aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

yaml: convert detect-engine to just detect

Browse Source 
Instead of detect-engine which used a list for no good reason, use a
simple map now.

detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000
  # If set to yes, the loading of signatures will be made after the capture
  # is started. This will limit the downtime in IPS mode.
  #delayed-detect: yes
pull/1980/head
Victor Julien 9 years ago
parent ac2c206359
commit 725d6c3739
3 changed files with 105 additions and 79 deletions
Show Stats Download Patch File Download Diff File

144
src/detect-engine.c
Unescape Escape View File

@ -104,7 +104,7 @@ static uint32_t detect_engine_ctx_id = 1;
static DetectEngineThreadCtx *DetectEngineThreadCtxInitForReload(
ThreadVars *tv, DetectEngineCtx *new_de_ctx, int mt);
static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *);
static int DetectEngineCtxLoadConf(DetectEngineCtx *);
static DetectEngineMasterCtx g_master_de_ctx = { SCMUTEX_INITIALIZER, 0, NULL, NULL, TENANT_SELECTOR_UNKNOWN, NULL,};
@ -809,11 +809,6 @@ static DetectEngineCtx *DetectEngineCtxInitReal(int minimal, const char *prefix)
{
DetectEngineCtx *de_ctx;
ConfNode *seq_node = NULL;
ConfNode *insp_recursion_limit_node = NULL;
ConfNode *de_engine_node = NULL;
char *insp_recursion_limit = NULL;
de_ctx = SCMalloc(sizeof(DetectEngineCtx));
if (unlikely(de_ctx == NULL))
goto error;
@ -834,39 +829,6 @@ static DetectEngineCtx *DetectEngineCtxInitReal(int minimal, const char *prefix)
SCLogDebug("ConfGetBool could not load the value.");
}
de_engine_node = ConfGetNode("detect-engine");
if (de_engine_node != NULL) {
TAILQ_FOREACH(seq_node, &de_engine_node->head, next) {
if (strcmp(seq_node->val, "inspection-recursion-limit") != 0)
continue;
insp_recursion_limit_node = ConfNodeLookupChild(seq_node, seq_node->val);
if (insp_recursion_limit_node == NULL) {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Error retrieving conf "
"entry for detect-engine:inspection-recursion-limit");
break;
}
insp_recursion_limit = insp_recursion_limit_node->val;
SCLogDebug("Found detect-engine:inspection-recursion-limit - %s:%s",
insp_recursion_limit_node->name, insp_recursion_limit_node->val);
break;
}
}
if (insp_recursion_limit != NULL) {
de_ctx->inspection_recursion_limit = atoi(insp_recursion_limit);
} else {
de_ctx->inspection_recursion_limit =
DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT;
}
if (de_ctx->inspection_recursion_limit == 0)
de_ctx->inspection_recursion_limit = -1;
SCLogDebug("de_ctx->inspection_recursion_limit: %d",
de_ctx->inspection_recursion_limit);
de_ctx->mpm_matcher = PatternMatchDefaultMatcher();
DetectEngineCtxLoadConf(de_ctx);
@ -1006,25 +968,32 @@ void DetectEngineCtxFree(DetectEngineCtx *de_ctx)
* \retval 0 if no config provided, 1 if config was provided
* and loaded successfuly
*/
static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
static int DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
{
uint8_t profile = ENGINE_PROFILE_UNKNOWN;
char *max_uniq_toclient_groups_str = NULL;
char *max_uniq_toserver_groups_str = NULL;
char *sgh_mpm_context = NULL;
char *de_ctx_profile = NULL;
const char *max_uniq_toclient_groups_str = NULL;
const char *max_uniq_toserver_groups_str = NULL;
char *sgh_mpm_context = NULL;
(void)ConfGet("detect.profile", &de_ctx_profile);
(void)ConfGet("detect.sgh-mpm-context", &sgh_mpm_context);
ConfNode *de_ctx_custom = ConfGetNode("detect-engine");
ConfNode *opt = NULL;
if (de_ctx_custom != NULL) {
TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
if (strcmp(opt->val, "profile") == 0) {
de_ctx_profile = opt->head.tqh_first->val;
} else if (strcmp(opt->val, "sgh-mpm-context") == 0) {
sgh_mpm_context = opt->head.tqh_first->val;
if (de_ctx_profile == NULL) {
if (strcmp(opt->val, "profile") == 0) {
de_ctx_profile = opt->head.tqh_first->val;
}
}
if (sgh_mpm_context == NULL) {
if (strcmp(opt->val, "sgh-mpm-context") == 0) {
sgh_mpm_context = opt->head.tqh_first->val;
}
}
}
}
@ -1089,6 +1058,7 @@ static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
de_ctx->sgh_mpm_context = ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL;
}
/* parse profile custom-values */
opt = NULL;
switch (profile) {
case ENGINE_PROFILE_LOW:
@ -1102,12 +1072,23 @@ static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
break;
case ENGINE_PROFILE_CUSTOM:
TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
if (strcmp(opt->val, "custom-values") == 0) {
max_uniq_toclient_groups_str = ConfNodeLookupChildValue
(opt->head.tqh_first, "toclient-groups");
max_uniq_toserver_groups_str = ConfNodeLookupChildValue
(opt->head.tqh_first, "toserver-groups");
(void)ConfGet("detect.custom-values.toclient-groups",
&max_uniq_toclient_groups_str);
(void)ConfGet("detect.custom-values.toserver-groups",
&max_uniq_toserver_groups_str);
if (de_ctx_custom != NULL) {
TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
if (strcmp(opt->val, "custom-values") == 0) {
if (max_uniq_toclient_groups_str == NULL) {
max_uniq_toclient_groups_str = (char *)ConfNodeLookupChildValue
(opt->head.tqh_first, "toclient-groups");
}
if (max_uniq_toserver_groups_str == NULL) {
max_uniq_toserver_groups_str = (char *)ConfNodeLookupChildValue
(opt->head.tqh_first, "toserver-groups");
}
}
}
}
if (max_uniq_toclient_groups_str != NULL) {
@ -1151,9 +1132,58 @@ static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
break;
}
if (profile == ENGINE_PROFILE_UNKNOWN)
return 0;
return 1;
if (profile == ENGINE_PROFILE_UNKNOWN) {
goto error;
}
intmax_t value = 0;
if (ConfGetInt("detect.inspection-recursion-limit", &value) == 1)
{
if (value >= 0 && value <= INT_MAX) {
de_ctx->inspection_recursion_limit = (int)value;
}
/* fall back to old config parsing */
} else {
ConfNode *insp_recursion_limit_node = NULL;
char *insp_recursion_limit = NULL;
if (de_ctx_custom != NULL) {
opt = NULL;
TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
if (strcmp(opt->val, "inspection-recursion-limit") != 0)
continue;
insp_recursion_limit_node = ConfNodeLookupChild(opt, opt->val);
if (insp_recursion_limit_node == NULL) {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Error retrieving conf "
"entry for detect-engine:inspection-recursion-limit");
break;
}
insp_recursion_limit = insp_recursion_limit_node->val;
SCLogDebug("Found detect-engine.inspection-recursion-limit - %s:%s",
insp_recursion_limit_node->name, insp_recursion_limit_node->val);
break;
}
if (insp_recursion_limit != NULL) {
de_ctx->inspection_recursion_limit = atoi(insp_recursion_limit);
} else {
de_ctx->inspection_recursion_limit =
DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT;
}
}
}
if (de_ctx->inspection_recursion_limit == 0)
de_ctx->inspection_recursion_limit = -1;
SCLogDebug("de_ctx->inspection_recursion_limit: %d",
de_ctx->inspection_recursion_limit);
return 0;
error:
return -1;
}
/*

14
src/suricata.c
Unescape Escape View File

@ -1985,12 +1985,14 @@ static void SetupDelayedDetect(SCInstance *suri)
if (suri->offline) {
suri->delayed_detect = 0;
} else {
ConfNode *denode = NULL;
ConfNode *decnf = ConfGetNode("detect-engine");
if (decnf != NULL) {
TAILQ_FOREACH(denode, &decnf->head, next) {
if (strcmp(denode->val, "delayed-detect") == 0) {
(void)ConfGetChildValueBool(denode, "delayed-detect", &suri->delayed_detect);
if (ConfGetBool("detect.delayed-detect", &suri->delayed_detect) != 1) {
ConfNode *denode = NULL;
ConfNode *decnf = ConfGetNode("detect-engine");
if (decnf != NULL) {
TAILQ_FOREACH(denode, &decnf->head, next) {
if (strcmp(denode->val, "delayed-detect") == 0) {
(void)ConfGetChildValueBool(denode, "delayed-detect", &suri->delayed_detect);
}
}
}
}

26
suricata.yaml.in
Unescape Escape View File

@ -591,22 +591,16 @@ legacy:
# might end up taking too much time in the content inspection code.
# If the argument specified is 0, the engine uses an internally defined
# default limit. On not specifying a value, we use no limits on the recursion.
detect-engine:
- profile: medium
- custom-values:
toclient-src-groups: 2
toclient-dst-groups: 2
toclient-sp-groups: 2
toclient-dp-groups: 3
toserver-src-groups: 2
toserver-dst-groups: 4
toserver-sp-groups: 2
toserver-dp-groups: 25
- sgh-mpm-context: auto
- inspection-recursion-limit: 3000
detect:
profile: medium
custom-values:
toclient-groups: 3
toserver-groups: 25
sgh-mpm-context: auto
inspection-recursion-limit: 3000
# If set to yes, the loading of signatures will be made after the capture
# is started. This will limit the downtime in IPS mode.
#- delayed-detect: yes
#delayed-detect: yes
profiling:
# Log the rules that made it past the prefilter stage, per packet
@ -706,8 +700,8 @@ cuda:
# ac, ac-bs and ac-gfbs.
#
# The mpm you choose also decides the distribution of mpm contexts for
# signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
# signature groups, specified by the conf - "detect.sgh-mpm-context".
# Selecting "ac" as the mpm would require "detect.sgh-mpm-context"
# to be set to "single", because of ac's memory requirements, unless the
# ruleset is small enough to fit in one's memory, in which case one can
# use "full" with "ac". Rest of the mpms can be run in "full" mode.

Write Preview
Loading…
Cancel
Save