diff --git a/src/detect.c b/src/detect.c index 4a12286611..5b543ed936 100644 --- a/src/detect.c +++ b/src/detect.c @@ -615,38 +615,21 @@ SigGroupHead *SigMatchSignaturesGetSgh(DetectEngineCtx *de_ctx, DetectEngineThre else f = 1; - SCLogDebug("f %d", f); - SCLogDebug("IP_GET_IPPROTO(p) %u", IP_GET_IPPROTO(p)); - - /* find the right mpm instance */ - DetectAddress *ag = DetectAddressLookupInHead(de_ctx->flow_gh[f].src_gh[IP_GET_IPPROTO(p)], &p->src); - if (ag != NULL) { - /* source group found, lets try a dst group */ - ag = DetectAddressLookupInHead(ag->dst_gh, &p->dst); - if (ag != NULL) { - if (ag->port == NULL) { - SCLogDebug("we don't have ports"); - sgh = ag->sh; - } else { - SCLogDebug("we have ports"); - - DetectPort *sport = DetectPortLookupGroup(ag->port,p->sp); - if (sport != NULL) { - DetectPort *dport = DetectPortLookupGroup(sport->dst_ph,p->dp); - if (dport != NULL) { - sgh = dport->sh; - } else { - SCLogDebug("no dst port group found for the packet with dp %"PRIu16"", p->dp); - } - } else { - SCLogDebug("no src port group found for the packet with sp %"PRIu16"", p->sp); - } - } - } else { - SCLogDebug("no dst address group found for the packet"); - } + int proto = IP_GET_IPPROTO(p); + if (proto == IPPROTO_TCP) { + DetectPort *list = de_ctx->flow_gh[f].tcp; + uint16_t port = f ? p->dp : p->sp; + DetectPort *sghport = DetectPortLookupGroup(list, port); + if (sghport != NULL) + sgh = sghport->sh; + } else if (proto == IPPROTO_UDP) { + DetectPort *list = de_ctx->flow_gh[f].udp; + uint16_t port = f ? p->dp : p->sp; + DetectPort *sghport = DetectPortLookupGroup(list, port); + if (sghport != NULL) + sgh = sghport->sh; } else { - SCLogDebug("no src address group found for the packet"); + sgh = de_ctx->flow_gh[f].sgh[proto]; } SCReturnPtr(sgh, "SigGroupHead"); @@ -2878,6 +2861,93 @@ static void SigParseApplyDsizeToContent(Signature *s) } } +static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, int ipproto, uint32_t direction) { + /* step 1: create a list of 'DetectPort' objects based on all the + * rules. Each object will have a SGH with the sigs added + * that belong to the SGH. */ + + uint32_t max_idx = 0; + const Signature *s = de_ctx->sig_list; + DetectPort *list = NULL; + while (s) { + /* IP Only rules are handled separately */ + if (s->flags & SIG_FLAG_IPONLY) + goto next; + if (!(s->proto.proto[ipproto / 8] & (1<<(ipproto % 8)) || (s->proto.flags & DETECT_PROTO_ANY))) + goto next; + if (!(s->flags & direction)) + goto next; + + DetectPort *p = NULL; + if (direction == SIG_FLAG_TOSERVER) + p = s->dp; + else if (direction == SIG_FLAG_TOCLIENT) + p = s->sp; + else + BUG_ON(1); + + while (p) { + DetectPort *tmp = DetectPortCopySingle(de_ctx, p); + BUG_ON(tmp == NULL); + SigGroupHeadAppendSig(de_ctx, &tmp->sh, s); + + int r = DetectPortInsert(de_ctx, &list , tmp); + BUG_ON(r == -1); + + p = p->next; + } + max_idx = s->num; + next: + s = s->next; + } + + /* step 2: deduplicate the SGH's */ + SigGroupHeadHashFree(de_ctx); + SigGroupHeadHashInit(de_ctx); + + uint32_t cnt = 0; + uint32_t own = 0; + uint32_t ref = 0; + DetectPort *iter; + for (iter = list ; iter != NULL; iter = iter->next) { + BUG_ON (iter->sh == NULL); + cnt++; + + SigGroupHead *lookup_sgh = SigGroupHeadHashLookup(de_ctx, iter->sh); + if (lookup_sgh == NULL) { + SCLogDebug("port group %p sgh %p is the original", iter, iter->sh); + + SigGroupHeadSetSigCnt(iter->sh, max_idx); + SigGroupHeadBuildMatchArray(de_ctx, iter->sh, max_idx); + + /* init the pattern matcher, this will respect the copy + * setting */ + BUG_ON(PatternMatchPrepareGroup(de_ctx, iter->sh) != 0); + SigGroupHeadHashAdd(de_ctx, iter->sh); + SigGroupHeadStore(de_ctx, iter->sh); + de_ctx->gh_unique++; + own++; + } else { + SCLogDebug("port group %p sgh %p is a copy", iter, iter->sh); + + SigGroupHeadFree(iter->sh); + iter->sh = lookup_sgh; + iter->flags |= PORT_SIGGROUPHEAD_COPY; + iter->sh->flags |= SIG_GROUP_HEAD_REFERENCED; + + de_ctx->gh_reuse++; + ref++; + } + } +#if 0 + for (iter = list ; iter != NULL; iter = iter->next) { + SCLogInfo("PORT %u-%u %p (sgh=%s)", iter->port, iter->port2, iter->sh, iter->flags & PORT_SIGGROUPHEAD_COPY ? "ref" : "own"); + } +#endif + SCLogInfo("%u port groups, %u unique SGH's, %u copies", cnt, own, ref); + return list; +} + /** * \brief Preprocess signature, classify ip-only, etc, build sig array * @@ -3004,83 +3074,36 @@ error: return -1; } -static int DetectEngineLookupBuildSourceAddressList(DetectEngineCtx *de_ctx, - DetectEngineLookupFlow *flow_gh, - Signature *s, int family) -{ - DetectAddress *gr = NULL, *lookup_gr = NULL, *head = NULL; - int proto; - - if (family == AF_INET) { - head = s->src.ipv4_head; - } else if (family == AF_INET6) { - head = s->src.ipv6_head; - } else { - head = s->src.any_head; - } - - /* for each source address group in the signature... */ - for (gr = head; gr != NULL; gr = gr->next) { - BUG_ON(gr->ip.family == 0 && !(gr->flags & ADDRESS_FLAG_ANY)); - - /* ...and each protocol the signature matches on... */ - for (proto = 0; proto < 256; proto++) { - if ((s->proto.proto[(proto/8)] & (1<<(proto%8))) || (s->proto.flags & DETECT_PROTO_ANY)) { - /* ...see if the group is in the tmp list, and if not add it. */ - if (family == AF_INET) { - lookup_gr = DetectAddressLookupInList(flow_gh->tmp_gh[proto]->ipv4_head,gr); - } else if (family == AF_INET6) { - lookup_gr = DetectAddressLookupInList(flow_gh->tmp_gh[proto]->ipv6_head,gr); - } else { - lookup_gr = DetectAddressLookupInList(flow_gh->tmp_gh[proto]->any_head,gr); - } - - if (lookup_gr == NULL) { - DetectAddress *grtmp = DetectAddressCopy(gr); - if (grtmp == NULL) { - goto error; - } - SigGroupHeadAppendSig(de_ctx, &grtmp->sh, s); - - /* add to the lookup list */ - if (family == AF_INET) { - DetectAddressAdd(&flow_gh->tmp_gh[proto]->ipv4_head, grtmp); - } else if (family == AF_INET6) { - DetectAddressAdd(&flow_gh->tmp_gh[proto]->ipv6_head, grtmp); - } else { - DetectAddressAdd(&flow_gh->tmp_gh[proto]->any_head, grtmp); - } - } else { - /* our group will only have one sig, this one. So add that. */ - SigGroupHeadAppendSig(de_ctx, &lookup_gr->sh, s); - lookup_gr->cnt++; - } - } - } - } - - return 0; -error: - return -1; -} - /** * \brief add signature to the right flow group(s) */ -static int DetectEngineLookupFlowAddSig(DetectEngineCtx *de_ctx, Signature *s, int family) +static int DetectEngineLookupFlowAddSig(DetectEngineCtx *de_ctx, Signature *s) { SCLogDebug("s->id %u", s->id); - if (s->flags & SIG_FLAG_TOCLIENT) { - SCLogDebug("s->id %u (toclient)", s->id); - DetectEngineLookupBuildSourceAddressList(de_ctx, - &de_ctx->flow_gh[0], s, family); + uint32_t cnt_ts = 0; + uint32_t cnt_tc = 0; + + int p; + for (p = 0; p < 256; p++) { + if (p == IPPROTO_TCP || p == IPPROTO_UDP) + continue; + + if (s->proto.proto[p / 8] & (1<<(p % 8)) || (s->proto.flags & DETECT_PROTO_ANY)) { + if (s->flags & SIG_FLAG_TOCLIENT) { + SigGroupHeadAppendSig(de_ctx, &de_ctx->flow_gh[0].sgh[p], s); + cnt_tc++; + } + if (s->flags & SIG_FLAG_TOSERVER) { + SigGroupHeadAppendSig(de_ctx, &de_ctx->flow_gh[1].sgh[p], s); + cnt_ts++; + } + } } - if (s->flags & SIG_FLAG_TOSERVER) { - SCLogDebug("s->id %u (toserver)", s->id); - DetectEngineLookupBuildSourceAddressList(de_ctx, - &de_ctx->flow_gh[1], s, family); + /* see which rules use many protos. > 2 as alert icmp actually is also icmpv6. */ + if (cnt_ts > 2 || cnt_tc > 2) { + SCLogDebug("Rule %u added to multiple proto groups (%u ts/%u tc)", s->id, cnt_ts, cnt_tc); } return 0; @@ -3476,19 +3499,10 @@ int SigAddressPrepareStage2(DetectEngineCtx *de_ctx) IPOnlyInit(de_ctx, &de_ctx->io_ctx); - int f, proto; - for (f = 0; f < FLOW_STATES; f++) { - for (proto = 0; proto < 256; proto++) { - de_ctx->flow_gh[f].src_gh[proto] = DetectAddressHeadInit(); - if (de_ctx->flow_gh[f].src_gh[proto] == NULL) { - goto error; - } - de_ctx->flow_gh[f].tmp_gh[proto] = DetectAddressHeadInit(); - if (de_ctx->flow_gh[f].tmp_gh[proto] == NULL) { - goto error; - } - } - } + de_ctx->flow_gh[1].tcp = RulesGroupByPorts(de_ctx, IPPROTO_TCP, SIG_FLAG_TOSERVER); + de_ctx->flow_gh[0].tcp = RulesGroupByPorts(de_ctx, IPPROTO_TCP, SIG_FLAG_TOCLIENT); + de_ctx->flow_gh[1].udp = RulesGroupByPorts(de_ctx, IPPROTO_UDP, SIG_FLAG_TOSERVER); + de_ctx->flow_gh[0].udp = RulesGroupByPorts(de_ctx, IPPROTO_UDP, SIG_FLAG_TOCLIENT); /* now for every rule add the source group to our temp lists */ for (tmp_s = de_ctx->sig_list; tmp_s != NULL; tmp_s = tmp_s->next) { @@ -3496,9 +3510,8 @@ int SigAddressPrepareStage2(DetectEngineCtx *de_ctx) if (tmp_s->flags & SIG_FLAG_IPONLY) { IPOnlyAddSignature(de_ctx, &de_ctx->io_ctx, tmp_s); } else { - DetectEngineLookupFlowAddSig(de_ctx, tmp_s, AF_INET); - DetectEngineLookupFlowAddSig(de_ctx, tmp_s, AF_INET6); - DetectEngineLookupFlowAddSig(de_ctx, tmp_s, AF_UNSPEC); + /* handle non-tcp/non-udp rules */ + DetectEngineLookupFlowAddSig(de_ctx, tmp_s); } if (tmp_s->init_flags & SIG_FLAG_INIT_DEONLY) { @@ -3508,136 +3521,10 @@ int SigAddressPrepareStage2(DetectEngineCtx *de_ctx) sigs++; } - /* create the final src addr list based on the tmplist. */ - for (f = 0; f < FLOW_STATES; f++) { - for (proto = 0; proto < 256; proto++) { - int groups = (f ? de_ctx->max_uniq_toserver_src_groups : de_ctx->max_uniq_toclient_src_groups); - - CreateGroupedAddrList(de_ctx, - de_ctx->flow_gh[f].tmp_gh[proto]->ipv4_head, AF_INET, - de_ctx->flow_gh[f].src_gh[proto], groups, - CreateGroupedAddrListCmpMpmMinlen, DetectEngineGetMaxSigId(de_ctx)); - - CreateGroupedAddrList(de_ctx, - de_ctx->flow_gh[f].tmp_gh[proto]->ipv6_head, AF_INET6, - de_ctx->flow_gh[f].src_gh[proto], groups, - CreateGroupedAddrListCmpMpmMinlen, DetectEngineGetMaxSigId(de_ctx)); - CreateGroupedAddrList(de_ctx, - de_ctx->flow_gh[f].tmp_gh[proto]->any_head, AF_UNSPEC, - de_ctx->flow_gh[f].src_gh[proto], groups, - CreateGroupedAddrListCmpMpmMinlen, DetectEngineGetMaxSigId(de_ctx)); - - DetectAddressHeadFree(de_ctx->flow_gh[f].tmp_gh[proto]); - de_ctx->flow_gh[f].tmp_gh[proto] = NULL; - } - } - //DetectAddressPrintMemory(); - //DetectSigGroupPrintMemory(); - - //printf("g_src_gh strt\n"); - //DetectAddressPrintList(g_src_gh->ipv4_head); - //printf("g_src_gh end\n"); - IPOnlyPrepare(de_ctx); IPOnlyPrint(de_ctx, &de_ctx->io_ctx); -#ifdef DEBUG - DetectAddress *gr = NULL; - if (!(de_ctx->flags & DE_QUIET)) { - SCLogDebug("%" PRIu32 " total signatures:", sigs); - } - - /* TCP */ - uint32_t cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0; - for (f = 0; f < FLOW_STATES; f++) { - for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_TCP]->any_head; gr != NULL; gr = gr->next) { - cnt_any++; - } - } - for (f = 0; f < FLOW_STATES; f++) { - for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_TCP]->ipv4_head; gr != NULL; gr = gr->next) { - cnt_ipv4++; - } - } - for (f = 0; f < FLOW_STATES; f++) { - for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_TCP]->ipv6_head; gr != NULL; gr = gr->next) { - cnt_ipv6++; - } - } - if (!(de_ctx->flags & DE_QUIET)) { - SCLogDebug("TCP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6); - } - - cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0; - /* UDP */ - for (f = 0; f < FLOW_STATES; f++) { - for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_UDP]->any_head; gr != NULL; gr = gr->next) { - cnt_any++; - } - } - for (f = 0; f < FLOW_STATES; f++) { - for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_UDP]->ipv4_head; gr != NULL; gr = gr->next) { - cnt_ipv4++; - } - } - for (f = 0; f < FLOW_STATES; f++) { - for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_UDP]->ipv6_head; gr != NULL; gr = gr->next) { - cnt_ipv6++; - } - } - if (!(de_ctx->flags & DE_QUIET)) { - SCLogDebug("UDP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6); - } - - cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0; - /* SCTP */ - for (f = 0; f < FLOW_STATES; f++) { - for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP]->any_head; gr != NULL; gr = gr->next) { - cnt_any++; - } - } - for (f = 0; f < FLOW_STATES; f++) { - for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP]->ipv4_head; gr != NULL; gr = gr->next) { - cnt_ipv4++; - } - } - for (f = 0; f < FLOW_STATES; f++) { - for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP]->ipv6_head; gr != NULL; gr = gr->next) { - cnt_ipv6++; - } - } - if (!(de_ctx->flags & DE_QUIET)) { - SCLogDebug("SCTP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6); - } - - /* ICMP */ - cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0; - for (f = 0; f < FLOW_STATES; f++) { - for (gr = de_ctx->flow_gh[f].src_gh[1]->any_head; gr != NULL; gr = gr->next) { - cnt_any++; - } - } - for (f = 0; f < FLOW_STATES; f++) { - for (gr = de_ctx->flow_gh[f].src_gh[1]->ipv4_head; gr != NULL; gr = gr->next) { - cnt_ipv4++; - } - } - for (f = 0; f < FLOW_STATES; f++) { - for (gr = de_ctx->flow_gh[f].src_gh[1]->ipv6_head; gr != NULL; gr = gr->next) { - cnt_ipv6++; - } - } - if (!(de_ctx->flags & DE_QUIET)) { - SCLogDebug("ICMP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6); - } -#endif /* DEBUG */ - if (!(de_ctx->flags & DE_QUIET)) { - SCLogInfo("building signature grouping structure, stage 2: building source address list... complete"); - } return 0; -error: - printf("SigAddressPrepareStage2 error\n"); - return -1; } /** @@ -4045,100 +3932,9 @@ static void DetectEngineBuildDecoderEventSgh(DetectEngineCtx *de_ctx) int SigAddressPrepareStage3(DetectEngineCtx *de_ctx) { - int r; - - if (!(de_ctx->flags & DE_QUIET)) { - SCLogDebug("building signature grouping structure, stage 3: " - "building destination address lists..."); - } - //DetectAddressPrintMemory(); - //DetectSigGroupPrintMemory(); - //DetectPortPrintMemory(); - - int f = 0; - int proto; - for (f = 0; f < FLOW_STATES; f++) { - r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_TCP],AF_INET,f,IPPROTO_TCP); - if (r < 0) { - printf ("BuildDestinationAddressHeads(src_gh[6],AF_INET) failed\n"); - goto error; - } - r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_UDP],AF_INET,f,IPPROTO_UDP); - if (r < 0) { - printf ("BuildDestinationAddressHeads(src_gh[17],AF_INET) failed\n"); - goto error; - } - r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP],AF_INET,f,IPPROTO_SCTP); - if (r < 0) { - printf ("BuildDestinationAddressHeads(src_gh[IPPROTO_SCTP],AF_INET) failed\n"); - goto error; - } - r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_TCP],AF_INET6,f,IPPROTO_TCP); - if (r < 0) { - printf ("BuildDestinationAddressHeads(src_gh[6],AF_INET) failed\n"); - goto error; - } - r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_UDP],AF_INET6,f,IPPROTO_UDP); - if (r < 0) { - printf ("BuildDestinationAddressHeads(src_gh[17],AF_INET) failed\n"); - goto error; - } - r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP],AF_INET6,f,IPPROTO_SCTP); - if (r < 0) { - printf ("BuildDestinationAddressHeads(src_gh[IPPROTO_SCTP],AF_INET) failed\n"); - goto error; - } - r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_TCP],AF_UNSPEC,f,IPPROTO_TCP); - if (r < 0) { - printf ("BuildDestinationAddressHeads(src_gh[6],AF_INET) failed\n"); - goto error; - } - r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_UDP],AF_UNSPEC,f,IPPROTO_UDP); - if (r < 0) { - printf ("BuildDestinationAddressHeads(src_gh[17],AF_INET) failed\n"); - goto error; - } - r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP],AF_UNSPEC,f,IPPROTO_SCTP); - if (r < 0) { - printf ("BuildDestinationAddressHeads(src_gh[IPPROTO_SCTP],AF_INET) failed\n"); - goto error; - } - for (proto = 0; proto < 256; proto++) { - if (proto == IPPROTO_TCP || proto == IPPROTO_UDP || proto == IPPROTO_SCTP) - continue; - - r = BuildDestinationAddressHeads(de_ctx, de_ctx->flow_gh[f].src_gh[proto],AF_INET,f,proto); - if (r < 0) { - printf ("BuildDestinationAddressHeads(src_gh[%" PRId32 "],AF_INET) failed\n", proto); - goto error; - } - r = BuildDestinationAddressHeads(de_ctx, de_ctx->flow_gh[f].src_gh[proto],AF_INET6,f,proto); - if (r < 0) { - printf ("BuildDestinationAddressHeads(src_gh[%" PRId32 "],AF_INET6) failed\n", proto); - goto error; - } - r = BuildDestinationAddressHeads(de_ctx, de_ctx->flow_gh[f].src_gh[proto],AF_UNSPEC,f,proto); /* for any */ - if (r < 0) { - printf ("BuildDestinationAddressHeads(src_gh[%" PRId32 "],AF_UNSPEC) failed\n", proto); - goto error; - } - } - } - /* prepare the decoder event sgh */ DetectEngineBuildDecoderEventSgh(de_ctx); - - if (!(de_ctx->flags & DE_QUIET)) { - SCLogDebug("max sig id %" PRIu32 ", array size %" PRIu32 "", DetectEngineGetMaxSigId(de_ctx), DetectEngineGetMaxSigId(de_ctx) / 8 + 1); - SCLogDebug("signature group heads: unique %" PRIu32 ", copies %" PRIu32 ".", de_ctx->gh_unique, de_ctx->gh_reuse); - SCLogDebug("port maxgroups: %" PRIu32 ", avg %" PRIu32 ", tot %" PRIu32 "", g_groupportlist_maxgroups, g_groupportlist_groupscnt ? g_groupportlist_totgroups/g_groupportlist_groupscnt : 0, g_groupportlist_totgroups); - - SCLogInfo("building signature grouping structure, stage 3: building destination address lists... complete"); - } return 0; -error: - printf("SigAddressPrepareStage3 error\n"); - return -1; } int SigAddressCleanupStage1(DetectEngineCtx *de_ctx) @@ -4148,16 +3944,6 @@ int SigAddressCleanupStage1(DetectEngineCtx *de_ctx) if (!(de_ctx->flags & DE_QUIET)) { SCLogDebug("cleaning up signature grouping structure..."); } - - int f, proto; - for (f = 0; f < FLOW_STATES; f++) { - for (proto = 0; proto < 256; proto++) { - /* XXX fix this */ - DetectAddressHeadFree(de_ctx->flow_gh[f].src_gh[proto]); - de_ctx->flow_gh[f].src_gh[proto] = NULL; - } - } - if (de_ctx->decoder_event_sgh) SigGroupHeadFree(de_ctx->decoder_event_sgh); de_ctx->decoder_event_sgh = NULL; @@ -4232,6 +4018,32 @@ int SigAddressPrepareStage4(DetectEngineCtx *de_ctx) uint32_t idx = 0; + for (idx = 0; idx < 256; idx++) { + int f = 0; + for (f = 0; f <= 1; f++) { + SigGroupHead *sgh = de_ctx->flow_gh[f].sgh[idx]; + if (sgh == NULL) { + //SCLogInfo("skipped %u/%d", idx, f); + continue; + } + + uint32_t max_idx = DetectEngineGetMaxSigId(de_ctx); + SigGroupHeadSetSigCnt(sgh, max_idx); + SigGroupHeadSetProtoAndDirection(sgh, idx, + ((f == 1) ? SIG_FLAG_TOSERVER : SIG_FLAG_TOCLIENT)); + SigGroupHeadBuildMatchArray(de_ctx, sgh, max_idx); + SigGroupHeadSetFilemagicFlag(de_ctx, sgh); + SigGroupHeadSetFileMd5Flag(de_ctx, sgh); + SigGroupHeadSetFilesizeFlag(de_ctx, sgh); + SigGroupHeadSetFilestoreCount(de_ctx, sgh); + SCLogDebug("filestore count %u", sgh->filestore_cnt); + + PatternMatchPrepareGroup(de_ctx, sgh); + SigGroupHeadBuildNonMpmArray(de_ctx, sgh); + } + } + + for (idx = 0; idx < de_ctx->sgh_array_cnt; idx++) { SigGroupHead *sgh = de_ctx->sgh_array[idx]; if (sgh == NULL) @@ -4276,371 +4088,59 @@ int SigAddressPrepareStage4(DetectEngineCtx *de_ctx) SCReturnInt(0); } -/* shortcut for debugging. If enabled Stage5 will - * print sigid's for all groups */ -#define PRINTSIGS - -/* just printing */ -int SigAddressPrepareStage5(DetectEngineCtx *de_ctx) +static int SigMatchListLen(SigMatch *sm) { - DetectAddressHead *global_dst_gh = NULL; - DetectAddress *global_src_gr = NULL, *global_dst_gr = NULL; - uint32_t u; + int len = 0; + for (; sm != NULL; sm = sm->next) + len++; - printf("* Building signature grouping structure, stage 5: print...\n"); + return len; +} - int f, proto; - printf("\n"); - for (f = 0; f < FLOW_STATES; f++) { - printf("\n"); - for (proto = 0; proto < 256; proto++) { - if (proto != IPPROTO_TCP) - continue; +static int SigMatchPrepare(DetectEngineCtx *de_ctx) +{ + SCEnter(); - for (global_src_gr = de_ctx->flow_gh[f].src_gh[proto]->ipv4_head; global_src_gr != NULL; - global_src_gr = global_src_gr->next) - { - printf("1 Src Addr: "); DetectAddressPrint(global_src_gr); - printf(" (sh %p)\n", global_src_gr->sh); - //printf("\n"); - -#ifdef PRINTSIGS - SigGroupHeadPrintSigs(de_ctx, global_src_gr->sh); - if (global_src_gr->sh != NULL) { - printf(" - "); - for (u = 0; u < global_src_gr->sh->sig_cnt; u++) { - Signature *s = global_src_gr->sh->match_array[u]; - printf("%" PRIu32 " ", s->id); - } - printf("\n"); + Signature *s = de_ctx->sig_list; + for (; s != NULL; s = s->next) { + int type; + for (type = 0; type < DETECT_SM_LIST_MAX; type++) { + SigMatch *sm = s->sm_lists[type]; + int len = SigMatchListLen(sm); + if (len == 0) + s->sm_arrays[type] = NULL; + else { + SigMatchData *smd = (SigMatchData*)SCMalloc(len * sizeof(SigMatchData)); + if (smd == NULL) { + SCLogError(SC_ERR_DETECT_PREPARE, "initializing the detection engine failed"); + exit(EXIT_FAILURE); } -#endif - - global_dst_gh = global_src_gr->dst_gh; - if (global_dst_gh == NULL) - continue; + /* Copy sm type and Context into array */ + s->sm_arrays[type] = smd; + for (; sm != NULL; sm = sm->next, smd++) { + smd->type = sm->type; + smd->ctx = sm->ctx; + smd->is_last = (sm->next == NULL); + } + } + } + } - for (global_dst_gr = global_dst_gh->ipv4_head; - global_dst_gr != NULL; - global_dst_gr = global_dst_gr->next) - { - printf(" 2 Dst Addr: "); DetectAddressPrint(global_dst_gr); + SCReturnInt(0); +} - //printf(" (sh %p) ", global_dst_gr->sh); - if (global_dst_gr->sh) { - if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) { - printf(" (COPY): "); - } else { - printf(" (ORIGINAL): "); - } - } else { - printf(" "); - } - -#ifdef PRINTSIGS - if (global_dst_gr->sh != NULL) { - printf(" - "); - for (u = 0; u < global_dst_gr->sh->sig_cnt; u++) { - Signature *s = global_dst_gr->sh->match_array[u]; - printf("%" PRIu32 " ", s->id); - } - printf("\n"); - } -#endif - - - DetectPort *sp = global_dst_gr->port; - for ( ; sp != NULL; sp = sp->next) { - printf(" 3 Src port(range): "); DetectPortPrint(sp); - //printf(" (sh %p)", sp->sh); - printf("\n"); - DetectPort *dp = sp->dst_ph; - for ( ; dp != NULL; dp = dp->next) { - printf(" 4 Dst port(range): "); DetectPortPrint(dp); - printf(" (sigs %" PRIu32 ", sgh %p, minlen %" PRIu32 ")", dp->sh->sig_cnt, dp->sh, dp->sh->mpm_content_minlen); -#ifdef PRINTSIGS - printf(" - "); - for (u = 0; u < dp->sh->sig_cnt; u++) { - Signature *s = dp->sh->match_array[u]; - printf("%" PRIu32 " ", s->id); - } -#endif - printf("\n"); - } - } - } - for (global_dst_gr = global_dst_gh->any_head; - global_dst_gr != NULL; - global_dst_gr = global_dst_gr->next) - { - printf(" - "); DetectAddressPrint(global_dst_gr); - //printf(" (sh %p) ", global_dst_gr->sh); - if (global_dst_gr->sh) { - if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) { - printf("(COPY)\n"); - } else { - printf("\n"); - } - } - DetectPort *sp = global_dst_gr->port; - for ( ; sp != NULL; sp = sp->next) { - printf(" * Src port(range): "); DetectPortPrint(sp); printf("\n"); - DetectPort *dp = sp->dst_ph; - for ( ; dp != NULL; dp = dp->next) { - printf(" * Dst port(range): "); DetectPortPrint(dp); - printf(" (sigs %" PRIu32 ")", dp->sh->sig_cnt); -#ifdef PRINTSIGS - printf(" - "); - for (u = 0; u < dp->sh->sig_cnt; u++) { - Signature *s = dp->sh->match_array[u]; - printf("%" PRIu32 " ", s->id); - } -#endif - printf("\n"); - } - } - } - } -#if 0 - for (global_src_gr = de_ctx->flow_gh[f].src_gh[proto]->ipv6_head; global_src_gr != NULL; - global_src_gr = global_src_gr->next) - { - printf("- "); DetectAddressPrint(global_src_gr); - //printf(" (sh %p)\n", global_src_gr->sh); - - global_dst_gh = global_src_gr->dst_gh; - if (global_dst_gh == NULL) - continue; - - for (global_dst_gr = global_dst_gh->ipv6_head; - global_dst_gr != NULL; - global_dst_gr = global_dst_gr->next) - { - printf(" - "); DetectAddressPrint(global_dst_gr); - //printf(" (sh %p) ", global_dst_gr->sh); - if (global_dst_gr->sh) { - if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) { - printf("(COPY)\n"); - } else { - printf("\n"); - } - } - DetectPort *sp = global_dst_gr->port; - for ( ; sp != NULL; sp = sp->next) { - printf(" * Src port(range): "); DetectPortPrint(sp); printf("\n"); - DetectPort *dp = sp->dst_ph; - for ( ; dp != NULL; dp = dp->next) { - printf(" * Dst port(range): "); DetectPortPrint(dp); - printf(" (sigs %" PRIu32 ")", dp->sh->sig_cnt); -#ifdef PRINTSIGS - printf(" - "); - for (u = 0; u < dp->sh->sig_cnt; u++) { - Signature *s = de_ctx->sig_array[dp->sh->match_array[u]]; - printf("%" PRIu32 " ", s->id); - } -#endif - printf("\n"); - } - } - } - for (global_dst_gr = global_dst_gh->any_head; - global_dst_gr != NULL; - global_dst_gr = global_dst_gr->next) - { - printf(" - "); DetectAddressPrint(global_dst_gr); - //printf(" (sh %p) ", global_dst_gr->sh); - if (global_dst_gr->sh) { - if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) { - printf("(COPY)\n"); - } else { - printf("\n"); - } - } - DetectPort *sp = global_dst_gr->port; - for ( ; sp != NULL; sp = sp->next) { - printf(" * Src port(range): "); DetectPortPrint(sp); printf("\n"); - DetectPort *dp = sp->dst_ph; - for ( ; dp != NULL; dp = dp->next) { - printf(" * Dst port(range): "); DetectPortPrint(dp); - printf(" (sigs %" PRIu32 ")", dp->sh->sig_cnt); -#ifdef PRINTSIGS - printf(" - "); - for (u = 0; u < dp->sh->sig_cnt; u++) { - Signature *s = de_ctx->sig_array[dp->sh->match_array[u]]; - printf("%" PRIu32 " ", s->id); - } -#endif - printf("\n"); - } - } - } - } - - for (global_src_gr = de_ctx->flow_gh[f].src_gh[proto]->any_head; global_src_gr != NULL; - global_src_gr = global_src_gr->next) - { - printf("- "); DetectAddressPrint(global_src_gr); - //printf(" (sh %p)\n", global_src_gr->sh); - - global_dst_gh = global_src_gr->dst_gh; - if (global_dst_gh == NULL) - continue; - - for (global_dst_gr = global_dst_gh->any_head; - global_dst_gr != NULL; - global_dst_gr = global_dst_gr->next) - { - printf(" - "); DetectAddressPrint(global_dst_gr); - //printf(" (sh %p) ", global_dst_gr->sh); - if (global_dst_gr->sh) { - if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) { - printf("(COPY)\n"); - } else { - printf("\n"); - } - } - DetectPort *sp = global_dst_gr->port; - for ( ; sp != NULL; sp = sp->next) { - printf(" * Src port(range): "); DetectPortPrint(sp); printf("\n"); - DetectPort *dp = sp->dst_ph; - for ( ; dp != NULL; dp = dp->next) { - printf(" * Dst port(range): "); DetectPortPrint(dp); - printf(" (sigs %" PRIu32 ")", dp->sh->sig_cnt); -#ifdef PRINTSIGS - printf(" - "); - for (u = 0; u < dp->sh->sig_cnt; u++) { - Signature *s = de_ctx->sig_array[dp->sh->match_array[u]]; - printf("%" PRIu32 " ", s->id); - } -#endif - printf("\n"); - } - } - } - for (global_dst_gr = global_dst_gh->ipv4_head; - global_dst_gr != NULL; - global_dst_gr = global_dst_gr->next) - { - printf(" - "); DetectAddressPrint(global_dst_gr); - //printf(" (sh %p) ", global_dst_gr->sh); - if (global_dst_gr->sh) { - if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) { - printf("(COPY)\n"); - } else { - printf("\n"); - } - } - DetectPort *sp = global_dst_gr->port; - for ( ; sp != NULL; sp = sp->next) { - printf(" * Src port(range): "); DetectPortPrint(sp); printf("\n"); - DetectPort *dp = sp->dst_ph; - for ( ; dp != NULL; dp = dp->next) { - printf(" * Dst port(range): "); DetectPortPrint(dp); - printf(" (sigs %" PRIu32 ")", dp->sh->sig_cnt); -#ifdef PRINTSIGS - printf(" - "); - for (u = 0; u < dp->sh->sig_cnt; u++) { - Signature *s = de_ctx->sig_array[dp->sh->match_array[u]]; - printf("%" PRIu32 " ", s->id); - } -#endif - printf("\n"); - } - } - } - for (global_dst_gr = global_dst_gh->ipv6_head; - global_dst_gr != NULL; - global_dst_gr = global_dst_gr->next) - { - printf(" - "); DetectAddressPrint(global_dst_gr); - //printf(" (sh %p) ", global_dst_gr->sh); - if (global_dst_gr->sh) { - if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) { - printf("(COPY)\n"); - } else { - printf("\n"); - } - } - DetectPort *sp = global_dst_gr->port; - for ( ; sp != NULL; sp = sp->next) { - printf(" * Src port(range): "); DetectPortPrint(sp); printf("\n"); - DetectPort *dp = sp->dst_ph; - for ( ; dp != NULL; dp = dp->next) { - printf(" * Dst port(range): "); DetectPortPrint(dp); - printf(" (sigs %" PRIu32 ")", dp->sh->sig_cnt); -#ifdef PRINTSIGS - printf(" - "); - for (u = 0; u < dp->sh->sig_cnt; u++) { - Signature *s = de_ctx->sig_array[dp->sh->match_array[u]]; - printf("%" PRIu32 " ", s->id); - } -#endif - printf("\n"); - } - } - } - } -#endif - } - } - - printf("* Building signature grouping structure, stage 5: print... done\n"); - return 0; -} - -static int SigMatchListLen(SigMatch *sm) -{ - int len = 0; - for (; sm != NULL; sm = sm->next) - len++; - - return len; -} - -static int SigMatchPrepare(DetectEngineCtx *de_ctx) -{ - SCEnter(); - - Signature *s = de_ctx->sig_list; - for (; s != NULL; s = s->next) { - int type; - for (type = 0; type < DETECT_SM_LIST_MAX; type++) { - SigMatch *sm = s->sm_lists[type]; - int len = SigMatchListLen(sm); - if (len == 0) - s->sm_arrays[type] = NULL; - else { - SigMatchData *smd = (SigMatchData*)SCMalloc(len * sizeof(SigMatchData)); - if (smd == NULL) { - SCLogError(SC_ERR_DETECT_PREPARE, "initializing the detection engine failed"); - exit(EXIT_FAILURE); - } - /* Copy sm type and Context into array */ - s->sm_arrays[type] = smd; - for (; sm != NULL; sm = sm->next, smd++) { - smd->type = sm->type; - smd->ctx = sm->ctx; - smd->is_last = (sm->next == NULL); - } - } - } - } - - SCReturnInt(0); -} - -/** - * \brief Convert the signature list into the runtime match structure. - * - * \param de_ctx Pointer to the Detection Engine Context whose Signatures have - * to be processed - * - * \retval 0 On Success. - * \retval -1 On failure. - */ -int SigGroupBuild(DetectEngineCtx *de_ctx) -{ - Signature *s = de_ctx->sig_list; +/** + * \brief Convert the signature list into the runtime match structure. + * + * \param de_ctx Pointer to the Detection Engine Context whose Signatures have + * to be processed + * + * \retval 0 On Success. + * \retval -1 On failure. + */ +int SigGroupBuild(DetectEngineCtx *de_ctx) +{ + Signature *s = de_ctx->sig_list; /* Assign the unique order id of signatures after sorting, * so the IP Only engine process them in order too. Also @@ -9375,15 +8875,18 @@ end: return result; } -static int SigTestSgh01 (void) +static int SigTestContent01 (void) { + uint8_t *buf = (uint8_t *)"01234567890123456789012345678901"; + uint16_t buflen = strlen((char *)buf); ThreadVars th_v; - int result = 0; DetectEngineThreadCtx *det_ctx = NULL; + int result = 0; + memset(&th_v, 0, sizeof(th_v)); Packet *p = NULL; - p = UTHBuildPacketSrcDstPorts((uint8_t *)"a", 1, IPPROTO_TCP, 12345, 80); + p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP); DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) { @@ -9391,129 +8894,42 @@ static int SigTestSgh01 (void) } de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"1\"; content:\"one\"; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)"); if (de_ctx->sig_list == NULL) { result = 0; goto end; } - if (de_ctx->sig_list->num != 0) { - printf("internal id != 0: "); - goto end; - } - - de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 81 (msg:\"2\"; content:\"two\"; content:\"abcd\"; sid:2;)"); - if (de_ctx->sig_list->next == NULL) { - result = 0; - goto end; - } - if (de_ctx->sig_list->next->num != 1) { - printf("internal id != 1: "); - goto end; - } - - de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"3\"; content:\"three\"; sid:3;)"); - if (de_ctx->sig_list->next->next == NULL) { - result = 0; - goto end; - } - if (de_ctx->sig_list->next->next->num != 2) { - printf("internal id != 2: "); - goto end; - } SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); - if (sgh == NULL) { - printf("no sgh: "); - goto end; - } -#if 0 - printf("-\n"); - printf("sgh->mpm_content_maxlen %u\n", sgh->mpm_content_maxlen); - printf("sgh->mpm_uricontent_maxlen %u\n", sgh->mpm_uricontent_maxlen); - printf("sgh->sig_cnt %u\n", sgh->sig_cnt); - printf("sgh->sig_size %u\n", sgh->sig_size); -#endif - if (sgh->mpm_content_minlen != 3) { - printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen); - goto end; - } - - if (sgh->match_array == NULL) { - printf("sgh->match_array == NULL: "); - goto end; - } - - if (sgh->match_array[0] != de_ctx->sig_list) { - printf("sgh doesn't contain sid 1, should have (sgh->match_array[0] %p, expected %p): ", sgh->match_array[0], de_ctx->sig_list); - goto end; - } - if (sgh->match_array[1] != de_ctx->sig_list->next->next) { - printf("sgh doesn't contain sid 3, should have: "); - goto end; - } - - p->dp = 81; - - SigGroupHead *sgh2 = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); - if (sgh2 == NULL) { - printf("no sgh2: "); - goto end; - } -#if 0 - if (!(SigGroupHeadContainsSigId(de_ctx, sgh2, 1))) { - printf("sgh2 doesn't have sid 1: "); - goto end; - } -#endif - if (sgh2->sig_cnt != 1) { - printf("expected one sig, got %u in sgh2: ", sgh2->sig_cnt); - goto end; - } - - if (sgh2->match_array[0] != de_ctx->sig_list->next) { - printf("sgh doesn't contain sid 2, should have (sgh2->match_array[0] %p, expected %p): ", - sgh2->match_array[0], de_ctx->sig_list->next); - goto end; - } - -#if 0 - printf("-\n"); - printf("sgh2->mpm_content_minlen %u\n", sgh2->mpm_content_minlen); - printf("sgh2->mpm_uricontent_minlen %u\n", sgh2->mpm_uricontent_minlen); - printf("sgh2->sig_cnt %u\n", sgh2->sig_cnt); - printf("sgh2->sig_size %u\n", sgh2->sig_size); -#endif - if (sgh2->mpm_content_minlen != 4) { - printf("sgh2->mpm_content_minlen %u, expected 4: ", sgh2->mpm_content_minlen); - goto end; - } + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + if (PacketAlertCheck(p, 1)) + result = 1; + else + printf("sig 1 didn't match: "); - if (sgh2->match_array[0] != de_ctx->sig_list->next) { - printf("sgh2 doesn't contain sid 2, should have: "); - goto end; - } + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - SigGroupCleanup(de_ctx); DetectEngineCtxFree(de_ctx); - - result = 1; end: + UTHFreePackets(&p, 1); return result; } -static int SigTestSgh02 (void) +static int SigTestContent02 (void) { + uint8_t *buf = (uint8_t *)"01234567890123456789012345678901"; + uint16_t buflen = strlen((char *)buf); ThreadVars th_v; - int result = 0; DetectEngineThreadCtx *det_ctx = NULL; - Packet *p = NULL; - p = UTHBuildPacketSrcDstPorts((uint8_t *)"a", 1, IPPROTO_TCP, 12345, 80); + int result = 0; memset(&th_v, 0, sizeof(th_v)); + Packet *p = NULL; + p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP); DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) { @@ -9521,703 +8937,33 @@ static int SigTestSgh02 (void) } de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80:82 (msg:\"1\"; content:\"one\"; content:\"1\"; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)"); if (de_ctx->sig_list == NULL) { result = 0; goto end; } - if (de_ctx->sig_list->num != 0) { - printf("internal id != 0: "); - goto end; - } - de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 81 (msg:\"2\"; content:\"two2\"; content:\"abcdef\"; sid:2;)"); + de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 31\"; content:\"0123456789012345678901234567890\"; sid:2;)"); if (de_ctx->sig_list->next == NULL) { result = 0; goto end; } - if (de_ctx->sig_list->next->num != 1) { - printf("internal id != 1: "); - goto end; - } - de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> any 80:81 (msg:\"3\"; content:\"three\"; content:\"abcdefgh\"; sid:3;)"); - if (de_ctx->sig_list->next->next == NULL) { - result = 0; - goto end; - } - if (de_ctx->sig_list->next->next->num != 2) { - printf("internal id != 2: "); - goto end; - } SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); - if (sgh == NULL) { - printf("no sgh: "); - goto end; + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + if (PacketAlertCheck(p, 1)) { + if (PacketAlertCheck(p, 2)) { + result = 1; + } else + printf("sig 2 didn't match: "); } + else + printf("sig 1 didn't match: "); - if (sgh->mpm_content_minlen != 3) { - printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen); - goto end; - } - - if (sgh->match_array == NULL) { - printf("sgh->match_array == NULL: "); - goto end; - } - - if (sgh->sig_cnt != 2) { - printf("sgh sig cnt %u, expected 2: ", sgh->sig_cnt); - goto end; - } - - if (sgh->match_array[0] != de_ctx->sig_list) { - printf("sgh doesn't contain sid 1, should have (sgh->match_array[0] %p, expected %p): ", sgh->match_array[0], de_ctx->sig_list); - goto end; - } - if (sgh->match_array[1] != de_ctx->sig_list->next->next) { - printf("sgh doesn't contain sid 3, should have: "); - goto end; - } -#if 0 - printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen); - printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen); - printf("sgh->sig_cnt %u\n", sgh->sig_cnt); - printf("sgh->sig_size %u\n", sgh->sig_size); - printf("sgh->refcnt %u\n", sgh->refcnt); -#endif - p->dp = 81; - - sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); - if (sgh == NULL) { - printf("no sgh: "); - goto end; - } - - if (sgh->mpm_content_minlen != 3) { - printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen); - goto end; - } - - if (sgh->sig_cnt != 3) { - printf("sgh sig cnt %u, expected 3: ", sgh->sig_cnt); - goto end; - } - if (sgh->match_array[0] != de_ctx->sig_list) { - printf("sgh doesn't contain sid 1, should have: "); - goto end; - } - if (sgh->match_array[1] != de_ctx->sig_list->next) { - printf("sgh doesn't contain sid 2, should have: "); - goto end; - } - if (sgh->match_array[2] != de_ctx->sig_list->next->next) { - printf("sgh doesn't contain sid 3, should have: "); - goto end; - } -#if 0 - printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen); - printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen); - printf("sgh->sig_cnt %u\n", sgh->sig_cnt); - printf("sgh->sig_size %u\n", sgh->sig_size); - printf("sgh->refcnt %u\n", sgh->refcnt); -#endif - p->dp = 82; - - sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); - if (sgh == NULL) { - printf("no sgh: "); - goto end; - } - - if (sgh->mpm_content_minlen != 3) { - printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen); - goto end; - } - - if (sgh->sig_cnt != 1) { - printf("sgh sig cnt %u, expected 1: ", sgh->sig_cnt); - goto end; - } - - if (sgh->match_array[0] != de_ctx->sig_list) { - printf("sgh doesn't contain sid 1, should have: "); - goto end; - } -#if 0 - printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen); - printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen); - printf("sgh->sig_cnt %u\n", sgh->sig_cnt); - printf("sgh->sig_size %u\n", sgh->sig_size); - printf("sgh->refcnt %u\n", sgh->refcnt); -#endif - p->src.family = AF_INET6; - p->dst.family = AF_INET6; - - sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); - if (sgh == NULL) { - printf("no sgh: "); - goto end; - } - - if (sgh->mpm_content_minlen != 3) { - printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen); - goto end; - } - - if (sgh->sig_cnt != 1) { - printf("sgh sig cnt %u, expected 1: ", sgh->sig_cnt); - goto end; - } - - if (sgh->match_array[0] != de_ctx->sig_list) { - printf("sgh doesn't contain sid 1, should have: "); - goto end; - } -#if 0 - printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen); - printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen); - printf("sgh->sig_cnt %u\n", sgh->sig_cnt); - printf("sgh->sig_size %u\n", sgh->sig_size); - printf("sgh->refcnt %u\n", sgh->refcnt); -#endif - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - SigGroupCleanup(de_ctx); - DetectEngineCtxFree(de_ctx); - - result = 1; -end: - return result; -} - -static int SigTestSgh03 (void) -{ - ThreadVars th_v; - int result = 0; - Packet *p = SCMalloc(SIZE_OF_PACKET); - if (unlikely(p == NULL)) - return 0; - DetectEngineThreadCtx *det_ctx = NULL; - - memset(&th_v, 0, sizeof(th_v)); - memset(p, 0, SIZE_OF_PACKET); - p->src.family = AF_INET; - p->dst.family = AF_INET; - p->payload_len = 1; - p->proto = IPPROTO_TCP; - p->dp = 80; - p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4"); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) { - goto end; - } - de_ctx->flags |= DE_QUIET; - - de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> 1.2.3.4-1.2.3.6 any (msg:\"1\"; content:\"one\"; content:\"1\"; sid:1;)"); - if (de_ctx->sig_list == NULL) { - result = 0; - goto end; - } - if (de_ctx->sig_list->num != 0) { - printf("internal id != 0: "); - goto end; - } - - de_ctx->sig_list->next = SigInit(de_ctx,"alert ip any any -> 1.2.3.5 any (msg:\"2\"; content:\"two2\"; content:\"abcdef\"; sid:2;)"); - if (de_ctx->sig_list->next == NULL) { - result = 0; - goto end; - } - if (de_ctx->sig_list->next->num != 1) { - printf("internal id != 1: "); - goto end; - } - de_ctx->sig_list->next->next = SigInit(de_ctx,"alert ip any any -> 1.2.3.4-1.2.3.5 any (msg:\"3\"; content:\"three\"; content:\"abcdefgh\"; sid:3;)"); - if (de_ctx->sig_list->next->next == NULL) { - result = 0; - goto end; - } - if (de_ctx->sig_list->next->next->num != 2) { - printf("internal id != 2: "); - goto end; - } - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); - if (sgh == NULL) { - printf("no sgh: "); - goto end; - } -#if 0 - printf("-\n"); - printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen); - printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen); - printf("sgh->sig_cnt %u\n", sgh->sig_cnt); - printf("sgh->sig_size %u\n", sgh->sig_size); - printf("sgh->refcnt %u\n", sgh->refcnt); -#endif - if (sgh->mpm_content_minlen != 3) { - printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen); - goto end; - } - - if (sgh->match_array == NULL) { - printf("sgh->match_array == NULL: "); - goto end; - } - - if (sgh->sig_cnt != 2) { - printf("sgh sig cnt %u, expected 2: ", sgh->sig_cnt); - goto end; - } - - if (sgh->match_array[0] != de_ctx->sig_list) { - printf("sgh doesn't contain sid 1, should have (sgh->match_array[0] %p, expected %p): ", sgh->match_array[0], de_ctx->sig_list); - goto end; - } - if (sgh->match_array[1] != de_ctx->sig_list->next->next) { - printf("sgh doesn't contain sid 3, should have: "); - goto end; - } - - p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.5"); - - sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); - if (sgh == NULL) { - printf("no sgh: "); - goto end; - } -#if 0 - printf("-\n"); - printf("sgh %p\n", sgh); - printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen); - printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen); - printf("sgh->sig_cnt %u\n", sgh->sig_cnt); - printf("sgh->sig_size %u\n", sgh->sig_size); - printf("sgh->refcnt %u\n", sgh->refcnt); -#endif - if (sgh->sig_cnt != 3) { - printf("sgh sig cnt %u, expected 3: ", sgh->sig_cnt); - goto end; - } - if (sgh->match_array[0] != de_ctx->sig_list) { - printf("sgh doesn't contain sid 1, should have: "); - goto end; - } - if (sgh->match_array[1] != de_ctx->sig_list->next) { - printf("sgh doesn't contain sid 1, should have: "); - goto end; - } - if (sgh->match_array[2] != de_ctx->sig_list->next->next) { - printf("sgh doesn't contain sid 1, should have: "); - goto end; - } - - if (sgh->mpm_content_minlen != 3) { - printf("sgh->mpm_content_minlen %u, expected 3 (%x): ", sgh->mpm_content_minlen, p->dst.addr_data32[0]); - goto end; - } - - - p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.6"); - - sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); - if (sgh == NULL) { - printf("no sgh: "); - goto end; - } -#if 0 - printf("-\n"); - printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen); - printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen); - printf("sgh->sig_cnt %u\n", sgh->sig_cnt); - printf("sgh->sig_size %u\n", sgh->sig_size); - printf("sgh->refcnt %u\n", sgh->refcnt); -#endif - if (sgh->mpm_content_minlen != 3) { - printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen); - goto end; - } - - if (sgh->sig_cnt != 1) { - printf("sgh sig cnt %u, expected 1: ", sgh->sig_cnt); - goto end; - } - - if (sgh->match_array[0] != de_ctx->sig_list) { - printf("sgh doesn't contain sid 1, should have: "); - goto end; - } - - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - SigGroupCleanup(de_ctx); - DetectEngineCtxFree(de_ctx); - - result = 1; -end: - SCFree(p); - return result; -} - -static int SigTestSgh04 (void) -{ - ThreadVars th_v; - int result = 0; - Packet *p = SCMalloc(SIZE_OF_PACKET); - if (unlikely(p == NULL)) - return 0; - DetectEngineThreadCtx *det_ctx = NULL; - - memset(&th_v, 0, sizeof(th_v)); - memset(p, 0, SIZE_OF_PACKET); - p->src.family = AF_INET; - p->dst.family = AF_INET; - p->payload_len = 1; - p->proto = IPPROTO_TCP; - p->dp = 80; - p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4"); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) { - goto end; - } - de_ctx->flags |= DE_QUIET; - - de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> 1.2.3.4-1.2.3.6 any (msg:\"1\"; content:\"one\"; content:\"1\"; sid:1;)"); - if (de_ctx->sig_list == NULL) { - result = 0; - goto end; - } - if (de_ctx->sig_list->num != 0) { - printf("internal id != 0: "); - goto end; - } - - de_ctx->sig_list->next = SigInit(de_ctx,"alert ip any any -> 1.2.3.5 any (msg:\"2\"; content:\"two2\"; content:\"abcdef\"; sid:2;)"); - if (de_ctx->sig_list->next == NULL) { - result = 0; - goto end; - } - if (de_ctx->sig_list->next->num != 1) { - printf("internal id != 1: "); - goto end; - } - de_ctx->sig_list->next->next = SigInit(de_ctx,"alert ip any any -> 1.2.3.4-1.2.3.5 any (msg:\"3\"; content:\"three\"; content:\"abcdefgh\"; sid:3;)"); - if (de_ctx->sig_list->next->next == NULL) { - result = 0; - goto end; - } - if (de_ctx->sig_list->next->next->num != 2) { - printf("internal id != 2: "); - goto end; - } - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); - if (sgh == NULL) { - printf("no sgh: "); - goto end; - } - - if (sgh->mpm_content_minlen != 3) { - printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen); - goto end; - } - - if (sgh->match_array == NULL) { - printf("sgh->match_array == NULL: "); - goto end; - } - - if (sgh->sig_cnt != 2) { - printf("sgh sig cnt %u, expected 2: ", sgh->sig_cnt); - goto end; - } - - if (sgh->match_array[0] != de_ctx->sig_list) { - printf("sgh doesn't contain sid 1, should have (sgh->match_array[0] %p, expected %p): ", sgh->match_array[0], de_ctx->sig_list); - goto end; - } - if (sgh->match_array[1] != de_ctx->sig_list->next->next) { - printf("sgh doesn't contain sid 3, should have: "); - goto end; - } -#if 0 - printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen); - printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen); - printf("sgh->sig_cnt %u\n", sgh->sig_cnt); - printf("sgh->sig_size %u\n", sgh->sig_size); - printf("sgh->refcnt %u\n", sgh->refcnt); -#endif - p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.5"); - - sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); - if (sgh == NULL) { - printf("no sgh: "); - goto end; - } - - if (sgh->mpm_content_minlen != 3) { - printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen); - goto end; - } - - if (sgh->sig_cnt != 3) { - printf("sgh sig cnt %u, expected 3: ", sgh->sig_cnt); - goto end; - } - if (sgh->match_array[0] != de_ctx->sig_list) { - printf("sgh doesn't contain sid 1, should have: "); - goto end; - } - if (sgh->match_array[1] != de_ctx->sig_list->next) { - printf("sgh doesn't contain sid 2, should have: "); - goto end; - } - if (sgh->match_array[2] != de_ctx->sig_list->next->next) { - printf("sgh doesn't contain sid 3, should have: "); - goto end; - } -#if 0 - printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen); - printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen); - printf("sgh->sig_cnt %u\n", sgh->sig_cnt); - printf("sgh->sig_size %u\n", sgh->sig_size); - printf("sgh->refcnt %u\n", sgh->refcnt); -#endif - p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.6"); - - sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); - if (sgh == NULL) { - printf("no sgh: "); - goto end; - } - - if (sgh->mpm_content_minlen != 3) { - printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen); - goto end; - } - - if (sgh->sig_cnt != 1) { - printf("sgh sig cnt %u, expected 1: ", sgh->sig_cnt); - goto end; - } - - if (sgh->match_array[0] != de_ctx->sig_list) { - printf("sgh doesn't contain sid 1, should have: "); - goto end; - } -#if 0 - printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen); - printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen); - printf("sgh->sig_cnt %u\n", sgh->sig_cnt); - printf("sgh->sig_size %u\n", sgh->sig_size); - printf("sgh->refcnt %u\n", sgh->refcnt); -#endif - p->proto = IPPROTO_GRE; - - sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); - if (sgh == NULL) { - printf("no sgh: "); - goto end; - } -#if 0 - printf("-\n"); - printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen); - printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen); - printf("sgh->sig_cnt %u\n", sgh->sig_cnt); - printf("sgh->sig_size %u\n", sgh->sig_size); - printf("sgh->refcnt %u\n", sgh->refcnt); -#endif - if (sgh->mpm_content_minlen != 3) { - printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen); - goto end; - } - - if (sgh->match_array[0] != de_ctx->sig_list) { - printf("sgh doesn't contain sid 1, should have: "); - goto end; - } - - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - SigGroupCleanup(de_ctx); - DetectEngineCtxFree(de_ctx); - - result = 1; -end: - SCFree(p); - return result; -} - -/** \test setting of mpm type */ -static int SigTestSgh05 (void) -{ - ThreadVars th_v; - int result = 0; - Packet *p = SCMalloc(SIZE_OF_PACKET); - if (unlikely(p == NULL)) - return 0; - DetectEngineThreadCtx *det_ctx = NULL; - - memset(&th_v, 0, sizeof(th_v)); - memset(p, 0, SIZE_OF_PACKET); - p->src.family = AF_INET; - p->dst.family = AF_INET; - p->payload_len = 1; - p->proto = IPPROTO_TCP; - p->dp = 80; - p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4"); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) { - goto end; - } - de_ctx->flags |= DE_QUIET; - de_ctx->mpm_matcher = MPM_AC; - - de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> 1.2.3.4-1.2.3.6 any (msg:\"1\"; content:\"one\"; content:\"1\"; sid:1;)"); - if (de_ctx->sig_list == NULL) { - result = 0; - goto end; - } - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p); - if (sgh == NULL) { - printf("no sgh: "); - goto end; - } - - if (sgh->mpm_proto_tcp_ctx_ts != NULL || sgh->mpm_proto_tcp_ctx_tc != NULL || - sgh->mpm_proto_udp_ctx_ts != NULL || sgh->mpm_proto_udp_ctx_tc != NULL || - sgh->mpm_proto_other_ctx != NULL) { - printf("sgh->mpm_proto_tcp_ctx_ts != NULL || sgh->mpm_proto_tcp_ctx_tc != NULL" - "sgh->mpm_proto_udp_ctx_ts != NULL || sgh->mpm_proto_udp_ctx_tc != NULL" - "sgh->mpm_proto_other_ctx != NULL: "); - goto end; - } - - if (sgh->mpm_stream_ctx_ts == NULL || sgh->mpm_stream_ctx_tc == NULL) { - printf("sgh->mpm_stream_ctx == NULL || sgh->mpm_stream_ctx_tc == NULL: "); - goto end; - } - - if (sgh->mpm_stream_ctx_ts->mpm_type != MPM_AC) { - printf("sgh->mpm_type != MPM_AC, expected %d, got %d: ", MPM_AC, sgh->mpm_stream_ctx_ts->mpm_type); - goto end; - } - - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - SigGroupCleanup(de_ctx); - DetectEngineCtxFree(de_ctx); - - result = 1; -end: - SCFree(p); - return result; -} - -static int SigTestContent01 (void) -{ - uint8_t *buf = (uint8_t *)"01234567890123456789012345678901"; - uint16_t buflen = strlen((char *)buf); - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - int result = 0; - - memset(&th_v, 0, sizeof(th_v)); - - Packet *p = NULL; - p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) { - goto end; - } - - de_ctx->flags |= DE_QUIET; - - de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)"); - if (de_ctx->sig_list == NULL) { - result = 0; - goto end; - } - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - if (PacketAlertCheck(p, 1)) - result = 1; - else - printf("sig 1 didn't match: "); - - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - DetectEngineCtxFree(de_ctx); -end: - UTHFreePackets(&p, 1); - return result; -} - -static int SigTestContent02 (void) -{ - uint8_t *buf = (uint8_t *)"01234567890123456789012345678901"; - uint16_t buflen = strlen((char *)buf); - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - int result = 0; - - memset(&th_v, 0, sizeof(th_v)); - Packet *p = NULL; - p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) { - goto end; - } - - de_ctx->flags |= DE_QUIET; - - de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)"); - if (de_ctx->sig_list == NULL) { - result = 0; - goto end; - } - - de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 31\"; content:\"0123456789012345678901234567890\"; sid:2;)"); - if (de_ctx->sig_list->next == NULL) { - result = 0; - goto end; - } - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - if (PacketAlertCheck(p, 1)) { - if (PacketAlertCheck(p, 2)) { - result = 1; - } else - printf("sig 2 didn't match: "); - } - else - printf("sig 1 didn't match: "); - - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); DetectEngineCtxFree(de_ctx); @@ -11686,12 +10432,6 @@ void SigRegisterTests(void) UtRegisterTest("SigTestMemory02", SigTestMemory02, 1); UtRegisterTest("SigTestMemory03", SigTestMemory03, 1); - UtRegisterTest("SigTestSgh01", SigTestSgh01, 1); - UtRegisterTest("SigTestSgh02", SigTestSgh02, 1); - UtRegisterTest("SigTestSgh03", SigTestSgh03, 1); - UtRegisterTest("SigTestSgh04", SigTestSgh04, 1); - UtRegisterTest("SigTestSgh05", SigTestSgh05, 1); - UtRegisterTest("SigTestContent01 -- 32 byte pattern", SigTestContent01, 1); UtRegisterTest("SigTestContent02 -- 32+31 byte pattern", SigTestContent02, 1); UtRegisterTest("SigTestContent03 -- 32 byte pattern, x2 + distance", SigTestContent03, 1); diff --git a/src/detect.h b/src/detect.h index 3afd5b3132..01756e0335 100644 --- a/src/detect.h +++ b/src/detect.h @@ -525,8 +525,9 @@ typedef struct DetectEngineIPOnlyCtx_ { } DetectEngineIPOnlyCtx; typedef struct DetectEngineLookupFlow_ { - DetectAddressHead *src_gh[256]; /* a head for each protocol */ - DetectAddressHead *tmp_gh[256]; + DetectPort *tcp; + DetectPort *udp; + struct SigGroupHead_ *sgh[256]; } DetectEngineLookupFlow; /* Flow status