detect: Only run mpm on HTTP buffers in the proper direction. Fixes a file_data FN.
authorVictor Julien <victor@inliniac.net>
Fri, 22 Jun 2012 08:59:55 +0000 (10:59 +0200)
committerVictor Julien <victor@inliniac.net>
Fri, 22 Jun 2012 09:04:45 +0000 (11:04 +0200)
src/detect.c

index a03a38808bf110e7929bde07d7197b9880a4f55e..bcef172e9634aba65b2f0564a4883324088db928 100644 (file)
@@ -1202,20 +1202,48 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
 
         /* all http based mpms */
         if (alproto == ALPROTO_HTTP && alstate != NULL) {
-            if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_URI) {
-                PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_URI);
-                DetectUricontentInspectMpm(det_ctx, p->flow, alstate, flags);
-                PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_URI);
-            }
-            if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCBD) {
-                PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCBD);
-                DetectEngineRunHttpClientBodyMpm(de_ctx, det_ctx, p->flow, alstate, flags);
-                PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HCBD);
-            }
-            if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSBD) {
-                PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HSBD);
-                DetectEngineRunHttpServerBodyMpm(de_ctx, det_ctx, p->flow, alstate, flags);
-                PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HSBD);
+            if (p->flowflags & FLOW_PKT_TOSERVER) {
+                if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_URI) {
+                    PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_URI);
+                    DetectUricontentInspectMpm(det_ctx, p->flow, alstate, flags);
+                    PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_URI);
+                }
+                if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRUD) {
+                    PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HRUD);
+                    DetectEngineRunHttpRawUriMpm(det_ctx, p->flow, alstate, flags);
+                    PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HRUD);
+                }
+                if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCBD) {
+                    PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCBD);
+                    DetectEngineRunHttpClientBodyMpm(de_ctx, det_ctx, p->flow, alstate, flags);
+                    PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HCBD);
+                }
+                if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HMD) {
+                    PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HMD);
+                    DetectEngineRunHttpMethodMpm(det_ctx, p->flow, alstate, flags);
+                    PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HMD);
+                }
+                if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HUAD) {
+                    PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HUAD);
+                    DetectEngineRunHttpUAMpm(det_ctx, p->flow, alstate, flags);
+                    PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HUAD);
+                }
+            } else { /* implied FLOW_PKT_TOCLIENT */
+                if (p->flowflags & FLOW_PKT_TOCLIENT && det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSBD) {
+                    PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HSBD);
+                    DetectEngineRunHttpServerBodyMpm(de_ctx, det_ctx, p->flow, alstate, flags);
+                    PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HSBD);
+                }
+                if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSMD) {
+                    PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HSMD);
+                    DetectEngineRunHttpStatMsgMpm(det_ctx, p->flow, alstate, flags);
+                    PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HSMD);
+                }
+                if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSCD) {
+                    PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HSCD);
+                    DetectEngineRunHttpStatCodeMpm(det_ctx, p->flow, alstate, flags);
+                    PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HSCD);
+                }
             }
             if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHD) {
                 PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HHD);
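Review bot: In the to-client branch the `else` comment says FLOW_PKT_TOCLIENT is implied, yet only the HSBD check re-tests `p->flowflags & FLOW_PKT_TOCLIENT`; the HSMD and HSCD checks below it do not, so the three server-side buffers are gated differently for a packet that carries neither direction flag. Whether such a packet can reach this point is not visible here, but if it can, stat-msg and stat-code MPM would still run on it. Making the branch `} else if (p->flowflags & FLOW_PKT_TOCLIENT) {` and reducing the first test to `if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSBD) {` would gate all three the same way. The commit message cites a file_data false negative, but no regression test for it appears in this diff; one would keep the direction split from silently regressing. DetectMpmPrefilter begins and ends outside the hunk.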
@@ -1227,36 +1255,11 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
                 DetectEngineRunHttpRawHeaderMpm(det_ctx, p->flow, alstate, flags);
                 PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HRHD);
             }
-            if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HMD) {
-                PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HMD);
-                DetectEngineRunHttpMethodMpm(det_ctx, p->flow, alstate, flags);
-                PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HMD);
-            }
             if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCD) {
                 PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCD);
                 DetectEngineRunHttpCookieMpm(det_ctx, p->flow, alstate, flags);
                 PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HCD);
             }
-            if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRUD) {
-                PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HRUD);
-                DetectEngineRunHttpRawUriMpm(det_ctx, p->flow, alstate, flags);
-                PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HRUD);
-            }
-            if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSMD) {
-                PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HSMD);
-                DetectEngineRunHttpStatMsgMpm(det_ctx, p->flow, alstate, flags);
-                PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HSMD);
-            }
-            if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSCD) {
-                PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HSCD);
-                DetectEngineRunHttpStatCodeMpm(det_ctx, p->flow, alstate, flags);
-                PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HSCD);
-            }
-            if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HUAD) {
-                PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HUAD);
-                DetectEngineRunHttpUAMpm(det_ctx, p->flow, alstate, flags);
-                PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HUAD);
-            }
         }
     } else {
         SCLogDebug("NOT p->flowflags & FLOW_PKT_ESTABLISHED");