From: Victor Julien
Date: Mon, 18 Aug 2014 11:51:40 +0000 (+0200)
Subject: Detect: create per sgh non-MPM rule array
X-Git-Tag: suricata-2.1beta3~48
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f5df526f9bd49c745ebc1d1bf06ba23fff8d9ff6;p=thirdparty%2Fsuricata.git

Detect: create per sgh non-MPM rule array

Array of rule id's that are not using MPM prefiltering. These will be merged with the MPM results array. Together these should lead to a list of all the rules that can possibly match.
---
diff --git a/src/detect-engine-siggroup.c b/src/detect-engine-siggroup.c
index 9c41831e07..3dc16d46b4 100644
--- a/src/detect-engine-siggroup.c
+++ b/src/detect-engine-siggroup.c
@@ -205,6 +205,12 @@ void SigGroupHeadFree(SigGroupHead *sgh)
 sgh->match_array = NULL;
 }
+ if (sgh->non_mpm_id_array != NULL) {
+ SCFree(sgh->non_mpm_id_array);
+ sgh->non_mpm_id_array = NULL;
+ sgh->non_mpm_id_cnt = 0;
+ }
+
 sgh->sig_cnt = 0;
 if (sgh->init != NULL) {
@@ -1696,6 +1702,49 @@ void SigGroupHeadSetFilestoreCount(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 return;
 }
+/* build an array of rule id's for sigs with no mpm */
+int SigGroupHeadBuildNonMpmArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
+{
+ Signature *s = NULL;
+ uint32_t sig = 0;
+ uint32_t non_mpm = 0;
+
+ if (sgh == NULL)
+ return 0;
+
+ BUG_ON(sgh->non_mpm_id_array != NULL);
+
+ for (sig = 0; sig < sgh->sig_cnt; sig++) {
+ s = sgh->match_array[sig];
+ if (s == NULL)
+ continue;
+
+ if (s->mpm_sm == NULL)
+ non_mpm++;
+ }
+
+ if (non_mpm == 0) {
+ sgh->non_mpm_id_array = NULL;
+ return 0;
+ }
+
+ sgh->non_mpm_id_array = SCMalloc(non_mpm * sizeof(uint32_t));
+ BUG_ON(sgh->non_mpm_id_array == NULL);
+ memset(sgh->non_mpm_id_array, 0, non_mpm * sizeof(uint32_t));
+
+ for (sig = 0; sig < sgh->sig_cnt; sig++) {
+ s = sgh->match_array[sig];
+ if (s == NULL)
+ continue;
+ if (s->mpm_sm != NULL)
+ continue;
+
+ BUG_ON(sgh->non_mpm_id_cnt >= non_mpm);
+ sgh->non_mpm_id_array[sgh->non_mpm_id_cnt++] = s->num;
+ }
+ return 0;
+}
+
 int SigGroupHeadBuildHeadArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
 Signature *s = NULL;
diff --git a/src/detect-engine-siggroup.h b/src/detect-engine-siggroup.h
index ff44aaf288..a9368ee19f 100644
--- a/src/detect-engine-siggroup.h
+++ b/src/detect-engine-siggroup.h
@@ -91,4 +91,6 @@ void SigGroupHeadSetFilestoreCount(DetectEngineCtx *, SigGroupHead *);
 void SigGroupHeadSetFileMd5Flag(DetectEngineCtx *, SigGroupHead *);
 void SigGroupHeadSetFilesizeFlag(DetectEngineCtx *, SigGroupHead *);
+int SigGroupHeadBuildNonMpmArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
+
 #endif /* __DETECT_ENGINE_SIGGROUP_H__ */
diff --git a/src/detect.c b/src/detect.c
index 9dd4b4e444..3082cad4be 100644
--- a/src/detect.c
+++ b/src/detect.c
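Review bot: In SigGroupHeadBuildNonMpmArray the SCMalloc() result is only guarded by `BUG_ON(sgh->non_mpm_id_array == NULL)`, so an allocation failure during rule loading aborts the process instead of being reported, even though the function returns int (and if BUG_ON can be compiled out in some build, which this hunk does not show, the following memset() would write through NULL). I would replace that line with `if (sgh->non_mpm_id_array == NULL) return -1;` and have the new call in the detect.c hunk (SigAddressPrepareStage4) test the result rather than discard it. The fill loop also assumes `sgh->non_mpm_id_cnt` is 0 on entry; only the array pointer is asserted, so adding `sgh->non_mpm_id_cnt = 0;` before the counting loop would keep array and count in agreement for whatever later merges this list with the MPM results. The `de_ctx` parameter is not used in the new function.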
@@ -4013,6 +4013,8 @@ int SigAddressPrepareStage4(DetectEngineCtx *de_ctx)
 SigGroupHeadSetFilesizeFlag(de_ctx, sgh);
 SigGroupHeadSetFilestoreCount(de_ctx, sgh);
 SCLogDebug("filestore count %u", sgh->filestore_cnt);
+
+ SigGroupHeadBuildNonMpmArray(de_ctx, sgh);
 }
 if (de_ctx->decoder_event_sgh != NULL) {
diff --git a/src/detect.h b/src/detect.h
index 04ea0d8b01..c5a8de1805 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -975,6 +975,9 @@ typedef struct SigGroupHead_ {
 * signatures to be inspected in a cache efficient way. */
 SignatureHeader *head_array;
+ uint32_t *non_mpm_id_array;
+ uint32_t non_mpm_id_cnt; // size is cnt * sizeof(uint32_t)
+
 /* pattern matcher instances */
 MpmCtx *mpm_proto_other_ctx;
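Review bot: The two fields added to SigGroupHead in the detect.h hunk carry no description beyond the trailing size remark, and nothing states which id space the array holds. Going by the detect-engine-siggroup.c hunk, the entries are `s->num` values of signatures whose `mpm_sm` is NULL, so I would put `/** internal ids (Signature num) of the sigs in this group that have no mpm pattern; built by SigGroupHeadBuildNonMpmArray(), freed in SigGroupHeadFree() */` above them and reword the trailing comment to `/**< number of entries in non_mpm_id_array */`. Naming the id space matters because the commit message says this array will be merged with the MPM results, and a consumer that assumed rule sids instead of internal numbers could skip or mis-select rules without any error. The struct definition starts and ends outside the hunk.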