From: Victor Julien Date: Thu, 11 Jan 2018 12:50:59 +0000 (+0100) Subject: detect/state: clean up old code X-Git-Tag: suricata-4.1.0-beta1~315 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2b8f34a1b5e7ac7b9b756d5abf1fdbbe518a84dc;p=thirdparty%2Fsuricata.git detect/state: clean up old code --- diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c index f47305951a..45166f4099 100644 --- a/src/detect-engine-state.c +++ b/src/detect-engine-state.c @@ -18,23 +18,12 @@ /** * \defgroup sigstate State support * - * It is possible to do matching on reconstructed applicative flow. - * This is done by this code. It uses the ::Flow structure to store - * the list of signatures to match on the reconstructed stream. - * - * The Flow::de_state is a ::DetectEngineState structure. This is + * State is stored in the ::DetectEngineState structure. This is * basically a containter for storage item of type ::DeStateStore. * They contains an array of ::DeStateStoreItem which store the * state of match for an individual signature identified by * DeStateStoreItem::sid. * - * The state is constructed by DeStateDetectStartDetection() which - * also starts the matching. Work is continued by - * DeStateDetectContinueDetection(). - * - * Once a transaction has been analysed DeStateRestartDetection() - * is used to reset the structures. - * * @{ */ @@ -81,22 +70,6 @@ /** convert enum to string */ #define CASE_CODE(E) case E: return #E -#if 0 -/** The DetectEngineThreadCtx::de_state_sig_array contains 2 separate values: - * 1. the first bit tells the prefilter engine to bypass the rule (or not) - * 2. the other bits allow 'ContinueDetect' to specify an offset again the - * base tx id. This offset will then be used by 'StartDetect' to not - * inspect transactions again for the same signature. - * - * The offset in (2) has a max value due to the limited data type. If it is - * set to max the code will fall back to a slower path that validates that - * we're not adding duplicate rules to the detection state. - */ -#define MAX_STORED_TXID_OFFSET 127 - -/******** static internal helpers *********/ -#endif - static inline int StateIsValid(uint16_t alproto, void *alstate) { if (alstate != NULL) { @@ -112,15 +85,6 @@ static inline int StateIsValid(uint16_t alproto, void *alstate) return 0; } -#if 0 -static inline int TxIsLast(uint64_t tx_id, uint64_t total_txs) -{ - if (total_txs - tx_id <= 1) - return 1; - return 0; -} -#endif - static DeStateStore *DeStateStoreAlloc(void) { DeStateStore *d = SCMalloc(sizeof(DeStateStore)); @@ -279,584 +243,6 @@ void DetectRunStoreStateTx( SCLogDebug("Stored for TX %"PRIu64, tx_id); } -void DetectRunStoreStateTxFileOnly( - const SigGroupHead *sgh, - Flow *f, void *tx, uint64_t tx_id, - const uint8_t flow_flags, - const uint16_t file_no_match) -{ - DetectEngineState *destate = AppLayerParserGetTxDetectState(f->proto, f->alproto, tx); - if (destate == NULL) { - destate = DetectEngineStateAlloc(); - if (destate == NULL) - return; - if (AppLayerParserSetTxDetectState(f, f->alstate, tx, destate) < 0) { - DetectEngineStateFree(destate); - return; - } - SCLogDebug("destate created for %"PRIu64, tx_id); - } - StoreStateTxHandleFiles(sgh, f, destate, flow_flags, tx_id, file_no_match); -} - -#if 0 -/** - * \param check_before_add check for duplicates before adding the sig - */ -static void StoreStateTx(DetectEngineThreadCtx *det_ctx, - Flow *f, const uint8_t flags, - const uint64_t tx_id, void *tx, - const Signature *s, const SigMatchData *smd, - const uint32_t inspect_flags, const uint16_t file_no_match, int check_before_add) -{ - DetectEngineState *destate = AppLayerParserGetTxDetectState(f->proto, f->alproto, tx); - if (destate == NULL) { - destate = DetectEngineStateAlloc(); - if (destate == NULL) - return; - if (AppLayerParserSetTxDetectState(f, f->alstate, tx, destate) < 0) { - DetectEngineStateFree(destate); - return; - } - SCLogDebug("destate created for %"PRIu64, tx_id); - } - - SCLogDebug("file_no_match %u", file_no_match); - - if (check_before_add == 0 || DeStateSearchState(destate, flags, s->num) == 0) - DeStateSignatureAppend(destate, s, inspect_flags, flags); - - StoreStateTxHandleFiles(det_ctx, f, destate, flags, tx_id, file_no_match); - SCLogDebug("Stored for TX %"PRIu64, tx_id); -} - -static int HasStoredSigs(const Flow *f, const uint8_t flags) -{ - AppProto alproto = f->alproto; - void *alstate = FlowGetAppState(f); - if (!StateIsValid(f->alproto, alstate)) { - return 0; - } - - int state = AppLayerParserHasTxDetectState(f->proto, alproto, f->alstate); - if (state == -ENOSYS) { /* proto doesn't support this API call */ - /* fall through */ - } else if (state == 0) { - return 0; - } - /* if state == 1 we also fall through */ - - uint64_t inspect_tx_id = AppLayerParserGetTransactionInspectId(f->alparser, flags); - uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate); - - for ( ; inspect_tx_id < total_txs; inspect_tx_id++) { - void *inspect_tx = AppLayerParserGetTx(f->proto, alproto, alstate, inspect_tx_id); - if (inspect_tx != NULL) { - DetectEngineState *tx_de_state = AppLayerParserGetTxDetectState(f->proto, alproto, inspect_tx); - if (tx_de_state == NULL) { - continue; - } - if (tx_de_state->dir_state[flags & STREAM_TOSERVER ? 0 : 1].cnt != 0) { - SCLogDebug("tx %"PRIu64" has sigs present", inspect_tx_id); - return 1; - } - } - } - return 0; -} - -/** \brief Check if we need to inspect this state - * - * State needs to be inspected if: - * 1. state has been updated - * 2. we already have de_state in progress - * - * \retval 0 no inspectable state - * \retval 1 inspectable state - */ -int DeStateFlowHasInspectableState(const Flow *f, const uint8_t flags) -{ - int r = 0; - - if (HasStoredSigs(f, flags)) { - r = 1; - } else { - r = 0; - } - return r; -} - -/* returns: true match, false no match */ -bool DeStateDetectStartDetection(ThreadVars *tv, - DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, - const Signature *s, Packet *p, Flow *f, - const uint8_t flags, // direction - const AppProto alproto) -{ - SCLogDebug("rule %u/%u", s->id, s->num); - - /* TX based matches (inspect engines) */ - void *alstate = FlowGetAppState(f); - if (unlikely(!StateIsValid(alproto, alstate))) { - return false; - } - - SigMatchData *smd = NULL; - uint16_t file_no_match = 0; - uint32_t inspect_flags = 0; - int alert_cnt = 0; - uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1; - int check_before_add = 0; - - /* if continue detection already inspected this rule for this tx, - * continue with the first not-inspected tx */ - uint8_t offset = det_ctx->de_state_sig_array[s->num] & 0x7f; - uint64_t tx_id = AppLayerParserGetTransactionInspectId(f->alparser, flags); - if (offset > 0) { - SCLogDebug("using stored_tx_id %"PRIu64" instead of %"PRIu64, tx_id+offset, tx_id); - tx_id += offset; - } - if (offset == MAX_STORED_TXID_OFFSET) { - check_before_add = 1; - } - - uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate); - SCLogDebug("total_txs %"PRIu64, total_txs); - - SCLogDebug("starting: start tx %"PRIu64", packet %"PRIu64, tx_id, p->pcap_cnt); - - det_ctx->stream_already_inspected = false; - for (; tx_id < total_txs; tx_id++) { - int total_matches = 0; - void *tx = AppLayerParserGetTx(f->proto, alproto, alstate, tx_id); - SCLogDebug("tx %p", tx); - if (tx == NULL) - continue; - det_ctx->tx_id = tx_id; - det_ctx->tx_id_set = 1; - det_ctx->p = p; - int tx_progress = AppLayerParserGetStateProgress(f->proto, alproto, tx, flags); - - /* see if we need to consider the next tx in our decision to add - * a sig to the 'no inspect array'. */ - bool next_tx_no_progress = false; - if (!TxIsLast(tx_id, total_txs)) { - void *next_tx = AppLayerParserGetTx(f->proto, alproto, alstate, tx_id+1); - if (next_tx != NULL) { - int c = AppLayerParserGetStateProgress(f->proto, alproto, next_tx, flags); - if (c == 0) { - next_tx_no_progress = true; - } - } - } - - DetectEngineAppInspectionEngine *engine = s->app_inspect; - SCLogDebug("engine %p", engine); - inspect_flags = 0; - while (engine != NULL) { - SCLogDebug("engine %p", engine); - SCLogDebug("inspect_flags %x", inspect_flags); - if (direction == engine->dir) { - if (tx_progress < engine->progress) { - SCLogDebug("tx progress %d < engine progress %d", - tx_progress, engine->progress); - break; - } - - KEYWORD_PROFILING_SET_LIST(det_ctx, engine->sm_list); - int match = engine->Callback(tv, de_ctx, det_ctx, - s, engine->smd, f, flags, alstate, tx, tx_id); - SCLogDebug("engine %p match %d", engine, match); - if ((match == DETECT_ENGINE_INSPECT_SIG_NO_MATCH || match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) - && (engine->mpm)) { - SCLogDebug("MPM and not matching, so skip the whole TX"); - // TODO - goto try_next; - } else - if (match == DETECT_ENGINE_INSPECT_SIG_MATCH) { - inspect_flags |= BIT_U32(engine->id); - engine = engine->next; - total_matches++; - continue; - } else if (match == DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES) { - /* if the file engine matched, but indicated more - * files are still in progress, we don't set inspect - * flags as these would end inspection for this tx */ - engine = engine->next; - total_matches++; - continue; - } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) { - inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH; - inspect_flags |= BIT_U32(engine->id); - } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE) { - inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH; - inspect_flags |= BIT_U32(engine->id); - file_no_match++; - } - break; - } - engine = engine->next; - } - SCLogDebug("inspect_flags %x", inspect_flags); - /* all the engines seem to be exhausted at this point. If we - * didn't have a match in one of the engines we would have - * broken off and engine wouldn't be NULL. Hence the alert. */ - if (engine == NULL && total_matches > 0) { - if (!(s->flags & SIG_FLAG_NOALERT)) { - PacketAlertAppend(det_ctx, s, p, tx_id, - PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_TX); - } else { - DetectSignatureApplyActions(p, s, - PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_TX); - } - alert_cnt = 1; - SCLogDebug("MATCH: tx %"PRIu64" packet %"PRIu64, tx_id, p->pcap_cnt); - } - - /* if this is the last tx in our list, and it's incomplete: then - * we store the state so that ContinueDetection knows about it */ - int tx_is_done = (tx_progress >= - AppLayerParserGetStateProgressCompletionStatus(alproto, flags)); - - SCLogDebug("tx %"PRIu64", packet %"PRIu64", rule %u, alert_cnt %u, " - "last tx %d, tx_is_done %d, next_tx_no_progress %s", - tx_id, p->pcap_cnt, s->num, alert_cnt, - TxIsLast(tx_id, total_txs), tx_is_done, - next_tx_no_progress ? "true" : "false"); - - /* store our state */ - if (!(TxIsLast(tx_id, total_txs)) || !tx_is_done) { - if (engine == NULL || inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH) { - inspect_flags |= DE_STATE_FLAG_FULL_INSPECT; - } - - /* store */ - StoreStateTx(det_ctx, f, flags, tx_id, tx, - s, smd, inspect_flags, file_no_match, check_before_add); - } else { - StoreStateTxFileOnly(det_ctx, f, flags, tx_id, tx, file_no_match); - } - try_next: - if (next_tx_no_progress) - break; - } /* for */ - - det_ctx->tx_id = 0; - det_ctx->tx_id_set = 0; - det_ctx->p = NULL; - return (alert_cnt > 0); -} - -static int DoInspectItem(ThreadVars *tv, - DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, - DeStateStoreItem *item, const uint8_t dir_state_flags, - Packet *p, Flow *f, AppProto alproto, uint8_t flags, - const uint64_t inspect_tx_id, const uint64_t total_txs, - uint16_t *file_no_match, - const bool inprogress, // is current tx in progress? - const bool next_tx_no_progress) // tx after current is still dormant -{ - Signature *s = de_ctx->sig_array[item->sid]; - det_ctx->stream_already_inspected = false; - - SCLogDebug("file_no_match %u, sid %u", *file_no_match, s->id); - - /* check if a sig in state 'full inspect' needs to be reconsidered - * as the result of a new file in the existing tx */ - if (item->flags & DE_STATE_FLAG_FULL_INSPECT) { - if (item->flags & (DE_STATE_FLAG_FILE_TC_INSPECT|DE_STATE_FLAG_FILE_TS_INSPECT)) { - if ((flags & STREAM_TOCLIENT) && - (dir_state_flags & DETECT_ENGINE_STATE_FLAG_FILE_TC_NEW)) - { - SCLogDebug("~DE_STATE_FLAG_FILE_TC_INSPECT"); - item->flags &= ~DE_STATE_FLAG_FILE_TC_INSPECT; - item->flags &= ~DE_STATE_FLAG_FULL_INSPECT; - item->flags &= ~DE_STATE_FLAG_SIG_CANT_MATCH; - } - - if ((flags & STREAM_TOSERVER) && - (dir_state_flags & DETECT_ENGINE_STATE_FLAG_FILE_TS_NEW)) - { - SCLogDebug("~DE_STATE_FLAG_FILE_TS_INSPECT"); - item->flags &= ~DE_STATE_FLAG_FILE_TS_INSPECT; - item->flags &= ~DE_STATE_FLAG_FULL_INSPECT; - item->flags &= ~DE_STATE_FLAG_SIG_CANT_MATCH; - } - } - - if (item->flags & DE_STATE_FLAG_FULL_INSPECT) { - if (TxIsLast(inspect_tx_id, total_txs) || inprogress || next_tx_no_progress) { - det_ctx->de_state_sig_array[item->sid] = DE_STATE_MATCH_NO_NEW_STATE; - SCLogDebug("skip and bypass %u: tx %"PRIu64" packet %"PRIu64, s->id, inspect_tx_id, p->pcap_cnt); - } else { - SCLogDebug("just skip: tx %"PRIu64" packet %"PRIu64, inspect_tx_id, p->pcap_cnt); - - /* make sure that if we reinspect this right now from - * start detection, we skip this tx we just matched on */ - uint64_t base_tx_id = AppLayerParserGetTransactionInspectId(f->alparser, flags); - uint64_t offset = (inspect_tx_id + 1) - base_tx_id; - if (offset > MAX_STORED_TXID_OFFSET) - offset = MAX_STORED_TXID_OFFSET; - det_ctx->de_state_sig_array[item->sid] = (uint8_t)offset; -#ifdef DEBUG_VALIDATION - BUG_ON(det_ctx->de_state_sig_array[item->sid] & DE_STATE_MATCH_NO_NEW_STATE); // check that we don't set the bit -#endif - SCLogDebug("storing tx_id %"PRIu64" for this sid", inspect_tx_id + 1); - } - return 0; - } - } - - /* check if a sig in state 'cant match' needs to be reconsidered - * as the result of a new file in the existing tx */ - SCLogDebug("item->flags %x", item->flags); - if (item->flags & DE_STATE_FLAG_SIG_CANT_MATCH) { - SCLogDebug("DE_STATE_FLAG_SIG_CANT_MATCH"); - - if ((flags & STREAM_TOSERVER) && - (item->flags & DE_STATE_FLAG_FILE_TS_INSPECT) && - (dir_state_flags & DETECT_ENGINE_STATE_FLAG_FILE_TS_NEW)) - { - SCLogDebug("unset ~DE_STATE_FLAG_FILE_TS_INSPECT ~DE_STATE_FLAG_SIG_CANT_MATCH"); - item->flags &= ~DE_STATE_FLAG_FILE_TS_INSPECT; - item->flags &= ~DE_STATE_FLAG_SIG_CANT_MATCH; - - } else if ((flags & STREAM_TOCLIENT) && - (item->flags & DE_STATE_FLAG_FILE_TC_INSPECT) && - (dir_state_flags & DETECT_ENGINE_STATE_FLAG_FILE_TC_NEW)) - { - SCLogDebug("unset ~DE_STATE_FLAG_FILE_TC_INSPECT ~DE_STATE_FLAG_SIG_CANT_MATCH"); - item->flags &= ~DE_STATE_FLAG_FILE_TC_INSPECT; - item->flags &= ~DE_STATE_FLAG_SIG_CANT_MATCH; - } else { - if (TxIsLast(inspect_tx_id, total_txs) || inprogress || next_tx_no_progress) { - det_ctx->de_state_sig_array[item->sid] = DE_STATE_MATCH_NO_NEW_STATE; - SCLogDebug("skip and bypass: tx %"PRIu64" packet %"PRIu64, inspect_tx_id, p->pcap_cnt); - } else { - SCLogDebug("just skip: tx %"PRIu64" packet %"PRIu64, inspect_tx_id, p->pcap_cnt); - - /* make sure that if we reinspect this right now from - * start detection, we skip this tx we just matched on */ - uint64_t base_tx_id = AppLayerParserGetTransactionInspectId(f->alparser, flags); - uint64_t offset = (inspect_tx_id + 1) - base_tx_id; - if (offset > MAX_STORED_TXID_OFFSET) - offset = MAX_STORED_TXID_OFFSET; - det_ctx->de_state_sig_array[item->sid] = (uint8_t)offset; -#ifdef DEBUG_VALIDATION - BUG_ON(det_ctx->de_state_sig_array[item->sid] & DE_STATE_MATCH_NO_NEW_STATE); // check that we don't set the bit -#endif - SCLogDebug("storing tx_id %"PRIu64" for this sid", inspect_tx_id + 1); - } - return 0; - } - } - - uint8_t alert = 0; - uint32_t inspect_flags = 0; - int total_matches = 0; - - RULE_PROFILING_START(p); - - void *alstate = FlowGetAppState(f); - if (!StateIsValid(alproto, alstate)) { - RULE_PROFILING_END(det_ctx, s, 0, p); - return -1; - } - - det_ctx->tx_id = inspect_tx_id; - det_ctx->tx_id_set = 1; - det_ctx->p = p; - SCLogDebug("inspecting: tx %"PRIu64" packet %"PRIu64, inspect_tx_id, p->pcap_cnt); - - uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1; - DetectEngineAppInspectionEngine *engine = s->app_inspect; - void *inspect_tx = AppLayerParserGetTx(f->proto, alproto, alstate, inspect_tx_id); - if (inspect_tx == NULL) { - RULE_PROFILING_END(det_ctx, s, 0, p); - return -1; - } - int tx_progress = AppLayerParserGetStateProgress(f->proto, alproto, inspect_tx, flags); - - while (engine != NULL) { - if (!(item->flags & BIT_U32(engine->id)) && - direction == engine->dir) - { - SCLogDebug("inspect_flags %x", inspect_flags); - - if (tx_progress < engine->progress) { - SCLogDebug("tx progress %d < engine progress %d", - tx_progress, engine->progress); - break; - } - - KEYWORD_PROFILING_SET_LIST(det_ctx, engine->sm_list); - int match = engine->Callback(tv, de_ctx, det_ctx, - s, engine->smd, - f, flags, alstate, inspect_tx, inspect_tx_id); - if (match == DETECT_ENGINE_INSPECT_SIG_MATCH) { - inspect_flags |= BIT_U32(engine->id); - engine = engine->next; - total_matches++; - continue; - } else if (match == DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES) { - /* if the file engine matched, but indicated more - * files are still in progress, we don't set inspect - * flags as these would end inspection for this tx */ - engine = engine->next; - total_matches++; - continue; - } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) { - inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH; - inspect_flags |= BIT_U32(engine->id); - } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE) { - inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH; - inspect_flags |= BIT_U32(engine->id); - (*file_no_match)++; - } - break; - } - engine = engine->next; - } - SCLogDebug("inspect_flags %x", inspect_flags); - if (total_matches > 0 && (engine == NULL || inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH)) { - if (engine == NULL) - alert = 1; - inspect_flags |= DE_STATE_FLAG_FULL_INSPECT; - } - - item->flags |= inspect_flags; - /* flag this sig to don't inspect again from the detection loop it if - * there is no need for it */ - if (TxIsLast(inspect_tx_id, total_txs) || inprogress || next_tx_no_progress) { - det_ctx->de_state_sig_array[item->sid] = DE_STATE_MATCH_NO_NEW_STATE; - SCLogDebug("inspected, now bypass: tx %"PRIu64" packet %"PRIu64, inspect_tx_id, p->pcap_cnt); - } else { - /* make sure that if we reinspect this right now from - * start detection, we skip this tx we just matched on */ - uint64_t base_tx_id = AppLayerParserGetTransactionInspectId(f->alparser, flags); - uint64_t offset = (inspect_tx_id + 1) - base_tx_id; - if (offset > MAX_STORED_TXID_OFFSET) - offset = MAX_STORED_TXID_OFFSET; - det_ctx->de_state_sig_array[item->sid] = (uint8_t)offset; -#ifdef DEBUG_VALIDATION - BUG_ON(det_ctx->de_state_sig_array[item->sid] & DE_STATE_MATCH_NO_NEW_STATE); // check that we don't set the bit -#endif - SCLogDebug("storing tx_id %"PRIu64" for this sid", inspect_tx_id + 1); - } - RULE_PROFILING_END(det_ctx, s, (alert == 1), p); - - if (alert) { - SigMatchSignaturesRunPostMatch(tv, de_ctx, det_ctx, p, s); - - if (!(s->flags & SIG_FLAG_NOALERT)) { - PacketAlertAppend(det_ctx, s, p, inspect_tx_id, - PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_TX); - } else { - PACKET_UPDATE_ACTION(p, s->action); - } - SCLogDebug("MATCH: tx %"PRIu64" packet %"PRIu64, inspect_tx_id, p->pcap_cnt); - } - - DetectVarProcessList(det_ctx, f, p); - return 1; -} - -void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, - Packet *p, Flow *f, const uint8_t flags, - AppProto alproto) -{ - SCLogDebug("starting continue detection for packet %"PRIu64, p->pcap_cnt); - - void *alstate = FlowGetAppState(f); - if (unlikely(!StateIsValid(alproto, alstate))) { - return; - } - - const uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1; - uint64_t inspect_tx_id = AppLayerParserGetTransactionInspectId(f->alparser, flags); - const uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate); - const int end_progress = AppLayerParserGetStateProgressCompletionStatus(alproto, flags); - - for ( ; inspect_tx_id < total_txs; inspect_tx_id++) { - bool inspect_tx_inprogress = false; - void *inspect_tx = AppLayerParserGetTx(f->proto, alproto, alstate, inspect_tx_id); - if (inspect_tx != NULL) { - bool next_tx_no_progress = false; - - const int tx_progress = AppLayerParserGetStateProgress(f->proto, alproto, inspect_tx, flags); - if (end_progress < tx_progress) { - inspect_tx_inprogress = true; - } - SCLogDebug("tx %"PRIu64" (%"PRIu64") => %s", inspect_tx_id, total_txs, - inspect_tx_inprogress ? "in progress" : "done"); - - DetectEngineState *tx_de_state = AppLayerParserGetTxDetectState(f->proto, alproto, inspect_tx); - if (tx_de_state == NULL) { - SCLogDebug("NO STATE tx %"PRIu64" (%"PRIu64")", inspect_tx_id, total_txs); - continue; - } - DetectEngineStateDirection *tx_dir_state = &tx_de_state->dir_state[direction]; - DeStateStore *tx_store = tx_dir_state->head; - - SCLogDebug("tx_dir_state->filestore_cnt %u", tx_dir_state->filestore_cnt); - - /* see if we need to consider the next tx in our decision to add - * a sig to the 'no inspect array'. */ - if (!TxIsLast(inspect_tx_id, total_txs)) { - void *next_inspect_tx = AppLayerParserGetTx(f->proto, alproto, alstate, inspect_tx_id+1); - if (next_inspect_tx != NULL) { - int c = AppLayerParserGetStateProgress(f->proto, alproto, next_inspect_tx, flags); - if (c == 0) { - next_tx_no_progress = true; - } - } - } - - /* Loop through stored 'items' (stateful rules) and inspect them */ - SigIntId state_cnt = 0; - for (; tx_store != NULL; tx_store = tx_store->next) { - SCLogDebug("tx_store %p", tx_store); - - SigIntId store_cnt = 0; - for (store_cnt = 0; - store_cnt < DE_STATE_CHUNK_SIZE && state_cnt < tx_dir_state->cnt; - store_cnt++, state_cnt++) - { - uint16_t file_no_match = 0; // TODO looks like we're just ignoring this - DeStateStoreItem *item = &tx_store->store[store_cnt]; - int r = DoInspectItem(tv, de_ctx, det_ctx, - item, tx_dir_state->flags, - p, f, alproto, flags, - inspect_tx_id, total_txs, - &file_no_match, inspect_tx_inprogress, next_tx_no_progress); - if (r < 0) { - SCLogDebug("failed"); - goto end; - } - } - } - - tx_dir_state->flags &= - ~(DETECT_ENGINE_STATE_FLAG_FILE_TS_NEW|DETECT_ENGINE_STATE_FLAG_FILE_TC_NEW); - } - /* if the current tx is in progress, we won't advance to any newer - * tx' just yet. */ - if (inspect_tx_inprogress) { - SCLogDebug("break out"); - break; - } - } - -end: - det_ctx->p = NULL; - det_ctx->tx_id = 0; - det_ctx->tx_id_set = 0; - return; -} -#endif - /** \brief update flow's inspection id's * * \param f unlocked flow diff --git a/src/detect-engine-state.h b/src/detect-engine-state.h index db43f92b6b..5a8e17af01 100644 --- a/src/detect-engine-state.h +++ b/src/detect-engine-state.h @@ -67,24 +67,6 @@ */ #define DETECT_ENGINE_STATE_FLAG_FILE_NEW BIT_U8(0) -/* We have 2 possible state values to be used by ContinueDetection() while - * trying to figure if we have fresh state to install or not. - * - * For tx based alprotos, we don't need to indicate the below values on a - * per sig basis, but for non-tx based alprotos we do, since we might have - * new alstate coming in, and some sigs might have already matchced in - * de_state and ContinueDetection needs to inform the detection filter that - * it no longer needs to inspect this sig, since ContinueDetection would - * handle it. - * - * Wrt tx based alprotos, if we have a new tx available apart from the one - * currently being inspected(and also added to de_state), we continue with - * the HAS_NEW_STATE flag, while if we don't have a new tx, we set - * NO_NEW_STATE, to avoid getting the sig reinspected for the already - * inspected tx. */ -//#define DE_STATE_MATCH_HAS_NEW_STATE 0x00 -//#define DE_STATE_MATCH_NO_NEW_STATE 0x80 - typedef struct DeStateStoreItem_ { uint32_t flags; SigIntId sid; @@ -134,51 +116,6 @@ DetectEngineState *DetectEngineStateAlloc(void); */ void DetectEngineStateFree(DetectEngineState *state); -/** - * \brief Check if a flow already contains(newly updated as well) de state. - * - * \param f Pointer to the flow. - * \param flags direction - * - * \retval 1 Has state. - * \retval 0 Has no state. - */ -int DeStateFlowHasInspectableState(const Flow *f, const uint8_t flags); - -/** - * \brief Match app layer sig list against app state and store relevant match - * information. - * - * \param tv Pointer to the threadvars. - * \param de_ctx DetectEngineCtx instance. - * \param det_ctx DetectEngineThreadCtx instance. - * \param s Pointer to the signature. - * \param f Pointer to the flow. - * \param flags Flags. - * \param alproto App protocol. - * - * \retval bool true is sig matched, false if it didn't - */ -bool DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, - const Signature *s, Packet *p, Flow *f, - const uint8_t flags, const AppProto alproto); - -/** - * \brief Continue DeState detection of the signatures stored in the state. - * - * \param tv Pointer to the threadvars. - * \param de_ctx DetectEngineCtx instance. - * \param det_ctx DetectEngineThreadCtx instance. - * \param f Pointer to the flow. - * \param flags Flags. - * \param alproto App protocol. - */ -void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, - Packet *p, Flow *f, uint8_t flags, - AppProto alproto); - /** * \brief Update the inspect id. *