From: Victor Julien
Date: Thu, 9 Aug 2018 13:32:49 +0000 (+0200)
Subject: detect: limit flush logic to sigs that need it
X-Git-Tag: suricata-4.0.6~45
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c80aae1b5b74fd4737d9caf52fd0f1f9b2b2182b;p=thirdparty%2Fsuricata.git
detect: limit flush logic to sigs that need it
Limit the early 'flush' logic to sigs that actually need to match on both stream and http bodies.
---
diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c
index b9a79e9347..2024c00486 100644
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@@ -373,6 +373,10 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
 uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
 int check_before_add = 0;
+ /* see if we want to pass on the FLUSH flag */
+ if ((s->flags & SIG_FLAG_FLUSH) == 0)
+ flags &=~ STREAM_FLUSH;
+
 /* if continue detection already inspected this rule for this tx,
 * continue with the first not-inspected tx */
 uint8_t offset = det_ctx->de_state_sig_array[s->num] & 0x7f;
@@ -522,6 +526,10 @@ static int DoInspectItem(ThreadVars *tv,
 Signature *s = de_ctx->sig_array[item->sid];
 det_ctx->stream_already_inspected = false;
+ /* see if we want to pass on the FLUSH flag */
+ if ((s->flags & SIG_FLAG_FLUSH) == 0)
+ flags &=~ STREAM_FLUSH;
+
 SCLogDebug("file_no_match %u, sid %u", *file_no_match, s->id);
 /* check if a sig in state 'full inspect' needs to be reconsidered
diff --git a/src/detect-engine.c b/src/detect-engine.c
index 51c880d0fc..5bfb356591 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -294,6 +294,10 @@ next:
 AppendStreamInspectEngine(s, stream, 0, last_id + 1);
 AppendStreamInspectEngine(s, stream, 1, last_id + 1);
 }
+
+ if (s->init_data->init_flags & SIG_FLAG_INIT_NEED_FLUSH) {
+ s->flags |= SIG_FLAG_FLUSH;
+ }
 }
 #ifdef DEBUG
diff --git a/src/detect-file-data.c b/src/detect-file-data.c
index 326ebbf784..febccef938 100644
--- a/src/detect-file-data.c
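Review bot: In DeStateDetectStartDetection the added block clears STREAM_FLUSH in `flags` itself, so everything later in the function that reads `flags` loses the bit, not just the inspect-engine calls; the body continues outside the hunk, so whether any later reader still needs it cannot be confirmed from here. If only the engine calls should be affected, a separate value keeps the scope visible: `const uint8_t engine_flags = (s->flags & SIG_FLAG_FLUSH) ? flags : (uint8_t)(flags & ~STREAM_FLUSH);`. The same three lines are repeated in DoInspectItem (hunk at -522), where the same question applies. In both places I would brace the `if` and write `flags &= ~STREAM_FLUSH;`, and have the comment give the reason, e.g. `/* only sigs matching on both stream and body data need the early flush */`.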
+++ b/src/detect-file-data.c
@@ -138,6 +138,10 @@ static void DetectFiledataSetupCallback(Signature *s)
 s->mask |= SIG_MASK_REQUIRE_SMTP_STATE;
 }
+
+ /* server body needs to be inspected in sync with stream if possible */
+ s->init_data->init_flags |= SIG_FLAG_INIT_NEED_FLUSH;
+
 SCLogDebug("callback invoked by %u", s->id);
 }
diff --git a/src/detect-http-client-body.c b/src/detect-http-client-body.c
index cdbc204d30..372417f7b4 100644
--- a/src/detect-http-client-body.c
+++ b/src/detect-http-client-body.c
@@ -100,6 +100,9 @@ static void DetectHttpClientBodySetupCallback(Signature *s)
 SCLogDebug("callback invoked by %u", s->id);
 AppLayerHtpEnableRequestBodyCallback();
 s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
+
+ /* client body needs to be inspected in sync with stream if possible */
+ s->init_data->init_flags |= SIG_FLAG_INIT_NEED_FLUSH;
 }
 /**
diff --git a/src/detect.h b/src/detect.h
index d377cbd032..458baf01e9 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -224,6 +224,8 @@ typedef struct DetectPort_ {
 #define SIG_FLAG_MPM_NEG (1<<11)
+#define SIG_FLAG_FLUSH (1<<12) /**< detection logic needs stream flush notification */
+
 #define SIG_FLAG_REQUIRE_FLOWVAR (1<<17) /**< signature can only match if a flowbit, flowvar or flowint is available. */
 #define SIG_FLAG_FILESTORE (1<<18) /**< signature has filestore keyword */
@@ -253,6 +255,7 @@ typedef struct DetectPort_ {
 #define SIG_FLAG_INIT_FLOW (1<<2) /**< signature has a flow setting */
 #define SIG_FLAG_INIT_BIDIREC (1<<3) /**< signature has bidirectional operator */
 #define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN (1 << 4) /** < signature has seen the first ip_proto keyword */
+#define SIG_FLAG_INIT_NEED_FLUSH (1<<7)
 /* signature mask flags */
 #define SIG_MASK_REQUIRE_PAYLOAD (1<<0)
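Review bot: In DetectFiledataSetupCallback the flag is set after the block that ends with `s->mask |= SIG_MASK_REQUIRE_SMTP_STATE;`, so it appears to apply to every file_data signature, SMTP included, while the comment says "server body" and the commit message speaks of http bodies. If that is intended, the comment should say so, e.g. `/* file data needs to be inspected in sync with stream if possible */`; if not, the assignment belongs inside the HTTP branch, which starts outside this hunk. Setting it too widely only keeps the flush work this commit is trying to limit, whereas a keyword that needs the flag and lacks it would lose the early flush, so the wider setting looks like the safer default.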
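Review bot: `SIG_FLAG_INIT_NEED_FLUSH` in the second detect.h hunk is the only init flag shown without a doc comment, and it jumps from `(1 << 4)` to `(1<<7)` with no visible definition of bits 5 and 6. A trailing comment in the style of its neighbours would help, e.g. `/**< keyword needs the stream flush notification; becomes SIG_FLAG_FLUSH on the signature */`. If bits 5 and 6 are unused in this branch, a short remark on why they are skipped would save the next reader from assuming a collision.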