yaml: convert detect-engine to just detect

Instead of detect-engine which used a list for no good reason, use a
simple map now.

detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000
  # If set to yes, the loading of signatures will be made after the capture
  # is started. This will limit the downtime in IPS mode.
  #delayed-detect: yes
pull/1980/head
Victor Julien 10 years ago
parent ac2c206359
commit 725d6c3739

@ -104,7 +104,7 @@ static uint32_t detect_engine_ctx_id = 1;
static DetectEngineThreadCtx *DetectEngineThreadCtxInitForReload( static DetectEngineThreadCtx *DetectEngineThreadCtxInitForReload(
ThreadVars *tv, DetectEngineCtx *new_de_ctx, int mt); ThreadVars *tv, DetectEngineCtx *new_de_ctx, int mt);
static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *); static int DetectEngineCtxLoadConf(DetectEngineCtx *);
static DetectEngineMasterCtx g_master_de_ctx = { SCMUTEX_INITIALIZER, 0, NULL, NULL, TENANT_SELECTOR_UNKNOWN, NULL,}; static DetectEngineMasterCtx g_master_de_ctx = { SCMUTEX_INITIALIZER, 0, NULL, NULL, TENANT_SELECTOR_UNKNOWN, NULL,};
@ -809,11 +809,6 @@ static DetectEngineCtx *DetectEngineCtxInitReal(int minimal, const char *prefix)
{ {
DetectEngineCtx *de_ctx; DetectEngineCtx *de_ctx;
ConfNode *seq_node = NULL;
ConfNode *insp_recursion_limit_node = NULL;
ConfNode *de_engine_node = NULL;
char *insp_recursion_limit = NULL;
de_ctx = SCMalloc(sizeof(DetectEngineCtx)); de_ctx = SCMalloc(sizeof(DetectEngineCtx));
if (unlikely(de_ctx == NULL)) if (unlikely(de_ctx == NULL))
goto error; goto error;
@ -834,39 +829,6 @@ static DetectEngineCtx *DetectEngineCtxInitReal(int minimal, const char *prefix)
SCLogDebug("ConfGetBool could not load the value."); SCLogDebug("ConfGetBool could not load the value.");
} }
de_engine_node = ConfGetNode("detect-engine");
if (de_engine_node != NULL) {
TAILQ_FOREACH(seq_node, &de_engine_node->head, next) {
if (strcmp(seq_node->val, "inspection-recursion-limit") != 0)
continue;
insp_recursion_limit_node = ConfNodeLookupChild(seq_node, seq_node->val);
if (insp_recursion_limit_node == NULL) {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Error retrieving conf "
"entry for detect-engine:inspection-recursion-limit");
break;
}
insp_recursion_limit = insp_recursion_limit_node->val;
SCLogDebug("Found detect-engine:inspection-recursion-limit - %s:%s",
insp_recursion_limit_node->name, insp_recursion_limit_node->val);
break;
}
}
if (insp_recursion_limit != NULL) {
de_ctx->inspection_recursion_limit = atoi(insp_recursion_limit);
} else {
de_ctx->inspection_recursion_limit =
DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT;
}
if (de_ctx->inspection_recursion_limit == 0)
de_ctx->inspection_recursion_limit = -1;
SCLogDebug("de_ctx->inspection_recursion_limit: %d",
de_ctx->inspection_recursion_limit);
de_ctx->mpm_matcher = PatternMatchDefaultMatcher(); de_ctx->mpm_matcher = PatternMatchDefaultMatcher();
DetectEngineCtxLoadConf(de_ctx); DetectEngineCtxLoadConf(de_ctx);
@ -1006,28 +968,35 @@ void DetectEngineCtxFree(DetectEngineCtx *de_ctx)
* \retval 0 if no config provided, 1 if config was provided * \retval 0 if no config provided, 1 if config was provided
* and loaded successfuly * and loaded successfuly
*/ */
static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx) static int DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
{ {
uint8_t profile = ENGINE_PROFILE_UNKNOWN; uint8_t profile = ENGINE_PROFILE_UNKNOWN;
char *max_uniq_toclient_groups_str = NULL;
char *max_uniq_toserver_groups_str = NULL;
char *sgh_mpm_context = NULL;
char *de_ctx_profile = NULL; char *de_ctx_profile = NULL;
const char *max_uniq_toclient_groups_str = NULL; (void)ConfGet("detect.profile", &de_ctx_profile);
const char *max_uniq_toserver_groups_str = NULL; (void)ConfGet("detect.sgh-mpm-context", &sgh_mpm_context);
char *sgh_mpm_context = NULL;
ConfNode *de_ctx_custom = ConfGetNode("detect-engine"); ConfNode *de_ctx_custom = ConfGetNode("detect-engine");
ConfNode *opt = NULL; ConfNode *opt = NULL;
if (de_ctx_custom != NULL) { if (de_ctx_custom != NULL) {
TAILQ_FOREACH(opt, &de_ctx_custom->head, next) { TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
if (de_ctx_profile == NULL) {
if (strcmp(opt->val, "profile") == 0) { if (strcmp(opt->val, "profile") == 0) {
de_ctx_profile = opt->head.tqh_first->val; de_ctx_profile = opt->head.tqh_first->val;
} else if (strcmp(opt->val, "sgh-mpm-context") == 0) { }
}
if (sgh_mpm_context == NULL) {
if (strcmp(opt->val, "sgh-mpm-context") == 0) {
sgh_mpm_context = opt->head.tqh_first->val; sgh_mpm_context = opt->head.tqh_first->val;
} }
} }
} }
}
if (de_ctx_profile != NULL) { if (de_ctx_profile != NULL) {
if (strcmp(de_ctx_profile, "low") == 0) { if (strcmp(de_ctx_profile, "low") == 0) {
@ -1089,6 +1058,7 @@ static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
de_ctx->sgh_mpm_context = ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL; de_ctx->sgh_mpm_context = ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL;
} }
/* parse profile custom-values */
opt = NULL; opt = NULL;
switch (profile) { switch (profile) {
case ENGINE_PROFILE_LOW: case ENGINE_PROFILE_LOW:
@ -1102,14 +1072,25 @@ static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
break; break;
case ENGINE_PROFILE_CUSTOM: case ENGINE_PROFILE_CUSTOM:
(void)ConfGet("detect.custom-values.toclient-groups",
&max_uniq_toclient_groups_str);
(void)ConfGet("detect.custom-values.toserver-groups",
&max_uniq_toserver_groups_str);
if (de_ctx_custom != NULL) {
TAILQ_FOREACH(opt, &de_ctx_custom->head, next) { TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
if (strcmp(opt->val, "custom-values") == 0) { if (strcmp(opt->val, "custom-values") == 0) {
max_uniq_toclient_groups_str = ConfNodeLookupChildValue if (max_uniq_toclient_groups_str == NULL) {
max_uniq_toclient_groups_str = (char *)ConfNodeLookupChildValue
(opt->head.tqh_first, "toclient-groups"); (opt->head.tqh_first, "toclient-groups");
max_uniq_toserver_groups_str = ConfNodeLookupChildValue }
if (max_uniq_toserver_groups_str == NULL) {
max_uniq_toserver_groups_str = (char *)ConfNodeLookupChildValue
(opt->head.tqh_first, "toserver-groups"); (opt->head.tqh_first, "toserver-groups");
} }
} }
}
}
if (max_uniq_toclient_groups_str != NULL) { if (max_uniq_toclient_groups_str != NULL) {
if (ByteExtractStringUint16(&de_ctx->max_uniq_toclient_groups, 10, if (ByteExtractStringUint16(&de_ctx->max_uniq_toclient_groups, 10,
strlen(max_uniq_toclient_groups_str), strlen(max_uniq_toclient_groups_str),
@ -1151,9 +1132,58 @@ static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
break; break;
} }
if (profile == ENGINE_PROFILE_UNKNOWN) if (profile == ENGINE_PROFILE_UNKNOWN) {
goto error;
}
intmax_t value = 0;
if (ConfGetInt("detect.inspection-recursion-limit", &value) == 1)
{
if (value >= 0 && value <= INT_MAX) {
de_ctx->inspection_recursion_limit = (int)value;
}
/* fall back to old config parsing */
} else {
ConfNode *insp_recursion_limit_node = NULL;
char *insp_recursion_limit = NULL;
if (de_ctx_custom != NULL) {
opt = NULL;
TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
if (strcmp(opt->val, "inspection-recursion-limit") != 0)
continue;
insp_recursion_limit_node = ConfNodeLookupChild(opt, opt->val);
if (insp_recursion_limit_node == NULL) {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Error retrieving conf "
"entry for detect-engine:inspection-recursion-limit");
break;
}
insp_recursion_limit = insp_recursion_limit_node->val;
SCLogDebug("Found detect-engine.inspection-recursion-limit - %s:%s",
insp_recursion_limit_node->name, insp_recursion_limit_node->val);
break;
}
if (insp_recursion_limit != NULL) {
de_ctx->inspection_recursion_limit = atoi(insp_recursion_limit);
} else {
de_ctx->inspection_recursion_limit =
DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT;
}
}
}
if (de_ctx->inspection_recursion_limit == 0)
de_ctx->inspection_recursion_limit = -1;
SCLogDebug("de_ctx->inspection_recursion_limit: %d",
de_ctx->inspection_recursion_limit);
return 0; return 0;
return 1; error:
return -1;
} }
/* /*
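Review bot: In the fallback branch of DetectEngineCtxLoadConf the default is assigned only inside `if (de_ctx_custom != NULL)`, so a config with neither `detect.inspection-recursion-limit` nor a legacy `detect-engine` node never receives DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT, and a new-style value that fails the `value >= 0 && value <= INT_MAX` test is dropped without a log message. If de_ctx is zeroed after allocation (outside this hunk), the `== 0` check then sets -1 in both cases, which looks like it disables the limit, whereas the code removed from DetectEngineCtxInitReal applied the default. Assigning `de_ctx->inspection_recursion_limit = DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT;` before the `ConfGetInt` call would keep a bounded default on every path. The `goto error` for ENGINE_PROFILE_UNKNOWN skips this block as well, and the call in DetectEngineCtxInitReal still discards the return value, so that error is not acted on; the `\retval` comment above the function still documents 0/1 rather than 0/-1.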

@ -1985,6 +1985,7 @@ static void SetupDelayedDetect(SCInstance *suri)
if (suri->offline) { if (suri->offline) {
suri->delayed_detect = 0; suri->delayed_detect = 0;
} else { } else {
if (ConfGetBool("detect.delayed-detect", &suri->delayed_detect) != 1) {
ConfNode *denode = NULL; ConfNode *denode = NULL;
ConfNode *decnf = ConfGetNode("detect-engine"); ConfNode *decnf = ConfGetNode("detect-engine");
if (decnf != NULL) { if (decnf != NULL) {
@ -1995,6 +1996,7 @@ static void SetupDelayedDetect(SCInstance *suri)
} }
} }
} }
}
SCLogInfo("Delayed detect %s", suri->delayed_detect ? "enabled" : "disabled"); SCLogInfo("Delayed detect %s", suri->delayed_detect ? "enabled" : "disabled");
if (suri->delayed_detect) { if (suri->delayed_detect) {
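Review bot: The legacy lookup that now sits inside `if (ConfGetBool("detect.delayed-detect", &suri->delayed_detect) != 1)` has no comment marking it as the compatibility path, unlike the `/* fall back to old config parsing */` marker added in the detect-engine change. I would add `/* fall back to the old detect-engine list format */` above `ConfNode *denode = NULL;`, and consider a one-time notice when the old `detect-engine` node is what supplied the value, so operators can tell which section took effect. SetupDelayedDetect starts and ends outside these hunks.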

@ -591,22 +591,16 @@ legacy:
# might end up taking too much time in the content inspection code. # might end up taking too much time in the content inspection code.
# If the argument specified is 0, the engine uses an internally defined # If the argument specified is 0, the engine uses an internally defined
# default limit. On not specifying a value, we use no limits on the recursion. # default limit. On not specifying a value, we use no limits on the recursion.
detect-engine: detect:
- profile: medium profile: medium
- custom-values: custom-values:
toclient-src-groups: 2 toclient-groups: 3
toclient-dst-groups: 2 toserver-groups: 25
toclient-sp-groups: 2 sgh-mpm-context: auto
toclient-dp-groups: 3 inspection-recursion-limit: 3000
toserver-src-groups: 2
toserver-dst-groups: 4
toserver-sp-groups: 2
toserver-dp-groups: 25
- sgh-mpm-context: auto
- inspection-recursion-limit: 3000
# If set to yes, the loading of signatures will be made after the capture # If set to yes, the loading of signatures will be made after the capture
# is started. This will limit the downtime in IPS mode. # is started. This will limit the downtime in IPS mode.
#- delayed-detect: yes #delayed-detect: yes
profiling: profiling:
# Log the rules that made it past the prefilter stage, per packet # Log the rules that made it past the prefilter stage, per packet
@ -706,8 +700,8 @@ cuda:
# ac, ac-bs and ac-gfbs. # ac, ac-bs and ac-gfbs.
# #
# The mpm you choose also decides the distribution of mpm contexts for # The mpm you choose also decides the distribution of mpm contexts for
# signature groups, specified by the conf - "detect-engine.sgh-mpm-context". # signature groups, specified by the conf - "detect.sgh-mpm-context".
# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context" # Selecting "ac" as the mpm would require "detect.sgh-mpm-context"
# to be set to "single", because of ac's memory requirements, unless the # to be set to "single", because of ac's memory requirements, unless the
# ruleset is small enough to fit in one's memory, in which case one can # ruleset is small enough to fit in one's memory, in which case one can
# use "full" with "ac". Rest of the mpms can be run in "full" mode. # use "full" with "ac". Rest of the mpms can be run in "full" mode.
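Review bot: The context comment above `detect:` says a value of 0 selects an internally defined default and that leaving the value out means no limit, but the new code in DetectEngineCtxLoadConf turns 0 into -1 and reaches the built-in default only through the legacy `detect-engine` path. The comment should be rewritten to match whichever behaviour is intended, for example `# A value of 0 disables the limit; if unset, the built-in default is used.` if that is the design (the meaning of -1 is not visible on this page, so confirm first). A one-line comment on the new `custom-values` keys would also help, since the eight old `*-src/dst/sp/dp-groups` keys collapse into `toclient-groups` and `toserver-groups`.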
