From: Victor Julien Date: Fri, 22 Sep 2023 19:08:29 +0000 (+0200) Subject: detect: reimplement discontinue matching logic X-Git-Tag: suricata-8.0.0-beta1~2018 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7f42506760d6c8345b2f565e535aad276c2441e7;p=thirdparty%2Fsuricata.git detect: reimplement discontinue matching logic Previously various steps in the content inspection logic would use a variable in the DetectEngineThreadCtx to flag that matching should be discontinued. This patch reimplements this logic by using a new return code instead. Split content inspection into public and private version, so that common initialization can be done in a single place. Update the callsites. --- diff --git a/src/detect-base64-data.c b/src/detect-base64-data.c index 4c892a919c..09d89113d6 100644 --- a/src/detect-base64-data.c +++ b/src/detect-base64-data.c @@ -65,10 +65,10 @@ int DetectBase64DataDoMatch(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f) { if (det_ctx->base64_decoded_len) { - return DetectEngineContentInspection(de_ctx, det_ctx, s, - s->sm_arrays[DETECT_SM_LIST_BASE64_DATA], NULL, f, det_ctx->base64_decoded, - det_ctx->base64_decoded_len, 0, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); + return DetectEngineContentInspectionInternal(de_ctx, det_ctx, s, + s->sm_arrays[DETECT_SM_LIST_BASE64_DATA], NULL, f, det_ctx->base64_decoded, + det_ctx->base64_decoded_len, 0, DETECT_CI_FLAGS_SINGLE, + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); } return 0; diff --git a/src/detect-dns-query.c b/src/detect-dns-query.c index fd2c745085..d2dbe8e990 100644 --- a/src/detect-dns-query.c +++ b/src/detect-dns-query.c 
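Review bot: `DetectBase64DataDoMatch` now forwards the three-way result of `DetectEngineContentInspectionInternal`, so it can return -1 as well as 0 and 1, but nothing at the definition says so. A caller that tests the result for truthiness would read -1 (give up) as a match; the call site changed later in this commit compares with `== 1`, and any other callers are not visible here. I would add a comment above the function along the lines of `/* \retval 1 match, 0 no match, -1 no match and discontinue */`. The call presumably targets the internal entry point on purpose, because the public wrapper resets `buffer_offset` and `inspection_recursion_counter`; a one-line comment saying so would keep someone from switching it to the wrapper later.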
@@ -114,17 +114,10 @@ static uint8_t DetectEngineInspectDnsQuery(DetectEngineCtx *de_ctx, DetectEngine if (buffer == NULL || buffer->inspect == NULL) break; - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, - NULL, f, - (uint8_t *)buffer->inspect, - buffer->inspect_len, - buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); - if (match == 1) { + const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, + (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, + DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); + if (match) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } local_id++; diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c index 8c5feb61a2..2ac2319c9d 100644 --- a/src/detect-engine-content-inspection.c +++ b/src/detect-engine-content-inspection.c @@ -100,10 +100,11 @@ * buffer inspection modes or dce inspection mode. * \param flags DETECT_CI_FLAG_* * + * \retval -1 no match and give up (discontinue matching) * \retval 0 no match * \retval 1 match */ -uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, +int DetectEngineContentInspectionInternal(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode) { 
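Review bot: The rewritten call in `DetectEngineInspectDnsQuery` still passes `(uint8_t *)buffer->inspect`, although the callee takes `const uint8_t *buffer` in both prototypes in detect-engine-content-inspection.h. The cast is unnecessary, and where the source pointer is const (in detect-engine-frame.c `data` is declared `const uint8_t *`) it discards the qualifier and would hide a later signature change from the compiler. Since these lines are being reflowed anyway, pass `buffer->inspect` directly. The same applies to most other call sites touched by this commit that cast `buffer->inspect` or `data` (frame, payload, engine, filemagic, filename, http-client-body, http-header, http2, ike-vendor, krb5, mqtt, quic, template-rust-buffer, tls-certs). The enclosing function starts and ends outside this hunk.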
@@ -113,9 +114,8 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea det_ctx->inspection_recursion_counter++; if (det_ctx->inspection_recursion_counter == de_ctx->inspection_recursion_limit) { - det_ctx->discontinue_matching = 1; KEYWORD_PROFILING_END(det_ctx, smd->type, 0); - SCReturnInt(0); + SCReturnInt(-1); } // we want the ability to match on bsize: 0 @@ -303,7 +303,7 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea if (!(cd->flags & DETECT_CONTENT_NEGATED)) { if ((cd->flags & (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN)) == 0) { /* independent match from previous matches, so failure is fatal */ - det_ctx->discontinue_matching = 1; + goto no_match_discontinue; } goto no_match; @@ -328,8 +328,9 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea goto match; } } - if (DETECT_CONTENT_IS_SINGLE(cd)) - det_ctx->discontinue_matching = 1; + if (DETECT_CONTENT_IS_SINGLE(cd)) { + goto no_match_discontinue; + } goto no_match; } else { SCLogDebug("content %" PRIu32 " matched at offset %" PRIu32 "", cd->id, 
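Review bot: In the recursion-limit branch at the top of `DetectEngineContentInspectionInternal`, running out of recursion budget returns the same -1 as a definitive content mismatch, and the public wrapper added by this commit turns both into `false`. A signature that was abandoned because of the limit is therefore indistinguishable from one that did not match, which makes missed detections on deeply chained rules hard to triage. I would leave a trace on this path, e.g. `SCLogDebug("inspection recursion limit reached");` before the `KEYWORD_PROFILING_END` call, and state in the new `\retval -1` text that it also covers this case. The rest of the function body lies outside this hunk.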
@@ -360,23 +361,21 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea /* see if the next buffer keywords match. If not, we will * search for another occurrence of this content and see * if the others match then until we run out of matches */ - uint8_t r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd + 1, p, f, - buffer, buffer_len, stream_start_offset, flags, inspection_mode); + int r = DetectEngineContentInspectionInternal(de_ctx, det_ctx, s, smd + 1, + p, f, buffer, buffer_len, stream_start_offset, flags, + inspection_mode); if (r == 1) { SCReturnInt(1); - } - SCLogDebug("no match for 'next sm'"); - - if (det_ctx->discontinue_matching) { + } else if (r == -1) { SCLogDebug("'next sm' said to discontinue this right now"); - goto no_match; + SCReturnInt(-1); } + SCLogDebug("no match for 'next sm'"); /* no match and no reason to look for another instance */ if ((cd->flags & DETECT_CONTENT_WITHIN_NEXT) == 0) { SCLogDebug("'next sm' does not depend on me, so we can give up"); - det_ctx->discontinue_matching = 1; - goto no_match; + SCReturnInt(-1); } SCLogDebug("'next sm' depends on me %p, lets see what we can do (flags %u)", @@ -441,12 +440,10 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea DetectPcreData *pe = (DetectPcreData *)smd->ctx; uint32_t prev_buffer_offset = det_ctx->buffer_offset; uint32_t prev_offset = 0; - int r = 0; det_ctx->pcre_match_start_offset = 0; do { - r = DetectPcrePayloadMatch(det_ctx, s, smd, p, f, - buffer, buffer_len); + int r = DetectPcrePayloadMatch(det_ctx, s, smd, p, f, buffer, buffer_len); if (r == 0) { goto no_match; } 
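Review bot: The two give-up exits after the recursive call in the content branch use `SCReturnInt(-1)` directly, while the other discontinue paths in this commit go through `goto no_match_discontinue`, which also calls `KEYWORD_PROFILING_END(det_ctx, smd->type, 0)`. If the direct return is deliberate because profiling for this keyword was already closed before the recursive call (that code is above the hunk and not visible here), a short comment would make that clear, for example `/* keyword profiling already ended above; return without the label */`. If not, these should be `goto no_match_discontinue;` so the profiling counters stay balanced. The pcre loop in the hunk at -463,16 has the same direct `SCReturnInt(-1)`.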
@@ -463,16 +460,14 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea /* see if the next payload keywords match. If not, we will * search for another occurrence of this pcre and see * if the others match, until we run out of matches */ - r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd+1, - p, f, buffer, buffer_len, stream_start_offset, flags, - inspection_mode); + r = DetectEngineContentInspectionInternal(de_ctx, det_ctx, s, smd + 1, p, f, buffer, + buffer_len, stream_start_offset, flags, inspection_mode); if (r == 1) { SCReturnInt(1); + } else if (r == -1) { + SCReturnInt(-1); } - if (det_ctx->discontinue_matching) - goto no_match; - det_ctx->buffer_offset = prev_buffer_offset; det_ctx->pcre_match_start_offset = prev_offset; } while (1); @@ -611,9 +606,7 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea const uint64_t data_size = buffer_len + stream_start_offset; int r = DetectBsizeMatch(smd->ctx, data_size, eof); if (r < 0) { - det_ctx->discontinue_matching = 1; - goto no_match; - + goto no_match_discontinue; } else if (r == 0) { goto no_match; } @@ -627,8 +620,7 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea if (r == 1) { goto match; } - det_ctx->discontinue_matching = 1; - goto no_match; + goto no_match_discontinue; } else if (smd->type == DETECT_DATAREP) { @@ -638,8 +630,7 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea if (r == 1) { goto match; } - det_ctx->discontinue_matching = 1; - goto no_match; + goto no_match_discontinue; } else if (smd->type == DETECT_AL_URILEN) { SCLogDebug("inspecting uri len"); @@ -655,10 +646,7 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea if (r == 1) { goto match; } - - det_ctx->discontinue_matching = 1; - - goto no_match; + goto no_match_discontinue; #ifdef HAVE_LUA } else if (smd->type == DETECT_LUA) { 
@@ -677,7 +665,7 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea if (DetectBase64DecodeDoMatch(det_ctx, s, smd, buffer, buffer_len)) { if (s->sm_arrays[DETECT_SM_LIST_BASE64_DATA] != NULL) { KEYWORD_PROFILING_END(det_ctx, smd->type, 1); - if (DetectBase64DataDoMatch(de_ctx, det_ctx, s, f)) { + if (DetectBase64DataDoMatch(de_ctx, det_ctx, s, f) == 1) { /* Base64 is a terminal list. */ goto final_match; } @@ -694,12 +682,16 @@ no_match: KEYWORD_PROFILING_END(det_ctx, smd->type, 0); SCReturnInt(0); +no_match_discontinue: + KEYWORD_PROFILING_END(det_ctx, smd->type, 0); + SCReturnInt(-1); + match: /* this sigmatch matched, inspect the next one. If it was the last, * the buffer portion of the signature matched. */ if (!smd->is_last) { KEYWORD_PROFILING_END(det_ctx, smd->type, 1); - uint8_t r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd + 1, p, f, buffer, + int r = DetectEngineContentInspectionInternal(de_ctx, det_ctx, s, smd + 1, p, f, buffer, buffer_len, stream_start_offset, flags, inspection_mode); SCReturnInt(r); } @@ -708,6 +700,26 @@ final_match: SCReturnInt(1); } +/** \brief wrapper around DetectEngineContentInspectionInternal to return true/false only + * + * \param smd sigmatches to evaluate + */ +bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, + const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, + const uint32_t buffer_len, const uint32_t stream_start_offset, const uint8_t flags, + const uint8_t inspection_mode) +{ + det_ctx->buffer_offset = 0; + det_ctx->inspection_recursion_counter = 0; + + int r = DetectEngineContentInspectionInternal(de_ctx, det_ctx, s, smd, p, f, buffer, buffer_len, + stream_start_offset, flags, inspection_mode); + if (r == 1) + return true; + else + return false; +} + #ifdef UNITTESTS #include "tests/detect-engine-content-inspection.c" #endif 
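Review bot: The new public `DetectEngineContentInspection` wrapper documents only `smd`, yet its real contract is that it resets `det_ctx->buffer_offset` and `det_ctx->inspection_recursion_counter` and collapses the internal -1/0/1 result into a bool. I would extend the doc block with `\retval true match` and `\retval false no match, including discontinue`, plus a sentence that nested or recursive inspection must call `DetectEngineContentInspectionInternal`, because calling the wrapper in the middle of an inspection would reset the recursion counter and so defeat the recursion limit. The tail of the function can also be written as `return r == 1;` instead of the if/else.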
diff --git a/src/detect-engine-content-inspection.h b/src/detect-engine-content-inspection.h index ae1e8ed5bf..188ebef2d8 100644 --- a/src/detect-engine-content-inspection.h +++ b/src/detect-engine-content-inspection.h @@ -46,7 +46,13 @@ enum { * inspection function contains both start and end of the data. */ #define DETECT_CI_FLAGS_SINGLE (DETECT_CI_FLAGS_START|DETECT_CI_FLAGS_END) -uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, +/* "internal" returns 1 match, 0 no match, -1 can't match */ +int DetectEngineContentInspectionInternal(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, + const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, + const uint32_t buffer_len, const uint32_t stream_start_offset, const uint8_t flags, + const uint8_t inspection_mode); +/* implicit "public" just returns true match, false no match */ +bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode); diff --git a/src/detect-engine-frame.c b/src/detect-engine-frame.c index 722263d453..0ed70757d5 100644 --- a/src/detect-engine-frame.c +++ b/src/detect-engine-frame.c @@ -311,10 +311,10 @@ static int DetectFrameInspectUdp(DetectEngineThreadCtx *det_ctx, // PrintRawDataFp(stdout, data, data_len); - int r = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx, s, engine->smd, p, p->flow, - (uint8_t *)data, data_len, 0, buffer->flags, + const bool match = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx, s, engine->smd, p, + p->flow, (uint8_t *)data, data_len, 0, buffer->flags, DETECT_ENGINE_CONTENT_INSPECTION_MODE_FRAME); - if (r == 1) { + if (match) { SCLogDebug("match!"); return DETECT_ENGINE_INSPECT_SIG_MATCH; } else { 
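Review bot: The prototypes added to the header do not agree with their definitions on parameter qualifiers: `DetectEngineContentInspectionInternal` is declared here with `const uint32_t buffer_len, const uint32_t stream_start_offset, const uint8_t flags, const uint8_t inspection_mode` but defined without the `const`, and the public `DetectEngineContentInspection` is the other way round. Top-level `const` on by-value parameters does not change the function type, so this compiles, but it looks as if the two parameter lists were swapped. I would drop `const` from the by-value parameters in the header and keep it only in the definitions if wanted. The comment `/* implicit "public" just returns true match, false no match */` would also be clearer as `/* public entry point: resets per-inspection state, returns true on match */`.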
@@ -457,9 +457,6 @@ static int FrameStreamDataInspectFunc( const uint8_t *data = buffer->inspect; const uint64_t data_offset = buffer->inspect_offset; DetectEngineThreadCtx *det_ctx = fsd->det_ctx; - det_ctx->discontinue_matching = 0; - det_ctx->buffer_offset = 0; - det_ctx->inspection_recursion_counter = 0; const DetectEngineFrameInspectionEngine *engine = fsd->inspect_engine; const Signature *s = fsd->s; @@ -481,10 +478,10 @@ static int FrameStreamDataInspectFunc( #endif BUG_ON(fsd->frame->len > 0 && (int64_t)data_len > fsd->frame->len); - int r = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx, s, engine->smd, p, p->flow, - (uint8_t *)data, data_len, data_offset, buffer->flags, + const bool match = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx, s, engine->smd, p, + p->flow, (uint8_t *)data, data_len, data_offset, buffer->flags, DETECT_ENGINE_CONTENT_INSPECTION_MODE_FRAME); - if (r == 1) { + if (match) { SCLogDebug("DETECT_ENGINE_INSPECT_SIG_MATCH"); fsd->inspect_result = DETECT_ENGINE_INSPECT_SIG_MATCH; } else { diff --git a/src/detect-engine-payload.c b/src/detect-engine-payload.c index ef92e68629..7da3c3b81f 100644 --- a/src/detect-engine-payload.c +++ b/src/detect-engine-payload.c @@ -153,7 +153,6 @@ uint8_t DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, DetectEngineTh const Signature *s, Flow *f, Packet *p) { SCEnter(); - int r = 0; if (s->sm_arrays[DETECT_SM_LIST_PMATCH] == NULL) { SCReturnInt(0); 
@@ -162,16 +161,12 @@ uint8_t DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, DetectEngineTh det_ctx->payload_persig_cnt++; det_ctx->payload_persig_size += p->payload_len; #endif - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; det_ctx->replist = NULL; - r = DetectEngineContentInspection(de_ctx, det_ctx, - s, s->sm_arrays[DETECT_SM_LIST_PMATCH], - p, f, p->payload, p->payload_len, 0, + const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, + s->sm_arrays[DETECT_SM_LIST_PMATCH], p, f, p->payload, p->payload_len, 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD); - if (r == 1) { + if (match) { SCReturnInt(1); } SCReturnInt(0); @@ -195,7 +190,6 @@ static uint8_t DetectEngineInspectStreamUDPPayload(DetectEngineCtx *de_ctx, Packet *p) { SCEnter(); - int r = 0; if (smd == NULL) { SCReturnInt(0); @@ -204,15 +198,12 @@ static uint8_t DetectEngineInspectStreamUDPPayload(DetectEngineCtx *de_ctx, det_ctx->payload_persig_cnt++; det_ctx->payload_persig_size += p->payload_len; #endif - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; det_ctx->replist = NULL; - r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, - p, f, p->payload, p->payload_len, 0, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD); - if (r == 1) { + const bool match = + DetectEngineContentInspection(de_ctx, det_ctx, s, smd, p, f, p->payload, p->payload_len, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD); + if (match) { SCReturnInt(1); } SCReturnInt(0); 
@@ -229,21 +220,17 @@ static int StreamContentInspectFunc( void *cb_data, const uint8_t *data, const uint32_t data_len, const uint64_t _offset) { SCEnter(); - int r = 0; struct StreamContentInspectData *smd = cb_data; #ifdef DEBUG smd->det_ctx->stream_persig_cnt++; smd->det_ctx->stream_persig_size += data_len; #endif - smd->det_ctx->buffer_offset = 0; - smd->det_ctx->discontinue_matching = 0; - smd->det_ctx->inspection_recursion_counter = 0; - r = DetectEngineContentInspection(smd->de_ctx, smd->det_ctx, - smd->s, smd->s->sm_arrays[DETECT_SM_LIST_PMATCH], - NULL, smd->f, (uint8_t *)data, data_len, 0, 0, //TODO + const bool match = DetectEngineContentInspection(smd->de_ctx, smd->det_ctx, smd->s, + smd->s->sm_arrays[DETECT_SM_LIST_PMATCH], NULL, smd->f, (uint8_t *)data, data_len, 0, + 0, // TODO DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM); - if (r == 1) { + if (match) { SCReturnInt(1); } @@ -288,21 +275,16 @@ static int StreamContentInspectEngineFunc( void *cb_data, const uint8_t *data, const uint32_t data_len, const uint64_t _offset) { SCEnter(); - int r = 0; struct StreamContentInspectEngineData *smd = cb_data; #ifdef DEBUG smd->det_ctx->stream_persig_cnt++; smd->det_ctx->stream_persig_size += data_len; #endif - smd->det_ctx->buffer_offset = 0; - smd->det_ctx->discontinue_matching = 0; - smd->det_ctx->inspection_recursion_counter = 0; - r = DetectEngineContentInspection(smd->de_ctx, smd->det_ctx, - smd->s, smd->smd, + const bool match = DetectEngineContentInspection(smd->de_ctx, smd->det_ctx, smd->s, smd->smd, NULL, smd->f, (uint8_t *)data, data_len, 0, 0, // TODO DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM); - if (r == 1) { + if (match) { SCReturnInt(1); } diff --git a/src/detect-engine.c b/src/detect-engine.c index c078b824d0..c4f630699a 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c 
@@ -2204,18 +2204,12 @@ uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineTh ci_flags |= (offset == 0 ? DETECT_CI_FLAGS_START : 0); ci_flags |= buffer->flags; - det_ctx->discontinue_matching = 0; - det_ctx->buffer_offset = 0; - det_ctx->inspection_recursion_counter = 0; - /* Inspect all the uricontents fetched on each * transaction at the app layer */ - int r = DetectEngineContentInspection(de_ctx, det_ctx, - s, engine->smd, - NULL, f, - (uint8_t *)data, data_len, offset, ci_flags, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); - if (r == 1) { + const bool match = + DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, (uint8_t *)data, + data_len, offset, ci_flags, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); + if (match) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } else { return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH : @@ -2260,16 +2254,12 @@ int DetectEngineInspectPktBufferGeneric( uint8_t ci_flags = DETECT_CI_FLAGS_START|DETECT_CI_FLAGS_END; ci_flags |= buffer->flags; - det_ctx->discontinue_matching = 0; - det_ctx->buffer_offset = 0; - det_ctx->inspection_recursion_counter = 0; - /* Inspect all the uricontents fetched on each * transaction at the app layer */ - int r = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx, s, engine->smd, p, p->flow, - buffer->inspect, buffer->inspect_len, 0, ci_flags, + const bool match = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx, s, engine->smd, p, + p->flow, buffer->inspect, buffer->inspect_len, 0, ci_flags, DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER); - if (r == 1) { + if (match) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } else { return DETECT_ENGINE_INSPECT_SIG_NO_MATCH; diff --git a/src/detect-file-data.c b/src/detect-file-data.c index c576870276..f31715adda 100644 --- a/src/detect-file-data.c +++ b/src/detect-file-data.c 
@@ -414,9 +414,6 @@ uint8_t DetectEngineInspectFiledata(DetectEngineCtx *de_ctx, DetectEngineThreadC if (buffer->inspect_offset == 0) ciflags |= DETECT_CI_FLAGS_START; - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, ciflags, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); diff --git a/src/detect-filemagic.c b/src/detect-filemagic.c index d816b8c53d..7ade159fb5 100644 --- a/src/detect-filemagic.c +++ b/src/detect-filemagic.c @@ -320,16 +320,10 @@ static uint8_t DetectEngineInspectFilemagic(DetectEngineCtx *de_ctx, DetectEngin if (buffer == NULL) continue; - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, - NULL, f, - (uint8_t *)buffer->inspect, - buffer->inspect_len, - buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); - if (match == 1) { + const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, + (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, + DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); + if (match) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } else { r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES; diff --git a/src/detect-filename.c b/src/detect-filename.c index 5eb446af51..88e5808624 100644 --- a/src/detect-filename.c +++ b/src/detect-filename.c 
@@ -257,16 +257,10 @@ static uint8_t DetectEngineInspectFilename(DetectEngineCtx *de_ctx, DetectEngine if (buffer == NULL) continue; - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, - NULL, f, - (uint8_t *)buffer->inspect, - buffer->inspect_len, - buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); - if (match == 1) { + const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, + (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, + DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); + if (match) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } else { r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES; diff --git a/src/detect-http-client-body.c b/src/detect-http-client-body.c index 32c407a00a..1d3d7a87cc 100644 --- a/src/detect-http-client-body.c +++ b/src/detect-http-client-body.c @@ -323,15 +323,12 @@ static uint8_t DetectEngineInspectBufferHttpBody(DetectEngineCtx *de_ctx, ci_flags |= (offset == 0 ? DETECT_CI_FLAGS_START : 0); ci_flags |= buffer->flags; - det_ctx->discontinue_matching = 0; - det_ctx->buffer_offset = 0; - det_ctx->inspection_recursion_counter = 0; - /* Inspect all the uricontents fetched on each * transaction at the app layer */ - int r = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, (uint8_t *)data, - data_len, offset, ci_flags, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); - if (r == 1) { + const bool match = + DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, (uint8_t *)data, + data_len, offset, ci_flags, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); + if (match) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } diff --git a/src/detect-http-header.c b/src/detect-http-header.c index 9d4b187a9f..a4596c4085 100644 --- a/src/detect-http-header.c 
+++ b/src/detect-http-header.c @@ -199,17 +199,12 @@ static uint8_t DetectEngineInspectBufferHttpHeader(DetectEngineCtx *de_ctx, const uint8_t *data = buffer->inspect; const uint64_t offset = buffer->inspect_offset; - det_ctx->discontinue_matching = 0; - det_ctx->buffer_offset = 0; - det_ctx->inspection_recursion_counter = 0; - /* Inspect all the uricontents fetched on each * transaction at the app layer */ - int r = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, - NULL, f, (uint8_t *)data, data_len, offset, - DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); - SCLogDebug("r = %d", r); - if (r == 1) { + const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, + (uint8_t *)data, data_len, offset, DETECT_CI_FLAGS_SINGLE, + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); + if (match) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } end: @@ -546,18 +541,13 @@ static uint8_t DetectEngineInspectHttp2Header(DetectEngineCtx *de_ctx, }; InspectionBuffer *buffer = GetHttp2HeaderData(det_ctx, flags, transforms, f, &cbdata, engine->sm_list); - if (buffer == NULL || buffer->inspect == NULL) break; - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, + const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); - if (match == 1) { + if (match) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } local_id++; 
@@ -698,18 +688,13 @@ static uint8_t DetectEngineInspectHttp1Header(DetectEngineCtx *de_ctx, }; InspectionBuffer *buffer = GetHttp1HeaderData(det_ctx, flags, transforms, f, &cbdata, engine->sm_list); - if (buffer == NULL || buffer->inspect == NULL) break; - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, + const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); - if (match == 1) { + if (match) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } local_id++; diff --git a/src/detect-http2.c b/src/detect-http2.c index 9991b85ad9..a1ede96382 100644 --- a/src/detect-http2.c +++ b/src/detect-http2.c @@ -702,17 +702,10 @@ static uint8_t DetectEngineInspectHttp2HeaderName(DetectEngineCtx *de_ctx, if (buffer == NULL || buffer->inspect == NULL) break; - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, - NULL, f, - (uint8_t *)buffer->inspect, - buffer->inspect_len, - buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); - if (match == 1) { + const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, + (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, + DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); + if (match) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } local_id++; diff --git a/src/detect-ike-vendor.c b/src/detect-ike-vendor.c index 1af41bac23..f5c5b94f35 100644 --- a/src/detect-ike-vendor.c +++ b/src/detect-ike-vendor.c 
@@ -155,14 +155,10 @@ static uint8_t DetectEngineInspectIkeVendor(DetectEngineCtx *de_ctx, DetectEngin if (buffer == NULL || buffer->inspect == NULL) break; - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, + const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); - if (match == 1) { + if (match) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } local_id++; diff --git a/src/detect-krb5-cname.c b/src/detect-krb5-cname.c index 632df0ea5d..8664f2bc28 100644 --- a/src/detect-krb5-cname.c +++ b/src/detect-krb5-cname.c @@ -100,21 +100,13 @@ static uint8_t DetectEngineInspectKrb5CName(DetectEngineCtx *de_ctx, DetectEngin struct Krb5PrincipalNameDataArgs cbdata = { local_id, txv, }; InspectionBuffer *buffer = GetKrb5CNameData(det_ctx, transforms, f, &cbdata, engine->sm_list); - if (buffer == NULL || buffer->inspect == NULL) break; - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, - NULL, f, - (uint8_t *)buffer->inspect, - buffer->inspect_len, - buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); - if (match == 1) { + const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, + (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, + DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); + if (match) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } local_id++; diff --git a/src/detect-krb5-sname.c b/src/detect-krb5-sname.c index 19d3c67161..1e4ae24a4b 100644 --- a/src/detect-krb5-sname.c 
+++ b/src/detect-krb5-sname.c @@ -104,17 +104,10 @@ static uint8_t DetectEngineInspectKrb5SName(DetectEngineCtx *de_ctx, DetectEngin if (buffer == NULL || buffer->inspect == NULL) break; - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, - NULL, f, - (uint8_t *)buffer->inspect, - buffer->inspect_len, - buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); - if (match == 1) { + const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, + (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, + DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); + if (match) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } local_id++; diff --git a/src/detect-mqtt-subscribe-topic.c b/src/detect-mqtt-subscribe-topic.c index 258dc0b4cf..9eaf39d302 100644 --- a/src/detect-mqtt-subscribe-topic.c +++ b/src/detect-mqtt-subscribe-topic.c @@ -107,17 +107,10 @@ static uint8_t DetectEngineInspectMQTTSubscribeTopic(DetectEngineCtx *de_ctx, if (buffer == NULL || buffer->inspect == NULL) break; - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, - NULL, f, - (uint8_t *)buffer->inspect, - buffer->inspect_len, - buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); - if (match == 1) { + const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, + (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, + DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); + if (match) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } local_id++; 
diff --git a/src/detect-mqtt-unsubscribe-topic.c b/src/detect-mqtt-unsubscribe-topic.c index 2c1cb02c42..268d72bc87 100644 --- a/src/detect-mqtt-unsubscribe-topic.c +++ b/src/detect-mqtt-unsubscribe-topic.c @@ -107,17 +107,10 @@ static uint8_t DetectEngineInspectMQTTUnsubscribeTopic(DetectEngineCtx *de_ctx, if (buffer == NULL || buffer->inspect == NULL) break; - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, - NULL, f, - (uint8_t *)buffer->inspect, - buffer->inspect_len, - buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); - if (match == 1) { + const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, + (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, + DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); + if (match) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } local_id++; diff --git a/src/detect-quic-cyu-hash.c b/src/detect-quic-cyu-hash.c index a475a23f1e..88197a5e38 100644 --- a/src/detect-quic-cyu-hash.c +++ b/src/detect-quic-cyu-hash.c @@ -106,14 +106,10 @@ static uint8_t DetectEngineInspectQuicHash(DetectEngineCtx *de_ctx, DetectEngine if (buffer == NULL || buffer->inspect == NULL) break; - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, + const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); - if (match == 1) { + if (match) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } local_id++; 
diff --git a/src/detect-quic-cyu-string.c b/src/detect-quic-cyu-string.c index 53775d0ffc..9290fa4123 100644 --- a/src/detect-quic-cyu-string.c +++ b/src/detect-quic-cyu-string.c @@ -104,14 +104,10 @@ static uint8_t DetectEngineInspectQuicString(DetectEngineCtx *de_ctx, if (buffer == NULL || buffer->inspect == NULL) break; - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, + const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); - if (match == 1) { + if (match) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } local_id++; diff --git a/src/detect-template-rust-buffer.c b/src/detect-template-rust-buffer.c index 86fc282712..f1c8c97bb2 100644 --- a/src/detect-template-rust-buffer.c +++ b/src/detect-template-rust-buffer.c @@ -91,7 +91,7 @@ static uint8_t DetectEngineInspectTemplateRustBuffer(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id) { - uint8_t ret = 0; + uint8_t ret = DETECT_ENGINE_INSPECT_SIG_NO_MATCH; const uint8_t *data = NULL; uint32_t data_len = 0; @@ -102,12 +102,15 @@ static uint8_t DetectEngineInspectTemplateRustBuffer(DetectEngineCtx *de_ctx, } if (data != NULL) { - ret = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, + const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, (uint8_t *)data, data_len, 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); + if (match) { + ret = DETECT_ENGINE_INSPECT_SIG_MATCH; + } } - SCLogNotice("Returning %d.", ret); + SCLogNotice("Returning %u.", ret); return ret; } 
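Review bot: In `DetectEngineInspectTemplateRustBuffer` the touched line `SCLogNotice("Returning %u.", ret);` logs at notice level on every call of the inspection callback, and a file named as a template is likely to be copied into real keyword code. Since the line is being changed anyway, `SCLogDebug` would be the better level here. `ret` is a `uint8_t`, which is promoted to `int` in a variadic call, so `%u` is no more exact than the `%d` it replaces; `SCLogDebug("Returning %" PRIu8 ".", ret);` states the intent.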
diff --git a/src/detect-tls-certs.c b/src/detect-tls-certs.c index e994c9e2b0..9ff185c494 100644 --- a/src/detect-tls-certs.c +++ b/src/detect-tls-certs.c @@ -194,16 +194,10 @@ static uint8_t DetectEngineInspectTlsCerts(DetectEngineCtx *de_ctx, DetectEngine if (buffer == NULL || buffer->inspect == NULL) break; - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, - NULL, f, (uint8_t *)buffer->inspect, - buffer->inspect_len, - buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); - if (match == 1) { + const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, + (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, + DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); + if (match) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } diff --git a/src/detect.h b/src/detect.h index a3cd161fa6..cdc098368f 100644 --- a/src/detect.h +++ b/src/detect.h @@ -1141,8 +1141,6 @@ typedef struct DetectEngineThreadCtx_ { uint32_t *to_clear_queue; } multi_inspect; - /* used to discontinue any more matching */ - uint16_t discontinue_matching; uint16_t flags; /**< DETECT_ENGINE_THREAD_CTX_* flags */ /* true if tx_id is set */