Detection engine -- mpm

Each signature is in at most one mpm ctx, but there were 3 separate
ids in use: packet, stream, http. Merged them all into one.

Could shrink the SignatureHeader structure by 8 bytes because of this,
which should lead to better caching performance.
remotes/origin/master-1.2.x
Victor Julien 13 years ago
parent 7db72bce75
commit 291ddd95f2

@ -788,8 +788,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
/* tell matcher we are inspecting stream */
s->flags |= SIG_FLAG_MPM_STREAM;
s->mpm_stream_pattern_id_div_8 = cd->id / 8;
s->mpm_stream_pattern_id_mod_8 = 1 << (cd->id % 8);
s->mpm_pattern_id_div_8 = cd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
if (cd->flags & DETECT_CONTENT_NEGATED) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_STREAM_NEG;
@ -851,8 +851,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
/* tell matcher we are inspecting stream */
s->flags |= SIG_FLAG_MPM_STREAM;
s->mpm_stream_pattern_id_div_8 = cd->id / 8;
s->mpm_stream_pattern_id_mod_8 = 1 << (cd->id % 8);
s->mpm_pattern_id_div_8 = cd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (cd->id % 8);
if (cd->flags & DETECT_CONTENT_NEGATED) {
SCLogDebug("flagging sig %"PRIu32" to be looking for negated mpm", s->id);
s->flags |= SIG_FLAG_MPM_STREAM_NEG;
@ -915,7 +915,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
/* tell matcher we are inspecting uri */
s->flags |= SIG_FLAG_MPM_URICONTENT;
s->mpm_http_pattern_id = ud->id;
s->mpm_pattern_id_div_8 = ud->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (ud->id % 8);
if (ud->flags & DETECT_CONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_URICONTENT_NEG;
@ -970,7 +971,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
/* tell matcher we are inspecting uri */
s->flags |= SIG_FLAG_MPM_HCBDCONTENT;
s->mpm_http_pattern_id = hcbd->id;
s->mpm_pattern_id_div_8 = hcbd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (hcbd->id % 8);
if (hcbd->flags & DETECT_CONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_HCBDCONTENT_NEG;
@ -1025,7 +1027,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
/* tell matcher we are inspecting uri */
s->flags |= SIG_FLAG_MPM_HSBDCONTENT;
s->mpm_http_pattern_id = hsbd->id;
s->mpm_pattern_id_div_8 = hsbd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (hsbd->id % 8);
if (hsbd->flags & DETECT_CONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_HSBDCONTENT_NEG;
@ -1080,7 +1083,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
/* tell matcher we are inspecting uri */
s->flags |= SIG_FLAG_MPM_HHDCONTENT;
s->mpm_http_pattern_id = hhd->id;
s->mpm_pattern_id_div_8 = hhd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (hhd->id % 8);
if (hhd->flags & DETECT_CONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_HHDCONTENT_NEG;
@ -1135,7 +1139,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
/* tell matcher we are inspecting uri */
s->flags |= SIG_FLAG_MPM_HRHDCONTENT;
s->mpm_http_pattern_id = hrhd->id;
s->mpm_pattern_id_div_8 = hrhd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (hrhd->id % 8);
if (hrhd->flags & DETECT_CONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_HRHDCONTENT_NEG;
@ -1190,7 +1195,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
/* tell matcher we are inspecting method */
s->flags |= SIG_FLAG_MPM_HMDCONTENT;
s->mpm_http_pattern_id = hmd->id;
s->mpm_pattern_id_div_8 = hmd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (hmd->id % 8);
if (hmd->flags & DETECT_CONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_HMDCONTENT_NEG;
@ -1245,7 +1251,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
/* tell matcher we are inspecting cookie */
s->flags |= SIG_FLAG_MPM_HCDCONTENT;
s->mpm_http_pattern_id = hcd->id;
s->mpm_pattern_id_div_8 = hcd->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (hcd->id % 8);
if (hcd->flags & DETECT_CONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_HCDCONTENT_NEG;
@ -1300,7 +1307,8 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
}
/* tell matcher we are inspecting raw uri */
s->flags |= SIG_FLAG_MPM_HRUDCONTENT;
s->mpm_http_pattern_id = hrud->id;
s->mpm_pattern_id_div_8 = hrud->id / 8;
s->mpm_pattern_id_mod_8 = 1 << (hrud->id % 8);
if (hrud->flags & DETECT_CONTENT_NEGATED)
s->flags |= SIG_FLAG_MPM_HRUDCONTENT_NEG;
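Review bot: The eight HTTP-buffer branches (uricontent through hrud) now store `id / 8` into `mpm_pattern_id_div_8`, which the header hunk further down this page declares as `uint16_t`, while the field they replace, `mpm_http_pattern_id`, held the whole `PatIntId`. If `PatIntId` is wider than 16 bits (its definition is not on this page), an id of 524288 or more would wrap the byte index, and the prefilter would then test the wrong bit of `pattern_id_bitarray`, so a signature could be filtered out before inspection without any error. A range check at rule-load time would make that visible, for example `if ((ud->id / 8) > UINT16_MAX) { /* refuse the pattern id */ }` ahead of each store or once in a shared helper. `PopulateMpmAddPatternToMpm` starts and ends outside these hunks.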

@ -688,10 +688,7 @@ int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, int sig_file_excl
* 2. alproto
* 3. mpm_pattern_id_div8
* 4. mpm_pattern_id_mod8
* 5. mpm_stream_pattern_id_div8
* 6. mpm_stream_pattern_id_mod8
* 7. mpm_http_pattern_id
* 8. num
* 5. num
*
* \retval 0 can't match, don't inspect
* \retval 1 might match, further inspection required
@ -713,85 +710,56 @@ static inline int SigMatchSignaturesBuildMatchArrayAddSignature(DetectEngineThre
}
/* check for a pattern match of the one pattern in this sig. */
if (s->flags & SIG_FLAG_MPM_PACKET) {
if (s->flags & (SIG_FLAG_MPM_PACKET|SIG_FLAG_MPM_STREAM|SIG_FLAG_MPM_URICONTENT|
SIG_FLAG_MPM_HCBDCONTENT|SIG_FLAG_MPM_HSBDCONTENT|SIG_FLAG_MPM_HHDCONTENT|
SIG_FLAG_MPM_HRHDCONTENT|SIG_FLAG_MPM_HRHDCONTENT|SIG_FLAG_MPM_HMDCONTENT|
SIG_FLAG_MPM_HCDCONTENT|SIG_FLAG_MPM_HRUDCONTENT))
{
/* filter out sigs that want pattern matches, but
* have no matches */
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] & s->mpm_pattern_id_mod_8)) {
//if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id / 8)] & (1<<(s->mpm_pattern_id % 8)))) {
//SCLogDebug("mpm sig without matches (pat id %"PRIu32" check in content).", s->mpm_pattern_id);
if (!(s->flags & SIG_FLAG_MPM_PACKET_NEG)) {
return 0;
} else {
SCLogDebug("but thats okay, we are looking for neg-content");
}
}
} else if (s->flags & SIG_FLAG_MPM_STREAM) {
/* filter out sigs that want pattern matches, but
* have no matches */
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_stream_pattern_id_div_8)] & s->mpm_stream_pattern_id_mod_8)) {
//SCLogDebug("mpm stream sig without matches (pat id %"PRIu32" check in content).", s->mpm_stream_pattern_id);
if (!(s->flags & SIG_FLAG_MPM_STREAM_NEG)) {
return 0;
} else {
SCLogDebug("but thats okay, we are looking for neg-content");
}
}
} else if (s->flags & SIG_FLAG_MPM_URICONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
(1 << (s->mpm_http_pattern_id % 8)))) {
if (!(s->full_sig->flags & SIG_FLAG_MPM_URICONTENT_NEG)) {
return 0;
}
}
} else if (s->flags & SIG_FLAG_MPM_HCBDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
(1 << (s->mpm_http_pattern_id % 8)))) {
if (!(s->flags & SIG_FLAG_MPM_HCBDCONTENT_NEG)) {
return 0;
}
}
} else if (s->flags & SIG_FLAG_MPM_HSBDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
(1 << (s->mpm_http_pattern_id % 8)))) {
if (!(s->flags & SIG_FLAG_MPM_HSBDCONTENT_NEG)) {
return 0;
}
}
} else if (s->flags & SIG_FLAG_MPM_HHDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
(1 << (s->mpm_http_pattern_id % 8)))) {
if (!(s->flags & SIG_FLAG_MPM_HHDCONTENT_NEG)) {
return 0;
}
}
} else if (s->flags & SIG_FLAG_MPM_HRHDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
(1 << (s->mpm_http_pattern_id % 8)))) {
if (!(s->flags & SIG_FLAG_MPM_HRHDCONTENT_NEG)) {
return 0;
}
}
} else if (s->flags & SIG_FLAG_MPM_HMDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
(1 << (s->mpm_http_pattern_id % 8)))) {
if (!(s->flags & SIG_FLAG_MPM_HMDCONTENT_NEG)) {
return 0;
}
}
} else if (s->flags & SIG_FLAG_MPM_HCDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
(1 << (s->mpm_http_pattern_id % 8)))) {
if (!(s->flags & SIG_FLAG_MPM_HCDCONTENT_NEG)) {
return 0;
}
}
} else if (s->flags & SIG_FLAG_MPM_HRUDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
(1 << (s->mpm_http_pattern_id % 8)))) {
if (!(s->flags & SIG_FLAG_MPM_HRUDCONTENT_NEG)) {
return 0;
if (s->flags & SIG_FLAG_MPM_PACKET) {
if (!(s->flags & SIG_FLAG_MPM_PACKET_NEG)) {
return 0;
}
} else if (s->flags & SIG_FLAG_MPM_STREAM) {
/* filter out sigs that want pattern matches, but
* have no matches */
if (!(s->flags & SIG_FLAG_MPM_STREAM_NEG)) {
return 0;
}
} else if (s->flags & SIG_FLAG_MPM_URICONTENT) {
if (!(s->flags & SIG_FLAG_MPM_URICONTENT_NEG)) {
return 0;
}
} else if (s->flags & SIG_FLAG_MPM_HCBDCONTENT) {
if (!(s->flags & SIG_FLAG_MPM_HCBDCONTENT_NEG)) {
return 0;
}
} else if (s->flags & SIG_FLAG_MPM_HSBDCONTENT) {
if (!(s->flags & SIG_FLAG_MPM_HSBDCONTENT_NEG)) {
return 0;
}
} else if (s->flags & SIG_FLAG_MPM_HHDCONTENT) {
if (!(s->flags & SIG_FLAG_MPM_HHDCONTENT_NEG)) {
return 0;
}
} else if (s->flags & SIG_FLAG_MPM_HRHDCONTENT) {
if (!(s->flags & SIG_FLAG_MPM_HRHDCONTENT_NEG)) {
return 0;
}
} else if (s->flags & SIG_FLAG_MPM_HMDCONTENT) {
if (!(s->flags & SIG_FLAG_MPM_HMDCONTENT_NEG)) {
return 0;
}
} else if (s->flags & SIG_FLAG_MPM_HCDCONTENT) {
if (!(s->flags & SIG_FLAG_MPM_HCDCONTENT_NEG)) {
return 0;
}
} else if (s->flags & SIG_FLAG_MPM_HRUDCONTENT) {
if (!(s->flags & SIG_FLAG_MPM_HRUDCONTENT_NEG)) {
return 0;
}
}
}
}
@ -1531,7 +1499,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
if (det_ctx->smsg_pmq[pmq_idx].pattern_id_bitarray != NULL) {
/* filter out sigs that want pattern matches, but
* have no matches */
if (!(det_ctx->smsg_pmq[pmq_idx].pattern_id_bitarray[(s->mpm_stream_pattern_id_div_8)] & s->mpm_stream_pattern_id_mod_8) &&
if (!(det_ctx->smsg_pmq[pmq_idx].pattern_id_bitarray[(s->mpm_pattern_id_div_8)] & s->mpm_pattern_id_mod_8) &&
(s->flags & SIG_FLAG_MPM_STREAM) && !(s->flags & SIG_FLAG_MPM_STREAM_NEG)) {
SCLogDebug("no match in this smsg");
continue;
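Review bot: The combined flag test that opens the merged check in `SigMatchSignaturesBuildMatchArrayAddSignature` lists `SIG_FLAG_MPM_HRHDCONTENT` twice; this is harmless in an OR but reads as if another flag had been intended, so the repeat should go. Giving the mask a name next to the flag definitions (a proposed name would be `SIG_FLAG_MPM_ANY`) would keep this test and the per-buffer `_NEG` chain from drifting apart when a buffer is added. As rendered, the uricontent branch also switches its `_NEG` test from `s->full_sig->flags` to `s->flags`; it is worth confirming that the header copy of `flags` always carries that bit, because a 0 return here means the signature is never inspected. The function body continues outside the hunk.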

@ -332,20 +332,15 @@ typedef struct SignatureHeader_ {
uint16_t mpm_pattern_id_div_8;
uint8_t mpm_pattern_id_mod_8;
SignatureMask mask;
uint16_t alproto;
uint16_t mpm_stream_pattern_id_div_8;
};
uint64_t hdr_copy2;
uint32_t hdr_copy2;
};
union {
struct {
uint8_t file_flags;
uint8_t mpm_stream_pattern_id_mod_8;
uint16_t alproto;
SigIntId num; /**< signature number, internal id */
/** pattern in the mpm matcher */
PatIntId mpm_http_pattern_id;
};
uint64_t hdr_copy3;
uint32_t hdr_copy3;
};
/** pointer to the full signature */
@ -374,19 +369,15 @@ typedef struct Signature_ {
uint16_t mpm_pattern_id_div_8;
uint8_t mpm_pattern_id_mod_8;
SignatureMask mask;
uint16_t alproto;
uint16_t mpm_stream_pattern_id_div_8;
};
uint64_t hdr_copy2;
uint32_t hdr_copy2;
};
union {
struct {
uint8_t file_flags;
uint8_t mpm_stream_pattern_id_mod_8;
uint16_t alproto;
SigIntId num; /**< signature number, internal id */
PatIntId mpm_http_pattern_id;
};
uint64_t hdr_copy3;
uint32_t hdr_copy3;
};
/* the fast pattern added from this signature */
@ -416,6 +407,7 @@ typedef struct Signature_ {
uint16_t mpm_content_maxlen;
uint16_t mpm_uricontent_maxlen;
uint8_t file_flags;
/** number of sigmatches in the match and pmatch list */
uint16_t sm_cnt;
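Review bot: `hdr_copy2` and `hdr_copy3` shrink from `uint64_t` to `uint32_t` in both `SignatureHeader_` and `Signature_`, but nothing in these hunks ties the width of each copy word to the anonymous struct it overlays. The widths of `SignatureMask` and `SigIntId` are not visible on this page, so it cannot be confirmed here that each struct still fits in 4 bytes. If one does not, any code that copies the header through the `hdr_copyN` words (presumably their purpose) would leave the trailing field stale. A comment on each union stating its byte budget, in the form `/* 4 bytes: div_8 (2) + mod_8 (1) + mask (n) */` with the real widths filled in, plus a compile-time size check on `SignatureHeader`, would make a later field addition fail the build rather than the matcher. Both structs start and end outside the hunks.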
