From: Victor Julien Date: Wed, 14 Dec 2016 11:39:13 +0000 (+0100) Subject: detect: remove hardcoded sm_list logic from setup X-Git-Tag: suricata-4.0.0-beta1~397 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=779d40cedf6657ab7e0ba63f660fdc68f85e0b4f;p=thirdparty%2Fsuricata.git detect: remove hardcoded sm_list logic from setup Introduce utility functions to aid this. --- diff --git a/src/detect-app-layer-protocol.c b/src/detect-app-layer-protocol.c index c28f5867b6..7e4560ffac 100644 --- a/src/detect-app-layer-protocol.c +++ b/src/detect-app-layer-protocol.c @@ -165,7 +165,7 @@ static int DetectAppLayerProtocolSetup(DetectEngineCtx *de_ctx, if (data == NULL) goto error; - SigMatch *tsm = s->sm_lists[DETECT_SM_LIST_MATCH]; + SigMatch *tsm = s->init_data->smlists[DETECT_SM_LIST_MATCH]; for ( ; tsm != NULL; tsm = tsm->next) { if (tsm->type == DETECT_AL_APP_LAYER_PROTOCOL) { const DetectAppLayerProtocolData *them = (const DetectAppLayerProtocolData *)tsm->ctx; diff --git a/src/detect-base64-data.c b/src/detect-base64-data.c index 2eb4442a91..7b1be1f137 100644 --- a/src/detect-base64-data.c +++ b/src/detect-base64-data.c @@ -17,6 +17,7 @@ #include "suricata-common.h" #include "detect.h" +#include "detect-engine.h" #include "detect-engine-content-inspection.h" #include "detect-parse.h" @@ -45,21 +46,7 @@ static int DetectBase64DataSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *pm = NULL; /* Check for a preceding base64_decode. */ - pm = SigMatchGetLastSMFromLists(s, 28, - DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_BASE64_DECODE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]); + pm = DetectGetLastSMFromLists(s, DETECT_BASE64_DECODE, -1); if (pm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "\"base64_data\" keyword seen without preceding base64_decode."); diff --git a/src/detect-base64-decode.c b/src/detect-base64-decode.c index 3d0254efe2..83dfd64139 100644 --- a/src/detect-base64-decode.c +++ b/src/detect-base64-decode.c @@ -203,92 +203,10 @@ static int DetectBase64DecodeSetup(DetectEngineCtx *de_ctx, Signature *s, #endif } else { - /* Copied from detect-isdataat.c. */ - pm = SigMatchGetLastSMFromLists(s, 168, - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]); + pm = DetectGetLastSMFromLists(s, + DETECT_CONTENT, DETECT_PCRE, + DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT, + DETECT_ISDATAAT, -1); if (pm == NULL) { sm_list = DETECT_SM_LIST_PMATCH; } diff --git a/src/detect-byte-extract.c b/src/detect-byte-extract.c index 170f4b8bb6..06f39e5c74 100644 --- a/src/detect-byte-extract.c +++ b/src/detect-byte-extract.c @@ -531,19 +531,13 @@ static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *a sm_list = s->init_data->list; s->flags |= SIG_FLAG_APPLAYER; if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) { - prev_pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->init_data->smlists_tail[sm_list], - DETECT_PCRE, s->init_data->smlists_tail[sm_list]); + prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1); } } else if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) { if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) { - prev_pm = SigMatchGetLastSMFromLists(s, 12, - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]); + prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, + DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT, + DETECT_ISDATAAT, -1); if (prev_pm == NULL) { sm_list = DETECT_SM_LIST_PMATCH; } else { @@ -559,96 +553,10 @@ static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *a s->flags |= SIG_FLAG_APPLAYER; } else if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) { - prev_pm = SigMatchGetLastSMFromLists(s, 168, - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]); + prev_pm = DetectGetLastSMFromLists(s, + DETECT_CONTENT, DETECT_PCRE, + DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT, + DETECT_ISDATAAT, -1); if (prev_pm == NULL) { sm_list = DETECT_SM_LIST_PMATCH; } else { @@ -680,8 +588,8 @@ static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *a } } - SigMatch *prev_bed_sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[sm_list]); + SigMatch *prev_bed_sm = DetectGetLastSMByListId(s, sm_list, + DETECT_BYTE_EXTRACT, -1); if (prev_bed_sm == NULL) data->local_id = 0; else @@ -749,8 +657,9 @@ SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s) { DetectByteExtractData *bed = NULL; int list; + const int nlists = DetectBufferTypeMaxId(); - for (list = 0; list < DETECT_SM_LIST_MAX; list++) { + for (list = 0; list < nlists; list++) { SigMatch *sm = s->init_data->smlists[list]; while (sm != NULL) { if (sm->type == DETECT_BYTE_EXTRACT) { diff --git a/src/detect-bytejump.c b/src/detect-bytejump.c index 1511811500..4eb362b0b9 100644 --- a/src/detect-bytejump.c +++ b/src/detect-bytejump.c @@ -530,20 +530,14 @@ static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts sm_list = s->init_data->list; s->flags |= SIG_FLAG_APPLAYER; if (data->flags & DETECT_BYTEJUMP_RELATIVE) { - prev_pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->init_data->smlists_tail[sm_list], - DETECT_PCRE, s->init_data->smlists_tail[sm_list]); - + prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1); } } else if (data->flags & DETECT_BYTEJUMP_DCE) { if (data->flags & DETECT_BYTEJUMP_RELATIVE) { - prev_pm = SigMatchGetLastSMFromLists(s, 12, - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]); + prev_pm = DetectGetLastSMFromLists(s, + DETECT_CONTENT, DETECT_PCRE, + DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT, + DETECT_ISDATAAT, -1); if (prev_pm == NULL) { sm_list = DETECT_SM_LIST_PMATCH; } else { @@ -559,96 +553,10 @@ static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts s->flags |= SIG_FLAG_APPLAYER; } else if (data->flags & DETECT_BYTEJUMP_RELATIVE) { - prev_pm = SigMatchGetLastSMFromLists(s, 168, - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]); + prev_pm = DetectGetLastSMFromLists(s, + DETECT_CONTENT, DETECT_PCRE, + DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT, + DETECT_ISDATAAT, -1); if (prev_pm == NULL) { sm_list = DETECT_SM_LIST_PMATCH; } else { diff --git a/src/detect-bytetest.c b/src/detect-bytetest.c index 5c23e3f762..15938a0c41 100644 --- a/src/detect-bytetest.c +++ b/src/detect-bytetest.c @@ -457,20 +457,15 @@ static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts sm_list = s->init_data->list; s->flags |= SIG_FLAG_APPLAYER; if (data->flags & DETECT_BYTETEST_RELATIVE) { - prev_pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->init_data->smlists_tail[sm_list], - DETECT_PCRE, s->init_data->smlists_tail[sm_list]); + prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1); } } else if (data->flags & DETECT_BYTETEST_DCE) { if (data->flags & DETECT_BYTETEST_RELATIVE) { - prev_pm = SigMatchGetLastSMFromLists(s, 12, - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]); + prev_pm = DetectGetLastSMFromLists(s, + DETECT_CONTENT, DETECT_PCRE, + DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT, + DETECT_ISDATAAT, -1); if (prev_pm == NULL) { sm_list = DETECT_SM_LIST_PMATCH; } else { @@ -486,96 +481,10 @@ static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *opts s->flags |= SIG_FLAG_APPLAYER; } else if (data->flags & DETECT_BYTETEST_RELATIVE) { - prev_pm = SigMatchGetLastSMFromLists(s, 168, - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]); + prev_pm = DetectGetLastSMFromLists(s, + DETECT_CONTENT, DETECT_PCRE, + DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT, + DETECT_ISDATAAT, -1); if (prev_pm == NULL) { sm_list = DETECT_SM_LIST_PMATCH; } else { diff --git a/src/detect-csum.c b/src/detect-csum.c index ed5c17554f..a7e5d9ba4a 100644 --- a/src/detect-csum.c +++ b/src/detect-csum.c @@ -955,13 +955,13 @@ int DetectCsumInvalidArgsTestParse02(void) FAIL_IF_NULL(de_ctx);\ Signature *s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:valid; sid:1;)");\ FAIL_IF_NULL(s);\ - SigMatch *sm = SigMatchGetLastSMFromLists(s, 2, (kwtype), s->sm_lists[DETECT_SM_LIST_MATCH]);\ + SigMatch *sm = DetectGetLastSMFromLists(s, (kwtype), -1);\ FAIL_IF_NULL(sm);\ FAIL_IF_NULL(sm->ctx);\ FAIL_IF_NOT(((DetectCsumData *)sm->ctx)->valid == 1);\ s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:INVALID; sid:2;)");\ FAIL_IF_NULL(s);\ - sm = SigMatchGetLastSMFromLists(s, 2, (kwtype), s->sm_lists[DETECT_SM_LIST_MATCH]);\ + sm = DetectGetLastSMFromLists(s, (kwtype), -1);\ FAIL_IF_NULL(sm);\ FAIL_IF_NULL(sm->ctx);\ FAIL_IF_NOT(((DetectCsumData *)sm->ctx)->valid == 0);\ diff --git a/src/detect-depth.c b/src/detect-depth.c index 056c107d59..a78f8a1b96 100644 --- a/src/detect-depth.c +++ b/src/detect-depth.c @@ -74,25 +74,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths } /* retrive the sm to apply the depth against */ - if (s->init_data->list != DETECT_SM_LIST_NOTSET) { - pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->init_data->smlists_tail[s->init_data->list]); - } else { - pm = SigMatchGetLastSMFromLists(s, 28, - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]); - } + pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, -1); if (pm == NULL) { SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs " "preceding content, uricontent option, http_client_body, " diff --git a/src/detect-detection-filter.c b/src/detect-detection-filter.c index 9048f458e4..f209f6991e 100644 --- a/src/detect-detection-filter.c +++ b/src/detect-detection-filter.c @@ -215,15 +215,13 @@ static int DetectDetectionFilterSetup (DetectEngineCtx *de_ctx, Signature *s, ch SigMatch *tmpm = NULL; /* checks if there's a previous instance of threshold */ - tmpm = SigMatchGetLastSMFromLists(s, 2, - DETECT_THRESHOLD, s->init_data->smlists_tail[DETECT_SM_LIST_MATCH]); + tmpm = DetectGetLastSMFromLists(s, DETECT_THRESHOLD, -1); if (tmpm != NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and \"threshold\" are not allowed in the same rule"); SCReturnInt(-1); } /* checks there's no previous instance of detection_filter */ - tmpm = SigMatchGetLastSMFromLists(s, 2, - DETECT_DETECTION_FILTER, s->init_data->smlists_tail[DETECT_SM_LIST_MATCH]); + tmpm = DetectGetLastSMFromLists(s, DETECT_DETECTION_FILTER, -1); if (tmpm != NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "At most one \"detection_filter\" is allowed per rule"); SCReturnInt(-1); diff --git a/src/detect-distance.c b/src/detect-distance.c index 3eff265ce5..c700675f4a 100644 --- a/src/detect-distance.c +++ b/src/detect-distance.c @@ -80,26 +80,8 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, dubbed = 1; } - /* retrive the sm to apply the depth against */ - if (s->init_data->list != DETECT_SM_LIST_NOTSET) { - pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->init_data->smlists_tail[s->init_data->list]); - } else { - pm = SigMatchGetLastSMFromLists(s, 28, - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]); - } + /* retrieve the sm to apply the distance against */ + pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, -1); if (pm == NULL) { SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "distance needs " "preceding content, uricontent option, http_client_body, " @@ -147,9 +129,8 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, } cd->flags |= DETECT_CONTENT_DISTANCE; - SigMatch *prev_pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, pm->prev, - DETECT_PCRE, pm->prev); + SigMatch *prev_pm = DetectGetLastSMByListPtr(s, pm->prev, + DETECT_CONTENT, DETECT_PCRE, -1); if (prev_pm == NULL) { ret = 0; goto end; diff --git a/src/detect-dsize.c b/src/detect-dsize.c index 2e835ad844..5f7b7575b5 100644 --- a/src/detect-dsize.c +++ b/src/detect-dsize.c @@ -256,9 +256,7 @@ static int DetectDsizeSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr DetectDsizeData *dd = NULL; SigMatch *sm = NULL; - if (SigMatchGetLastSMFromLists(s, 2, - DETECT_DSIZE, - s->init_data->smlists_tail[DETECT_SM_LIST_MATCH]) != NULL) { + if (DetectGetLastSMFromLists(s, DETECT_DSIZE, -1)) { SCLogError(SC_ERR_INVALID_SIGNATURE, "Can't use 2 or more dsizes in " "the same sig. Invalidating signature."); goto error; diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c index 6faf38c66d..16acb2fc4b 100644 --- a/src/detect-engine-analyzer.c +++ b/src/detect-engine-analyzer.c @@ -553,7 +553,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) //uint32_t rule_flowvar = 0; uint32_t rule_content_http = 0; uint32_t rule_content_offset_depth = 0; - uint32_t list_id = 0; + int32_t list_id = 0; uint32_t rule_warning = 0; uint32_t raw_http_buf = 0; uint32_t norm_http_buf = 0; diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index 3cd3471160..073600aa13 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -119,6 +119,17 @@ void DetectMpmAppLayerRegister(const char *name, SupportFastPatternForSigMatchList(sm_list, priority); } +void DetectAppLayerMpmRegister(const char *name, + int direction, int priority, + int (*PrefilterRegister)(SigGroupHead *sgh, MpmCtx *mpm_ctx)) +{ + DetectBufferTypeSupportsMpm(name); + int sm_list = DetectBufferTypeGetByName(name); + BUG_ON(sm_list == -1); + DetectMpmAppLayerRegister(name, direction, sm_list, priority, + PrefilterRegister); +} + void DetectMpmInitializeAppMpms(DetectEngineCtx *de_ctx) { BUG_ON(g_app_mpms_list_cnt == 0); @@ -543,18 +554,20 @@ void RetrieveFPForSig(Signature *s) if (s->init_data->mpm_sm != NULL) return; + const int nlists = DetectBufferTypeMaxId(); + SigMatch *mpm_sm = NULL, *sm = NULL; - int nn_sm_list[DETECT_SM_LIST_MAX]; - int n_sm_list[DETECT_SM_LIST_MAX]; - memset(nn_sm_list, 0, sizeof(nn_sm_list)); - memset(n_sm_list, 0, sizeof(n_sm_list)); + int nn_sm_list[nlists]; + int n_sm_list[nlists]; + memset(nn_sm_list, 0, nlists * sizeof(int)); + memset(n_sm_list, 0, nlists * sizeof(int)); int count_nn_sm_list = 0; int count_n_sm_list = 0; int list_id; /* inspect rule to see if we have the fast_pattern reg to * force using a sig, otherwise keep stats about the patterns */ - for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) { + for (list_id = 0; list_id < nlists; list_id++) { if (s->init_data->smlists[list_id] == NULL) continue; @@ -595,7 +608,9 @@ void RetrieveFPForSig(Signature *s) return; } - int final_sm_list[DETECT_SM_LIST_MAX] = { 0 }; + int final_sm_list[nlists]; + memset(&final_sm_list, 0, (nlists * sizeof(int))); + int count_final_sm_list = 0; int priority; diff --git a/src/detect-engine-mpm.h b/src/detect-engine-mpm.h index 27de064d89..9d53c456a8 100644 --- a/src/detect-engine-mpm.h +++ b/src/detect-engine-mpm.h @@ -93,5 +93,9 @@ void DetectMpmAppLayerRegister(const char *name, int direction, int sm_list, int priority, int (*PrefilterRegister)(SigGroupHead *sgh, MpmCtx *mpm_ctx)); +void DetectAppLayerMpmRegister(const char *name, + int direction, int priority, + int (*PrefilterRegister)(SigGroupHead *sgh, MpmCtx *mpm_ctx)); + #endif /* __DETECT_ENGINE_MPM_H__ */ diff --git a/src/detect-engine.c b/src/detect-engine.c index 85e9b19afc..f899e029db 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -104,9 +104,11 @@ static DetectEngineAppInspectionEngine *g_app_inspect_engines = NULL; void DetectAppLayerInspectEngineRegister(AppProto alproto, uint32_t dir, int32_t sm_list, InspectEngineFuncPtr Callback) { + const int nlists = DetectBufferTypeMaxId(); + if ((alproto >= ALPROTO_FAILED) || (!(dir == SIG_FLAG_TOSERVER || dir == SIG_FLAG_TOCLIENT)) || - (sm_list < DETECT_SM_LIST_MATCH || sm_list >= DETECT_SM_LIST_MAX) || + (sm_list < DETECT_SM_LIST_MATCH || sm_list >= nlists) || (Callback == NULL)) { SCLogError(SC_ERR_INVALID_ARGUMENTS, "Invalid arguments"); @@ -142,13 +144,24 @@ void DetectAppLayerInspectEngineRegister(AppProto alproto, } } +void DetectAppLayerInspectEngineRegister2(const char *name, + AppProto alproto, uint32_t dir, InspectEngineFuncPtr Callback) +{ + DetectBufferTypeRegister(name); + int sm_list = DetectBufferTypeGetByName(name); + BUG_ON(sm_list == -1); + DetectAppLayerInspectEngineRegister(alproto, dir, sm_list, Callback); +} + int DetectEngineAppInspectionEngine2Signature(Signature *s) { - SigMatchData *ptrs[DETECT_SM_LIST_MAX] = { NULL }; + const int nlists = DetectBufferTypeMaxId(); + SigMatchData *ptrs[nlists]; + memset(&ptrs, 0, (nlists * sizeof(SigMatchData *))); /* convert lists to SigMatchData arrays */ int i = 0; - for (i = DETECT_SM_LIST_BUILTIN_MAX; i < DETECT_SM_LIST_MAX; i++) { + for (i = DETECT_SM_LIST_BUILTIN_MAX; i < nlists; i++) { if (s->init_data->smlists[i] == NULL) continue; @@ -215,7 +228,9 @@ next: */ void DetectEngineAppInspectionEngineSignatureFree(Signature *s) { - SigMatchData *ptrs[DETECT_SM_LIST_MAX] = { NULL }; + const int nlists = DetectBufferTypeMaxId(); + SigMatchData *ptrs[nlists]; + memset(&ptrs, 0, (nlists * sizeof(SigMatchData *))); /* free engines and put smd in the array */ DetectEngineAppInspectionEngine *ie = s->app_inspect; @@ -229,7 +244,7 @@ void DetectEngineAppInspectionEngineSignatureFree(Signature *s) /* free the smds */ int i; - for (i = 0; i < DETECT_SM_LIST_MAX; i++) + for (i = 0; i < nlists; i++) { if (ptrs[i] == NULL) continue; diff --git a/src/detect-engine.h b/src/detect-engine.h index c8c51546c9..ada68647a9 100644 --- a/src/detect-engine.h +++ b/src/detect-engine.h @@ -106,6 +106,9 @@ int DetectEngineInspectGenericList(ThreadVars *, const DetectEngineCtx *, void DetectAppLayerInspectEngineRegister(AppProto alproto, uint32_t dir, int32_t sm_list, InspectEngineFuncPtr Callback); +void DetectAppLayerInspectEngineRegister2(const char *name, + AppProto alproto, uint32_t dir, InspectEngineFuncPtr Callback); + int DetectEngineAppInspectionEngine2Signature(Signature *s); void DetectEngineAppInspectionEngineSignatureFree(Signature *s); diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index e844f39d11..9661eee6d2 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c @@ -162,63 +162,27 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a int ov[MAX_SUBSTRINGS]; char arg_substr[128] = ""; DetectContentData *cd = NULL; + const int nlists = DetectBufferTypeMaxId(); - if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL && - s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH] == NULL && - s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH] == NULL && - s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA] == NULL && - s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH] == NULL && - s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] == NULL && - s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH] == NULL && - s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH] == NULL && - s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH] == NULL && - s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH] == NULL && - s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH] == NULL && - s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH] == NULL && - s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH] == NULL && - s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH] == NULL && - s->init_data->smlists_tail[DETECT_SM_LIST_DNSQUERYNAME_MATCH] == NULL && - s->init_data->smlists_tail[DETECT_SM_LIST_TLSSNI_MATCH] == NULL && - s->init_data->smlists_tail[DETECT_SM_LIST_TLSISSUER_MATCH] == NULL && - s->init_data->smlists_tail[DETECT_SM_LIST_TLSSUBJECT_MATCH] == NULL && - s->init_data->smlists_tail[DETECT_SM_LIST_HTTP_REQLINEMATCH] == NULL) { - SCLogWarning(SC_WARN_COMPATIBILITY, "fast_pattern found inside the " - "rule, without a preceding content based keyword. " - "Currently we provide fast_pattern support for content, " - "uricontent, http_client_body, http_server_body, http_header, " - "http_raw_header, http_method, http_cookie, " - "http_raw_uri, http_stat_msg, http_stat_code, " - "http_user_agent, http_host, http_raw_host, " - "http_request_line, dns_query, " - "tls_sni, tls_cert_issuer or tls_cert_subject option"); + SigMatch *pm1 = DetectGetLastSMFromMpmLists(s); + SigMatch *pm2 = DetectGetLastSMFromLists(s, DETECT_CONTENT, -1); + if (pm1 == NULL && pm2 == NULL) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern found inside " + "the rule, without a content context. Please use a " + "content based keyword before using fast_pattern"); return -1; } - SigMatch *pm = SigMatchGetLastSMFromLists(s, 38, - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HTTP_REQLINEMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_DNSQUERYNAME_MATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_TLSSNI_MATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_TLSISSUER_MATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_TLSSUBJECT_MATCH]); - if (pm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern found inside " - "the rule, without a content context. Please use a " - "content based keyword before using fast_pattern"); - return -1; + SigMatch *pm = NULL; + if (pm1 && pm2) { + if (pm1->idx > pm2->idx) + pm = pm1; + else + pm = pm2; + } else if (pm1 && !pm2) { + pm = pm1; + } else { + pm = pm2; } cd = (DetectContentData *)pm->ctx; @@ -242,7 +206,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a } else { /*allow only one content to have fast_pattern modifier*/ int list_id = 0; - for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) { + for (list_id = 0; list_id < nlists; list_id++) { SigMatch *sm = NULL; for (sm = s->init_data->smlists[list_id]; sm != NULL; sm = sm->next) { if (sm->type == DETECT_CONTENT) { diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index 92d69d562c..ad3b16ae79 100644 --- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c @@ -218,101 +218,13 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst sm_list = s->init_data->list; s->flags |= SIG_FLAG_APPLAYER; if (idad->flags & ISDATAAT_RELATIVE) { - prev_pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->init_data->smlists_tail[sm_list], - DETECT_PCRE, s->init_data->smlists_tail[sm_list]); + prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1); } } else if (idad->flags & ISDATAAT_RELATIVE) { - prev_pm = SigMatchGetLastSMFromLists(s, 168, - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_PCRE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_BYTETEST, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_BYTEJUMP, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_BYTE_EXTRACT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH], - - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_ISDATAAT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]); + prev_pm = DetectGetLastSMFromLists(s, + DETECT_CONTENT, DETECT_PCRE, + DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT, + DETECT_ISDATAAT, -1); if (prev_pm == NULL) sm_list = DETECT_SM_LIST_PMATCH; else { diff --git a/src/detect-nocase.c b/src/detect-nocase.c index bec5f8b8eb..18a392ed59 100644 --- a/src/detect-nocase.c +++ b/src/detect-nocase.c @@ -79,37 +79,14 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls goto end; } - /* retrive the sm to apply the depth against */ - if (s->init_data->list != DETECT_SM_LIST_NOTSET) { - pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->init_data->smlists_tail[s->init_data->list]); - } else { - pm = SigMatchGetLastSMFromLists(s, 28, - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]); - } + /* retrive the sm to apply the nocase against */ + pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, -1); if (pm == NULL) { SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "nocase needs " - "preceding content, uricontent option, http_client_body, " - "http_server_body, http_header option, http_raw_header option, " - "http_method option, http_cookie, http_raw_uri, " - "http_stat_msg, http_stat_code, http_user_agent or " - "file_data/dce_stub_data sticky buffer options"); + "preceding content option"); goto end; } - /* verify other conditions. */ DetectContentData *cd = (DetectContentData *)pm->ctx;; diff --git a/src/detect-offset.c b/src/detect-offset.c index d48324757e..b43cca7723 100644 --- a/src/detect-offset.c +++ b/src/detect-offset.c @@ -72,37 +72,14 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr) dubbed = 1; } - /* retrive the sm to apply the depth against */ - if (s->init_data->list != DETECT_SM_LIST_NOTSET) { - pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->init_data->smlists_tail[s->init_data->list]); - } else { - pm = SigMatchGetLastSMFromLists(s, 28, - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]); - } + /* retrive the sm to apply the offset against */ + pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, -1); if (pm == NULL) { SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs " - "preceding content, uricontent option, http_client_body, " - "http_server_body, http_header option, http_raw_header option, " - "http_method option, http_cookie, http_raw_uri, " - "http_stat_msg, http_stat_code, http_user_agent or " - "file_data/dce_stub_data sticky buffer options"); + "preceding content option"); goto end; } - /* verify other conditions */ DetectContentData *cd = (DetectContentData *)pm->ctx; diff --git a/src/detect-parse.c b/src/detect-parse.c index 5731cd5890..cec9022deb 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -75,6 +75,10 @@ static pcre *option_pcre = NULL; static pcre_extra *config_pcre_extra = NULL; static pcre_extra *option_pcre_extra = NULL; +static void SigMatchTransferSigMatchAcrossLists(SigMatch *sm, + SigMatch **src_sm_list, SigMatch **src_sm_list_tail, + SigMatch **dst_sm_list, SigMatch **dst_sm_list_tail); + /** * \brief We use this as data to the hash table DetectEngineCtx->dup_sig_hash_table. */ @@ -220,9 +224,10 @@ const char *DetectListToString(int list) return "unknown"; } -int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg, - uint8_t sm_type, uint8_t sm_list, - AppProto alproto, void (*CustomCallback)(Signature *s)) +int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, + Signature *s, const char *arg, + int sm_type, int sm_list, + AppProto alproto, void (*CustomCallback)(Signature *s)) { SigMatch *sm = NULL; int ret = -1; @@ -240,15 +245,14 @@ int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s sigmatch_table[sm_type].name); goto end; } - /* for now let's hardcode it as http */ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != alproto) { SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting " "alprotos set"); goto end; } - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]); + sm = DetectGetLastSMByListId(s, + DETECT_SM_LIST_PMATCH, DETECT_CONTENT, -1); if (sm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "\"%s\" keyword " "found inside the rule without a content context. " @@ -265,9 +269,8 @@ int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s goto end; } if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { - SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, sm->prev, - DETECT_PCRE, sm->prev); + SigMatch *pm = DetectGetLastSMByListPtr(s, sm->prev, + DETECT_CONTENT, DETECT_PCRE, -1); if (pm != NULL) { if (pm->type == DETECT_CONTENT) { DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; @@ -278,9 +281,8 @@ int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s } } - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->init_data->smlists_tail[sm_list], - DETECT_PCRE, s->init_data->smlists_tail[sm_list]); + pm = DetectGetLastSMByListId(s, sm_list, + DETECT_CONTENT, DETECT_PCRE, -1); if (pm != NULL) { if (pm->type == DETECT_CONTENT) { DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; @@ -296,7 +298,7 @@ int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s s->alproto = alproto; s->flags |= SIG_FLAG_APPLAYER; - /* transfer the sm from the pmatch list to hcbdmatch list */ + /* transfer the sm from the pmatch list to sm_list */ SigMatchTransferSigMatchAcrossLists(sm, &s->init_data->smlists[DETECT_SM_LIST_PMATCH], &s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], @@ -408,7 +410,7 @@ void SigMatchRemoveSMFromList(Signature *s, SigMatch *sm, int sm_list) * * \retval match Pointer to the last SigMatch instance of type 'type'. */ -static SigMatch *SigMatchGetLastSMByType(SigMatch *sm, uint8_t type) +static SigMatch *SigMatchGetLastSMByType(SigMatch *sm, int type) { while (sm != NULL) { if (sm->type == type) { @@ -420,33 +422,139 @@ static SigMatch *SigMatchGetLastSMByType(SigMatch *sm, uint8_t type) return NULL; } +/** \brief get the last SigMatch from lists that support + * MPM. + * \note only supports the lists that are registered through + * DetectBufferTypeSupportsMpm(). + */ +SigMatch *DetectGetLastSMFromMpmLists(const Signature *s) +{ + SigMatch *sm_last = NULL; + SigMatch *sm_new; + int sm_type; + + /* if we have a sticky buffer, use that */ + if (s->init_data->list != DETECT_SM_LIST_NOTSET) { + if (!(DetectBufferTypeSupportsMpmGetById(s->init_data->list))) { + return NULL; + } + + sm_last = DetectGetLastSMByListPtr(s, + s->init_data->smlists_tail[s->init_data->list], + DETECT_CONTENT, -1); + return sm_last; + } + + /* otherwise brute force it */ + const int nlists = DetectBufferTypeMaxId(); + for (sm_type = 0; sm_type < nlists; sm_type++) { + if (!DetectBufferTypeSupportsMpmGetById(sm_type)) + continue; + SigMatch *sm_list = s->init_data->smlists_tail[sm_type]; + sm_new = SigMatchGetLastSMByType(sm_list, DETECT_CONTENT); + if (sm_new == NULL) + continue; + if (sm_last == NULL || sm_new->idx > sm_last->idx) + sm_last = sm_new; + } + + return sm_last; +} + /** * \brief Returns the sm with the largest index (added latest) from the lists * passed to us. * * \retval Pointer to Last sm. */ -SigMatch *SigMatchGetLastSMFromLists(const Signature *s, int args, ...) +SigMatch *DetectGetLastSMFromLists(const Signature *s, ...) { - if (args == 0 || args % 2 != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENTS, "You need to send an even no of args " - "(non zero as well) to this function, since we need a " - "SigMatch list for every SigMatch type(send a map of sm_type " - "and sm_list) sent"); - /* as this is a bug we should abort to ease debugging */ - BUG_ON(1); + SigMatch *sm_last = NULL; + SigMatch *sm_new; + + /* otherwise brute force it */ + const int nlists = DetectBufferTypeMaxId(); + for (int buf_type = 0; buf_type < nlists; buf_type++) { + if (s->init_data->smlists[buf_type] == NULL) + continue; + if (s->init_data->list != DETECT_SM_LIST_NOTSET && + buf_type != s->init_data->list) + continue; + + int sm_type; + va_list ap; + va_start(ap, s); + + for (sm_type = va_arg(ap, int); sm_type != -1; sm_type = va_arg(ap, int)) + { + sm_new = SigMatchGetLastSMByType(s->init_data->smlists_tail[buf_type], sm_type); + if (sm_new == NULL) + continue; + if (sm_last == NULL || sm_new->idx > sm_last->idx) + sm_last = sm_new; + } + va_end(ap); } + return sm_last; +} + +/** + * \brief Returns the sm with the largest index (added last) from the list + * passed to us as a pointer. + * + * \param sm_list pointer to the SigMatch we should look before + * \param va_args list of keyword types terminated by -1 + * + * \retval sm_last to last sm. + */ +SigMatch *DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list, ...) +{ SigMatch *sm_last = NULL; SigMatch *sm_new; - int i; + int sm_type; + + va_list ap; + va_start(ap, sm_list); + + for (sm_type = va_arg(ap, int); sm_type != -1; sm_type = va_arg(ap, int)) + { + sm_new = SigMatchGetLastSMByType(sm_list, sm_type); + if (sm_new == NULL) + continue; + if (sm_last == NULL || sm_new->idx > sm_last->idx) + sm_last = sm_new; + } + + va_end(ap); + + return sm_last; +} + +/** + * \brief Returns the sm with the largest index (added last) from the list + * passed to us as an id. + * + * \param list_id id of the list to be searched + * \param va_args list of keyword types terminated by -1 + * + * \retval sm_last to last sm. + */ +SigMatch *DetectGetLastSMByListId(const Signature *s, int list_id, ...) +{ + SigMatch *sm_last = NULL; + SigMatch *sm_new; + int sm_type; + + SigMatch *sm_list = s->init_data->smlists_tail[list_id]; + if (sm_list == NULL) + return NULL; va_list ap; - va_start(ap, args); + va_start(ap, list_id); - for (i = 0; i < args; i += 2) { - int sm_type = va_arg(ap, int); - SigMatch *sm_list = va_arg(ap, SigMatch *); + for (sm_type = va_arg(ap, int); sm_type != -1; sm_type = va_arg(ap, int)) + { sm_new = SigMatchGetLastSMByType(sm_list, sm_type); if (sm_new == NULL) continue; @@ -462,15 +570,16 @@ SigMatch *SigMatchGetLastSMFromLists(const Signature *s, int args, ...) /** * \brief Returns the sm with the largest index (added latest) from this sig * - * \retval Pointer to Last sm. + * \retval sm_last Pointer to last sm */ -SigMatch *SigMatchGetLastSM(const Signature *s) +SigMatch *DetectGetLastSM(const Signature *s) { + const int nlists = DetectBufferTypeMaxId(); SigMatch *sm_last = NULL; SigMatch *sm_new; int i; - for (i = 0; i < DETECT_SM_LIST_MAX; i ++) { + for (i = 0; i < nlists; i ++) { sm_new = s->init_data->smlists_tail[i]; if (sm_new == NULL) continue; @@ -481,9 +590,9 @@ SigMatch *SigMatchGetLastSM(const Signature *s) return sm_last; } -void SigMatchTransferSigMatchAcrossLists(SigMatch *sm, - SigMatch **src_sm_list, SigMatch **src_sm_list_tail, - SigMatch **dst_sm_list, SigMatch **dst_sm_list_tail) +static void SigMatchTransferSigMatchAcrossLists(SigMatch *sm, + SigMatch **src_sm_list, SigMatch **src_sm_list_tail, + SigMatch **dst_sm_list, SigMatch **dst_sm_list_tail) { /* we won't do any checks for args */ @@ -515,9 +624,10 @@ void SigMatchTransferSigMatchAcrossLists(SigMatch *sm, int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm) { + const int nlists = DetectBufferTypeMaxId(); int list = 0; - for (list = 0; list < DETECT_SM_LIST_MAX; list++) { + for (list = 0; list < nlists; list++) { const SigMatch *sm = s->init_data->smlists[list]; while (sm != NULL) { if (sm == key_sm) @@ -1001,6 +1111,22 @@ Signature *SigAlloc (void) SCFree(sig); return NULL; } + int lists = DetectBufferTypeMaxId(); + SCLogDebug("smlists size %d", lists); + sig->init_data->smlists = SCCalloc(lists, sizeof(SigMatch *)); + if (sig->init_data->smlists == NULL) { + SCFree(sig->init_data); + SCFree(sig); + return NULL; + } + + sig->init_data->smlists_tail = SCCalloc(lists, sizeof(SigMatch *)); + if (sig->init_data->smlists_tail == NULL) { + SCFree(sig->init_data->smlists_tail); + SCFree(sig->init_data); + SCFree(sig); + return NULL; + } /* assign it to -1, so that we can later check if the value has been * overwritten after the Signature has been parsed, and if it hasn't been @@ -1067,6 +1193,8 @@ static void SigMatchFreeArrays(Signature *s, int ctxs) void SigFree(Signature *s) { + const int nlists = DetectBufferTypeMaxId(); + if (s == NULL) return; @@ -1078,7 +1206,7 @@ void SigFree(Signature *s) int i; if (s->init_data) { - for (i = 0; i < DETECT_SM_LIST_MAX; i++) { + for (i = 0; i < nlists; i++) { SigMatch *sm = s->init_data->smlists[i]; while (sm != NULL) { SigMatch *nsm = sm->next; @@ -1089,6 +1217,8 @@ void SigFree(Signature *s) } SigMatchFreeArrays(s, (s->init_data == NULL)); if (s->init_data) { + SCFree(s->init_data->smlists); + SCFree(s->init_data->smlists_tail); SCFree(s->init_data); s->init_data = NULL; } @@ -1437,21 +1567,8 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) //} if (s->flags & SIG_FLAG_REQUIRE_PACKET) { - pm = SigMatchGetLastSMFromLists(s, 24, - DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_REPLACE, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]); - if (pm != NULL) { + pm = DetectGetLastSMFromLists(s, DETECT_REPLACE, -1); + if (pm != NULL && SigMatchListSMBelongsTo(s, pm) != DETECT_SM_LIST_PMATCH) { SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature has" " replace keyword linked with a modified content" " keyword (http_*, dce_*). It only supports content on" @@ -1529,7 +1646,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) if (s->init_data->smlists[DETECT_SM_LIST_BASE64_DATA] != NULL) { int list; uint16_t idx = s->init_data->smlists[DETECT_SM_LIST_BASE64_DATA]->idx; - for (list = 0; list < DETECT_SM_LIST_MAX; list++) { + for (list = 0; list < nlists; list++) { if (list == DETECT_SM_LIST_POSTMATCH || list == DETECT_SM_LIST_TMATCH || list == DETECT_SM_LIST_SUPPRESS || @@ -1555,7 +1672,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) #ifdef DEBUG int i; - for (i = 0; i < DETECT_SM_LIST_MAX; i++) { + for (i = 0; i < nlists; i++) { if (s->init_data->smlists[i] != NULL) { for (sm = s->init_data->smlists[i]; sm != NULL; sm = sm->next) { BUG_ON(sm == sm->prev); diff --git a/src/detect-parse.h b/src/detect-parse.h index 044fcdfd67..9dfe5ac219 100644 --- a/src/detect-parse.h +++ b/src/detect-parse.h @@ -45,11 +45,6 @@ Signature *SigAlloc(void); void SigFree(Signature *s); Signature *SigInit(DetectEngineCtx *,char *sigstr); Signature *SigInitReal(DetectEngineCtx *, char *); -SigMatch *SigMatchGetLastSMFromLists(const Signature *, int, ...); -SigMatch *SigMatchGetLastSM(const Signature *); -void SigMatchTransferSigMatchAcrossLists(SigMatch *sm, - SigMatch **, SigMatch **s, - SigMatch **, SigMatch **); SigMatchData* SigMatchList2DataArray(SigMatch *head); void SigParsePrepare(void); void SigParseRegisterTests(void); @@ -62,13 +57,19 @@ int SigMatchListSMBelongsTo(const Signature *, const SigMatch *); int DetectParseDupSigHashInit(DetectEngineCtx *); void DetectParseDupSigHashFree(DetectEngineCtx *); -int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg, - uint8_t sm_type, uint8_t sm_list, +int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg, + int sm_type, int sm_list, AppProto alproto, void (*CustomCallback)(Signature *s)); const char *DetectListToHumanString(int list); const char *DetectListToString(int list); +SigMatch *DetectGetLastSM(const Signature *); +SigMatch *DetectGetLastSMFromMpmLists(const Signature *s); +SigMatch *DetectGetLastSMFromLists(const Signature *s, ...); +SigMatch *DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list, ...); +SigMatch *DetectGetLastSMByListId(const Signature *s, int list_id, ...); + /* parse regex setup and free util funcs */ void DetectSetupParseRegexes(const char *parse_str, diff --git a/src/detect-pcre.c b/src/detect-pcre.c index a43fd8fc5d..918c475998 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -760,9 +760,8 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst /* errors below shouldn't free pd */ - SigMatch *prev_pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, sm->prev, - DETECT_PCRE, sm->prev); + SigMatch *prev_pm = DetectGetLastSMByListPtr(s, sm->prev, + DETECT_CONTENT, DETECT_PCRE, -1); if (s->init_data->list == DETECT_SM_LIST_NOTSET && prev_pm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre with /R (relative) needs " "preceeding match in the same buffer"); diff --git a/src/detect-prefilter.c b/src/detect-prefilter.c index 08eacac39e..fe50e39ac0 100644 --- a/src/detect-prefilter.c +++ b/src/detect-prefilter.c @@ -72,7 +72,7 @@ static int DetectPrefilterSetup (DetectEngineCtx *de_ctx, Signature *s, char *nu goto end; } - sm = SigMatchGetLastSM(s); + sm = DetectGetLastSM(s); if (sm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "prefilter needs preceding match"); goto end; diff --git a/src/detect-rawbytes.c b/src/detect-rawbytes.c index 0803822c89..5e7e48d974 100644 --- a/src/detect-rawbytes.c +++ b/src/detect-rawbytes.c @@ -65,8 +65,8 @@ static int DetectRawbytesSetup (DetectEngineCtx *de_ctx, Signature *s, char *nul SCReturnInt(-1); } - SigMatch *pm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]); + SigMatch *pm = DetectGetLastSMByListId(s, DETECT_SM_LIST_PMATCH, + DETECT_CONTENT, -1); if (pm == NULL) { SCLogError(SC_ERR_RAWBYTES_MISSING_CONTENT, "\"rawbytes\" needs a preceding content option"); SCReturnInt(-1); diff --git a/src/detect-replace.c b/src/detect-replace.c index 7f50bbd9b6..08ab84c887 100644 --- a/src/detect-replace.c +++ b/src/detect-replace.c @@ -103,9 +103,9 @@ int DetectReplaceSetup(DetectEngineCtx *de_ctx, Signature *s, char *replacestr) return 0; } - /* add to the latest "content" keyword from either dmatch or pmatch */ - pm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]); + /* add to the latest "content" keyword from pmatch */ + pm = DetectGetLastSMByListId(s, DETECT_SM_LIST_PMATCH, + DETECT_CONTENT, -1); if (pm == NULL) { SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "replace needs" "preceding content option for raw sig"); diff --git a/src/detect-threshold.c b/src/detect-threshold.c index 85849295fe..3632d4d4d1 100644 --- a/src/detect-threshold.c +++ b/src/detect-threshold.c @@ -229,10 +229,10 @@ static int DetectThresholdSetup(DetectEngineCtx *de_ctx, Signature *s, char *raw SigMatch *tmpm = NULL; /* checks if there is a previous instance of detection_filter */ - tmpm = SigMatchGetLastSMFromLists(s, 2, - DETECT_DETECTION_FILTER, s->init_data->smlists[DETECT_SM_LIST_MATCH]); + tmpm = DetectGetLastSMFromLists(s, DETECT_DETECTION_FILTER, -1); if (tmpm != NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and \"threshold\" are not allowed in the same rule"); + SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and " + "\"threshold\" are not allowed in the same rule"); SCReturnInt(-1); } diff --git a/src/detect-within.c b/src/detect-within.c index 0c243c6fa7..61272e3844 100644 --- a/src/detect-within.c +++ b/src/detect-within.c @@ -84,37 +84,14 @@ static int DetectWithinSetup(DetectEngineCtx *de_ctx, Signature *s, char *within dubbed = 1; } - /* retrive the sm to apply the depth against */ - if (s->init_data->list != DETECT_SM_LIST_NOTSET) { - pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->init_data->smlists_tail[s->init_data->list]); - } else { - pm = SigMatchGetLastSMFromLists(s, 28, - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_FILEDATA], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_CONTENT, s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]); - } + /* retrieve the sm to apply the within against */ + pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, -1); if (pm == NULL) { SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "within needs " - "preceding content, uricontent option, http_client_body, " - "http_server_body, http_header option, http_raw_header option, " - "http_method option, http_cookie, http_raw_uri, " - "http_stat_msg, http_stat_code, http_user_agent or " - "file_data/dce_stub_data sticky buffer option"); + "preceding content option"); goto end; } - /* verify other conditions */ DetectContentData *cd = (DetectContentData *)pm->ctx; if (cd->flags & DETECT_CONTENT_WITHIN) { @@ -162,9 +139,8 @@ static int DetectWithinSetup(DetectEngineCtx *de_ctx, Signature *s, char *within /* these are the only ones against which we set a flag. We have other * relative keywords like byttest, isdataat, bytejump, but we don't * set a flag against them */ - SigMatch *prev_pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, pm->prev, - DETECT_PCRE, pm->prev); + SigMatch *prev_pm = DetectGetLastSMByListPtr(s, pm->prev, + DETECT_CONTENT, DETECT_PCRE, -1); if (prev_pm == NULL) { ret = 0; goto end; diff --git a/src/detect.c b/src/detect.c index d32dc388d5..3afdf81b70 100644 --- a/src/detect.c +++ b/src/detect.c @@ -3486,7 +3486,7 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) int prefilter_list = DETECT_TBLSIZE; /* get the keyword supporting prefilter with the lowest type */ - for (i = 0; i < DETECT_SM_LIST_MAX; i++) { + for (i = 0; i < nlists; i++) { SigMatch *sm = tmp_s->init_data->smlists[i]; while (sm != NULL) { if (sigmatch_table[sm->type].SupportsPrefilter != NULL) { @@ -3500,7 +3500,7 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) /* apply that keyword as prefilter */ if (prefilter_list != DETECT_TBLSIZE) { - for (i = 0; i < DETECT_SM_LIST_MAX; i++) { + for (i = 0; i < nlists; i++) { SigMatch *sm = tmp_s->init_data->smlists[i]; while (sm != NULL) { if (sm->type == prefilter_list) { @@ -3963,6 +3963,7 @@ static int SigMatchPrepare(DetectEngineCtx *de_ctx) { SCEnter(); + const int nlists = DetectBufferTypeMaxId(); Signature *s = de_ctx->sig_list; for (; s != NULL; s = s->next) { /* set up inspect engines */ @@ -3976,7 +3977,7 @@ static int SigMatchPrepare(DetectEngineCtx *de_ctx) /* free lists. Ctx' are xferred to sm_arrays so won't get freed */ int i; - for (i = 0; i < DETECT_SM_LIST_MAX; i++) { + for (i = 0; i < nlists; i++) { SigMatch *sm = s->init_data->smlists[i]; while (sm != NULL) { SigMatch *nsm = sm->next; @@ -3984,6 +3985,8 @@ static int SigMatchPrepare(DetectEngineCtx *de_ctx) sm = nsm; } } + SCFree(s->init_data->smlists); + SCFree(s->init_data->smlists_tail); SCFree(s->init_data); s->init_data = NULL; } diff --git a/src/detect.h b/src/detect.h index 3520e23e18..e90f9fdee3 100644 --- a/src/detect.h +++ b/src/detect.h @@ -108,6 +108,11 @@ enum DetectSigmatchListEnum { DETECT_SM_LIST_SUPPRESS, DETECT_SM_LIST_THRESHOLD, + /* used for Signature->list, which indicates which list + * we're adding keywords to in cases of sticky buffers like + * file_data */ + DETECT_SM_LIST_NOTSET, + DETECT_SM_LIST_BUILTIN_MAX, /* list for http_uri keyword and the ones relative to it */ @@ -166,10 +171,6 @@ enum DetectSigmatchListEnum { DETECT_SM_LIST_MAX, - /* used for Signature->list, which indicates which list - * we're adding keywords to in cases of sticky buffers like - * file_data */ - DETECT_SM_LIST_NOTSET, }; /* a is ... than b */ @@ -441,9 +442,9 @@ typedef struct SignatureInitData_ { int prefilter_list; /* holds all sm lists */ - struct SigMatch_ *smlists[DETECT_SM_LIST_MAX]; + struct SigMatch_ **smlists; /* holds all sm lists' tails */ - struct SigMatch_ *smlists_tail[DETECT_SM_LIST_MAX]; + struct SigMatch_ **smlists_tail; } SignatureInitData; /** \brief Signature container */ diff --git a/src/util-threshold-config.c b/src/util-threshold-config.c index c50e69146f..b431732814 100644 --- a/src/util-threshold-config.c +++ b/src/util-threshold-config.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2007-2010 Open Information Security Foundation +/* Copyright (C) 2007-2016 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free @@ -460,8 +460,8 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid /* Install it */ if (id == 0 && gid == 0) { for (s = de_ctx->sig_list; s != NULL; s = s->next) { - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]); + sm = DetectGetLastSMByListId(s, + DETECT_SM_LIST_THRESHOLD, DETECT_THRESHOLD, -1); if (sm != NULL) { SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has " "an event var set. The signature event var is " @@ -470,8 +470,8 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid continue; } - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_DETECTION_FILTER, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]); + sm = DetectGetLastSMByListId(s, + DETECT_SM_LIST_THRESHOLD, DETECT_DETECTION_FILTER, -1); if (sm != NULL) { SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has " "an event var set. The signature event var is " @@ -523,18 +523,8 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid } else if (id == 0 && gid > 0) { for (s = de_ctx->sig_list; s != NULL; s = s->next) { if (s->gid == gid) { - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]); - if (sm != NULL) { - SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has " - "an event var set. The signature event var is " - "given precedence over the threshold.conf one. " - "We'll change this in the future though.", id); - continue; - } - - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_DETECTION_FILTER, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]); + sm = DetectGetLastSMByListId(s, DETECT_SM_LIST_THRESHOLD, + DETECT_THRESHOLD, DETECT_DETECTION_FILTER, -1); if (sm != NULL) { SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has " "an event var set. The signature event var is " @@ -596,8 +586,8 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid if (parsed_type != TYPE_SUPPRESS && parsed_type != TYPE_THRESHOLD && parsed_type != TYPE_BOTH && parsed_type != TYPE_LIMIT) { - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]); + sm = DetectGetLastSMByListId(s, + DETECT_SM_LIST_THRESHOLD, DETECT_THRESHOLD, -1); if (sm != NULL) { SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has " "a threshold set. The signature event var is " @@ -606,8 +596,8 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid goto end; } - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_DETECTION_FILTER, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]); + sm = DetectGetLastSMByListId(s, DETECT_SM_LIST_THRESHOLD, + DETECT_DETECTION_FILTER, -1); if (sm != NULL) { SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has " "a detection_filter set. The signature event var is " @@ -617,20 +607,14 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid } /* replace threshold on sig if we have a global override for it */ -#if 1 } else if (parsed_type == TYPE_THRESHOLD || parsed_type == TYPE_BOTH || parsed_type == TYPE_LIMIT) { - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]); - if (sm == NULL) { - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_DETECTION_FILTER, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]); - } + sm = DetectGetLastSMByListId(s, DETECT_SM_LIST_THRESHOLD, + DETECT_THRESHOLD, DETECT_DETECTION_FILTER, -1); if (sm != NULL) { SigMatchRemoveSMFromList(s, sm, DETECT_SM_LIST_THRESHOLD); SigMatchFree(sm); sm = NULL; } -#endif } de = SCMalloc(sizeof(DetectThresholdData)); @@ -1448,8 +1432,8 @@ int SCThresholdConfTest01(void) FAIL_IF_NULL(g_ut_threshold_fp); SCThresholdConfInitContext(de_ctx); - SigMatch *m = SigMatchGetLastSMFromLists(sig, 2, - DETECT_THRESHOLD, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]); + SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD, + DETECT_THRESHOLD, -1); FAIL_IF_NULL(m); DetectThresholdData *de = (DetectThresholdData *)m->ctx; @@ -1481,8 +1465,8 @@ int SCThresholdConfTest02(void) FAIL_IF_NULL(g_ut_threshold_fp); SCThresholdConfInitContext(de_ctx); - SigMatch *m = SigMatchGetLastSMFromLists(sig, 2, - DETECT_THRESHOLD, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]); + SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD, + DETECT_THRESHOLD, -1); FAIL_IF_NULL(m); DetectThresholdData *de = (DetectThresholdData *)m->ctx; @@ -1514,8 +1498,8 @@ int SCThresholdConfTest03(void) FAIL_IF_NULL(g_ut_threshold_fp); SCThresholdConfInitContext(de_ctx); - SigMatch *m = SigMatchGetLastSMFromLists(sig, 2, - DETECT_THRESHOLD, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]); + SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD, + DETECT_THRESHOLD, -1); FAIL_IF_NULL(m); DetectThresholdData *de = (DetectThresholdData *)m->ctx; @@ -1547,8 +1531,8 @@ int SCThresholdConfTest04(void) FAIL_IF_NULL(g_ut_threshold_fp); SCThresholdConfInitContext(de_ctx); - SigMatch *m = SigMatchGetLastSMFromLists(sig, 2, - DETECT_THRESHOLD, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]); + SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD, + DETECT_THRESHOLD, -1); FAIL_IF_NOT_NULL(m); DetectEngineCtxFree(de_ctx); @@ -1584,24 +1568,24 @@ int SCThresholdConfTest05(void) SCThresholdConfInitContext(de_ctx); Signature *s = de_ctx->sig_list; - SigMatch *m = SigMatchGetLastSMFromLists(s, 2, - DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]); + SigMatch *m = DetectGetLastSMByListId(s, DETECT_SM_LIST_THRESHOLD, + DETECT_THRESHOLD, -1); FAIL_IF_NULL(m); FAIL_IF_NULL(m->ctx); DetectThresholdData *de = (DetectThresholdData *)m->ctx; FAIL_IF_NOT(de->type == TYPE_THRESHOLD && de->track == TRACK_SRC && de->count == 100 && de->seconds == 60); s = de_ctx->sig_list->next; - m = SigMatchGetLastSMFromLists(s, 2, - DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]); + m = DetectGetLastSMByListId(s, DETECT_SM_LIST_THRESHOLD, + DETECT_THRESHOLD, -1); FAIL_IF_NULL(m); FAIL_IF_NULL(m->ctx); de = (DetectThresholdData *)m->ctx; FAIL_IF_NOT(de->type == TYPE_THRESHOLD && de->track == TRACK_SRC && de->count == 100 && de->seconds == 60); s = de_ctx->sig_list->next->next; - m = SigMatchGetLastSMFromLists(s, 2, - DETECT_THRESHOLD, s->init_data->smlists[DETECT_SM_LIST_THRESHOLD]); + m = DetectGetLastSMByListId(s, DETECT_SM_LIST_THRESHOLD, + DETECT_THRESHOLD, -1); FAIL_IF_NULL(m); FAIL_IF_NULL(m->ctx); de = (DetectThresholdData *)m->ctx; @@ -1631,8 +1615,8 @@ int SCThresholdConfTest06(void) FAIL_IF_NULL(g_ut_threshold_fp); SCThresholdConfInitContext(de_ctx); - SigMatch *m = SigMatchGetLastSMFromLists(sig, 2, - DETECT_THRESHOLD, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]); + SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD, + DETECT_THRESHOLD, -1); FAIL_IF_NULL(m); DetectThresholdData *de = (DetectThresholdData *)m->ctx; @@ -1664,8 +1648,8 @@ int SCThresholdConfTest07(void) FAIL_IF_NULL(g_ut_threshold_fp); SCThresholdConfInitContext(de_ctx); - SigMatch *m = SigMatchGetLastSMFromLists(sig, 2, - DETECT_DETECTION_FILTER, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]); + SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD, + DETECT_DETECTION_FILTER, -1); FAIL_IF_NULL(m); DetectThresholdData *de = (DetectThresholdData *)m->ctx; @@ -1698,8 +1682,8 @@ int SCThresholdConfTest08(void) FAIL_IF_NULL(g_ut_threshold_fp); SCThresholdConfInitContext(de_ctx); - SigMatch *m = SigMatchGetLastSMFromLists(sig, 2, - DETECT_DETECTION_FILTER, sig->init_data->smlists[DETECT_SM_LIST_THRESHOLD]); + SigMatch *m = DetectGetLastSMByListId(sig, DETECT_SM_LIST_THRESHOLD, + DETECT_DETECTION_FILTER, -1); FAIL_IF_NULL(m); DetectThresholdData *de = (DetectThresholdData *)m->ctx; @@ -2109,8 +2093,8 @@ int SCThresholdConfTest13(void) FAIL_IF_NULL(g_ut_threshold_fp); SCThresholdConfInitContext(de_ctx); - SigMatch *m = SigMatchGetLastSMFromLists(sig, 2, - DETECT_THRESHOLD, sig->init_data->smlists[DETECT_SM_LIST_SUPPRESS]); + SigMatch *m = DetectGetLastSMByListId(sig, + DETECT_SM_LIST_SUPPRESS, DETECT_THRESHOLD, -1); FAIL_IF_NULL(m); DetectThresholdData *de = (DetectThresholdData *)m->ctx;