From: Victor Julien Date: Tue, 13 Oct 2015 06:33:27 +0000 (+0200) Subject: detect mpm: fast_pattern assignment cleanup X-Git-Tag: suricata-3.1RC1~339 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c87fcb29ffb95feace6c1c8decc668d84c198ac7;p=thirdparty%2Fsuricata.git detect mpm: fast_pattern assignment cleanup --- diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index 65baebf9e4..34964c432d 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -983,11 +983,10 @@ static void PopulateMpmHelperAddPatternToPktCtx(MpmCtx *mpm_ctx, #define SGH_DIRECTION_TS(sgh) ((sgh)->init->direction & SIG_FLAG_TOSERVER) #define SGH_DIRECTION_TC(sgh) ((sgh)->init->direction & SIG_FLAG_TOCLIENT) -SigMatch *RetrieveFPForSig(Signature *s) +void RetrieveFPForSig(Signature *s) { if (s->mpm_sm != NULL) - return s->mpm_sm; - + return; SigMatch *mpm_sm = NULL, *sm = NULL; int nn_sm_list[DETECT_SM_LIST_MAX]; @@ -998,6 +997,8 @@ SigMatch *RetrieveFPForSig(Signature *s) int count_n_sm_list = 0; int list_id; + /* inspect rule to see if we have the fast_pattern keyword to + * force using a sig, otherwise keep stats about the patterns */ for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) { if (!FastPatternSupportEnabledForSigMatchList(list_id)) continue; @@ -1007,8 +1008,13 @@ SigMatch *RetrieveFPForSig(Signature *s) continue; DetectContentData *cd = (DetectContentData *)sm->ctx; - if ((cd->flags & DETECT_CONTENT_FAST_PATTERN)) - return sm; + + /* fast_pattern set in rule, so using this pattern */ + if ((cd->flags & DETECT_CONTENT_FAST_PATTERN)) { + s->mpm_sm = sm; + return; + } + if (cd->flags & DETECT_CONTENT_NEGATED) { n_sm_list[list_id] = 1; count_n_sm_list++; @@ -1016,9 +1022,10 @@ SigMatch *RetrieveFPForSig(Signature *s) nn_sm_list[list_id] = 1; count_nn_sm_list++; } - } /* for */ - } /* for */ + } + } + /* prefer normal not-negated over negated */ int *curr_sm_list = NULL; int skip_negated_content = 1; if (count_nn_sm_list > 0) { 
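Review bot: RetrieveFPForSig() in the first hunk now returns void and reports its result only by writing s->mpm_sm, but no comment in the new code states that contract, and the name still reads like a getter. A header comment above the definition would cover it, for example `/** \brief select the fast pattern for a signature and store it in s->mpm_sm; s->mpm_sm is left NULL when no usable content is found, and an already set s->mpm_sm is kept */`, repeated on the prototype in detect-engine-mpm.h. The comment should also state that NULL is a normal outcome, so every caller has to test s->mpm_sm before reading `s->mpm_sm->ctx`, as the DetectSetFastPatternAndItsId() hunk does. The function body continues past this hunk.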
@@ -1027,7 +1034,7 @@ SigMatch *RetrieveFPForSig(Signature *s) curr_sm_list = n_sm_list; skip_negated_content = 0; } else { - return NULL; + return; } int final_sm_list[DETECT_SM_LIST_MAX]; @@ -1038,8 +1045,8 @@ SigMatch *RetrieveFPForSig(Signature *s) while (tmp != NULL) { for (priority = tmp->priority; tmp != NULL && priority == tmp->priority; - tmp = tmp->next) { - + tmp = tmp->next) + { if (curr_sm_list[tmp->list_id] == 0) continue; final_sm_list[count_final_sm_list++] = tmp->list_id; @@ -1096,11 +1103,12 @@ SigMatch *RetrieveFPForSig(Signature *s) } else { SCLogDebug("sticking with mpm_sm"); } - } /* else - if */ - } /* for */ - } /* for */ + } + } + } - return mpm_sm; + s->mpm_sm = mpm_sm; + return; } /** \internal @@ -1767,7 +1775,7 @@ int DetectSetFastPatternAndItsId(DetectEngineCtx *de_ctx) * true size, since duplicates are removed below, but counted here. */ for (s = de_ctx->sig_list; s != NULL; s = s->next) { - s->mpm_sm = RetrieveFPForSig(s); + RetrieveFPForSig(s); if (s->mpm_sm != NULL) { DetectContentData *cd = (DetectContentData *)s->mpm_sm->ctx; struct_total_size += sizeof(DetectFPAndItsId); diff --git a/src/detect-engine-mpm.h b/src/detect-engine-mpm.h index 9984791c26..7231caf6ae 100644 --- a/src/detect-engine-mpm.h +++ b/src/detect-engine-mpm.h @@ -83,7 +83,7 @@ uint32_t DetectContentGetId(MpmPatternIdStore *, DetectContentData *); int SignatureHasPacketContent(const Signature *); int SignatureHasStreamContent(const Signature *); -SigMatch *RetrieveFPForSig(Signature *s); +void RetrieveFPForSig(Signature *s); int MpmStoreInit(DetectEngineCtx *); void MpmStoreFree(DetectEngineCtx *); diff --git a/src/detect.c b/src/detect.c index 9189b4612f..7a3f657538 100644 --- a/src/detect.c +++ b/src/detect.c 
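Review bot: The `return;` added after `s->mpm_sm = mpm_sm;` at the end of RetrieveFPForSig() (hunk at -1096) is redundant in a void function and can be dropped, leaving the assignment as the last statement. It looks as if mpm_sm can still be NULL at this point when the selection loop picked nothing; that is harmless because s->mpm_sm was NULL on entry, but a short comment such as `/* may be NULL if no candidate was selected */` would make that explicit. The start of the function and most of the selection loop are outside this hunk.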
@@ -357,7 +357,7 @@ static int DetectLoadSigFile(DetectEngineCtx *de_ctx, char *sig_file,
 sig = DetectEngineAppendSig(de_ctx, line);
 if (sig != NULL) {
 if (rule_engine_analysis_set || fp_engine_analysis_set) {
- sig->mpm_sm = RetrieveFPForSig(sig);
+ RetrieveFPForSig(sig);
 if (fp_engine_analysis_set) {
 EngineAnalysisFP(sig, line);
 }