Bug #191 » 0001-Don-t-avoid-inspecting-uricontents-if-we-get-no-matc.patch

The problem was that we were skipping the checks of uricontent/urilen and pcre on uris if we got no match on uricontents, but also without checking if they were negated. Now what we do is that we call the inspection with or without mpm matches, but if it - Pablo Rincon, 07/02/2010 11:22 AM

View differences:

src/detect-engine-uri.c
//PrintawDataFp(stdout,ud->uricontent,ud->uricontent_len);
/* do the actual search with boyer moore precooked ctx */
if (ud->flags & DETECT_URICONTENT_NOCASE)
found = BoyerMooreNocase(ud->uricontent, ud->uricontent_len, spayload, spayload_len, ud->bm_ctx->bmGs, ud->bm_ctx->bmBc);
else
found = BoyerMoore(ud->uricontent, ud->uricontent_len, spayload, spayload_len, ud->bm_ctx->bmGs, ud->bm_ctx->bmBc);
/* If we got no matches from the mpm, avoid searching (just check if negated) */
if (det_ctx->de_have_httpuri == TRUE) {
/* do the actual search with boyer moore precooked ctx */
if (ud->flags & DETECT_URICONTENT_NOCASE)
found = BoyerMooreNocase(ud->uricontent, ud->uricontent_len, spayload, spayload_len, ud->bm_ctx->bmGs, ud->bm_ctx->bmBc);
else
found = BoyerMoore(ud->uricontent, ud->uricontent_len, spayload, spayload_len, ud->bm_ctx->bmGs, ud->bm_ctx->bmBc);
} else {
found = NULL;
}
/* next we evaluate the result in combination with the
* negation flag. */
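
Review bot: The comment on the guard says "If we got no matches from the mpm", but the condition tests `det_ctx->de_have_httpuri`, which the comment further down in this file describes as "we don't have a uri". Those are two different states (no URI at all versus a URI that the mpm did not match), and the code reads as if they were the same. Either rename the field or reword the comment so it says which one is meant. In the else branch, `found = NULL` is only correct if the negation evaluation that follows treats NULL as a match for a negated uricontent and as a non-match otherwise; a one-line comment stating that at the assignment would help.
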
......
}
/* if we don't have a uri, don't bother inspecting */
if (det_ctx->de_have_httpuri == FALSE) {
if (det_ctx->de_have_httpuri == FALSE && !(s->flags & SIG_FLAG_MPM_URI_NEG)) {
SCLogDebug("We don't have uri");
goto end;
}
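
Review bot: The comment "if we don't have a uri, don't bother inspecting" and the debug message "We don't have uri" no longer describe the condition that includes `!(s->flags & SIG_FLAG_MPM_URI_NEG)`, because signatures carrying that flag now continue into inspection. Update both to match. Also, the bug description mentions urilen and pcre on URIs being skipped, while in the visible part of this patch the flag is only set from a negated uricontent; please confirm that a signature with a urilen or URI pcre but no negated uricontent is still handled, or extend the condition.
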
src/detect-uricontent.c
cd->offset = 0;
cd->within = 0;
cd->distance = 0;
cd->flags = 0;
/* Prepare Boyer Moore context for searching faster */
cd->bm_ctx = BoyerMooreCtxInit(cd->uricontent, cd->uricontent_len);
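
Review bot: `cd->flags = 0;` sits with the other field resets, but the later hunk in this file tests `cd->flags & DETECT_URICONTENT_NEGATED`, so this reset has to run before the point where the negation flag is set during parsing; otherwise it silently clears the flag and `SIG_FLAG_MPM_URI_NEG` is never set. That ordering is not visible in the hunk, so please confirm it. Separately, the result of `BoyerMooreCtxInit()` is not checked here, while the inspection code dereferences `ud->bm_ctx->bmGs` and `ud->bm_ctx->bmBc` unconditionally; a NULL check with `goto error` would be safer.
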
......
if (sm == NULL)
goto error;
if (cd->flags & DETECT_URICONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_URI_NEG;
sm->type = DETECT_URICONTENT;
sm->ctx = (void *)cd;
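
Review bot: The lines that set `SIG_FLAG_MPM_URI_NEG` carry no comment, and the flag's effect is signature-wide: a single negated uricontent makes the engine inspect the whole signature even without an mpm match. Add a short comment here, and at the flag's definition, saying so. The assignment also sits between the `sm == NULL` check and the `sm->type` / `sm->ctx` setup; moving it after `sm->ctx = (void *)cd;` keeps the sigmatch initialization together.
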