From 975062cf401f79c00abf728d923c65aabd143af2 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Thu, 25 Feb 2021 20:06:40 +0100
Subject: [PATCH] detect: track base id for xform buffers
Buffers with transforms are based on the non-transformed "base" buffer, with a new ID assigned and the transform callbacks added. This patch stores the id of the original buffer in the new buffer inspect and prefilter structures. This way the buffers with and without transforms can share some of the logic are progression of file and body inspection trackers. Related tickets: #4361 #4199 #3616
---
 src/detect-engine-mpm.c | 3 +++
 src/detect-engine.c | 10 ++++++++++
 src/detect.h | 15 +++++++++------
 3 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c
index 5c99e3386a..2ea28e7775 100644
--- a/src/detect-engine-mpm.c
@@ -116,6 +116,7 @@ void DetectAppLayerMpmRegister2(const char *name,
 snprintf(am->pname, sizeof(am->pname), "%s", am->name);
 am->direction = direction;
 am->sm_list = sm_list;
+ am->sm_list_base = sm_list;
 am->priority = priority;
 am->type = DETECT_BUFFER_MPM_TYPE_APP;
@@ -155,6 +156,7 @@ void DetectAppLayerMpmRegisterByParentId(DetectEngineCtx *de_ctx,
 am->name = t->name;
 am->direction = t->direction;
 am->sm_list = id; // use new id
+ am->sm_list_base = t->sm_list;
 am->type = DETECT_BUFFER_MPM_TYPE_APP;
 am->PrefilterRegisterWithListId = t->PrefilterRegisterWithListId;
 am->app_v2.GetData = t->app_v2.GetData;
@@ -350,6 +352,7 @@ void DetectPktMpmRegisterByParentId(DetectEngineCtx *de_ctx,
 am->name = t->name;
 snprintf(am->pname, sizeof(am->pname), "%s#%d", am->name, id);
 am->sm_list = id; // use new id
+ am->sm_list_base = t->sm_list;
 am->type = DETECT_BUFFER_MPM_TYPE_PKT;
 am->PrefilterRegisterWithListId = t->PrefilterRegisterWithListId;
 am->pkt_v1.GetData = t->pkt_v1.GetData;
diff --git a/src/detect-engine.c b/src/detect-engine.c
index ef56d18500..027186626d 100644
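Review bot: In `DetectAppLayerMpmRegisterByParentId` the base is taken from `t->sm_list`, which is the untransformed list only if the parent entry `t` is never itself a buffer with transforms; the lookup that selects `t` is outside the hunk, so this cannot be confirmed from here. If a parent can carry transforms, the new entry would record an intermediate id, and the tracker sharing described in the commit message would key on the wrong buffer, which for an IDS means content inspected against a progress state that belongs to something else. `am->sm_list_base = t->sm_list_base;` holds in both cases, provided every registration path initialises the field; this file gains only three assignments, so a packet registration that does not go through a parent id, if one exists outside these hunks, would need one as well. The same line in `DetectPktMpmRegisterByParentId` (hunk at -350) has the same dependency.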
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -150,6 +150,7 @@ void DetectPktInspectEngineRegister(const char *name,
 "failed to register inspect engine %s: %s", name, strerror(errno));
 }
 new_engine->sm_list = sm_list;
+ new_engine->sm_list_base = sm_list;
 new_engine->v1.Callback = Callback;
 new_engine->v1.GetData = GetPktData;
@@ -209,6 +210,7 @@ void DetectAppLayerInspectEngineRegister2(const char *name,
 new_engine->alproto = alproto;
 new_engine->dir = direction;
 new_engine->sm_list = sm_list;
+ new_engine->sm_list_base = sm_list;
 new_engine->progress = progress;
 new_engine->v2.Callback = Callback2;
 new_engine->v2.GetData = GetData;
@@ -241,6 +243,7 @@ static void DetectAppLayerInspectEngineCopy(
 new_engine->alproto = t->alproto;
 new_engine->dir = t->dir;
 new_engine->sm_list = new_list; /* use new list id */
+ new_engine->sm_list_base = sm_list;
 new_engine->progress = t->progress;
 new_engine->v2 = t->v2;
 new_engine->v2.transforms = transforms; /* assign transforms */
@@ -272,6 +275,7 @@ static void DetectAppLayerInspectEngineCopyListToDetectCtx(DetectEngineCtx *de_c
 new_engine->alproto = t->alproto;
 new_engine->dir = t->dir;
 new_engine->sm_list = t->sm_list;
+ new_engine->sm_list_base = t->sm_list;
 new_engine->progress = t->progress;
 new_engine->v2 = t->v2;
@@ -304,6 +308,7 @@ static void DetectPktInspectEngineCopy(
 exit(EXIT_FAILURE);
 }
 new_engine->sm_list = new_list; /* use new list id */
+ new_engine->sm_list_base = sm_list;
 new_engine->v1 = t->v1;
 new_engine->v1.transforms = transforms; /* assign transforms */
@@ -333,6 +338,7 @@ static void DetectPktInspectEngineCopyListToDetectCtx(DetectEngineCtx *de_ctx)
 exit(EXIT_FAILURE);
 }
 new_engine->sm_list = t->sm_list;
+ new_engine->sm_list_base = t->sm_list;
 new_engine->v1 = t->v1;
 if (de_ctx->pkt_inspect_engines == NULL) {
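Review bot: `DetectAppLayerInspectEngineCopyListToDetectCtx` re-derives the base with `new_engine->sm_list_base = t->sm_list;` although the source engine `t` already carries the field, set by the register functions patched earlier in this file. Copying it, `new_engine->sm_list_base = t->sm_list_base;`, keeps the per-`de_ctx` list an exact copy of the registered one and matches what this commit does in `DetectEngineAppInspectionEngine2Signature`; the same applies to `DetectPktInspectEngineCopyListToDetectCtx` (hunk at -333). In the two `...Copy` functions (hunks at -241 and -304) the value comes from `sm_list`, whose declaration is outside the hunk and is presumably the parameter naming the list being copied from. A short comment such as `/* base: list the transforms are applied to */` on those lines would mirror the `/* use new list id */` comment directly above them.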
@@ -372,6 +378,7 @@ static void AppendStreamInspectEngine(Signature *s, SigMatchData *stream, int di
 new_engine->dir = direction;
 new_engine->stream = true;
 new_engine->sm_list = DETECT_SM_LIST_PMATCH;
+ new_engine->sm_list_base = DETECT_SM_LIST_PMATCH;
 new_engine->smd = stream;
 new_engine->v2.Callback = DetectEngineInspectStream;
 new_engine->progress = 0;
@@ -441,6 +448,7 @@ int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature
 }
 new_engine->sm_list = e->sm_list;
+ new_engine->sm_list_base = e->sm_list_base;
 new_engine->smd = ptrs[new_engine->sm_list];
 new_engine->v1 = e->v1;
 SCLogDebug("sm_list %d new_engine->v1 %p/%p/%p",
@@ -504,6 +512,7 @@ int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature
 new_engine->alproto = t->alproto;
 new_engine->dir = t->dir;
 new_engine->sm_list = t->sm_list;
+ new_engine->sm_list_base = t->sm_list_base;
 new_engine->smd = ptrs[new_engine->sm_list];
 new_engine->progress = t->progress;
 new_engine->v2 = t->v2;
@@ -1423,6 +1432,7 @@ static int DetectEnginePktInspectionAppend(Signature *s, InspectionBufferPktInsp
 return -1;
 e->sm_list = list_id;
+ e->sm_list_base = list_id;
 e->v1.Callback = Callback;
 e->smd = data;
diff --git a/src/detect.h b/src/detect.h
index 3644eb7744..51afd7cd70 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -396,9 +396,10 @@ typedef struct DetectEngineAppInspectionEngine_ {
 AppProto alproto;
 uint8_t dir;
 uint8_t id; /**< per sig id used in state keeping */
- uint16_t mpm:1;
- uint16_t stream:1;
- uint16_t sm_list:14;
+ bool mpm;
+ bool stream;
+ uint16_t sm_list;
+ uint16_t sm_list_base; /**< base buffer being transformed */
 int16_t progress;
 struct {
@@ -445,8 +446,9 @@ typedef InspectionBuffer *(*InspectionBufferGetPktDataPtr)(
 typedef struct DetectEnginePktInspectionEngine {
 SigMatchData *smd;
- uint16_t mpm:1;
- uint16_t sm_list:15;
+ bool mpm;
+ uint16_t sm_list;
+ uint16_t sm_list_base;
 struct {
 InspectionBufferGetPktDataPtr GetData;
 InspectionBufferPktInspectFunc Callback;
@@ -597,7 +599,8 @@ typedef struct DetectBufferMpmRegistery_ {
 const char *name;
 char pname[32]; /**< name used in profiling */
 int direction; /**< SIG_FLAG_TOSERVER or SIG_FLAG_TOCLIENT */
- int sm_list;
+ int16_t sm_list;
+ int16_t sm_list_base;
 int priority;
 int id; /**< index into this array and result arrays */
 enum DetectBufferMpmType type;
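Review bot: `sm_list_base` in `DetectEnginePktInspectionEngine` is added without the Doxygen comment that its counterpart in `DetectEngineAppInspectionEngine_` gets. I would add `/**< base buffer being transformed */` here and on `sm_list_base` in `DetectBufferMpmRegistery_` (hunk at -597). It is also worth stating on `sm_list` that the two fields are equal for a buffer without transforms, since every non-transform assignment site in this commit sets them to the same value and later readers will rely on that.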
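Review bot: `sm_list` in `DetectBufferMpmRegistery_` narrows from `int` to `int16_t`, while the two inspect-engine structs in this file use `uint16_t` for the same ids, and the values stored come from wider variables: `am->sm_list = id; // use new id` in detect-engine-mpm.c assigns what is presumably an `int`. An id above `INT16_MAX` would be truncated without a diagnostic, and a truncated or negative list id could alias another buffer, so a rule's content could be prefiltered against the wrong data; whether ids can grow that far depends on the id allocator, which is not shown. I would use one type for the field in all three structs and make the bound explicit where the id is assigned, e.g. `BUG_ON(id < 0 || id > INT16_MAX);` before `am->sm_list = id;`.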