fix for bug #577.
authorAnoop Saldanha <anoopsaldanha@gmail.com>
Tue, 2 Oct 2012 15:43:35 +0000 (21:13 +0530)
committerVictor Julien <victor@inliniac.net>
Wed, 3 Oct 2012 14:31:01 +0000 (16:31 +0200)
If a pattern has matched on mpm, don't re-inspect it later, subject to certain
conditions met by the pattern - namely, not negated, right chop, no replace
attached to it.

src/detect-content.h
src/detect-engine-content-inspection.c
src/detect-engine-mpm.c

index 83500f08a6639484fd85a4d61b2e5b8ba2e66810..a3d478e88c1d865cc05dc1254017ecb0f5dbe1f5 100644 (file)
 
 /* Flags affecting this content */
 
-#define DETECT_CONTENT_NOCASE            0x00000001
-#define DETECT_CONTENT_DISTANCE          0x00000002
-#define DETECT_CONTENT_WITHIN            0x00000004
-#define DETECT_CONTENT_OFFSET            0x00000008
-#define DETECT_CONTENT_DEPTH             0x00000010
-#define DETECT_CONTENT_FAST_PATTERN      0x00000020
-#define DETECT_CONTENT_FAST_PATTERN_ONLY 0x00000040
-#define DETECT_CONTENT_FAST_PATTERN_CHOP 0x00000080
+#define DETECT_CONTENT_NOCASE            (1)
+#define DETECT_CONTENT_DISTANCE          (1 << 1)
+#define DETECT_CONTENT_WITHIN            (1 << 2)
+#define DETECT_CONTENT_OFFSET            (1 << 3)
+#define DETECT_CONTENT_DEPTH             (1 << 4)
+#define DETECT_CONTENT_FAST_PATTERN      (1 << 5)
+#define DETECT_CONTENT_FAST_PATTERN_ONLY (1 << 6)
+#define DETECT_CONTENT_FAST_PATTERN_CHOP (1 << 7)
 /** content applies to a "raw"/undecoded field if applicable */
-#define DETECT_CONTENT_RAWBYTES          0x00000100
+#define DETECT_CONTENT_RAWBYTES          (1 << 8)
 /** content is negated */
-#define DETECT_CONTENT_NEGATED           0x00000200
+#define DETECT_CONTENT_NEGATED           (1 << 9)
 
 /** a relative match to this content is next, used in matching phase */
-#define DETECT_CONTENT_RELATIVE_NEXT     0x00000400
-
-#define DETECT_CONTENT_PACKET_MPM        0x00000800
-#define DETECT_CONTENT_STREAM_MPM        0x00001000
-#define DETECT_CONTENT_URI_MPM           0x00002000
-#define DETECT_CONTENT_HCBD_MPM          0x00004000
-#define DETECT_CONTENT_HSBD_MPM          0x00008000
-#define DETECT_CONTENT_HHD_MPM           0x00010000
-#define DETECT_CONTENT_HRHD_MPM          0x00020000
-#define DETECT_CONTENT_HMD_MPM           0x00040000
-#define DETECT_CONTENT_HCD_MPM           0x00080000
-#define DETECT_CONTENT_HRUD_MPM          0x00100000
-#define DETECT_CONTENT_HSMD_MPM          0x00200000
-#define DETECT_CONTENT_HSCD_MPM          0x00400000
-#define DETECT_CONTENT_HUAD_MPM          0x00800000
+#define DETECT_CONTENT_RELATIVE_NEXT     (1 << 10)
 
 /* BE - byte extract */
-#define DETECT_CONTENT_OFFSET_BE         0x01000000
-#define DETECT_CONTENT_DEPTH_BE          0x02000000
-#define DETECT_CONTENT_DISTANCE_BE       0x04000000
-#define DETECT_CONTENT_WITHIN_BE         0x08000000
+#define DETECT_CONTENT_OFFSET_BE         (1 << 11)
+#define DETECT_CONTENT_DEPTH_BE          (1 << 12)
+#define DETECT_CONTENT_DISTANCE_BE       (1 << 13)
+#define DETECT_CONTENT_WITHIN_BE         (1 << 14)
 
 /* replace data */
-#define DETECT_CONTENT_REPLACE           0x10000000
+#define DETECT_CONTENT_REPLACE           (1 << 15)
+/* this flag is set during the staging phase.  It indicates that a content
+ * has been added to the mpm phase and requires no further inspection inside
+ * the inspection phase */
+#define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED (1 << 16)
 
 #define DETECT_CONTENT_IS_SINGLE(c) (!((c)->flags & DETECT_CONTENT_DISTANCE || \
                                        (c)->flags & DETECT_CONTENT_WITHIN || \
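Review bot: The comment on `DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED` says only that the content "has been added to the mpm phase", which understates when skipping verification is sound. As the flag is set in detect-engine-mpm.c, it also requires the content to be single, not negated, without replace and, for a chopped fast pattern, `content_len == fp_chop_len`. I would state that in the comment, e.g. `/* set at staging: the whole pattern is in the mpm and it is single, not negated and has no replace, so an mpm hit needs no re-check */`. Separately, the new `(1 << n)` values shift a signed int; writing them as `(1U << 16)` keeps the set well defined if it ever grows back to bit 31. The hunk ends inside the DETECT_CONTENT_IS_SINGLE macro, whose remaining terms are not visible here.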
index d9151c7b3cf5252d346f8e0f9d84d97a4a9bfc08..6956052f148fd0ea3b8e15ad3dbfbab985c13bea 100644 (file)
@@ -116,10 +116,8 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
         /* we might have already have this content matched by the mpm.
          * (if there is any other reason why we'd want to avoid checking
          *  it here, please fill it in) */
-        if (inspection_mode == DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM) {
-            if (cd->flags & DETECT_CONTENT_STREAM_MPM && !(cd->flags & DETECT_CONTENT_NEGATED)) {
-                goto match;
-            }
+        if (cd->flags & DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED) {
+            goto match;
         }
 
         /* rule parsers should take care of this */
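Review bot: The shortcut `if (cd->flags & DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED) goto match;` is now taken in every inspection mode, where the removed code took it only for DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM together with the stream-specific flag. The new flag is recorded per content rather than per buffer, so the result is a true match only if the signature got here through an mpm hit on the buffer being inspected. That appears to be the intent, but nothing in the hunk checks it, and a wrong assumption would show up as alerts on data that does not contain the pattern. The context comment above still asks for reasons to be filled in; I would replace it with the invariant, e.g. `/* mpm already matched the full pattern (single, not negated, no replace), so no re-verification is needed in any mode */`. The function body starts and continues outside the hunk.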
index b0f3170b6eb2c03916cedab311a535ebb73f4fe3..d921de34ee7712ef7b837d27ec23f30314dca4fa 100644 (file)
@@ -1258,6 +1258,13 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
         {
             cd = (DetectContentData *)mpm_sm->ctx;
             if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
+                if (DETECT_CONTENT_IS_SINGLE(cd) &&
+                    !(cd->flags & DETECT_CONTENT_NEGATED) &&
+                    !(cd->flags & DETECT_CONTENT_REPLACE) &&
+                    cd->content_len == cd->fp_chop_len) {
+                    cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
+                }
+
                 /* add the content to the "packet" mpm */
                 if (SignatureHasPacketContent(s)) {
                     if (s->proto.proto[6 / 8] & 1 << (6 % 8)) {
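Review bot: The eligibility test for `DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED` added here is written out four times in PopulateMpmAddPatternToMpm (this hunk and the hunks at -1341, -1575 and -1615), twice with the `content_len == fp_chop_len` term and twice without. Because the flag switches off match verification in the inspection phase, a later edit that updates one copy and misses another would silently change detection for one buffer type only. A single static helper keeps the rule in one place; the helper name in the sketch below is a placeholder. The function body extends beyond this hunk.

```c
/* Non-zero when an mpm hit alone proves the content match, so the
 * inspection phase does not need to re-check it. */
static inline int ContentNeedsNoReinspection(const DetectContentData *cd)
{
    if (!DETECT_CONTENT_IS_SINGLE(cd))
        return 0;
    if (cd->flags & (DETECT_CONTENT_NEGATED | DETECT_CONTENT_REPLACE))
        return 0;
    /* a chopped fast pattern only counts if the chop covers the whole content */
    if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP)
        return cd->content_len == cd->fp_chop_len;
    return 1;
}

/* ... unchanged: cd = (DetectContentData *)mpm_sm->ctx; ... */
            if (ContentNeedsNoReinspection(cd))
                cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
/* ... unchanged: FAST_PATTERN_CHOP / else branches adding the pattern to the mpm ... */
```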
@@ -1341,23 +1348,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
                     }
                 }
             } else {
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
-                    if (DETECT_CONTENT_IS_SINGLE(cd)) {
-                        if (SignatureHasPacketContent(s))
-                            cd->flags |= DETECT_CONTENT_PACKET_MPM;
-                        if (SignatureHasStreamContent(s))
-                            cd->flags |= DETECT_CONTENT_STREAM_MPM;
-                    }
-
-                    /* see if we can bypass the match validation for this pattern */
-                } else {
-                    if (DETECT_CONTENT_IS_SINGLE(cd)) {
-                        if (SignatureHasPacketContent(s))
-                            cd->flags |= DETECT_CONTENT_PACKET_MPM;
-                        if (SignatureHasStreamContent(s))
-                            cd->flags |= DETECT_CONTENT_STREAM_MPM;
-                    }
-                } /* else - if (co->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) */
+                if (DETECT_CONTENT_IS_SINGLE(cd) &&
+                    !(cd->flags & DETECT_CONTENT_NEGATED) &&
+                    !(cd->flags & DETECT_CONTENT_REPLACE)) {
+                    cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
+                }
 
                 if (SignatureHasPacketContent(s)) {
                     /* add the content to the "packet" mpm */
@@ -1464,7 +1459,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
             MpmCtx *mpm_ctx_ts = NULL;
             MpmCtx *mpm_ctx_tc = NULL;
             uint32_t sgh_flags = 0;
-            uint32_t cd_flags = 0;
             uint32_t sig_flags = 0;
 
             cd = (DetectContentData *)mpm_sm->ctx;
@@ -1475,7 +1469,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
                 if (s->flags & SIG_FLAG_TOCLIENT)
                     mpm_ctx_tc = sgh->mpm_uri_ctx_tc;
                 sgh_flags = SIG_GROUP_HEAD_MPM_URI;
-                cd_flags = DETECT_CONTENT_URI_MPM;
                 sig_flags |= SIG_FLAG_MPM_HTTP;
                 if (cd->flags & DETECT_CONTENT_NEGATED)
                     sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1485,7 +1478,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
                 if (s->flags & SIG_FLAG_TOCLIENT)
                     mpm_ctx_tc = sgh->mpm_hcbd_ctx_tc;
                 sgh_flags = SIG_GROUP_HEAD_MPM_HCBD;
-                cd_flags = DETECT_CONTENT_HCBD_MPM;
                 sig_flags |= SIG_FLAG_MPM_HTTP;
                 if (cd->flags & DETECT_CONTENT_NEGATED)
                     sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1495,7 +1487,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
                 if (s->flags & SIG_FLAG_TOCLIENT)
                     mpm_ctx_tc = sgh->mpm_hsbd_ctx_tc;
                 sgh_flags = SIG_GROUP_HEAD_MPM_HSBD;
-                cd_flags = DETECT_CONTENT_HSBD_MPM;
                 sig_flags |= SIG_FLAG_MPM_HTTP;
                 if (cd->flags & DETECT_CONTENT_NEGATED)
                     sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1505,7 +1496,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
                 if (s->flags & SIG_FLAG_TOCLIENT)
                     mpm_ctx_tc = sgh->mpm_hhd_ctx_tc;
                 sgh_flags = SIG_GROUP_HEAD_MPM_HHD;
-                cd_flags = DETECT_CONTENT_HHD_MPM;
                 sig_flags |= SIG_FLAG_MPM_HTTP;
                 if (cd->flags & DETECT_CONTENT_NEGATED)
                     sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1515,7 +1505,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
                 if (s->flags & SIG_FLAG_TOCLIENT)
                     mpm_ctx_tc = sgh->mpm_hrhd_ctx_tc;
                 sgh_flags = SIG_GROUP_HEAD_MPM_HRHD;
-                cd_flags = DETECT_CONTENT_HRHD_MPM;
                 sig_flags |= SIG_FLAG_MPM_HTTP;
                 if (cd->flags & DETECT_CONTENT_NEGATED)
                     sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1525,7 +1514,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
                 if (s->flags & SIG_FLAG_TOCLIENT)
                     mpm_ctx_tc = sgh->mpm_hmd_ctx_tc;
                 sgh_flags = SIG_GROUP_HEAD_MPM_HMD;
-                cd_flags = DETECT_CONTENT_HMD_MPM;
                 sig_flags |= SIG_FLAG_MPM_HTTP;
                 if (cd->flags & DETECT_CONTENT_NEGATED)
                     sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1535,7 +1523,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
                 if (s->flags & SIG_FLAG_TOCLIENT)
                     mpm_ctx_tc = sgh->mpm_hcd_ctx_tc;
                 sgh_flags = SIG_GROUP_HEAD_MPM_HCD;
-                cd_flags = DETECT_CONTENT_HCD_MPM;
                 sig_flags |= SIG_FLAG_MPM_HTTP;
                 if (cd->flags & DETECT_CONTENT_NEGATED)
                     sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1545,7 +1532,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
                 if (s->flags & SIG_FLAG_TOCLIENT)
                     mpm_ctx_tc = sgh->mpm_hrud_ctx_tc;
                 sgh_flags = SIG_GROUP_HEAD_MPM_HRUD;
-                cd_flags = DETECT_CONTENT_HRUD_MPM;
                 sig_flags |= SIG_FLAG_MPM_HTTP;
                 if (cd->flags & DETECT_CONTENT_NEGATED)
                     sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1555,7 +1541,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
                 if (s->flags & SIG_FLAG_TOCLIENT)
                     mpm_ctx_tc = sgh->mpm_hsmd_ctx_tc;
                 sgh_flags = SIG_GROUP_HEAD_MPM_HSMD;
-                cd_flags = DETECT_CONTENT_HSMD_MPM;
                 sig_flags |= SIG_FLAG_MPM_HTTP;
                 if (cd->flags & DETECT_CONTENT_NEGATED)
                     sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1565,7 +1550,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
                 if (s->flags & SIG_FLAG_TOCLIENT)
                     mpm_ctx_tc = sgh->mpm_hscd_ctx_tc;
                 sgh_flags = SIG_GROUP_HEAD_MPM_HSCD;
-                cd_flags = DETECT_CONTENT_HSCD_MPM;
                 sig_flags |= SIG_FLAG_MPM_HTTP;
                 if (cd->flags & DETECT_CONTENT_NEGATED)
                     sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1575,13 +1559,19 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
                 if (s->flags & SIG_FLAG_TOCLIENT)
                     mpm_ctx_tc = sgh->mpm_huad_ctx_tc;
                 sgh_flags = SIG_GROUP_HEAD_MPM_HUAD;
-                cd_flags = DETECT_CONTENT_HUAD_MPM;
                 sig_flags |= SIG_FLAG_MPM_HTTP;
                 if (cd->flags & DETECT_CONTENT_NEGATED)
                     sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
             }
 
             if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
+                if (DETECT_CONTENT_IS_SINGLE(cd) &&
+                    !(cd->flags & DETECT_CONTENT_NEGATED) &&
+                    !(cd->flags & DETECT_CONTENT_REPLACE) &&
+                    cd->content_len == cd->fp_chop_len) {
+                    cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
+                }
+
                 /* add the content to the mpm */
                 if (cd->flags & DETECT_CONTENT_NOCASE) {
                     if (mpm_ctx_ts != NULL) {
@@ -1615,17 +1605,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
                     }
                 }
             } else {
-                if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
-                    if (DETECT_CONTENT_IS_SINGLE(cd)) {
-                        cd->flags |= cd_flags;
-                    }
-
-                    /* see if we can bypass the match validation for this pattern */
-                } else {
-                    if (DETECT_CONTENT_IS_SINGLE(cd)) {
-                        cd->flags |= cd_flags;
-                    }
-                } /* else - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) */
+                if (DETECT_CONTENT_IS_SINGLE(cd) &&
+                    !(cd->flags & DETECT_CONTENT_NEGATED) &&
+                    !(cd->flags & DETECT_CONTENT_REPLACE)) {
+                    cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
+                }
 
                 /* add the content to the "uri" mpm */
                 if (cd->flags & DETECT_CONTENT_NOCASE) {