From b367c37ae617743965ca0741e3d6714d9f60a868 Mon Sep 17 00:00:00 2001 From: Anoop Saldanha Date: Sat, 9 Oct 2010 14:36:53 +0530 Subject: [PATCH] suricata.yaml conf update to support single mpm context distribution over multiple sghs + code to parse this conf --- src/detect-engine.c | 27 ++++++++++++++++++++++++++- src/detect.h | 10 ++++++++++ suricata.yaml | 22 +++++++++++++++++++--- 3 files changed, 55 insertions(+), 4 deletions(-) diff --git a/src/detect-engine.c b/src/detect-engine.c index a92a501176..c7fda04177 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -144,6 +144,8 @@ static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx) { const char *max_uniq_toserver_sp_groups_str = NULL; const char *max_uniq_toserver_dp_groups_str = NULL; + char *sgh_mpm_context = NULL; + ConfNode *de_ctx_custom = ConfGetNode("detect-engine"); ConfNode *opt = NULL; @@ -151,6 +153,8 @@ static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx) { TAILQ_FOREACH(opt, &de_ctx_custom->head, next) { if (strncmp(opt->val, "profile", 3) == 0) { de_ctx_profile = opt->head.tqh_first->val; + } else if (strcmp(opt->val, "sgh-mpm-context") == 0) { + sgh_mpm_context = opt->head.tqh_first->val; } } } 
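Review bot: The new `sgh-mpm-context` branch reads `opt->head.tqh_first->val` without checking that the node has a child, so if the YAML loader can produce a key node with no value (a bare `- sgh-mpm-context:` line) this dereferences NULL; the `profile` line above has the same latent issue, but the new key can close it with `} else if (strcmp(opt->val, "sgh-mpm-context") == 0 && opt->head.tqh_first != NULL) {`. The variable is also declared `char *sgh_mpm_context` in the first hunk while every other conf string in this function is `const char *`; `const char *sgh_mpm_context = NULL;` keeps the pointer into conf storage read-only and matches the surrounding declarations. DetectEngineCtxLoadConf starts and ends outside these hunks.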
@@ -169,9 +173,30 @@ static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx) { SCLogDebug("Profile for detection engine groups is \"%s\"", de_ctx_profile); } else { SCLogDebug("Profile for detection engine groups not provided " - "at suricata.yaml. Using default (\"medium\")."); + "at suricata.yaml. Using default (\"medium\")."); } + if (sgh_mpm_context != NULL) { + if (strcmp(sgh_mpm_context, "single") == 0) { + de_ctx->sgh_mpm_context = ENGINE_SGH_MPM_CONTEXT_SINGLE; + } else if (strcmp(sgh_mpm_context, "full") == 0) { + de_ctx->sgh_mpm_context = ENGINE_SGH_MPM_CONTEXT_FULL; + } else if (strcmp(sgh_mpm_context, "auto") == 0) { + de_ctx->sgh_mpm_context = ENGINE_SGH_MPM_CONTEXT_AUTO; + } else { + SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY, "You have supplied an " + "invalid conf value for detect-engine.sgh-mpm-context-" + "%s", sgh_mpm_context); + } + } else { + SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY, "You have supplied a " + "value for detect-engine.sgh-mpm-context. Using " + "default value of full\n"); + de_ctx->sgh_mpm_context = ENGINE_SGH_MPM_CONTEXT_FULL; + } + + + opt = NULL; switch (profile) { case ENGINE_PROFILE_LOW: diff --git a/src/detect.h b/src/detect.h index 66eba04171..dc87a080c7 100644 --- a/src/detect.h +++ b/src/detect.h @@ -567,6 +567,9 @@ typedef struct DetectEngineCtx_ { uint16_t max_uniq_small_toserver_sp_groups; uint16_t max_uniq_small_toserver_dp_groups; */ + + uint8_t sgh_mpm_context; + /** hash table for looking up patterns for * id sharing and id tracking. */ MpmPatternIdStore *mpm_pattern_id_store; @@ -592,6 +595,13 @@ enum { ENGINE_PROFILE_MAX }; +/* Siggroup mpm context profile */ +enum { + ENGINE_SGH_MPM_CONTEXT_FULL, + ENGINE_SGH_MPM_CONTEXT_SINGLE, + ENGINE_SGH_MPM_CONTEXT_AUTO +}; + /** * Detection engine thread data. */ diff --git a/suricata.yaml b/suricata.yaml index c9f3fcccf1..98c30b8092 100644 --- a/suricata.yaml +++ b/suricata.yaml 
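Review bot: When `sgh_mpm_context` holds an unrecognised string the new block only warns and never assigns `de_ctx->sgh_mpm_context`, so the effective mode is whatever the context held before this call (presumably 0, i.e. FULL, if the ctx was zero-allocated, which is not visible here); given that the yaml text in this same patch says "full" with "ac" can exhaust memory, the invalid branch should set the documented default explicitly, `de_ctx->sgh_mpm_context = ENGINE_SGH_MPM_CONTEXT_FULL;`, or reject the value outright. The `else` branch's message is inverted and carries a stray `\n`: it runs when no value was supplied but says "You have supplied a value for ..."; `"You have not supplied a value for detect-engine.sgh-mpm-context. Using default value of full"` is the intended text. The invalid-value message likewise reads `sgh-mpm-context-%s`, which prints as `sgh-mpm-context-foo`; `"invalid conf value \"%s\" for detect-engine.sgh-mpm-context"` is clearer. DetectEngineCtxLoadConf continues past the end of this hunk.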
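Review bot: The added `uint8_t sgh_mpm_context;` member of DetectEngineCtx_ is the only field in view without a doc comment, while the neighbouring `mpm_pattern_id_store` has one, and nothing ties the field to the `ENGINE_SGH_MPM_CONTEXT_*` enum added in the next hunk. A one-line comment such as `/** how mpm contexts are distributed over the sig group heads: one of the ENGINE_SGH_MPM_CONTEXT_* values, set from detect-engine.sgh-mpm-context */` above the field would make the relationship explicit. The enclosing struct definition starts and ends outside this hunk.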
@@ -94,9 +94,16 @@ engine-analysis: # The detection engine builds internal groups of signatures. The engine # allow us to specify the profile to use for them, to manage memory on an # efficient way keeping a good performance. For the profile keyword you -# can use the words "low", "medium", "high" or "custom". If you use custom +# can use the words "low", "medium", "high" or "custom". If you use custom # make sure to define the values at "- custom-values" as your convenience. -# Usually you would prefer medium/high/low +# Usually you would prefer medium/high/low. +# +# "sgh mpm-context", indicates how the staging should allot mpm contexts for +# the signature groups. "single" indicates the use of a single context for +# all the signature group heads. "full" indicates a mpm_context for each +# group head. "auto" lets the engine decide the distribution of contexts +# based on the information the engine gathers on the patterns from each +# group head. detect-engine: - profile: medium - custom-values: @@ -108,6 +115,7 @@ detect-engine: toserver_dst_groups: 4 toserver_sp_groups: 2 toserver_dp_groups: 25 + - sgh-mpm-context: single # Suricata is multi-threaded. Here the threading can be influenced. threading: 
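Review bot: The new comment names the option `"sgh mpm-context"` while the key that the parser matches with strcmp, and that the second hunk actually writes, is `sgh-mpm-context`, so a reader copying the name from the comment ends up with an unmatched key. The comment also does not say what happens when the line is omitted: the parsing code in this patch falls back to "full", which differs from the `single` value shipped here. Suggested first line: `# "sgh-mpm-context" indicates how the staging should allot mpm contexts for`, with a closing sentence `# If this option is omitted the engine uses "full".`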
@@ -136,7 +144,15 @@ cuda: device_id: 0 # Select the multi pattern algorithm you want to run for scan/search the -# in the engine. The supported algorithms are b2g, b3g and wumanber. +# in the engine. The supported algorithms are b2g, b3g, wumanber, ac and +# ac-gfbs. +# +# The mpm you choose also decides the distribution of mpm contexts for +# signature groups, specified by the conf - "detect-engine.sgh_mpm_context". +# Selecting "ac" as the mpm would require "detect-engine.sgh_mpm_context" +# to be set to "single", because of ac's memory requirements, unless the +# ruleset is small enough to fit in one's memory, in which case one can +# use "full" with "ac". Rest of the mpms can be run in "full" mode. # # There is also a CUDA pattern matcher (only available if Suricata was # compiled with --enable-cuda: b2g_cuda. Make sure to update your
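Review bot: The added paragraph refers to the option as `detect-engine.sgh_mpm_context` (underscores, twice), but the loader compares against `sgh-mpm-context` exactly, so an operator who copies the underscore spelling has the key silently ignored and the engine falls back to "full", which is precisely the mode this text warns against for "ac". Both occurrences should read `detect-engine.sgh-mpm-context`. The opening sentence is also misleading as written: the mpm choice does not "decide" the distribution, the operator has to set it, so `# The mpm you choose also constrains which sgh-mpm-context setting is viable` states the actual relationship.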