aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect: rename non_mpm lists/vars to non_pf

Browse Source 
Rename to non_pf: non prefilter.
pull/2310/head
Victor Julien 9 years ago
parent bb0cd0e883
commit 17bc0299fe
6 changed files with 85 additions and 83 deletions
Show Stats Download Patch File Download Diff File

80
src/detect-engine-siggroup.c
Unescape Escape View File

@ -151,16 +151,16 @@ void SigGroupHeadFree(SigGroupHead *sgh)
sgh->match_array = NULL;
}
if (sgh->non_mpm_other_store_array != NULL) {
SCFree(sgh->non_mpm_other_store_array);
sgh->non_mpm_other_store_array = NULL;
sgh->non_mpm_other_store_cnt = 0;
if (sgh->non_pf_other_store_array != NULL) {
SCFree(sgh->non_pf_other_store_array);
sgh->non_pf_other_store_array = NULL;
sgh->non_pf_other_store_cnt = 0;
}
if (sgh->non_mpm_syn_store_array != NULL) {
SCFree(sgh->non_mpm_syn_store_array);
sgh->non_mpm_syn_store_array = NULL;
sgh->non_mpm_syn_store_cnt = 0;
if (sgh->non_pf_syn_store_array != NULL) {
SCFree(sgh->non_pf_syn_store_array);
sgh->non_pf_syn_store_array = NULL;
sgh->non_pf_syn_store_cnt = 0;
}
sgh->sig_cnt = 0;
@ -675,20 +675,20 @@ void SigGroupHeadSetFilestoreCount(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
return;
}
/** \brief build an array of rule id's for sigs with no mpm
* Also updated de_ctx::non_mpm_store_cnt_max to track the highest cnt
/** \brief build an array of rule id's for sigs with no prefilter
* Also updated de_ctx::non_pf_store_cnt_max to track the highest cnt
*/
int SigGroupHeadBuildNonMpmArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
int SigGroupHeadBuildNonPrefilterArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
{
Signature *s = NULL;
uint32_t sig = 0;
uint32_t non_mpm = 0;
uint32_t non_mpm_syn = 0;
uint32_t non_pf = 0;
uint32_t non_pf_syn = 0;
if (sgh == NULL)
return 0;
BUG_ON(sgh->non_mpm_other_store_array != NULL);
BUG_ON(sgh->non_pf_other_store_array != NULL);
for (sig = 0; sig < sgh->sig_cnt; sig++) {
s = sgh->match_array[sig];
@ -697,28 +697,28 @@ int SigGroupHeadBuildNonMpmArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
if (s->mpm_sm == NULL || (s->flags & SIG_FLAG_MPM_NEG)) {
if (!(DetectFlagsSignatureNeedsSynPackets(s))) {
non_mpm++;
non_pf++;
}
non_mpm_syn++;
non_pf_syn++;
}
}
if (non_mpm == 0 && non_mpm_syn == 0) {
sgh->non_mpm_other_store_array = NULL;
sgh->non_mpm_syn_store_array = NULL;
if (non_pf == 0 && non_pf_syn == 0) {
sgh->non_pf_other_store_array = NULL;
sgh->non_pf_syn_store_array = NULL;
return 0;
}
if (non_mpm > 0) {
sgh->non_mpm_other_store_array = SCMalloc(non_mpm * sizeof(SignatureNonMpmStore));
BUG_ON(sgh->non_mpm_other_store_array == NULL);
memset(sgh->non_mpm_other_store_array, 0, non_mpm * sizeof(SignatureNonMpmStore));
if (non_pf > 0) {
sgh->non_pf_other_store_array = SCMalloc(non_pf * sizeof(SignatureNonMpmStore));
BUG_ON(sgh->non_pf_other_store_array == NULL);
memset(sgh->non_pf_other_store_array, 0, non_pf * sizeof(SignatureNonMpmStore));
}
if (non_mpm_syn > 0) {
sgh->non_mpm_syn_store_array = SCMalloc(non_mpm_syn * sizeof(SignatureNonMpmStore));
BUG_ON(sgh->non_mpm_syn_store_array == NULL);
memset(sgh->non_mpm_syn_store_array, 0, non_mpm_syn * sizeof(SignatureNonMpmStore));
if (non_pf_syn > 0) {
sgh->non_pf_syn_store_array = SCMalloc(non_pf_syn * sizeof(SignatureNonMpmStore));
BUG_ON(sgh->non_pf_syn_store_array == NULL);
memset(sgh->non_pf_syn_store_array, 0, non_pf_syn * sizeof(SignatureNonMpmStore));
}
for (sig = 0; sig < sgh->sig_cnt; sig++) {
@ -728,25 +728,25 @@ int SigGroupHeadBuildNonMpmArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
if (s->mpm_sm == NULL || (s->flags & SIG_FLAG_MPM_NEG)) {
if (!(DetectFlagsSignatureNeedsSynPackets(s))) {
BUG_ON(sgh->non_mpm_other_store_cnt >= non_mpm);
BUG_ON(sgh->non_mpm_other_store_array == NULL);
sgh->non_mpm_other_store_array[sgh->non_mpm_other_store_cnt].id = s->num;
sgh->non_mpm_other_store_array[sgh->non_mpm_other_store_cnt].mask = s->mask;
sgh->non_mpm_other_store_cnt++;
BUG_ON(sgh->non_pf_other_store_cnt >= non_pf);
BUG_ON(sgh->non_pf_other_store_array == NULL);
sgh->non_pf_other_store_array[sgh->non_pf_other_store_cnt].id = s->num;
sgh->non_pf_other_store_array[sgh->non_pf_other_store_cnt].mask = s->mask;
sgh->non_pf_other_store_cnt++;
}
BUG_ON(sgh->non_mpm_syn_store_cnt >= non_mpm_syn);
BUG_ON(sgh->non_mpm_syn_store_array == NULL);
sgh->non_mpm_syn_store_array[sgh->non_mpm_syn_store_cnt].id = s->num;
sgh->non_mpm_syn_store_array[sgh->non_mpm_syn_store_cnt].mask = s->mask;
sgh->non_mpm_syn_store_cnt++;
BUG_ON(sgh->non_pf_syn_store_cnt >= non_pf_syn);
BUG_ON(sgh->non_pf_syn_store_array == NULL);
sgh->non_pf_syn_store_array[sgh->non_pf_syn_store_cnt].id = s->num;
sgh->non_pf_syn_store_array[sgh->non_pf_syn_store_cnt].mask = s->mask;
sgh->non_pf_syn_store_cnt++;
}
}
/* track highest cnt for any sgh in our de_ctx */
uint32_t max = MAX(sgh->non_mpm_other_store_cnt, sgh->non_mpm_syn_store_cnt);
if (max > de_ctx->non_mpm_store_cnt_max)
de_ctx->non_mpm_store_cnt_max = max;
uint32_t max = MAX(sgh->non_pf_other_store_cnt, sgh->non_pf_syn_store_cnt);
if (max > de_ctx->non_pf_store_cnt_max)
de_ctx->non_pf_store_cnt_max = max;
return 0;
}

2
src/detect-engine-siggroup.h
Unescape Escape View File

@ -72,6 +72,6 @@ void SigGroupHeadSetFilesizeFlag(DetectEngineCtx *, SigGroupHead *);
uint16_t SigGroupHeadGetMinMpmSize(DetectEngineCtx *de_ctx,
SigGroupHead *sgh, int list);
int SigGroupHeadBuildNonMpmArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
int SigGroupHeadBuildNonPrefilterArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
#endif /* __DETECT_ENGINE_SIGGROUP_H__ */

12
src/detect-engine.c
Unescape Escape View File

@ -1526,10 +1526,10 @@ static TmEcode ThreadCtxDoInit (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *
}
/* sized to the max of our sgh settings. A max setting of 0 implies that all
* sgh's have: sgh->non_mpm_store_cnt == 0 */
if (de_ctx->non_mpm_store_cnt_max > 0) {
det_ctx->non_mpm_id_array = SCCalloc(de_ctx->non_mpm_store_cnt_max, sizeof(SigIntId));
BUG_ON(det_ctx->non_mpm_id_array == NULL);
* sgh's have: sgh->non_pf_store_cnt == 0 */
if (de_ctx->non_pf_store_cnt_max > 0) {
det_ctx->non_pf_id_array = SCCalloc(de_ctx->non_pf_store_cnt_max, sizeof(SigIntId));
BUG_ON(det_ctx->non_pf_id_array == NULL);
}
/* IP-ONLY */
@ -1744,8 +1744,8 @@ void DetectEngineThreadCtxFree(DetectEngineThreadCtx *det_ctx)
SpmDestroyThreadCtx(det_ctx->spm_thread_ctx);
}
if (det_ctx->non_mpm_id_array != NULL)
SCFree(det_ctx->non_mpm_id_array);
if (det_ctx->non_pf_id_array != NULL)
SCFree(det_ctx->non_pf_id_array);
if (det_ctx->de_state_sig_array != NULL)
SCFree(det_ctx->de_state_sig_array);

50
src/detect.c
Unescape Escape View File

@ -705,9 +705,9 @@ static inline void DetectPrefilterMergeSort(DetectEngineCtx *de_ctx,
SigIntId mpm, nonmpm;
det_ctx->match_array_cnt = 0;
SigIntId *mpm_ptr = det_ctx->pmq.rule_id_array;
SigIntId *nonmpm_ptr = det_ctx->non_mpm_id_array;
SigIntId *nonmpm_ptr = det_ctx->non_pf_id_array;
uint32_t m_cnt = det_ctx->pmq.rule_id_array_cnt;
uint32_t n_cnt = det_ctx->non_mpm_id_cnt;
uint32_t n_cnt = det_ctx->non_pf_id_cnt;
SigIntId *final_ptr;
uint32_t final_cnt;
SigIntId id;
@ -820,7 +820,7 @@ static inline void DetectPrefilterMergeSort(DetectEngineCtx *de_ctx,
det_ctx->match_array_cnt = match_array - det_ctx->match_array;
BUG_ON((det_ctx->pmq.rule_id_array_cnt + det_ctx->non_mpm_id_cnt) < det_ctx->match_array_cnt);
BUG_ON((det_ctx->pmq.rule_id_array_cnt + det_ctx->non_pf_id_cnt) < det_ctx->match_array_cnt);
}
/* Return true is the list is sorted smallest to largest */
@ -1227,15 +1227,16 @@ static void AlertDebugLogModeSyncFlowbitsNamesToPacketStruct(Packet *p, DetectEn
return;
}
static inline void DetectPrefilterBuildNonMpmList(DetectEngineThreadCtx *det_ctx, SignatureMask mask)
static inline void
DetectPrefilterBuildNonPrefilterList(DetectEngineThreadCtx *det_ctx, SignatureMask mask)
{
uint32_t x = 0;
for (x = 0; x < det_ctx->non_mpm_store_cnt; x++) {
for (x = 0; x < det_ctx->non_pf_store_cnt; x++) {
/* only if the mask matches this rule can possibly match,
* so build the non_mpm array only for match candidates */
SignatureMask rule_mask = det_ctx->non_mpm_store_ptr[x].mask;
SignatureMask rule_mask = det_ctx->non_pf_store_ptr[x].mask;
if ((rule_mask & mask) == rule_mask) {
det_ctx->non_mpm_id_array[det_ctx->non_mpm_id_cnt++] = det_ctx->non_mpm_store_ptr[x].id;
det_ctx->non_pf_id_array[det_ctx->non_pf_id_cnt++] = det_ctx->non_pf_store_ptr[x].id;
}
}
}
@ -1243,19 +1244,20 @@ static inline void DetectPrefilterBuildNonMpmList(DetectEngineThreadCtx *det_ctx
/** \internal
* \brief select non-mpm list
* Based on the packet properties, select the non-mpm list to use */
static inline void DetectPrefilterSetNonMpmList(const Packet *p, DetectEngineThreadCtx *det_ctx)
static inline void
DetectPrefilterSetNonPrefilterList(const Packet *p, DetectEngineThreadCtx *det_ctx)
{
if ((p->proto == IPPROTO_TCP) && (p->tcph != NULL) && (p->tcph->th_flags & TH_SYN)) {
det_ctx->non_mpm_store_ptr = det_ctx->sgh->non_mpm_syn_store_array;
det_ctx->non_mpm_store_cnt = det_ctx->sgh->non_mpm_syn_store_cnt;
det_ctx->non_pf_store_ptr = det_ctx->sgh->non_pf_syn_store_array;
det_ctx->non_pf_store_cnt = det_ctx->sgh->non_pf_syn_store_cnt;
} else {
det_ctx->non_mpm_store_ptr = det_ctx->sgh->non_mpm_other_store_array;
det_ctx->non_mpm_store_cnt = det_ctx->sgh->non_mpm_other_store_cnt;
det_ctx->non_pf_store_ptr = det_ctx->sgh->non_pf_other_store_array;
det_ctx->non_pf_store_cnt = det_ctx->sgh->non_pf_other_store_cnt;
}
SCLogDebug("sgh non_mpm ptr %p cnt %u (syn %p/%u, other %p/%u)",
det_ctx->non_mpm_store_ptr, det_ctx->non_mpm_store_cnt,
det_ctx->sgh->non_mpm_syn_store_array, det_ctx->sgh->non_mpm_syn_store_cnt,
det_ctx->sgh->non_mpm_other_store_array, det_ctx->sgh->non_mpm_other_store_cnt);
SCLogDebug("sgh non_pf ptr %p cnt %u (syn %p/%u, other %p/%u)",
det_ctx->non_pf_store_ptr, det_ctx->non_pf_store_cnt,
det_ctx->sgh->non_pf_syn_store_array, det_ctx->sgh->non_pf_syn_store_cnt,
det_ctx->sgh->non_pf_other_store_array, det_ctx->sgh->non_pf_other_store_cnt);
}
/**
@ -1459,7 +1461,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
goto end;
}
DetectPrefilterSetNonMpmList(p, det_ctx);
DetectPrefilterSetNonPrefilterList(p, det_ctx);
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_STATEFUL);
/* stateful app layer detection */
@ -1481,11 +1483,11 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
SignatureMask mask = 0;
PacketCreateMask(p, &mask, alproto, has_state, smsg, app_decoder_events);
/* build and prefilter non_mpm list against the mask of the packet */
/* build and prefilter non_pf list against the mask of the packet */
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_NONMPMLIST);
det_ctx->non_mpm_id_cnt = 0;
if (likely(det_ctx->non_mpm_store_cnt > 0)) {
DetectPrefilterBuildNonMpmList(det_ctx, mask);
det_ctx->non_pf_id_cnt = 0;
if (likely(det_ctx->non_pf_store_cnt > 0)) {
DetectPrefilterBuildNonPrefilterList(det_ctx, mask);
}
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_NONMPMLIST);
@ -1498,10 +1500,10 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
StatsAddUI64(th_v, det_ctx->counter_mpm_list,
(uint64_t)det_ctx->pmq.rule_id_array_cnt);
StatsAddUI64(th_v, det_ctx->counter_nonmpm_list,
(uint64_t)det_ctx->non_mpm_store_cnt);
(uint64_t)det_ctx->non_pf_store_cnt);
/* non mpm sigs after mask prefilter */
StatsAddUI64(th_v, det_ctx->counter_fnonmpm_list,
(uint64_t)det_ctx->non_mpm_id_cnt);
(uint64_t)det_ctx->non_pf_id_cnt);
}
#endif
@ -4067,7 +4069,7 @@ int SigAddressPrepareStage4(DetectEngineCtx *de_ctx)
SCLogDebug("filestore count %u", sgh->filestore_cnt);
BUG_ON(PatternMatchPrepareGroup(de_ctx, sgh) != 0);
SigGroupHeadBuildNonMpmArray(de_ctx, sgh);
SigGroupHeadBuildNonPrefilterArray(de_ctx, sgh);
sgh->id = idx;
cnt++;

20
src/detect.h
Unescape Escape View File

@ -565,7 +565,7 @@ typedef struct DetectEngineCtx_ {
/** Maximum value of all our sgh's non_mpm_store_cnt setting,
* used to alloc det_ctx::non_mpm_id_array */
uint32_t non_mpm_store_cnt_max;
uint32_t non_pf_store_cnt_max;
/* used by the signature ordering module */
struct SCSigOrderFunc_ *sc_sig_order_funcs;
@ -737,8 +737,8 @@ typedef struct DetectEngineThreadCtx_ {
/* the thread to which this detection engine thread belongs */
ThreadVars *tv;
SigIntId *non_mpm_id_array;
uint32_t non_mpm_id_cnt; // size is cnt * sizeof(uint32_t)
SigIntId *non_pf_id_array;
uint32_t non_pf_id_cnt; // size is cnt * sizeof(uint32_t)
uint32_t mt_det_ctxs_cnt;
struct DetectEngineThreadCtx_ **mt_det_ctxs;
@ -823,8 +823,8 @@ typedef struct DetectEngineThreadCtx_ {
struct SigGroupHead_ *sgh;
SignatureNonMpmStore *non_mpm_store_ptr;
uint32_t non_mpm_store_cnt;
SignatureNonMpmStore *non_pf_store_ptr;
uint32_t non_pf_store_cnt;
/** pointer to the current mpm ctx that is stored
* in a rule group head -- can be either a content
@ -997,12 +997,12 @@ typedef struct SigGroupHead_ {
/* number of sigs in this head */
SigIntId sig_cnt;
/* non mpm list excluding SYN rules */
uint32_t non_mpm_other_store_cnt;
uint32_t non_mpm_syn_store_cnt;
SignatureNonMpmStore *non_mpm_other_store_array; // size is non_mpm_store_cnt * sizeof(SignatureNonMpmStore)
/* non prefilter list excluding SYN rules */
uint32_t non_pf_other_store_cnt;
uint32_t non_pf_syn_store_cnt;
SignatureNonMpmStore *non_pf_other_store_array; // size is non_mpm_store_cnt * sizeof(SignatureNonMpmStore)
/* non mpm list including SYN rules */
SignatureNonMpmStore *non_mpm_syn_store_array; // size is non_mpm_syn_store_cnt * sizeof(SignatureNonMpmStore)
SignatureNonMpmStore *non_pf_syn_store_array; // size is non_mpm_syn_store_cnt * sizeof(SignatureNonMpmStore)
/** the number of signatures in this sgh that have the filestore keyword
* set. */

4
src/util-profiling-rulegroups.c
Unescape Escape View File

@ -286,8 +286,8 @@ SCProfilingSghUpdateCounter(DetectEngineThreadCtx *det_ctx, const SigGroupHead *
SCProfileSghData *p = &det_ctx->sgh_perf_data[sgh->id];
p->checks++;
if (det_ctx->non_mpm_store_cnt > 0) {
if (det_ctx->non_mpm_store_ptr == sgh->non_mpm_syn_store_array)
if (det_ctx->non_pf_store_cnt > 0) {
if (det_ctx->non_pf_store_ptr == sgh->non_pf_syn_store_array)
p->non_mpm_syn++;
else
p->non_mpm_generic++;

Write Preview
Loading…
Cancel
Save