aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect/threshold: Improve threshold.config perf

Browse Source 
This commit improves performance when parsing threshold.config by
removing a loop-invariant to create a one-time object with the parsed
address(es).

Then, as needed, copies of this object are made as the suppression
rule(s) are processed.
pull/6038/head
Jeff Lucovsky 4 years ago committed by Victor Julien
parent e873632a28
commit 02ceac8b8d
1 changed files with 30 additions and 47 deletions
Show Stats Download Patch File Download Diff File

77
src/util-threshold-config.c
Unescape Escape View File

@ -306,6 +306,25 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
BUG_ON(parsed_type != TYPE_SUPPRESS);
DetectThresholdData *orig_de = NULL;
if (parsed_track != TRACK_RULE) {
orig_de = SCCalloc(1, sizeof(DetectThresholdData));
if (unlikely(orig_de == NULL))
goto error;
orig_de->type = TYPE_SUPPRESS;
orig_de->track = parsed_track;
orig_de->count = parsed_count;
orig_de->seconds = parsed_seconds;
orig_de->new_action = parsed_new_action;
orig_de->timeout = parsed_timeout;
if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &orig_de->addrs, (char *)th_ip) <
0) {
SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
goto error;
}
}
/* Install it */
if (id == 0 && gid == 0) {
if (parsed_track == TRACK_RULE) {
@ -320,24 +339,9 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
continue;
}
de = SCMalloc(sizeof(DetectThresholdData));
de = DetectThresholdDataCopy(orig_de);
if (unlikely(de == NULL))
goto error;
memset(de,0,sizeof(DetectThresholdData));
de->type = TYPE_SUPPRESS;
de->track = parsed_track;
de->count = parsed_count;
de->seconds = parsed_seconds;
de->new_action = parsed_new_action;
de->timeout = parsed_timeout;
if (parsed_track != TRACK_RULE) {
if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) < 0) {
SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
goto error;
}
}
sm = SigMatchAlloc();
if (sm == NULL) {
@ -364,26 +368,10 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
continue;
}
de = SCMalloc(sizeof(DetectThresholdData));
de = DetectThresholdDataCopy(orig_de);
if (unlikely(de == NULL))
goto error;
memset(de,0,sizeof(DetectThresholdData));
de->type = TYPE_SUPPRESS;
de->track = parsed_track;
de->count = parsed_count;
de->seconds = parsed_seconds;
de->new_action = parsed_new_action;
de->timeout = parsed_timeout;
if (parsed_track != TRACK_RULE) {
if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) < 0) {
SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
goto error;
}
}
sm = SigMatchAlloc();
if (sm == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Error allocating SigMatch");
@ -411,22 +399,9 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
goto end;
}
de = SCMalloc(sizeof(DetectThresholdData));
de = DetectThresholdDataCopy(orig_de);
if (unlikely(de == NULL))
goto error;
memset(de,0,sizeof(DetectThresholdData));
de->type = TYPE_SUPPRESS;
de->track = parsed_track;
de->count = parsed_count;
de->seconds = parsed_seconds;
de->new_action = parsed_new_action;
de->timeout = parsed_timeout;
if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) < 0) {
SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
goto error;
}
sm = SigMatchAlloc();
if (sm == NULL) {
@ -442,8 +417,16 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
}
end:
if (orig_de != NULL) {
DetectAddressHeadCleanup(&orig_de->addrs);
SCFree(orig_de);
}
return 0;
error:
if (orig_de != NULL) {
DetectAddressHeadCleanup(&orig_de->addrs);
SCFree(orig_de);
}
if (de != NULL) {
DetectAddressHeadCleanup(&de->addrs);
SCFree(de);

Write Preview
Loading…
Cancel
Save