prefilter: implement basic prefilter priority order

9 years ago · 14b0537f95
parent 4104f8c066
commit 14b0537f95
2 changed files with 38 additions and 16 deletions
--- a/src/detect.c
+++ b/src/detect.c
@ -3386,18 +3386,34 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx)

        if (!(tmp_s->flags & SIG_FLAG_PREFILTER)) {
            int i;
+            int prefilter_list = DETECT_TBLSIZE;
+
+            /* get the keyword supporting prefilter with the lowest type */
            for (i = 0; i < DETECT_SM_LIST_DETECT_MAX; i++) {
                SigMatch *sm = tmp_s->sm_lists[i];
                while (sm != NULL) {
                    if (sigmatch_table[sm->type].SupportsPrefilter != NULL) {
                        if (sigmatch_table[sm->type].SupportsPrefilter(tmp_s) == TRUE) {
+                            prefilter_list = MIN(prefilter_list, sm->type);
+                        }
+                    }
+                    sm = sm->next;
+                }
+            }
+
+            /* apply that keyword as prefilter */
+            if (prefilter_list != DETECT_TBLSIZE) {
+                for (i = 0; i < DETECT_SM_LIST_DETECT_MAX; i++) {
+                    SigMatch *sm = tmp_s->sm_lists[i];
+                    while (sm != NULL) {
+                        if (sm->type == prefilter_list) {
                            tmp_s->prefilter_sm = sm;
                            tmp_s->flags |= SIG_FLAG_PREFILTER;
                            SCLogConfig("sid %u: prefilter is on \"%s\"", tmp_s->id, sigmatch_table[sm->type].name);
                            break;
                        }
+                        sm = sm->next;
                    }
-                    sm = sm->next;
                }
            }
        }
--- a/src/detect.h
+++ b/src/detect.h
@ -1111,6 +1111,27 @@ enum {
    DETECT_PRIORITY,
    DETECT_REV,
    DETECT_CLASSTYPE,
+
+    /* sorted by prefilter priority. Higher in this list means it will be
+     * picked over ones lower in the list */
+    DETECT_ACK,
+    DETECT_SEQ,
+    DETECT_WINDOW,
+    DETECT_IPOPTS,
+    DETECT_FLAGS,
+    DETECT_FRAGBITS,
+    DETECT_FRAGOFFSET,
+    DETECT_TTL,
+    DETECT_TOS,
+    DETECT_ITYPE,
+    DETECT_ICODE,
+    DETECT_ICMP_ID,
+    DETECT_ICMP_SEQ,
+    DETECT_DSIZE,
+
+    DETECT_FLOW,
+    /* end prefilter sort */
+
    DETECT_THRESHOLD,
    DETECT_METADATA,
    DETECT_REFERENCE,
@ -1119,8 +1140,6 @@ enum {
    DETECT_CONTENT,
    DETECT_URICONTENT,
    DETECT_PCRE,
-    DETECT_ACK,
-    DETECT_SEQ,
    DETECT_DEPTH,
    DETECT_DISTANCE,
    DETECT_WITHIN,
@ -1134,13 +1153,10 @@ enum {
    DETECT_SAMEIP,
    DETECT_GEOIP,
    DETECT_IPPROTO,
-    DETECT_FLOW,
-    DETECT_WINDOW,
    DETECT_FTPBOUNCE,
    DETECT_ISDATAAT,
    DETECT_ID,
    DETECT_RPC,
-    DETECT_DSIZE,
    DETECT_FLOWVAR,
    DETECT_FLOWVAR_POSTMATCH,
    DETECT_FLOWINT,
@ -1156,19 +1172,9 @@ enum {
    DETECT_ICMPV4_CSUM,
    DETECT_ICMPV6_CSUM,
    DETECT_STREAM_SIZE,
-    DETECT_TTL,
-    DETECT_ITYPE,
-    DETECT_ICODE,
-    DETECT_TOS,
-    DETECT_ICMP_ID,
-    DETECT_ICMP_SEQ,
    DETECT_DETECTION_FILTER,

    DETECT_DECODE_EVENT,
-    DETECT_IPOPTS,
-    DETECT_FLAGS,
-    DETECT_FRAGBITS,
-    DETECT_FRAGOFFSET,
    DETECT_GID,
    DETECT_MARK,