detect: simplify negated mpm handling
authorVictor Julien <victor@inliniac.net>
Sat, 10 Oct 2015 12:36:45 +0000 (14:36 +0200)
committerVictor Julien <victor@inliniac.net>
Tue, 5 Apr 2016 07:30:10 +0000 (09:30 +0200)
src/detect-engine-mpm.c
src/detect-engine-siggroup.c
src/detect.c
src/detect.h

index 036ed2899c3fb2003d520ebe6965ef5ebc3129bb..620cda3cce4451f8438f4eaa44b128e51d9626ef 100644 (file)
@@ -1389,27 +1389,17 @@ void MpmStoreSetup(const DetectEngineCtx *de_ctx, MpmStore *ms)
                     s->flags |= SIG_FLAG_MPM_PACKET;
                     s->mpm_pattern_id_div_8 = cd->id / 8;
                     s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
-                    if (cd->flags & DETECT_CONTENT_NEGATED) {
-                        SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
-                        s->flags |= SIG_FLAG_MPM_PACKET_NEG;
-                    }
                 } else {
                     /* tell matcher we are inspecting stream */
                     s->flags |= SIG_FLAG_MPM_STREAM;
                     s->mpm_pattern_id_div_8 = cd->id / 8;
                     s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
-                    if (cd->flags & DETECT_CONTENT_NEGATED) {
-                        SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
-                        s->flags |= SIG_FLAG_MPM_STREAM_NEG;
-                    }
                 }
             } else {
                 /* tell matcher we are inspecting app-layer */
                 s->mpm_pattern_id_div_8 = cd->id / 8;
                 s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
                 s->flags |= SIG_FLAG_MPM_APPLAYER;
-                if (cd->flags & DETECT_CONTENT_NEGATED)
-                    s->flags |= SIG_FLAG_MPM_APPLAYER_NEG;
             }
         }
     }
index 96a6775ad862c6c5f5331db331f4f706fbfad812..544a32d29176c066f0cf26d0c88a94e2aca84a40 100644 (file)
@@ -979,7 +979,7 @@ int SigGroupHeadBuildNonMpmArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
         if (s == NULL)
             continue;
 
-        if (s->mpm_sm == NULL || (s->flags & (SIG_FLAG_MPM_PACKET_NEG|SIG_FLAG_MPM_STREAM_NEG|SIG_FLAG_MPM_APPLAYER_NEG))) {
+        if (s->mpm_sm == NULL || (s->flags & SIG_FLAG_MPM_NEG)) {
             if (!(DetectFlagsSignatureNeedsSynPackets(s))) {
                 non_mpm++;
             }
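Review bot: The predicate `s->mpm_sm == NULL || (s->flags & SIG_FLAG_MPM_NEG)` is still written out twice, once in this counting loop and again in the fill loop of the next hunk. The `BUG_ON(sgh->non_mpm_other_store_cnt >= non_mpm)` in that second loop only holds while both copies stay identical. A small file-local helper such as `static inline int SigIsNonMpm(const Signature *s)` called from both loops would keep the count and the fill in step if the condition changes again. Both loops start and end outside the hunks shown.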
@@ -1006,7 +1006,7 @@ int SigGroupHeadBuildNonMpmArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
         if (s == NULL)
             continue;
 
-        if (s->mpm_sm == NULL || (s->flags & (SIG_FLAG_MPM_PACKET_NEG|SIG_FLAG_MPM_STREAM_NEG|SIG_FLAG_MPM_APPLAYER_NEG))) {
+        if (s->mpm_sm == NULL || (s->flags & SIG_FLAG_MPM_NEG)) {
             if (!(DetectFlagsSignatureNeedsSynPackets(s))) {
                 BUG_ON(sgh->non_mpm_other_store_cnt >= non_mpm);
                 sgh->non_mpm_other_store_array[sgh->non_mpm_other_store_cnt].id = s->num;
index 2353969244757b7e795d60cdb16dd8ec405945ef..7682f28aa570d26264ab8ed78cedbbcafb1aa061 100644 (file)
@@ -1558,28 +1558,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
             }
         }
 
-        /* check for a pattern match of the one pattern in this sig. */
-        if (likely(sflags & (SIG_FLAG_MPM_PACKET|SIG_FLAG_MPM_STREAM|SIG_FLAG_MPM_APPLAYER))) {
-            /* filter out sigs that want pattern matches, but
-             * have no matches */
-            if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] & s->mpm_pattern_id_mod_8)) {
-                if (sflags & SIG_FLAG_MPM_PACKET) {
-                    if (!(sflags & SIG_FLAG_MPM_PACKET_NEG)) {
-                        goto next;
-                    }
-                } else if (sflags & SIG_FLAG_MPM_STREAM) {
-                    /* filter out sigs that want pattern matches, but
-                     * have no matches */
-                    if (!(sflags & SIG_FLAG_MPM_STREAM_NEG)) {
-                        goto next;
-                    }
-                } else if (sflags & SIG_FLAG_MPM_APPLAYER) {
-                    if (!(sflags & SIG_FLAG_MPM_APPLAYER_NEG)) {
-                        goto next;
-                    }
-                }
-            }
-        }
         if (sflags & SIG_FLAG_STATE_MATCH) {
             if (det_ctx->de_state_sig_array[s->num] & DE_STATE_MATCH_NO_NEW_STATE)
                 goto next;
@@ -1673,14 +1651,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
                     uint8_t pmq_idx = 0;
                     StreamMsg *smsg_inspect = smsg;
                     for ( ; smsg_inspect != NULL; smsg_inspect = smsg_inspect->next, pmq_idx++) {
-                        /* filter out sigs that want pattern matches, but
-                         * have no matches */
-                        if ((sflags & SIG_FLAG_MPM_STREAM) && !(sflags & SIG_FLAG_MPM_STREAM_NEG) &&
-                            !(det_ctx->smsg_pmq[pmq_idx].pattern_id_bitarray[(s->mpm_pattern_id_div_8)] & s->mpm_pattern_id_mod_8)) {
-                            SCLogDebug("no match in this smsg");
-                            continue;
-                        }
-
                         if (DetectEngineInspectStreamPayload(de_ctx, det_ctx, s, pflow, smsg_inspect->data, smsg_inspect->data_len) == 1) {
                             SCLogDebug("match in smsg %p", smsg);
                             pmatch = 1;
@@ -1706,34 +1676,13 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
                             goto next;
                     }
 
-                    if (sms_runflags & SMS_USED_PM) {
-                        if ((sflags & SIG_FLAG_MPM_PACKET) && !(sflags & SIG_FLAG_MPM_PACKET_NEG) &&
-                            !(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] &
-                              s->mpm_pattern_id_mod_8)) {
-                            goto next;
-                        }
-                        if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, pflow, p) != 1) {
-                            goto next;
-                        }
-                    } else {
-                        if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, pflow, p) != 1) {
-                            goto next;
-                        }
-                    }
-                }
-            } else {
-                if (sms_runflags & SMS_USED_PM) {
-                    if ((sflags & SIG_FLAG_MPM_PACKET) && !(sflags & SIG_FLAG_MPM_PACKET_NEG) &&
-                        !(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] &
-                          s->mpm_pattern_id_mod_8)) {
-                        goto next;
-                    }
                     if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, pflow, p) != 1) {
                         goto next;
                     }
-                } else {
-                    if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, pflow, p) != 1)
-                        goto next;
+                }
+            } else {
+                if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, pflow, p) != 1) {
+                    goto next;
                 }
             }
         }
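Review bot: With the `pattern_id_bitarray` tests gone, both remaining `DetectEngineInspectPacketPayload()` calls run for every signature that reaches this point, and nothing here records why that is safe. The filtering presumably now happens when the candidate list is built (mpm hits plus the non-mpm array), but that code is not in the visible diff. A comment above the first call would help, for example `/* no mpm bitarray check here: a sig is a candidate only via an mpm match or the non-mpm array */`. It is also worth checking whether `SMS_USED_PM` still has a reader after this hunk, since both tests of it are removed here. The enclosing branches of SigMatchSignatures begin outside the hunk.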
@@ -3301,6 +3250,10 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx)
         }
 #endif /* DEBUG */
 
+        if (RuleMpmIsNegated(tmp_s)) {
+            tmp_s->flags |= SIG_FLAG_MPM_NEG;
+        }
+
         SignatureCreateMask(tmp_s);
         SigParseApplyDsizeToContent(tmp_s);
 
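Review bot: Nothing in this hunk shows that the fast-pattern choice for `tmp_s` is already final when `RuleMpmIsNegated(tmp_s)` is called, and the helper's definition is not part of the visible diff. If it depends on `tmp_s->mpm_sm` and that is still unset here, `SIG_FLAG_MPM_NEG` would never be set. Since this commit removes the match-time `*_NEG` checks, a rule with a negated fast pattern would then be left out of the non-mpm array and could be missed whenever the pattern is absent. Once the ordering is confirmed, state it next to the call, e.g. `/* mpm_sm is set by now; negated mpm sigs must be routed to the non-mpm array */`, and give the new define in detect.h a `/**< ... */` description like its neighbours. The surrounding loop body continues outside the hunk.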
index 03c354da8d1d6b9ac2de6c35bb104ba3125e0e18..ab4674508b26c4f974473f098e0a7b7a60e73efb 100644 (file)
@@ -276,12 +276,10 @@ typedef struct DetectPort_ {
 #define SIG_FLAG_REQUIRE_PACKET         (1<<9) /**< signature is requiring packet match */
 #define SIG_FLAG_REQUIRE_STREAM         (1<<10) /**< signature is requiring stream match */
 
-#define SIG_FLAG_MPM_PACKET             (1<<11)
-#define SIG_FLAG_MPM_PACKET_NEG         (1<<12)
+#define SIG_FLAG_MPM_NEG                (1<<11)
+#define SIG_FLAG_MPM_PACKET             (1<<12)
 #define SIG_FLAG_MPM_STREAM             (1<<13)
-#define SIG_FLAG_MPM_STREAM_NEG         (1<<14)
-#define SIG_FLAG_MPM_APPLAYER           (1<<15)
-#define SIG_FLAG_MPM_APPLAYER_NEG       (1<<16)
+#define SIG_FLAG_MPM_APPLAYER           (1<<14)
 
 #define SIG_FLAG_REQUIRE_FLOWVAR        (1<<17) /**< signature can only match if a flowbit, flowvar or flowint is available. */