SigMatch *sm = NULL;
uint16_t file_no_match = 0;
uint32_t inspect_flags = 0;
- uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
int alert_cnt = 0;
- int check_before_add = 0;
+ int dmatch = 0;
SCLogDebug("rule %u", s->id);
/* TX based matches (inspect engines) */
if (AppLayerParserProtocolSupportsTxs(f->proto, alproto)) {
+ uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
+ int check_before_add = 0;
uint64_t tx_id = 0;
uint64_t total_txs = 0;
if (smb_state->dcerpc_present &&
DetectEngineInspectDcePayload(de_ctx, det_ctx, s, f,
flags, &smb_state->dcerpc) == 1) {
- if (!(s->flags & SIG_FLAG_NOALERT)) {
- PacketAlertAppend(det_ctx, s, p, 0,
- PACKET_ALERT_FLAG_STATE_MATCH);
- } else {
- DetectSignatureApplyActions(p, s);
- }
- alert_cnt = 1;
+ inspect_flags |= DE_STATE_FLAG_DCE_PAYLOAD_INSPECT;
+ dmatch = 1;
}
} else {
if (DetectEngineInspectDcePayload(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
- if (!(s->flags & SIG_FLAG_NOALERT)) {
- PacketAlertAppend(det_ctx, s, p, 0,
- PACKET_ALERT_FLAG_STATE_MATCH);
- } else {
- DetectSignatureApplyActions(p, s);
- }
- alert_cnt = 1;
+ inspect_flags |= DE_STATE_FLAG_DCE_PAYLOAD_INSPECT;
+ dmatch = 1;
}
}
}
+ int amatch = 0;
/* flow based matches */
KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_AMATCH);
sm = s->sm_lists[DETECT_SM_LIST_AMATCH];
goto end;
}
- int match = 0;
for ( ; sm != NULL; sm = sm->next) {
if (sigmatch_table[sm->type].AppLayerMatch != NULL) {
- match = 0;
+ int match = 0;
if (alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) {
SMBState *smb_state = (SMBState *)alstate;
if (smb_state->dcerpc_present) {
KEYWORD_PROFILING_END(det_ctx, sm->type, (match == 1));
}
- if (match == 0)
+ if (match == 0) {
break;
- if (match == 2) {
+ } else if (match == 2) {
inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
break;
+ } else if (match == 1 && sm->next == NULL) {
+ amatch = 1;
}
}
}
+ }
- if (sm == NULL || inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH) {
- if (match == 1) {
+ /* if AMATCH and/or DMATCH are in use, see if we need to
+ * alert and store the state */
+ if ((s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL ||
+ s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL))
+ {
+ /* if dmatch in use and match + amatch in use and match
+ or
+ if dmatch in use and match + amatch not in use
+ or
+ if dmatch not in use + amatch in use and match
+ or
+ sig can't match
+ */
+ if (inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH) {
+ inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;
+ } else {
+ if ((amatch || s->sm_lists[DETECT_SM_LIST_AMATCH] == NULL) &&
+ (dmatch || s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL))
+ {
if (!(s->flags & SIG_FLAG_NOALERT)) {
PacketAlertAppend(det_ctx, s, p, 0,
PACKET_ALERT_FLAG_STATE_MATCH);
DetectSignatureApplyActions(p, s);
}
alert_cnt = 1;
+
+ inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;
}
- inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;
}
StoreState(det_ctx, f, flags, alversion,
s, sm, inspect_flags, file_no_match);
}
-
end:
det_ctx->tx_id = 0;
det_ctx->tx_id_set = 0;
}
uint8_t alert = 0;
- uint32_t inspect_flags = 0;
+ uint32_t inspect_flags = item->flags;
int total_matches = 0;
+ int full_match = 0;
SigMatch *sm = NULL;
Signature *s = de_ctx->sig_array[item->sid];
}
}
}
+ /* AMATCH part checked out, or isn't there at all */
+ full_match = (sm == NULL);
- if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
- if (total_matches > 0 && (sm == NULL || inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH)) {
- if (sm == NULL)
- alert = 1;
- inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;
+ /* DCERPC matches */
+ if (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL &&
+ (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB ||
+ alproto == ALPROTO_SMB2) &&
+ !(item->flags & DE_STATE_FLAG_DCE_PAYLOAD_INSPECT))
+ {
+ void *alstate = FlowGetAppState(f);
+ if (alstate != NULL) {
+ KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_DMATCH);
+ if (alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) {
+ SMBState *smb_state = (SMBState *)alstate;
+ if (smb_state->dcerpc_present &&
+ DetectEngineInspectDcePayload(de_ctx, det_ctx, s, f,
+ flags, &smb_state->dcerpc) == 1)
+ {
+ total_matches++;
+ inspect_flags |= DE_STATE_FLAG_DCE_PAYLOAD_INSPECT;
+ }
+ } else {
+ if (DetectEngineInspectDcePayload(de_ctx, det_ctx, s, f,
+ flags, alstate) == 1)
+ {
+ total_matches++;
+ inspect_flags |= DE_STATE_FLAG_DCE_PAYLOAD_INSPECT;
+ }
+ }
}
- /* prevent the rule loop from reinspecting this rule */
- det_ctx->de_state_sig_array[item->sid] = DE_STATE_MATCH_NO_NEW_STATE;
}
+ /* update full_match with DMATCH result */
+ if (full_match && s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL) {
+ full_match = ((inspect_flags & DE_STATE_FLAG_DCE_PAYLOAD_INSPECT) != 0);
+ }
+
+ /* check the results */
+ if (total_matches > 0 && (full_match || (inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH)))
+ {
+ if (full_match)
+ alert = 1;
+ inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;
+ }
+ /* prevent the rule loop from reinspecting this rule */
+ det_ctx->de_state_sig_array[item->sid] = DE_STATE_MATCH_NO_NEW_STATE;
RULE_PROFILING_END(det_ctx, s, (alert == 1), p);
/* store the progress in the state */
projects / thirdparty / suricata.git / commitdiff
