diff --git a/src/detect-uricontent.c b/src/detect-uricontent.c index d53b70525d..baf767b085 100644 --- a/src/detect-uricontent.c +++ b/src/detect-uricontent.c @@ -381,9 +381,7 @@ int DoDetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_ ret += UriPatternSearch(tv, det_ctx, uri, uri_len); - SCLogDebug("post search: cnt %" PRIu32 ", searchable %" PRIu32 "", - ret, det_ctx->pmq.searchable); - det_ctx->pmq.searchable = 0; + SCLogDebug("post search: cnt %" PRIu32, ret); } return ret; } diff --git a/src/detect.c b/src/detect.c index cd5256a72e..1f21b04229 100644 --- a/src/detect.c +++ b/src/detect.c @@ -198,8 +198,6 @@ void DetectExitPrintStats(ThreadVars *tv, void *data) { SCLogInfo("(%s) URI (+byte) Uri's %" PRIu32 ", Searched %" PRIu32 " (%02.1f).", tv->name, det_ctx->uris, det_ctx->pkts_uri_searched, (float)(det_ctx->pkts_uri_searched/(float)(det_ctx->uris)*100)); - - SCLogInfo("%"PRIu64" sigs per mpm match on avg needed inspection, total mpm searches %"PRIu64", less than 25 sigs need inspect %"PRIu64", more than 100 sigs need inspect %"PRIu64", more than 1000 %"PRIu64" max %"PRIu64"", det_ctx->mpm_match ? det_ctx->mpm_sigs / det_ctx->mpm_match : 0, det_ctx->mpm_match, det_ctx->mpm_sigsmin25, det_ctx->mpm_sigsplus100, det_ctx->mpm_sigsplus1000, det_ctx->mpm_sigsmax); } int SghHasSig(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t sid) { @@ -578,21 +576,9 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh cnt = PacketPatternSearch(th_v, det_ctx, p); if (cnt > 0) { det_ctx->mpm_match++; - det_ctx->mpm_sigs += det_ctx->pmq.sig_id_array_cnt; - if (det_ctx->pmq.sig_id_array_cnt < 25) { - det_ctx->mpm_sigsmin25++; - } else if (det_ctx->pmq.sig_id_array_cnt > 1000) { - det_ctx->mpm_sigsplus1000++; - } else if (det_ctx->pmq.sig_id_array_cnt > 100) { - det_ctx->mpm_sigsplus100++; - } - - if (det_ctx->pmq.sig_id_array_cnt > det_ctx->mpm_sigsmax) - det_ctx->mpm_sigsmax = det_ctx->pmq.sig_id_array_cnt; } - SCLogDebug("post search: cnt %" PRIu32 ", searchable %" PRIu32 ", sigs %"PRIu32" (out of %"PRIu32")", cnt, det_ctx->pmq.searchable, det_ctx->pmq.sig_id_array_cnt, det_ctx->sgh->sig_cnt); - det_ctx->pmq.searchable = 0; + SCLogDebug("post search: cnt %" PRIu32, cnt); } } @@ -652,22 +638,12 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh * have no matches */ if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_uripattern_id / 8)] & (1<<(s->mpm_uripattern_id % 8))) && (s->flags & SIG_FLAG_MPM_URI) && !(s->flags & SIG_FLAG_MPM_URI_NEG)) { - SCLogDebug("mpm sig without matches (pat id check in uri)."); + SCLogDebug("mpm sig without matches (pat id %"PRIu32 + " check in uri).", s->mpm_uripattern_id); continue; } } } -#if 0 - } else { - /* filter out sigs that want pattern matches, but - * have no matches */ - if (!(det_ctx->pmq.sig_bitarray[(sig / 8)] & (1<<(sig % 8))) && - (s->flags & SIG_FLAG_MPM) && !(s->flags & SIG_FLAG_MPM_NEGCONTENT)) { - SCLogDebug("mpm sig without matches (sig id check)."); - continue; - } - } -#endif /* if the sig has alproto and the session as well they should match */ if (s->alproto != ALPROTO_UNKNOWN && alproto != ALPROTO_UNKNOWN) { diff --git a/src/detect.h b/src/detect.h index d41489b725..4d300aa467 100644 --- a/src/detect.h +++ b/src/detect.h @@ -513,11 +513,6 @@ typedef struct DetectionEngineThreadCtx_ { #endif uint64_t mpm_match; - uint64_t mpm_sigs; - uint64_t mpm_sigsmin25; - uint64_t mpm_sigsplus100; - uint64_t mpm_sigsplus1000; - uint64_t mpm_sigsmax; } DetectEngineThreadCtx; /** \brief a single match condition for a signature */ diff --git a/src/util-mpm-b2g.c b/src/util-mpm-b2g.c index a665d46f57..613e31f8a6 100644 --- a/src/util-mpm-b2g.c +++ b/src/util-mpm-b2g.c @@ -92,41 +92,6 @@ void MpmB2gRegister (void) { mpm_table[MPM_B2G].RegisterUnittests = B2gRegisterTests; } -/** \brief append an endmatch to a pattern - * - * \note Only used in the initialization phase - */ -static inline void B2gEndMatchAppend(MpmCtx *mpm_ctx, B2gPattern *p, - uint16_t offset, uint16_t depth, uint32_t pid, uint32_t sid) -{ - SCLogDebug("pid %"PRIu32", sid %"PRIu32"", pid, sid); - - MpmEndMatch *em = MpmAllocEndMatch(mpm_ctx); - if (em == NULL) { - printf("ERROR: B2gAllocEndMatch failed\n"); - return; - } - - SCLogDebug("em alloced at %p", em); - - em->id = pid; - em->sig_id = sid; - em->depth = depth; - em->offset = offset; - - if (p->em == NULL) { - p->em = em; - SCLogDebug("m %p m->sig_id %"PRIu32"", em, em->sig_id); - return; - } - - MpmEndMatch *m = p->em; - while (m->next) { - m = m->next; - } - m->next = em; -} - #ifdef PRINTMATCH static void prt (uint8_t *buf, uint16_t buflen) { uint16_t i; @@ -287,10 +252,6 @@ static inline int B2gCmpPattern(B2gPattern *p, uint8_t *pat, uint16_t patlen, ch */ void B2gFreePattern(MpmCtx *mpm_ctx, B2gPattern *p) { - if (p && p->em) { - MpmEndMatchFreeAll(mpm_ctx, p->em); - } - if (p && p->cs && p->cs != p->ci) { SCFree(p->cs); mpm_ctx->memory_cnt--; @@ -338,6 +299,7 @@ static int B2gAddPattern(MpmCtx *mpm_ctx, uint8_t *pat, uint16_t patlen, uint16_ p->len = patlen; p->flags = flags; + p->id = pid; /* setup the case insensitive part of the pattern */ p->ci = SCMalloc(patlen); @@ -383,9 +345,6 @@ static int B2gAddPattern(MpmCtx *mpm_ctx, uint8_t *pat, uint16_t patlen, uint16_ if (mpm_ctx->maxlen < patlen) mpm_ctx->maxlen = patlen; if (mpm_ctx->minlen == 0) mpm_ctx->minlen = patlen; else if (mpm_ctx->minlen > patlen) mpm_ctx->minlen = patlen; - - /* we need a match */ - B2gEndMatchAppend(mpm_ctx, p, offset, depth, pid, sid); } mpm_ctx->total_pattern_cnt++; @@ -954,7 +913,7 @@ uint32_t B2gSearchBNDMq(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMa #endif COUNT(tctx->stat_loop_match++); - matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, j, p->len); + matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } else { COUNT(tctx->stat_loop_no_match++); } @@ -968,7 +927,7 @@ uint32_t B2gSearchBNDMq(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMa #endif COUNT(tctx->stat_loop_match++); - matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, j, p->len); + matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } else { COUNT(tctx->stat_loop_no_match++); } @@ -1063,7 +1022,7 @@ uint32_t B2gSearch(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatcher if (memcmp_lowercase(p->ci, buf+pos, p->len) == 0) { COUNT(tctx->stat_loop_match++); - matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, pos, p->len); + matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } else { COUNT(tctx->stat_loop_no_match++); } @@ -1074,7 +1033,7 @@ uint32_t B2gSearch(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatcher if (memcmp(p->cs, buf+pos, p->len) == 0) { COUNT(tctx->stat_loop_match++); - matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, pos, p->len); + matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } else { COUNT(tctx->stat_loop_no_match++); } @@ -1102,7 +1061,6 @@ uint32_t B2gSearch2(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatche uint8_t *bufend = buf + buflen - 1; uint32_t cnt = 0; B2gPattern *p; - MpmEndMatch *em; B2gHashItem *thi, *hi; if (buflen < 2) @@ -1120,11 +1078,11 @@ uint32_t B2gSearch2(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatche if (p->flags & MPM_PATTERN_FLAG_NOCASE) { if (h8 == p->ci[0]) { - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } } else { if (*buf == p->cs[0]) { - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } } } @@ -1140,18 +1098,18 @@ uint32_t B2gSearch2(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatche if (p->flags & MPM_PATTERN_FLAG_NOCASE) { if (h8 == p->ci[0] && u8_tolower(*(buf+1)) == p->ci[1]) { //printf("CI Exact match: "); prt(p->ci, p->len); printf(" in buf "); prt(buf, p->len);printf(" (B2gSearch1)\n"); - for (em = p->em; em; em = em->next) { - if (MpmVerifyMatch(mpm_thread_ctx, pmq, em, (buf+1 - bufmin), p->len)) +// for (em = p->em; em; em = em->next) { + if (MpmVerifyMatch(mpm_thread_ctx, pmq, p->id)) cnt++; - } +// } } } else { if (*buf == p->cs[0] && *(buf+1) == p->cs[1]) { //printf("CS Exact match: "); prt(p->cs, p->len); printf(" in buf "); prt(buf, p->len);printf(" (B2gSearch1)\n"); - for (em = p->em; em; em = em->next) { - if (MpmVerifyMatch(mpm_thread_ctx, pmq, em, (buf+1 - bufmin), p->len)) +// for (em = p->em; em; em = em->next) { + if (MpmVerifyMatch(mpm_thread_ctx, pmq, p->id)) cnt++; - } +// } } } } @@ -1197,11 +1155,11 @@ uint32_t B2gSearch1(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatche if (p->flags & MPM_PATTERN_FLAG_NOCASE) { if (u8_tolower(*buf) == p->ci[0]) { - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } } else { if (*buf == p->cs[0]) { - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } } } diff --git a/src/util-mpm-b2g.h b/src/util-mpm-b2g.h index 8096b8b6b7..2696da877d 100644 --- a/src/util-mpm-b2g.h +++ b/src/util-mpm-b2g.h @@ -58,7 +58,7 @@ typedef struct B2gPattern_ { uint8_t *cs; /* case sensitive */ uint8_t *ci; /* case INsensitive */ struct B2gPattern_ *next; - MpmEndMatch *em; + uint32_t id; } B2gPattern; typedef struct B2gHashItem_ { diff --git a/src/util-mpm-b3g.c b/src/util-mpm-b3g.c index cf8535e874..32a898c211 100644 --- a/src/util-mpm-b3g.c +++ b/src/util-mpm-b3g.c @@ -85,35 +85,6 @@ void MpmB3gRegister (void) { mpm_table[MPM_B3G].RegisterUnittests = B3gRegisterTests; } -/* append an endmatch to a pattern - * - * Only used in the initialization phase */ -static inline void B3gEndMatchAppend(MpmCtx *mpm_ctx, B3gPattern *p, - uint16_t offset, uint16_t depth, uint32_t pid, uint32_t sid) -{ - MpmEndMatch *em = MpmAllocEndMatch(mpm_ctx); - if (em == NULL) { - printf("ERROR: B3gAllocEndMatch failed\n"); - return; - } - - em->id = pid; - em->sig_id = sid; - em->depth = depth; - em->offset = offset; - - if (p->em == NULL) { - p->em = em; - return; - } - - MpmEndMatch *m = p->em; - while (m->next) { - m = m->next; - } - m->next = em; -} - /** \todo XXX Unused??? */ #if 0 static void prt (uint8_t *buf, uint16_t buflen) { @@ -275,10 +246,6 @@ static inline int B3gCmpPattern(B3gPattern *p, uint8_t *pat, uint16_t patlen, ch */ void B3gFreePattern(MpmCtx *mpm_ctx, B3gPattern *p) { - if (p && p->em) { - MpmEndMatchFreeAll(mpm_ctx, p->em); - } - if (p && p->cs && p->cs != p->ci) { SCFree(p->cs); mpm_ctx->memory_cnt--; @@ -320,8 +287,8 @@ static int B3gAddPattern(MpmCtx *mpm_ctx, uint8_t *pat, uint16_t patlen, uint16_ goto error; p->len = patlen; - p->flags = flags; + p->id = pid; /* setup the case insensitive part of the pattern */ p->ci = SCMalloc(patlen); @@ -369,9 +336,6 @@ static int B3gAddPattern(MpmCtx *mpm_ctx, uint8_t *pat, uint16_t patlen, uint16_ else if (mpm_ctx->minlen > patlen) mpm_ctx->minlen = patlen; } - /* we need a match */ - B3gEndMatchAppend(mpm_ctx, p, offset, depth, pid, sid); - mpm_ctx->total_pattern_cnt++; return 0; @@ -924,7 +888,7 @@ uint32_t B3gSearchBNDMq(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMa if (memcmp_lowercase(p->ci, buf+j, p->len) == 0) { COUNT(tctx->stat_loop_match++); - matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, j, p->len); + matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } else { COUNT(tctx->stat_loop_no_match++); } @@ -935,7 +899,7 @@ uint32_t B3gSearchBNDMq(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMa if (memcmp(p->cs, buf+j, p->len) == 0) { COUNT(tctx->stat_loop_match++); - matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, j, p->len); + matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } else { COUNT(tctx->stat_loop_no_match++); } @@ -1024,7 +988,7 @@ uint32_t B3gSearch(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatcher if (memcmp_lowercase(p->ci, buf+pos, p->len) == 0) { COUNT(tctx->stat_loop_match++); - matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, pos, p->len); + matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } else { COUNT(tctx->stat_loop_no_match++); } @@ -1035,7 +999,7 @@ uint32_t B3gSearch(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatcher if (memcmp(p->cs, buf+pos, p->len) == 0) { COUNT(tctx->stat_loop_match++); - matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, pos, p->len); + matches += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } else { COUNT(tctx->stat_loop_no_match++); } @@ -1076,11 +1040,11 @@ uint32_t B3gSearch12(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatch if (p->flags & MPM_PATTERN_FLAG_NOCASE) { if (h8 == p->ci[0]) { - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } } else { if (*buf == p->cs[0]) { - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } } } @@ -1096,11 +1060,11 @@ uint32_t B3gSearch12(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatch if (p->flags & MPM_PATTERN_FLAG_NOCASE) { if (h8 == p->ci[0] && u8_tolower(*(buf+1)) == p->ci[1]) { - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } } else { if (*buf == p->cs[0] && *(buf+1) == p->cs[1]) { - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } } } @@ -1124,7 +1088,6 @@ uint32_t B3gSearch2(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatche uint8_t *bufend = buf + buflen - 1; uint32_t cnt = 0; B3gPattern *p; - MpmEndMatch *em; B3gHashItem *thi, *hi; if (buflen < 2) @@ -1146,18 +1109,14 @@ uint32_t B3gSearch2(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatche if (p->flags & MPM_PATTERN_FLAG_NOCASE) { if (u8_tolower(*buf) == p->ci[0] && u8_tolower(*(buf+1)) == p->ci[1]) { //printf("CI Exact match: "); prt(p->ci, p->len); printf(" in buf "); prt(buf, p->len);printf(" (B3gSearch1)\n"); - for (em = p->em; em; em = em->next) { - if (MpmVerifyMatch(mpm_thread_ctx, pmq, em, (buf+1 - bufmin), p->len)) - cnt++; - } + if (MpmVerifyMatch(mpm_thread_ctx, pmq, p->id)) + cnt++; } } else { if (*buf == p->cs[0] && *(buf+1) == p->cs[1]) { //printf("CS Exact match: "); prt(p->cs, p->len); printf(" in buf "); prt(buf, p->len);printf(" (B3gSearch1)\n"); - for (em = p->em; em; em = em->next) { - if (MpmVerifyMatch(mpm_thread_ctx, pmq, em, (buf+1 - bufmin), p->len)) - cnt++; - } + if (MpmVerifyMatch(mpm_thread_ctx, pmq, p->id)) + cnt++; } } } @@ -1200,11 +1159,11 @@ uint32_t B3gSearch1(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatche if (p->flags & MPM_PATTERN_FLAG_NOCASE) { if (u8_tolower(*buf) == p->ci[0]) { - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } } else { if (*buf == p->cs[0]) { - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } } } diff --git a/src/util-mpm-b3g.h b/src/util-mpm-b3g.h index 07523a7a7c..e0600076b7 100644 --- a/src/util-mpm-b3g.h +++ b/src/util-mpm-b3g.h @@ -54,7 +54,7 @@ typedef struct B3gPattern_ { uint16_t len; struct B3gPattern_ *next; uint8_t flags; - MpmEndMatch *em; + uint32_t id; } B3gPattern; typedef struct B3gHashItem_ { diff --git a/src/util-mpm-wumanber.c b/src/util-mpm-wumanber.c index 89905a82b0..1f3edd1723 100644 --- a/src/util-mpm-wumanber.c +++ b/src/util-mpm-wumanber.c @@ -115,35 +115,6 @@ void MpmWuManberRegister (void) { } } -/* append an endmatch to a pattern - * - * Only used in the initialization phase */ -static inline void WmEndMatchAppend(MpmCtx *mpm_ctx, WmPattern *p, - uint16_t offset, uint16_t depth, uint32_t pid, uint32_t sid) -{ - MpmEndMatch *em = MpmAllocEndMatch(mpm_ctx); - if (em == NULL) { - printf("ERROR: WmAllocEndMatch failed\n"); - return; - } - - em->id = pid; - em->sig_id = sid; - em->depth = depth; - em->offset = offset; - - if (p->em == NULL) { - p->em = em; - return; - } - - MpmEndMatch *m = p->em; - while (m->next) { - m = m->next; - } - m->next = em; -} - void prt (uint8_t *buf, uint16_t buflen) { uint16_t i; @@ -319,10 +290,6 @@ static inline int WmCmpPattern(WmPattern *p, uint8_t *pat, uint16_t patlen, char */ void WmFreePattern(MpmCtx *mpm_ctx, WmPattern *p) { - if (p && p->em) { - MpmEndMatchFreeAll(mpm_ctx, p->em); - } - if (p && p->cs && p->cs != p->ci) { SCFree(p->cs); mpm_ctx->memory_cnt--; @@ -369,6 +336,7 @@ static int WmAddPattern(MpmCtx *mpm_ctx, uint8_t *pat, uint16_t patlen, uint16_t p->len = patlen; p->flags = flags; + p->id = pid; /* setup the case insensitive part of the pattern */ p->ci = SCMalloc(patlen); @@ -421,9 +389,6 @@ static int WmAddPattern(MpmCtx *mpm_ctx, uint8_t *pat, uint16_t patlen, uint16_t else if (mpm_ctx->minlen > patlen) mpm_ctx->minlen = patlen; } - /* we need a match */ - WmEndMatchAppend(mpm_ctx, p, offset, depth, pid, sid); - mpm_ctx->total_pattern_cnt++; return 0; @@ -783,7 +748,6 @@ uint32_t WmSearch2Hash9(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMa WmThreadCtx *tctx = (WmThreadCtx *)mpm_thread_ctx->ctx; #endif /* WUMANBER_COUNTERS */ uint32_t cnt = 0; - uint8_t *bufmin = buf; uint8_t *bufend = buf + buflen - 1; uint16_t sl = ctx->shiftlen; uint16_t h; @@ -845,7 +809,7 @@ uint32_t WmSearch2Hash9(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMa //printf("CI Exact match: "); prt(p->ci, p->len); printf("\n"); COUNT(tctx->stat_loop_match++); - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } else { COUNT(tctx->stat_loop_no_match++); @@ -857,7 +821,7 @@ uint32_t WmSearch2Hash9(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMa //printf("CS Exact match: "); prt(p->cs, p->len); printf("\n"); COUNT(tctx->stat_loop_match++); - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } else { COUNT(tctx->stat_loop_no_match++); @@ -884,7 +848,6 @@ uint32_t WmSearch2Hash12(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM WmThreadCtx *tctx = (WmThreadCtx *)mpm_thread_ctx->ctx; #endif /* WUMANBER_COUNTERS */ uint32_t cnt = 0; - uint8_t *bufmin = buf; uint8_t *bufend = buf + buflen - 1; uint16_t sl = ctx->shiftlen; uint16_t h; @@ -948,7 +911,7 @@ uint32_t WmSearch2Hash12(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM //printf("CI Exact match: "); prt(p->ci, p->len); printf("\n"); COUNT(tctx->stat_loop_match++); - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } else { COUNT(tctx->stat_loop_no_match++); @@ -960,7 +923,7 @@ uint32_t WmSearch2Hash12(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM //printf("CS Exact match: "); prt(p->cs, p->len); printf("\n"); COUNT(tctx->stat_loop_match++); - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } else { COUNT(tctx->stat_loop_no_match++); @@ -986,7 +949,6 @@ uint32_t WmSearch2Hash14(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM WmThreadCtx *tctx = (WmThreadCtx *)mpm_thread_ctx->ctx; #endif /* WUMANBER_COUNTERS */ uint32_t cnt = 0; - uint8_t *bufmin = buf; uint8_t *bufend = buf + buflen - 1; uint16_t sl = ctx->shiftlen; uint16_t h; @@ -1049,7 +1011,7 @@ uint32_t WmSearch2Hash14(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM if (memcmp_lowercase(p->ci, buf-sl+1, p->len) == 0) { COUNT(tctx->stat_loop_match++); - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } else { COUNT(tctx->stat_loop_no_match++); } @@ -1059,7 +1021,7 @@ uint32_t WmSearch2Hash14(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM if (memcmp(p->cs, buf-sl+1, p->len) == 0) { COUNT(tctx->stat_loop_match++); - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } else { COUNT(tctx->stat_loop_no_match++); } @@ -1084,7 +1046,6 @@ uint32_t WmSearch2Hash15(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM WmThreadCtx *tctx = (WmThreadCtx *)mpm_thread_ctx->ctx; #endif /* WUMANBER_COUNTERS */ uint32_t cnt = 0; - uint8_t *bufmin = buf; uint8_t *bufend = buf + buflen - 1; uint16_t sl = ctx->shiftlen; uint16_t h; @@ -1148,7 +1109,7 @@ uint32_t WmSearch2Hash15(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM //printf("CI Exact match: "); prt(p->ci, p->len); printf("\n"); COUNT(tctx->stat_loop_match++); - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } else { COUNT(tctx->stat_loop_no_match++); } @@ -1159,7 +1120,7 @@ uint32_t WmSearch2Hash15(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM //printf("CS Exact match: "); prt(p->cs, p->len); printf("\n"); COUNT(tctx->stat_loop_match++); - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } else { COUNT(tctx->stat_loop_no_match++); } @@ -1184,7 +1145,6 @@ uint32_t WmSearch2Hash16(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM WmThreadCtx *tctx = (WmThreadCtx *)mpm_thread_ctx->ctx; #endif /* WUMANBER_COUNTERS */ uint32_t cnt = 0; - uint8_t *bufmin = buf; uint8_t *bufend = buf + buflen - 1; uint16_t sl = ctx->shiftlen; uint16_t h; @@ -1247,7 +1207,7 @@ uint32_t WmSearch2Hash16(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM if (memcmp_lowercase(p->ci, buf-sl+1, p->len) == 0) { COUNT(tctx->stat_loop_match++); - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } else { COUNT(tctx->stat_loop_no_match++); } @@ -1257,7 +1217,7 @@ uint32_t WmSearch2Hash16(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternM if (memcmp(p->cs, buf-sl+1, p->len) == 0) { COUNT(tctx->stat_loop_match++); - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf-sl+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } else { COUNT(tctx->stat_loop_no_match++); } @@ -1303,11 +1263,11 @@ uint32_t WmSearch1(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatcher if (p->flags & MPM_PATTERN_FLAG_NOCASE) { if (wm_tolower(*buf) == p->ci[0]) { - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } } else { if (*buf == p->cs[0]) { - cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->em, (buf+1 - bufmin), p->len); + cnt += MpmVerifyMatch(mpm_thread_ctx, pmq, p->id); } } } diff --git a/src/util-mpm-wumanber.h b/src/util-mpm-wumanber.h index 14306cb240..a37a2373e2 100644 --- a/src/util-mpm-wumanber.h +++ b/src/util-mpm-wumanber.h @@ -37,7 +37,7 @@ typedef struct WmPattern_ { uint16_t prefix_ci; uint16_t prefix_cs; uint8_t flags; - MpmEndMatch *em; + uint32_t id; /* global pattern id */ } WmPattern; typedef struct WmHashItem_ { diff --git a/src/util-mpm.c b/src/util-mpm.c index e997183a93..193dca9a66 100644 --- a/src/util-mpm.c +++ b/src/util-mpm.c @@ -54,27 +54,6 @@ int PmqSetup(PatternMatcherQueue *pmq, uint32_t sig_maxid, uint32_t patmaxid) { memset(pmq, 0, sizeof(PatternMatcherQueue)); - if (sig_maxid > 0) { - pmq->sig_id_array = SCMalloc(sig_maxid * sizeof(uint32_t)); - if (pmq->sig_id_array == NULL) { - SCLogError(SC_ERR_MEM_ALLOC, "memory alloc failed"); - SCReturnInt(-1); - } - memset(pmq->sig_id_array, 0, sig_maxid * sizeof(uint32_t)); - pmq->sig_id_array_cnt = 0; - - /* lookup bitarray */ - pmq->sig_bitarray = SCMalloc((sig_maxid / 8) + 1); - if (pmq->sig_bitarray == NULL) { - SCLogError(SC_ERR_MEM_ALLOC, "memory alloc failed"); - SCReturnInt(-1); - } - memset(pmq->sig_bitarray, 0, (sig_maxid / 8) + 1); - - SCLogDebug("pmq->sig_id_array %p, pmq->sig_bitarray %p", - pmq->sig_id_array, pmq->sig_bitarray); - } - if (patmaxid > 0) { pmq->pattern_id_array = SCMalloc(patmaxid * sizeof(uint32_t)); if (pmq->pattern_id_array == NULL) { @@ -113,68 +92,24 @@ int PmqSetup(PatternMatcherQueue *pmq, uint32_t sig_maxid, uint32_t patmaxid) { * \retval 1 (new) match */ int -MpmVerifyMatch(MpmThreadCtx *thread_ctx, PatternMatcherQueue *pmq, MpmEndMatch *list, uint16_t offset, uint16_t patlen) +MpmVerifyMatch(MpmThreadCtx *thread_ctx, PatternMatcherQueue *pmq, uint32_t patid) { SCEnter(); - MpmEndMatch *em = list; - int ret = 0; - /* Handle pattern id storage */ if (pmq != NULL && pmq->pattern_id_bitarray != NULL) { - SCLogDebug("using pattern id arrays"); + SCLogDebug("using pattern id arrays, storing %"PRIu32, patid); - if (!(pmq->pattern_id_bitarray[(em->id / 8)] & (1<<(em->id % 8)))) { + if (!(pmq->pattern_id_bitarray[(patid / 8)] & (1<<(patid % 8)))) { /* flag this pattern id as being added now */ - pmq->pattern_id_bitarray[(em->id / 8)] |= (1<<(em->id % 8)); + pmq->pattern_id_bitarray[(patid / 8)] |= (1<<(patid % 8)); /* append the pattern_id to the array with matches */ - pmq->pattern_id_array[pmq->pattern_id_array_cnt] = em->id; + pmq->pattern_id_array[pmq->pattern_id_array_cnt] = patid; pmq->pattern_id_array_cnt++; } - - ret = 1; - } else { - SCLogDebug("not using pattern id arrays, pmq %p, pmq->pattern_id_bitarray %p", pmq, pmq ? pmq->pattern_id_bitarray:NULL); - } - - if (pmq != NULL && pmq->sig_bitarray != NULL) { - for ( ; em != NULL; em = em->next) { - SCLogDebug("em->sig_id %u", em->sig_id); - - /* check offset */ - if (offset < em->offset) - continue; - - /* check depth */ - if (em->depth && (offset+patlen) > em->depth) - continue; - - if (pmq != NULL) { - /* make sure we only append a sig with a matching pattern once, - * so we won't inspect it more than once. For this we keep a - * bitarray of sig internal id's and flag each sig that matched */ - if (!(pmq->sig_bitarray[(em->sig_id / 8)] & (1<<(em->sig_id % 8)))) { - /* flag this sig_id as being added now */ - pmq->sig_bitarray[(em->sig_id / 8)] |= (1<<(em->sig_id % 8)); - /* append the sig_id to the array with matches */ - pmq->sig_id_array[pmq->sig_id_array_cnt] = em->sig_id; - pmq->sig_id_array_cnt++; - } - - /* nosearch flag */ - if (!(em->flags & MPM_ENDMATCH_NOSEARCH)) { - pmq->searchable++; - } - } - - ret++; - } } - if (pmq == NULL) - ret = 1; - - SCReturnInt(ret); + SCReturnInt(1); } /** \brief Reset a Pmq for reusage. Meant to be called after a single search. @@ -182,11 +117,6 @@ MpmVerifyMatch(MpmThreadCtx *thread_ctx, PatternMatcherQueue *pmq, MpmEndMatch * */ void PmqReset(PatternMatcherQueue *pmq) { uint32_t u; - for (u = 0; u < pmq->sig_id_array_cnt; u++) { - pmq->sig_bitarray[(pmq->sig_id_array[u] / 8)] &= ~(1<<(pmq->sig_id_array[u] % 8)); - } - pmq->sig_id_array_cnt = 0; - for (u = 0; u < pmq->pattern_id_array_cnt; u++) { pmq->pattern_id_bitarray[(pmq->pattern_id_array[u] / 8)] &= ~(1<<(pmq->pattern_id_array[u] % 8)); } @@ -200,17 +130,17 @@ void PmqCleanup(PatternMatcherQueue *pmq) { if (pmq == NULL) return; - if (pmq->sig_id_array != NULL) { - SCFree(pmq->sig_id_array); - pmq->sig_id_array = NULL; + if (pmq->pattern_id_array != NULL) { + SCFree(pmq->pattern_id_array); + pmq->pattern_id_array = NULL; } - if (pmq->sig_bitarray != NULL) { - SCFree(pmq->sig_bitarray); - pmq->sig_bitarray = NULL; + if (pmq->pattern_id_bitarray != NULL) { + SCFree(pmq->pattern_id_bitarray); + pmq->pattern_id_bitarray = NULL; } - pmq->sig_id_array_cnt = 0; + pmq->pattern_id_array_cnt = 0; } /** \brief Cleanup and free a Pmq @@ -224,23 +154,6 @@ void PmqFree(PatternMatcherQueue *pmq) { SCFree(pmq); } -/* allocate an endmatch - * - * Only used in the initialization phase */ -MpmEndMatch *MpmAllocEndMatch (MpmCtx *ctx) -{ - MpmEndMatch *e = SCMalloc(sizeof(MpmEndMatch)); - if (e == NULL) - return NULL; - - memset(e, 0, sizeof(MpmEndMatch)); - - ctx->memory_cnt++; - ctx->memory_size += sizeof(MpmEndMatch); - ctx->endmatches++; - return e; -} - /** * \brief Return the pattern max length of a registered matcher * \retval 0 if it has no limit @@ -254,20 +167,6 @@ int32_t MpmMatcherGetMaxPatternLength(uint16_t matcher) { return -1; } -void MpmEndMatchFree(MpmCtx *ctx, MpmEndMatch *em) { - ctx->memory_cnt--; - ctx->memory_size -= sizeof(MpmEndMatch); - SCFree(em); -} - -void MpmEndMatchFreeAll(MpmCtx *mpm_ctx, MpmEndMatch *em) { - while(em) { - MpmEndMatch *tem = em->next; - MpmEndMatchFree(mpm_ctx, em); - em = tem; - } -} - void MpmInitThreadCtx(MpmThreadCtx *mpm_thread_ctx, uint16_t matcher, uint32_t max_id) { mpm_table[matcher].InitThreadCtx(NULL, mpm_thread_ctx, max_id); } diff --git a/src/util-mpm.h b/src/util-mpm.h index 5c19ca8324..30cfd32f8b 100644 --- a/src/util-mpm.h +++ b/src/util-mpm.h @@ -64,16 +64,6 @@ enum { MPM_TABLE_SIZE, }; -/* Data structures */ -typedef struct MpmEndMatch_ { - uint32_t id; /**< pattern id storage */ - uint16_t depth; - uint16_t offset; - struct MpmEndMatch_ *next; - SigIntId sig_id; /**< sig callback stuff -- internal id */ - uint8_t flags; -} MpmEndMatch; - typedef struct MpmMatchBucket_ { uint32_t len; } MpmMatchBucket; @@ -89,14 +79,6 @@ typedef struct MpmThreadCtx_ { * thread has this and passes a pointer to it to the pattern matcher. * The actual pattern matcher will fill the structure. */ typedef struct PatternMatcherQueue_ { - uint32_t *sig_id_array; /** array with internal sig id's that had a - pattern match. These will be inspected - futher by the detection engine. */ - uint32_t sig_id_array_cnt; - uint8_t *sig_bitarray; - uint32_t searchable; /** counter of the number of matches that - require a search-followup */ - uint32_t *pattern_id_array; /** array with internal sig id's that had a pattern match. These will be inspected futher by the detection engine. */ @@ -111,8 +93,6 @@ typedef struct MpmCtx_ { uint32_t memory_cnt; uint32_t memory_size; - uint32_t endmatches; - uint32_t pattern_cnt; /* unique patterns */ uint32_t total_pattern_cnt; /* total patterns added */ @@ -166,16 +146,13 @@ void PmqReset(PatternMatcherQueue *); void PmqCleanup(PatternMatcherQueue *); void PmqFree(PatternMatcherQueue *); -MpmEndMatch *MpmAllocEndMatch (MpmCtx *); -void MpmEndMatchFreeAll(MpmCtx *mpm_ctx, MpmEndMatch *em); - void MpmTableSetup(void); void MpmRegisterTests(void); /** Return the max pattern length of a Matcher type given as arg */ int32_t MpmMatcherGetMaxPatternLength(uint16_t); -int MpmVerifyMatch(MpmThreadCtx *, PatternMatcherQueue *, MpmEndMatch *, uint16_t, uint16_t); +int MpmVerifyMatch(MpmThreadCtx *, PatternMatcherQueue *, uint32_t); void MpmInitCtx (MpmCtx *mpm_ctx, uint16_t matcher, int module_handle); void MpmInitThreadCtx(MpmThreadCtx *mpm_thread_ctx, uint16_t, uint32_t); uint32_t MpmGetHashSize(const char *);