detect/prefilter: allow special engine for each app update

Allow registering the progress as -1, which means it will be invoked each time the app prefilters are called.
8 months ago · fff65c5e40
parent f60e1efc8a
commit fff65c5e40
2 changed files with 39 additions and 30 deletions
--- a/src/detect-engine-prefilter.c
+++ b/src/detect-engine-prefilter.c
@ -115,32 +115,40 @@ void DetectRunPrefilterTx(DetectEngineThreadCtx *det_ctx,
            // incompatible engine->alproto with flow alproto
            goto next;
        }
-        if (engine->ctx.tx_min_progress > tx->tx_progress)
+
-            break;
+        if (engine->ctx.tx_min_progress != -1) {
-        if (tx->tx_progress > engine->ctx.tx_min_progress) {
+            if (engine->ctx.tx_min_progress > tx->tx_progress)
-            /* if state value is at or beyond engine state, we can skip it. It means we ran at
+                break;
-             * least once already. */
+            if (tx->tx_progress > engine->ctx.tx_min_progress) {
-            if (tx->detect_progress > engine->ctx.tx_min_progress) {
+                /* if state value is at or beyond engine state, we can skip it. It means we ran at
-                SCLogDebug("tx already marked progress as beyond engine: %u > %u",
+                 * least once already. */
-                        tx->detect_progress, engine->ctx.tx_min_progress);
+                if (tx->detect_progress > engine->ctx.tx_min_progress) {
-                goto next;
+                    SCLogDebug("tx already marked progress as beyond engine: %u > %u",
                            tx->detect_progress, engine->ctx.tx_min_progress);
                    goto next;
                }
            }
        }
-        PREFILTER_PROFILING_START(det_ctx);
+            PREFILTER_PROFILING_START(det_ctx);
-        engine->cb.PrefilterTx(
+            engine->cb.PrefilterTx(det_ctx, engine->pectx, p, p->flow, tx_ptr, tx->tx_id,
-                det_ctx, engine->pectx, p, p->flow, tx_ptr, tx->tx_id, tx->tx_data_ptr, flow_flags);
+                    tx->tx_data_ptr, flow_flags);
-        PREFILTER_PROFILING_END(det_ctx, engine->gid);
+            PREFILTER_PROFILING_END(det_ctx, engine->gid);
-
+
-        if (tx->tx_progress > engine->ctx.tx_min_progress && engine->is_last_for_progress) {
+            if (tx->tx_progress > engine->ctx.tx_min_progress && engine->is_last_for_progress) {
-            /* track with an offset of one, so that tx->progress 0 complete is tracked
+                /* track with an offset of one, so that tx->progress 0 complete is tracked
-             * as 1, progress 1 as 2, etc. This is to allow 0 to mean: nothing tracked, even
+                 * as 1, progress 1 as 2, etc. This is to allow 0 to mean: nothing tracked, even
-             * though a parser may use 0 as a valid value. */
+                 * though a parser may use 0 as a valid value. */
-            tx->detect_progress = engine->ctx.tx_min_progress + 1;
+                tx->detect_progress = engine->ctx.tx_min_progress + 1;
-            SCLogDebug("tx->tx_progress %d engine->ctx.tx_min_progress %d "
+                SCLogDebug("tx->tx_progress %d engine->ctx.tx_min_progress %d "
-                       "engine->is_last_for_progress %d => tx->detect_progress updated to %02x",
+                           "engine->is_last_for_progress %d => tx->detect_progress updated to %02x",
-                    tx->tx_progress, engine->ctx.tx_min_progress, engine->is_last_for_progress,
+                        tx->tx_progress, engine->ctx.tx_min_progress, engine->is_last_for_progress,
-                    tx->detect_progress);
+                        tx->detect_progress);
            }
        } else {
            PREFILTER_PROFILING_START(det_ctx);
            engine->cb.PrefilterTx(det_ctx, engine->pectx, p, p->flow, tx_ptr, tx->tx_id,
                    tx->tx_data_ptr, flow_flags);
            PREFILTER_PROFILING_END(det_ctx, engine->gid);
        }
    next:
        if (engine->is_last)
@ -338,7 +346,7 @@ int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
    e->pectx = pectx;
    e->alproto = alproto;
    // TODO change function prototype ?
-    DEBUG_VALIDATE_BUG_ON(tx_min_progress > UINT8_MAX);
+    DEBUG_VALIDATE_BUG_ON(tx_min_progress > INT8_MAX);
    e->tx_min_progress = (uint8_t)tx_min_progress;
    e->Free = FreeFunc;
@ -1236,7 +1244,8 @@ int PrefilterSetupRuleGroup(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
            PrefilterEngine *prev_engine = NULL;
            engine = sgh->tx_engines;
            do {
-                BUG_ON(engine->ctx.tx_min_progress < last_tx_progress);
+                if (engine->ctx.tx_min_progress != -1)
                    BUG_ON(engine->ctx.tx_min_progress < last_tx_progress);
                if (engine->alproto == a) {
                    if (last_tx_progress_set && engine->ctx.tx_min_progress > last_tx_progress) {
                        if (prev_engine) {
--- a/src/detect.h
+++ b/src/detect.h
@ -1454,8 +1454,8 @@ typedef struct PrefilterEngineList_ {
    /** App Proto this engine applies to: only used with Tx Engines */
    AppProto alproto;
    /** Minimal Tx progress we need before running the engine. Only used
-     *  with Tx Engine */
+     *  with Tx Engine. Set to -1 for all states. */
-    uint8_t tx_min_progress;
+    int8_t tx_min_progress;
    uint8_t frame_type;
@ -1495,8 +1495,8 @@ typedef struct PrefilterEngine_ {
            uint8_t hook;       /**< enum SignatureHookPkt */
        } pkt;
        /** Minimal Tx progress we need before running the engine. Only used
-         *  with Tx Engine */
+         *  with Tx Engine. Set to -1 for all states. */
-        uint8_t tx_min_progress;
+        int8_t tx_min_progress;
        uint8_t frame_type;
    } ctx;