detect: apply within as depth where possible
authorVictor Julien <vjulien@oisf.net>
Sun, 19 Mar 2023 16:46:02 +0000 (17:46 +0100)
committerVictor Julien <vjulien@oisf.net>
Fri, 24 Mar 2023 05:28:49 +0000 (06:28 +0100)
The rule lang allows for within and distance to act as depth/offset,
but internally this was not handled the same way. This patch converts
within/distance w/o a prior pattern to depth/within.

src/detect-content.c
src/detect-content.h
src/detect-engine-analyzer.c

index d22fbc8f89b3f8f27f7c5f792e24209bd601504a..aec5f631f8f814296555c42b9edcb3af9c6ad975 100644 (file)
@@ -528,6 +528,27 @@ static void PropagateLimits(Signature *s, SigMatch *sm_head)
                     has_active_depth_chain = false;
                     continue;
                 }
+                if (sm->prev == NULL) {
+                    if (cd->distance >= 0 && cd->distance <= (int32_t)USHRT_MAX &&
+                            cd->within >= 0 && cd->within <= (int32_t)USHRT_MAX) {
+                        if (cd->flags & DETECT_CONTENT_DISTANCE) {
+                            if (cd->distance > 0)
+                                cd->flags |= DETECT_CONTENT_OFFSET;
+                            cd->flags &= ~DETECT_CONTENT_DISTANCE;
+                            cd->offset = (uint16_t)cd->distance;
+                            cd->distance = 0;
+                            cd->flags |= DETECT_CONTENT_DISTANCE2OFFSET;
+                        }
+                        if (cd->flags & DETECT_CONTENT_WITHIN) {
+                            cd->flags |= DETECT_CONTENT_DEPTH;
+                            cd->flags &= ~DETECT_CONTENT_WITHIN;
+                            cd->depth = (uint16_t)cd->within + cd->offset;
+                            cd->within = 0;
+                            cd->flags |= DETECT_CONTENT_WITHIN2DEPTH;
+                        }
+                    }
+                }
+
                 if (cd->flags & DETECT_CONTENT_NEGATED) {
                     offset = depth = 0;
                     offset_plus_pat = 0;
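Review bot: The within-to-depth conversion at `cd->depth = (uint16_t)cd->within + cd->offset;` is not bounds-checked as a sum: the guard above limits `distance` and `within` individually to USHRT_MAX, but once `distance` has just been folded into `offset`, `within + offset` can reach twice that, and if `depth` is a uint16_t like `offset` appears to be, the value silently wraps to something smaller than `offset`, so a first content with e.g. `distance:40000; within:40000;` could never match without any parse-time error. Guard the sum before converting, `if ((cd->flags & DETECT_CONTENT_WITHIN) && cd->within + cd->offset <= (int32_t)USHRT_MAX) {`, so that an out-of-range combination is left as within/distance rather than rewritten into an unreachable depth; whether the rule should then be rejected outright is a policy decision not visible in this hunk. PropagateLimits starts before this hunk and its loop continues after it.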
index a99dc78462b90b9c9573dcbdee06f5f6bf338257..3f1fc35e00a43c6f5db4d4545d9ebd68caf8eca9 100644 (file)
@@ -59,6 +59,8 @@
 #define DETECT_CONTENT_STARTS_WITH      BIT_U32(19)
 /** MPM pattern selected by the engine or forced by fast_pattern keyword */
 #define DETECT_CONTENT_MPM              BIT_U32(20)
+#define DETECT_CONTENT_WITHIN2DEPTH     BIT_U32(21)
+#define DETECT_CONTENT_DISTANCE2OFFSET  BIT_U32(22)
 
 /** a relative match to this content is next, used in matching phase */
 #define DETECT_CONTENT_RELATIVE_NEXT    (DETECT_CONTENT_WITHIN_NEXT|DETECT_CONTENT_DISTANCE_NEXT)
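Review bot: The two new flags have no doc comment, unlike their neighbour DETECT_CONTENT_MPM, and their names alone do not say who sets them or when. Add one above each, e.g. `/** 'within' on a content with no preceding match was rewritten to 'depth' by PropagateLimits */` and `/** 'distance' on a content with no preceding match was rewritten to 'offset' by PropagateLimits */`. Mentioning that the rule analyzer reads them to report the conversion to the rule author would also help, since that is currently their only visible consumer.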
index d71dcb6f50902bca1849d72d2574595ad5c1f4a7..beb736f471f9889475017eb5a721b0e3a485dc4f 100644 (file)
@@ -684,6 +684,14 @@ static void DumpMatches(RuleAnalyzer *ctx, JsonBuilder *js, const SigMatchData *
                             (char *)"pattern looks like it inspects HTTP, use http.user_agent "
                                     "or http.header for improved performance");
                 }
+                if (cd->flags & DETECT_CONTENT_WITHIN2DEPTH) {
+                    AnalyzerNote(ctx, (char *)"'within' option for pattern w/o previous content "
+                                              "was converted to 'depth'");
+                }
+                if (cd->flags & DETECT_CONTENT_DISTANCE2OFFSET) {
+                    AnalyzerNote(ctx, (char *)"'distance' option for pattern w/o previous content "
+                                              "was converted to 'offset'");
+                }
                 jb_close(js);
                 break;
             }