From 4f8eacdc692c3ae9e2f03b18a39391c1a038157c Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 1 Mar 2017 23:32:21 +0100
Subject: [PATCH] disable-detect: fix needless file hashing

When detection is running flags are set on flows to indicate if file hashing is needed. This is based on global output settings and rules. In the case of --disable-detection this was not happening, so all files where hashed with all methods. This has a significant performance impact. This patch adds logic to set the flow flags in --disable-detect mode.
---
 src/detect.c | 9 +++++++++
 src/detect.h | 1 +
 src/flow-worker.c | 9 +++++++++
 3 files changed, 19 insertions(+)

diff --git a/src/detect.c b/src/detect.c
index fd729ed39c..d30b7905c9 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -2284,6 +2284,15 @@ static int SignatureCreateMask(Signature *s)
 SCReturnInt(0);
 }
 
+/** \brief disable file features we don't need
+ * Called if we have no detection engine.
+ */
+void DisableDetectFlowFileFlags(Flow *f)
+{
+ DetectPostInspectFileFlagsUpdate(f, NULL /* no sgh */, STREAM_TOSERVER);
+ DetectPostInspectFileFlagsUpdate(f, NULL /* no sgh */, STREAM_TOCLIENT);
+}
+
 static void SigInitStandardMpmFactoryContexts(DetectEngineCtx *de_ctx)
 {
 DetectMpmInitializeBuiltinMpms(de_ctx);
diff --git a/src/detect.h b/src/detect.h
index e603d6f356..93b52bd3c5 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -1334,6 +1334,7 @@ int SigGroupBuild(DetectEngineCtx *);
 int SigGroupCleanup (DetectEngineCtx *de_ctx);
 void SigAddressPrepareBidirectionals (DetectEngineCtx *);
 
+void DisableDetectFlowFileFlags(Flow *f);
 char *DetectLoadCompleteSigPath(const DetectEngineCtx *, char *sig_file);
 int SigLoadSignatures (DetectEngineCtx *, char *, int);
 void SigTableList(const char *keyword);
diff --git a/src/flow-worker.c b/src/flow-worker.c
index ac0bd484dd..b29486e335 100644
--- a/src/flow-worker.c
+++ b/src/flow-worker.c
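Review bot: The doc comment on `DisableDetectFlowFileFlags` in src/detect.c leaves out the locking contract, although the function updates per-flow file flags for both directions; the only caller added by this patch (flow-worker.c) runs right after `DEBUG_ASSERT_FLOW_LOCKED(p->flow)`. I would add `\param f flow to update` and `\pre f is locked by the caller` so a future call site does not invoke it on an unlocked flow. It would also help to say that with a NULL sgh the outcome presumably depends only on the global output settings; `DetectPostInspectFileFlagsUpdate` is not part of this diff, so its NULL handling cannot be confirmed from here.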
@@ -201,6 +201,15 @@ TmEcode FlowWorker(ThreadVars *tv, Packet *p, void *data, PacketQueue *preq, Pac
 SCLogDebug("packet %"PRIu64" is TCP", p->pcap_cnt);
 DEBUG_ASSERT_FLOW_LOCKED(p->flow);
 
+ /* if detect is disabled, we need to apply file flags to the flow
+ * here on the first packet. */
+ if (detect_thread == NULL &&
+ ((PKT_IS_TOSERVER(p) && (p->flowflags & FLOW_PKT_TOSERVER_FIRST)) ||
+ (PKT_IS_TOCLIENT(p) && (p->flowflags & FLOW_PKT_TOCLIENT_FIRST))))
+ {
+ DisableDetectFlowFileFlags(p->flow);
+ }
+
 FLOWWORKER_PROFILING_START(p, PROFILE_FLOWWORKER_STREAM);
 StreamTcp(tv, p, fw->stream_thread, &fw->pq, NULL);
 FLOWWORKER_PROFILING_END(p, PROFILE_FLOWWORKER_STREAM);
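Review bot: The new condition fires on the first packet of each direction, but `DisableDetectFlowFileFlags` already updates both STREAM_TOSERVER and STREAM_TOCLIENT, so a bidirectional TCP flow gets the same update twice. If that is deliberate, for example to cover flows where only one direction is seen, the comment should say so: `/* run on the first packet of either direction so one-sided flows are covered; the second call repeats the same update */`. A flow that never hits this check keeps hashing with every method, which per the commit message is the costly case, so the trigger condition deserves that explanation. The check also sits only in the TCP branch; whether non-TCP flows need it cannot be judged from this hunk. FlowWorker's body starts and ends outside the hunk.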