From: Victor Julien Date: Sat, 20 Dec 2014 11:02:59 +0000 (+0100) Subject: vars: redo var name <-> idx handling X-Git-Tag: suricata-2.1beta4~73 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dea8dda3c19773ba51a6bb67d9e365047251c598;p=thirdparty%2Fsuricata.git vars: redo var name <-> idx handling Can't use sm type anymore as multiple var carriers (host/flow/etc) will all have xbits. --- diff --git a/src/detect-engine-sigorder.c b/src/detect-engine-sigorder.c index edca49c353..0baa87a22e 100644 --- a/src/detect-engine-sigorder.c +++ b/src/detect-engine-sigorder.c @@ -25,7 +25,7 @@ #include "suricata-common.h" #include "detect.h" -#include "detect-hostbits.h" +#include "detect-xbits.h" #include "detect-flowbits.h" #include "detect-flowint.h" #include "detect-parse.h" @@ -59,10 +59,10 @@ #define DETECT_FLOWINT_TYPE_SET_READ 3 #define DETECT_FLOWINT_TYPE_SET 4 -#define DETECT_HOSTBITS_NOT_USED 1 -#define DETECT_HOSTBITS_TYPE_READ 2 -#define DETECT_HOSTBITS_TYPE_SET_READ 3 -#define DETECT_HOSTBITS_TYPE_SET 4 +#define DETECT_XBITS_NOT_USED 1 +#define DETECT_XBITS_TYPE_READ 2 +#define DETECT_XBITS_TYPE_SET_READ 3 +#define DETECT_XBITS_TYPE_SET 4 /** @@ -347,37 +347,39 @@ static inline int SCSigGetPktvarType(Signature *sig) } /** - * \brief Returns the hostbit type set for this signature. If more than one - * hostbit has been set for the same rule, we return the hostbit type of + * \brief Returns the xbit type set for this signature. If more than one + * xbit has been set for the same rule, we return the xbit type of * the maximum priority/value, where priority/value is maximum for the * ones that set the value and the lowest for ones that read the value. - * If no hostbit has been set for the rule, we return 0, which indicates - * the least value amongst hostbit types. + * If no xbit has been set for the rule, we return 0, which indicates + * the least value amongst xbit types. * - * \param sig Pointer to the Signature from which the hostbit value has to be + * \param sig Pointer to the Signature from which the xbit value has to be * returned. * - * \retval hostbits The hostbits type for this signature if it is set; if it is + * \retval xbits The xbits type for this signature if it is set; if it is * not set, return 0 */ -static inline int SCSigGetHostbitsType(Signature *sig) +static inline int SCSigGetXbitsType(Signature *sig, enum VarTypes type) { - DetectHostbitsData *fb = NULL; - int hostbits_user_type = DETECT_HOSTBITS_NOT_USED; + DetectXbitsData *fb = NULL; + int xbits_user_type = DETECT_XBITS_NOT_USED; int read = 0; int write = 0; SigMatch *sm = sig->sm_lists[DETECT_SM_LIST_MATCH]; while (sm != NULL) { - if (sm->type == DETECT_HOSTBITS) { - fb = (DetectHostbitsData *)sm->ctx; - if (fb->cmd == DETECT_HOSTBITS_CMD_ISNOTSET || - fb->cmd == DETECT_HOSTBITS_CMD_ISSET) { - read++; - } else { + if (sm->type == DETECT_XBITS) { + fb = (DetectXbitsData *)sm->ctx; + if (fb->type == type) { + if (fb->cmd == DETECT_XBITS_CMD_ISNOTSET || + fb->cmd == DETECT_XBITS_CMD_ISSET) { + read++; + } else { #ifdef DEBUG - BUG_ON(1); + BUG_ON(1); #endif + } } } @@ -387,15 +389,17 @@ static inline int SCSigGetHostbitsType(Signature *sig) sm = sig->sm_lists[DETECT_SM_LIST_POSTMATCH]; while (sm != NULL) { if (sm->type == DETECT_HOSTBITS) { - fb = (DetectHostbitsData *)sm->ctx; - if (fb->cmd == DETECT_HOSTBITS_CMD_SET || - fb->cmd == DETECT_HOSTBITS_CMD_UNSET || - fb->cmd == DETECT_HOSTBITS_CMD_TOGGLE) { - write++; - } else { + fb = (DetectXbitsData *)sm->ctx; + if (fb->type == type) { + if (fb->cmd == DETECT_XBITS_CMD_SET || + fb->cmd == DETECT_XBITS_CMD_UNSET || + fb->cmd == DETECT_XBITS_CMD_TOGGLE) { + write++; + } else { #ifdef DEBUG - BUG_ON(1); + BUG_ON(1); #endif + } } } @@ -403,16 +407,16 @@ static inline int SCSigGetHostbitsType(Signature *sig) } if (read > 0 && write == 0) { - hostbits_user_type = DETECT_HOSTBITS_TYPE_READ; + xbits_user_type = DETECT_XBITS_TYPE_READ; } else if (read == 0 && write > 0) { - hostbits_user_type = DETECT_HOSTBITS_TYPE_SET; + xbits_user_type = DETECT_XBITS_TYPE_SET; } else if (read > 0 && write > 0) { - hostbits_user_type = DETECT_HOSTBITS_TYPE_SET_READ; + xbits_user_type = DETECT_XBITS_TYPE_SET_READ; } - SCLogDebug("Sig %s typeval %d", sig->msg, hostbits_user_type); + SCLogDebug("Sig %s typeval %d", sig->msg, xbits_user_type); - return hostbits_user_type; + return xbits_user_type; } /** @@ -457,15 +461,27 @@ static inline void SCSigProcessUserDataForPktvar(SCSigSignatureWrapper *sw) } /** - * \brief Processes the flowbits data for this signature and caches it for + * \brief Processes the hostbits data for this signature and caches it for * future use. This is needed to optimize the sig_ordering module. * - * \param sw The sigwrapper/signature for which the flowbits data has to be + * \param sw The sigwrapper/signature for which the hostbits data has to be * cached */ static inline void SCSigProcessUserDataForHostbits(SCSigSignatureWrapper *sw) { - sw->user[SC_RADIX_USER_DATA_HOSTBITS] = SCSigGetHostbitsType(sw->sig); + sw->user[SC_RADIX_USER_DATA_HOSTBITS] = SCSigGetXbitsType(sw->sig, VAR_TYPE_HOST_BIT); +} + +/** + * \brief Processes the hostbits data for this signature and caches it for + * future use. This is needed to optimize the sig_ordering module. + * + * \param sw The sigwrapper/signature for which the hostbits data has to be + * cached + */ +static inline void SCSigProcessUserDataForIPPairbits(SCSigSignatureWrapper *sw) +{ + sw->user[SC_RADIX_USER_DATA_IPPAIRBITS] = SCSigGetXbitsType(sw->sig, VAR_TYPE_IPPAIR_BIT); } /* Return 1 if sw1 comes before sw2 in the final list. */ @@ -629,6 +645,20 @@ static int SCSigOrderByHostbitsCompare(SCSigSignatureWrapper *sw1, sw2->user[SC_RADIX_USER_DATA_HOSTBITS]; } +/** + * \brief Orders an incoming Signature based on its ippairbits (xbits) type + * + * \param de_ctx Pointer to the detection engine context from which the + * signatures have to be ordered. + * \param sw The new signature that has to be ordered based on its bits + */ +static int SCSigOrderByIPPairbitsCompare(SCSigSignatureWrapper *sw1, + SCSigSignatureWrapper *sw2) +{ + return sw1->user[SC_RADIX_USER_DATA_IPPAIRBITS] - + sw2->user[SC_RADIX_USER_DATA_IPPAIRBITS]; +} + /** * \brief Orders an incoming Signature based on its priority type * @@ -666,6 +696,7 @@ static inline SCSigSignatureWrapper *SCSigAllocSignatureWrapper(Signature *sig) SCSigProcessUserDataForFlowint(sw); SCSigProcessUserDataForPktvar(sw); SCSigProcessUserDataForHostbits(sw); + SCSigProcessUserDataForIPPairbits(sw); return sw; } @@ -746,6 +777,7 @@ void SCSigRegisterSignatureOrderingFuncs(DetectEngineCtx *de_ctx) SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare); SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare); SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByHostbitsCompare); + SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByIPPairbitsCompare); SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare); } diff --git a/src/detect-engine-sigorder.h b/src/detect-engine-sigorder.h index 312165a04b..686ce9280f 100644 --- a/src/detect-engine-sigorder.h +++ b/src/detect-engine-sigorder.h @@ -34,6 +34,7 @@ typedef enum{ SC_RADIX_USER_DATA_PKTVAR, SC_RADIX_USER_DATA_FLOWINT, SC_RADIX_USER_DATA_HOSTBITS, + SC_RADIX_USER_DATA_IPPAIRBITS, SC_RADIX_USER_DATA_MAX } SCRadixUserDataType; diff --git a/src/detect-flowbits.c b/src/detect-flowbits.c index e1ea8e60ae..315cb8cfc9 100644 --- a/src/detect-flowbits.c +++ b/src/detect-flowbits.c @@ -244,7 +244,7 @@ int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr) if (unlikely(cd == NULL)) goto error; - cd->idx = VariableNameGetIdx(de_ctx, fb_name, DETECT_FLOWBITS); + cd->idx = VariableNameGetIdx(de_ctx, fb_name, VAR_TYPE_FLOW_BIT); cd->cmd = fb_cmd; SCLogDebug("idx %" PRIu32 ", cmd %s, name %s", @@ -616,7 +616,7 @@ static int FlowBitsTestSig04(void) s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isset option\"; flowbits:isset,fbt; content:\"GET \"; sid:1;)"); - idx = VariableNameGetIdx(de_ctx, "fbt", DETECT_FLOWBITS); + idx = VariableNameGetIdx(de_ctx, "fbt", VAR_TYPE_FLOW_BIT); if (s == NULL || idx != 1) { goto end; @@ -797,7 +797,7 @@ static int FlowBitsTestSig06(void) SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - idx = VariableNameGetIdx(de_ctx, "myflow", DETECT_FLOWBITS); + idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_FLOW_BIT); gv = p->flow->flowvar; @@ -903,7 +903,7 @@ static int FlowBitsTestSig07(void) SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - idx = VariableNameGetIdx(de_ctx, "myflow", DETECT_FLOWBITS); + idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_FLOW_BIT); gv = p->flow->flowvar; @@ -1012,7 +1012,7 @@ static int FlowBitsTestSig08(void) SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - idx = VariableNameGetIdx(de_ctx, "myflow", DETECT_FLOWBITS); + idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_FLOW_BIT); gv = p->flow->flowvar; diff --git a/src/detect-flowint.c b/src/detect-flowint.c index 6328b67572..54303cd3ae 100644 --- a/src/detect-flowint.c +++ b/src/detect-flowint.c @@ -126,7 +126,7 @@ int DetectFlowintMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, * return zero(not match). */ if (sfd->targettype == FLOWINT_TARGET_VAR) { - uint16_t tvar_idx = VariableNameGetIdx(det_ctx->de_ctx, sfd->target.tvar.name, DETECT_FLOWINT); + uint16_t tvar_idx = VariableNameGetIdx(det_ctx->de_ctx, sfd->target.tvar.name, VAR_TYPE_FLOW_INT); fvt = FlowVarGet(p->flow, tvar_idx); /* We don't have that variable initialized yet */ @@ -351,7 +351,7 @@ DetectFlowintData *DetectFlowintParse(DetectEngineCtx *de_ctx, char *rawstr) goto error; } if (de_ctx != NULL) - sfd->idx = VariableNameGetIdx(de_ctx, varname, DETECT_FLOWINT); + sfd->idx = VariableNameGetIdx(de_ctx, varname, VAR_TYPE_FLOW_INT); sfd->modifier = modifier; pcre_free_substring(varname); diff --git a/src/detect-flowvar.c b/src/detect-flowvar.c index 8e8fddee0b..f6ff82d608 100644 --- a/src/detect-flowvar.c +++ b/src/detect-flowvar.c @@ -188,7 +188,7 @@ static int DetectFlowvarSetup (DetectEngineCtx *de_ctx, Signature *s, char *raws fd->name = SCStrdup(varname); if (unlikely(fd->name == NULL)) goto error; - fd->idx = VariableNameGetIdx(de_ctx, varname, DETECT_FLOWVAR); + fd->idx = VariableNameGetIdx(de_ctx, varname, VAR_TYPE_FLOW_VAR); /* Okay so far so good, lets get this into a SigMatch * and put it in the Signature. */ diff --git a/src/detect-hostbits.c b/src/detect-hostbits.c index 22797af0e0..11897bda41 100644 --- a/src/detect-hostbits.c +++ b/src/detect-hostbits.c @@ -106,10 +106,10 @@ error: return; } -static int DetectHostbitMatchToggle (Packet *p, const DetectHostbitsData *fd) +static int DetectHostbitMatchToggle (Packet *p, const DetectXbitsData *fd) { - switch (fd->dir) { - case DETECT_HOSTBITS_DIR_SRC: + switch (fd->tracker) { + case DETECT_XBITS_TRACK_IPSRC: if (p->host_src == NULL) { p->host_src = HostGetHostFromHash(&p->src); if (p->host_src == NULL) @@ -121,7 +121,7 @@ static int DetectHostbitMatchToggle (Packet *p, const DetectHostbitsData *fd) HostBitToggle(p->host_src,fd->idx); HostUnlock(p->host_src); break; - case DETECT_HOSTBITS_DIR_DST: + case DETECT_XBITS_TRACK_IPDST: if (p->host_dst == NULL) { p->host_dst = HostGetHostFromHash(&p->dst); if (p->host_dst == NULL) @@ -138,10 +138,10 @@ static int DetectHostbitMatchToggle (Packet *p, const DetectHostbitsData *fd) } /* return true even if bit not found */ -static int DetectHostbitMatchUnset (Packet *p, const DetectHostbitsData *fd) +static int DetectHostbitMatchUnset (Packet *p, const DetectXbitsData *fd) { - switch (fd->dir) { - case DETECT_HOSTBITS_DIR_SRC: + switch (fd->tracker) { + case DETECT_XBITS_TRACK_IPSRC: if (p->host_src == NULL) { p->host_src = HostLookupHostFromHash(&p->src); if (p->host_src == NULL) @@ -152,7 +152,7 @@ static int DetectHostbitMatchUnset (Packet *p, const DetectHostbitsData *fd) HostBitUnset(p->host_src,fd->idx); HostUnlock(p->host_src); break; - case DETECT_HOSTBITS_DIR_DST: + case DETECT_XBITS_TRACK_IPDST: if (p->host_dst == NULL) { p->host_dst = HostLookupHostFromHash(&p->dst); if (p->host_dst == NULL) @@ -167,10 +167,10 @@ static int DetectHostbitMatchUnset (Packet *p, const DetectHostbitsData *fd) return 1; } -static int DetectHostbitMatchSet (Packet *p, const DetectHostbitsData *fd) +static int DetectHostbitMatchSet (Packet *p, const DetectXbitsData *fd) { - switch (fd->dir) { - case DETECT_HOSTBITS_DIR_SRC: + switch (fd->tracker) { + case DETECT_XBITS_TRACK_IPSRC: if (p->host_src == NULL) { p->host_src = HostGetHostFromHash(&p->src); if (p->host_src == NULL) @@ -181,7 +181,7 @@ static int DetectHostbitMatchSet (Packet *p, const DetectHostbitsData *fd) HostBitSet(p->host_src,fd->idx); HostUnlock(p->host_src); break; - case DETECT_HOSTBITS_DIR_DST: + case DETECT_XBITS_TRACK_IPDST: if (p->host_dst == NULL) { p->host_dst = HostGetHostFromHash(&p->dst); if (p->host_dst == NULL) @@ -196,11 +196,11 @@ static int DetectHostbitMatchSet (Packet *p, const DetectHostbitsData *fd) return 1; } -static int DetectHostbitMatchIsset (Packet *p, const DetectHostbitsData *fd) +static int DetectHostbitMatchIsset (Packet *p, const DetectXbitsData *fd) { int r = 0; - switch (fd->dir) { - case DETECT_HOSTBITS_DIR_SRC: + switch (fd->tracker) { + case DETECT_XBITS_TRACK_IPSRC: if (p->host_src == NULL) { p->host_src = HostLookupHostFromHash(&p->src); if (p->host_src == NULL) @@ -208,11 +208,10 @@ static int DetectHostbitMatchIsset (Packet *p, const DetectHostbitsData *fd) } else HostLock(p->host_src); - HostLock(p->host_src); r = HostBitIsset(p->host_src,fd->idx); HostUnlock(p->host_src); return r; - case DETECT_HOSTBITS_DIR_DST: + case DETECT_XBITS_TRACK_IPDST: if (p->host_dst == NULL) { p->host_dst = HostLookupHostFromHash(&p->dst); if (p->host_dst == NULL) @@ -220,7 +219,6 @@ static int DetectHostbitMatchIsset (Packet *p, const DetectHostbitsData *fd) } else HostLock(p->host_dst); - HostLock(p->host_dst); r = HostBitIsset(p->host_dst,fd->idx); HostUnlock(p->host_dst); return r; @@ -228,11 +226,11 @@ static int DetectHostbitMatchIsset (Packet *p, const DetectHostbitsData *fd) return 0; } -static int DetectHostbitMatchIsnotset (Packet *p, const DetectHostbitsData *fd) +static int DetectHostbitMatchIsnotset (Packet *p, const DetectXbitsData *fd) { int r = 0; - switch (fd->dir) { - case DETECT_HOSTBITS_DIR_SRC: + switch (fd->tracker) { + case DETECT_XBITS_TRACK_IPSRC: if (p->host_src == NULL) { p->host_src = HostLookupHostFromHash(&p->src); if (p->host_src == NULL) @@ -240,11 +238,10 @@ static int DetectHostbitMatchIsnotset (Packet *p, const DetectHostbitsData *fd) } else HostLock(p->host_src); - HostLock(p->host_src); r = HostBitIsnotset(p->host_src,fd->idx); HostUnlock(p->host_src); return r; - case DETECT_HOSTBITS_DIR_DST: + case DETECT_XBITS_TRACK_IPDST: if (p->host_dst == NULL) { p->host_dst = HostLookupHostFromHash(&p->dst); if (p->host_dst == NULL) @@ -252,7 +249,6 @@ static int DetectHostbitMatchIsnotset (Packet *p, const DetectHostbitsData *fd) } else HostLock(p->host_dst); - HostLock(p->host_dst); r = HostBitIsnotset(p->host_dst,fd->idx); HostUnlock(p->host_dst); return r; @@ -268,20 +264,20 @@ static int DetectHostbitMatchIsnotset (Packet *p, const DetectHostbitsData *fd) int DetectHostbitMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, const SigMatchCtx *ctx) { - const DetectHostbitsData *fd = (const DetectHostbitsData *)ctx; + const DetectXbitsData *fd = (const DetectXbitsData *)ctx; if (fd == NULL) return 0; switch (fd->cmd) { - case DETECT_HOSTBITS_CMD_ISSET: + case DETECT_XBITS_CMD_ISSET: return DetectHostbitMatchIsset(p,fd); - case DETECT_HOSTBITS_CMD_ISNOTSET: + case DETECT_XBITS_CMD_ISNOTSET: return DetectHostbitMatchIsnotset(p,fd); - case DETECT_HOSTBITS_CMD_SET: + case DETECT_XBITS_CMD_SET: return DetectHostbitMatchSet(p,fd); - case DETECT_HOSTBITS_CMD_UNSET: + case DETECT_XBITS_CMD_UNSET: return DetectHostbitMatchUnset(p,fd); - case DETECT_HOSTBITS_CMD_TOGGLE: + case DETECT_XBITS_CMD_TOGGLE: return DetectHostbitMatchToggle(p,fd); default: SCLogError(SC_ERR_UNKNOWN_VALUE, "unknown cmd %" PRIu32 "", fd->cmd); @@ -293,7 +289,7 @@ int DetectHostbitMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p int DetectHostbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr) { - DetectHostbitsData *cd = NULL; + DetectXbitsData *cd = NULL; SigMatch *sm = NULL; uint8_t fb_cmd = 0; uint8_t hb_dir = 0; @@ -330,11 +326,11 @@ int DetectHostbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr) SCLogInfo("hb_dir_str %s", hb_dir_str); if (strlen(hb_dir_str) > 0) { if (strcmp(hb_dir_str, "src") == 0) - hb_dir = DETECT_HOSTBITS_DIR_SRC; + hb_dir = DETECT_XBITS_TRACK_IPSRC; else if (strcmp(hb_dir_str, "dst") == 0) - hb_dir = DETECT_HOSTBITS_DIR_DST; + hb_dir = DETECT_XBITS_TRACK_IPDST; else if (strcmp(hb_dir_str, "both") == 0) { - hb_dir = DETECT_HOSTBITS_DIR_BOTH; + //hb_dir = DETECT_XBITS_TRACK_IPBOTH; SCLogError(SC_ERR_UNIMPLEMENTED, "'both' not implemented"); goto error; } else { @@ -346,46 +342,47 @@ int DetectHostbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr) } if (strcmp(fb_cmd_str,"noalert") == 0) { - fb_cmd = DETECT_HOSTBITS_CMD_NOALERT; + fb_cmd = DETECT_XBITS_CMD_NOALERT; } else if (strcmp(fb_cmd_str,"isset") == 0) { - fb_cmd = DETECT_HOSTBITS_CMD_ISSET; + fb_cmd = DETECT_XBITS_CMD_ISSET; } else if (strcmp(fb_cmd_str,"isnotset") == 0) { - fb_cmd = DETECT_HOSTBITS_CMD_ISNOTSET; + fb_cmd = DETECT_XBITS_CMD_ISNOTSET; } else if (strcmp(fb_cmd_str,"set") == 0) { - fb_cmd = DETECT_HOSTBITS_CMD_SET; + fb_cmd = DETECT_XBITS_CMD_SET; } else if (strcmp(fb_cmd_str,"unset") == 0) { - fb_cmd = DETECT_HOSTBITS_CMD_UNSET; + fb_cmd = DETECT_XBITS_CMD_UNSET; } else if (strcmp(fb_cmd_str,"toggle") == 0) { - fb_cmd = DETECT_HOSTBITS_CMD_TOGGLE; + fb_cmd = DETECT_XBITS_CMD_TOGGLE; } else { SCLogError(SC_ERR_UNKNOWN_VALUE, "ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str); goto error; } switch (fb_cmd) { - case DETECT_HOSTBITS_CMD_NOALERT: + case DETECT_XBITS_CMD_NOALERT: if (strlen(fb_name) != 0) goto error; s->flags |= SIG_FLAG_NOALERT; return 0; - case DETECT_HOSTBITS_CMD_ISNOTSET: - case DETECT_HOSTBITS_CMD_ISSET: - case DETECT_HOSTBITS_CMD_SET: - case DETECT_HOSTBITS_CMD_UNSET: - case DETECT_HOSTBITS_CMD_TOGGLE: + case DETECT_XBITS_CMD_ISNOTSET: + case DETECT_XBITS_CMD_ISSET: + case DETECT_XBITS_CMD_SET: + case DETECT_XBITS_CMD_UNSET: + case DETECT_XBITS_CMD_TOGGLE: default: if (strlen(fb_name) == 0) goto error; break; } - cd = SCMalloc(sizeof(DetectHostbitsData)); + cd = SCMalloc(sizeof(DetectXbitsData)); if (unlikely(cd == NULL)) goto error; - cd->idx = VariableNameGetIdx(de_ctx, fb_name, DETECT_HOSTBITS); + cd->idx = VariableNameGetIdx(de_ctx, fb_name, VAR_TYPE_HOST_BIT); cd->cmd = fb_cmd; - cd->dir = hb_dir; + cd->tracker = hb_dir; + cd->type = VAR_TYPE_HOST_BIT; SCLogDebug("idx %" PRIu32 ", cmd %s, name %s", cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)"); @@ -400,19 +397,19 @@ int DetectHostbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr) sm->ctx = (void *)cd; switch (fb_cmd) { - case DETECT_HOSTBITS_CMD_NOALERT: + case DETECT_XBITS_CMD_NOALERT: /* nothing to do */ break; - case DETECT_HOSTBITS_CMD_ISNOTSET: - case DETECT_HOSTBITS_CMD_ISSET: + case DETECT_XBITS_CMD_ISNOTSET: + case DETECT_XBITS_CMD_ISSET: /* checks, so packet list */ SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH); break; - case DETECT_HOSTBITS_CMD_SET: - case DETECT_HOSTBITS_CMD_UNSET: - case DETECT_HOSTBITS_CMD_TOGGLE: + case DETECT_XBITS_CMD_SET: + case DETECT_XBITS_CMD_UNSET: + case DETECT_XBITS_CMD_TOGGLE: /* modifiers, only run when entire sig has matched */ SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH); break; @@ -430,7 +427,7 @@ error: void DetectHostbitFree (void *ptr) { - DetectHostbitsData *fd = (DetectHostbitsData *)ptr; + DetectXbitsData *fd = (DetectXbitsData *)ptr; if (fd == NULL) return; @@ -727,7 +724,7 @@ static int HostBitsTestSig04(void) s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isset option\"; hostbits:isset,fbt; content:\"GET \"; sid:1;)"); - idx = VariableNameGetIdx(de_ctx, "fbt", DETECT_HOSTBITS); + idx = VariableNameGetIdx(de_ctx, "fbt", VAR_TYPE_HOST_BIT); if (s == NULL || idx != 1) { goto end; @@ -922,7 +919,7 @@ static int HostBitsTestSig06(void) SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - idx = VariableNameGetIdx(de_ctx, "myflow", DETECT_HOSTBITS); + idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_HOST_BIT); gv = p->flow->flowvar; @@ -1028,7 +1025,7 @@ static int HostBitsTestSig07(void) SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - idx = VariableNameGetIdx(de_ctx, "myflow", DETECT_HOSTBITS); + idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_HOST_BIT); gv = p->flow->flowvar; diff --git a/src/detect-hostbits.h b/src/detect-hostbits.h index 72406cc8eb..00880b9eb3 100644 --- a/src/detect-hostbits.h +++ b/src/detect-hostbits.h @@ -24,23 +24,7 @@ #ifndef __DETECT_HOSTBITS_H__ #define __DETECT_HOSTBITS_H__ -#define DETECT_HOSTBITS_CMD_SET 0 -#define DETECT_HOSTBITS_CMD_TOGGLE 1 -#define DETECT_HOSTBITS_CMD_UNSET 2 -#define DETECT_HOSTBITS_CMD_ISNOTSET 3 -#define DETECT_HOSTBITS_CMD_ISSET 4 -#define DETECT_HOSTBITS_CMD_NOALERT 5 -#define DETECT_HOSTBITS_CMD_MAX 6 - -#define DETECT_HOSTBITS_DIR_SRC 0 -#define DETECT_HOSTBITS_DIR_DST 1 -#define DETECT_HOSTBITS_DIR_BOTH 2 - -typedef struct DetectHostbitsData_ { - uint16_t idx; - uint8_t cmd; - uint8_t dir; -} DetectHostbitsData; +#include "detect-xbits.h" /* prototypes */ void DetectHostbitsRegister (void); diff --git a/src/detect-lua.c b/src/detect-lua.c index 8a957ccac9..5c0e1f6403 100644 --- a/src/detect-lua.c +++ b/src/detect-lua.c @@ -831,7 +831,7 @@ static int DetectLuaSetupPrime(DetectEngineCtx *de_ctx, DetectLuaData *ld) goto error; } - uint16_t idx = VariableNameGetIdx(de_ctx, (char *)value, DETECT_FLOWVAR); + uint16_t idx = VariableNameGetIdx(de_ctx, (char *)value, VAR_TYPE_FLOW_VAR); ld->flowvar[ld->flowvars++] = idx; SCLogDebug("script uses flowvar %u with script id %u", idx, ld->flowvars - 1); } @@ -853,7 +853,7 @@ static int DetectLuaSetupPrime(DetectEngineCtx *de_ctx, DetectLuaData *ld) goto error; } - uint16_t idx = VariableNameGetIdx(de_ctx, (char *)value, DETECT_FLOWINT); + uint16_t idx = VariableNameGetIdx(de_ctx, (char *)value, VAR_TYPE_FLOW_INT); ld->flowint[ld->flowints++] = idx; SCLogDebug("script uses flowint %u with script id %u", idx, ld->flowints - 1); } diff --git a/src/detect-pcre.c b/src/detect-pcre.c index 61c98b118c..dd359feb23 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -620,9 +620,9 @@ static int DetectPcreParseCapture(char *regexstr, DetectEngineCtx *de_ctx, Detec } if (pd->capname != NULL) { if (pd->flags & DETECT_PCRE_CAPTURE_PKT) - pd->capidx = VariableNameGetIdx(de_ctx, (char *)pd->capname, DETECT_PKTVAR); + pd->capidx = VariableNameGetIdx(de_ctx, (char *)pd->capname, VAR_TYPE_PKT_VAR); else if (pd->flags & DETECT_PCRE_CAPTURE_FLOW) - pd->capidx = VariableNameGetIdx(de_ctx, (char *)pd->capname, DETECT_FLOWVAR); + pd->capidx = VariableNameGetIdx(de_ctx, (char *)pd->capname, VAR_TYPE_FLOW_VAR); } SCLogDebug("pd->capname %s", pd->capname); diff --git a/src/detect-xbits.c b/src/detect-xbits.c index 28f05c201f..a622dbf330 100644 --- a/src/detect-xbits.c +++ b/src/detect-xbits.c @@ -197,6 +197,7 @@ int DetectXbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr) int ov[MAX_SUBSTRINGS]; char fb_cmd_str[16] = "", fb_name[256] = ""; char hb_dir_str[16] = ""; + enum VarTypes var_type = VAR_TYPE_NOT_SET; ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS); if (ret != 2 && ret != 3 && ret != 4) { @@ -224,12 +225,15 @@ int DetectXbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr) } SCLogDebug("hb_dir_str %s", hb_dir_str); if (strlen(hb_dir_str) > 0) { - if (strcmp(hb_dir_str, "ip_src") == 0) + if (strcmp(hb_dir_str, "ip_src") == 0) { hb_dir = DETECT_XBITS_TRACK_IPSRC; - else if (strcmp(hb_dir_str, "ip_dst") == 0) + var_type = VAR_TYPE_HOST_BIT; + } else if (strcmp(hb_dir_str, "ip_dst") == 0) { hb_dir = DETECT_XBITS_TRACK_IPDST; - else if (strcmp(hb_dir_str, "ip_pair") == 0) { + var_type = VAR_TYPE_HOST_BIT; + } else if (strcmp(hb_dir_str, "ip_pair") == 0) { hb_dir = DETECT_XBITS_TRACK_IPPAIR; + var_type = VAR_TYPE_IPPAIR_BIT; } else { // TODO goto error; @@ -276,9 +280,10 @@ int DetectXbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr) if (unlikely(cd == NULL)) goto error; - cd->idx = VariableNameGetIdx(de_ctx, fb_name, DETECT_XBITS); + cd->idx = VariableNameGetIdx(de_ctx, fb_name, var_type); cd->cmd = fb_cmd; cd->tracker = hb_dir; + cd->type = var_type; SCLogDebug("idx %" PRIu32 ", cmd %s, name %s", cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)"); diff --git a/src/detect-xbits.h b/src/detect-xbits.h index e01d8c330a..56ba917b8a 100644 --- a/src/detect-xbits.h +++ b/src/detect-xbits.h @@ -41,6 +41,8 @@ typedef struct DetectXbitsData_ { uint16_t idx; uint8_t cmd; uint8_t tracker; + /** data type: host/ippair/flow used for sig sorting in sigorder */ + enum VarTypes type; } DetectXbitsData; /* prototypes */ diff --git a/src/detect.c b/src/detect.c index e27e57b26d..ad0af28c8a 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1104,7 +1104,7 @@ static void AlertDebugLogModeSyncFlowbitsNamesToPacketStruct(Packet *p, DetectEn } FlowBit *fb = (FlowBit *) gv; - char *name = VariableIdxGetName(de_ctx, fb->idx, fb->type); + char *name = VariableIdxGetName(de_ctx, fb->idx, VAR_TYPE_FLOW_BIT); if (name != NULL) { p->debuglog_flowbits_names[i] = SCStrdup(name); if (p->debuglog_flowbits_names[i] == NULL) { diff --git a/src/util-var-name.c b/src/util-var-name.c index b50e35c9c4..9132218978 100644 --- a/src/util-var-name.c +++ b/src/util-var-name.c @@ -131,11 +131,11 @@ void VariableNameFreeHash(DetectEngineCtx *de_ctx) /** \brief Get a name idx for a name. If the name is already used reuse the idx. * \param name nul terminated string with the name - * \param type variable type (DETECT_FLOWBITS, DETECT_PKTVAR, etc) + * \param type variable type * \retval 0 in case of error - * \retval _ the idx. + * \retval idx the idx or 0 */ -uint16_t VariableNameGetIdx(DetectEngineCtx *de_ctx, char *name, uint8_t type) +uint16_t VariableNameGetIdx(DetectEngineCtx *de_ctx, char *name, enum VarTypes type) { uint16_t idx = 0; @@ -170,11 +170,11 @@ error: /** \brief Get a name from the idx. * \param idx index of the variable whose name is to be fetched - * \param type variable type (DETECT_FLOWBITS, DETECT_PKTVAR, etc) + * \param type variable type * \retval NULL in case of error * \retval name of the variable if successful. */ -char *VariableIdxGetName(DetectEngineCtx *de_ctx, uint16_t idx, uint8_t type) +char *VariableIdxGetName(DetectEngineCtx *de_ctx, uint16_t idx, enum VarTypes type) { VariableName *fn = SCMalloc(sizeof(VariableName)); if (unlikely(fn == NULL)) diff --git a/src/util-var-name.h b/src/util-var-name.h index 10bd4165c3..2be142689a 100644 --- a/src/util-var-name.h +++ b/src/util-var-name.h @@ -27,8 +27,8 @@ int VariableNameInitHash(DetectEngineCtx *); void VariableNameFreeHash(DetectEngineCtx *); -uint16_t VariableNameGetIdx(DetectEngineCtx *, char *, uint8_t); -char * VariableIdxGetName(DetectEngineCtx *, uint16_t , uint8_t); +uint16_t VariableNameGetIdx(DetectEngineCtx *, char *, enum VarTypes); +char * VariableIdxGetName(DetectEngineCtx *, uint16_t , enum VarTypes); #endif diff --git a/src/util-var.h b/src/util-var.h index 2190722796..965b36e012 100644 --- a/src/util-var.h +++ b/src/util-var.h @@ -24,6 +24,26 @@ #ifndef __UTIL_VAR_H__ #define __UTIL_VAR_H__ +enum VarTypes { + VAR_TYPE_NOT_SET, + + VAR_TYPE_PKT_BIT, + VAR_TYPE_PKT_INT, + VAR_TYPE_PKT_VAR, + + VAR_TYPE_FLOW_BIT, + VAR_TYPE_FLOW_INT, + VAR_TYPE_FLOW_VAR, + + VAR_TYPE_HOST_BIT, + VAR_TYPE_HOST_INT, + VAR_TYPE_HOST_VAR, + + VAR_TYPE_IPPAIR_BIT, + VAR_TYPE_IPPAIR_INT, + VAR_TYPE_IPPAIR_VAR, +}; + typedef struct GenericVar_ { uint8_t type; uint16_t idx;