detect/threshold: Improve threshold.config perf

This commit improves performance when parsing threshold.config by
moving loop-invariant work out of the loop to create a one-time object
holding the parsed address(es).

Then, as needed, copies of this object are made as the suppression
rule(s) are processed.

(cherry picked from commit 02ceac8b8d)
pull/6100/head
Jeff Lucovsky 5 years ago
parent 0f38bc87d1
commit e8de11ea08

@ -295,6 +295,25 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
BUG_ON(parsed_type != TYPE_SUPPRESS);
DetectThresholdData *orig_de = NULL;
if (parsed_track != TRACK_RULE) {
orig_de = SCCalloc(1, sizeof(DetectThresholdData));
if (unlikely(orig_de == NULL))
goto error;
orig_de->type = TYPE_SUPPRESS;
orig_de->track = parsed_track;
orig_de->count = parsed_count;
orig_de->seconds = parsed_seconds;
orig_de->new_action = parsed_new_action;
orig_de->timeout = parsed_timeout;
if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &orig_de->addrs, (char *)th_ip) <
0) {
SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
goto error;
}
}
/* Install it */
if (id == 0 && gid == 0) {
if (parsed_track == TRACK_RULE) {
@ -309,24 +328,9 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
continue;
}
de = SCMalloc(sizeof(DetectThresholdData));
de = DetectThresholdDataCopy(orig_de);
if (unlikely(de == NULL))
goto error;
memset(de,0,sizeof(DetectThresholdData));
de->type = TYPE_SUPPRESS;
de->track = parsed_track;
de->count = parsed_count;
de->seconds = parsed_seconds;
de->new_action = parsed_new_action;
de->timeout = parsed_timeout;
if (parsed_track != TRACK_RULE) {
if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) < 0) {
SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
goto error;
}
}
sm = SigMatchAlloc();
if (sm == NULL) {
@ -353,26 +357,10 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
continue;
}
de = SCMalloc(sizeof(DetectThresholdData));
de = DetectThresholdDataCopy(orig_de);
if (unlikely(de == NULL))
goto error;
memset(de,0,sizeof(DetectThresholdData));
de->type = TYPE_SUPPRESS;
de->track = parsed_track;
de->count = parsed_count;
de->seconds = parsed_seconds;
de->new_action = parsed_new_action;
de->timeout = parsed_timeout;
if (parsed_track != TRACK_RULE) {
if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) < 0) {
SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
goto error;
}
}
sm = SigMatchAlloc();
if (sm == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Error allocating SigMatch");
@ -400,22 +388,9 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
goto end;
}
de = SCMalloc(sizeof(DetectThresholdData));
de = DetectThresholdDataCopy(orig_de);
if (unlikely(de == NULL))
goto error;
memset(de,0,sizeof(DetectThresholdData));
de->type = TYPE_SUPPRESS;
de->track = parsed_track;
de->count = parsed_count;
de->seconds = parsed_seconds;
de->new_action = parsed_new_action;
de->timeout = parsed_timeout;
if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) < 0) {
SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
goto error;
}
sm = SigMatchAlloc();
if (sm == NULL) {
@ -431,8 +406,16 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
}
end:
if (orig_de != NULL) {
DetectAddressHeadCleanup(&orig_de->addrs);
SCFree(orig_de);
}
return 0;
error:
if (orig_de != NULL) {
DetectAddressHeadCleanup(&orig_de->addrs);
SCFree(orig_de);
}
if (de != NULL) {
DetectAddressHeadCleanup(&de->addrs);
SCFree(de);
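Review bot: The new cleanup at `end:` and `error:` frees `orig_de->addrs`, so every `de` installed on a signature is only valid if `DetectThresholdDataCopy(orig_de)` deep-copies the address list. That function's body is not in these hunks, so the assumption cannot be checked here; a shallow copy would leave suppression entries pointing at freed addresses once parsing finishes. I would record the dependency above the first copy call with a comment such as `/* de must own its own copy of addrs: orig_de is released at end/error */`. The two `if (orig_de != NULL)` cleanup blocks are also identical and could share one helper or label so they cannot drift apart. The `error:` block and the rest of SetupSuppressRule continue outside the last hunk.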
