/**
* Function doing a lookup in expectation list and updating Flow if needed.
*
* This function lookup for a existing expectation that could match the Flow.
* If found and if the expectation contains data it store the data in the
* expectation storage of the Flow.
*
* \return an AppProto value if found
* \return ALPROTO_UNKNOWN if not found
*/
AppProto AppLayerExpectationHandle(Flow *f, int direction)
{
AppProto alproto = ALPROTO_UNKNOWN;
IPPair *ipp = NULL;
Expectation *lexp = NULL;
Expectation *pexp = NULL;
int x = SC_ATOMIC_GET(expectation_count);
if (x == 0) {
return ALPROTO_UNKNOWN;
}
/* Call will take reference of the ip pair in 'ipp' */
Expectation *exp = AppLayerExpectationLookup(f, direction, &ipp);
if (exp == NULL)
goto out;
time_t ctime = f->lastts.tv_sec;
pexp = NULL;
while (exp) {
lexp = exp->next;
if ( (exp->direction & direction) &&
((exp->sp == 0) || (exp->sp == f->sp)) &&
((exp->dp == 0) || (exp->dp == f->dp))) {
alproto = exp->alproto;
f->alproto_ts = alproto;
f->alproto_tc = alproto;
void *fdata = FlowGetStorageById(f, g_expectation_id);
if (fdata) {
/* We already have an expectation so let's clean this one */
ExpectationDataFree(exp->data);
} else {
/* Transfer ownership of Expectation data to the Flow */
if (FlowSetStorageById(f, g_expectation_data_id, exp->data) != 0) {
SCLogDebug("Unable to set flow storage");
}
}
exp->data = NULL;
exp = RemoveExpectationAndGetNext(ipp, pexp, exp, lexp);
continue;
}
/* Cleaning remove old entries */
if (exp && (ctime > exp->ts.tv_sec + EXPECTATION_TIMEOUT)) {
exp = RemoveExpectationAndGetNext(ipp, pexp, exp, lexp);
continue;
}
pexp = exp;
exp = lexp;
}
out:
if (ipp)
IPPairRelease(ipp);
return alproto;
}
static int DetectIPPairbitMatchSet (Packet *p, const DetectXbitsData *fd)
{
IPPair *pair = IPPairGetIPPairFromHash(&p->src, &p->dst);
if (pair == NULL)
return 0;
IPPairBitSet(pair, fd->idx, p->ts.tv_sec + fd->expire);
IPPairRelease(pair);
return 1;
}
/* return true even if bit not found */
static int DetectIPPairbitMatchUnset (Packet *p, const DetectXbitsData *fd)
{
IPPair *pair = IPPairLookupIPPairFromHash(&p->src, &p->dst);
if (pair == NULL)
return 1;
IPPairBitUnset(pair,fd->idx);
IPPairRelease(pair);
return 1;
}
static int DetectIPPairbitMatchIsnotset (Packet *p, const DetectXbitsData *fd)
{
int r = 0;
IPPair *pair = IPPairLookupIPPairFromHash(&p->src, &p->dst);
if (pair == NULL)
return 1;
r = IPPairBitIsnotset(pair,fd->idx,p->ts.tv_sec);
IPPairRelease(pair);
return r;
}
