From: Anoop Saldanha
Date: Thu, 15 Nov 2012 16:44:36 +0000 (+0530)
Subject: We call packet and stream mpm as late as possible now. Won't affect the working of...
X-Git-Tag: suricata-2.0beta1~105
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=557cab3dc9da097396856f218fe02c66c7547de5;p=thirdparty%2Fsuricata.git

We call packet and stream mpm as late as possible now. Won't affect the working of the engine. The rationale behind this is, if we have pkt buffered to the gpu, we'd want to delay processing the pkt as much as possible.
---
diff --git a/src/detect.c b/src/detect.c
index 58dd04ae47..8dc611e7c5 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -941,38 +941,9 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
 DetectEngineThreadCtx *det_ctx, StreamMsg *smsg, Packet *p, uint8_t flags, uint16_t alproto, void *alstate, uint8_t *sms_runflags) {
- if (p->payload_len > 0 && (!(p->flags & PKT_NOPAYLOAD_INSPECTION))) {
- if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_PACKET) {
- /* run the multi packet matcher against the payload of the packet */
- SCLogDebug("search: (%p, maxlen %" PRIu32 ", sgh->sig_cnt %" PRIu32 ")",
- det_ctx->sgh, det_ctx->sgh->mpm_content_maxlen, det_ctx->sgh->sig_cnt);
-
- PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_PACKET);
- PacketPatternSearch(det_ctx, p);
- PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_PACKET);
-
- *sms_runflags |= SMS_USED_PM;
- }
- if (!(p->flags & PKT_STREAM_ADD) && (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_STREAM)) {
- *sms_runflags |= SMS_USED_PM;
- PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_PKT_STREAM);
- PacketPatternSearchWithStreamCtx(det_ctx, p);
- PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_PKT_STREAM);
- }
- }
-
 /* have a look at the reassembled stream (if any) */
 if (p->flowflags & FLOW_PKT_ESTABLISHED) {
 SCLogDebug("p->flowflags & FLOW_PKT_ESTABLISHED");
- if (smsg != NULL && (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_STREAM)) {
- PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_STREAM);
- StreamPatternSearch(det_ctx, p, smsg, flags);
- PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_STREAM);
-
- *sms_runflags |= SMS_USED_STREAM_PM;
- } else {
- SCLogDebug("smsg NULL or no stream mpm for this sgh");
- }
 /* all http based mpms */
 if (alstate != NULL && alproto == ALPROTO_HTTP) {
@@ -1099,9 +1070,39 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
 FLOWLOCK_UNLOCK(p->flow);
 }
+
+ if (smsg != NULL && (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_STREAM)) {
+ PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_STREAM);
+ StreamPatternSearch(det_ctx, p, smsg, flags);
+ PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_STREAM);
+
+ *sms_runflags |= SMS_USED_STREAM_PM;
+ } else {
+ SCLogDebug("smsg NULL or no stream mpm for this sgh");
+ }
 } else {
 SCLogDebug("NOT p->flowflags & FLOW_PKT_ESTABLISHED");
 }
+
+ if (p->payload_len > 0 && (!(p->flags & PKT_NOPAYLOAD_INSPECTION))) {
+ if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_PACKET) {
+ /* run the multi packet matcher against the payload of the packet */
+ SCLogDebug("search: (%p, maxlen %" PRIu32 ", sgh->sig_cnt %" PRIu32 ")",
+ det_ctx->sgh, det_ctx->sgh->mpm_content_maxlen, det_ctx->sgh->sig_cnt);
+
+ PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_PACKET);
+ PacketPatternSearch(det_ctx, p);
+ PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_PACKET);
+
+ *sms_runflags |= SMS_USED_PM;
+ }
+ if (!(p->flags & PKT_STREAM_ADD) && (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_STREAM)) {
+ *sms_runflags |= SMS_USED_PM;
+ PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_PKT_STREAM);
+ PacketPatternSearchWithStreamCtx(det_ctx, p);
+ PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_PKT_STREAM);
+ }
+ }
 }
 #ifdef DEBUG
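Review bot: The two relocated blocks (the `StreamPatternSearch` call placed after `FLOWLOCK_UNLOCK(p->flow)` and the packet-payload block placed after the `FLOW_PKT_ESTABLISHED` if/else) carry no comment saying their position is deliberate, so the GPU rationale lives only in the commit message and a later cleanup could move them back to the top. A short comment above each would record it, e.g. `/* stream and packet mpm run last on purpose: the packet may still be buffered for the gpu, so we ask for results as late as possible */`. The claim that the new order does not change matching holds only if none of the HTTP mpm calls now running first read or reset the match state or `*sms_runflags` bits that these searches fill; that code is outside the hunk, so it is worth confirming, because a prefilter that silently loses matches means the affected signatures are never evaluated. DetectMpmPrefilter begins above this hunk.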