Adding Boyer Moore context to content patterns, should speed up the search

src/detect-content.c

@@ -17,6 +17,7 @@
 #include "util-unittest.h"
 #include "util-print.h"
 #include "util-debug.h"
+#include "util-spm-bm.h"
 #include "threads.h"
 
 int DetectContentMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
@@ -198,6 +199,9 @@ DetectContentData *DetectContentParse (char *contentstr)
 
     memcpy(cd->content, str, len);
     cd->content_len = len;
+
+    /* Prepare Boyer Moore context for searching faster */
+    cd->bm_ctx = BoyerMooreCtxInit(cd->content, cd->content_len);
     cd->depth = 0;
     cd->offset = 0;
     cd->within = 0;

src/detect-content.h

@@ -21,12 +21,15 @@
                                        (c)->depth > 0 || \
                                        (c)->within > 0))
 
+#include "util-spm-bm.h"
+
 typedef struct DetectContentData_ {
     uint8_t *content;   /**< ptr to chunk of memory containing the pattern */
     uint8_t content_len;/**< length of the pattern (and size of the memory) */
 
     uint32_t id;        /**< unique pattern id */
 
+    BmCtx *bm_ctx;
     uint16_t depth;
     uint16_t offset;
     /** distance from the last match this match should start.

src/detect-engine-payload.c

@@ -17,6 +17,7 @@
 #include "detect-bytejump.h"
 
 #include "util-spm.h"
+#include "util-spm-bm.h"
 #include "util-debug.h"
 #include "util-print.h"
 
@@ -159,9 +160,9 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx,
 
                 /* do the actual search */
                 if (cd->flags & DETECT_CONTENT_NOCASE)
-                    found = SpmNocaseSearch(spayload, spayload_len, cd->content, cd->content_len);
+                    found = BoyerMooreNocase(cd->content, cd->content_len, spayload, spayload_len, cd->bm_ctx->bmGs, cd->bm_ctx->bmBc);
                 else
-                    found = SpmSearch(spayload, spayload_len, cd->content, cd->content_len);
+                    found = BoyerMoore(cd->content, cd->content_len, spayload, spayload_len, cd->bm_ctx->bmGs, cd->bm_ctx->bmBc);
 
                 /* next we evaluate the result in combination with the
                  * negation flag. */

src/util-spm-bm.c

@@ -14,10 +14,41 @@
 #include "suricata-common.h"
 #include "suricata.h"
 #include "util-spm-bm.h"
+#include "util-debug.h"
+#include "util-error.h"
 #include <time.h>
 #include <limits.h>
 #include <string.h>
 
+/**
+ * \brief Setup a Booyer More context.
+ *
+ * \param str pointer to the pattern string
+ * \param size length of the string
+ * \retval BmCtx pointer to the newly created Context for the pattern
+ */
+BmCtx *BoyerMooreCtxInit(uint8_t *needle, uint32_t needle_len) {
+    BmCtx *new = SCMalloc(sizeof(BmCtx));
+    if (new == NULL) {
+        SCLogError(SC_ERR_MEM_ALLOC, "Error allocating a BmCtx");
+        exit(EXIT_FAILURE);
+    }
+
+    /* Prepare bad chars */
+    PreBmBc(needle, needle_len, new->bmBc);
+
+    new->bmGs = SCMalloc(sizeof(int32_t) * (needle_len + 1));
+    if (new->bmGs == NULL) {
+        SCLogError(SC_ERR_MEM_ALLOC, "Error allocating a BmCtx");
+        exit(EXIT_FAILURE);
+    }
+
+    /* Prepare good Suffixes */
+    PreBmGs(needle, needle_len, new->bmGs);
+
+    return new;
+}
+
 /**
  * \brief Array setup function for bad characters that split the pattern
  *        Remember that the result array should be the length of ALPHABET_SIZE

src/util-spm-bm.h

@@ -6,6 +6,15 @@
 
 #define ALPHABET_SIZE 256
 
+/* Context for booyer moore */
+typedef struct BmCtx_ {
+    int32_t bmBc[ALPHABET_SIZE];
+    int32_t *bmGs; // = SCMalloc(sizeof(int32_t)*(needlelen + 1));
+}BmCtx;
+
+/** Prepare and return a Boyer Moore context */
+BmCtx *BoyerMooreCtxInit(uint8_t *needle, uint32_t needle_len);
+
 inline void PreBmBc(const uint8_t *x, int32_t m, int32_t *bmBc);
 inline void BoyerMooreSuffixes(const uint8_t *x, int32_t m, int32_t *suff);
 inline void PreBmGs(const uint8_t *x, int32_t m, int32_t *bmGs);