From e1446c30fa24202b4644d2f20127f9c8df4fe8b2 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Sun, 23 Feb 2025 12:04:17 +0100
Subject: [PATCH] detect/alert: optimize no-alert path
Skip qsort call if no alerts are queued. Move logic into inline helper func.
---
 src/detect-engine-alert.c | 40 ++++++++++++++++++++++++---------------
 1 file changed, 25 insertions(+), 15 deletions(-)
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index 9e9a499bb5..cf893700ca 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -359,22 +359,14 @@ static inline void FlowApplySignatureActions(
 }
 }
-/**
- * \brief Check the threshold of the sigs that match, set actions, break on pass action
- * This function iterate the packet alerts array, removing those that didn't match
- * the threshold, and those that match after a signature with the action "pass".
- * The array is sorted by action priority/order
- * \param de_ctx detection engine context
- * \param det_ctx detection engine thread context
- * \param p pointer to the packet
- */
-void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
+static inline void PacketAlertFinalizeProcessQueue(
+ const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
 {
- SCEnter();
-
- /* sort the alert queue before thresholding and appending to Packet */
- qsort(det_ctx->alert_queue, det_ctx->alert_queue_size, sizeof(PacketAlert),
- AlertQueueSortHelper);
+ if (det_ctx->alert_queue_size > 1) {
+ /* sort the alert queue before thresholding and appending to Packet */
+ qsort(det_ctx->alert_queue, det_ctx->alert_queue_size, sizeof(PacketAlert),
+ AlertQueueSortHelper);
+ }
 for (uint16_t i = 0; i < det_ctx->alert_queue_size; i++) {
 PacketAlert *pa = &det_ctx->alert_queue[i];
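Review bot: The `alert_queue_size > 1` guard in PacketAlertFinalizeProcessQueue() is narrower than the commit message ("Skip qsort call if no alerts are queued") and carries no explanation, so a later reader may take it for an off-by-one. Per the doc block this patch moves, the sort order decides which alerts survive a "pass" match and thresholding, so it is worth stating why one element needs no sort, e.g. `/* a single queued alert is already in order; only sort when there are two or more */`. The helper's loop body continues outside this hunk.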
@@ -433,6 +425,24 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
 p->alerts.discarded++;
 }
 }
+}
+
+/**
+ * \brief Check the threshold of the sigs that match, set actions, break on pass action
+ * This function iterate the packet alerts array, removing those that didn't match
+ * the threshold, and those that match after a signature with the action "pass".
+ * The array is sorted by action priority/order
+ * \param de_ctx detection engine context
+ * \param det_ctx detection engine thread context
+ * \param p pointer to the packet
+ */
+void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
+{
+ SCEnter();
+
+ if (det_ctx->alert_queue_size > 0) {
+ PacketAlertFinalizeProcessQueue(de_ctx, det_ctx, p);
+ }
 /* At this point, we should have all the new alerts. Now check the tag
 * keyword context for sessions and hosts */
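Review bot: The Doxygen block re-added above PacketAlertFinalize() still describes the sort, threshold and pass handling, but that work now lives in PacketAlertFinalizeProcessQueue(), which has no comment of its own. I would move the description to the helper together with its precondition, e.g. `\pre det_ctx->alert_queue_size > 0 (checked by PacketAlertFinalize)`, and give the wrapper one line such as `\brief Finalize alerts for a packet: process the alert queue if non-empty, then handle tag keyword state`. PacketAlertFinalize()'s body continues past the end of the hunk, so the second half of that summary rests only on the context comment shown here.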