|  |  |  | @ -35,6 +35,7 @@ | 
		
	
		
			
				|  |  |  |  | #include "detect-engine-hhd.h" | 
		
	
		
			
				|  |  |  |  | #include "detect-engine-hrhd.h" | 
		
	
		
			
				|  |  |  |  | #include "detect-engine-hmd.h" | 
		
	
		
			
				|  |  |  |  | #include "detect-engine-hcd.h" | 
		
	
		
			
				|  |  |  |  | #include "detect-engine-dcepayload.h" | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  | #include "stream-tcp.h" | 
		
	
	
		
			
				
					|  |  |  | @ -212,7 +213,7 @@ int DeStateUpdateInspectTransactionId(Flow *f, char direction) { | 
		
	
		
			
				|  |  |  |  |  */ | 
		
	
		
			
				|  |  |  |  | static void DeStateSignatureAppend(DetectEngineState *state, Signature *s, | 
		
	
		
			
				|  |  |  |  |                                    SigMatch *sm, char uri, char dce, char hcbd, | 
		
	
		
			
				|  |  |  |  |                                    char hhd, char hrhd, char hmd) { | 
		
	
		
			
				|  |  |  |  |                                    char hhd, char hrhd, char hmd, char hcd) { | 
		
	
		
			
				|  |  |  |  |     DeStateStore *store = state->tail; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     if (store == NULL) { | 
		
	
	
		
			
				
					|  |  |  | @ -258,6 +259,9 @@ static void DeStateSignatureAppend(DetectEngineState *state, Signature *s, | 
		
	
		
			
				|  |  |  |  |     if (hmd) { | 
		
	
		
			
				|  |  |  |  |         store->store[idx].flags |= DE_STATE_FLAG_HMD_MATCH; | 
		
	
		
			
				|  |  |  |  |     } | 
		
	
		
			
				|  |  |  |  |     if (hcd) { | 
		
	
		
			
				|  |  |  |  |         store->store[idx].flags |= DE_STATE_FLAG_HCD_MATCH; | 
		
	
		
			
				|  |  |  |  |     } | 
		
	
		
			
				|  |  |  |  |     store->store[idx].nm = sm; | 
		
	
		
			
				|  |  |  |  |     state->cnt++; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
	
		
			
				
					|  |  |  | @ -325,6 +329,8 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, | 
		
	
		
			
				|  |  |  |  |     char hrhdinspect = 0; | 
		
	
		
			
				|  |  |  |  |     char hmdinspect = 0; | 
		
	
		
			
				|  |  |  |  |     char hmdmatch = 0; | 
		
	
		
			
				|  |  |  |  |     char hcdinspect = 0; | 
		
	
		
			
				|  |  |  |  |     char hcdmatch = 0; | 
		
	
		
			
				|  |  |  |  |     char dmatch = 0; | 
		
	
		
			
				|  |  |  |  |     char dinspect = 0; | 
		
	
		
			
				|  |  |  |  |     char appinspect = 0; | 
		
	
	
		
			
				
					|  |  |  | @ -384,6 +390,14 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, | 
		
	
		
			
				|  |  |  |  |             } | 
		
	
		
			
				|  |  |  |  |             SCLogDebug("inspecting http method"); | 
		
	
		
			
				|  |  |  |  |         } | 
		
	
		
			
				|  |  |  |  |         if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) { | 
		
	
		
			
				|  |  |  |  |             hcdinspect = 1; | 
		
	
		
			
				|  |  |  |  |             if (DetectEngineInspectHttpCookie(de_ctx, det_ctx, s, f, | 
		
	
		
			
				|  |  |  |  |                                               flags, alstate) == 1) { | 
		
	
		
			
				|  |  |  |  |                 hcdmatch = 1; | 
		
	
		
			
				|  |  |  |  |             } | 
		
	
		
			
				|  |  |  |  |             SCLogDebug("inspecting http cookie"); | 
		
	
		
			
				|  |  |  |  |         } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     } else if (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) { | 
		
	
		
			
				|  |  |  |  |         if (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL) { | 
		
	
	
		
			
				
					|  |  |  | @ -415,8 +429,8 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, | 
		
	
		
			
				|  |  |  |  |         } | 
		
	
		
			
				|  |  |  |  |     } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     appinspect = uinspect + dinspect + hcbdinspect + hhdinspect + hrhdinspect + hmdinspect; | 
		
	
		
			
				|  |  |  |  |     appmatch = umatch + dmatch + hcbdmatch + hhdmatch + hrhdmatch + hmdmatch; | 
		
	
		
			
				|  |  |  |  |     appinspect = uinspect + dinspect + hcbdinspect + hhdinspect + hrhdinspect + hmdinspect + hcdinspect; | 
		
	
		
			
				|  |  |  |  |     appmatch = umatch + dmatch + hcbdmatch + hhdmatch + hrhdmatch + hmdmatch + hcdmatch; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) { | 
		
	
		
			
				|  |  |  |  |         for ( ; sm != NULL; sm = sm->next) { | 
		
	
	
		
			
				
					|  |  |  | @ -459,8 +473,8 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, | 
		
	
		
			
				|  |  |  |  |     } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     SCLogDebug("detection done, store results: sm %p, uri %d, dce %d, hcbd %d, " | 
		
	
		
			
				|  |  |  |  |                "hhd %d, hrhd %d hmd %d", sm, umatch, dmatch, hcbdmatch, | 
		
	
		
			
				|  |  |  |  |                hhdmatch, hrhdmatch, hmdmatch); | 
		
	
		
			
				|  |  |  |  |                "hhd %d, hrhd %d hmd %d hcd %d", sm, umatch, dmatch, hcbdmatch, | 
		
	
		
			
				|  |  |  |  |                hhdmatch, hrhdmatch, hmdmatch, hcdmatch); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     SCMutexLock(&f->de_state_m); | 
		
	
		
			
				|  |  |  |  |     /* match or no match, we store the state anyway
 | 
		
	
	
		
			
				
					|  |  |  | @ -471,7 +485,8 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, | 
		
	
		
			
				|  |  |  |  |     } | 
		
	
		
			
				|  |  |  |  |     if (f->de_state != NULL) { | 
		
	
		
			
				|  |  |  |  |         /* \todo shift to an array to transfer these match values*/ | 
		
	
		
			
				|  |  |  |  |         DeStateSignatureAppend(f->de_state, s, sm, umatch, dmatch, hcbdmatch, hhdmatch, hrhdmatch, hmdmatch); | 
		
	
		
			
				|  |  |  |  |         DeStateSignatureAppend(f->de_state, s, sm, umatch, dmatch, hcbdmatch, | 
		
	
		
			
				|  |  |  |  |                                hhdmatch, hrhdmatch, hmdmatch, hcdmatch); | 
		
	
		
			
				|  |  |  |  |     } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     SCMutexUnlock(&f->de_state_m); | 
		
	
	
		
			
				
					|  |  |  | @ -501,6 +516,8 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete | 
		
	
		
			
				|  |  |  |  |     char hrhdinspect = 0; | 
		
	
		
			
				|  |  |  |  |     char hmdmatch = 0; | 
		
	
		
			
				|  |  |  |  |     char hmdinspect = 0; | 
		
	
		
			
				|  |  |  |  |     char hcdmatch = 0; | 
		
	
		
			
				|  |  |  |  |     char hcdinspect = 0; | 
		
	
		
			
				|  |  |  |  |     char dmatch = 0; | 
		
	
		
			
				|  |  |  |  |     char dinspect = 0; | 
		
	
		
			
				|  |  |  |  |     char appinspect = 0; | 
		
	
	
		
			
				
					|  |  |  | @ -535,6 +552,8 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete | 
		
	
		
			
				|  |  |  |  |             hrhdinspect = 0; | 
		
	
		
			
				|  |  |  |  |             hmdmatch = 0; | 
		
	
		
			
				|  |  |  |  |             hmdinspect = 0; | 
		
	
		
			
				|  |  |  |  |             hcdmatch = 0; | 
		
	
		
			
				|  |  |  |  |             hcdinspect = 0; | 
		
	
		
			
				|  |  |  |  |             dmatch = 0; | 
		
	
		
			
				|  |  |  |  |             dinspect = 0; | 
		
	
		
			
				|  |  |  |  |             appinspect = 0; | 
		
	
	
		
			
				
					|  |  |  | @ -630,6 +649,19 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete | 
		
	
		
			
				|  |  |  |  |                         } | 
		
	
		
			
				|  |  |  |  |                     } | 
		
	
		
			
				|  |  |  |  |                 } | 
		
	
		
			
				|  |  |  |  |                 if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) { | 
		
	
		
			
				|  |  |  |  |                     if (!(item->flags & DE_STATE_FLAG_HCD_MATCH)) { | 
		
	
		
			
				|  |  |  |  |                         SCLogDebug("inspecting http cookie data"); | 
		
	
		
			
				|  |  |  |  |                         hcdinspect = 1; | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |                         if (DetectEngineInspectHttpCookie(de_ctx, det_ctx, s, f, | 
		
	
		
			
				|  |  |  |  |                                                           flags, alstate) == 1) { | 
		
	
		
			
				|  |  |  |  |                             SCLogDebug("http cookie matched"); | 
		
	
		
			
				|  |  |  |  |                             item->flags |= DE_STATE_FLAG_HCD_MATCH; | 
		
	
		
			
				|  |  |  |  |                             hcdmatch = 1; | 
		
	
		
			
				|  |  |  |  |                         } | 
		
	
		
			
				|  |  |  |  |                     } | 
		
	
		
			
				|  |  |  |  |                 } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |             } else if (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) { | 
		
	
		
			
				|  |  |  |  |                 if (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL) { | 
		
	
	
		
			
				
					|  |  |  | @ -668,8 +700,8 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |             } | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |             appinspect = uinspect + dinspect + hcbdinspect + hhdinspect + hrhdinspect + hmdinspect; | 
		
	
		
			
				|  |  |  |  |             appmatch = umatch + dmatch + hcbdmatch + hhdmatch + hrhdmatch + hmdmatch; | 
		
	
		
			
				|  |  |  |  |             appinspect = uinspect + dinspect + hcbdinspect + hhdinspect + hrhdinspect + hmdinspect + hcdinspect; | 
		
	
		
			
				|  |  |  |  |             appmatch = umatch + dmatch + hcbdmatch + hhdmatch + hrhdmatch + hmdmatch + hcdmatch; | 
		
	
		
			
				|  |  |  |  |             SCLogDebug("appinspect %d, appmatch %d", appinspect, appmatch); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |             /* next, check the other sig matches */ | 
		
	
	
		
			
				
					|  |  |  | @ -809,39 +841,39 @@ static int DeStateTest02(void) { | 
		
	
		
			
				|  |  |  |  |     memset(&s, 0x00, sizeof(s)); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     s.num = 0; | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     s.num = 11; | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     s.num = 22; | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     s.num = 33; | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     s.num = 44; | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     s.num = 55; | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     s.num = 66; | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     s.num = 77; | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     s.num = 88; | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     s.num = 99; | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     s.num = 100; | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     s.num = 111; | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     s.num = 122; | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     s.num = 133; | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     s.num = 144; | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     s.num = 155; | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     s.num = 166; | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     if (state->head == NULL) { | 
		
	
		
			
				|  |  |  |  |         goto end; | 
		
	
	
		
			
				
					|  |  |  | @ -884,9 +916,9 @@ static int DeStateTest03(void) { | 
		
	
		
			
				|  |  |  |  |     memset(&s, 0x00, sizeof(s)); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     s.num = 11; | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     s.num = 22; | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 1, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  |     DeStateSignatureAppend(state, &s, NULL, 1, 0, 0, 0, 0, 0, 0); | 
		
	
		
			
				|  |  |  |  | 
 | 
		
	
		
			
				|  |  |  |  |     if (state->head == NULL) { | 
		
	
		
			
				|  |  |  |  |         goto end; | 
		
	
	
		
			
				
					|  |  |  | 
 |
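Review bot: In the DeStateTest02 and DeStateTest03 hunks every updated call passes `0` for the new `hcd` argument, so nothing exercises the `if (hcd)` branch that sets `DE_STATE_FLAG_HCD_MATCH` in DeStateSignatureAppend. Because the seven trailing parameters are all `char`, a call that puts `hcdmatch` in the wrong position compiles cleanly and stores the wrong match flag, and DeStateDetectContinueDetection skips cookie inspection whenever that flag is already set on the item. A further append in DeStateTest03 such as `s.num = 33; DeStateSignatureAppend(state, &s, NULL, 0, 0, 0, 0, 0, 0, 1);` followed by a check of `DE_STATE_FLAG_HCD_MATCH` on that entry would pin the new behaviour down. The test's assertions lie outside the hunk, so where the check belongs needs confirming there. The existing `\todo` about moving these values to an array points at the longer-term fix.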