suricata.yaml conf update to support single mpm context distribution over multiple sghs + code to parse this conf

15 years ago · b367c37ae6
parent 4b2cf7e125
commit b367c37ae6
3 changed files with 55 additions and 4 deletions
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@ -144,6 +144,8 @@ static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx) {
    const char *max_uniq_toserver_sp_groups_str = NULL;
    const char *max_uniq_toserver_dp_groups_str = NULL;

+    char *sgh_mpm_context = NULL;
+
    ConfNode *de_ctx_custom = ConfGetNode("detect-engine");
    ConfNode *opt = NULL;

@ -151,6 +153,8 @@ static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx) {
        TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
            if (strncmp(opt->val, "profile", 3) == 0) {
                de_ctx_profile = opt->head.tqh_first->val;
+            } else if (strcmp(opt->val, "sgh-mpm-context") == 0) {
+                sgh_mpm_context = opt->head.tqh_first->val;
            }
        }
    }
@ -169,9 +173,30 @@ static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx) {
        SCLogDebug("Profile for detection engine groups is \"%s\"", de_ctx_profile);
    } else {
        SCLogDebug("Profile for detection engine groups not provided "
-                "at suricata.yaml. Using default (\"medium\").");
+                   "at suricata.yaml. Using default (\"medium\").");
    }

+    if (sgh_mpm_context != NULL) {
+        if (strcmp(sgh_mpm_context, "single") == 0) {
+            de_ctx->sgh_mpm_context = ENGINE_SGH_MPM_CONTEXT_SINGLE;
+        } else if (strcmp(sgh_mpm_context, "full") == 0) {
+            de_ctx->sgh_mpm_context = ENGINE_SGH_MPM_CONTEXT_FULL;
+        } else if (strcmp(sgh_mpm_context, "auto") == 0) {
+            de_ctx->sgh_mpm_context = ENGINE_SGH_MPM_CONTEXT_AUTO;
+        } else {
+           SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY, "You have supplied an "
+                        "invalid conf value for detect-engine.sgh-mpm-context-"
+                        "%s", sgh_mpm_context);
+        }
+    } else {
+           SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY, "You have supplied a "
+                        "value for detect-engine.sgh-mpm-context.  Using "
+                        "default value of full\n");
+           de_ctx->sgh_mpm_context = ENGINE_SGH_MPM_CONTEXT_FULL;
+    }
+
+
+
    opt = NULL;
    switch (profile) {
        case ENGINE_PROFILE_LOW:
--- a/src/detect.h
+++ b/src/detect.h
@ -567,6 +567,9 @@ typedef struct DetectEngineCtx_ {
    uint16_t max_uniq_small_toserver_sp_groups;
    uint16_t max_uniq_small_toserver_dp_groups;
 */
+
+    uint8_t sgh_mpm_context;
+
    /** hash table for looking up patterns for
     *  id sharing and id tracking. */
    MpmPatternIdStore *mpm_pattern_id_store;
@ -592,6 +595,13 @@ enum {
    ENGINE_PROFILE_MAX
 };

+/* Siggroup mpm context profile */
+enum {
+    ENGINE_SGH_MPM_CONTEXT_FULL,
+    ENGINE_SGH_MPM_CONTEXT_SINGLE,
+    ENGINE_SGH_MPM_CONTEXT_AUTO
+};
+
 /**
  * Detection engine thread data.
  */
--- a/suricata.yaml
+++ b/suricata.yaml
@ -94,9 +94,16 @@ engine-analysis:
 # The detection engine builds internal groups of signatures. The engine
 # allow us to specify the profile to use for them, to manage memory on an
 # efficient way keeping a good performance. For the profile keyword you
-# can use the words "low", "medium", "high" or "custom". If you use custom
+# can use the words "low", "medium", "high" or "custom". If you use custom
 # make sure to define the values at "- custom-values" as your convenience.
-# Usually you would prefer medium/high/low
+# Usually you would prefer medium/high/low.
+#
+# "sgh mpm-context", indicates how the staging should allot mpm contexts for
+# the signature groups.  "single" indicates the use of a single context for
+# all the signature group heads.  "full" indicates a mpm_context for each
+# group head.  "auto" lets the engine decide the distribution of contexts
+# based on the information the engine gathers on the patterns from each
+# group head.
 detect-engine:
  - profile: medium
  - custom-values:
@ -108,6 +115,7 @@ detect-engine:
      toserver_dst_groups: 4
      toserver_sp_groups: 2
      toserver_dp_groups: 25
+  - sgh-mpm-context: single

 # Suricata is multi-threaded. Here the threading can be influenced.
 threading:
@ -136,7 +144,15 @@ cuda:
  device_id: 0

 # Select the multi pattern algorithm you want to run for scan/search the
-# in the engine. The supported algorithms are b2g, b3g and wumanber.
+# in the engine. The supported algorithms are b2g, b3g, wumanber, ac and
+# ac-gfbs.
+#
+# The mpm you choose also decides the distribution of mpm contexts for
+# signature groups, specified by the conf - "detect-engine.sgh_mpm_context".
+# Selecting "ac" as the mpm would require "detect-engine.sgh_mpm_context"
+# to be set to "single", because of ac's memory requirements, unless the
+# ruleset is small enough to fit in one's memory, in which case one can
+# use "full" with "ac".  Rest of the mpms can be run in "full" mode.
 #
 # There is also a CUDA pattern matcher (only available if Suricata was
 # compiled with --enable-cuda: b2g_cuda. Make sure to update your