From: Victor Julien <victor@inliniac.net>
Date: Fri, 24 Jan 2014 10:40:06 +0000 (+0100)
Subject: app-layer-proto: speed up
X-Git-Tag: suricata-2.0rc1~160
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ad7eff555de898e7abcdbf89fdbe9a4806bb72b6;p=thirdparty%2Fsuricata.git

app-layer-proto: speed up

AppLayer Proto detection code uses a mix of pattern search and
"probing parsers". The pattern search validates potential matches
using a single pattern search algo. The code was using SpmSearch
for this, but this made it inefficient as it builds a BoyerMoore
context for each search. This lead to significant memory pressure,
especially on high speed/bandwidth boxes.

This patch switches the search calls to BoyerMoore and BoyerMoore-
Nocase directly. This can be done as the ctx' were available already.
---

diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c
index f5b57193aa..ce5c8c2528 100644
--- a/src/app-layer-detect-proto.c
+++ b/src/app-layer-detect-proto.c
@@ -190,9 +190,9 @@ static AppProto AppLayerProtoDetectPMMatchSignature(const AppLayerProtoDetectPMS
                s->cd->offset, s->cd->depth);
 
     if (s->cd->flags & DETECT_CONTENT_NOCASE)
-        found = SpmNocaseSearch(sbuf, sbuflen, s->cd->content, s->cd->content_len);
+        found = BoyerMooreNocase(s->cd->content, s->cd->content_len, sbuf, sbuflen, s->cd->bm_ctx->bmGs, s->cd->bm_ctx->bmBc);
     else
-        found = SpmSearch(sbuf, sbuflen, s->cd->content, s->cd->content_len);
+        found = BoyerMoore(s->cd->content, s->cd->content_len, sbuf, sbuflen, s->cd->bm_ctx->bmGs, s->cd->bm_ctx->bmBc);
     if (found != NULL)
         proto = s->alproto;