From 7db72bce75120c8751ed21d6a8aefcc7d5a020fd Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Mon, 12 Dec 2011 13:48:21 +0100
Subject: [PATCH] Optimize detection engine prefiltering logic.
---
 src/detect-engine-state.c | 1 +
 src/detect.c | 48 +++++++++++++--------------------------
 src/detect.h | 26 ++------------------
 3 files changed, 19 insertions(+), 56 deletions(-)
diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c
index f6618a472b..f9adb05322 100644
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@@ -58,6 +58,7 @@
 #include "detect-engine-uri.h"
 #include "detect-engine-hcbd.h"
+#include "detect-engine-hsbd.h"
 #include "detect-engine-hhd.h"
 #include "detect-engine-hrhd.h"
 #include "detect-engine-hmd.h"
diff --git a/src/detect.c b/src/detect.c
index 1826b4ea73..84d456ba7a 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -122,6 +122,7 @@
 #include "detect-http-raw-uri.h"
 #include "detect-http-stat-msg.h"
 #include "detect-engine-hcbd.h"
+#include "detect-engine-hsbd.h"
 #include "detect-engine-hhd.h"
 #include "detect-engine-hrhd.h"
 #include "detect-engine-hmd.h"
@@ -683,14 +684,14 @@ int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, int sig_file_excl
 * \brief See if we can prefilter a signature on inexpensive checks
 *
 * Order of SignatureHeader access:
- * 1. mask
- * 2. flags
- * 3. alproto
- * 4. mpm_pattern_id_div8
+ * 1. flags
+ * 2. alproto
+ * 3. mpm_pattern_id_div8
 * 4. mpm_pattern_id_mod8
 * 5. mpm_stream_pattern_id_div8
- * 5. mpm_stream_pattern_id_mod8
- * 6. num
+ * 6. mpm_stream_pattern_id_mod8
+ * 7. mpm_http_pattern_id
+ * 8. num
 *
 * \retval 0 can't match, don't inspect
 * \retval 1 might match, further inspection required
@@ -725,8 +726,7 @@ static inline int SigMatchSignaturesBuildMatchArrayAddSignature(DetectEngineThre
 SCLogDebug("but thats okay, we are looking for neg-content");
 }
 }
- }
- if (s->flags & SIG_FLAG_MPM_STREAM) {
+ } else if (s->flags & SIG_FLAG_MPM_STREAM) {
 /* filter out sigs that want pattern matches, but
 * have no matches */
 if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_stream_pattern_id_div_8)] & s->mpm_stream_pattern_id_mod_8)) {
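Review bot: The new `} else if (s->flags & SIG_FLAG_MPM_STREAM) {` is only reached when the preceding branch's flag is clear, so the chain now depends on a signature carrying at most one `SIG_FLAG_MPM_*` flag, and nothing visible here states or checks that. If two could ever be set together, the later check is skipped and a signature the old code could reject goes on to full inspection; that appears safe for detection but gives back the saving and makes the outcome depend on branch order. I would state the invariant where the chain starts, e.g. `/* a signature has one mpm pattern, so at most one SIG_FLAG_MPM_* flag is set */`, and assert it in debug builds where the flags are assigned. The same chaining is applied to the eight HTTP buffer branches in the next hunk (`@@ -738,72 +738,56 @@`), and the function starts and ends outside both hunks.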
@@ -738,72 +738,56 @@ static inline int SigMatchSignaturesBuildMatchArrayAddSignature(DetectEngineThre
 SCLogDebug("but thats okay, we are looking for neg-content");
 }
 }
- }
-
- if (s->full_sig->flags & SIG_FLAG_MPM_URICONTENT) {
+ } else if (s->flags & SIG_FLAG_MPM_URICONTENT) {
 if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] & (1 << (s->mpm_http_pattern_id % 8)))) {
 if (!(s->full_sig->flags & SIG_FLAG_MPM_URICONTENT_NEG)) {
 return 0;
 }
 }
- }
-
- if (s->flags & SIG_FLAG_MPM_HCBDCONTENT) {
+ } else if (s->flags & SIG_FLAG_MPM_HCBDCONTENT) {
 if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] & (1 << (s->mpm_http_pattern_id % 8)))) {
 if (!(s->flags & SIG_FLAG_MPM_HCBDCONTENT_NEG)) {
 return 0;
 }
 }
- }
-
- if (s->flags & SIG_FLAG_MPM_HSBDCONTENT) {
+ } else if (s->flags & SIG_FLAG_MPM_HSBDCONTENT) {
 if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] & (1 << (s->mpm_http_pattern_id % 8)))) {
 if (!(s->flags & SIG_FLAG_MPM_HSBDCONTENT_NEG)) {
 return 0;
 }
 }
- }
-
- if (s->flags & SIG_FLAG_MPM_HHDCONTENT) {
+ } else if (s->flags & SIG_FLAG_MPM_HHDCONTENT) {
 if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] & (1 << (s->mpm_http_pattern_id % 8)))) {
 if (!(s->flags & SIG_FLAG_MPM_HHDCONTENT_NEG)) {
 return 0;
 }
 }
- }
-
- if (s->flags & SIG_FLAG_MPM_HRHDCONTENT) {
+ } else if (s->flags & SIG_FLAG_MPM_HRHDCONTENT) {
 if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] & (1 << (s->mpm_http_pattern_id % 8)))) {
 if (!(s->flags & SIG_FLAG_MPM_HRHDCONTENT_NEG)) {
 return 0;
 }
 }
- }
-
- if (s->flags & SIG_FLAG_MPM_HMDCONTENT) {
+ } else if (s->flags & SIG_FLAG_MPM_HMDCONTENT) {
 if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] & (1 << (s->mpm_http_pattern_id % 8)))) {
 if (!(s->flags & SIG_FLAG_MPM_HMDCONTENT_NEG)) {
 return 0;
 }
 }
- }
-
- if (s->flags & SIG_FLAG_MPM_HCDCONTENT) {
+ } else if (s->flags & SIG_FLAG_MPM_HCDCONTENT) {
 if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] & (1 << (s->mpm_http_pattern_id % 8)))) {
 if (!(s->flags & SIG_FLAG_MPM_HCDCONTENT_NEG)) {
 return 0;
 }
 }
- }
-
- if (s->flags & SIG_FLAG_MPM_HRUDCONTENT) {
+ } else if (s->flags & SIG_FLAG_MPM_HRUDCONTENT) {
 if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] & (1 << (s->mpm_http_pattern_id % 8)))) {
 if (!(s->flags & SIG_FLAG_MPM_HRUDCONTENT_NEG)) {
diff --git a/src/detect.h b/src/detect.h
index 2366c4e2ab..f9e4a898dd 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -339,6 +339,7 @@ typedef struct SignatureHeader_ {
 };
 union {
 struct {
+ uint8_t file_flags;
 uint8_t mpm_stream_pattern_id_mod_8;
 SigIntId num; /**< signature number, internal id */
 /** pattern in the mpm matcher */
@@ -380,6 +381,7 @@ typedef struct Signature_ {
 };
 union {
 struct {
+ uint8_t file_flags;
 uint8_t mpm_stream_pattern_id_mod_8;
 SigIntId num; /**< signature number, internal id */
 PatIntId mpm_http_pattern_id;
@@ -387,25 +389,6 @@ typedef struct Signature_ {
 uint64_t hdr_copy3;
 };
- /* mpm flags */
-// uint32_t mpm_flags;
-
- //PatIntId mpm_pattern_id;
- //PatIntId mpm_stream_pattern_id;
-
-/*
- //PatIntId mpm_pattern_id;
- //PatIntId mpm_stream_pattern_id;
- uint16_t mpm_pattern_id_div_8;
- uint8_t mpm_pattern_id_mod_8;
- uint8_t pad0;
- //PatIntId mpm_pattern_id;
- //PatIntId mpm_stream_pattern_id;
- uint16_t mpm_stream_pattern_id_div_8;
- uint8_t mpm_stream_pattern_id_mod_8;
- uint8_t pad1;
-*/
-
 /* the fast pattern added from this signature */
 SigMatch *mpm_sm;
@@ -449,9 +432,6 @@ typedef struct Signature_ {
 /** classification id **/
 uint8_t class;
- /* signature match mask */
- //SignatureMask mask;
-
 int prio;
 char *msg;
@@ -475,8 +455,6 @@ typedef struct Signature_ {
 /* holds all sm lists' tails */
 struct SigMatch_ *sm_lists_tail[DETECT_SM_LIST_MAX];
- uint8_t file_flags;
-
 /** address settings for this signature */
 DetectAddressHead src, dst;
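Review bot: The `SIG_FLAG_MPM_URICONTENT` branch in `@@ -738,72 +738,56 @@` now tests `s->flags`, but its negation check still reads `s->full_sig->flags & SIG_FLAG_MPM_URICONTENT_NEG`, while every other branch in the chain uses `s->flags` for both tests. That keeps one dereference into the full signature on the prefilter path, which the access order in the function's header comment does not list, and it presumably relies on the header's `flags` and the full signature's `flags` always agreeing. If the header copy carries the `_NEG` bit, the line should read `if (!(s->flags & SIG_FLAG_MPM_URICONTENT_NEG)) {`; if it does not, a short comment saying why this branch differs would help. The function body starts and ends outside the hunk.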
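Review bot: `file_flags` is added to the anonymous struct that shares a union with `uint64_t hdr_copy3`, in both `SignatureHeader_` and `Signature_` (hunks `@@ -339,6 +339,7 @@` and `@@ -380,6 +381,7 @@`), and nothing enforces that the struct still fits in eight bytes or that the two layouts stay identical. The widths of `SigIntId` and `PatIntId` are not visible here, so whether the four members fit depends on how those types are configured; if the header is copied through the `hdr_copy` fields, as the names suggest, members past the eighth byte would be left stale in the copy used for prefiltering. I would add a comment on both structs such as `/* keep layout-identical to Signature_; must fit in hdr_copy3 */` and a build-time size check next to the definitions. Both struct definitions start and end outside the hunks.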