_hash_lookup_miss_cnt++; - //printf("DetectPortHashLookup: not found\n"); - return NULL; + /* step 1: insert our ghn members into the gh list */ + for (ag = *nhead; ag != NULL; ag = ag->next) { + /* work with a copy of the ad so we can easily clean up + * the ghn group later. */ + ad = DetectPortCopy(NULL,ag); + if (ad == NULL) { + goto error; + } + r = DetectPortParseInsert(head, ad); + if (r < 0) { + goto error; + } } - /* see if we have the sgh we're looking for */ - DetectPort *h = port_hash[hash]; - for ( ; h != NULL; h = h->hnext) { - detect_port_hash_lookup_loop_cnt++; - if (DetectPortHashCmp(p,h) == 1) { - //printf("DetectPortHashLookup: found at %p\n", h); - detect_port_hash_lookup_hit_cnt++; - return h; + /* step 2: pull the address blocks that match our 'not' blocks */ + for (ag = *nhead; ag != NULL; ag = ag->next) { + for (ag2 = *head; ag2 != NULL; ) { + r = DetectPortCmp(ag,ag2); + if (r == PORT_EQ || r == PORT_EB) { /* XXX more ??? */ + if (ag2->prev == NULL) { + *head = ag2->next; + } else { + ag2->prev->next = ag2->next; + } + + if (ag2->next != NULL) { + ag2->next->prev = ag2->prev; + } + /* store the next ptr and remove the group */ + DetectPort *next_ag2 = ag2->next; + DetectPortFree(ag2); + ag2 = next_ag2; + } else { + ag2 = ag2->next; + } } } - //printf("DetectPortHashLookup: not found\n"); - return NULL; + return 0; +error: + return -1; } -/* XXX eeewww global! move to DetectionEngineCtx once we have that! */ -static DetectPort **sport_hash; -static DetectPort *sport_list; -#define SPORT_HASH_SIZE 1024 +int DetectPortParse(DetectPort **head, char *str) { + int r; + + /* negate port list */ + DetectPort *nhead = NULL; -/* XXX dynamic size based on number of sigs? 
*/ -int DetectPortSpHashInit(void) { - sport_hash = (DetectPort **)malloc(sizeof(DetectPort *) * SPORT_HASH_SIZE); - if (sport_hash == NULL) { + r = DetectPortParseDo(head,&nhead,str,/* start with negate no */0); + if (r < 0) { goto error; } - memset(sport_hash,0,sizeof(DetectPort *) * SPORT_HASH_SIZE); - sport_list = NULL; - //printf("DetectSPortHashInit: sport_hash %p\n", sport_hash); + /* merge the 'not' address groups */ + if (DetectPortParseMergeNotPorts(head,&nhead) < 0) { + goto error; + } + + /* free the temp negate head */ + DetectPortFree(nhead); return 0; error: - printf("DetectSPortHashInit: error sport_hash %p\n", sport_hash); + DetectPortFree(nhead); return -1; } -void DetectPortSpHashFree(void) { - free(sport_hash); - sport_hash = NULL; -} +DetectPort *PortParse(char *str) { + char *portdup = strdup(str); + char *port2 = NULL; + + DetectPort *dp = DetectPortInit(); + if (dp == NULL) + goto error; + + /* XXX better input validation */ -void DetectPortSpHashReset(void) { - if (sport_hash != NULL) { - memset(sport_hash,0,sizeof(DetectPort *) * SPORT_HASH_SIZE); + /* we dup so we can put a nul-termination in it later */ + char *port = portdup; + + /* handle the negation case */ + if (port[0] == '!') { + dp->flags |= PORT_FLAG_NOT; + port++; } - sport_list = NULL; -} -DetectPort **DetectPortSpHashGetPtr(void) { - return sport_hash; -} + /* see if the address is an ipv4 or ipv6 address */ + if ((port2 = strchr(port, ':')) != NULL) { + /* 80:81 range format */ + port[port2 - port] = '\0'; + port2++; + dp->port = atoi(port); + if (strcmp(port2,"") != 0) + dp->port2 = atoi(port2); + else + dp->port2 = 65535; -DetectPort *DetectPortSpHashGetListPtr(void) { - return sport_list; -} + /* a>b is illegal, a=b is ok */ + if (dp->port > dp->port2) + goto error; -u_int32_t DetectPortSpHashGetSize(void) { - return SPORT_HASH_SIZE; -} + } else { + if (strcasecmp(port,"any") == 0) { + dp->port = 0; + dp->port2 = 65535; + } else { + dp->port = dp->port2 = atoi(port); + } 
+ } -static inline u_int32_t DetectPortSpHash(DetectPort *p) { - u_int32_t hash = p->port * p->port2; + free(portdup); + return dp; - return (hash % SPORT_HASH_SIZE); +error: + if (portdup) free(portdup); + return NULL; } -int DetectPortSpHashAdd(DetectPort *p) { - u_int32_t hash = DetectPortSpHash(p); +/* end parsing routines */ - //printf("DetectSPortHashAdd: hash %u\n", hash); - detect_port_hash_add_cnt++; +/* init hashes */ +#define PORT_HASH_SIZE 1024 - /* list */ - p->next = sport_list; - sport_list = p; +u_int32_t DetectPortHashFunc(HashListTable *ht, void *data, u_int16_t datalen) { + DetectPort *p = (DetectPort *)data; + u_int32_t hash = p->port * p->port2; - /* easy: no collision */ - if (sport_hash[hash] == NULL) { - sport_hash[hash] = p; - return 0; - } + return hash % ht->array_size; +} - detect_port_hash_add_coll_cnt++; +char DetectPortCompareFunc(void *data1, u_int16_t len1, void *data2, u_int16_t len2) { + DetectPort *p1 = (DetectPort *)data1; + DetectPort *p2 = (DetectPort *)data2; - /* harder: collision */ - DetectPort *h = sport_hash[hash], *ph = NULL; - for ( ; h != NULL; h = h->hnext) { -#if 0 - if (DetectPortCmp(p,h) == PORT_EB) { - if (h == port_hash[hash]) { - p->hnext = h; - port_hash[hash] = p; - } else { - p->hnext = ph->hnext; - ph->hnext = p; - } - detect_port_hash_add_insert_cnt++; - return 0; - } -#endif - ph = h; - } - ph->hnext = p; + if (p1->port2 == p2->port2 && p1->port == p2->port && p1->flags == p2->flags) + return 1; return 0; } -DetectPort *DetectPortSpHashLookup(DetectPort *p) { - u_int32_t hash = DetectPortSpHash(p); +/* dp hash */ - //printf("DetectSPortHashLookup: hash %u, sport_hash %p, size %u port %p\n", hash, sport_hash, SPORT_HASH_SIZE, p); - detect_port_hash_lookup_cnt++; +int DetectPortDpHashInit(DetectEngineCtx *de_ctx) { + de_ctx->dport_hash_table = HashListTableInit(PORT_HASH_SIZE, DetectPortHashFunc, DetectPortCompareFunc, NULL); + if (de_ctx->dport_hash_table == NULL) + goto error; - /* easy: no sgh at our 
hash */ - if (sport_hash[hash] == NULL) { - detect_port_hash_lookup_miss_cnt++; - //printf("DetectSPortHashLookup: not found\n"); - return NULL; - } + return 0; +error: + return -1; +} - /* see if we have the sgh we're looking for */ - DetectPort *h = sport_hash[hash]; - for ( ; h != NULL; h = h->hnext) { - detect_port_hash_lookup_loop_cnt++; - if (DetectPortHashCmp(p,h) == 1) { - //printf("DetectSPortHashLookup: found at %p\n", h); - detect_port_hash_lookup_hit_cnt++; - return h; - } - } +void DetectPortDpHashFree(DetectEngineCtx *de_ctx) { + if (de_ctx->dport_hash_table == NULL) + return; - //printf("DetectSPortHashLookup: not found\n"); - return NULL; + HashListTableFree(de_ctx->dport_hash_table); + de_ctx->dport_hash_table = NULL; } -int DetectPortJoin(DetectPort *target, DetectPort *source) { - if (target == NULL || source == NULL) - return -1; +void DetectPortDpHashReset(DetectEngineCtx *de_ctx) { + DetectPortDpHashFree(de_ctx); + DetectPortDpHashInit(de_ctx); +} - target->cnt += source->cnt; - SigGroupHeadCopySigs(source->sh,&target->sh); +int DetectPortDpHashAdd(DetectEngineCtx *de_ctx, DetectPort *p) { + return HashListTableAdd(de_ctx->dport_hash_table, (void *)p, 0); +} - //DetectPort *port = source->port; - //for ( ; port != NULL; port = port->next) { - // DetectPortInsertCopy(&target->port, port); - //} +DetectPort *DetectPortDpHashLookup(DetectEngineCtx *de_ctx, DetectPort *p) { + DetectPort *rp = HashListTableLookup(de_ctx->dport_hash_table, (void *)p, 0); + return rp; +} - if (source->port < target->port) - target->port = source->port; +/* sp hash */ - if (source->port2 > target->port2) - target->port2 = source->port2; +int DetectPortSpHashInit(DetectEngineCtx *de_ctx) { + de_ctx->sport_hash_table = HashListTableInit(PORT_HASH_SIZE, DetectPortHashFunc, DetectPortCompareFunc, NULL); + if (de_ctx->sport_hash_table == NULL) + goto error; + return 0; +error: return -1; } +void DetectPortSpHashFree(DetectEngineCtx *de_ctx) { + if (de_ctx->sport_hash_table 
== NULL) + return; + + HashListTableFree(de_ctx->sport_hash_table); + de_ctx->sport_hash_table = NULL; +} + +void DetectPortSpHashReset(DetectEngineCtx *de_ctx) { + DetectPortSpHashFree(de_ctx); + DetectPortSpHashInit(de_ctx); +} + +int DetectPortSpHashAdd(DetectEngineCtx *de_ctx, DetectPort *p) { + return HashListTableAdd(de_ctx->sport_hash_table, (void *)p, 0); +} + +DetectPort *DetectPortSpHashLookup(DetectEngineCtx *de_ctx, DetectPort *p) { + DetectPort *rp = HashListTableLookup(de_ctx->sport_hash_table, (void *)p, 0); + return rp; +} + +/* end init hashes */ + /* TESTS */ int PortTestParse01 (void) { @@ -1446,7 +1274,7 @@ int PortTestParse06 (void) { if (r != 0) goto end; - copy = DetectPortCopy(dd); + copy = DetectPortCopy(NULL,dd); if (copy == NULL) goto end; diff --git a/src/detect-engine-port.h b/src/detect-engine-port.h index 7c0d068386..8ed334f00b 100644 --- a/src/detect-engine-port.h +++ b/src/detect-engine-port.h 
@@ -1,54 +1,15 @@ #ifndef __DETECT_PORT_H__ #define __DETECT_PORT_H__ -/* a is ... than b */ -enum { - PORT_ER = -1, /* error e.g. compare ipv4 and ipv6 */ - PORT_LT, /* smaller [aaa] [bbb] */ - PORT_LE, /* smaller with overlap [aa[bab]bb] */ - PORT_EQ, /* exactly equal [abababab] */ - PORT_ES, /* within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]] */ - PORT_EB, /* completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]] */ - PORT_GE, /* bigger with overlap [bb[aba]aa] */ - PORT_GT, /* bigger [bbb] [aaa] */ -}; - -#define PORT_FLAG_ANY 0x1 -#define PORT_FLAG_NOT 0x2 - -#define PORT_SIGGROUPHEAD_COPY 0x04 -#define PORT_GROUP_PORTS_COPY 0x08 - -typedef struct DetectPort_ { - u_int8_t flags; - - u_int16_t port; - u_int16_t port2; - - /* signatures that belong in this group */ - struct _SigGroupHead *sh; - - struct DetectPort_ *dst_ph; - - /* double linked list */ - union { - struct DetectPort_ *prev; - struct DetectPort_ *hnext; /* hash next */ - }; - struct DetectPort_ *next; - - u_int32_t cnt; -} DetectPort; - /* prototypes */ void DetectPortRegister (void); int DetectPortParse(DetectPort **head, char *str); -DetectPort *DetectPortCopy(DetectPort *); -DetectPort *DetectPortCopySingle(DetectPort *); -int DetectPortInsertCopy(DetectPort **, DetectPort *); -int DetectPortInsert(DetectPort **, DetectPort *); +DetectPort *DetectPortCopy(DetectEngineCtx *, DetectPort *); +DetectPort *DetectPortCopySingle(DetectEngineCtx *, DetectPort *); +int DetectPortInsertCopy(DetectEngineCtx *,DetectPort **, DetectPort *); +int DetectPortInsert(DetectEngineCtx *,DetectPort **, DetectPort *); void DetectPortCleanupList (DetectPort *head); DetectPort *DetectPortLookup(DetectPort *head, DetectPort *dp); 
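Review bot: With the `DetectPort` typedef removed from this header, the prototypes below still use `DetectPort` and now also `DetectEngineCtx`, and the hunk adds no `#include` for whichever header defines them. The header therefore compiles only when the including file has already pulled in those definitions, which makes the result depend on include order. Include the defining header at the top of this file (its name is not visible in this part of the diff), or add a comment such as `/* requires DetectPort and DetectEngineCtx to be declared before inclusion */`.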
@@ -58,25 +19,24 @@ DetectPort *DetectPortLookupGroup(DetectPort *dp, u_int16_t port); void DetectPortPrintMemory(void); -DetectPort *DetectPortHashLookup(DetectPort *p); -DetectPort **DetectPortHashGetPtr(void); -DetectPort *DetectPortHashGetListPtr(void); -u_int32_t DetectPortHashGetSize(void); -int DetectPortHashInit(void); -void DetectPortHashFree(void); -int DetectPortHashAdd(DetectPort *p); -void DetectPortHashReset(void); +DetectPort *DetectPortDpHashLookup(DetectEngineCtx *, DetectPort *); +DetectPort *DetectPortDpHashGetListPtr(DetectEngineCtx *); +int DetectPortDpHashInit(DetectEngineCtx *); +void DetectPortDpHashFree(DetectEngineCtx *); +int DetectPortDpHashAdd(DetectEngineCtx *, DetectPort *); +void DetectPortDpHashReset(DetectEngineCtx *); + +DetectPort *DetectPortSpHashLookup(DetectEngineCtx *, DetectPort *); +int DetectPortSpHashInit(DetectEngineCtx *); +void DetectPortSpHashFree(DetectEngineCtx *); +int DetectPortSpHashAdd(DetectEngineCtx *, DetectPort *); +void DetectPortSpHashReset(DetectEngineCtx *); -DetectPort *DetectPortSpHashLookup(DetectPort *p); -DetectPort **DetectPortSpHashGetPtr(void); -DetectPort *DetectPortSpHashGetListPtr(void); -u_int32_t DetectPortSpHashGetSize(void); -int DetectPortSpHashInit(void); -void DetectPortSpHashFree(void); -int DetectPortSpHashAdd(DetectPort *p); -void DetectPortSpHashReset(void); +int DetectPortJoin(DetectEngineCtx *,DetectPort *target, DetectPort *source); -int DetectPortJoin(DetectPort *target, DetectPort *source); +void DetectPortPrint(DetectPort *); +int DetectPortCmp(DetectPort *, DetectPort *); +void DetectPortFree(DetectPort *); #endif /* __DETECT_PORT_H__ */ diff --git a/src/detect-engine-proto.c b/src/detect-engine-proto.c index ad2d88cd4e..6c4c9fef53 100644 --- a/src/detect-engine-proto.c +++ b/src/detect-engine-proto.c 
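Review bot: `DetectPort *DetectPortDpHashGetListPtr(DetectEngineCtx *);` is declared here, but the dp hash section added to detect-engine-port.c in this diff defines only Init, Free, Reset, Add and Lookup. The sp counterpart of this accessor is removed by the same hunk. If no definition exists elsewhere, the prototype is dead and any caller would fail only at link time. Either drop the line or add the function next to `DetectPortDpHashLookup`.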
@@ -13,7 +13,7 @@ #include "detect-engine-siggroup.h" -int DetectProtoSetup (Signature *s, SigMatch *m, char *sidstr); +int DetectProtoSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *sidstr); void DetectProtoTests (void); void DetectProtoRegister (void) { @@ -67,7 +67,7 @@ int DetectProtoParse(DetectProto *dp, char *str) { } /* XXX remove */ -int DetectProtoSetup (Signature *s, SigMatch *m, char *str) +int DetectProtoSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *str) { return 0; } diff --git a/src/detect-engine-siggroup.c b/src/detect-engine-siggroup.c index 59f6bbb7a9..0af011eaed 100644 --- a/src/detect-engine-siggroup.c +++ b/src/detect-engine-siggroup.c @@ -1,3 +1,7 @@ +/* sig group + * + * + */ #include "decode.h" #include "detect.h" @@ -7,8 +11,16 @@ #include "util-unittest.h" #include "detect.h" +#include "detect-engine.h" #include "detect-engine-address.h" #include "detect-engine-mpm.h" +#include "detect-engine-siggroup.h" + +#include "detect-content.h" +#include "detect-uricontent.h" + +#include "util-hash.h" +#include "util-hashlist.h" /* prototypes */ int SigGroupHeadClearSigs(SigGroupHead *); 
@@ -33,490 +45,359 @@ void SigGroupHeadFree(SigGroupHead *sh) { if (sh->sig_array != NULL) { free(sh->sig_array); + sh->sig_array = NULL; detect_siggroup_sigarray_free_cnt++; detect_siggroup_sigarray_memory -= sh->sig_size; } + if (sh->content_array != NULL) { + free(sh->content_array); + sh->content_array = NULL; + sh->content_size = 0; + } + + if (sh->uri_content_array != NULL) { + free(sh->uri_content_array); + sh->uri_content_array = NULL; + sh->uri_content_size = 0; + } + + if (sh->match_array) { + detect_siggroup_matcharray_init_cnt--; + detect_siggroup_matcharray_memory -= (sh->sig_cnt * sizeof(u_int32_t)); + free(sh->match_array); + sh->match_array = NULL; + } free(sh); detect_siggroup_head_free_cnt++; detect_siggroup_head_memory -= sizeof(SigGroupHead); } -static int SigGroupHeadCmpSigArray(SigGroupHead *a, SigGroupHead *b) { - if (a->sig_size != b->sig_size) - return 0; - - if (memcmp(a->sig_array,b->sig_array,a->sig_size) != 0) - return 0; - - return 1; -} - -/* hashes */ - -/* XXX eeewww global! move to DetectionEngineCtx once we have that! */ -static SigGroupHead **sgh_port_hash = NULL; -static SigGroupHead **sgh_sport_hash = NULL; -static SigGroupHead **sgh_hash = NULL; -static SigGroupHead **sgh_mpm_hash = NULL; -static SigGroupHead **sgh_mpm_uri_hash = NULL; - -#define HASH_SIZE 262144 +/* + * initialization hashes + */ /* mpm sgh hash */ - -/* XXX dynamic size based on number of sigs? 
*/ -int SigGroupHeadMpmHashInit(void) { - sgh_mpm_hash = (SigGroupHead **)malloc(sizeof(SigGroupHead *) * HASH_SIZE); - if (sgh_mpm_hash == NULL) { - goto error; - } - memset(sgh_mpm_hash,0,sizeof(SigGroupHead *) * HASH_SIZE); - - return 0; -error: - return -1; -} - -u_int32_t SigGroupHeadMpmHash(SigGroupHead *sgh) { - u_int32_t hash = sgh->content_size<<8; +u_int32_t SigGroupHeadMpmHashFunc(HashListTable *ht, void *data, u_int16_t datalen) { + SigGroupHead *sgh = (SigGroupHead *)data; + u_int32_t hash = 0; u_int32_t b; for (b = 0; b < sgh->content_size; b+=1) { hash += sgh->content_array[b]; } - - return (hash % HASH_SIZE); + return hash % ht->array_size; } -int SigGroupHeadMpmHashAdd(SigGroupHead *sgh) { - u_int32_t hash = SigGroupHeadMpmHash(sgh); +char SigGroupHeadMpmCompareFunc(void *data1, u_int16_t len1, void *data2, u_int16_t len2) { + SigGroupHead *sgh1 = (SigGroupHead *)data1; + SigGroupHead *sgh2 = (SigGroupHead *)data2; - //printf("SigGroupHeadMpmHashAdd: hash %u\n", hash); - - /* easy: no collision */ - if (sgh_mpm_hash[hash] == NULL) { - sgh_mpm_hash[hash] = sgh; + if (sgh1->content_size != sgh2->content_size) return 0; - } - /* harder: collision */ - SigGroupHead *h = sgh_mpm_hash[hash], *ph = NULL; - for ( ; h != NULL; h = h->mpm_next) { - ph = h; - } - ph->mpm_next = sgh; + if (memcmp(sgh1->content_array,sgh2->content_array,sgh1->content_size) != 0) + return 0; - return 0; + return 1; } -SigGroupHead *SigGroupHeadMpmHashLookup(SigGroupHead *sgh) { - u_int32_t hash = SigGroupHeadMpmHash(sgh); - - //printf("SigGroupHeadMpmHashLookup: hash %u\n", hash); - - /* easy: no sgh at our hash */ - if (sgh_mpm_hash[hash] == NULL) { - return NULL; - } - - /* see if we have the sgh we're looking for */ - SigGroupHead *h = sgh_mpm_hash[hash]; - for ( ; h != NULL; h = h->mpm_next) { - if (sgh->content_size == h->content_size && - memcmp(sgh->content_array,h->content_array,sgh->content_size) == 0) { - return h; - } - } +int SigGroupHeadMpmHashInit(DetectEngineCtx 
*de_ctx) { + de_ctx->sgh_mpm_hash_table = HashListTableInit(4096, SigGroupHeadMpmHashFunc, SigGroupHeadMpmCompareFunc, NULL); + if (de_ctx->sgh_mpm_hash_table == NULL) + goto error; - return NULL; + return 0; +error: + return -1; } -void SigGroupHeadMpmHashFree(void) { - free(sgh_mpm_hash); - sgh_mpm_hash = NULL; +int SigGroupHeadMpmHashAdd(DetectEngineCtx *de_ctx, SigGroupHead *sgh) { + return HashListTableAdd(de_ctx->sgh_mpm_hash_table, (void *)sgh, 0); } -/* mpm uri sgh hash */ +SigGroupHead *SigGroupHeadMpmHashLookup(DetectEngineCtx *de_ctx, SigGroupHead *sgh) { + SigGroupHead *rsgh = HashListTableLookup(de_ctx->sgh_mpm_hash_table, (void *)sgh, 0); + return rsgh; +} -/* XXX dynamic size based on number of sigs? */ -int SigGroupHeadMpmUriHashInit(void) { - sgh_mpm_uri_hash = (SigGroupHead **)malloc(sizeof(SigGroupHead *) * HASH_SIZE); - if (sgh_mpm_uri_hash == NULL) { - goto error; - } - memset(sgh_mpm_uri_hash,0,sizeof(SigGroupHead *) * HASH_SIZE); +void SigGroupHeadMpmHashFree(DetectEngineCtx *de_ctx) { + if (de_ctx->sgh_mpm_hash_table == NULL) + return; - return 0; -error: - return -1; + HashListTableFree(de_ctx->sgh_mpm_hash_table); + de_ctx->sgh_mpm_hash_table = NULL; } -u_int32_t SigGroupHeadMpmUriHash(SigGroupHead *sgh) { - u_int32_t hash = sgh->uri_content_size<<8; +/* mpm uri sgh hash */ + +u_int32_t SigGroupHeadMpmUriHashFunc(HashListTable *ht, void *data, u_int16_t datalen) { + SigGroupHead *sgh = (SigGroupHead *)data; + u_int32_t hash = 0; u_int32_t b; for (b = 0; b < sgh->uri_content_size; b+=1) { hash += sgh->uri_content_array[b]; } - - return (hash % HASH_SIZE); + return hash % ht->array_size; } -int SigGroupHeadMpmUriHashAdd(SigGroupHead *sgh) { - u_int32_t hash = SigGroupHeadMpmUriHash(sgh); - - //printf("SigGroupHeadHashAdd: hash %u\n", hash); +char SigGroupHeadMpmUriCompareFunc(void *data1, u_int16_t len1, void *data2, u_int16_t len2) { + SigGroupHead *sgh1 = (SigGroupHead *)data1; + SigGroupHead *sgh2 = (SigGroupHead *)data2; - /* easy: no 
collision */ - if (sgh_mpm_uri_hash[hash] == NULL) { - sgh_mpm_uri_hash[hash] = sgh; + if (sgh1->uri_content_size != sgh2->uri_content_size) return 0; - } - /* harder: collision */ - SigGroupHead *h = sgh_mpm_uri_hash[hash], *ph = NULL; - for ( ; h != NULL; h = h->mpm_uri_next) { - ph = h; - } - ph->mpm_uri_next = sgh; + if (memcmp(sgh1->uri_content_array,sgh2->uri_content_array,sgh1->uri_content_size) != 0) + return 0; - return 0; + return 1; } -SigGroupHead *SigGroupHeadMpmUriHashLookup(SigGroupHead *sgh) { - u_int32_t hash = SigGroupHeadMpmUriHash(sgh); - - //printf("SigGroupHeadHashLookup: hash %u\n", hash); - - /* easy: no sgh at our hash */ - if (sgh_mpm_uri_hash[hash] == NULL) { - return NULL; - } - - /* see if we have the sgh we're looking for */ - SigGroupHead *h = sgh_mpm_uri_hash[hash]; - for ( ; h != NULL; h = h->mpm_uri_next) { - if (sgh->uri_content_size == h->uri_content_size && - memcmp(sgh->uri_content_array,h->uri_content_array,sgh->uri_content_size) == 0) { - return h; - } - } +int SigGroupHeadMpmUriHashInit(DetectEngineCtx *de_ctx) { + de_ctx->sgh_mpm_uri_hash_table = HashListTableInit(4096, SigGroupHeadMpmUriHashFunc, SigGroupHeadMpmUriCompareFunc, NULL); + if (de_ctx->sgh_mpm_uri_hash_table == NULL) + goto error; - return NULL; + return 0; +error: + return -1; } -void SigGroupHeadMpmUriHashFree(void) { - free(sgh_mpm_uri_hash); - sgh_mpm_uri_hash = NULL; +int SigGroupHeadMpmUriHashAdd(DetectEngineCtx *de_ctx, SigGroupHead *sgh) { + return HashListTableAdd(de_ctx->sgh_mpm_uri_hash_table, (void *)sgh, 0); } -/* non-port sgh hash */ +SigGroupHead *SigGroupHeadMpmUriHashLookup(DetectEngineCtx *de_ctx, SigGroupHead *sgh) { + SigGroupHead *rsgh = HashListTableLookup(de_ctx->sgh_mpm_uri_hash_table, (void *)sgh, 0); + return rsgh; +} -/* XXX dynamic size based on number of sigs? 
*/ -int SigGroupHeadHashInit(void) { - sgh_hash = (SigGroupHead **)malloc(sizeof(SigGroupHead *) * HASH_SIZE); - if (sgh_hash == NULL) { - goto error; - } - memset(sgh_hash,0,sizeof(SigGroupHead *) * HASH_SIZE); +void SigGroupHeadMpmUriHashFree(DetectEngineCtx *de_ctx) { + if (de_ctx->sgh_mpm_uri_hash_table == NULL) + return; - return 0; -error: - return -1; + HashListTableFree(de_ctx->sgh_mpm_uri_hash_table); + de_ctx->sgh_mpm_uri_hash_table = NULL; } -u_int32_t SigGroupHeadHash(SigGroupHead *sgh) { +/* non-port sgh hash */ + +u_int32_t SigGroupHeadHashFunc(HashListTable *ht, void *data, u_int16_t datalen) { + SigGroupHead *sgh = (SigGroupHead *)data; u_int32_t hash = 0; u_int32_t b; - for (b = 0; b < sgh->content_size; b+=1) { - hash += sgh->content_array[b]; + for (b = 0; b < sgh->sig_size; b+=1) { + hash += sgh->sig_array[b]; } - - return (hash % HASH_SIZE); + return hash % ht->array_size; } -int SigGroupHeadHashAdd(SigGroupHead *sgh) { - u_int32_t hash = SigGroupHeadHash(sgh); - - //printf("SigGroupHeadHashAdd: hash %u\n", hash); +char SigGroupHeadCompareFunc(void *data1, u_int16_t len1, void *data2, u_int16_t len2) { + SigGroupHead *sgh1 = (SigGroupHead *)data1; + SigGroupHead *sgh2 = (SigGroupHead *)data2; - /* easy: no collision */ - if (sgh_hash[hash] == NULL) { - sgh_hash[hash] = sgh; + if (sgh1->sig_size != sgh2->sig_size) return 0; - } - /* harder: collision */ - SigGroupHead *h = sgh_hash[hash], *ph = NULL; - for ( ; h != NULL; h = h->next) { - ph = h; - } - ph->next = sgh; + if (memcmp(sgh1->sig_array,sgh2->sig_array,sgh1->sig_size) != 0) + return 0; - return 0; + return 1; } -SigGroupHead *SigGroupHeadHashLookup(SigGroupHead *sgh) { - u_int32_t hash = SigGroupHeadHash(sgh); - - //printf("SigGroupHeadHashLookup: hash %u\n", hash); +/* sgh */ - /* easy: no sgh at our hash */ - if (sgh_hash[hash] == NULL) { - return NULL; - } +int SigGroupHeadHashInit(DetectEngineCtx *de_ctx) { + de_ctx->sgh_hash_table = HashListTableInit(4096, SigGroupHeadHashFunc, 
SigGroupHeadCompareFunc, NULL); + if (de_ctx->sgh_hash_table == NULL) + goto error; - /* see if we have the sgh we're looking for */ - SigGroupHead *h = sgh_hash[hash]; - for ( ; h != NULL; h = h->next) { - if (SigGroupHeadCmpSigArray(sgh,h) == 1) { - return h; - } - } + return 0; +error: + return -1; +} - return NULL; +int SigGroupHeadHashAdd(DetectEngineCtx *de_ctx, SigGroupHead *sgh) { + return HashListTableAdd(de_ctx->sgh_hash_table, (void *)sgh, 0); } -void SigGroupHeadHashFree(void) { - free(sgh_hash); - sgh_hash = NULL; +SigGroupHead *SigGroupHeadHashLookup(DetectEngineCtx *de_ctx, SigGroupHead *sgh) { + SigGroupHead *rsgh = HashListTableLookup(de_ctx->sgh_hash_table, (void *)sgh, 0); + return rsgh; } +void SigGroupHeadHashFree(DetectEngineCtx *de_ctx) { + if (de_ctx->sgh_hash_table == NULL) + return; + + HashListTableFree(de_ctx->sgh_hash_table); + de_ctx->sgh_hash_table = NULL; +} /* port based sgh hash */ -/* XXX dynamic size based on number of sigs? */ -int SigGroupHeadPortHashInit(void) { - sgh_port_hash = (SigGroupHead **)malloc(sizeof(SigGroupHead *) * HASH_SIZE); - if (sgh_port_hash == NULL) { +/* dport */ + +int SigGroupHeadDPortHashInit(DetectEngineCtx *de_ctx) { + de_ctx->sgh_dport_hash_table = HashListTableInit(4096, SigGroupHeadHashFunc, SigGroupHeadCompareFunc, NULL); + if (de_ctx->sgh_dport_hash_table == NULL) goto error; - } - memset(sgh_port_hash,0,sizeof(SigGroupHead *) * HASH_SIZE); return 0; error: return -1; } -int SigGroupHeadPortHashAdd(SigGroupHead *sgh) { - u_int32_t hash = SigGroupHeadHash(sgh); - - //printf("SigGroupHeadHashAdd: hash %u\n", hash); - - /* easy: no collision */ - if (sgh_port_hash[hash] == NULL) { - sgh_port_hash[hash] = sgh; - return 0; - } - - /* harder: collision */ - SigGroupHead *h = sgh_port_hash[hash], *ph = NULL; - for ( ; h != NULL; h = h->next) { - ph = h; - } - ph->next = sgh; - - return 0; +int SigGroupHeadDPortHashAdd(DetectEngineCtx *de_ctx, SigGroupHead *sgh) { + return 
HashListTableAdd(de_ctx->sgh_dport_hash_table, (void *)sgh, 0); } -SigGroupHead *SigGroupHeadPortHashLookup(SigGroupHead *sgh) { - u_int32_t hash = SigGroupHeadHash(sgh); - - //printf("SigGroupHeadHashLookup: hash %u\n", hash); - - /* easy: no sgh at our hash */ - if (sgh_port_hash[hash] == NULL) { - return NULL; - } +SigGroupHead *SigGroupHeadDPortHashLookup(DetectEngineCtx *de_ctx, SigGroupHead *sgh) { + SigGroupHead *rsgh = HashListTableLookup(de_ctx->sgh_dport_hash_table, (void *)sgh, 0); + return rsgh; +} - /* see if we have the sgh we're looking for */ - SigGroupHead *h = sgh_port_hash[hash]; - for ( ; h != NULL; h = h->next) { - if (SigGroupHeadCmpSigArray(sgh,h) == 1) { - return h; - } - } +void SigGroupHeadDPortHashFree(DetectEngineCtx *de_ctx) { + if (de_ctx->dport_hash_table == NULL) + return; - return NULL; + HashListTableFree(de_ctx->sgh_dport_hash_table); + de_ctx->sgh_dport_hash_table = NULL; } -void SigGroupHeadPortHashFree(void) { - free(sgh_port_hash); - sgh_port_hash = NULL; -} +/* sport */ -/* XXX dynamic size based on number of sigs? 
*/ -int SigGroupHeadSPortHashInit(void) { - sgh_sport_hash = (SigGroupHead **)malloc(sizeof(SigGroupHead *) * HASH_SIZE); - if (sgh_sport_hash == NULL) { +int SigGroupHeadSPortHashInit(DetectEngineCtx *de_ctx) { + de_ctx->sgh_sport_hash_table = HashListTableInit(4096, SigGroupHeadHashFunc, SigGroupHeadCompareFunc, NULL); + if (de_ctx->sgh_sport_hash_table == NULL) goto error; - } - memset(sgh_sport_hash,0,sizeof(SigGroupHead *) * HASH_SIZE); return 0; error: return -1; } -int SigGroupHeadSPortHashAdd(SigGroupHead *sgh) { - u_int32_t hash = SigGroupHeadHash(sgh); - - //printf("SigGroupHeadHashAdd: hash %u\n", hash); - - /* easy: no collision */ - if (sgh_sport_hash[hash] == NULL) { - sgh_sport_hash[hash] = sgh; - return 0; - } - - /* harder: collision */ - SigGroupHead *h = sgh_sport_hash[hash], *ph = NULL; - for ( ; h != NULL; h = h->next) { - ph = h; - } - ph->next = sgh; - - return 0; +int SigGroupHeadSPortHashAdd(DetectEngineCtx *de_ctx, SigGroupHead *sgh) { + return HashListTableAdd(de_ctx->sgh_sport_hash_table, (void *)sgh, 0); } -SigGroupHead *SigGroupHeadSPortHashLookup(SigGroupHead *sgh) { - u_int32_t hash = SigGroupHeadHash(sgh); +SigGroupHead *SigGroupHeadSPortHashLookup(DetectEngineCtx *de_ctx, SigGroupHead *sgh) { + SigGroupHead *rsgh = HashListTableLookup(de_ctx->sgh_sport_hash_table, (void *)sgh, 0); + return rsgh; +} - //printf("SigGroupHeadHashLookup: hash %u\n", hash); +void SigGroupHeadSPortHashFree(DetectEngineCtx *de_ctx) { + if (de_ctx->sport_hash_table == NULL) + return; - /* easy: no sgh at our hash */ - if (sgh_sport_hash[hash] == NULL) { - return NULL; - } + HashListTableFree(de_ctx->sgh_sport_hash_table); + de_ctx->sgh_sport_hash_table = NULL; +} - /* see if we have the sgh we're looking for */ - SigGroupHead *h = sgh_sport_hash[hash]; - for ( ; h != NULL; h = h->next) { - if (SigGroupHeadCmpSigArray(sgh,h) == 1) { - return h; - } - } +/* end hashes */ - return NULL; -} +static void SigGroupHeadFreeSigArraysHash2(DetectEngineCtx *de_ctx, 
HashListTable *ht) { + HashListTableBucket *htb = NULL; -void SigGroupHeadSPortHashFree(void) { - free(sgh_sport_hash); - sgh_sport_hash = NULL; -} + for (htb = HashListTableGetListHead(ht); htb != NULL; htb = HashListTableGetListNext(htb)) { + SigGroupHead *sgh = (SigGroupHead *)HashListTableGetListData(htb); -/* end hashes */ + if (sgh->sig_array != NULL) { + detect_siggroup_sigarray_free_cnt++; + detect_siggroup_sigarray_memory -= sgh->sig_size; -void SigGroupHeadFreeHeads(void) { - SigGroupHead *b, *nb, *pb; + free(sgh->sig_array); + sgh->sig_array = NULL; + sgh->sig_size = 0; + } - u_int32_t hash = 0; - for ( ; hash < HASH_SIZE; hash++) { - b = sgh_hash[hash]; - for ( ; b != NULL; ) { - nb = b->next; - - if (b->flags & SIG_GROUP_HEAD_FREE) { -printf("SigGroupHeadFreeHeads: want to free %p\n", b); -//#if 0 - SigGroupHeadFree(b); - - /* remove from the hash as well */ - if (b == sgh_hash[hash]) { - sgh_hash[hash] = nb; - } else { - pb->next = nb; - } -//#endif - } + if (sgh->content_array != NULL) { + free(sgh->content_array); + sgh->content_array = NULL; + sgh->content_size = 0; + } - pb = b; - b = nb; + if (sgh->uri_content_array != NULL) { + free(sgh->uri_content_array); + sgh->uri_content_array = NULL; + sgh->uri_content_size = 0; } } } -static void SigGroupHeadFreeSigArraysHash(SigGroupHead **hashtbl) { - SigGroupHead *b; +static void SigGroupHeadFreeSigArraysHash(DetectEngineCtx *de_ctx, HashListTable *ht) { + HashListTableBucket *htb = NULL; - u_int32_t hash = 0; - for ( ; hash < HASH_SIZE; hash++) { - b = hashtbl[hash]; - for ( ; b != NULL; b = b->next) { - if (b->sig_array != NULL) { - detect_siggroup_sigarray_free_cnt++; - detect_siggroup_sigarray_memory -= b->sig_size; - - free(b->sig_array); - b->sig_array = NULL; - b->sig_size = 0; - } + for (htb = HashListTableGetListHead(ht); htb != NULL; htb = HashListTableGetListNext(htb)) { + SigGroupHead *sgh = (SigGroupHead *)HashListTableGetListData(htb); + + if (sgh->sig_array != NULL) { + 
detect_siggroup_sigarray_free_cnt++; + detect_siggroup_sigarray_memory -= sgh->sig_size; + + free(sgh->sig_array); + sgh->sig_array = NULL; + sgh->sig_size = 0; } } } /* Free the sigarrays in the sgh's. Those are only * used during the init stage. */ -void SigGroupHeadFreeSigArrays(void) { - SigGroupHeadFreeSigArraysHash(sgh_hash); - SigGroupHeadFreeSigArraysHash(sgh_port_hash); - SigGroupHeadFreeSigArraysHash(sgh_sport_hash); +void SigGroupHeadFreeSigArrays(DetectEngineCtx *de_ctx) { + SigGroupHeadFreeSigArraysHash2(de_ctx, de_ctx->sgh_hash_table); + + SigGroupHeadFreeSigArraysHash(de_ctx, de_ctx->sgh_dport_hash_table); + SigGroupHeadFreeSigArraysHash(de_ctx, de_ctx->sgh_sport_hash_table); } /* Free the mpm arrays that are only used during the * init stage */ -void SigGroupHeadFreeMpmArrays(void) { - SigGroupHead *b; +void SigGroupHeadFreeMpmArrays(DetectEngineCtx *de_ctx) { + HashListTableBucket *htb = NULL; - u_int32_t hash = 0; - for ( ; hash < HASH_SIZE; hash++) { - b = sgh_hash[hash]; - for ( ; b != NULL; b = b->next) { - if (b->content_array != NULL) { - free(b->content_array); - b->content_array = NULL; - b->content_size = 0; - } - if (b->uri_content_array != NULL) { - free(b->uri_content_array); - b->uri_content_array = NULL; - b->uri_content_size = 0; - } + for (htb = HashListTableGetListHead(de_ctx->sgh_dport_hash_table); htb != NULL; htb = HashListTableGetListNext(htb)) { + SigGroupHead *sgh = (SigGroupHead *)HashListTableGetListData(htb); + + if (sgh->content_array != NULL) { + free(sgh->content_array); + sgh->content_array = NULL; + sgh->content_size = 0; } - b = sgh_port_hash[hash]; - for ( ; b != NULL; b = b->next) { - if (b->content_array != NULL) { - free(b->content_array); - b->content_array = NULL; - b->content_size = 0; - } - if (b->uri_content_array != NULL) { - free(b->uri_content_array); - b->uri_content_array = NULL; - b->uri_content_size = 0; - } + + if (sgh->uri_content_array != NULL) { + free(sgh->uri_content_array); + 
sgh->uri_content_array = NULL; + sgh->uri_content_size = 0; } - b = sgh_sport_hash[hash]; - for ( ; b != NULL; b = b->next) { - if (b->content_array != NULL) { - free(b->content_array); - b->content_array = NULL; - b->content_size = 0; - } - if (b->uri_content_array != NULL) { - free(b->uri_content_array); - b->uri_content_array = NULL; - b->uri_content_size = 0; - } + } + + for (htb = HashListTableGetListHead(de_ctx->sgh_sport_hash_table); htb != NULL; htb = HashListTableGetListNext(htb)) { + SigGroupHead *sgh = (SigGroupHead *)HashListTableGetListData(htb); + + if (sgh->content_array != NULL) { + free(sgh->content_array); + sgh->content_array = NULL; + sgh->content_size = 0; + } + + if (sgh->uri_content_array != NULL) { + free(sgh->uri_content_array); + sgh->uri_content_array = NULL; + sgh->uri_content_size = 0; } } } -int SigGroupHeadAppendSig(SigGroupHead **sh, Signature *s) { +int SigGroupHeadAppendSig(DetectEngineCtx *de_ctx, SigGroupHead **sh, Signature *s) { + if (de_ctx == NULL) + return 0; + /* see if we have a head already */ if (*sh == NULL) { *sh = malloc(sizeof(SigGroupHead)); @@ -529,7 +410,7 @@ int SigGroupHeadAppendSig(SigGroupHead **sh, Signature *s) { detect_siggroup_head_memory += sizeof(SigGroupHead); /* initialize the signature bitarray */ - (*sh)->sig_size = SigGetMaxId() / 8 + 1; + (*sh)->sig_size = DetectEngineGetMaxSigId(de_ctx) / 8 + 1; (*sh)->sig_array = malloc((*sh)->sig_size); if ((*sh)->sig_array == NULL) goto error; @@ -558,8 +439,8 @@ int SigGroupHeadClearSigs(SigGroupHead *sh) { return 0; } -int SigGroupHeadCopySigs(SigGroupHead *src, SigGroupHead **dst) { - if (src == NULL) +int SigGroupHeadCopySigs(DetectEngineCtx *de_ctx, SigGroupHead *src, SigGroupHead **dst) { + if (src == NULL || de_ctx == NULL) return 0; if (*dst == NULL) { 
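Review bot: `SigGroupHeadDPortHashFree` guards on `de_ctx->dport_hash_table` and `SigGroupHeadSPortHashFree` on `de_ctx->sport_hash_table`, but each then frees the corresponding `sgh_*` table, so the NULL check tests a different field from the one being released. If the port table was already freed, the sgh table is never released. If the sgh table is NULL while the port table is not, `HashListTableFree` is called with NULL, and whether it tolerates that is not visible here. The guards should read `if (de_ctx->sgh_dport_hash_table == NULL)` and `if (de_ctx->sgh_sport_hash_table == NULL)`, matching the other `*HashFree` functions in this hunk.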
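Review bot: The new `src == NULL || de_ctx == NULL` guard in `SigGroupHeadCopySigs` returns 0 when no engine context is passed, so the caller sees success although `*dst` was neither allocated nor filled. The same `if (de_ctx == NULL) return 0;` is added to `SigGroupHeadAppendSig` in the `@@ -33,490 +45,359 @@` hunk. Unless a NULL context is meant to be a no-op (the unit-test change to `DetectPortCopy(NULL,dd)` suggests it may be), return an error for it, e.g. `if (de_ctx == NULL) return -1;`, so that a missing context cannot silently yield an empty signature group. If the no-op is intended, say so in a comment above the guard. The function body continues outside the hunk.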
@@ -572,7 +453,7 @@ int SigGroupHeadCopySigs(SigGroupHead *src, SigGroupHead **dst) { detect_siggroup_head_init_cnt++; detect_siggroup_head_memory += sizeof(SigGroupHead); - (*dst)->sig_size = SigGetMaxId() / 8 + 1; + (*dst)->sig_size = DetectEngineGetMaxSigId(de_ctx) / 8 + 1; (*dst)->sig_array = malloc((*dst)->sig_size); if ((*dst)->sig_array == NULL) goto error; @@ -626,11 +507,24 @@ void DetectSigGroupPrintMemory(void) { printf(" X Total %u\n", detect_siggroup_head_memory + detect_siggroup_sigarray_memory + detect_siggroup_matcharray_memory); } +void SigGroupHeadPrintSigs(DetectEngineCtx *de_ctx, SigGroupHead *sgh) { + printf("SigGroupHeadPrintSigs: "); + + u_int32_t i; + for (i = 0; i < sgh->sig_size; i++) { + if (sgh->sig_array[(i/8)] & (1<<(i%8))) { + printf("%u ", i); + } + } + + printf("\n"); +} + void SigGroupHeadPrintContent(DetectEngineCtx *de_ctx, SigGroupHead *sgh) { printf("SigGroupHeadPrintContent: "); u_int32_t i; - for (i = 0; i < DetectContentMaxId(); i++) { + for (i = 0; i < DetectContentMaxId(de_ctx); i++) { if (sgh->content_array[(i/8)] & (1<<(i%8))) { printf("%u ", i); } @@ -643,7 +537,7 @@ void SigGroupHeadPrintContentCnt(DetectEngineCtx *de_ctx, SigGroupHead *sgh) { printf("SigGroupHeadPrintContent: "); u_int32_t i, cnt = 0; - for (i = 0; i < DetectContentMaxId(); i++) { + for (i = 0; i < DetectContentMaxId(de_ctx); i++) { if (sgh->content_array[(i/8)] & (1<<(i%8))) { cnt++; } @@ -662,10 +556,10 @@ int SigGroupHeadLoadContent(DetectEngineCtx *de_ctx, SigGroupHead *sgh) { Signature *s; SigMatch *sm; - if (DetectContentMaxId() == 0) + if (DetectContentMaxId(de_ctx) == 0) return 0; - sgh->content_size = (DetectContentMaxId() / 8) + 1; + sgh->content_size = (DetectContentMaxId(de_ctx) / 8) + 1; sgh->content_array = malloc(sgh->content_size * sizeof(u_int32_t)); if (sgh->content_array == NULL) return -1; 
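Review bot: The loop in the new `SigGroupHeadPrintSigs` runs `i` up to `sgh->sig_size`, but `sig_size` is a byte count (set to max sig id / 8 + 1 in `SigGroupHeadAppendSig`), while `i` is used as a bit index in `sig_array[(i/8)] & (1<<(i%8))`. Only the first `sig_size` bits are examined, so signatures with higher ids are never printed and the debug output under-reports the group. The bound should be `i < sgh->sig_size * 8`. A comment such as `/* sig_array is a bit array, sig_size is its length in bytes */` above the loop would make the units explicit.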
@@ -715,10 +609,10 @@ int SigGroupHeadLoadUricontent(DetectEngineCtx *de_ctx, SigGroupHead *sgh) { Signature *s; SigMatch *sm; - if (DetectUricontentMaxId() == 0) + if (DetectUricontentMaxId(de_ctx) == 0) return 0; - sgh->uri_content_size = (DetectUricontentMaxId() / 8) + 1; + sgh->uri_content_size = (DetectUricontentMaxId(de_ctx) / 8) + 1; sgh->uri_content_array = malloc(sgh->uri_content_size * sizeof(u_int32_t)); if (sgh->uri_content_array == NULL) return -1; diff --git a/src/detect-engine-siggroup.h b/src/detect-engine-siggroup.h index 7ecbb42e09..49e60d04a3 100644 --- a/src/detect-engine-siggroup.h +++ b/src/detect-engine-siggroup.h @@ -3,9 +3,9 @@ /* XXX cleanup */ -int SigGroupHeadAppendSig(SigGroupHead **, Signature *); +int SigGroupHeadAppendSig(DetectEngineCtx *, SigGroupHead **, Signature *); int SigGroupHeadClearSigs(SigGroupHead *); -int SigGroupHeadCopySigs(SigGroupHead *, SigGroupHead **); +int SigGroupHeadCopySigs(DetectEngineCtx *, SigGroupHead *, SigGroupHead **); int SigGroupHeadLoadContent(DetectEngineCtx *, SigGroupHead *); int SigGroupHeadLoadUricontent(DetectEngineCtx *, SigGroupHead *); 
@@ -14,35 +14,35 @@ int SigGroupHeadClearUricontent(SigGroupHead *); void SigGroupHeadFree(SigGroupHead *); -void SigGroupHeadFreeMpmArrays(void); +void SigGroupHeadFreeMpmArrays(DetectEngineCtx *); -SigGroupHead *SigGroupHeadHashLookup(SigGroupHead *sgh); -SigGroupHead *SigGroupHeadPortHashLookup(SigGroupHead *sgh); -SigGroupHead *SigGroupHeadSPortHashLookup(SigGroupHead *sgh); -SigGroupHead *SigGroupHeadMpmHashLookup(SigGroupHead *sgh); -SigGroupHead *SigGroupHeadMpmUriHashLookup(SigGroupHead *sgh); +SigGroupHead *SigGroupHeadHashLookup(DetectEngineCtx *, SigGroupHead *); +SigGroupHead *SigGroupHeadMpmHashLookup(DetectEngineCtx *, SigGroupHead *); +SigGroupHead *SigGroupHeadMpmUriHashLookup(DetectEngineCtx *, SigGroupHead *); +SigGroupHead *SigGroupHeadDPortHashLookup(DetectEngineCtx *, SigGroupHead *); +SigGroupHead *SigGroupHeadSPortHashLookup(DetectEngineCtx *, SigGroupHead *); -int SigGroupHeadPortHashAdd(SigGroupHead *sgh); -int SigGroupHeadSPortHashAdd(SigGroupHead *sgh); -int SigGroupHeadMpmHashAdd(SigGroupHead *sgh); -int SigGroupHeadMpmUriHashAdd(SigGroupHead *sgh); -int SigGroupHeadHashAdd(SigGroupHead *sgh); +int SigGroupHeadMpmHashAdd(DetectEngineCtx *, SigGroupHead *); +int SigGroupHeadMpmUriHashAdd(DetectEngineCtx *, SigGroupHead *); +int SigGroupHeadHashAdd(DetectEngineCtx *, SigGroupHead *); +int SigGroupHeadDPortHashAdd(DetectEngineCtx *, SigGroupHead *); +int SigGroupHeadSPortHashAdd(DetectEngineCtx *, SigGroupHead *); -void SigGroupHeadHashFree(void); -void SigGroupHeadPortHashFree(void); -void SigGroupHeadSPortHashFree(void); -void SigGroupHeadMpmHashFree(void); -void SigGroupHeadMpmUriHashFree(void); +void SigGroupHeadHashFree(DetectEngineCtx *); +void SigGroupHeadMpmHashFree(DetectEngineCtx *); +void SigGroupHeadMpmUriHashFree(DetectEngineCtx *); +void SigGroupHeadDPortHashFree(DetectEngineCtx *); +void SigGroupHeadSPortHashFree(DetectEngineCtx *); -int SigGroupHeadMpmHashInit(void); -int SigGroupHeadMpmUriHashInit(void); -int 
SigGroupHeadPortHashInit(void); -int SigGroupHeadSPortHashInit(void); -int SigGroupHeadHashInit(void); +int SigGroupHeadHashInit(DetectEngineCtx *); +int SigGroupHeadMpmHashInit(DetectEngineCtx *); +int SigGroupHeadMpmUriHashInit(DetectEngineCtx *); +int SigGroupHeadDPortHashInit(DetectEngineCtx *); +int SigGroupHeadSPortHashInit(DetectEngineCtx *); void SigGroupHeadSetSigCnt(SigGroupHead *sgh, u_int32_t max_idx); int SigGroupHeadBuildMatchArray (DetectEngineCtx *de_ctx, SigGroupHead *sgh, u_int32_t max_idx); -void SigGroupHeadFreeSigArrays(void); +void SigGroupHeadFreeSigArrays(DetectEngineCtx *de_ctx); #endif /* __DETECT_SIGGROUP_H__ */ diff --git a/src/detect-engine.c b/src/detect-engine.c index 74d2284911..18a6acec19 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -9,6 +9,9 @@ #include "detect-engine-siggroup.h" #include "detect-engine-address.h" +#include "detect-engine-port.h" + +#include "util-hash.h" DetectEngineCtx *DetectEngineCtxInit(void) { DetectEngineCtx *de_ctx; 
@@ -20,12 +23,43 @@ DetectEngineCtx *DetectEngineCtxInit(void) { memset(de_ctx,0,sizeof(DetectEngineCtx)); + SigGroupHeadHashInit(de_ctx); + SigGroupHeadMpmHashInit(de_ctx); + SigGroupHeadMpmUriHashInit(de_ctx); + SigGroupHeadSPortHashInit(de_ctx); + SigGroupHeadDPortHashInit(de_ctx); + DetectPortSpHashInit(de_ctx); + DetectPortDpHashInit(de_ctx); return de_ctx; error: return NULL; } void DetectEngineCtxFree(DetectEngineCtx *de_ctx) { + + /* Normally the hashes are freed elsewhere, but + * to be sure look at them again here. + */ + SigGroupHeadHashFree(de_ctx); + SigGroupHeadMpmHashFree(de_ctx); + SigGroupHeadMpmUriHashFree(de_ctx); + SigGroupHeadSPortHashFree(de_ctx); + SigGroupHeadDPortHashFree(de_ctx); + DetectPortSpHashFree(de_ctx); + DetectPortDpHashFree(de_ctx); + free(de_ctx); } +/* + * getting & (re)setting the internal sig i + */ + +u_int32_t DetectEngineGetMaxSigId(DetectEngineCtx *de_ctx) { + return de_ctx->signum; +} + +void DetectEngineResetMaxSigId(DetectEngineCtx *de_ctx) { + de_ctx->signum = 0; +} + diff --git a/src/detect-engine.h b/src/detect-engine.h index 1858abefa3..4bad41cf26 100644 --- a/src/detect-engine.h +++ b/src/detect-engine.h @@ -5,5 +5,8 @@ DetectEngineCtx *DetectEngineCtxInit(void); void DetectEngineCtxFree(DetectEngineCtx *); +u_int32_t DetectEngineGetMaxSigId(DetectEngineCtx *); +void DetectEngineResetMaxSigId(DetectEngineCtx *); + #endif /* __DETECT_ENGINE_H__ */ diff --git a/src/detect-flow.c b/src/detect-flow.c index a1290d8238..6e852cb5f7 100644 --- a/src/detect-flow.c +++ b/src/detect-flow.c @@ -16,7 +16,7 @@ static pcre *parse_regex; static pcre_extra *parse_regex_study; int DetectFlowMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *); -int DetectFlowSetup (Signature *, SigMatch *, char *); +int DetectFlowSetup (DetectEngineCtx *, Signature *, SigMatch *, char *); void DetectFlowRegister (void) { sigmatch_table[DETECT_FLOW].name = "flow"; 
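Review bot: `DetectEngineCtxInit` discards the result of every hash-init call it adds, although detect-engine-siggroup.h declares the five `SigGroupHead*HashInit` functions as returning `int`. A failed table allocation would hand back a context whose hash tables are missing. Check each call, e.g. `if (SigGroupHeadHashInit(de_ctx) < 0) goto error;` (assuming a negative value signals failure, which is not visible here), and make the `error:` path release `de_ctx` and any tables already created, since it currently only returns NULL. In `DetectEngineCtxFree` the added comment says the hashes are normally freed elsewhere, so the seven `*HashFree` calls are safe only if each one clears its table pointer after freeing; that is worth confirming to rule out a double free.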
@@ -72,7 +72,7 @@ int DetectFlowMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signat return ret; } -int DetectFlowSetup (Signature *s, SigMatch *m, char *flowstr) +int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *flowstr) { DetectFlowData *fd = NULL; SigMatch *sm = NULL; diff --git a/src/detect-flowvar.c b/src/detect-flowvar.c index 0c833f3009..08312fabda 100644 --- a/src/detect-flowvar.c +++ b/src/detect-flowvar.c @@ -17,7 +17,7 @@ static pcre *parse_regex; static pcre_extra *parse_regex_study; int DetectFlowvarMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *); -int DetectFlowvarSetup (Signature *, SigMatch *, char *); +int DetectFlowvarSetup (DetectEngineCtx *, Signature *, SigMatch *, char *); void DetectFlowvarRegister (void) { sigmatch_table[DETECT_FLOWVAR].name = "flowvar"; @@ -75,7 +75,7 @@ int DetectFlowvarMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Sig return ret; } -int DetectFlowvarSetup (Signature *s, SigMatch *m, char *rawstr) +int DetectFlowvarSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) { DetectFlowvarData *cd = NULL; SigMatch *sm = NULL; diff --git a/src/detect-metadata.c b/src/detect-metadata.c index c1bdbd7649..0348a2fac7 100644 --- a/src/detect-metadata.c +++ b/src/detect-metadata.c @@ -4,7 +4,7 @@ #include "detect.h" #include "flow-var.h" -int DetectMetadataSetup (Signature *s, SigMatch *m, char *str); +int DetectMetadataSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *str); void DetectMetadataRegister (void) { sigmatch_table[DETECT_METADATA].name = "metadata"; @@ -14,7 +14,7 @@ void DetectMetadataRegister (void) { sigmatch_table[DETECT_METADATA].RegisterTests = NULL; } -int DetectMetadataSetup (Signature *s, SigMatch *m, char *rawstr) +int DetectMetadataSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) { char *str = rawstr; char dubbed = 0; 
diff --git a/src/detect-msg.c b/src/detect-msg.c index a8d230210a..6266a1b19e 100644 --- a/src/detect-msg.c +++ b/src/detect-msg.c @@ -4,7 +4,7 @@ #include "detect.h" #include "flow-var.h" -int DetectMsgSetup (Signature *s, SigMatch *m, char *msgstr); +int DetectMsgSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *msgstr); void DetectMsgRegister (void) { sigmatch_table[DETECT_MSG].name = "msg"; @@ -14,7 +14,7 @@ void DetectMsgRegister (void) { sigmatch_table[DETECT_MSG].RegisterTests = NULL; } -int DetectMsgSetup (Signature *s, SigMatch *m, char *msgstr) +int DetectMsgSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *msgstr) { char *str = msgstr; diff --git a/src/detect-noalert.c b/src/detect-noalert.c index a3f6ad4cf7..2cb49330c3 100644 --- a/src/detect-noalert.c +++ b/src/detect-noalert.c @@ -6,7 +6,7 @@ #include -int DetectNoalertSetup (Signature *, SigMatch *, char *); +int DetectNoalertSetup (DetectEngineCtx *, Signature *, SigMatch *, char *); void DetectNoalertRegister (void) { sigmatch_table[DETECT_NOALERT].name = "noalert"; @@ -18,7 +18,7 @@ void DetectNoalertRegister (void) { sigmatch_table[DETECT_NOALERT].flags |= SIGMATCH_NOOPT; } -int DetectNoalertSetup (Signature *s, SigMatch *m, char *nullstr) +int DetectNoalertSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *nullstr) { if (nullstr != NULL) { printf("DetectNoalertSetup: nocase has no value\n"); diff --git a/src/detect-nocase.c b/src/detect-nocase.c index 47db71d5c6..79172834ef 100644 --- a/src/detect-nocase.c +++ b/src/detect-nocase.c @@ -9,7 +9,7 @@ #include "detect-uricontent.h" #include "detect-pcre.h" -int DetectNocaseSetup (Signature *s, SigMatch *m, char *depthstr); +int DetectNocaseSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *depthstr); void DetectNocaseRegister (void) { sigmatch_table[DETECT_NOCASE].name = "nocase"; 
@@ -21,7 +21,7 @@ void DetectNocaseRegister (void) { sigmatch_table[DETECT_NOCASE].flags |= SIGMATCH_NOOPT; } -int DetectNocaseSetup (Signature *s, SigMatch *m, char *nullstr) +int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *nullstr) { //printf("DetectNocaseSetup: s->match:%p,m:%p\n", s->match, m); diff --git a/src/detect-offset.c b/src/detect-offset.c index 080bd514ae..a9273481bc 100644 --- a/src/detect-offset.c +++ b/src/detect-offset.c @@ -8,7 +8,7 @@ #include "detect-content.h" #include "detect-pcre.h" -int DetectOffsetSetup (Signature *s, SigMatch *m, char *offsetstr); +int DetectOffsetSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *offsetstr); void DetectOffsetRegister (void) { sigmatch_table[DETECT_OFFSET].name = "offset"; @@ -18,7 +18,7 @@ void DetectOffsetRegister (void) { sigmatch_table[DETECT_OFFSET].RegisterTests = NULL; } -int DetectOffsetSetup (Signature *s, SigMatch *m, char *offsetstr) +int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *offsetstr) { char *str = offsetstr; char dubbed = 0; diff --git a/src/detect-parse.c b/src/detect-parse.c index 75140dadce..1222700dbe 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -4,7 +4,12 @@ #include "vips.h" #include "debug.h" + #include "detect.h" +#include "detect-engine.h" +#include "detect-engine-address.h" +#include "detect-engine-port.h" + #include "flow.h" #include "util-unittest.h" @@ -15,7 +20,7 @@ static pcre_extra *config_pcre_extra = NULL; static pcre_extra *option_pcre_extra = NULL; /* XXX this should be part of the DE */ -static u_int32_t signum = 0; +//static u_int32_t signum = 0; static u_int32_t dbg_srcportany_cnt = 0; static u_int32_t dbg_dstportany_cnt = 0; 
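Review bot: The detect-parse.c hunk leaves the old counter behind as commented-out code, `//static u_int32_t signum = 0;`, under an `XXX this should be part of the DE` comment that this commit makes obsolete. Delete both lines now that the counter lives in `de_ctx->signum`. The same applies to `//pmt->mc = NULL;` and `//pmt->mcu = NULL;` in the `SigMatchSignatures` hunk of detect.c, where the neighbouring hunks remove the corresponding assignments outright.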
@@ -36,9 +41,6 @@ static u_int32_t dbg_dstportany_cnt = 0; #define OPTION_PARTS 3 #define OPTION_PCRE "^\\s*([A-z_0-9]+)(?:\\s*\\:\\s*(.*)(?Setup(s, m, optvalue) < 0) + if (st->Setup(de_ctx, s, m, optvalue) < 0) goto error; /* thats why we check for that here */ @@ -211,7 +209,7 @@ int SigParseOptions(Signature *s, SigMatch *m, char *optstr) { if (optstr) free(optstr); //if (optmore) pcre_free_substring(optmore); if (arr != NULL) free(arr); - return SigParseOptions(s, m, optmore); + return SigParseOptions(de_ctx, s, m, optmore); } if (optname) pcre_free_substring(optname); @@ -426,7 +424,7 @@ error: return -1; } -int SigParse(Signature *s, char *sigstr) { +int SigParse(DetectEngineCtx *de_ctx, Signature *s, char *sigstr) { char **basics; int ret = SigParseBasics(s, sigstr, &basics); @@ -443,7 +441,7 @@ int SigParse(Signature *s, char *sigstr) { /* we can have no options, so make sure we have them */ if (basics[CONFIG_OPTS] != NULL) { - ret = SigParseOptions(s, NULL, strdup(basics[CONFIG_OPTS])); + ret = SigParseOptions(de_ctx, s, NULL, strdup(basics[CONFIG_OPTS])); } /* cleanup */ @@ -486,7 +484,7 @@ void SigFree(Signature *s) { free(s); } -Signature *SigInit(char *sigstr) { +Signature *SigInit(DetectEngineCtx *de_ctx, char *sigstr) { Signature *sig = SigAlloc(); if (sig == NULL) goto error; @@ -495,11 +493,11 @@ Signature *SigInit(char *sigstr) { * through classifications.config */ sig->prio = 3; - if (SigParse(sig, sigstr) < 0) + if (SigParse(de_ctx, sig, sigstr) < 0) goto error; - sig->num = signum; - signum++; + sig->num = de_ctx->signum; + de_ctx->signum++; return sig; error: 
@@ -516,13 +514,18 @@ int SigParseTest01 (void) { int result = 1; Signature *sig = NULL; - sig = SigInit("alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)"); + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + sig = SigInit(de_ctx, "alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)"); if (sig == NULL) { result = 0; goto end; } SigFree(sig); + DetectEngineCtxFree(de_ctx); end: return result; } @@ -531,13 +534,19 @@ int SigParseTest02 (void) { int result = 0; Signature *sig = NULL; - sig = SigInit("alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; classtype:non-standard-protocol; sid:2003055; rev:4;)"); + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; classtype:non-standard-protocol; sid:2003055; rev:4;)"); if (sig == NULL) { goto end; } DetectPort *port = NULL; int r = DetectPortParse(&port, "0:20"); + if (r < 0) + goto end; if (DetectPortCmp(sig->sp, port) == PORT_EQ) { result = 1; @@ -546,6 +555,7 @@ int SigParseTest02 (void) { } SigFree(sig); + DetectEngineCtxFree(de_ctx); end: return result; } diff --git a/src/detect-parse.h b/src/detect-parse.h index d18e0e7dc8..039733f740 100644 --- a/src/detect-parse.h +++ b/src/detect-parse.h @@ -5,7 +5,7 @@ int SigParse(Signature *s, char *sigstr); Signature *SigAlloc (void); void SigFree(Signature *s); -Signature *SigInit(char *sigstr); +Signature *SigInit(DetectEngineCtx *,char *sigstr); void SigParsePrepare(void); void SigParseRegisterTests(void); diff --git a/src/detect-pcre.c b/src/detect-pcre.c index 9cc3c45cbe..ef4a7da949 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c 
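Review bot: `SigParseTest01` starts with `result = 1`, so the added `if (de_ctx == NULL) goto end;` reports a pass when the engine context could not be created; it should be `if (de_ctx == NULL) { result = 0; goto end; }`. Both tests also leak on their early exits. `goto end` after a failed `SigInit` skips `DetectEngineCtxFree(de_ctx)`, and in `SigParseTest02` the new `if (r < 0) goto end;` skips `SigFree(sig)` as well. Moving the cleanup below the `end:` label, guarded by `if (sig != NULL)` and `if (de_ctx != NULL)`, covers every path.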
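Review bot: The context line in the detect-parse.h hunk header shows the header still declaring `int SigParse(Signature *s, char *sigstr);`, while detect-parse.c now defines `int SigParse(DetectEngineCtx *de_ctx, Signature *s, char *sigstr)`, and no hunk in this file section updates it. Change the declaration to `int SigParse(DetectEngineCtx *, Signature *s, char *sigstr);` so callers that include the header are checked against the real signature. The new `SigInit(DetectEngineCtx *,char *sigstr)` prototype also lacks the space after the comma that the other prototypes use.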
@@ -21,7 +21,7 @@ static pcre *parse_capture_regex; static pcre_extra *parse_capture_regex_study; int DetectPcreMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *); -int DetectPcreSetup (Signature *, SigMatch *, char *); +int DetectPcreSetup (DetectEngineCtx *, Signature *, SigMatch *, char *); int DetectPcreFree(SigMatch *); void DetectPcreRegister (void) { @@ -123,7 +123,7 @@ int DetectPcreMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signat /* don't bother scanning if we don't have a pattern matcher ctx * which means we don't have uricontent sigs */ - if (pmt->mcu != NULL) { + if (pmt->sgh->mpm_uri_ctx != NULL) { if (pmt->sgh->mpm_uricontent_maxlen <= p->http_uri.raw_size[pmt->pkt_cnt]) { if (pmt->sgh->mpm_uricontent_maxlen == 1) pmt->pkts_uri_scanned1++; else if (pmt->sgh->mpm_uricontent_maxlen == 2) pmt->pkts_uri_scanned2++; @@ -132,7 +132,7 @@ int DetectPcreMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signat else pmt->pkts_uri_scanned++; pmt->pmq.mode = PMQ_MODE_SCAN; - ret = pmt->mcu->Scan(pmt->mcu, &pmt->mtcu, &pmt->pmq, p->http_uri.raw[pmt->pkt_cnt], p->http_uri.raw_size[pmt->pkt_cnt]); + ret = pmt->sgh->mpm_uri_ctx->Scan(pmt->sgh->mpm_uri_ctx, &pmt->mtcu, &pmt->pmq, p->http_uri.raw[pmt->pkt_cnt], p->http_uri.raw_size[pmt->pkt_cnt]); if (ret > 0) { if (pmt->sgh->mpm_uricontent_maxlen == 1) pmt->pkts_uri_searched1++; else if (pmt->sgh->mpm_uricontent_maxlen == 2) pmt->pkts_uri_searched2++; 
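Review bot: The new guard `if (pmt->sgh->mpm_uri_ctx != NULL)` in `DetectPcreMatch` dereferences `pmt->sgh` where the old `pmt->mcu != NULL` test did not, and `SigMatchSignatures` resets `pmt->sgh` to NULL before its group lookup. Whether this match function can run while no signature group head is selected is not visible from this hunk, because the function body starts and ends outside it. If it can, a packet would crash the detection thread, so `if (pmt->sgh != NULL && pmt->sgh->mpm_uri_ctx != NULL)` is the safer form. The `Scan` and `Search` calls changed in the following hunks sit inside this guard and need no separate check.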
@@ -141,7 +141,7 @@ int DetectPcreMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signat else pmt->pkts_uri_searched++; pmt->pmq.mode = PMQ_MODE_SEARCH; - ret += pmt->mcu->Search(pmt->mcu, &pmt->mtcu, &pmt->pmq, p->http_uri.raw[pmt->pkt_cnt], p->http_uri.raw_size[pmt->pkt_cnt]); + ret += pmt->sgh->mpm_uri_ctx->Search(pmt->sgh->mpm_uri_ctx, &pmt->mtcu, &pmt->pmq, p->http_uri.raw[pmt->pkt_cnt], p->http_uri.raw_size[pmt->pkt_cnt]); /* indicate to uricontent that we have a uri, * we scanned it _AND_ we found pattern matches. */ @@ -173,7 +173,7 @@ int DetectPcreMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signat return ret; } -int DetectPcreSetup (Signature *s, SigMatch *m, char *regexstr) +int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *regexstr) { const char *eb; int eo; diff --git a/src/detect-pktvar.c b/src/detect-pktvar.c index d61acc90ad..1439371836 100644 --- a/src/detect-pktvar.c +++ b/src/detect-pktvar.c @@ -16,7 +16,7 @@ static pcre *parse_regex; static pcre_extra *parse_regex_study; int DetectPktvarMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *); -int DetectPktvarSetup (Signature *, SigMatch *, char *); +int DetectPktvarSetup (DetectEngineCtx *, Signature *, SigMatch *, char *); void DetectPktvarRegister (void) { sigmatch_table[DETECT_PKTVAR].name = "pktvar"; @@ -70,7 +70,7 @@ int DetectPktvarMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Sign return ret; } -int DetectPktvarSetup (Signature *s, SigMatch *m, char *rawstr) +int DetectPktvarSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) { DetectPktvarData *cd = NULL; SigMatch *sm = NULL; diff --git a/src/detect-priority.c b/src/detect-priority.c index d233fbf2c6..7aa7180de7 100644 --- a/src/detect-priority.c +++ b/src/detect-priority.c 
@@ -4,7 +4,7 @@ #include "detect.h" #include "flow-var.h" -int DetectPrioritySetup (Signature *s, SigMatch *m, char *sidstr); +int DetectPrioritySetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *sidstr); void DetectPriorityRegister (void) { sigmatch_table[DETECT_PRIORITY].name = "priority"; @@ -14,7 +14,7 @@ void DetectPriorityRegister (void) { sigmatch_table[DETECT_PRIORITY].RegisterTests = NULL; } -int DetectPrioritySetup (Signature *s, SigMatch *m, char *rawstr) +int DetectPrioritySetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) { char *str = rawstr; char dubbed = 0; diff --git a/src/detect-rawbytes.c b/src/detect-rawbytes.c index 58ea1fbc2d..675b56ccd9 100644 --- a/src/detect-rawbytes.c +++ b/src/detect-rawbytes.c @@ -8,7 +8,7 @@ #include "detect-content.h" #include "detect-pcre.h" -int DetectRawbytesSetup (Signature *s, SigMatch *m, char *depthstr); +int DetectRawbytesSetup (DetectEngineCtx *, Signature *, SigMatch *, char *); void DetectRawbytesRegister (void) { sigmatch_table[DETECT_RAWBYTES].name = "rawbytes"; @@ -20,7 +20,7 @@ void DetectRawbytesRegister (void) { sigmatch_table[DETECT_RAWBYTES].flags |= SIGMATCH_NOOPT; } -int DetectRawbytesSetup (Signature *s, SigMatch *m, char *nullstr) +int DetectRawbytesSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *nullstr) { //printf("DetectRawbytesSetup: s->match:%p,m:%p\n", s->match, m); diff --git a/src/detect-recursive.c b/src/detect-recursive.c index cba68ab283..5a437bae06 100644 --- a/src/detect-recursive.c +++ b/src/detect-recursive.c @@ -11,7 +11,7 @@ #include -int DetectRecursiveSetup (Signature *s, SigMatch *m, char *depthstr); +int DetectRecursiveSetup (DetectEngineCtx *, Signature *, SigMatch *, char *); void DetectRecursiveRegister (void) { sigmatch_table[DETECT_RECURSIVE].name = "recursive"; 
@@ -23,7 +23,7 @@ void DetectRecursiveRegister (void) { sigmatch_table[DETECT_RECURSIVE].flags |= SIGMATCH_NOOPT; } -int DetectRecursiveSetup (Signature *s, SigMatch *m, char *nullstr) +int DetectRecursiveSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *nullstr) { //printf("DetectRecursiveSetup: s->match:%p,m:%p\n", s->match, m); diff --git a/src/detect-reference.c b/src/detect-reference.c index a3db65e1e8..0cdae4887d 100644 --- a/src/detect-reference.c +++ b/src/detect-reference.c @@ -4,7 +4,7 @@ #include "detect.h" #include "flow-var.h" -int DetectReferenceSetup (Signature *s, SigMatch *m, char *str); +int DetectReferenceSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *str); void DetectReferenceRegister (void) { sigmatch_table[DETECT_REFERENCE].name = "reference"; @@ -14,7 +14,7 @@ void DetectReferenceRegister (void) { sigmatch_table[DETECT_REFERENCE].RegisterTests = NULL; } -int DetectReferenceSetup (Signature *s, SigMatch *m, char *rawstr) +int DetectReferenceSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) { char *str = rawstr; char dubbed = 0; diff --git a/src/detect-rev.c b/src/detect-rev.c index 1e030706dd..c2ecd5f54b 100644 --- a/src/detect-rev.c +++ b/src/detect-rev.c @@ -4,7 +4,7 @@ #include "detect.h" #include "flow-var.h" -int DetectRevSetup (Signature *s, SigMatch *m, char *str); +int DetectRevSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *str); void DetectRevRegister (void) { sigmatch_table[DETECT_REV].name = "rev"; @@ -14,7 +14,7 @@ void DetectRevRegister (void) { sigmatch_table[DETECT_REV].RegisterTests = NULL; } -int DetectRevSetup (Signature *s, SigMatch *m, char *rawstr) +int DetectRevSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) { char *str = rawstr; char dubbed = 0; diff --git a/src/detect-sid.c b/src/detect-sid.c index c2a53159ba..e7c5370537 100644 --- a/src/detect-sid.c +++ b/src/detect-sid.c 
@@ -4,7 +4,7 @@ #include "detect.h" #include "flow-var.h" -int DetectSidSetup (Signature *s, SigMatch *m, char *sidstr); +int DetectSidSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *sidstr); void DetectSidRegister (void) { sigmatch_table[DETECT_SID].name = "sid"; @@ -14,7 +14,7 @@ void DetectSidRegister (void) { sigmatch_table[DETECT_SID].RegisterTests = NULL; } -int DetectSidSetup (Signature *s, SigMatch *m, char *sidstr) +int DetectSidSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *sidstr) { char *str = sidstr; char dubbed = 0; diff --git a/src/detect-threshold.c b/src/detect-threshold.c index d8f0ba09e2..82b44ba109 100644 --- a/src/detect-threshold.c +++ b/src/detect-threshold.c @@ -4,7 +4,7 @@ #include "detect.h" #include "flow-var.h" -int DetectThresholdSetup (Signature *s, SigMatch *m, char *str); +int DetectThresholdSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *str); void DetectThresholdRegister (void) { sigmatch_table[DETECT_THRESHOLD].name = "threshold"; @@ -14,7 +14,7 @@ void DetectThresholdRegister (void) { sigmatch_table[DETECT_THRESHOLD].RegisterTests = NULL; } -int DetectThresholdSetup (Signature *s, SigMatch *m, char *rawstr) +int DetectThresholdSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) { char *str = rawstr; char dubbed = 0; diff --git a/src/detect-uricontent.c b/src/detect-uricontent.c index 7c36a122b5..ff4fcf6a03 100644 --- a/src/detect-uricontent.c +++ b/src/detect-uricontent.c 
@@ -31,16 +31,12 @@ #include "util-unittest.h" int DetectUricontentMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *); -int DetectUricontentSetup (Signature *, SigMatch *, char *); +int DetectUricontentSetup (DetectEngineCtx *, Signature *, SigMatch *, char *); void HttpUriRegisterTests(void); u_int8_t nocasetable[256]; #define _nc(c) nocasetable[(c)] -/* we use a global id for uricontent matches to be able to - * use just one pattern matcher thread context per thread. */ -static u_int32_t uricontent_max_id = 0; - void DetectUricontentRegister (void) { sigmatch_table[DETECT_URICONTENT].name = "uricontent"; sigmatch_table[DETECT_URICONTENT].Match = DetectUricontentMatch; @@ -67,9 +63,8 @@ void DetectUricontentRegister (void) { } /* pass on the uricontent_max_id */ -u_int32_t DetectUricontentMaxId(void) { - //printf("DetectUricontentMaxId: %u\n", uricontent_max_id); - return uricontent_max_id; +u_int32_t DetectUricontentMaxId(DetectEngineCtx *de_ctx) { + return de_ctx->uricontent_max_id; } /* Normalize http buffer @@ -258,7 +253,7 @@ int DetectUricontentMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, return DoDetectUricontent(t, pmt, p, m, co); } -int DetectUricontentSetup (Signature *s, SigMatch *m, char *contentstr) +int DetectUricontentSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *contentstr) { DetectUricontentData *cd = NULL; SigMatch *sm = NULL; @@ -369,8 +364,8 @@ int DetectUricontentSetup (Signature *s, SigMatch *m, char *contentstr) SigMatchAppend(s,m,sm); - cd->id = uricontent_max_id; - uricontent_max_id++; + cd->id = de_ctx->uricontent_max_id; + de_ctx->uricontent_max_id++; if (dubbed) free(str); return 0; diff --git a/src/detect-uricontent.h b/src/detect-uricontent.h index c88360a849..2fb2b81788 100644 --- a/src/detect-uricontent.h +++ b/src/detect-uricontent.h 
@@ -24,7 +24,7 @@ typedef struct _DetectUricontentData { /* prototypes */ void DetectUricontentRegister (void); -u_int32_t DetectUricontentMaxId(void); +u_int32_t DetectUricontentMaxId(DetectEngineCtx *); #endif /* __DETECT_URICONTENT_H__ */ diff --git a/src/detect-within.c b/src/detect-within.c index fab182c6aa..68b2dee6c5 100644 --- a/src/detect-within.c +++ b/src/detect-within.c @@ -9,7 +9,7 @@ #include "detect-uricontent.h" #include "detect-pcre.h" -int DetectWithinSetup (Signature *s, SigMatch *m, char *withinstr); +int DetectWithinSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *withinstr); void DetectWithinRegister (void) { sigmatch_table[DETECT_WITHIN].name = "within"; @@ -19,7 +19,7 @@ void DetectWithinRegister (void) { sigmatch_table[DETECT_WITHIN].RegisterTests = NULL; } -int DetectWithinSetup (Signature *s, SigMatch *m, char *withinstr) +int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *withinstr) { char *str = withinstr; char dubbed = 0; diff --git a/src/detect.c b/src/detect.c index ce4e1cb9c0..825e74d250 100644 --- a/src/detect.c +++ b/src/detect.c @@ -45,10 +45,10 @@ #include "pkt-var.h" +#include "util-print.h" #include "util-unittest.h" -static DetectEngineCtx *g_de_ctx = NULL; -static u_int32_t mpm_memory_size = 0; +#include "util-hashlist.h" SigMatch *SigMatchAlloc(void); void SigMatchFree(SigMatch *sm); @@ -56,7 +56,7 @@ void DetectExitPrintStats(ThreadVars *tv, void *data); /* tm module api functions */ int Detect(ThreadVars *, Packet *, void *, PacketQueue *); -int DetectThreadInit(ThreadVars *, void **); +int DetectThreadInit(ThreadVars *, void *, void **); int DetectThreadDeinit(ThreadVars *, void *); void TmModuleDetectRegister (void) { 
@@ -146,122 +146,122 @@ void SigLoadSignatures (void) /* The next 3 rules handle HTTP header capture. */ /* http_uri -- for uricontent */ - sig = SigInit("alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP GET URI cap\"; flow:to_server; content:\"GET \"; depth:4; pcre:\"/^GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:1;)"); + sig = SigInit(g_de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP GET URI cap\"; flow:to_server; content:\"GET \"; depth:4; pcre:\"/^GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:1;)"); if (sig) { prevsig = sig; g_de_ctx->sig_list = sig; } - sig = SigInit("alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP POST URI cap\"; flow:to_server; content:\"POST \"; depth:5; pcre:\"/^POST (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:2;)"); + sig = SigInit(g_de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP POST URI cap\"; flow:to_server; content:\"POST \"; depth:5; pcre:\"/^POST (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:2;)"); if (sig == NULL) return; prevsig->next = sig; prevsig = sig; /* http_host -- for the log-httplog module */ - sig = SigInit("alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; flow:to_server; content:\"|0d 0a|Host:\"; pcre:\"/^Host: (?P.*)\\r\\n/m\"; noalert; sid:3;)"); + sig = SigInit(g_de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; flow:to_server; content:\"|0d 0a|Host:\"; pcre:\"/^Host: (?P.*)\\r\\n/m\"; noalert; sid:3;)"); if (sig == NULL) return; prevsig->next = sig; prevsig = sig; /* http_ua -- for the log-httplog module */ - sig = SigInit("alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP UA cap\"; flow:to_server; content:\"|0d 0a|User-Agent:\"; pcre:\"/^User-Agent: (?P.*)\\r\\n/m\"; noalert; sid:4;)"); + sig = SigInit(g_de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP UA cap\"; flow:to_server; content:\"|0d 0a|User-Agent:\"; pcre:\"/^User-Agent: (?P.*)\\r\\n/m\"; noalert; sid:4;)"); if (sig == NULL) return; prevsig->next = sig; prevsig = sig; /* - sig 
= SigInit("alert udp any any -> any any (msg:\"ViCtOr nocase test\"; sid:4; rev:13; content:\"ViCtOr!!\"; offset:100; depth:150; nocase; content:\"ViCtOr!!\"; nocase; offset:99; depth:150;)"); + sig = SigInit(g_de_ctx,"alert udp any any -> any any (msg:\"ViCtOr nocase test\"; sid:4; rev:13; content:\"ViCtOr!!\"; offset:100; depth:150; nocase; content:\"ViCtOr!!\"; nocase; offset:99; depth:150;)"); if (sig == NULL) return; prevsig->next = sig; prevsig = sig; - sig = SigInit("alert ip any any -> 1.2.3.4 any (msg:\"ViCtOr case test\"; sid:2001; content:\"ViCtOr\"; depth:150;)"); + sig = SigInit(g_de_ctx,"alert ip any any -> 1.2.3.4 any (msg:\"ViCtOr case test\"; sid:2001; content:\"ViCtOr\"; depth:150;)"); if (sig == NULL) return; prevsig->next = sig; prevsig = sig; - sig = SigInit("alert ip any any -> 1.2.3.4 any (msg:\"IP ONLY\"; sid:2002;)"); + sig = SigInit(g_de_ctx,"alert ip any any -> 1.2.3.4 any (msg:\"IP ONLY\"; sid:2002;)"); if (sig == NULL) return; prevsig->next = sig; prevsig = sig; - sig = SigInit("alert ip ANY any -> 192.168.0.0/16 any (msg:\"offset, depth, within test\"; flow:to_client; sid:2002; content:HTTP; depth:4; content:Server:; offset:15; within:100; depth:200;)"); + sig = SigInit(g_de_ctx,"alert ip ANY any -> 192.168.0.0/16 any (msg:\"offset, depth, within test\"; flow:to_client; sid:2002; content:HTTP; depth:4; content:Server:; offset:15; within:100; depth:200;)"); if (sig == NULL) return; prevsig->next = sig; prevsig = sig; - sig = SigInit("alert ip 1.2.3.4 any -> any any (msg:\"Inliniac blog within test\"; flow:to_client; sid:2003; content:inliniac; content:blog; within:9;)"); + sig = SigInit(g_de_ctx,"alert ip 1.2.3.4 any -> any any (msg:\"Inliniac blog within test\"; flow:to_client; sid:2003; content:inliniac; content:blog; within:9;)"); if (sig == NULL) return; prevsig->next = sig; prevsig = sig; - sig = SigInit("alert ip 2001::1 any -> 2001::3 any (msg:\"abcdefg distance 1 test\"; flow:to_server; sid:2004; content:abcd; content:efgh; 
within:4; distance:0; content:ijkl; within:4; distance:0;)"); + sig = SigInit(g_de_ctx,"alert ip 2001::1 any -> 2001::3 any (msg:\"abcdefg distance 1 test\"; flow:to_server; sid:2004; content:abcd; content:efgh; within:4; distance:0; content:ijkl; within:4; distance:0;)"); if (sig == NULL) return; prevsig->next = sig; prevsig = sig; - sig = SigInit("alert ip 2001::5 any -> 2001::7 any (msg:\"abcdef distance 0 test\"; flow:to_server; sid:2005; content:abcdef; content:ghijklmnop; distance:0;)"); + sig = SigInit(g_de_ctx,"alert ip 2001::5 any -> 2001::7 any (msg:\"abcdef distance 0 test\"; flow:to_server; sid:2005; content:abcdef; content:ghijklmnop; distance:0;)"); if (sig == NULL) return; prevsig->next = sig; prevsig = sig; - sig = SigInit("alert ip 10.0.0.0/8 any -> 4.3.2.1 any (msg:\"abcdefg distance 1 test\"; flow:to_server; sid:2006; content:abcdef; content:ghijklmnop; distance:1;)"); + sig = SigInit(g_de_ctx,"alert ip 10.0.0.0/8 any -> 4.3.2.1 any (msg:\"abcdefg distance 1 test\"; flow:to_server; sid:2006; content:abcdef; content:ghijklmnop; distance:1;)"); if (sig == NULL) return; prevsig->next = sig; prevsig = sig; - sig = SigInit("alert tcp 172.16.1.0/24 any -> 0.0.0.0/0 any (msg:\"HTTP response code cap\"; flow:to_client; content:HTTP; depth:4; pcre:\"/^HTTP\\/\\d\\.\\d (?[0-9]+) [A-z\\s]+\\r\\n/\"; depth:50; sid:3;)"); + sig = SigInit(g_de_ctx,"alert tcp 172.16.1.0/24 any -> 0.0.0.0/0 any (msg:\"HTTP response code cap\"; flow:to_client; content:HTTP; depth:4; pcre:\"/^HTTP\\/\\d\\.\\d (?[0-9]+) [A-z\\s]+\\r\\n/\"; depth:50; sid:3;)"); if (sig == NULL) return; prevsig->next = sig; prevsig = sig; - sig = SigInit("alert tcp 172.16.2.0/24 any -> 10.10.10.10 any (msg:\"HTTP server code cap\"; flow:to_client; content:Server:; depth:500; pcre:\"/^Server: (?.*)\\r\\n/m\"; sid:4;)"); + sig = SigInit(g_de_ctx,"alert tcp 172.16.2.0/24 any -> 10.10.10.10 any (msg:\"HTTP server code cap\"; flow:to_client; content:Server:; depth:500; pcre:\"/^Server: (?.*)\\r\\n/m\"; 
sid:4;)"); if (sig == NULL) return; prevsig->next = sig; prevsig = sig; - sig = SigInit("alert tcp 192.168.0.1 any -> 1.0.2.1 any (msg:\"\to_client nocase test\"; flow:to_client; content:Servere:; nocase; sid:400;)"); + sig = SigInit(g_de_ctx,"alert tcp 192.168.0.1 any -> 1.0.2.1 any (msg:\"\to_client nocase test\"; flow:to_client; content:Servere:; nocase; sid:400;)"); if (sig == NULL) return; prevsig->next = sig; prevsig = sig; - sig = SigInit("alert tcp 192.168.0.4 any -> 1.2.0.1 any (msg:\"HTTP UA code cap\"; flow:to_server; content:User-Agent:; depth:300; pcre:\"/^User-Agent: (?.*)\\r\\n/m\"; sid:5;)"); + sig = SigInit(g_de_ctx,"alert tcp 192.168.0.4 any -> 1.2.0.1 any (msg:\"HTTP UA code cap\"; flow:to_server; content:User-Agent:; depth:300; pcre:\"/^User-Agent: (?.*)\\r\\n/m\"; sid:5;)"); if (sig == NULL) return; prevsig->next = sig; prevsig = sig; - sig = SigInit("alert tcp 192.168.0.12 any -> 0.0.0.0/0 any (msg:\"HTTP http_host flowvar www.inliniac.net\"; flow:to_server; flowvar:http_host,\"www.inliniac.net\"; sid:7;)"); + sig = SigInit(g_de_ctx,"alert tcp 192.168.0.12 any -> 0.0.0.0/0 any (msg:\"HTTP http_host flowvar www.inliniac.net\"; flow:to_server; flowvar:http_host,\"www.inliniac.net\"; sid:7;)"); if (sig) { prevsig->next = sig; prevsig = sig; } - sig = SigInit("alert tcp 192.168.0.0/16 any -> 0.0.0.0/0 any (msg:\"HTTP http_uri flowvar MattJonkman\"; flow:to_server; flowvar:http_uri,\"MattJonkman\"; sid:8;)"); + sig = SigInit(g_de_ctx,"alert tcp 192.168.0.0/16 any -> 0.0.0.0/0 any (msg:\"HTTP http_uri flowvar MattJonkman\"; flow:to_server; flowvar:http_uri,\"MattJonkman\"; sid:8;)"); if (sig) { prevsig->next = sig; prevsig = sig; } - sig = SigInit("alert tcp 0.0.0.0/0 any -> 0.0.0.0/0 any (msg:\"HTTP uricontent VictorJulien\"; flow:to_server; uricontent:\"VictorJulien\"; nocase; sid:9;)"); + sig = SigInit(g_de_ctx,"alert tcp 0.0.0.0/0 any -> 0.0.0.0/0 any (msg:\"HTTP uricontent VictorJulien\"; flow:to_server; uricontent:\"VictorJulien\"; nocase; 
sid:9;)"); if (sig) { prevsig->next = sig; prevsig = sig; } - sig = SigInit("alert tcp 0.0.0.0/0 any -> 10.0.0.0/8 any (msg:\"HTTP uricontent VictorJulien\"; flow:to_server; uricontent:\"VictorJulien\"; nocase; sid:5;)"); + sig = SigInit(g_de_ctx,"alert tcp 0.0.0.0/0 any -> 10.0.0.0/8 any (msg:\"HTTP uricontent VictorJulien\"; flow:to_server; uricontent:\"VictorJulien\"; nocase; sid:5;)"); if (sig) { prevsig->next = sig; prevsig = sig; @@ -300,7 +300,7 @@ void SigLoadSignatures (void) //if (i > 1000) break; - sig = SigInit(line); + sig = SigInit(g_de_ctx, line); if (sig) { prevsig->next = sig; prevsig = sig; @@ -324,8 +324,6 @@ void SigLoadSignatures (void) //DetectAddressGroupPrintMemory(); //DetectSigGroupPrintMemory(); //DetectPortPrintMemory(); - -//abort(); } /* check if a certain sid alerted, this is used in the test functions */ @@ -405,8 +403,8 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p) /* we assume we don't have an uri when we start inspection */ pmt->de_have_httpuri = 0; - pmt->mc = NULL; - pmt->mcu = NULL; + //pmt->mc = NULL; + //pmt->mcu = NULL; pmt->sgh = NULL; /* find the right mpm instance */ @@ -416,8 +414,6 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p) ag = DetectAddressLookupGroup(ag->dst_gh,&p->dst); if (ag != NULL) { if (ag->port == NULL) { - pmt->mc = ag->sh->mpm_ctx; - pmt->mcu = ag->sh->mpm_uri_ctx; pmt->sgh = ag->sh; //printf("SigMatchSignatures: mc %p, mcu %p\n", pmt->mc, pmt->mcu); @@ -429,8 +425,6 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p) if (sport != NULL) { DetectPort *dport = DetectPortLookupGroup(sport->dst_ph,p->dp); if (dport != NULL) { - pmt->mc = dport->sh->mpm_ctx; - pmt->mcu = dport->sh->mpm_uri_ctx; pmt->sgh = dport->sh; } } 
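Review bot: In the @@ -405 hunk the per-packet resets are commented out (`//pmt->mc = NULL;`, `//pmt->mcu = NULL;`) rather than deleted, while the @@ -416 and @@ -429 hunks delete the matching assignments outright. If `mc`/`mcu` are no longer read anywhere, drop both lines. If the fields still exist in PatternMatcherThread, they now keep whatever an earlier packet left in them, so any remaining reader would see a stale matcher context; that is worth checking before merge. SigMatchSignatures continues outside the hunk.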
@@ -445,7 +439,7 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p) return 0; } - if (p->tcp_payload_len > 0 && pmt->mc != NULL) { + if (p->tcp_payload_len > 0 && pmt->sgh->mpm_ctx != NULL) { /* run the pattern matcher against the packet */ if (pmt->sgh->mpm_content_maxlen > p->tcp_payload_len) { //printf("Not scanning as pkt payload is smaller than the largest content length we need to match"); @@ -593,8 +587,8 @@ int Detect(ThreadVars *t, Packet *p, void *data, PacketQueue *pq) { return SigMatchSignatures(t,pmt,p); } -int DetectThreadInit(ThreadVars *t, void **data) { - return PatternMatcherThreadInit(t,data); +int DetectThreadInit(ThreadVars *t, void *initdata, void **data) { + return PatternMatcherThreadInit(t,initdata,data); } int DetectThreadDeinit(ThreadVars *t, void *data) { @@ -611,7 +605,7 @@ void SigCleanSignatures() s = ns; } - SigResetMaxId(); + DetectEngineResetMaxSigId(g_de_ctx); } /* return codes: @@ -662,7 +656,7 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) { "adding signatures to signature source addresses...\n"); } - de_ctx->sig_array_len = SigGetMaxId(); + de_ctx->sig_array_len = DetectEngineGetMaxSigId(de_ctx); de_ctx->sig_array_size = (de_ctx->sig_array_len * sizeof(Signature *)); de_ctx->sig_array = (Signature **)malloc(de_ctx->sig_array_size); if (de_ctx->sig_array == NULL) 
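Review bot: The new condition `pmt->sgh->mpm_ctx != NULL` in the @@ -445 hunk dereferences `pmt->sgh`, which the @@ -405 hunk resets to NULL for every packet and which is assigned only when the address and port lookups succeed. The old test read `pmt->mc`, a field of `pmt` itself, so it was safe without a group head. The only context visible above the changed line is `return 0; }`. If that is not an `if (pmt->sgh == NULL)` guard, a packet that matches no group would crash the detect thread, so either confirm the guard or write `pmt->sgh != NULL && pmt->sgh->mpm_ctx != NULL`. The rest of the function lies outside the hunk.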
@@ -690,19 +684,19 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) { } for (gr = tmp_s->src.ipv4_head; gr != NULL; gr = gr->next) { - if (SigGroupHeadAppendSig(&gr->sh,tmp_s) < 0) { + if (SigGroupHeadAppendSig(de_ctx, &gr->sh,tmp_s) < 0) { goto error; } cnt++; } for (gr = tmp_s->src.ipv6_head; gr != NULL; gr = gr->next) { - if (SigGroupHeadAppendSig(&gr->sh,tmp_s) < 0) { + if (SigGroupHeadAppendSig(de_ctx, &gr->sh,tmp_s) < 0) { goto error; } cnt++; } for (gr = tmp_s->src.any_head; gr != NULL; gr = gr->next) { - if (SigGroupHeadAppendSig(&gr->sh,tmp_s) < 0) { + if (SigGroupHeadAppendSig(de_ctx, &gr->sh,tmp_s) < 0) { goto error; } cnt++; @@ -767,7 +761,7 @@ static int BuildSourceAddressList(DetectEngineCtx *de_ctx, Signature *s, int fam grtmp->ad = adtmp; grtmp->cnt = 1; - SigGroupHeadAppendSig(&grtmp->sh, s); + SigGroupHeadAppendSig(de_ctx, &grtmp->sh, s); /* add to the lookup list */ if (family == AF_INET) { @@ -779,7 +773,7 @@ static int BuildSourceAddressList(DetectEngineCtx *de_ctx, Signature *s, int fam } } else { /* our group will only have one sig, this one. So add that. */ - SigGroupHeadAppendSig(&lookup_gr->sh, s); + SigGroupHeadAppendSig(de_ctx, &lookup_gr->sh, s); lookup_gr->cnt++; } } @@ -819,10 +813,10 @@ static int BuildSourceAddressList(DetectEngineCtx *de_ctx, Signature *s, int fam DetectAddressGroupAdd(&de_ctx->io_tmp_gh->any_head, grtmp); } - SigGroupHeadAppendSig(&grtmp->sh, s); + SigGroupHeadAppendSig(de_ctx, &grtmp->sh, s); } else { /* our group will only have one sig, this one. So add that. */ - SigGroupHeadAppendSig(&lookup_gr->sh, s); + SigGroupHeadAppendSig(de_ctx, &lookup_gr->sh, s); lookup_gr->cnt++; } 
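Review bot: In BuildSourceAddressList (@@ -767, @@ -779, @@ -819) the updated `SigGroupHeadAppendSig(de_ctx, &grtmp->sh, s);` calls still discard the return value, although the @@ -690 hunk in SigAddressPrepareStage1 treats `< 0` as a failure and jumps to `error`. A failed append here would leave the group's `cnt` incremented for a signature that is not in its group head, so a rule could silently drop out of a group. Suggest the stage-1 form, `if (SigGroupHeadAppendSig(de_ctx, &grtmp->sh, s) < 0) goto error;`, assuming the function has an error label (not visible in these hunks). The same unchecked calls appear in the BuildDestinationAddressHeads* hunks (@@ -1349, @@ -1521, @@ -1622, @@ -1668, @@ -1728).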
@@ -860,7 +854,7 @@ static DetectAddressGroup *GetHeadPtr(DetectAddressGroupsHead *head, int family) * srchead is a ordered "inserted" list w/o internal overlap * */ -int CreateGroupedAddrList(DetectAddressGroup *srchead, int family, DetectAddressGroupsHead *newhead, u_int32_t unique_groups) { +int CreateGroupedAddrList(DetectEngineCtx *de_ctx, DetectAddressGroup *srchead, int family, DetectAddressGroupsHead *newhead, u_int32_t unique_groups) { DetectAddressGroup *tmplist = NULL, *tmplist2 = NULL, *joingr = NULL; char insert = 0; DetectAddressGroup *gr, *next_gr; @@ -884,10 +878,10 @@ int CreateGroupedAddrList(DetectAddressGroup *srchead, int family, DetectAddress newtmp->ad = adtmp; newtmp->cnt = gr->cnt; - SigGroupHeadCopySigs(gr->sh,&newtmp->sh); + SigGroupHeadCopySigs(de_ctx, gr->sh,&newtmp->sh); DetectPort *port = gr->port; for ( ; port != NULL; port = port->next) { - DetectPortInsertCopy(&newtmp->port, port); + DetectPortInsertCopy(de_ctx,&newtmp->port, port); } /* insert it */ @@ -935,14 +929,14 @@ int CreateGroupedAddrList(DetectAddressGroup *srchead, int family, DetectAddress joingr->ad = adtmp; joingr->cnt = gr->cnt; - SigGroupHeadCopySigs(gr->sh,&joingr->sh); + SigGroupHeadCopySigs(de_ctx,gr->sh,&joingr->sh); DetectPort *port = gr->port; for ( ; port != NULL; port = port->next) { - DetectPortInsertCopy(&joingr->port, port); + DetectPortInsertCopy(de_ctx,&joingr->port, port); } } else { - DetectAddressGroupJoin(joingr, gr); + DetectAddressGroupJoin(de_ctx, joingr, gr); } } else { DetectAddressGroup *newtmp = DetectAddressGroupInit(); 
@@ -956,11 +950,11 @@ int CreateGroupedAddrList(DetectAddressGroup *srchead, int family, DetectAddress newtmp->ad = adtmp; newtmp->cnt = gr->cnt; - SigGroupHeadCopySigs(gr->sh,&newtmp->sh); + SigGroupHeadCopySigs(de_ctx,gr->sh,&newtmp->sh); DetectPort *port = gr->port; for ( ; port != NULL; port = port->next) { - DetectPortInsertCopy(&newtmp->port, port); + DetectPortInsertCopy(de_ctx,&newtmp->port, port); } if (tmplist2 == NULL) { @@ -995,14 +989,14 @@ int CreateGroupedAddrList(DetectAddressGroup *srchead, int family, DetectAddress newtmp->ad = adtmp; newtmp->cnt = gr->cnt; - SigGroupHeadCopySigs(gr->sh,&newtmp->sh); + SigGroupHeadCopySigs(de_ctx, gr->sh,&newtmp->sh); DetectPort *port = gr->port; for ( ; port != NULL; port = port->next) { - DetectPortInsertCopy(&newtmp->port, port); + DetectPortInsertCopy(de_ctx, &newtmp->port, port); } - DetectAddressGroupInsert(newhead,newtmp); + DetectAddressGroupInsert(de_ctx, newhead, newtmp); next_gr = gr->next; // DetectAddressGroupFree(gr); @@ -1011,7 +1005,7 @@ int CreateGroupedAddrList(DetectAddressGroup *srchead, int family, DetectAddress /* if present, insert the joingr that covers the rest */ if (joingr != NULL) { // printf(" 3 -= J Address "); DetectAddressDataPrint(joingr->ad); printf(" : "); DbgPrintSigs2(joingr->sh); - DetectAddressGroupInsert(newhead,joingr); + DetectAddressGroupInsert(de_ctx, newhead, joingr); /* mark the groups that are not unique */ DetectAddressGroup *ag = GetHeadPtr(newhead,family); 
@@ -1039,16 +1033,20 @@ error: return -1; } -int CreateGroupedPortList(DetectPort *srchead, DetectPort **newhead, u_int32_t unique_groups) { +int CreateGroupedPortList(DetectEngineCtx *de_ctx,HashListTable *port_hash, DetectPort **newhead, u_int32_t unique_groups) { DetectPort *tmplist = NULL, *tmplist2 = NULL, *joingr = NULL; char insert = 0; DetectPort *gr, *next_gr; + HashListTableBucket *htb = HashListTableGetListHead(port_hash); + /* insert the addresses into the tmplist, where it will * be sorted descending on 'cnt'. */ - for (gr = srchead; gr != NULL; gr = gr->next) { + for ( ; htb != NULL; htb = HashListTableGetListNext(htb)) { + gr = (DetectPort *)HashListTableGetListData(htb); + /* alloc a copy */ - DetectPort *newtmp = DetectPortCopySingle(gr); + DetectPort *newtmp = DetectPortCopySingle(de_ctx,gr); if (newtmp == NULL) { goto error; } @@ -1085,15 +1083,15 @@ int CreateGroupedPortList(DetectPort *srchead, DetectPort **newhead, u_int32_t u for (gr = tmplist; gr != NULL; ) { if (i == 0) { if (joingr == NULL) { - joingr = DetectPortCopySingle(gr); + joingr = DetectPortCopySingle(de_ctx,gr); if (joingr == NULL) { goto error; } } else { - DetectPortJoin(joingr, gr); + DetectPortJoin(de_ctx,joingr, gr); } } else { - DetectPort *newtmp = DetectPortCopySingle(gr); + DetectPort *newtmp = DetectPortCopySingle(de_ctx,gr); if (newtmp == NULL) { goto error; } @@ -1118,12 +1116,12 @@ int CreateGroupedPortList(DetectPort *srchead, DetectPort **newhead, u_int32_t u * * Start with inserting the unique groups */ for (gr = tmplist2; gr != NULL; ) { - DetectPort *newtmp = DetectPortCopySingle(gr); + DetectPort *newtmp = DetectPortCopySingle(de_ctx,gr); if (newtmp == NULL) { goto error; } - DetectPortInsert(newhead,newtmp); + DetectPortInsert(de_ctx,newhead,newtmp); next_gr = gr->next; DetectPortFree(gr); 
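Review bot: CreateGroupedPortList (@@ -1039) now takes `HashListTable *port_hash` in place of the `srchead` list, but nothing at the definition says what the table must hold or who owns its entries. The loop comment above the iteration also still speaks of "addresses". The body casts each bucket's data to `DetectPort *` and copies it with `DetectPortCopySingle(de_ctx,gr)`, so a short header comment would help: `/* port_hash: table whose data entries are DetectPort *; entries are copied here, not consumed */`. `HashListTableGetListHead(port_hash)` is also called with no NULL check on `port_hash`, and whether the helper tolerates NULL is not visible here. The function continues past this hunk.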
@@ -1131,7 +1129,7 @@ int CreateGroupedPortList(DetectPort *srchead, DetectPort **newhead, u_int32_t u } /* if present, insert the joingr that covers the rest */ if (joingr != NULL) { - DetectPortInsert(newhead,joingr); + DetectPortInsert(de_ctx,newhead,joingr); } for (gr = *newhead; gr != NULL; gr = gr->next) { @@ -1185,9 +1183,9 @@ int SigAddressPrepareStage2(DetectEngineCtx *de_ctx) { /* create the final src addr list based on the tmplist. */ for (proto = 0; proto < 256; proto++) { - CreateGroupedAddrList(de_ctx->tmp_gh[proto]->ipv4_head, AF_INET, de_ctx->src_gh[proto], MAX_UNIQ_GROUPS); - CreateGroupedAddrList(de_ctx->tmp_gh[proto]->ipv6_head, AF_INET6, de_ctx->src_gh[proto], MAX_UNIQ_GROUPS); - CreateGroupedAddrList(de_ctx->tmp_gh[proto]->any_head, AF_UNSPEC, de_ctx->src_gh[proto], MAX_UNIQ_GROUPS); + CreateGroupedAddrList(de_ctx, de_ctx->tmp_gh[proto]->ipv4_head, AF_INET, de_ctx->src_gh[proto], MAX_UNIQ_GROUPS); + CreateGroupedAddrList(de_ctx, de_ctx->tmp_gh[proto]->ipv6_head, AF_INET6, de_ctx->src_gh[proto], MAX_UNIQ_GROUPS); + CreateGroupedAddrList(de_ctx, de_ctx->tmp_gh[proto]->any_head, AF_UNSPEC, de_ctx->src_gh[proto], MAX_UNIQ_GROUPS); //DetectAddressGroupsHeadFree(de_ctx->tmp_gh[proto]); free(de_ctx->tmp_gh[proto]); @@ -1205,7 +1203,7 @@ int SigAddressPrepareStage2(DetectEngineCtx *de_ctx) { DetectAddressGroup *grnext = gr->next; gr->next = NULL; - if (DetectAddressGroupInsert(de_ctx->io_src_gh,gr) < 0) + if (DetectAddressGroupInsert(de_ctx, de_ctx->io_src_gh, gr) < 0) goto error; gr = grnext; @@ -1215,7 +1213,7 @@ int SigAddressPrepareStage2(DetectEngineCtx *de_ctx) { DetectAddressGroup *grnext = gr->next; gr->next = NULL; - if (DetectAddressGroupInsert(de_ctx->io_src_gh,gr) < 0) + if (DetectAddressGroupInsert(de_ctx, de_ctx->io_src_gh, gr) < 0) goto error; gr = grnext; 
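Review bot: In the @@ -1185 hunk the three `CreateGroupedAddrList(de_ctx, ...)` calls in SigAddressPrepareStage2 ignore the int result, and the loop then frees `de_ctx->tmp_gh[proto]` regardless. The function apparently has an `error:` path returning -1 (context of the @@ -1039 hunk), and the same stage already checks `DetectAddressGroupInsert(...) < 0` a few lines later (@@ -1205, @@ -1215). A partial failure would leave `src_gh[proto]` incomplete without any message, so the engine would run with fewer groups than the ruleset describes. Suggest `if (CreateGroupedAddrList(...) < 0) goto error;` on each call. The callers in @@ -1362, @@ -1534 and @@ -1639, and the CreateGroupedPortList calls in @@ -1668 and @@ -1728, discard the result the same way.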
@@ -1349,11 +1347,11 @@ static int BuildDestinationAddressHeads(DetectEngineCtx *de_ctx, DetectAddressGr DetectAddressGroupAdd(&tmp_gr_list,grtmp); - SigGroupHeadAppendSig(&grtmp->sh,tmp_s); + SigGroupHeadAppendSig(de_ctx,&grtmp->sh,tmp_s); grtmp->cnt = 1; } else { /* our group will only have one sig, this one. So add that. */ - SigGroupHeadAppendSig(&lookup_gr->sh,tmp_s); + SigGroupHeadAppendSig(de_ctx,&lookup_gr->sh,tmp_s); lookup_gr->cnt++; } } @@ -1362,7 +1360,7 @@ static int BuildDestinationAddressHeads(DetectEngineCtx *de_ctx, DetectAddressGr /* Create the destination address list, keeping in * mind the limits we use. */ - CreateGroupedAddrList(tmp_gr_list,family,gr->dst_gh,MAX_UNIQ_GROUPS); + CreateGroupedAddrList(de_ctx,tmp_gr_list,family,gr->dst_gh,MAX_UNIQ_GROUPS); /* see if the sig group head of each address group is the * same as an earlier one. If it is, free our head and use @@ -1375,7 +1373,7 @@ static int BuildDestinationAddressHeads(DetectEngineCtx *de_ctx, DetectAddressGr /* Because a pattern matcher context uses quite some * memory, we first check if we can reuse it from * another group head. */ - SigGroupHead *sgh = SigGroupHeadHashLookup(sgr->sh); + SigGroupHead *sgh = SigGroupHeadHashLookup(de_ctx, sgr->sh); if (sgh == NULL) { /* put the contents in our sig group head */ SigGroupHeadSetSigCnt(sgr->sh, max_idx); @@ -1387,9 +1385,9 @@ static int BuildDestinationAddressHeads(DetectEngineCtx *de_ctx, DetectAddressGr de_ctx->mpm_none++; } else { /* now have a look if we can reuse a mpm ctx */ - SigGroupHead *mpmsh = SigGroupHeadMpmHashLookup(sgr->sh); + SigGroupHead *mpmsh = SigGroupHeadMpmHashLookup(de_ctx, sgr->sh); if (mpmsh == NULL) { - SigGroupHeadMpmHashAdd(sgr->sh); + SigGroupHeadMpmHashAdd(de_ctx, sgr->sh); de_ctx->mpm_unique++; } else { 
@@ -1407,9 +1405,9 @@ static int BuildDestinationAddressHeads(DetectEngineCtx *de_ctx, DetectAddressGr de_ctx->mpm_uri_none++; } else { /* now have a look if we can reuse a uri mpm ctx */ - SigGroupHead *mpmsh = SigGroupHeadMpmUriHashLookup(sgr->sh); + SigGroupHead *mpmsh = SigGroupHeadMpmUriHashLookup(de_ctx, sgr->sh); if (mpmsh == NULL) { - SigGroupHeadMpmUriHashAdd(sgr->sh); + SigGroupHeadMpmUriHashAdd(de_ctx, sgr->sh); de_ctx->mpm_uri_unique++; } else { sgr->sh->mpm_uri_ctx = mpmsh->mpm_uri_ctx; @@ -1440,13 +1438,13 @@ static int BuildDestinationAddressHeads(DetectEngineCtx *de_ctx, DetectAddressGr } /* dbg */ if (!(sgr->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && sgr->sh->mpm_ctx) { - mpm_memory_size += sgr->sh->mpm_ctx->memory_size; + de_ctx->mpm_memory_size += sgr->sh->mpm_ctx->memory_size; } if (!(sgr->sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY) && sgr->sh->mpm_uri_ctx) { - mpm_memory_size += sgr->sh->mpm_uri_ctx->memory_size; + de_ctx->mpm_memory_size += sgr->sh->mpm_uri_ctx->memory_size; } - SigGroupHeadHashAdd(sgr->sh); + SigGroupHeadHashAdd(de_ctx, sgr->sh); de_ctx->gh_unique++; } else { SigGroupHeadFree(sgr->sh); @@ -1521,11 +1519,11 @@ static int BuildDestinationAddressHeadsIPOnly(DetectEngineCtx *de_ctx, DetectAdd DetectAddressGroupAdd(&tmp_gr_list,grtmp); - SigGroupHeadAppendSig(&grtmp->sh,tmp_s); + SigGroupHeadAppendSig(de_ctx, &grtmp->sh,tmp_s); grtmp->cnt = 1; } else { /* our group will only have one sig, this one. So add that. */ - SigGroupHeadAppendSig(&lookup_gr->sh,tmp_s); + SigGroupHeadAppendSig(de_ctx, &lookup_gr->sh,tmp_s); lookup_gr->cnt++; } } 
@@ -1534,7 +1532,7 @@ static int BuildDestinationAddressHeadsIPOnly(DetectEngineCtx *de_ctx, DetectAdd /* Create the destination address list, keeping in * mind the limits we use. */ - CreateGroupedAddrList(tmp_gr_list,family,gr->dst_gh,0); + CreateGroupedAddrList(de_ctx, tmp_gr_list,family,gr->dst_gh,0); /* see if the sig group head of each address group is the * same as an earlier one. If it is, free our head and use @@ -1547,13 +1545,13 @@ static int BuildDestinationAddressHeadsIPOnly(DetectEngineCtx *de_ctx, DetectAdd /* Because a pattern matcher context uses quite some * memory, we first check if we can reuse it from * another group head. */ - SigGroupHead *sgh = SigGroupHeadHashLookup(sgr->sh); + SigGroupHead *sgh = SigGroupHeadHashLookup(de_ctx, sgr->sh); if (sgh == NULL) { /* put the contents in our sig group head */ SigGroupHeadSetSigCnt(sgr->sh, max_idx); SigGroupHeadBuildMatchArray(de_ctx,sgr->sh, max_idx); - SigGroupHeadHashAdd(sgr->sh); + SigGroupHeadHashAdd(de_ctx, sgr->sh); de_ctx->gh_unique++; } else { SigGroupHeadFree(sgr->sh); @@ -1622,13 +1620,13 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De goto error; } grtmp->ad = adtmp; - SigGroupHeadAppendSig(&grtmp->sh,tmp_s); + SigGroupHeadAppendSig(de_ctx, &grtmp->sh, tmp_s); grtmp->cnt = 1; DetectAddressGroupAdd(&tmp_gr_list,grtmp); } else { /* our group will only have one sig, this one. So add that. */ - SigGroupHeadAppendSig(&lookup_gr->sh,tmp_s); + SigGroupHeadAppendSig(de_ctx, &lookup_gr->sh, tmp_s); lookup_gr->cnt++; } @@ -1639,7 +1637,7 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De /* Create the destination address list, keeping in * mind the limits we use. */ - CreateGroupedAddrList(tmp_gr_list,family,src_gr->dst_gh,MAX_UNIQ_GROUPS); + CreateGroupedAddrList(de_ctx,tmp_gr_list,family,src_gr->dst_gh,MAX_UNIQ_GROUPS); /* add the ports to the dst address groups and the sigs * to the ports */ 
@@ -1653,9 +1651,9 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De /* we will reuse address sig group heads at this points, * because if the sigs are the same, the ports will be * the same. Saves memory and a lot of init time. */ - SigGroupHead *lookup_sgh = SigGroupHeadHashLookup(dst_gr->sh); + SigGroupHead *lookup_sgh = SigGroupHeadHashLookup(de_ctx, dst_gr->sh); if (lookup_sgh == NULL) { - DetectPortSpHashReset(); + DetectPortSpHashReset(de_ctx); u_int32_t sig2; for (sig2 = 0; sig2 < max_idx+1; sig2++) { 
@@ -1668,34 +1666,35 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De DetectPort *sdp = s->sp; for ( ; sdp != NULL; sdp = sdp->next) { - DetectPort *lookup_port = DetectPortSpHashLookup(sdp); + DetectPort *lookup_port = DetectPortSpHashLookup(de_ctx, sdp); if (lookup_port == NULL) { - DetectPort *port = DetectPortCopySingle(sdp); + DetectPort *port = DetectPortCopySingle(de_ctx,sdp); if (port == NULL) goto error; - SigGroupHeadAppendSig(&port->sh,s); - DetectPortSpHashAdd(port); + SigGroupHeadAppendSig(de_ctx, &port->sh, s); + DetectPortSpHashAdd(de_ctx, port); port->cnt = 1; } else { - SigGroupHeadAppendSig(&lookup_port->sh,s); + SigGroupHeadAppendSig(de_ctx, &lookup_port->sh, s); lookup_port->cnt++; } } } - DetectPort *p = DetectPortSpHashGetListPtr(); - CreateGroupedPortList(p, &dst_gr->port, MAX_UNIQ_GROUPS); - if (p != NULL) { - DetectPort *next_p; - for (; p != NULL; ) { - next_p = p->next; - DetectPortFree(p); - p = next_p; - } - } +// HashListTableBucket *htb = HashListTableGetListHead(de_ctx->sport_hash_table); +// DetectPort *tsp = HashListTableGetListData(htb); + CreateGroupedPortList(de_ctx, de_ctx->sport_hash_table, &dst_gr->port, MAX_UNIQ_GROUPS); +// if (tsp != NULL) { +// DetectPort *next_p; +// for (; tsp != NULL; ) { +// next_p = tsp->next; +// DetectPortFree(tsp); +// tsp = next_p; +// } +// } - SigGroupHeadHashAdd(dst_gr->sh); + SigGroupHeadHashAdd(de_ctx, dst_gr->sh); dst_gr->sh->port = dst_gr->port; /* mark this head for deletion once we no longer need 
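Review bot: The loop that freed the port list after CreateGroupedPortList is left as a block of `//` comments, together with two commented `htb`/`tsp` lines, and nothing visible replaces its `DetectPortFree` calls. CreateGroupedPortList copies each entry, so the ports added with `DetectPortSpHashAdd(de_ctx, port)` stay in `de_ctx->sport_hash_table` until `DetectPortSpHashReset` or `DetectPortSpHashFree` runs. If the table has no free callback for its data, every pass through this branch leaks them. Suggest deleting the commented block and stating the owner in one line once confirmed, e.g. `/* ports stay owned by sport_hash_table; released by DetectPortSpHashReset() */`. The @@ -1728 hunk has the same pattern for `dport_hash_table`.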
@@ -1714,9 +1713,9 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De /* we will reuse address sig group heads at this points, * because if the sigs are the same, the ports will be * the same. Saves memory and a lot of init time. */ - SigGroupHead *lookup_sp_sgh = SigGroupHeadSPortHashLookup(sp->sh); + SigGroupHead *lookup_sp_sgh = SigGroupHeadSPortHashLookup(de_ctx, sp->sh); if (lookup_sp_sgh == NULL) { - DetectPortHashReset(); + DetectPortDpHashReset(de_ctx); u_int32_t sig2; for (sig2 = 0; sig2 < max_idx+1; sig2++) { if (!(sp->sh->sig_array[(sig2/8)] & (1<<(sig2%8)))) 
@@ -1728,34 +1727,35 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De DetectPort *sdp = s->dp; for ( ; sdp != NULL; sdp = sdp->next) { - DetectPort *lookup_port = DetectPortHashLookup(sdp); + DetectPort *lookup_port = DetectPortDpHashLookup(de_ctx,sdp); if (lookup_port == NULL) { - DetectPort *port = DetectPortCopySingle(sdp); + DetectPort *port = DetectPortCopySingle(de_ctx,sdp); if (port == NULL) goto error; - SigGroupHeadAppendSig(&port->sh,s); - DetectPortHashAdd(port); + SigGroupHeadAppendSig(de_ctx, &port->sh, s); + DetectPortDpHashAdd(de_ctx,port); port->cnt = 1; } else { - SigGroupHeadAppendSig(&lookup_port->sh,s); + SigGroupHeadAppendSig(de_ctx, &lookup_port->sh, s); lookup_port->cnt++; } } } - DetectPort *p = DetectPortHashGetListPtr(); - CreateGroupedPortList(p,&sp->dst_ph,MAX_UNIQ_GROUPS); - if (p != NULL) { - DetectPort *next_p; - for (; p != NULL; ) { - next_p = p->next; - DetectPortFree(p); - p = next_p; - } - } +// HashListTableBucket *htb = HashListTableGetListHead(de_ctx->dport_hash_table); +// DetectPort *tdp = HashListTableGetListData(htb); + CreateGroupedPortList(de_ctx, de_ctx->dport_hash_table, &sp->dst_ph, MAX_UNIQ_GROUPS); +// if (tdp != NULL) { +// DetectPort *next_p; +// for (; tdp != NULL; ) { +// next_p = tdp->next; +// DetectPortFree(tdp); +// tdp = next_p; +// } +// } - SigGroupHeadSPortHashAdd(sp->sh); + SigGroupHeadSPortHashAdd(de_ctx, sp->sh); sp->sh->port = sp->dst_ph; /* mark this head for deletion once we no longer need 
@@ -1775,7 +1775,7 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De /* Because a pattern matcher context uses quite some * memory, we first check if we can reuse it from * another group head. */ - SigGroupHead *lookup_dp_sgh = SigGroupHeadPortHashLookup(dp->sh); + SigGroupHead *lookup_dp_sgh = SigGroupHeadDPortHashLookup(de_ctx, dp->sh); if (lookup_dp_sgh == NULL) { SigGroupHeadSetSigCnt(dp->sh, max_idx); SigGroupHeadBuildMatchArray(de_ctx,dp->sh, max_idx); @@ -1785,9 +1785,9 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De de_ctx->mpm_none++; } else { /* now have a look if we can reuse a mpm ctx */ - SigGroupHead *mpmsh = SigGroupHeadMpmHashLookup(dp->sh); + SigGroupHead *mpmsh = SigGroupHeadMpmHashLookup(de_ctx, dp->sh); if (mpmsh == NULL) { - SigGroupHeadMpmHashAdd(dp->sh); + SigGroupHeadMpmHashAdd(de_ctx, dp->sh); de_ctx->mpm_unique++; } else { @@ -1804,9 +1804,9 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De de_ctx->mpm_uri_none++; } else { /* now have a look if we can reuse a uri mpm ctx */ - SigGroupHead *mpmsh = SigGroupHeadMpmUriHashLookup(dp->sh); + SigGroupHead *mpmsh = SigGroupHeadMpmUriHashLookup(de_ctx, dp->sh); if (mpmsh == NULL) { - SigGroupHeadMpmUriHashAdd(dp->sh); + SigGroupHeadMpmUriHashAdd(de_ctx, dp->sh); de_ctx->mpm_uri_unique++; } else { 
@@ -1838,13 +1838,13 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De } /* dbg */ if (!(dp->sh->flags & SIG_GROUP_HEAD_MPM_COPY) && dp->sh->mpm_ctx) { - mpm_memory_size += dp->sh->mpm_ctx->memory_size; + de_ctx->mpm_memory_size += dp->sh->mpm_ctx->memory_size; } if (!(dp->sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY) && dp->sh->mpm_uri_ctx) { - mpm_memory_size += dp->sh->mpm_uri_ctx->memory_size; + de_ctx->mpm_memory_size += dp->sh->mpm_uri_ctx->memory_size; } - SigGroupHeadPortHashAdd(dp->sh); + SigGroupHeadDPortHashAdd(de_ctx, dp->sh); de_ctx->gh_unique++; } else { SigGroupHeadFree(dp->sh); @@ -1903,21 +1903,12 @@ int SigAddressPrepareStage3(DetectEngineCtx *de_ctx) { //DetectSigGroupPrintMemory(); //DetectPortPrintMemory(); - SigGroupHeadHashInit(); - SigGroupHeadPortHashInit(); - SigGroupHeadSPortHashInit(); - SigGroupHeadMpmHashInit(); - SigGroupHeadMpmUriHashInit(); - - DetectPortHashInit(); - DetectPortSpHashInit(); r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->src_gh[6],AF_INET); if (r < 0) { printf ("BuildDestinationAddressHeads(src_gh[6],AF_INET) failed\n"); goto error; } -//#if 0 r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->src_gh[17],AF_INET); if (r < 0) { printf ("BuildDestinationAddressHeads(src_gh[17],AF_INET) failed\n"); 
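Review bot: The @@ -1903 hunk removes the seven `*HashInit()` calls from SigAddressPrepareStage3 with no replacement, while the @@ -1981 hunk still ends the stage with the matching `*HashFree(de_ctx)` calls. Presumably the tables are now created when the DetectEngineCtx is set up. If so, a second SigGroupBuild on the same ctx would run against tables that were already freed, unless the Free or Reset helpers re-create them, which is not visible here. Either move the frees to the ctx teardown or document the lifetime where the calls used to be, e.g. `/* hash tables are created with the de_ctx and freed at the end of this stage */`. The function body extends beyond the hunk.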
@@ -1981,36 +1972,32 @@ int SigAddressPrepareStage3(DetectEngineCtx *de_ctx) { printf ("BuildDestinationAddressHeads(src_gh[%d],AF_UNSPEC) failed\n", i); goto error; } -//#endif + /* cleanup group head (uri)content_array's */ - SigGroupHeadFreeMpmArrays(); + SigGroupHeadFreeMpmArrays(de_ctx); /* cleanup group head sig arrays */ - SigGroupHeadFreeSigArrays(); + SigGroupHeadFreeSigArrays(de_ctx); /* cleanup heads left over in *WithPorts */ /* XXX VJ breaks SigGroupCleanup */ //SigGroupHeadFreeHeads(); - /* cleanup the hashes */ - SigGroupHeadHashFree(); - SigGroupHeadPortHashFree(); - SigGroupHeadSPortHashFree(); - SigGroupHeadMpmHashFree(); - SigGroupHeadMpmUriHashFree(); + /* cleanup the hashes now since we won't need them + * after the initialization phase. */ + SigGroupHeadHashFree(de_ctx); + SigGroupHeadDPortHashFree(de_ctx); + SigGroupHeadSPortHashFree(de_ctx); + SigGroupHeadMpmHashFree(de_ctx); + SigGroupHeadMpmUriHashFree(de_ctx); + DetectPortDpHashFree(de_ctx); + DetectPortSpHashFree(de_ctx); - DetectPortHashFree(); - DetectPortSpHashFree(); - -// DetectAddressGroupPrintMemory(); -// DetectSigGroupPrintMemory(); -// DetectPortPrintMemory(); -//#endif if (!(de_ctx->flags & DE_QUIET)) { printf("* MPM memory %u (dynamic %u, ctxs %u, avg per ctx %u)\n", - mpm_memory_size + ((de_ctx->mpm_unique + de_ctx->mpm_uri_unique) * sizeof(MpmCtx)), - mpm_memory_size, ((de_ctx->mpm_unique + de_ctx->mpm_uri_unique) * sizeof(MpmCtx)), - mpm_memory_size / de_ctx->mpm_unique); + de_ctx->mpm_memory_size + ((de_ctx->mpm_unique + de_ctx->mpm_uri_unique) * sizeof(MpmCtx)), + de_ctx->mpm_memory_size, ((de_ctx->mpm_unique + de_ctx->mpm_uri_unique) * sizeof(MpmCtx)), + de_ctx->mpm_memory_size / de_ctx->mpm_unique); - printf(" * Max sig id %u, array size %u\n", SigGetMaxId(), SigGetMaxId() / 8 + 1); + printf(" * Max sig id %u, array size %u\n", DetectEngineGetMaxSigId(de_ctx), DetectEngineGetMaxSigId(de_ctx) / 8 + 1); printf("* Signature group heads: unique %u, copies %u.\n", 
de_ctx->gh_unique, de_ctx->gh_reuse); printf("* MPM instances: %u unique, copies %u (none %u).\n", de_ctx->mpm_unique, de_ctx->mpm_reuse, de_ctx->mpm_none); @@ -2028,8 +2015,6 @@ error: } int SigAddressCleanupStage1(DetectEngineCtx *de_ctx) { - DetectAddressGroup *gr = NULL; - if (!(de_ctx->flags & DE_QUIET)) { printf("* Cleaning up signature grouping structure, stage 1...\n"); } @@ -2040,6 +2025,7 @@ int SigAddressCleanupStage1(DetectEngineCtx *de_ctx) { de_ctx->src_gh[i] = NULL; } DetectAddressGroupsHeadFree(de_ctx->io_src_gh); + de_ctx->io_src_gh = NULL; if (!(de_ctx->flags & DE_QUIET)) { printf("* Cleaning up signature grouping structure, stage 1... done\n"); @@ -2067,7 +2053,7 @@ void DbgPrintSigs2(SigGroupHead *sgh) { } u_int32_t sig; - for (sig = 0; sig < SigGetMaxId(); sig++) { + for (sig = 0; sig < DetectEngineGetMaxSigId(g_de_ctx); sig++) { if (sgh->sig_array[(sig/8)] & (1<<(sig%8))) { printf("%u ", g_de_ctx->sig_array[sig]->id); } @@ -2357,7 +2343,7 @@ int SigGroupBuild (DetectEngineCtx *de_ctx) { SigAddressPrepareStage2(de_ctx); SigAddressPrepareStage3(de_ctx); //SigAddressPrepareStage5(); - DbgPrintScanSearchStats(); +// DbgPrintScanSearchStats(); // DetectAddressGroupPrintMemory(); // DetectSigGroupPrintMemory(); // DetectPortPrintMemory(); @@ -2465,7 +2451,7 @@ int SigTest01 (void) { g_de_ctx->flags |= DE_QUIET; - g_de_ctx->sig_list = SigInit("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; sid:1;)"); + g_de_ctx->sig_list = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; sid:1;)"); if (g_de_ctx->sig_list == NULL) { result = 0; goto end; 
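Review bot: The rewritten stats printf in the @@ -1981 hunk still computes `de_ctx->mpm_memory_size / de_ctx->mpm_unique` with no check for zero. `mpm_unique` stays 0 when every group head takes the `mpm_none` branch (see the @@ -1387 and @@ -1785 hunks), for example with a ruleset that has no content patterns, and integer division by zero is undefined behaviour. Suggest `de_ctx->mpm_unique ? de_ctx->mpm_memory_size / de_ctx->mpm_unique : 0`. The same call passes `(...) * sizeof(MpmCtx)`, which is a `size_t`, to `%u`; cast it or use `%zu`. The hunk starts inside SigAddressPrepareStage3.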
@@ -2473,7 +2459,7 @@ int SigTest01 (void) { SigGroupBuild(g_de_ctx); PatternMatchPrepare(mpm_ctx); - PatternMatcherThreadInit(&th_v, (void *)&pmt); + PatternMatcherThreadInit(&th_v, (void *)g_de_ctx, (void *)&pmt); SigMatchSignatures(&th_v, pmt, &p); if (PacketAlertCheck(&p, 1) == 0) { @@ -2531,7 +2517,7 @@ int SigTest02 (void) { g_de_ctx->flags |= DE_QUIET; - g_de_ctx->sig_list = SigInit("alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:41; sid:1;)"); + g_de_ctx->sig_list = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:41; sid:1;)"); if (g_de_ctx->sig_list == NULL) { result = 0; goto end; @@ -2539,7 +2525,7 @@ int SigTest02 (void) { SigGroupBuild(g_de_ctx); PatternMatchPrepare(mpm_ctx); - PatternMatcherThreadInit(&th_v, (void *)&pmt); + PatternMatcherThreadInit(&th_v, (void *)g_de_ctx, (void *)&pmt); SigMatchSignatures(&th_v, pmt, &p); if (PacketAlertCheck(&p, 1)) @@ -2584,7 +2570,7 @@ int SigTest03 (void) { g_de_ctx->flags |= DE_QUIET; - g_de_ctx->sig_list = SigInit("alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:40; sid:1;)"); + g_de_ctx->sig_list = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:40; sid:1;)"); if (g_de_ctx->sig_list == NULL) { result = 0; goto end; @@ -2592,7 +2578,7 @@ int SigTest03 (void) { SigGroupBuild(g_de_ctx); PatternMatchPrepare(mpm_ctx); - PatternMatcherThreadInit(&th_v, (void *)&pmt); + PatternMatcherThreadInit(&th_v, (void *)g_de_ctx, (void *)&pmt); SigMatchSignatures(&th_v, pmt, &p); if (!PacketAlertCheck(&p, 1)) 
@@ -2638,7 +2624,7 @@ int SigTest04 (void) { g_de_ctx->flags |= DE_QUIET; - g_de_ctx->sig_list = SigInit("alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:47; within:52; sid:1;)"); + g_de_ctx->sig_list = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:47; within:52; sid:1;)"); if (g_de_ctx->sig_list == NULL) { result = 0; goto end; @@ -2646,7 +2632,7 @@ int SigTest04 (void) { SigGroupBuild(g_de_ctx); PatternMatchPrepare(mpm_ctx); - PatternMatcherThreadInit(&th_v, (void *)&pmt); + PatternMatcherThreadInit(&th_v, (void *)g_de_ctx, (void *)&pmt); SigMatchSignatures(&th_v, pmt, &p); if (PacketAlertCheck(&p, 1)) @@ -2691,7 +2677,7 @@ int SigTest05 (void) { g_de_ctx->flags |= DE_QUIET; - g_de_ctx->sig_list = SigInit("alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:48; within:52; sid:1;)"); + g_de_ctx->sig_list = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:48; within:52; sid:1;)"); if (g_de_ctx->sig_list == NULL) { result = 0; goto end; @@ -2699,7 +2685,7 @@ int SigTest05 (void) { SigGroupBuild(g_de_ctx); PatternMatchPrepare(mpm_ctx); - PatternMatcherThreadInit(&th_v, (void *)&pmt); + PatternMatcherThreadInit(&th_v, (void *)g_de_ctx, (void *)&pmt); SigMatchSignatures(&th_v, pmt, &p); if (!PacketAlertCheck(&p, 1)) 
@@ -2744,12 +2730,12 @@ int SigTest06 (void) { g_de_ctx->flags |= DE_QUIET; - g_de_ctx->sig_list = SigInit("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; sid:1;)"); + g_de_ctx->sig_list = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; sid:1;)"); if (g_de_ctx->sig_list == NULL) { result = 0; goto end; } - g_de_ctx->sig_list->next = SigInit("alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)"); + g_de_ctx->sig_list->next = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)"); if (g_de_ctx->sig_list->next == NULL) { result = 0; goto end; @@ -2757,7 +2743,7 @@ int SigTest06 (void) { SigGroupBuild(g_de_ctx); PatternMatchPrepare(mpm_ctx); - PatternMatcherThreadInit(&th_v, (void *)&pmt); + PatternMatcherThreadInit(&th_v, (void *)g_de_ctx, (void *)&pmt); SigMatchSignatures(&th_v, pmt, &p); if (PacketAlertCheck(&p, 1) && PacketAlertCheck(&p, 2)) @@ -2806,12 +2792,12 @@ int SigTest07 (void) { g_de_ctx->flags |= DE_QUIET; - g_de_ctx->sig_list = SigInit("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; sid:1;)"); + g_de_ctx->sig_list = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; sid:1;)"); if (g_de_ctx->sig_list == NULL) { result = 0; goto end; } - g_de_ctx->sig_list->next = SigInit("alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"three\"; sid:2;)"); + g_de_ctx->sig_list->next = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"three\"; sid:2;)"); if (g_de_ctx->sig_list->next == NULL) { result = 0; goto end; 
@@ -2819,7 +2805,7 @@ int SigTest07 (void) { SigGroupBuild(g_de_ctx); PatternMatchPrepare(mpm_ctx); - PatternMatcherThreadInit(&th_v, (void *)&pmt); + PatternMatcherThreadInit(&th_v, (void *)g_de_ctx,(void *)&pmt); SigMatchSignatures(&th_v, pmt, &p); if (PacketAlertCheck(&p, 1) && PacketAlertCheck(&p, 2)) @@ -2866,12 +2852,12 @@ int SigTest08 (void) { g_de_ctx->flags |= DE_QUIET; - g_de_ctx->sig_list = SigInit("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)"); + g_de_ctx->sig_list = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)"); if (g_de_ctx->sig_list == NULL) { result = 0; goto end; } - g_de_ctx->sig_list->next = SigInit("alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"one\"; sid:2;)"); + g_de_ctx->sig_list->next = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"one\"; sid:2;)"); if (g_de_ctx->sig_list->next == NULL) { result = 0; goto end; @@ -2879,7 +2865,7 @@ int SigTest08 (void) { SigGroupBuild(g_de_ctx); PatternMatchPrepare(mpm_ctx); - PatternMatcherThreadInit(&th_v, (void *)&pmt); + PatternMatcherThreadInit(&th_v, (void *)g_de_ctx,(void *)&pmt); SigMatchSignatures(&th_v, pmt, &p); if (PacketAlertCheck(&p, 1) && PacketAlertCheck(&p, 2)) 
@@ -2928,12 +2914,12 @@ int SigTest09 (void) { g_de_ctx->flags |= DE_QUIET; - g_de_ctx->sig_list = SigInit("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)"); + g_de_ctx->sig_list = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)"); if (g_de_ctx->sig_list == NULL) { result = 0; goto end; } - g_de_ctx->sig_list->next = SigInit("alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)"); + g_de_ctx->sig_list->next = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)"); if (g_de_ctx->sig_list->next == NULL) { result = 0; goto end; @@ -2941,7 +2927,7 @@ int SigTest09 (void) { SigGroupBuild(g_de_ctx); PatternMatchPrepare(mpm_ctx); - PatternMatcherThreadInit(&th_v, (void *)&pmt); + PatternMatcherThreadInit(&th_v, (void *)g_de_ctx,(void *)&pmt); SigMatchSignatures(&th_v, pmt, &p); if (PacketAlertCheck(&p, 1) && PacketAlertCheck(&p, 2)) @@ -2982,12 +2968,12 @@ int SigTest10 (void) { g_de_ctx->flags |= DE_QUIET; - g_de_ctx->sig_list = SigInit("alert tcp any any -> any any (msg:\"Long content test (1)\"; content:\"ABCD\"; depth:4; sid:1;)"); + g_de_ctx->sig_list = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"Long content test (1)\"; content:\"ABCD\"; depth:4; sid:1;)"); if (g_de_ctx->sig_list == NULL) { result = 0; goto end; } - g_de_ctx->sig_list->next = SigInit("alert tcp any any -> any any (msg:\"Long content test (2)\"; content:\"VWXYZ\"; sid:2;)"); + g_de_ctx->sig_list->next = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"Long content test (2)\"; content:\"VWXYZ\"; sid:2;)"); if (g_de_ctx->sig_list->next == NULL) { result = 0; goto end; 
@@ -2995,7 +2981,7 @@ int SigTest10 (void) { SigGroupBuild(g_de_ctx); PatternMatchPrepare(mpm_ctx); - PatternMatcherThreadInit(&th_v, (void *)&pmt); + PatternMatcherThreadInit(&th_v, (void *)g_de_ctx,(void *)&pmt); SigMatchSignatures(&th_v, pmt, &p); if (PacketAlertCheck(&p, 1) && PacketAlertCheck(&p, 2)) @@ -3036,12 +3022,12 @@ int SigTest11 (void) { g_de_ctx->flags |= DE_QUIET; - g_de_ctx->sig_list = SigInit("alert tcp any any -> any any (msg:\"Scan vs Search (1)\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)"); + g_de_ctx->sig_list = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"Scan vs Search (1)\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)"); if (g_de_ctx->sig_list == NULL) { result = 0; goto end; } - g_de_ctx->sig_list->next = SigInit("alert tcp any any -> any any (msg:\"Scan vs Search (2)\"; content:\"VWXYZabcde\"; content:\"5678\"; content:\"89\"; sid:2;)"); + g_de_ctx->sig_list->next = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"Scan vs Search (2)\"; content:\"VWXYZabcde\"; content:\"5678\"; content:\"89\"; sid:2;)"); if (g_de_ctx->sig_list->next == NULL) { result = 0; goto end; @@ -3049,7 +3035,7 @@ int SigTest11 (void) { SigGroupBuild(g_de_ctx); PatternMatchPrepare(mpm_ctx); - PatternMatcherThreadInit(&th_v, (void *)&pmt); + PatternMatcherThreadInit(&th_v, (void *)g_de_ctx,(void *)&pmt); SigMatchSignatures(&th_v, pmt, &p); if (PacketAlertCheck(&p, 1) && PacketAlertCheck(&p, 2)) @@ -3090,7 +3076,7 @@ int SigTest12 (void) { g_de_ctx->flags |= DE_QUIET; - g_de_ctx->sig_list = SigInit("alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)"); + g_de_ctx->sig_list = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)"); if (g_de_ctx->sig_list == NULL) { result = 0; goto end; 
@@ -3098,7 +3084,7 @@ int SigTest12 (void) { SigGroupBuild(g_de_ctx); PatternMatchPrepare(mpm_ctx); - PatternMatcherThreadInit(&th_v, (void *)&pmt); + PatternMatcherThreadInit(&th_v, (void *)g_de_ctx,(void *)&pmt); SigMatchSignatures(&th_v, pmt, &p); if (PacketAlertCheck(&p, 1)) @@ -3139,7 +3125,7 @@ int SigTest13 (void) { g_de_ctx->flags |= DE_QUIET; - g_de_ctx->sig_list = SigInit("alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; sid:1;)"); + g_de_ctx->sig_list = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; sid:1;)"); if (g_de_ctx->sig_list == NULL) { result = 0; goto end; @@ -3147,7 +3133,7 @@ int SigTest13 (void) { SigGroupBuild(g_de_ctx); PatternMatchPrepare(mpm_ctx); - PatternMatcherThreadInit(&th_v, (void *)&pmt); + PatternMatcherThreadInit(&th_v, (void *)g_de_ctx,(void *)&pmt); SigMatchSignatures(&th_v, pmt, &p); if (PacketAlertCheck(&p, 1)) @@ -3188,7 +3174,7 @@ int SigTest14 (void) { g_de_ctx->flags |= DE_QUIET; - g_de_ctx->sig_list = SigInit("alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; distance:0; sid:1;)"); + g_de_ctx->sig_list = SigInit(g_de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; distance:0; sid:1;)"); if (g_de_ctx->sig_list == NULL) { result = 0; goto end; @@ -3196,7 +3182,7 @@ int SigTest14 (void) { SigGroupBuild(g_de_ctx); PatternMatchPrepare(mpm_ctx); - PatternMatcherThreadInit(&th_v, (void *)&pmt); + PatternMatcherThreadInit(&th_v, (void *)g_de_ctx,(void *)&pmt); SigMatchSignatures(&th_v, pmt, &p); if (PacketAlertCheck(&p, 1)) 
@@ -3238,7 +3224,7 @@ int SigTest15 (void) { g_de_ctx->flags |= DE_QUIET; - g_de_ctx->sig_list = SigInit("alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; classtype:misc-activity; sid:2008284; rev:2;)"); + g_de_ctx->sig_list = SigInit(g_de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; classtype:misc-activity; sid:2008284; rev:2;)"); if (g_de_ctx->sig_list == NULL) { result = 0; goto end; @@ -3246,7 +3232,7 @@ int SigTest15 (void) { SigGroupBuild(g_de_ctx); PatternMatchPrepare(mpm_ctx); - PatternMatcherThreadInit(&th_v, (void *)&pmt); + PatternMatcherThreadInit(&th_v, (void *)g_de_ctx,(void *)&pmt); SigMatchSignatures(&th_v, pmt, &p); if (PacketAlertCheck(&p, 2008284)) @@ -3288,14 +3274,14 @@ int SigTest16 (void) { g_de_ctx->flags |= DE_QUIET; - g_de_ctx->sig_list = SigInit("alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; classtype:misc-activity; sid:2008284; rev:2;)"); + g_de_ctx->sig_list = SigInit(g_de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; classtype:misc-activity; sid:2008284; rev:2;)"); if (g_de_ctx->sig_list == NULL) { goto end; } SigGroupBuild(g_de_ctx); PatternMatchPrepare(mpm_ctx); - PatternMatcherThreadInit(&th_v, (void *)&pmt); + PatternMatcherThreadInit(&th_v, (void *)g_de_ctx,(void *)&pmt); SigMatchSignatures(&th_v, pmt, &p); if (PacketAlertCheck(&p, 2008284)) 
@@ -3342,7 +3328,7 @@ int SigTest17 (void) { g_de_ctx->flags |= DE_QUIET; - g_de_ctx->sig_list = SigInit("alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P.*)\\r\\n/m\"; noalert; sid:1;)"); + g_de_ctx->sig_list = SigInit(g_de_ctx,"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P.*)\\r\\n/m\"; noalert; sid:1;)"); if (g_de_ctx->sig_list == NULL) { result = 0; goto end; @@ -3350,7 +3336,7 @@ int SigTest17 (void) { SigGroupBuild(g_de_ctx); PatternMatchPrepare(mpm_ctx); - PatternMatcherThreadInit(&th_v, (void *)&pmt); + PatternMatcherThreadInit(&th_v, (void *)g_de_ctx,(void *)&pmt); SigMatchSignatures(&th_v, pmt, &p); PktVar *pv_hn = PktVarGet(&p, "http_host"); @@ -3402,7 +3388,7 @@ int SigTest18 (void) { g_de_ctx->flags |= DE_QUIET; - g_de_ctx->sig_list = SigInit("alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; classtype:non-standard-protocol; sid:2003055; rev:4;)"); + g_de_ctx->sig_list = SigInit(g_de_ctx,"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; classtype:non-standard-protocol; sid:2003055; rev:4;)"); if (g_de_ctx->sig_list == NULL) { result = 0; goto end; @@ -3410,7 +3396,7 @@ int SigTest18 (void) { SigGroupBuild(g_de_ctx); PatternMatchPrepare(mpm_ctx); - PatternMatcherThreadInit(&th_v, (void *)&pmt); + PatternMatcherThreadInit(&th_v, (void *)g_de_ctx,(void *)&pmt); SigMatchSignatures(&th_v, pmt, &p); if (!PacketAlertCheck(&p, 2003055)) diff --git a/src/detect.h b/src/detect.h index e92547b0c8..04ebcd6013 100644 --- a/src/detect.h +++ b/src/detect.h 
@@ -2,11 +2,110 @@ #define __DETECT_H__ #include "detect-engine-proto.h" -#include "detect-engine-port.h" -#include "detect-engine-address.h" -#include "detect-content.h" -#include "detect-uricontent.h" +#include "util-hash.h" +#include "util-hashlist.h" + +/* + * DETECT ADDRESS + */ + +/* a is ... than b */ +enum { + ADDRESS_ER = -1, /* error e.g. compare ipv4 and ipv6 */ + ADDRESS_LT, /* smaller [aaa] [bbb] */ + ADDRESS_LE, /* smaller with overlap [aa[bab]bb] */ + ADDRESS_EQ, /* exactly equal [abababab] */ + ADDRESS_ES, /* within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]] */ + ADDRESS_EB, /* completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]] */ + ADDRESS_GE, /* bigger with overlap [bb[aba]aa] */ + ADDRESS_GT, /* bigger [bbb] [aaa] */ +}; + +#define ADDRESS_FLAG_ANY 0x1 +#define ADDRESS_FLAG_NOT 0x2 + +#define ADDRESS_GROUP_SIGGROUPHEAD_COPY 0x01 +#define ADDRESS_GROUP_PORTS_COPY 0x02 +#define ADDRESS_GROUP_PORTS_NOTUNIQ 0x04 + +typedef struct DetectAddressData_ { + /* XXX convert to use a Address datatype to replace family, ip,ip2*/ + u_int8_t family; + u_int32_t ip[4]; + u_int32_t ip2[4]; + u_int8_t flags; +} DetectAddressData; + +typedef struct DetectAddressGroup_ { + /* address data for this group */ + DetectAddressData *ad; + + /* XXX ptr to rules, or PortGroup or whatever */ + struct DetectAddressGroupsHead_ *dst_gh; + struct DetectPort_ *port; + + /* signatures that belong in this group */ + struct _SigGroupHead *sh; + u_int8_t flags; + + /* double linked list */ + struct DetectAddressGroup_ *prev; + struct DetectAddressGroup_ *next; + + u_int32_t cnt; +} DetectAddressGroup; + +typedef struct DetectAddressGroupsHead_ { + DetectAddressGroup *any_head; + DetectAddressGroup *ipv4_head; + DetectAddressGroup *ipv6_head; +} DetectAddressGroupsHead; + +/* + * DETECT PORT + */ + +/* a is ... than b */ +enum { + PORT_ER = -1, /* error e.g. 
compare ipv4 and ipv6 */ + PORT_LT, /* smaller [aaa] [bbb] */ + PORT_LE, /* smaller with overlap [aa[bab]bb] */ + PORT_EQ, /* exactly equal [abababab] */ + PORT_ES, /* within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]] */ + PORT_EB, /* completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]] */ + PORT_GE, /* bigger with overlap [bb[aba]aa] */ + PORT_GT, /* bigger [bbb] [aaa] */ +}; + +#define PORT_FLAG_ANY 0x1 +#define PORT_FLAG_NOT 0x2 + +#define PORT_SIGGROUPHEAD_COPY 0x04 +#define PORT_GROUP_PORTS_COPY 0x08 + +typedef struct DetectPort_ { + u_int8_t flags; + + u_int16_t port; + u_int16_t port2; + + /* signatures that belong in this group */ + struct _SigGroupHead *sh; + + struct DetectPort_ *dst_ph; + + /* double linked list */ + union { + struct DetectPort_ *prev; + struct DetectPort_ *hnext; /* hash next */ + }; + struct DetectPort_ *next; + + u_int32_t cnt; +} DetectPort; + + /* Signature flags */ #define SIG_FLAG_RECURSIVE 0x0001 /* recurive capturing enabled */ @@ -35,9 +134,7 @@ typedef struct _PatternMatcherThread { /* pointer to the current mpm ctx that is stored * in a rule group head -- can be either a content * or uricontent ctx. */ - MpmCtx *mc; /* content */ - MpmCtx *mcu; /* uricontent */ - MpmThreadCtx mtc; + MpmThreadCtx mtc; /* thread ctx for the mpm */ MpmThreadCtx mtcu; struct _SigGroupHead *sgh; PatternMatcherQueue pmq; 
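Review bot: In `DetectPort`, `prev` and `hnext` share storage through the anonymous union, so a port that is linked into a hash chain no longer has a valid back link for the doubly linked list, and nothing in the struct says which phase uses which member. If that is the intent, a comment above the union such as `/* prev: list back link; hnext: hash chain link while the port is in a hash table; never both at once */` would make the constraint explicit. Anonymous unions also need C11 or the GNU extension, which is worth confirming against the project's compiler flags. Separately, the `PORT_ER` comment still reads `compare ipv4 and ipv6`, apparently copied from the address enum.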
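Review bot: The block comment kept above `MpmThreadCtx mtc` still describes a "pointer to the current mpm ctx that is stored in a rule group head", but the two pointers it referred to (`mc`, `mcu`) are removed by this hunk. It should be dropped or reworded to match what remains, for example `/* per-thread mpm state; the names suggest mtc is for content and mtcu for uricontent */` once that reading is confirmed. The struct begins and ends outside the hunk.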
@@ -83,28 +180,10 @@ typedef struct _Signature { DetectProto proto; DetectPort *sp, *dp; - //u_int32_t rulegroup_refcnt; struct _SigMatch *match; struct _Signature *next; } Signature; -typedef struct _SigMatch { - u_int8_t type; - void *ctx; - struct _SigMatch *prev; - struct _SigMatch *next; -} SigMatch; - -typedef struct SigTableElmt { - char *name; - u_int8_t cost; /* 0 hardly any, 255 very expensive */ - int (*Match)(ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *); - int (*Setup)(Signature *, SigMatch *, char *); - int (*Free)(SigMatch *); - void (*RegisterTests)(void); - u_int8_t flags; -} SigTableElmt; - typedef struct DetectEngineCtx_ { u_int8_t flags; @@ -115,6 +194,8 @@ typedef struct DetectEngineCtx_ { u_int32_t sig_array_size; /* size in bytes */ u_int32_t sig_array_len; /* size in array members */ + u_int32_t signum; + /* ip only sigs: we only add 'alert ip' without * an ip_proto setting here, so no need to look * at the proto */ 
@@ -122,60 +203,55 @@ typedef struct DetectEngineCtx_ { DetectAddressGroupsHead *io_tmp_gh; /* main sigs */ - DetectAddressGroupsHead *src_gh[256]; + DetectAddressGroupsHead *src_gh[256]; /* a head for each protocol */ DetectAddressGroupsHead *tmp_gh[256]; u_int32_t mpm_unique, mpm_reuse, mpm_none, mpm_uri_unique, mpm_uri_reuse, mpm_uri_none; u_int32_t gh_unique, gh_reuse; - u_int32_t mpm_max_patcnt, - mpm_min_patcnt, - mpm_tot_patcnt, - mpm_uri_max_patcnt, - mpm_uri_min_patcnt, - mpm_uri_tot_patcnt; + u_int32_t mpm_max_patcnt, mpm_min_patcnt, mpm_tot_patcnt, + mpm_uri_max_patcnt, mpm_uri_min_patcnt, mpm_uri_tot_patcnt; -} DetectEngineCtx; -/* -typedef struct SignatureTuple_ { - DetectAddressGroup *src; - DetectAddressGroup *dst; - DetectPort *sp; - DetectPort *dp; - u_int8_t proto; + /* content and uricontent vars */ + u_int32_t content_max_id; + u_int32_t uricontent_max_id; - struct _SigGroupHead *sgh; + /* init phase vars */ + HashListTable *sgh_hash_table; - struct SignatureTuple_ *hnext; - struct SignatureTuple_ *next; + HashListTable *sgh_mpm_hash_table; + HashListTable *sgh_mpm_uri_hash_table; - u_int32_t cnt; -} SignatureTuple; -*/ -/* container for content matches... we use this to compare - * group heads for contents - * XXX name */ -typedef struct _SigGroupContent { - DetectContentData *content; - struct _SigGroupContent *next; -} SigGroupContent; - -/* container for content matches... 
we use this to compare - * group heads for contents - * XXX name */ -typedef struct _SigGroupUricontent { - DetectUricontentData *content; - struct _SigGroupUricontent *next; -} SigGroupUricontent; + HashListTable *sgh_sport_hash_table; + HashListTable *sgh_dport_hash_table; -#define SIG_GROUP_HAVECONTENT 0x1 -#define SIG_GROUP_HAVEURICONTENT 0x2 + HashListTable *sport_hash_table; + HashListTable *dport_hash_table; + + /* memory counters */ + u_int32_t mpm_memory_size; +} DetectEngineCtx; -/* XXX rename */ -//#define SIG_GROUP_INITIALIZED 0x4 -//#define SIG_GROUP_COPY 0x8 +typedef struct _SigMatch { + u_int8_t type; + void *ctx; + struct _SigMatch *prev; + struct _SigMatch *next; +} SigMatch; + +typedef struct SigTableElmt { + char *name; + u_int8_t cost; /* 0 hardly any, 255 very expensive */ + int (*Match)(ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *); + int (*Setup)(DetectEngineCtx *, Signature *, SigMatch *, char *); + int (*Free)(SigMatch *); + void (*RegisterTests)(void); + u_int8_t flags; +} SigTableElmt; +#define SIG_GROUP_HAVECONTENT 0x1 +#define SIG_GROUP_HAVEURICONTENT 0x2 #define SIG_GROUP_HEAD_MPM_COPY 0x4 #define SIG_GROUP_HEAD_MPM_URI_COPY 0x8 #define SIG_GROUP_HEAD_FREE 0x10 @@ -270,5 +346,11 @@ void TmModuleDetectRegister (void); int SigGroupBuild(DetectEngineCtx *); int SigGroupCleanup(); +/* + * XXX globals, remove + */ + +DetectEngineCtx *g_de_ctx; + #endif /* __DETECT_H__ */ diff --git a/src/log-httplog.c b/src/log-httplog.c index 742dbafab6..9d6e1ca213 100644 --- a/src/log-httplog.c +++ b/src/log-httplog.c 
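Review bot: `DetectEngineCtx *g_de_ctx;` at the end of detect.h is a definition rather than a declaration, so every translation unit that includes the header gets its own tentative definition. Toolchains that build with `-fno-common` (the default in recent GCC releases) reject that at link time as a multiple definition, and with common symbols the merge is silent and easy to break. The header should carry `extern DetectEngineCtx *g_de_ctx;` and exactly one .c file should hold the definition. The tests in this commit pass `g_de_ctx` as the init data of the detect thread, so there should be no doubt that all callers see the same object.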
@@ -31,7 +31,7 @@ int LogHttplog (ThreadVars *, Packet *, void *, PacketQueue *); int LogHttplogIPv4(ThreadVars *, Packet *, void *, PacketQueue *); int LogHttplogIPv6(ThreadVars *, Packet *, void *, PacketQueue *); -int LogHttplogThreadInit(ThreadVars *, void **); +int LogHttplogThreadInit(ThreadVars *, void *, void **); int LogHttplogThreadDeinit(ThreadVars *, void *); void LogHttplogExitPrintStats(ThreadVars *, void *); @@ -172,7 +172,7 @@ int LogHttplog (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) return 0; } -int LogHttplogThreadInit(ThreadVars *t, void **data) +int LogHttplogThreadInit(ThreadVars *t, void *initdata, void **data) { LogHttplogThread *aft = malloc(sizeof(LogHttplogThread)); if (aft == NULL) { diff --git a/src/source-nfq.c b/src/source-nfq.c index 96dfb41cfe..992157b3b3 100644 --- a/src/source-nfq.c +++ b/src/source-nfq.c @@ -30,11 +30,11 @@ static pthread_mutex_t nfq_init_lock; int ReceiveNFQ(ThreadVars *, Packet *, void *, PacketQueue *); -int ReceiveNFQThreadInit(ThreadVars *, void **); +int ReceiveNFQThreadInit(ThreadVars *, void *, void **); void ReceiveNFQThreadExitStats(ThreadVars *, void *); int VerdictNFQ(ThreadVars *, Packet *, void *, PacketQueue *); -int VerdictNFQThreadInit(ThreadVars *, void **); +int VerdictNFQThreadInit(ThreadVars *, void *, void **); void VerdictNFQThreadExitStats(ThreadVars *, void *); int VerdictNFQThreadDeinit(ThreadVars *, void *); @@ -231,7 +231,7 @@ int NFQInitThread(NFQThreadVars *nfq_t, u_int16_t queue_num, u_int32_t queue_max return 0; } -int ReceiveNFQThreadInit(ThreadVars *tv, void **data) { +int ReceiveNFQThreadInit(ThreadVars *tv, void *initdata, void **data) { mutex_lock(&nfq_init_lock); printf("ReceiveNFQThreadInit: starting... will bind to queuenum %u\n", receive_queue_num); 
@@ -255,7 +255,7 @@ int ReceiveNFQThreadInit(ThreadVars *tv, void **data) { return 0; } -int VerdictNFQThreadInit(ThreadVars *tv, void **data) { +int VerdictNFQThreadInit(ThreadVars *tv, void *initdata, void **data) { mutex_lock(&nfq_init_lock); printf("VerdictNFQThreadInit: starting... will bind to queuenum %u\n", verdict_queue_num); diff --git a/src/tm-modules.h b/src/tm-modules.h index 99de4c7a44..ae527411d9 100644 --- a/src/tm-modules.h +++ b/src/tm-modules.h @@ -3,7 +3,7 @@ typedef struct _TmModule { char *name; - int (*Init)(ThreadVars *, void **); + int (*Init)(ThreadVars *, void *, void **); int (*Func)(ThreadVars *, Packet *, void *, PacketQueue *); void (*ExitPrintStats)(ThreadVars *, void *); int (*Deinit)(ThreadVars *, void *); diff --git a/src/tm-threads.c b/src/tm-threads.c index 513dd038ba..98ca1801bb 100644 --- a/src/tm-threads.c +++ b/src/tm-threads.c @@ -21,12 +21,13 @@ static ThreadVars *tv_root; typedef struct _TmSlot { /* function pointers */ - int (*SlotInit)(ThreadVars *, void **); + int (*SlotInit)(ThreadVars *, void *, void **); int (*SlotFunc)(ThreadVars *, Packet *, void *, PacketQueue *); void (*SlotExitPrintStats)(ThreadVars *, void *); int (*SlotDeinit)(ThreadVars *, void *); /* data storage */ + void *slot_initdata; void *slot_data; PacketQueue slot_pq; @@ -67,7 +68,7 @@ void *TmThreadsSlot1NoIn(void *td) { SetCPUAffinity(tv->cpu_affinity); if (s->s.SlotInit != NULL) { - r = s->s.SlotInit(tv, &s->s.slot_data); + r = s->s.SlotInit(tv, s->s.slot_initdata, &s->s.slot_data); if (r != 0) { pthread_exit((void *) -1); } @@ -114,7 +115,7 @@ void *TmThreadsSlot1NoOut(void *td) { SetCPUAffinity(tv->cpu_affinity); if (s->s.SlotInit != NULL) { - r = s->s.SlotInit(tv, &s->s.slot_data); + r = s->s.SlotInit(tv, s->s.slot_initdata, &s->s.slot_data); if (r != 0) { pthread_exit((void *) -1); } 
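Review bot: `slot_initdata` is added to `TmSlot` without saying who owns it: the `Tm*SlotSetFunc*` setters later in this diff store the caller's pointer as is, and it is only handed to `SlotInit` afterwards, from the slot's own thread. That makes the pointer's lifetime part of the API contract, since a caller that passes the address of a local would leave the thread with a dangling pointer. A comment on the field would record it, e.g. `void *slot_initdata; /* borrowed; must stay valid until SlotInit has run */`; whether the slot ever frees it should be confirmed against the teardown code, which is outside these hunks.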
@@ -157,7 +158,7 @@ void *TmThreadsSlot1NoInOut(void *td) { //printf("TmThreadsSlot1NoInOut: %s starting\n", tv->name); if (s->s.SlotInit != NULL) { - r = s->s.SlotInit(tv, &s->s.slot_data); + r = s->s.SlotInit(tv, s->s.slot_initdata, &s->s.slot_data); if (r != 0) { pthread_exit((void *) -1); } @@ -203,7 +204,7 @@ void *TmThreadsSlot1(void *td) { //printf("TmThreadsSlot1: %s starting\n", tv->name); if (s->s.SlotInit != NULL) { - r = s->s.SlotInit(tv, &s->s.slot_data); + r = s->s.SlotInit(tv, s->s.slot_initdata, &s->s.slot_data); if (r != 0) { pthread_exit((void *) -1); } @@ -265,13 +266,13 @@ void *TmThreadsSlot2(void *td) { //printf("TmThreadsSlot2: %s starting\n", tv->name); if (s->s1.SlotInit != NULL) { - r = s->s1.SlotInit(tv, &s->s1.slot_data); + r = s->s1.SlotInit(tv, s->s1.slot_initdata, &s->s1.slot_data); if (r != 0) { pthread_exit((void *) -1); } } if (s->s2.SlotInit != NULL) { - r = s->s2.SlotInit(tv, &s->s2.slot_data); + r = s->s2.SlotInit(tv, s->s2.slot_initdata, &s->s2.slot_data); if (r != 0) { pthread_exit((void *) -1); } @@ -356,19 +357,19 @@ void *TmThreadsSlot3(void *td) { //printf("TmThreadsSlot3: %s starting\n", tv->name); if (s->s1.SlotInit != NULL) { - r = s->s1.SlotInit(tv, &s->s1.slot_data); + r = s->s1.SlotInit(tv, s->s1.slot_initdata, &s->s1.slot_data); if (r != 0) { pthread_exit((void *) -1); } } if (s->s2.SlotInit != NULL) { - r = s->s2.SlotInit(tv, &s->s2.slot_data); + r = s->s2.SlotInit(tv, s->s2.slot_initdata, &s->s2.slot_data); if (r != 0) { pthread_exit((void *) -1); } } if (s->s3.SlotInit != NULL) { - r = s->s3.SlotInit(tv, &s->s3.slot_data); + r = s->s3.SlotInit(tv, s->s3.slot_initdata, &s->s3.slot_data); if (r != 0) { pthread_exit((void *) -1); } 
@@ -516,7 +517,7 @@ void *TmThreadsSlotVar(void *td) { for (slot = s->s; slot != NULL; slot = slot->slot_next) { if (slot->SlotInit != NULL) { - r = slot->SlotInit(tv, &slot->slot_data); + r = slot->SlotInit(tv, slot->slot_initdata, &slot->slot_data); if (r != 0) { pthread_exit((void *) -1); } @@ -596,7 +597,7 @@ error: return -1; } -void Tm1SlotSetFunc(ThreadVars *tv, TmModule *tm) { +void Tm1SlotSetFunc(ThreadVars *tv, TmModule *tm, void *data) { Tm1Slot *s1 = (Tm1Slot *)tv->tm_slots; if (s1->s.SlotFunc != NULL) @@ -604,12 +605,13 @@ void Tm1SlotSetFunc(ThreadVars *tv, TmModule *tm) { "overwriting with %p\n", s1->s.SlotFunc, tm->Func); s1->s.SlotInit = tm->Init; + s1->s.slot_initdata = data; s1->s.SlotFunc = tm->Func; s1->s.SlotExitPrintStats = tm->ExitPrintStats; s1->s.SlotDeinit = tm->Deinit; } -void Tm2SlotSetFunc1(ThreadVars *tv, TmModule *tm) { +void Tm2SlotSetFunc1(ThreadVars *tv, TmModule *tm, void *data) { Tm2Slot *s = (Tm2Slot *)tv->tm_slots; if (s->s1.SlotFunc != NULL) @@ -617,12 +619,13 @@ void Tm2SlotSetFunc1(ThreadVars *tv, TmModule *tm) { "overwriting with %p\n", s->s1.SlotFunc, tm->Func); s->s1.SlotInit = tm->Init; + s->s1.slot_initdata = data; s->s1.SlotFunc = tm->Func; s->s1.SlotExitPrintStats = tm->ExitPrintStats; s->s1.SlotDeinit = tm->Deinit; } -void Tm2SlotSetFunc2(ThreadVars *tv, TmModule *tm) { +void Tm2SlotSetFunc2(ThreadVars *tv, TmModule *tm, void *data) { Tm2Slot *s = (Tm2Slot *)tv->tm_slots; if (s->s2.SlotFunc != NULL) @@ -630,12 +633,13 @@ void Tm2SlotSetFunc2(ThreadVars *tv, TmModule *tm) { "overwriting with %p\n", s->s2.SlotFunc, tm->Func); s->s2.SlotInit = tm->Init; + s->s2.slot_initdata = data; s->s2.SlotFunc = tm->Func; s->s2.SlotExitPrintStats = tm->ExitPrintStats; s->s2.SlotDeinit = tm->Deinit; } -void Tm3SlotSetFunc1(ThreadVars *tv, TmModule *tm) { +void Tm3SlotSetFunc1(ThreadVars *tv, TmModule *tm, void *data) { Tm3Slot *s = (Tm3Slot *)tv->tm_slots; if (s->s1.SlotFunc != NULL) 
@@ -643,12 +647,13 @@ void Tm3SlotSetFunc1(ThreadVars *tv, TmModule *tm) { "overwriting with %p\n", s->s1.SlotFunc, tm->Func); s->s1.SlotInit = tm->Init; + s->s1.slot_initdata = data; s->s1.SlotFunc = tm->Func; s->s1.SlotExitPrintStats = tm->ExitPrintStats; s->s1.SlotDeinit = tm->Deinit; } -void Tm3SlotSetFunc2(ThreadVars *tv, TmModule *tm) { +void Tm3SlotSetFunc2(ThreadVars *tv, TmModule *tm, void *data) { Tm3Slot *s = (Tm3Slot *)tv->tm_slots; if (s->s2.SlotFunc != NULL) @@ -656,12 +661,13 @@ void Tm3SlotSetFunc2(ThreadVars *tv, TmModule *tm) { "overwriting with %p\n", s->s2.SlotFunc, tm->Func); s->s2.SlotInit = tm->Init; + s->s2.slot_initdata = data; s->s2.SlotFunc = tm->Func; s->s2.SlotExitPrintStats = tm->ExitPrintStats; s->s2.SlotDeinit = tm->Deinit; } -void Tm3SlotSetFunc3(ThreadVars *tv, TmModule *tm) { +void Tm3SlotSetFunc3(ThreadVars *tv, TmModule *tm, void *data) { Tm3Slot *s = (Tm3Slot *)tv->tm_slots; if (s->s3.SlotFunc != NULL) @@ -669,12 +675,13 @@ void Tm3SlotSetFunc3(ThreadVars *tv, TmModule *tm) { "overwriting with %p\n", s->s3.SlotFunc, tm->Func); s->s3.SlotInit = tm->Init; + s->s3.slot_initdata = data; s->s3.SlotFunc = tm->Func; s->s3.SlotExitPrintStats = tm->ExitPrintStats; s->s3.SlotDeinit = tm->Deinit; } -void TmVarSlotSetFuncAppend(ThreadVars *tv, TmModule *tm) { +void TmVarSlotSetFuncAppend(ThreadVars *tv, TmModule *tm, void *data) { TmVarSlot *s = (TmVarSlot *)tv->tm_slots; TmSlot *slot = malloc(sizeof(TmSlot)); if (slot == NULL) @@ -683,6 +690,7 @@ void TmVarSlotSetFuncAppend(ThreadVars *tv, TmModule *tm) { memset(slot, 0, sizeof(TmSlot)); slot->SlotInit = tm->Init; + slot->slot_initdata = data; slot->SlotFunc = tm->Func; slot->SlotExitPrintStats = tm->ExitPrintStats; slot->SlotDeinit = tm->Deinit; diff --git a/src/tm-threads.h b/src/tm-threads.h index 48ed509357..4e249adab4 100644 --- a/src/tm-threads.h +++ b/src/tm-threads.h 
@@ -1,13 +1,13 @@ #ifndef __TM_THREADS_H__ #define __TM_THREADS_H__ -void Tm1SlotSetFunc(ThreadVars *, TmModule *); -void Tm2SlotSetFunc1(ThreadVars *, TmModule *); -void Tm2SlotSetFunc2(ThreadVars *, TmModule *); -void Tm3SlotSetFunc1(ThreadVars *, TmModule *); -void Tm3SlotSetFunc2(ThreadVars *, TmModule *); -void Tm3SlotSetFunc3(ThreadVars *, TmModule *); -void TmVarSlotSetFuncAppend(ThreadVars *, TmModule *); +void Tm1SlotSetFunc(ThreadVars *, TmModule *, void *); +void Tm2SlotSetFunc1(ThreadVars *, TmModule *, void *); +void Tm2SlotSetFunc2(ThreadVars *, TmModule *, void *); +void Tm3SlotSetFunc1(ThreadVars *, TmModule *, void *); +void Tm3SlotSetFunc2(ThreadVars *, TmModule *, void *); +void Tm3SlotSetFunc3(ThreadVars *, TmModule *, void *); +void TmVarSlotSetFuncAppend(ThreadVars *, TmModule *, void *); ThreadVars *TmThreadCreate(char *name, char *inq_name, char *inqh_name, char *outq_name, char *outqh_name, char *slots); int TmThreadSpawn(ThreadVars *); void TmThreadKillThreads(void); diff --git a/src/util-bloomfilter.c b/src/util-bloomfilter.c index 1a660509ab..0042fa07db 100644 --- a/src/util-bloomfilter.c +++ b/src/util-bloomfilter.c @@ -98,6 +98,13 @@ int BloomFilterTest(BloomFilter *bf, void *data, u_int16_t datalen) { return hit; } +u_int32_t BloomFilterMemoryCnt(BloomFilter *bf) { + if (bf == NULL) + return 0; + + return 2; +} + u_int32_t BloomFilterMemorySize(BloomFilter *bf) { if (bf == NULL) return 0; diff --git a/src/util-bloomfilter.h b/src/util-bloomfilter.h index 148ffb0a6d..736dcae7d3 100644 --- a/src/util-bloomfilter.h +++ b/src/util-bloomfilter.h @@ -17,6 +17,7 @@ void BloomFilterFree(BloomFilter *); void BloomFilterPrint(BloomFilter *); int BloomFilterAdd(BloomFilter *, void *, u_int16_t); int BloomFilterTest(BloomFilter *, void *, u_int16_t); +u_int32_t BloomFilterMemoryCnt(BloomFilter *); u_int32_t BloomFilterMemorySize(BloomFilter *); void BloomFilterRegisterTests(void); 
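Review bot: `BloomFilterMemoryCnt` returns the bare literal `2` with no indication of what is being counted. If it is meant to be the number of allocations behind a filter (presumably the struct plus its bit array, to pair with `BloomFilterMemorySize`), a comment such as `/* allocations per filter: the BloomFilter struct and its bit array */` or a named constant would keep it from drifting when the allocation pattern changes.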
diff --git a/src/util-hashlist.c b/src/util-hashlist.c new file mode 100644 index 0000000000..726292d6fe --- /dev/null +++ b/src/util-hashlist.c 
@@ -0,0 +1,382 @@ +/* Copyright (c) 2008 by Victor Julien */ + +/* Chained hash table implementation + * + * The 'Free' pointer can be used to have the API free your + * hashed data. If it's NULL it's the callers responsebility */ + +#include +#include +#include +#include + +#include "util-hashlist.h" + +#include "util-unittest.h" + +HashListTable* HashListTableInit(u_int32_t size, u_int32_t (*Hash)(struct _HashListTable *, void *, u_int16_t), char (*Compare)(void *, u_int16_t, void *, u_int16_t), void (*Free)(void *)) { + + HashListTable *ht = NULL; + + if (size == 0) { + goto error; + } + + if (Hash == NULL) { + //printf("ERROR: HashListTableInit no Hash function\n"); + goto error; + } + + /* setup the filter */ + ht = malloc(sizeof(HashListTable)); + if (ht == NULL) + goto error; + memset(ht,0,sizeof(HashListTable)); + ht->array_size = size; + ht->Hash = Hash; + ht->Free = Free; + + if (Compare != NULL) + ht->Compare = Compare; + else + ht->Compare = HashListTableDefaultCompare; + + /* setup the bitarray */ + ht->array = malloc(ht->array_size * sizeof(HashListTableBucket *)); + if (ht->array == NULL) + goto error; + memset(ht->array,0,ht->array_size * sizeof(HashListTableBucket *)); + + ht->listhead = NULL; + ht->listtail = NULL; + return ht; + +error: + if (ht != NULL) { + if (ht->array != NULL) + free(ht->array); + + free(ht); + } + return NULL; +} + +void HashListTableFree(HashListTable *ht) { + u_int32_t i = 0; + + if (ht == NULL) + return; + + /* free the buckets */ + for (i = 0; i < ht->array_size; i++) { + HashListTableBucket *hashbucket = ht->array[i]; + while (hashbucket != NULL) { + HashListTableBucket *next_hashbucket = hashbucket->bucknext; + if (ht->Free != NULL) + ht->Free(hashbucket->data); + free(hashbucket); + hashbucket = next_hashbucket; + } + } + + /* free the arrray */ + if (ht->array != NULL) + free(ht->array); + + free(ht); +} + +void HashListTablePrint(HashListTable *ht) { + printf("\n----------- Hash Table Stats ------------\n"); + 
printf("Buckets: %u\n", ht->array_size); + printf("Hash function pointer: %p\n", ht->Hash); + printf("-----------------------------------------\n"); +} + +int HashListTableAdd(HashListTable *ht, void *data, u_int16_t datalen) { + if (ht == NULL || data == NULL) + return -1; + + u_int32_t hash = ht->Hash(ht, data, datalen); + + HashListTableBucket *hb = malloc(sizeof(HashListTableBucket)); + if (hb == NULL) { + goto error; + } + memset(hb, 0, sizeof(HashListTableBucket)); + hb->data = data; + hb->size = datalen; + hb->bucknext = NULL; + hb->listnext = NULL; + hb->listprev = NULL; + + if (ht->array[hash] == NULL) { + ht->array[hash] = hb; + } else { + hb->bucknext = ht->array[hash]; + ht->array[hash] = hb; + } + + if (ht->listtail == NULL) { + ht->listhead = hb; + ht->listtail = hb; + } else { + ht->listtail->listnext = hb; + hb->listprev = ht->listtail->listnext; + ht->listtail = hb; + } + + return 0; + +error: + return -1; +} + +int HashListTableRemove(HashListTable *ht, void *data, u_int16_t datalen) { + u_int32_t hash = ht->Hash(ht, data, datalen); + + if (ht->array[hash] == NULL) { + return -1; + } + + if (ht->array[hash]->bucknext == NULL) { + if (ht->Free != NULL) + ht->Free(ht->array[hash]->data); + free(ht->array[hash]); + ht->array[hash] = NULL; + return 0; + } + + HashListTableBucket *hashbucket = ht->array[hash], *prev_hashbucket = NULL; + do { + if (hashbucket->size != datalen) { + prev_hashbucket = hashbucket; + hashbucket = hashbucket->bucknext; + continue; + } + + if (memcmp(hashbucket->data,data,datalen) == 0) { + /* remove from the list */ + if (hashbucket->listprev == NULL) { + ht->listhead = hashbucket->listnext; + } else { + hashbucket->listprev->listnext = hashbucket->listnext; + } + if (hashbucket->listnext == NULL) { + ht->listtail = hashbucket->listprev; + } else { + hashbucket->listnext->listprev = hashbucket->listprev; + } + + if (prev_hashbucket == NULL) { + /* root bucket */ + ht->array[hash] = hashbucket->bucknext; + } else { + /* child 
bucket */ + prev_hashbucket->bucknext = hashbucket->bucknext; + } + + /* remove this */ + if (ht->Free != NULL) + ht->Free(hashbucket->data); + free(hashbucket); + return 0; + } + + prev_hashbucket = hashbucket; + hashbucket = hashbucket->bucknext; + } while (hashbucket != NULL); + + return -1; +} + +char HashListTableDefaultCompare(void *data1, u_int16_t len1, void *data2, u_int16_t len2) { + if (len1 != len2) + return 0; + + if (memcmp(data1,data2,len1) != 0) + return 0; + + return 1; +} + +void *HashListTableLookup(HashListTable *ht, void *data, u_int16_t datalen) { + u_int32_t hash = ht->Hash(ht, data, datalen); + + if (ht->array[hash] == NULL) { + return NULL; + } + + HashListTableBucket *hashbucket = ht->array[hash]; + do { + if (ht->Compare(hashbucket->data,hashbucket->size,data,datalen) == 1) + return hashbucket->data; + + hashbucket = hashbucket->bucknext; + } while (hashbucket != NULL); + + return NULL; +} + +u_int32_t HashListTableGenericHash(HashListTable *ht, void *data, u_int16_t datalen) { + u_int8_t *d = (u_int8_t *)data; + u_int32_t i; + u_int32_t hash = 0; + + for (i = 0; i < datalen; i++) { + if (i == 0) hash += (((u_int32_t)*d++)); + else if (i == 1) hash += (((u_int32_t)*d++) * datalen); + else hash *= (((u_int32_t)*d++) * i) + datalen + i; + } + + hash *= datalen; + hash %= ht->array_size; + return hash; +} + +HashListTableBucket *HashListTableGetListHead(HashListTable *ht) { + return ht->listhead; +} + +/* + * ONLY TESTS BELOW THIS COMMENT + */ + +static int HashListTableTestInit01 (void) { + HashListTable *ht = HashListTableInit(1024, HashListTableGenericHash, NULL, NULL); + if (ht == NULL) + return 0; + + HashListTableFree(ht); + return 1; +} + +/* no hash function, so it should fail */ +static int HashListTableTestInit02 (void) { + HashListTable *ht = HashListTableInit(1024, NULL, NULL, NULL); + if (ht == NULL) + return 1; + + HashListTableFree(ht); + return 0; +} + +static int HashListTableTestInit03 (void) { + int result = 0; + 
HashListTable *ht = HashListTableInit(1024, HashListTableGenericHash, NULL, NULL); + if (ht == NULL) + return 0; + + if (ht->Hash == HashListTableGenericHash) + result = 1; + + HashListTableFree(ht); + return result; +} + +static int HashListTableTestInit04 (void) { + HashListTable *ht = HashListTableInit(0, HashListTableGenericHash, NULL, NULL); + if (ht == NULL) + return 1; + + HashListTableFree(ht); + return 0; +} + +static int HashListTableTestAdd01 (void) { + int result = 0; + HashListTable *ht = HashListTableInit(32, HashListTableGenericHash, NULL, NULL); + if (ht == NULL) + goto end; + + int r = HashListTableAdd(ht, "test", 0); + if (r == 0) + goto end; + + /* all is good! */ + result = 1; +end: + if (ht != NULL) HashListTableFree(ht); + return result; +} + +static int HashListTableTestAdd02 (void) { + int result = 0; + HashListTable *ht = HashListTableInit(32, HashListTableGenericHash, NULL, NULL); + if (ht == NULL) + goto end; + + int r = HashListTableAdd(ht, NULL, 4); + if (r == 0) + goto end; + + /* all is good! */ + result = 1; +end: + if (ht != NULL) HashListTableFree(ht); + return result; +} + +static int HashListTableTestFull01 (void) { + int result = 0; + HashListTable *ht = HashListTableInit(32, HashListTableGenericHash, NULL, NULL); + if (ht == NULL) + goto end; + + int r = HashListTableAdd(ht, "test", 4); + if (r != 0) + goto end; + + char *rp = HashListTableLookup(ht, "test", 4); + if (rp == NULL) + goto end; + + r = HashListTableRemove(ht, "test", 4); + if (r != 0) + goto end; + + /* all is good! 
*/ + result = 1; +end: + if (ht != NULL) HashListTableFree(ht); + return result; +} + +static int HashListTableTestFull02 (void) { + int result = 0; + HashListTable *ht = HashListTableInit(32, HashListTableGenericHash, NULL, NULL); + if (ht == NULL) + goto end; + + int r = HashListTableAdd(ht, "test", 4); + if (r != 0) + goto end; + + char *rp = HashListTableLookup(ht, "test", 4); + if (rp == NULL) + goto end; + + r = HashListTableRemove(ht, "test2", 5); + if (r == 0) + goto end; + + /* all is good! */ + result = 1; +end: + if (ht != NULL) HashListTableFree(ht); + return result; +} + +void HashListTableRegisterTests(void) { + UtRegisterTest("HashListTableTestInit01", HashListTableTestInit01, 1); + UtRegisterTest("HashListTableTestInit02", HashListTableTestInit02, 1); + UtRegisterTest("HashListTableTestInit03", HashListTableTestInit03, 1); + UtRegisterTest("HashListTableTestInit04", HashListTableTestInit04, 1); + + UtRegisterTest("HashListTableTestAdd01", HashListTableTestAdd01, 1); + UtRegisterTest("HashListTableTestAdd02", HashListTableTestAdd02, 1); + + UtRegisterTest("HashListTableTestFull01", HashListTableTestFull01, 1); + UtRegisterTest("HashListTableTestFull02", HashListTableTestFull02, 1); +} + diff --git a/src/util-hashlist.h b/src/util-hashlist.h new file mode 100644 index 0000000000..1c96cac086 --- /dev/null +++ b/src/util-hashlist.h 
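Review bot: HashListTableRemove's single-bucket shortcut (`if (ht->array[hash]->bucknext == NULL)`) frees the bucket without comparing the key and without unlinking it from `listhead`/`listtail`. A later walk from HashListTableGetListHead can then reach freed memory, and a colliding key deletes the wrong entry. Dropping the shortcut lets the `do`/`while` loop below it handle a one-element chain with the size/memcmp check and list unlinking it already has. In HashListTableAdd the tail append sets `hb->listprev = ht->listtail->listnext;`, which is `hb` itself at that point; it should read `hb->listprev = ht->listtail;`. HashListTableTestAdd01 also expects a zero `datalen` to be rejected, which HashListTableAdd does not do.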
@@ -0,0 +1,42 @@
+/* Copyright (c) 2008 by Victor Julien */
+
+#ifndef __HASHLIST_H__
+#define __HASHLIST_H__
+
+/* hash bucket structure */
+typedef struct _HashListTableBucket {
+ void *data;
+ u_int16_t size;
+ struct _HashListTableBucket *bucknext;
+ struct _HashListTableBucket *listnext;
+ struct _HashListTableBucket *listprev;
+} HashListTableBucket;
+
+/* hash table structure */
+typedef struct _HashListTable {
+ HashListTableBucket **array;
+ HashListTableBucket *listhead;
+ HashListTableBucket *listtail;
+ u_int32_t array_size;
+ u_int32_t (*Hash)(struct _HashListTable *, void *, u_int16_t);
+ char (*Compare)(void *, u_int16_t, void *, u_int16_t);
+ void (*Free)(void *);
+} HashListTable;
+
+/* prototypes */
+HashListTable* HashListTableInit(u_int32_t, u_int32_t (*Hash)(struct _HashListTable *, void *, u_int16_t), char (*Compare)(void *, u_int16_t, void *, u_int16_t), void (*Free)(void *));
+void HashListTableFree(HashListTable *);
+void HashListTablePrint(HashListTable *);
+int HashListTableAdd(HashListTable *, void *, u_int16_t);
+int HashListTableRemove(HashListTable *, void *, u_int16_t);
+void *HashListTableLookup(HashListTable *, void *, u_int16_t);
+u_int32_t HashListTableGenericHash(HashListTable *, void *, u_int16_t);
+HashListTableBucket *HashListTableGetListHead(HashListTable *);
+#define HashListTableGetListNext(hb) (hb)->listnext
+#define HashListTableGetListData(hb) (hb)->data
+char HashListTableDefaultCompare(void *, u_int16_t, void *, u_int16_t);
+
+void HashListTableRegisterTests(void);
+
+#endif /* __HASHLIST_H__ */
+
diff --git a/src/util-mpm-b2g.c b/src/util-mpm-b2g.c
index b90210f2b4..75dc5dd574 100644
--- a/src/util-mpm-b2g.c
+++ b/src/util-mpm-b2g.c
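Review bot: The prototypes for HashListTableInit and HashListTableAdd say nothing about who owns `data`, and the implementation in util-hashlist.c stores the caller's pointer (`hb->data = data;`) rather than a copy. A caller that adds a stack buffer, or frees the object while it is still in the table, leaves a dangling entry behind. A comment above the prototypes would make the contract explicit, for example `/* data is stored by pointer, not copied: it must outlive its entry and is released via Free, if set, on Remove and on HashListTableFree */`.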
@@ -170,6 +170,18 @@ B2gAllocHashItem(MpmCtx *mpm_ctx) { return hi; } +static void B2gHashFree(MpmCtx *mpm_ctx, B2gHashItem *hi) { + if (hi == NULL) + return; + + B2gHashItem *t = hi->nxt; + B2gHashFree(mpm_ctx, t); + + mpm_ctx->memory_cnt--; + mpm_ctx->memory_size -= sizeof(B2gHashItem); + free(hi); +} + static inline void memcpy_tolower(u_int8_t *d, u_int8_t *s, u_int16_t len) { u_int16_t i; for (i = 0; i < len; i++) { @@ -518,7 +530,7 @@ static void B2gPrepareScanHash(MpmCtx *mpm_ctx) { if (ctx->scan_bloom[h] == NULL) continue; - mpm_ctx->memory_cnt+=2; /* hackish: bloomfilter itself and the bitarray */ + mpm_ctx->memory_cnt += BloomFilterMemoryCnt(ctx->scan_bloom[h]); mpm_ctx->memory_size += BloomFilterMemorySize(ctx->scan_bloom[h]); if (ctx->scan_pminlen[h] > 8) @@ -623,7 +635,7 @@ static void B2gPrepareSearchHash(MpmCtx *mpm_ctx) { if (ctx->search_bloom[h] == NULL) continue; - mpm_ctx->memory_cnt+=2; /* hackish: bloomfilter itself and the bitarray */ + mpm_ctx->memory_cnt += BloomFilterMemoryCnt(ctx->search_bloom[h]); mpm_ctx->memory_size += BloomFilterMemorySize(ctx->search_bloom[h]); if (ctx->search_pminlen[h] > 8) 
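Review bot: B2gHashFree recurses once per chained item before it frees anything, so stack use grows with the length of a bucket's `nxt` chain. How long those chains get depends on the loaded pattern set, which nothing in the hunk bounds. An iterative walk frees the same items with the same `memory_cnt`/`memory_size` accounting in constant stack. B3gHashFree in util-mpm-b3g.c and WmHashFree in util-mpm-wumanber.c are written the same way and would take the same change.

```c
static void B2gHashFree(MpmCtx *mpm_ctx, B2gHashItem *hi) {
    while (hi != NULL) {
        B2gHashItem *next = hi->nxt;

        mpm_ctx->memory_cnt--;
        mpm_ctx->memory_size -= sizeof(B2gHashItem);
        free(hi);
        hi = next;
    }
}
```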
@@ -908,18 +920,94 @@ void B2gDestroyCtx(MpmCtx *mpm_ctx) { mpm_ctx->memory_size -= (mpm_ctx->pattern_cnt * sizeof(B2gPattern)); } + if (ctx->scan_B2G) { + free(ctx->scan_B2G); + mpm_ctx->memory_cnt--; + mpm_ctx->memory_size -= (sizeof(B2G_TYPE) * ctx->scan_hash_size); + } + + if (ctx->search_B2G) { + free(ctx->search_B2G); + mpm_ctx->memory_cnt--; + mpm_ctx->memory_size -= (sizeof(B2G_TYPE) * ctx->search_hash_size); + } + + if (ctx->scan_bloom) { + int h; + for (h = 0; h < ctx->scan_hash_size; h++) { + if (ctx->scan_bloom[h] == NULL) + continue; + + mpm_ctx->memory_cnt -= BloomFilterMemoryCnt(ctx->scan_bloom[h]); + mpm_ctx->memory_size -= BloomFilterMemorySize(ctx->scan_bloom[h]); + + BloomFilterFree(ctx->scan_bloom[h]); + } + + free(ctx->scan_bloom); + + mpm_ctx->memory_cnt--; + mpm_ctx->memory_size -= (sizeof(BloomFilter *) * ctx->scan_hash_size); + } + if (ctx->scan_hash) { + int h; + for (h = 0; h < ctx->scan_hash_size; h++) { + if (ctx->scan_hash[h] == NULL) + continue; + + B2gHashFree(mpm_ctx, ctx->scan_hash[h]); + } + free(ctx->scan_hash); mpm_ctx->memory_cnt--; mpm_ctx->memory_size -= (sizeof(B2gHashItem) * ctx->scan_hash_size); } + if (ctx->search_bloom) { + int h; + for (h = 0; h < ctx->search_hash_size; h++) { + if (ctx->search_bloom[h] == NULL) + continue; + + mpm_ctx->memory_cnt -= BloomFilterMemoryCnt(ctx->search_bloom[h]); + mpm_ctx->memory_size -= BloomFilterMemorySize(ctx->search_bloom[h]); + + BloomFilterFree(ctx->search_bloom[h]); + } + + free(ctx->search_bloom); + + mpm_ctx->memory_cnt--; + mpm_ctx->memory_size -= (sizeof(BloomFilter *) * ctx->search_hash_size); + } + if (ctx->search_hash) { + int h; + for (h = 0; h < ctx->search_hash_size; h++) { + if (ctx->search_hash[h] == NULL) + continue; + + B2gHashFree(mpm_ctx, ctx->search_hash[h]); + } + free(ctx->search_hash); mpm_ctx->memory_cnt--; mpm_ctx->memory_size -= (sizeof(B2gHashItem) * ctx->search_hash_size); } + if (ctx->scan_pminlen) { + free(ctx->scan_pminlen); + mpm_ctx->memory_cnt--; + 
mpm_ctx->memory_size -= (sizeof(u_int8_t) * ctx->scan_hash_size); + } + + if (ctx->search_pminlen) { + free(ctx->search_pminlen); + mpm_ctx->memory_cnt--; + mpm_ctx->memory_size -= (sizeof(u_int8_t) * ctx->search_hash_size); + } + free(mpm_ctx->ctx); mpm_ctx->memory_cnt--; mpm_ctx->memory_size -= sizeof(B2gCtx); @@ -1499,6 +1587,7 @@ static int B2gTestInit01 (void) { return result; } +#if 0 static int B2gTestS0Init01 (void) { int result = 0; MpmCtx mpm_ctx; @@ -1595,6 +1684,7 @@ static int B2gTestS0Init05 (void) { B2gDestroyCtx(&mpm_ctx); return result; } +#endif static int B2gTestScan01 (void) { int result = 0; diff --git a/src/util-mpm-b3g.c b/src/util-mpm-b3g.c index 4b77687750..8788fafe56 100644 --- a/src/util-mpm-b3g.c +++ b/src/util-mpm-b3g.c @@ -1,4 +1,4 @@ -/* Implementation of the SBNDMq pattern matching algorithm. +/* 3 gram implementation of the (S)BNDMq pattern matching algorithm. * * Copyright (c) 2009 Victor Julien * @@ -169,6 +169,18 @@ B3gAllocHashItem(MpmCtx *mpm_ctx) { return hi; } +static void B3gHashFree(MpmCtx *mpm_ctx, B3gHashItem *hi) { + if (hi == NULL) + return; + + B3gHashItem *t = hi->nxt; + B3gHashFree(mpm_ctx, t); + + mpm_ctx->memory_cnt--; + mpm_ctx->memory_size -= sizeof(B3gHashItem); + free(hi); +} + static inline void memcpy_tolower(u_int8_t *d, u_int8_t *s, u_int16_t len) { u_int16_t i; for (i = 0; i < len; i++) { @@ -515,7 +527,7 @@ static void B3gPrepareScanHash(MpmCtx *mpm_ctx) { if (ctx->scan_bloom[h] == NULL) continue; - mpm_ctx->memory_cnt+=2; /* hackish: bloomfilter itself and the bitarray */ + mpm_ctx->memory_cnt += BloomFilterMemoryCnt(ctx->scan_bloom[h]); mpm_ctx->memory_size += BloomFilterMemorySize(ctx->scan_bloom[h]); if (ctx->scan_pminlen[h] > 8) 
@@ -884,18 +896,94 @@ void B3gDestroyCtx(MpmCtx *mpm_ctx) { mpm_ctx->memory_size -= (mpm_ctx->pattern_cnt * sizeof(B3gPattern)); } + if (ctx->scan_B3G) { + free(ctx->scan_B3G); + mpm_ctx->memory_cnt--; + mpm_ctx->memory_size -= (sizeof(B3G_TYPE) * ctx->scan_hash_size); + } + + if (ctx->search_B3G) { + free(ctx->search_B3G); + mpm_ctx->memory_cnt--; + mpm_ctx->memory_size -= (sizeof(B3G_TYPE) * ctx->search_hash_size); + } + + if (ctx->scan_bloom) { + int h; + for (h = 0; h < ctx->scan_hash_size; h++) { + if (ctx->scan_bloom[h] == NULL) + continue; + + mpm_ctx->memory_cnt -= BloomFilterMemoryCnt(ctx->scan_bloom[h]); + mpm_ctx->memory_size -= BloomFilterMemorySize(ctx->scan_bloom[h]); + + BloomFilterFree(ctx->scan_bloom[h]); + } + + free(ctx->scan_bloom); + + mpm_ctx->memory_cnt--; + mpm_ctx->memory_size -= (sizeof(BloomFilter *) * ctx->scan_hash_size); + } + if (ctx->scan_hash) { + int h; + for (h = 0; h < ctx->scan_hash_size; h++) { + if (ctx->scan_hash[h] == NULL) + continue; + + B3gHashFree(mpm_ctx, ctx->scan_hash[h]); + } + free(ctx->scan_hash); mpm_ctx->memory_cnt--; mpm_ctx->memory_size -= (sizeof(B3gHashItem) * ctx->scan_hash_size); } +#if 0 + if (ctx->search_bloom) { + int h; + for (h = 0; h < ctx->search_hash_size; h++) { + if (ctx->search_bloom[h] == NULL) + continue; + + mpm_ctx->memory_cnt -= BloomFilterMemoryCnt(ctx->search_bloom[h]); + mpm_ctx->memory_size -= BloomFilterMemorySize(ctx->search_bloom[h]); + + BloomFilterFree(ctx->search_bloom[h]); + } + + free(ctx->search_bloom); + mpm_ctx->memory_cnt--; + mpm_ctx->memory_size -= (sizeof(BloomFilter *) * ctx->search_hash_size); + } +#endif if (ctx->search_hash) { + int h; + for (h = 0; h < ctx->search_hash_size; h++) { + if (ctx->search_hash[h] == NULL) + continue; + + B3gHashFree(mpm_ctx, ctx->search_hash[h]); + } + free(ctx->search_hash); mpm_ctx->memory_cnt--; mpm_ctx->memory_size -= (sizeof(B3gHashItem) * ctx->search_hash_size); } + if (ctx->scan_pminlen) { + free(ctx->scan_pminlen); + 
mpm_ctx->memory_cnt--; + mpm_ctx->memory_size -= (sizeof(u_int8_t) * ctx->scan_hash_size); + } +#if 0 + if (ctx->search_pminlen) { + free(ctx->search_pminlen); + mpm_ctx->memory_cnt--; + mpm_ctx->memory_size -= (sizeof(u_int8_t) * ctx->search_hash_size); + } +#endif free(mpm_ctx->ctx); mpm_ctx->memory_cnt--; mpm_ctx->memory_size -= sizeof(B3gCtx); @@ -1510,6 +1598,7 @@ static int B3gTestInit01 (void) { return result; } +#if 0 static int B3gTestS0Init01 (void) { int result = 0; MpmCtx mpm_ctx; @@ -1606,6 +1695,7 @@ static int B3gTestS0Init05 (void) { B3gDestroyCtx(&mpm_ctx); return result; } +#endif static int B3gTestScan01 (void) { int result = 0; diff --git a/src/util-mpm-wumanber.c b/src/util-mpm-wumanber.c index 8ab5a36975..ce681beb3a 100644 --- a/src/util-mpm-wumanber.c +++ b/src/util-mpm-wumanber.c @@ -225,6 +225,18 @@ WmAllocHashItem(MpmCtx *mpm_ctx) { return hi; } +static void WmHashFree(MpmCtx *mpm_ctx, WmHashItem *hi) { + if (hi == NULL) + return; + + WmHashItem *t = hi->nxt; + WmHashFree(mpm_ctx, t); + + mpm_ctx->memory_cnt--; + mpm_ctx->memory_size -= sizeof(WmHashItem); + free(hi); +} + static inline void memcpy_tolower(u_int8_t *d, u_int8_t *s, u_int16_t len) { u_int16_t i; for (i = 0; i < len; i++) { @@ -580,7 +592,7 @@ static void WmScanPrepareHash(MpmCtx *mpm_ctx) { if (ctx->scan_bloom[h] == NULL) continue; - mpm_ctx->memory_cnt+=2; /* hackish: bloomfilter itself and the bitarray */ + mpm_ctx->memory_cnt += BloomFilterMemoryCnt(ctx->scan_bloom[h]); mpm_ctx->memory_size += BloomFilterMemorySize(ctx->scan_bloom[h]); if (ctx->scan_pminlen[h] > 8) 
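Review bot: The `search_bloom` and `search_pminlen` cleanup in B3gDestroyCtx is compiled out with `#if 0` and carries no explanation, while B2gDestroyCtx in this same commit frees both. If B3gCtx allocates either array (not visible in this hunk), they leak and `memory_cnt`/`memory_size` never return to zero. Each disabled block should either get a short comment stating why it is off, or be removed until the search path needs it. The function starts before the hunk.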
@@ -2196,7 +2208,33 @@ void WmDestroyCtx(MpmCtx *mpm_ctx) { mpm_ctx->memory_size -= (mpm_ctx->pattern_cnt * sizeof(WmPattern)); } + if (ctx->scan_bloom) { + int h; + for (h = 0; h < ctx->scan_hash_size; h++) { + if (ctx->scan_bloom[h] == NULL) + continue; + + mpm_ctx->memory_cnt -= BloomFilterMemoryCnt(ctx->scan_bloom[h]); + mpm_ctx->memory_size -= BloomFilterMemorySize(ctx->scan_bloom[h]); + + BloomFilterFree(ctx->scan_bloom[h]); + } + + free(ctx->scan_bloom); + + mpm_ctx->memory_cnt--; + mpm_ctx->memory_size -= (sizeof(BloomFilter *) * ctx->scan_hash_size); + } + if (ctx->scan_hash) { + int h; + for (h = 0; h < ctx->scan_hash_size; h++) { + if (ctx->scan_hash[h] == NULL) + continue; + + WmHashFree(mpm_ctx, ctx->scan_hash[h]); + } + free(ctx->scan_hash); mpm_ctx->memory_cnt--; mpm_ctx->memory_size -= (sizeof(WmHashItem) * ctx->scan_hash_size); @@ -2207,8 +2245,34 @@ void WmDestroyCtx(MpmCtx *mpm_ctx) { mpm_ctx->memory_cnt--; mpm_ctx->memory_size -= (sizeof(u_int16_t) * ctx->scan_hash_size); } +#if 0 + if (ctx->search_bloom) { + int h; + for (h = 0; h < ctx->search_hash_size; h++) { + if (ctx->search_bloom[h] == NULL) + continue; + + mpm_ctx->memory_cnt -= BloomFilterMemoryCnt(ctx->scan_bloom[h]); + mpm_ctx->memory_size -= BloomFilterMemorySize(ctx->search_bloom[h]); + + BloomFilterFree(ctx->search_bloom[h]); + } + free(ctx->search_bloom); + + mpm_ctx->memory_cnt--; + mpm_ctx->memory_size -= (sizeof(BloomFilter *) * ctx->search_hash_size); + } +#endif if (ctx->search_hash) { + int h; + for (h = 0; h < ctx->search_hash_size; h++) { + if (ctx->search_hash[h] == NULL) + continue; + + WmHashFree(mpm_ctx, ctx->search_hash[h]); + } + free(ctx->search_hash); mpm_ctx->memory_cnt--; mpm_ctx->memory_size -= (sizeof(WmHashItem) * ctx->search_hash_size); 
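Review bot: Inside the `#if 0` block for `search_bloom` in WmDestroyCtx, the count is taken from the wrong array: `mpm_ctx->memory_cnt -= BloomFilterMemoryCnt(ctx->scan_bloom[h]);`. By that point the `scan_bloom` array has already been freed by the block added earlier in the same function, so enabling this code would index freed memory. The line should read `mpm_ctx->memory_cnt -= BloomFilterMemoryCnt(ctx->search_bloom[h]);`. The block is disabled today, so this only bites once the `#if 0` is lifted.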
@@ -2220,6 +2284,18 @@ void WmDestroyCtx(MpmCtx *mpm_ctx) { mpm_ctx->memory_size -= (sizeof(u_int16_t) * ctx->search_hash_size); } + if (ctx->scan_pminlen) { + free(ctx->scan_pminlen); + mpm_ctx->memory_cnt--; + mpm_ctx->memory_size -= (sizeof(u_int8_t) * ctx->scan_hash_size); + } +#if 0 + if (ctx->search_pminlen) { + free(ctx->search_pminlen); + mpm_ctx->memory_cnt--; + mpm_ctx->memory_size -= (sizeof(u_int8_t) * ctx->search_hash_size); + } +#endif free(mpm_ctx->ctx); mpm_ctx->memory_cnt--; mpm_ctx->memory_size -= sizeof(WmCtx); diff --git a/src/vips.c b/src/vips.c index 7e92fd9f96..eb5b7df800 100644 --- a/src/vips.c +++ b/src/vips.c @@ -23,6 +23,7 @@ #include "util-binsearch.h" #include "util-hash.h" +#include "util-hashlist.h" #include "util-bloomfilter.h" #include "util-bloomfilter-counting.h" @@ -210,11 +211,12 @@ int main(int argc, char **argv) TmModuleRegisterTests(); SigTableRegisterTests(); HashTableRegisterTests(); + HashListTableRegisterTests(); BloomFilterRegisterTests(); BloomFilterCountingRegisterTests(); MpmRegisterTests(); SigRegisterTests(); - UtRunTests(); + //UtRunTests(); UtCleanup(); //exit(1); @@ -266,7 +268,7 @@ int main(int argc, char **argv) printf("ERROR: TmModuleGetByName failed for ReceiveNFQ\n"); exit(1); } - Tm1SlotSetFunc(tv_receivenfq,tm_module); + Tm1SlotSetFunc(tv_receivenfq,tm_module,NULL); if (TmThreadSpawn(tv_receivenfq) != 0) { printf("ERROR: TmThreadSpawn failed\n"); @@ -284,7 +286,7 @@ int main(int argc, char **argv) printf("ERROR: TmModuleGetByName DecodeNFQ failed\n"); exit(1); } - Tm1SlotSetFunc(tv_decode1,tm_module); + Tm1SlotSetFunc(tv_decode1,tm_module,NULL); if (TmThreadSpawn(tv_decode1) != 0) { printf("ERROR: TmThreadSpawn failed\n"); @@ -301,7 +303,7 @@ int main(int argc, char **argv) printf("ERROR: TmModuleGetByName DecodeNFQ failed\n"); exit(1); } - Tm1SlotSetFunc(tv_decode2,tm_module); + Tm1SlotSetFunc(tv_decode2,tm_module,NULL); if (TmThreadSpawn(tv_decode2) != 0) { printf("ERROR: TmThreadSpawn failed\n"); 
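Review bot: `//UtRunTests();` in main() switches off the whole unit-test run, so the tests added by this commit never execute. The registration calls, including the new HashListTableRegisterTests(), and UtCleanup() all stay in place. That hides at least one visible mismatch: HashListTableTestAdd01 expects HashListTableAdd to reject a zero `datalen`, and the implementation in util-hashlist.c accepts it. If the call was disabled for local debugging, it should be restored as `UtRunTests();` before merge. main() starts and ends outside the hunk.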
@@ -318,7 +320,7 @@ int main(int argc, char **argv) printf("ERROR: TmModuleGetByName Detect failed\n"); exit(1); } - Tm1SlotSetFunc(tv_detect1,tm_module); + Tm1SlotSetFunc(tv_detect1,tm_module,(void *)g_de_ctx); if (TmThreadSpawn(tv_detect1) != 0) { printf("ERROR: TmThreadSpawn failed\n"); @@ -335,7 +337,7 @@ int main(int argc, char **argv) printf("ERROR: TmModuleGetByName Detect failed\n"); exit(1); } - Tm1SlotSetFunc(tv_detect2,tm_module); + Tm1SlotSetFunc(tv_detect2,tm_module,(void *)g_de_ctx); if (TmThreadSpawn(tv_detect2) != 0) { printf("ERROR: TmThreadSpawn failed\n"); @@ -352,7 +354,7 @@ int main(int argc, char **argv) printf("ERROR: TmModuleGetByName VerdictNFQ failed\n"); exit(1); } - Tm1SlotSetFunc(tv_verdict,tm_module); + Tm1SlotSetFunc(tv_verdict,tm_module,NULL); if (TmThreadSpawn(tv_verdict) != 0) { printf("ERROR: TmThreadSpawn failed\n"); @@ -369,7 +371,7 @@ int main(int argc, char **argv) printf("ERROR: TmModuleGetByName for RespondReject failed\n"); exit(1); } - Tm1SlotSetFunc(tv_rreject,tm_module); + Tm1SlotSetFunc(tv_rreject,tm_module,NULL); if (TmThreadSpawn(tv_rreject) != 0) { printf("ERROR: TmThreadSpawn failed\n"); @@ -386,14 +388,14 @@ int main(int argc, char **argv) printf("ERROR: TmModuleGetByName for AlertFastlog failed\n"); exit(1); } - Tm2SlotSetFunc1(tv_alert,tm_module); + Tm2SlotSetFunc1(tv_alert,tm_module,NULL); tm_module = TmModuleGetByName("LogHttplog"); if (tm_module == NULL) { printf("ERROR: TmModuleGetByName failed\n"); exit(1); } - Tm2SlotSetFunc2(tv_alert,tm_module); + Tm2SlotSetFunc2(tv_alert,tm_module,NULL); if (TmThreadSpawn(tv_alert) != 0) { printf("ERROR: TmThreadSpawn failed\n"); 
@@ -412,14 +414,14 @@ int main(int argc, char **argv) printf("ERROR: TmModuleGetByName for AlertUnifiedLog failed\n"); exit(1); } - Tm2SlotSetFunc1(tv_unified,tm_module); + Tm2SlotSetFunc1(tv_unified,tm_module,NULL); tm_module = TmModuleGetByName("AlertUnifiedAlert"); if (tm_module == NULL) { printf("ERROR: TmModuleGetByName for AlertUnifiedAlert failed\n"); exit(1); } - Tm2SlotSetFunc2(tv_unified,tm_module); + Tm2SlotSetFunc2(tv_unified,tm_module,NULL); if (TmThreadSpawn(tv_unified) != 0) { printf("ERROR: TmThreadSpawn failed\n"); @@ -437,7 +439,7 @@ int main(int argc, char **argv) printf("ERROR: TmModuleGetByName failed\n"); exit(1); } - Tm1SlotSetFunc(tv_debugalert,tm_module); + Tm1SlotSetFunc(tv_debugalert,tm_module,NULL); if (TmThreadSpawn(tv_debugalert) != 0) { printf("ERROR: TmThreadSpawn failed\n");