dd->dsize, dd->dsize2, dd->mode);
/* tell the sig it has a dsize to speed up engine init */
s->flags |= SIG_FLAG_REQUIRE_PACKET;
+ s->flags |= SIG_FLAG_DSIZE;
+
+ if (s->dsize_sm == NULL) {
+ s->dsize_sm = sm;
+ }
return 0;
return;
}
+static int SigParseGetMaxDsize(Signature *s) {
+ if (s->flags & SIG_FLAG_DSIZE && s->dsize_sm != NULL) {
+ DetectDsizeData *dd = (DetectDsizeData *)s->dsize_sm->ctx;
+
+ switch (dd->mode) {
+ case DETECTDSIZE_LT:
+ case DETECTDSIZE_EQ:
+ return dd->dsize;
+ case DETECTDSIZE_RA:
+ return dd->dsize2;
+ case DETECTDSIZE_GT:
+ default:
+ SCReturnInt(-2);
+ }
+ }
+ SCReturnInt(-1);
+}
+
+/**
+ * \brief Apply dsize as depth to content matches in the rule
+ */
+static int SigParseApplyDsizeToContent(Signature *s) {
+ SCEnter();
+
+ if (s->flags & SIG_FLAG_DSIZE) {
+ int dsize = SigParseGetMaxDsize(s);
+
+ if (dsize < 0) {
+ /* nothing to do */
+ return 0;
+ }
+
+ SigMatch *sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ for ( ; sm != NULL; sm = sm->next) {
+ if (sm->type != DETECT_CONTENT) {
+ continue;
+ }
+
+ DetectContentData *cd = (DetectContentData *)sm->ctx;
+ if (cd == NULL) {
+ continue;
+ }
+
+ if (cd->depth == 0 || cd->depth >= dsize) {
+ cd->depth = (uint16_t)dsize;
+ SCLogDebug("updated %u, content %u to have depth %u "
+ "because of dsize.", s->id, cd->id, cd->depth);
+ }
+ }
+ }
+
+ SCReturnInt(0);
+}
+
/**
* \brief Add all signatures to their own source address group
*
cnt++;
}
+ SigParseApplyDsizeToContent(tmp_s);
+
de_ctx->sig_cnt++;
}
projects / thirdparty / suricata.git / commitdiff
