169
191
tmm_modules[TMM_DETECT].ThreadDeinit = DetectThreadDeinit;
170
192
tmm_modules[TMM_DETECT].RegisterTests = SigRegisterTests;
171
193
tmm_modules[TMM_DETECT].cap_flags = 0;
195
PacketAlertTagInit();
174
198
void DetectExitPrintStats(ThreadVars *tv, void *data) {
175
199
DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;
176
200
if (det_ctx == NULL)
179
SCLogInfo("(%s) (1byte) Pkts %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
180
tv->name, det_ctx->pkts, det_ctx->pkts_searched1,
181
(float)(det_ctx->pkts_searched1/(float)(det_ctx->pkts)*100));
182
SCLogInfo("(%s) (2byte) Pkts %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
183
tv->name, det_ctx->pkts, det_ctx->pkts_searched2,
184
(float)(det_ctx->pkts_searched2/(float)(det_ctx->pkts)*100));
185
SCLogInfo("(%s) (3byte) Pkts %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
186
tv->name, det_ctx->pkts, det_ctx->pkts_searched3,
187
(float)(det_ctx->pkts_searched3/(float)(det_ctx->pkts)*100));
188
SCLogInfo("(%s) (4byte) Pkts %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
189
tv->name, det_ctx->pkts, det_ctx->pkts_searched4,
190
(float)(det_ctx->pkts_searched4/(float)(det_ctx->pkts)*100));
191
SCLogInfo("(%s) (+byte) Pkts %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
192
tv->name, det_ctx->pkts, det_ctx->pkts_searched,
193
(float)(det_ctx->pkts_searched/(float)(det_ctx->pkts)*100));
195
SCLogInfo("(%s) URI (1byte) Uri's %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
196
tv->name, det_ctx->uris, det_ctx->pkts_uri_searched1,
197
(float)(det_ctx->pkts_uri_searched1/(float)(det_ctx->uris)*100));
198
SCLogInfo("(%s) URI (2byte) Uri's %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
199
tv->name, det_ctx->uris, det_ctx->pkts_uri_searched2,
200
(float)(det_ctx->pkts_uri_searched2/(float)(det_ctx->uris)*100));
201
SCLogInfo("(%s) URI (3byte) Uri's %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
202
tv->name, det_ctx->uris, det_ctx->pkts_uri_searched3,
203
(float)(det_ctx->pkts_uri_searched3/(float)(det_ctx->uris)*100));
204
SCLogInfo("(%s) URI (4byte) Uri's %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
205
tv->name, det_ctx->uris, det_ctx->pkts_uri_searched4,
206
(float)(det_ctx->pkts_uri_searched4/(float)(det_ctx->uris)*100));
207
SCLogInfo("(%s) URI (+byte) Uri's %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
208
tv->name, det_ctx->uris, det_ctx->pkts_uri_searched,
209
(float)(det_ctx->pkts_uri_searched/(float)(det_ctx->uris)*100));
213
204
/** \brief Create the path if default-rule-path was specified
235
static inline void EngineAnalysisWriteFastPattern(Signature *s, SigMatch *mpm_sm)
237
int fast_pattern_set = 0;
238
int fast_pattern_only_set = 0;
239
int fast_pattern_chop_set = 0;
240
DetectContentData *fp_cd = NULL;
242
if (mpm_sm != NULL) {
243
fp_cd = (DetectContentData *)mpm_sm->ctx;
244
if (fp_cd->flags & DETECT_CONTENT_FAST_PATTERN) {
245
fast_pattern_set = 1;
246
if (fp_cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
247
fast_pattern_only_set = 1;
248
} else if (fp_cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
249
fast_pattern_chop_set = 1;
255
fprintf(fp_engine_analysis_FD, "== Sid: %u ==\n", s->id);
256
fprintf(fp_engine_analysis_FD, " No content present\n");
260
fprintf(fp_engine_analysis_FD, "== Sid: %u ==\n", s->id);
261
fprintf(fp_engine_analysis_FD, " Fast pattern matcher: ");
262
if (mpm_sm->type == DETECT_CONTENT)
263
fprintf(fp_engine_analysis_FD, "content\n");
264
else if (mpm_sm->type == DETECT_URICONTENT)
265
fprintf(fp_engine_analysis_FD, "uricontent\n");
266
else if (mpm_sm->type == DETECT_AL_HTTP_CLIENT_BODY)
267
fprintf(fp_engine_analysis_FD, "http_client_body\n");
268
else if (mpm_sm->type == DETECT_AL_HTTP_HEADER)
269
fprintf(fp_engine_analysis_FD, "http_header\n");
270
else if (mpm_sm->type == DETECT_AL_HTTP_RAW_HEADER)
271
fprintf(fp_engine_analysis_FD, "http_raw_header\n");
272
fprintf(fp_engine_analysis_FD, " Fast pattern set: %s\n", fast_pattern_set ? "yes" : "no");
273
fprintf(fp_engine_analysis_FD, " Fast pattern only set: %s\n",
274
fast_pattern_only_set ? "yes" : "no");
275
fprintf(fp_engine_analysis_FD, " Fast pattern chop set: %s\n",
276
fast_pattern_chop_set ? "yes" : "no");
277
if (fast_pattern_chop_set) {
278
fprintf(fp_engine_analysis_FD, " Fast pattern offset, length: %u, %u\n",
279
fp_cd->fp_chop_offset, fp_cd->fp_chop_len);
281
fprintf(fp_engine_analysis_FD, " Content negated: %s\n",
282
(fp_cd->flags & DETECT_CONTENT_NEGATED) ? "yes" : "no");
284
uint16_t patlen = fp_cd->content_len;
285
uint8_t *pat = SCMalloc(fp_cd->content_len + 1);
287
SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
290
memcpy(pat, fp_cd->content, fp_cd->content_len);
291
pat[fp_cd->content_len] = '\0';
292
fprintf(fp_engine_analysis_FD, " Original content: ");
293
PrintRawUriFp(fp_engine_analysis_FD, pat, patlen);
294
fprintf(fp_engine_analysis_FD, "\n");
296
if (fast_pattern_chop_set) {
298
patlen = fp_cd->fp_chop_len;
299
pat = SCMalloc(fp_cd->fp_chop_len + 1);
303
memcpy(pat, fp_cd->content + fp_cd->fp_chop_offset, fp_cd->fp_chop_len);
304
pat[fp_cd->fp_chop_len] = '\0';
305
fprintf(fp_engine_analysis_FD, " Final content: ");
306
PrintRawUriFp(fp_engine_analysis_FD, pat, patlen);
307
fprintf(fp_engine_analysis_FD, "\n");
309
fprintf(fp_engine_analysis_FD, " Final content: ");
310
PrintRawUriFp(fp_engine_analysis_FD, pat, patlen);
311
fprintf(fp_engine_analysis_FD, "\n");
319
* \brief Prints analysis of fast pattern for a signature.
321
* The code here mimics the logic to select fast_pattern from staging.
322
* If any changes are made to the staging logic, this should follow suit.
324
* \param s Pointer to the signature.
326
void EngineAnalysisFastPattern(Signature *s)
328
SigMatch *mpm_sm = NULL;
329
uint32_t fast_pattern = 0;
332
for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
333
/* we have no keywords that support fp in this Signature sm list */
334
if (!FastPatternSupportEnabledForSigMatchList(list_id))
338
/* get the total no of patterns in this Signature, as well as find out
339
* if we have a fast_pattern set in this Signature */
340
for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) {
341
/* this keyword isn't registered for fp support */
342
if (!FastPatternSupportEnabledForSigMatchType(sm->type))
345
DetectContentData *cd = (DetectContentData *)sm->ctx;
346
if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
350
} /* for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) */
352
/* found a fast pattern for the sig. Let's get outta here */
355
} /* for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) */
358
/* get the longest pattern in the sig */
361
for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
362
if (!FastPatternSupportEnabledForSigMatchList(list_id))
365
for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) {
366
if (!FastPatternSupportEnabledForSigMatchType(sm->type))
369
DetectContentData *cd = (DetectContentData *)sm->ctx;
370
if (max_len < cd->content_len)
371
max_len = cd->content_len;
377
for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
378
if (!FastPatternSupportEnabledForSigMatchList(list_id))
381
for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) {
382
if (!FastPatternSupportEnabledForSigMatchType(sm->type))
386
* 1. we expect a fastpattern but this isn't it */
388
/* can be any content based keyword since all of them
389
* now use a unified structure - DetectContentData */
390
DetectContentData *cd = (DetectContentData *)sm->ctx;
391
if (!(cd->flags & DETECT_CONTENT_FAST_PATTERN)) {
392
SCLogDebug("not a fast pattern %"PRIu32"", cd->id);
395
SCLogDebug("fast pattern %"PRIu32"", cd->id);
397
DetectContentData *cd = (DetectContentData *)sm->ctx;
398
if (cd->content_len < max_len)
401
} /* else - if (fast_pattern[sig] == 1) */
403
if (mpm_sm == NULL) {
408
DetectContentData *data1 = (DetectContentData *)sm->ctx;
409
DetectContentData *data2 = (DetectContentData *)mpm_sm->ctx;
410
uint32_t ls = PatternStrength(data1->content, data1->content_len);
411
uint32_t ss = PatternStrength(data2->content, data2->content_len);
414
} else if (ls == ss) {
415
/* if 2 patterns are of equal strength, we pick the longest */
416
if (data1->content_len > data2->content_len)
419
SCLogDebug("sticking with mpm_sm");
421
} /* else - if (mpm == NULL) */
422
} /* for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) */
423
if (mpm_sm != NULL && fast_pattern)
425
} /* for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) */
427
/* output result to file */
428
EngineAnalysisWriteFastPattern(s, mpm_sm);
245
434
* \brief Load a file with signatures
246
435
* \param de_ctx Pointer to the detection engine context
658
if (engine_analysis) {
659
if (fp_engine_analysis_set) {
660
if (fp_engine_analysis_FD != NULL) {
661
SCLogInfo("Engine-Analyis for fast_pattern printed to file - %s",
663
fclose(fp_engine_analysis_FD);
664
fp_engine_analysis_FD = NULL;
420
669
DetectParseDupSigHashFree(de_ctx);
421
670
SCReturnInt(ret);
674
* \brief See if we can prefilter a signature on inexpensive checks
676
* Order of SignatureHeader access:
680
* 4. mpm_pattern_id_div8
681
* 4. mpm_pattern_id_mod8
682
* 5. mpm_stream_pattern_id_div8
683
* 5. mpm_stream_pattern_id_mod8
686
* \retval 0 can't match, don't inspect
687
* \retval 1 might match, further inspection required
689
static inline int SigMatchSignaturesBuildMatchArrayAddSignature(DetectEngineThreadCtx *det_ctx,
690
Packet *p, SignatureHeader *s, uint16_t alproto)
692
/* if the sig has alproto and the session as well they should match */
693
if (s->flags & SIG_FLAG_APPLAYER && s->alproto != ALPROTO_UNKNOWN && s->alproto != alproto) {
694
if (s->alproto == ALPROTO_DCERPC) {
695
if (alproto != ALPROTO_SMB && alproto != ALPROTO_SMB2) {
696
SCLogDebug("DCERPC sig, alproto not SMB or SMB2");
700
SCLogDebug("alproto mismatch");
705
/* check for a pattern match of the one pattern in this sig. */
706
if (s->flags & SIG_FLAG_MPM_PACKET) {
707
/* filter out sigs that want pattern matches, but
709
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] & s->mpm_pattern_id_mod_8)) {
710
//if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id / 8)] & (1<<(s->mpm_pattern_id % 8)))) {
711
//SCLogDebug("mpm sig without matches (pat id %"PRIu32" check in content).", s->mpm_pattern_id);
713
if (!(s->flags & SIG_FLAG_MPM_PACKET_NEG)) {
716
SCLogDebug("but thats okay, we are looking for neg-content");
720
if (s->flags & SIG_FLAG_MPM_STREAM) {
721
/* filter out sigs that want pattern matches, but
723
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_stream_pattern_id_div_8)] & s->mpm_stream_pattern_id_mod_8)) {
724
//SCLogDebug("mpm stream sig without matches (pat id %"PRIu32" check in content).", s->mpm_stream_pattern_id);
726
if (!(s->flags & SIG_FLAG_MPM_STREAM_NEG)) {
729
SCLogDebug("but thats okay, we are looking for neg-content");
734
if (s->full_sig->flags & SIG_FLAG_MPM_URICONTENT) {
735
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
736
(1 << (s->mpm_http_pattern_id % 8)))) {
737
if (!(s->full_sig->flags & SIG_FLAG_MPM_URICONTENT_NEG)) {
743
if (s->flags & SIG_FLAG_MPM_HCBDCONTENT) {
744
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
745
(1 << (s->mpm_http_pattern_id % 8)))) {
746
if (!(s->flags & SIG_FLAG_MPM_HCBDCONTENT_NEG)) {
752
if (s->flags & SIG_FLAG_MPM_HHDCONTENT) {
753
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
754
(1 << (s->mpm_http_pattern_id % 8)))) {
755
if (!(s->flags & SIG_FLAG_MPM_HHDCONTENT_NEG)) {
761
if (s->flags & SIG_FLAG_MPM_HRHDCONTENT) {
762
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
763
(1 << (s->mpm_http_pattern_id % 8)))) {
764
if (!(s->flags & SIG_FLAG_MPM_HRHDCONTENT_NEG)) {
770
if (s->flags & SIG_FLAG_MPM_HMDCONTENT) {
771
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
772
(1 << (s->mpm_http_pattern_id % 8)))) {
773
if (!(s->flags & SIG_FLAG_MPM_HMDCONTENT_NEG)) {
779
if (s->flags & SIG_FLAG_MPM_HCDCONTENT) {
780
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
781
(1 << (s->mpm_http_pattern_id % 8)))) {
782
if (!(s->flags & SIG_FLAG_MPM_HCDCONTENT_NEG)) {
788
if (s->flags & SIG_FLAG_MPM_HRUDCONTENT) {
789
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
790
(1 << (s->mpm_http_pattern_id % 8)))) {
791
if (!(s->flags & SIG_FLAG_MPM_HRUDCONTENT_NEG)) {
797
/* de_state check, filter out all signatures that already had a match before
798
* or just partially match */
799
if (s->flags & SIG_FLAG_STATE_MATCH) {
800
/* we run after DeStateDetectContinueDetection, so we might have
801
* state NEW here. In that case we'd want to continue detection
802
* for this sig. If we have NOSTATE, stateful detection didn't
803
* start yet for this sig, so we will inspect it.
805
if (det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NEW &&
806
det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NOSTATE) {
807
SCLogDebug("de state not NEW or NOSTATE, ignoring");
815
#if defined(__SSE3__)
818
* \brief SIMD implementation of mask prefiltering.
820
* Mass mask matching is done creating a bitmap of signatures that need
823
* On 32 bit systems we inspect in 32 sig batches, creating a u32 with flags.
824
* On 64 bit systems we inspect in 64 sig batches, creating a u64 with flags.
825
* The size of a register is leading here.
827
static inline void SigMatchSignaturesBuildMatchArraySIMD(DetectEngineThreadCtx *det_ctx,
828
Packet *p, SignatureMask mask, uint16_t alproto)
834
register uint32_t bm; /* bit mask, 32 bits used */
836
Vector pm, sm, r1, r2;
837
/* load the packet mask into each byte of the vector */
838
pm.v = _mm_set1_epi8(mask);
840
/* reset previous run */
841
det_ctx->match_array_cnt = 0;
843
for (u = 0; u < det_ctx->sgh->sig_cnt; u += 32) {
844
/* load a batch of masks */
845
sm.v = _mm_load_si128((const __m128i *)&det_ctx->sgh->mask_array[u]);
846
/* logical AND them with the packet's mask */
847
r1.v = _mm_and_si128(pm.v, sm.v);
848
/* compare the result with the original mask */
849
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
850
/* convert into a bitarray */
851
bm = ((uint32_t) _mm_movemask_epi8(r2.v));
853
SCLogDebug("bm1 %08x", bm);
855
/* load a batch of masks */
856
sm.v = _mm_load_si128((const __m128i *)&det_ctx->sgh->mask_array[u+16]);
857
/* logical AND them with the packet's mask */
858
r1.v = _mm_and_si128(pm.v, sm.v);
859
/* compare the result with the original mask */
860
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
861
/* convert into a bitarray */
862
bm |= ((uint32_t) _mm_movemask_epi8(r2.v) << 16);
864
SCLogDebug("bm2 %08x", bm);
870
/* Check each bit in the bit map. Little endian is assumed (SSE is x86),
871
* so the bits are in memory backwards, 0 is on the right edge,
872
* 31 on the left edge. This is why above we store the output of the
873
* _mm_movemask_epi8 in this order as well */
875
for (x = u; x < det_ctx->sgh->sig_cnt && bitno < 32; x++, bitno++) {
876
if (bm & (1 << bitno)) {
877
SignatureHeader *s = &det_ctx->sgh->head_array[x];
879
if (SigMatchSignaturesBuildMatchArrayAddSignature(det_ctx, p, s, alproto) == 1) {
881
det_ctx->match_array[det_ctx->match_array_cnt] = s->full_sig;
882
det_ctx->match_array_cnt++;
887
#elif __WORDSIZE == 64
888
register uint64_t bm; /* bit mask, 64 bits used */
890
Vector pm, sm, r1, r2;
891
/* load the packet mask into each byte of the vector */
892
pm.v = _mm_set1_epi8(mask);
894
/* reset previous run */
895
det_ctx->match_array_cnt = 0;
897
for (u = 0; u < det_ctx->sgh->sig_cnt; u += 64) {
898
/* load a batch of masks */
899
sm.v = _mm_load_si128((const __m128i *)&det_ctx->sgh->mask_array[u]);
900
/* logical AND them with the packet's mask */
901
r1.v = _mm_and_si128(pm.v, sm.v);
902
/* compare the result with the original mask */
903
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
904
/* convert into a bitarray */
905
bm = ((uint64_t) _mm_movemask_epi8(r2.v));
907
SCLogDebug("bm1 %08x", bm);
909
/* load a batch of masks */
910
sm.v = _mm_load_si128((const __m128i *)&det_ctx->sgh->mask_array[u+16]);
911
/* logical AND them with the packet's mask */
912
r1.v = _mm_and_si128(pm.v, sm.v);
913
/* compare the result with the original mask */
914
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
915
/* convert into a bitarray */
916
bm |= ((uint64_t) _mm_movemask_epi8(r2.v)) << 16;
918
/* load a batch of masks */
919
sm.v = _mm_load_si128((const __m128i *)&det_ctx->sgh->mask_array[u+32]);
920
/* logical AND them with the packet's mask */
921
r1.v = _mm_and_si128(pm.v, sm.v);
922
/* compare the result with the original mask */
923
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
924
/* convert into a bitarray */
925
bm |= ((uint64_t) _mm_movemask_epi8(r2.v)) << 32;
927
/* load a batch of masks */
928
sm.v = _mm_load_si128((const __m128i *)&det_ctx->sgh->mask_array[u+48]);
929
/* logical AND them with the packet's mask */
930
r1.v = _mm_and_si128(pm.v, sm.v);
931
/* compare the result with the original mask */
932
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
933
/* convert into a bitarray */
934
bm |= ((uint64_t) _mm_movemask_epi8(r2.v)) << 48;
936
SCLogDebug("bm2 %08x", bm);
942
/* Check each bit in the bit map. Little endian is assumed (SSE is x86-64),
943
* so the bits are in memory backwards, 0 is on the right edge,
944
* 63 on the left edge. This is why above we store the output of the
945
* _mm_movemask_epi8 in this order as well */
947
for (x = u; x < det_ctx->sgh->sig_cnt && bitno < 64; x++, bitno++) {
948
if (bm & ((uint64_t)1 << bitno)) {
949
SignatureHeader *s = &det_ctx->sgh->head_array[x];
951
if (SigMatchSignaturesBuildMatchArrayAddSignature(det_ctx, p, s, alproto) == 1) {
953
det_ctx->match_array[det_ctx->match_array_cnt] = s->full_sig;
954
det_ctx->match_array_cnt++;
960
#error Wordsize (__WORDSIZE) neither 32 or 64.
963
#endif /* defined(__SSE3__) */
965
static inline void SigMatchSignaturesBuildMatchArrayNoSIMD(DetectEngineThreadCtx *det_ctx,
966
Packet *p, SignatureMask mask, uint16_t alproto)
970
/* reset previous run */
971
det_ctx->match_array_cnt = 0;
973
for (u = 0; u < det_ctx->sgh->sig_cnt; u++) {
974
SignatureHeader *s = &det_ctx->sgh->head_array[u];
975
if ((mask & s->mask) == s->mask) {
976
if (SigMatchSignaturesBuildMatchArrayAddSignature(det_ctx, p, s, alproto) == 1) {
978
det_ctx->match_array[det_ctx->match_array_cnt] = s->full_sig;
979
det_ctx->match_array_cnt++;
425
986
* \brief build an array of signatures that will be inspected
427
988
* All signatures that can be filtered out on forehand are not added to it.
429
990
* \param de_ctx detection engine ctx
430
991
* \param det_ctx detection engine thread ctx -- array is stored here
431
992
* \param p packet
993
* \param mask Packets mask
432
994
* \param alproto application layer protocol
434
* Order of SignatureHeader access:
438
* 4. mpm_stream_pattern_id
441
static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
442
DetectEngineThreadCtx *det_ctx, Packet *p, uint16_t alproto)
996
static void SigMatchSignaturesBuildMatchArray(DetectEngineThreadCtx *det_ctx,
997
Packet *p, SignatureMask mask, uint16_t alproto)
446
/* reset previous run */
447
det_ctx->match_array_cnt = 0;
449
for (i = 0; i < det_ctx->sgh->sig_cnt; i++) {
450
SignatureHeader *s = &det_ctx->sgh->head_array[i];
452
if (s->flags & SIG_FLAG_FLOW && !p->flow) {
453
SCLogDebug("flow in sig but not in packet");
457
/* filter out the sigs that inspect the payload, if packet
458
no payload inspection flag is set*/
459
if ((p->flags & PKT_NOPAYLOAD_INSPECTION) && (s->flags & SIG_FLAG_PAYLOAD)) {
460
SCLogDebug("no payload inspection enabled and sig has payload portion.");
464
/* if the sig has alproto and the session as well they should match */
465
if (s->alproto != ALPROTO_UNKNOWN) {
466
if (s->alproto != alproto) {
467
if (s->alproto == ALPROTO_DCERPC) {
468
if (alproto != ALPROTO_SMB && alproto != ALPROTO_SMB2) {
469
SCLogDebug("DCERPC sig, alproto not SMB or SMB2");
473
SCLogDebug("alproto mismatch");
479
/* check for a pattern match of the one pattern in this sig. */
480
if (s->flags & SIG_FLAG_MPM_PACKET) {
481
/* filter out sigs that want pattern matches, but
483
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id / 8)] & (1<<(s->mpm_pattern_id % 8)))) {
484
SCLogDebug("mpm sig without matches (pat id %"PRIu32" check in content).", s->mpm_pattern_id);
486
if (!(s->flags & SIG_FLAG_MPM_NEGCONTENT)) {
487
/* pattern didn't match. There is one case where we will inspect
488
* the signature anyway: if the packet payload was added to the
489
* stream it is not scanned itself: the stream data is inspected.
490
* Inspecting both would result in duplicated alerts. There is
491
* one case where we are going to inspect the packet payload
492
* anyway: if a signature has the dsize option. */
493
if (!((p->flags & PKT_STREAM_ADD) && (s->flags & SIG_FLAG_DSIZE))) {
497
SCLogDebug("but thats okay, we are looking for neg-content");
501
if (s->flags & SIG_FLAG_MPM_STREAM) {
502
/* filter out sigs that want pattern matches, but
504
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_stream_pattern_id / 8)] & (1<<(s->mpm_stream_pattern_id % 8)))) {
505
SCLogDebug("mpm stream sig without matches (pat id %"PRIu32" check in content).", s->mpm_stream_pattern_id);
507
if (!(s->flags & SIG_FLAG_MPM_NEGCONTENT)) {
508
/* pattern didn't match. There is one case where we will inspect
509
* the signature anyway: if the packet payload was added to the
510
* stream it is not scanned itself: the stream data is inspected.
511
* Inspecting both would result in duplicated alerts. There is
512
* one case where we are going to inspect the packet payload
513
* anyway: if a signature has the dsize option. */
514
if (!((p->flags & PKT_STREAM_ADD) && (s->flags & SIG_FLAG_DSIZE))) {
518
SCLogDebug("but thats okay, we are looking for neg-content");
523
/* de_state check, filter out all signatures that already had a match before
524
* or just partially match */
525
if (s->flags & SIG_FLAG_AMATCH || s->flags & SIG_FLAG_UMATCH ||
526
s->flags & SIG_FLAG_DMATCH)
528
/* we run after DeStateDetectContinueDetection, so we might have
529
* state NEW here. In that case we'd want to continue detection
530
* for this sig. If we have NOSTATE, stateful detection didn't
531
* start yet for this sig, so we will inspect it.
533
if (det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NEW &&
534
det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NOSTATE) {
535
SCLogDebug("de state not NEW or NOSTATE, ignoring");
541
det_ctx->match_array[det_ctx->match_array_cnt] = s->full_sig;
542
det_ctx->match_array_cnt++;
999
#if defined(__SSE3__)
1000
SigMatchSignaturesBuildMatchArraySIMD(det_ctx, p, mask, alproto);
1002
SigMatchSignaturesBuildMatchArrayNoSIMD(det_ctx, p, mask, alproto);
618
1078
StreamMsg *smsg = NULL;
620
if (p->proto == IPPROTO_TCP) {
1080
if (p->proto == IPPROTO_TCP && f->protoctx != NULL) {
621
1081
TcpSession *ssn = (TcpSession *)f->protoctx;
623
/* at stream eof, inspect all smsg's */
624
if (flags & STREAM_EOF) {
625
if (p->flowflags & FLOW_PKT_TOSERVER) {
626
smsg = ssn->toserver_smsg_head;
627
/* deref from the ssn */
628
ssn->toserver_smsg_head = NULL;
629
ssn->toserver_smsg_tail = NULL;
631
SCLogDebug("to_server smsg %p at stream eof", smsg);
633
smsg = ssn->toclient_smsg_head;
634
/* deref from the ssn */
635
ssn->toclient_smsg_head = NULL;
636
ssn->toclient_smsg_tail = NULL;
638
SCLogDebug("to_client smsg %p at stream eof", smsg);
641
if (p->flowflags & FLOW_PKT_TOSERVER) {
642
StreamMsg *head = ssn->toserver_smsg_head;
644
SCLogDebug("no smsgs in to_server direction");
648
/* if the smsg is bigger than the current packet, we will
649
* process the smsg in a later run */
650
if ((head->data.seq + head->data.data_len) > (TCP_GET_SEQ(p) + p->payload_len)) {
651
SCLogDebug("smsg ends beyond current packet, skipping for now %"PRIu32">%"PRIu32,
652
(head->data.seq + head->data.data_len), (TCP_GET_SEQ(p) + p->payload_len));
657
/* deref from the ssn */
658
ssn->toserver_smsg_head = NULL;
659
ssn->toserver_smsg_tail = NULL;
661
SCLogDebug("to_server smsg %p", smsg);
663
StreamMsg *head = ssn->toclient_smsg_head;
667
/* if the smsg is bigger than the current packet, we will
668
* process the smsg in a later run */
669
if ((head->data.seq + head->data.data_len) > (TCP_GET_SEQ(p) + p->payload_len)) {
670
SCLogDebug("smsg ends beyond current packet, skipping for now %"PRIu32">%"PRIu32,
671
(head->data.seq + head->data.data_len), (TCP_GET_SEQ(p) + p->payload_len));
676
/* deref from the ssn */
677
ssn->toclient_smsg_head = NULL;
678
ssn->toclient_smsg_tail = NULL;
680
SCLogDebug("to_client smsg %p", smsg);
1083
/* at stream eof, or in inline mode, inspect all smsg's */
1084
if (flags & STREAM_EOF || StreamTcpInlineMode()) {
1085
if (p->flowflags & FLOW_PKT_TOSERVER) {
1086
smsg = ssn->toserver_smsg_head;
1087
/* deref from the ssn */
1088
ssn->toserver_smsg_head = NULL;
1089
ssn->toserver_smsg_tail = NULL;
1091
SCLogDebug("to_server smsg %p at stream eof", smsg);
1093
smsg = ssn->toclient_smsg_head;
1094
/* deref from the ssn */
1095
ssn->toclient_smsg_head = NULL;
1096
ssn->toclient_smsg_tail = NULL;
1098
SCLogDebug("to_client smsg %p at stream eof", smsg);
1101
if (p->flowflags & FLOW_PKT_TOSERVER) {
1102
StreamMsg *head = ssn->toserver_smsg_head;
1103
if (unlikely(head == NULL)) {
1104
SCLogDebug("no smsgs in to_server direction");
1108
/* if the smsg is bigger than the current packet, we will
1109
* process the smsg in a later run */
1110
if ((head->data.seq + head->data.data_len) > (TCP_GET_SEQ(p) + p->payload_len)) {
1111
SCLogDebug("smsg ends beyond current packet, skipping for now %"PRIu32">%"PRIu32,
1112
(head->data.seq + head->data.data_len), (TCP_GET_SEQ(p) + p->payload_len));
1117
/* deref from the ssn */
1118
ssn->toserver_smsg_head = NULL;
1119
ssn->toserver_smsg_tail = NULL;
1121
SCLogDebug("to_server smsg %p", smsg);
1123
StreamMsg *head = ssn->toclient_smsg_head;
1124
if (unlikely(head == NULL))
1127
/* if the smsg is bigger than the current packet, we will
1128
* process the smsg in a later run */
1129
if ((head->data.seq + head->data.data_len) > (TCP_GET_SEQ(p) + p->payload_len)) {
1130
SCLogDebug("smsg ends beyond current packet, skipping for now %"PRIu32">%"PRIu32,
1131
(head->data.seq + head->data.data_len), (TCP_GET_SEQ(p) + p->payload_len));
1136
/* deref from the ssn */
1137
ssn->toclient_smsg_head = NULL;
1138
ssn->toclient_smsg_tail = NULL;
1140
SCLogDebug("to_client smsg %p", smsg);
687
1146
SCReturnPtr(smsg, "StreamMsg");
1149
#define SMS_USE_FLOW_SGH 0x01
1150
#define SMS_USED_PM 0x02
1151
#define SMS_USED_STREAM_PM 0x04
1155
* \brief Run mpm on packet, stream and other buffers based on
1156
* alproto, sgh state.
1158
* \param de_ctx Pointer to the detection engine context.
1159
* \param det_ctx Pointer to the detection engine thread context.
1160
* \param smsg The stream segment to inspect for stream mpm.
1162
* \param flags Flags.
1163
* \param alproto Flow alproto.
1164
* \param alstate Flow alstate.
1165
* \param sms_runflags Used to store state by detection engine.
1167
static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
1168
DetectEngineThreadCtx *det_ctx, StreamMsg *smsg, Packet *p,
1169
uint8_t flags, uint16_t alproto, void *alstate, uint8_t *sms_runflags)
1171
if (p->payload_len > 0 && (!(p->flags & PKT_NOPAYLOAD_INSPECTION))) {
1172
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_PACKET) {
1173
/* run the multi packet matcher against the payload of the packet */
1174
SCLogDebug("search: (%p, maxlen %" PRIu32 ", sgh->sig_cnt %" PRIu32 ")",
1175
det_ctx->sgh, det_ctx->sgh->mpm_content_maxlen, det_ctx->sgh->sig_cnt);
1177
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_PACKET);
1178
PacketPatternSearch(det_ctx, p);
1179
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_PACKET);
1181
*sms_runflags |= SMS_USED_PM;
1183
if (!(p->flags & PKT_STREAM_ADD) && det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_STREAM) {
1184
*sms_runflags |= SMS_USED_PM;
1185
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_PKT_STREAM);
1186
PacketPatternSearchWithStreamCtx(det_ctx, p);
1187
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_PKT_STREAM);
1191
/* have a look at the reassembled stream (if any) */
1192
if (p->flowflags & FLOW_PKT_ESTABLISHED) {
1193
SCLogDebug("p->flowflags & FLOW_PKT_ESTABLISHED");
1194
if (smsg != NULL && det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_STREAM) {
1195
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_STREAM);
1196
StreamPatternSearch(det_ctx, p, smsg, flags);
1197
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_STREAM);
1199
*sms_runflags |= SMS_USED_STREAM_PM;
1201
SCLogDebug("smsg NULL (%p) or det_ctx->sgh->mpm_stream_ctx "
1202
"NULL (%p)", smsg, det_ctx->sgh->mpm_stream_ctx);
1205
/* all http based mpms */
1206
if (alproto == ALPROTO_HTTP && alstate != NULL) {
1207
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_URI) {
1208
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_URI);
1209
DetectUricontentInspectMpm(det_ctx, p->flow, alstate);
1210
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_URI);
1212
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCBD) {
1213
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCBD);
1214
DetectEngineRunHttpClientBodyMpm(de_ctx, det_ctx, p->flow, alstate);
1215
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HCBD);
1217
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHD) {
1218
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HHD);
1219
DetectEngineRunHttpHeaderMpm(det_ctx, p->flow, alstate);
1220
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HHD);
1222
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRHD) {
1223
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HRHD);
1224
DetectEngineRunHttpRawHeaderMpm(det_ctx, p->flow, alstate);
1225
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HRHD);
1227
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HMD) {
1228
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HMD);
1229
DetectEngineRunHttpMethodMpm(det_ctx, p->flow, alstate);
1230
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HMD);
1232
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCD) {
1233
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCD);
1234
DetectEngineRunHttpCookieMpm(det_ctx, p->flow, alstate);
1235
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HCD);
1237
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRUD) {
1238
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HRUD);
1239
DetectEngineRunHttpRawUriMpm(det_ctx, p->flow, alstate);
1240
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HRUD);
1244
SCLogDebug("NOT p->flowflags & FLOW_PKT_ESTABLISHED");
691
1250
* \brief Signature match function
733
1289
FlowIncrUsecnt(p->flow);
735
1291
SCMutexLock(&p->flow->m);
737
/* Get the stored sgh from the flow (if any). Make sure we're not using
738
* the sgh for icmp error packets part of the same stream. */
739
if (IP_GET_IPPROTO(p) == p->flow->proto) { /* filter out icmp */
740
if (p->flowflags & FLOW_PKT_TOSERVER && p->flow->flags & FLOW_SGH_TOSERVER) {
741
sgh = p->flow->sgh_toserver;
743
} else if (p->flowflags & FLOW_PKT_TOCLIENT && p->flow->flags & FLOW_SGH_TOCLIENT) {
744
sgh = p->flow->sgh_toclient;
748
smsg = SigMatchSignaturesGetSmsg(p->flow, p, flags);
750
no_store_flow_sgh = TRUE;
753
/* Retrieve the app layer state and protocol and the tcp reassembled
755
if (p->flowflags & FLOW_PKT_ESTABLISHED) {
756
alstate = AppLayerGetProtoStateFromPacket(p);
757
alproto = AppLayerGetProtoFromPacket(p);
758
SCLogDebug("alstate %p, alproto %u", alstate, alproto);
761
SCLogDebug("packet doesn't have established flag set");
1293
/* Get the stored sgh from the flow (if any). Make sure we're not using
1294
* the sgh for icmp error packets part of the same stream. */
1295
if (IP_GET_IPPROTO(p) == p->flow->proto) { /* filter out icmp */
1296
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);
1297
if (p->flowflags & FLOW_PKT_TOSERVER && p->flow->flags & FLOW_SGH_TOSERVER) {
1298
det_ctx->sgh = p->flow->sgh_toserver;
1299
sms_runflags |= SMS_USE_FLOW_SGH;
1300
} else if (p->flowflags & FLOW_PKT_TOCLIENT && p->flow->flags & FLOW_SGH_TOCLIENT) {
1301
det_ctx->sgh = p->flow->sgh_toclient;
1302
sms_runflags |= SMS_USE_FLOW_SGH;
1304
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);
1306
smsg = SigMatchSignaturesGetSmsg(p->flow, p, flags);
1308
StreamMsg *tmpsmsg = smsg;
1310
printf("detect ---start---:\n");
1311
PrintRawDataFp(stdout,tmpsmsg->data.data,tmpsmsg->data.data_len);
1312
printf("detect ---end---:\n");
1313
tmpsmsg = tmpsmsg->next;
1318
/* Retrieve the app layer state and protocol and the tcp reassembled
1320
if ((p->proto == IPPROTO_TCP && p->flags & PKT_STREAM_EST) ||
1321
(p->proto == IPPROTO_UDP && p->flowflags & FLOW_PKT_ESTABLISHED) ||
1322
(p->proto == IPPROTO_SCTP && p->flowflags & FLOW_PKT_ESTABLISHED))
1324
alstate = AppLayerGetProtoStateFromPacket(p);
1325
alproto = AppLayerGetProtoFromPacket(p);
1326
alversion = AppLayerGetStateVersion(p->flow);
1327
SCLogDebug("alstate %p, alproto %u", alstate, alproto);
1329
SCLogDebug("packet doesn't have established flag set (proto %d)", p->proto);
764
1332
SCMutexUnlock(&p->flow->m);
766
1334
if (p->flowflags & FLOW_PKT_TOSERVER) {
771
1339
SCLogDebug("flag STREAM_TOCLIENT set");
773
1341
SCLogDebug("p->flowflags 0x%02x", p->flowflags);
776
/* match the ip only signatures */
777
if ((p->flowflags & FLOW_PKT_TOSERVER && !(p->flowflags & FLOW_PKT_TOSERVER_IPONLY_SET)) ||
778
(p->flowflags & FLOW_PKT_TOCLIENT && !(p->flowflags & FLOW_PKT_TOCLIENT_IPONLY_SET))) {
779
SCLogDebug("testing against \"ip-only\" signatures");
781
IPOnlyMatchPacket(de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);
782
/* save in the flow that we scanned this direction... locking is
783
* done in the FlowSetIPOnlyFlag function. */
784
if (p->flow != NULL) {
1343
if ((p->flowflags & FLOW_PKT_TOSERVER && !(p->flowflags & FLOW_PKT_TOSERVER_IPONLY_SET)) ||
1344
(p->flowflags & FLOW_PKT_TOCLIENT && !(p->flowflags & FLOW_PKT_TOCLIENT_IPONLY_SET)))
1346
SCLogDebug("testing against \"ip-only\" signatures");
1348
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_IPONLY);
1349
IPOnlyMatchPacket(th_v, de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);
1350
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_IPONLY);
1352
/* save in the flow that we scanned this direction... locking is
1353
* done in the FlowSetIPOnlyFlag function. */
785
1354
FlowSetIPOnlyFlag(p->flow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
787
} else if (p->flow != NULL && ((p->flowflags & FLOW_PKT_TOSERVER &&
788
(p->flow->flags & FLOW_TOSERVER_IPONLY_SET)) ||
789
(p->flowflags & FLOW_PKT_TOCLIENT &&
790
(p->flow->flags & FLOW_TOCLIENT_IPONLY_SET)))) {
791
/* Get the result of the first IPOnlyMatch() */
792
if (p->flow->flags & FLOW_ACTION_PASS) {
793
/* if it matched a "pass" rule, we have to let it go */
794
p->action |= ACTION_PASS;
796
/* If we have a drop from IP only module,
797
* we will drop the rest of the flow packets
798
* This will apply only to inline/IPS */
799
if (p->flow != NULL &&
800
(p->flow->flags & FLOW_ACTION_DROP))
1356
} else if ((p->flowflags & FLOW_PKT_TOSERVER &&
1357
(p->flow->flags & FLOW_TOSERVER_IPONLY_SET)) ||
1358
(p->flowflags & FLOW_PKT_TOCLIENT &&
1359
(p->flow->flags & FLOW_TOCLIENT_IPONLY_SET)))
802
alert_flags = PACKET_ALERT_FLAG_DROP_FLOW;
803
p->action |= ACTION_DROP;
1361
/* Get the result of the first IPOnlyMatch() */
1362
if (p->flow->flags & FLOW_ACTION_PASS) {
1363
/* if it matched a "pass" rule, we have to let it go */
1364
p->action |= ACTION_PASS;
1366
/* If we have a drop from IP only module,
1367
* we will drop the rest of the flow packets
1368
* This will apply only to inline/IPS */
1369
if (p->flow->flags & FLOW_ACTION_DROP)
1371
alert_flags = PACKET_ALERT_FLAG_DROP_FLOW;
1372
p->action |= ACTION_DROP;
1376
if (!(sms_runflags & SMS_USE_FLOW_SGH)) {
1377
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);
1378
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
1379
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);
1381
} else { /* p->flags & PKT_HAS_FLOW */
806
1384
/* Even without flow we should match the packet src/dst */
807
IPOnlyMatchPacket(de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);
1385
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_IPONLY);
1386
IPOnlyMatchPacket(th_v, de_ctx, det_ctx, &de_ctx->io_ctx,
1387
&det_ctx->io_ctx, p);
1388
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_IPONLY);
810
/* use the sgh from the flow unless we have no flow or the flow
811
* sgh wasn't initialized yet */
812
if (sgh == NULL && !use_flow_sgh) {
1390
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);
813
1391
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
1392
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);
817
1395
/* if we didn't get a sig group head, we
818
1396
* have nothing to do.... */
819
1397
if (det_ctx->sgh == NULL) {
824
/* have a look at the reassembled stream (if any) */
825
if (p->flowflags & FLOW_PKT_ESTABLISHED) {
826
SCLogDebug("p->flowflags & FLOW_PKT_ESTABLISHED");
827
if (smsg != NULL && det_ctx->sgh->mpm_stream_ctx != NULL) {
828
cnt = StreamPatternSearch(th_v, det_ctx, p, smsg, flags);
829
SCLogDebug("cnt %u", cnt);
831
SCLogDebug("smsg NULL (%p) or det_ctx->sgh->mpm_stream_ctx NULL (%p)", smsg, det_ctx->sgh->mpm_stream_ctx);
834
SCLogDebug("NOT p->flowflags & FLOW_PKT_ESTABLISHED");
837
if (p->payload_len > 0 && det_ctx->sgh->mpm_ctx != NULL &&
838
(!(p->flags & PKT_NOPAYLOAD_INSPECTION) && !(p->flags & PKT_STREAM_ADD)))
840
/* run the multi packet matcher against the payload of the packet */
841
if (det_ctx->sgh->mpm_content_maxlen > p->payload_len) {
842
SCLogDebug("not mpm-inspecting as pkt payload is smaller than "
843
"the largest content length we need to match");
845
SCLogDebug("search: (%p, maxlen %" PRIu32 ", sgh->sig_cnt %" PRIu32 ")",
846
det_ctx->sgh, det_ctx->sgh->mpm_content_maxlen, det_ctx->sgh->sig_cnt);
848
if (det_ctx->sgh->mpm_content_maxlen == 1) det_ctx->pkts_searched1++;
849
else if (det_ctx->sgh->mpm_content_maxlen == 2) det_ctx->pkts_searched2++;
850
else if (det_ctx->sgh->mpm_content_maxlen == 3) det_ctx->pkts_searched3++;
851
else if (det_ctx->sgh->mpm_content_maxlen == 4) det_ctx->pkts_searched4++;
852
else det_ctx->pkts_searched++;
854
cnt = PacketPatternSearch(th_v, det_ctx, p);
857
det_ctx->mpm_match++;
861
SCLogDebug("post search: cnt %" PRIu32, cnt);
865
det_ctx->de_mpm_scanned_uri = FALSE;
1402
/* run the mpm for each type */
1403
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM);
1404
DetectMpmPrefilter(de_ctx, det_ctx, smsg, p, flags, alproto,
1405
alstate, &sms_runflags);
1406
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM);
1408
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_STATEFUL);
867
1409
/* stateful app layer detection */
869
/* initialize to 0 (DE_STATE_MATCH_NOSTATE) */
870
memset(det_ctx->de_state_sig_array, 0x00, det_ctx->de_state_sig_array_len);
872
/* if applicable, continue stateful detection */
873
if (p->flow != NULL && DeStateFlowHasState(p->flow)) {
874
DeStateDetectContinueDetection(th_v, de_ctx, det_ctx, p->flow,
875
flags, alstate, alproto);
1410
if (p->flags & PKT_HAS_FLOW && alstate != NULL) {
1411
/* initialize to 0 (DE_STATE_MATCH_NOSTATE) */
1412
memset(det_ctx->de_state_sig_array, 0x00, det_ctx->de_state_sig_array_len);
1414
/* if applicable, continue stateful detection */
1415
int state = DeStateFlowHasState(p->flow, flags, alversion);
1417
DeStateDetectContinueDetection(th_v, de_ctx, det_ctx, p->flow,
1418
flags, alstate, alproto, alversion);
1419
} else if (state == 2) {
1423
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_STATEFUL);
1425
/* create our prefilter mask */
1426
SignatureMask mask = 0;
1427
PacketCreateMask(p, &mask, alproto, alstate, smsg);
1429
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PREFILTER);
878
1430
/* build the match array */
879
SigMatchSignaturesBuildMatchArray(de_ctx, det_ctx, p, alproto);
1431
SigMatchSignaturesBuildMatchArray(det_ctx, p, mask, alproto);
1432
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PREFILTER);
1434
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_RULES);
881
1435
/* inspect the sigs against the packet */
882
1436
for (idx = 0; idx < det_ctx->match_array_cnt; idx++) {
1437
StreamMsg *alert_msg = NULL;
1438
RULE_PROFILING_START;
885
1440
s = det_ctx->match_array[idx];
886
1441
SCLogDebug("inspecting signature id %"PRIu32"", s->id);
1443
/* check if this signature has a requirement for flowvars of some type
1444
* and if so, if we actually have any in the flow. If not, the sig
1445
* can't match and we skip it. */
1446
if (p->flags & PKT_HAS_FLOW && s->flags & SIG_FLAG_REQUIRE_FLOWVAR) {
1447
SCMutexLock(&p->flow->m);
1448
int m = p->flow->flowvar ? 1 : 0;
1449
SCMutexUnlock(&p->flow->m);
1451
/* no flowvars? skip this sig */
1453
SCLogDebug("skipping sig as the flow has no flowvars and sig "
1454
"has SIG_FLAG_REQUIRE_FLOWVAR flag set.");
888
1459
if (DetectProtoContainsProto(&s->proto, IP_GET_IPPROTO(p)) == 0) {
889
1460
SCLogDebug("proto didn't match");
893
1464
/* check the source & dst port in the sig */
894
if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP) {
1465
if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP || p->proto == IPPROTO_SCTP) {
895
1466
if (!(s->flags & SIG_FLAG_DP_ANY)) {
896
1467
DetectPort *dport = DetectPortLookupGroup(s->dp,p->dp);
897
1468
if (dport == NULL) {
974
1547
if (pmatch == 0) {
975
1548
SCLogDebug("no match in smsg, fall back to packet payload");
1550
if (sms_runflags & SMS_USED_PM) {
1551
if (s->flags & SIG_FLAG_MPM_PACKET && !(s->flags & SIG_FLAG_MPM_PACKET_NEG) &&
1552
!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] &
1553
s->mpm_pattern_id_mod_8)) {
1556
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1) {
1560
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1)
1565
if (sms_runflags & SMS_USED_PM) {
1566
if (s->flags & SIG_FLAG_MPM_PACKET && !(s->flags & SIG_FLAG_MPM_PACKET_NEG) &&
1567
!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] &
1568
s->mpm_pattern_id_mod_8)) {
1571
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1) {
977
1576
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1)
981
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1)
986
SCLogDebug("s->amatch %p, s->umatch %p, s->dmatch %p",
987
s->amatch, s->umatch, s->dmatch);
1582
SCLogDebug("s->sm_lists[DETECT_SM_LIST_AMATCH] %p, "
1583
"s->sm_lists[DETECT_SM_LIST_UMATCH] %p, "
1584
"s->sm_lists[DETECT_SM_LIST_DMATCH] %p, "
1585
"s->sm_lists[DETECT_SM_LIST_HCDMATCH] %p",
1586
s->sm_lists[DETECT_SM_LIST_AMATCH],
1587
s->sm_lists[DETECT_SM_LIST_UMATCH],
1588
s->sm_lists[DETECT_SM_LIST_DMATCH],
1589
s->sm_lists[DETECT_SM_LIST_HCDMATCH]);
989
if (s->amatch != NULL || s->umatch != NULL || s->dmatch != NULL) {
1591
/* consider stateful sig matches */
1592
if (s->flags & SIG_FLAG_STATE_MATCH) {
990
1593
if (alstate == NULL) {
991
1594
SCLogDebug("state matches but no state, we can't match");
1386
2026
s->flags & SIG_FLAG_DST_ANY ? "ANY" : "SET");
2032
#define MASK_TCP_INITDEINIT_FLAGS (TH_SYN|TH_RST|TH_FIN)
2033
#define MASK_TCP_UNUSUAL_FLAGS (TH_URG|TH_ECN|TH_CWR)
2035
/* Create mask for this packet + it's flow if it has one
2037
* Sets SIG_MASK_REQUIRE_PAYLOAD, SIG_MASK_REQUIRE_FLOW,
2038
* SIG_MASK_REQUIRE_HTTP_STATE, SIG_MASK_REQUIRE_DCE_STATE
2041
PacketCreateMask(Packet *p, SignatureMask *mask, uint16_t alproto, void *alstate, StreamMsg *smsg) {
2042
if (!(p->flags & PKT_NOPAYLOAD_INSPECTION) && (p->payload_len > 0 || smsg != NULL)) {
2043
SCLogDebug("packet has payload");
2044
(*mask) |= SIG_MASK_REQUIRE_PAYLOAD;
2046
SCLogDebug("packet has no payload");
2047
(*mask) |= SIG_MASK_REQUIRE_NO_PAYLOAD;
2050
if (PKT_IS_TCP(p)) {
2051
if ((p->tcph->th_flags & MASK_TCP_INITDEINIT_FLAGS) != 0) {
2052
(*mask) |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
2054
if ((p->tcph->th_flags & MASK_TCP_UNUSUAL_FLAGS) != 0) {
2055
(*mask) |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
2059
if (p->flags & PKT_HAS_FLOW) {
2060
SCLogDebug("packet has flow");
2061
(*mask) |= SIG_MASK_REQUIRE_FLOW;
2063
if (alstate != NULL) {
2066
SCLogDebug("packet/flow has http state");
2067
(*mask) |= SIG_MASK_REQUIRE_HTTP_STATE;
2071
case ALPROTO_DCERPC:
2072
SCLogDebug("packet/flow has dce state");
2073
(*mask) |= SIG_MASK_REQUIRE_DCE_STATE;
2076
SCLogDebug("packet/flow has other state");
2080
SCLogDebug("no alstate");
2085
static int SignatureCreateMask(Signature *s) {
2088
if (s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
2089
s->mask |= SIG_MASK_REQUIRE_PAYLOAD;
2090
SCLogDebug("sig requires payload");
2093
if (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL) {
2094
s->mask |= SIG_MASK_REQUIRE_DCE_STATE;
2095
SCLogDebug("sig requires dce state");
2098
if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) {
2099
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
2100
SCLogDebug("sig requires http state");
2103
if (s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL) {
2104
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
2105
SCLogDebug("sig requires http app state");
2108
if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) {
2109
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
2110
SCLogDebug("sig requires http app state");
2113
if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) {
2114
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
2115
SCLogDebug("sig requires http app state");
2118
if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) {
2119
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
2120
SCLogDebug("sig requires http app state");
2123
if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) {
2124
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
2125
SCLogDebug("sig requires http app state");
2128
if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
2129
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
2130
SCLogDebug("sig requires http app state");
2134
for (sm = s->sm_lists[DETECT_SM_LIST_AMATCH] ; sm != NULL; sm = sm->next) {
2136
case DETECT_AL_HTTP_COOKIE:
2137
case DETECT_AL_HTTP_METHOD:
2138
case DETECT_AL_URILEN:
2139
case DETECT_AL_HTTP_CLIENT_BODY:
2140
case DETECT_AL_HTTP_HEADER:
2141
case DETECT_AL_HTTP_RAW_HEADER:
2142
case DETECT_AL_HTTP_URI:
2143
case DETECT_AL_HTTP_RAW_URI:
2144
case DETECT_PCRE_HTTPBODY:
2145
case DETECT_PCRE_HTTPCOOKIE:
2146
case DETECT_PCRE_HTTPHEADER:
2147
case DETECT_PCRE_HTTPMETHOD:
2148
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
2149
SCLogDebug("sig requires dce http state");
2154
for (sm = s->sm_lists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
2156
case DETECT_FLOWBITS:
2158
/* figure out what flowbit action */
2159
DetectFlowbitsData *fb = (DetectFlowbitsData *)sm->ctx;
2160
if (fb->cmd == DETECT_FLOWBITS_CMD_ISSET) {
2161
/* not a mask flag, but still set it here */
2162
s->flags |= SIG_FLAG_REQUIRE_FLOWVAR;
2164
SCLogDebug("SIG_FLAG_REQUIRE_FLOWVAR set as sig has "
2165
"flowbit isset option.");
2168
/* flow is required for any flowbit manipulation */
2169
s->mask |= SIG_MASK_REQUIRE_FLOW;
2170
SCLogDebug("sig requires flow to be able to manipulate "
2176
DetectFlagsData *fl = (DetectFlagsData *)sm->ctx;
2178
if (fl->flags & TH_SYN) {
2179
s->mask |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
2180
SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT");
2182
if (fl->flags & TH_RST) {
2183
s->mask |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
2184
SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT");
2186
if (fl->flags & TH_FIN) {
2187
s->mask |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
2188
SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT");
2190
if (fl->flags & TH_URG) {
2191
s->mask |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
2192
SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL");
2194
if (fl->flags & TH_ECN) {
2195
s->mask |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
2196
SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL");
2198
if (fl->flags & TH_CWR) {
2199
s->mask |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
2200
SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL");
2206
DetectDsizeData *ds = (DetectDsizeData *)sm->ctx;
2208
case DETECTDSIZE_LT:
2209
/* LT will include 0, so no payload.
2210
* if GT is used in the same rule the
2211
* flag will be set anyway. */
2213
case DETECTDSIZE_RA:
2214
case DETECTDSIZE_GT:
2215
s->mask |= SIG_MASK_REQUIRE_PAYLOAD;
2216
SCLogDebug("sig requires payload");
2218
case DETECTDSIZE_EQ:
2219
if (ds->dsize > 0) {
2220
s->mask |= SIG_MASK_REQUIRE_PAYLOAD;
2221
SCLogDebug("sig requires payload");
2222
} else if (ds->dsize == 0) {
2223
s->mask |= SIG_MASK_REQUIRE_NO_PAYLOAD;
2224
SCLogDebug("sig requires no payload");
2233
if (s->mask & SIG_MASK_REQUIRE_DCE_STATE ||
2234
s->mask & SIG_MASK_REQUIRE_HTTP_STATE)
2236
s->mask |= SIG_MASK_REQUIRE_FLOW;
2237
SCLogDebug("sig requires flow");
2240
if (s->init_flags & SIG_FLAG_FLOW) {
2241
s->mask |= SIG_MASK_REQUIRE_FLOW;
2242
SCLogDebug("sig requires flow");
2245
if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
2246
s->mask |= SIG_MASK_REQUIRE_FLOW;
2247
SCLogDebug("sig requires flow");
2250
if (s->flags & SIG_FLAG_APPLAYER) {
2251
s->mask |= SIG_MASK_REQUIRE_FLOW;
2252
SCLogDebug("sig requires flow");
2255
SCLogDebug("mask %02X", s->mask);
2259
static void SigInitStandardMpmFactoryContexts(DetectEngineCtx *de_ctx)
2261
de_ctx->sgh_mpm_context_packet =
2262
MpmFactoryRegisterMpmCtxProfile("packet",
2263
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
2264
de_ctx->sgh_mpm_context_uri =
2265
MpmFactoryRegisterMpmCtxProfile("uri",
2266
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
2267
de_ctx->sgh_mpm_context_stream =
2268
MpmFactoryRegisterMpmCtxProfile("stream",
2269
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
2270
de_ctx->sgh_mpm_context_hcbd =
2271
MpmFactoryRegisterMpmCtxProfile("hcbd",
2272
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
2273
de_ctx->sgh_mpm_context_hhd =
2274
MpmFactoryRegisterMpmCtxProfile("hhd",
2275
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
2276
de_ctx->sgh_mpm_context_hrhd =
2277
MpmFactoryRegisterMpmCtxProfile("hrhd",
2278
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
2279
de_ctx->sgh_mpm_context_hmd =
2280
MpmFactoryRegisterMpmCtxProfile("hmd",
2281
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
2282
de_ctx->sgh_mpm_context_hcd =
2283
MpmFactoryRegisterMpmCtxProfile("hcd",
2284
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
2285
de_ctx->sgh_mpm_context_hrud =
2286
MpmFactoryRegisterMpmCtxProfile("hrud",
2287
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
2288
de_ctx->sgh_mpm_context_app_proto_detect =
2289
MpmFactoryRegisterMpmCtxProfile("app_proto_detect", 0);
2079
2972
IPOnlyPrepare(de_ctx);
2080
2973
IPOnlyPrint(de_ctx, &de_ctx->io_ctx);
2975
DetectAddress *gr = NULL;
2082
2976
if (!(de_ctx->flags & DE_QUIET)) {
2083
SCLogInfo("%" PRIu32 " total signatures:", sigs);
2977
SCLogDebug("%" PRIu32 " total signatures:", sigs);
2087
for (f = 0; f < FLOW_STATES; f++) {
2088
for (gr = de_ctx->flow_gh[f].src_gh[6]->any_head; gr != NULL; gr = gr->next) {
2092
for (f = 0; f < FLOW_STATES; f++) {
2093
for (gr = de_ctx->flow_gh[f].src_gh[6]->ipv4_head; gr != NULL; gr = gr->next) {
2097
for (f = 0; f < FLOW_STATES; f++) {
2098
for (gr = de_ctx->flow_gh[f].src_gh[6]->ipv6_head; gr != NULL; gr = gr->next) {
2102
if (!(de_ctx->flags & DE_QUIET)) {
2103
SCLogInfo("TCP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6);
2106
cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0;
2107
for (f = 0; f < FLOW_STATES; f++) {
2108
for (gr = de_ctx->flow_gh[f].src_gh[17]->any_head; gr != NULL; gr = gr->next) {
2112
for (f = 0; f < FLOW_STATES; f++) {
2113
for (gr = de_ctx->flow_gh[f].src_gh[17]->ipv4_head; gr != NULL; gr = gr->next) {
2117
for (f = 0; f < FLOW_STATES; f++) {
2118
for (gr = de_ctx->flow_gh[f].src_gh[17]->ipv6_head; gr != NULL; gr = gr->next) {
2122
if (!(de_ctx->flags & DE_QUIET)) {
2123
SCLogInfo("UDP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6);
2981
uint32_t cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0;
2982
for (f = 0; f < FLOW_STATES; f++) {
2983
for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_TCP]->any_head; gr != NULL; gr = gr->next) {
2987
for (f = 0; f < FLOW_STATES; f++) {
2988
for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_TCP]->ipv4_head; gr != NULL; gr = gr->next) {
2992
for (f = 0; f < FLOW_STATES; f++) {
2993
for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_TCP]->ipv6_head; gr != NULL; gr = gr->next) {
2997
if (!(de_ctx->flags & DE_QUIET)) {
2998
SCLogDebug("TCP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6);
3001
cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0;
3003
for (f = 0; f < FLOW_STATES; f++) {
3004
for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_UDP]->any_head; gr != NULL; gr = gr->next) {
3008
for (f = 0; f < FLOW_STATES; f++) {
3009
for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_UDP]->ipv4_head; gr != NULL; gr = gr->next) {
3013
for (f = 0; f < FLOW_STATES; f++) {
3014
for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_UDP]->ipv6_head; gr != NULL; gr = gr->next) {
3018
if (!(de_ctx->flags & DE_QUIET)) {
3019
SCLogDebug("UDP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6);
3022
cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0;
3024
for (f = 0; f < FLOW_STATES; f++) {
3025
for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP]->any_head; gr != NULL; gr = gr->next) {
3029
for (f = 0; f < FLOW_STATES; f++) {
3030
for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP]->ipv4_head; gr != NULL; gr = gr->next) {
3034
for (f = 0; f < FLOW_STATES; f++) {
3035
for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP]->ipv6_head; gr != NULL; gr = gr->next) {
3039
if (!(de_ctx->flags & DE_QUIET)) {
3040
SCLogDebug("SCTP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6);
2126
3044
cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0;
2127
3045
for (f = 0; f < FLOW_STATES; f++) {
2128
3046
for (gr = de_ctx->flow_gh[f].src_gh[1]->any_head; gr != NULL; gr = gr->next) {
2549
3408
SigGroupHeadSetSigCnt(dp->sh, max_idx);
2550
3409
SigGroupHeadBuildMatchArray(de_ctx,dp->sh, max_idx);
2552
SigGroupHeadLoadContent(de_ctx, dp->sh);
2553
if (dp->sh->init->content_size == 0) {
2556
/* now have a look if we can reuse a mpm ctx */
2557
SigGroupHead *mpmsh = SigGroupHeadMpmHashLookup(de_ctx, dp->sh);
2558
if (mpmsh == NULL) {
2559
SigGroupHeadMpmHashAdd(de_ctx, dp->sh);
2561
de_ctx->mpm_unique++;
2563
/* XXX write dedicated function for this */
2564
dp->sh->mpm_ctx = mpmsh->mpm_ctx;
2565
//SCLogDebug("replacing dp->sh, so setting mpm_content_maxlen to %u (was %u)", mpmsh->mpm_content_maxlen, dp->sh->mpm_content_maxlen);
2566
//dp->sh->mpm_content_maxlen = mpmsh->mpm_content_maxlen;
2567
dp->sh->flags |= SIG_GROUP_HEAD_MPM_COPY;
2568
SigGroupHeadClearContent(dp->sh);
2570
de_ctx->mpm_reuse++;
2575
SigGroupHeadLoadStreamContent(de_ctx, dp->sh);
2576
if (dp->sh->init->stream_content_size == 0) {
2579
/* now have a look if we can reuse a mpm ctx */
2580
SigGroupHead *mpmsh = SigGroupHeadMpmStreamHashLookup(de_ctx, dp->sh);
2581
if (mpmsh == NULL) {
2582
SigGroupHeadMpmStreamHashAdd(de_ctx, dp->sh);
2584
de_ctx->mpm_unique++;
2586
SCLogDebug("replacing mpm_stream_ctx %p by %p", dp->sh->mpm_stream_ctx, mpmsh->mpm_stream_ctx);
2587
dp->sh->mpm_stream_ctx = mpmsh->mpm_stream_ctx;
2588
dp->sh->flags |= SIG_GROUP_HEAD_MPM_STREAM_COPY;
2589
SigGroupHeadClearStreamContent(dp->sh);
2591
de_ctx->mpm_reuse++;
2595
SigGroupHeadLoadUricontent(de_ctx, dp->sh);
2596
if (dp->sh->init->uri_content_size == 0) {
2597
de_ctx->mpm_uri_none++;
2599
/* now have a look if we can reuse a uri mpm ctx */
2600
SigGroupHead *mpmsh = SigGroupHeadMpmUriHashLookup(de_ctx, dp->sh);
2601
if (mpmsh == NULL) {
2602
SigGroupHeadMpmUriHashAdd(de_ctx, dp->sh);
2604
de_ctx->mpm_uri_unique++;
2606
dp->sh->mpm_uri_ctx = mpmsh->mpm_uri_ctx;
2607
dp->sh->flags |= SIG_GROUP_HEAD_MPM_URI_COPY;
2608
SigGroupHeadClearUricontent(dp->sh);
2610
de_ctx->mpm_uri_reuse++;
2613
3411
/* init the pattern matcher, this will respect the copy
2615
3413
if (PatternMatchPrepareGroup(de_ctx, dp->sh) < 0) {
2734
3532
for (f = 0; f < FLOW_STATES; f++) {
2735
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[6],AF_INET,f);
2737
printf ("BuildDestinationAddressHeads(src_gh[6],AF_INET) failed\n");
2740
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[17],AF_INET,f);
2742
printf ("BuildDestinationAddressHeads(src_gh[17],AF_INET) failed\n");
2745
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[6],AF_INET6,f);
2747
printf ("BuildDestinationAddressHeads(src_gh[6],AF_INET) failed\n");
2750
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[17],AF_INET6,f);
2752
printf ("BuildDestinationAddressHeads(src_gh[17],AF_INET) failed\n");
2755
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[6],AF_UNSPEC,f);
2757
printf ("BuildDestinationAddressHeads(src_gh[6],AF_INET) failed\n");
2760
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[17],AF_UNSPEC,f);
2762
printf ("BuildDestinationAddressHeads(src_gh[17],AF_INET) failed\n");
3533
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_TCP],AF_INET,f);
3535
printf ("BuildDestinationAddressHeads(src_gh[6],AF_INET) failed\n");
3538
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_UDP],AF_INET,f);
3540
printf ("BuildDestinationAddressHeads(src_gh[17],AF_INET) failed\n");
3543
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP],AF_INET,f);
3545
printf ("BuildDestinationAddressHeads(src_gh[IPPROTO_SCTP],AF_INET) failed\n");
3548
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_TCP],AF_INET6,f);
3550
printf ("BuildDestinationAddressHeads(src_gh[6],AF_INET) failed\n");
3553
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_UDP],AF_INET6,f);
3555
printf ("BuildDestinationAddressHeads(src_gh[17],AF_INET) failed\n");
3558
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP],AF_INET6,f);
3560
printf ("BuildDestinationAddressHeads(src_gh[IPPROTO_SCTP],AF_INET) failed\n");
3563
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_TCP],AF_UNSPEC,f);
3565
printf ("BuildDestinationAddressHeads(src_gh[6],AF_INET) failed\n");
3568
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_UDP],AF_UNSPEC,f);
3570
printf ("BuildDestinationAddressHeads(src_gh[17],AF_INET) failed\n");
3573
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP],AF_UNSPEC,f);
3575
printf ("BuildDestinationAddressHeads(src_gh[IPPROTO_SCTP],AF_INET) failed\n");
2765
3578
for (proto = 0; proto < 256; proto++) {
2766
if (proto == IPPROTO_TCP || proto == IPPROTO_UDP)
3579
if (proto == IPPROTO_TCP || proto == IPPROTO_UDP || proto == IPPROTO_SCTP)
2769
3582
r = BuildDestinationAddressHeads(de_ctx, de_ctx->flow_gh[f].src_gh[proto],AF_INET,f);
2809
3622
de_ctx->mpm_unique ? de_ctx->mpm_memory_size / de_ctx->mpm_unique: 0);
2811
3624
SCLogInfo("max sig id %" PRIu32 ", array size %" PRIu32 "", DetectEngineGetMaxSigId(de_ctx), DetectEngineGetMaxSigId(de_ctx) / 8 + 1);
2812
SCLogInfo("signature group heads: unique %" PRIu32 ", copies %" PRIu32 ".", de_ctx->gh_unique, de_ctx->gh_reuse);
2813
SCLogInfo("MPM instances: %" PRIu32 " unique, copies %" PRIu32 " (none %" PRIu32 ").",
3625
SCLogDebug("signature group heads: unique %" PRIu32 ", copies %" PRIu32 ".", de_ctx->gh_unique, de_ctx->gh_reuse);
3626
SCLogDebug("MPM instances: %" PRIu32 " unique, copies %" PRIu32 " (none %" PRIu32 ").",
2814
3627
de_ctx->mpm_unique, de_ctx->mpm_reuse, de_ctx->mpm_none);
2815
SCLogInfo("MPM (URI) instances: %" PRIu32 " unique, copies %" PRIu32 " (none %" PRIu32 ").",
3628
SCLogDebug("MPM (URI) instances: %" PRIu32 " unique, copies %" PRIu32 " (none %" PRIu32 ").",
2816
3629
de_ctx->mpm_uri_unique, de_ctx->mpm_uri_reuse, de_ctx->mpm_uri_none);
2817
SCLogInfo("MPM max patcnt %" PRIu32 ", avg %" PRIu32 "", de_ctx->mpm_max_patcnt, de_ctx->mpm_unique?de_ctx->mpm_tot_patcnt/de_ctx->mpm_unique:0);
3630
SCLogDebug("MPM max patcnt %" PRIu32 ", avg %" PRIu32 "", de_ctx->mpm_max_patcnt, de_ctx->mpm_unique?de_ctx->mpm_tot_patcnt/de_ctx->mpm_unique:0);
2818
3631
if (de_ctx->mpm_uri_tot_patcnt && de_ctx->mpm_uri_unique)
2819
SCLogInfo("MPM (URI) max patcnt %" PRIu32 ", avg %" PRIu32 " (%" PRIu32 "/%" PRIu32 ")", de_ctx->mpm_uri_max_patcnt, de_ctx->mpm_uri_tot_patcnt/de_ctx->mpm_uri_unique, de_ctx->mpm_uri_tot_patcnt, de_ctx->mpm_uri_unique);
2820
SCLogInfo("port maxgroups: %" PRIu32 ", avg %" PRIu32 ", tot %" PRIu32 "", g_groupportlist_maxgroups, g_groupportlist_groupscnt ? g_groupportlist_totgroups/g_groupportlist_groupscnt : 0, g_groupportlist_totgroups);
2821
SCLogInfo("building signature grouping structure, stage 3: building destination address lists... done");
3632
SCLogDebug("MPM (URI) max patcnt %" PRIu32 ", avg %" PRIu32 " (%" PRIu32 "/%" PRIu32 ")", de_ctx->mpm_uri_max_patcnt, de_ctx->mpm_uri_tot_patcnt/de_ctx->mpm_uri_unique, de_ctx->mpm_uri_tot_patcnt, de_ctx->mpm_uri_unique);
3633
SCLogDebug("port maxgroups: %" PRIu32 ", avg %" PRIu32 ", tot %" PRIu32 "", g_groupportlist_maxgroups, g_groupportlist_groupscnt ? g_groupportlist_totgroups/g_groupportlist_groupscnt : 0, g_groupportlist_totgroups);
3635
SCLogInfo("building signature grouping structure, stage 3: building destination address lists... complete");
4140
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
4141
MpmCtx *mpm_ctx = NULL;
4142
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_packet);
4143
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
4144
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
4146
//printf("packet- %d\n", mpm_ctx->pattern_cnt);
4148
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_uri);
4149
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
4150
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
4152
//printf("uri- %d\n", mpm_ctx->pattern_cnt);
4154
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcbd);
4155
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
4156
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
4158
//printf("hcbd- %d\n", mpm_ctx->pattern_cnt);
4160
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hhd);
4161
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
4162
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
4164
//printf("hhd- %d\n", mpm_ctx->pattern_cnt);
4166
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrhd);
4167
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
4168
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
4170
//printf("hrhd- %d\n", mpm_ctx->pattern_cnt);
4172
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hmd);
4173
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
4174
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
4176
//printf("hmd- %d\n", mpm_ctx->pattern_cnt);
4178
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcd);
4179
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
4180
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
4182
//printf("hcd- %d\n", mpm_ctx->pattern_cnt);
4184
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrud);
4185
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
4186
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
4188
//printf("hrud- %d\n", mpm_ctx->pattern_cnt);
4190
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_stream);
4191
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
4192
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
4194
//printf("stream- %d\n", mpm_ctx->pattern_cnt);
3320
4197
// SigAddressPrepareStage5(de_ctx);
3321
4198
// DetectAddressPrintMemory();
3322
4199
// DetectSigGroupPrintMemory();
5324
6259
uint8_t valid_raw_tcp[] = {
5325
6260
0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
5326
0xcf, 0x0d, 0x21, 0x80, 0xa0, 0x12, 0x16, 0xa0,
5327
0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
6261
0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
6262
0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
5328
6263
0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
5329
6264
0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
5331
6266
uint8_t invalid_raw_tcp[] = {
5332
6267
0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
5333
0xcf, 0x0d, 0x21, 0x80, 0xa0, 0x12, 0x16, 0xa0,
6268
0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
5334
6269
0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
5335
6270
0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
5336
6271
0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
6273
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
6277
Packet *p2 = SCMalloc(SIZE_OF_PACKET);
5340
6281
ThreadVars th_v;
5341
6282
DetectEngineThreadCtx *det_ctx;
5344
uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
5346
uint16_t buflen = strlen((char *)buf);
5348
6285
memset(&th_v, 0, sizeof(ThreadVars));
5349
memset(&p1, 0, sizeof(Packet));
5350
memset(&p2, 0, sizeof(Packet));
5352
p1.tcpvars.comp_csum = -1;
5353
p1.ip4h = (IPV4Hdr *)raw_ipv4;
5354
p1.tcph = (TCPHdr *)valid_raw_tcp;
5355
p1.tcpvars.hlen = 0;
5356
p1.src.family = AF_INET;
5357
p1.dst.family = AF_INET;
5359
p1.payload_len = buflen;
5360
p1.proto = IPPROTO_TCP;
5362
p2.tcpvars.comp_csum = -1;
5363
p2.ip4h = (IPV4Hdr *)raw_ipv4;
5364
p2.tcph = (TCPHdr *)invalid_raw_tcp;
5365
p2.tcpvars.hlen = 0;
5366
p2.src.family = AF_INET;
5367
p2.dst.family = AF_INET;
5369
p2.payload_len = buflen;
5370
p2.proto = IPPROTO_TCP;
6286
memset(p1, 0, SIZE_OF_PACKET);
6287
p1->pkt = (uint8_t *)(p1 + 1);
6288
memset(p2, 0, SIZE_OF_PACKET);
6289
p2->pkt = (uint8_t *)(p2 + 1);
6291
PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
6292
PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
6294
PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
6295
PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
6297
p1->tcpvars.comp_csum = -1;
6298
p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
6299
p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
6300
p1->src.family = AF_INET;
6301
p1->dst.family = AF_INET;
6302
p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
6303
p1->payload_len = 20;
6304
p1->proto = IPPROTO_TCP;
6306
p2->tcpvars.comp_csum = -1;
6307
p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
6308
p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
6309
p2->src.family = AF_INET;
6310
p2->dst.family = AF_INET;
6311
p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
6312
p2->payload_len = 20;
6313
p2->proto = IPPROTO_TCP;
5372
6315
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5373
6316
if (de_ctx == NULL) {
5428
6372
uint8_t valid_raw_tcp[] = {
5429
6373
0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
5430
0xcf, 0x0d, 0x21, 0x80, 0xa0, 0x12, 0x16, 0xa0,
6374
0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
5431
6375
0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
5432
6376
0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
5433
6377
0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
5435
6379
uint8_t invalid_raw_tcp[] = {
5436
6380
0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
5437
0xcf, 0x0d, 0x21, 0x80, 0xa0, 0x12, 0x16, 0xa0,
6381
0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
5438
6382
0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
5439
6383
0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
5440
6384
0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
6387
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
6390
Packet *p2 = SCMalloc(SIZE_OF_PACKET);
5444
6393
ThreadVars th_v;
5445
6394
DetectEngineThreadCtx *det_ctx;
5448
uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
5450
uint16_t buflen = strlen((char *)buf);
5452
6397
memset(&th_v, 0, sizeof(ThreadVars));
5453
memset(&p1, 0, sizeof(Packet));
5454
memset(&p2, 0, sizeof(Packet));
5456
p1.tcpvars.comp_csum = -1;
5457
p1.ip4h = (IPV4Hdr *)raw_ipv4;
5458
p1.tcph = (TCPHdr *)valid_raw_tcp;
5459
//p1.tcpvars.hlen = TCP_GET_HLEN((&p));
5460
p1.tcpvars.hlen = 0;
5461
p1.src.family = AF_INET;
5462
p1.dst.family = AF_INET;
5464
p1.payload_len = buflen;
5465
p1.proto = IPPROTO_TCP;
5467
p2.tcpvars.comp_csum = -1;
5468
p2.ip4h = (IPV4Hdr *)raw_ipv4;
5469
p2.tcph = (TCPHdr *)invalid_raw_tcp;
5470
//p2.tcpvars.hlen = TCP_GET_HLEN((&p));
5471
p2.tcpvars.hlen = 0;
5472
p2.src.family = AF_INET;
5473
p2.dst.family = AF_INET;
5475
p2.payload_len = buflen;
5476
p2.proto = IPPROTO_TCP;
6398
memset(p1, 0, SIZE_OF_PACKET);
6399
p1->pkt = (uint8_t *)(p1 + 1);
6400
memset(p2, 0, SIZE_OF_PACKET);
6401
p2->pkt = (uint8_t *)(p2 + 1);
6403
PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
6404
PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
6406
PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
6407
PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
6409
p1->tcpvars.comp_csum = -1;
6410
p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
6411
p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
6412
p1->src.family = AF_INET;
6413
p1->dst.family = AF_INET;
6414
p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
6415
p1->payload_len = 20;
6416
p1->proto = IPPROTO_TCP;
6418
p2->tcpvars.comp_csum = -1;
6419
p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
6420
p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
6421
p2->src.family = AF_INET;
6422
p2->dst.family = AF_INET;
6423
p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
6424
p2->payload_len = 20;
6425
p2->proto = IPPROTO_TCP;
5478
6427
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5479
6428
if (de_ctx == NULL) {
5532
6477
static uint8_t valid_raw_ipv6[] = {
5533
6478
0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
5534
0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
5535
0x00, 0x00, 0x00, 0x20, 0x06, 0x40, 0x3f, 0xfe,
5536
0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
5537
0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
5538
0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
5539
0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0x03, 0xfe,
5540
0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d, 0x0c, 0x7a,
5541
0x08, 0x77, 0x80, 0x10, 0x21, 0x5c, 0xc2, 0xf1,
5542
0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08,
5543
0xca, 0x5a, 0x00, 0x01, 0x69, 0x27};
6479
0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
6481
0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
6482
0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
6483
0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
6484
0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
6485
0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
6487
0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
6488
0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
6489
0xf2, 0xf1, 0x00, 0x00,
6491
0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
6492
0x00, 0x01, 0x69, 0x27};
5545
6494
static uint8_t invalid_raw_ipv6[] = {
5546
6495
0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
5547
0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
5548
0x00, 0x00, 0x00, 0x20, 0x06, 0x40, 0x3f, 0xfe,
5549
0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
5550
0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
5551
0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
5552
0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0x03, 0xfe,
5553
0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d, 0x0c, 0x7a,
5554
0x08, 0x77, 0x80, 0x10, 0x21, 0x5c, 0xc2, 0xf1,
5555
0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08,
5556
0xca, 0x5a, 0x00, 0x01, 0x69, 0x28};
6496
0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
6498
0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
6499
0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
6500
0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
6501
0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
6502
0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
6504
0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
6505
0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
6506
0xc2, 0xf1, 0x00, 0x00,
6508
0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
6509
0x00, 0x01, 0x69, 0x28};
6511
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
6514
Packet *p2 = SCMalloc(SIZE_OF_PACKET);
5559
6517
ThreadVars th_v;
5560
6518
DetectEngineThreadCtx *det_ctx;
5563
uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0tttttttt\r\n"
5566
6521
memset(&th_v, 0, sizeof(ThreadVars));
5567
memset(&p1, 0, sizeof(Packet));
5568
memset(&p2, 0, sizeof(Packet));
5570
p1.tcpvars.comp_csum = -1;
5571
p1.ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
5572
p1.tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
5573
p1.src.family = AF_INET;
5574
p1.dst.family = AF_INET;
5575
p1.tcpvars.hlen = TCP_GET_HLEN((&p1));
5577
p1.payload_len = p1.tcpvars.hlen;
5578
p1.tcpvars.hlen = 0;
5579
p1.proto = IPPROTO_TCP;
5581
p2.tcpvars.comp_csum = -1;
5582
p2.ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
5583
p2.tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
5584
p2.src.family = AF_INET;
5585
p2.dst.family = AF_INET;
5586
p2.tcpvars.hlen = TCP_GET_HLEN((&p2));
5588
p2.payload_len = p2.tcpvars.hlen;
5589
p2.tcpvars.hlen = 0;
5590
p2.proto = IPPROTO_TCP;
6522
memset(p1, 0, SIZE_OF_PACKET);
6523
p1->pkt = (uint8_t *)(p1 + 1);
6524
memset(p2, 0, SIZE_OF_PACKET);
6525
p2->pkt = (uint8_t *)(p2 + 1);
6527
p1->tcpvars.comp_csum = -1;
6528
p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
6529
p1->tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
6530
p1->src.family = AF_INET;
6531
p1->dst.family = AF_INET;
6532
p1->payload = valid_raw_ipv6 + 54 + 20;
6533
p1->payload_len = 12;
6534
p1->proto = IPPROTO_TCP;
6536
if (TCP_GET_HLEN(p1) != 20) {
6540
p2->tcpvars.comp_csum = -1;
6541
p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
6542
p2->tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
6543
p2->src.family = AF_INET;
6544
p2->dst.family = AF_INET;
6545
p2->payload = invalid_raw_ipv6 + 54 + 20;;
6546
p2->payload_len = 12;
6547
p2->proto = IPPROTO_TCP;
6549
if (TCP_GET_HLEN(p2) != 20) {
5592
6553
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5593
6554
if (de_ctx == NULL) {
5645
6601
static uint8_t valid_raw_ipv6[] = {
5646
6602
0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
5647
0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
5648
0x00, 0x00, 0x00, 0x20, 0x06, 0x40, 0x3f, 0xfe,
5649
0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
5650
0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
5651
0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
5652
0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0x03, 0xfe,
5653
0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d, 0x0c, 0x7a,
5654
0x08, 0x77, 0x80, 0x10, 0x21, 0x5c, 0xc2, 0xf1,
5655
0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08,
5656
0xca, 0x5a, 0x00, 0x01, 0x69, 0x27};
6603
0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
6605
0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
6606
0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
6607
0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
6608
0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
6609
0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
6611
0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
6612
0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
6613
0xf2, 0xf1, 0x00, 0x00,
6615
0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
6616
0x00, 0x01, 0x69, 0x27};
5658
6618
static uint8_t invalid_raw_ipv6[] = {
5659
6619
0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
5660
0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
5661
0x00, 0x00, 0x00, 0x20, 0x06, 0x40, 0x3f, 0xfe,
5662
0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
5663
0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
5664
0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
5665
0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0x03, 0xfe,
5666
0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d, 0x0c, 0x7a,
5667
0x08, 0x77, 0x80, 0x10, 0x21, 0x5c, 0xc2, 0xf1,
5668
0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08,
5669
0xca, 0x5a, 0x00, 0x01, 0x69, 0x28};
6620
0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
6622
0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
6623
0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
6624
0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
6625
0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
6626
0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
6628
0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
6629
0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
6630
0xc2, 0xf1, 0x00, 0x00,
6632
0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
6633
0x00, 0x01, 0x69, 0x28};
6635
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
6638
Packet *p2 = SCMalloc(SIZE_OF_PACKET);
5672
6641
ThreadVars th_v;
5673
6642
DetectEngineThreadCtx *det_ctx;
5676
uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0tttttttt\r\n"
5679
6645
memset(&th_v, 0, sizeof(ThreadVars));
5680
memset(&p1, 0, sizeof(Packet));
5681
memset(&p2, 0, sizeof(Packet));
5683
p1.tcpvars.comp_csum = -1;
5684
p1.ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
5685
p1.tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
5686
p1.src.family = AF_INET;
5687
p1.dst.family = AF_INET;
5688
p1.tcpvars.hlen = TCP_GET_HLEN((&p1));
5690
p1.payload_len = p1.tcpvars.hlen;
5691
p1.tcpvars.hlen = 0;
5692
p1.proto = IPPROTO_TCP;
5694
p2.tcpvars.comp_csum = -1;
5695
p2.ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
5696
p2.tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
5697
p2.src.family = AF_INET;
5698
p2.dst.family = AF_INET;
5699
p2.tcpvars.hlen = TCP_GET_HLEN((&p2));
5701
p2.payload_len = p2.tcpvars.hlen;
5702
p2.tcpvars.hlen = 0;
5703
p2.proto = IPPROTO_TCP;
6646
memset(p1, 0, SIZE_OF_PACKET);
6647
p1->pkt = (uint8_t *)(p1 + 1);
6648
memset(p2, 0, SIZE_OF_PACKET);
6649
p2->pkt = (uint8_t *)(p2 + 1);
6651
p1->tcpvars.comp_csum = -1;
6652
p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
6653
p1->tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
6654
p1->src.family = AF_INET;
6655
p1->dst.family = AF_INET;
6656
p1->payload = valid_raw_ipv6 + 54 + 20;
6657
p1->payload_len = 12;
6658
p1->proto = IPPROTO_TCP;
6660
if (TCP_GET_HLEN(p1) != 20) {
6664
p2->tcpvars.comp_csum = -1;
6665
p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
6666
p2->tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
6667
p2->src.family = AF_INET;
6668
p2->dst.family = AF_INET;
6669
p2->payload = invalid_raw_ipv6 + 54 + 20;;
6670
p2->payload_len = 12;
6671
p2->proto = IPPROTO_TCP;
6673
if (TCP_GET_HLEN(p2) != 20) {
5705
6677
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5706
6678
if (de_ctx == NULL) {
6703
7744
uint16_t buflen = sizeof(buf);
6705
7746
memset(&th_v, 0, sizeof(ThreadVars));
6706
memset(&p1, 0, sizeof(Packet));
7747
memset(p1, 0, SIZE_OF_PACKET);
7748
p1->pkt = (uint8_t *)(p1 + 1);
6708
7750
/* Copy raw data into packet */
6709
memcpy(&p1.pkt, raw_eth, ethlen);
6710
memcpy(p1.pkt + ethlen, raw_ipv4, ipv4len);
6711
memcpy(p1.pkt + ethlen + ipv4len, raw_tcp, tcplen);
6712
memcpy(p1.pkt + ethlen + ipv4len + tcplen, buf, buflen);
6713
p1.pktlen = ethlen + ipv4len + tcplen + buflen;
7751
if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
7755
if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
7759
if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
7763
if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
7767
SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
6715
p1.tcpvars.comp_csum = -1;
6716
p1.ethh = (EthernetHdr *)raw_eth;
6717
p1.ip4h = (IPV4Hdr *)raw_ipv4;
6718
p1.tcph = (TCPHdr *)raw_tcp;
6719
p1.tcpvars.hlen = 0;
6720
p1.src.family = AF_INET;
6721
p1.dst.family = AF_INET;
6722
p1.payload = p1.pkt + ethlen + ipv4len + tcplen;
6723
p1.payload_len = buflen;
6724
p1.proto = IPPROTO_TCP;
7769
p1->tcpvars.comp_csum = -1;
7770
p1->ethh = (EthernetHdr *)raw_eth;
7771
p1->ip4h = (IPV4Hdr *)raw_ipv4;
7772
p1->tcph = (TCPHdr *)raw_tcp;
7773
p1->src.family = AF_INET;
7774
p1->dst.family = AF_INET;
7775
p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
7776
p1->payload_len = buflen;
7777
p1->proto = IPPROTO_TCP;
6726
7779
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
6727
7780
if (de_ctx == NULL) {
6830
7886
uint16_t buflen = sizeof(buf);
6832
7888
memset(&th_v, 0, sizeof(ThreadVars));
6833
memset(&p1, 0, sizeof(Packet));
7889
memset(p1, 0, SIZE_OF_PACKET);
7890
p1->pkt = (uint8_t *)(p1 + 1);
6835
7892
/* Copy raw data into packet */
6836
memcpy(&p1.pkt, raw_eth, ethlen);
6837
memcpy(p1.pkt + ethlen, raw_ipv4, ipv4len);
6838
memcpy(p1.pkt + ethlen + ipv4len, raw_tcp, tcplen);
6839
memcpy(p1.pkt + ethlen + ipv4len + tcplen, buf, buflen);
6840
p1.pktlen = ethlen + ipv4len + tcplen + buflen;
7893
if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
7897
if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
7901
if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
7905
if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
7909
SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
6842
p1.tcpvars.comp_csum = -1;
6843
p1.ethh = (EthernetHdr *)raw_eth;
6844
p1.ip4h = (IPV4Hdr *)raw_ipv4;
6845
p1.tcph = (TCPHdr *)raw_tcp;
6846
p1.tcpvars.hlen = 0;
6847
p1.src.family = AF_INET;
6848
p1.dst.family = AF_INET;
6849
p1.payload = p1.pkt + ethlen + ipv4len + tcplen;
6850
p1.payload_len = buflen;
6851
p1.proto = IPPROTO_TCP;
7911
p1->tcpvars.comp_csum = -1;
7912
p1->ethh = (EthernetHdr *)raw_eth;
7913
p1->ip4h = (IPV4Hdr *)raw_ipv4;
7914
p1->tcph = (TCPHdr *)raw_tcp;
7915
p1->src.family = AF_INET;
7916
p1->dst.family = AF_INET;
7917
p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
7918
p1->payload_len = buflen;
7919
p1->proto = IPPROTO_TCP;
6853
7921
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
6854
7922
if (de_ctx == NULL) {
8681
9794
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
8685
memset(&p1, 0, sizeof(Packet));
8686
DecodeEthernet(&th_v, &dtv, &p1, rawpkt1, sizeof(rawpkt1), NULL);
8687
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1);
8688
if (!(PacketAlertCheck(&p1, 556))) {
9797
p1 = SCMalloc(SIZE_OF_PACKET);
9800
memset(p1, 0, SIZE_OF_PACKET);
9801
p1->pkt = (uint8_t *)(p1 + 1);
9802
DecodeEthernet(&th_v, &dtv, p1, rawpkt1, sizeof(rawpkt1), NULL);
9803
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
9804
if (!(PacketAlertCheck(p1, 556))) {
8689
9805
printf("failed to match on packet 1: ");
8695
memset(&p2, 0, sizeof(Packet));
8696
DecodeEthernet(&th_v, &dtv, &p2, rawpkt2, sizeof(rawpkt2), NULL);
8697
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2);
8698
if (!(PacketAlertCheck(&p2, 556))) {
9810
p2 = SCMalloc(SIZE_OF_PACKET);
9813
memset(p2, 0, SIZE_OF_PACKET);
9814
p2->pkt = (uint8_t *)(p2 + 1);
9815
DecodeEthernet(&th_v, &dtv, p2, rawpkt2, sizeof(rawpkt2), NULL);
9816
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
9817
if (!(PacketAlertCheck(p2, 556))) {
8699
9818
printf("failed to match on packet 2: ");
8705
memset(&p3, 0, sizeof(Packet));
8706
DecodeEthernet(&th_v, &dtv, &p3, rawpkt3, sizeof(rawpkt3), NULL);
8707
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p3);
8708
if (!(PacketAlertCheck(&p3, 556))) {
9823
p3 = SCMalloc(SIZE_OF_PACKET);
9826
memset(p3, 0, SIZE_OF_PACKET);
9827
p3->pkt = (uint8_t *)(p3 + 1);
9828
DecodeEthernet(&th_v, &dtv, p3, rawpkt3, sizeof(rawpkt3), NULL);
9829
SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
9830
if (!(PacketAlertCheck(p3, 556))) {
8709
9831
printf("failed to match on packet 3: ");
8715
memset(&p4, 0, sizeof(Packet));
8716
DecodeEthernet(&th_v, &dtv, &p4, rawpkt4, sizeof(rawpkt4), NULL);
8717
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p4);
8718
if (!(PacketAlertCheck(&p4, 556))) {
9836
p4 = SCMalloc(SIZE_OF_PACKET);
9839
memset(p4, 0, SIZE_OF_PACKET);
9840
p4->pkt = (uint8_t *)(p4 + 1);
9841
DecodeEthernet(&th_v, &dtv, p4, rawpkt4, sizeof(rawpkt4), NULL);
9842
SigMatchSignatures(&th_v, de_ctx, det_ctx, p4);
9843
if (!(PacketAlertCheck(p4, 556))) {
8719
9844
printf("failed to match on packet 4: ");
9384
10523
return result;
10526
/// SCLogInfo("%s %u %u %u %u", #v, (v).dw[0], (v).dw[1], (v).dw[2], (v).dw[3]);
10527
#define VECTOR_SCLogInfo(v) { \
10528
SCLogInfo("%s %08X %08X %08X %08X", #v, (v).dw[0], (v).dw[1], (v).dw[2], (v).dw[3]); \
10532
* \test Test 32 bit SIMD code.
10534
int SigTestSIMDMask01(void) {
10535
#if defined (__SSE3__)
10536
Vector pm, sm, r1, r2;
10539
uint8_t *mask = SCMallocAligned(32, 16);
10540
memset(mask, 0xEF, 32);
10543
pm.v = _mm_set1_epi8(0xEF);
10544
VECTOR_SCLogInfo(pm);
10546
/* load a batch of masks */
10547
sm.v = _mm_load_si128((const __m128i *)&mask[0]);
10548
VECTOR_SCLogInfo(sm);
10550
/* logical AND them with the packet's mask */
10551
r1.v = _mm_and_si128(pm.v, sm.v);
10552
VECTOR_SCLogInfo(r1);
10553
/* compare the result with the original mask */
10554
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10555
VECTOR_SCLogInfo(r2);
10556
/* convert into a bitarray */
10557
bm = ((uint32_t) _mm_movemask_epi8(r2.v));
10559
SCLogInfo("bm %08x", bm);
10561
/* load a batch of masks */
10562
sm.v = _mm_load_si128((const __m128i *)&mask[16]);
10563
VECTOR_SCLogInfo(sm);
10564
/* logical AND them with the packet's mask */
10565
r1.v = _mm_and_si128(pm.v, sm.v);
10566
VECTOR_SCLogInfo(r1);
10567
/* compare the result with the original mask */
10568
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10569
VECTOR_SCLogInfo(r2);
10570
/* convert into a bitarray */
10571
bm |= ((uint32_t) _mm_movemask_epi8(r2.v)) << 16;
10573
SCLogInfo("bm %08x", bm);
10576
for ( ; b < 32; b++){
10577
if (bm & (1 << b)) {
10578
SCLogInfo("b %02d, set", b);
10580
SCLogInfo("b %02d, not set", b);
10585
if (!(bm & (1 << 31))) {
10595
* \test Test 32 bit SIMD code.
10597
int SigTestSIMDMask02(void) {
10598
#if defined (__SSE3__)
10599
Vector pm, sm, r1, r2;
10602
uint8_t *mask = SCMallocAligned(32, 16);
10603
memset(mask, 0x01, 32);
10605
pm.v = _mm_set1_epi8(0x02);
10606
VECTOR_SCLogInfo(pm);
10608
/* load a batch of masks */
10609
sm.v = _mm_load_si128((const __m128i *)&mask[0]);
10610
VECTOR_SCLogInfo(sm);
10612
/* logical AND them with the packet's mask */
10613
r1.v = _mm_and_si128(pm.v, sm.v);
10614
VECTOR_SCLogInfo(r1);
10615
/* compare the result with the original mask */
10616
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10617
VECTOR_SCLogInfo(r2);
10618
/* convert into a bitarray */
10619
bm = ((uint32_t) _mm_movemask_epi8(r2.v));
10621
SCLogInfo("bm %08x", bm);
10623
/* load a batch of masks */
10624
sm.v = _mm_load_si128((const __m128i *)&mask[16]);
10625
VECTOR_SCLogInfo(sm);
10626
/* logical AND them with the packet's mask */
10627
r1.v = _mm_and_si128(pm.v, sm.v);
10628
VECTOR_SCLogInfo(r1);
10629
/* compare the result with the original mask */
10630
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10631
VECTOR_SCLogInfo(r2);
10632
/* convert into a bitarray */
10633
bm |= ((uint32_t) _mm_movemask_epi8(r2.v)) << 16;
10635
SCLogInfo("bm %08x", bm);
10638
for ( ; b < 32; b++){
10639
if (bm & (1 << b)) {
10640
SCLogInfo("b %02d, set", b);
10642
SCLogInfo("b %02d, not set", b);
10647
if (bm & (1 << 31)) {
10657
* \test Test 64 bit SIMD code.
10659
int SigTestSIMDMask03(void) {
10660
#if defined (__SSE3__)
10661
Vector pm, sm, r1, r2;
10663
uint8_t *mask = SCMallocAligned(64, 16);
10664
memset(mask, 0xEF, 64);
10668
pm.v = _mm_set1_epi8(0xEF);
10669
VECTOR_SCLogInfo(pm);
10671
/* load a batch of masks */
10672
sm.v = _mm_load_si128((const __m128i *)&mask[0]);
10673
VECTOR_SCLogInfo(sm);
10674
/* logical AND them with the packet's mask */
10675
r1.v = _mm_and_si128(pm.v, sm.v);
10676
VECTOR_SCLogInfo(r1);
10677
/* compare the result with the original mask */
10678
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10679
VECTOR_SCLogInfo(r2);
10680
/* convert into a bitarray */
10681
bm = ((uint64_t) _mm_movemask_epi8(r2.v));
10683
SCLogInfo("bm1 %"PRIxMAX, (uintmax_t)bm);
10685
/* load a batch of masks */
10686
sm.v = _mm_load_si128((const __m128i *)&mask[16]);
10687
VECTOR_SCLogInfo(sm);
10688
/* logical AND them with the packet's mask */
10689
r1.v = _mm_and_si128(pm.v, sm.v);
10690
VECTOR_SCLogInfo(r1);
10691
/* compare the result with the original mask */
10692
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10693
VECTOR_SCLogInfo(r2);
10694
/* convert into a bitarray */
10695
bm |= ((uint64_t) _mm_movemask_epi8(r2.v)) << 16;
10697
SCLogInfo("bm2 %"PRIxMAX, (uintmax_t)bm);
10699
/* load a batch of masks */
10700
sm.v = _mm_load_si128((const __m128i *)&mask[32]);
10701
VECTOR_SCLogInfo(sm);
10702
/* logical AND them with the packet's mask */
10703
r1.v = _mm_and_si128(pm.v, sm.v);
10704
VECTOR_SCLogInfo(r1);
10705
/* compare the result with the original mask */
10706
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10707
VECTOR_SCLogInfo(r2);
10708
/* convert into a bitarray */
10709
bm |= ((uint64_t) _mm_movemask_epi8(r2.v)) << 32;
10711
SCLogInfo("bm3 %"PRIxMAX, (uintmax_t)bm);
10713
/* load a batch of masks */
10714
sm.v = _mm_load_si128((const __m128i *)&mask[48]);
10715
VECTOR_SCLogInfo(sm);
10716
/* logical AND them with the packet's mask */
10717
r1.v = _mm_and_si128(pm.v, sm.v);
10718
VECTOR_SCLogInfo(r1);
10719
/* compare the result with the original mask */
10720
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10721
VECTOR_SCLogInfo(r2);
10722
/* convert into a bitarray */
10723
bm |= ((uint64_t) _mm_movemask_epi8(r2.v)) << 48;
10725
SCLogInfo("bm4 %"PRIxMAX, (uintmax_t)bm);
10728
for ( ; b < 64; b++){
10729
if (bm & ((uint64_t)1 << b)) {
10730
SCLogInfo("b %02d, set", b);
10732
SCLogInfo("b %02d, not set", b);
10737
if (!(bm & ((uint64_t)1 << 31)) && !(bm & ((uint64_t)1 << 62))) {
10747
* \test Test 64 bit SIMD code.
10749
int SigTestSIMDMask04(void) {
10750
#if defined (__SSE3__)
10751
Vector pm, sm, r1, r2;
10754
uint8_t *mask = SCMallocAligned(64, 16);
10755
memset(mask, 0x01, 64);
10758
pm.v = _mm_set1_epi8(0x02);
10759
VECTOR_SCLogInfo(pm);
10761
/* load a batch of masks */
10762
sm.v = _mm_load_si128((const __m128i *)&mask[0]);
10763
VECTOR_SCLogInfo(sm);
10764
/* logical AND them with the packet's mask */
10765
r1.v = _mm_and_si128(pm.v, sm.v);
10766
VECTOR_SCLogInfo(r1);
10767
/* compare the result with the original mask */
10768
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10769
VECTOR_SCLogInfo(r2);
10770
/* convert into a bitarray */
10771
bm = ((uint64_t) _mm_movemask_epi8(r2.v));
10773
SCLogInfo("bm1 %"PRIxMAX, (uintmax_t)bm);
10775
/* load a batch of masks */
10776
sm.v = _mm_load_si128((const __m128i *)&mask[16]);
10777
VECTOR_SCLogInfo(sm);
10778
/* logical AND them with the packet's mask */
10779
r1.v = _mm_and_si128(pm.v, sm.v);
10780
VECTOR_SCLogInfo(r1);
10781
/* compare the result with the original mask */
10782
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10783
VECTOR_SCLogInfo(r2);
10784
/* convert into a bitarray */
10785
bm |= ((uint64_t) _mm_movemask_epi8(r2.v)) << 16;
10787
SCLogInfo("bm2 %"PRIxMAX, (uintmax_t)bm);
10789
/* load a batch of masks */
10790
sm.v = _mm_load_si128((const __m128i *)&mask[32]);
10791
VECTOR_SCLogInfo(sm);
10792
/* logical AND them with the packet's mask */
10793
r1.v = _mm_and_si128(pm.v, sm.v);
10794
VECTOR_SCLogInfo(r1);
10795
/* compare the result with the original mask */
10796
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10797
VECTOR_SCLogInfo(r2);
10798
/* convert into a bitarray */
10799
bm |= ((uint64_t) _mm_movemask_epi8(r2.v)) << 32;
10801
SCLogInfo("bm3 %"PRIxMAX, (uintmax_t)bm);
10803
/* load a batch of masks */
10804
sm.v = _mm_load_si128((const __m128i *)&mask[48]);
10805
VECTOR_SCLogInfo(sm);
10806
/* logical AND them with the packet's mask */
10807
r1.v = _mm_and_si128(pm.v, sm.v);
10808
VECTOR_SCLogInfo(r1);
10809
/* compare the result with the original mask */
10810
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10811
VECTOR_SCLogInfo(r2);
10812
/* convert into a bitarray */
10813
bm |= (((uint64_t) _mm_movemask_epi8(r2.v)) << 48);
10815
SCLogInfo("bm4-total %"PRIxMAX, (uintmax_t)bm);
10818
for ( ; b < 64; b++){
10819
if (bm & ((uint64_t)1 << b)) {
10820
SCLogInfo("b %02d, set", b);
10822
SCLogInfo("b %02d, not set", b);
10827
if ((bm & ((uint64_t)1 << 31)) && (bm & ((uint64_t)1 << 62))) {
9387
10836
#endif /* UNITTESTS */
9389
10838
void SigRegisterTests(void) {