From d4f005933af7be08352f2fd405754f9a04eab69a Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 5 Jan 2024 10:42:34 +0100
Subject: [PATCH] detect/proto: reduce size for common sigs

Make `Signature::proto` an optional member, meaning that if it is NULL we can skip the check. This can be done for `alert ip`, as no check is needed, and for `alert tcp` and `alert udp` as having a rule in a sgh for those means that the protocol matches. Some exceptions are rules that require:
- ipv4/ipv6 specific matching
- frames, due to sharing prefilter between tcp and udp
- ip-only rules, due to those not being per sgh
---
 src/detect-app-layer-event.c | 4 +-
 src/detect-detection-filter.c | 8 +-
 src/detect-engine-analyzer.c | 11 +-
 src/detect-engine-build.c | 9 +-
 src/detect-engine-iponly.c | 24 +--
 src/detect-engine-mpm.c | 4 +-
 src/detect-engine-proto.c | 83 ++++++++-
 src/detect-engine-proto.h | 2 +
 src/detect-frame.c | 4 +-
 src/detect-icmpv4hdr.c | 4 +-
 src/detect-icmpv6-mtu.c | 2 +-
 src/detect-icmpv6hdr.c | 4 +-
 src/detect-igmp-type.c | 4 +-
 src/detect-igmphdr.c | 4 +-
 src/detect-ipproto.c | 325 +++++++++++++++++-----------------
 src/detect-ipv4hdr.c | 2 +-
 src/detect-ipv6hdr.c | 2 +-
 src/detect-l3proto.c | 12 +-
 src/detect-parse.c | 28 +--
 src/detect-tcphdr.c | 2 +-
 src/detect-udphdr.c | 2 +-
 src/detect.c | 38 ++--
 src/detect.h | 7 +-
 23 files changed, 336 insertions(+), 249 deletions(-)
diff --git a/src/detect-app-layer-event.c b/src/detect-app-layer-event.c
index 604655bdad..4dd2f5c3f9 100644
--- a/src/detect-app-layer-event.c
+++ b/src/detect-app-layer-event.c
@@ -234,9 +234,9 @@ static int DetectAppLayerEventSetup(DetectEngineCtx *de_ctx, Signature *s, const } uint8_t ipproto = 0; - if (s->proto.proto[IPPROTO_TCP / 8] & 1 << (IPPROTO_TCP % 8)) { + if (DetectProtoContainsProto(&s->init_data->proto, IPPROTO_TCP)) { ipproto = IPPROTO_TCP; - } else if (s->proto.proto[IPPROTO_UDP / 8] & 1 << (IPPROTO_UDP % 8)) { + } else if (DetectProtoContainsProto(&s->init_data->proto, IPPROTO_UDP)) { ipproto = IPPROTO_UDP; } else { SCLogError("protocol %s is disabled", alproto_name); diff --git a/src/detect-detection-filter.c b/src/detect-detection-filter.c index 5bba821de3..7b29cd804f 100644 --- a/src/detect-detection-filter.c +++ b/src/detect-detection-filter.c @@ -254,10 +254,10 @@ static int DetectDetectionFilterSetup(DetectEngineCtx *de_ctx, Signature *s, con /* unique_on requires a ported L4 protocol: tcp/udp/sctp */ if (df->unique_on != DF_UNIQUE_NONE) { - const int has_tcp = DetectProtoContainsProto(&s->proto, IPPROTO_TCP); - const int has_udp = DetectProtoContainsProto(&s->proto, IPPROTO_UDP); - const int has_sctp = DetectProtoContainsProto(&s->proto, IPPROTO_SCTP); - if (!(has_tcp || has_udp || has_sctp) || (s->proto.flags & DETECT_PROTO_ANY)) { + const bool has_tcp = DetectProtoHasExplicitProto(&s->init_data->proto, IPPROTO_TCP); + const bool has_udp = DetectProtoHasExplicitProto(&s->init_data->proto, IPPROTO_UDP); + const bool has_sctp = DetectProtoHasExplicitProto(&s->init_data->proto, IPPROTO_SCTP); + if (!(has_tcp || has_udp || has_sctp)) { SCLogError("detection_filter unique_on requires protocol tcp/udp/sctp"); goto error; } diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c index dc5cf98bb9..4eb5ad4c56 100644 --- a/src/detect-engine-analyzer.c +++ b/src/detect-engine-analyzer.c 
@@ -1756,10 +1756,10 @@ void EngineAnalysisRules(const DetectEngineCtx *de_ctx, stream_buf += 1; } - if (s->proto.flags & DETECT_PROTO_IPV4) { + if (s->proto && s->proto->flags & DETECT_PROTO_IPV4) { rule_ipv4_only += 1; } - if (s->proto.flags & DETECT_PROTO_IPV6) { + if (s->proto && s->proto->flags & DETECT_PROTO_IPV6) { rule_ipv6_only += 1; } @@ -1860,8 +1860,8 @@ void EngineAnalysisRules(const DetectEngineCtx *de_ctx, if (rule_content == 1) { //todo: warning if content is weak, separate warning for pcre + weak content } - if (rule_flow == 0 && rule_flags == 0 && !(s->proto.flags & DETECT_PROTO_ANY) && - DetectProtoContainsProto(&s->proto, IPPROTO_TCP) && + if (rule_flow == 0 && rule_flags == 0 && !(s->init_data->proto.flags & DETECT_PROTO_ANY) && + DetectProtoContainsProto(&s->init_data->proto, IPPROTO_TCP) && (rule_content || rule_content_http || rule_pcre || rule_pcre_http || rule_flowbits || rule_flowint)) { rule_warning += 1; @@ -1914,7 +1914,8 @@ void EngineAnalysisRules(const DetectEngineCtx *de_ctx, } /* No warning about direction for ICMP protos */ - if (!(DetectProtoContainsProto(&s->proto, IPPROTO_ICMPV6) && DetectProtoContainsProto(&s->proto, IPPROTO_ICMP))) { + if (!(DetectProtoContainsProto(&s->init_data->proto, IPPROTO_ICMPV6) && + DetectProtoContainsProto(&s->init_data->proto, IPPROTO_ICMP))) { if ((s->flags & (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) == (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) { warn_both_direction += 1; rule_warning += 1; diff --git a/src/detect-engine-build.c b/src/detect-engine-build.c index 0a9a721b69..ba27ff9344 100644 --- a/src/detect-engine-build.c +++ b/src/detect-engine-build.c @@ -650,7 +650,7 @@ static SCJsonBuilder *RulesGroupPrintSghStats(const DetectEngineCtx *de_ctx, continue; int any = 0; - if (s->proto.flags & DETECT_PROTO_ANY) { + if (s->proto == NULL || s->proto->flags & DETECT_PROTO_ANY) { any++; } if (s->flags & SIG_FLAG_DST_ANY) { 
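Review bot: The IPv4-only and IPv6-only counters in the @@ -1756 hunk read the optional `s->proto`, while the @@ -1860 and @@ -1914 hunks of the same function read `s->init_data->proto`. `s->proto` stays NULL until DetectProtoFinalizeSignature() has run, so if the analyzer is invoked before finalization (the call order is not visible here) both counters would silently stay at zero. Reading the parse-time copy keeps the function on one source and independent of that ordering: `if (s->init_data->proto.flags & DETECT_PROTO_IPV4) {`, and likewise for `DETECT_PROTO_IPV6`. EngineAnalysisRules starts and ends outside these hunks.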
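Review bot: In RulesGroupPrintSghStats (the @@ -650 hunk) `s->proto == NULL` is counted as protocol "any", but DetectProtoFinalizeSignature() also leaves `s->proto` NULL for signatures restricted to TCP and/or UDP, so a plain `alert tcp` rule would now raise the `any` counter. If `s->init_data` is still valid when the stats are printed (RulesGroupByPorts in this file reads it, but the lifetime is not visible here), the test can stay exact with `if (s->init_data->proto.flags & DETECT_PROTO_ANY) {`. Otherwise a comment should say that NULL means "no runtime protocol check needed", not "any protocol". The function body continues outside the hunk.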
@@ -970,7 +970,8 @@ static int RulesGroupByIPProto(DetectEngineCtx *de_ctx) if (p == IPPROTO_TCP || p == IPPROTO_UDP) { continue; } - if (!(s->proto.proto[p / 8] & (1<<(p % 8)) || (s->proto.flags & DETECT_PROTO_ANY))) { + + if (!DetectProtoContainsProto(&s->init_data->proto, p)) { continue; } @@ -1487,7 +1488,7 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, uint8_t ipproto, u if (s->type == SIG_TYPE_IPONLY) goto next; /* Protocol does not match the Signature protocol and is neither IP or pkthdr */ - if (!(s->proto.proto[ipproto / 8] & (1<<(ipproto % 8)) || (s->proto.flags & DETECT_PROTO_ANY))) + if (!DetectProtoContainsProto(&s->init_data->proto, ipproto)) goto next; /* Direction does not match Signature direction */ if (direction == SIG_FLAG_TOSERVER) { @@ -1785,7 +1786,7 @@ int SigPrepareStage1(DetectEngineCtx *de_ctx) if (copresent && colen == 1) { SCLogDebug("signature %8u content maxlen 1", s->id); for (int proto = 0; proto < 256; proto++) { - if (s->proto.proto[(proto/8)] & (1<<(proto%8))) + if (s->init_data->proto.proto[(proto / 8)] & (1 << (proto % 8))) SCLogDebug("=> proto %" PRId32 "", proto); } } diff --git a/src/detect-engine-iponly.c b/src/detect-engine-iponly.c index 7437dbd5d6..31a5f02f28 100644 --- a/src/detect-engine-iponly.c +++ b/src/detect-engine-iponly.c 
@@ -1044,18 +1044,20 @@ void IPOnlyMatchPacket(ThreadVars *tv, const DetectEngineCtx *de_ctx, for (uint8_t i = 0; i < 8; i++, bitarray = bitarray >> 1) { if (bitarray & 0x01) { const Signature *s = de_ctx->sig_array[io_ctx->sig_mapping[u * 8 + i]]; + if (s->proto) { + if ((s->proto->flags & DETECT_PROTO_IPV4) && !PacketIsIPv4(p)) { + SCLogDebug("ip version didn't match"); + continue; + } + if ((s->proto->flags & DETECT_PROTO_IPV6) && !PacketIsIPv6(p)) { + SCLogDebug("ip version didn't match"); + continue; + } - if ((s->proto.flags & DETECT_PROTO_IPV4) && !PacketIsIPv4(p)) { - SCLogDebug("ip version didn't match"); - continue; - } - if ((s->proto.flags & DETECT_PROTO_IPV6) && !PacketIsIPv6(p)) { - SCLogDebug("ip version didn't match"); - continue; - } - if (DetectProtoContainsProto(&s->proto, PacketGetIPProto(p)) == 0) { - SCLogDebug("proto didn't match"); - continue; + if (DetectProtoContainsProto(s->proto, PacketGetIPProto(p)) == 0) { + SCLogDebug("proto didn't match"); + continue; + } } /* check the source & dst port in the sig */ diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index 2c388e62c7..e786f0da59 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -854,7 +854,7 @@ int SignatureHasPacketContent(const Signature *s) { SCEnter(); - if (!(s->proto.proto[IPPROTO_TCP / 8] & 1 << (IPPROTO_TCP % 8))) { + if (!DetectProtoContainsProto(&s->init_data->proto, IPPROTO_TCP)) { SCReturnInt(1); } @@ -884,7 +884,7 @@ int SignatureHasStreamContent(const Signature *s) { SCEnter(); - if (!(s->proto.proto[IPPROTO_TCP / 8] & 1 << (IPPROTO_TCP % 8))) { + if (!DetectProtoContainsProto(&s->init_data->proto, IPPROTO_TCP)) { SCReturnInt(0); } diff --git a/src/detect-engine-proto.c b/src/detect-engine-proto.c index 77606b1b4d..792b21da6c 100644 --- a/src/detect-engine-proto.c +++ b/src/detect-engine-proto.c 
@@ -109,7 +109,7 @@ int DetectProtoParse(DetectProto *dp, const char *str) * \retval 1 protocol is in the set */ int DetectProtoContainsProto(const DetectProto *dp, int proto) { - if (dp->flags & DETECT_PROTO_ANY) + if (dp == NULL || dp->flags & DETECT_PROTO_ANY) return 1; if (dp->proto[proto / 8] & (1<<(proto % 8))) 
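Review bot: DetectProtoContainsProto() now returns 1 for a NULL `dp`, but the doc comment above it (which starts outside the hunk) still lists only the two `\retval` cases, so the contract "NULL matches every protocol" is invisible to callers. In a detection engine that matters: any call site that hands in `s->proto` for a signature where finalization left it NULL gets a match for every protocol number. I would add `\note a NULL dp means no protocol restriction is stored and is treated as a match` to the comment. Separately, `proto` is still a plain `int` used as an array index while the new DetectProtoHasExplicitProto() takes `uint8_t`; a guard such as `if (proto < 0 || proto > 255) return 0;` would make the two agree.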
@@ -118,6 +118,74 @@ int DetectProtoContainsProto(const DetectProto *dp, int proto) return 0; } +/** \brief see if a DetectProto explicitly a certain proto + * Explicit means the protocol was explicitly set, so "any" + * doesn't qualify. + * \param dp detect proto to inspect + * \param proto protocol (such as IPPROTO_TCP) to look for + * \retval false protocol not in the set + * \retval true protocol is in the set */ +bool DetectProtoHasExplicitProto(const DetectProto *dp, const uint8_t proto) +{ + if (dp == NULL || dp->flags & DETECT_PROTO_ANY) + return false; + + return ((dp->proto[proto / 8] & (1 << (proto % 8)))); +} + +/* return true if protocols enabled are only TCP and/or UDP */ +static int DetectProtoIsOnlyTCPUDP(const DetectProto *dp) +{ + uint8_t protos[256 / 8]; + memset(protos, 0x00, sizeof(protos)); + protos[IPPROTO_TCP / 8] |= (1 << (IPPROTO_TCP % 8)); + protos[IPPROTO_UDP / 8] |= (1 << (IPPROTO_UDP % 8)); + + int cnt = 0; + for (size_t i = 0; i < sizeof(protos); i++) { + if ((dp->proto[i] & protos[i]) != 0) + cnt++; + } + return cnt != 0; +} + +int DetectProtoFinalizeSignature(Signature *s) +{ + BUG_ON(s->proto); + /* IP-only sigs are not per SGH, so need full proto */ + if (s->type == SIG_TYPE_IPONLY && !(s->init_data->proto.flags & DETECT_PROTO_ANY)) + goto full; + /* Frames like the dns.pdu are registered for UDP and TCP, and share a MPM. So + * a UDP rule can become a match candidate for a TCP sgh, meaning we need to + * evaluate the rule's proto. */ + if ((s->init_data->init_flags & SIG_FLAG_INIT_FRAME) != 0 && + !(s->init_data->proto.flags & DETECT_PROTO_ANY)) + goto full; + + /* for now, we use the full protocol logic for DETECT_PROTO_IPV4/DETECT_PROTO_IPV6, + * but we should address that as well. 
*/ + if (s->init_data->proto.flags & (DETECT_PROTO_IPV4 | DETECT_PROTO_IPV6)) { + SCLogDebug("sid %u has IPV4 or IPV6 flag set, so need full protocol", s->id); + goto full; + } + + /* no need to set up Signature::proto if sig needs any protocol, + * or only TCP and/or UDP, as for those the SGH is per TCP/UDP */ + if ((s->init_data->proto.flags & DETECT_PROTO_ANY) || + DetectProtoIsOnlyTCPUDP(&s->init_data->proto)) { + s->proto = NULL; + return 0; + } + +full: + s->proto = SCCalloc(1, sizeof(*s->proto)); + if (s->proto == NULL) + return -1; + + memcpy(s->proto, &s->init_data->proto, sizeof(*s->proto)); + return 0; +} + /* TESTS */ #ifdef UNITTESTS @@ -298,10 +366,10 @@ static int DetectProtoTestSetup01(void) FAIL_IF_NOT(DetectProtoInitTest(&de_ctx, &sig, &dp, "tcp")); /* The signature proto should be TCP */ - FAIL_IF_NOT(sig->proto.proto[(IPPROTO_TCP / 8)] & (1 << (IPPROTO_TCP % 8))); + FAIL_IF_NOT(sig->init_data->proto.proto[(IPPROTO_TCP / 8)] & (1 << (IPPROTO_TCP % 8))); for (i = 2; i < 256 / 8; i++) { - FAIL_IF(sig->proto.proto[i] != 0); + FAIL_IF(sig->init_data->proto.proto[i] != 0); } DetectEngineCtxFree(de_ctx); 
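Review bot: DetectProtoIsOnlyTCPUDP() does not test what its comment and name say: it returns true as soon as the TCP or UDP bit is set, even when other protocol bits are set as well (for instance a bitmap produced by an `ip_proto` range). DetectProtoFinalizeSignature() then sets `s->proto = NULL` for such a signature, which removes the per-packet protocol check. Whether that can yield a wrong match depends on grouping code outside this hunk, so either the helper should reject extra bits as sketched below, or its comment should say "contains TCP or UDP" and explain why that is sufficient. The return type could be `bool` to match DetectProtoHasExplicitProto(), whose doc comment is missing a verb ("explicitly contains"). DetectProtoFinalizeSignature() has no comment describing its 0 / -1 return or that it allocates `s->proto`.

```c
/* return true if protocols enabled are only TCP and/or UDP */
static bool DetectProtoIsOnlyTCPUDP(const DetectProto *dp)
{
    /* … unchanged: build the `protos` mask with the TCP and UDP bits … */

    bool seen = false;
    for (size_t i = 0; i < sizeof(protos); i++) {
        /* any bit outside the TCP/UDP mask means another protocol is enabled */
        if ((dp->proto[i] & (uint8_t)~protos[i]) != 0)
            return false;
        if ((dp->proto[i] & protos[i]) != 0)
            seen = true;
    }
    return seen;
}
```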
@@ -327,11 +395,12 @@ static int DetectProtoTestSetup02(void) FAIL_IF(DetectProtoInitTest(&de_ctx, &sig_icmpv6, &dp, "icmpv6") == 0); FAIL_IF(DetectProtoInitTest(&de_ctx, &sig_icmp, &dp, "icmp") == 0); - FAIL_IF_NOT(sig_icmpv4->proto.proto[IPPROTO_ICMP / 8] & (1 << (IPPROTO_ICMP % 8))); - FAIL_IF_NOT(sig_icmpv6->proto.proto[IPPROTO_ICMPV6 / 8] & (1 << (IPPROTO_ICMPV6 % 8))); + FAIL_IF_NOT(sig_icmpv4->init_data->proto.proto[IPPROTO_ICMP / 8] & (1 << (IPPROTO_ICMP % 8))); + FAIL_IF_NOT( + sig_icmpv6->init_data->proto.proto[IPPROTO_ICMPV6 / 8] & (1 << (IPPROTO_ICMPV6 % 8))); - FAIL_IF_NOT(sig_icmp->proto.proto[IPPROTO_ICMP / 8] & (1 << (IPPROTO_ICMP % 8))); - FAIL_IF_NOT(sig_icmp->proto.proto[IPPROTO_ICMPV6 / 8] & (1 << (IPPROTO_ICMPV6 % 8))); + FAIL_IF_NOT(sig_icmp->init_data->proto.proto[IPPROTO_ICMP / 8] & (1 << (IPPROTO_ICMP % 8))); + FAIL_IF_NOT(sig_icmp->init_data->proto.proto[IPPROTO_ICMPV6 / 8] & (1 << (IPPROTO_ICMPV6 % 8))); DetectEngineCtxFree(de_ctx); diff --git a/src/detect-engine-proto.h b/src/detect-engine-proto.h index 81a06cf49c..01f73e78f6 100644 --- a/src/detect-engine-proto.h +++ b/src/detect-engine-proto.h @@ -40,7 +40,9 @@ typedef struct DetectProto_ { /* prototypes */ int DetectProtoParse(DetectProto *dp, const char *str); int DetectProtoContainsProto(const DetectProto *, int); +bool DetectProtoHasExplicitProto(const DetectProto *dp, const uint8_t proto); void DetectEngineProtoList(void); +int DetectProtoFinalizeSignature(struct Signature_ *s); void DetectProtoTests(void); diff --git a/src/detect-frame.c b/src/detect-frame.c index c83cc8f421..72132b355e 100644 --- a/src/detect-frame.c +++ b/src/detect-frame.c 
@@ -67,8 +67,8 @@ static int DetectFrameSetup(DetectEngineCtx *de_ctx, Signature *s, const char *s strlcpy(value, str, sizeof(value)); char buffer_name[512] = ""; // for registering in detect API we always need .. - const bool is_tcp = DetectProtoContainsProto(&s->proto, IPPROTO_TCP); - const bool is_udp = DetectProtoContainsProto(&s->proto, IPPROTO_UDP); + const bool is_tcp = DetectProtoContainsProto(&s->init_data->proto, IPPROTO_TCP); + const bool is_udp = DetectProtoContainsProto(&s->init_data->proto, IPPROTO_UDP); if (!(is_tcp || is_udp)) { SCLogError("'frame' keyword only supported for TCP and UDP"); return -1; diff --git a/src/detect-icmpv4hdr.c b/src/detect-icmpv4hdr.c index b594ab5ad4..20af63ce2e 100644 --- a/src/detect-icmpv4hdr.c +++ b/src/detect-icmpv4hdr.c @@ -78,10 +78,10 @@ void DetectIcmpv4HdrRegister(void) */ static int DetectIcmpv4HdrSetup(DetectEngineCtx *de_ctx, Signature *s, const char *_unused) { - if (!(DetectProtoContainsProto(&s->proto, IPPROTO_ICMP))) + if (!(DetectProtoContainsProto(&s->init_data->proto, IPPROTO_ICMP))) return -1; - s->proto.flags |= DETECT_PROTO_IPV4; + s->init_data->proto.flags |= DETECT_PROTO_IPV4; s->flags |= SIG_FLAG_REQUIRE_PACKET; if (SCDetectBufferSetActiveList(de_ctx, s, g_icmpv4hdr_buffer_id) < 0) diff --git a/src/detect-icmpv6-mtu.c b/src/detect-icmpv6-mtu.c index 863d2b96fa..7cd218491f 100644 --- a/src/detect-icmpv6-mtu.c +++ b/src/detect-icmpv6-mtu.c @@ -123,7 +123,7 @@ static int DetectICMPv6mtuSetup (DetectEngineCtx *de_ctx, Signature *s, const ch return -1; } s->flags |= SIG_FLAG_REQUIRE_PACKET; - s->proto.flags |= DETECT_PROTO_IPV6; + s->init_data->proto.flags |= DETECT_PROTO_IPV6; return 0; } diff --git a/src/detect-icmpv6hdr.c b/src/detect-icmpv6hdr.c index 22dc257118..14345a5097 100644 --- a/src/detect-icmpv6hdr.c +++ b/src/detect-icmpv6hdr.c 
@@ -83,8 +83,8 @@ void DetectICMPv6hdrRegister(void) static int DetectICMPv6hdrSetup (DetectEngineCtx *de_ctx, Signature *s, const char *_unused) { // ICMPv6 comes only with IPv6 - s->proto.flags |= DETECT_PROTO_IPV6; - if (!(DetectProtoContainsProto(&s->proto, IPPROTO_ICMPV6))) + s->init_data->proto.flags |= DETECT_PROTO_IPV6; + if (!(DetectProtoContainsProto(&s->init_data->proto, IPPROTO_ICMPV6))) return -1; s->flags |= SIG_FLAG_REQUIRE_PACKET; diff --git a/src/detect-igmp-type.c b/src/detect-igmp-type.c index fb3b301601..9356922b08 100644 --- a/src/detect-igmp-type.c +++ b/src/detect-igmp-type.c @@ -100,7 +100,7 @@ static int DetectIGMPTypeMatch( */ static int DetectIGMPTypeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str) { - if (!(DetectProtoContainsProto(&s->proto, IPPROTO_IGMP))) + if (!(DetectProtoContainsProto(&s->init_data->proto, IPPROTO_IGMP))) return -1; DetectU8Data *itd = DetectU8Parse(str); @@ -112,7 +112,7 @@ static int DetectIGMPTypeSetup(DetectEngineCtx *de_ctx, Signature *s, const char DetectIGMPTypeFree(de_ctx, itd); return -1; } - s->proto.flags |= DETECT_PROTO_IPV4; + s->init_data->proto.flags |= DETECT_PROTO_IPV4; s->flags |= SIG_FLAG_REQUIRE_PACKET; return 0; diff --git a/src/detect-igmphdr.c b/src/detect-igmphdr.c index f245e97770..1b3c8d5dbd 100644 --- a/src/detect-igmphdr.c +++ b/src/detect-igmphdr.c @@ -76,10 +76,10 @@ void DetectIGMPHdrRegister(void) */ static int DetectIGMPHdrSetup(DetectEngineCtx *de_ctx, Signature *s, const char *_unused) { - if (!(DetectProtoContainsProto(&s->proto, IPPROTO_IGMP))) + if (!(DetectProtoContainsProto(&s->init_data->proto, IPPROTO_IGMP))) return -1; - s->proto.flags |= DETECT_PROTO_IPV4; + s->init_data->proto.flags |= DETECT_PROTO_IPV4; s->flags |= SIG_FLAG_REQUIRE_PACKET; if (SCDetectBufferSetActiveList(de_ctx, s, g_igmphdr_buffer_id) < 0) diff --git a/src/detect-ipproto.c b/src/detect-ipproto.c index 2212802b51..7fc05b15e8 100644 --- a/src/detect-ipproto.c +++ b/src/detect-ipproto.c 
@@ -200,9 +200,9 @@ static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char * will refined the protocol list and thus it needs to reset the bitfield to zero * before setting the value specified by the ip_proto keyword. */ - if (s->proto.flags & (DETECT_PROTO_ANY | DETECT_PROTO_IPV6 | DETECT_PROTO_IPV4)) { - s->proto.flags &= ~DETECT_PROTO_ANY; - memset(s->proto.proto, 0x00, sizeof(s->proto.proto)); + if (s->init_data->proto.flags & (DETECT_PROTO_ANY | DETECT_PROTO_IPV6 | DETECT_PROTO_IPV4)) { + s->init_data->proto.flags &= ~DETECT_PROTO_ANY; + memset(s->init_data->proto.proto, 0x00, sizeof(s->init_data->proto.proto)); s->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; } else { /* The ipproto engine has a relationship with the protocol that is @@ -233,7 +233,7 @@ static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char "them in the same sig"); goto error; } - s->proto.proto[data->proto / 8] |= 1 << (data->proto % 8); + s->init_data->proto.proto[data->proto / 8] |= 1 << (data->proto % 8); break; case DETECT_IPPROTO_OP_GT: @@ -244,9 +244,9 @@ static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char goto error; } if (!lt_set && !not_set) { - s->proto.proto[data->proto / 8] = (uint8_t)(0xfe << (data->proto % 8)); + s->init_data->proto.proto[data->proto / 8] = (uint8_t)(0xfe << (data->proto % 8)); for (i = (data->proto / 8) + 1; i < (256 / 8); i++) { - s->proto.proto[i] = 0xff; + s->init_data->proto.proto[i] = 0xff; } } else if (lt_set && !not_set) { SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH]; 
@@ -265,21 +265,21 @@ static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char goto error; } else { for (i = 0; i < (data->proto / 8); i++) { - s->proto.proto[i] = 0; + s->init_data->proto.proto[i] = 0; } - s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8); + s->init_data->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8); for (i = (data->proto / 8) + 1; i < (256 / 8); i++) { - s->proto.proto[i] &= 0xff; + s->init_data->proto.proto[i] &= 0xff; } } } } else if (!lt_set && not_set) { for (i = 0; i < (data->proto / 8); i++) { - s->proto.proto[i] = 0; + s->init_data->proto.proto[i] = 0; } - s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8); + s->init_data->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8); for (i = (data->proto / 8) + 1; i < (256 / 8); i++) { - s->proto.proto[i] &= 0xff; + s->init_data->proto.proto[i] &= 0xff; } } else { DetectIPProtoData *data_temp; @@ -300,11 +300,11 @@ static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char goto error; } else { for (i = 0; i < (data->proto / 8); i++) { - s->proto.proto[i] = 0; + s->init_data->proto.proto[i] = 0; } - s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8); + s->init_data->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8); for (i = (data->proto / 8) + 1; i < (256 / 8); i++) { - s->proto.proto[i] &= 0xff; + s->init_data->proto.proto[i] &= 0xff; } } } @@ -320,9 +320,10 @@ static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char } if (!gt_set && !not_set) { for (i = 0; i < (data->proto / 8); i++) { - s->proto.proto[i] = 0xff; + s->init_data->proto.proto[i] = 0xff; } - s->proto.proto[data->proto / 8] = (uint8_t)(~(0xff << (data->proto % 8))); + s->init_data->proto.proto[data->proto / 8] = + (uint8_t)(~(0xff << (data->proto % 8))); } else if (gt_set && !not_set) { SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH]; while (temp_sm != NULL) { 
@@ -340,21 +341,21 @@ static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char goto error; } else { for (i = 0; i < (data->proto / 8); i++) { - s->proto.proto[i] &= 0xff; + s->init_data->proto.proto[i] &= 0xff; } - s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8)); + s->init_data->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8)); for (i = (data->proto / 8) + 1; i < 256 / 8; i++) { - s->proto.proto[i] = 0; + s->init_data->proto.proto[i] = 0; } } } } else if (!gt_set && not_set) { for (i = 0; i < (data->proto / 8); i++) { - s->proto.proto[i] &= 0xFF; + s->init_data->proto.proto[i] &= 0xFF; } - s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8)); + s->init_data->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8)); for (i = (data->proto / 8) + 1; i < (256 / 8); i++) { - s->proto.proto[i] = 0; + s->init_data->proto.proto[i] = 0; } } else { DetectIPProtoData *data_temp; @@ -375,11 +376,11 @@ static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char goto error; } else { for (i = 0; i < (data->proto / 8); i++) { - s->proto.proto[i] &= 0xFF; + s->init_data->proto.proto[i] &= 0xFF; } - s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8)); + s->init_data->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8)); for (i = (data->proto / 8) + 1; i < (256 / 8); i++) { - s->proto.proto[i] = 0; + s->init_data->proto.proto[i] = 0; } } } 
@@ -395,19 +396,19 @@ static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char } if (!gt_set && !lt_set && !not_set) { for (i = 0; i < (data->proto / 8); i++) { - s->proto.proto[i] = 0xff; + s->init_data->proto.proto[i] = 0xff; } - s->proto.proto[data->proto / 8] = (uint8_t)(~(1 << (data->proto % 8))); + s->init_data->proto.proto[data->proto / 8] = (uint8_t)(~(1 << (data->proto % 8))); for (i = (data->proto / 8) + 1; i < (256 / 8); i++) { - s->proto.proto[i] = 0xff; + s->init_data->proto.proto[i] = 0xff; } } else { for (i = 0; i < (data->proto / 8); i++) { - s->proto.proto[i] &= 0xff; + s->init_data->proto.proto[i] &= 0xff; } - s->proto.proto[data->proto / 8] &= ~(1 << (data->proto % 8)); + s->init_data->proto.proto[data->proto / 8] &= ~(1 << (data->proto % 8)); for (i = (data->proto / 8) + 1; i < (256 / 8); i++) { - s->proto.proto[i] &= 0xff; + s->init_data->proto.proto[i] &= 0xff; } } break; @@ -489,14 +490,14 @@ static int DetectIPProtoTestSetup01(void) FAIL_IF_NULL(sig); sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; DetectIPProtoSetup(NULL, sig, value_str); for (i = 0; i < (value / 8); i++) { - FAIL_IF(sig->proto.proto[i] != 0); + FAIL_IF(sig->init_data->proto.proto[i] != 0); } - FAIL_IF(sig->proto.proto[value / 8] != 0x40); + FAIL_IF(sig->init_data->proto.proto[value / 8] != 0x40); for (i = (value / 8) + 1; i < (256 / 8); i++) { - FAIL_IF(sig->proto.proto[i] != 0); + FAIL_IF(sig->init_data->proto.proto[i] != 0); } SigFree(NULL, sig); PASS; 
@@ -521,17 +522,17 @@ static int DetectIPProtoTestSetup02(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; DetectIPProtoSetup(NULL, sig, value_str); for (i = 0; i < (value / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } - if (sig->proto.proto[value / 8] != 0x40) { + if (sig->init_data->proto.proto[value / 8] != 0x40) { goto end; } for (i = (value / 8) + 1; i < (256 / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } @@ -558,17 +559,17 @@ static int DetectIPProtoTestSetup03(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; DetectIPProtoSetup(NULL, sig, value_str); for (i = 0; i < (value / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } - if (sig->proto.proto[value / 8] != 0x3F) { + if (sig->init_data->proto.proto[value / 8] != 0x3F) { goto end; } for (i = (value / 8) + 1; i < (256 / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } @@ -594,17 +595,17 @@ static int DetectIPProtoTestSetup04(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; DetectIPProtoSetup(NULL, sig, value_str); for (i = 0; i < (value / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } - if (sig->proto.proto[value / 8] != 0x80) { + if (sig->init_data->proto.proto[value / 8] != 0x80) { goto end; } for (i = (value / 8) + 1; i < (256 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } 
@@ -630,17 +631,17 @@ static int DetectIPProtoTestSetup05(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; DetectIPProtoSetup(NULL, sig, value_str); for (i = 0; i < (value / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } - if (sig->proto.proto[value / 8] != 0xBF) { + if (sig->init_data->proto.proto[value / 8] != 0xBF) { goto end; } for (i = (value / 8) + 1; i < (256 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } @@ -665,7 +666,7 @@ static int DetectIPProtoTestSetup06(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) @@ -692,7 +693,7 @@ static int DetectIPProtoTestSetup07(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) @@ -719,7 +720,7 @@ static int DetectIPProtoTestSetup08(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) 
@@ -746,7 +747,7 @@ static int DetectIPProtoTestSetup09(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) @@ -773,7 +774,7 @@ static int DetectIPProtoTestSetup10(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) @@ -800,7 +801,7 @@ static int DetectIPProtoTestSetup11(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) @@ -827,7 +828,7 @@ static int DetectIPProtoTestSetup12(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) @@ -854,7 +855,7 @@ static int DetectIPProtoTestSetup13(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) 
@@ -878,7 +879,7 @@ static int DetectIPProtoTestSetup14(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) @@ -904,18 +905,18 @@ static int DetectIPProtoTestSetup15(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } - if (sig->proto.proto[value1 / 8] != 0x3F) { + if (sig->init_data->proto.proto[value1 / 8] != 0x3F) { goto end; } for (i = (value1 / 8) + 1; i < (256 / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } if (DetectIPProtoSetup(NULL, sig, value2_str) == 0) @@ -941,18 +942,18 @@ static int DetectIPProtoTestSetup16(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; for (i = 0; i < (value2 / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } - if (sig->proto.proto[value2 / 8] != 0xF8) { + if (sig->init_data->proto.proto[value2 / 8] != 0xF8) { goto end; } for (i = (value2 / 8) + 1; i < (256 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } if (DetectIPProtoSetup(NULL, sig, value1_str) == 0) 
@@ -978,18 +979,18 @@ static int DetectIPProtoTestSetup17(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } - if (sig->proto.proto[value1 / 8] != 0x07) { + if (sig->init_data->proto.proto[value1 / 8] != 0x07) { goto end; } for (i = (value1 / 8) + 1; i < (256 / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } if (DetectIPProtoSetup(NULL, sig, value2_str) == 0) @@ -1015,18 +1016,18 @@ static int DetectIPProtoTestSetup18(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; for (i = 0; i < (value2 / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } - if (sig->proto.proto[value2 / 8] != 0xC0) { + if (sig->init_data->proto.proto[value2 / 8] != 0xC0) { goto end; } for (i = (value2 / 8) + 1; i < (256 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } if (DetectIPProtoSetup(NULL, sig, value1_str) == 0) 
@@ -1053,20 +1054,20 @@ static int DetectIPProtoTestSetup19(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } - if (sig->proto.proto[value1 / 8] != 0x07) { + if (sig->init_data->proto.proto[value1 / 8] != 0x07) { goto end; } for (i = (value1 / 8) + 1; i < (256 / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } if (DetectIPProtoSetup(NULL, sig, value3_str) == 0) @@ -1092,18 +1093,18 @@ static int DetectIPProtoTestSetup20(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } - if (sig->proto.proto[value1 / 8] != 0x07) { + if (sig->init_data->proto.proto[value1 / 8] != 0x07) { goto end; } for (i = (value1 / 8) + 1; i < (256 / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } if (DetectIPProtoSetup(NULL, sig, value3_str) == 0) 
@@ -1130,20 +1131,20 @@ static int DetectIPProtoTestSetup21(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } - if (sig->proto.proto[value1 / 8] != 0x07) { + if (sig->init_data->proto.proto[value1 / 8] != 0x07) { goto end; } for (i = (value1 / 8) + 1; i < (256 / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } if (DetectIPProtoSetup(NULL, sig, value3_str) == 0) @@ -1170,20 +1171,20 @@ static int DetectIPProtoTestSetup22(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; for (i = 0; i < (value3 / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } - if (sig->proto.proto[value3 / 8] != 0xE0) { + if (sig->init_data->proto.proto[value3 / 8] != 0xE0) { goto end; } for (i = (value3 / 8) + 1; i < (256 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } if (DetectIPProtoSetup(NULL, sig, value1_str) == 0) 
@@ -1209,18 +1210,18 @@ static int DetectIPProtoTestSetup23(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; for (i = 0; i < (value3 / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } - if (sig->proto.proto[value3 / 8] != 0xE0) { + if (sig->init_data->proto.proto[value3 / 8] != 0xE0) { goto end; } for (i = (value3 / 8) + 1; i < (256 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } if (DetectIPProtoSetup(NULL, sig, value1_str) == 0) @@ -1247,20 +1248,20 @@ static int DetectIPProtoTestSetup24(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; for (i = 0; i < (value3 / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } - if (sig->proto.proto[value3 / 8] != 0xE0) { + if (sig->init_data->proto.proto[value3 / 8] != 0xE0) { goto end; } for (i = (value3 / 8) + 1; i < (256 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } if (DetectIPProtoSetup(NULL, sig, value1_str) == 0) 
@@ -1287,20 +1288,20 @@ static int DetectIPProtoTestSetup33(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } - if (sig->proto.proto[value1 / 8] != 0x07) { + if (sig->init_data->proto.proto[value1 / 8] != 0x07) { goto end; } for (i = (value1 / 8) + 1; i < (256 / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } if (DetectIPProtoSetup(NULL, sig, value3_str) == 0) @@ -1328,20 +1329,20 @@ static int DetectIPProtoTestSetup34(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } - if (sig->proto.proto[value3 / 8] != 0xE0) { + if (sig->init_data->proto.proto[value3 / 8] != 0xE0) { goto end; } for (i = (value3 / 8) + 1; i < (256 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } if (DetectIPProtoSetup(NULL, sig, value1_str) == 0) 
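Review bot: In DetectIPProtoTestSetup34 the first loop is bounded by `value1 / 8`, while the byte check and the second loop that follow use `value3 / 8`. If value1 is smaller than value3, the bytes between the two indices are never compared against 0, so a wrong bitmap in that range would still pass the test. The values are declared outside the hunk, so this needs confirming; if value3 is what was meant, the line would read `for (i = 0; i < (value3 / 8); i++) {`, as in DetectIPProtoTestSetup22 and DetectIPProtoTestSetup36.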
@@ -1368,20 +1369,20 @@ static int DetectIPProtoTestSetup36(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; for (i = 0; i < (value3 / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } - if (sig->proto.proto[value3 / 8] != 0xE0) { + if (sig->init_data->proto.proto[value3 / 8] != 0xE0) { goto end; } for (i = (value3 / 8) + 1; i < (256 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } if (DetectIPProtoSetup(NULL, sig, value1_str) == 0) @@ -1409,23 +1410,23 @@ static int DetectIPProtoTestSetup43(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; - if (sig->proto.proto[value1 / 8] != 0xEF) { + if (sig->init_data->proto.proto[value1 / 8] != 0xEF) { goto end; } for (i = (value1 / 8) + 1; i < (value2 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } - if (sig->proto.proto[value2 / 8] != 0x1F) { + if (sig->init_data->proto.proto[value2 / 8] != 0x1F) { goto end; } for (i = (value2 / 8) + 1; i < 256 / 8; i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } if (DetectIPProtoSetup(NULL, sig, value3_str) == 0) 
@@ -1452,20 +1453,20 @@ static int DetectIPProtoTestSetup44(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; for (i = 0; i < (value3 / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } - if (sig->proto.proto[value3 / 8] != 0xF8) { + if (sig->init_data->proto.proto[value3 / 8] != 0xF8) { goto end; } for (i = (value3 / 8) + 1; i < 256 / 8; i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } if (DetectIPProtoSetup(NULL, sig, value2_str) == 0) @@ -1493,23 +1494,23 @@ static int DetectIPProtoTestSetup45(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; - if (sig->proto.proto[value1 / 8] != 0xEF) { + if (sig->init_data->proto.proto[value1 / 8] != 0xEF) { goto end; } for (i = (value1 / 8) + 1; i < (value2 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } - if (sig->proto.proto[value2 / 8] != 0x1F) { + if (sig->init_data->proto.proto[value2 / 8] != 0x1F) { goto end; } for (i = (value2 / 8) + 1; i < 256 / 8; i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } if (DetectIPProtoSetup(NULL, sig, value3_str) == 0) 
@@ -1536,20 +1537,20 @@ static int DetectIPProtoTestSetup56(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } - if (sig->proto.proto[value1 / 8] != 0x1F) { + if (sig->init_data->proto.proto[value1 / 8] != 0x1F) { goto end; } for (i = (value1 / 8) + 1; i < 256 / 8; i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } if (DetectIPProtoSetup(NULL, sig, value2_str) == 0) @@ -1575,20 +1576,20 @@ static int DetectIPProtoTestSetup75(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; for (i = 0; i < (value2 / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } - if (sig->proto.proto[value2 / 8] != 0xF8) { + if (sig->init_data->proto.proto[value2 / 8] != 0xF8) { goto end; } for (i = (value2 / 8) + 1; i < (256 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } 
@@ -1612,20 +1613,20 @@ static int DetectIPProtoTestSetup76(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; for (i = 0; i < (value2 / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } - if (sig->proto.proto[value2 / 8] != 0xF8) { + if (sig->init_data->proto.proto[value2 / 8] != 0xF8) { goto end; } for (i = (value2 / 8) + 1; i < (256 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } @@ -1649,18 +1650,18 @@ static int DetectIPProtoTestSetup129(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } - if (sig->proto.proto[value1 / 8] != 0x03) { + if (sig->init_data->proto.proto[value1 / 8] != 0x03) { goto end; } for (i = (value1 / 8) + 1; i < 256 / 8; i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } if (DetectIPProtoSetup(NULL, sig, value2_str) == 0) 
@@ -1686,20 +1687,20 @@ static int DetectIPProtoTestSetup130(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) == 0) goto end; for (i = 0; i < (value2 / 8); i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } - if (sig->proto.proto[value2 / 8] != 0xF8) { + if (sig->init_data->proto.proto[value2 / 8] != 0xF8) { goto end; } for (i = (value2 / 8) + 1; i < 256 / 8; i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } @@ -1723,20 +1724,20 @@ static int DetectIPProtoTestSetup131(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } - if (sig->proto.proto[value1 / 8] != 0x03) { + if (sig->init_data->proto.proto[value1 / 8] != 0x03) { goto end; } for (i = (value1 / 8) + 1; i < 256 / 8; i++) { - if (sig->proto.proto[i] != 0x0) + if (sig->init_data->proto.proto[i] != 0x0) goto end; } 
@@ -1760,20 +1761,20 @@ static int DetectIPProtoTestSetup132(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { - if (sig->proto.proto[i] != 0xFF) + if (sig->init_data->proto.proto[i] != 0xFF) goto end; } - if (sig->proto.proto[value1 / 8] != 0x03) { + if (sig->init_data->proto.proto[value1 / 8] != 0x03) { goto end; } for (i = (value1 / 8) + 1; i < 256 / 8; i++) { - if (sig->proto.proto[i] != 0x0) + if (sig->init_data->proto.proto[i] != 0x0) goto end; } @@ -1806,7 +1807,7 @@ static int DetectIPProtoTestSetup145(void) goto end; sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; - sig->proto.flags |= DETECT_PROTO_ANY; + sig->init_data->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value5_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value8_str) != 0) @@ -1827,23 +1828,23 @@ static int DetectIPProtoTestSetup145(void) goto end; if (DetectIPProtoSetup(NULL, sig, value7_str) != 0) goto end; - if (sig->proto.proto[0] != 0) { + if (sig->init_data->proto.proto[0] != 0) { goto end; } - if (sig->proto.proto[1] != 0xBA) { + if (sig->init_data->proto.proto[1] != 0xBA) { goto end; } - if (sig->proto.proto[2] != 0xFF) { + if (sig->init_data->proto.proto[2] != 0xFF) { goto end; } - if (sig->proto.proto[3] != 0x97) { + if (sig->init_data->proto.proto[3] != 0x97) { goto end; } - if (sig->proto.proto[4] != 0x0B) { + if (sig->init_data->proto.proto[4] != 0x0B) { goto end; } for (i = (value10 / 8) + 1; i < 256 / 8; i++) { - if (sig->proto.proto[i] != 0) + if (sig->init_data->proto.proto[i] != 0) goto end; } diff --git a/src/detect-ipv4hdr.c b/src/detect-ipv4hdr.c index b405d3bbf9..8133a27fbc 100644 --- a/src/detect-ipv4hdr.c +++ b/src/detect-ipv4hdr.c 
@@ -81,7 +81,7 @@ void DetectIpv4hdrRegister(void) */ static int DetectIpv4hdrSetup (DetectEngineCtx *de_ctx, Signature *s, const char *_unused) { - s->proto.flags |= DETECT_PROTO_IPV4; // TODO + s->init_data->proto.flags |= DETECT_PROTO_IPV4; // TODO s->flags |= SIG_FLAG_REQUIRE_PACKET; diff --git a/src/detect-ipv6hdr.c b/src/detect-ipv6hdr.c index 4eb2e9db6e..1ee0669871 100644 --- a/src/detect-ipv6hdr.c +++ b/src/detect-ipv6hdr.c @@ -81,7 +81,7 @@ void DetectIpv6hdrRegister(void) */ static int DetectIpv6hdrSetup (DetectEngineCtx *de_ctx, Signature *s, const char *_unused) { - s->proto.flags |= DETECT_PROTO_IPV6; // TODO + s->init_data->proto.flags |= DETECT_PROTO_IPV6; // TODO s->flags |= SIG_FLAG_REQUIRE_PACKET; diff --git a/src/detect-l3proto.c b/src/detect-l3proto.c index f1b9b91347..69edb46f99 100644 --- a/src/detect-l3proto.c +++ b/src/detect-l3proto.c 
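Review bot: The bare `// TODO` on the flag assignment in DetectIpv4hdrSetup, and on the matching line in DetectIpv6hdrSetup, does not say what is left to do. Going by the commit description, rules with ipv4/ipv6 specific matching are one of the cases that must keep their protocol check, so this flag now carries more weight than before. I would replace the marker with a comment that says so, for example `/* IP version check is required: keeps Signature::proto set for this rule */`, or spell out the open task. Both functions continue outside their hunks.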
@@ -76,26 +76,26 @@ static int DetectL3ProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char const char *str = optstr; /* reset possible any value */ - if (s->proto.flags & DETECT_PROTO_ANY) { - s->proto.flags &= ~DETECT_PROTO_ANY; + if (s->init_data->proto.flags & DETECT_PROTO_ANY) { + s->init_data->proto.flags &= ~DETECT_PROTO_ANY; } /* authorized value, ip, any, ip4, ipv4, ip6, ipv6 */ if (strcasecmp(str,"ipv4") == 0 || strcasecmp(str,"ip4") == 0 ) { - if (s->proto.flags & DETECT_PROTO_IPV6) { + if (s->init_data->proto.flags & DETECT_PROTO_IPV6) { SCLogError("Conflicting l3 proto specified"); goto error; } - s->proto.flags |= DETECT_PROTO_IPV4; + s->init_data->proto.flags |= DETECT_PROTO_IPV4; SCLogDebug("IPv4 protocol detected"); } else if (strcasecmp(str,"ipv6") == 0 || strcasecmp(str,"ip6") == 0 ) { - if (s->proto.flags & DETECT_PROTO_IPV6) { + if (s->init_data->proto.flags & DETECT_PROTO_IPV6) { SCLogError("Conflicting l3 proto specified"); goto error; } - s->proto.flags |= DETECT_PROTO_IPV6; + s->init_data->proto.flags |= DETECT_PROTO_IPV6; SCLogDebug("IPv6 protocol detected"); } else { SCLogError("Invalid l3 proto: \"%s\"", str); diff --git a/src/detect-parse.c b/src/detect-parse.c index 5b8dbe0de4..31e3464fde 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -1401,14 +1401,14 @@ static int SigParseProto(Signature *s, const char *protostr) return -1; } - int r = DetectProtoParse(&s->proto, p); + int r = DetectProtoParse(&s->init_data->proto, (char *)p); if (r < 0) { s->alproto = AppLayerGetProtoByName(p); /* indicate that the signature is app-layer */ if (s->alproto != ALPROTO_UNKNOWN) { s->flags |= SIG_FLAG_APPLAYER; - AppLayerProtoDetectSupportedIpprotos(s->alproto, s->proto.proto); + AppLayerProtoDetectSupportedIpprotos(s->alproto, s->init_data->proto.proto); if (h) { if (SigParseProtoHookApp(s, protostr, p, h) < 0) { 
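Review bot: The `ipv6`/`ip6` branch of DetectL3ProtoSetup tests `DETECT_PROTO_IPV6` before setting `DETECT_PROTO_IPV6`, so it reports a conflict when the same version is given twice and never notices an earlier `ipv4`. The check in that branch should be `if (s->init_data->proto.flags & DETECT_PROTO_IPV4) {`. If both flags survive to the finalized rule, the two version tests in DetectRunInspectRuleHeader would reject every packet, leaving a rule that loads cleanly but can never alert. The start and end of the function are outside the hunk.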
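Review bot: The `(char *)p` cast added to the DetectProtoParse call in SigParseProto was not needed before this change, and a cast in that position hides a const mismatch from the compiler. The declaration of `p` and the prototype are outside the hunk; if `p` is a `const char *`, it would be cleaner to keep the parameter const-qualified and pass it unchanged, `int r = DetectProtoParse(&s->init_data->proto, p);`. If the callee really needs to write through the pointer, that deserves a comment at the call.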
@@ -1437,9 +1437,9 @@ static int SigParseProto(Signature *s, const char *protostr) /* if any of these flags are set they are set in a mutually exclusive * manner */ - if (s->proto.flags & DETECT_PROTO_ONLY_PKT) { + if (s->init_data->proto.flags & DETECT_PROTO_ONLY_PKT) { s->flags |= SIG_FLAG_REQUIRE_PACKET; - } else if (s->proto.flags & DETECT_PROTO_ONLY_STREAM) { + } else if (s->init_data->proto.flags & DETECT_PROTO_ONLY_STREAM) { s->flags |= SIG_FLAG_REQUIRE_STREAM; } @@ -2112,6 +2112,9 @@ void SigFree(DetectEngineCtx *de_ctx, Signature *s) if (s->dp != NULL) { DetectPortCleanupList(NULL, s->dp); } + if (s->proto) { + SCFree(s->proto); + } if (s->msg != NULL) SCFree(s->msg); @@ -2724,7 +2727,7 @@ static void SigConsolidateTcpBuffer(Signature *s) * - pkt vs stream vs depth/offset * - pkt vs stream vs stream_size */ - if (s->proto.proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) { + if (DetectProtoContainsProto(&s->init_data->proto, IPPROTO_TCP)) { if (s->init_data->smlists[DETECT_SM_LIST_PMATCH]) { if (!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM))) { s->flags |= SIG_FLAG_REQUIRE_STREAM; @@ -2837,6 +2840,9 @@ static int SigValidateConsolidate( SignatureSetType(de_ctx, s); DetectRuleSetTable(s); + if (DetectProtoFinalizeSignature(s) != 0) + SCReturnInt(0); + int r = SigValidateFileHandling(s); if (r == 0) { SCReturnInt(0); 
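Review bot: The new `DetectProtoFinalizeSignature(s)` call in SigValidateConsolidate has no comment explaining why it sits after `SignatureSetType()` and `DetectRuleSetTable()`, and its failure path is an unbraced `SCReturnInt(0)` while the check right below it uses braces. Going by the commit description, ip-only rules must keep their protocol set, so the ordering looks load-bearing; a comment such as `/* after SignatureSetType(): the rule type decides whether s->proto can be dropped */` would protect it from reordering. I would also write the guard as `if (DetectProtoFinalizeSignature(s) != 0) {` with a closing brace, since SCReturnInt is a macro. The function body continues outside the hunk.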
@@ -2931,15 +2937,15 @@ static Signature *SigInitHelper( if (sig->alproto != ALPROTO_UNKNOWN) { int override_needed = 0; - if (sig->proto.flags & DETECT_PROTO_ANY) { - sig->proto.flags &= ~DETECT_PROTO_ANY; - memset(sig->proto.proto, 0x00, sizeof(sig->proto.proto)); + if (sig->init_data->proto.flags & DETECT_PROTO_ANY) { + sig->init_data->proto.flags &= ~DETECT_PROTO_ANY; + memset(sig->init_data->proto.proto, 0x00, sizeof(sig->init_data->proto.proto)); override_needed = 1; } else { override_needed = 1; size_t s = 0; - for (s = 0; s < sizeof(sig->proto.proto); s++) { - if (sig->proto.proto[s] != 0x00) { + for (s = 0; s < sizeof(sig->init_data->proto.proto); s++) { + if (sig->init_data->proto.proto[s] != 0x00) { override_needed = 0; break; } @@ -2950,7 +2956,7 @@ static Signature *SigInitHelper( * overridden, we use the ip proto that has been configured * against the app proto in use. */ if (override_needed) - AppLayerProtoDetectSupportedIpprotos(sig->alproto, sig->proto.proto); + AppLayerProtoDetectSupportedIpprotos(sig->alproto, sig->init_data->proto.proto); } /* set the packet and app layer flags, but only if the diff --git a/src/detect-tcphdr.c b/src/detect-tcphdr.c index c35508e747..c2b055aa1f 100644 --- a/src/detect-tcphdr.c +++ b/src/detect-tcphdr.c @@ -81,7 +81,7 @@ void DetectTcphdrRegister(void) */ static int DetectTcphdrSetup (DetectEngineCtx *de_ctx, Signature *s, const char *_unused) { - if (!(DetectProtoContainsProto(&s->proto, IPPROTO_TCP))) + if (!(DetectProtoContainsProto(&s->init_data->proto, IPPROTO_TCP))) return -1; s->flags |= SIG_FLAG_REQUIRE_PACKET; diff --git a/src/detect-udphdr.c b/src/detect-udphdr.c index 057c7b1e22..a1f7fbd24f 100644 --- a/src/detect-udphdr.c +++ b/src/detect-udphdr.c 
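Review bot: DetectTcphdrSetup rejects the rule with a bare `return -1` when the protocol set does not contain TCP, so unless the caller logs, the rule author gets no message naming the cause; DetectUdphdrSetup in the next file does the same for UDP. Other setup functions in this patch log before failing, for example `SCLogError("Conflicting l3 proto specified")`, and a line such as `SCLogError("rule protocol does not include tcp");` before the return would match them. Both functions continue outside their hunks.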
@@ -80,7 +80,7 @@ void DetectUdphdrRegister(void) */ static int DetectUdphdrSetup (DetectEngineCtx *de_ctx, Signature *s, const char *_unused) { - if (!(DetectProtoContainsProto(&s->proto, IPPROTO_UDP))) + if (!(DetectProtoContainsProto(&s->init_data->proto, IPPROTO_UDP))) return -1; s->flags |= SIG_FLAG_REQUIRE_PACKET; diff --git a/src/detect.c b/src/detect.c index f9c234689d..b7c1f8eb4e 100644 --- a/src/detect.c +++ b/src/detect.c @@ -505,8 +505,8 @@ static void DetectRunInspectIPOnly(ThreadVars *tv, const DetectEngineCtx *de_ctx /** \internal * \brief inspect the rule header: protocol, ports, etc * \retval bool false if no match, true if match */ -static inline bool DetectRunInspectRuleHeader(const Packet *p, const Flow *f, const Signature *s, - const uint32_t sflags, const uint8_t s_proto_flags) +static inline bool DetectRunInspectRuleHeader( + const Packet *p, const Flow *f, const Signature *s, const uint32_t sflags) { /* check if this signature has a requirement for flowvars of some type * and if so, if we actually have any in the flow. If not, the sig 
@@ -523,18 +523,21 @@ static inline bool DetectRunInspectRuleHeader(const Packet *p, const Flow *f, co } } - if ((s_proto_flags & DETECT_PROTO_IPV4) && !PacketIsIPv4(p)) { - SCLogDebug("ip version didn't match"); - return false; - } - if ((s_proto_flags & DETECT_PROTO_IPV6) && !PacketIsIPv6(p)) { - SCLogDebug("ip version didn't match"); - return false; - } - - if (DetectProtoContainsProto(&s->proto, PacketGetIPProto(p)) == 0) { - SCLogDebug("proto didn't match"); - return false; + if (!(s->proto == NULL)) { + const uint8_t s_proto_flags = s->proto->flags; + /* TODO does it make sense to move these flags to s->flags? */ + if ((s_proto_flags & DETECT_PROTO_IPV4) && !PacketIsIPv4(p)) { + SCLogDebug("ip version didn't match"); + return false; + } + if ((s_proto_flags & DETECT_PROTO_IPV6) && !PacketIsIPv6(p)) { + SCLogDebug("ip version didn't match"); + return false; + } + if (DetectProtoContainsProto(s->proto, PacketGetIPProto(p)) == 0) { + SCLogDebug("proto didn't match"); + return false; + } } /* check the source & dst port in the sig */ @@ -695,7 +698,6 @@ static inline uint8_t DetectRulePacketRules(ThreadVars *const tv, next_s = *match_array++; next_sflags = next_s->flags; } - const uint8_t s_proto_flags = s->proto.flags; SCLogDebug("packet %" PRIu64 ": inspecting signature id %" PRIu32 "", PcapPacketCntGet(p), s->id); @@ -747,7 +749,7 @@ static inline uint8_t DetectRulePacketRules(ThreadVars *const tv, } } - if (!DetectRunInspectRuleHeader(p, pflow, s, sflags, s_proto_flags)) { + if (DetectRunInspectRuleHeader(p, pflow, s, sflags) == false) { goto next; } 
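Review bot: The `s->proto == NULL` path in DetectRunInspectRuleHeader now skips the IP version and IP protocol checks entirely, and nothing at this site states the invariant that makes that safe. Going by the commit description, it relies on the rule only being reached through a rule group of the matching protocol; if that assumption is ever broken, the rule would match packets of any protocol, which matters most for drop rules. A comment above the block such as `/* NULL proto: sgh membership already guarantees the ip proto, see DetectProtoFinalizeSignature() */` would record it. `if (s->proto != NULL) {` also reads more directly than `if (!(s->proto == NULL)) {`. The function body continues outside the hunk.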
@@ -1202,7 +1204,7 @@ static bool DetectRunTxInspectRule(ThreadVars *tv, /* for a new inspection we inspect pkt header and packet matches */ if (likely(stored_flags == NULL)) { TRACE_SID_TXS(s->id, tx, "first inspect, run packet matches"); - if (!DetectRunInspectRuleHeader(p, f, s, s->flags, s->proto.flags)) { + if (DetectRunInspectRuleHeader(p, f, s, s->flags) == false) { TRACE_SID_TXS(s->id, tx, "DetectRunInspectRuleHeader() no match"); return false; } @@ -2200,7 +2202,7 @@ static void DetectRunFrames(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngin /* call individual rule inspection */ RULE_PROFILING_START(p); - bool r = DetectRunInspectRuleHeader(p, f, s, s->flags, s->proto.flags); + bool r = DetectRunInspectRuleHeader(p, f, s, s->flags); if (r) { r = DetectRunFrameInspectRule(tv, det_ctx, s, f, p, frames, frame); if (r) { diff --git a/src/detect.h b/src/detect.h index 77a657594b..c7ab286072 100644 --- a/src/detect.h +++ b/src/detect.h @@ -631,6 +631,9 @@ typedef struct SignatureInitData_ { DetectEngineTransforms transforms; + /** rule protocol settings */ + DetectProto proto; + /** score to influence rule grouping. A higher value leads to a higher * likelihood of a rulegroup with this sig ending up as a contained * group. */ @@ -684,8 +687,8 @@ typedef struct Signature_ { uint8_t action; uint8_t file_flags; - /** addresses, ports and proto this sig matches on */ - DetectProto proto; + /** rule protocol: can be NULL if the check can be skipped */ + DetectProto *proto; /* scope setting for the action: enum ActionScope */ uint8_t action_scope;
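Review bot: `DetectProto *proto` is placed between `uint8_t file_flags` and `uint8_t action_scope` in Signature_, so on a 64-bit build the pointer's alignment likely inserts padding around it and gives back part of the size this commit is trying to save. Moving the member next to the struct's other pointer members (outside the hunk) would avoid that, and the resulting layout can be checked with pahole. The comment could also state ownership, for example `/** rule protocol, freed in SigFree(); NULL if the check can be skipped */`.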