From: Victor Julien
Date: Sun, 11 Dec 2016 08:59:31 +0000 (+0100)
Subject: app-layer-events: dynamic list
X-Git-Tag: suricata-4.0.0-beta1~375
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=815120896ba2e361173020f647a9bfd44d2789a2;p=thirdparty%2Fsuricata.git
app-layer-events: dynamic list
---
diff --git a/src/detect-app-layer-event.c b/src/detect-app-layer-event.c
index 24eb609402..ec31ea4b85 100644
--- a/src/detect-app-layer-event.c
+++ b/src/detect-app-layer-event.c
@@ -60,6 +60,8 @@ static int DetectEngineAptEventInspect(ThreadVars *tv,
 const Signature *s, const SigMatchData *smd, Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id);
+static void DetectAppLayerEventSetupCallback(Signature *s);
+static int g_applayer_events_list_id = 0;
 /** * \brief Registers the keyword handlers for the "app-layer-event" keyword.
@@ -76,14 +78,17 @@ void DetectAppLayerEventRegister(void)
 sigmatch_table[DETECT_AL_APP_LAYER_EVENT].RegisterTests = DetectAppLayerEventRegisterTests;
- DetectAppLayerInspectEngineRegister(ALPROTO_UNKNOWN,
- SIG_FLAG_TOSERVER, DETECT_SM_LIST_APP_EVENT,
+ DetectAppLayerInspectEngineRegister2("app-layer-events",
+ ALPROTO_UNKNOWN, SIG_FLAG_TOSERVER,
 DetectEngineAptEventInspect);
- DetectAppLayerInspectEngineRegister(ALPROTO_UNKNOWN,
- SIG_FLAG_TOCLIENT, DETECT_SM_LIST_APP_EVENT,
+ DetectAppLayerInspectEngineRegister2("app-layer-events",
+ ALPROTO_UNKNOWN, SIG_FLAG_TOCLIENT,
 DetectEngineAptEventInspect);
- return;
+ DetectBufferTypeRegisterSetupCallback("app-layer-events",
+ DetectAppLayerEventSetupCallback);
+
+ g_applayer_events_list_id = DetectBufferTypeGetByName("app-layer-events");
 }
 static int DetectEngineAptEventInspect(ThreadVars *tv,
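Review bot: `g_applayer_events_list_id = DetectBufferTypeGetByName("app-layer-events");` at the end of DetectAppLayerEventRegister stores the lookup result unchecked, and that value is then used as a raw index into `s->init_data->smlists[]` by the SetupP1/SetupP2 and DetectAppLayerEventPrepare hunks below and by the new setup callback. The failure convention of DetectBufferTypeGetByName is not visible here (a negative id is my guess), but if the lookup can fail every later use turns into an out-of-bounds access on the signature's init data instead of a clear registration error, so a `BUG_ON(g_applayer_events_list_id < 0);` (or whatever sentinel the function returns) directly after the assignment is cheap insurance. The file-scope initializer `= 0` also means that any keyword setup running before Register would silently append to list 0; a one-line comment that the value is only meaningful after DetectAppLayerEventRegister would help the next reader. The unit tests behind DetectAppLayerEventRegisterTests are outside these hunks; if they still name DETECT_SM_LIST_APP_EVENT they stop compiling once detect.h drops it.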
@@ -165,6 +170,38 @@ static int DetectAppLayerEventAppMatch(ThreadVars *t, DetectEngineThreadCtx *det
 SCReturnInt(r);
 }
+static void DetectAppLayerEventSetupCallback(Signature *s)
+{
+ SigMatch *sm;
+ for (sm = s->init_data->smlists[g_applayer_events_list_id] ; sm != NULL; sm = sm->next) {
+ switch (sm->type) {
+ case DETECT_AL_APP_LAYER_EVENT:
+ {
+ DetectAppLayerEventData *aed = (DetectAppLayerEventData *)sm->ctx;
+ switch (aed->alproto) {
+ case ALPROTO_HTTP:
+ s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
+ SCLogDebug("sig %u requires http app state (http event)", s->id);
+ break;
+ case ALPROTO_SMTP:
+ s->mask |= SIG_MASK_REQUIRE_SMTP_STATE;
+ SCLogDebug("sig %u requires smtp app state (smtp event)", s->id);
+ break;
+ case ALPROTO_DNS:
+ s->mask |= SIG_MASK_REQUIRE_DNS_STATE;
+ SCLogDebug("sig %u requires dns app state (dns event)", s->id);
+ break;
+ case ALPROTO_TLS:
+ s->mask |= SIG_MASK_REQUIRE_TLS_STATE;
+ SCLogDebug("sig %u requires tls app state (tls event)", s->id);
+ break;
+ }
+ break;
+ }
+ }
+ }
+}
+
 static DetectAppLayerEventData *DetectAppLayerEventParsePkt(const char *arg, AppLayerEventType *event_type) {
@@ -302,7 +339,7 @@ static int DetectAppLayerEventSetupP2(Signature *s,
 if (event_type == APP_LAYER_EVENT_TYPE_GENERAL)
 SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
 else
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_APP_EVENT);
+ SigMatchAppendSMToList(s, sm, g_applayer_events_list_id);
 /* We should have set this flag already in SetupP1 */
 s->flags |= SIG_FLAG_APPLAYER;
@@ -341,7 +378,7 @@ static int DetectAppLayerEventSetupP1(DetectEngineCtx *de_ctx, Signature *s, cha
 } else {
 /* We push it to this list temporarily. We deal with
 * these in DetectAppLayerEventPrepare(). */
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_APP_EVENT);
+ SigMatchAppendSMToList(s, sm, g_applayer_events_list_id);
 s->flags |= SIG_FLAG_APPLAYER;
 }
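Review bot: DetectAppLayerEventSetupCallback only sets the SIG_MASK_REQUIRE_*_STATE bits while the "app-layer-events" list is still populated, yet DetectAppLayerEventPrepare (the next hunk of this file) detaches that list and NULLs `smlists[g_applayer_events_list_id]`; if the buffer setup callback can fire after Prepare has run, the mask is silently left incomplete, so the required ordering deserves a comment or an assertion rather than being implicit. The inner `switch (aed->alproto)` has no `default:`; adding `default: break;` makes "no state requirement for other protocols" explicit and keeps -Wswitch quiet as the ALPROTO enum grows. The function also has no header comment; something like `/** \brief Buffer setup callback: record which app-layer state a signature needs, based on its app-layer-event matches. */` would do.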
@@ -370,9 +407,9 @@ static void DetectAppLayerEventFree(void *ptr)
 int DetectAppLayerEventPrepare(Signature *s)
 {
- SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_APP_EVENT];
- s->init_data->smlists[DETECT_SM_LIST_APP_EVENT] = NULL;
- s->init_data->smlists_tail[DETECT_SM_LIST_APP_EVENT] = NULL;
+ SigMatch *sm = s->init_data->smlists[g_applayer_events_list_id];
+ s->init_data->smlists[g_applayer_events_list_id] = NULL;
+ s->init_data->smlists_tail[g_applayer_events_list_id] = NULL;
 while (sm != NULL) {
 sm->next = sm->prev = NULL;
diff --git a/src/detect-engine.c b/src/detect-engine.c
index 34d3381581..d49cd24649 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -2798,9 +2798,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
 case DETECT_SM_LIST_PMATCH:
 return "packet/stream payload";
- case DETECT_SM_LIST_APP_EVENT:
- return "app layer events";
-
 case DETECT_SM_LIST_AMATCH:
 return "generic app layer";
 case DETECT_SM_LIST_DMATCH:
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 3b24f5fa37..c4bb733958 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -141,7 +141,6 @@ const char *DetectListToHumanString(int list)
 switch (list) {
 CASE_CODE_STRING(DETECT_SM_LIST_MATCH, "packet");
 CASE_CODE_STRING(DETECT_SM_LIST_PMATCH, "payload");
- CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event");
 CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer");
 CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
 CASE_CODE_STRING(DETECT_SM_LIST_TMATCH, "tag");
@@ -162,7 +161,6 @@ const char *DetectListToString(int list)
 switch (list) {
 CASE_CODE(DETECT_SM_LIST_MATCH);
 CASE_CODE(DETECT_SM_LIST_PMATCH);
- CASE_CODE(DETECT_SM_LIST_APP_EVENT);
 CASE_CODE(DETECT_SM_LIST_AMATCH);
 CASE_CODE(DETECT_SM_LIST_DMATCH);
 CASE_CODE(DETECT_SM_LIST_TMATCH);
diff --git a/src/detect.c b/src/detect.c
index 9f755bf090..62de800c0a 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -2250,34 +2250,6 @@ static int SignatureCreateMask(Signature *s)
 }
 }
- for (sm = s->init_data->smlists[DETECT_SM_LIST_APP_EVENT] ; sm != NULL; sm = sm->next) {
- switch (sm->type) {
- case DETECT_AL_APP_LAYER_EVENT:
- {
- DetectAppLayerEventData *aed = (DetectAppLayerEventData *)sm->ctx;
- switch (aed->alproto) {
- case ALPROTO_HTTP:
- s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
- SCLogDebug("sig %u requires http app state (http event)", s->id);
- break;
- case ALPROTO_SMTP:
- s->mask |= SIG_MASK_REQUIRE_SMTP_STATE;
- SCLogDebug("sig %u requires smtp app state (smtp event)", s->id);
- break;
- case ALPROTO_DNS:
- s->mask |= SIG_MASK_REQUIRE_DNS_STATE;
- SCLogDebug("sig %u requires dns app state (dns event)", s->id);
- break;
- case ALPROTO_TLS:
- s->mask |= SIG_MASK_REQUIRE_TLS_STATE;
- SCLogDebug("sig %u requires tls app state (tls event)", s->id);
- break;
- }
- break;
- }
- }
- }
-
 for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
 switch(sm->type) {
 case DETECT_FLOWBITS:
diff --git a/src/detect.h b/src/detect.h
index 70c76dfada..5cb5ec379a 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -115,10 +115,7 @@ enum DetectSigmatchListEnum {
 DETECT_SM_LIST_BUILTIN_MAX,
- /* app event engine sm list */
- DETECT_SM_LIST_APP_EVENT = DETECT_SM_LIST_BUILTIN_MAX,
-
- DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH,
+ DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH = DETECT_SM_LIST_BUILTIN_MAX,
 DETECT_SM_LIST_MAX,
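Review bot: Dropping DETECT_SM_LIST_APP_EVENT from the middle of DetectSigmatchListEnum renumbers DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH and every dynamically registered list id that follows it; code that uses the names is unaffected, but anything that compares or prints raw list numbers (unit tests, profiling or debug output) would need updating and is not visible in this diff. Any remaining reference to DETECT_SM_LIST_APP_EVENT outside the hunks shown will now fail to compile, and the RegisterTests block in detect-app-layer-event.c is the most likely place for one. A short comment on the `DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH = DETECT_SM_LIST_BUILTIN_MAX,` line, e.g. `/* first id after the builtin lists; app-layer-events is now registered dynamically */`, would record why the anchor moved.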