aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5857660568'
${ noResults }
suricata/src/detect-engine-payload.c

1248 lines
34 KiB
C
Raw Normal View History Unescape Escape

New Multi-pattern matcher, ac-tile, optimized for Tile architecture. Aho-Corasick mpm optimized for Tilera Tile-Gx architecture. Based on the util-mpm-ac.c code base. The primary optimizations are: 1) Matching function used Tilera specific instructions. 2) Alphabet compression to reduce delta table size to increase cache utilization and performance. The basic observation is that not all 256 ASCII characters are used by the set of multiple patterns in a group for which a DFA is created. The first reason is that Suricata's pattern matching is case-insensitive, so all uppercase characters are converted to lowercase, leaving a hole of 26 characters in the alphabet. Previously, this hole was simply left in the middle of the alphabet and thus in the generated Next State (delta) tables. A new, smaller, alphabet is created using a translation table of 256 bytes per mpm group. Previously, there was one global translation table for converting upper case to lowercase. Additional, unused characters are found by creating a histogram of all the characters in all the patterns. Then all the characters with zero counts are mapped to one character (0) in the new alphabet. Since These characters appear in no pattern, they can all be mapped to a single character and still result in the same matches being found. Zero was chosen for the value in the new alphabet since this "character" is more likely to appear in the input. The unused character always results in the next state being state zero, but that fact is not currently used by the code, since special casing takes additional instructions. The characters that do appear in some pattern are mapped to consecutive characters in the new alphabet, starting at 1. This results in a dense packing of next state values in the delta tables and additionally can allow for a smaller number of columns in that table, thus using less memory and better packing into the cache. The size of the new alphabet is the number of used characters plus 1 for the unused catch-all character. The alphabet size is rounded up to the next larger power-of-2 so that multiplication by the alphabet size can be done with a shift. It might be possible to use a multiply instruction, so that the exact alphabet size could be used, which would further reduce the size of the delta tables, increase cache density and not require the specialized search functions. The multiply would likely add 1 cycle to the inner search loop. Since the multiply by alphabet-size is cleverly merged with a mask instruction (in the SINDEX macro), specialized versions of the SCACSearch function are generated for alphabet sizes 256, 128, 64, 32 and 16. This is done by including the file util-mpm-ac-small.c multiple times with a redefined SINDEX macro. A function pointer is then stored in the mpm context for the search function. For alpha bit sizes of 8 or smaller, the number of states usually small, so the DFA is already very small, so there is little difference using the 16 state search function. The SCACSearch function is also specialized by the size of the value stored in the next state (delta) tables, either 16-bits or 32-bits. This removes a conditional inside the Search function. That conditional is only called once, but doesn't hurt to remove it. 16-bits are used for up to 32K states, with the sign bit set for states with matches. Future optimization: The state-has-match values is only needed per state, not per next state, so checking the next-state sign bit could be replaced with reading a different value, at the cost of an additional load, but increasing the 16-bit next state span to 64K. Since the order of the characters in the new alphabet doesn't matter, the new alphabet could be sorted by the frequency of the characters in the expected input stream for that multi-pattern matcher. This would group more frequent characters into the same cache lines, thus increasing the probability of reusing a cache-line. All the next state values for each state live in their own set of cache-lines. With power-of-two sizes alphabets, these don't overlap. So either 32 or 16 character's next states are loaded in each cache line load. If the alphabet size is not an exact power-of-2, then the last cache-line is not completely full and up to 31*2 bytes of that line could be wasted per state. The next state table could be transposed, so that all the next states for a specific character are stored sequentially, this could be better if some characters, for example the unused character, are much more frequent.
12 years ago
/* Copyright (C) 2007-2013 Open Information Security Foundation
Import of GPLv2 Header 050410
15 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
Cleanups.
16 years ago
Import of GPLv2 Header 050410
15 years ago
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
*
* Performs payload matching functions
Cleanups.
16 years ago
*/
First stage of detect engine redesign: equal patterns share id's, search phase no longer used, new match verification phase.
16 years ago
#include "suricata-common.h"
#include "suricata.h"
#include "decode.h"
#include "detect.h"
find an optimal value for detect-engine:inspection-recursion_limit + unittest
15 years ago
#include "detect-engine.h"
#include "detect-parse.h"
unify payload detection engines + fix other bugs in pcre init
14 years ago
#include "detect-engine-content-inspection.h"
First stage of detect engine redesign: equal patterns share id's, search phase no longer used, new match verification phase.
16 years ago
mpm: cleanup: move mpm funcs into buffer specific files
10 years ago
#include "stream.h"
First stage of detect engine redesign: equal patterns share id's, search phase no longer used, new match verification phase.
16 years ago
#include "util-debug.h"
Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag.
16 years ago
#include "util-print.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
mpm: cleanup: move mpm funcs into buffer specific files
10 years ago
#include "util-validate.h"
#include "util-mpm-ac.h"
uint32_t PacketPatternSearchWithStreamCtx(DetectEngineThreadCtx *det_ctx,
Packet *p)
{
SCEnter();
uint32_t ret = 0;
const MpmCtx *mpm_ctx = NULL;
if (p->flowflags & FLOW_PKT_TOSERVER) {
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_stream_ctx_ts == NULL);
mpm_ctx = det_ctx->sgh->mpm_stream_ctx_ts;
} else {
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_stream_ctx_tc == NULL);
mpm_ctx = det_ctx->sgh->mpm_stream_ctx_tc;
}
if (unlikely(mpm_ctx == NULL)) {
SCReturnInt(0);
}
ret = mpm_table[mpm_ctx->mpm_type].
Search(mpm_ctx, &det_ctx->mtc, &det_ctx->pmq,
p->payload, p->payload_len);
SCReturnInt(ret);
}
/** \brief Pattern match -- searches for only one pattern per signature.
*
* \param det_ctx detection engine thread ctx
* \param p packet
* \param smsg stream msg (reassembled stream data)
* \param flags stream flags
*
* \retval ret number of matches
*/
uint32_t StreamPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p,
StreamMsg *smsg, uint8_t flags)
{
SCEnter();
uint32_t ret = 0;
uint8_t cnt = 0;
//PrintRawDataFp(stdout, smsg->data.data, smsg->data.data_len);
uint32_t r;
if (flags & STREAM_TOSERVER) {
for ( ; smsg != NULL; smsg = smsg->next) {
r = mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_stream_ctx_ts, &det_ctx->mtcs,
&det_ctx->pmq, smsg->data, smsg->data_len);
if (r > 0) {
ret += r;
}
cnt++;
}
} else if (flags & STREAM_TOCLIENT) {
for ( ; smsg != NULL; smsg = smsg->next) {
r = mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_stream_ctx_tc, &det_ctx->mtcs,
&det_ctx->pmq, smsg->data, smsg->data_len);
if (r > 0) {
ret += r;
}
cnt++;
}
}
SCReturnInt(ret);
}
/** \brief Pattern match -- searches for only one pattern per signature.
*
* \param det_ctx detection engine thread ctx
* \param p packet to inspect
*
* \retval ret number of matches
*/
uint32_t PacketPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p)
{
SCEnter();
uint32_t ret;
const MpmCtx *mpm_ctx = NULL;
if (p->proto == IPPROTO_TCP) {
if (p->flowflags & FLOW_PKT_TOSERVER) {
mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx_ts;
} else if (p->flowflags & FLOW_PKT_TOCLIENT) {
mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx_tc;
}
} else if (p->proto == IPPROTO_UDP) {
if (p->flowflags & FLOW_PKT_TOSERVER) {
mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx_ts;
} else if (p->flowflags & FLOW_PKT_TOCLIENT) {
mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx_tc;
}
} else {
mpm_ctx = det_ctx->sgh->mpm_proto_other_ctx;
}
if (unlikely(mpm_ctx == NULL))
SCReturnInt(0);
#ifdef __SC_CUDA_SUPPORT__
if (p->cuda_pkt_vars.cuda_mpm_enabled && p->pkt_src == PKT_SRC_WIRE) {
ret = SCACCudaPacketResultsProcessing(p, mpm_ctx, &det_ctx->pmq);
} else {
ret = mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
&det_ctx->mtc,
&det_ctx->pmq,
p->payload,
p->payload_len);
}
#else
ret = mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
&det_ctx->mtc,
&det_ctx->pmq,
p->payload,
p->payload_len);
#endif
SCReturnInt(ret);
}
First stage of detect engine redesign: equal patterns share id's, search phase no longer used, new match verification phase.
16 years ago
Inspect the reassembled stream together with the packet payload in the same direction.
15 years ago
/**
* \brief Do the content inspection & validation for a signature
First stage of detect engine redesign: equal patterns share id's, search phase no longer used, new match verification phase.
16 years ago
*
* \param de_ctx Detection engine context
* \param det_ctx Detection engine thread context
* \param s Signature to inspect
Inspect the reassembled stream together with the packet payload in the same direction.
15 years ago
* \param f flow (for pcre flowvar storage)
First stage of detect engine redesign: equal patterns share id's, search phase no longer used, new match verification phase.
16 years ago
* \param p Packet
*
* \retval 0 no match
* \retval 1 match
*/
int DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx,
detect: cleanup Remove unused alstate and app layer flags arguments from DetectEngineInspectPacketPayload()
11 years ago
DetectEngineThreadCtx *det_ctx, Signature *s, Flow *f, Packet *p)
First stage of detect engine redesign: equal patterns share id's, search phase no longer used, new match verification phase.
16 years ago
{
SCEnter();
int r = 0;
replace all Signature->pmatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_PMATCH]
15 years ago
if (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
First stage of detect engine redesign: equal patterns share id's, search phase no longer used, new match verification phase.
16 years ago
SCReturnInt(0);
}
remove det_ctx->payload_offset and use det_ctx->buffer_offset. Update hscd and hsmd to use the new generic content inspection engine
14 years ago
det_ctx->buffer_offset = 0;
fix false positives for a negated content case
15 years ago
det_ctx->discontinue_matching = 0;
define a new conf paramter detect-engine:inspection-recursion-limit; Defines a recursion limit for content inspection code
15 years ago
det_ctx->inspection_recursion_counter = 0;
Add support for replace keyword. This patch adds support for the replace keyword. It is used with content to change selected part of the payload. The major point with this patch is that having a replace keyword made necessary to avoid all stream level check because we need to access to the could-be-modified packet payload. One of the main difficulty is to handle complex signature. If there is other content check, we must do the substitution when we're sure all match are valid. The patch adds an attribute to the thread context variable to be able to deal with recursivity of the match function. Replace is only activated in IPS mode and apply only to raw match.
14 years ago
det_ctx->replist = NULL;
remove support for skipping reinspecting fast pattern contents once again during packet payload inspection. Also make some changes to our detection engine
15 years ago
//det_ctx->flags |= DETECT_ENGINE_THREAD_CTX_INSPECTING_PACKET;
First stage of detect engine redesign: equal patterns share id's, search phase no longer used, new match verification phase.
16 years ago
unify payload detection engines + fix other bugs in pcre init
14 years ago
r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_PMATCH],
fix for #788. Now depth is kept in mind when we inspect chunks in client/server body. This takes care of FPs originating from inspecting subsequent chunks that match with depth, but shouldn't.
12 years ago
f, p->payload, p->payload_len, 0,
unify payload detection engines + fix other bugs in pcre init
14 years ago
DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD, p);
//r = DoInspectPacketPayload(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_PMATCH], p, f, p->payload, p->payload_len);
remove support for skipping reinspecting fast pattern contents once again during packet payload inspection. Also make some changes to our detection engine
15 years ago
//det_ctx->flags &= ~DETECT_ENGINE_THREAD_CTX_INSPECTING_PACKET;
Inspect the reassembled stream together with the packet payload in the same direction.
15 years ago
if (r == 1) {
SCReturnInt(1);
}
SCReturnInt(0);
}
/**
* \brief Do the content inspection & validation for a signature for a stream chunk
*
* \param de_ctx Detection engine context
* \param det_ctx Detection engine thread context
* \param s Signature to inspect
* \param f flow (for pcre flowvar storage)
* \param payload ptr to the payload to inspect
* \param payload_len length of the payload
*
* \retval 0 no match
* \retval 1 match
*
* \todo we might also pass the packet to this function for the pktvar
* storage. Only, would that be right? We're not inspecting data
* from the current packet here.
*/
int DetectEngineInspectStreamPayload(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Signature *s, Flow *f,
uint8_t *payload, uint32_t payload_len)
{
SCEnter();
int r = 0;
replace all Signature->pmatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_PMATCH]
15 years ago
if (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
Inspect the reassembled stream together with the packet payload in the same direction.
15 years ago
SCReturnInt(0);
}
remove det_ctx->payload_offset and use det_ctx->buffer_offset. Update hscd and hsmd to use the new generic content inspection engine
14 years ago
det_ctx->buffer_offset = 0;
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags
15 years ago
det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0;
unify payload detection engines + fix other bugs in pcre init
14 years ago
//det_ctx->flags |= DETECT_ENGINE_THREAD_CTX_INSPECTING_STREAM;
Inspect the reassembled stream together with the packet payload in the same direction.
15 years ago
unify payload detection engines + fix other bugs in pcre init
14 years ago
r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_PMATCH],
fix for #788. Now depth is kept in mind when we inspect chunks in client/server body. This takes care of FPs originating from inspecting subsequent chunks that match with depth, but shouldn't.
12 years ago
f, payload, payload_len, 0,
unify payload detection engines + fix other bugs in pcre init
14 years ago
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM, NULL);
//r = DoInspectPacketPayload(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_PMATCH], NULL, f, payload, payload_len);
//det_ctx->flags &= ~DETECT_ENGINE_THREAD_CTX_INSPECTING_STREAM;
First stage of detect engine redesign: equal patterns share id's, search phase no longer used, new match verification phase.
16 years ago
if (r == 1) {
SCReturnInt(1);
}
SCReturnInt(0);
}
Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag.
16 years ago
#ifdef UNITTESTS
Fix nocase searching in payload search phase.
16 years ago
/** \test Not the first but the second occurence of "abc" should be used
* for the 2nd match */
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
static int PayloadTestSig01 (void)
{
Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag.
16 years ago
uint8_t *buf = (uint8_t *)
"abcabcd";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
char sig[] = "alert tcp any any -> any any (content:\"abc\"; content:\"d\"; distance:0; within:1; sid:1;)";
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag.
16 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
Fix nocase searching in payload search phase.
16 years ago
/** \test Nocase matching */
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
static int PayloadTestSig02 (void)
{
Fix nocase searching in payload search phase.
16 years ago
uint8_t *buf = (uint8_t *)
"abcaBcd";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
char sig[] = "alert tcp any any -> any any (content:\"abc\"; nocase; content:\"d\"; distance:0; within:1; sid:1;)";
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
Fix nocase searching in payload search phase.
16 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
Cleanups.
16 years ago
/** \test Negative distance matching */
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
static int PayloadTestSig03 (void)
{
Cleanups.
16 years ago
uint8_t *buf = (uint8_t *)
"abcaBcd";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
char sig[] = "alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
Cleanups.
16 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
content handling changes in detect-engine-payload.c for multiple relative matches
15 years ago
/**
* \test Test multiple relative matches.
*/
static int PayloadTestSig04(void)
{
uint8_t *buf = (uint8_t *)"now this is is big big string now";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords
14 years ago
"content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; "
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
"content:\"string\"; within:8; sid:1;)";
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
content handling changes in detect-engine-payload.c for multiple relative matches
15 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/**
* \test Test multiple relative matches.
*/
static int PayloadTestSig05(void)
{
uint8_t *buf = (uint8_t *)"now this is is is big big big string now";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords
14 years ago
"content:\"this\"; content:\"is\"; within:9; content:\"big\"; within:12; "
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
"content:\"string\"; within:8; sid:1;)";
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
content handling changes in detect-engine-payload.c for multiple relative matches
15 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/**
* \test Test multiple relative matches.
*/
static int PayloadTestSig06(void)
{
uint8_t *buf = (uint8_t *)"this this now is is big string now";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords
14 years ago
"content:\"now\"; content:\"this\"; content:\"is\"; within:12; content:\"big\"; within:8; "
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
"content:\"string\"; within:8; sid:1;)";
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
content handling changes in detect-engine-payload.c for multiple relative matches
15 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
fixes the offset case for content matches + a case not handled by the prevous fix for multiple relative content matches. fix for payload.c dcepayload.c and uri.c
15 years ago
/**
* \test Test multiple relative matches.
*/
static int PayloadTestSig07(void)
{
uint8_t *buf = (uint8_t *)" thus thus is a big";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
"content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; sid:1;)";
fixes the offset case for content matches + a case not handled by the prevous fix for multiple relative content matches. fix for payload.c dcepayload.c and uri.c
15 years ago
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
fixes the offset case for content matches + a case not handled by the prevous fix for multiple relative content matches. fix for payload.c dcepayload.c and uri.c
15 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
fix false positives for a negated content case
15 years ago
/**
* \test Test multiple relative matches with negative matches
* and show the need for det_ctx->discontinue_matching.
*/
static int PayloadTestSig08(void)
{
uint8_t *buf = (uint8_t *)"we need to fix this and yes fix this now";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
"content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
fix false positives for a negated content case
15 years ago
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) != 1) {
fix false positives for a negated content case
15 years ago
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
implement relative pcre matching in detect-engine-(payload|uri|dcepayload).c. Also fix within/distance handling of RELATIVE_NEXT flag for uricontent
15 years ago
/**
* \test Test pcre recursive matching.
*/
static int PayloadTestSig09(void)
{
uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
"pcre:/super/; content:\"nova\"; within:7; sid:1;)";
implement relative pcre matching in detect-engine-(payload|uri|dcepayload).c. Also fix within/distance handling of RELATIVE_NEXT flag for uricontent
15 years ago
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
implement relative pcre matching in detect-engine-(payload|uri|dcepayload).c. Also fix within/distance handling of RELATIVE_NEXT flag for uricontent
15 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
fix seg fault due to premature cleanup/double cleanup for byte(jump|test), isdataat, on seeing no previous relative keywords
15 years ago
/**
* \test Test invalid sig.
*/
static int PayloadTestSig10(void)
{
uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
"byte_test:4,>,2,0,relative; sid:11;)";
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 1) {
fix seg fault due to premature cleanup/double cleanup for byte(jump|test), isdataat, on seeing no previous relative keywords
15 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/**
* \test Test invalid sig.
*/
static int PayloadTestSig11(void)
{
uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
"byte_jump:1,0,relative; sid:11;)";
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 1) {
fix seg fault due to premature cleanup/double cleanup for byte(jump|test), isdataat, on seeing no previous relative keywords
15 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/**
* \test Test invalid sig.
*/
static int PayloadTestSig12(void)
{
uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
"isdataat:10,relative; sid:11;)";
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 1) {
fix seg fault due to premature cleanup/double cleanup for byte(jump|test), isdataat, on seeing no previous relative keywords
15 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
find an optimal value for detect-engine:inspection-recursion_limit + unittest
15 years ago
/**
* \test Used to check the working of recursion_limit counter.
*/
static int PayloadTestSig13(void)
{
uint8_t *buf = (uint8_t *)"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
uint16_t mpm_type = DEFAULT_MPM;
find an optimal value for detect-engine:inspection-recursion_limit + unittest
15 years ago
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords
14 years ago
"content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
"byte_test:1,>,200,0,relative; sid:1;)";
find an optimal value for detect-engine:inspection-recursion_limit + unittest
15 years ago
struct timeval tv_start, tv_end, tv_diff;
gettimeofday(&tv_start, NULL);
do {
DecodeThreadVars dtv;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&th_v, 0, sizeof(th_v));
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
printf("de_ctx == NULL: ");
goto end;
}
de_ctx->inspection_recursion_limit = 3000;
de_ctx->flags |= DE_QUIET;
de_ctx->mpm_matcher = mpm_type;
de_ctx->sig_list = SigInit(de_ctx, sig);
if (de_ctx->sig_list == NULL) {
printf("signature == NULL: ");
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, de_ctx->sig_list->id) != 1) {
goto end;
}
result = 1;
end:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
if (det_ctx != NULL)
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
} while (0);
gettimeofday(&tv_end, NULL);
tv_diff.tv_sec = tv_end.tv_sec - tv_start.tv_sec;
tv_diff.tv_usec = tv_end.tv_usec - tv_start.tv_usec;
Fix 2 compiler warnings FreeBSD 10 32-bit with clang 3.3: log-tlslog.c:172:14: error: format specifies type 'long' but the argument has type 'time_t' (aka 'int') [-Werror,-Wformat] p->ts.tv_sec, ^~~~~~~~~~~~ 1 error generated. detect-engine-payload.c:508:27: warning: format specifies type 'long' but the argument has type 'time_t' (aka 'int') [-Wformat] printf("%ld.%06ld\n", tv_diff.tv_sec, (long int)tv_diff.tv_usec); ~~~ ^~~~~~~~~~~~~~ %d 1 warning generated.
11 years ago
printf("%ld.%06ld\n", (long int)tv_diff.tv_sec, (long int)tv_diff.tv_usec);
find an optimal value for detect-engine:inspection-recursion_limit + unittest
15 years ago
result = 1;
if (p != NULL)
UTHFreePacket(p);
return result;
}
fix fp when content is negated and also added to mpm
15 years ago
/**
* \test normal & negated matching, both absolute and relative
*/
static int PayloadTestSig14(void)
{
uint8_t *buf = (uint8_t *)"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
char sig[] = "alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
fix fp when content is negated and also added to mpm
15 years ago
//char sig[] = "alert tcp any any -> any any (content:\"User-Agent: Mozilla/5.0 (Macintosh; \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 1) {
fix fp when content is negated and also added to mpm
15 years ago
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
support isdataat negation. Also fix addiing isdataat to appropriate lists
15 years ago
static int PayloadTestSig15(void)
{
uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
"content:\"nova\"; isdataat:18,relative; sid:1;)";
support isdataat negation. Also fix addiing isdataat to appropriate lists
15 years ago
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
support isdataat negation. Also fix addiing isdataat to appropriate lists
15 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
static int PayloadTestSig16(void)
{
uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
"content:\"nova\"; isdataat:!20,relative; sid:1;)";
support isdataat negation. Also fix addiing isdataat to appropriate lists
15 years ago
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
support isdataat negation. Also fix addiing isdataat to appropriate lists
15 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
Account for distance when checking within. Bug #285.
14 years ago
static int PayloadTestSig17(void)
{
uint8_t buf[] = { 0xEB, 0x29, 0x25, 0x38, 0x78, 0x25, 0x38, 0x78, 0x25 };
uint16_t buflen = 9;
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"%\"; depth:4; offset:0; "
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
"content:\"%\"; within:2; distance:1; sid:1;)";
Account for distance when checking within. Bug #285.
14 years ago
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
Account for distance when checking within. Bug #285.
14 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
static int PayloadTestSig18(void)
{
uint8_t buf[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
0x0E, 0x0F,
};
uint16_t buflen = sizeof(buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords
14 years ago
"content:\"|01 02 03 04|\"; "
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
"byte_extract:1,2,one,string,dec,relative; "
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
"content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
New Multi-pattern matcher, ac-tile, optimized for Tile architecture. Aho-Corasick mpm optimized for Tilera Tile-Gx architecture. Based on the util-mpm-ac.c code base. The primary optimizations are: 1) Matching function used Tilera specific instructions. 2) Alphabet compression to reduce delta table size to increase cache utilization and performance. The basic observation is that not all 256 ASCII characters are used by the set of multiple patterns in a group for which a DFA is created. The first reason is that Suricata's pattern matching is case-insensitive, so all uppercase characters are converted to lowercase, leaving a hole of 26 characters in the alphabet. Previously, this hole was simply left in the middle of the alphabet and thus in the generated Next State (delta) tables. A new, smaller, alphabet is created using a translation table of 256 bytes per mpm group. Previously, there was one global translation table for converting upper case to lowercase. Additional, unused characters are found by creating a histogram of all the characters in all the patterns. Then all the characters with zero counts are mapped to one character (0) in the new alphabet. Since These characters appear in no pattern, they can all be mapped to a single character and still result in the same matches being found. Zero was chosen for the value in the new alphabet since this "character" is more likely to appear in the input. The unused character always results in the next state being state zero, but that fact is not currently used by the code, since special casing takes additional instructions. The characters that do appear in some pattern are mapped to consecutive characters in the new alphabet, starting at 1. This results in a dense packing of next state values in the delta tables and additionally can allow for a smaller number of columns in that table, thus using less memory and better packing into the cache. The size of the new alphabet is the number of used characters plus 1 for the unused catch-all character. The alphabet size is rounded up to the next larger power-of-2 so that multiplication by the alphabet size can be done with a shift. It might be possible to use a multiply instruction, so that the exact alphabet size could be used, which would further reduce the size of the delta tables, increase cache density and not require the specialized search functions. The multiply would likely add 1 cycle to the inner search loop. Since the multiply by alphabet-size is cleverly merged with a mask instruction (in the SINDEX macro), specialized versions of the SCACSearch function are generated for alphabet sizes 256, 128, 64, 32 and 16. This is done by including the file util-mpm-ac-small.c multiple times with a redefined SINDEX macro. A function pointer is then stored in the mpm context for the search function. For alpha bit sizes of 8 or smaller, the number of states usually small, so the DFA is already very small, so there is little difference using the 16 state search function. The SCACSearch function is also specialized by the size of the value stored in the next state (delta) tables, either 16-bits or 32-bits. This removes a conditional inside the Search function. That conditional is only called once, but doesn't hurt to remove it. 16-bits are used for up to 32K states, with the sign bit set for states with matches. Future optimization: The state-has-match values is only needed per state, not per next state, so checking the next-state sign bit could be replaced with reading a different value, at the cost of an additional load, but increasing the 16-bit next state span to 64K. Since the order of the characters in the new alphabet doesn't matter, the new alphabet could be sorted by the frequency of the characters in the expected input stream for that multi-pattern matcher. This would group more frequent characters into the same cache lines, thus increasing the probability of reusing a cache-line. All the next state values for each state live in their own set of cache-lines. With power-of-two sizes alphabets, these don't overlap. So either 32 or 16 character's next states are loaded in each cache line load. If the alphabet size is not an exact power-of-2, then the last cache-line is not completely full and up to 31*2 bytes of that line could be wasted per state. The next state table could be transposed, so that all the next states for a specific character are stored sequentially, this could be better if some characters, for example the unused character, are much more frequent.
12 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
static int PayloadTestSig19(void)
{
uint8_t buf[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
0x0E, 0x0F,
};
uint16_t buflen = sizeof(buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords
14 years ago
"content:\"|01 02 03 04|\"; "
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
"byte_extract:1,2,one,string,hex,relative; "
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
"content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
New Multi-pattern matcher, ac-tile, optimized for Tile architecture. Aho-Corasick mpm optimized for Tilera Tile-Gx architecture. Based on the util-mpm-ac.c code base. The primary optimizations are: 1) Matching function used Tilera specific instructions. 2) Alphabet compression to reduce delta table size to increase cache utilization and performance. The basic observation is that not all 256 ASCII characters are used by the set of multiple patterns in a group for which a DFA is created. The first reason is that Suricata's pattern matching is case-insensitive, so all uppercase characters are converted to lowercase, leaving a hole of 26 characters in the alphabet. Previously, this hole was simply left in the middle of the alphabet and thus in the generated Next State (delta) tables. A new, smaller, alphabet is created using a translation table of 256 bytes per mpm group. Previously, there was one global translation table for converting upper case to lowercase. Additional, unused characters are found by creating a histogram of all the characters in all the patterns. Then all the characters with zero counts are mapped to one character (0) in the new alphabet. Since These characters appear in no pattern, they can all be mapped to a single character and still result in the same matches being found. Zero was chosen for the value in the new alphabet since this "character" is more likely to appear in the input. The unused character always results in the next state being state zero, but that fact is not currently used by the code, since special casing takes additional instructions. The characters that do appear in some pattern are mapped to consecutive characters in the new alphabet, starting at 1. This results in a dense packing of next state values in the delta tables and additionally can allow for a smaller number of columns in that table, thus using less memory and better packing into the cache. The size of the new alphabet is the number of used characters plus 1 for the unused catch-all character. The alphabet size is rounded up to the next larger power-of-2 so that multiplication by the alphabet size can be done with a shift. It might be possible to use a multiply instruction, so that the exact alphabet size could be used, which would further reduce the size of the delta tables, increase cache density and not require the specialized search functions. The multiply would likely add 1 cycle to the inner search loop. Since the multiply by alphabet-size is cleverly merged with a mask instruction (in the SINDEX macro), specialized versions of the SCACSearch function are generated for alphabet sizes 256, 128, 64, 32 and 16. This is done by including the file util-mpm-ac-small.c multiple times with a redefined SINDEX macro. A function pointer is then stored in the mpm context for the search function. For alpha bit sizes of 8 or smaller, the number of states usually small, so the DFA is already very small, so there is little difference using the 16 state search function. The SCACSearch function is also specialized by the size of the value stored in the next state (delta) tables, either 16-bits or 32-bits. This removes a conditional inside the Search function. That conditional is only called once, but doesn't hurt to remove it. 16-bits are used for up to 32K states, with the sign bit set for states with matches. Future optimization: The state-has-match values is only needed per state, not per next state, so checking the next-state sign bit could be replaced with reading a different value, at the cost of an additional load, but increasing the 16-bit next state span to 64K. Since the order of the characters in the new alphabet doesn't matter, the new alphabet could be sorted by the frequency of the characters in the expected input stream for that multi-pattern matcher. This would group more frequent characters into the same cache lines, thus increasing the probability of reusing a cache-line. All the next state values for each state live in their own set of cache-lines. With power-of-two sizes alphabets, these don't overlap. So either 32 or 16 character's next states are loaded in each cache line load. If the alphabet size is not an exact power-of-2, then the last cache-line is not completely full and up to 31*2 bytes of that line could be wasted per state. The next state table could be transposed, so that all the next states for a specific character are stored sequentially, this could be better if some characters, for example the unused character, are much more frequent.
12 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
static int PayloadTestSig20(void)
{
uint8_t buf[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
0x0E, 0x0F,
};
uint16_t buflen = sizeof(buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords
14 years ago
"content:\"|01 02 03 04|\"; "
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
"byte_extract:1,2,one,string,dec,relative; "
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
"content:\"|06 35 07 08|\"; offset:one; sid:1;)";
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
New Multi-pattern matcher, ac-tile, optimized for Tile architecture. Aho-Corasick mpm optimized for Tilera Tile-Gx architecture. Based on the util-mpm-ac.c code base. The primary optimizations are: 1) Matching function used Tilera specific instructions. 2) Alphabet compression to reduce delta table size to increase cache utilization and performance. The basic observation is that not all 256 ASCII characters are used by the set of multiple patterns in a group for which a DFA is created. The first reason is that Suricata's pattern matching is case-insensitive, so all uppercase characters are converted to lowercase, leaving a hole of 26 characters in the alphabet. Previously, this hole was simply left in the middle of the alphabet and thus in the generated Next State (delta) tables. A new, smaller, alphabet is created using a translation table of 256 bytes per mpm group. Previously, there was one global translation table for converting upper case to lowercase. Additional, unused characters are found by creating a histogram of all the characters in all the patterns. Then all the characters with zero counts are mapped to one character (0) in the new alphabet. Since These characters appear in no pattern, they can all be mapped to a single character and still result in the same matches being found. Zero was chosen for the value in the new alphabet since this "character" is more likely to appear in the input. The unused character always results in the next state being state zero, but that fact is not currently used by the code, since special casing takes additional instructions. The characters that do appear in some pattern are mapped to consecutive characters in the new alphabet, starting at 1. This results in a dense packing of next state values in the delta tables and additionally can allow for a smaller number of columns in that table, thus using less memory and better packing into the cache. The size of the new alphabet is the number of used characters plus 1 for the unused catch-all character. The alphabet size is rounded up to the next larger power-of-2 so that multiplication by the alphabet size can be done with a shift. It might be possible to use a multiply instruction, so that the exact alphabet size could be used, which would further reduce the size of the delta tables, increase cache density and not require the specialized search functions. The multiply would likely add 1 cycle to the inner search loop. Since the multiply by alphabet-size is cleverly merged with a mask instruction (in the SINDEX macro), specialized versions of the SCACSearch function are generated for alphabet sizes 256, 128, 64, 32 and 16. This is done by including the file util-mpm-ac-small.c multiple times with a redefined SINDEX macro. A function pointer is then stored in the mpm context for the search function. For alpha bit sizes of 8 or smaller, the number of states usually small, so the DFA is already very small, so there is little difference using the 16 state search function. The SCACSearch function is also specialized by the size of the value stored in the next state (delta) tables, either 16-bits or 32-bits. This removes a conditional inside the Search function. That conditional is only called once, but doesn't hurt to remove it. 16-bits are used for up to 32K states, with the sign bit set for states with matches. Future optimization: The state-has-match values is only needed per state, not per next state, so checking the next-state sign bit could be replaced with reading a different value, at the cost of an additional load, but increasing the 16-bit next state span to 64K. Since the order of the characters in the new alphabet doesn't matter, the new alphabet could be sorted by the frequency of the characters in the expected input stream for that multi-pattern matcher. This would group more frequent characters into the same cache lines, thus increasing the probability of reusing a cache-line. All the next state values for each state live in their own set of cache-lines. With power-of-two sizes alphabets, these don't overlap. So either 32 or 16 character's next states are loaded in each cache line load. If the alphabet size is not an exact power-of-2, then the last cache-line is not completely full and up to 31*2 bytes of that line could be wasted per state. The next state table could be transposed, so that all the next states for a specific character are stored sequentially, this could be better if some characters, for example the unused character, are much more frequent.
12 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
static int PayloadTestSig21(void)
{
uint8_t buf[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36, /* the last byte is 2 */
0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
0x0E, 0x0F,
};
uint16_t buflen = sizeof(buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords
14 years ago
"content:\"|01 02 03 04|\"; "
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
"byte_extract:1,2,one,string,dec,relative; "
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
"content:\"|03 04 05 06|\"; depth:one; sid:1;)";
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
New Multi-pattern matcher, ac-tile, optimized for Tile architecture. Aho-Corasick mpm optimized for Tilera Tile-Gx architecture. Based on the util-mpm-ac.c code base. The primary optimizations are: 1) Matching function used Tilera specific instructions. 2) Alphabet compression to reduce delta table size to increase cache utilization and performance. The basic observation is that not all 256 ASCII characters are used by the set of multiple patterns in a group for which a DFA is created. The first reason is that Suricata's pattern matching is case-insensitive, so all uppercase characters are converted to lowercase, leaving a hole of 26 characters in the alphabet. Previously, this hole was simply left in the middle of the alphabet and thus in the generated Next State (delta) tables. A new, smaller, alphabet is created using a translation table of 256 bytes per mpm group. Previously, there was one global translation table for converting upper case to lowercase. Additional, unused characters are found by creating a histogram of all the characters in all the patterns. Then all the characters with zero counts are mapped to one character (0) in the new alphabet. Since These characters appear in no pattern, they can all be mapped to a single character and still result in the same matches being found. Zero was chosen for the value in the new alphabet since this "character" is more likely to appear in the input. The unused character always results in the next state being state zero, but that fact is not currently used by the code, since special casing takes additional instructions. The characters that do appear in some pattern are mapped to consecutive characters in the new alphabet, starting at 1. This results in a dense packing of next state values in the delta tables and additionally can allow for a smaller number of columns in that table, thus using less memory and better packing into the cache. The size of the new alphabet is the number of used characters plus 1 for the unused catch-all character. The alphabet size is rounded up to the next larger power-of-2 so that multiplication by the alphabet size can be done with a shift. It might be possible to use a multiply instruction, so that the exact alphabet size could be used, which would further reduce the size of the delta tables, increase cache density and not require the specialized search functions. The multiply would likely add 1 cycle to the inner search loop. Since the multiply by alphabet-size is cleverly merged with a mask instruction (in the SINDEX macro), specialized versions of the SCACSearch function are generated for alphabet sizes 256, 128, 64, 32 and 16. This is done by including the file util-mpm-ac-small.c multiple times with a redefined SINDEX macro. A function pointer is then stored in the mpm context for the search function. For alpha bit sizes of 8 or smaller, the number of states usually small, so the DFA is already very small, so there is little difference using the 16 state search function. The SCACSearch function is also specialized by the size of the value stored in the next state (delta) tables, either 16-bits or 32-bits. This removes a conditional inside the Search function. That conditional is only called once, but doesn't hurt to remove it. 16-bits are used for up to 32K states, with the sign bit set for states with matches. Future optimization: The state-has-match values is only needed per state, not per next state, so checking the next-state sign bit could be replaced with reading a different value, at the cost of an additional load, but increasing the 16-bit next state span to 64K. Since the order of the characters in the new alphabet doesn't matter, the new alphabet could be sorted by the frequency of the characters in the expected input stream for that multi-pattern matcher. This would group more frequent characters into the same cache lines, thus increasing the probability of reusing a cache-line. All the next state values for each state live in their own set of cache-lines. With power-of-two sizes alphabets, these don't overlap. So either 32 or 16 character's next states are loaded in each cache line load. If the alphabet size is not an exact power-of-2, then the last cache-line is not completely full and up to 31*2 bytes of that line could be wasted per state. The next state table could be transposed, so that all the next states for a specific character are stored sequentially, this could be better if some characters, for example the unused character, are much more frequent.
12 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
static int PayloadTestSig22(void)
{
uint8_t buf[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36, /* the last byte is 2 */
0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
0x0E, 0x0F,
};
uint16_t buflen = sizeof(buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords
14 years ago
"content:\"|01 02 03 04|\"; "
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
"byte_extract:1,2,one,string,dec,relative; "
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
"content:\"|09 0A 0B 0C|\"; within:one; sid:1;)";
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
New Multi-pattern matcher, ac-tile, optimized for Tile architecture. Aho-Corasick mpm optimized for Tilera Tile-Gx architecture. Based on the util-mpm-ac.c code base. The primary optimizations are: 1) Matching function used Tilera specific instructions. 2) Alphabet compression to reduce delta table size to increase cache utilization and performance. The basic observation is that not all 256 ASCII characters are used by the set of multiple patterns in a group for which a DFA is created. The first reason is that Suricata's pattern matching is case-insensitive, so all uppercase characters are converted to lowercase, leaving a hole of 26 characters in the alphabet. Previously, this hole was simply left in the middle of the alphabet and thus in the generated Next State (delta) tables. A new, smaller, alphabet is created using a translation table of 256 bytes per mpm group. Previously, there was one global translation table for converting upper case to lowercase. Additional, unused characters are found by creating a histogram of all the characters in all the patterns. Then all the characters with zero counts are mapped to one character (0) in the new alphabet. Since These characters appear in no pattern, they can all be mapped to a single character and still result in the same matches being found. Zero was chosen for the value in the new alphabet since this "character" is more likely to appear in the input. The unused character always results in the next state being state zero, but that fact is not currently used by the code, since special casing takes additional instructions. The characters that do appear in some pattern are mapped to consecutive characters in the new alphabet, starting at 1. This results in a dense packing of next state values in the delta tables and additionally can allow for a smaller number of columns in that table, thus using less memory and better packing into the cache. The size of the new alphabet is the number of used characters plus 1 for the unused catch-all character. The alphabet size is rounded up to the next larger power-of-2 so that multiplication by the alphabet size can be done with a shift. It might be possible to use a multiply instruction, so that the exact alphabet size could be used, which would further reduce the size of the delta tables, increase cache density and not require the specialized search functions. The multiply would likely add 1 cycle to the inner search loop. Since the multiply by alphabet-size is cleverly merged with a mask instruction (in the SINDEX macro), specialized versions of the SCACSearch function are generated for alphabet sizes 256, 128, 64, 32 and 16. This is done by including the file util-mpm-ac-small.c multiple times with a redefined SINDEX macro. A function pointer is then stored in the mpm context for the search function. For alpha bit sizes of 8 or smaller, the number of states usually small, so the DFA is already very small, so there is little difference using the 16 state search function. The SCACSearch function is also specialized by the size of the value stored in the next state (delta) tables, either 16-bits or 32-bits. This removes a conditional inside the Search function. That conditional is only called once, but doesn't hurt to remove it. 16-bits are used for up to 32K states, with the sign bit set for states with matches. Future optimization: The state-has-match values is only needed per state, not per next state, so checking the next-state sign bit could be replaced with reading a different value, at the cost of an additional load, but increasing the 16-bit next state span to 64K. Since the order of the characters in the new alphabet doesn't matter, the new alphabet could be sorted by the frequency of the characters in the expected input stream for that multi-pattern matcher. This would group more frequent characters into the same cache lines, thus increasing the probability of reusing a cache-line. All the next state values for each state live in their own set of cache-lines. With power-of-two sizes alphabets, these don't overlap. So either 32 or 16 character's next states are loaded in each cache line load. If the alphabet size is not an exact power-of-2, then the last cache-line is not completely full and up to 31*2 bytes of that line could be wasted per state. The next state table could be transposed, so that all the next states for a specific character are stored sequentially, this could be better if some characters, for example the unused character, are much more frequent.
12 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
static int PayloadTestSig23(void)
{
uint8_t buf[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32, /* the last byte is 2 */
0x07, 0x08, 0x09, 0x33, 0x0B, 0x0C, 0x0D,
0x32, 0x0F,
};
uint16_t buflen = sizeof(buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords
14 years ago
"content:\"|01 02 03 04|\"; "
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
"byte_extract:1,2,one,string,dec,relative; "
"byte_extract:1,3,two,string,dec,relative; "
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
"byte_test:1,=,one,two,string,dec,relative; sid:1;)";
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
New Multi-pattern matcher, ac-tile, optimized for Tile architecture. Aho-Corasick mpm optimized for Tilera Tile-Gx architecture. Based on the util-mpm-ac.c code base. The primary optimizations are: 1) Matching function used Tilera specific instructions. 2) Alphabet compression to reduce delta table size to increase cache utilization and performance. The basic observation is that not all 256 ASCII characters are used by the set of multiple patterns in a group for which a DFA is created. The first reason is that Suricata's pattern matching is case-insensitive, so all uppercase characters are converted to lowercase, leaving a hole of 26 characters in the alphabet. Previously, this hole was simply left in the middle of the alphabet and thus in the generated Next State (delta) tables. A new, smaller, alphabet is created using a translation table of 256 bytes per mpm group. Previously, there was one global translation table for converting upper case to lowercase. Additional, unused characters are found by creating a histogram of all the characters in all the patterns. Then all the characters with zero counts are mapped to one character (0) in the new alphabet. Since These characters appear in no pattern, they can all be mapped to a single character and still result in the same matches being found. Zero was chosen for the value in the new alphabet since this "character" is more likely to appear in the input. The unused character always results in the next state being state zero, but that fact is not currently used by the code, since special casing takes additional instructions. The characters that do appear in some pattern are mapped to consecutive characters in the new alphabet, starting at 1. This results in a dense packing of next state values in the delta tables and additionally can allow for a smaller number of columns in that table, thus using less memory and better packing into the cache. The size of the new alphabet is the number of used characters plus 1 for the unused catch-all character. The alphabet size is rounded up to the next larger power-of-2 so that multiplication by the alphabet size can be done with a shift. It might be possible to use a multiply instruction, so that the exact alphabet size could be used, which would further reduce the size of the delta tables, increase cache density and not require the specialized search functions. The multiply would likely add 1 cycle to the inner search loop. Since the multiply by alphabet-size is cleverly merged with a mask instruction (in the SINDEX macro), specialized versions of the SCACSearch function are generated for alphabet sizes 256, 128, 64, 32 and 16. This is done by including the file util-mpm-ac-small.c multiple times with a redefined SINDEX macro. A function pointer is then stored in the mpm context for the search function. For alpha bit sizes of 8 or smaller, the number of states usually small, so the DFA is already very small, so there is little difference using the 16 state search function. The SCACSearch function is also specialized by the size of the value stored in the next state (delta) tables, either 16-bits or 32-bits. This removes a conditional inside the Search function. That conditional is only called once, but doesn't hurt to remove it. 16-bits are used for up to 32K states, with the sign bit set for states with matches. Future optimization: The state-has-match values is only needed per state, not per next state, so checking the next-state sign bit could be replaced with reading a different value, at the cost of an additional load, but increasing the 16-bit next state span to 64K. Since the order of the characters in the new alphabet doesn't matter, the new alphabet could be sorted by the frequency of the characters in the expected input stream for that multi-pattern matcher. This would group more frequent characters into the same cache lines, thus increasing the probability of reusing a cache-line. All the next state values for each state live in their own set of cache-lines. With power-of-two sizes alphabets, these don't overlap. So either 32 or 16 character's next states are loaded in each cache line load. If the alphabet size is not an exact power-of-2, then the last cache-line is not completely full and up to 31*2 bytes of that line could be wasted per state. The next state table could be transposed, so that all the next states for a specific character are stored sequentially, this could be better if some characters, for example the unused character, are much more frequent.
12 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
static int PayloadTestSig24(void)
{
uint8_t buf[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32, /* the last byte is 2 */
0x07, 0x08, 0x33, 0x0A, 0x0B, 0x0C, 0x0D,
0x0E, 0x0F,
};
uint16_t buflen = sizeof(buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords
14 years ago
"content:\"|01 02 03 04|\"; "
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
"byte_extract:1,2,one,string,dec,relative; "
"byte_jump:1,one,string,dec,relative; "
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
"content:\"|0D 0E 0F|\"; distance:0; sid:1;)";
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
New Multi-pattern matcher, ac-tile, optimized for Tile architecture. Aho-Corasick mpm optimized for Tilera Tile-Gx architecture. Based on the util-mpm-ac.c code base. The primary optimizations are: 1) Matching function used Tilera specific instructions. 2) Alphabet compression to reduce delta table size to increase cache utilization and performance. The basic observation is that not all 256 ASCII characters are used by the set of multiple patterns in a group for which a DFA is created. The first reason is that Suricata's pattern matching is case-insensitive, so all uppercase characters are converted to lowercase, leaving a hole of 26 characters in the alphabet. Previously, this hole was simply left in the middle of the alphabet and thus in the generated Next State (delta) tables. A new, smaller, alphabet is created using a translation table of 256 bytes per mpm group. Previously, there was one global translation table for converting upper case to lowercase. Additional, unused characters are found by creating a histogram of all the characters in all the patterns. Then all the characters with zero counts are mapped to one character (0) in the new alphabet. Since These characters appear in no pattern, they can all be mapped to a single character and still result in the same matches being found. Zero was chosen for the value in the new alphabet since this "character" is more likely to appear in the input. The unused character always results in the next state being state zero, but that fact is not currently used by the code, since special casing takes additional instructions. The characters that do appear in some pattern are mapped to consecutive characters in the new alphabet, starting at 1. This results in a dense packing of next state values in the delta tables and additionally can allow for a smaller number of columns in that table, thus using less memory and better packing into the cache. The size of the new alphabet is the number of used characters plus 1 for the unused catch-all character. The alphabet size is rounded up to the next larger power-of-2 so that multiplication by the alphabet size can be done with a shift. It might be possible to use a multiply instruction, so that the exact alphabet size could be used, which would further reduce the size of the delta tables, increase cache density and not require the specialized search functions. The multiply would likely add 1 cycle to the inner search loop. Since the multiply by alphabet-size is cleverly merged with a mask instruction (in the SINDEX macro), specialized versions of the SCACSearch function are generated for alphabet sizes 256, 128, 64, 32 and 16. This is done by including the file util-mpm-ac-small.c multiple times with a redefined SINDEX macro. A function pointer is then stored in the mpm context for the search function. For alpha bit sizes of 8 or smaller, the number of states usually small, so the DFA is already very small, so there is little difference using the 16 state search function. The SCACSearch function is also specialized by the size of the value stored in the next state (delta) tables, either 16-bits or 32-bits. This removes a conditional inside the Search function. That conditional is only called once, but doesn't hurt to remove it. 16-bits are used for up to 32K states, with the sign bit set for states with matches. Future optimization: The state-has-match values is only needed per state, not per next state, so checking the next-state sign bit could be replaced with reading a different value, at the cost of an additional load, but increasing the 16-bit next state span to 64K. Since the order of the characters in the new alphabet doesn't matter, the new alphabet could be sorted by the frequency of the characters in the expected input stream for that multi-pattern matcher. This would group more frequent characters into the same cache lines, thus increasing the probability of reusing a cache-line. All the next state values for each state live in their own set of cache-lines. With power-of-two sizes alphabets, these don't overlap. So either 32 or 16 character's next states are loaded in each cache line load. If the alphabet size is not an exact power-of-2, then the last cache-line is not completely full and up to 31*2 bytes of that line could be wasted per state. The next state table could be transposed, so that all the next states for a specific character are stored sequentially, this could be better if some characters, for example the unused character, are much more frequent.
12 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
update handling negative offsets in byte_extract. Also improve validation in byte_extract to not extract values out of the buffer range
13 years ago
/*
* \test Test negative byte extract.
*/
static int PayloadTestSig25(void)
{
uint8_t buf[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
0x0E, 0x0F,
};
uint16_t buflen = sizeof(buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"|35 07 08 09|\"; "
"byte_extract:1,-4,one,string,dec,relative; "
"content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
New Multi-pattern matcher, ac-tile, optimized for Tile architecture. Aho-Corasick mpm optimized for Tilera Tile-Gx architecture. Based on the util-mpm-ac.c code base. The primary optimizations are: 1) Matching function used Tilera specific instructions. 2) Alphabet compression to reduce delta table size to increase cache utilization and performance. The basic observation is that not all 256 ASCII characters are used by the set of multiple patterns in a group for which a DFA is created. The first reason is that Suricata's pattern matching is case-insensitive, so all uppercase characters are converted to lowercase, leaving a hole of 26 characters in the alphabet. Previously, this hole was simply left in the middle of the alphabet and thus in the generated Next State (delta) tables. A new, smaller, alphabet is created using a translation table of 256 bytes per mpm group. Previously, there was one global translation table for converting upper case to lowercase. Additional, unused characters are found by creating a histogram of all the characters in all the patterns. Then all the characters with zero counts are mapped to one character (0) in the new alphabet. Since These characters appear in no pattern, they can all be mapped to a single character and still result in the same matches being found. Zero was chosen for the value in the new alphabet since this "character" is more likely to appear in the input. The unused character always results in the next state being state zero, but that fact is not currently used by the code, since special casing takes additional instructions. The characters that do appear in some pattern are mapped to consecutive characters in the new alphabet, starting at 1. This results in a dense packing of next state values in the delta tables and additionally can allow for a smaller number of columns in that table, thus using less memory and better packing into the cache. The size of the new alphabet is the number of used characters plus 1 for the unused catch-all character. The alphabet size is rounded up to the next larger power-of-2 so that multiplication by the alphabet size can be done with a shift. It might be possible to use a multiply instruction, so that the exact alphabet size could be used, which would further reduce the size of the delta tables, increase cache density and not require the specialized search functions. The multiply would likely add 1 cycle to the inner search loop. Since the multiply by alphabet-size is cleverly merged with a mask instruction (in the SINDEX macro), specialized versions of the SCACSearch function are generated for alphabet sizes 256, 128, 64, 32 and 16. This is done by including the file util-mpm-ac-small.c multiple times with a redefined SINDEX macro. A function pointer is then stored in the mpm context for the search function. For alpha bit sizes of 8 or smaller, the number of states usually small, so the DFA is already very small, so there is little difference using the 16 state search function. The SCACSearch function is also specialized by the size of the value stored in the next state (delta) tables, either 16-bits or 32-bits. This removes a conditional inside the Search function. That conditional is only called once, but doesn't hurt to remove it. 16-bits are used for up to 32K states, with the sign bit set for states with matches. Future optimization: The state-has-match values is only needed per state, not per next state, so checking the next-state sign bit could be replaced with reading a different value, at the cost of an additional load, but increasing the 16-bit next state span to 64K. Since the order of the characters in the new alphabet doesn't matter, the new alphabet could be sorted by the frequency of the characters in the expected input stream for that multi-pattern matcher. This would group more frequent characters into the same cache lines, thus increasing the probability of reusing a cache-line. All the next state values for each state live in their own set of cache-lines. With power-of-two sizes alphabets, these don't overlap. So either 32 or 16 character's next states are loaded in each cache line load. If the alphabet size is not an exact power-of-2, then the last cache-line is not completely full and up to 31*2 bytes of that line could be wasted per state. The next state table could be transposed, so that all the next states for a specific character are stored sequentially, this could be better if some characters, for example the unused character, are much more frequent.
12 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
update handling negative offsets in byte_extract. Also improve validation in byte_extract to not extract values out of the buffer range
13 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/*
* \test Test negative byte extract.
*/
static int PayloadTestSig26(void)
{
uint8_t buf[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
0x0E, 0x0F,
};
uint16_t buflen = sizeof(buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"|35 07 08 09|\"; "
"byte_extract:1,-3000,one,string,dec,relative; "
"content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
New Multi-pattern matcher, ac-tile, optimized for Tile architecture. Aho-Corasick mpm optimized for Tilera Tile-Gx architecture. Based on the util-mpm-ac.c code base. The primary optimizations are: 1) Matching function used Tilera specific instructions. 2) Alphabet compression to reduce delta table size to increase cache utilization and performance. The basic observation is that not all 256 ASCII characters are used by the set of multiple patterns in a group for which a DFA is created. The first reason is that Suricata's pattern matching is case-insensitive, so all uppercase characters are converted to lowercase, leaving a hole of 26 characters in the alphabet. Previously, this hole was simply left in the middle of the alphabet and thus in the generated Next State (delta) tables. A new, smaller, alphabet is created using a translation table of 256 bytes per mpm group. Previously, there was one global translation table for converting upper case to lowercase. Additional, unused characters are found by creating a histogram of all the characters in all the patterns. Then all the characters with zero counts are mapped to one character (0) in the new alphabet. Since These characters appear in no pattern, they can all be mapped to a single character and still result in the same matches being found. Zero was chosen for the value in the new alphabet since this "character" is more likely to appear in the input. The unused character always results in the next state being state zero, but that fact is not currently used by the code, since special casing takes additional instructions. The characters that do appear in some pattern are mapped to consecutive characters in the new alphabet, starting at 1. This results in a dense packing of next state values in the delta tables and additionally can allow for a smaller number of columns in that table, thus using less memory and better packing into the cache. The size of the new alphabet is the number of used characters plus 1 for the unused catch-all character. The alphabet size is rounded up to the next larger power-of-2 so that multiplication by the alphabet size can be done with a shift. It might be possible to use a multiply instruction, so that the exact alphabet size could be used, which would further reduce the size of the delta tables, increase cache density and not require the specialized search functions. The multiply would likely add 1 cycle to the inner search loop. Since the multiply by alphabet-size is cleverly merged with a mask instruction (in the SINDEX macro), specialized versions of the SCACSearch function are generated for alphabet sizes 256, 128, 64, 32 and 16. This is done by including the file util-mpm-ac-small.c multiple times with a redefined SINDEX macro. A function pointer is then stored in the mpm context for the search function. For alpha bit sizes of 8 or smaller, the number of states usually small, so the DFA is already very small, so there is little difference using the 16 state search function. The SCACSearch function is also specialized by the size of the value stored in the next state (delta) tables, either 16-bits or 32-bits. This removes a conditional inside the Search function. That conditional is only called once, but doesn't hurt to remove it. 16-bits are used for up to 32K states, with the sign bit set for states with matches. Future optimization: The state-has-match values is only needed per state, not per next state, so checking the next-state sign bit could be replaced with reading a different value, at the cost of an additional load, but increasing the 16-bit next state span to 64K. Since the order of the characters in the new alphabet doesn't matter, the new alphabet could be sorted by the frequency of the characters in the expected input stream for that multi-pattern matcher. This would group more frequent characters into the same cache lines, thus increasing the probability of reusing a cache-line. All the next state values for each state live in their own set of cache-lines. With power-of-two sizes alphabets, these don't overlap. So either 32 or 16 character's next states are loaded in each cache line load. If the alphabet size is not an exact power-of-2, then the last cache-line is not completely full and up to 31*2 bytes of that line could be wasted per state. The next state table could be transposed, so that all the next states for a specific character are stored sequentially, this could be better if some characters, for example the unused character, are much more frequent.
12 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) != 0) {
update handling negative offsets in byte_extract. Also improve validation in byte_extract to not extract values out of the buffer range
13 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
tests to highlight that - suricata treates sigs with offset/depth without any packet keywords as stream sigs - as a consequence suricata will FN on such sigs The tests introduced here will fail, displaying the issues. The next patch in the series would fix the said issues.
13 years ago
/*
* \test Test packet/stream sigs
*/
static int PayloadTestSig27(void)
{
uint8_t buf[] = "dummypayload";
uint16_t buflen = sizeof(buf) - 1;
int result = 0;
Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
char sig[] = "alert tcp any any -> any any (content:\"dummy\"; "
"depth:5; sid:1;)";
p->flags |= PKT_STREAM_ADD;
New Multi-pattern matcher, ac-tile, optimized for Tile architecture. Aho-Corasick mpm optimized for Tilera Tile-Gx architecture. Based on the util-mpm-ac.c code base. The primary optimizations are: 1) Matching function used Tilera specific instructions. 2) Alphabet compression to reduce delta table size to increase cache utilization and performance. The basic observation is that not all 256 ASCII characters are used by the set of multiple patterns in a group for which a DFA is created. The first reason is that Suricata's pattern matching is case-insensitive, so all uppercase characters are converted to lowercase, leaving a hole of 26 characters in the alphabet. Previously, this hole was simply left in the middle of the alphabet and thus in the generated Next State (delta) tables. A new, smaller, alphabet is created using a translation table of 256 bytes per mpm group. Previously, there was one global translation table for converting upper case to lowercase. Additional, unused characters are found by creating a histogram of all the characters in all the patterns. Then all the characters with zero counts are mapped to one character (0) in the new alphabet. Since These characters appear in no pattern, they can all be mapped to a single character and still result in the same matches being found. Zero was chosen for the value in the new alphabet since this "character" is more likely to appear in the input. The unused character always results in the next state being state zero, but that fact is not currently used by the code, since special casing takes additional instructions. The characters that do appear in some pattern are mapped to consecutive characters in the new alphabet, starting at 1. This results in a dense packing of next state values in the delta tables and additionally can allow for a smaller number of columns in that table, thus using less memory and better packing into the cache. The size of the new alphabet is the number of used characters plus 1 for the unused catch-all character. The alphabet size is rounded up to the next larger power-of-2 so that multiplication by the alphabet size can be done with a shift. It might be possible to use a multiply instruction, so that the exact alphabet size could be used, which would further reduce the size of the delta tables, increase cache density and not require the specialized search functions. The multiply would likely add 1 cycle to the inner search loop. Since the multiply by alphabet-size is cleverly merged with a mask instruction (in the SINDEX macro), specialized versions of the SCACSearch function are generated for alphabet sizes 256, 128, 64, 32 and 16. This is done by including the file util-mpm-ac-small.c multiple times with a redefined SINDEX macro. A function pointer is then stored in the mpm context for the search function. For alpha bit sizes of 8 or smaller, the number of states usually small, so the DFA is already very small, so there is little difference using the 16 state search function. The SCACSearch function is also specialized by the size of the value stored in the next state (delta) tables, either 16-bits or 32-bits. This removes a conditional inside the Search function. That conditional is only called once, but doesn't hurt to remove it. 16-bits are used for up to 32K states, with the sign bit set for states with matches. Future optimization: The state-has-match values is only needed per state, not per next state, so checking the next-state sign bit could be replaced with reading a different value, at the cost of an additional load, but increasing the 16-bit next state span to 64K. Since the order of the characters in the new alphabet doesn't matter, the new alphabet could be sorted by the frequency of the characters in the expected input stream for that multi-pattern matcher. This would group more frequent characters into the same cache lines, thus increasing the probability of reusing a cache-line. All the next state values for each state live in their own set of cache-lines. With power-of-two sizes alphabets, these don't overlap. So either 32 or 16 character's next states are loaded in each cache line load. If the alphabet size is not an exact power-of-2, then the last cache-line is not completely full and up to 31*2 bytes of that line could be wasted per state. The next state table could be transposed, so that all the next states for a specific character are stored sequentially, this could be better if some characters, for example the unused character, are much more frequent.
12 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) != 1)
tests to highlight that - suricata treates sigs with offset/depth without any packet keywords as stream sigs - as a consequence suricata will FN on such sigs The tests introduced here will fail, displaying the issues. The next patch in the series would fix the said issues.
13 years ago
goto end;
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/*
* \test Test packet/stream sigs
*/
static int PayloadTestSig28(void)
{
uint8_t buf[] = "dummypayload";
uint16_t buflen = sizeof(buf) - 1;
int result = 0;
Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
char sig[] = "alert tcp any any -> any any (content:\"payload\"; "
"offset:4; depth:12; sid:1;)";
p->flags |= PKT_STREAM_ADD;
New Multi-pattern matcher, ac-tile, optimized for Tile architecture. Aho-Corasick mpm optimized for Tilera Tile-Gx architecture. Based on the util-mpm-ac.c code base. The primary optimizations are: 1) Matching function used Tilera specific instructions. 2) Alphabet compression to reduce delta table size to increase cache utilization and performance. The basic observation is that not all 256 ASCII characters are used by the set of multiple patterns in a group for which a DFA is created. The first reason is that Suricata's pattern matching is case-insensitive, so all uppercase characters are converted to lowercase, leaving a hole of 26 characters in the alphabet. Previously, this hole was simply left in the middle of the alphabet and thus in the generated Next State (delta) tables. A new, smaller, alphabet is created using a translation table of 256 bytes per mpm group. Previously, there was one global translation table for converting upper case to lowercase. Additional, unused characters are found by creating a histogram of all the characters in all the patterns. Then all the characters with zero counts are mapped to one character (0) in the new alphabet. Since These characters appear in no pattern, they can all be mapped to a single character and still result in the same matches being found. Zero was chosen for the value in the new alphabet since this "character" is more likely to appear in the input. The unused character always results in the next state being state zero, but that fact is not currently used by the code, since special casing takes additional instructions. The characters that do appear in some pattern are mapped to consecutive characters in the new alphabet, starting at 1. This results in a dense packing of next state values in the delta tables and additionally can allow for a smaller number of columns in that table, thus using less memory and better packing into the cache. The size of the new alphabet is the number of used characters plus 1 for the unused catch-all character. The alphabet size is rounded up to the next larger power-of-2 so that multiplication by the alphabet size can be done with a shift. It might be possible to use a multiply instruction, so that the exact alphabet size could be used, which would further reduce the size of the delta tables, increase cache density and not require the specialized search functions. The multiply would likely add 1 cycle to the inner search loop. Since the multiply by alphabet-size is cleverly merged with a mask instruction (in the SINDEX macro), specialized versions of the SCACSearch function are generated for alphabet sizes 256, 128, 64, 32 and 16. This is done by including the file util-mpm-ac-small.c multiple times with a redefined SINDEX macro. A function pointer is then stored in the mpm context for the search function. For alpha bit sizes of 8 or smaller, the number of states usually small, so the DFA is already very small, so there is little difference using the 16 state search function. The SCACSearch function is also specialized by the size of the value stored in the next state (delta) tables, either 16-bits or 32-bits. This removes a conditional inside the Search function. That conditional is only called once, but doesn't hurt to remove it. 16-bits are used for up to 32K states, with the sign bit set for states with matches. Future optimization: The state-has-match values is only needed per state, not per next state, so checking the next-state sign bit could be replaced with reading a different value, at the cost of an additional load, but increasing the 16-bit next state span to 64K. Since the order of the characters in the new alphabet doesn't matter, the new alphabet could be sorted by the frequency of the characters in the expected input stream for that multi-pattern matcher. This would group more frequent characters into the same cache lines, thus increasing the probability of reusing a cache-line. All the next state values for each state live in their own set of cache-lines. With power-of-two sizes alphabets, these don't overlap. So either 32 or 16 character's next states are loaded in each cache line load. If the alphabet size is not an exact power-of-2, then the last cache-line is not completely full and up to 31*2 bytes of that line could be wasted per state. The next state table could be transposed, so that all the next states for a specific character are stored sequentially, this could be better if some characters, for example the unused character, are much more frequent.
12 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) != 1)
tests to highlight that - suricata treates sigs with offset/depth without any packet keywords as stream sigs - as a consequence suricata will FN on such sigs The tests introduced here will fail, displaying the issues. The next patch in the series would fix the said issues.
13 years ago
goto end;
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
Unittest to display #bug 529. pcre anchor not respected
13 years ago
/**
* \test Test pcre recursive matching - bug #529
*/
static int PayloadTestSig29(void)
{
uint8_t *buf = (uint8_t *)"this is a super dupernova in super nova now";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"pcre:/^.{4}/; content:\"nova\"; within:4; sid:1;)";
New Multi-pattern matcher, ac-tile, optimized for Tile architecture. Aho-Corasick mpm optimized for Tilera Tile-Gx architecture. Based on the util-mpm-ac.c code base. The primary optimizations are: 1) Matching function used Tilera specific instructions. 2) Alphabet compression to reduce delta table size to increase cache utilization and performance. The basic observation is that not all 256 ASCII characters are used by the set of multiple patterns in a group for which a DFA is created. The first reason is that Suricata's pattern matching is case-insensitive, so all uppercase characters are converted to lowercase, leaving a hole of 26 characters in the alphabet. Previously, this hole was simply left in the middle of the alphabet and thus in the generated Next State (delta) tables. A new, smaller, alphabet is created using a translation table of 256 bytes per mpm group. Previously, there was one global translation table for converting upper case to lowercase. Additional, unused characters are found by creating a histogram of all the characters in all the patterns. Then all the characters with zero counts are mapped to one character (0) in the new alphabet. Since These characters appear in no pattern, they can all be mapped to a single character and still result in the same matches being found. Zero was chosen for the value in the new alphabet since this "character" is more likely to appear in the input. The unused character always results in the next state being state zero, but that fact is not currently used by the code, since special casing takes additional instructions. The characters that do appear in some pattern are mapped to consecutive characters in the new alphabet, starting at 1. This results in a dense packing of next state values in the delta tables and additionally can allow for a smaller number of columns in that table, thus using less memory and better packing into the cache. The size of the new alphabet is the number of used characters plus 1 for the unused catch-all character. The alphabet size is rounded up to the next larger power-of-2 so that multiplication by the alphabet size can be done with a shift. It might be possible to use a multiply instruction, so that the exact alphabet size could be used, which would further reduce the size of the delta tables, increase cache density and not require the specialized search functions. The multiply would likely add 1 cycle to the inner search loop. Since the multiply by alphabet-size is cleverly merged with a mask instruction (in the SINDEX macro), specialized versions of the SCACSearch function are generated for alphabet sizes 256, 128, 64, 32 and 16. This is done by including the file util-mpm-ac-small.c multiple times with a redefined SINDEX macro. A function pointer is then stored in the mpm context for the search function. For alpha bit sizes of 8 or smaller, the number of states usually small, so the DFA is already very small, so there is little difference using the 16 state search function. The SCACSearch function is also specialized by the size of the value stored in the next state (delta) tables, either 16-bits or 32-bits. This removes a conditional inside the Search function. That conditional is only called once, but doesn't hurt to remove it. 16-bits are used for up to 32K states, with the sign bit set for states with matches. Future optimization: The state-has-match values is only needed per state, not per next state, so checking the next-state sign bit could be replaced with reading a different value, at the cost of an additional load, but increasing the 16-bit next state span to 64K. Since the order of the characters in the new alphabet doesn't matter, the new alphabet could be sorted by the frequency of the characters in the expected input stream for that multi-pattern matcher. This would group more frequent characters into the same cache lines, thus increasing the probability of reusing a cache-line. All the next state values for each state live in their own set of cache-lines. With power-of-two sizes alphabets, these don't overlap. So either 32 or 16 character's next states are loaded in each cache line load. If the alphabet size is not an exact power-of-2, then the last cache-line is not completely full and up to 31*2 bytes of that line could be wasted per state. The next state table could be transposed, so that all the next states for a specific character are stored sequentially, this could be better if some characters, for example the unused character, are much more frequent.
12 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 1) {
Unittest to display #bug 529. pcre anchor not respected
13 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
unittest to display #784.
12 years ago
static int PayloadTestSig30(void)
{
uint8_t *buf = (uint8_t *)
"xyonexxxxxxtwojunkonetwo";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (content:\"one\"; pcre:\"/^two/R\"; sid:1;)";
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
unittest to display #784.
12 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
static int PayloadTestSig31(void)
{
uint8_t *buf = (uint8_t *)
"xyonexxxxxxtwojunkonetwo";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (content:\"one\"; pcre:\"/(fiv|^two)/R\"; sid:1;)";
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
unittest to display #784.
12 years ago
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
Unit-tests exposing a bug in byte_test, byte_jump and byte_extract. Bug emanates from all the keywords being unable to handle negative offsets when the inspection pointer is at the end of the buffer.
12 years ago
/**
* \test Test byte_jump.
*/
static int PayloadTestSig32(void)
{
uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
"content:\"message\"; byte_jump:2,-14,string,dec,relative; content:\"card\"; within:4; sid:1;)";
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0)
Unit-tests exposing a bug in byte_test, byte_jump and byte_extract. Bug emanates from all the keywords being unable to handle negative offsets when the inspection pointer is at the end of the buffer.
12 years ago
goto end;
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/**
* \test Test byte_test.
*/
static int PayloadTestSig33(void)
{
uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
"content:\"message\"; byte_test:1,=,2,-14,string,dec,relative; sid:1;)";
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0)
Unit-tests exposing a bug in byte_test, byte_jump and byte_extract. Bug emanates from all the keywords being unable to handle negative offsets when the inspection pointer is at the end of the buffer.
12 years ago
goto end;
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/**
* \test Test byte_extract.
*/
static int PayloadTestSig34(void)
{
uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
"content:\"message\"; byte_extract:1,-14,boom,string,dec,relative; sid:1;)";
mpm: remove obsolete mpm algos Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0)
Unit-tests exposing a bug in byte_test, byte_jump and byte_extract. Bug emanates from all the keywords being unable to handle negative offsets when the inspection pointer is at the end of the buffer.
12 years ago
goto end;
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag.
16 years ago
#endif /* UNITTESTS */
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
void PayloadRegisterTests(void)
{
Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag.
16 years ago
#ifdef UNITTESTS
UtRegisterTest("PayloadTestSig01", PayloadTestSig01, 1);
Fix nocase searching in payload search phase.
16 years ago
UtRegisterTest("PayloadTestSig02", PayloadTestSig02, 1);
Cleanups.
16 years ago
UtRegisterTest("PayloadTestSig03", PayloadTestSig03, 1);
content handling changes in detect-engine-payload.c for multiple relative matches
15 years ago
UtRegisterTest("PayloadTestSig04", PayloadTestSig04, 1);
UtRegisterTest("PayloadTestSig05", PayloadTestSig05, 1);
UtRegisterTest("PayloadTestSig06", PayloadTestSig06, 1);
fixes the offset case for content matches + a case not handled by the prevous fix for multiple relative content matches. fix for payload.c dcepayload.c and uri.c
15 years ago
UtRegisterTest("PayloadTestSig07", PayloadTestSig07, 1);
fix false positives for a negated content case
15 years ago
UtRegisterTest("PayloadTestSig08", PayloadTestSig08, 1);
implement relative pcre matching in detect-engine-(payload|uri|dcepayload).c. Also fix within/distance handling of RELATIVE_NEXT flag for uricontent
15 years ago
UtRegisterTest("PayloadTestSig09", PayloadTestSig09, 1);
fix seg fault due to premature cleanup/double cleanup for byte(jump|test), isdataat, on seeing no previous relative keywords
15 years ago
UtRegisterTest("PayloadTestSig10", PayloadTestSig10, 1);
UtRegisterTest("PayloadTestSig11", PayloadTestSig11, 1);
UtRegisterTest("PayloadTestSig12", PayloadTestSig12, 1);
find an optimal value for detect-engine:inspection-recursion_limit + unittest
15 years ago
UtRegisterTest("PayloadTestSig13", PayloadTestSig13, 1);
fix fp when content is negated and also added to mpm
15 years ago
UtRegisterTest("PayloadTestSig14", PayloadTestSig14, 1);
support isdataat negation. Also fix addiing isdataat to appropriate lists
15 years ago
UtRegisterTest("PayloadTestSig15", PayloadTestSig15, 1);
UtRegisterTest("PayloadTestSig16", PayloadTestSig16, 1);
Account for distance when checking within. Bug #285.
14 years ago
UtRegisterTest("PayloadTestSig17", PayloadTestSig17, 1);
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
UtRegisterTest("PayloadTestSig18", PayloadTestSig18, 1);
UtRegisterTest("PayloadTestSig19", PayloadTestSig19, 1);
UtRegisterTest("PayloadTestSig20", PayloadTestSig20, 1);
UtRegisterTest("PayloadTestSig21", PayloadTestSig21, 1);
UtRegisterTest("PayloadTestSig22", PayloadTestSig22, 1);
UtRegisterTest("PayloadTestSig23", PayloadTestSig23, 1);
UtRegisterTest("PayloadTestSig24", PayloadTestSig24, 1);
update handling negative offsets in byte_extract. Also improve validation in byte_extract to not extract values out of the buffer range
13 years ago
UtRegisterTest("PayloadTestSig25", PayloadTestSig25, 1);
UtRegisterTest("PayloadTestSig26", PayloadTestSig26, 1);
tests to highlight that - suricata treates sigs with offset/depth without any packet keywords as stream sigs - as a consequence suricata will FN on such sigs The tests introduced here will fail, displaying the issues. The next patch in the series would fix the said issues.
13 years ago
UtRegisterTest("PayloadTestSig27", PayloadTestSig27, 1);
UtRegisterTest("PayloadTestSig28", PayloadTestSig28, 1);
Unittest to display #bug 529. pcre anchor not respected
13 years ago
UtRegisterTest("PayloadTestSig29", PayloadTestSig29, 1);
unittest to display #784.
12 years ago
UtRegisterTest("PayloadTestSig30", PayloadTestSig30, 1);
UtRegisterTest("PayloadTestSig31", PayloadTestSig31, 1);
Unit-tests exposing a bug in byte_test, byte_jump and byte_extract. Bug emanates from all the keywords being unable to handle negative offsets when the inspection pointer is at the end of the buffer.
12 years ago
UtRegisterTest("PayloadTestSig32", PayloadTestSig32, 1);
UtRegisterTest("PayloadTestSig33", PayloadTestSig33, 1);
UtRegisterTest("PayloadTestSig34", PayloadTestSig34, 1);
Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag.
16 years ago
#endif /* UNITTESTS */
support isdataat negation. Also fix addiing isdataat to appropriate lists
15 years ago
return;
Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag.
16 years ago
}