mpm: improve SGH content len tracking

SGHs track content length for rule grouping.

This patch changes the logic to only consider the pattern that is
used in the mpm for a sig.
pull/1652/head
Victor Julien 11 years ago
parent e529ebb50e
commit 2716c78628

@ -998,6 +998,17 @@ void SigGroupHeadFreeMpmArrays(DetectEngineCtx *de_ctx)
return;
}
static uint16_t SignatureGetMpmPatternLen(Signature *s, int list)
{
if (s->sm_lists[list] != NULL && s->mpm_sm != NULL &&
SigMatchListSMBelongsTo(s, s->mpm_sm) == list)
{
DetectContentData *cd = (DetectContentData *)s->mpm_sm->ctx;
return cd->content_len;
}
return 0;
}
/**
* \brief Add a Signature to a SigGroupHead.
*
@ -1028,12 +1039,13 @@ int SigGroupHeadAppendSig(DetectEngineCtx *de_ctx, SigGroupHead **sgh,
/* update maxlen for mpm */
if (s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
/* check with the precalculated values from the sig */
if (s->mpm_content_maxlen > 0) {
uint16_t mpm_content_minlen = SignatureGetMpmPatternLen(s, DETECT_SM_LIST_PMATCH);
if (mpm_content_minlen > 0) {
if ((*sgh)->mpm_content_maxlen == 0)
(*sgh)->mpm_content_maxlen = s->mpm_content_maxlen;
(*sgh)->mpm_content_maxlen = mpm_content_minlen;
if ((*sgh)->mpm_content_maxlen > s->mpm_content_maxlen)
(*sgh)->mpm_content_maxlen = s->mpm_content_maxlen;
if ((*sgh)->mpm_content_maxlen > mpm_content_minlen)
(*sgh)->mpm_content_maxlen = mpm_content_minlen;
SCLogDebug("(%p)->mpm_content_maxlen %u", *sgh, (*sgh)->mpm_content_maxlen);
}
@ -1608,15 +1620,12 @@ uint16_t SigGroupHeadGetMinMpmSize(DetectEngineCtx *de_ctx,
s = sgh->match_array[sig];
if (s == NULL)
continue;
if (s->sm_lists[list] == NULL)
continue;
if (s->mpm_sm != NULL && SigMatchListSMBelongsTo(s, s->mpm_sm) == list)
{
DetectContentData *cd = (DetectContentData *)s->mpm_sm->ctx;
if (cd->content_len < min)
min = cd->content_len;
SCLogDebug("cd->content_len %u", cd->content_len);
uint16_t mpm_content_minlen = SignatureGetMpmPatternLen(s, DETECT_SM_LIST_PMATCH);
if (mpm_content_minlen > 0) {
if (mpm_content_minlen < min)
min = mpm_content_minlen;
SCLogDebug("mpm_content_minlen %u", mpm_content_minlen);
}
}
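Review bot: The call added in the SigGroupHeadGetMinMpmSize hunk hard-codes `DETECT_SM_LIST_PMATCH`, whereas the lines it appears to replace tested `s->sm_lists[list]` and `SigMatchListSMBelongsTo(s, s->mpm_sm) == list`, so the minimum would now come from the payload list regardless of which list the caller asked for. The +/- markers are lost on this page and the function signature is cut off in the hunk header, so this is inferred; if `list` is still a parameter, the call should read `uint16_t mpm_content_minlen = SignatureGetMpmPatternLen(s, list);`. Separately, the new helper SignatureGetMpmPatternLen casts `s->mpm_sm->ctx` and reads `cd->content_len` without the `cd == NULL` check that the loop removed from SigInitHelper had. Either add that guard or a comment such as `/* mpm_sm->ctx is always set for the fast pattern sm */`, if that invariant holds.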

@ -1345,7 +1345,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr,
uint8_t dir)
{
SigMatch *sm;
Signature *sig = SigAlloc();
if (sig == NULL)
goto error;
@ -1390,24 +1389,6 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr,
if (DetectAppLayerEventPrepare(sig) < 0)
goto error;
/* determine the length of the longest pattern in the sig */
if (sig->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
sig->mpm_content_maxlen = 0;
for (sm = sig->sm_lists[DETECT_SM_LIST_PMATCH]; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_CONTENT) {
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd == NULL)
continue;
if (sig->mpm_content_maxlen == 0)
sig->mpm_content_maxlen = cd->content_len;
if (sig->mpm_content_maxlen < cd->content_len)
sig->mpm_content_maxlen = cd->content_len;
}
}
}
/* set the packet and app layer flags, but only if the
* app layer flag wasn't already set in which case we
* only consider the app layer */
@ -3250,11 +3231,6 @@ int SigParseTestMpm01 (void)
goto end;
}
if (sig->mpm_content_maxlen != 4) {
printf("mpm content max len %"PRIu16", expected 4: ", sig->mpm_content_maxlen);
goto end;
}
result = 1;
end:
if (sig != NULL)
@ -3286,11 +3262,6 @@ int SigParseTestMpm02 (void)
goto end;
}
if (sig->mpm_content_maxlen != 6) {
printf("mpm content max len %"PRIu16", expected 6: ", sig->mpm_content_maxlen);
goto end;
}
result = 1;
end:
if (sig != NULL)

@ -9792,10 +9792,6 @@ static int SigTestSgh01 (void)
printf("internal id != 0: ");
goto end;
}
if (de_ctx->sig_list->mpm_content_maxlen != 3) {
printf("de_ctx->sig_list->mpm_content_maxlen %u, expected 3: ", de_ctx->sig_list->mpm_content_maxlen);
goto end;
}
de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 81 (msg:\"2\"; content:\"two\"; content:\"abcd\"; sid:2;)");
if (de_ctx->sig_list->next == NULL) {
@ -9806,10 +9802,6 @@ static int SigTestSgh01 (void)
printf("internal id != 1: ");
goto end;
}
if (de_ctx->sig_list->next->mpm_content_maxlen != 4) {
printf("de_ctx->sig_list->mpm_content_maxlen %u, expected 4: ", de_ctx->sig_list->next->mpm_content_maxlen);
goto end;
}
de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"3\"; content:\"three\"; sid:3;)");
if (de_ctx->sig_list->next->next == NULL) {
@ -9820,10 +9812,6 @@ static int SigTestSgh01 (void)
printf("internal id != 2: ");
goto end;
}
if (de_ctx->sig_list->next->next->mpm_content_maxlen != 5) {
printf("de_ctx->sig_list->next->next->mpm_content_maxlen %u, expected 5: ", de_ctx->sig_list->next->next->mpm_content_maxlen);
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

@ -450,10 +450,6 @@ typedef struct Signature_ {
/* the fast pattern added from this signature */
SigMatch *mpm_sm;
/* track max length for content. Indirectly used in grouping:
* used to set SigGroupHead::mpm_content_maxlen */
uint16_t mpm_content_maxlen;
/* SigMatch list used for adding content and friends. E.g. file_data; */
int list;
