From: Victor Julien Date: Thu, 9 Aug 2018 13:32:49 +0000 (+0200) Subject: detect: limit flush logic to sigs that need it X-Git-Tag: suricata-4.1.0-rc2~138 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=35c5ae34589804768b75c9d04e715317f89c3447;p=thirdparty%2Fsuricata.git detect: limit flush logic to sigs that need it Limit the early 'flush' logic to sigs that actually need to match on both stream and http bodies. --- diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c index 364fcd26e1..f11e4f47df 100644 --- a/src/detect-engine-analyzer.c +++ b/src/detect-engine-analyzer.c @@ -610,6 +610,9 @@ void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s) if (s->flags & SIG_FLAG_MPM_NEG) { json_array_append_new(js_flags, json_string("negated_mpm")); } + if (s->flags & SIG_FLAG_FLUSH) { + json_array_append_new(js_flags, json_string("flush")); + } if (s->flags & SIG_FLAG_REQUIRE_FLOWVAR) { json_array_append_new(js_flags, json_string("need_flowvar")); } diff --git a/src/detect-engine.c b/src/detect-engine.c index 2fcb282ced..8cf351ba92 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -488,6 +488,10 @@ next: AppendStreamInspectEngine(s, stream, 0, last_id + 1); AppendStreamInspectEngine(s, stream, 1, last_id + 1); } + + if (s->init_data->init_flags & SIG_FLAG_INIT_NEED_FLUSH) { + s->flags |= SIG_FLAG_FLUSH; + } } #ifdef DEBUG diff --git a/src/detect-file-data.c b/src/detect-file-data.c index 3bd7a4c15a..c429235c0c 100644 --- a/src/detect-file-data.c +++ b/src/detect-file-data.c @@ -182,6 +182,10 @@ static void DetectFiledataSetupCallback(const DetectEngineCtx *de_ctx, AppLayerHtpEnableRequestBodyCallback(); } + + /* server body needs to be inspected in sync with stream if possible */ + s->init_data->init_flags |= SIG_FLAG_INIT_NEED_FLUSH; + SCLogDebug("callback invoked by %u", s->id); } diff --git a/src/detect-http-client-body.c b/src/detect-http-client-body.c index 8cb84325eb..0becb07ab8 100644 
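Review bot: The new gate in detect-engine.c sets SIG_FLAG_FLUSH for every signature whose setup callback raised SIG_FLAG_INIT_NEED_FLUSH, which per the other hunks is any sig using `http_client_body` or `file_data`, while the commit message says the flush logic is meant only for sigs that must match on both the stream and an HTTP body. If that narrower intent is what is wanted, the condition should additionally require that the signature also carries a payload/stream content match; as written nothing in the hunk checks for one, so body-only sigs keep receiving the flush notification. Either way the assignment deserves a why-comment, e.g. `/* body-inspecting sigs must see STREAM_FLUSH so body and stream matching stay in sync; see DetectRunTxInspectRule */`. The enclosing function starts before this hunk, so I cannot tell whether an earlier branch already filters these sigs.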
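Review bot: In DetectFiledataSetupCallback the new `s->init_data->init_flags |= SIG_FLAG_INIT_NEED_FLUSH;` sits after the closing brace of the conditional that calls AppLayerHtpEnableRequestBodyCallback(), so the flag is raised even when that condition is false. The commit frames the flush logic as an HTTP-body concern; if `file_data` can also be attached to non-HTTP signatures in this tree, those sigs would now get SIG_FLAG_FLUSH without needing it, partly undoing the "limit" the commit aims for. Consider moving the assignment inside that branch, or guarding it with the same test, and saying why in the comment: `/* HTTP body is inspected in sync with the stream, so this sig needs flush notifications */`. The start of the function is outside the hunk, so the exact condition above cannot be confirmed from here.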
--- a/src/detect-http-client-body.c +++ b/src/detect-http-client-body.c @@ -101,6 +101,9 @@ static void DetectHttpClientBodySetupCallback(const DetectEngineCtx *de_ctx, { SCLogDebug("callback invoked by %u", s->id); AppLayerHtpEnableRequestBodyCallback(); + + /* client body needs to be inspected in sync with stream if possible */ + s->init_data->init_flags |= SIG_FLAG_INIT_NEED_FLUSH; } /** diff --git a/src/detect.c b/src/detect.c index 205da3ecf1..39b395728f 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1141,7 +1141,7 @@ static bool DetectRunTxInspectRule(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p, Flow *f, - const uint8_t flow_flags, // direction, EOF, etc + const uint8_t in_flow_flags, // direction, EOF, etc void *alstate, DetectTransaction *tx, const Signature *s, @@ -1149,6 +1149,7 @@ static bool DetectRunTxInspectRule(ThreadVars *tv, RuleMatchCandidateTx *can, DetectRunScratchpad *scratch) { + uint8_t flow_flags = in_flow_flags; const int direction = (flow_flags & STREAM_TOSERVER) ? 0 : 1; uint32_t inspect_flags = stored_flags ? *stored_flags : 0; int total_matches = 0; @@ -1157,6 +1158,10 @@ static bool DetectRunTxInspectRule(ThreadVars *tv, bool mpm_before_progress = false; // is mpm engine before progress? bool mpm_in_progress = false; // is mpm engine in a buffer we will revisit? + /* see if we want to pass on the FLUSH flag */ + if ((s->flags & SIG_FLAG_FLUSH) == 0) + flow_flags &=~ STREAM_FLUSH; + TRACE_SID_TXS(s->id, tx, "starting %s", direction ? "toclient" : "toserver"); /* for a new inspection we inspect pkt header and packet matches */ diff --git a/src/detect.h b/src/detect.h index 270dae4a7d..a08d26d4c2 100644 --- a/src/detect.h +++ b/src/detect.h 
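Review bot: `flow_flags &=~ STREAM_FLUSH;` in DetectRunTxInspectRule should be spelled `flow_flags &= ~STREAM_FLUSH;` — the `&=~` spacing reads like a single operator and is easy to misread as something other than a bit clear. The comment above it says what the line does but not why; I would make it `/* STREAM_FLUSH is only meaningful to sigs that need body/stream sync (SIG_FLAG_FLUSH); strip it for all others */`, which is what the SIG_FLAG_FLUSH definition documents. Clearing the bit after `direction` is derived from the copied flags looks fine, since direction only reads STREAM_TOSERVER. The function continues past the hunk.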
@@ -229,6 +229,8 @@ typedef struct DetectPort_ { #define SIG_FLAG_MPM_NEG (1<<11) +#define SIG_FLAG_FLUSH (1<<12) /**< detection logic needs stream flush notification */ + #define SIG_FLAG_REQUIRE_FLOWVAR (1<<17) /**< signature can only match if a flowbit, flowvar or flowint is available. */ #define SIG_FLAG_FILESTORE (1<<18) /**< signature has filestore keyword */ @@ -260,6 +262,7 @@ typedef struct DetectPort_ { #define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN (1<<4) /** < signature has seen the first ip_proto keyword */ #define SIG_FLAG_INIT_HAS_TRANSFORM (1<<5) #define SIG_FLAG_INIT_STATE_MATCH (1<<6) /**< signature has matches that require stateful inspection */ +#define SIG_FLAG_INIT_NEED_FLUSH (1<<7) /* signature mask flags */ #define SIG_MASK_REQUIRE_PAYLOAD (1<<0)
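Review bot: `SIG_FLAG_INIT_NEED_FLUSH (1<<7)` is the only entry in the init-flag list without a `/**< */` comment, while the neighbouring flags each document their meaning. Suggest `/**< signature inspects an HTTP body and must see stream flush notifications; copied to SIG_FLAG_FLUSH at setup */`, which matches the two setup callbacks and the detect-engine.c hunk that promotes it. SIG_FLAG_FLUSH itself takes bit 12 in the gap between bits 11 and 17; that is fine if no other code claims it, but the gap suggests retired bits and is worth a quick check outside this diff.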