disable-detect: fix needless file hashing

When detection is running flags are set on flows to indicate if file
hashing is needed. This is based on global output settings and rules.

In the case of --disable-detection this was not happening, so all
files where hashed with all methods. This has a significant
performance impact.

This patch adds logic to set the flow flags in --disable-detect mode.

diff --git a/src/detect.c b/src/detect.c
index fd729ed39c3f0fe067f623d63fb20c0074aad664..d30b7905c9dae10800c69407079bb2e6e30fed40 100644 (file)
--- a/src/detect.c
+++ b/src/detect.c
@@ -2284,6 +2284,15 @@ static int SignatureCreateMask(Signature *s)
     SCReturnInt(0);
 }
 
+/** \brief disable file features we don't need
+ *  Called if we have no detection engine.
+ */
+void DisableDetectFlowFileFlags(Flow *f)
+{
+    DetectPostInspectFileFlagsUpdate(f, NULL /* no sgh */, STREAM_TOSERVER);
+    DetectPostInspectFileFlagsUpdate(f, NULL /* no sgh */, STREAM_TOCLIENT);
+}
+
 static void SigInitStandardMpmFactoryContexts(DetectEngineCtx *de_ctx)
 {
     DetectMpmInitializeBuiltinMpms(de_ctx);

diff --git a/src/detect.h b/src/detect.h
index e603d6f356aaa8f4f6654e2f527634529238d646..93b52bd3c541411a30a30f9a9e73d5717a0bb6b2 100644 (file)
--- a/src/detect.h
+++ b/src/detect.h
@@ -1334,6 +1334,7 @@ int SigGroupBuild(DetectEngineCtx *);
 int SigGroupCleanup (DetectEngineCtx *de_ctx);
 void SigAddressPrepareBidirectionals (DetectEngineCtx *);
 
+void DisableDetectFlowFileFlags(Flow *f);
 char *DetectLoadCompleteSigPath(const DetectEngineCtx *, char *sig_file);
 int SigLoadSignatures (DetectEngineCtx *, char *, int);
 void SigTableList(const char *keyword);

diff --git a/src/flow-worker.c b/src/flow-worker.c
index ac0bd484ddacdf03473d7cebaceaa1e961965dbe..b29486e3359ea9281fa4e6160a4ab3cb6ac11049 100644 (file)
--- a/src/flow-worker.c
+++ b/src/flow-worker.c
@@ -201,6 +201,15 @@ TmEcode FlowWorker(ThreadVars *tv, Packet *p, void *data, PacketQueue *preq, Pac
         SCLogDebug("packet %"PRIu64" is TCP", p->pcap_cnt);
         DEBUG_ASSERT_FLOW_LOCKED(p->flow);
 
+        /* if detect is disabled, we need to apply file flags to the flow
+         * here on the first packet. */
+        if (detect_thread == NULL &&
+                ((PKT_IS_TOSERVER(p) && (p->flowflags & FLOW_PKT_TOSERVER_FIRST)) ||
+                 (PKT_IS_TOCLIENT(p) && (p->flowflags & FLOW_PKT_TOCLIENT_FIRST))))
+        {
+            DisableDetectFlowFileFlags(p->flow);
+        }
+
         FLOWWORKER_PROFILING_START(p, PROFILE_FLOWWORKER_STREAM);
         StreamTcp(tv, p, fw->stream_thread, &fw->pq, NULL);
         FLOWWORKER_PROFILING_END(p, PROFILE_FLOWWORKER_STREAM);