SGH's track content length for rule grouping.
This patch changes the logic to only consider the pattern that is
used in the mpm for a sig.
return;
}
+static uint16_t SignatureGetMpmPatternLen(Signature *s, int list)
+{
+ if (s->sm_lists[list] != NULL && s->mpm_sm != NULL &&
+ SigMatchListSMBelongsTo(s, s->mpm_sm) == list)
+ {
+ DetectContentData *cd = (DetectContentData *)s->mpm_sm->ctx;
+ return cd->content_len;
+ }
+ return 0;
+}
+
/**
* \brief Add a Signature to a SigGroupHead.
*
/* update maxlen for mpm */
if (s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
/* check with the precalculated values from the sig */
- if (s->mpm_content_maxlen > 0) {
+ uint16_t mpm_content_minlen = SignatureGetMpmPatternLen(s, DETECT_SM_LIST_PMATCH);
+ if (mpm_content_minlen > 0) {
if ((*sgh)->mpm_content_maxlen == 0)
- (*sgh)->mpm_content_maxlen = s->mpm_content_maxlen;
+ (*sgh)->mpm_content_maxlen = mpm_content_minlen;
- if ((*sgh)->mpm_content_maxlen > s->mpm_content_maxlen)
- (*sgh)->mpm_content_maxlen = s->mpm_content_maxlen;
+ if ((*sgh)->mpm_content_maxlen > mpm_content_minlen)
+ (*sgh)->mpm_content_maxlen = mpm_content_minlen;
SCLogDebug("(%p)->mpm_content_maxlen %u", *sgh, (*sgh)->mpm_content_maxlen);
}
s = sgh->match_array[sig];
if (s == NULL)
continue;
- if (s->sm_lists[list] == NULL)
- continue;
- if (s->mpm_sm != NULL && SigMatchListSMBelongsTo(s, s->mpm_sm) == list)
- {
- DetectContentData *cd = (DetectContentData *)s->mpm_sm->ctx;
- if (cd->content_len < min)
- min = cd->content_len;
- SCLogDebug("cd->content_len %u", cd->content_len);
+ uint16_t mpm_content_minlen = SignatureGetMpmPatternLen(s, DETECT_SM_LIST_PMATCH);
+ if (mpm_content_minlen > 0) {
+ if (mpm_content_minlen < min)
+ min = mpm_content_minlen;
+ SCLogDebug("mpm_content_minlen %u", mpm_content_minlen);
}
}
static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr,
uint8_t dir)
{
- SigMatch *sm;
Signature *sig = SigAlloc();
if (sig == NULL)
goto error;
if (DetectAppLayerEventPrepare(sig) < 0)
goto error;
- /* determine the length of the longest pattern in the sig */
- if (sig->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
- sig->mpm_content_maxlen = 0;
-
- for (sm = sig->sm_lists[DETECT_SM_LIST_PMATCH]; sm != NULL; sm = sm->next) {
- if (sm->type == DETECT_CONTENT) {
- DetectContentData *cd = (DetectContentData *)sm->ctx;
- if (cd == NULL)
- continue;
-
- if (sig->mpm_content_maxlen == 0)
- sig->mpm_content_maxlen = cd->content_len;
- if (sig->mpm_content_maxlen < cd->content_len)
- sig->mpm_content_maxlen = cd->content_len;
- }
- }
- }
-
/* set the packet and app layer flags, but only if the
* app layer flag wasn't already set in which case we
* only consider the app layer */
goto end;
}
- if (sig->mpm_content_maxlen != 4) {
- printf("mpm content max len %"PRIu16", expected 4: ", sig->mpm_content_maxlen);
- goto end;
- }
-
result = 1;
end:
if (sig != NULL)
goto end;
}
- if (sig->mpm_content_maxlen != 6) {
- printf("mpm content max len %"PRIu16", expected 6: ", sig->mpm_content_maxlen);
- goto end;
- }
-
result = 1;
end:
if (sig != NULL)
printf("internal id != 0: ");
goto end;
}
- if (de_ctx->sig_list->mpm_content_maxlen != 3) {
- printf("de_ctx->sig_list->mpm_content_maxlen %u, expected 3: ", de_ctx->sig_list->mpm_content_maxlen);
- goto end;
- }
de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 81 (msg:\"2\"; content:\"two\"; content:\"abcd\"; sid:2;)");
if (de_ctx->sig_list->next == NULL) {
printf("internal id != 1: ");
goto end;
}
- if (de_ctx->sig_list->next->mpm_content_maxlen != 4) {
- printf("de_ctx->sig_list->mpm_content_maxlen %u, expected 4: ", de_ctx->sig_list->next->mpm_content_maxlen);
- goto end;
- }
de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"3\"; content:\"three\"; sid:3;)");
if (de_ctx->sig_list->next->next == NULL) {
printf("internal id != 2: ");
goto end;
}
- if (de_ctx->sig_list->next->next->mpm_content_maxlen != 5) {
- printf("de_ctx->sig_list->next->next->mpm_content_maxlen %u, expected 5: ", de_ctx->sig_list->next->next->mpm_content_maxlen);
- goto end;
- }
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
/* the fast pattern added from this signature */
SigMatch *mpm_sm;
- /* track max length for content. Indirectly used in grouping:
- * used to set SigGroupHead::mpm_content_maxlen */
- uint16_t mpm_content_maxlen;
-
/* SigMatch list used for adding content and friends. E.g. file_data; */
int list;
projects / thirdparty / suricata.git / commitdiff
