Optimize detection engine prefiltering logic.

remotes/origin/master-1.2.x
Victor Julien 13 years ago
parent 89f83e714c
commit 7db72bce75

@ -58,6 +58,7 @@
#include "detect-engine-uri.h"
#include "detect-engine-hcbd.h"
#include "detect-engine-hsbd.h"
#include "detect-engine-hhd.h"
#include "detect-engine-hrhd.h"
#include "detect-engine-hmd.h"

@ -122,6 +122,7 @@
#include "detect-http-raw-uri.h"
#include "detect-http-stat-msg.h"
#include "detect-engine-hcbd.h"
#include "detect-engine-hsbd.h"
#include "detect-engine-hhd.h"
#include "detect-engine-hrhd.h"
#include "detect-engine-hmd.h"
@ -683,14 +684,14 @@ int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, int sig_file_excl
* \brief See if we can prefilter a signature on inexpensive checks
*
* Order of SignatureHeader access:
* 1. mask
* 2. flags
* 3. alproto
* 4. mpm_pattern_id_div8
* 1. flags
* 2. alproto
* 3. mpm_pattern_id_div8
* 4. mpm_pattern_id_mod8
* 5. mpm_stream_pattern_id_div8
* 5. mpm_stream_pattern_id_mod8
* 6. num
* 6. mpm_stream_pattern_id_mod8
* 7. mpm_http_pattern_id
* 8. num
*
* \retval 0 can't match, don't inspect
* \retval 1 might match, further inspection required
@ -725,8 +726,7 @@ static inline int SigMatchSignaturesBuildMatchArrayAddSignature(DetectEngineThre
SCLogDebug("but thats okay, we are looking for neg-content");
}
}
}
if (s->flags & SIG_FLAG_MPM_STREAM) {
} else if (s->flags & SIG_FLAG_MPM_STREAM) {
/* filter out sigs that want pattern matches, but
* have no matches */
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_stream_pattern_id_div_8)] & s->mpm_stream_pattern_id_mod_8)) {
@ -738,72 +738,56 @@ static inline int SigMatchSignaturesBuildMatchArrayAddSignature(DetectEngineThre
SCLogDebug("but thats okay, we are looking for neg-content");
}
}
}
if (s->full_sig->flags & SIG_FLAG_MPM_URICONTENT) {
} else if (s->flags & SIG_FLAG_MPM_URICONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
(1 << (s->mpm_http_pattern_id % 8)))) {
if (!(s->full_sig->flags & SIG_FLAG_MPM_URICONTENT_NEG)) {
return 0;
}
}
}
if (s->flags & SIG_FLAG_MPM_HCBDCONTENT) {
} else if (s->flags & SIG_FLAG_MPM_HCBDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
(1 << (s->mpm_http_pattern_id % 8)))) {
if (!(s->flags & SIG_FLAG_MPM_HCBDCONTENT_NEG)) {
return 0;
}
}
}
if (s->flags & SIG_FLAG_MPM_HSBDCONTENT) {
} else if (s->flags & SIG_FLAG_MPM_HSBDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
(1 << (s->mpm_http_pattern_id % 8)))) {
if (!(s->flags & SIG_FLAG_MPM_HSBDCONTENT_NEG)) {
return 0;
}
}
}
if (s->flags & SIG_FLAG_MPM_HHDCONTENT) {
} else if (s->flags & SIG_FLAG_MPM_HHDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
(1 << (s->mpm_http_pattern_id % 8)))) {
if (!(s->flags & SIG_FLAG_MPM_HHDCONTENT_NEG)) {
return 0;
}
}
}
if (s->flags & SIG_FLAG_MPM_HRHDCONTENT) {
} else if (s->flags & SIG_FLAG_MPM_HRHDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
(1 << (s->mpm_http_pattern_id % 8)))) {
if (!(s->flags & SIG_FLAG_MPM_HRHDCONTENT_NEG)) {
return 0;
}
}
}
if (s->flags & SIG_FLAG_MPM_HMDCONTENT) {
} else if (s->flags & SIG_FLAG_MPM_HMDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
(1 << (s->mpm_http_pattern_id % 8)))) {
if (!(s->flags & SIG_FLAG_MPM_HMDCONTENT_NEG)) {
return 0;
}
}
}
if (s->flags & SIG_FLAG_MPM_HCDCONTENT) {
} else if (s->flags & SIG_FLAG_MPM_HCDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
(1 << (s->mpm_http_pattern_id % 8)))) {
if (!(s->flags & SIG_FLAG_MPM_HCDCONTENT_NEG)) {
return 0;
}
}
}
if (s->flags & SIG_FLAG_MPM_HRUDCONTENT) {
} else if (s->flags & SIG_FLAG_MPM_HRUDCONTENT) {
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
(1 << (s->mpm_http_pattern_id % 8)))) {
if (!(s->flags & SIG_FLAG_MPM_HRUDCONTENT_NEG)) {
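Review bot: The URI branch still tests the negation bit through `s->full_sig->flags` even though its enclosing condition now reads `s->flags`, so this path keeps the extra dereference that every other branch avoids. If the header copy carries the same flag bits, as the new condition implies, the inner test should read `if (!(s->flags & SIG_FLAG_MPM_URICONTENT_NEG)) {`. Separately, the `else if` chain checks only the first MPM flag set on a signature, so a signature with several would be prefiltered less strictly than before; it would not be dropped. A comment ahead of the chain, such as `/* each signature is expected to carry one MPM flag; only the first set flag is checked */`, would record that assumption, which matters because a wrong `return 0` here means the signature is never inspected. The function starts before these hunks, and the rendering drops the +/- markers and stops before the last hunk ends.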

@ -339,6 +339,7 @@ typedef struct SignatureHeader_ {
};
union {
struct {
uint8_t file_flags;
uint8_t mpm_stream_pattern_id_mod_8;
SigIntId num; /**< signature number, internal id */
/** pattern in the mpm matcher */
@ -380,6 +381,7 @@ typedef struct Signature_ {
};
union {
struct {
uint8_t file_flags;
uint8_t mpm_stream_pattern_id_mod_8;
SigIntId num; /**< signature number, internal id */
PatIntId mpm_http_pattern_id;
@ -387,25 +389,6 @@ typedef struct Signature_ {
uint64_t hdr_copy3;
};
/* mpm flags */
// uint32_t mpm_flags;
//PatIntId mpm_pattern_id;
//PatIntId mpm_stream_pattern_id;
/*
//PatIntId mpm_pattern_id;
//PatIntId mpm_stream_pattern_id;
uint16_t mpm_pattern_id_div_8;
uint8_t mpm_pattern_id_mod_8;
uint8_t pad0;
//PatIntId mpm_pattern_id;
//PatIntId mpm_stream_pattern_id;
uint16_t mpm_stream_pattern_id_div_8;
uint8_t mpm_stream_pattern_id_mod_8;
uint8_t pad1;
*/
/* the fast pattern added from this signature */
SigMatch *mpm_sm;
@ -449,9 +432,6 @@ typedef struct Signature_ {
/** classification id **/
uint8_t class;
/* signature match mask */
//SignatureMask mask;
int prio;
char *msg;
@ -475,8 +455,6 @@ typedef struct Signature_ {
/* holds all sm lists' tails */
struct SigMatch_ *sm_lists_tail[DETECT_SM_LIST_MAX];
uint8_t file_flags;
/** address settings for this signature */
DetectAddressHead src, dst;
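Review bot: Nothing visible in these hunks checks that the inner struct still fits the `hdr_copy3` word it shares a union with once `uint8_t file_flags` sits in front of `mpm_stream_pattern_id_mod_8`. Nothing checks either that `SignatureHeader_` and `Signature_` keep the same field order. The widths of `SigIntId` and `PatIntId` are not shown, so whether the extra byte is absorbed by padding cannot be confirmed from here. If the header is filled by copying the `hdr_copy` words, a mismatch would make the prefilter read the wrong `num` or pattern id and silently skip signatures. A compile-time size assertion on the two structs would guard this, alongside a comment on both unions such as `/* must mirror the other header field-for-field and fit in hdr_copy3 */`.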
