From 37b223645aa01b0a79ea980b4f11f33083a6807a Mon Sep 17 00:00:00 2001
From: Anoop Saldanha
Date: Thu, 29 Dec 2011 02:11:37 +0530
Subject: [PATCH] fix detection engine for alert stability. Fix cases where we have multiple rules having same pattern. We should see good perf increase(~5%) with this change, now that we avoid unnecessary inspection"
---
 src/detect.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/detect.c b/src/detect.c
index c1cdc2fe62..3913925938 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1457,8 +1457,9 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 if (s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
 /* if we have stream msgs, inspect against those first,
 * but not for a "dsize" signature */
- if (!(s->flags & SIG_FLAG_REQUIRE_PACKET) && smsg != NULL) {
+ if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
 char pmatch = 0;
+ if (smsg != NULL) {
 uint8_t pmq_idx = 0;
 StreamMsg *smsg_inspect = smsg;
 for ( ; smsg_inspect != NULL; smsg_inspect = smsg_inspect->next, pmq_idx++) {
@@ -1495,10 +1496,15 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 }
 }

+ } /* if (smsg != NULL) */
+
 /* no match? then inspect packet payload */
 if (pmatch == 0) {
 SCLogDebug("no match in smsg, fall back to packet payload");

+ if (p->flags & PKT_STREAM_ADD)
+ goto next;
+
 if (sms_runflags & SMS_USED_PM) {
 if (s->flags & SIG_FLAG_MPM_PACKET && !(s->flags & SIG_FLAG_MPM_PACKET_NEG) &&
 !(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] &
@@ -1509,8 +1515,9 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 goto next;
 }
 } else {
- if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1)
+ if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1) {
 goto next;
+ }
 }
 }
 } else {
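Review bot: In the first hunk (`@@ -1457,8 +1457,9 @@`) the statements that now sit inside the new `if (smsg != NULL) {` are unchanged context lines, so they keep their old indentation and the block's extent can only be read from the trailing `} /* if (smsg != NULL) */` comment added in the next hunk. Re-indenting the stream-message loop one level would make the nesting visible and keep a later edit from landing on the wrong side of that brace. SigMatchSignatures starts and ends outside the hunk.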
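Review bot: In the second hunk (`@@ -1495,10 +1496,15 @@`) the added `if (p->flags & PKT_STREAM_ADD) goto next;` skips packet-payload inspection for any signature that did not match in the stream messages, and since the outer condition no longer requires `smsg != NULL` this also covers the case where no stream message was available at all. Nothing visible in the diff guarantees that such a packet's payload is later delivered as a stream message; if reassembly never hands it over (an inference, the reassembly code is outside this patch) the signature is never evaluated against that data and the alert is silently lost. I would state the invariant in a comment above the check, for example `/* payload was handed to stream reassembly and will be inspected via smsg; skip it here to avoid a duplicate match */`, and confirm it holds for the paths where reassembly stops early. The statement should also be braced to match what the third hunk does for the neighbouring check: `if (p->flags & PKT_STREAM_ADD) { goto next; }`. The enclosing function continues outside the hunk.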