From ec39f5446cf31c450dd373113c39d0ac98f38fdc Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Sun, 25 Jan 2009 19:44:17 +0100 Subject: [PATCH] Fix rule tree update. Fix bloomfilter error in b2g. --- src/detect-engine-address-ipv4.c | 34 ++++++++++++++++++++++++++------ src/detect-engine-address-ipv6.c | 29 +++++++++++++++++++++------ src/detect-engine-port.c | 21 ++++++++++---------- src/detect.c | 20 +++++++++++-------- src/util-mpm-b2g.c | 6 +++--- 5 files changed, 77 insertions(+), 33 deletions(-) diff --git a/src/detect-engine-address-ipv4.c b/src/detect-engine-address-ipv4.c index 1f0b4831da..1420a5129f 100644 --- a/src/detect-engine-address-ipv4.c +++ b/src/detect-engine-address-ipv4.c @@ -72,6 +72,7 @@ int DetectAddressGroupCutIPv4(DetectAddressGroup *a, DetectAddressGroup *b, Dete u_int32_t b_ip1 = ntohl(b->ad->ip[0]); u_int32_t b_ip2 = ntohl(b->ad->ip2[0]); DetectPort *port = NULL; + DetectAddressGroup *tmp = NULL; /* default to NULL */ *c = NULL; @@ -83,7 +84,7 @@ int DetectAddressGroupCutIPv4(DetectAddressGroup *a, DetectAddressGroup *b, Dete } /* get a place to temporary put sigs lists */ - DetectAddressGroup *tmp = DetectAddressGroupInit(); + tmp = DetectAddressGroupInit(); if (tmp == NULL) { goto error; } @@ -225,6 +226,9 @@ int DetectAddressGroupCutIPv4(DetectAddressGroup *a, DetectAddressGroup *b, Dete /* 'b' overlaps 'a' so 'a' needs the 'b' sigs */ SigGroupHeadCopySigs(b->sh,&a->sh); + //printf("a: "); DetectAddressDataPrint(a->ad); printf(": "); DbgPrintSigs2(a->sh); + //printf("b: "); DetectAddressDataPrint(b->ad); printf(": "); DbgPrintSigs2(b->sh); + for (port = b->port; port != NULL; port = port->next) { DetectPortInsertCopy(&a->port, port); } 
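Review bot: The two `//printf(...)` lines added ahead of the port-copy loop in the last hunk above are commented-out debug code, so the compiler never checks them and they will drift as `DetectAddressDataPrint` and `DbgPrintSigs2` change. The next hunk of this file already shows an `#ifdef DBG` block; moving these prints inside `#ifdef DBG` … `#endif`, or dropping them, would match it. The same applies to the `//printf` lines added in the following ipv4 hunk and in the `CreateGroupedAddrList` hunks of src/detect.c. DetectAddressGroupCutIPv4 starts and ends outside this hunk.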
@@ -234,19 +238,35 @@ int DetectAddressGroupCutIPv4(DetectAddressGroup *a, DetectAddressGroup *b, Dete #ifdef DBG printf("DetectAddressGroupCutIPv4: 2\n"); #endif + //printf("1a: "); DetectAddressDataPrint(a->ad); printf(": "); DbgPrintSigs2(a->sh); + //printf("1b: "); DetectAddressDataPrint(b->ad); printf(": "); DbgPrintSigs2(b->sh); a->ad->ip[0] = htonl(b_ip1); a->ad->ip2[0] = htonl(a_ip1 - 1); b->ad->ip[0] = htonl(a_ip1); b->ad->ip2[0] = htonl(a_ip2); - /* 'a' overlaps 'b' so a needs the 'a' sigs */ - SigGroupHeadCopySigs(a->sh,&b->sh); + /* 'a' overlaps 'b' so 'b' needs the 'a' sigs */ + SigGroupHeadCopySigs(a->sh,&tmp->sh); + SigGroupHeadClearSigs(a->sh); + SigGroupHeadCopySigs(b->sh,&a->sh); + SigGroupHeadCopySigs(tmp->sh,&b->sh); + SigGroupHeadClearSigs(tmp->sh); for (port = a->port; port != NULL; port = port->next) { + DetectPortInsertCopy(&tmp->port, a->port); + } + for (port = b->port; port != NULL; port = port->next) { + DetectPortInsertCopy(&a->port, port); + } + for (port = tmp->port; port != NULL; port = port->next) { DetectPortInsertCopy(&b->port, port); } - b->cnt += a->cnt; + tmp->cnt += a->cnt; + a->cnt = 0; + a->cnt += b->cnt; + b->cnt += tmp->cnt; + tmp->cnt = 0; } else { #ifdef DBG printf("3\n"); @@ -413,11 +433,13 @@ int DetectAddressGroupCutIPv4(DetectAddressGroup *a, DetectAddressGroup *b, Dete } } - DetectAddressGroupFree(tmp); + if (tmp != NULL) + DetectAddressGroupFree(tmp); return 0; error: - DetectAddressGroupFree(tmp); + if (tmp != NULL) + DetectAddressGroupFree(tmp); return -1; } diff --git a/src/detect-engine-address-ipv6.c b/src/detect-engine-address-ipv6.c index 66fa115eec..fc3a20e7ad 100644 --- a/src/detect-engine-address-ipv6.c +++ b/src/detect-engine-address-ipv6.c 
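Review bot: The first of the three new port loops in the `-234,19 +238,35` hunk passes the list head instead of the loop cursor: `DetectPortInsertCopy(&tmp->port, a->port);` runs once per element of `a->port` but hands the same head entry to the copy each time. It should read `DetectPortInsertCopy(&tmp->port, port);`, as the two loops after it do; otherwise `tmp->port`, and therefore `b`, presumably never receives the rest of `a`'s ports. The identical line is added in the matching hunk of src/detect-engine-address-ipv6.c. Separately, `a`'s signatures are cleared with `SigGroupHeadClearSigs(a->sh)` before `b`'s are copied in, but `a->port` is not emptied before `b`'s ports are merged, so `a` appears to keep its old ports; confirm that is intended, since a wrong port list in the rule tree means signatures are evaluated against the wrong traffic. The function body continues outside the hunk.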
@@ -197,6 +197,7 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete u_int32_t b_ip2[4] = { ntohl(b->ad->ip2[0]), ntohl(b->ad->ip2[1]), ntohl(b->ad->ip2[2]), ntohl(b->ad->ip2[3]) }; DetectPort *port = NULL; + DetectAddressGroup *tmp = NULL; /* default to NULL */ *c = NULL; @@ -207,7 +208,7 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete } /* get a place to temporary put sigs lists */ - DetectAddressGroup *tmp = DetectAddressGroupInit(); + tmp = DetectAddressGroupInit(); if (tmp == NULL) { goto error; } @@ -346,13 +347,27 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete AddressCutIPv6Copy(a_ip1, b->ad->ip); AddressCutIPv6Copy(a_ip2, b->ad->ip2); - /* 'a' overlaps 'b' so a needs the 'a' sigs */ - SigGroupHeadCopySigs(a->sh,&b->sh); + /* 'a' overlaps 'b' so 'b' needs the 'a' sigs */ + SigGroupHeadCopySigs(a->sh,&tmp->sh); + SigGroupHeadClearSigs(a->sh); + SigGroupHeadCopySigs(b->sh,&a->sh); + SigGroupHeadCopySigs(tmp->sh,&b->sh); + SigGroupHeadClearSigs(tmp->sh); for (port = a->port; port != NULL; port = port->next) { + DetectPortInsertCopy(&tmp->port, a->port); + } + for (port = b->port; port != NULL; port = port->next) { + DetectPortInsertCopy(&a->port, port); + } + for (port = tmp->port; port != NULL; port = port->next) { DetectPortInsertCopy(&b->port, port); } - b->cnt += a->cnt; + tmp->cnt += a->cnt; + a->cnt = 0; + a->cnt += b->cnt; + b->cnt += tmp->cnt; + tmp->cnt = 0; } else { AddressCutIPv6Copy(b_ip1, a->ad->ip); AddressCutIPv6CopySubOne(a_ip1, a->ad->ip2); @@ -501,11 +516,13 @@ int DetectAddressGroupCutIPv6(DetectAddressGroup *a, DetectAddressGroup *b, Dete } } - DetectAddressGroupFree(tmp); + if (tmp != NULL) + DetectAddressGroupFree(tmp); return 0; error: - DetectAddressGroupFree(tmp); + if (tmp != NULL) + DetectAddressGroupFree(tmp); return -1; } diff --git a/src/detect-engine-port.c b/src/detect-engine-port.c index 0b2f45ab59..8421c99691 100644 
--- a/src/detect-engine-port.c +++ b/src/detect-engine-port.c @@ -214,11 +214,10 @@ int DetectPortInsert(DetectPort **head, DetectPort *new) { if (new == NULL) return 0; - #ifdef DBG - printf("DetectPortInsert: head %p, new %p, new->dp %p\n", head, new, new->dp); + printf("DetectPortInsert: head %p, new %p\n", head, new); printf("DetectPortInsert: inserting (sig %u) ", new->sh ? new->sh->sig_cnt : 0); DetectPortPrint(new); printf("\n"); - //DetectPortPrintList(*head); + DetectPortPrintList(*head); #endif /* see if it already exists or overlaps with existing ag's */ @@ -570,6 +569,7 @@ int DetectPortCut(DetectPort *a, DetectPort *b, DetectPort **c) { u_int32_t a_port2 = a->port2; u_int32_t b_port1 = b->port; u_int32_t b_port2 = b->port2; + DetectPort *tmp = NULL; /* default to NULL */ *c = NULL; @@ -584,7 +584,6 @@ int DetectPortCut(DetectPort *a, DetectPort *b, DetectPort **c) { } /* get a place to temporary put sigs lists */ - DetectPort *tmp = NULL; tmp = DetectPortInit(); if (tmp == NULL) { goto error; @@ -709,7 +708,7 @@ int DetectPortCut(DetectPort *a, DetectPort *b, DetectPort **c) { b->port = a_port1; b->port2 = a_port2; - /* 'a' overlaps 'b' so a needs the 'a' sigs */ + /* 'a' overlaps 'b' so 'b' needs the 'a' sigs */ SigGroupHeadCopySigs(a->sh,&b->sh); b->cnt += a->cnt; @@ -740,7 +739,7 @@ int DetectPortCut(DetectPort *a, DetectPort *b, DetectPort **c) { SigGroupHeadClearSigs(a->sh); /* clean a list */ SigGroupHeadCopySigs(b->sh,&tmp_c->sh); /* copy old b to c */ SigGroupHeadCopySigs(b->sh,&a->sh); /* copy old b to a */ - SigGroupHeadCopySigs(tmp->sh,&b->sh); /* prepend old a before b */ + SigGroupHeadCopySigs(tmp->sh,&b->sh); /* merge old a with b */ SigGroupHeadClearSigs(tmp->sh); /* clean tmp list */ 
@@ -781,7 +780,7 @@ int DetectPortCut(DetectPort *a, DetectPort *b, DetectPort **c) { b->port = b_port2 + 1; b->port2 = a_port2; - /* 'b' overlaps 'a' so a needs the 'b' sigs */ + /* 'b' overlaps 'a' so 'a' needs the 'b' sigs */ SigGroupHeadCopySigs(b->sh,&tmp->sh); SigGroupHeadClearSigs(b->sh); SigGroupHeadCopySigs(a->sh,&b->sh); @@ -807,7 +806,7 @@ int DetectPortCut(DetectPort *a, DetectPort *b, DetectPort **c) { b->port = b_port1; b->port2 = b_port2; - /* 'a' overlaps 'b' so a needs the 'a' sigs */ + /* 'a' overlaps 'b' so 'b' needs the 'a' sigs */ SigGroupHeadCopySigs(a->sh,&b->sh); b->cnt += a->cnt; @@ -841,12 +840,14 @@ int DetectPortCut(DetectPort *a, DetectPort *b, DetectPort **c) { } /* XXX free tmp */ - DetectPortFree(tmp); + if (tmp != NULL) + DetectPortFree(tmp); return 0; error: /* XXX free tmp */ - DetectPortFree(tmp); + if (tmp != NULL) + DetectPortFree(tmp); return -1; return -1; diff --git a/src/detect.c b/src/detect.c index 484e0ff4d8..de59985fa7 100644 --- a/src/detect.c +++ b/src/detect.c @@ -170,6 +170,7 @@ void SigLoadSignatures (void) return; prevsig->next = sig; prevsig = sig; + /* sig = SigInit("alert udp any any -> any any (msg:\"ViCtOr nocase test\"; sid:4; rev:13; content:\"ViCtOr!!\"; offset:100; depth:150; nocase; content:\"ViCtOr!!\"; nocase; offset:99; depth:150;)"); if (sig == NULL) @@ -852,7 +853,7 @@ static DetectAddressGroup *GetHeadPtr(DetectAddressGroupsHead *head, int family) return grhead; } -#define MAX_UNIQ_GROUPS 3 +#define MAX_UNIQ_GROUPS 2 /* set unique_groups to 0 for no grouping. * @@ -868,6 +869,7 @@ int CreateGroupedAddrList(DetectAddressGroup *srchead, int family, DetectAddress /* insert the addresses into the tmplist, where it will * be sorted descending on 'cnt'. */ for (gr = srchead; gr != NULL; gr = gr->next) { +// printf(" 1 -= Address "); DetectAddressDataPrint(gr->ad); printf(" : "); DbgPrintSigs2(gr->sh); groups++; /* alloc a copy */ 
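Review bot: The `/* XXX free tmp */` comments above both `DetectPortFree(tmp)` calls in the `-841,12 +840,14` hunk of src/detect-engine-port.c are stale, because `tmp` is now initialised to NULL and released on both the success and error paths. They could be dropped or replaced with something like `/* tmp stays NULL if we bail out before it is allocated */`. The context after the `error:` label also shows `return -1;` twice; the second is unreachable and could be removed in the same change. The new guards are unbraced two-line `if (tmp != NULL)` statements; adding braces would protect them when another cleanup call is added later.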
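Review bot: `MAX_UNIQ_GROUPS` drops from 3 to 2 in the `-852,7 +853,7` hunk of src/detect.c with no comment, and the commit message mentions only the rule-tree and bloom-filter fixes. If this is a deliberate tuning change, a comment on the `#define` stating what the limit bounds and why 2 was chosen would make that visible. If it was lowered only while debugging the tree update, it should be reverted before merging. How the constant is consumed is not visible in this hunk, so the effect on grouping is inferred from the surrounding comment about `unique_groups`.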
@@ -981,6 +983,7 @@ int CreateGroupedAddrList(DetectAddressGroup *srchead, int family, DetectAddress * * Start with inserting the unique groups */ for (gr = tmplist2; gr != NULL; ) { +// printf(" 2 -= U Address "); DetectAddressDataPrint(gr->ad); printf(" : "); DbgPrintSigs2(gr->sh); DetectAddressGroup *newtmp = DetectAddressGroupInit(); if (newtmp == NULL) { goto error; @@ -1007,6 +1010,7 @@ int CreateGroupedAddrList(DetectAddressGroup *srchead, int family, DetectAddress } /* if present, insert the joingr that covers the rest */ if (joingr != NULL) { +// printf(" 3 -= J Address "); DetectAddressDataPrint(joingr->ad); printf(" : "); DbgPrintSigs2(joingr->sh); DetectAddressGroupInsert(newhead,joingr); /* mark the groups that are not unique */ @@ -1026,9 +1030,9 @@ int CreateGroupedAddrList(DetectAddressGroup *srchead, int family, DetectAddress } - //for (gr = newhead->ipv4_head; gr != NULL; gr = gr->next) { - // printf(" -= Address "); DetectAddressDataPrint(gr->ad); printf("\n"); - //} + for (gr = newhead->ipv4_head; gr != NULL; gr = gr->next) { +// printf(" 4 -= R Address "); DetectAddressDataPrint(gr->ad); printf(" : "); DbgPrintSigs2(gr->sh); + } return 0; error: @@ -1130,9 +1134,9 @@ int CreateGroupedPortList(DetectPort *srchead, DetectPort **newhead, u_int32_t u DetectPortInsert(newhead,joingr); } - //for (gr = *newhead; gr != NULL; gr = gr->next) { - // printf(" -= Port "); DetectPortPrint(gr); printf("\n"); - //} + for (gr = *newhead; gr != NULL; gr = gr->next) { + //printf(" -= Port "); DetectPortPrint(gr); printf(" : "); DbgPrintSigs2(gr->sh); + } return 0; error: @@ -2352,7 +2356,7 @@ int SigGroupBuild (DetectEngineCtx *de_ctx) { SigAddressPrepareStage1(de_ctx); SigAddressPrepareStage2(de_ctx); SigAddressPrepareStage3(de_ctx); -// SigAddressPrepareStage5(); + //SigAddressPrepareStage5(); DbgPrintScanSearchStats(); // DetectAddressGroupPrintMemory(); // DetectSigGroupPrintMemory(); 
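Review bot: The `for` loop over `newhead->ipv4_head` is re-enabled in the `-1026,9 +1030,9` hunk while its only statement stays commented out, leaving a list walk with an empty body in every build. Either keep the whole loop disabled or compile it conditionally: wrap the loop in `#ifdef DBG` … `#endif` with the `printf` restored, as src/detect-engine-port.c does for its debug output. The same empty loop is introduced at the end of `CreateGroupedPortList` in the next hunk. This loop also walks only the IPv4 head, so it would not show IPv6 groups even when enabled.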
diff --git a/src/util-mpm-b2g.c b/src/util-mpm-b2g.c index 72f8d20b3a..df7baee474 100644 --- a/src/util-mpm-b2g.c +++ b/src/util-mpm-b2g.c @@ -463,11 +463,11 @@ static void B2gPrepareScanHash(MpmCtx *mpm_ctx) { hi->idx = i; hi->flags |= 0x01; - if (ctx->parray[i]->len < hi->p_min_len) - hi->p_min_len = ctx->parray[i]->len; - /* Append this HashItem to the list */ B2gHashItem *thi = ctx->scan_hash[idx]; + if (ctx->parray[i]->len < thi->p_min_len) + thi->p_min_len = ctx->parray[i]->len; + while (thi->nxt) thi = thi->nxt; thi->nxt = hi; }
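Review bot: The minimum pattern length is now tracked on the bucket head `thi` instead of the new item `hi`, but nothing in the hunk states that the head entry carries the minimum for its whole chain. A comment above the check such as `/* the bucket head holds the shortest pattern length of its chain */` would record that invariant, which the bloom-filter fix named in the commit title presumably depends on. `thi` is dereferenced immediately after being read from `ctx->scan_hash[idx]`, so this relies on the enclosing branch, which starts outside the hunk, guaranteeing a non-empty bucket. Confirm that, and that the head's `p_min_len` is initialised where the first item of a bucket is stored.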