From 38dc7ffebcc138023b66c1feffa7568623e8073d Mon Sep 17 00:00:00 2001 From: Pablo Rincon Date: Wed, 17 Feb 2010 16:53:04 +0100 Subject: [PATCH] Adding settings for detect engine group config --- src/detect-engine.c | 296 ++++++++++++++++++++++++++++++++++++++++++++ src/detect.c | 40 ++---- src/detect.h | 32 +++++ suricata.yaml | 27 ++++ 4 files changed, 365 insertions(+), 30 deletions(-) diff --git a/src/detect-engine.c b/src/detect-engine.c index a4e6cd6b05..4e922b0fac 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -24,11 +24,13 @@ //#include "util-mpm.h" #include "util-error.h" #include "util-hash.h" +#include "util-byte.h" #include "util-debug.h" #include "util-var-name.h" #include "tm-modules.h" +static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *); DetectEngineCtx *DetectEngineCtxInit(void) { DetectEngineCtx *de_ctx; @@ -44,6 +46,7 @@ DetectEngineCtx *DetectEngineCtxInit(void) { } de_ctx->mpm_matcher = PatternMatchDefaultMatcher(); + DetectEngineCtxLoadConf(de_ctx); SigGroupHeadHashInit(de_ctx); SigGroupHeadMpmHashInit(de_ctx); 
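Review bot: The result of `DetectEngineCtxLoadConf(de_ctx);` added to DetectEngineCtxInit is discarded, so the 0/1 distinction the callee documents (no config vs. config loaded) is computed and never used; either log or act on it at the call site, or make the function `void` and drop the return. The forward declaration `static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *);` also omits the parameter name, unlike the definition; `static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx);` keeps the two consistent. DetectEngineCtxInit continues outside the hunk.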
@@ -90,6 +93,299 @@ void DetectEngineCtxFree(DetectEngineCtx *de_ctx) { //DetectPortPrintMemory(); } +/** \brief Function that load DetectEngineCtx config for grouping sigs + * used by the engine + * \retval 0 if no config provided, 1 if config was provided + * and loaded successfuly + */ +static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx) { + uint8_t profile = ENGINE_PROFILE_UNKNOWN; + char *de_ctx_profile = NULL; + + const char *max_uniq_toclient_src_groups_str = NULL; + const char *max_uniq_toclient_dst_groups_str = NULL; + const char *max_uniq_toclient_sp_groups_str = NULL; + const char *max_uniq_toclient_dp_groups_str = NULL; + + const char *max_uniq_toserver_src_groups_str = NULL; + const char *max_uniq_toserver_dst_groups_str = NULL; + const char *max_uniq_toserver_sp_groups_str = NULL; + const char *max_uniq_toserver_dp_groups_str = NULL; + + const char *max_uniq_small_toclient_src_groups_str = NULL; + const char *max_uniq_small_toclient_dst_groups_str = NULL; + const char *max_uniq_small_toclient_sp_groups_str = NULL; + const char *max_uniq_small_toclient_dp_groups_str = NULL; + + const char *max_uniq_small_toserver_src_groups_str = NULL; + const char *max_uniq_small_toserver_dst_groups_str = NULL; + const char *max_uniq_small_toserver_sp_groups_str = NULL; + const char *max_uniq_small_toserver_dp_groups_str = NULL; + + + ConfNode *de_ctx_custom = ConfGetNode("detect-engine"); + ConfNode *opt = NULL; + + if (de_ctx_custom != NULL) { + TAILQ_FOREACH(opt, &de_ctx_custom->head, next) { + if (strncmp(opt->val, "profile", 3) == 0) { + de_ctx_profile = opt->head.tqh_first->val; + } + } + } + + if (de_ctx_profile != NULL) { + if (strncmp(de_ctx_profile, "low", 3) == 0) { + profile = ENGINE_PROFILE_LOW; + } else if (strncmp(de_ctx_profile, "medium", 6) == 0) { + profile = ENGINE_PROFILE_MEDIUM; + } else if (strncmp(de_ctx_profile, "high", 4) == 0) { + profile = ENGINE_PROFILE_HIGH; + } else if (strncmp(de_ctx_profile, "custom", 4) == 0) { + profile = 
ENGINE_PROFILE_CUSTOM; + } + SCLogInfo("Profile for detection engine groups is \"%s\"", de_ctx_profile); + } else { + SCLogInfo("Profile for detection engine groups not provided " + "at suricata.yaml. Using default (\"medium\")."); + } + + opt = NULL; + switch (profile) { + case ENGINE_PROFILE_LOW: + de_ctx->max_uniq_toclient_src_groups = 2; + de_ctx->max_uniq_toclient_dst_groups = 2; + de_ctx->max_uniq_toclient_sp_groups = 2; + de_ctx->max_uniq_toclient_dp_groups = 3; + de_ctx->max_uniq_toserver_src_groups = 2; + de_ctx->max_uniq_toserver_dst_groups = 2; + de_ctx->max_uniq_toserver_sp_groups = 2; + de_ctx->max_uniq_toserver_dp_groups = 3; + de_ctx->max_uniq_small_toclient_src_groups = 2; + de_ctx->max_uniq_small_toclient_dst_groups = 2; + de_ctx->max_uniq_small_toclient_sp_groups = 2; + de_ctx->max_uniq_small_toclient_dp_groups = 3; + de_ctx->max_uniq_small_toserver_src_groups = 2; + de_ctx->max_uniq_small_toserver_dst_groups = 2; + de_ctx->max_uniq_small_toserver_sp_groups = 2; + de_ctx->max_uniq_small_toserver_dp_groups = 3; + break; + case ENGINE_PROFILE_HIGH: + de_ctx->max_uniq_toclient_src_groups = 5; + de_ctx->max_uniq_toclient_dst_groups = 5; + de_ctx->max_uniq_toclient_sp_groups = 5; + de_ctx->max_uniq_toclient_dp_groups = 10; + de_ctx->max_uniq_toserver_src_groups = 5; + de_ctx->max_uniq_toserver_dst_groups = 5; + de_ctx->max_uniq_toserver_sp_groups = 5; + de_ctx->max_uniq_toserver_dp_groups = 30; + de_ctx->max_uniq_small_toclient_src_groups = 5; + de_ctx->max_uniq_small_toclient_dst_groups = 5; + de_ctx->max_uniq_small_toclient_sp_groups = 5; + de_ctx->max_uniq_small_toclient_dp_groups = 10; + de_ctx->max_uniq_small_toserver_src_groups = 5; + de_ctx->max_uniq_small_toserver_dst_groups = 5; + de_ctx->max_uniq_small_toserver_sp_groups = 5; + de_ctx->max_uniq_small_toserver_dp_groups = 10; + break; + case ENGINE_PROFILE_CUSTOM: + TAILQ_FOREACH(opt, &de_ctx_custom->head, next) { + if (strncmp(opt->val, "custom-values", 3) == 0) { + 
max_uniq_toclient_src_groups_str = ConfNodeLookupChildValue + (opt->head.tqh_first, "toclient_src_groups"); + max_uniq_toclient_dst_groups_str = ConfNodeLookupChildValue + (opt->head.tqh_first, "toclient_dst_groups"); + max_uniq_toclient_sp_groups_str = ConfNodeLookupChildValue + (opt->head.tqh_first, "toclient_sp_groups"); + max_uniq_toclient_dp_groups_str = ConfNodeLookupChildValue + (opt->head.tqh_first, "toclient_dp_groups"); + max_uniq_toserver_src_groups_str = ConfNodeLookupChildValue + (opt->head.tqh_first, "toserver_src_groups"); + max_uniq_toserver_dst_groups_str = ConfNodeLookupChildValue + (opt->head.tqh_first, "toserver_dst_groups"); + max_uniq_toserver_sp_groups_str = ConfNodeLookupChildValue + (opt->head.tqh_first, "toserver_sp_groups"); + max_uniq_toserver_dp_groups_str = ConfNodeLookupChildValue + (opt->head.tqh_first, "toserver_dp_groups"); + max_uniq_small_toclient_src_groups_str = ConfNodeLookupChildValue + (opt->head.tqh_first, "small_toclient_src_groups"); + max_uniq_small_toclient_dst_groups_str = ConfNodeLookupChildValue + (opt->head.tqh_first, "small_toclient_dst_groups"); + max_uniq_small_toclient_sp_groups_str = ConfNodeLookupChildValue + (opt->head.tqh_first, "small_toclient_sp_groups"); + max_uniq_small_toclient_dp_groups_str = ConfNodeLookupChildValue + (opt->head.tqh_first, "small_toclient_dp_groups"); + max_uniq_small_toserver_src_groups_str = ConfNodeLookupChildValue + (opt->head.tqh_first, "small_toserver_src_groups"); + max_uniq_small_toserver_dst_groups_str = ConfNodeLookupChildValue + (opt->head.tqh_first, "small_toserver_dst_groups"); + max_uniq_small_toserver_sp_groups_str = ConfNodeLookupChildValue + (opt->head.tqh_first, "small_toserver_sp_groups"); + max_uniq_small_toserver_dp_groups_str = ConfNodeLookupChildValue + (opt->head.tqh_first, "small_toserver_dp_groups"); + } + } + if (max_uniq_toclient_src_groups_str != NULL) { + if (ByteExtractStringUint16(&de_ctx->max_uniq_toclient_src_groups, 10, + 
strlen(max_uniq_toclient_src_groups_str), + (const char *)max_uniq_toclient_src_groups_str) <= 0) + de_ctx->max_uniq_toclient_src_groups = 2; + } else { + de_ctx->max_uniq_toclient_src_groups = 2; + } + if (max_uniq_toclient_dst_groups_str != NULL) { + if (ByteExtractStringUint16(&de_ctx->max_uniq_toclient_dst_groups, 10, + strlen(max_uniq_toclient_dst_groups_str), + (const char *)max_uniq_toclient_dst_groups_str) <= 0) + de_ctx->max_uniq_toclient_dst_groups = 2; + } else { + de_ctx->max_uniq_toclient_dst_groups = 2; + } + if (max_uniq_toclient_sp_groups_str != NULL) { + if (ByteExtractStringUint16(&de_ctx->max_uniq_toclient_sp_groups, 10, + strlen(max_uniq_toclient_sp_groups_str), + (const char *)max_uniq_toclient_sp_groups_str) <= 0) + de_ctx->max_uniq_toclient_sp_groups = 2; + } else { + de_ctx->max_uniq_toclient_sp_groups = 2; + } + if (max_uniq_toclient_dp_groups_str != NULL) { + if (ByteExtractStringUint16(&de_ctx->max_uniq_toclient_dp_groups, 10, + strlen(max_uniq_toclient_dp_groups_str), + (const char *)max_uniq_toclient_dp_groups_str) <= 0) + de_ctx->max_uniq_toclient_dp_groups = 2; + } else { + de_ctx->max_uniq_toclient_dp_groups = 2; + } + if (max_uniq_toserver_src_groups_str != NULL) { + if (ByteExtractStringUint16(&de_ctx->max_uniq_toserver_src_groups, 10, + strlen(max_uniq_toserver_src_groups_str), + (const char *)max_uniq_toserver_src_groups_str) <= 0) + de_ctx->max_uniq_toserver_src_groups = 2; + } else { + de_ctx->max_uniq_toserver_src_groups = 2; + } + if (max_uniq_toserver_dst_groups_str != NULL) { + if (ByteExtractStringUint16(&de_ctx->max_uniq_toserver_dst_groups, 10, + strlen(max_uniq_toserver_dst_groups_str), + (const char *)max_uniq_toserver_dst_groups_str) <= 0) + de_ctx->max_uniq_toserver_dst_groups = 2; + } else { + de_ctx->max_uniq_toserver_dst_groups = 2; + } + if (max_uniq_toserver_sp_groups_str != NULL) { + if (ByteExtractStringUint16(&de_ctx->max_uniq_toserver_sp_groups, 10, + strlen(max_uniq_toserver_sp_groups_str), + (const char 
*)max_uniq_toserver_sp_groups_str) <= 0) + de_ctx->max_uniq_toserver_sp_groups = 2; + } else { + de_ctx->max_uniq_toserver_sp_groups = 2; + } + if (max_uniq_toserver_dp_groups_str != NULL) { + if (ByteExtractStringUint16(&de_ctx->max_uniq_toserver_dp_groups, 10, + strlen(max_uniq_toserver_dp_groups_str), + (const char *)max_uniq_toserver_dp_groups_str) <= 0) + de_ctx->max_uniq_toserver_dp_groups = 2; + } else { + de_ctx->max_uniq_toserver_dp_groups = 2; + } + if (max_uniq_small_toclient_src_groups_str != NULL) { + if (ByteExtractStringUint16(&de_ctx->max_uniq_small_toclient_src_groups, 10, + strlen(max_uniq_small_toclient_src_groups_str), + (const char *)max_uniq_small_toclient_src_groups_str) <= 0) + de_ctx->max_uniq_small_toclient_src_groups = 2; + } else { + de_ctx->max_uniq_small_toclient_src_groups = 2; + } + if (max_uniq_small_toclient_dst_groups_str != NULL) { + if (ByteExtractStringUint16(&de_ctx->max_uniq_small_toclient_dst_groups, 10, + strlen(max_uniq_small_toclient_dst_groups_str), + (const char *)max_uniq_small_toclient_dst_groups_str) <= 0) + de_ctx->max_uniq_small_toclient_dst_groups = 2; + } else { + de_ctx->max_uniq_small_toclient_dst_groups = 2; + } + if (max_uniq_small_toclient_sp_groups_str != NULL) { + if (ByteExtractStringUint16(&de_ctx->max_uniq_small_toclient_sp_groups, 10, + strlen(max_uniq_small_toclient_sp_groups_str), + (const char *)max_uniq_small_toclient_sp_groups_str) <= 0) + de_ctx->max_uniq_small_toclient_sp_groups = 2; + } else { + de_ctx->max_uniq_small_toclient_sp_groups = 2; + } + if (max_uniq_small_toclient_dp_groups_str != NULL) { + if (ByteExtractStringUint16(&de_ctx->max_uniq_small_toclient_dp_groups, 10, + strlen(max_uniq_small_toclient_dp_groups_str), + (const char *)max_uniq_small_toclient_dp_groups_str) <= 0) + de_ctx->max_uniq_small_toclient_dp_groups = 2; + } else { + de_ctx->max_uniq_small_toclient_dp_groups = 2; + } + if (max_uniq_small_toserver_src_groups_str != NULL) { + if 
(ByteExtractStringUint16(&de_ctx->max_uniq_small_toserver_src_groups, 10, + strlen(max_uniq_small_toserver_src_groups_str), + (const char *)max_uniq_small_toserver_src_groups_str) <= 0) + de_ctx->max_uniq_small_toserver_src_groups = 2; + } else { + de_ctx->max_uniq_small_toserver_src_groups = 2; + } + if (max_uniq_small_toserver_dst_groups_str != NULL) { + if (ByteExtractStringUint16(&de_ctx->max_uniq_small_toserver_dst_groups, 10, + strlen(max_uniq_small_toserver_dst_groups_str), + (const char *)max_uniq_small_toserver_dst_groups_str) <= 0) + de_ctx->max_uniq_small_toserver_dst_groups = 2; + } else { + de_ctx->max_uniq_small_toserver_dst_groups = 2; + } + if (max_uniq_small_toserver_sp_groups_str != NULL) { + if (ByteExtractStringUint16(&de_ctx->max_uniq_small_toserver_sp_groups, 10, + strlen(max_uniq_small_toserver_sp_groups_str), + (const char *)max_uniq_small_toserver_sp_groups_str) <= 0) + de_ctx->max_uniq_small_toserver_sp_groups = 2; + } else { + de_ctx->max_uniq_small_toserver_sp_groups = 2; + } + if (max_uniq_small_toserver_dp_groups_str != NULL) { + if (ByteExtractStringUint16(&de_ctx->max_uniq_small_toserver_dp_groups, 10, + strlen(max_uniq_small_toserver_dp_groups_str), + (const char *)max_uniq_small_toserver_dp_groups_str) <= 0) + de_ctx->max_uniq_small_toserver_dp_groups = 2; + } else { + de_ctx->max_uniq_small_toserver_dp_groups = 2; + } + + break; + /* Default (or no config provided) is profile medium */ + case ENGINE_PROFILE_MEDIUM: + case ENGINE_PROFILE_UNKNOWN: + default: + de_ctx->max_uniq_toclient_src_groups = 2; + de_ctx->max_uniq_toclient_dst_groups = 2; + de_ctx->max_uniq_toclient_sp_groups = 2; + de_ctx->max_uniq_toclient_dp_groups = 3; + + de_ctx->max_uniq_toserver_src_groups = 2; + de_ctx->max_uniq_toserver_dst_groups = 4; + de_ctx->max_uniq_toserver_sp_groups = 2; + de_ctx->max_uniq_toserver_dp_groups = 25; + + de_ctx->max_uniq_small_toclient_src_groups = 2; + de_ctx->max_uniq_small_toclient_dst_groups = 2; + 
de_ctx->max_uniq_small_toclient_sp_groups = 2; + de_ctx->max_uniq_small_toclient_dp_groups = 2; + + de_ctx->max_uniq_small_toserver_src_groups = 2; + de_ctx->max_uniq_small_toserver_dst_groups = 2; + de_ctx->max_uniq_small_toserver_sp_groups = 2; + de_ctx->max_uniq_small_toserver_dp_groups = 8; + break; + } + + if (profile == ENGINE_PROFILE_UNKNOWN) + return 0; + return 1; +} + /* * getting & (re)setting the internal sig i */ diff --git a/src/detect.c b/src/detect.c index 8e05d59d4a..337b241ec5 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1295,26 +1295,6 @@ static DetectAddress *GetHeadPtr(DetectAddressHead *head, int family) { return grhead; } -#define MAX_UNIQ_TOCLIENT_SRC_GROUPS 2 -#define MAX_UNIQ_TOCLIENT_DST_GROUPS 2 -#define MAX_UNIQ_TOCLIENT_SP_GROUPS 2 -#define MAX_UNIQ_TOCLIENT_DP_GROUPS 3 - -#define MAX_UNIQ_TOSERVER_SRC_GROUPS 2 -#define MAX_UNIQ_TOSERVER_DST_GROUPS 4 -#define MAX_UNIQ_TOSERVER_SP_GROUPS 2 -#define MAX_UNIQ_TOSERVER_DP_GROUPS 25 - -#define MAX_UNIQ_SMALL_TOCLIENT_SRC_GROUPS 2 -#define MAX_UNIQ_SMALL_TOCLIENT_DST_GROUPS 2 -#define MAX_UNIQ_SMALL_TOCLIENT_SP_GROUPS 2 -#define MAX_UNIQ_SMALL_TOCLIENT_DP_GROUPS 2 - -#define MAX_UNIQ_SMALL_TOSERVER_SRC_GROUPS 2 -#define MAX_UNIQ_SMALL_TOSERVER_DST_GROUPS 2 -#define MAX_UNIQ_SMALL_TOSERVER_SP_GROUPS 2 -#define MAX_UNIQ_SMALL_TOSERVER_DP_GROUPS 8 - //#define SMALL_MPM(c) 0 #define SMALL_MPM(c) ((c) == 1) // || (c) == 2) 
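Review bot: The configuration keys in DetectEngineCtxLoadConf are matched by truncated prefix — `strncmp(opt->val, "profile", 3)`, `strncmp(opt->val, "custom-values", 3)` and `strncmp(de_ctx_profile, "custom", 4)` compare only "pro", "cus" and "cust" — so a mistyped or unrelated key beginning with those letters is silently accepted; these should be full comparisons such as `strcmp(opt->val, "profile") == 0`. A `- profile:` value that is none of the four names is reported with the same "Profile for detection engine groups is" message, then falls through to the medium defaults while the function returns 0 as if no config existed; an unrecognized value deserves a warning that names it. `opt->head.tqh_first->val` and the `ConfNodeLookupChildValue(opt->head.tqh_first, ...)` calls dereference the first child without a NULL check, which looks like a startup crash for an empty `- profile:` or `- custom-values:` entry (assuming a value-less node has no children — confirm against conf.c). The sixteen copies of the lookup-then-parse block in the ENGINE_PROFILE_CUSTOM case also hard-code a fallback of 2 for every key, including the dp keys whose medium defaults are 3, 25 and 8; a small helper taking the per-key default removes the duplication and keeps the fallbacks consistent, as sketched below.
```c
/* Read one custom-values key into *out, keeping dflt when the key is
 * absent or does not parse as an unsigned 16-bit decimal number. */
static void DetectEngineCtxLoadGroupLimit(const ConfNode *values, const char *key,
                                          uint16_t *out, uint16_t dflt)
{
    const char *str = ConfNodeLookupChildValue(values, key);
    if (str == NULL || ByteExtractStringUint16(out, 10, strlen(str), str) <= 0) {
        *out = dflt;
    }
}

/* … unchanged: profile lookup, LOW / HIGH / MEDIUM cases … */
        case ENGINE_PROFILE_CUSTOM:
            TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
                if (strcmp(opt->val, "custom-values") == 0 && opt->head.tqh_first != NULL) {
                    const ConfNode *values = opt->head.tqh_first;
                    DetectEngineCtxLoadGroupLimit(values, "toclient_src_groups",
                                                  &de_ctx->max_uniq_toclient_src_groups, 2);
                    DetectEngineCtxLoadGroupLimit(values, "toclient_dp_groups",
                                                  &de_ctx->max_uniq_toclient_dp_groups, 3);
                    /* … the remaining fourteen keys in the same form, each with its medium default … */
                }
            }
            /* … decide here what a missing custom-values node falls back to … */
            break;
```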
@@ -1706,8 +1686,8 @@ int SigAddressPrepareStage2(DetectEngineCtx *de_ctx) { for (ds = 0; ds < DSIZE_STATES; ds++) { for (f = 0; f < FLOW_STATES; f++) { for (proto = 0; proto < 256; proto++) { - int groups = ds ? (f ? MAX_UNIQ_TOSERVER_SRC_GROUPS : MAX_UNIQ_TOCLIENT_SRC_GROUPS) : - (f ? MAX_UNIQ_SMALL_TOSERVER_SRC_GROUPS : MAX_UNIQ_SMALL_TOCLIENT_SRC_GROUPS); + int groups = ds ? (f ? de_ctx->max_uniq_toserver_src_groups : de_ctx->max_uniq_toclient_src_groups) : + (f ? de_ctx->max_uniq_small_toserver_src_groups : de_ctx->max_uniq_small_toclient_src_groups); CreateGroupedAddrList(de_ctx, de_ctx->dsize_gh[ds].flow_gh[f].tmp_gh[proto]->ipv4_head, AF_INET, @@ -1904,8 +1884,8 @@ int BuildDestinationAddressHeads(DetectEngineCtx *de_ctx, DetectAddressHead *hea /* Create the destination address list, keeping in * mind the limits we use. */ - int groups = dsize ? (flow ? MAX_UNIQ_TOSERVER_DST_GROUPS : MAX_UNIQ_TOCLIENT_DST_GROUPS) : - (flow ? MAX_UNIQ_SMALL_TOSERVER_DST_GROUPS : MAX_UNIQ_SMALL_TOCLIENT_DST_GROUPS); + int groups = dsize ? (flow ? de_ctx->max_uniq_toserver_dst_groups : de_ctx->max_uniq_toclient_dst_groups) : + (flow ? de_ctx->max_uniq_small_toserver_dst_groups : de_ctx->max_uniq_small_toclient_dst_groups); CreateGroupedAddrList(de_ctx, tmp_gr_list, family, gr->dst_gh, groups, CreateGroupedAddrListCmpMpmMaxlen, max_idx); /* see if the sig group head of each address group is the 
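Review bot: The group limit passed to CreateGroupedAddrList here (and to the CreateGroupedAddrList/CreateGroupedPortList calls in the three later hunks of this file) can now be 0, which the removed #defines could never produce: under a custom profile DetectEngineCtxLoadConf keeps whatever ByteExtractStringUint16 parses successfully and only substitutes a default when the string is missing or unparsable, so a `toclient_src_groups: 0` entry reaches this line as `groups == 0` if that parser accepts "0". Whether the grouping functions tolerate a zero limit is outside the hunk; if they do not, clamp in the loader, e.g. `if (de_ctx->max_uniq_toclient_src_groups == 0) de_ctx->max_uniq_toclient_src_groups = 1;` for each field, or reject the configuration with an error. SigAddressPrepareStage2 starts and ends outside the hunk.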
@@ -2078,8 +2058,8 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De /* Create the destination address list, keeping in * mind the limits we use. */ - int groups = dsize ? (flow ? MAX_UNIQ_TOSERVER_DST_GROUPS : MAX_UNIQ_TOCLIENT_DST_GROUPS) : - (flow ? MAX_UNIQ_SMALL_TOSERVER_DST_GROUPS : MAX_UNIQ_SMALL_TOCLIENT_DST_GROUPS); + int groups = dsize ? (flow ? de_ctx->max_uniq_toserver_dst_groups : de_ctx->max_uniq_toclient_dst_groups) : + (flow ? de_ctx->max_uniq_small_toserver_dst_groups : de_ctx->max_uniq_small_toclient_dst_groups); CreateGroupedAddrList(de_ctx, tmp_gr_list, family, src_gr->dst_gh, groups, CreateGroupedAddrListCmpMpmMaxlen, max_idx); /* add the ports to the dst address groups and the sigs @@ -2129,8 +2109,8 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De } } - int spgroups = dsize ? (flow ? MAX_UNIQ_TOSERVER_SP_GROUPS : MAX_UNIQ_TOCLIENT_SP_GROUPS) : - (flow ? MAX_UNIQ_SMALL_TOSERVER_SP_GROUPS : MAX_UNIQ_SMALL_TOCLIENT_SP_GROUPS); + int spgroups = dsize ? (flow ? de_ctx->max_uniq_toserver_sp_groups : de_ctx->max_uniq_toclient_sp_groups) : + (flow ? de_ctx->max_uniq_small_toserver_sp_groups : de_ctx->max_uniq_small_toclient_sp_groups); CreateGroupedPortList(de_ctx, de_ctx->sport_hash_table, &dst_gr->port, spgroups, CreateGroupedPortListCmpMpmMaxlen, max_idx); SCLogDebug("adding sgh %p to the hash", dst_gr->sh); 
@@ -2183,8 +2163,8 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De } } - int dpgroups = dsize ? (flow ? MAX_UNIQ_TOSERVER_DP_GROUPS : MAX_UNIQ_TOCLIENT_DP_GROUPS) : - (flow ? MAX_UNIQ_SMALL_TOSERVER_DP_GROUPS : MAX_UNIQ_SMALL_TOCLIENT_DP_GROUPS); + int dpgroups = dsize ? (flow ? de_ctx->max_uniq_toserver_dp_groups : de_ctx->max_uniq_toclient_dp_groups) : + (flow ? de_ctx->max_uniq_small_toserver_dp_groups : de_ctx->max_uniq_small_toclient_dp_groups); CreateGroupedPortList(de_ctx, de_ctx->dport_hash_table, &sp->dst_ph, dpgroups, CreateGroupedPortListCmpMpmMaxlen, max_idx); diff --git a/src/detect.h b/src/detect.h index 505466b974..1856149fbe 100644 --- a/src/detect.h +++ b/src/detect.h @@ -299,8 +299,40 @@ typedef struct DetectEngineCtx_ { * hold the cuda context for all the rules content */ int cuda_rc_mod_handle; #endif + + /* Config options */ + + uint16_t max_uniq_toclient_src_groups; + uint16_t max_uniq_toclient_dst_groups; + uint16_t max_uniq_toclient_sp_groups; + uint16_t max_uniq_toclient_dp_groups; + + uint16_t max_uniq_toserver_src_groups; + uint16_t max_uniq_toserver_dst_groups; + uint16_t max_uniq_toserver_sp_groups; + uint16_t max_uniq_toserver_dp_groups; + + uint16_t max_uniq_small_toclient_src_groups; + uint16_t max_uniq_small_toclient_dst_groups; + uint16_t max_uniq_small_toclient_sp_groups; + uint16_t max_uniq_small_toclient_dp_groups; + + uint16_t max_uniq_small_toserver_src_groups; + uint16_t max_uniq_small_toserver_dst_groups; + uint16_t max_uniq_small_toserver_sp_groups; + uint16_t max_uniq_small_toserver_dp_groups; } DetectEngineCtx; +/* Engine groups profiles (low, medium, high, custom) */ +enum { + ENGINE_PROFILE_UNKNOWN, + ENGINE_PROFILE_LOW, + ENGINE_PROFILE_MEDIUM, + ENGINE_PROFILE_HIGH, + ENGINE_PROFILE_CUSTOM, + ENGINE_PROFILE_MAX +}; + /** * Detection engine thread data. */ diff --git a/suricata.yaml b/suricata.yaml index 89017f05af..4572098421 100644 --- a/suricata.yaml +++ b/suricata.yaml 
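Review bot: The sixteen new `max_uniq_*_groups` fields and the profile enum in detect.h carry no documentation, and nothing in the header says who fills them or what a value bounds. A comment above the group such as `/* Upper bounds on the number of address/port groups built per direction and dsize class; filled by DetectEngineCtxLoadConf() from the detect-engine section of suricata.yaml, so only valid after DetectEngineCtxInit() */` would cover it, and the enum could carry `/* Value space of the detect-engine "profile" key; ENGINE_PROFILE_UNKNOWN means no profile was given */`. `ENGINE_PROFILE_MAX` is not referenced anywhere in this patch, so either use it for a range check in the loader or leave it out. The DetectEngineCtx_ struct begins outside the hunk.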
@@ -55,6 +55,33 @@ defrag: prealloc: yes timeout: 60 +# The detection engine build internal groups of signatures. The engine +# allow us to specify the profile to use for them, to manage memory on an +# efficient way keeping a good performance. For the profile keyword you +# can use the words "low", "medium", "high" or "custom". If you use custom +# make sure to define the values at "- custom-values" as your convenience. +# Usually you would prefer medium/high/low +detect-engine: + - profile: medium + - custom-values: + toclient_src_groups: 2 + toclient_dst_groups: 2 + toclient_sp_groups: 2 + toclient_dp_groups: 3 + toserver_src_groups: 2 + toserver_dst_groups: 4 + toserver_sp_groups: 2 + toserver_dp_groups: 25 + small_toclient_src_groups: 2 + small_toclient_dst_groups: 2 + small_toclient_sp_groups: 2 + small_toclient_dp_groups: 2 + small_toserver_src_groups: 2 + small_toserver_dst_groups: 2 + small_toserver_sp_groups: 2 + small_toserver_dp_groups: 8 + + # Select the multi pattern algorithm you want to run for scan/search the # in the engine. The supported algorithms are b2g, b3g and wumanber.
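Review bot: The comment introducing `detect-engine:` does not tell the reader what happens to bad input: a `custom-values` entry that is missing or does not parse as a number falls back to 2 in DetectEngineCtxLoadConf, not to the medium values listed here such as `toserver_dp_groups: 25`, and the whole `custom-values` list is ignored unless `profile: custom` is set. It also has several grammar slips ("The detection engine build", "The engine allow us", "on an efficient way", "as your convenience"). I would rewrite the paragraph to say that the engine groups signatures internally, that `profile` picks one of low, medium, high or custom to trade memory against performance, that `custom-values` is read only when the profile is custom, and that each missing or malformed custom value defaults to 2.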