Introduce utility functions to aid this.
if (data == NULL)
goto error;
- SigMatch *tsm = s->sm_lists[DETECT_SM_LIST_MATCH];
+ SigMatch *tsm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
for ( ; tsm != NULL; tsm = tsm->next) {
if (tsm->type == DETECT_AL_APP_LAYER_PROTOCOL) {
const DetectAppLayerProtocolData *them = (const DetectAppLayerProtocolData *)tsm->ctx;
#include "suricata-common.h"
#include "detect.h"
+#include "detect-engine.h"
#include "detect-engine-content-inspection.h"
#include "detect-parse.h"
SigMatch *pm = NULL;
/* Check for a preceding base64_decode. */
- pm = SigMatchGetLastSMFromLists(s, 28,
- DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ pm = DetectGetLastSMFromLists(s, DETECT_BASE64_DECODE, -1);
if (pm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE,
"\"base64_data\" keyword seen without preceding base64_decode.");
#endif
}
else {
- /* Copied from detect-isdataat.c. */
- pm = SigMatchGetLastSMFromLists(s, 168,
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ pm = DetectGetLastSMFromLists(s,
+ DETECT_CONTENT, DETECT_PCRE,
+ DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
+ DETECT_ISDATAAT, -1);
if (pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
}
sm_list = s->init_data->list;
s->flags |= SIG_FLAG_APPLAYER;
if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
- prev_pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_CONTENT, s->init_data->smlists_tail[sm_list],
- DETECT_PCRE, s->init_data->smlists_tail[sm_list]);
+ prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
}
} else if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
- prev_pm = SigMatchGetLastSMFromLists(s, 12,
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
+ prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
+ DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
+ DETECT_ISDATAAT, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {
s->flags |= SIG_FLAG_APPLAYER;
} else if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
- prev_pm = SigMatchGetLastSMFromLists(s, 168,
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ prev_pm = DetectGetLastSMFromLists(s,
+ DETECT_CONTENT, DETECT_PCRE,
+ DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
+ DETECT_ISDATAAT, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {
}
}
- SigMatch *prev_bed_sm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[sm_list]);
+ SigMatch *prev_bed_sm = DetectGetLastSMByListId(s, sm_list,
+ DETECT_BYTE_EXTRACT, -1);
if (prev_bed_sm == NULL)
data->local_id = 0;
else
{
DetectByteExtractData *bed = NULL;
int list;
+ const int nlists = DetectBufferTypeMaxId();
- for (list = 0; list < DETECT_SM_LIST_MAX; list++) {
+ for (list = 0; list < nlists; list++) {
SigMatch *sm = s->init_data->smlists[list];
while (sm != NULL) {
if (sm->type == DETECT_BYTE_EXTRACT) {
sm_list = s->init_data->list;
s->flags |= SIG_FLAG_APPLAYER;
if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
- prev_pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_CONTENT, s->init_data->smlists_tail[sm_list],
- DETECT_PCRE, s->init_data->smlists_tail[sm_list]);
-
+ prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
}
} else if (data->flags & DETECT_BYTEJUMP_DCE) {
if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
- prev_pm = SigMatchGetLastSMFromLists(s, 12,
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
+ prev_pm = DetectGetLastSMFromLists(s,
+ DETECT_CONTENT, DETECT_PCRE,
+ DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
+ DETECT_ISDATAAT, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {
s->flags |= SIG_FLAG_APPLAYER;
} else if (data->flags & DETECT_BYTEJUMP_RELATIVE) {
- prev_pm = SigMatchGetLastSMFromLists(s, 168,
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ prev_pm = DetectGetLastSMFromLists(s,
+ DETECT_CONTENT, DETECT_PCRE,
+ DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
+ DETECT_ISDATAAT, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {
sm_list = s->init_data->list;
s->flags |= SIG_FLAG_APPLAYER;
if (data->flags & DETECT_BYTETEST_RELATIVE) {
- prev_pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_CONTENT, s->init_data->smlists_tail[sm_list],
- DETECT_PCRE, s->init_data->smlists_tail[sm_list]);
+ prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
}
} else if (data->flags & DETECT_BYTETEST_DCE) {
if (data->flags & DETECT_BYTETEST_RELATIVE) {
- prev_pm = SigMatchGetLastSMFromLists(s, 12,
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
+ prev_pm = DetectGetLastSMFromLists(s,
+ DETECT_CONTENT, DETECT_PCRE,
+ DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
+ DETECT_ISDATAAT, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {
s->flags |= SIG_FLAG_APPLAYER;
} else if (data->flags & DETECT_BYTETEST_RELATIVE) {
- prev_pm = SigMatchGetLastSMFromLists(s, 168,
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ prev_pm = DetectGetLastSMFromLists(s,
+ DETECT_CONTENT, DETECT_PCRE,
+ DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
+ DETECT_ISDATAAT, -1);
if (prev_pm == NULL) {
sm_list = DETECT_SM_LIST_PMATCH;
} else {
FAIL_IF_NULL(de_ctx);\
Signature *s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:valid; sid:1;)");\
FAIL_IF_NULL(s);\
- SigMatch *sm = SigMatchGetLastSMFromLists(s, 2, (kwtype), s->sm_lists[DETECT_SM_LIST_MATCH]);\
+ SigMatch *sm = DetectGetLastSMFromLists(s, (kwtype), -1);\
FAIL_IF_NULL(sm);\
FAIL_IF_NULL(sm->ctx);\
FAIL_IF_NOT(((DetectCsumData *)sm->ctx)->valid == 1);\
s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:INVALID; sid:2;)");\
FAIL_IF_NULL(s);\
- sm = SigMatchGetLastSMFromLists(s, 2, (kwtype), s->sm_lists[DETECT_SM_LIST_MATCH]);\
+ sm = DetectGetLastSMFromLists(s, (kwtype), -1);\
FAIL_IF_NULL(sm);\
FAIL_IF_NULL(sm->ctx);\
FAIL_IF_NOT(((DetectCsumData *)sm->ctx)->valid == 0);\
}
/* retrive the sm to apply the depth against */
- if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
- pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->init_data->smlists_tail[s->init_data->list]);
- } else {
- pm = SigMatchGetLastSMFromLists(s, 28,
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
- }
+ pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, -1);
if (pm == NULL) {
SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs "
"preceding content, uricontent option, http_client_body, "
SigMatch *tmpm = NULL;
/* checks if there's a previous instance of threshold */
- tmpm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_THRESHOLD, s->init_data->smlists_tail[DETECT_SM_LIST_MATCH]);
+ tmpm = DetectGetLastSMFromLists(s, DETECT_THRESHOLD, -1);
if (tmpm != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and \"threshold\" are not allowed in the same rule");
SCReturnInt(-1);
}
/* checks there's no previous instance of detection_filter */
- tmpm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_DETECTION_FILTER, s->init_data->smlists_tail[DETECT_SM_LIST_MATCH]);
+ tmpm = DetectGetLastSMFromLists(s, DETECT_DETECTION_FILTER, -1);
if (tmpm != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "At most one \"detection_filter\" is allowed per rule");
SCReturnInt(-1);
dubbed = 1;
}
- /* retrive the sm to apply the depth against */
- if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
- pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->init_data->smlists_tail[s->init_data->list]);
- } else {
- pm = SigMatchGetLastSMFromLists(s, 28,
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
- }
+ /* retrieve the sm to apply the distance against */
+ pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, -1);
if (pm == NULL) {
SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "distance needs "
"preceding content, uricontent option, http_client_body, "
}
cd->flags |= DETECT_CONTENT_DISTANCE;
- SigMatch *prev_pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_CONTENT, pm->prev,
- DETECT_PCRE, pm->prev);
+ SigMatch *prev_pm = DetectGetLastSMByListPtr(s, pm->prev,
+ DETECT_CONTENT, DETECT_PCRE, -1);
if (prev_pm == NULL) {
ret = 0;
goto end;
DetectDsizeData *dd = NULL;
SigMatch *sm = NULL;
- if (SigMatchGetLastSMFromLists(s, 2,
- DETECT_DSIZE,
- s->init_data->smlists_tail[DETECT_SM_LIST_MATCH]) != NULL) {
+ if (DetectGetLastSMFromLists(s, DETECT_DSIZE, -1)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Can't use 2 or more dsizes in "
"the same sig. Invalidating signature.");
goto error;
//uint32_t rule_flowvar = 0;
uint32_t rule_content_http = 0;
uint32_t rule_content_offset_depth = 0;
- uint32_t list_id = 0;
+ int32_t list_id = 0;
uint32_t rule_warning = 0;
uint32_t raw_http_buf = 0;
uint32_t norm_http_buf = 0;
SupportFastPatternForSigMatchList(sm_list, priority);
}
+void DetectAppLayerMpmRegister(const char *name,
+ int direction, int priority,
+ int (*PrefilterRegister)(SigGroupHead *sgh, MpmCtx *mpm_ctx))
+{
+ DetectBufferTypeSupportsMpm(name);
+ int sm_list = DetectBufferTypeGetByName(name);
+ BUG_ON(sm_list == -1);
+ DetectMpmAppLayerRegister(name, direction, sm_list, priority,
+ PrefilterRegister);
+}
+
void DetectMpmInitializeAppMpms(DetectEngineCtx *de_ctx)
{
BUG_ON(g_app_mpms_list_cnt == 0);
if (s->init_data->mpm_sm != NULL)
return;
+ const int nlists = DetectBufferTypeMaxId();
+
SigMatch *mpm_sm = NULL, *sm = NULL;
- int nn_sm_list[DETECT_SM_LIST_MAX];
- int n_sm_list[DETECT_SM_LIST_MAX];
- memset(nn_sm_list, 0, sizeof(nn_sm_list));
- memset(n_sm_list, 0, sizeof(n_sm_list));
+ int nn_sm_list[nlists];
+ int n_sm_list[nlists];
+ memset(nn_sm_list, 0, nlists * sizeof(int));
+ memset(n_sm_list, 0, nlists * sizeof(int));
int count_nn_sm_list = 0;
int count_n_sm_list = 0;
int list_id;
/* inspect rule to see if we have the fast_pattern reg to
* force using a sig, otherwise keep stats about the patterns */
- for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
+ for (list_id = 0; list_id < nlists; list_id++) {
if (s->init_data->smlists[list_id] == NULL)
continue;
return;
}
- int final_sm_list[DETECT_SM_LIST_MAX] = { 0 };
+ int final_sm_list[nlists];
+ memset(&final_sm_list, 0, (nlists * sizeof(int)));
+
int count_final_sm_list = 0;
int priority;
int direction, int sm_list, int priority,
int (*PrefilterRegister)(SigGroupHead *sgh, MpmCtx *mpm_ctx));
+void DetectAppLayerMpmRegister(const char *name,
+ int direction, int priority,
+ int (*PrefilterRegister)(SigGroupHead *sgh, MpmCtx *mpm_ctx));
+
#endif /* __DETECT_ENGINE_MPM_H__ */
void DetectAppLayerInspectEngineRegister(AppProto alproto,
uint32_t dir, int32_t sm_list, InspectEngineFuncPtr Callback)
{
+ const int nlists = DetectBufferTypeMaxId();
+
if ((alproto >= ALPROTO_FAILED) ||
(!(dir == SIG_FLAG_TOSERVER || dir == SIG_FLAG_TOCLIENT)) ||
- (sm_list < DETECT_SM_LIST_MATCH || sm_list >= DETECT_SM_LIST_MAX) ||
+ (sm_list < DETECT_SM_LIST_MATCH || sm_list >= nlists) ||
(Callback == NULL))
{
SCLogError(SC_ERR_INVALID_ARGUMENTS, "Invalid arguments");
}
}
+void DetectAppLayerInspectEngineRegister2(const char *name,
+ AppProto alproto, uint32_t dir, InspectEngineFuncPtr Callback)
+{
+ DetectBufferTypeRegister(name);
+ int sm_list = DetectBufferTypeGetByName(name);
+ BUG_ON(sm_list == -1);
+ DetectAppLayerInspectEngineRegister(alproto, dir, sm_list, Callback);
+}
+
int DetectEngineAppInspectionEngine2Signature(Signature *s)
{
- SigMatchData *ptrs[DETECT_SM_LIST_MAX] = { NULL };
+ const int nlists = DetectBufferTypeMaxId();
+ SigMatchData *ptrs[nlists];
+ memset(&ptrs, 0, (nlists * sizeof(SigMatchData *)));
/* convert lists to SigMatchData arrays */
int i = 0;
- for (i = DETECT_SM_LIST_BUILTIN_MAX; i < DETECT_SM_LIST_MAX; i++) {
+ for (i = DETECT_SM_LIST_BUILTIN_MAX; i < nlists; i++) {
if (s->init_data->smlists[i] == NULL)
continue;
*/
void DetectEngineAppInspectionEngineSignatureFree(Signature *s)
{
- SigMatchData *ptrs[DETECT_SM_LIST_MAX] = { NULL };
+ const int nlists = DetectBufferTypeMaxId();
+ SigMatchData *ptrs[nlists];
+ memset(&ptrs, 0, (nlists * sizeof(SigMatchData *)));
/* free engines and put smd in the array */
DetectEngineAppInspectionEngine *ie = s->app_inspect;
/* free the smds */
int i;
- for (i = 0; i < DETECT_SM_LIST_MAX; i++)
+ for (i = 0; i < nlists; i++)
{
if (ptrs[i] == NULL)
continue;
void DetectAppLayerInspectEngineRegister(AppProto alproto,
uint32_t dir, int32_t sm_list, InspectEngineFuncPtr Callback);
+void DetectAppLayerInspectEngineRegister2(const char *name,
+ AppProto alproto, uint32_t dir, InspectEngineFuncPtr Callback);
+
int DetectEngineAppInspectionEngine2Signature(Signature *s);
void DetectEngineAppInspectionEngineSignatureFree(Signature *s);
int ov[MAX_SUBSTRINGS];
char arg_substr[128] = "";
DetectContentData *cd = NULL;
+ const int nlists = DetectBufferTypeMaxId();
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL &&
- s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH] == NULL &&
- s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH] == NULL &&
- s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA] == NULL &&
- s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH] == NULL &&
- s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] == NULL &&
- s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH] == NULL &&
- s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH] == NULL &&
- s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH] == NULL &&
- s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH] == NULL &&
- s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH] == NULL &&
- s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH] == NULL &&
- s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH] == NULL &&
- s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH] == NULL &&
- s->init_data->smlists_tail[DETECT_SM_LIST_DNSQUERYNAME_MATCH] == NULL &&
- s->init_data->smlists_tail[DETECT_SM_LIST_TLSSNI_MATCH] == NULL &&
- s->init_data->smlists_tail[DETECT_SM_LIST_TLSISSUER_MATCH] == NULL &&
- s->init_data->smlists_tail[DETECT_SM_LIST_TLSSUBJECT_MATCH] == NULL &&
- s->init_data->smlists_tail[DETECT_SM_LIST_HTTP_REQLINEMATCH] == NULL) {
- SCLogWarning(SC_WARN_COMPATIBILITY, "fast_pattern found inside the "
- "rule, without a preceding content based keyword. "
- "Currently we provide fast_pattern support for content, "
- "uricontent, http_client_body, http_server_body, http_header, "
- "http_raw_header, http_method, http_cookie, "
- "http_raw_uri, http_stat_msg, http_stat_code, "
- "http_user_agent, http_host, http_raw_host, "
- "http_request_line, dns_query, "
- "tls_sni, tls_cert_issuer or tls_cert_subject option");
+ SigMatch *pm1 = DetectGetLastSMFromMpmLists(s);
+ SigMatch *pm2 = DetectGetLastSMFromLists(s, DETECT_CONTENT, -1);
+ if (pm1 == NULL && pm2 == NULL) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern found inside "
+ "the rule, without a content context. Please use a "
+ "content based keyword before using fast_pattern");
return -1;
}
- SigMatch *pm = SigMatchGetLastSMFromLists(s, 38,
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HTTP_REQLINEMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_DNSQUERYNAME_MATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_TLSSNI_MATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_TLSISSUER_MATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_TLSSUBJECT_MATCH]);
- if (pm == NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern found inside "
- "the rule, without a content context. Please use a "
- "content based keyword before using fast_pattern");
- return -1;
+ SigMatch *pm = NULL;
+ if (pm1 && pm2) {
+ if (pm1->idx > pm2->idx)
+ pm = pm1;
+ else
+ pm = pm2;
+ } else if (pm1 && !pm2) {
+ pm = pm1;
+ } else {
+ pm = pm2;
}
cd = (DetectContentData *)pm->ctx;
}
else { /*allow only one content to have fast_pattern modifier*/
int list_id = 0;
- for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
+ for (list_id = 0; list_id < nlists; list_id++) {
SigMatch *sm = NULL;
for (sm = s->init_data->smlists[list_id]; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_CONTENT) {
sm_list = s->init_data->list;
s->flags |= SIG_FLAG_APPLAYER;
if (idad->flags & ISDATAAT_RELATIVE) {
- prev_pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_CONTENT, s->init_data->smlists_tail[sm_list],
- DETECT_PCRE, s->init_data->smlists_tail[sm_list]);
+ prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
}
} else if (idad->flags & ISDATAAT_RELATIVE) {
- prev_pm = SigMatchGetLastSMFromLists(s, 168,
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH],
-
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ prev_pm = DetectGetLastSMFromLists(s,
+ DETECT_CONTENT, DETECT_PCRE,
+ DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
+ DETECT_ISDATAAT, -1);
if (prev_pm == NULL)
sm_list = DETECT_SM_LIST_PMATCH;
else {
goto end;
}
- /* retrive the sm to apply the depth against */
- if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
- pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->init_data->smlists_tail[s->init_data->list]);
- } else {
- pm = SigMatchGetLastSMFromLists(s, 28,
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
- }
+ /* retrive the sm to apply the nocase against */
+ pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, -1);
if (pm == NULL) {
SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "nocase needs "
- "preceding content, uricontent option, http_client_body, "
- "http_server_body, http_header option, http_raw_header option, "
- "http_method option, http_cookie, http_raw_uri, "
- "http_stat_msg, http_stat_code, http_user_agent or "
- "file_data/dce_stub_data sticky buffer options");
+ "preceding content option");
goto end;
}
-
/* verify other conditions. */
DetectContentData *cd = (DetectContentData *)pm->ctx;;
dubbed = 1;
}
- /* retrive the sm to apply the depth against */
- if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
- pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->init_data->smlists_tail[s->init_data->list]);
- } else {
- pm = SigMatchGetLastSMFromLists(s, 28,
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
- }
+ /* retrive the sm to apply the offset against */
+ pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, -1);
if (pm == NULL) {
SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs "
- "preceding content, uricontent option, http_client_body, "
- "http_server_body, http_header option, http_raw_header option, "
- "http_method option, http_cookie, http_raw_uri, "
- "http_stat_msg, http_stat_code, http_user_agent or "
- "file_data/dce_stub_data sticky buffer options");
+ "preceding content option");
goto end;
}
-
/* verify other conditions */
DetectContentData *cd = (DetectContentData *)pm->ctx;
static pcre_extra *config_pcre_extra = NULL;
static pcre_extra *option_pcre_extra = NULL;
+static void SigMatchTransferSigMatchAcrossLists(SigMatch *sm,
+ SigMatch **src_sm_list, SigMatch **src_sm_list_tail,
+ SigMatch **dst_sm_list, SigMatch **dst_sm_list_tail);
+
/**
* \brief We use this as data to the hash table DetectEngineCtx->dup_sig_hash_table.
*/
return "unknown";
}
-int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg,
- uint8_t sm_type, uint8_t sm_list,
- AppProto alproto, void (*CustomCallback)(Signature *s))
+int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx,
+ Signature *s, const char *arg,
+ int sm_type, int sm_list,
+ AppProto alproto, void (*CustomCallback)(Signature *s))
{
SigMatch *sm = NULL;
int ret = -1;
sigmatch_table[sm_type].name);
goto end;
}
- /* for now let's hardcode it as http */
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != alproto) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting "
"alprotos set");
goto end;
}
- sm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
+ sm = DetectGetLastSMByListId(s,
+ DETECT_SM_LIST_PMATCH, DETECT_CONTENT, -1);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"%s\" keyword "
"found inside the rule without a content context. "
goto end;
}
if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
- SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_CONTENT, sm->prev,
- DETECT_PCRE, sm->prev);
+ SigMatch *pm = DetectGetLastSMByListPtr(s, sm->prev,
+ DETECT_CONTENT, DETECT_PCRE, -1);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
}
}
- pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_CONTENT, s->init_data->smlists_tail[sm_list],
- DETECT_PCRE, s->init_data->smlists_tail[sm_list]);
+ pm = DetectGetLastSMByListId(s, sm_list,
+ DETECT_CONTENT, DETECT_PCRE, -1);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
s->alproto = alproto;
s->flags |= SIG_FLAG_APPLAYER;
- /* transfer the sm from the pmatch list to hcbdmatch list */
+ /* transfer the sm from the pmatch list to sm_list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->init_data->smlists[DETECT_SM_LIST_PMATCH],
&s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
*
* \retval match Pointer to the last SigMatch instance of type 'type'.
*/
-static SigMatch *SigMatchGetLastSMByType(SigMatch *sm, uint8_t type)
+static SigMatch *SigMatchGetLastSMByType(SigMatch *sm, int type)
{
while (sm != NULL) {
if (sm->type == type) {
return NULL;
}
+/** \brief get the last SigMatch from lists that support
+ * MPM.
+ * \note only supports the lists that are registered through
+ * DetectBufferTypeSupportsMpm().
+ */
+SigMatch *DetectGetLastSMFromMpmLists(const Signature *s)
+{
+ SigMatch *sm_last = NULL;
+ SigMatch *sm_new;
+ int sm_type;
+
+ /* if we have a sticky buffer, use that */
+ if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
+ if (!(DetectBufferTypeSupportsMpmGetById(s->init_data->list))) {
+ return NULL;
+ }
+
+ sm_last = DetectGetLastSMByListPtr(s,
+ s->init_data->smlists_tail[s->init_data->list],
+ DETECT_CONTENT, -1);
+ return sm_last;
+ }
+
+ /* otherwise brute force it */
+ const int nlists = DetectBufferTypeMaxId();
+ for (sm_type = 0; sm_type < nlists; sm_type++) {
+ if (!DetectBufferTypeSupportsMpmGetById(sm_type))
+ continue;
+ SigMatch *sm_list = s->init_data->smlists_tail[sm_type];
+ sm_new = SigMatchGetLastSMByType(sm_list, DETECT_CONTENT);
+ if (sm_new == NULL)
+ continue;
+ if (sm_last == NULL || sm_new->idx > sm_last->idx)
+ sm_last = sm_new;
+ }
+
+ return sm_last;
+}
+
/**
* \brief Returns the sm with the largest index (added latest) from the lists
* passed to us.
*
* \retval Pointer to Last sm.
*/
-SigMatch *SigMatchGetLastSMFromLists(const Signature *s, int args, ...)
+SigMatch *DetectGetLastSMFromLists(const Signature *s, ...)
{
- if (args == 0 || args % 2 != 0) {
- SCLogError(SC_ERR_INVALID_ARGUMENTS, "You need to send an even no of args "
- "(non zero as well) to this function, since we need a "
- "SigMatch list for every SigMatch type(send a map of sm_type "
- "and sm_list) sent");
- /* as this is a bug we should abort to ease debugging */
- BUG_ON(1);
+ SigMatch *sm_last = NULL;
+ SigMatch *sm_new;
+
+ /* otherwise brute force it */
+ const int nlists = DetectBufferTypeMaxId();
+ for (int buf_type = 0; buf_type < nlists; buf_type++) {
+ if (s->init_data->smlists[buf_type] == NULL)
+ continue;
+ if (s->init_data->list != DETECT_SM_LIST_NOTSET &&
+ buf_type != s->init_data->list)
+ continue;
+
+ int sm_type;
+ va_list ap;
+ va_start(ap, s);
+
+ for (sm_type = va_arg(ap, int); sm_type != -1; sm_type = va_arg(ap, int))
+ {
+ sm_new = SigMatchGetLastSMByType(s->init_data->smlists_tail[buf_type], sm_type);
+ if (sm_new == NULL)
+ continue;
+ if (sm_last == NULL || sm_new->idx > sm_last->idx)
+ sm_last = sm_new;
+ }
+ va_end(ap);
}
+ return sm_last;
+}
+
+/**
+ * \brief Returns the sm with the largest index (added last) from the list
+ * passed to us as a pointer.
+ *
+ * \param sm_list pointer to the SigMatch we should look before
+ * \param va_args list of keyword types terminated by -1
+ *
+ * \retval sm_last to last sm.
+ */
+SigMatch *DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list, ...)
+{
SigMatch *sm_last = NULL;
SigMatch *sm_new;
- int i;
+ int sm_type;
+
+ va_list ap;
+ va_start(ap, sm_list);
+
+ for (sm_type = va_arg(ap, int); sm_type != -1; sm_type = va_arg(ap, int))
+ {
+ sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
+ if (sm_new == NULL)
+ continue;
+ if (sm_last == NULL || sm_new->idx > sm_last->idx)
+ sm_last = sm_new;
+ }
+
+ va_end(ap);
+
+ return sm_last;
+}
+
+/**
+ * \brief Returns the sm with the largest index (added last) from the list
+ * passed to us as an id.
+ *
+ * \param list_id id of the list to be searched
+ * \param va_args list of keyword types terminated by -1
+ *
+ * \retval sm_last to last sm.
+ */
+SigMatch *DetectGetLastSMByListId(const Signature *s, int list_id, ...)
+{
+ SigMatch *sm_last = NULL;
+ SigMatch *sm_new;
+ int sm_type;
+
+ SigMatch *sm_list = s->init_data->smlists_tail[list_id];
+ if (sm_list == NULL)
+ return NULL;
va_list ap;
- va_start(ap, args);
+ va_start(ap, list_id);
- for (i = 0; i < args; i += 2) {
- int sm_type = va_arg(ap, int);
- SigMatch *sm_list = va_arg(ap, SigMatch *);
+ for (sm_type = va_arg(ap, int); sm_type != -1; sm_type = va_arg(ap, int))
+ {
sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
if (sm_new == NULL)
continue;
/**
* \brief Returns the sm with the largest index (added latest) from this sig
*
- * \retval Pointer to Last sm.
+ * \retval sm_last Pointer to last sm
*/
-SigMatch *SigMatchGetLastSM(const Signature *s)
+SigMatch *DetectGetLastSM(const Signature *s)
{
+ const int nlists = DetectBufferTypeMaxId();
SigMatch *sm_last = NULL;
SigMatch *sm_new;
int i;
- for (i = 0; i < DETECT_SM_LIST_MAX; i ++) {
+ for (i = 0; i < nlists; i ++) {
sm_new = s->init_data->smlists_tail[i];
if (sm_new == NULL)
continue;
return sm_last;
}
-void SigMatchTransferSigMatchAcrossLists(SigMatch *sm,
- SigMatch **src_sm_list, SigMatch **src_sm_list_tail,
- SigMatch **dst_sm_list, SigMatch **dst_sm_list_tail)
+static void SigMatchTransferSigMatchAcrossLists(SigMatch *sm,
+ SigMatch **src_sm_list, SigMatch **src_sm_list_tail,
+ SigMatch **dst_sm_list, SigMatch **dst_sm_list_tail)
{
/* we won't do any checks for args */
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
{
+ const int nlists = DetectBufferTypeMaxId();
int list = 0;
- for (list = 0; list < DETECT_SM_LIST_MAX; list++) {
+ for (list = 0; list < nlists; list++) {
const SigMatch *sm = s->init_data->smlists[list];
while (sm != NULL) {
if (sm == key_sm)
SCFree(sig);
return NULL;
}
+ int lists = DetectBufferTypeMaxId();
+ SCLogDebug("smlists size %d", lists);
+ sig->init_data->smlists = SCCalloc(lists, sizeof(SigMatch *));
+ if (sig->init_data->smlists == NULL) {
+ SCFree(sig->init_data);
+ SCFree(sig);
+ return NULL;
+ }
+
+ sig->init_data->smlists_tail = SCCalloc(lists, sizeof(SigMatch *));
+ if (sig->init_data->smlists_tail == NULL) {
+ SCFree(sig->init_data->smlists_tail);
+ SCFree(sig->init_data);
+ SCFree(sig);
+ return NULL;
+ }
/* assign it to -1, so that we can later check if the value has been
* overwritten after the Signature has been parsed, and if it hasn't been
void SigFree(Signature *s)
{
+ const int nlists = DetectBufferTypeMaxId();
+
if (s == NULL)
return;
int i;
if (s->init_data) {
- for (i = 0; i < DETECT_SM_LIST_MAX; i++) {
+ for (i = 0; i < nlists; i++) {
SigMatch *sm = s->init_data->smlists[i];
while (sm != NULL) {
SigMatch *nsm = sm->next;
}
SigMatchFreeArrays(s, (s->init_data == NULL));
if (s->init_data) {
+ SCFree(s->init_data->smlists);
+ SCFree(s->init_data->smlists_tail);
SCFree(s->init_data);
s->init_data = NULL;
}
//}
if (s->flags & SIG_FLAG_REQUIRE_PACKET) {
- pm = SigMatchGetLastSMFromLists(s, 24,
- DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
- if (pm != NULL) {
+ pm = DetectGetLastSMFromLists(s, DETECT_REPLACE, -1);
+ if (pm != NULL && SigMatchListSMBelongsTo(s, pm) != DETECT_SM_LIST_PMATCH) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature has"
" replace keyword linked with a modified content"
" keyword (http_*, dce_*). It only supports content on"
if (s->init_data->smlists[DETECT_SM_LIST_BASE64_DATA] != NULL) {
int list;
uint16_t idx = s->init_data->smlists[DETECT_SM_LIST_BASE64_DATA]->idx;
- for (list = 0; list < DETECT_SM_LIST_MAX; list++) {
+ for (list = 0; list < nlists; list++) {
if (list == DETECT_SM_LIST_POSTMATCH ||
list == DETECT_SM_LIST_TMATCH ||
list == DETECT_SM_LIST_SUPPRESS ||
#ifdef DEBUG
int i;
- for (i = 0; i < DETECT_SM_LIST_MAX; i++) {
+ for (i = 0; i < nlists; i++) {
if (s->init_data->smlists[i] != NULL) {
for (sm = s->init_data->smlists[i]; sm != NULL; sm = sm->next) {
BUG_ON(sm == sm->prev);
void SigFree(Signature *s);
Signature *SigInit(DetectEngineCtx *,char *sigstr);
Signature *SigInitReal(DetectEngineCtx *, char *);
-SigMatch *SigMatchGetLastSMFromLists(const Signature *, int, ...);
-SigMatch *SigMatchGetLastSM(const Signature *);
-void SigMatchTransferSigMatchAcrossLists(SigMatch *sm,
- SigMatch **, SigMatch **s,
- SigMatch **, SigMatch **);
SigMatchData* SigMatchList2DataArray(SigMatch *head);
void SigParsePrepare(void);
void SigParseRegisterTests(void);
int DetectParseDupSigHashInit(DetectEngineCtx *);
void DetectParseDupSigHashFree(DetectEngineCtx *);
-int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg,
- uint8_t sm_type, uint8_t sm_list,
+int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg,
+ int sm_type, int sm_list,
AppProto alproto, void (*CustomCallback)(Signature *s));
const char *DetectListToHumanString(int list);
const char *DetectListToString(int list);
+SigMatch *DetectGetLastSM(const Signature *);
+SigMatch *DetectGetLastSMFromMpmLists(const Signature *s);
+SigMatch *DetectGetLastSMFromLists(const Signature *s, ...);
+SigMatch *DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list, ...);
+SigMatch *DetectGetLastSMByListId(const Signature *s, int list_id, ...);
+
/* parse regex setup and free util funcs */
void DetectSetupParseRegexes(const char *parse_str,
/* errors below shouldn't free pd */
- SigMatch *prev_pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_CONTENT, sm->prev,
- DETECT_PCRE, sm->prev);
+ SigMatch *prev_pm = DetectGetLastSMByListPtr(s, sm->prev,
+ DETECT_CONTENT, DETECT_PCRE, -1);
if (s->init_data->list == DETECT_SM_LIST_NOTSET && prev_pm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre with /R (relative) needs "
"preceeding match in the same buffer");
goto end;
}
- sm = SigMatchGetLastSM(s);
+ sm = DetectGetLastSM(s);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "prefilter needs preceding match");
goto end;
SCReturnInt(-1);
}
- SigMatch *pm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
+ SigMatch *pm = DetectGetLastSMByListId(s, DETECT_SM_LIST_PMATCH,
+ DETECT_CONTENT, -1);
if (pm == NULL) {
SCLogError(SC_ERR_RAWBYTES_MISSING_CONTENT, "\"rawbytes\" needs a preceding content option");
SCReturnInt(-1);
return 0;
}
- /* add to the latest "content" keyword from either dmatch or pmatch */
- pm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
+ /* add to the latest "content" keyword from pmatch */
+ pm = DetectGetLastSMByListId(s, DETECT_SM_LIST_PMATCH,
+ DETECT_CONTENT, -1);
if (pm == NULL) {
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "replace needs"
"preceding content option for raw sig");
SigMatch *tmpm = NULL;
/* checks if there is a previous instance of detection_filter */
- tmpm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_DETECTION_FILTER, s->init_data->smlists[DETECT_SM_LIST_MATCH]);
+ tmpm = DetectGetLastSMFromLists(s, DETECT_DETECTION_FILTER, -1);
if (tmpm != NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and \"threshold\" are not allowed in the same rule");
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and "
+ "\"threshold\" are not allowed in the same rule");
SCReturnInt(-1);
}
dubbed = 1;
}
- /* retrive the sm to apply the depth against */
- if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
- pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->init_data->smlists_tail[s->init_data->list]);
- } else {
- pm = SigMatchGetLastSMFromLists(s, 28,
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH],
- DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]);
- }
+ /* retrieve the sm to apply the within against */
+ pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, -1);
if (pm == NULL) {
SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "within needs "
- "preceding content, uricontent option, http_client_body, "
- "http_server_body, http_header option, http_raw_header option, "
- "http_method option, http_cookie, http_raw_uri, "
- "http_stat_msg, http_stat_code, http_user_agent or "
- "file_data/dce_stub_data sticky buffer option");
+ "preceding content option");
goto end;
}
-
/* verify other conditions */
DetectContentData *cd = (DetectContentData *)pm->ctx;
if (cd->flags & DETECT_CONTENT_WITHIN) {
/* these are the only ones against which we set a flag. We have other
* relative keywords like byttest, isdataat, bytejump, but we don't
* set a flag against them */
- SigMatch *prev_pm = SigMatchGetLastSMFromLists(s, 4,
- DETECT_CONTENT, pm->prev,
- DETECT_PCRE, pm->prev);
+ SigMatch *prev_pm = DetectGetLastSMByListPtr(s, pm->prev,
+ DETECT_CONTENT, DETECT_PCRE, -1);
if (prev_pm == NULL) {
ret = 0;
goto end;
int prefilter_list = DETECT_TBLSIZE;
/* get the keyword supporting prefilter with the lowest type */
- for (i = 0; i < DETECT_SM_LIST_MAX; i++) {
+ for (i = 0; i < nlists; i++) {
SigMatch *sm = tmp_s->init_data->smlists[i];
while (sm != NULL) {
if (sigmatch_table[sm->type].SupportsPrefilter != NULL) {
/* apply that keyword as prefilter */
if (prefilter_list != DETECT_TBLSIZE) {
- for (i = 0; i < DETECT_SM_LIST_MAX; i++) {
+ for (i = 0; i < nlists; i++) {
SigMatch *sm = tmp_s->init_data->smlists[i];
while (sm != NULL) {
if (sm->type == prefilter_list) {
{
SCEnter();
+ const int nlists = DetectBufferTypeMaxId();
Signature *s = de_ctx->sig_list;
for (; s != NULL; s = s->next) {
/* set up inspect engines */
/* free lists. Ctx' are xferred to sm_arrays so won't get freed */
int i;
- for (i = 0; i < DETECT_SM_LIST_MAX; i++) {
+ for (i = 0; i < nlists; i++) {
SigMatch *sm = s->init_data->smlists[i];
while (sm != NULL) {
SigMatch *nsm = sm->next;
sm = nsm;
}
}
+ SCFree(s->init_data->smlists);
+ SCFree(s->init_data->smlists_tail);
SCFree(s->init_data);
s->init_data = NULL;
}
DETECT_SM_LIST_SUPPRESS,
DETECT_SM_LIST_THRESHOLD,
+ /* used for Signature->list, which indicates which list
+ * we're adding keywords to in cases of sticky buffers like
+ * file_data */
+ DETECT_SM_LIST_NOTSET,
+
DETECT_SM_LIST_BUILTIN_MAX,
/* list for http_uri keyword and the ones relative to it */
DETECT_SM_LIST_MAX,
- /* used for Signature->list, which indicates which list
- * we're adding keywords to in cases of sticky buffers like
- * file_data */
- DETECT_SM_LIST_NOTSET,
};
/* a is ... than b */
int prefilter_list;
/* holds all sm lists */
- struct SigMatch_ *smlists[DETECT_SM_LIST_MAX];
+ struct SigMatch_ **smlists;
/* holds all sm lists' tails */
- struct SigMatch_ *smlists_tail[DETECT_SM_LIST_MAX];
+ struct SigMatch_ **smlists_tail;
} SignatureInitData;
/** \brief Signature container */
-/* Copyright (C) 2007-2010 Open Information Security Foundation
+/* Copyright (C) 2007-2016 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
/* Install it */
if (id == 0 && gid == 0) {
for (s = de_ctx->sig_list; s != NULL; s = s->next) {
- sm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
+ sm = DetectGetLastSMByListId(s,
+ DETECT_SM_LIST_THRESHOLD, DETECT_THRESHOLD, -1);
if (sm != NULL) {
SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
"an event var set. The signature event var is "
continue;
}
- sm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_DETECTION_FILTER, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
+ sm = DetectGetLastSMByListId(s,
+ DETECT_SM_LIST_THRESHOLD, DETECT_DETECTION_FILTER, -1);
if (sm != NULL) {
SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
"an event var set. The signature event var is "
} else if (id == 0 && gid > 0) {
for (s = de_ctx->sig_list; s != NULL; s = s->next) {
if (s->gid == gid) {
- sm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
- if (sm != NULL) {
- SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
- "an event var set. The signature event var is "
- "given precedence over the threshold.conf one. "
- "We'll change this in the future though.", id);
- continue;
- }
-
- sm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_DETECTION_FILTER, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
+ sm = DetectGetLastSMByListId(s, DETECT_SM_LIST_THRESHOLD,
+ DETECT_THRESHOLD, DETECT_DETECTION_FILTER, -1);
if (sm != NULL) {
SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
"an event var set. The signature event var is "
if (parsed_type != TYPE_SUPPRESS && parsed_type != TYPE_THRESHOLD &&
parsed_type != TYPE_BOTH && parsed_type != TYPE_LIMIT)
{
- sm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
+ sm = DetectGetLastSMByListId(s,
+ DETECT_SM_LIST_THRESHOLD, DETECT_THRESHOLD, -1);
if (sm != NULL) {
SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
"a threshold set. The signature event var is "
goto end;
}
- sm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_DETECTION_FILTER, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
+ sm = DetectGetLastSMByListId(s, DETECT_SM_LIST_THRESHOLD,
+ DETECT_DETECTION_FILTER, -1);
if (sm != NULL) {
SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
"a detection_filter set. The signature event var is "
}
/* replace threshold on sig if we have a global override for it */
-#if 1
} else if (parsed_type == TYPE_THRESHOLD || parsed_type == TYPE_BOTH || parsed_type == TYPE_LIMIT) {
- sm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
- if (sm == NULL) {
- sm = SigMatchGetLastSMFromLists(s, 2,
- DETECT_DETECTION_FILTER, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
- }
+ sm = DetectGetLastSMByListId(s, DETECT_SM_LIST_THRESHOLD,
+ DETECT_THRESHOLD, DETECT_DETECTION_FILTER, -1);
if (sm != NULL) {
SigMatchRemoveSMFromList(s, sm, DETECT_SM_LIST_THRESHOLD);
SigMatchFree(sm);
sm = NULL;
}
-#endif
}
de = SCMalloc(sizeof(DetectThresholdData));
FAIL_IF_NULL(g_ut_threshold_fp);
SCThresholdConfInitContext(de_ctx);
- SigMatch *m = SigMatchGetLastSMFromLists(sig, 2,
- DETECT_THRESHOLD, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
+ SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD,
+ DETECT_THRESHOLD, -1);
FAIL_IF_NULL(m);
DetectThresholdData *de = (DetectThresholdData *)m->ctx;
FAIL_IF_NULL(g_ut_threshold_fp);
SCThresholdConfInitContext(de_ctx);
- SigMatch *m = SigMatchGetLastSMFromLists(sig, 2,
- DETECT_THRESHOLD, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
+ SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD,
+ DETECT_THRESHOLD, -1);
FAIL_IF_NULL(m);
DetectThresholdData *de = (DetectThresholdData *)m->ctx;
FAIL_IF_NULL(g_ut_threshold_fp);
SCThresholdConfInitContext(de_ctx);
- SigMatch *m = SigMatchGetLastSMFromLists(sig, 2,
- DETECT_THRESHOLD, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
+ SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD,
+ DETECT_THRESHOLD, -1);
FAIL_IF_NULL(m);
DetectThresholdData *de = (DetectThresholdData *)m->ctx;
FAIL_IF_NULL(g_ut_threshold_fp);
SCThresholdConfInitContext(de_ctx);
- SigMatch *m = SigMatchGetLastSMFromLists(sig, 2,
- DETECT_THRESHOLD, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
+ SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD,
+ DETECT_THRESHOLD, -1);
FAIL_IF_NOT_NULL(m);
DetectEngineCtxFree(de_ctx);
SCThresholdConfInitContext(de_ctx);
Signature *s = de_ctx->sig_list;
- SigMatch *m = SigMatchGetLastSMFromLists(s, 2,
- DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
+ SigMatch *m = DetectGetLastSMByListId(s, DETECT_SM_LIST_THRESHOLD,
+ DETECT_THRESHOLD, -1);
FAIL_IF_NULL(m);
FAIL_IF_NULL(m->ctx);
DetectThresholdData *de = (DetectThresholdData *)m->ctx;
FAIL_IF_NOT(de->type == TYPE_THRESHOLD && de->track == TRACK_SRC && de->count == 100 && de->seconds == 60);
s = de_ctx->sig_list->next;
- m = SigMatchGetLastSMFromLists(s, 2,
- DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
+ m = DetectGetLastSMByListId(s, DETECT_SM_LIST_THRESHOLD,
+ DETECT_THRESHOLD, -1);
FAIL_IF_NULL(m);
FAIL_IF_NULL(m->ctx);
de = (DetectThresholdData *)m->ctx;
FAIL_IF_NOT(de->type == TYPE_THRESHOLD && de->track == TRACK_SRC && de->count == 100 && de->seconds == 60);
s = de_ctx->sig_list->next->next;
- m = SigMatchGetLastSMFromLists(s, 2,
- DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
+ m = DetectGetLastSMByListId(s, DETECT_SM_LIST_THRESHOLD,
+ DETECT_THRESHOLD, -1);
FAIL_IF_NULL(m);
FAIL_IF_NULL(m->ctx);
de = (DetectThresholdData *)m->ctx;
FAIL_IF_NULL(g_ut_threshold_fp);
SCThresholdConfInitContext(de_ctx);
- SigMatch *m = SigMatchGetLastSMFromLists(sig, 2,
- DETECT_THRESHOLD, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
+ SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD,
+ DETECT_THRESHOLD, -1);
FAIL_IF_NULL(m);
DetectThresholdData *de = (DetectThresholdData *)m->ctx;
FAIL_IF_NULL(g_ut_threshold_fp);
SCThresholdConfInitContext(de_ctx);
- SigMatch *m = SigMatchGetLastSMFromLists(sig, 2,
- DETECT_DETECTION_FILTER, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
+ SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD,
+ DETECT_DETECTION_FILTER, -1);
FAIL_IF_NULL(m);
DetectThresholdData *de = (DetectThresholdData *)m->ctx;
FAIL_IF_NULL(g_ut_threshold_fp);
SCThresholdConfInitContext(de_ctx);
- SigMatch *m = SigMatchGetLastSMFromLists(sig, 2,
- DETECT_DETECTION_FILTER, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]);
+ SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD,
+ DETECT_DETECTION_FILTER, -1);
FAIL_IF_NULL(m);
DetectThresholdData *de = (DetectThresholdData *)m->ctx;
FAIL_IF_NULL(g_ut_threshold_fp);
SCThresholdConfInitContext(de_ctx);
- SigMatch *m = SigMatchGetLastSMFromLists(sig, 2,
- DETECT_THRESHOLD, sig->init_data->smlists[DETECT_SM_LIST_SUPPRESS]);
+ SigMatch *m = DetectGetLastSMByListId(sig,
+ DETECT_SM_LIST_SUPPRESS, DETECT_THRESHOLD, -1);
FAIL_IF_NULL(m);
DetectThresholdData *de = (DetectThresholdData *)m->ctx;
projects / thirdparty / suricata.git / commitdiff
