diff --git a/src/alert-debuglog.c b/src/alert-debuglog.c
index 2d23c62b99..9be0bfc292 100644
--- a/src/alert-debuglog.c
+++ b/src/alert-debuglog.c
@@ -3,7 +3,7 @@
 /* alert debuglog
  *
  * TODO
- * - figure out a way to safely print detection engine info
+ * - figure out a way to (thread) safely print detection engine info
  * - maybe by having a log queue in the packet
  * - maybe by accessing it just and hoping threading doesn't hurt
  */
diff --git a/src/decode-udp.h b/src/decode-udp.h
index bcfa9f31a6..06e0a26ef6 100644
--- a/src/decode-udp.h
+++ b/src/decode-udp.h
@@ -25,7 +25,6 @@ typedef struct _UDPHdr
 typedef struct _UDPVars
 {
 u_int8_t hlen;
-}
-UDPVars;
+} UDPVars;
 #endif /* __DECODE_UDP_H__ */
diff --git a/src/detect-engine-iponly.c b/src/detect-engine-iponly.c
index 1788c4c9e2..88b355492b 100644
--- a/src/detect-engine-iponly.c
+++ b/src/detect-engine-iponly.c
@@ -2,6 +2,11 @@
 /* TODO: needs a lot of work
  *
+ * The dificulty with ip only matching is that we need to support (very large)
+ * netblocks as well. So we can't just add every single ip to a hash as that
+ * would be consuming to much memory. Thats why I've chosen to have a hash of
+ * /16's with a list inside them. If a netblock to add is bigger than a /16,
+ * we split it into /16's.
  */
 #include "vips.h"
diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c
index 4e5f245265..2afade4d2d 100644
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
@@ -235,6 +235,11 @@ void ContentHashFree(void *ch) {
 /* Predict a strength value for patterns
  *
+ * Patterns with high character diversity score higher.
+ * Alpha chars score not so high
+ * Other printable + a few common codes a little higher
+ * Everything else highest.
+ * Longer patterns score better than short patters.
  */
 u_int32_t PatternStrength(u_int8_t *pat, u_int16_t patlen, u_int16_t len) {
 u_int8_t a[256];
diff --git a/src/detect-engine-proto.h b/src/detect-engine-proto.h
index 1a29282dfc..0567ce5ee0 100644
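Review bot: The design comment added at the top of detect-engine-iponly.c explains how netblocks are stored (a hash of /16s, larger blocks split into /16s) but not how a lookup is resolved when several entries in one /16 bucket's list cover the same address, which is the property a reader of an IP-only matcher needs most; the lookup code is not in this hunk, so the comment should state it. Suggest adding a sentence along the lines of `* Lookup: hash on the /16 of the address, then walk that bucket's list; <state whether the first hit or the longest prefix wins>`, filled in from the actual matching code. While the comment is being touched, fix its typos: `dificulty` → `difficulty`, `to much` → `too much`, `Thats` → `That's`.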
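Review bot: The new header comment on PatternStrength describes the scoring idea but says nothing about the parameters, and the signature `u_int32_t PatternStrength(u_int8_t *pat, u_int16_t patlen, u_int16_t len)` carries two lengths, `patlen` and `len`, whose relationship cannot be told from the hunk (buffer bound versus pattern length, or a length before truncation). Suggest extending the comment with one line per argument and the meaning of the result, e.g. `* pat/patlen: pattern bytes and their length; len: <its role relative to patlen>; returns a larger value for a stronger pattern`, taking the role of `len` from the body. Also `short patters` → `short patterns`. The function body lies outside the hunk.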
--- a/src/detect-engine-proto.h
+++ b/src/detect-engine-proto.h
@@ -4,7 +4,7 @@
 #define DETECT_PROTO_ANY 0x1
 typedef struct DetectProto_ {
- u_int8_t proto[32]; /* bitarray 256/8 */
+ u_int8_t proto[256/8]; /* bitarray for 256 bits */
 u_int8_t flags;
 } DetectProto;
diff --git a/src/detect-flowbits.c b/src/detect-flowbits.c
index 53480f9aac..90e720d7f3 100644
--- a/src/detect-flowbits.c
+++ b/src/detect-flowbits.c
@@ -1,4 +1,4 @@
-/* Simple pktvar content match part of the detection engine.
+/* Simple Snort compatible flowbits implementation.
  *
  * Copyright (C) 2008 by Victor Julien
  *
diff --git a/src/detect-uricontent.c b/src/detect-uricontent.c
index 7065409046..02d62a6e57 100644
--- a/src/detect-uricontent.c
+++ b/src/detect-uricontent.c
@@ -2,21 +2,6 @@
  *
  * Copyright (C) 2008 by Victor Julien
  */
-/* This is a very important part of the detection engine, and certainly one
- * of the most complex parts. String searching is complex and expensive,
- * and thus worth optimizing. The way that is done here is by only running
- * the pattern matcher once for every packet. In this search, all search words,
- * the 'content' matches, are looked for. All results, of all the search words
- * are stored in a array of lists. The array is an array of MpmMatchBucket's,
- * that can be entered through the DetectContentData id field. There, it finds
- * the bucket containing a list of 0, 1, or more matches of that content match.
- * The list contains MpmMatch items, that contain an offset field. This field
- * is the possition of the last character in the match.
- *
- * XXX more later....
- *
- */
-
 #include
 #include "decode.h"
 #include "detect.h"
diff --git a/src/detect.c b/src/detect.c
index 4842e6cdfb..029aa5c293 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1,4 +1,4 @@
-/* Basic detection engine datastructure */
+/* Basic detection engine */
 #include
diff --git a/src/flow-bit.c b/src/flow-bit.c
index caf6c22884..5090717820 100644
--- a/src/flow-bit.c
+++ b/src/flow-bit.c
@@ -21,9 +21,7 @@
 #include "util-var.h"
 #include "util-unittest.h"
-/* get the flowbit with name 'name' from the flow
- *
- * name is a normal string*/
+/* get the flowbit with idx from the flow */
 static FlowBit *FlowBitGet(Flow *f, u_int16_t idx) {
 GenericVar *gv = f->flowvar;
 for ( ; gv != NULL; gv = gv->next) {
diff --git a/src/flow-hash.c b/src/flow-hash.c
index 649eb17685..9a81cb5eea 100644
--- a/src/flow-hash.c
+++ b/src/flow-hash.c
@@ -79,10 +79,10 @@ Flow *FlowGetFlowFromHash (Packet *p)
 /* see if the bucket already has a flow */
 if (fb->f == NULL) {
- /* no, so get one */
+ /* no, so get a new one */
 f = fb->f = FlowDequeue(&flow_spare_q);
 if (f == NULL) {
- flow_flags |= FLOW_EMERGENCY;
+ flow_flags |= FLOW_EMERGENCY; /* XXX mutex this */
 f = fb->f = FlowAlloc();
 if (f == NULL) {
@@ -123,7 +123,7 @@ Flow *FlowGetFlowFromHash (Packet *p)
 /* get us a new one and put it and the list tail */
 f = pf->hnext = FlowDequeue(&flow_spare_q);
 if (f == NULL) {
- flow_flags |= FLOW_EMERGENCY;
+ flow_flags |= FLOW_EMERGENCY; /* XXX mutex this */
 f = fb->f = FlowAlloc();
 if (f == NULL) {
diff --git a/src/flow-queue.h b/src/flow-queue.h
index 7d889037cf..5a98998ad7 100644
--- a/src/flow-queue.h
+++ b/src/flow-queue.h
@@ -5,7 +5,7 @@
 #include "flow.h"
-/* Define a queue for storing unused flows */
+/* Define a queue for storing flows */
 typedef struct _FlowQueue
 {
 Flow *top;
diff --git a/src/flow.h b/src/flow.h
index 288d87427e..9f71224fb2 100644
--- a/src/flow.h
+++ b/src/flow.h
@@ -32,6 +32,7 @@ typedef struct _FlowCnf
 } FlowConfig;
+/* Hash key for the flow hash */
 typedef struct _FlowKey
 {
 Address src, dst;
diff --git a/src/packet-queue.h b/src/packet-queue.h
index 4d3775cbbd..de27c2df19 100644
--- a/src/packet-queue.h
+++ b/src/packet-queue.h
@@ -5,6 +5,8 @@
 #include
 #include "decode.h"
+
+/* XXX: moved to decode.h */
 #if 0
 typedef struct _PacketQueue {
 Packet *top;
diff --git a/src/source-nfq.c b/src/source-nfq.c
index 8425607f9a..a3db1c9a01 100644
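Review bot: The replacement comment on FlowBitGet still does not say what the function returns when the flow holds no flowbit with `idx`; the visible body walks `f->flowvar` unconditionally and the rest of the function is outside the hunk, so presumably NULL comes back on a miss, and the comment should say so together with the precondition that `f` is non-NULL. Suggest `/* get the flowbit with id 'idx' from flow f. Returns the FlowBit, or NULL if the flow has no such bit; f must not be NULL. */`, adjusting the miss value to the actual return statement.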
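Review bot: `flow_flags |= FLOW_EMERGENCY; /* XXX mutex this */` on the new side is an unsynchronised read-modify-write of a global reached by every packet thread that calls FlowGetFlowFromHash, so a concurrent update to another bit of `flow_flags` can be lost and the access is a data race; the comment records the problem but the fix is a one-liner. Because the only operation is setting a bit, an atomic OR suffices — `__sync_fetch_and_or(&flow_flags, FLOW_EMERGENCY);` on GCC — or the update can go under whatever lock already serialises the flow hash, if one exists (not visible in this hunk). The identical line in the second hunk of this file needs the same treatment. FlowGetFlowFromHash begins and ends outside the hunk.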
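Review bot: In the list-tail path the emergency fallback stores the freshly allocated flow at the bucket head, `f = fb->f = FlowAlloc();`, although two lines earlier the new flow was being linked at the tail with `f = pf->hnext = FlowDequeue(&flow_spare_q);`; when the spare queue is empty this appears to overwrite `fb->f`, orphaning the chain hanging off the old head, while `pf->hnext` stays NULL. This looks like a copy of the first hunk's code that the commit touches without fixing; the fallback should presumably be `f = pf->hnext = FlowAlloc();`. Worth confirming against the rest of FlowGetFlowFromHash, which lies outside the hunk.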
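Review bot: The new `/* XXX: moved to decode.h */` annotates an `#if 0` block instead of removing it; since decode.h is included two lines above, the dead copy of the PacketQueue definition is only a trap for a reader who edits it and sees no effect, and the `#if 0` block should be deleted in this commit. If it must stay for reference, say why and for how long, e.g. `/* XXX: moved to decode.h; delete once every user includes decode.h */`. The `#if 0` block continues outside the hunk.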
--- a/src/source-nfq.c
+++ b/src/source-nfq.c
@@ -1,7 +1,7 @@
 /* Copyright (c) 2008 Victor Julien */
 /* TODO
- * - test in Receive and Verdict if both are present
+ * - test if Receive and Verdict if both are present
  *
  *
  *
@@ -109,7 +109,7 @@ void NFQSetupPkt (Packet *p, void *data)
 return;
 }
-static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
+static int NFQCallBack(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
 struct nfq_data *nfa, void *data) {
 NFQThreadVars *ntv = (NFQThreadVars *)data;
@@ -174,7 +174,7 @@ int NFQInitThread(NFQThreadVars *nfq_t, u_int16_t queue_num, u_int32_t queue_max
 /* pass the thread memory as a void ptr so the
  * callback function has access to it. */
- nfq_t->qh = nfq_create_queue(nfq_t->h, nfq_t->queue_num, &cb, (void *)nfq_t);
+ nfq_t->qh = nfq_create_queue(nfq_t->h, nfq_t->queue_num, &NFQCallBack, (void *)nfq_t);
 if (nfq_t->qh == NULL) {
 printf("error during nfq_create_queue()\n");
@@ -231,7 +231,7 @@ int ReceiveNFQThreadInit(ThreadVars *tv, void *initdata, void **data) {
 NFQThreadVars *ntv = &nfq_t[receive_queue_num];
 /* store the ThreadVars pointer in our NFQ thread context
- * as we will need it in our cb function */
+ * as we will need it in our callback function */
 ntv->tv = tv;
 int r = NFQInitThread(ntv,receive_queue_num,MAX_PENDING);
diff --git a/src/util-mpm-trie.c b/src/util-mpm-trie.c
index 29d7734d34..d17bd7b800 100644
--- a/src/util-mpm-trie.c
+++ b/src/util-mpm-trie.c
@@ -13,6 +13,8 @@
 #include "util-mpm-trie.h"
 #include "util-unittest.h"
+
+/* XXX can be removed. */
 #if 0
 /*
  * TODO/IDEAS/XXX
diff --git a/src/util-time.c b/src/util-time.c
index 29a7f024e4..61792ec030 100644
--- a/src/util-time.c
+++ b/src/util-time.c
@@ -1,4 +1,4 @@
-/* Time keeping for non-live packet handling (pcap files) */
+/* Time keeping for offline (non-live) packet handling (pcap files) */
 #include "vips.h"
 #include "detect.h"
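Review bot: The reworded TODO `* - test if Receive and Verdict if both are present` reads worse than the line it replaces: the doubled `if` makes it ungrammatical and it no longer says whether the item is about exercising the two modules together or about detecting that both are configured. Suggest `* - test Receive and Verdict when both are present`, or spell out the case actually meant.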
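Review bot: The failure branch right after the renamed callback registration still reports `printf("error during nfq_create_queue()\n");` to stdout with no reason, which in an inline IPS deployment hides the usual causes (missing CAP_NET_ADMIN, the queue number already bound, nfnetlink_queue not loaded). Suggest `fprintf(stderr, "error during nfq_create_queue(): %s\n", strerror(errno));`, which needs `<errno.h>` and `<string.h>` if not already included, and which presumes libnetfilter_queue leaves errno set on a NULL return — worth confirming for the library version in use. The rest of NFQInitThread is outside the hunk.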
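Review bot: `/* XXX can be removed. */` declares the following `#if 0` block removable yet leaves it in the file; code under `#if 0` is still read and grepped by maintainers and drifts away from the live trie implementation, so the block should be deleted in this commit, with version control holding the old text if it is ever wanted again. The `#if 0` block continues outside the hunk.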
@@ -12,7 +12,7 @@ void TimeModeSetLive(void) {
 live = TRUE;
 }
-void TimeModeSetNonlive (void) {
+void TimeModeSetOffline (void) {
 live = FALSE;
 }
diff --git a/src/util-time.h b/src/util-time.h
index 6a9c092b1c..888f40f688 100644
--- a/src/util-time.h
+++ b/src/util-time.h
@@ -4,7 +4,7 @@
 void TimeSet(struct timeval *);
 void TimeGet(struct timeval *);
 void TimeModeSetLive(void);
-void TimeModeSetNonlive (void);
+void TimeModeSetOffline (void);
 #endif /* __UTIL_TIME_H__ */
diff --git a/src/util-unittest.c b/src/util-unittest.c
index 3f9dd7c34c..8fd7290f5e 100644
--- a/src/util-unittest.c
+++ b/src/util-unittest.c
@@ -4,7 +4,7 @@
 #include "util-unittest.h"
-UtTest *ut_list;
+static UtTest *ut_list;
 static UtTest *UtAllocTest(void) {
 UtTest *ut = malloc(sizeof(UtTest));
diff --git a/src/vips.c b/src/vips.c
index d3852f522e..6e0282fda8 100644
--- a/src/vips.c
+++ b/src/vips.c
@@ -569,7 +569,7 @@ int RunModeIpsNFQ(void) {
 int RunModeFilePcap(char *file) {
 printf("RunModeFilePcap: file %s\n", file);
- TimeModeSetNonlive();
+ TimeModeSetOffline();
 /* create the threads */
 ThreadVars *tv_receivepcap = TmThreadCreate("ReceivePcapFile","packetpool","packetpool","pickup-queue","simple","1slot_noinout");
diff --git a/src/vips.h b/src/vips.h
index 40c8337b87..ea62ecdd7f 100644
--- a/src/vips.h
+++ b/src/vips.h
@@ -11,8 +11,6 @@
 #include "packet-queue.h"
-/* maximum number of simultanious threads. */
-#define NUM_THREADS 256
 /* max packets processed simultaniously */
 #define MAX_PENDING 50
@@ -21,7 +19,10 @@
 /* number of packets in processing right now
  * This is the diff between recv'd and verdicted
- * pkts */
+ * pkts
+ * XXX this should be turned into an api located
+ * in the packetpool code
+ */
 u_int32_t pending;
 #ifdef DBG_PERF
 u_int32_t dbg_maxpending;
@@ -29,9 +30,13 @@ u_int32_t dbg_maxpending;
 pthread_mutex_t mutex_pending;
 pthread_cond_t cond_pending;
-/* preallocated packet structures here */
+/* preallocated packet structures here
+ * XXX move to the packetpool queue handler code
+ */
 PacketQueue packet_q;
-/* queue's between various other threads */
+/* queue's between various other threads
+ * XXX move to the TmQueue structure later
+ */
 PacketQueue trans_q[256];
 /* uppercase to lowercase conversion lookup table */
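Review bot: `PacketQueue trans_q[256];` keeps a bare 256 as the array bound while the first hunk of this file deletes `#define NUM_THREADS 256`, the constant that plausibly was meant to bound exactly this table, so code indexing `trans_q` by a thread or queue number is left with no named limit to check against. Suggest naming it again, e.g. `#define TRANS_Q_MAX 256` and `PacketQueue trans_q[TRANS_Q_MAX];`. Separately, `packet_q`, `trans_q`, `pending` and the pthread objects are defined rather than `extern`-declared in a header, so every translation unit including vips.h emits a tentative definition and the link relies on common-symbol merging; the new XXX notes talk about moving them, but declaring them `extern` here with one definition in vips.c is the immediate fix. The hunk's context ends at the lookup-table comment.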