git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <victor@inliniac.net>
	Tue, 14 Sep 2021 08:35:18 +0000 (10:35 +0200)
committer	Victor Julien <victor@inliniac.net>
	Fri, 17 Sep 2021 08:38:40 +0000 (10:38 +0200)
commit	932cf0b6a6ad1d34fffe8dd92c14b5bc32c9f6fe
tree	fc94b6bb0dd0bb01cfd543c679be6aefeaaacc10	tree
parent	9a09fe454b846dd2cd42adaa4b569314ad083bdb	commit \| diff

detect: track prefilter by progress, not engine

Fix FNs in case of too many prefilter engines. A transaction was tracking
which engines have run using a u64 bit array. The engines 'local_id' was
used to set and check this bit. However the bit checking code didn't
handle int types correctly, leading to an incorrect left shift result of
a u32 to a u64 bit value.

This commit addresses that by fixing the int handling, but also by
changing how the engines are tracked.

To avoid wasting prefilter engine tracking bit space, track what
ran by the progress they are registered at, instead of the individual
engine id's. While we can have many engines, the protocols use far
fewer unique progress values. So instead of tracking for dozens of
prefilter id's, we track for the handful of progress values.

To allow for this the engine array is sorted by tx_min_progress, then
app_proto and finally local_id. A new field is added to "know" when
the last relevant engine for a progress value is reached, so that we
can set the prefilter bit then.

A consquence is that the progress values have a ceiling now that
needs to fit in a 64 bit bitarray. The values used by parsers currently
does not exceed 5, so that seems to be ok.

Bug: #4685.

src/detect-engine-prefilter.c		diff \| blob \| blame \| history
src/detect.c		diff \| blob \| blame \| history
src/detect.h		diff \| blob \| blame \| history