detect: limit flush logic to sigs that need it

Limit the early 'flush' logic to sigs that actually need to match
on both stream and http bodies.

diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c
index b9a79e9347188997cfd73eed01bfd90e8e6634c5..2024c004863f308aad06c0d79e8881268b58ec74 100644 (file)
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@@ -373,6 +373,10 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
     uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
     int check_before_add = 0;
 
+    /* see if we want to pass on the FLUSH flag */
+    if ((s->flags & SIG_FLAG_FLUSH) == 0)
+        flags &=~ STREAM_FLUSH;
+
     /* if continue detection already inspected this rule for this tx,
      * continue with the first not-inspected tx */
     uint8_t offset = det_ctx->de_state_sig_array[s->num] & 0x7f;
@@ -522,6 +526,10 @@ static int DoInspectItem(ThreadVars *tv,
     Signature *s = de_ctx->sig_array[item->sid];
     det_ctx->stream_already_inspected = false;
 
+    /* see if we want to pass on the FLUSH flag */
+    if ((s->flags & SIG_FLAG_FLUSH) == 0)
+        flags &=~ STREAM_FLUSH;
+
     SCLogDebug("file_no_match %u, sid %u", *file_no_match, s->id);
 
     /* check if a sig in state 'full inspect' needs to be reconsidered

diff --git a/src/detect-engine.c b/src/detect-engine.c
index 51c880d0fc4b669bb0fe446657f4ec9f4a673491..5bfb3565915d9edd79fce7badd9b6a05f9371c84 100644 (file)
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -294,6 +294,10 @@ next:
             AppendStreamInspectEngine(s, stream, 0, last_id + 1);
             AppendStreamInspectEngine(s, stream, 1, last_id + 1);
         }
+
+        if (s->init_data->init_flags & SIG_FLAG_INIT_NEED_FLUSH) {
+            s->flags |= SIG_FLAG_FLUSH;
+        }
     }
 
 #ifdef DEBUG

diff --git a/src/detect-file-data.c b/src/detect-file-data.c
index 326ebbf784d788a43062d59171fcbe90b4ea14e2..febccef938978cd908af3ecf35faaa5d3ffe2f24 100644 (file)
--- a/src/detect-file-data.c
+++ b/src/detect-file-data.c
@@ -138,6 +138,10 @@ static void DetectFiledataSetupCallback(Signature *s)
         s->mask |= SIG_MASK_REQUIRE_SMTP_STATE;
     }
 
+
+    /* server body needs to be inspected in sync with stream if possible */
+    s->init_data->init_flags |= SIG_FLAG_INIT_NEED_FLUSH;
+
     SCLogDebug("callback invoked by %u", s->id);
 }
 

diff --git a/src/detect-http-client-body.c b/src/detect-http-client-body.c
index cdbc204d30c250608a4374920ae64d4097fd7b37..372417f7b4fd967e73615d6dd81e3ae89d3b73d4 100644 (file)
--- a/src/detect-http-client-body.c
+++ b/src/detect-http-client-body.c
@@ -100,6 +100,9 @@ static void DetectHttpClientBodySetupCallback(Signature *s)
     SCLogDebug("callback invoked by %u", s->id);
     AppLayerHtpEnableRequestBodyCallback();
     s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
+
+    /* client body needs to be inspected in sync with stream if possible */
+    s->init_data->init_flags |= SIG_FLAG_INIT_NEED_FLUSH;
 }
 
 /**

diff --git a/src/detect.h b/src/detect.h
index d377cbd032b2e5d82dfe3acce9116961d49956cf..458baf01e93df22708df7da308327554216b80b6 100644 (file)
--- a/src/detect.h
+++ b/src/detect.h
@@ -224,6 +224,8 @@ typedef struct DetectPort_ {
 
 #define SIG_FLAG_MPM_NEG                (1<<11)
 
+#define SIG_FLAG_FLUSH                  (1<<12) /**< detection logic needs stream flush notification */
+
 #define SIG_FLAG_REQUIRE_FLOWVAR        (1<<17) /**< signature can only match if a flowbit, flowvar or flowint is available. */
 
 #define SIG_FLAG_FILESTORE              (1<<18) /**< signature has filestore keyword */
@@ -253,6 +255,7 @@ typedef struct DetectPort_ {
 #define SIG_FLAG_INIT_FLOW           (1<<2)  /**< signature has a flow setting */
 #define SIG_FLAG_INIT_BIDIREC        (1<<3)  /**< signature has bidirectional operator */
 #define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN (1 << 4) /** < signature has seen the first ip_proto keyword */
+#define SIG_FLAG_INIT_NEED_FLUSH            (1<<7)
 
 /* signature mask flags */
 #define SIG_MASK_REQUIRE_PAYLOAD            (1<<0)