From: Victor Julien Date: Mon, 18 Aug 2014 14:05:16 +0000 (+0200) Subject: detect: Add negated MPM to non-MPM array X-Git-Tag: suricata-2.1beta3~47 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1f57e25c0324fc32a2fb9dc457f7282687256ee3;p=thirdparty%2Fsuricata.git detect: Add negated MPM to non-MPM array Treat negated MPM sigs as if non-MPM, so we consider them always. As MPM results and non-MPM rules lists are now merged and considered for further inspection, rules that need to be considerd when a pattern is absent are caught in the middle. As a HACK/workaround this patch adds them to the non-MPM list. This causes them to be inspected each time.
---
diff --git a/src/detect-engine-siggroup.c b/src/detect-engine-siggroup.c
index 3dc16d46b4..f5397baa26 100644
--- a/src/detect-engine-siggroup.c
+++ b/src/detect-engine-siggroup.c
@@ -1721,6 +1721,8 @@ int SigGroupHeadBuildNonMpmArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 if (s->mpm_sm == NULL)
 non_mpm++;
+ else if (s->flags & (SIG_FLAG_MPM_PACKET_NEG|SIG_FLAG_MPM_STREAM_NEG|SIG_FLAG_MPM_APPLAYER_NEG))
+ non_mpm++;
 }
 if (non_mpm == 0) {
@@ -1736,11 +1738,14 @@ int SigGroupHeadBuildNonMpmArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 s = sgh->match_array[sig];
 if (s == NULL)
 continue;
- if (s->mpm_sm != NULL)
- continue;
- BUG_ON(sgh->non_mpm_id_cnt >= non_mpm);
- sgh->non_mpm_id_array[sgh->non_mpm_id_cnt++] = s->num;
+ if (s->mpm_sm == NULL) {
+ BUG_ON(sgh->non_mpm_id_cnt >= non_mpm);
+ sgh->non_mpm_id_array[sgh->non_mpm_id_cnt++] = s->num;
+ } else if (s->flags & (SIG_FLAG_MPM_PACKET_NEG|SIG_FLAG_MPM_STREAM_NEG|SIG_FLAG_MPM_APPLAYER_NEG)) {
+ BUG_ON(sgh->non_mpm_id_cnt >= non_mpm);
+ sgh->non_mpm_id_array[sgh->non_mpm_id_cnt++] = s->num;
+ }
 }
 return 0;
 }
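Review bot: The negated-MPM flag test is spelled out twice, in the counting loop of this hunk and again in the fill loop of the second hunk, and the two must select exactly the same signatures because the first pass produces the `non_mpm` count that bounds what the second pass writes into `sgh->non_mpm_id_array`. If the two copies ever drift apart, `BUG_ON(sgh->non_mpm_id_cnt >= non_mpm)` is the only guard between a miscount and a store past the end of the array, and whether `BUG_ON` stays active in every build is not visible from this patch. Naming the mask once, for example `#define SIG_FLAG_MPM_NEG_MASK (SIG_FLAG_MPM_PACKET_NEG|SIG_FLAG_MPM_STREAM_NEG|SIG_FLAG_MPM_APPLAYER_NEG)` (a proposed name), and testing `s->flags & SIG_FLAG_MPM_NEG_MASK` in both loops would keep them in step. The function body starts and ends outside this hunk.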
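Review bot: Both branches of the new `if`/`else if` in the fill loop run the same two statements, so they can be merged into `if (s->mpm_sm == NULL || (s->flags & (SIG_FLAG_MPM_PACKET_NEG|SIG_FLAG_MPM_STREAM_NEG|SIG_FLAG_MPM_APPLAYER_NEG))) {` with a single `BUG_ON` and a single store. The commit message calls this a HACK/workaround, but nothing in the code records it. A comment above the test such as `/* HACK: negated MPM sigs must be considered when the pattern is absent, so list them as non-MPM; they are inspected every time */` would tell the next maintainer why these rules are in the non-MPM list and that the extra inspection cost is deliberate. The loop header lies outside the hunk.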