aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Complete conversion of pattern id mpm storage vs sig id storage.

Browse Source
remotes/origin/master-1.0.x
Victor Julien 15 years ago
parent 46831e0f8f
commit e27cefa6f7
11 changed files with 64 additions and 342 deletions
Show Stats Download Patch File Download Diff File

4
src/detect-uricontent.c
Unescape Escape View File

@ -381,9 +381,7 @@ int DoDetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_
ret += UriPatternSearch(tv, det_ctx, uri, uri_len);
SCLogDebug("post search: cnt %" PRIu32 ", searchable %" PRIu32 "",
ret, det_ctx->pmq.searchable);
det_ctx->pmq.searchable = 0;
SCLogDebug("post search: cnt %" PRIu32, ret);
}
return ret;
}

30
src/detect.c
Unescape Escape View File

@ -198,8 +198,6 @@ void DetectExitPrintStats(ThreadVars *tv, void *data) {
SCLogInfo("(%s) URI (+byte) Uri's %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
tv->name, det_ctx->uris, det_ctx->pkts_uri_searched,
(float)(det_ctx->pkts_uri_searched/(float)(det_ctx->uris)*100));
SCLogInfo("%"PRIu64" sigs per mpm match on avg needed inspection, total mpm searches %"PRIu64", less than 25 sigs need inspect %"PRIu64", more than 100 sigs need inspect %"PRIu64", more than 1000 %"PRIu64" max %"PRIu64"", det_ctx->mpm_match ? det_ctx->mpm_sigs / det_ctx->mpm_match : 0, det_ctx->mpm_match, det_ctx->mpm_sigsmin25, det_ctx->mpm_sigsplus100, det_ctx->mpm_sigsplus1000, det_ctx->mpm_sigsmax);
}
int SghHasSig(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t sid) {
@ -578,21 +576,9 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
cnt = PacketPatternSearch(th_v, det_ctx, p);
if (cnt > 0) {
det_ctx->mpm_match++;
det_ctx->mpm_sigs += det_ctx->pmq.sig_id_array_cnt;
if (det_ctx->pmq.sig_id_array_cnt < 25) {
det_ctx->mpm_sigsmin25++;
} else if (det_ctx->pmq.sig_id_array_cnt > 1000) {
det_ctx->mpm_sigsplus1000++;
} else if (det_ctx->pmq.sig_id_array_cnt > 100) {
det_ctx->mpm_sigsplus100++;
}
if (det_ctx->pmq.sig_id_array_cnt > det_ctx->mpm_sigsmax)
det_ctx->mpm_sigsmax = det_ctx->pmq.sig_id_array_cnt;
}
SCLogDebug("post search: cnt %" PRIu32 ", searchable %" PRIu32 ", sigs %"PRIu32" (out of %"PRIu32")", cnt, det_ctx->pmq.searchable, det_ctx->pmq.sig_id_array_cnt, det_ctx->sgh->sig_cnt);
det_ctx->pmq.searchable = 0;
SCLogDebug("post search: cnt %" PRIu32, cnt);
}
}
@ -652,22 +638,12 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
* have no matches */
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_uripattern_id / 8)] & (1<<(s->mpm_uripattern_id % 8))) &&
(s->flags & SIG_FLAG_MPM_URI) && !(s->flags & SIG_FLAG_MPM_URI_NEG)) {
SCLogDebug("mpm sig without matches (pat id check in uri).");
SCLogDebug("mpm sig without matches (pat id %"PRIu32
" check in uri).", s->mpm_uripattern_id);
continue;
}
}
}
#if 0
} else {
/* filter out sigs that want pattern matches, but
* have no matches */
if (!(det_ctx->pmq.sig_bitarray[(sig / 8)] & (1<<(sig % 8))) &&
(s->flags & SIG_FLAG_MPM) && !(s->flags & SIG_FLAG_MPM_NEGCONTENT)) {
SCLogDebug("mpm sig without matches (sig id check).");
continue;
}
}
#endif
/* if the sig has alproto and the session as well they should match */
if (s->alproto != ALPROTO_UNKNOWN && alproto != ALPROTO_UNKNOWN) {

5
src/detect.h
Unescape Escape View File

@ -513,11 +513,6 @@ typedef struct DetectionEngineThreadCtx_ {
#endif
uint64_t mpm_match;
uint64_t mpm_sigs;
uint64_t mpm_sigsmin25;
uint64_t mpm_sigsplus100;
uint64_t mpm_sigsplus1000;
uint64_t mpm_sigsmax;
} DetectEngineThreadCtx;
/** \brief a single match condition for a signature */

72
src/util-mpm-b2g.c
Unescape Escape View File

@ -92,41 +92,6 @@ void MpmB2gRegister (void) {
mpm_table[MPM_B2G].RegisterUnittests = B2gRegisterTests;
}
/** \brief append an endmatch to a pattern
*
* \note Only used in the initialization phase
*/
static inline void B2gEndMatchAppend(MpmCtx *mpm_ctx, B2gPattern *p,
uint16_t offset, uint16_t depth, uint32_t pid, uint32_t sid)
{
SCLogDebug("pid %"PRIu32", sid %"PRIu32"", pid, sid);
MpmEndMatch *em = MpmAllocEndMatch(mpm_ctx);
if (em == NULL) {
printf("ERROR: B2gAllocEndMatch failed\n");
return;
}
SCLogDebug("em alloced at %p", em);
em->id = pid;
em->sig_id = sid;
em->depth = depth;
em->offset = offset;
if (p->em == NULL) {
p->em = em;
SCLogDebug("m %p m->sig_id %"PRIu32"", em, em->sig_id);
return;
}
MpmEndMatch *m = p->em;
while (m->next) {
m = m->next;
}
m->next = em;
}
#ifdef PRINTMATCH
static void prt (uint8_t *buf, uint16_t buflen) {
uint16_t i;
@ -287,10 +252,6 @@ static inline int B2gCmpPattern(B2gPattern *p, uint8_t *pat, uint16_t patlen, ch
*/
void B2gFreePattern(MpmCtx *mpm_ctx, B2gPattern *p) {
if (p && p->em) {
MpmEndMatchFreeAll(mpm_ctx, p->em);
}
if (p && p->cs && p->cs != p->ci) {
SCFree(p->cs);
mpm_ctx->memory_cnt--;
@ -338,6 +299,7 @@ static int B2gAddPattern(MpmCtx *mpm_ctx, uint8_t *pat, uint16_t patlen, uint16_
p->len = patlen;
p->flags = flags;
p->id = pid;
/* setup the case insensitive part of the pattern */
p->ci = SCMalloc(patlen);
@ -383,9 +345,6 @@ static int B2gAddPattern(MpmCtx *mpm_ctx, uint8_t *pat, uint16_t patlen, uint16_
if (mpm_ctx->maxlen < patlen) mpm_ctx->maxlen = patlen;
if (mpm_ctx->minlen == 0) mpm_ctx->minlen = patlen;
else if (mpm_ctx->minlen > patlen) mpm_ctx->minlen = patlen;
/* we need a match */
B2gEndMatchAppend(mpm_ctx, p, offset, depth, pid, sid);
}
mpm_ctx->total_pattern_cnt++;
@ -954,7 +913,7 @@ uint32_t B2gSearchBNDMq(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMa
#endif
COUNT(tctx->stat_loop_match++);
matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, j, p->len);
matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
} else {
COUNT(tctx->stat_loop_no_match++);
}
@ -968,7 +927,7 @@ uint32_t B2gSearchBNDMq(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMa
#endif
COUNT(tctx->stat_loop_match++);
matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, j, p->len);
matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
} else {
COUNT(tctx->stat_loop_no_match++);
}
@ -1063,7 +1022,7 @@ uint32_t B2gSearch(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatcher
if (memcmp_lowercase(p->ci, buf+pos, p->len) == 0) {
COUNT(tctx->stat_loop_match++);
matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, pos, p->len);
matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
} else {
COUNT(tctx->stat_loop_no_match++);
}
@ -1074,7 +1033,7 @@ uint32_t B2gSearch(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatcher
if (memcmp(p->cs, buf+pos, p->len) == 0) {
COUNT(tctx->stat_loop_match++);
matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, pos, p->len);
matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
} else {
COUNT(tctx->stat_loop_no_match++);
}
@ -1102,7 +1061,6 @@ uint32_t B2gSearch2(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatche
uint8_t *bufend = buf + buflen - 1;
uint32_t cnt = 0;
B2gPattern *p;
MpmEndMatch *em;
B2gHashItem *thi, *hi;
if (buflen < 2)
@ -1120,11 +1078,11 @@ uint32_t B2gSearch2(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatche
if (p->flags & MPM_PATTERN_FLAG_NOCASE) {
if (h8 == p->ci[0]) {
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
}
} else {
if (*buf == p->cs[0]) {
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
}
}
}
@ -1140,18 +1098,18 @@ uint32_t B2gSearch2(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatche
if (p->flags & MPM_PATTERN_FLAG_NOCASE) {
if (h8 == p->ci[0] && u8_tolower(*(buf+1)) == p->ci[1]) {
//printf("CI Exact match: "); prt(p->ci, p->len); printf(" in buf "); prt(buf, p->len);printf(" (B2gSearch1)\n");
for (em = p->em; em; em = em->next) {
if (MpmVerifyMatch(mpm_thread_ctx, pmq, em, (buf+1 - bufmin), p->len))
// for (em = p->em; em; em = em->next) {
if (MpmVerifyMatch(mpm_thread_ctx, pmq, p->id))
cnt++;
}
// }
}
} else {
if (*buf == p->cs[0] && *(buf+1) == p->cs[1]) {
//printf("CS Exact match: "); prt(p->cs, p->len); printf(" in buf "); prt(buf, p->len);printf(" (B2gSearch1)\n");
for (em = p->em; em; em = em->next) {
if (MpmVerifyMatch(mpm_thread_ctx, pmq, em, (buf+1 - bufmin), p->len))
// for (em = p->em; em; em = em->next) {
if (MpmVerifyMatch(mpm_thread_ctx, pmq, p->id))
cnt++;
}
// }
}
}
}
@ -1197,11 +1155,11 @@ uint32_t B2gSearch1(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatche
if (p->flags & MPM_PATTERN_FLAG_NOCASE) {
if (u8_tolower(*buf) == p->ci[0]) {
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
}
} else {
if (*buf == p->cs[0]) {
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
}
}
}

2
src/util-mpm-b2g.h
Unescape Escape View File

@ -58,7 +58,7 @@ typedef struct B2gPattern_ {
uint8_t *cs; /* case sensitive */
uint8_t *ci; /* case INsensitive */
struct B2gPattern_ *next;
MpmEndMatch *em;
uint32_t id;
} B2gPattern;
typedef struct B2gHashItem_ {

71
src/util-mpm-b3g.c
Unescape Escape View File

@ -85,35 +85,6 @@ void MpmB3gRegister (void) {
mpm_table[MPM_B3G].RegisterUnittests = B3gRegisterTests;
}
/* append an endmatch to a pattern
*
* Only used in the initialization phase */
static inline void B3gEndMatchAppend(MpmCtx *mpm_ctx, B3gPattern *p,
uint16_t offset, uint16_t depth, uint32_t pid, uint32_t sid)
{
MpmEndMatch *em = MpmAllocEndMatch(mpm_ctx);
if (em == NULL) {
printf("ERROR: B3gAllocEndMatch failed\n");
return;
}
em->id = pid;
em->sig_id = sid;
em->depth = depth;
em->offset = offset;
if (p->em == NULL) {
p->em = em;
return;
}
MpmEndMatch *m = p->em;
while (m->next) {
m = m->next;
}
m->next = em;
}
/** \todo XXX Unused??? */
#if 0
static void prt (uint8_t *buf, uint16_t buflen) {
@ -275,10 +246,6 @@ static inline int B3gCmpPattern(B3gPattern *p, uint8_t *pat, uint16_t patlen, ch
*/
void B3gFreePattern(MpmCtx *mpm_ctx, B3gPattern *p) {
if (p && p->em) {
MpmEndMatchFreeAll(mpm_ctx, p->em);
}
if (p && p->cs && p->cs != p->ci) {
SCFree(p->cs);
mpm_ctx->memory_cnt--;
@ -320,8 +287,8 @@ static int B3gAddPattern(MpmCtx *mpm_ctx, uint8_t *pat, uint16_t patlen, uint16_
goto error;
p->len = patlen;
p->flags = flags;
p->id = pid;
/* setup the case insensitive part of the pattern */
p->ci = SCMalloc(patlen);
@ -369,9 +336,6 @@ static int B3gAddPattern(MpmCtx *mpm_ctx, uint8_t *pat, uint16_t patlen, uint16_
else if (mpm_ctx->minlen > patlen) mpm_ctx->minlen = patlen;
}
/* we need a match */
B3gEndMatchAppend(mpm_ctx, p, offset, depth, pid, sid);
mpm_ctx->total_pattern_cnt++;
return 0;
@ -924,7 +888,7 @@ uint32_t B3gSearchBNDMq(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMa
if (memcmp_lowercase(p->ci, buf+j, p->len) == 0) {
COUNT(tctx->stat_loop_match++);
matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, j, p->len);
matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
} else {
COUNT(tctx->stat_loop_no_match++);
}
@ -935,7 +899,7 @@ uint32_t B3gSearchBNDMq(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMa
if (memcmp(p->cs, buf+j, p->len) == 0) {
COUNT(tctx->stat_loop_match++);
matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, j, p->len);
matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
} else {
COUNT(tctx->stat_loop_no_match++);
}
@ -1024,7 +988,7 @@ uint32_t B3gSearch(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatcher
if (memcmp_lowercase(p->ci, buf+pos, p->len) == 0) {
COUNT(tctx->stat_loop_match++);
matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, pos, p->len);
matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
} else {
COUNT(tctx->stat_loop_no_match++);
}
@ -1035,7 +999,7 @@ uint32_t B3gSearch(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatcher
if (memcmp(p->cs, buf+pos, p->len) == 0) {
COUNT(tctx->stat_loop_match++);
matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, pos, p->len);
matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
} else {
COUNT(tctx->stat_loop_no_match++);
}
@ -1076,11 +1040,11 @@ uint32_t B3gSearch12(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatch
if (p->flags & MPM_PATTERN_FLAG_NOCASE) {
if (h8 == p->ci[0]) {
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
}
} else {
if (*buf == p->cs[0]) {
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
}
}
}
@ -1096,11 +1060,11 @@ uint32_t B3gSearch12(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatch
if (p->flags & MPM_PATTERN_FLAG_NOCASE) {
if (h8 == p->ci[0] && u8_tolower(*(buf+1)) == p->ci[1]) {
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
}
} else {
if (*buf == p->cs[0] && *(buf+1) == p->cs[1]) {
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
}
}
}
@ -1124,7 +1088,6 @@ uint32_t B3gSearch2(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatche
uint8_t *bufend = buf + buflen - 1;
uint32_t cnt = 0;
B3gPattern *p;
MpmEndMatch *em;
B3gHashItem *thi, *hi;
if (buflen < 2)
@ -1146,18 +1109,14 @@ uint32_t B3gSearch2(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatche
if (p->flags & MPM_PATTERN_FLAG_NOCASE) {
if (u8_tolower(*buf) == p->ci[0] && u8_tolower(*(buf+1)) == p->ci[1]) {
//printf("CI Exact match: "); prt(p->ci, p->len); printf(" in buf "); prt(buf, p->len);printf(" (B3gSearch1)\n");
for (em = p->em; em; em = em->next) {
if (MpmVerifyMatch(mpm_thread_ctx, pmq, em, (buf+1 - bufmin), p->len))
cnt++;
}
if (MpmVerifyMatch(mpm_thread_ctx, pmq, p->id))
cnt++;
}
} else {
if (*buf == p->cs[0] && *(buf+1) == p->cs[1]) {
//printf("CS Exact match: "); prt(p->cs, p->len); printf(" in buf "); prt(buf, p->len);printf(" (B3gSearch1)\n");
for (em = p->em; em; em = em->next) {
if (MpmVerifyMatch(mpm_thread_ctx, pmq, em, (buf+1 - bufmin), p->len))
cnt++;
}
if (MpmVerifyMatch(mpm_thread_ctx, pmq, p->id))
cnt++;
}
}
}
@ -1200,11 +1159,11 @@ uint32_t B3gSearch1(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatche
if (p->flags & MPM_PATTERN_FLAG_NOCASE) {
if (u8_tolower(*buf) == p->ci[0]) {
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
}
} else {
if (*buf == p->cs[0]) {
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
}
}
}

2
src/util-mpm-b3g.h
Unescape Escape View File

@ -54,7 +54,7 @@ typedef struct B3gPattern_ {
uint16_t len;
struct B3gPattern_ *next;
uint8_t flags;
MpmEndMatch *em;
uint32_t id;
} B3gPattern;
typedef struct B3gHashItem_ {

66
src/util-mpm-wumanber.c
Unescape Escape View File

@ -115,35 +115,6 @@ void MpmWuManberRegister (void) {
}
}
/* append an endmatch to a pattern
*
* Only used in the initialization phase */
static inline void WmEndMatchAppend(MpmCtx *mpm_ctx, WmPattern *p,
uint16_t offset, uint16_t depth, uint32_t pid, uint32_t sid)
{
MpmEndMatch *em = MpmAllocEndMatch(mpm_ctx);
if (em == NULL) {
printf("ERROR: WmAllocEndMatch failed\n");
return;
}
em->id = pid;
em->sig_id = sid;
em->depth = depth;
em->offset = offset;
if (p->em == NULL) {
p->em = em;
return;
}
MpmEndMatch *m = p->em;
while (m->next) {
m = m->next;
}
m->next = em;
}
void prt (uint8_t *buf, uint16_t buflen) {
uint16_t i;
@ -319,10 +290,6 @@ static inline int WmCmpPattern(WmPattern *p, uint8_t *pat, uint16_t patlen, char
*/
void WmFreePattern(MpmCtx *mpm_ctx, WmPattern *p) {
if (p && p->em) {
MpmEndMatchFreeAll(mpm_ctx, p->em);
}
if (p && p->cs && p->cs != p->ci) {
SCFree(p->cs);
mpm_ctx->memory_cnt--;
@ -369,6 +336,7 @@ static int WmAddPattern(MpmCtx *mpm_ctx, uint8_t *pat, uint16_t patlen, uint16_t
p->len = patlen;
p->flags = flags;
p->id = pid;
/* setup the case insensitive part of the pattern */
p->ci = SCMalloc(patlen);
@ -421,9 +389,6 @@ static int WmAddPattern(MpmCtx *mpm_ctx, uint8_t *pat, uint16_t patlen, uint16_t
else if (mpm_ctx->minlen > patlen) mpm_ctx->minlen = patlen;
}
/* we need a match */
WmEndMatchAppend(mpm_ctx, p, offset, depth, pid, sid);
mpm_ctx->total_pattern_cnt++;
return 0;
@ -783,7 +748,6 @@ uint32_t WmSearch2Hash9(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMa
WmThreadCtx *tctx = (WmThreadCtx *)mpm_thread_ctx->ctx;
#endif /* WUMANBER_COUNTERS */
uint32_t cnt = 0;
uint8_t *bufmin = buf;
uint8_t *bufend = buf + buflen - 1;
uint16_t sl = ctx->shiftlen;
uint16_t h;
@ -845,7 +809,7 @@ uint32_t WmSearch2Hash9(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMa
//printf("CI Exact match: "); prt(p->ci, p->len); printf("\n");
COUNT(tctx->stat_loop_match++);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
} else {
COUNT(tctx->stat_loop_no_match++);
@ -857,7 +821,7 @@ uint32_t WmSearch2Hash9(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMa
//printf("CS Exact match: "); prt(p->cs, p->len); printf("\n");
COUNT(tctx->stat_loop_match++);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
} else {
COUNT(tctx->stat_loop_no_match++);
@ -884,7 +848,6 @@ uint32_t WmSearch2Hash12(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM
WmThreadCtx *tctx = (WmThreadCtx *)mpm_thread_ctx->ctx;
#endif /* WUMANBER_COUNTERS */
uint32_t cnt = 0;
uint8_t *bufmin = buf;
uint8_t *bufend = buf + buflen - 1;
uint16_t sl = ctx->shiftlen;
uint16_t h;
@ -948,7 +911,7 @@ uint32_t WmSearch2Hash12(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM
//printf("CI Exact match: "); prt(p->ci, p->len); printf("\n");
COUNT(tctx->stat_loop_match++);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
} else {
COUNT(tctx->stat_loop_no_match++);
@ -960,7 +923,7 @@ uint32_t WmSearch2Hash12(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM
//printf("CS Exact match: "); prt(p->cs, p->len); printf("\n");
COUNT(tctx->stat_loop_match++);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
} else {
COUNT(tctx->stat_loop_no_match++);
@ -986,7 +949,6 @@ uint32_t WmSearch2Hash14(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM
WmThreadCtx *tctx = (WmThreadCtx *)mpm_thread_ctx->ctx;
#endif /* WUMANBER_COUNTERS */
uint32_t cnt = 0;
uint8_t *bufmin = buf;
uint8_t *bufend = buf + buflen - 1;
uint16_t sl = ctx->shiftlen;
uint16_t h;
@ -1049,7 +1011,7 @@ uint32_t WmSearch2Hash14(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM
if (memcmp_lowercase(p->ci, buf-sl+1, p->len) == 0) {
COUNT(tctx->stat_loop_match++);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
} else {
COUNT(tctx->stat_loop_no_match++);
}
@ -1059,7 +1021,7 @@ uint32_t WmSearch2Hash14(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM
if (memcmp(p->cs, buf-sl+1, p->len) == 0) {
COUNT(tctx->stat_loop_match++);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
} else {
COUNT(tctx->stat_loop_no_match++);
}
@ -1084,7 +1046,6 @@ uint32_t WmSearch2Hash15(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM
WmThreadCtx *tctx = (WmThreadCtx *)mpm_thread_ctx->ctx;
#endif /* WUMANBER_COUNTERS */
uint32_t cnt = 0;
uint8_t *bufmin = buf;
uint8_t *bufend = buf + buflen - 1;
uint16_t sl = ctx->shiftlen;
uint16_t h;
@ -1148,7 +1109,7 @@ uint32_t WmSearch2Hash15(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM
//printf("CI Exact match: "); prt(p->ci, p->len); printf("\n");
COUNT(tctx->stat_loop_match++);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
} else {
COUNT(tctx->stat_loop_no_match++);
}
@ -1159,7 +1120,7 @@ uint32_t WmSearch2Hash15(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM
//printf("CS Exact match: "); prt(p->cs, p->len); printf("\n");
COUNT(tctx->stat_loop_match++);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
} else {
COUNT(tctx->stat_loop_no_match++);
}
@ -1184,7 +1145,6 @@ uint32_t WmSearch2Hash16(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM
WmThreadCtx *tctx = (WmThreadCtx *)mpm_thread_ctx->ctx;
#endif /* WUMANBER_COUNTERS */
uint32_t cnt = 0;
uint8_t *bufmin = buf;
uint8_t *bufend = buf + buflen - 1;
uint16_t sl = ctx->shiftlen;
uint16_t h;
@ -1247,7 +1207,7 @@ uint32_t WmSearch2Hash16(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM
if (memcmp_lowercase(p->ci, buf-sl+1, p->len) == 0) {
COUNT(tctx->stat_loop_match++);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
} else {
COUNT(tctx->stat_loop_no_match++);
}
@ -1257,7 +1217,7 @@ uint32_t WmSearch2Hash16(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM
if (memcmp(p->cs, buf-sl+1, p->len) == 0) {
COUNT(tctx->stat_loop_match++);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
} else {
COUNT(tctx->stat_loop_no_match++);
}
@ -1303,11 +1263,11 @@ uint32_t WmSearch1(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatcher
if (p->flags & MPM_PATTERN_FLAG_NOCASE) {
if (wm_tolower(*buf) == p->ci[0]) {
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
}
} else {
if (*buf == p->cs[0]) {
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len);
cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id);
}
}
}

2
src/util-mpm-wumanber.h
Unescape Escape View File

@ -37,7 +37,7 @@ typedef struct WmPattern_ {
uint16_t prefix_ci;
uint16_t prefix_cs;
uint8_t flags;
MpmEndMatch *em;
uint32_t id; /* global pattern id */
} WmPattern;
typedef struct WmHashItem_ {

127
src/util-mpm.c
Unescape Escape View File

@ -54,27 +54,6 @@ int PmqSetup(PatternMatcherQueue *pmq, uint32_t sig_maxid, uint32_t patmaxid) {
memset(pmq, 0, sizeof(PatternMatcherQueue));
if (sig_maxid > 0) {
pmq->sig_id_array = SCMalloc(sig_maxid * sizeof(uint32_t));
if (pmq->sig_id_array == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "memory alloc failed");
SCReturnInt(-1);
}
memset(pmq->sig_id_array, 0, sig_maxid * sizeof(uint32_t));
pmq->sig_id_array_cnt = 0;
/* lookup bitarray */
pmq->sig_bitarray = SCMalloc((sig_maxid / 8) + 1);
if (pmq->sig_bitarray == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "memory alloc failed");
SCReturnInt(-1);
}
memset(pmq->sig_bitarray, 0, (sig_maxid / 8) + 1);
SCLogDebug("pmq->sig_id_array %p, pmq->sig_bitarray %p",
pmq->sig_id_array, pmq->sig_bitarray);
}
if (patmaxid > 0) {
pmq->pattern_id_array = SCMalloc(patmaxid * sizeof(uint32_t));
if (pmq->pattern_id_array == NULL) {
@ -113,68 +92,24 @@ int PmqSetup(PatternMatcherQueue *pmq, uint32_t sig_maxid, uint32_t patmaxid) {
* \retval 1 (new) match
*/
int
MpmVerifyMatch(MpmThreadCtx *thread_ctx, PatternMatcherQueue *pmq, MpmEndMatch *list, uint16_t offset, uint16_t patlen)
MpmVerifyMatch(MpmThreadCtx *thread_ctx, PatternMatcherQueue *pmq, uint32_t patid)
{
SCEnter();
MpmEndMatch *em = list;
int ret = 0;
/* Handle pattern id storage */
if (pmq != NULL && pmq->pattern_id_bitarray != NULL) {
SCLogDebug("using pattern id arrays");
SCLogDebug("using pattern id arrays, storing %"PRIu32, patid);
if (!(pmq->pattern_id_bitarray[(em->id / 8)] & (1<<(em->id % 8)))) {
if (!(pmq->pattern_id_bitarray[(patid / 8)] & (1<<(patid % 8)))) {
/* flag this pattern id as being added now */
pmq->pattern_id_bitarray[(em->id / 8)] |= (1<<(em->id % 8));
pmq->pattern_id_bitarray[(patid / 8)] |= (1<<(patid % 8));
/* append the pattern_id to the array with matches */
pmq->pattern_id_array[pmq->pattern_id_array_cnt] = em->id;
pmq->pattern_id_array[pmq->pattern_id_array_cnt] = patid;
pmq->pattern_id_array_cnt++;
}
ret = 1;
} else {
SCLogDebug("not using pattern id arrays, pmq %p, pmq->pattern_id_bitarray %p", pmq, pmq ? pmq->pattern_id_bitarray:NULL);
}
if (pmq != NULL && pmq->sig_bitarray != NULL) {
for ( ; em != NULL; em = em->next) {
SCLogDebug("em->sig_id %u", em->sig_id);
/* check offset */
if (offset < em->offset)
continue;
/* check depth */
if (em->depth && (offset+patlen) > em->depth)
continue;
if (pmq != NULL) {
/* make sure we only append a sig with a matching pattern once,
* so we won't inspect it more than once. For this we keep a
* bitarray of sig internal id's and flag each sig that matched */
if (!(pmq->sig_bitarray[(em->sig_id / 8)] & (1<<(em->sig_id % 8)))) {
/* flag this sig_id as being added now */
pmq->sig_bitarray[(em->sig_id / 8)] |= (1<<(em->sig_id % 8));
/* append the sig_id to the array with matches */
pmq->sig_id_array[pmq->sig_id_array_cnt] = em->sig_id;
pmq->sig_id_array_cnt++;
}
/* nosearch flag */
if (!(em->flags & MPM_ENDMATCH_NOSEARCH)) {
pmq->searchable++;
}
}
ret++;
}
}
if (pmq == NULL)
ret = 1;
SCReturnInt(ret);
SCReturnInt(1);
}
/** \brief Reset a Pmq for reusage. Meant to be called after a single search.
@ -182,11 +117,6 @@ MpmVerifyMatch(MpmThreadCtx *thread_ctx, PatternMatcherQueue *pmq, MpmEndMatch *
*/
void PmqReset(PatternMatcherQueue *pmq) {
uint32_t u;
for (u = 0; u < pmq->sig_id_array_cnt; u++) {
pmq->sig_bitarray[(pmq->sig_id_array[u] / 8)] &= ~(1<<(pmq->sig_id_array[u] % 8));
}
pmq->sig_id_array_cnt = 0;
for (u = 0; u < pmq->pattern_id_array_cnt; u++) {
pmq->pattern_id_bitarray[(pmq->pattern_id_array[u] / 8)] &= ~(1<<(pmq->pattern_id_array[u] % 8));
}
@ -200,17 +130,17 @@ void PmqCleanup(PatternMatcherQueue *pmq) {
if (pmq == NULL)
return;
if (pmq->sig_id_array != NULL) {
SCFree(pmq->sig_id_array);
pmq->sig_id_array = NULL;
if (pmq->pattern_id_array != NULL) {
SCFree(pmq->pattern_id_array);
pmq->pattern_id_array = NULL;
}
if (pmq->sig_bitarray != NULL) {
SCFree(pmq->sig_bitarray);
pmq->sig_bitarray = NULL;
if (pmq->pattern_id_bitarray != NULL) {
SCFree(pmq->pattern_id_bitarray);
pmq->pattern_id_bitarray = NULL;
}
pmq->sig_id_array_cnt = 0;
pmq->pattern_id_array_cnt = 0;
}
/** \brief Cleanup and free a Pmq
@ -224,23 +154,6 @@ void PmqFree(PatternMatcherQueue *pmq) {
SCFree(pmq);
}
/* allocate an endmatch
*
* Only used in the initialization phase */
MpmEndMatch *MpmAllocEndMatch (MpmCtx *ctx)
{
MpmEndMatch *e = SCMalloc(sizeof(MpmEndMatch));
if (e == NULL)
return NULL;
memset(e, 0, sizeof(MpmEndMatch));
ctx->memory_cnt++;
ctx->memory_size += sizeof(MpmEndMatch);
ctx->endmatches++;
return e;
}
/**
* \brief Return the pattern max length of a registered matcher
* \retval 0 if it has no limit
@ -254,20 +167,6 @@ int32_t MpmMatcherGetMaxPatternLength(uint16_t matcher) {
return -1;
}
void MpmEndMatchFree(MpmCtx *ctx, MpmEndMatch *em) {
ctx->memory_cnt--;
ctx->memory_size -= sizeof(MpmEndMatch);
SCFree(em);
}
void MpmEndMatchFreeAll(MpmCtx *mpm_ctx, MpmEndMatch *em) {
while(em) {
MpmEndMatch *tem = em->next;
MpmEndMatchFree(mpm_ctx, em);
em = tem;
}
}
void MpmInitThreadCtx(MpmThreadCtx *mpm_thread_ctx, uint16_t matcher, uint32_t max_id) {
mpm_table[matcher].InitThreadCtx(NULL, mpm_thread_ctx, max_id);
}

25
src/util-mpm.h
Unescape Escape View File

@ -64,16 +64,6 @@ enum {
MPM_TABLE_SIZE,
};
/* Data structures */
typedef struct MpmEndMatch_ {
uint32_t id; /**< pattern id storage */
uint16_t depth;
uint16_t offset;
struct MpmEndMatch_ *next;
SigIntId sig_id; /**< sig callback stuff -- internal id */
uint8_t flags;
} MpmEndMatch;
typedef struct MpmMatchBucket_ {
uint32_t len;
} MpmMatchBucket;
@ -89,14 +79,6 @@ typedef struct MpmThreadCtx_ {
* thread has this and passes a pointer to it to the pattern matcher.
* The actual pattern matcher will fill the structure. */
typedef struct PatternMatcherQueue_ {
uint32_t *sig_id_array; /** array with internal sig id's that had a
pattern match. These will be inspected
futher by the detection engine. */
uint32_t sig_id_array_cnt;
uint8_t *sig_bitarray;
uint32_t searchable; /** counter of the number of matches that
require a search-followup */
uint32_t *pattern_id_array; /** array with internal sig id's that had a
pattern match. These will be inspected
futher by the detection engine. */
@ -111,8 +93,6 @@ typedef struct MpmCtx_ {
uint32_t memory_cnt;
uint32_t memory_size;
uint32_t endmatches;
uint32_t pattern_cnt; /* unique patterns */
uint32_t total_pattern_cnt; /* total patterns added */
@ -166,16 +146,13 @@ void PmqReset(PatternMatcherQueue *);
void PmqCleanup(PatternMatcherQueue *);
void PmqFree(PatternMatcherQueue *);
MpmEndMatch *MpmAllocEndMatch (MpmCtx *);
void MpmEndMatchFreeAll(MpmCtx *mpm_ctx, MpmEndMatch *em);
void MpmTableSetup(void);
void MpmRegisterTests(void);
/** Return the max pattern length of a Matcher type given as arg */
int32_t MpmMatcherGetMaxPatternLength(uint16_t);
int MpmVerifyMatch(MpmThreadCtx *, PatternMatcherQueue *, MpmEndMatch *, uint16_t, uint16_t);
int MpmVerifyMatch(MpmThreadCtx *, PatternMatcherQueue *, uint32_t);
void MpmInitCtx (MpmCtx *mpm_ctx, uint16_t matcher, int module_handle);
void MpmInitThreadCtx(MpmThreadCtx *mpm_thread_ctx, uint16_t, uint32_t);
uint32_t MpmGetHashSize(const char *);

Write Preview
Loading…
Cancel
Save