detect: limit flush logic to sigs that need it

Limit the early 'flush' logic to sigs that actually need to match
on both stream and http bodies.

diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index 364fcd26e167209581e70f302ba059308c6434ee..f11e4f47dfbb064614834d7d119c553d0e5a78e1 100644 (file)
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -610,6 +610,9 @@ void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s)
         if (s->flags & SIG_FLAG_MPM_NEG) {
             json_array_append_new(js_flags, json_string("negated_mpm"));
         }
+        if (s->flags & SIG_FLAG_FLUSH) {
+            json_array_append_new(js_flags, json_string("flush"));
+        }
         if (s->flags & SIG_FLAG_REQUIRE_FLOWVAR) {
             json_array_append_new(js_flags, json_string("need_flowvar"));
         }

diff --git a/src/detect-engine.c b/src/detect-engine.c
index 2fcb282ced5fd02069bd4bb7aeacae69bdceea10..8cf351ba927e93fa75c3b96a6999261726de14c9 100644 (file)
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -488,6 +488,10 @@ next:
             AppendStreamInspectEngine(s, stream, 0, last_id + 1);
             AppendStreamInspectEngine(s, stream, 1, last_id + 1);
         }
+
+        if (s->init_data->init_flags & SIG_FLAG_INIT_NEED_FLUSH) {
+            s->flags |= SIG_FLAG_FLUSH;
+        }
     }
 
 #ifdef DEBUG

diff --git a/src/detect-file-data.c b/src/detect-file-data.c
index 3bd7a4c15a16441c6c74762e214ec9efa2af92aa..c429235c0c587b4dd744823c057cff92d5689f9a 100644 (file)
--- a/src/detect-file-data.c
+++ b/src/detect-file-data.c
@@ -182,6 +182,10 @@ static void DetectFiledataSetupCallback(const DetectEngineCtx *de_ctx,
         AppLayerHtpEnableRequestBodyCallback();
     }
 
+
+    /* server body needs to be inspected in sync with stream if possible */
+    s->init_data->init_flags |= SIG_FLAG_INIT_NEED_FLUSH;
+
     SCLogDebug("callback invoked by %u", s->id);
 }
 

diff --git a/src/detect-http-client-body.c b/src/detect-http-client-body.c
index 8cb84325eb7da24d3cf102e5f6c9f7dba7aa0c18..0becb07ab80115e4f94e097fefeb3cb141371b27 100644 (file)
--- a/src/detect-http-client-body.c
+++ b/src/detect-http-client-body.c
@@ -101,6 +101,9 @@ static void DetectHttpClientBodySetupCallback(const DetectEngineCtx *de_ctx,
 {
     SCLogDebug("callback invoked by %u", s->id);
     AppLayerHtpEnableRequestBodyCallback();
+
+    /* client body needs to be inspected in sync with stream if possible */
+    s->init_data->init_flags |= SIG_FLAG_INIT_NEED_FLUSH;
 }
 
 /**

diff --git a/src/detect.c b/src/detect.c
index 205da3ecf14eec0dd770072b40d0cbacb2214647..39b395728fca12a33c13f3e9c10cf8b2653075e5 100644 (file)
--- a/src/detect.c
+++ b/src/detect.c
@@ -1141,7 +1141,7 @@ static bool DetectRunTxInspectRule(ThreadVars *tv,
         DetectEngineThreadCtx *det_ctx,
         Packet *p,
         Flow *f,
-        const uint8_t flow_flags,   // direction, EOF, etc
+        const uint8_t in_flow_flags,   // direction, EOF, etc
         void *alstate,
         DetectTransaction *tx,
         const Signature *s,
@@ -1149,6 +1149,7 @@ static bool DetectRunTxInspectRule(ThreadVars *tv,
         RuleMatchCandidateTx *can,
         DetectRunScratchpad *scratch)
 {
+    uint8_t flow_flags = in_flow_flags;
     const int direction = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
     uint32_t inspect_flags = stored_flags ? *stored_flags : 0;
     int total_matches = 0;
@@ -1157,6 +1158,10 @@ static bool DetectRunTxInspectRule(ThreadVars *tv,
     bool mpm_before_progress = false;   // is mpm engine before progress?
     bool mpm_in_progress = false;       // is mpm engine in a buffer we will revisit?
 
+    /* see if we want to pass on the FLUSH flag */
+    if ((s->flags & SIG_FLAG_FLUSH) == 0)
+        flow_flags &=~ STREAM_FLUSH;
+
     TRACE_SID_TXS(s->id, tx, "starting %s", direction ? "toclient" : "toserver");
 
     /* for a new inspection we inspect pkt header and packet matches */

diff --git a/src/detect.h b/src/detect.h
index 270dae4a7d683b9ba901fe56eac034a1e72d6865..a08d26d4c2a8216e56da2bc983309130d7de5a66 100644 (file)
--- a/src/detect.h
+++ b/src/detect.h
@@ -229,6 +229,8 @@ typedef struct DetectPort_ {
 
 #define SIG_FLAG_MPM_NEG                (1<<11)
 
+#define SIG_FLAG_FLUSH                  (1<<12) /**< detection logic needs stream flush notification */
+
 #define SIG_FLAG_REQUIRE_FLOWVAR        (1<<17) /**< signature can only match if a flowbit, flowvar or flowint is available. */
 
 #define SIG_FLAG_FILESTORE              (1<<18) /**< signature has filestore keyword */
@@ -260,6 +262,7 @@ typedef struct DetectPort_ {
 #define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN    (1<<4)  /** < signature has seen the first ip_proto keyword */
 #define SIG_FLAG_INIT_HAS_TRANSFORM         (1<<5)
 #define SIG_FLAG_INIT_STATE_MATCH           (1<<6)  /**< signature has matches that require stateful inspection */
+#define SIG_FLAG_INIT_NEED_FLUSH            (1<<7)
 
 /* signature mask flags */
 #define SIG_MASK_REQUIRE_PAYLOAD            (1<<0)