Enable spm inspection with precooked pattern contexts on content, uricontent and http_client_body (we will also add this to http_header when it gets commited)

16 years ago · 86185ecd97
parent 227fe516a0
commit 86185ecd97
6 changed files with 25 additions and 8 deletions
--- a/src/detect-content.h
+++ b/src/detect-content.h
@ -29,7 +29,6 @@ typedef struct DetectContentData_ {

    uint32_t id;        /**< unique pattern id */

-    BmCtx *bm_ctx;
    uint16_t depth;
    uint16_t offset;
    /** distance from the last match this match should start.
@ -37,6 +36,9 @@ typedef struct DetectContentData_ {
    int32_t distance;
    int32_t within;
    uint8_t flags;
+
+    BmCtx *bm_ctx;     /**< Boyer Moore context (for spm search) */
+
 } DetectContentData;

 /* prototypes */
--- a/src/detect-engine-uri.c
+++ b/src/detect-engine-uri.c
@ -161,11 +161,11 @@ static inline int DoInspectPacketUris(DetectEngineCtx *de_ctx,
            //PrintRawDataFp(stdout,ud->uricontent,ud->uricontent_len);
            //PrintRawDataFp(stdout,spayload,spayload_len);

-            /* do the actual search */
+            /* do the actual search with boyer moore precooked ctx */
            if (ud->flags & DETECT_URICONTENT_NOCASE)
-                found = SpmNocaseSearch(spayload, spayload_len, ud->uricontent, ud->uricontent_len);
+                found = BoyerMooreNocase(ud->uricontent, ud->uricontent_len, spayload, spayload_len, ud->bm_ctx->bmGs, ud->bm_ctx->bmBc);
            else
-                found = SpmSearch(spayload, spayload_len, ud->uricontent, ud->uricontent_len);
+                found = BoyerMoore(ud->uricontent, ud->uricontent_len, spayload, spayload_len, ud->bm_ctx->bmGs, ud->bm_ctx->bmBc);

            /* next we evaluate the result in combination with the
             * negation flag. */
--- a/src/detect-http-client-body.c
+++ b/src/detect-http-client-body.c
@ -114,12 +114,14 @@ int DetectHttpClientBodyMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
        }
        /* call the case insensitive version if nocase has been specified in the sig */
        if (hcbd->flags & DETECT_AL_HTTP_CLIENT_BODY_NOCASE) {
-            result = (SpmNocaseSearch(chunks_buffer, total_chunks_len,
-                                      hcbd->content, hcbd->content_len) != NULL);
+            result = (BoyerMooreNocase(hcbd->content, hcbd->content_len, chunks_buffer,
+                                       total_chunks_len, hcbd->bm_ctx->bmGs,
+                                       hcbd->bm_ctx->bmBc) != NULL);
        /* call the case sensitive version if nocase has been specified in the sig */
        } else {
-            result = (SpmSearch(chunks_buffer, total_chunks_len,
-                                hcbd->content, hcbd->content_len) != NULL);
+            result = (BoyerMoore(hcbd->content, hcbd->content_len, chunks_buffer,
+                                       total_chunks_len, hcbd->bm_ctx->bmGs,
+                                       hcbd->bm_ctx->bmBc) != NULL);
        }
        SCFree(chunks_buffer);
    }
@ -202,6 +204,7 @@ int DetectHttpClientBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
        DETECT_AL_HTTP_CLIENT_BODY_NOCASE : 0;
    hcbd->flags |= (((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_NEGATED) ?
        DETECT_AL_HTTP_CLIENT_BODY_NEGATED : 0;
+    hcbd->bm_ctx = ((DetectContentData *)sm->ctx)->bm_ctx;

    nm = SigMatchAlloc();
    if (nm == NULL) {
--- a/src/detect-http-client-body.h
+++ b/src/detect-http-client-body.h
@ -10,10 +10,13 @@
 #define DETECT_AL_HTTP_CLIENT_BODY_NOCASE   0x01
 #define DETECT_AL_HTTP_CLIENT_BODY_NEGATED  0x02

+#include "util-spm-bm.h"
+
 typedef struct DetectHttpClientBodyData_ {
    uint8_t *content;
    uint8_t content_len;
    uint8_t flags;
+    BmCtx *bm_ctx;
 } DetectHttpClientBodyData;

 void DetectHttpClientBodyRegister(void);
--- a/src/detect-uricontent.c
+++ b/src/detect-uricontent.c
@ -35,6 +35,7 @@
 #include "util-unittest.h"
 #include "util-binsearch.h"
 #include "util-spm.h"
+#include "util-spm-bm.h"

 /* prototypes */
 static int DetectUricontentSetup (DetectEngineCtx *, Signature *, char *);
@ -264,6 +265,9 @@ DetectUricontentData *DoDetectUricontentSetup (char * contentstr)
    cd->distance = 0;
    cd->flags = 0;

+    /* Prepare Boyer Moore context for searching faster */
+    cd->bm_ctx = BoyerMooreCtxInit(cd->uricontent, cd->uricontent_len);
+
    SCFree(str);
    return cd;

--- a/src/detect-uricontent.h
+++ b/src/detect-uricontent.h
@ -18,6 +18,8 @@
                                       (c)->depth > 0 || \
                                       (c)->within > 0))

+#include "util-spm-bm.h"
+
 typedef struct DetectUricontentData_ {
    uint8_t *uricontent;
    uint8_t uricontent_len;
@ -28,6 +30,9 @@ typedef struct DetectUricontentData_ {
    int32_t distance;
    int32_t within;
    uint8_t flags;
+
+    BmCtx *bm_ctx;     /**< Boyer Moore context (for spm search) */
+
 } DetectUricontentData;

 /* prototypes */