De cleanups/20241010/v1

src/detect-engine-build.c

@@ -487,27 +487,11 @@ static int SignatureCreateMask(Signature *s)
  {
  DetectFlagsData *fl = (DetectFlagsData *)sm->ctx;
 
- if (fl->flags & TH_SYN) {
+ if (fl->flags & MASK_TCP_INITDEINIT_FLAGS) {
  s->mask |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
  SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT");
  }
- if (fl->flags & TH_RST) {
- s->mask |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
- SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT");
- }
- if (fl->flags & TH_FIN) {
- s->mask |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
- SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT");
- }
- if (fl->flags & TH_URG) {
- s->mask |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
- SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL");
- }
- if (fl->flags & TH_ECN) {
- s->mask |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
- SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL");
- }
- if (fl->flags & TH_CWR) {
+ if (fl->flags & MASK_TCP_UNUSUAL_FLAGS) {
  s->mask |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
  SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL");
  }
@@ -969,7 +953,7 @@ static void RulesDumpGrouping(const DetectEngineCtx *de_ctx,
  fclose(fp);
 }
 
-static int RulesGroupByProto(DetectEngineCtx *de_ctx)
+static int RulesGroupByIPProto(DetectEngineCtx *de_ctx)
 {
  Signature *s = de_ctx->sig_list;
 
@@ -980,15 +964,16 @@ static int RulesGroupByProto(DetectEngineCtx *de_ctx)
  if (s->type == SIG_TYPE_IPONLY)
  continue;
 
- int p;
- for (p = 0; p < 256; p++) {
+ /* traverse over IP protocol list from libc */
+ for (int p = 0; p < 256; p++) {
  if (p == IPPROTO_TCP || p == IPPROTO_UDP) {
  continue;
  }
  if (!(s->proto.proto[p / 8] & (1<<(p % 8)) || (s->proto.flags & DETECT_PROTO_ANY))) {
  continue;
  }
 
+ /* Signatures that are !IP only, ICMP, SCTP are handlnd here */
  if (s->flags & SIG_FLAG_TOCLIENT) {
  SigGroupHeadAppendSig(de_ctx, &sgh_tc[p], s);
  }
@@ -1079,8 +1064,7 @@ static int RulesGroupByProto(DetectEngineCtx *de_ctx)
  return 0;
 }
 
-static int PortIsWhitelisted(const DetectEngineCtx *de_ctx,
- const DetectPort *a, int ipproto)
+static int PortIsPriority(const DetectEngineCtx *de_ctx, const DetectPort *a, int ipproto)
 {
  DetectPort *w = de_ctx->tcp_whitelist;
  if (ipproto == IPPROTO_UDP)
@@ -1098,7 +1082,7 @@ static int PortIsWhitelisted(const DetectEngineCtx *de_ctx,
  return 0;
 }
 
-static int RuleSetWhitelist(Signature *s)
+static int RuleSetScore(Signature *s)
 {
  DetectPort *p = NULL;
  if (s->flags & SIG_FLAG_TOSERVER)
@@ -1535,8 +1519,7 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, uint8_t ipproto, u
 
  int wl = s->init_data->score;
  while (p) {
- int pwl = PortIsWhitelisted(de_ctx, p, ipproto) ? DETECT_PGSCORE_RULE_PORT_WHITELISTED
- : 0;
+ int pwl = PortIsPriority(de_ctx, p, ipproto) ? DETECT_PGSCORE_RULE_PORT_WHITELISTED : 0;
  pwl = MAX(wl,pwl);
 
  DetectPort *lookup = DetectPortHashLookup(de_ctx, p);
@@ -1802,7 +1785,7 @@ int SigPrepareStage1(DetectEngineCtx *de_ctx)
  DetectContentPropagateLimits(s);
  SigParseApplyDsizeToContent(s);
 
- RuleSetWhitelist(s);
+ RuleSetScore(s);
 
  /* if keyword engines are enabled in the config, handle them here */
  if (!g_skip_prefilter && de_ctx->prefilter_setting == DETECT_PREFILTER_AUTO &&
@@ -1907,7 +1890,7 @@ int SigPrepareStage2(DetectEngineCtx *de_ctx)
  de_ctx->flow_gh[0].udp = RulesGroupByPorts(de_ctx, IPPROTO_UDP, SIG_FLAG_TOCLIENT);
 
  /* Setup the other IP Protocols (so not TCP/UDP) */
- RulesGroupByProto(de_ctx);
+ RulesGroupByIPProto(de_ctx);
 
  /* now for every rule add the source group to our temp lists */
  for (Signature *s = de_ctx->sig_list; s != NULL; s = s->next) {

src/detect-engine-proto.h

@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2010 Open Information Security Foundation
+/* Copyright (C) 2007-2024 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
@@ -24,14 +24,13 @@
 #ifndef SURICATA_DETECT_PROTO_H
 #define SURICATA_DETECT_PROTO_H
 
-#define DETECT_PROTO_ANY (1 << 0) /**< Indicate that given protocol
- is considered as IP */
-#define DETECT_PROTO_ONLY_PKT (1 << 1) /**< Indicate that we only care
- about packet payloads. */
-#define DETECT_PROTO_ONLY_STREAM (1 << 2) /**< Indicate that we only care
- about stream payloads. */
-#define DETECT_PROTO_IPV4 (1 << 3) /**< IPv4 only */
-#define DETECT_PROTO_IPV6 (1 << 4) /**< IPv6 only */
+// clang-format off
+#define DETECT_PROTO_ANY BIT_U8(0) /**< Indicate that given protocol is considered as IP */
+#define DETECT_PROTO_ONLY_PKT BIT_U8(1) /**< Indicate that we only care about packet payloads. */
+#define DETECT_PROTO_ONLY_STREAM BIT_U8(2) /**< Indicate that we only care about stream payloads. */
+#define DETECT_PROTO_IPV4 BIT_U8(3) /**< IPv4 only */
+#define DETECT_PROTO_IPV6 BIT_U8(4) /**< IPv6 only */
+// clang-format on
 
 typedef struct DetectProto_ {
  uint8_t proto[256/8]; /**< bit array for 256 protocol bits */