prefilter: implement basic prefilter priority order

9 years ago · 14b0537f95
parent 4104f8c066
commit 14b0537f95
2 changed files with 38 additions and 16 deletions
--- a/src/detect.c
+++ b/src/detect.c
@ -3386,21 +3386,37 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx)
        if (!(tmp_s->flags & SIG_FLAG_PREFILTER)) {
            int i;
            int prefilter_list = DETECT_TBLSIZE;
            /* get the keyword supporting prefilter with the lowest type */
            for (i = 0; i < DETECT_SM_LIST_DETECT_MAX; i++) {
                SigMatch *sm = tmp_s->sm_lists[i];
                while (sm != NULL) {
                    if (sigmatch_table[sm->type].SupportsPrefilter != NULL) {
                        if (sigmatch_table[sm->type].SupportsPrefilter(tmp_s) == TRUE) {
                            prefilter_list = MIN(prefilter_list, sm->type);
                        }
                    }
                    sm = sm->next;
                }
            }
            /* apply that keyword as prefilter */
            if (prefilter_list != DETECT_TBLSIZE) {
                for (i = 0; i < DETECT_SM_LIST_DETECT_MAX; i++) {
                    SigMatch *sm = tmp_s->sm_lists[i];
                    while (sm != NULL) {
                        if (sm->type == prefilter_list) {
                            tmp_s->prefilter_sm = sm;
                            tmp_s->flags |= SIG_FLAG_PREFILTER;
                            SCLogConfig("sid %u: prefilter is on \"%s\"", tmp_s->id, sigmatch_table[sm->type].name);
                            break;
                        }
                    }
                        sm = sm->next;
                    }
                }
            }
        }
        de_ctx->sig_cnt++;
    }
--- a/src/detect.h
+++ b/src/detect.h
@ -1111,6 +1111,27 @@ enum {
    DETECT_PRIORITY,
    DETECT_REV,
    DETECT_CLASSTYPE,
    /* sorted by prefilter priority. Higher in this list means it will be
     * picked over ones lower in the list */
    DETECT_ACK,
    DETECT_SEQ,
    DETECT_WINDOW,
    DETECT_IPOPTS,
    DETECT_FLAGS,
    DETECT_FRAGBITS,
    DETECT_FRAGOFFSET,
    DETECT_TTL,
    DETECT_TOS,
    DETECT_ITYPE,
    DETECT_ICODE,
    DETECT_ICMP_ID,
    DETECT_ICMP_SEQ,
    DETECT_DSIZE,
    DETECT_FLOW,
    /* end prefilter sort */
    DETECT_THRESHOLD,
    DETECT_METADATA,
    DETECT_REFERENCE,
@ -1119,8 +1140,6 @@ enum {
    DETECT_CONTENT,
    DETECT_URICONTENT,
    DETECT_PCRE,
    DETECT_ACK,
    DETECT_SEQ,
    DETECT_DEPTH,
    DETECT_DISTANCE,
    DETECT_WITHIN,
@ -1134,13 +1153,10 @@ enum {
    DETECT_SAMEIP,
    DETECT_GEOIP,
    DETECT_IPPROTO,
    DETECT_FLOW,
    DETECT_WINDOW,
    DETECT_FTPBOUNCE,
    DETECT_ISDATAAT,
    DETECT_ID,
    DETECT_RPC,
    DETECT_DSIZE,
    DETECT_FLOWVAR,
    DETECT_FLOWVAR_POSTMATCH,
    DETECT_FLOWINT,
@ -1156,19 +1172,9 @@ enum {
    DETECT_ICMPV4_CSUM,
    DETECT_ICMPV6_CSUM,
    DETECT_STREAM_SIZE,
    DETECT_TTL,
    DETECT_ITYPE,
    DETECT_ICODE,
    DETECT_TOS,
    DETECT_ICMP_ID,
    DETECT_ICMP_SEQ,
    DETECT_DETECTION_FILTER,
    DETECT_DECODE_EVENT,
    DETECT_IPOPTS,
    DETECT_FLAGS,
    DETECT_FRAGBITS,
    DETECT_FRAGOFFSET,
    DETECT_GID,
    DETECT_MARK,