detect: skip pseudo packets if sig needs real pkt

If a signature uses a condition that requires a real packet, filter out pseudo packets as early as possible. To do this, the SignatureMask logic is used. This allows for the removal of checks for pseudo packets in individual keywords `Match` functions, which will be done in a follow up commit. Update analyzer to output the new flag. Ticket: #7002.
10 months ago · d03660a646
parent e3034a6f54
commit d03660a646
3 changed files with 12 additions and 1 deletions
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@ -973,6 +973,9 @@ void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s)
    if (s->mask & SIG_MASK_REQUIRE_ENGINE_EVENT) {
        jb_append_string(ctx.js, "engine_event");
    }
+    if (s->mask & SIG_MASK_REQUIRE_REAL_PKT) {
+        jb_append_string(ctx.js, "real_pkt");
+    }
    jb_close(ctx.js);

    switch (s->type) {
--- a/src/detect-engine-build.c
+++ b/src/detect-engine-build.c
@ -406,6 +406,9 @@ void
 PacketCreateMask(Packet *p, SignatureMask *mask, AppProto alproto,
        bool app_decoder_events)
 {
+    if (!(PKT_IS_PSEUDOPKT(p))) {
+        (*mask) |= SIG_MASK_REQUIRE_REAL_PKT;
+    }
    if (!(p->flags & PKT_NOPAYLOAD_INSPECTION) && p->payload_len > 0) {
        SCLogDebug("packet has payload");
        (*mask) |= SIG_MASK_REQUIRE_PAYLOAD;
@ -442,6 +445,10 @@ static int SignatureCreateMask(Signature *s)
 {
    SCEnter();

+    if ((s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM)) ==
+            SIG_FLAG_REQUIRE_PACKET) {
+        s->mask |= SIG_MASK_REQUIRE_REAL_PKT;
+    }
    if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL) {
        s->mask |= SIG_MASK_REQUIRE_PAYLOAD;
        SCLogDebug("sig requires payload");
--- a/src/detect.h
+++ b/src/detect.h
@ -303,7 +303,8 @@ typedef struct DetectPort_ {
 #define SIG_MASK_REQUIRE_FLAGS_INITDEINIT   BIT_U8(2)    /* SYN, FIN, RST */
 #define SIG_MASK_REQUIRE_FLAGS_UNUSUAL      BIT_U8(3)    /* URG, ECN, CWR */
 #define SIG_MASK_REQUIRE_NO_PAYLOAD         BIT_U8(4)
-// vacancy 2x
+#define SIG_MASK_REQUIRE_REAL_PKT           BIT_U8(5)
+// vacancy 1x
 #define SIG_MASK_REQUIRE_ENGINE_EVENT       BIT_U8(7)

 /* for now a uint8_t is enough */