aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

profiling: add tracking of missing keywords

Browse Source
pull/608/merge
Victor Julien 12 years ago
parent 5686c673ec
commit 7b687da726
5 changed files with 30 additions and 2 deletions
Show Stats Download Patch File Download Diff File

13
src/detect-engine-alert.c
Unescape Escape View File

@ -27,6 +27,8 @@
#include "flow.h"
#include "flow-private.h"
#include "util-profiling.h"
/** tag signature we use for tag alerts */
static Signature g_tag_signature;
/** tag packet alert structure for tag alerts */
@ -77,6 +79,7 @@ static int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det
/* handle suppressions first */
if (s->sm_lists[DETECT_SM_LIST_SUPPRESS] != NULL) {
KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_SUPPRESS);
sm = NULL;
do {
td = SigGetThresholdTypeIter(s, p, &sm, DETECT_SM_LIST_SUPPRESS);
@ -85,17 +88,21 @@ static int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det
/* PacketAlertThreshold returns 2 if the alert is suppressed but
* we do need to apply rule actions to the packet. */
KEYWORD_PROFILING_START;
ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s);
if (ret == 0 || ret == 2) {
KEYWORD_PROFILING_END(det_ctx, DETECT_THRESHOLD, 0);
/* It doesn't match threshold, remove it */
SCReturnInt(ret);
}
KEYWORD_PROFILING_END(det_ctx, DETECT_THRESHOLD, 1);
}
} while (sm != NULL);
}
/* if we're still here, consider thresholding */
if (s->sm_lists[DETECT_SM_LIST_THRESHOLD] != NULL) {
KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_THRESHOLD);
sm = NULL;
do {
td = SigGetThresholdTypeIter(s, p, &sm, DETECT_SM_LIST_THRESHOLD);
@ -104,11 +111,14 @@ static int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det
/* PacketAlertThreshold returns 2 if the alert is suppressed but
* we do need to apply rule actions to the packet. */
KEYWORD_PROFILING_START;
ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s);
if (ret == 0 || ret == 2) {
KEYWORD_PROFILING_END(det_ctx, DETECT_THRESHOLD ,0);
/* It doesn't match threshold, remove it */
SCReturnInt(ret);
}
KEYWORD_PROFILING_END(det_ctx, DETECT_THRESHOLD, 1);
}
} while (sm != NULL);
}
@ -238,10 +248,13 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
if (res > 0) {
/* Now, if we have an alert, we have to check if we want
* to tag this session or src/dst host */
KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_TMATCH);
sm = s->sm_lists[DETECT_SM_LIST_TMATCH];
while (sm) {
/* tags are set only for alerts */
KEYWORD_PROFILING_START;
sigmatch_table[sm->type].Match(NULL, det_ctx, p, s, sm);
KEYWORD_PROFILING_END(det_ctx, sm->type, 1);
sm = sm->next;
}

10
src/detect-engine-apt-event.c
Unescape Escape View File

@ -28,7 +28,7 @@
#include "detect-engine-state.h"
#include "stream.h"
#include "detect-engine-apt-event.h"
#include "util-profiling.h"
#include "util-unittest.h"
int DetectEngineAptEventInspect(ThreadVars *tv,
@ -52,8 +52,13 @@ int DetectEngineAptEventInspect(ThreadVars *tv,
for (sm = s->sm_lists[DETECT_SM_LIST_APP_EVENT]; sm != NULL; sm = sm->next) {
aled = (DetectAppLayerEventData *)sm->ctx;
if (AppLayerDecoderEventsIsEventSet(decoder_events, aled->event_id))
KEYWORD_PROFILING_START;
if (AppLayerDecoderEventsIsEventSet(decoder_events, aled->event_id)) {
KEYWORD_PROFILING_END(det_ctx, sm->type, 1);
continue;
}
KEYWORD_PROFILING_END(det_ctx, sm->type, 0);
goto end;
}
@ -73,3 +78,4 @@ int DetectEngineAptEventInspect(ThreadVars *tv,
}
}
}

6
src/detect-engine-file.c
Unescape Escape View File

@ -80,6 +80,7 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
int match = 0;
int store_r = 0;
KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_FILEMATCH);
SCLogDebug("file inspection... %p", ffc);
if (ffc != NULL) {
@ -137,8 +138,10 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
SCLogDebug("sm %p, sm->next %p", sm, sm->next);
if (sigmatch_table[sm->type].FileMatch != NULL) {
KEYWORD_PROFILING_START;
match = sigmatch_table[sm->type].
FileMatch(tv, det_ctx, f, flags, file, s, sm);
KEYWORD_PROFILING_END(det_ctx, sm->type, (match > 0));
if (match == 0) {
r = 2;
break;
@ -172,8 +175,11 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
{
DetectFilestoreData *fd = sm->ctx;
if (fd->scope > FILESTORE_SCOPE_DEFAULT) {
KEYWORD_PROFILING_START;
match = sigmatch_table[sm->type].
FileMatch(tv, det_ctx, f, flags, /* no file */NULL, s, sm);
KEYWORD_PROFILING_END(det_ctx, sm->type, (match > 0));
if (match == 1) {
r = 1;
}

2
src/detect-engine-iponly.c
Unescape Escape View File

@ -934,6 +934,7 @@ int IPOnlyMatchCompatSMs(ThreadVars *tv,
DetectEngineThreadCtx *det_ctx,
Signature *s, Packet *p)
{
KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_MATCH);
SigMatch *sm = s->sm_lists[DETECT_SM_LIST_MATCH];
while (sm != NULL) {
@ -1077,6 +1078,7 @@ void IPOnlyMatchPacket(ThreadVars *tv,
u * 8 + i, s->id, s->msg);
if (s->sm_lists[DETECT_SM_LIST_POSTMATCH] != NULL) {
KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_POSTMATCH);
SigMatch *sm = s->sm_lists[DETECT_SM_LIST_POSTMATCH];
SCLogDebug("running match functions, sm %p", sm);

1
src/detect-engine-state.c
Unescape Escape View File

@ -342,6 +342,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
(alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB ||
alproto == ALPROTO_SMB2))
{
KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_DMATCH);
if (alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) {
smb_state = (SMBState *)alstate;
if (smb_state->dcerpc_present &&

Write Preview
Loading…
Cancel
Save