From: Victor Julien
Date: Thu, 9 Aug 2018 10:35:58 +0000 (+0200)
Subject: detect: remove STATE_MATCH flag use at runtime
X-Git-Tag: suricata-4.1.0-rc2~142
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c0adff377039646ec2b97529d369fd799b0e44fe;p=thirdparty%2Fsuricata.git

detect: remove STATE_MATCH flag use at runtime

Instead, use it only at init time and use Signature::app_inspect directly at runtime.
---
diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index 5d5c537605..33994cfced 100644
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -516,7 +516,7 @@ void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s)
             json_object_set_new(js, "requirements", js_flags);
         }
-    if (s->flags & SIG_FLAG_STATE_MATCH) {
+    if (s->init_data->init_flags & SIG_FLAG_INIT_STATE_MATCH) {
         json_t *js_array = json_array();
         const DetectEngineAppInspectionEngine *app = s->app_inspect;
         for ( ; app != NULL; app = app->next) {
diff --git a/src/detect-engine.c b/src/detect-engine.c
index 029736c971..2fcb282ced 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -469,12 +469,14 @@ int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature
         SCLogDebug("sid %u: engine %p/%u added", s->id, new_engine, new_engine->id);
-        s->flags |= SIG_FLAG_STATE_MATCH;
+        s->init_data->init_flags |= SIG_FLAG_INIT_STATE_MATCH;
 next:
         t = t->next;
     }
-    if ((s->flags & SIG_FLAG_STATE_MATCH) && s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL) {
+    if ((s->init_data->init_flags & SIG_FLAG_INIT_STATE_MATCH) &&
+            s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL)
+    {
         /* if engine is added multiple times, we pass it the same list */
         SigMatchData *stream = SigMatchList2DataArray(s->init_data->smlists[DETECT_SM_LIST_PMATCH]);
         BUG_ON(stream == NULL);
diff --git a/src/detect-flowbits.c b/src/detect-flowbits.c
index 228ac10194..fa8cf62a2e 100644
--- a/src/detect-flowbits.c
+++ b/src/detect-flowbits.c
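Review bot: The new condition in EngineAnalysisRules2 dereferences `s->init_data` with no NULL check, whereas the line it replaces read the always-present `s->flags`; if the rule analyzer can run after a signature's init data has been released (nothing in this hunk shows when that happens), it would now crash where it previously just reported the rule. Since the body that follows only walks `s->app_inspect`, the analyzer could use the same criterion the commit introduces in detect.c, `if (s->app_inspect != NULL) {`, which needs no init-time state and keeps the analyzer output aligned with what DetectRunTx will actually inspect. EngineAnalysisRules2 starts and ends outside the hunk.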
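Review bot: The flag set at `s->init_data->init_flags |= SIG_FLAG_INIT_STATE_MATCH;` in DetectEngineAppInspectionEngine2Signature is no longer consulted at runtime, but nothing at the set site says so, and the second change in the same hunk still gates the PMATCH-to-stream wiring on that flag; a reader now has to know that runtime selection keys on `s->app_inspect` while init-time wiring keys on this bit, and the two must agree. I would add at the first added line `/* init-time bookkeeping only: the runtime path tests s->app_inspect, so this must be set exactly when an engine is linked */`. If any path in the per-engine loop links an engine and then reaches `next:` without passing this line (the loop head is outside the hunk), the flag and the engine list would silently disagree. The function starts before and ends after the hunk.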
@@ -507,7 +507,7 @@ void DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
                 SCLogDebug("GET flowbit %s/%u: SID %u", varname, i, s->id);
                 if (to_state) {
-                    s->flags |= SIG_FLAG_STATE_MATCH;
+                    s->init_data->init_flags |= SIG_FLAG_INIT_STATE_MATCH;
                     SCLogDebug("made SID %u stateful because it depends on "
                             "stateful rules that set flowbit %s", s->id, varname);
                 }
diff --git a/src/detect.c b/src/detect.c
index 594cf0485a..205da3ecf1 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -802,8 +802,8 @@ static inline void DetectRulePacketRules(
         SCLogDebug("inspecting signature id %"PRIu32"", s->id);
-        if (sflags & SIG_FLAG_STATE_MATCH) {
-            goto next; // TODO skip and handle in DetectRunTx
+        if (s->app_inspect != NULL) {
+            goto next; // handle sig in DetectRunTx
         }
         /* don't run mask check for stateful rules.
@@ -1420,7 +1420,7 @@ static void DetectRunTx(ThreadVars *tv,
     uint32_t x = array_idx;
     for (uint32_t i = 0; i < det_ctx->match_array_cnt; i++) {
         const Signature *s = det_ctx->match_array[i];
-        if (s->flags & SIG_FLAG_STATE_MATCH) {
+        if (s->app_inspect != NULL) {
             const SigIntId id = s->num;
             det_ctx->tx_candidates[array_idx].s = s;
             det_ctx->tx_candidates[array_idx].id = id;
diff --git a/src/detect.h b/src/detect.h
index b02ca438c9..270dae4a7d 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -222,7 +222,7 @@ typedef struct DetectPort_ {
 #define SIG_FLAG_APPLAYER (1<<6) /**< signature applies to app layer instead of packets */
 #define SIG_FLAG_IPONLY (1<<7) /**< ip only signature */
-#define SIG_FLAG_STATE_MATCH (1<<8) /**< signature has matches that require stateful inspection */
+// vacancy
 #define SIG_FLAG_REQUIRE_PACKET (1<<9) /**< signature is requiring packet match */
 #define SIG_FLAG_REQUIRE_STREAM (1<<10) /**< signature is requiring stream match */
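Review bot: DetectFlowbitsAnalyze still marks a flowbit-dependent rule stateful by setting `SIG_FLAG_INIT_STATE_MATCH`, but it links no inspection engine, and after this commit both DetectRulePacketRules and DetectRunTx decide by `s->app_inspect != NULL`; a rule that has no app-layer engine of its own and only reads a flowbit set by stateful rules therefore stays on the packet path instead of being deferred to DetectRunTx as the old `SIG_FLAG_STATE_MATCH` test did, unless code outside this hunk turns the init flag into an engine. That looks like a silent evaluation-order change for flowbit chains, so either this site should produce a real engine or the "made SID %u stateful" debug message should be changed to say only that the init flag was set, since "stateful" no longer describes runtime behaviour. The enclosing loop of DetectFlowbitsAnalyze starts outside the hunk.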
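Review bot: `// vacancy` in the detect.h flag table says nothing about why bit 8 of Signature::flags is free, so a later author cannot tell a deliberately retired bit from a forgotten one; the surrounding lines use `/**< ... */` doc comments, so a placeholder in that style would fit the file better. I would write `/* (1<<8) unused: SIG_FLAG_STATE_MATCH became the init-only SIG_FLAG_INIT_STATE_MATCH */` on that line. The flag table continues outside the hunk.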
@@ -259,6 +259,7 @@ typedef struct DetectPort_ {
 #define SIG_FLAG_INIT_BIDIREC (1<<3) /**< signature has bidirectional operator */
 #define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN (1<<4) /** < signature has seen the first ip_proto keyword */
 #define SIG_FLAG_INIT_HAS_TRANSFORM (1<<5)
+#define SIG_FLAG_INIT_STATE_MATCH (1<<6) /**< signature has matches that require stateful inspection */
 /* signature mask flags */
 #define SIG_MASK_REQUIRE_PAYLOAD (1<<0)
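Review bot: The doc comment on the new `SIG_FLAG_INIT_STATE_MATCH` is copied verbatim from the runtime flag it replaces and does not say that the bit is init-only, which is the whole point of the commit; anyone searching for the stateful flag will land here and may test it in a runtime path, where `s->init_data` may no longer be available. I would write `/**< init-only: signature has matches that require stateful inspection; at runtime test Signature::app_inspect instead */`. The define block continues outside the hunk.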