detect: skip pseudo packets if sig needs real pkt

If a signature uses a condition that requires a real packet, filter
out pseudo packets as early as possible. To do this, the SignatureMask
logic is used.

This allows for the removal of checks for pseudo packets in individual
keywords `Match` functions, which will be done in a follow up commit.

Update analyzer to output the new flag.

Ticket: #7002.

diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index 8e90f7796af5def5b4fc96f96da72f13a926a75c..3ae77526db0815e57f308d9ae0e0e1d712d9e35e 100644 (file)
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -973,6 +973,9 @@ void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s)
     if (s->mask & SIG_MASK_REQUIRE_ENGINE_EVENT) {
         jb_append_string(ctx.js, "engine_event");
     }
+    if (s->mask & SIG_MASK_REQUIRE_REAL_PKT) {
+        jb_append_string(ctx.js, "real_pkt");
+    }
     jb_close(ctx.js);
 
     switch (s->type) {

diff --git a/src/detect-engine-build.c b/src/detect-engine-build.c
index f28b0219cc4571cb03aff6be8f977d57af25496f..f4bc4b653bef2d6f6401eafccf4425e9465dc494 100644 (file)
--- a/src/detect-engine-build.c
+++ b/src/detect-engine-build.c
@@ -406,6 +406,9 @@ void
 PacketCreateMask(Packet *p, SignatureMask *mask, AppProto alproto,
         bool app_decoder_events)
 {
+    if (!(PKT_IS_PSEUDOPKT(p))) {
+        (*mask) |= SIG_MASK_REQUIRE_REAL_PKT;
+    }
     if (!(p->flags & PKT_NOPAYLOAD_INSPECTION) && p->payload_len > 0) {
         SCLogDebug("packet has payload");
         (*mask) |= SIG_MASK_REQUIRE_PAYLOAD;
@@ -442,6 +445,10 @@ static int SignatureCreateMask(Signature *s)
 {
     SCEnter();
 
+    if ((s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM)) ==
+            SIG_FLAG_REQUIRE_PACKET) {
+        s->mask |= SIG_MASK_REQUIRE_REAL_PKT;
+    }
     if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL) {
         s->mask |= SIG_MASK_REQUIRE_PAYLOAD;
         SCLogDebug("sig requires payload");

diff --git a/src/detect.h b/src/detect.h
index 87a4219de9175ed566e64328e6d8dca1f9738369..eb90872c800d3c3ffd3797c4f18c8a4363f9526e 100644 (file)
--- a/src/detect.h
+++ b/src/detect.h
@@ -303,7 +303,8 @@ typedef struct DetectPort_ {
 #define SIG_MASK_REQUIRE_FLAGS_INITDEINIT   BIT_U8(2)    /* SYN, FIN, RST */
 #define SIG_MASK_REQUIRE_FLAGS_UNUSUAL      BIT_U8(3)    /* URG, ECN, CWR */
 #define SIG_MASK_REQUIRE_NO_PAYLOAD         BIT_U8(4)
-// vacancy 2x
+#define SIG_MASK_REQUIRE_REAL_PKT           BIT_U8(5)
+// vacancy 1x
 #define SIG_MASK_REQUIRE_ENGINE_EVENT       BIT_U8(7)
 
 /* for now a uint8_t is enough */