diff --git a/src/detect-engine.c b/src/detect-engine.c
index 42a130cc4c..e66035e25f 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -104,7 +104,7 @@ static uint32_t detect_engine_ctx_id = 1;
 static DetectEngineThreadCtx *DetectEngineThreadCtxInitForReload(
 ThreadVars *tv, DetectEngineCtx *new_de_ctx, int mt);
-static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *);
+static int DetectEngineCtxLoadConf(DetectEngineCtx *);
 static DetectEngineMasterCtx g_master_de_ctx = { SCMUTEX_INITIALIZER,
 0, NULL, NULL, TENANT_SELECTOR_UNKNOWN, NULL,};
@@ -809,11 +809,6 @@ static DetectEngineCtx *DetectEngineCtxInitReal(int minimal, const char *prefix)
 {
 DetectEngineCtx *de_ctx;
- ConfNode *seq_node = NULL;
- ConfNode *insp_recursion_limit_node = NULL;
- ConfNode *de_engine_node = NULL;
- char *insp_recursion_limit = NULL;
-
 de_ctx = SCMalloc(sizeof(DetectEngineCtx));
 if (unlikely(de_ctx == NULL))
 goto error;
@@ -834,39 +829,6 @@ static DetectEngineCtx *DetectEngineCtxInitReal(int minimal, const char *prefix)
 SCLogDebug("ConfGetBool could not load the value.");
 }
- de_engine_node = ConfGetNode("detect-engine");
- if (de_engine_node != NULL) {
- TAILQ_FOREACH(seq_node, &de_engine_node->head, next) {
- if (strcmp(seq_node->val, "inspection-recursion-limit") != 0)
- continue;
-
- insp_recursion_limit_node = ConfNodeLookupChild(seq_node, seq_node->val);
- if (insp_recursion_limit_node == NULL) {
- SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Error retrieving conf "
- "entry for detect-engine:inspection-recursion-limit");
- break;
- }
- insp_recursion_limit = insp_recursion_limit_node->val;
- SCLogDebug("Found detect-engine:inspection-recursion-limit - %s:%s",
- insp_recursion_limit_node->name, insp_recursion_limit_node->val);
-
- break;
- }
- }
-
- if (insp_recursion_limit != NULL) {
- de_ctx->inspection_recursion_limit = atoi(insp_recursion_limit);
- } else {
- de_ctx->inspection_recursion_limit =
- DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT;
- }
-
- if (de_ctx->inspection_recursion_limit == 0)
- de_ctx->inspection_recursion_limit = -1;
-
- SCLogDebug("de_ctx->inspection_recursion_limit: %d",
- de_ctx->inspection_recursion_limit);
-
 de_ctx->mpm_matcher = PatternMatchDefaultMatcher();
 DetectEngineCtxLoadConf(de_ctx);
@@ -1006,25 +968,32 @@ void DetectEngineCtxFree(DetectEngineCtx *de_ctx)
 * \retval 0 if no config provided, 1 if config was provided
 * and loaded successfuly
 */
-static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
+static int DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
 {
 uint8_t profile = ENGINE_PROFILE_UNKNOWN;
+ char *max_uniq_toclient_groups_str = NULL;
+ char *max_uniq_toserver_groups_str = NULL;
+ char *sgh_mpm_context = NULL;
 char *de_ctx_profile = NULL;
- const char *max_uniq_toclient_groups_str = NULL;
- const char *max_uniq_toserver_groups_str = NULL;
-
- char *sgh_mpm_context = NULL;
+ (void)ConfGet("detect.profile", &de_ctx_profile);
+ (void)ConfGet("detect.sgh-mpm-context", &sgh_mpm_context);
 ConfNode *de_ctx_custom = ConfGetNode("detect-engine");
 ConfNode *opt = NULL;
 if (de_ctx_custom != NULL) {
 TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
- if (strcmp(opt->val, "profile") == 0) {
- de_ctx_profile = opt->head.tqh_first->val;
- } else if (strcmp(opt->val, "sgh-mpm-context") == 0) {
- sgh_mpm_context = opt->head.tqh_first->val;
+ if (de_ctx_profile == NULL) {
+ if (strcmp(opt->val, "profile") == 0) {
+ de_ctx_profile = opt->head.tqh_first->val;
+ }
+ }
+
+ if (sgh_mpm_context == NULL) {
+ if (strcmp(opt->val, "sgh-mpm-context") == 0) {
+ sgh_mpm_context = opt->head.tqh_first->val;
+ }
 }
 }
 }
@@ -1089,6 +1058,7 @@ static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
 de_ctx->sgh_mpm_context = ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL;
 }
+ /* parse profile custom-values */
 opt = NULL;
 switch (profile) {
 case ENGINE_PROFILE_LOW:
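Review bot: In the legacy `detect-engine` loop of DetectEngineCtxLoadConf, `opt->head.tqh_first->val` is read without checking that the list entry has a child node, so an entry with no value would presumably hit a NULL `tqh_first` while the configuration is loading. The new `if (de_ctx_profile == NULL)` and `if (sgh_mpm_context == NULL)` wrappers are a natural place for the guard, for example `if (opt->head.tqh_first != NULL && strcmp(opt->val, "profile") == 0) {`; the `custom-values` lookup in the next hunk passes the same pointer on unchecked. The `\retval` lines kept above the signature still describe the old 0/1 result, while the last hunk of this file makes the function return 0 or -1, so they should read `\retval 0 on success, -1 if the profile is unknown`. The function body continues outside this hunk.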
@@ -1102,12 +1072,23 @@ static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
 break;
 case ENGINE_PROFILE_CUSTOM:
- TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
- if (strcmp(opt->val, "custom-values") == 0) {
- max_uniq_toclient_groups_str = ConfNodeLookupChildValue
- (opt->head.tqh_first, "toclient-groups");
- max_uniq_toserver_groups_str = ConfNodeLookupChildValue
- (opt->head.tqh_first, "toserver-groups");
+ (void)ConfGet("detect.custom-values.toclient-groups",
+ &max_uniq_toclient_groups_str);
+ (void)ConfGet("detect.custom-values.toserver-groups",
+ &max_uniq_toserver_groups_str);
+
+ if (de_ctx_custom != NULL) {
+ TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
+ if (strcmp(opt->val, "custom-values") == 0) {
+ if (max_uniq_toclient_groups_str == NULL) {
+ max_uniq_toclient_groups_str = (char *)ConfNodeLookupChildValue
+ (opt->head.tqh_first, "toclient-groups");
+ }
+ if (max_uniq_toserver_groups_str == NULL) {
+ max_uniq_toserver_groups_str = (char *)ConfNodeLookupChildValue
+ (opt->head.tqh_first, "toserver-groups");
+ }
+ }
 }
 }
 }
 if (max_uniq_toclient_groups_str != NULL) {
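Review bot: The two `(char *)ConfNodeLookupChildValue(...)` casts drop the const qualifier that the removed `const char *` declarations kept, apparently only so the same variables can also be handed to `ConfGet`. Nothing visible in this hunk writes through the pointers, but the compiler no longer enforces that for the code that follows, which lies outside the hunk. If read-only use is the intent, a comment at the declarations such as `/* point into the conf tree: read-only, not freed here */` (to be confirmed by the author) would record it, or the legacy lookup could keep its own `const char *` locals.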
@@ -1151,9 +1132,58 @@ static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
 break;
 }
- if (profile == ENGINE_PROFILE_UNKNOWN)
- return 0;
- return 1;
+ if (profile == ENGINE_PROFILE_UNKNOWN) {
+ goto error;
+ }
+
+ intmax_t value = 0;
+ if (ConfGetInt("detect.inspection-recursion-limit", &value) == 1)
+ {
+ if (value >= 0 && value <= INT_MAX) {
+ de_ctx->inspection_recursion_limit = (int)value;
+ }
+
+ /* fall back to old config parsing */
+ } else {
+ ConfNode *insp_recursion_limit_node = NULL;
+ char *insp_recursion_limit = NULL;
+
+ if (de_ctx_custom != NULL) {
+ opt = NULL;
+ TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
+ if (strcmp(opt->val, "inspection-recursion-limit") != 0)
+ continue;
+
+ insp_recursion_limit_node = ConfNodeLookupChild(opt, opt->val);
+ if (insp_recursion_limit_node == NULL) {
+ SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Error retrieving conf "
+ "entry for detect-engine:inspection-recursion-limit");
+ break;
+ }
+ insp_recursion_limit = insp_recursion_limit_node->val;
+ SCLogDebug("Found detect-engine.inspection-recursion-limit - %s:%s",
+ insp_recursion_limit_node->name, insp_recursion_limit_node->val);
+ break;
+ }
+
+ if (insp_recursion_limit != NULL) {
+ de_ctx->inspection_recursion_limit = atoi(insp_recursion_limit);
+ } else {
+ de_ctx->inspection_recursion_limit =
+ DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT;
+ }
+ }
+ }
+
+ if (de_ctx->inspection_recursion_limit == 0)
+ de_ctx->inspection_recursion_limit = -1;
+
+ SCLogDebug("de_ctx->inspection_recursion_limit: %d",
+ de_ctx->inspection_recursion_limit);
+
+ return 0;
+error:
+ return -1;
 }
 /*
diff --git a/src/suricata.c b/src/suricata.c
index 5eb6482be7..f47aa5aa8f 100644
--- a/src/suricata.c
+++ b/src/suricata.c
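Review bot: The default recursion limit is now assigned only inside `if (de_ctx_custom != NULL)`, so a configuration that uses the new `detect:` section without `inspection-recursion-limit` and has no legacy `detect-engine` node never sets `de_ctx->inspection_recursion_limit` in this function. The same happens when `ConfGetInt` succeeds but the value is negative or above INT_MAX, because that case is skipped without a log message. If the field starts at zero (its initialisation is outside this hunk), the `== 0` check then turns it into -1, which appears to disable the limit that bounds time spent in content inspection. Assigning the default first, `de_ctx->inspection_recursion_limit = DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT;` ahead of `if (ConfGetInt(...`, and warning on an out-of-range value would keep the behaviour of the removed code. The `goto error` for an unknown profile also skips this whole block, and the call visible in DetectEngineCtxInitReal discards the return value.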
@@ -1985,12 +1985,14 @@ static void SetupDelayedDetect(SCInstance *suri)
 if (suri->offline) {
 suri->delayed_detect = 0;
 } else {
- ConfNode *denode = NULL;
- ConfNode *decnf = ConfGetNode("detect-engine");
- if (decnf != NULL) {
- TAILQ_FOREACH(denode, &decnf->head, next) {
- if (strcmp(denode->val, "delayed-detect") == 0) {
- (void)ConfGetChildValueBool(denode, "delayed-detect", &suri->delayed_detect);
+ if (ConfGetBool("detect.delayed-detect", &suri->delayed_detect) != 1) {
+ ConfNode *denode = NULL;
+ ConfNode *decnf = ConfGetNode("detect-engine");
+ if (decnf != NULL) {
+ TAILQ_FOREACH(denode, &decnf->head, next) {
+ if (strcmp(denode->val, "delayed-detect") == 0) {
+ (void)ConfGetChildValueBool(denode, "delayed-detect", &suri->delayed_detect);
+ }
 }
 }
 }
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 59c4d8e161..a9db90babb 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -591,22 +591,16 @@ legacy:
 # might end up taking too much time in the content inspection code.
 # If the argument specified is 0, the engine uses an internally defined
 # default limit. On not specifying a value, we use no limits on the recursion.
-detect-engine:
- - profile: medium
- - custom-values:
- toclient-src-groups: 2
- toclient-dst-groups: 2
- toclient-sp-groups: 2
- toclient-dp-groups: 3
- toserver-src-groups: 2
- toserver-dst-groups: 4
- toserver-sp-groups: 2
- toserver-dp-groups: 25
- - sgh-mpm-context: auto
- - inspection-recursion-limit: 3000
+detect:
+ profile: medium
+ custom-values:
+ toclient-groups: 3
+ toserver-groups: 25
+ sgh-mpm-context: auto
+ inspection-recursion-limit: 3000
 # If set to yes, the loading of signatures will be made after the capture
 # is started. This will limit the downtime in IPS mode.
- #- delayed-detect: yes
+ #delayed-detect: yes
 profiling:
 # Log the rules that made it past the prefilter stage, per packet
@@ -706,8 +700,8 @@ cuda:
 # ac, ac-bs and ac-gfbs.
 #
 # The mpm you choose also decides the distribution of mpm contexts for
-# signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
-# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
+# signature groups, specified by the conf - "detect.sgh-mpm-context".
+# Selecting "ac" as the mpm would require "detect.sgh-mpm-context"
 # to be set to "single", because of ac's memory requirements, unless the
 # ruleset is small enough to fit in one's memory, in which case one can
 # use "full" with "ac". Rest of the mpms can be run in "full" mode.