From: Victor Julien Date: Fri, 14 Mar 2025 14:35:58 +0000 (+0100) Subject: detect/prefilter: allow special engine for each app update X-Git-Tag: suricata-8.0.0-beta1~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fff65c5e4013607adf8b464c37f2a7cb2228d532;p=thirdparty%2Fsuricata.git detect/prefilter: allow special engine for each app update Allow registering the progress as -1, which means it will be invoked each time the app prefilters are called.
---
diff --git a/src/detect-engine-prefilter.c b/src/detect-engine-prefilter.c
index ea000cc04d..5f6ab3f017 100644
--- a/src/detect-engine-prefilter.c
+++ b/src/detect-engine-prefilter.c
@@ -115,32 +115,40 @@ void DetectRunPrefilterTx(DetectEngineThreadCtx *det_ctx, // incompatible engine->alproto with flow alproto goto next; } - if (engine->ctx.tx_min_progress > tx->tx_progress) - break; - if (tx->tx_progress > engine->ctx.tx_min_progress) { - /* if state value is at or beyond engine state, we can skip it. It means we ran at - * least once already. */ - if (tx->detect_progress > engine->ctx.tx_min_progress) { - SCLogDebug("tx already marked progress as beyond engine: %u > %u", - tx->detect_progress, engine->ctx.tx_min_progress); - goto next; + + if (engine->ctx.tx_min_progress != -1) { + if (engine->ctx.tx_min_progress > tx->tx_progress) + break; + if (tx->tx_progress > engine->ctx.tx_min_progress) { + /* if state value is at or beyond engine state, we can skip it. It means we ran at + * least once already. */ + if (tx->detect_progress > engine->ctx.tx_min_progress) { + SCLogDebug("tx already marked progress as beyond engine: %u > %u", + tx->detect_progress, engine->ctx.tx_min_progress); + goto next; + } } - } - PREFILTER_PROFILING_START(det_ctx); - engine->cb.PrefilterTx( - det_ctx, engine->pectx, p, p->flow, tx_ptr, tx->tx_id, tx->tx_data_ptr, flow_flags); - PREFILTER_PROFILING_END(det_ctx, engine->gid); - - if (tx->tx_progress > engine->ctx.tx_min_progress && engine->is_last_for_progress) { - /* track with an offset of one, so that tx->progress 0 complete is tracked - * as 1, progress 1 as 2, etc. This is to allow 0 to mean: nothing tracked, even - * though a parser may use 0 as a valid value. 
*/ - tx->detect_progress = engine->ctx.tx_min_progress + 1; - SCLogDebug("tx->tx_progress %d engine->ctx.tx_min_progress %d " - "engine->is_last_for_progress %d => tx->detect_progress updated to %02x", - tx->tx_progress, engine->ctx.tx_min_progress, engine->is_last_for_progress, - tx->detect_progress); + PREFILTER_PROFILING_START(det_ctx); + engine->cb.PrefilterTx(det_ctx, engine->pectx, p, p->flow, tx_ptr, tx->tx_id, + tx->tx_data_ptr, flow_flags); + PREFILTER_PROFILING_END(det_ctx, engine->gid); + + if (tx->tx_progress > engine->ctx.tx_min_progress && engine->is_last_for_progress) { + /* track with an offset of one, so that tx->progress 0 complete is tracked + * as 1, progress 1 as 2, etc. This is to allow 0 to mean: nothing tracked, even + * though a parser may use 0 as a valid value. */ + tx->detect_progress = engine->ctx.tx_min_progress + 1; + SCLogDebug("tx->tx_progress %d engine->ctx.tx_min_progress %d " + "engine->is_last_for_progress %d => tx->detect_progress updated to %02x", + tx->tx_progress, engine->ctx.tx_min_progress, engine->is_last_for_progress, + tx->detect_progress); + } + } else { + PREFILTER_PROFILING_START(det_ctx); + engine->cb.PrefilterTx(det_ctx, engine->pectx, p, p->flow, tx_ptr, tx->tx_id, + tx->tx_data_ptr, flow_flags); + PREFILTER_PROFILING_END(det_ctx, engine->gid); } next: if (engine->is_last) @@ -338,7 +346,7 @@ int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, e->pectx = pectx; e->alproto = alproto; // TODO change function prototype ? - DEBUG_VALIDATE_BUG_ON(tx_min_progress > UINT8_MAX); + DEBUG_VALIDATE_BUG_ON(tx_min_progress > INT8_MAX); e->tx_min_progress = (uint8_t)tx_min_progress; e->Free = FreeFunc; 
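Review bot: The new `else` arm for `tx_min_progress == -1` calls `PrefilterTx` without ever touching `tx->detect_progress`, and nothing in the code says this is deliberate. Because the skip check on `detect_progress` lives only in the `!= -1` arm, such an engine is invoked again on every call for the same transaction, so its callback has to tolerate repeated runs over the same data. I would add a comment at the top of the `else` arm, for example `/* tx_min_progress -1: run on every call; detect_progress is deliberately not advanced */`. The same bare `-1` is compared again in the PrefilterSetupRuleGroup hunk, so a named constant would keep both sites in step. DetectRunPrefilterTx starts and ends outside the hunk.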
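Review bot: The store `e->tx_min_progress = (uint8_t)tx_min_progress;` still casts to `uint8_t` although this commit makes the field `int8_t`, so a registered -1 passes through 255 and returns to a signed value only by an implementation-defined conversion. The adjusted check also bounds only the upper end, so a value below -1 would pass it. Assuming the parameter is a plain `int` (the prototype is outside the hunk), `DEBUG_VALIDATE_BUG_ON(tx_min_progress < -1 || tx_min_progress > INT8_MAX);` followed by `e->tx_min_progress = (int8_t)tx_min_progress;` states the accepted range. The macro name suggests a debug-only check; if so, an out-of-range value in other builds would be silently truncated to a different progress, changing when the engine runs.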
@@ -1236,7 +1244,8 @@ int PrefilterSetupRuleGroup(DetectEngineCtx *de_ctx, SigGroupHead *sgh) PrefilterEngine *prev_engine = NULL; engine = sgh->tx_engines; do { - BUG_ON(engine->ctx.tx_min_progress < last_tx_progress); + if (engine->ctx.tx_min_progress != -1) + BUG_ON(engine->ctx.tx_min_progress < last_tx_progress); if (engine->alproto == a) { if (last_tx_progress_set && engine->ctx.tx_min_progress > last_tx_progress) { if (prev_engine) { diff --git a/src/detect.h b/src/detect.h index 4c353c1a6d..9abb96be9d 100644 --- a/src/detect.h +++ b/src/detect.h @@ -1454,8 +1454,8 @@ typedef struct PrefilterEngineList_ { /** App Proto this engine applies to: only used with Tx Engines */ AppProto alproto; /** Minimal Tx progress we need before running the engine. Only used - * with Tx Engine */ - uint8_t tx_min_progress; + * with Tx Engine. Set to -1 for all states. */ + int8_t tx_min_progress; uint8_t frame_type; @@ -1495,8 +1495,8 @@ typedef struct PrefilterEngine_ { uint8_t hook; /**< enum SignatureHookPkt */ } pkt; /** Minimal Tx progress we need before running the engine. Only used - * with Tx Engine */ - uint8_t tx_min_progress; + * with Tx Engine. Set to -1 for all states. */ + int8_t tx_min_progress; uint8_t frame_type; } ctx;
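Review bot: The added `if (engine->ctx.tx_min_progress != -1)` guards a macro call without braces; folding the sentinel into the assertion keeps it a single statement: `BUG_ON(engine->ctx.tx_min_progress != -1 && engine->ctx.tx_min_progress < last_tx_progress);`. The loop body continues outside the hunk, so how `last_tx_progress` is updated after a -1 engine is not visible here. If it is assigned from `tx_min_progress` and has an unsigned type, -1 would become a large value and trip this check for the next engine. A short comment stating where -1 engines are expected to sit in the sorted engine list would make the ordering assumption reviewable.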