From 125603871bf80149d593099741c8b695e316acb7 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 26 Aug 2016 16:10:59 +0200
Subject: [PATCH] detect: config opt to enable keyword prefilters
---
 src/detect-engine.c | 18 ++++++++++++++++++
 src/detect.c | 17 +++++++++++------
 src/detect.h | 8 ++++++++
 suricata.yaml.in | 6 ++++++
 4 files changed, 43 insertions(+), 6 deletions(-)
diff --git a/src/detect-engine.c b/src/detect-engine.c
index f734abb975..6171e5e1fc 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -1335,6 +1335,24 @@ static int DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
 }
 }
+ de_ctx->prefilter_setting = DETECT_PREFILTER_MPM;
+ char *pf_setting = NULL;
+ if (ConfGet("detect.prefilter.default", &pf_setting) == 1 && pf_setting) {
+ if (strcasecmp(pf_setting, "mpm") == 0) {
+ de_ctx->prefilter_setting = DETECT_PREFILTER_MPM;
+ } else if (strcasecmp(pf_setting, "auto") == 0) {
+ de_ctx->prefilter_setting = DETECT_PREFILTER_AUTO;
+ }
+ }
+ switch (de_ctx->prefilter_setting) {
+ case DETECT_PREFILTER_MPM:
+ SCLogConfig("prefilter engines: MPM");
+ break;
+ case DETECT_PREFILTER_AUTO:
+ SCLogConfig("prefilter engines: MPM and keywords");
+ break;
+ }
+
 return 0;
 error:
 return -1;
diff --git a/src/detect.c b/src/detect.c
index 497f9026db..a6a88bb688 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -3384,7 +3384,10 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx)
 RuleSetWhitelist(tmp_s);
- if (!(tmp_s->flags & SIG_FLAG_PREFILTER)) {
+ /* if keyword engines are enabled in the config, handle them here */
+ if (de_ctx->prefilter_setting == DETECT_PREFILTER_AUTO &&
+ !(tmp_s->flags & SIG_FLAG_PREFILTER))
+ {
 int i;
 int prefilter_list = DETECT_TBLSIZE;
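Review bot: An unrecognized `detect.prefilter.default` value is silently mapped to MPM by the added ConfGet block, so a typo in the YAML turns keyword prefilters off with no trace in the log; a final branch should say so, e.g. `} else { SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY, "unknown detect.prefilter.default value \"%s\", using \"mpm\"", pf_setting); }`. Since `de_ctx->prefilter_setting = DETECT_PREFILTER_MPM;` already sets the default before the lookup, the explicit `mpm` branch can stay for readability but is not what makes that value work. DetectEngineCtxLoadConf begins before this hunk.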
@@ -3812,11 +3815,13 @@ int SigAddressPrepareStage4(DetectEngineCtx *de_ctx)
 BUG_ON(PatternMatchPrepareGroup(de_ctx, sgh) != 0);
- int i = 0;
- for (i = 0; i < DETECT_TBLSIZE; i++)
- {
- if (sigmatch_table[i].SetupPrefilter != NULL) {
- sigmatch_table[i].SetupPrefilter(sgh);
+ if (de_ctx->prefilter_setting == DETECT_PREFILTER_AUTO) {
+ int i = 0;
+ for (i = 0; i < DETECT_TBLSIZE; i++)
+ {
+ if (sigmatch_table[i].SetupPrefilter != NULL) {
+ sigmatch_table[i].SetupPrefilter(sgh);
+ }
 }
 }
diff --git a/src/detect.h b/src/detect.h
index 9b70c7c7b7..a725e056cd 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -550,6 +550,12 @@ typedef struct DetectEngineThreadKeywordCtxItem_ {
 const char *name; /* keyword name, for error printing */
 } DetectEngineThreadKeywordCtxItem;
+enum DetectEnginePrefilterSetting
+{
+ DETECT_PREFILTER_MPM = 0, /**< use only mpm / fast_pattern */
+ DETECT_PREFILTER_AUTO = 1, /**< use mpm + keyword prefilters */
+};
+
 /** \brief main detection engine ctx */
 typedef struct DetectEngineCtx_ {
 uint8_t flags;
@@ -687,6 +693,8 @@ typedef struct DetectEngineCtx_ {
 /** id of loader thread 'owning' this de_ctx */
 int loader_id;
+ /** are we useing just mpm or also other prefilters */
+ enum DetectEnginePrefilterSetting prefilter_setting;
 HashListTable *dport_hash_table;
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 69dfbdaec8..a0a78eeb08 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -1245,6 +1245,12 @@ detect:
 # is started. This will limit the downtime in IPS mode.
 #delayed-detect: yes
+ prefilter:
+ # default prefiltering setting. "mpm" only creates MPM/fast_pattern
+ # engines. "auto" also sets up prefilter engines for other keywords.
+ # Use --list-keywords=all to see which keywords support prefiltering.
+ default: mpm
+
 # the grouping values above control how many groups are created per
 # direction. Port whitelisting forces that port to get it's own group.
 # Very common ports will benefit, as well as ports with many expensive
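Review bot: Gating the entire SetupPrefilter loop on DETECT_PREFILTER_AUTO means that under the default `mpm` setting no keyword prefilter engine is attached to any rule group, whereas the Stage1 hunk only keeps signatures carrying SIG_FLAG_PREFILTER out of the automatic selection. If a signature's explicit opt-in is meant to keep working under `mpm`, that appears to be lost here unless it is handled somewhere outside this diff; the gate would then need to be lifted for groups containing such a signature rather than applied wholesale. Either way a one-line comment on the new `if`, such as `/* keyword prefilter engines are only built when the config enables them */`, would make the intent explicit. SigAddressPrepareStage4 begins before and continues after this hunk.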
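Review bot: The new enum DetectEnginePrefilterSetting has no doc comment saying where its value comes from, so a reader of detect.h cannot connect it to the YAML option. Suggest adding `/** \brief prefilter engine selection, loaded from detect.prefilter.default by DetectEngineCtxLoadConf() */` above the `enum` line, matching the `\brief` style used on the struct below it.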
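Review bot: The comment on the new prefilter_setting member has a typo ("useing") and does not point at the enum that defines its values. Suggest `/** are we using just mpm or also other prefilters, see DetectEnginePrefilterSetting */`.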
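Review bot: The new comment block does not say what happens for values other than "mpm" and "auto"; the loader compares case-insensitively and falls back to mpm with no message, which someone editing this file would want to know. Suggest adding `# Any other value is treated as "mpm".` after the `--list-keywords=all` line.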