We call packet and stream mpm as late as possible now. Won't affect the working of...
authorAnoop Saldanha <anoopsaldanha@gmail.com>
Thu, 15 Nov 2012 16:44:36 +0000 (22:14 +0530)
committerVictor Julien <victor@inliniac.net>
Fri, 21 Jun 2013 13:15:12 +0000 (15:15 +0200)
The rationale is that if a packet has been buffered to the GPU, we want to
delay processing that packet for as long as possible.

src/detect.c

index 58dd04ae47c7afad0cebd4d1d2bc8844c53bb50b..8dc611e7c5f23613c51727e7e81472f7e821c31c 100644 (file)
@@ -941,38 +941,9 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
         DetectEngineThreadCtx *det_ctx, StreamMsg *smsg, Packet *p,
         uint8_t flags, uint16_t alproto, void *alstate, uint8_t *sms_runflags)
 {
-    if (p->payload_len > 0 && (!(p->flags & PKT_NOPAYLOAD_INSPECTION))) {
-        if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_PACKET) {
-            /* run the multi packet matcher against the payload of the packet */
-            SCLogDebug("search: (%p, maxlen %" PRIu32 ", sgh->sig_cnt %" PRIu32 ")",
-                det_ctx->sgh, det_ctx->sgh->mpm_content_maxlen, det_ctx->sgh->sig_cnt);
-
-            PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_PACKET);
-            PacketPatternSearch(det_ctx, p);
-            PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_PACKET);
-
-            *sms_runflags |= SMS_USED_PM;
-        }
-        if (!(p->flags & PKT_STREAM_ADD) && (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_STREAM)) {
-            *sms_runflags |= SMS_USED_PM;
-            PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_PKT_STREAM);
-            PacketPatternSearchWithStreamCtx(det_ctx, p);
-            PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_PKT_STREAM);
-        }
-    }
-
     /* have a look at the reassembled stream (if any) */
     if (p->flowflags & FLOW_PKT_ESTABLISHED) {
         SCLogDebug("p->flowflags & FLOW_PKT_ESTABLISHED");
-        if (smsg != NULL && (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_STREAM)) {
-            PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_STREAM);
-            StreamPatternSearch(det_ctx, p, smsg, flags);
-            PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_STREAM);
-
-            *sms_runflags |= SMS_USED_STREAM_PM;
-        } else {
-            SCLogDebug("smsg NULL or no stream mpm for this sgh");
-        }
 
         /* all http based mpms */
         if (alstate != NULL && alproto == ALPROTO_HTTP) {
@@ -1099,9 +1070,39 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
 
             FLOWLOCK_UNLOCK(p->flow);
         }
+
+        if (smsg != NULL && (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_STREAM)) {
+            PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_STREAM);
+            StreamPatternSearch(det_ctx, p, smsg, flags);
+            PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_STREAM);
+
+            *sms_runflags |= SMS_USED_STREAM_PM;
+        } else {
+            SCLogDebug("smsg NULL or no stream mpm for this sgh");
+        }
     } else {
         SCLogDebug("NOT p->flowflags & FLOW_PKT_ESTABLISHED");
     }
+
+    if (p->payload_len > 0 && (!(p->flags & PKT_NOPAYLOAD_INSPECTION))) {
+        if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_PACKET) {
+            /* run the multi packet matcher against the payload of the packet */
+            SCLogDebug("search: (%p, maxlen %" PRIu32 ", sgh->sig_cnt %" PRIu32 ")",
+                det_ctx->sgh, det_ctx->sgh->mpm_content_maxlen, det_ctx->sgh->sig_cnt);
+
+            PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_PACKET);
+            PacketPatternSearch(det_ctx, p);
+            PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_PACKET);
+
+            *sms_runflags |= SMS_USED_PM;
+        }
+        if (!(p->flags & PKT_STREAM_ADD) && (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_STREAM)) {
+            *sms_runflags |= SMS_USED_PM;
+            PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_PKT_STREAM);
+            PacketPatternSearchWithStreamCtx(det_ctx, p);
+            PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_PKT_STREAM);
+        }
+    }
 }
 
 #ifdef DEBUG
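Review bot: The reason the packet and stream MPM searches now run at the end of DetectMpmPrefilter is recorded only in the commit message, so a later cleanup could move the `if (p->payload_len > 0 ...)` block back to the top without noticing it undoes the change. I would put a comment directly above that block, for example `/* packet and stream mpm run last on purpose: a pkt buffered to the gpu gets as much time as possible before we need its results */`. The existing `/* have a look at the reassembled stream (if any) */` comment stays at the top of the FLOW_PKT_ESTABLISHED branch (visible in the first hunk) and now precedes the HTTP MPMs, while the `StreamPatternSearch` call it described is at the bottom of the branch; moving it down above `if (smsg != NULL && ...)` would keep it accurate. As a style point, the two packet branches set `*sms_runflags |= SMS_USED_PM;` on opposite sides of the search call, and this move would have been a convenient place to make them match. The function body starts outside this hunk.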