From: Victor Julien
Date: Sat, 19 Sep 2015 19:46:34 +0000 (+0200)
Subject: mpm: improve SGH content len tracking
X-Git-Tag: suricata-3.0RC1~140
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2716c786283799745436637cc6534bd0059a29e5;p=thirdparty%2Fsuricata.git
mpm: improve SGH content len tracking
SGH's track content length for rule grouping. This patch changes the logic to only consider the pattern that is used in the mpm for a sig.
---
diff --git a/src/detect-engine-siggroup.c b/src/detect-engine-siggroup.c
index eaf915520c..a63a8152aa 100644
--- a/src/detect-engine-siggroup.c
+++ b/src/detect-engine-siggroup.c
@@ -998,6 +998,17 @@ void SigGroupHeadFreeMpmArrays(DetectEngineCtx *de_ctx)
 return;
 }
+static uint16_t SignatureGetMpmPatternLen(Signature *s, int list)
+{
+ if (s->sm_lists[list] != NULL && s->mpm_sm != NULL &&
+ SigMatchListSMBelongsTo(s, s->mpm_sm) == list)
+ {
+ DetectContentData *cd = (DetectContentData *)s->mpm_sm->ctx;
+ return cd->content_len;
+ }
+ return 0;
+}
+
 /**
 * \brief Add a Signature to a SigGroupHead.
 *
@@ -1028,12 +1039,13 @@ int SigGroupHeadAppendSig(DetectEngineCtx *de_ctx, SigGroupHead **sgh,
 /* update maxlen for mpm */
 if (s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
 /* check with the precalculated values from the sig */
- if (s->mpm_content_maxlen > 0) {
+ uint16_t mpm_content_minlen = SignatureGetMpmPatternLen(s, DETECT_SM_LIST_PMATCH);
+ if (mpm_content_minlen > 0) {
 if ((*sgh)->mpm_content_maxlen == 0)
- (*sgh)->mpm_content_maxlen = s->mpm_content_maxlen;
+ (*sgh)->mpm_content_maxlen = mpm_content_minlen;
- if ((*sgh)->mpm_content_maxlen > s->mpm_content_maxlen)
- (*sgh)->mpm_content_maxlen = s->mpm_content_maxlen;
+ if ((*sgh)->mpm_content_maxlen > mpm_content_minlen)
+ (*sgh)->mpm_content_maxlen = mpm_content_minlen;
 SCLogDebug("(%p)->mpm_content_maxlen %u", *sgh, (*sgh)->mpm_content_maxlen);
 }
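Review bot: The new `SignatureGetMpmPatternLen()` casts `s->mpm_sm->ctx` and reads `cd->content_len` without checking the pointer, whereas the loop this commit removes from `SigInitHelper()` skipped entries with `cd == NULL`; adding `if (cd == NULL) return 0;` before the return would keep that guard. `list` also indexes `s->sm_lists[]` unchecked, which holds only while every caller passes a `DETECT_SM_LIST_*` constant, as the two callers in this patch do. The helper has no comment, unlike the `\brief` blocks around it; `/** \brief length of the sig's mpm pattern if it belongs to \a list, 0 otherwise */` would also record that 0 doubles as the "no pattern in this list" answer. Nothing is written through `s`, so it could be `const Signature *s`, provided `SigMatchListSMBelongsTo()` accepts a const pointer (not visible here).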
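Review bot: In the `SigGroupHeadAppendSig()` hunk the comment `/* check with the precalculated values from the sig */` is stale, because the length is now looked up through `s->mpm_sm` at call time; it could read `/* use the length of the sig's mpm pattern, if it is in the payload list */`. The local is named `mpm_content_minlen` but is compared with and stored into `(*sgh)->mpm_content_maxlen`, which this code keeps as the smallest value seen, so a neutral name such as `mpm_pattern_len` would read more clearly. The update now depends on `s->mpm_sm` already being assigned when the signature is appended, since otherwise the helper returns 0 and the group value is never set; that ordering is not visible in this hunk and should be confirmed. The function body starts and ends outside the hunk.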
@@ -1608,15 +1620,12 @@ uint16_t SigGroupHeadGetMinMpmSize(DetectEngineCtx *de_ctx,
 s = sgh->match_array[sig];
 if (s == NULL)
 continue;
- if (s->sm_lists[list] == NULL)
- continue;
- if (s->mpm_sm != NULL && SigMatchListSMBelongsTo(s, s->mpm_sm) == list)
- {
- DetectContentData *cd = (DetectContentData *)s->mpm_sm->ctx;
- if (cd->content_len < min)
- min = cd->content_len;
- SCLogDebug("cd->content_len %u", cd->content_len);
+ uint16_t mpm_content_minlen = SignatureGetMpmPatternLen(s, DETECT_SM_LIST_PMATCH);
+ if (mpm_content_minlen > 0) {
+ if (mpm_content_minlen < min)
+ min = mpm_content_minlen;
+ SCLogDebug("mpm_content_minlen %u", mpm_content_minlen);
 }
 }
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 7e723e8d13..9ac53e03c2 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1345,7 +1345,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
 static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr,
 uint8_t dir)
 {
- SigMatch *sm;
 Signature *sig = SigAlloc();
 if (sig == NULL)
 goto error;
@@ -1390,24 +1389,6 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr,
 if (DetectAppLayerEventPrepare(sig) < 0)
 goto error;
- /* determine the length of the longest pattern in the sig */
- if (sig->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
- sig->mpm_content_maxlen = 0;
- for (sm = sig->sm_lists[DETECT_SM_LIST_PMATCH]; sm != NULL; sm = sm->next) {
- if (sm->type == DETECT_CONTENT) {
- DetectContentData *cd = (DetectContentData *)sm->ctx;
- if (cd == NULL)
- continue;
- if (sig->mpm_content_maxlen == 0)
- sig->mpm_content_maxlen = cd->content_len;
- if (sig->mpm_content_maxlen < cd->content_len)
- sig->mpm_content_maxlen = cd->content_len;
- }
- }
- }
-
 /* set the packet and app layer flags, but only if the
 * app layer flag wasn't already set in which case we
 * only consider the app layer */
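Review bot: In the `SigGroupHeadGetMinMpmSize()` hunk the new call hard-codes `DETECT_SM_LIST_PMATCH`, while the removed lines tested `s->sm_lists[list]` and `SigMatchListSMBelongsTo(s, s->mpm_sm) == list` against the function's own `list` variable. If any caller asks for a list other than the payload one, the function would now return the minimum over payload patterns instead of the requested buffer, so the call should probably be `uint16_t mpm_content_minlen = SignatureGetMpmPatternLen(s, list);`. The declaration of `list` and the rest of the loop lie outside the hunk, so confirm it is still in scope before making the change.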
@@ -3250,11 +3231,6 @@ int SigParseTestMpm01 (void)
 goto end;
 }
- if (sig->mpm_content_maxlen != 4) {
- printf("mpm content max len %"PRIu16", expected 4: ", sig->mpm_content_maxlen);
- goto end;
- }
-
 result = 1;
 end:
 if (sig != NULL)
@@ -3286,11 +3262,6 @@ int SigParseTestMpm02 (void)
 goto end;
 }
- if (sig->mpm_content_maxlen != 6) {
- printf("mpm content max len %"PRIu16", expected 6: ", sig->mpm_content_maxlen);
- goto end;
- }
-
 result = 1;
 end:
 if (sig != NULL)
diff --git a/src/detect.c b/src/detect.c
index 0f940a98db..06319aa7bf 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -9792,10 +9792,6 @@ static int SigTestSgh01 (void)
 printf("internal id != 0: ");
 goto end;
 }
- if (de_ctx->sig_list->mpm_content_maxlen != 3) {
- printf("de_ctx->sig_list->mpm_content_maxlen %u, expected 3: ", de_ctx->sig_list->mpm_content_maxlen);
- goto end;
- }
 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 81 (msg:\"2\"; content:\"two\"; content:\"abcd\"; sid:2;)");
 if (de_ctx->sig_list->next == NULL) {
@@ -9806,10 +9802,6 @@ static int SigTestSgh01 (void)
 printf("internal id != 1: ");
 goto end;
 }
- if (de_ctx->sig_list->next->mpm_content_maxlen != 4) {
- printf("de_ctx->sig_list->mpm_content_maxlen %u, expected 4: ", de_ctx->sig_list->next->mpm_content_maxlen);
- goto end;
- }
 de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"3\"; content:\"three\"; sid:3;)");
 if (de_ctx->sig_list->next->next == NULL) {
@@ -9820,10 +9812,6 @@ static int SigTestSgh01 (void)
 printf("internal id != 2: ");
 goto end;
 }
- if (de_ctx->sig_list->next->next->mpm_content_maxlen != 5) {
- printf("de_ctx->sig_list->next->next->mpm_content_maxlen %u, expected 5: ", de_ctx->sig_list->next->next->mpm_content_maxlen);
- goto end;
- }
 SigGroupBuild(de_ctx);
 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
diff --git a/src/detect.h b/src/detect.h
index 17adb8e4dd..480e7c4fbd 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -450,10 +450,6 @@ typedef struct Signature_ {
 /* the fast pattern added from this signature */
 SigMatch *mpm_sm;
- /* track max length for content. Indirectly used in grouping:
- * used to set SigGroupHead::mpm_content_maxlen */
- uint16_t mpm_content_maxlen;
-
 /* SigMatch list used for adding content and friends. E.g. file_data; */
 int list;