aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Moving the stream content scanning to have it's own mpm ctx.

Browse Source
remotes/origin/master-1.0.x
Victor Julien 16 years ago
parent 9a08d6c11c
commit a24f288074
8 changed files with 388 additions and 22 deletions
Show Stats Download Patch File Download Diff File

88
src/detect-engine-mpm.c
Unescape Escape View File

@ -26,6 +26,8 @@
#include "suricata.h"
#include "suricata-common.h"
#include "app-layer-protos.h"
#include "decode.h"
#include "detect.h"
#include "detect-engine.h"
@ -191,8 +193,8 @@ uint32_t StreamPatternSearch(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
for ( ; smsg != NULL; smsg = smsg->next) {
//PrintRawDataFp(stdout, smsg->data.data, smsg->data.data_len);
uint32_t r = mpm_table[det_ctx->sgh->mpm_ctx->mpm_type].Search(det_ctx->sgh->mpm_ctx,
&det_ctx->mtc, &det_ctx->smsg_pmq[cnt], smsg->data.data, smsg->data.data_len);
uint32_t r = mpm_table[det_ctx->sgh->mpm_stream_ctx->mpm_type].Search(det_ctx->sgh->mpm_stream_ctx,
&det_ctx->mtcs, &det_ctx->smsg_pmq[cnt], smsg->data.data, smsg->data.data_len);
if (r > 0) {
ret += r;
@ -208,7 +210,6 @@ uint32_t StreamPatternSearch(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
SCReturnInt(ret);
}
/** \brief cleans up the mpm instance after a match */
void PacketPatternCleanup(ThreadVars *t, DetectEngineThreadCtx *det_ctx) {
PmqReset(&det_ctx->pmq);
@ -224,6 +225,21 @@ void PacketPatternCleanup(ThreadVars *t, DetectEngineThreadCtx *det_ctx) {
if (det_ctx->sgh->mpm_uri_ctx != NULL && mpm_table[det_ctx->sgh->mpm_uri_ctx->mpm_type].Cleanup != NULL) {
mpm_table[det_ctx->sgh->mpm_uri_ctx->mpm_type].Cleanup(&det_ctx->mtcu);
}
/* stream content */
if (det_ctx->sgh->mpm_stream_ctx != NULL && mpm_table[det_ctx->sgh->mpm_stream_ctx->mpm_type].Cleanup != NULL) {
mpm_table[det_ctx->sgh->mpm_stream_ctx->mpm_type].Cleanup(&det_ctx->mtcs);
}
}
void StreamPatternCleanup(ThreadVars *t, DetectEngineThreadCtx *det_ctx, StreamMsg *smsg) {
uint8_t cnt = 0;
while (smsg != NULL) {
PmqReset(&det_ctx->smsg_pmq[cnt]);
smsg = smsg->next;
cnt++;
}
}
void PatternMatchDestroy(MpmCtx *mpm_ctx, uint16_t mpm_matcher) {
@ -275,6 +291,18 @@ void PatternMatchDestroyGroup(SigGroupHead *sh) {
sh->mpm_uri_ctx = NULL;
sh->flags &= ~SIG_GROUP_HAVEURICONTENT;
}
/* stream content */
if (sh->flags & SIG_GROUP_HAVESTREAMCONTENT && sh->mpm_stream_ctx != NULL &&
!(sh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)) {
SCLogDebug("destroying mpm_stream_ctx %p (sh %p)", sh->mpm_stream_ctx, sh);
mpm_table[sh->mpm_stream_ctx->mpm_type].DestroyCtx(sh->mpm_stream_ctx);
SCFree(sh->mpm_stream_ctx);
/* ready for reuse */
sh->mpm_stream_ctx = NULL;
sh->flags &= ~SIG_GROUP_HAVESTREAMCONTENT;
}
}
static int g_uricontent_search = 0;
@ -583,10 +611,39 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead
depth = mpm_ch->cnt ? 0 : depth;
uint8_t flags = 0;
if (co->flags & DETECT_CONTENT_NOCASE) {
mpm_table[sgh->mpm_ctx->mpm_type].AddPatternNocase(sgh->mpm_ctx, co->content, co->content_len, offset, depth, co->id, s->num, flags);
char scan_packet = 0;
char scan_stream = 0;
if (s->flags & SIG_FLAG_DSIZE) {
scan_packet = 1;
} else if (s->alproto == ALPROTO_UNKNOWN) {
scan_packet = 1;
scan_stream = 1;
} else {
mpm_table[sgh->mpm_ctx->mpm_type].AddPattern(sgh->mpm_ctx, co->content, co->content_len, offset, depth, co->id, s->num, flags);
scan_stream = 1;
}
if (scan_packet) {
/* add the content to the "packet" mpm */
if (co->flags & DETECT_CONTENT_NOCASE) {
mpm_table[sgh->mpm_ctx->mpm_type].AddPatternNocase(sgh->mpm_ctx,
co->content, co->content_len, offset, depth, co->id,
s->num, flags);
} else {
mpm_table[sgh->mpm_ctx->mpm_type].AddPattern(sgh->mpm_ctx,
co->content, co->content_len, offset, depth, co->id,
s->num, flags);
}
}
if (scan_stream) {
/* add the content to the "stream" mpm */
if (co->flags & DETECT_CONTENT_NOCASE) {
mpm_table[sgh->mpm_stream_ctx->mpm_type].AddPatternNocase(sgh->mpm_stream_ctx,
co->content, co->content_len, offset, depth, co->id, s->num, flags);
} else {
mpm_table[sgh->mpm_stream_ctx->mpm_type].AddPattern(sgh->mpm_stream_ctx,
co->content, co->content_len, offset, depth, co->id, s->num, flags);
}
}
s->mpm_pattern_id = co->id;
@ -632,6 +689,9 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
if (!(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY))
sh->mpm_uricontent_maxlen = 0;
if (!(sh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY))
sh->mpm_streamcontent_maxlen = 0;
/** see if this head has content and/or uricontent
* \todo we can move this to the signature init phase */
for (sig = 0; sig < sh->sig_cnt; sig++) {
@ -677,6 +737,19 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
#else
MpmInitCtx(sh->mpm_ctx, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle);
#endif
//if (sh->flags & SIG_GROUP_HAVESTREAMCONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_STREAM_COPY)) {
sh->mpm_stream_ctx = SCMalloc(sizeof(MpmCtx));
if (sh->mpm_stream_ctx == NULL)
goto error;
memset(sh->mpm_stream_ctx, 0x00, sizeof(MpmCtx));
#ifndef __SC_CUDA_SUPPORT__
MpmInitCtx(sh->mpm_stream_ctx, de_ctx->mpm_matcher, -1);
#else
MpmInitCtx(sh->mpm_stream_ctx, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle);
#endif
//}
}
if (sh->flags & SIG_GROUP_HAVEURICONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) {
sh->mpm_uri_ctx = SCMalloc(sizeof(MpmCtx));
@ -914,6 +987,9 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
if (mpm_table[sh->mpm_ctx->mpm_type].Prepare != NULL) {
mpm_table[sh->mpm_ctx->mpm_type].Prepare(sh->mpm_ctx);
}
if (mpm_table[sh->mpm_stream_ctx->mpm_type].Prepare != NULL) {
mpm_table[sh->mpm_stream_ctx->mpm_type].Prepare(sh->mpm_stream_ctx);
}
if (mpm_content_maxdepth) {
// printf("mpm_content_maxdepth %" PRIu32 "\n", mpm_content_maxdepth);

1
src/detect-engine-mpm.h
Unescape Escape View File

@ -38,6 +38,7 @@ uint32_t UriPatternSearch(ThreadVars *, DetectEngineThreadCtx *, uint8_t *, uint
uint32_t StreamPatternSearch(ThreadVars *, DetectEngineThreadCtx *, StreamMsg *);
void PacketPatternCleanup(ThreadVars *, DetectEngineThreadCtx *);
void StreamPatternCleanup(ThreadVars *t, DetectEngineThreadCtx *det_ctx, StreamMsg *smsg);
void PatternMatchPrepare(MpmCtx *, uint16_t);
void PatternMatchThreadPrepare(MpmThreadCtx *, uint16_t type, uint32_t max_id);

224
src/detect-engine-siggroup.c
Unescape Escape View File

@ -25,11 +25,10 @@
#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "flow-var.h"
#include "util-cidr.h"
#include "util-unittest.h"
#include "app-layer-protos.h"
#include "detect.h"
#include "detect-parse.h"
@ -46,6 +45,9 @@
#include "util-error.h"
#include "util-debug.h"
#include "util-cidr.h"
#include "util-unittest.h"
/* prototypes */
int SigGroupHeadClearSigs(SigGroupHead *);
@ -429,6 +431,131 @@ void SigGroupHeadMpmUriHashFree(DetectEngineCtx *de_ctx)
return;
}
/**
* \brief The hash function to be the used by the mpm uri SigGroupHead hash
* table - DetectEngineCtx->sgh_mpm_uri_hash_table.
*
* \param ht Pointer to the hash table.
* \param data Pointer to the SigGroupHead.
* \param datalen Not used in our case.
*
* \retval hash The generated hash value.
*/
uint32_t SigGroupHeadMpmStreamHashFunc(HashListTable *ht, void *data, uint16_t datalen)
{
SigGroupHead *sgh = (SigGroupHead *)data;
uint32_t hash = 0;
uint32_t b = 0;
for (b = 0; b < sgh->init->stream_content_size; b++)
hash += sgh->init->stream_content_array[b];
return hash % ht->array_size;
}
/**
* \brief The Compare function to be used by the mpm uri SigGroupHead hash
* table - DetectEngineCtx->sgh_mpm_uri_hash_table.
*
* \param data1 Pointer to the first SigGroupHead.
* \param len1 Not used.
* \param data2 Pointer to the second SigGroupHead.
* \param len2 Not used.
*
* \retval 1 If the 2 SigGroupHeads sent as args match.
* \retval 0 If the 2 SigGroupHeads sent as args do not match.
*/
char SigGroupHeadMpmStreamCompareFunc(void *data1, uint16_t len1, void *data2,
uint16_t len2)
{
SigGroupHead *sgh1 = (SigGroupHead *)data1;
SigGroupHead *sgh2 = (SigGroupHead *)data2;
if (sgh1->init->stream_content_size != sgh2->init->stream_content_size)
return 0;
if (memcmp(sgh1->init->stream_content_array, sgh2->init->stream_content_array,
sgh1->init->stream_content_size) != 0) {
return 0;
}
return 1;
}
/**
* \brief Initializes the mpm uri hash table to be used by the detection engine
* context.
*
* \param de_ctx Pointer to the detection engine context.
*
* \retval 0 On success.
* \retval -1 On failure.
*/
int SigGroupHeadMpmStreamHashInit(DetectEngineCtx *de_ctx)
{
de_ctx->sgh_mpm_stream_hash_table = HashListTableInit(4096,
SigGroupHeadMpmStreamHashFunc, SigGroupHeadMpmStreamCompareFunc, NULL);
if (de_ctx->sgh_mpm_stream_hash_table == NULL)
goto error;
return 0;
error:
return -1;
}
/**
* \brief Adds a SigGroupHead to the detection engine context SigGroupHead
* mpm uri hash table.
*
* \param de_ctx Pointer to the detection engine context.
* \param sgh Pointer to the SigGroupHead.
*
* \retval ret 0 on Successfully adding the argument sgh and -1 on failure.
*/
int SigGroupHeadMpmStreamHashAdd(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
{
int ret = HashListTableAdd(de_ctx->sgh_mpm_stream_hash_table, (void *)sgh, 0);
return ret;
}
/**
* \brief Used to lookup a SigGroupHead from the detection engine context
* SigGroupHead mpm uri hash table.
*
* \param de_ctx Pointer to the detection engine context.
* \param sgh Pointer to the SigGroupHead.
*
* \retval rsgh On success a pointer to the SigGroupHead if the SigGroupHead is
* found in the hash table; NULL on failure.
*/
SigGroupHead *SigGroupHeadMpmStreamHashLookup(DetectEngineCtx *de_ctx,
SigGroupHead *sgh)
{
SigGroupHead *rsgh = HashListTableLookup(de_ctx->sgh_mpm_stream_hash_table,
(void *)sgh, 0);
return rsgh;
}
/**
* \brief Frees the hash table - DetectEngineCtx->sgh_mpm_uri_hash_table,
* allocated by SigGroupHeadMpmUriHashInit() function.
*
* \param de_ctx Pointer to the detection engine context.
*/
void SigGroupHeadMpmStreamHashFree(DetectEngineCtx *de_ctx)
{
if (de_ctx->sgh_mpm_stream_hash_table == NULL)
return;
HashListTableFree(de_ctx->sgh_mpm_stream_hash_table);
de_ctx->sgh_mpm_stream_hash_table = NULL;
return;
}
/**
* \brief The hash function to be the used by the hash table -
* DetectEngineCtx->sgh_hash_table.
@ -880,7 +1007,7 @@ int SigGroupHeadAppendSig(DetectEngineCtx *de_ctx, SigGroupHead **sgh,
SCLogDebug("(%p)->mpm_content_maxlen %u", *sgh, (*sgh)->mpm_content_maxlen);
}
}
if (s->flags & SIG_FLAG_MPM) {
if (s->flags & SIG_FLAG_MPM_URI) {
if (s->mpm_uricontent_maxlen > 0) {
if ((*sgh)->mpm_uricontent_maxlen == 0)
(*sgh)->mpm_uricontent_maxlen = s->mpm_uricontent_maxlen;
@ -1168,6 +1295,9 @@ int SigGroupHeadLoadContent(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
if (!(s->flags & SIG_FLAG_MPM))
continue;
if (s->alproto != ALPROTO_UNKNOWN)
continue;
sm = s->pmatch;
if (sm == NULL)
continue;
@ -1290,6 +1420,92 @@ int SigGroupHeadClearUricontent(SigGroupHead *sh)
return 0;
}
/**
* \brief Loads all the content ids from all the contents belonging to all the
* Signatures in this SigGroupHead, into a bitarray. A fast and an
* efficient way of comparing pattern sets.
*
* \param de_ctx Pointer to the detection engine context.
* \param sgh Pointer to the SigGroupHead.
*
* \retval 0 On success, i.e. on either the detection engine context being NULL
* or on succesfully allocating memory and updating it with relevant
* data.
* \retval -1 On failure.
*/
int SigGroupHeadLoadStreamContent(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
{
Signature *s = NULL;
SigMatch *sm = NULL;
uint32_t sig = 0;
SigIntId num = 0;
DetectContentData *co = NULL;
if (sgh == NULL)
return 0;
if (DetectContentMaxId(de_ctx) == 0)
return 0;
BUG_ON(sgh->init == NULL);
sgh->init->stream_content_size = (DetectContentMaxId(de_ctx) / 8) + 1;
sgh->init->stream_content_array = SCMalloc(sgh->init->stream_content_size);
if (sgh->init->stream_content_array == NULL)
return -1;
memset(sgh->init->stream_content_array,0, sgh->init->stream_content_size);
for (sig = 0; sig < sgh->sig_cnt; sig++) {
num = sgh->match_array[sig];
s = de_ctx->sig_array[num];
if (s == NULL)
continue;
if (!(s->flags & SIG_FLAG_MPM))
continue;
if (s->flags & SIG_FLAG_DSIZE)
continue;
sm = s->pmatch;
if (sm == NULL)
continue;
for ( ;sm != NULL; sm = sm->next) {
if (sm->type == DETECT_CONTENT) {
co = (DetectContentData *)sm->ctx;
sgh->init->stream_content_array[co->id / 8] |= 1 << (co->id % 8);
}
}
}
return 0;
}
/**
* \brief Clears the memory allocated by SigGroupHeadLoadContent() for the
* bitarray to hold the content ids for a SigGroupHead.
*
* \param Pointer to the SigGroupHead whose content_array would to be cleared.
*
* \ret 0 Always.
*/
int SigGroupHeadClearStreamContent(SigGroupHead *sh)
{
if (sh == NULL)
return 0;
if (sh->init->stream_content_array != NULL) {
SCFree(sh->init->stream_content_array);
sh->init->stream_content_array = NULL;
sh->init->stream_content_size = 0;
}
return 0;
}
/**
* \brief Create an array with all the internal ids of the sigs that this
* sig group head will check for.

5
src/detect-engine-siggroup.h
Unescape Escape View File

@ -32,8 +32,10 @@ int SigGroupHeadCopySigs(DetectEngineCtx *, SigGroupHead *, SigGroupHead **);
int SigGroupHeadLoadContent(DetectEngineCtx *, SigGroupHead *);
int SigGroupHeadLoadUricontent(DetectEngineCtx *, SigGroupHead *);
int SigGroupHeadLoadStreamContent(DetectEngineCtx *, SigGroupHead *);
int SigGroupHeadClearContent(SigGroupHead *);
int SigGroupHeadClearUricontent(SigGroupHead *);
int SigGroupHeadClearStreamContent(SigGroupHead *);
void SigGroupHeadFree(SigGroupHead *);
@ -42,11 +44,13 @@ void SigGroupHeadFreeMpmArrays(DetectEngineCtx *);
SigGroupHead *SigGroupHeadHashLookup(DetectEngineCtx *, SigGroupHead *);
SigGroupHead *SigGroupHeadMpmHashLookup(DetectEngineCtx *, SigGroupHead *);
SigGroupHead *SigGroupHeadMpmUriHashLookup(DetectEngineCtx *, SigGroupHead *);
SigGroupHead *SigGroupHeadMpmStreamHashLookup(DetectEngineCtx *, SigGroupHead *);
SigGroupHead *SigGroupHeadDPortHashLookup(DetectEngineCtx *, SigGroupHead *);
SigGroupHead *SigGroupHeadSPortHashLookup(DetectEngineCtx *, SigGroupHead *);
int SigGroupHeadMpmHashAdd(DetectEngineCtx *, SigGroupHead *);
int SigGroupHeadMpmUriHashAdd(DetectEngineCtx *, SigGroupHead *);
int SigGroupHeadMpmStreamHashAdd(DetectEngineCtx *, SigGroupHead *);
int SigGroupHeadHashAdd(DetectEngineCtx *, SigGroupHead *);
int SigGroupHeadDPortHashAdd(DetectEngineCtx *, SigGroupHead *);
int SigGroupHeadSPortHashAdd(DetectEngineCtx *, SigGroupHead *);
@ -54,6 +58,7 @@ int SigGroupHeadSPortHashAdd(DetectEngineCtx *, SigGroupHead *);
void SigGroupHeadHashFree(DetectEngineCtx *);
void SigGroupHeadMpmHashFree(DetectEngineCtx *);
void SigGroupHeadMpmUriHashFree(DetectEngineCtx *);
void SigGroupHeadMpmStreamHashFree(DetectEngineCtx *);
void SigGroupHeadDPortHashFree(DetectEngineCtx *);
void SigGroupHeadSPortHashFree(DetectEngineCtx *);

12
src/detect-tls-version.c
Unescape Escape View File

@ -568,6 +568,18 @@ static int DetectTlsVersionTestDetect03(void) {
StreamTcpInitConfig(TRUE);
StreamL7DataPtrInit(&ssn);
StreamMsg *stream_msg = StreamMsgGetFromPool();
if (stream_msg == NULL) {
printf("no stream_msg: ");
goto end;
}
memcpy(stream_msg->data.data, tlsbuf4, tlslen4);
stream_msg->data.data_len = tlslen4;
ssn.toserver_smsg_head = stream_msg;
ssn.toserver_smsg_tail = stream_msg;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;

30
src/detect-uricontent.c
Unescape Escape View File

@ -1227,6 +1227,18 @@ static int DetectUriSigTest05(void) {
StreamTcpInitConfig(TRUE);
StreamL7DataPtrInit(&ssn);
StreamMsg *stream_msg = StreamMsgGetFromPool();
if (stream_msg == NULL) {
printf("no stream_msg: ");
goto end;
}
memcpy(stream_msg->data.data, httpbuf1, httplen1);
stream_msg->data.data_len = httplen1;
ssn.toserver_smsg_head = stream_msg;
ssn.toserver_smsg_tail = stream_msg;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
@ -1278,13 +1290,13 @@ static int DetectUriSigTest05(void) {
}
if ((PacketAlertCheck(&p, 1))) {
printf("sig: 1 alerted, but it should not:");
printf("sig: 1 alerted, but it should not: ");
goto end;
} else if (! PacketAlertCheck(&p, 2)) {
printf("sig: 2 did not alerted, but it should:");
printf("sig: 2 did not alert, but it should: ");
goto end;
} else if (! (PacketAlertCheck(&p, 3))) {
printf("sig: 3 did not alerted, but it should:");
printf("sig: 3 did not alert, but it should: ");
goto end;
}
@ -1337,6 +1349,18 @@ static int DetectUriSigTest06(void) {
StreamTcpInitConfig(TRUE);
StreamL7DataPtrInit(&ssn);
StreamMsg *stream_msg = StreamMsgGetFromPool();
if (stream_msg == NULL) {
printf("no stream_msg: ");
goto end;
}
memcpy(stream_msg->data.data, httpbuf1, httplen1);
stream_msg->data.data_len = httplen1;
ssn.toserver_smsg_head = stream_msg;
ssn.toserver_smsg_tail = stream_msg;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;

26
src/detect.c
Unescape Escape View File

@ -603,7 +603,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
}
/* have a look at the reassembled stream (if any) */
if (smsg != NULL) {
if (smsg != NULL && det_ctx->sgh->mpm_stream_ctx != NULL) {
cnt = StreamPatternSearch(th_v, det_ctx, smsg);
SCLogDebug("cnt %u", cnt);
}
@ -911,6 +911,9 @@ end:
/* cleanup pkt specific part of the patternmatcher */
PacketPatternCleanup(th_v, det_ctx);
if (smsg != NULL) {
StreamPatternCleanup(th_v, det_ctx, smsg);
}
if (p->flow != NULL) {
SCMutexLock(&p->flow->m);
@ -921,6 +924,7 @@ end:
p->flow->sgh_toclient = det_ctx->sgh;
p->flow->flags |= FLOW_SGH_TOCLIENT;
}
/* if we have (a) smsg(s), return to the pool */
while(smsg != NULL) {
StreamMsg *smsg_next = smsg->next;
@ -1957,6 +1961,26 @@ int BuildDestinationAddressHeads(DetectEngineCtx *de_ctx, DetectAddressHead *hea
}
}
/* content */
SigGroupHeadLoadStreamContent(de_ctx, sgr->sh);
if (sgr->sh->init->stream_content_size == 0) {
de_ctx->mpm_none++;
} else {
/* now have a look if we can reuse a mpm ctx */
SigGroupHead *mpmsh = SigGroupHeadMpmStreamHashLookup(de_ctx, sgr->sh);
if (mpmsh == NULL) {
SigGroupHeadMpmStreamHashAdd(de_ctx, sgr->sh);
de_ctx->mpm_unique++;
} else {
sgr->sh->mpm_stream_ctx = mpmsh->mpm_stream_ctx;
sgr->sh->flags |= SIG_GROUP_HEAD_MPM_STREAM_COPY;
SigGroupHeadClearStreamContent(sgr->sh);
de_ctx->mpm_reuse++;
}
}
/* uricontent */
SigGroupHeadLoadUricontent(de_ctx, sgr->sh);
if (sgr->sh->init->uri_content_size == 0) {

24
src/detect.h
Unescape Escape View File

@ -386,6 +386,7 @@ typedef struct DetectEngineCtx_ {
HashListTable *sgh_mpm_hash_table;
HashListTable *sgh_mpm_uri_hash_table;
HashListTable *sgh_mpm_stream_hash_table;
HashListTable *sgh_sport_hash_table;
HashListTable *sgh_dport_hash_table;
@ -479,8 +480,9 @@ typedef struct DetectionEngineThreadCtx_ {
/** pointer to the current mpm ctx that is stored
* in a rule group head -- can be either a content
* or uricontent ctx. */
MpmThreadCtx mtc; /**< thread ctx for the mpm */
MpmThreadCtx mtcu;
MpmThreadCtx mtc; /**< thread ctx for the mpm */
MpmThreadCtx mtcu; /**< thread ctx for uricontent mpm */
MpmThreadCtx mtcs; /**< thread ctx for stream mpm */
struct SigGroupHead_ *sgh;
PatternMatcherQueue pmq;
PatternMatcherQueue smsg_pmq[256];
@ -546,12 +548,14 @@ typedef struct SigTableElmt_ {
char *name;
} SigTableElmt;
#define SIG_GROUP_HAVECONTENT 0x01
#define SIG_GROUP_HAVEURICONTENT 0x02
#define SIG_GROUP_HEAD_MPM_COPY 0x04
#define SIG_GROUP_HEAD_MPM_URI_COPY 0x08
#define SIG_GROUP_HEAD_FREE 0x10
#define SIG_GROUP_HEAD_REFERENCED 0x20 /**< sgh is being referenced by others, don't clear */
#define SIG_GROUP_HAVECONTENT 0x01
#define SIG_GROUP_HAVEURICONTENT 0x02
#define SIG_GROUP_HAVESTREAMCONTENT 0x04
#define SIG_GROUP_HEAD_MPM_COPY 0x08
#define SIG_GROUP_HEAD_MPM_URI_COPY 0x10
#define SIG_GROUP_HEAD_MPM_STREAM_COPY 0x20
#define SIG_GROUP_HEAD_FREE 0x40
#define SIG_GROUP_HEAD_REFERENCED 0x80 /**< sgh is being referenced by others, don't clear */
typedef struct SigGroupHeadInitData_ {
/* list of content containers
@ -563,6 +567,8 @@ typedef struct SigGroupHeadInitData_ {
uint32_t content_size;
uint8_t *uri_content_array;
uint32_t uri_content_size;
uint8_t *stream_content_array;
uint32_t stream_content_size;
/* port ptr */
struct DetectPort_ *port;
@ -577,6 +583,8 @@ typedef struct SigGroupHead_ {
uint16_t mpm_content_maxlen;
MpmCtx *mpm_uri_ctx;
uint16_t mpm_uricontent_maxlen;
MpmCtx *mpm_stream_ctx;
uint16_t mpm_streamcontent_maxlen;
/* number of sigs in this head */
uint32_t sig_cnt;

Write Preview
Loading…
Cancel
Save