From: Victor Julien Date: Thu, 8 Dec 2016 10:05:51 +0000 (+0100) Subject: http_user_agent: dynamic buffer X-Git-Tag: suricata-4.0.0-beta1~391 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=54604c7bf29cad212283157250bdd5e4723d492d;p=thirdparty%2Fsuricata.git http_user_agent: dynamic buffer --- diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c index 19f153b03f..af9b049c9a 100644 --- a/src/detect-engine-analyzer.c +++ b/src/detect-engine-analyzer.c @@ -126,8 +126,6 @@ void EngineAnalysisFP(Signature *s, char *line) fprintf(fp_engine_analysis_FD, "http stat code content\n"); else if (list_type == DETECT_SM_LIST_HSMDMATCH) fprintf(fp_engine_analysis_FD, "http stat msg content\n"); - else if (list_type == DETECT_SM_LIST_HUADMATCH) - fprintf(fp_engine_analysis_FD, "http user agent content\n"); else { const char *desc = DetectBufferTypeGetDescriptionById(list_type); const char *name = DetectBufferTypeGetNameById(list_type); @@ -476,8 +474,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s) fprintf(rule_engine_analysis_FD, "http stat code content"); else if (list_type == DETECT_SM_LIST_HSMDMATCH) fprintf(rule_engine_analysis_FD, "http stat msg content"); - else if (list_type == DETECT_SM_LIST_HUADMATCH) - fprintf(rule_engine_analysis_FD, "http user agent content"); else if (list_type == DETECT_SM_LIST_DNSQUERYNAME_MATCH) fprintf(rule_engine_analysis_FD, "dns query name content"); else if (list_type == DETECT_SM_LIST_TLSSNI_MATCH) @@ -580,6 +576,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) const int filedata_id = DetectBufferTypeGetByName("file_data"); const int httpmethod_id = DetectBufferTypeGetByName("http_method"); const int httpuri_id = DetectBufferTypeGetByName("http_uri"); + const int httpuseragent_id = DetectBufferTypeGetByName("http_user_agent"); if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) { rule_bidirectional = 1; 
@@ -653,7 +650,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) raw_http_buf += 1; http_stat_code_buf += 1; } - else if (list_id == DETECT_SM_LIST_HUADMATCH) { + else if (list_id == httpuseragent_id) { rule_pcre_http += 1; norm_http_buf += 1; http_ua_buf += 1; diff --git a/src/detect-engine.c b/src/detect-engine.c index db0e9b1a21..113ad1f692 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -2816,8 +2816,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type) return "http raw host header"; case DETECT_SM_LIST_HCDMATCH: return "http cookie"; - case DETECT_SM_LIST_HUADMATCH: - return "http user-agent"; case DETECT_SM_LIST_APP_EVENT: return "app layer events"; diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index 239c0bc8b1..42589e13b3 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c @@ -324,6 +324,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a static int g_file_data_buffer_id = 0; static int g_http_method_buffer_id = 0; static int g_http_uri_buffer_id = 0; +static int g_http_ua_buffer_id = 0; /** * \test Checks if a fast_pattern is registered in a Signature @@ -15238,7 +15239,7 @@ int DetectFastPatternTest548(void) "content:\"three\"; http_user_agent; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && 
@@ -15277,7 +15278,7 @@ int DetectFastPatternTest549(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_ua_buffer_id]; if (sm != NULL) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { @@ -15314,7 +15315,7 @@ int DetectFastPatternTest550(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_ua_buffer_id]; if (sm != NULL) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { @@ -15345,7 +15346,7 @@ int DetectFastPatternTest551(void) if (de_ctx->sig_list == NULL) goto end; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_ua_buffer_id]; if (sm == NULL) { goto end; } @@ -15381,7 +15382,7 @@ int DetectFastPatternTest552(void) if (de_ctx->sig_list == NULL) goto end; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_ua_buffer_id]; if (sm == NULL) { goto end; } @@ -15626,7 +15627,7 @@ int DetectFastPatternTest562(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && 
@@ -15658,7 +15659,7 @@ int DetectFastPatternTest563(void) "content:\"two\"; fast_pattern:only; http_user_agent; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -15690,7 +15691,7 @@ int DetectFastPatternTest564(void) "content:\"two\"; fast_pattern:only; http_user_agent; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -15722,7 +15723,7 @@ int DetectFastPatternTest565(void) "content:\"two\"; fast_pattern:only; http_user_agent; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && 
@@ -15753,7 +15754,7 @@ int DetectFastPatternTest566(void) "content:\"two\"; http_user_agent; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -15878,7 +15879,7 @@ int DetectFastPatternTest571(void) "content:\"three\"; http_user_agent; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -15910,7 +15911,7 @@ int DetectFastPatternTest572(void) "content:\"three\"; http_user_agent; distance:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -15942,7 +15943,7 @@ int DetectFastPatternTest573(void) "content:\"three\"; http_user_agent; within:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -15974,7 +15975,7 @@ int DetectFastPatternTest574(void) "content:\"three\"; http_user_agent; offset:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -16006,7 +16007,7 @@ int DetectFastPatternTest575(void) "content:\"three\"; http_user_agent; depth:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -16038,7 +16039,7 @@ int DetectFastPatternTest576(void) "content:\"oneonethree\"; fast_pattern:3,4; http_user_agent; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -16070,7 +16071,7 @@ int DetectFastPatternTest577(void) "content:\"oneonethree\"; fast_pattern:3,4; http_user_agent; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -16102,7 +16103,7 @@ int DetectFastPatternTest578(void) "content:\"oneonethree\"; fast_pattern:3,4; http_user_agent; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -16134,7 +16135,7 @@ int DetectFastPatternTest579(void) "content:\"oneonethree\"; fast_pattern:3,4; http_user_agent; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -16241,7 +16242,7 @@ int DetectFastPatternTest583(void) "content:\"three\"; http_user_agent; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -16370,7 +16371,7 @@ int DetectFastPatternTest588(void) "content:\"three\"; http_user_agent; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && 
@@ -18827,6 +18828,7 @@ void DetectFastPatternRegisterTests(void) g_file_data_buffer_id = DetectBufferTypeGetByName("file_data"); g_http_method_buffer_id = DetectBufferTypeGetByName("http_method"); g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri"); + g_http_ua_buffer_id = DetectBufferTypeGetByName("http_user_agent"); UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01); UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02); diff --git a/src/detect-http-ua.c b/src/detect-http-ua.c index c500387cc1..625d287550 100644 --- a/src/detect-http-ua.c +++ b/src/detect-http-ua.c @@ -59,9 +59,11 @@ #include "detect-http-ua.h" #include "detect-engine-hua.h" -int DetectHttpUASetup(DetectEngineCtx *, Signature *, char *); -void DetectHttpUARegisterTests(void); -void DetectHttpUAFree(void *); +static int DetectHttpUASetup(DetectEngineCtx *, Signature *, char *); +static void DetectHttpUARegisterTests(void); +static void DetectHttpUAFree(void *); +static void DetectHttpUASetupCallback(Signature *); +static int g_http_ua_buffer_id = 0; /** * \brief Registers the keyword handlers for the "http_user_agent" keyword. 
@@ -80,15 +82,20 @@ void DetectHttpUARegister(void) sigmatch_table[DETECT_AL_HTTP_USER_AGENT].flags |= SIGMATCH_NOOPT; sigmatch_table[DETECT_AL_HTTP_USER_AGENT].flags |= SIGMATCH_PAYLOAD ; - DetectMpmAppLayerRegister("http_user_agent", SIG_FLAG_TOSERVER, - DETECT_SM_LIST_HUADMATCH, 2, + DetectAppLayerMpmRegister("http_user_agent", SIG_FLAG_TOSERVER, 2, PrefilterTxUARegister); - DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER, - DETECT_SM_LIST_HUADMATCH, + DetectAppLayerInspectEngineRegister2("http_user_agent", + ALPROTO_HTTP, SIG_FLAG_TOSERVER, DetectEngineInspectHttpUA); - return; + DetectBufferTypeSetDescriptionByName("http_user_agent", + "http user agent"); + + DetectBufferTypeRegisterSetupCallback("http_user_agent", + DetectHttpUASetupCallback); + + g_http_ua_buffer_id = DetectBufferTypeGetByName("http_user_agent"); } /** @@ -108,11 +115,17 @@ int DetectHttpUASetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { return DetectEngineContentModifierBufferSetup(de_ctx, s, arg, DETECT_AL_HTTP_USER_AGENT, - DETECT_SM_LIST_HUADMATCH, + g_http_ua_buffer_id, ALPROTO_HTTP, NULL); } +static void DetectHttpUASetupCallback(Signature *s) +{ + SCLogDebug("callback invoked by %u", s->id); + s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; +} + /** * \brief The function to free the http_user_agent data. * 
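Review bot: The id returned by `DetectBufferTypeGetByName("http_user_agent")` is stored in `g_http_ua_buffer_id` at the end of DetectHttpUARegister without a check, and DetectHttpUASetup then passes it on as the list id. The same unchecked lookup feeds `SigMatchAppendSMToList` in DetectLuaSetup (detect-lua.c) and `DetectPcreSetList` in the 'V' case of DetectPcreParse (detect-pcre.c). If the lookup can fail (it presumably returns a negative id for an unknown name; confirm against its definition), that value would be used as an index into the per-signature list arrays. Failing fast at registration, e.g. `BUG_ON(g_http_ua_buffer_id < 0);`, and checking the result before use in the lua and pcre paths would rule that out.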
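Review bot: The new `DetectHttpUASetupCallback` has no doc comment, while the functions around it in this file carry `/** \brief ... */` blocks. This callback is now the place where `SIG_MASK_REQUIRE_HTTP_STATE` is set for http_user_agent, replacing the block removed from SignatureCreateMask in detect.c, so it deserves a line such as `/** \brief Buffer setup callback: flags the signature as requiring HTTP state. */`. Separately, the forward declarations were made `static`, but the definition line of DetectHttpUASetup sits just outside this hunk and appears unchanged; marking the definitions `static` as well would keep declaration and definition consistent.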
@@ -1443,15 +1456,15 @@ int DetectHttpUATest22(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n"); goto end; } DetectContentData *cd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx; DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; - DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; - DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; + DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; + DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx; if (cd1->flags != 0 || memcmp(cd1->content, "one", cd1->content_len) != 0 || cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 || huad1->flags != DETECT_CONTENT_RELATIVE_NEXT || 
@@ -1498,15 +1511,15 @@ int DetectHttpUATest23(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n"); goto end; } DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx; DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; - DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; - DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; + DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; + DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx; if (pd1->flags != 0 || cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 || huad1->flags != DETECT_CONTENT_RELATIVE_NEXT || 
@@ -1552,15 +1565,15 @@ int DetectHttpUATest24(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n"); goto end; } DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx; DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; - DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; - DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; + DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; + DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx; if (pd1->flags != 0 || cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 || huad1->flags != DETECT_CONTENT_RELATIVE_NEXT || 
@@ -1607,15 +1620,15 @@ int DetectHttpUATest25(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n"); goto end; } DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx; DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; - DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; - DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; + DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; + DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx; if (pd1->flags != DETECT_PCRE_RELATIVE_NEXT || cd2->flags != DETECT_CONTENT_DISTANCE || memcmp(cd2->content, "four", cd2->content_len) != 0 || 
@@ -1663,15 +1676,15 @@ int DetectHttpUATest26(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n"); goto end; } DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx; DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; - DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; - DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; + DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; + DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx; if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || cd2->flags != DETECT_CONTENT_DISTANCE || memcmp(cd2->content, "four", cd2->content_len) != 0 || 
@@ -1746,15 +1759,15 @@ int DetectHttpUATest28(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n"); goto end; } DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx; DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; - DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; - DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; + DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; + DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx; if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || cd2->flags != DETECT_CONTENT_DISTANCE || memcmp(cd2->content, "four", cd2->content_len) != 0 || 
@@ -1801,13 +1814,13 @@ int DetectHttpUATest29(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n"); goto end; } - DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; - DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; + DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; + DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx; if (huad1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(huad1->content, "one", huad1->content_len) != 0 || huad2->flags != DETECT_CONTENT_DISTANCE || @@ -1845,13 +1858,13 @@ int DetectHttpUATest30(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n"); goto end; } - DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; - DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; + DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; + DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx; if (huad1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(huad1->content, "one", huad1->content_len) != 0 || huad2->flags != DETECT_CONTENT_WITHIN || 
@@ -1961,21 +1974,21 @@ int DetectHttpUATest34(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n"); goto end; } - if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH] == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->type != DETECT_CONTENT || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->type != DETECT_PCRE) { + if (de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id] == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->type != DETECT_CONTENT || + de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->type != DETECT_PCRE) { goto end; } - DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; - DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; + DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; + DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx; if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || huad2->flags != DETECT_CONTENT_WITHIN || memcmp(huad2->content, "two", huad2->content_len) != 0) { 
@@ -2012,21 +2025,21 @@ int DetectHttpUATest35(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n"); goto end; } - if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH] == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->type != DETECT_PCRE || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->type != DETECT_CONTENT) { + if (de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id] == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->type != DETECT_PCRE || + de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->type != DETECT_CONTENT) { goto end; } - DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; - DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; + DetectContentData *huad1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; + DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx; if (pd2->flags != (DETECT_PCRE_RELATIVE) || huad1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(huad1->content, "two", huad1->content_len) != 0) { 
@@ -2063,21 +2076,21 @@ int DetectHttpUATest36(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HUADMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_ua_buffer_id] == NULL\n"); goto end; } - if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH] == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->type != DETECT_CONTENT || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->type != DETECT_PCRE) { + if (de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id] == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->type != DETECT_CONTENT || + de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->type != DETECT_PCRE) { goto end; } - DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->prev->ctx; - DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]->ctx; + DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->prev->ctx; + DetectContentData *huad2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_ua_buffer_id]->ctx; if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || huad2->flags != DETECT_CONTENT_DISTANCE || memcmp(huad2->content, "two", huad2->content_len) != 0) { diff --git a/src/detect-lua.c b/src/detect-lua.c index 81d9668411..886dfd7f61 100644 --- a/src/detect-lua.c +++ b/src/detect-lua.c 
@@ -1003,9 +1003,10 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRUDMATCH); else if (lua->flags & DATATYPE_HTTP_REQUEST_COOKIE) SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCDMATCH); - else if (lua->flags & DATATYPE_HTTP_REQUEST_UA) - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HUADMATCH); - else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS|DATATYPE_HTTP_RESPONSE_HEADERS)) + else if (lua->flags & DATATYPE_HTTP_REQUEST_UA) { + int list = DetectBufferTypeGetByName("http_user_agent"); + SigMatchAppendSMToList(s, sm, list); + } else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS|DATATYPE_HTTP_RESPONSE_HEADERS)) SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HHDMATCH); else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS_RAW|DATATYPE_HTTP_RESPONSE_HEADERS_RAW)) SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRHDMATCH); diff --git a/src/detect-parse.c b/src/detect-parse.c index 689c21bfcd..11735db18c 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -150,7 +150,6 @@ const char *DetectListToHumanString(int list) CASE_CODE_STRING(DETECT_SM_LIST_HHHDMATCH, "http_host"); CASE_CODE_STRING(DETECT_SM_LIST_HRHHDMATCH, "http_raw_host"); CASE_CODE_STRING(DETECT_SM_LIST_HCDMATCH, "http_cookie"); - CASE_CODE_STRING(DETECT_SM_LIST_HUADMATCH, "http_user_agent"); CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event"); CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer"); CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc"); @@ -190,7 +189,6 @@ const char *DetectListToString(int list) CASE_CODE(DETECT_SM_LIST_HHHDMATCH); CASE_CODE(DETECT_SM_LIST_HRHHDMATCH); CASE_CODE(DETECT_SM_LIST_HCDMATCH); - CASE_CODE(DETECT_SM_LIST_HUADMATCH); CASE_CODE(DETECT_SM_LIST_APP_EVENT); CASE_CODE(DETECT_SM_LIST_AMATCH); CASE_CODE(DETECT_SM_LIST_DMATCH); 
@@ -1428,8 +1426,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) if (fd->flags & FLOW_PKT_TOCLIENT) { /* check for request + from_server/to_client */ if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL || - s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL || - s->init_data->smlists[DETECT_SM_LIST_HUADMATCH] != NULL) { + s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use uricontent " "/http_uri , raw_uri, http_client_body, " "http_method, http_user_agent keywords " @@ -1582,7 +1579,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH] || - s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]) { diff --git a/src/detect-pcre.c b/src/detect-pcre.c index 515ec7096a..302983dc52 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -404,13 +404,15 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr, *sm_list = DetectPcreSetList(*sm_list, list); break; } - case 'V': + case 'V': { if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'V' inconsistent with 'B'"); goto error; } - *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HUADMATCH); + int list = DetectBufferTypeGetByName("http_user_agent"); + *sm_list = DetectPcreSetList(*sm_list, list); break; + } case 'W': if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'W' inconsistent with 'B'"); 
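Review bot: The to_client branch of SigValidate no longer tests the http_user_agent list, yet the SCLogError text right below still names `http_user_agent` (along with `http_uri` and `http_method`) among the keywords it rejects. Unless a generic direction check for dynamic buffers exists outside this hunk, a rule combining `http_user_agent` with `flow:to_client` would now load without error and never match, leaving a silent detection gap for the rule author. Either restore the test with the looked-up id, e.g. `const int ua_id = DetectBufferTypeGetByName("http_user_agent");` plus `(ua_id >= 0 && s->init_data->smlists[ua_id] != NULL)` in the condition, or trim the message to the keywords still checked and note where the direction check now lives. The function body continues outside the hunk.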
@@ -678,8 +680,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
 parsed_sm_list == DETECT_SM_LIST_HHHDMATCH ||
 parsed_sm_list == DETECT_SM_LIST_HRHHDMATCH ||
 // parsed_sm_list == DETECT_SM_LIST_HMDMATCH ||
- parsed_sm_list == DETECT_SM_LIST_HCDMATCH ||
- parsed_sm_list == DETECT_SM_LIST_HUADMATCH)
+ parsed_sm_list == DETECT_SM_LIST_HCDMATCH)
 {
 if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
 SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
@@ -717,7 +718,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
 case DETECT_SM_LIST_HSMDMATCH:
 case DETECT_SM_LIST_HSCDMATCH:
 case DETECT_SM_LIST_HCDMATCH:
- case DETECT_SM_LIST_HUADMATCH:
 s->flags |= SIG_FLAG_APPLAYER;
 s->alproto = ALPROTO_HTTP;
 sm_list = parsed_sm_list;
diff --git a/src/detect.c b/src/detect.c
index b4247cc4df..1a53d399c4 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1933,9 +1933,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
 if (s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL)
 return 0;
 
- if (s->init_data->smlists[DETECT_SM_LIST_HUADMATCH] != NULL)
- return 0;
-
 if (s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH] != NULL)
 return 0;
 
@@ -2035,9 +2032,6 @@ static int SignatureIsPDOnly(const Signature *s)
 if (s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL)
 return 0;
 
- if (s->init_data->smlists[DETECT_SM_LIST_HUADMATCH] != NULL)
- return 0;
-
 if (s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH] != NULL)
 return 0;
 
@@ -2151,7 +2145,6 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s)
 s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
 s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL ||
 s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
- s->init_data->smlists[DETECT_SM_LIST_HUADMATCH] != NULL ||
 s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH] != NULL ||
 s->init_data->smlists[DETECT_SM_LIST_HRHHDMATCH] != NULL)
 {
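Review bot: With `DETECT_SM_LIST_HUADMATCH` dropped from this condition and from the `switch` in the next hunk (-717), a pcre using the `V` modifier no longer reaches the visible `s->alproto` conflict check or the `s->flags |= SIG_FLAG_APPLAYER; s->alproto = ALPROTO_HTTP;` assignment. Unless the path taken for dynamic list ids does the same (DetectPcreSetup continues outside both hunks), such a rule could be accepted on a non-HTTP signature or be left without an app-layer protocol. A comment at the condition would make the intent checkable, e.g. `/* http_user_agent is a dynamic buffer; alproto is handled in <function to confirm> */`. The same question applies to the checks removed from SignatureIsIPOnly, SignatureIsPDOnly, SignatureIsDEOnly and SignatureCreateMask in src/detect.c: if those functions have no generic test for dynamic lists, a signature whose only match is on the user agent could be classified as IP-only or lose `SIG_MASK_REQUIRE_HTTP_STATE`.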
@@ -2341,11 +2334,6 @@ static int SignatureCreateMask(Signature *s)
 SCLogDebug("sig requires http app state");
 }
 
- if (s->init_data->smlists[DETECT_SM_LIST_HUADMATCH] != NULL) {
- s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
- SCLogDebug("sig requires http app state");
- }
-
 if (s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH] != NULL) {
 s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
 SCLogDebug("sig requires http app state");
diff --git a/src/detect.h b/src/detect.h
index 7a47d367ce..e9190b539e 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -133,8 +133,6 @@ enum DetectSigmatchListEnum {
 DETECT_SM_LIST_HRHHDMATCH,
 /* list for http_cookie keyword and the ones relative to it */
 DETECT_SM_LIST_HCDMATCH,
- /* list for http_user_agent keyword and the ones relative to it */
- DETECT_SM_LIST_HUADMATCH,
 /* app event engine sm list */
 DETECT_SM_LIST_APP_EVENT,