detect: config opt to enable keyword prefilters

9 years ago · 125603871b
parent 36f713c8d4
commit 125603871b
4 changed files with 43 additions and 6 deletions
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@ -1335,6 +1335,24 @@ static int DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
        }
    }

+    de_ctx->prefilter_setting = DETECT_PREFILTER_MPM;
+    char *pf_setting = NULL;
+    if (ConfGet("detect.prefilter.default", &pf_setting) == 1 && pf_setting) {
+        if (strcasecmp(pf_setting, "mpm") == 0) {
+            de_ctx->prefilter_setting = DETECT_PREFILTER_MPM;
+        } else if (strcasecmp(pf_setting, "auto") == 0) {
+            de_ctx->prefilter_setting = DETECT_PREFILTER_AUTO;
+        }
+    }
+    switch (de_ctx->prefilter_setting) {
+        case DETECT_PREFILTER_MPM:
+            SCLogConfig("prefilter engines: MPM");
+            break;
+        case DETECT_PREFILTER_AUTO:
+            SCLogConfig("prefilter engines: MPM and keywords");
+            break;
+    }
+
    return 0;
 error:
    return -1;
--- a/src/detect.c
+++ b/src/detect.c
@ -3384,7 +3384,10 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx)

        RuleSetWhitelist(tmp_s);

-        if (!(tmp_s->flags & SIG_FLAG_PREFILTER)) {
+        /* if keyword engines are enabled in the config, handle them here */
+        if (de_ctx->prefilter_setting == DETECT_PREFILTER_AUTO &&
+            !(tmp_s->flags & SIG_FLAG_PREFILTER))
+        {
            int i;
            int prefilter_list = DETECT_TBLSIZE;

@ -3812,11 +3815,13 @@ int SigAddressPrepareStage4(DetectEngineCtx *de_ctx)

        BUG_ON(PatternMatchPrepareGroup(de_ctx, sgh) != 0);

-        int i = 0;
-        for (i = 0; i < DETECT_TBLSIZE; i++)
-        {
-            if (sigmatch_table[i].SetupPrefilter != NULL) {
-                sigmatch_table[i].SetupPrefilter(sgh);
+        if (de_ctx->prefilter_setting == DETECT_PREFILTER_AUTO) {
+            int i = 0;
+            for (i = 0; i < DETECT_TBLSIZE; i++)
+            {
+                if (sigmatch_table[i].SetupPrefilter != NULL) {
+                    sigmatch_table[i].SetupPrefilter(sgh);
+                }
            }
        }

--- a/src/detect.h
+++ b/src/detect.h
@ -550,6 +550,12 @@ typedef struct DetectEngineThreadKeywordCtxItem_ {
    const char *name; /* keyword name, for error printing */
 } DetectEngineThreadKeywordCtxItem;

+enum DetectEnginePrefilterSetting
+{
+    DETECT_PREFILTER_MPM = 0,   /**< use only mpm / fast_pattern */
+    DETECT_PREFILTER_AUTO = 1,  /**< use mpm + keyword prefilters */
+};
+
 /** \brief main detection engine ctx */
 typedef struct DetectEngineCtx_ {
    uint8_t flags;
@ -687,6 +693,8 @@ typedef struct DetectEngineCtx_ {
    /** id of loader thread 'owning' this de_ctx */
    int loader_id;

+    /** are we useing just mpm or also other prefilters */
+    enum DetectEnginePrefilterSetting prefilter_setting;

    HashListTable *dport_hash_table;

--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -1245,6 +1245,12 @@ detect:
  # is started. This will limit the downtime in IPS mode.
  #delayed-detect: yes

+  prefilter:
+    # default prefiltering setting. "mpm" only creates MPM/fast_pattern
+    # engines. "auto" also sets up prefilter engines for other keywords.
+    # Use --list-keywords=all to see which keywords support prefiltering.
+    default: mpm
+
  # the grouping values above control how many groups are created per
  # direction. Port whitelisting forces that port to get it's own group.
  # Very common ports will benefit, as well as ports with many expensive