From: Victor Julien
Date: Sun, 19 Mar 2023 16:46:02 +0000 (+0100)
Subject: detect: apply within as depth where possible
X-Git-Tag: suricata-7.0.0-rc2~507
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d518416f0d50dab3219aa069937ed4f338114583;p=thirdparty%2Fsuricata.git

detect: apply within as depth where possible

The rule lang allows for within and distance to act as depth/offset, but internally this was not handle the same way. This patch converts within/distance w/o a prior pattern to depth/within.
---
diff --git a/src/detect-content.c b/src/detect-content.c
index d22fbc8f89..aec5f631f8 100644
--- a/src/detect-content.c
+++ b/src/detect-content.c
@@ -528,6 +528,27 @@ static void PropagateLimits(Signature *s, SigMatch *sm_head)
             has_active_depth_chain = false;
             continue;
         }
+        if (sm->prev == NULL) {
+            if (cd->distance >= 0 && cd->distance <= (int32_t)USHRT_MAX &&
+                    cd->within >= 0 && cd->within <= (int32_t)USHRT_MAX) {
+                if (cd->flags & DETECT_CONTENT_DISTANCE) {
+                    if (cd->distance > 0)
+                        cd->flags |= DETECT_CONTENT_OFFSET;
+                    cd->flags &= ~DETECT_CONTENT_DISTANCE;
+                    cd->offset = (uint16_t)cd->distance;
+                    cd->distance = 0;
+                    cd->flags |= DETECT_CONTENT_DISTANCE2OFFSET;
+                }
+                if (cd->flags & DETECT_CONTENT_WITHIN) {
+                    cd->flags |= DETECT_CONTENT_DEPTH;
+                    cd->flags &= ~DETECT_CONTENT_WITHIN;
+                    cd->depth = (uint16_t)cd->within + cd->offset;
+                    cd->within = 0;
+                    cd->flags |= DETECT_CONTENT_WITHIN2DEPTH;
+                }
+            }
+        }
+
         if (cd->flags & DETECT_CONTENT_NEGATED) {
             offset = depth = 0;
             offset_plus_pat = 0;
diff --git a/src/detect-content.h b/src/detect-content.h
index a99dc78462..3f1fc35e00 100644
--- a/src/detect-content.h
+++ b/src/detect-content.h
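Review bot: The assignment `cd->depth = (uint16_t)cd->within + cd->offset;` can exceed what depth holds: the guard bounds within and distance individually to USHRT_MAX, but after the distance branch offset can itself be up to USHRT_MAX, so the sum can reach 2*USHRT_MAX and, if depth is a uint16_t as the casts suggest, is silently truncated to a depth smaller than offset, which is presumably not what the rule author wrote and may make the pattern unmatchable. Bound the sum in the outer guard, e.g. `cd->within + cd->distance <= (int32_t)USHRT_MAX`, so such a rule keeps its relative semantics instead of being rewritten; both operands are already known non-negative and at most USHRT_MAX at that point, so the int32_t addition cannot overflow. A rule with a negative distance and no previous content is also left unconverted by the same guard, which looks intentional but deserves a comment such as `/* negative or oversized values keep relative semantics */`. PropagateLimits starts and ends outside this hunk.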
@@ -59,6 +59,8 @@
 #define DETECT_CONTENT_STARTS_WITH BIT_U32(19)
 /** MPM pattern selected by the engine or forced by fast_pattern keyword */
 #define DETECT_CONTENT_MPM BIT_U32(20)
+#define DETECT_CONTENT_WITHIN2DEPTH BIT_U32(21)
+#define DETECT_CONTENT_DISTANCE2OFFSET BIT_U32(22)

 /** a relative match to this content is next, used in matching phase */
 #define DETECT_CONTENT_RELATIVE_NEXT (DETECT_CONTENT_WITHIN_NEXT|DETECT_CONTENT_DISTANCE_NEXT)
diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index d71dcb6f50..beb736f471 100644
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -684,6 +684,14 @@ static void DumpMatches(RuleAnalyzer *ctx, JsonBuilder *js, const SigMatchData *
                         (char *)"pattern looks like it inspects HTTP, use http.user_agent "
                                 "or http.header for improved performance");
             }
+            if (cd->flags & DETECT_CONTENT_WITHIN2DEPTH) {
+                AnalyzerNote(ctx, (char *)"'within' option for pattern w/o previous content "
+                                          "was converted to 'depth'");
+            }
+            if (cd->flags & DETECT_CONTENT_DISTANCE2OFFSET) {
+                AnalyzerNote(ctx, (char *)"'distance' option for pattern w/o previous content "
+                                          "was converted to 'offset'");
+            }
             jb_close(js);
             break;
         }
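Review bot: The two new flag bits carry no documentation comment, unlike the neighbouring `DETECT_CONTENT_MPM` line, so a reader of the header cannot tell what they record; as far as this commit shows they are set only by the within/distance rewrite in detect-content.c and read back by the rule analyzer. Suggest adding above `DETECT_CONTENT_WITHIN2DEPTH` the comment `/** within/distance on a content with no previous content were rewritten to depth/offset (see PropagateLimits); reported by the rule analyzer */`.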