@ -314,17 +314,16 @@ static int StreamContentInspectEngineFunc(void *cb_data, const uint8_t *data, co
*
* Returns "can't match" if depth is reached.
*/
int DetectEngineInspectStream(ThreadVars *tv,
DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
const Signature *s, const SigMatchData *smd,
Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
int DetectEngineInspectStream(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
{
Packet *p = det_ctx->p; /* TODO: get rid of this HACK */
/* in certain sigs, e.g. 'alert dns', which apply to both tcp and udp
* we can get called for UDP. Then we simply inspect the packet payload */
if (p->proto == IPPROTO_UDP) {
return DetectEngineInspectStreamUDPPayload(de_ctx, det_ctx, s, smd, f, p);
return DetectEngineInspectStreamUDPPayload(de_ctx, det_ctx, s, engine->smd, f, p);
/* for other non-TCP protocols we assume match */
} else if (p->proto != IPPROTO_TCP)
return DETECT_ENGINE_INSPECT_SIG_MATCH;
@ -337,7 +336,7 @@ int DetectEngineInspectStream(ThreadVars *tv,
det_ctx->raw_stream_progress,
(s->flags & SIG_FLAG_FLUSH)?"true":"false");
uint64_t unused;
struct StreamContentInspectEngineData inspect_data = { de_ctx, det_ctx, s, smd, f };
struct StreamContentInspectEngineData inspect_data = { de_ctx, det_ctx, s, engine->smd, f };
int match = StreamReassembleRaw(f->protoctx, p,
StreamContentInspectEngineFunc, &inspect_data,
&unused, ((s->flags & SIG_FLAG_FLUSH) != 0));
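Review bot: `engine` is dereferenced unconditionally at both changed sites (`engine->smd` in the UDP return of the first hunk and again in the `inspect_data` initializer of the second), yet the visible part of the header comment does not describe the new parameter or say whether it may be NULL. I would add a line such as ` * \param engine inspection engine whose smd list is inspected; must not be NULL` to that comment, and, if any caller outside this view could pass NULL, a `DEBUG_VALIDATE_BUG_ON(engine == NULL);` at the top of the function. The `inspect_data` initializer is positional, so the list that ends up being inspected depends on the field order of `struct StreamContentInspectEngineData`; designated initializers would keep that mapping explicit if the struct is ever reordered. The function body continues between and after the two hunks, and neither the callers nor the struct definition are visible here, so the NULL concern is a contract question rather than a confirmed defect.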