From: Anoop Saldanha Date: Tue, 2 Oct 2012 15:43:35 +0000 (+0530) Subject: fix for bug #577. X-Git-Tag: suricata-1.4beta2~12 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=51c9955c7943ea84076de12bfec37d1d26e90143;p=thirdparty%2Fsuricata.git fix for bug #577. If a pattern has matched on mpm, don't re-inspect it later, subject to certain conditions met by the pattern - namely, not negated, a fast_pattern chop (if any) that covers the whole content, and no replace attached to it. --- diff --git a/src/detect-content.h b/src/detect-content.h index 83500f08a6..a3d478e88c 100644 --- a/src/detect-content.h +++ b/src/detect-content.h 
@@ -26,44 +26,34 @@
 /* Flags affecting this content */
-#define DETECT_CONTENT_NOCASE 0x00000001
-#define DETECT_CONTENT_DISTANCE 0x00000002
-#define DETECT_CONTENT_WITHIN 0x00000004
-#define DETECT_CONTENT_OFFSET 0x00000008
-#define DETECT_CONTENT_DEPTH 0x00000010
-#define DETECT_CONTENT_FAST_PATTERN 0x00000020
-#define DETECT_CONTENT_FAST_PATTERN_ONLY 0x00000040
-#define DETECT_CONTENT_FAST_PATTERN_CHOP 0x00000080
+#define DETECT_CONTENT_NOCASE (1)
+#define DETECT_CONTENT_DISTANCE (1 << 1)
+#define DETECT_CONTENT_WITHIN (1 << 2)
+#define DETECT_CONTENT_OFFSET (1 << 3)
+#define DETECT_CONTENT_DEPTH (1 << 4)
+#define DETECT_CONTENT_FAST_PATTERN (1 << 5)
+#define DETECT_CONTENT_FAST_PATTERN_ONLY (1 << 6)
+#define DETECT_CONTENT_FAST_PATTERN_CHOP (1 << 7)
 /** content applies to a "raw"/undecoded field if applicable */
-#define DETECT_CONTENT_RAWBYTES 0x00000100
+#define DETECT_CONTENT_RAWBYTES (1 << 8)
 /** content is negated */
-#define DETECT_CONTENT_NEGATED 0x00000200
+#define DETECT_CONTENT_NEGATED (1 << 9)
 /** a relative match to this content is next, used in matching phase */
-#define DETECT_CONTENT_RELATIVE_NEXT 0x00000400
-
-#define DETECT_CONTENT_PACKET_MPM 0x00000800
-#define DETECT_CONTENT_STREAM_MPM 0x00001000
-#define DETECT_CONTENT_URI_MPM 0x00002000
-#define DETECT_CONTENT_HCBD_MPM 0x00004000
-#define DETECT_CONTENT_HSBD_MPM 0x00008000
-#define DETECT_CONTENT_HHD_MPM 0x00010000
-#define DETECT_CONTENT_HRHD_MPM 0x00020000
-#define DETECT_CONTENT_HMD_MPM 0x00040000
-#define DETECT_CONTENT_HCD_MPM 0x00080000
-#define DETECT_CONTENT_HRUD_MPM 0x00100000
-#define DETECT_CONTENT_HSMD_MPM 0x00200000
-#define DETECT_CONTENT_HSCD_MPM 0x00400000
-#define DETECT_CONTENT_HUAD_MPM 0x00800000
+#define DETECT_CONTENT_RELATIVE_NEXT (1 << 10)
 /* BE - byte extract */
-#define DETECT_CONTENT_OFFSET_BE 0x01000000
-#define DETECT_CONTENT_DEPTH_BE 0x02000000
-#define DETECT_CONTENT_DISTANCE_BE 0x04000000
-#define DETECT_CONTENT_WITHIN_BE 0x08000000
+#define 
DETECT_CONTENT_OFFSET_BE (1 << 11)
+#define DETECT_CONTENT_DEPTH_BE (1 << 12)
+#define DETECT_CONTENT_DISTANCE_BE (1 << 13)
+#define DETECT_CONTENT_WITHIN_BE (1 << 14)
 /* replace data */
-#define DETECT_CONTENT_REPLACE 0x10000000
+#define DETECT_CONTENT_REPLACE (1 << 15)
+/* this flag is set during the staging phase. It indicates that a content
+ * has been added to the mpm phase and requires no further inspection inside
+ * the inspection phase */
+#define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED (1 << 16)
 #define DETECT_CONTENT_IS_SINGLE(c) (!((c)->flags & DETECT_CONTENT_DISTANCE || \
 (c)->flags & DETECT_CONTENT_WITHIN || \
diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c
index d9151c7b3c..6956052f14 100644
--- a/src/detect-engine-content-inspection.c
+++ b/src/detect-engine-content-inspection.c
@@ -116,10 +116,8 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
 /* we might have already have this content matched by the mpm.
 * (if there is any other reason why we'd want to avoid checking
 * it here, please fill it in) */
- if (inspection_mode == DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM) {
- if (cd->flags & DETECT_CONTENT_STREAM_MPM && !(cd->flags & DETECT_CONTENT_NEGATED)) {
- goto match;
- }
+ if (cd->flags & DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED) {
+ goto match;
 }
 /* rule parsers should take care of this */
diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c
index b0f3170b6e..d921de34ee 100644
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
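Review bot: The new comment on DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED says the flag means the content "has been added to the mpm phase", but that is not the invariant the inspection side now relies on: detect-engine-mpm.c sets it only for a content that passes DETECT_CONTENT_IS_SINGLE, is not negated, has no replace and, under fast_pattern chop, has fp_chop_len equal to content_len, so plenty of mpm patterns never get it. Since DetectEngineContentInspection skips the search on this flag alone, the header is where the full precondition belongs, e.g. `/* set at staging time only when an mpm hit on the pattern is by itself proof the content keyword matched: single, not negated, no replace, and any fast_pattern chop covers the whole content; inspection then jumps straight to match. */`. DETECT_CONTENT_IS_SINGLE() is cut off by this hunk after the DISTANCE and WITHIN tests; the bypass is only sound if the macro also tests DETECT_CONTENT_RELATIVE_NEXT, because skipping the search skips whatever records where the content matched for a following relative content. Every bit from DETECT_CONTENT_OFFSET_BE upward is renumbered, which is harmless for code using the macros but would break any unit test that embeds raw flag values, if there are any.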
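Review bot: The replacement guard drops the inspection_mode test, so `goto match` now fires in payload, stream and every HTTP-buffer inspection on the strength of a flag set once per content at staging time, whereas the old code only trusted an mpm hit in stream mode and additionally excluded negated contents at this point. The flag is not tied to the buffer the mpm actually ran on: for a signature where both SignatureHasPacketContent() and SignatureHasStreamContent() hold, the pattern goes into both the packet and the stream mpm and the flag is set either way, so if the engine inspects the packet payload of a signature whose hit came from the reassembled stream (or the reverse), this content is taken as matched without being searched for in the buffer at hand; I cannot see the caller from here, so that deserves confirming before the bypass is widened beyond stream mode. The comment above still invites "other reasons" to be filled in, and I would replace it with the actual contract: `/* staging sets this flag only for single, non-negated, replace-free contents whose whole pattern is in the mpm; the mpm hit that brought us here then proves the match, so skip the search and what follows it */`. DetectEngineContentInspection starts and ends outside this hunk.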
@@ -1258,6 +1258,13 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 {
 cd = (DetectContentData *)mpm_sm->ctx;
 if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
+ if (DETECT_CONTENT_IS_SINGLE(cd) &&
+ !(cd->flags & DETECT_CONTENT_NEGATED) &&
+ !(cd->flags & DETECT_CONTENT_REPLACE) &&
+ cd->content_len == cd->fp_chop_len) {
+ cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
+ }
+
 /* add the content to the "packet" mpm */
 if (SignatureHasPacketContent(s)) {
 if (s->proto.proto[6 / 8] & 1 << (6 % 8)) {
@@ -1341,23 +1348,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 }
 }
 } else {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- if (DETECT_CONTENT_IS_SINGLE(cd)) {
- if (SignatureHasPacketContent(s))
- cd->flags |= DETECT_CONTENT_PACKET_MPM;
- if (SignatureHasStreamContent(s))
- cd->flags |= DETECT_CONTENT_STREAM_MPM;
- }
-
- /* see if we can bypass the match validation for this pattern */
- } else {
- if (DETECT_CONTENT_IS_SINGLE(cd)) {
- if (SignatureHasPacketContent(s))
- cd->flags |= DETECT_CONTENT_PACKET_MPM;
- if (SignatureHasStreamContent(s))
- cd->flags |= DETECT_CONTENT_STREAM_MPM;
- }
- } /* else - if (co->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) */
+ if (DETECT_CONTENT_IS_SINGLE(cd) &&
+ !(cd->flags & DETECT_CONTENT_NEGATED) &&
+ !(cd->flags & DETECT_CONTENT_REPLACE)) {
+ cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
+ }
 if (SignatureHasPacketContent(s)) {
 /* add the content to the "packet" mpm */
@@ -1464,7 +1459,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 MpmCtx *mpm_ctx_ts = NULL;
 MpmCtx *mpm_ctx_tc = NULL;
 uint32_t sgh_flags = 0;
- uint32_t cd_flags = 0;
 uint32_t sig_flags = 0;
 cd = (DetectContentData *)mpm_sm->ctx;
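Review bot: The predicate that decides whether a content may skip re-inspection is written out by hand four times in this commit (the chop and non-chop branches here, and again in the HTTP-buffer function on the later hunks), and the two variants already differ by one term, so a single static helper would keep the invariant in one place and make the next condition a one-line change. The chop test `cd->content_len == cd->fp_chop_len` also assumes fp_chop_offset is zero whenever the lengths are equal, which holds only if the fast_pattern parser rejects a chop that runs past the content; if it does not, the test should include the offset, e.g. `cd->fp_chop_offset == 0 && cd->content_len == cd->fp_chop_len`. PopulateMpmAddPatternToMpm starts and ends outside these hunks.
```c
/* True when an mpm hit on this content's pattern is by itself proof that the
 * content keyword matched, so the inspection phase may skip searching for it:
 * DETECT_CONTENT_IS_SINGLE() holds, the content is neither negated nor carries
 * a replace, and a fast_pattern chop (if any) covers the whole content.
 * Returns 0 otherwise, in which case the content must be inspected normally. */
static int ContentMpmHitProvesMatch(const DetectContentData *cd)
{
    if (!DETECT_CONTENT_IS_SINGLE(cd))
        return 0;
    if (cd->flags & (DETECT_CONTENT_NEGATED | DETECT_CONTENT_REPLACE))
        return 0;
    if ((cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
        cd->content_len != cd->fp_chop_len)
        return 0;
    return 1;
}

/* … unchanged: start of PopulateMpmAddPatternToMpm … */
    if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
        if (ContentMpmHitProvesMatch(cd))
            cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
        /* … unchanged: add the chopped content to the "packet"/"stream" mpm … */
    } else {
        if (ContentMpmHitProvesMatch(cd))
            cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
        /* … unchanged: add the content to the "packet"/"stream" mpm … */
```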
@@ -1475,7 +1469,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 if (s->flags & SIG_FLAG_TOCLIENT)
 mpm_ctx_tc = sgh->mpm_uri_ctx_tc;
 sgh_flags = SIG_GROUP_HEAD_MPM_URI;
- cd_flags = DETECT_CONTENT_URI_MPM;
 sig_flags |= SIG_FLAG_MPM_HTTP;
 if (cd->flags & DETECT_CONTENT_NEGATED)
 sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1485,7 +1478,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 if (s->flags & SIG_FLAG_TOCLIENT)
 mpm_ctx_tc = sgh->mpm_hcbd_ctx_tc;
 sgh_flags = SIG_GROUP_HEAD_MPM_HCBD;
- cd_flags = DETECT_CONTENT_HCBD_MPM;
 sig_flags |= SIG_FLAG_MPM_HTTP;
 if (cd->flags & DETECT_CONTENT_NEGATED)
 sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1495,7 +1487,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 if (s->flags & SIG_FLAG_TOCLIENT)
 mpm_ctx_tc = sgh->mpm_hsbd_ctx_tc;
 sgh_flags = SIG_GROUP_HEAD_MPM_HSBD;
- cd_flags = DETECT_CONTENT_HSBD_MPM;
 sig_flags |= SIG_FLAG_MPM_HTTP;
 if (cd->flags & DETECT_CONTENT_NEGATED)
 sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1505,7 +1496,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 if (s->flags & SIG_FLAG_TOCLIENT)
 mpm_ctx_tc = sgh->mpm_hhd_ctx_tc;
 sgh_flags = SIG_GROUP_HEAD_MPM_HHD;
- cd_flags = DETECT_CONTENT_HHD_MPM;
 sig_flags |= SIG_FLAG_MPM_HTTP;
 if (cd->flags & DETECT_CONTENT_NEGATED)
 sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1515,7 +1505,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 if (s->flags & SIG_FLAG_TOCLIENT)
 mpm_ctx_tc = sgh->mpm_hrhd_ctx_tc;
 sgh_flags = SIG_GROUP_HEAD_MPM_HRHD;
- cd_flags = DETECT_CONTENT_HRHD_MPM;
 sig_flags |= SIG_FLAG_MPM_HTTP;
 if (cd->flags & DETECT_CONTENT_NEGATED)
 sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1525,7 +1514,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 if (s->flags & SIG_FLAG_TOCLIENT)
 mpm_ctx_tc = sgh->mpm_hmd_ctx_tc;
 sgh_flags = SIG_GROUP_HEAD_MPM_HMD;
- cd_flags = DETECT_CONTENT_HMD_MPM;
 sig_flags |= SIG_FLAG_MPM_HTTP;
 if (cd->flags & DETECT_CONTENT_NEGATED)
 sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1535,7 +1523,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 if (s->flags & SIG_FLAG_TOCLIENT)
 mpm_ctx_tc = sgh->mpm_hcd_ctx_tc;
 sgh_flags = SIG_GROUP_HEAD_MPM_HCD;
- cd_flags = DETECT_CONTENT_HCD_MPM;
 sig_flags |= SIG_FLAG_MPM_HTTP;
 if (cd->flags & DETECT_CONTENT_NEGATED)
 sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1545,7 +1532,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 if (s->flags & SIG_FLAG_TOCLIENT)
 mpm_ctx_tc = sgh->mpm_hrud_ctx_tc;
 sgh_flags = SIG_GROUP_HEAD_MPM_HRUD;
- cd_flags = DETECT_CONTENT_HRUD_MPM;
 sig_flags |= SIG_FLAG_MPM_HTTP;
 if (cd->flags & DETECT_CONTENT_NEGATED)
 sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1555,7 +1541,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 if (s->flags & SIG_FLAG_TOCLIENT)
 mpm_ctx_tc = sgh->mpm_hsmd_ctx_tc;
 sgh_flags = SIG_GROUP_HEAD_MPM_HSMD;
- cd_flags = DETECT_CONTENT_HSMD_MPM;
 sig_flags |= SIG_FLAG_MPM_HTTP;
 if (cd->flags & DETECT_CONTENT_NEGATED)
 sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1565,7 +1550,6 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 if (s->flags & SIG_FLAG_TOCLIENT)
 mpm_ctx_tc = sgh->mpm_hscd_ctx_tc;
 sgh_flags = SIG_GROUP_HEAD_MPM_HSCD;
- cd_flags = DETECT_CONTENT_HSCD_MPM;
 sig_flags |= SIG_FLAG_MPM_HTTP;
 if (cd->flags & DETECT_CONTENT_NEGATED)
 sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
@@ -1575,13 +1559,19 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 if (s->flags & SIG_FLAG_TOCLIENT)
 mpm_ctx_tc = sgh->mpm_huad_ctx_tc;
 sgh_flags = SIG_GROUP_HEAD_MPM_HUAD;
- cd_flags = DETECT_CONTENT_HUAD_MPM;
 sig_flags |= SIG_FLAG_MPM_HTTP;
 if (cd->flags & DETECT_CONTENT_NEGATED)
 sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
 }
 if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
+ if (DETECT_CONTENT_IS_SINGLE(cd) &&
+ !(cd->flags & DETECT_CONTENT_NEGATED) &&
+ !(cd->flags & DETECT_CONTENT_REPLACE) &&
+ cd->content_len == cd->fp_chop_len) {
+ cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
+ }
+
 /* add the content to the mpm */
 if (cd->flags & DETECT_CONTENT_NOCASE) {
 if (mpm_ctx_ts != NULL) {
@@ -1615,17 +1605,11 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
 }
 }
 } else {
- if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
- if (DETECT_CONTENT_IS_SINGLE(cd)) {
- cd->flags |= cd_flags;
- }
-
- /* see if we can bypass the match validation for this pattern */
- } else {
- if (DETECT_CONTENT_IS_SINGLE(cd)) {
- cd->flags |= cd_flags;
- }
- } /* else - if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) */
+ if (DETECT_CONTENT_IS_SINGLE(cd) &&
+ !(cd->flags & DETECT_CONTENT_NEGATED) &&
+ !(cd->flags & DETECT_CONTENT_REPLACE)) {
+ cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
+ }
 /* add the content to the "uri" mpm */
 if (cd->flags & DETECT_CONTENT_NOCASE) {
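Review bot: In the chop branch the flag is set before the `if (mpm_ctx_ts != NULL)` (and, presumably, the matching mpm_ctx_tc) guards that decide whether the pattern is actually added to an HTTP-buffer mpm, so a content whose signature group has no mpm context for the direction in question is marked NO_DOUBLE_INSPECTION_REQUIRED without ever being put into an mpm, and the inspection phase would then treat it as matched without searching for it. That combination is probably unreachable, but the cost of guarding against it is small: set the flag only inside the branches that add the pattern, or add a comment stating that at least one of mpm_ctx_ts/mpm_ctx_tc is guaranteed non-NULL here, e.g. `/* the sgh always has an mpm ctx for the sig's direction, so the pattern added below is the one this flag vouches for */`. The same condition appears in both branches here and twice in the packet/stream function; a shared static helper would keep the four copies from drifting apart. The enclosing function (PopulateMpmAddPatternToMpm per the hunk context) starts and ends outside these hunks.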