aboutsummaryrefslogtreecommitdiffstats
path: root/framework/src/suricata/src/detect-engine-siggroup.c
diff options
context:
space:
mode:
Diffstat (limited to 'framework/src/suricata/src/detect-engine-siggroup.c')
-rw-r--r--framework/src/suricata/src/detect-engine-siggroup.c98
1 files changed, 64 insertions, 34 deletions
diff --git a/framework/src/suricata/src/detect-engine-siggroup.c b/framework/src/suricata/src/detect-engine-siggroup.c
index 02602d90..89e0eb79 100644
--- a/framework/src/suricata/src/detect-engine-siggroup.c
+++ b/framework/src/suricata/src/detect-engine-siggroup.c
@@ -608,7 +608,7 @@ uint32_t SigGroupHeadHashFunc(HashListTable *ht, void *data, uint16_t datalen)
uint32_t hash = 0;
uint32_t b = 0;
- SCLogDebug("hashing sgh %p (mpm_content_maxlen %u)", sgh, sgh->mpm_content_maxlen);
+ SCLogDebug("hashing sgh %p (mpm_content_minlen %u)", sgh, sgh->mpm_content_minlen);
for (b = 0; b < sgh->init->sig_size; b++)
hash += sgh->init->sig_array[b];
@@ -998,6 +998,17 @@ void SigGroupHeadFreeMpmArrays(DetectEngineCtx *de_ctx)
return;
}
+static uint16_t SignatureGetMpmPatternLen(Signature *s, int list)
+{
+ if (s->sm_lists[list] != NULL && s->mpm_sm != NULL &&
+ SigMatchListSMBelongsTo(s, s->mpm_sm) == list)
+ {
+ DetectContentData *cd = (DetectContentData *)s->mpm_sm->ctx;
+ return cd->content_len;
+ }
+ return 0;
+}
+
/**
* \brief Add a Signature to a SigGroupHead.
*
@@ -1025,28 +1036,18 @@ int SigGroupHeadAppendSig(DetectEngineCtx *de_ctx, SigGroupHead **sgh,
/* enable the sig in the bitarray */
(*sgh)->init->sig_array[s->num / 8] |= 1 << (s->num % 8);
- /* update maxlen for mpm */
+ /* update minlen for mpm */
if (s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
/* check with the precalculated values from the sig */
- if (s->mpm_content_maxlen > 0) {
- if ((*sgh)->mpm_content_maxlen == 0)
- (*sgh)->mpm_content_maxlen = s->mpm_content_maxlen;
+ uint16_t mpm_content_minlen = SignatureGetMpmPatternLen(s, DETECT_SM_LIST_PMATCH);
+ if (mpm_content_minlen > 0) {
+ if ((*sgh)->mpm_content_minlen == 0)
+ (*sgh)->mpm_content_minlen = mpm_content_minlen;
- if ((*sgh)->mpm_content_maxlen > s->mpm_content_maxlen)
- (*sgh)->mpm_content_maxlen = s->mpm_content_maxlen;
+ if ((*sgh)->mpm_content_minlen > mpm_content_minlen)
+ (*sgh)->mpm_content_minlen = mpm_content_minlen;
- SCLogDebug("(%p)->mpm_content_maxlen %u", *sgh, (*sgh)->mpm_content_maxlen);
- }
- }
- if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) {
- if (s->mpm_uricontent_maxlen > 0) {
- if ((*sgh)->mpm_uricontent_maxlen == 0)
- (*sgh)->mpm_uricontent_maxlen = s->mpm_uricontent_maxlen;
-
- if ((*sgh)->mpm_uricontent_maxlen > s->mpm_uricontent_maxlen)
- (*sgh)->mpm_uricontent_maxlen = s->mpm_uricontent_maxlen;
-
- SCLogDebug("(%p)->mpm_uricontent_maxlen %u", *sgh, (*sgh)->mpm_uricontent_maxlen);
+ SCLogDebug("(%p)->mpm_content_minlen %u", *sgh, (*sgh)->mpm_content_minlen);
}
}
return 0;
@@ -1103,23 +1104,16 @@ int SigGroupHeadCopySigs(DetectEngineCtx *de_ctx, SigGroupHead *src, SigGroupHea
for (idx = 0; idx < src->init->sig_size; idx++)
(*dst)->init->sig_array[idx] = (*dst)->init->sig_array[idx] | src->init->sig_array[idx];
- if (src->mpm_content_maxlen != 0) {
- if ((*dst)->mpm_content_maxlen == 0)
- (*dst)->mpm_content_maxlen = src->mpm_content_maxlen;
-
- if ((*dst)->mpm_content_maxlen > src->mpm_content_maxlen)
- (*dst)->mpm_content_maxlen = src->mpm_content_maxlen;
+ if (src->mpm_content_minlen != 0) {
+ if ((*dst)->mpm_content_minlen == 0)
+ (*dst)->mpm_content_minlen = src->mpm_content_minlen;
- SCLogDebug("src (%p)->mpm_content_maxlen %u", src, src->mpm_content_maxlen);
- SCLogDebug("dst (%p)->mpm_content_maxlen %u", (*dst), (*dst)->mpm_content_maxlen);
- BUG_ON((*dst)->mpm_content_maxlen == 0);
- }
- if (src->mpm_uricontent_maxlen != 0) {
- if ((*dst)->mpm_uricontent_maxlen == 0)
- (*dst)->mpm_uricontent_maxlen = src->mpm_uricontent_maxlen;
+ if ((*dst)->mpm_content_minlen > src->mpm_content_minlen)
+ (*dst)->mpm_content_minlen = src->mpm_content_minlen;
- if ((*dst)->mpm_uricontent_maxlen > src->mpm_uricontent_maxlen)
- (*dst)->mpm_uricontent_maxlen = src->mpm_uricontent_maxlen;
+ SCLogDebug("src (%p)->mpm_content_minlen %u", src, src->mpm_content_minlen);
+ SCLogDebug("dst (%p)->mpm_content_minlen %u", (*dst), (*dst)->mpm_content_minlen);
+ BUG_ON((*dst)->mpm_content_minlen == 0);
}
return 0;
@@ -1606,6 +1600,42 @@ void SigGroupHeadSetFilemagicFlag(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
}
/**
+ * \brief Get size of the shortest mpm pattern.
+ *
+ * \param de_ctx detection engine ctx for the signatures
+ * \param sgh sig group head to set the flag in
+ * \param list sm_list to consider
+ */
+uint16_t SigGroupHeadGetMinMpmSize(DetectEngineCtx *de_ctx,
+ SigGroupHead *sgh, int list)
+{
+ Signature *s = NULL;
+ uint32_t sig = 0;
+ uint16_t min = USHRT_MAX;
+
+ if (sgh == NULL)
+ return 0;
+
+ for (sig = 0; sig < sgh->sig_cnt; sig++) {
+ s = sgh->match_array[sig];
+ if (s == NULL)
+ continue;
+
+ uint16_t mpm_content_minlen = SignatureGetMpmPatternLen(s, DETECT_SM_LIST_PMATCH);
+ if (mpm_content_minlen > 0) {
+ if (mpm_content_minlen < min)
+ min = mpm_content_minlen;
+ SCLogDebug("mpm_content_minlen %u", mpm_content_minlen);
+ }
+ }
+
+ if (min == USHRT_MAX)
+ min = 0;
+ SCLogDebug("min mpm size %u", min);
+ return min;
+}
+
+/**
* \brief Set the need size flag in the sgh.
*
* \param de_ctx detection engine ctx for the signatures