From: Victor Julien Date: Tue, 20 Oct 2015 15:49:32 +0000 (+0200) Subject: mpm: cleanup: move mpm funcs into buffer specific files X-Git-Tag: suricata-3.1RC1~324 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6bb2b001a33e542f840dfef0e1b0d01db86f0d15;p=thirdparty%2Fsuricata.git mpm: cleanup: move mpm funcs into buffer specific files
---
diff --git a/src/detect-dns-query.c b/src/detect-dns-query.c
index 55742f8982..63babd8f13 100644
--- a/src/detect-dns-query.c
+++ b/src/detect-dns-query.c
@@ -98,41 +98,6 @@ static int DetectDnsQuerySetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
 return 0;
 }
-/**
- * \brief Run the pattern matcher against the queries
- *
- * \param f locked flow
- * \param dns_state initialized dns state
- *
- * \warning Make sure the flow/state is locked
- * \todo what should we return? Just the fact that we matched?
- */
-uint32_t DetectDnsQueryInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
- DNSState *dns_state, uint8_t flags, void *txv,
- uint64_t tx_id)
-{
- SCEnter();
-
- DNSTransaction *tx = (DNSTransaction *)txv;
- DNSQueryEntry *query = NULL;
- uint8_t *buffer;
- uint16_t buffer_len;
- uint32_t cnt = 0;
-
- TAILQ_FOREACH(query, &tx->query_list, next) {
- SCLogDebug("tx %p query %p", tx, query);
-
- buffer = (uint8_t *)((uint8_t *)query + sizeof(DNSQueryEntry));
- buffer_len = query->len;
-
- cnt += DnsQueryPatternSearch(det_ctx,
- buffer, buffer_len,
- flags);
- }
-
- SCReturnUInt(cnt);
-}
-
 #ifdef UNITTESTS
 /** \test simple google.com query matching */
 static int DetectDnsQueryTest01(void)
diff --git a/src/detect-engine-dns.c b/src/detect-engine-dns.c
index b08681c01e..3efb848f01 100644
--- a/src/detect-engine-dns.c
+++ b/src/detect-engine-dns.c
@@ -44,6 +44,7 @@
 #include "util-unittest.h"
 #include "util-unittest-helper.h"
+#include "util-validate.h"
 /** \brief Do the content inspection & validation for a signature *
@@ -93,6 +94,68 @@ int DetectEngineInspectDnsQueryName(ThreadVars *tv,
 return r;
 }
+/**
+ * \brief DNS query match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param hrh Buffer to inspect.
+ * \param hrh_len buffer length.
+ * \param flags Flags
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t DnsQueryPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *buffer, uint32_t buffer_len,
+ uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret = 0;
+
+ DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_dnsquery_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_dnsquery_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_dnsquery_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, buffer, buffer_len);
+
+ SCReturnUInt(ret);
+}
+
+/**
+ * \brief Run the pattern matcher against the queries
+ *
+ * \param f locked flow
+ * \param dns_state initialized dns state
+ *
+ * \warning Make sure the flow/state is locked
+ * \todo what should we return? Just the fact that we matched?
+ */
+uint32_t DetectDnsQueryInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
+ DNSState *dns_state, uint8_t flags, void *txv,
+ uint64_t tx_id)
+{
+ SCEnter();
+
+ DNSTransaction *tx = (DNSTransaction *)txv;
+ DNSQueryEntry *query = NULL;
+ uint8_t *buffer;
+ uint16_t buffer_len;
+ uint32_t cnt = 0;
+
+ TAILQ_FOREACH(query, &tx->query_list, next) {
+ SCLogDebug("tx %p query %p", tx, query);
+
+ buffer = (uint8_t *)((uint8_t *)query + sizeof(DNSQueryEntry));
+ buffer_len = query->len;
+
+ cnt += DnsQueryPatternSearch(det_ctx,
+ buffer, buffer_len,
+ flags);
+ }
+
+ SCReturnUInt(cnt);
+}
 /** \brief Do the content inspection & validation for a signature *
diff --git a/src/detect-engine-filedata-smtp.c b/src/detect-engine-filedata-smtp.c
index f037dfec7a..8b2f5caead 100644
--- a/src/detect-engine-filedata-smtp.c
+++ b/src/detect-engine-filedata-smtp.c
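Review bot: `DnsQueryPatternSearch` becomes `static` in detect-engine-dns.c, but its prototype is still a context line in this commit's detect-engine-mpm.h hunk, so the header keeps declaring an external function that no longer exists. If detect-engine-dns.c includes that header (its include list is not fully visible here), the `static` definition conflicts with the earlier non-static declaration. Drop `uint32_t DnsQueryPatternSearch(DetectEngineThreadCtx *det_ctx, uint8_t *buffer, uint32_t buffer_len, uint8_t flags);` from the header together with the other removed prototypes. The doc comment also names `\param hrh` / `\param hrh_len` while the parameters are `buffer` / `buffer_len`. The same copy-paste mismatch is in the HttpMethodPatternSearch (`method` vs `raw_method`), HttpRawHeaderPatternSearch (`headers` vs `raw_headers`) and HttpUAPatternSearch (`cookie` vs `ua`) hunks.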
@@ -49,6 +49,8 @@
 #include "app-layer-protos.h"
 #include "app-layer-parser.h"
+#include "util-validate.h"
+
 #include "conf.h"
 #include "conf-yaml-loader.h"
@@ -269,6 +271,34 @@ void DetectEngineCleanSMTPBuffers(DetectEngineThreadCtx *det_ctx)
 return;
 }
+/**
+ * \brief SMTP Filedata match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param buffer Buffer to inspect.
+ * \param buffer_len buffer length.
+ * \param flags Flags
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t SMTPFiledataPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *buffer, uint32_t buffer_len,
+ uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret = 0;
+
+ DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_smtp_filedata_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_smtp_filedata_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_smtp_filedata_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, buffer, buffer_len);
+
+ SCReturnUInt(ret);
+}
+
 int DetectEngineRunSMTPMpm(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Flow *f, SMTPState *smtp_state, uint8_t flags,
diff --git a/src/detect-engine-hcbd.c b/src/detect-engine-hcbd.c
index 09b7980a1c..28ebfe584f 100644
--- a/src/detect-engine-hcbd.c
+++ b/src/detect-engine-hcbd.c
@@ -60,6 +60,8 @@
 #include "conf.h"
 #include "conf-yaml-loader.h"
+#include "util-validate.h"
+
 #define BUFFER_STEP 50
 static inline int HCBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
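Review bot: In `SMTPFiledataPatternSearch` the only guard on `det_ctx->sgh->mpm_smtp_filedata_ctx_ts` is `DEBUG_VALIDATE_BUG_ON(... == NULL)`, and the next statement dereferences the pointer for `->mpm_type`. If that macro expands to nothing outside validation builds (its name suggests so; the definition is not on this page), a production sensor relies entirely on the caller having checked the context before traffic-derived buffers reach this helper. The removed `PacketPatternSearchWithStreamCtx` had a runtime fallback for this case, `if (unlikely(mpm_ctx == NULL)) { SCReturnInt(0); }`. Either add the equivalent here or state the precondition in the doc comment, e.g. `\pre caller has verified sgh->mpm_smtp_filedata_ctx_ts != NULL`. The same applies to the other single-direction helpers this commit makes static (DNS query, client and server body, host, raw host, method, raw URI, stat code, stat msg, user agent) and to both branches of the cookie, header and raw-header helpers.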
@@ -219,6 +221,32 @@ static uint8_t *DetectEngineHCBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
 return buffer;
 }
+/** \brief Http client body pattern match -- searches for one pattern per
+ * signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param body The request body to inspect.
+ * \param body_len Body length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpClientBodyPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *body, uint32_t body_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+
+ DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcbd_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hcbd_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_hcbd_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, body, body_len);
+
+ SCReturnUInt(ret);
+}
+
 int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags,
diff --git a/src/detect-engine-hcd.c b/src/detect-engine-hcd.c
index 5fcfa51fd3..432266e706 100644
--- a/src/detect-engine-hcd.c
+++ b/src/detect-engine-hcd.c
@@ -56,6 +56,39 @@
 #include "app-layer.h"
 #include "app-layer-htp.h"
 #include "app-layer-protos.h"
+#include "util-validate.h"
+
+/**
+ * \brief Http cookie match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param cookie Cookie to inspect.
+ * \param cookie_len Cookie length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *cookie, uint32_t cookie_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+ if (flags & STREAM_TOSERVER) {
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcd_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_hcd_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, cookie, cookie_len);
+ } else {
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcd_ctx_tc == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_tc->mpm_type].
+ Search(det_ctx->sgh->mpm_hcd_ctx_tc, &det_ctx->mtcu,
+ &det_ctx->pmq, cookie, cookie_len);
+ }
+
+ SCReturnUInt(ret);
+}
 int DetectEngineRunHttpCookieMpm(DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags,
diff --git a/src/detect-engine-hhd.c b/src/detect-engine-hhd.c
index 3bec4fd2f2..0656b112af 100644
--- a/src/detect-engine-hhd.c
+++ b/src/detect-engine-hhd.c
@@ -58,6 +58,8 @@
 #include "app-layer-htp.h"
 #include "app-layer-protos.h"
+#include "util-validate.h"
+
 #define BUFFER_STEP 50
 static inline int HHDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
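Review bot: The two branches in `HttpCookiePatternSearch` differ only in which context pointer they use, so the assertion and the three-line `Search` call are written twice. Selecting the context into a local first, as the removed `PacketPatternSearch` did with `const MpmCtx *mpm_ctx`, leaves a single call site to audit. Any `flags` value without `STREAM_TOSERVER` also falls through to the to-client context with no check that `STREAM_TOCLIENT` is actually set. The same shape is repeated in the HttpHeaderPatternSearch and HttpRawHeaderPatternSearch hunks.

```c
static uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *det_ctx,
        uint8_t *cookie, uint32_t cookie_len, uint8_t flags)
{
    /* … unchanged: SCEnter() … */

    /* choose the direction-specific context once */
    const MpmCtx *mpm_ctx = (flags & STREAM_TOSERVER) ?
        det_ctx->sgh->mpm_hcd_ctx_ts : det_ctx->sgh->mpm_hcd_ctx_tc;
    DEBUG_VALIDATE_BUG_ON(mpm_ctx == NULL);

    uint32_t ret = mpm_table[mpm_ctx->mpm_type].
        Search(mpm_ctx, &det_ctx->mtcu, &det_ctx->pmq, cookie, cookie_len);

    /* … unchanged: SCReturnUInt(ret) … */
}
```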
@@ -212,6 +214,38 @@ static uint8_t *DetectEngineHHDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
 return headers_buffer;
 }
+/**
+ * \brief Http header match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param headers Headers to inspect.
+ * \param headers_len Headers length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpHeaderPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *headers, uint32_t headers_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+ if (flags & STREAM_TOSERVER) {
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhd_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_hhd_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, headers, headers_len);
+ } else {
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhd_ctx_tc == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_tc->mpm_type].
+ Search(det_ctx->sgh->mpm_hhd_ctx_tc, &det_ctx->mtcu,
+ &det_ctx->pmq, headers, headers_len);
+ }
+
+ SCReturnUInt(ret);
+}
+
 int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags, void *tx, uint64_t idx)
diff --git a/src/detect-engine-hhhd.c b/src/detect-engine-hhhd.c
index 65aebd070a..0882d16d1a 100644
--- a/src/detect-engine-hhhd.c
+++ b/src/detect-engine-hhhd.c
@@ -58,6 +58,34 @@
 #include "app-layer-protos.h"
 #include "detect-engine-hhhd.h"
+#include "util-validate.h"
+
+/**
+ * \brief Http host header match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param hh Host header to inspect.
+ * \param hh_len Host header buffer length.
+ * \param flags Flags
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpHHPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *hh, uint32_t hh_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+
+ DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhhd_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hhhd_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_hhhd_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, hh, hh_len);
+
+ SCReturnUInt(ret);
+}
 int DetectEngineRunHttpHHMpm(DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags,
diff --git a/src/detect-engine-hmd.c b/src/detect-engine-hmd.c
index 5a4b7d8ad1..f80e279a39 100644
--- a/src/detect-engine-hmd.c
+++ b/src/detect-engine-hmd.c
@@ -56,6 +56,33 @@
 #include "app-layer.h"
 #include "app-layer-htp.h"
 #include "app-layer-protos.h"
+#include "util-validate.h"
+
+/**
+ * \brief Http method match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param method Method to inspect.
+ * \param method_len Method length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpMethodPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *raw_method, uint32_t raw_method_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+
+ DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hmd_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hmd_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_hmd_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, raw_method, raw_method_len);
+
+ SCReturnUInt(ret);
+}
 int DetectEngineRunHttpMethodMpm(DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags,
diff --git a/src/detect-engine-hrhd.c b/src/detect-engine-hrhd.c
index 90cf1d5e90..54618a3df1 100644
--- a/src/detect-engine-hrhd.c
+++ b/src/detect-engine-hrhd.c
@@ -57,6 +57,39 @@
 #include "app-layer-htp.h"
 #include "app-layer-protos.h"
+#include "util-validate.h"
+
+/**
+ * \brief Http raw header match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param headers Raw headers to inspect.
+ * \param headers_len Raw headers length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpRawHeaderPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *raw_headers, uint32_t raw_headers_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+ if (flags & STREAM_TOSERVER) {
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhd_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_hrhd_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, raw_headers, raw_headers_len);
+ } else {
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhd_ctx_tc == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_tc->mpm_type].
+ Search(det_ctx->sgh->mpm_hrhd_ctx_tc, &det_ctx->mtcu,
+ &det_ctx->pmq, raw_headers, raw_headers_len);
+ }
+
+ SCReturnUInt(ret);
+}
 int DetectEngineRunHttpRawHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags,
diff --git a/src/detect-engine-hrhhd.c b/src/detect-engine-hrhhd.c
index f1acf10018..732226c468 100644
--- a/src/detect-engine-hrhhd.c
+++ b/src/detect-engine-hrhhd.c
@@ -58,6 +58,34 @@
 #include "app-layer-protos.h"
 #include "detect-engine-hrhhd.h"
+#include "util-validate.h"
+
+/**
+ * \brief Http raw host header match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param hrh Raw hostname to inspect.
+ * \param hrh_len Raw hostname buffer length.
+ * \param flags Flags
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpHRHPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *hrh, uint32_t hrh_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+
+ DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhhd_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hrhhd_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_hrhhd_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, hrh, hrh_len);
+
+ SCReturnUInt(ret);
+}
 int DetectEngineRunHttpHRHMpm(DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags,
diff --git a/src/detect-engine-hrud.c b/src/detect-engine-hrud.c
index 585c736b6d..4249cccc3a 100644
--- a/src/detect-engine-hrud.c
+++ b/src/detect-engine-hrud.c
@@ -56,6 +56,33 @@
 #include "app-layer-htp.h"
 #include "app-layer-protos.h"
+#include "util-validate.h"
+
+/**
+ * \brief Http raw uri match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param uri Raw uri to inspect.
+ * \param uri_len Raw uri length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *uri, uint32_t uri_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+
+ DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrud_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hrud_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_hrud_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, uri, uri_len);
+
+ SCReturnUInt(ret);
+}
 /** * \brief Run the mpm against raw http uris.
diff --git a/src/detect-engine-hsbd.c b/src/detect-engine-hsbd.c
index 7d52c7d8f6..401296e38d 100644
--- a/src/detect-engine-hsbd.c
+++ b/src/detect-engine-hsbd.c
@@ -62,6 +62,8 @@
 #include "conf.h"
 #include "conf-yaml-loader.h"
+#include "util-validate.h"
+
 #define BUFFER_STEP 50
 static inline int HSBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
@@ -313,6 +315,32 @@ static uint8_t *DetectEngineHSBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
 return buffer;
 }
+/** \brief Http server body pattern match -- searches for one pattern per
+ * signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param body The request body to inspect.
+ * \param body_len Body length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpServerBodyPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *body, uint32_t body_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+
+ DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT));
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hsbd_ctx_tc == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hsbd_ctx_tc->mpm_type].
+ Search(det_ctx->sgh->mpm_hsbd_ctx_tc, &det_ctx->mtcu,
+ &det_ctx->pmq, body, body_len);
+
+ SCReturnUInt(ret);
+}
+
 int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags,
diff --git a/src/detect-engine-hscd.c b/src/detect-engine-hscd.c
index a38562b193..6fd938d184 100644
--- a/src/detect-engine-hscd.c
+++ b/src/detect-engine-hscd.c
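Review bot: The doc comment on `HttpServerBodyPatternSearch` still reads `\param body The request body to inspect.`, but the function treats a missing `STREAM_TOCLIENT` flag as a bug and searches `mpm_hsbd_ctx_tc`, so it inspects the server-to-client body. The line looks copied from the client-body helper. Suggest `\param body The response body to inspect.` and adding `\param flags Stream direction flags; STREAM_TOCLIENT must be set.` so the direction contract is stated next to the now file-local helper.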
@@ -53,6 +53,33 @@
 #include "app-layer.h"
 #include "app-layer-htp.h"
 #include "app-layer-protos.h"
+#include "util-validate.h"
+
+/**
+ * \brief Http stat code match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param stat_code Stat code to inspect.
+ * \param stat_code_len Stat code length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpStatCodePatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *stat_code, uint32_t stat_code_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+
+ DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT));
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hscd_ctx_tc == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hscd_ctx_tc->mpm_type].
+ Search(det_ctx->sgh->mpm_hscd_ctx_tc, &det_ctx->mtcu,
+ &det_ctx->pmq, stat_code, stat_code_len);
+
+ SCReturnUInt(ret);
+}
 /** * \brief Run the mpm against http stat code.
diff --git a/src/detect-engine-hsmd.c b/src/detect-engine-hsmd.c
index 61c8e2e9b5..9017ebfd55 100644
--- a/src/detect-engine-hsmd.c
+++ b/src/detect-engine-hsmd.c
@@ -53,6 +53,33 @@
 #include "app-layer.h"
 #include "app-layer-htp.h"
 #include "app-layer-protos.h"
+#include "util-validate.h"
+
+/**
+ * \brief Http stat msg match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param stat_msg Stat msg to inspect.
+ * \param stat_msg_len Stat msg length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpStatMsgPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *stat_msg, uint32_t stat_msg_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+
+ DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT));
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hsmd_ctx_tc == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hsmd_ctx_tc->mpm_type].
+ Search(det_ctx->sgh->mpm_hsmd_ctx_tc, &det_ctx->mtcu,
+ &det_ctx->pmq, stat_msg, stat_msg_len);
+
+ SCReturnUInt(ret);
+}
 /** * \brief Run the mpm against http stat msg.
diff --git a/src/detect-engine-hua.c b/src/detect-engine-hua.c
index 8cafa423af..27e1383f0f 100644
--- a/src/detect-engine-hua.c
+++ b/src/detect-engine-hua.c
@@ -57,6 +57,33 @@
 #include "app-layer-protos.h"
 #include "detect-engine-hua.h"
+#include "util-validate.h"
+
+/**
+ * \brief Http user agent match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param cookie User-Agent to inspect.
+ * \param cookie_len User-Agent buffer length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpUAPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *ua, uint32_t ua_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+
+ DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_huad_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_huad_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_huad_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, ua, ua_len);
+
+ SCReturnUInt(ret);
+}
 int DetectEngineRunHttpUAMpm(DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags,
diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c
index 9a8a8bd6f9..04f455e38b 100644
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
@@ -55,9 +55,6 @@
 #include "util-debug.h"
 #include "util-print.h"
 #include "util-memcmp.h"
-#ifdef __SC_CUDA_SUPPORT__
-#include "util-mpm-ac.h"
-#endif
 #include "util-validate.h"
 const char *builtin_mpms[] = {
@@ -253,549 +250,6 @@ uint16_t PatternMatchDefaultMatcher(void)
 return mpm_algo_val;
 }
-uint32_t PacketPatternSearchWithStreamCtx(DetectEngineThreadCtx *det_ctx,
- Packet *p)
-{
- SCEnter();
-
- uint32_t ret = 0;
- const MpmCtx *mpm_ctx = NULL;
-
- if (p->flowflags & FLOW_PKT_TOSERVER) {
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_stream_ctx_ts == NULL);
-
- mpm_ctx = det_ctx->sgh->mpm_stream_ctx_ts;
-
- } else {
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_stream_ctx_tc == NULL);
-
- mpm_ctx = det_ctx->sgh->mpm_stream_ctx_tc;
- }
- if (unlikely(mpm_ctx == NULL)) {
- SCReturnInt(0);
- }
-
- ret = mpm_table[mpm_ctx->mpm_type].
- Search(mpm_ctx, &det_ctx->mtc, &det_ctx->pmq,
- p->payload, p->payload_len);
-
- SCReturnInt(ret);
-}
-
-/** \brief Pattern match -- searches for only one pattern per signature.
- *
- * \param det_ctx detection engine thread ctx
- * \param p packet to inspect
- *
- * \retval ret number of matches
- */
-uint32_t PacketPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p)
-{
- SCEnter();
-
- uint32_t ret;
- const MpmCtx *mpm_ctx = NULL;
-
- if (p->proto == IPPROTO_TCP) {
- if (p->flowflags & FLOW_PKT_TOSERVER) {
- mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx_ts;
- } else {
- mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx_tc;
- }
- } else if (p->proto == IPPROTO_UDP) {
- if (p->flowflags & FLOW_PKT_TOSERVER) {
- mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx_ts;
- } else {
- mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx_tc;
- }
- } else {
- mpm_ctx = det_ctx->sgh->mpm_proto_other_ctx;
- }
- if (unlikely(mpm_ctx == NULL))
- SCReturnInt(0);
-
-#ifdef __SC_CUDA_SUPPORT__
- if (p->cuda_pkt_vars.cuda_mpm_enabled && p->pkt_src == PKT_SRC_WIRE) {
- ret = SCACCudaPacketResultsProcessing(p, mpm_ctx, &det_ctx->pmq);
- } else {
- ret = mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
- &det_ctx->mtc,
- &det_ctx->pmq,
- p->payload,
- p->payload_len);
- }
-#else
- ret = mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
- &det_ctx->mtc,
- &det_ctx->pmq,
- p->payload,
- p->payload_len);
-#endif
-
- SCReturnInt(ret);
-}
-
-/** \brief Uri Pattern match -- searches for one pattern per signature.
- *
- * \param det_ctx detection engine thread ctx
- * \param p packet to inspect
- *
- * \retval ret number of matches
- */
-uint32_t UriPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *uri, uint16_t uri_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_uri_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_uri_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_uri_ctx_ts,
- &det_ctx->mtcu, &det_ctx->pmq, uri, uri_len);
-
- //PrintRawDataFp(stdout, uri, uri_len);
-
- SCReturnUInt(ret);
-}
-
-/** \brief Http client body pattern match -- searches for one pattern per
- * signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param body The request body to inspect.
- * \param body_len Body length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpClientBodyPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *body, uint32_t body_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcbd_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hcbd_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_hcbd_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, body, body_len);
-
- SCReturnUInt(ret);
-}
-
-/** \brief Http server body pattern match -- searches for one pattern per
- * signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param body The request body to inspect.
- * \param body_len Body length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpServerBodyPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *body, uint32_t body_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT));
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hsbd_ctx_tc == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hsbd_ctx_tc->mpm_type].
- Search(det_ctx->sgh->mpm_hsbd_ctx_tc, &det_ctx->mtcu,
- &det_ctx->pmq, body, body_len);
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http header match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param headers Headers to inspect.
- * \param headers_len Headers length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpHeaderPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *headers, uint32_t headers_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
- if (flags & STREAM_TOSERVER) {
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhd_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_hhd_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, headers, headers_len);
- } else {
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhd_ctx_tc == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_tc->mpm_type].
- Search(det_ctx->sgh->mpm_hhd_ctx_tc, &det_ctx->mtcu,
- &det_ctx->pmq, headers, headers_len);
- }
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http raw header match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param headers Raw headers to inspect.
- * \param headers_len Raw headers length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpRawHeaderPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *raw_headers, uint32_t raw_headers_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
- if (flags & STREAM_TOSERVER) {
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhd_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_hrhd_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, raw_headers, raw_headers_len);
- } else {
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhd_ctx_tc == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_tc->mpm_type].
- Search(det_ctx->sgh->mpm_hrhd_ctx_tc, &det_ctx->mtcu,
- &det_ctx->pmq, raw_headers, raw_headers_len);
- }
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http method match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param method Method to inspect.
- * \param method_len Method length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpMethodPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *raw_method, uint32_t raw_method_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hmd_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hmd_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_hmd_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, raw_method, raw_method_len);
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http cookie match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param cookie Cookie to inspect.
- * \param cookie_len Cookie length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *cookie, uint32_t cookie_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
- if (flags & STREAM_TOSERVER) {
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcd_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_hcd_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, cookie, cookie_len);
- } else {
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcd_ctx_tc == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_tc->mpm_type].
- Search(det_ctx->sgh->mpm_hcd_ctx_tc, &det_ctx->mtcu,
- &det_ctx->pmq, cookie, cookie_len);
- }
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http raw uri match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param uri Raw uri to inspect.
- * \param uri_len Raw uri length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *uri, uint32_t uri_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrud_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hrud_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_hrud_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, uri, uri_len);
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http stat msg match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param stat_msg Stat msg to inspect.
- * \param stat_msg_len Stat msg length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpStatMsgPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *stat_msg, uint32_t stat_msg_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT));
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hsmd_ctx_tc == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hsmd_ctx_tc->mpm_type].
- Search(det_ctx->sgh->mpm_hsmd_ctx_tc, &det_ctx->mtcu,
- &det_ctx->pmq, stat_msg, stat_msg_len);
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http stat code match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param stat_code Stat code to inspect.
- * \param stat_code_len Stat code length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpStatCodePatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *stat_code, uint32_t stat_code_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT));
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hscd_ctx_tc == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hscd_ctx_tc->mpm_type].
- Search(det_ctx->sgh->mpm_hscd_ctx_tc, &det_ctx->mtcu,
- &det_ctx->pmq, stat_code, stat_code_len);
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http user agent match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param cookie User-Agent to inspect.
- * \param cookie_len User-Agent buffer length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpUAPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *ua, uint32_t ua_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_huad_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_huad_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_huad_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, ua, ua_len);
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http host header match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param hh Host header to inspect.
- * \param hh_len Host header buffer length.
- * \param flags Flags
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpHHPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *hh, uint32_t hh_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhhd_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hhhd_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_hhhd_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, hh, hh_len);
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http raw host header match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param hrh Raw hostname to inspect.
- * \param hrh_len Raw hostname buffer length.
- * \param flags Flags
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpHRHPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *hrh, uint32_t hrh_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhhd_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hrhhd_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_hrhhd_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, hrh, hrh_len);
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief DNS query match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param hrh Buffer to inspect.
- * \param hrh_len buffer length.
- * \param flags Flags
- *
- * \retval ret Number of matches.
- */
-uint32_t DnsQueryPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *buffer, uint32_t buffer_len,
- uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret = 0;
-
- DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_dnsquery_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_dnsquery_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_dnsquery_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, buffer, buffer_len);
-
- SCReturnUInt(ret);
-}
-
-/** \brief Pattern match -- searches for only one pattern per signature.
- * - * \param det_ctx detection engine thread ctx - * \param p packet - * \param smsg stream msg (reassembled stream data) - * \param flags stream flags - * - * \retval ret number of matches - */ -uint32_t StreamPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p, - StreamMsg *smsg, uint8_t flags) -{ - SCEnter(); - - uint32_t ret = 0; - uint8_t cnt = 0; - - //PrintRawDataFp(stdout, smsg->data.data, smsg->data.data_len); - - uint32_t r; - if (flags & STREAM_TOSERVER) { - for ( ; smsg != NULL; smsg = smsg->next) { - r = mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type]. - Search(det_ctx->sgh->mpm_stream_ctx_ts, &det_ctx->mtcs, - &det_ctx->pmq, smsg->data, smsg->data_len); - if (r > 0) { - ret += r; - } - - cnt++; - } - } else { - for ( ; smsg != NULL; smsg = smsg->next) { - r = mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type]. - Search(det_ctx->sgh->mpm_stream_ctx_tc, &det_ctx->mtcs, - &det_ctx->pmq, smsg->data, smsg->data_len); - if (r > 0) { - ret += r; - } - - cnt++; - } - } - - SCReturnInt(ret); -} - -/** - * \brief SMTP Filedata match -- searches for one pattern per signature. - * - * \param det_ctx Detection engine thread ctx. - * \param buffer Buffer to inspect. - * \param buffer_len buffer length. - * \param flags Flags - * - * \retval ret Number of matches. - */ -uint32_t SMTPFiledataPatternSearch(DetectEngineThreadCtx *det_ctx, - uint8_t *buffer, uint32_t buffer_len, - uint8_t flags) -{ - SCEnter(); - - uint32_t ret = 0; - - DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT); - DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_smtp_filedata_ctx_ts == NULL); - - ret = mpm_table[det_ctx->sgh->mpm_smtp_filedata_ctx_ts->mpm_type]. - Search(det_ctx->sgh->mpm_smtp_filedata_ctx_ts, &det_ctx->mtcu, - &det_ctx->pmq, buffer, buffer_len); - - SCReturnUInt(ret); -} - /** \brief cleans up the mpm instance after a match */ void PacketPatternCleanup(ThreadVars *t, DetectEngineThreadCtx *det_ctx) { 
diff --git a/src/detect-engine-mpm.h b/src/detect-engine-mpm.h index de687876a3..4bb7fe31a5 100644 --- a/src/detect-engine-mpm.h +++ b/src/detect-engine-mpm.h @@ -40,22 +40,8 @@ uint16_t PatternMatchDefaultMatcher(void); uint32_t PatternStrength(uint8_t *, uint16_t); uint32_t PacketPatternSearchWithStreamCtx(DetectEngineThreadCtx *, Packet *); uint32_t PacketPatternSearch(DetectEngineThreadCtx *, Packet *); -uint32_t UriPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint16_t, uint8_t); uint32_t StreamPatternSearch(DetectEngineThreadCtx *, Packet *, StreamMsg *, uint8_t); -uint32_t HttpClientBodyPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); -uint32_t HttpServerBodyPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); -uint32_t HttpHeaderPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); -uint32_t HttpRawHeaderPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); -uint32_t HttpMethodPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); -uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); -uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); -uint32_t HttpStatMsgPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); -uint32_t HttpStatCodePatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); -uint32_t HttpUAPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); -uint32_t HttpHHPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); -uint32_t HttpHRHPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); uint32_t DnsQueryPatternSearch(DetectEngineThreadCtx *det_ctx, uint8_t *buffer, uint32_t buffer_len, uint8_t flags); -uint32_t SMTPFiledataPatternSearch(DetectEngineThreadCtx *det_ctx, uint8_t *buffer, uint32_t buffer_len, uint8_t flags); void PacketPatternCleanup(ThreadVars *, DetectEngineThreadCtx *); 
diff --git a/src/detect-engine-payload.c b/src/detect-engine-payload.c
index 9b21085de4..f952deafd0 100644
--- a/src/detect-engine-payload.c
+++ b/src/detect-engine-payload.c
@@ -33,11 +33,145 @@ #include "detect-parse.h" #include "detect-engine-content-inspection.h" +#include "stream.h" + #include "util-debug.h" #include "util-print.h" #include "util-unittest.h" #include "util-unittest-helper.h" +#include "util-validate.h" + +#include "util-mpm-ac.h" + +uint32_t PacketPatternSearchWithStreamCtx(DetectEngineThreadCtx *det_ctx, + Packet *p) +{ + SCEnter(); + + uint32_t ret = 0; + const MpmCtx *mpm_ctx = NULL; + + if (p->flowflags & FLOW_PKT_TOSERVER) { + DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_stream_ctx_ts == NULL); + + mpm_ctx = det_ctx->sgh->mpm_stream_ctx_ts; + + } else { + DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_stream_ctx_tc == NULL); + + mpm_ctx = det_ctx->sgh->mpm_stream_ctx_tc; + } + if (unlikely(mpm_ctx == NULL)) { + SCReturnInt(0); + } + + ret = mpm_table[mpm_ctx->mpm_type]. + Search(mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, + p->payload, p->payload_len); + + SCReturnInt(ret); +} + +/** \brief Pattern match -- searches for only one pattern per signature. + * + * \param det_ctx detection engine thread ctx + * \param p packet + * \param smsg stream msg (reassembled stream data) + * \param flags stream flags + * + * \retval ret number of matches + */ +uint32_t StreamPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p, + StreamMsg *smsg, uint8_t flags) +{ + SCEnter(); + + uint32_t ret = 0; + uint8_t cnt = 0; + + //PrintRawDataFp(stdout, smsg->data.data, smsg->data.data_len); + + uint32_t r; + if (flags & STREAM_TOSERVER) { + for ( ; smsg != NULL; smsg = smsg->next) { + r = mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_stream_ctx_ts, &det_ctx->mtcs, + &det_ctx->pmq, smsg->data, smsg->data_len); + if (r > 0) { + ret += r; + } + + cnt++; + } + } else if (flags & STREAM_TOCLIENT) { + for ( ; smsg != NULL; smsg = smsg->next) { + r = mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type]. 
+ Search(det_ctx->sgh->mpm_stream_ctx_tc, &det_ctx->mtcs, + &det_ctx->pmq, smsg->data, smsg->data_len); + if (r > 0) { + ret += r; + } + + cnt++; + } + } + + SCReturnInt(ret); +} + +/** \brief Pattern match -- searches for only one pattern per signature. + * + * \param det_ctx detection engine thread ctx + * \param p packet to inspect + * + * \retval ret number of matches + */ +uint32_t PacketPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p) +{ + SCEnter(); + + uint32_t ret; + const MpmCtx *mpm_ctx = NULL; + + if (p->proto == IPPROTO_TCP) { + if (p->flowflags & FLOW_PKT_TOSERVER) { + mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx_ts; + } else if (p->flowflags & FLOW_PKT_TOCLIENT) { + mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx_tc; + } + } else if (p->proto == IPPROTO_UDP) { + if (p->flowflags & FLOW_PKT_TOSERVER) { + mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx_ts; + } else if (p->flowflags & FLOW_PKT_TOCLIENT) { + mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx_tc; + } + } else { + mpm_ctx = det_ctx->sgh->mpm_proto_other_ctx; + } + if (unlikely(mpm_ctx == NULL)) + SCReturnInt(0); + +#ifdef __SC_CUDA_SUPPORT__ + if (p->cuda_pkt_vars.cuda_mpm_enabled && p->pkt_src == PKT_SRC_WIRE) { + ret = SCACCudaPacketResultsProcessing(p, mpm_ctx, &det_ctx->pmq); + } else { + ret = mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx, + &det_ctx->mtc, + &det_ctx->pmq, + p->payload, + p->payload_len); + } +#else + ret = mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx, + &det_ctx->mtc, + &det_ctx->pmq, + p->payload, + p->payload_len); +#endif + + SCReturnInt(ret); +} /** * \brief Do the content inspection & validation for a signature diff --git a/src/detect-engine-uri.c b/src/detect-engine-uri.c index 500272150e..f8ace30a3a 100644 --- a/src/detect-engine-uri.c +++ b/src/detect-engine-uri.c 
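Review bot: `StreamPatternSearch` dereferences `det_ctx->sgh->mpm_stream_ctx_ts` and `mpm_stream_ctx_tc` with no NULL guard, while `PacketPatternSearchWithStreamCtx` and `PacketPatternSearch` in the same hunk both return 0 on `unlikely(mpm_ctx == NULL)`. Whether every caller guarantees a stream context for the direction is not visible here, and a NULL dereference in the inspection path would crash the detection thread. The move also changes the second branch from `else` to `else if (flags & STREAM_TOCLIENT)`, so a call with neither direction bit set now returns 0 without searching; the commit message describes a cleanup only and should mention this. In addition, `cnt` is incremented but never read, `if (r > 0)` adds nothing for a `uint32_t`, and the function returns through `SCReturnInt` although it is declared `uint32_t`. Selecting the context once and looping once, as below, covers all of these.

```c
uint32_t StreamPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p,
                             StreamMsg *smsg, uint8_t flags)
{
    SCEnter();

    uint32_t ret = 0;
    const MpmCtx *mpm_ctx = NULL;

    /* pick the per-direction stream ctx once, like the packet searches do */
    if (flags & STREAM_TOSERVER) {
        mpm_ctx = det_ctx->sgh->mpm_stream_ctx_ts;
    } else if (flags & STREAM_TOCLIENT) {
        mpm_ctx = det_ctx->sgh->mpm_stream_ctx_tc;
    }
    if (unlikely(mpm_ctx == NULL)) {
        SCReturnUInt(0);
    }

    for ( ; smsg != NULL; smsg = smsg->next) {
        ret += mpm_table[mpm_ctx->mpm_type].
            Search(mpm_ctx, &det_ctx->mtcs, &det_ctx->pmq,
                   smsg->data, smsg->data_len);
    }

    SCReturnUInt(ret);
}
```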
@@ -47,6 +47,99 @@ #include "app-layer.h" #include "app-layer-htp.h" #include "app-layer-protos.h" +#include "util-validate.h" + +/** \brief Uri Pattern match -- searches for one pattern per signature. + * + * \param det_ctx detection engine thread ctx + * \param p packet to inspect + * + * \retval ret number of matches + */ +static uint32_t UriPatternSearch(DetectEngineThreadCtx *det_ctx, + uint8_t *uri, uint16_t uri_len, uint8_t flags) +{ + SCEnter(); + + uint32_t ret; + + DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT); + DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_uri_ctx_ts == NULL); + + ret = mpm_table[det_ctx->sgh->mpm_uri_ctx_ts->mpm_type]. + Search(det_ctx->sgh->mpm_uri_ctx_ts, + &det_ctx->mtcu, &det_ctx->pmq, uri, uri_len); + + //PrintRawDataFp(stdout, uri, uri_len); + + SCReturnUInt(ret); +} + +/** + * \brief Checks if the content sent as the argument, has a uricontent which + * has been provided in the rule. This match function matches the + * normalized http uri against the given rule using multi pattern + * search algorithms. 
+ * + * \param det_ctx Pointer to the detection engine thread context + * \param content Pointer to the uri content currently being matched + * \param content_len Content_len of the received uri content + * + * \retval 1 if the uri contents match; 0 no match + */ +static inline int DoDetectAppLayerUricontentMatch (DetectEngineThreadCtx *det_ctx, + uint8_t *uri, uint16_t uri_len, uint8_t flags) +{ + int ret = 0; + /* run the pattern matcher against the uri */ + if (det_ctx->sgh->mpm_uricontent_minlen > uri_len) { + SCLogDebug("not searching as uri len is smaller than the " + "shortest uricontent length we need to match"); + } else { + SCLogDebug("search: (%p, minlen %" PRIu32 ", sgh->sig_cnt " + "%" PRIu32 ")", det_ctx->sgh, + det_ctx->sgh->mpm_uricontent_minlen, det_ctx->sgh->sig_cnt); + + ret += UriPatternSearch(det_ctx, uri, uri_len, flags); + + SCLogDebug("post search: cnt %" PRIu32, ret); + } + return ret; +} + +/** + * \brief Run the pattern matcher against the uri(s) + * + * We run against _all_ uri(s) we have as the pattern matcher will + * flag each sig that has a match. We need to do this for all uri(s) + * to not miss possible events. + * + * \param f locked flow + * \param htp_state initialized htp state + * + * \warning Make sure the flow/state is locked + * \todo what should we return? Just the fact that we matched? + */ +uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f, + HtpState *htp_state, uint8_t flags, + void *txv, uint64_t idx) +{ + SCEnter(); + + htp_tx_t *tx = (htp_tx_t *)txv; + HtpTxUserData *tx_ud = htp_tx_get_user_data(tx); + uint32_t cnt = 0; + + if (tx_ud == NULL || tx_ud->request_uri_normalized == NULL) + goto end; + cnt = DoDetectAppLayerUricontentMatch(det_ctx, (uint8_t *) + bstr_ptr(tx_ud->request_uri_normalized), + bstr_len(tx_ud->request_uri_normalized), + flags); + +end: + SCReturnUInt(cnt); +} /** * \brief Do the content inspection & validation for a signature 
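Review bot: `DoDetectAppLayerUricontentMatch` and `UriPatternSearch` take `uint16_t uri_len`, but `DetectUricontentInspectMpm` passes `bstr_len(tx_ud->request_uri_normalized)` (a `size_t` in libhtp). A normalized URI longer than 65535 bytes is therefore narrowed silently: both the `mpm_uricontent_minlen` comparison and the search see a wrapped length, and the rest of the buffer is not prefiltered. Both helpers are `static` in this file now, so widening is a local change: `uint8_t *uri, uint32_t uri_len, uint8_t flags`, matching the `uint32_t` lengths of the other per-buffer searches in this commit. The width of the `Search` callback's length argument is not visible here and should be checked as well. Separately, the `UriPatternSearch` doc block still says `\param p packet to inspect`; it should describe `uri`, `uri_len` and `flags` instead.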
diff --git a/src/detect-uricontent.c b/src/detect-uricontent.c
index dbc30cb627..b6927d205b 100644
--- a/src/detect-uricontent.c
+++ b/src/detect-uricontent.c
@@ -190,72 +190,6 @@ error: SCReturnInt(-1); } -/** - * \brief Checks if the content sent as the argument, has a uricontent which - * has been provided in the rule. This match function matches the - * normalized http uri against the given rule using multi pattern - * search algorithms. - * - * \param det_ctx Pointer to the detection engine thread context - * \param content Pointer to the uri content currently being matched - * \param content_len Content_len of the received uri content - * - * \retval 1 if the uri contents match; 0 no match - */ -static inline int DoDetectAppLayerUricontentMatch (DetectEngineThreadCtx *det_ctx, - uint8_t *uri, uint16_t uri_len, uint8_t flags) -{ - int ret = 0; - /* run the pattern matcher against the uri */ - if (det_ctx->sgh->mpm_uricontent_minlen > uri_len) { - SCLogDebug("not searching as uri len is smaller than the " - "shortest uricontent length we need to match"); - } else { - SCLogDebug("search: (%p, minlen %" PRIu32 ", sgh->sig_cnt " - "%" PRIu32 ")", det_ctx->sgh, - det_ctx->sgh->mpm_uricontent_minlen, det_ctx->sgh->sig_cnt); - - ret += UriPatternSearch(det_ctx, uri, uri_len, flags); - - SCLogDebug("post search: cnt %" PRIu32, ret); - } - return ret; -} - -/** - * \brief Run the pattern matcher against the uri(s) - * - * We run against _all_ uri(s) we have as the pattern matcher will - * flag each sig that has a match. We need to do this for all uri(s) - * to not miss possible events. - * - * \param f locked flow - * \param htp_state initialized htp state - * - * \warning Make sure the flow/state is locked - * \todo what should we return? Just the fact that we matched? 
- */ -uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f, - HtpState *htp_state, uint8_t flags, - void *txv, uint64_t idx) -{ - SCEnter(); - - htp_tx_t *tx = (htp_tx_t *)txv; - HtpTxUserData *tx_ud = htp_tx_get_user_data(tx); - uint32_t cnt = 0; - - if (tx_ud == NULL || tx_ud->request_uri_normalized == NULL) - goto end; - cnt = DoDetectAppLayerUricontentMatch(det_ctx, (uint8_t *) - bstr_ptr(tx_ud->request_uri_normalized), - bstr_len(tx_ud->request_uri_normalized), - flags); - -end: - SCReturnUInt(cnt); -} - /* * UNITTTESTS */