From a5b46e727c30d7fc7a9aed8a1edd99e105d450c0 Mon Sep 17 00:00:00 2001
From: Anoop Saldanha <poonaatsoc@gmail.com>
Date: Sun, 19 Feb 2012 14:38:41 +0530
Subject: [PATCH] All http_client_body modified patterns now are DETECT_CONTENT
 and not DETECT_AL_HTTP_CLIENT_BODY

---
 src/detect-depth.c                     | 44 +---------------
 src/detect-distance.c                  | 64 +----------------------
 src/detect-engine-content-inspection.c |  1 -
 src/detect-fast-pattern.c              |  4 +-
 src/detect-http-client-body.c          | 18 +++----
 src/detect-isdataat.c                  |  3 +-
 src/detect-nocase.c                    |  3 +-
 src/detect-offset.c                    | 46 +----------------
 src/detect-pcre.c                      |  5 +-
 src/detect-within.c                    | 71 +-------------------------
 src/detect.c                           | 33 ++++++++----
 11 files changed, 41 insertions(+), 251 deletions(-)

diff --git a/src/detect-depth.c b/src/detect-depth.c
index 6fc6c99a38..6fd157af08 100644
--- a/src/detect-depth.c
+++ b/src/detect-depth.c
@@ -89,7 +89,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
                     DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
                     DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
                     DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
-                    DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+                    DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
                     DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
                     DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
                     DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
@@ -162,48 +162,6 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
 
             break;
 
-        case DETECT_AL_HTTP_CLIENT_BODY:
-            cd = (DetectContentData *)pm->ctx;
-            if (cd->flags & DETECT_CONTENT_NEGATED) {
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
-                               "negated keyword set along with a fast_pattern");
-                    goto error;
-                }
-            } else {
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
-                               "keyword set along with a fast_pattern:only;");
-                    goto error;
-                }
-            }
-
-            if (str[0] != '-' && isalpha(str[0])) {
-                SigMatch *bed_sm =
-                    DetectByteExtractRetrieveSMVar(str, s,
-                                                   SigMatchListSMBelongsTo(s, pm));
-                if (bed_sm == NULL) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
-                               "seen in depth - %s\n", str);
-                    goto error;
-                }
-                cd->depth = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
-                cd->flags |= DETECT_CONTENT_DEPTH_BE;
-            } else {
-                cd->depth = (uint32_t)atoi(str);
-                if (cd->depth < cd->content_len) {
-                    cd->depth = cd->content_len;
-                    SCLogDebug("depth increased to %"PRIu32" to match pattern len ",
-                               cd->depth);
-                }
-                /* Now update the real limit, as depth is relative to the offset */
-                cd->depth += cd->offset;
-            }
-
-            cd->flags |= DETECT_CONTENT_DEPTH;
-
-            break;
-
         case DETECT_AL_HTTP_SERVER_BODY:
             cd = (DetectContentData *)pm->ctx;
             if (cd->flags & DETECT_CONTENT_NEGATED) {
diff --git a/src/detect-distance.c b/src/detect-distance.c
index 63ed3c92de..eff3df3785 100644
--- a/src/detect-distance.c
+++ b/src/detect-distance.c
@@ -164,7 +164,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
                 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
                 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
                 DETECT_AL_HTTP_RAW_URI, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
-                DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+                DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
                 DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
                 DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
                 DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
@@ -291,68 +291,6 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
 
             break;
 
-        case DETECT_AL_HTTP_CLIENT_BODY:
-            cd = (DetectContentData *)pm->ctx;
-
-            if (str[0] != '-' && isalpha(str[0])) {
-                SigMatch *bed_sm =
-                    DetectByteExtractRetrieveSMVar(str, s,
-                                                   SigMatchListSMBelongsTo(s, pm));
-                if (bed_sm == NULL) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
-                               "seen in distance - %s\n", str);
-                    goto error;
-                }
-                cd->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
-                cd->flags |= DETECT_CONTENT_DISTANCE_BE;
-            } else {
-                cd->distance = strtol(str, NULL, 10);
-            }
-
-            if (cd->flags & DETECT_CONTENT_NEGATED) {
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
-                               "negated keyword set along with a fast_pattern");
-                    goto error;
-                }
-            } else {
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
-                               "keyword set along with a fast_pattern:only;");
-                    goto error;
-                }
-            }
-
-            cd->flags |= DETECT_CONTENT_DISTANCE;
-
-            /* reassigning pm */
-            pm = SigMatchGetLastSMFromLists(s, 4,
-                                            DETECT_AL_HTTP_CLIENT_BODY, pm->prev,
-                                            DETECT_PCRE, pm->prev);
-            if (pm == NULL) {
-                SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for http_client_body "
-                           "needs preceeding http_client_body content");
-                goto error;
-            }
-
-            if (pm->type == DETECT_PCRE) {
-                DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
-                tmp_pd->flags |=  DETECT_PCRE_RELATIVE_NEXT;
-            } else {
-                /* reassigning cd */
-                cd = (DetectContentData *)pm->ctx;
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
-                               "has a fast_pattern:only; set.  You can't "
-                               "have relative keywords around a fast_pattern "
-                               "only content");
-                    goto error;
-                }
-                cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
-            }
-
-            break;
-
         case DETECT_AL_HTTP_SERVER_BODY:
             cd = (DetectContentData *)pm->ctx;
 
diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c
index f48160aadf..0c05ec2bcf 100644
--- a/src/detect-engine-content-inspection.c
+++ b/src/detect-engine-content-inspection.c
@@ -111,7 +111,6 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
         sm->type == DETECT_AL_HTTP_RAW_URI ||
         sm->type == DETECT_AL_HTTP_HEADER ||
         sm->type == DETECT_AL_HTTP_RAW_HEADER ||
-        sm->type == DETECT_AL_HTTP_CLIENT_BODY ||
         sm->type == DETECT_AL_HTTP_SERVER_BODY ||
         sm->type == DETECT_AL_HTTP_COOKIE ||
         sm->type == DETECT_AL_HTTP_METHOD ||
diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c
index 376880d25a..0bb687f20c 100644
--- a/src/detect-fast-pattern.c
+++ b/src/detect-fast-pattern.c
@@ -125,7 +125,7 @@ void SupportFastPatternForSigMatchTypes(void)
     SupportFastPatternForSigMatchType(DETECT_CONTENT);
     SupportFastPatternForSigMatchList(DETECT_SM_LIST_UMATCH);
 
-    SupportFastPatternForSigMatchType(DETECT_AL_HTTP_CLIENT_BODY);
+    SupportFastPatternForSigMatchType(DETECT_CONTENT);
     SupportFastPatternForSigMatchList(DETECT_SM_LIST_HCBDMATCH);
 
     SupportFastPatternForSigMatchType(DETECT_AL_HTTP_SERVER_BODY);
@@ -239,7 +239,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
     SigMatch *pm = SigMatchGetLastSMFromLists(s, 22,
             DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
             DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
-            DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+            DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
             DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
             DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
             DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
diff --git a/src/detect-http-client-body.c b/src/detect-http-client-body.c
index 806128412f..9593a53f4b 100644
--- a/src/detect-http-client-body.c
+++ b/src/detect-http-client-body.c
@@ -147,7 +147,7 @@ int DetectHttpClientBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
 
         /* reassigning pm */
         pm = SigMatchGetLastSMFromLists(s, 4,
-                                        DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+                                        DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
                                         DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]);
         if (pm == NULL) {
             SCLogError(SC_ERR_INVALID_SIGNATURE, "http_client_body seen with a "
@@ -164,7 +164,7 @@ int DetectHttpClientBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
         }
     }
     cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_SM_LIST_HCBDMATCH);
-    sm->type = DETECT_AL_HTTP_CLIENT_BODY;
+    sm->type = DETECT_CONTENT;
 
     /* transfer the sm from the pmatch list to hcbdmatch list */
     SigMatchTransferSigMatchAcrossLists(sm,
@@ -243,7 +243,7 @@ static int DetectHttpClientBodyTest01(void)
 
     sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_MATCH];
     if (sm != NULL) {
-        result &= (sm->type == DETECT_AL_HTTP_CLIENT_BODY);
+        result &= (sm->type == DETECT_CONTENT);
         result &= (sm->next == NULL);
     }
 
@@ -2182,8 +2182,8 @@ int DetectHttpClientBodyTest27(void)
                                "(content:\"one\"; offset:10; http_client_body; pcre:/two/; distance:10; "
                                "content:\"three\"; distance:10; http_client_body; depth:10; "
                                "content:\"four\"; distance:10; sid:1;)");
-    if (de_ctx->sig_list != NULL) {
-        printf("de_ctx->sig_list != NULL\n");
+    if (de_ctx->sig_list == NULL) {
+        printf("de_ctx->sig_list == NULL\n");
         goto end;
     }
 
@@ -2374,7 +2374,7 @@ int DetectHttpClientBodyTest32(void)
     de_ctx->flags |= DE_QUIET;
     de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                                "(content:\"one\"; http_client_body; within:5; sid:1;)");
-    if (de_ctx->sig_list != NULL) {
+    if (de_ctx->sig_list == NULL) {
         printf("de_ctx->sig_list != NULL\n");
         goto end;
     }
@@ -2439,7 +2439,7 @@ int DetectHttpClientBodyTest34(void)
     }
 
     if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH] == NULL ||
-        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->type != DETECT_AL_HTTP_CLIENT_BODY ||
+        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->type != DETECT_CONTENT ||
         de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev == NULL ||
         de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->type != DETECT_PCRE) {
 
@@ -2492,7 +2492,7 @@ int DetectHttpClientBodyTest35(void)
     if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH] == NULL ||
         de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->type != DETECT_PCRE ||
         de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev == NULL ||
-        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->type != DETECT_AL_HTTP_CLIENT_BODY) {
+        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->type != DETECT_CONTENT) {
 
         goto end;
     }
@@ -2541,7 +2541,7 @@ int DetectHttpClientBodyTest36(void)
     }
 
     if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH] == NULL ||
-        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->type != DETECT_AL_HTTP_CLIENT_BODY ||
+        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->type != DETECT_CONTENT ||
         de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev == NULL ||
         de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]->prev->type != DETECT_PCRE) {
 
diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c
index 9bfe5a4599..b6f724d4a0 100644
--- a/src/detect-isdataat.c
+++ b/src/detect-isdataat.c
@@ -354,7 +354,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
         pm = SigMatchGetLastSMFromLists(s, 54,
                 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 1 */
                 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
-                DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+                DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
                 DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
                 DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], /* 5 */
                 DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
@@ -419,7 +419,6 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
 
     switch (prev_pm->type) {
         case DETECT_CONTENT:
-        case DETECT_AL_HTTP_CLIENT_BODY:
         case DETECT_AL_HTTP_SERVER_BODY:
         case DETECT_AL_HTTP_HEADER:
         case DETECT_AL_HTTP_RAW_HEADER:
diff --git a/src/detect-nocase.c b/src/detect-nocase.c
index 8c20f459e4..59fb0f2fec 100644
--- a/src/detect-nocase.c
+++ b/src/detect-nocase.c
@@ -77,7 +77,7 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
     SigMatch *pm = SigMatchGetLastSMFromLists(s, 22,
             DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
             DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
-            DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+            DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
             DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
             DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
             DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
@@ -98,7 +98,6 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
 
     switch (pm->type) {
         case DETECT_CONTENT:
-        case DETECT_AL_HTTP_CLIENT_BODY:
         case DETECT_AL_HTTP_SERVER_BODY:
         case DETECT_AL_HTTP_HEADER:
         case DETECT_AL_HTTP_RAW_HEADER:
diff --git a/src/detect-offset.c b/src/detect-offset.c
index b35980cd20..1973a68f8a 100644
--- a/src/detect-offset.c
+++ b/src/detect-offset.c
@@ -86,7 +86,7 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
             pm = SigMatchGetLastSMFromLists(s, 22,
                     DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
                     DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
-                    DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+                    DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
                     DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
                     DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
                     DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
@@ -163,50 +163,6 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
 
             break;
 
-        case DETECT_AL_HTTP_CLIENT_BODY:
-            cd = (DetectContentData *)pm->ctx;
-            if (cd->flags & DETECT_CONTENT_NEGATED) {
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
-                               "negated keyword set along with a fast_pattern");
-                    goto error;
-                }
-            } else {
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
-                               "keyword set along with a fast_pattern:only;");
-                    goto error;
-                }
-            }
-
-            if (str[0] != '-' && isalpha(str[0])) {
-                SigMatch *bed_sm =
-                    DetectByteExtractRetrieveSMVar(str, s,
-                                                   SigMatchListSMBelongsTo(s, pm));
-                if (bed_sm == NULL) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
-                               "seen in offset - %s\n", str);
-                    goto error;
-                }
-                cd->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
-                cd->flags |= DETECT_CONTENT_OFFSET_BE;
-            } else {
-                cd->offset = (uint32_t)atoi(str);
-                if (cd->depth != 0) {
-                    if (cd->depth < cd->content_len) {
-                        SCLogDebug("depth increased to %"PRIu32" to match pattern len",
-                                   cd->content_len);
-                        cd->depth = cd->content_len;
-                    }
-                    /* Updating the depth as is relative to the offset */
-                    cd->depth += cd->offset;
-                }
-            }
-
-            cd->flags |= DETECT_CONTENT_OFFSET;
-
-            break;
-
         case DETECT_AL_HTTP_SERVER_BODY:
             cd = (DetectContentData *)pm->ctx;
             if (cd->flags & DETECT_CONTENT_NEGATED) {
diff --git a/src/detect-pcre.c b/src/detect-pcre.c
index 7170769600..52368bf465 100644
--- a/src/detect-pcre.c
+++ b/src/detect-pcre.c
@@ -1201,10 +1201,8 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
         SCReturnInt(0);
     }
 
-    prev_sm = SigMatchGetLastSMFromLists(s, 24,
+    prev_sm = SigMatchGetLastSMFromLists(s, 20,
             DETECT_CONTENT, sm->prev,
-            DETECT_CONTENT, sm->prev,
-            DETECT_AL_HTTP_CLIENT_BODY, sm->prev,
             DETECT_AL_HTTP_SERVER_BODY, sm->prev,
             DETECT_AL_HTTP_HEADER, sm->prev,
             DETECT_AL_HTTP_RAW_HEADER, sm->prev,
@@ -1237,7 +1235,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
 
     switch (prev_sm->type) {
         case DETECT_CONTENT:
-        case DETECT_AL_HTTP_CLIENT_BODY:
         case DETECT_AL_HTTP_SERVER_BODY:
         case DETECT_AL_HTTP_HEADER:
         case DETECT_AL_HTTP_RAW_HEADER:
diff --git a/src/detect-within.c b/src/detect-within.c
index 899f375b4e..03406231be 100644
--- a/src/detect-within.c
+++ b/src/detect-within.c
@@ -166,7 +166,7 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
         pm = SigMatchGetLastSMFromLists(s, 22,
                 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
                 DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
-                DETECT_AL_HTTP_CLIENT_BODY, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+                DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
                 DETECT_AL_HTTP_SERVER_BODY, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
                 DETECT_AL_HTTP_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
                 DETECT_AL_HTTP_RAW_HEADER, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
@@ -300,75 +300,6 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
 
             break;
 
-        case DETECT_AL_HTTP_CLIENT_BODY:
-            cd = (DetectContentData *)pm->ctx;
-
-            if (str[0] != '-' && isalpha(str[0])) {
-                SigMatch *bed_sm =
-                    DetectByteExtractRetrieveSMVar(str, s,
-                                                   SigMatchListSMBelongsTo(s, pm));
-                if (bed_sm == NULL) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
-                               "seen in within - %s\n", str);
-                    goto error;
-                }
-                cd->within = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
-                cd->flags |= DETECT_CONTENT_WITHIN_BE;
-            } else {
-                cd->within = strtol(str, NULL, 10);
-                if (cd->within < (int32_t)cd->content_len) {
-                    SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is "
-                               "less than the content length \"%"PRIu32"\" which is invalid, since "
-                               "this will never match.  Invalidating signature", cd->within,
-                               cd->content_len);
-                    goto error;
-                }
-            }
-
-            if (cd->flags & DETECT_CONTENT_NEGATED) {
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
-                               "negated keyword set along with a fast_pattern");
-                    goto error;
-                }
-            } else {
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
-                               "keyword set along with a fast_pattern:only;");
-                    goto error;
-                }
-            }
-
-            cd->flags |= DETECT_CONTENT_WITHIN;
-
-            /* reassigning pm */
-            pm = SigMatchGetLastSMFromLists(s, 4,
-                                            DETECT_AL_HTTP_CLIENT_BODY, pm->prev,
-                                            DETECT_PCRE, pm->prev);
-            if (pm == NULL) {
-                SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance for http_client_body "
-                           "needs preceeding http_client_body content");
-                goto error;
-            }
-
-            if (pm->type == DETECT_PCRE) {
-                DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
-                tmp_pd->flags |=  DETECT_PCRE_RELATIVE_NEXT;
-            } else {
-                /* reassigning cd */
-                cd = (DetectContentData *)pm->ctx;
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
-                    SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
-                               "has a fast_pattern:only; set.  You can't "
-                               "have relative keywords around a fast_pattern "
-                               "only content");
-                    goto error;
-                }
-                cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
-            }
-
-            break;
-
         case DETECT_AL_HTTP_SERVER_BODY:
             cd = (DetectContentData *)pm->ctx;
 
diff --git a/src/detect.c b/src/detect.c
index c8be3ffd07..8a5757f2ae 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -271,16 +271,30 @@ static inline void EngineAnalysisWriteFastPattern(Signature *s, SigMatch *mpm_sm
 
     fprintf(fp_engine_analysis_FD, "== Sid: %u ==\n", s->id);
     fprintf(fp_engine_analysis_FD, "    Fast pattern matcher: ");
-    if (mpm_sm->type == DETECT_CONTENT)
+    int list_type = SigMatchListSMBelongsTo(s, mpm_sm);
+    if (list_type == DETECT_SM_LIST_PMATCH)
         fprintf(fp_engine_analysis_FD, "content\n");
-    else if (mpm_sm->type == DETECT_CONTENT)
-        fprintf(fp_engine_analysis_FD, "uricontent\n");
-    else if (mpm_sm->type == DETECT_AL_HTTP_CLIENT_BODY)
-        fprintf(fp_engine_analysis_FD, "http_client_body\n");
-    else if (mpm_sm->type == DETECT_AL_HTTP_HEADER)
-        fprintf(fp_engine_analysis_FD, "http_header\n");
-    else if (mpm_sm->type == DETECT_AL_HTTP_RAW_HEADER)
-        fprintf(fp_engine_analysis_FD, "http_raw_header\n");
+    else if (list_type == DETECT_SM_LIST_UMATCH)
+        fprintf(fp_engine_analysis_FD, "http uri content\n");
+    else if (list_type == DETECT_SM_LIST_HRUDMATCH)
+        fprintf(fp_engine_analysis_FD, "http raw uri content\n");
+    else if (list_type == DETECT_SM_LIST_HHDMATCH)
+        fprintf(fp_engine_analysis_FD, "http header content\n");
+    else if (list_type == DETECT_SM_LIST_HRHDMATCH)
+        fprintf(fp_engine_analysis_FD, "http raw header content\n");
+    else if (list_type == DETECT_SM_LIST_HMDMATCH)
+        fprintf(fp_engine_analysis_FD, "http method content\n");
+    else if (list_type == DETECT_SM_LIST_HCDMATCH)
+        fprintf(fp_engine_analysis_FD, "http cookie content\n");
+    else if (list_type == DETECT_SM_LIST_HCBDMATCH)
+        fprintf(fp_engine_analysis_FD, "http client body content\n");
+    else if (list_type == DETECT_SM_LIST_HSBDMATCH)
+        fprintf(fp_engine_analysis_FD, "http server body content\n");
+    else if (list_type == DETECT_SM_LIST_HSCDMATCH)
+        fprintf(fp_engine_analysis_FD, "http stat code content\n");
+    else if (list_type == DETECT_SM_LIST_HSMDMATCH)
+        fprintf(fp_engine_analysis_FD, "http stat msg content\n");
+
     fprintf(fp_engine_analysis_FD, "    Fast pattern set: %s\n", fast_pattern_set ? "yes" : "no");
     fprintf(fp_engine_analysis_FD, "    Fast pattern only set: %s\n",
             fast_pattern_only_set ? "yes" : "no");
@@ -2198,7 +2212,6 @@ static int SignatureCreateMask(Signature *s) {
             case DETECT_AL_HTTP_COOKIE:
             case DETECT_AL_HTTP_METHOD:
             case DETECT_AL_URILEN:
-            case DETECT_AL_HTTP_CLIENT_BODY:
             case DETECT_AL_HTTP_HEADER:
             case DETECT_AL_HTTP_RAW_HEADER:
             case DETECT_AL_HTTP_URI: