Update fast_pattern engine to not use negated content as fast_pattern if we have...

Noticing a good spike in perf with et_pro ruleset.

Thanks to Will Metcalf for the suggestion.

diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c
index 909dd1ee9082812becc12720cf3cdc203cd2cc88..7150c1e34b71b34844068a7c00def2dc9336ab6b 100644 (file)
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
@@ -1751,6 +1751,8 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
         }
 
         int max_len = 0;
+        int max_len_negated = 0;
+        int max_len_non_negated = 0;
         /* get the longest pattern in the sig */
         if (!fast_pattern[sig]) {
             SigMatch *sm = NULL;
@@ -1768,10 +1770,24 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
                     //}
 
                     DetectContentData *cd = (DetectContentData *)sm->ctx;
-                    if (max_len < cd->content_len)
-                        max_len = cd->content_len;
-                }
-            }
+                    if (cd->flags & DETECT_CONTENT_NEGATED) {
+                        if (max_len_negated < cd->content_len)
+                            max_len_negated = cd->content_len;
+                    } else {
+                        if (max_len_non_negated < cd->content_len)
+                            max_len_non_negated = cd->content_len;
+                    }
+                } /* for ( ; list_id.. */
+            } /* for (sm = s->sm_lists.. */
+        } /* if */
+
+        int skip_negated_content = 0;
+        if (max_len_non_negated == 0) {
+            max_len = max_len_negated;
+            skip_negated_content = 0;
+        } else {
+            max_len = max_len_non_negated;
+            skip_negated_content = 1;
         }
 
         SigMatch *mpm_sm = NULL;
@@ -1802,6 +1818,8 @@ static int PatternMatchPreparePopulateMpm(DetectEngineCtx *de_ctx,
                     //}
 
                     DetectContentData *cd = (DetectContentData *)sm->ctx;
+                    if ((cd->flags & DETECT_CONTENT_NEGATED) && skip_negated_content)
+                        continue;
                     if (cd->content_len < max_len)
                         continue;
 

diff --git a/src/detect.c b/src/detect.c
index 920f3b02526809a38eb65899c3ec4702045ef34f..0f36361afa679fef676f877d58f65baf93f930e7 100644 (file)
--- a/src/detect.c
+++ b/src/detect.c
@@ -397,6 +397,8 @@ void EngineAnalysisFastPattern(Signature *s)
     } /* for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) */
 
     int max_len = 0;
+    int max_len_negated = 0;
+    int max_len_non_negated = 0;
     /* get the longest pattern in the sig */
     if (!fast_pattern) {
         SigMatch *sm = NULL;
@@ -409,12 +411,26 @@ void EngineAnalysisFastPattern(Signature *s)
                     continue;
 
                 DetectContentData *cd = (DetectContentData *)sm->ctx;
-                if (max_len < cd->content_len)
-                    max_len = cd->content_len;
+                if (cd->flags & DETECT_CONTENT_NEGATED) {
+                    if (max_len_negated < cd->content_len)
+                        max_len_negated = cd->content_len;
+                } else {
+                    if (max_len_non_negated < cd->content_len)
+                        max_len_non_negated = cd->content_len;
+                }
             }
         }
     }
 
+    int skip_negated_content = 0;
+    if (max_len_non_negated == 0) {
+        max_len = max_len_negated;
+        skip_negated_content = 0;
+    } else {
+        max_len = max_len_non_negated;
+        skip_negated_content = 1;
+    }
+
     SigMatch *sm = NULL;
     for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
         if (!FastPatternSupportEnabledForSigMatchList(list_id))
@@ -437,6 +453,8 @@ void EngineAnalysisFastPattern(Signature *s)
                 SCLogDebug("fast pattern %"PRIu32"", cd->id);
             } else {
                 DetectContentData *cd = (DetectContentData *)sm->ctx;
+                if ((cd->flags & DETECT_CONTENT_NEGATED) && skip_negated_content)
+                    continue;
                 if (cd->content_len < max_len)
                     continue;