git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <victor@inliniac.net>
	Tue, 11 Apr 2017 13:24:49 +0000 (15:24 +0200)
committer	Victor Julien <victor@inliniac.net>
	Fri, 21 Apr 2017 16:58:01 +0000 (18:58 +0200)
commit	1bbf5553186c7d38b678f93db24773bd14ff84cf
tree	890f46ccb681fc3364dcf66da36b4d068a70fdd6	tree
parent	d1b7a8390581f0ed7a4f221e6a2af86a6df954a5	commit \| diff

detect: improve stateful detection

Now that MPM runs when the TX progress is right, stateful detection
operates differently.

Changes:

1. raw stream inspection is now also an inspect engine

   Since this engine doesn't take the transactions into account, it
   could potentially run multiple times on the same data. To avoid
   this, basic result caching is in place.

2. the engines are sorted by progress, but the 'MPM' engine is first
   even if the progress is higher

   If MPM flags a rule to be inspected, the inspect engine for that
   buffer runs first. If this step fails, the rule is no longer
   evaluated. No state is stored.

src/detect-engine-payload.c		diff \| blob \| blame \| history
src/detect-engine-payload.h		diff \| blob \| blame \| history
src/detect-engine-state.c		diff \| blob \| blame \| history
src/detect-engine.c		diff \| blob \| blame \| history
src/detect.c		diff \| blob \| blame \| history
src/detect.h		diff \| blob \| blame \| history