From: Victor Julien
Date: Wed, 18 May 2011 17:07:51 +0000 (+0200)
Subject: For signatures with the dsize option set depth on any content match in that sig.
X-Git-Tag: suricata-1.4beta3~98
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=45cbef0735b4fc70d57af7df0d99114c2f28ccdf;p=thirdparty%2Fsuricata.git
For signatures with the dsize option set depth on any content match in that sig.
---
diff --git a/src/detect-dsize.c b/src/detect-dsize.c
index d033fd52f9..667fe06184 100644
--- a/src/detect-dsize.c
+++ b/src/detect-dsize.c
@@ -306,6 +306,11 @@ static int DetectDsizeSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr
dd->dsize, dd->dsize2, dd->mode);
/* tell the sig it has a dsize to speed up engine init */
s->flags |= SIG_FLAG_REQUIRE_PACKET;
+ s->flags |= SIG_FLAG_DSIZE;
+
+ if (s->dsize_sm == NULL) {
+ s->dsize_sm = sm;
+ }
return 0;
diff --git a/src/detect.c b/src/detect.c
index 484c0671a7..834ecf5d1c 100644
--- a/src/detect.c
+++ b/src/detect.c
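Review bot: The `if (s->dsize_sm == NULL)` guard means only the first dsize keyword of a rule is recorded in s->dsize_sm, and nothing says so; a comment such as `/* keep only the first dsize: engine init derives a content depth from it */` would make the intent explicit. If a rule may carry several dsize keywords (not visible here), ignoring the later ones is still safe for the depth derivation, because a payload that satisfies every dsize also satisfies the first, but a rule written as `dsize:>64; dsize:<512;` then gets no depth at all since the first keyword has no upper bound. The guard also relies on dsize_sm being NULL when the Signature is allocated, which this diff does not show. DetectDsizeSetup begins before the hunk, where `sm` is created.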
@@ -2628,6 +2628,60 @@ static void SigInitStandardMpmFactoryContexts(DetectEngineCtx *de_ctx)
return;
}
+static int SigParseGetMaxDsize(Signature *s) {
+ if (s->flags & SIG_FLAG_DSIZE && s->dsize_sm != NULL) {
+ DetectDsizeData *dd = (DetectDsizeData *)s->dsize_sm->ctx;
+
+ switch (dd->mode) {
+ case DETECTDSIZE_LT:
+ case DETECTDSIZE_EQ:
+ return dd->dsize;
+ case DETECTDSIZE_RA:
+ return dd->dsize2;
+ case DETECTDSIZE_GT:
+ default:
+ SCReturnInt(-2);
+ }
+ }
+ SCReturnInt(-1);
+}
+
+/**
+ * \brief Apply dsize as depth to content matches in the rule
+ */
+static int SigParseApplyDsizeToContent(Signature *s) {
+ SCEnter();
+
+ if (s->flags & SIG_FLAG_DSIZE) {
+ int dsize = SigParseGetMaxDsize(s);
+
+ if (dsize < 0) {
+ /* nothing to do */
+ return 0;
+ }
+
+ SigMatch *sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ for ( ; sm != NULL; sm = sm->next) {
+ if (sm->type != DETECT_CONTENT) {
+ continue;
+ }
+
+ DetectContentData *cd = (DetectContentData *)sm->ctx;
+ if (cd == NULL) {
+ continue;
+ }
+
+ if (cd->depth == 0 || cd->depth >= dsize) {
+ cd->depth = (uint16_t)dsize;
+ SCLogDebug("updated %u, content %u to have depth %u "
+ "because of dsize.", s->id, cd->id, cd->depth);
+ }
+ }
+ }
+
+ SCReturnInt(0);
+}
+
/**
* \brief Add all signatures to their own source address group
*
@@ -2750,6 +2804,8 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) {
cnt++;
}
+ SigParseApplyDsizeToContent(tmp_s);
+
de_ctx->sig_cnt++;
}
diff --git a/src/detect.h b/src/detect.h
index 3292a65618..545d05674a 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -454,6 +454,8 @@ typedef struct Signature_ {
/* used to hold flags that are predominantly used during init */
uint32_t init_flags;
+ SigMatch *dsize_sm;
+
/** ptr to the next sig in the list */
struct Signature_ *next;
} Signature;
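Review bot: SigParseGetMaxDsize returns -1 for "no dsize" and -2 for "dsize without an upper bound", and SigParseApplyDsizeToContent folds both into `if (dsize < 0)` without a word of explanation; a header comment on the helper, roughly `/** \brief Largest payload length the sig's dsize allows (LT/EQ: dsize, RA: dsize2); -1 when the sig has no dsize, -2 when it has no upper bound (GT) */`, would document the contract the caller depends on. Tightening cd->depth is only safe while the content is searched in the same packet payload whose length dsize constrains; if a dsize rule can also be inspected against reassembled stream data (not visible in this diff), the derived depth would cut the search short in that larger buffer and silently suppress matches, so that assumption belongs in the \brief and should be confirmed. With an upper bound of 0 (for example `dsize:0`, if that parses) the `cd->depth >= dsize` test is always true and a user-supplied depth is reset to 0, i.e. unlimited; `if (dsize <= 0)` for the nothing-to-do check avoids that. The `return 0;` in that branch also skips the SCReturnInt() exit used after SCEnter() elsewhere in the function, and SigParseGetMaxDsize mixes `return dd->dsize;` with SCReturnInt() without any SCEnter(); using SCReturnInt() consistently keeps the debug enter/exit trace balanced. Both new functions lie entirely within the hunk.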
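Review bot: The result of `SigParseApplyDsizeToContent(tmp_s);` is dropped at the call site although the callee is declared int; since it only ever returns 0 in this diff, either declare it void or check the value so a future error path is not silently ignored. SigAddressPrepareStage1 starts outside the hunk, so whether this runs before the fast-pattern/MPM setup that would benefit from the tightened depth cannot be seen here and is worth confirming.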
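Review bot: The new `SigMatch *dsize_sm;` member is added without a comment while its neighbours in Signature_ are documented; suggest `/** first dsize SigMatch of the sig, set by DetectDsizeSetup and read at engine init to derive a content depth; NULL when the sig has no dsize */`. DetectDsizeSetup only assigns the field when it is NULL, so this relies on Signature being zero-initialised at allocation, which is outside this diff and should be confirmed. The struct definition starts before the hunk.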