Remove more scan references.

remotes/origin/master-1.0.x
Victor Julien 16 years ago
parent bee4e04664
commit ec47f840f3

@ -293,10 +293,10 @@ uint16_t AppLayerDetectGetProto(AlpProtoDetectCtx *ctx, AlpProtoDetectThreadCtx
SCReturnUInt(ALPROTO_UNKNOWN); SCReturnUInt(ALPROTO_UNKNOWN);
} }
/* see if we can limit the data we scan */ /* see if we can limit the data we inspect */
uint16_t scanlen = buflen; uint16_t searchlen = buflen;
if (scanlen > dir->max_depth) if (searchlen > dir->max_depth)
scanlen = dir->max_depth; searchlen = dir->max_depth;
uint16_t proto = ALPROTO_UNKNOWN; uint16_t proto = ALPROTO_UNKNOWN;
uint32_t cnt = 0; uint32_t cnt = 0;
@ -304,11 +304,13 @@ uint16_t AppLayerDetectGetProto(AlpProtoDetectCtx *ctx, AlpProtoDetectThreadCtx
cnt = mpm_table[dir->mpm_ctx.mpm_type].Search(&dir->mpm_ctx, cnt = mpm_table[dir->mpm_ctx.mpm_type].Search(&dir->mpm_ctx,
&tdir->mpm_ctx, &tdir->mpm_ctx,
&tdir->pmq, buf, &tdir->pmq, buf,
scanlen); searchlen);
#else #else
Packet *p = SCMalloc(sizeof(Packet)); Packet *p = SCMalloc(sizeof(Packet));
if (p == NULL) goto end; if (p == NULL)
goto end;
memset(p, 0, sizeof(Packet)); memset(p, 0, sizeof(Packet));
p->cuda_done = 0; p->cuda_done = 0;
p->cuda_free_packet = 1; p->cuda_free_packet = 1;
p->cuda_search = 0; p->cuda_search = 0;
@ -316,7 +318,7 @@ uint16_t AppLayerDetectGetProto(AlpProtoDetectCtx *ctx, AlpProtoDetectThreadCtx
p->cuda_mtc = &tdir->mpm_ctx; p->cuda_mtc = &tdir->mpm_ctx;
p->cuda_pmq = &tdir->pmq; p->cuda_pmq = &tdir->pmq;
p->payload = buf; p->payload = buf;
p->payload_len = scanlen; p->payload_len = searchlen;
B2gCudaPushPacketTo_tv_CMB2_APC(p); B2gCudaPushPacketTo_tv_CMB2_APC(p);
SCMutexLock(&p->cuda_mutex_q); SCMutexLock(&p->cuda_mutex_q);
SCondWait(&p->cuda_cond_q, &p->cuda_mutex_q); SCondWait(&p->cuda_cond_q, &p->cuda_mutex_q);
@ -324,7 +326,7 @@ uint16_t AppLayerDetectGetProto(AlpProtoDetectCtx *ctx, AlpProtoDetectThreadCtx
SCMutexUnlock(&p->cuda_mutex_q); SCMutexUnlock(&p->cuda_mutex_q);
cnt = p->cuda_matches; cnt = p->cuda_matches;
#endif #endif
SCLogDebug("scan cnt %" PRIu32 "", cnt); SCLogDebug("search cnt %" PRIu32 "", cnt);
if (cnt == 0) { if (cnt == 0) {
proto = ALPROTO_UNKNOWN; proto = ALPROTO_UNKNOWN;
goto end; goto end;

@ -68,13 +68,15 @@ uint16_t PatternMatchDefaultMatcher(void) {
return mpm_algo_val; return mpm_algo_val;
} }
/** \brief Pattern match, scan part -- searches for only 'scan' patterns, /** \brief Pattern match -- searches for only one pattern per signature.
* normally one per signature. *
* \param tv threadvars * \param tv threadvars
* \param det_ctx detection engine thread ctx * \param det_ctx detection engine thread ctx
* \param p packet to scan * \param p packet to inspect
*
* \retval ret number of matches
*/ */
uint32_t PacketPatternScan(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, uint32_t PacketPatternSearch(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
Packet *p) Packet *p)
{ {
SCEnter(); SCEnter();
@ -105,13 +107,15 @@ uint32_t PacketPatternScan(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
SCReturnInt(ret); SCReturnInt(ret);
} }
/** \brief Uri Pattern match, scan part -- searches for only 'scan' patterns, /** \brief Uri Pattern match -- searches for one pattern per signature.
* normally one per signature. *
* \param tv threadvars * \param tv threadvars
* \param det_ctx detection engine thread ctx * \param det_ctx detection engine thread ctx
* \param p packet to scan * \param p packet to inspect
*
* \retval ret number of matches
*/ */
uint32_t UriPatternScan(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, uint32_t UriPatternSearch(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
uint8_t *uri, uint16_t uri_len) uint8_t *uri, uint16_t uri_len)
{ {
SCEnter(); SCEnter();
@ -209,7 +213,6 @@ void PatternMatchDestroyGroup(SigGroupHead *sh) {
} }
} }
static int g_uricontent_scan = 0;
static int g_uricontent_search = 0; static int g_uricontent_search = 0;
static int g_content_maxdepth = 0; static int g_content_maxdepth = 0;
static int g_content_minoffset = 0; static int g_content_minoffset = 0;
@ -224,10 +227,9 @@ static int g_content_sigcnt4 = 0;
static int g_content_sigcnt5 = 0; static int g_content_sigcnt5 = 0;
static int g_content_sigcnt10= 0; static int g_content_sigcnt10= 0;
void DbgPrintScanSearchStats() { void DbgPrintSearchStats() {
#if 0 #if 0
printf(" - MPM: scan %" PRId32 ", search %" PRId32 " (%02.1f%%) :\n", g_content_scan, g_content_search, printf(" - MPM: search %" PRId32 "\n", g_content_search);
(float)(g_content_scan/(float)(g_content_scan+g_content_search))*100);
printf(" - MPM: maxdepth %" PRId32 ", total %" PRId32 " (%02.1f%%) :\n", g_content_maxdepth, g_content_total, printf(" - MPM: maxdepth %" PRId32 ", total %" PRId32 " (%02.1f%%) :\n", g_content_maxdepth, g_content_total,
(float)(g_content_maxdepth/(float)(g_content_total))*100); (float)(g_content_maxdepth/(float)(g_content_total))*100);
printf(" - MPM: minoffset %" PRId32 ", total %" PRId32 " (%02.1f%%) :\n", g_content_minoffset, g_content_total, printf(" - MPM: minoffset %" PRId32 ", total %" PRId32 " (%02.1f%%) :\n", g_content_minoffset, g_content_total,
@ -249,7 +251,7 @@ typedef struct ContentHash_ {
uint16_t cnt; uint16_t cnt;
uint8_t use; /* use no matter what */ uint8_t use; /* use no matter what */
uint8_t nosearch; /* single match, no search after uint8_t nosearch; /* single match, no search after
* scan match (for this pattern) */ * mpm match (for this pattern) */
} ContentHash; } ContentHash;
uint32_t ContentHashFunc(HashTable *ht, void *data, uint16_t datalen) { uint32_t ContentHashFunc(HashTable *ht, void *data, uint16_t datalen) {
@ -302,8 +304,13 @@ void ContentHashFree(void *ch) {
* Other printable + a few common codes a little higher * Other printable + a few common codes a little higher
* Everything else highest. * Everything else highest.
* Longer patterns score better than short patters. * Longer patterns score better than short patters.
*
* \param pat pattern
* \param patlen length of the patternn
*
* \retval s pattern score
*/ */
uint32_t PatternStrength(uint8_t *pat, uint16_t patlen, uint16_t len) { uint32_t PatternStrength(uint8_t *pat, uint16_t patlen) {
uint8_t a[256]; uint8_t a[256];
memset(&a, 0 ,sizeof(a)); memset(&a, 0 ,sizeof(a));
@ -316,7 +323,7 @@ uint32_t PatternStrength(uint8_t *pat, uint16_t patlen, uint16_t len) {
else if (isprint(pat[u]) || pat[u] == 0x00 || pat[u] == 0x01 || pat[u] == 0xFF) else if (isprint(pat[u]) || pat[u] == 0x00 || pat[u] == 0x01 || pat[u] == 0xFF)
s += 4; s += 4;
else else
s+=6;//5 s += 6;
a[pat[u]] = 1; a[pat[u]] = 1;
} else { } else {
@ -414,7 +421,9 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead
goto error; goto error;
if (cnt == 1) { if (cnt == 1) {
SCLogDebug("sig has just one pattern, so we know we will use it in the scan phase and no searching will be necessary."); SCLogDebug("sig has just one pattern, so we know we will "
"use it in the mpm phase and no searching will "
"be necessary.");
ch->nosearch = 1; ch->nosearch = 1;
ch->use = 1; ch->use = 1;
} }
@ -443,7 +452,7 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead
} }
} }
/* now determine which one to add to the scan phase */ /* now determine which one to add to the mpm phase */
for (sig = 0; sig < sgh->sig_cnt; sig++) { for (sig = 0; sig < sgh->sig_cnt; sig++) {
uint32_t num = sgh->match_array[sig]; uint32_t num = sgh->match_array[sig];
@ -451,7 +460,7 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead
if (s == NULL) if (s == NULL)
continue; continue;
ContentHash *scan_ch = NULL; ContentHash *mpm_ch = NULL;
SigMatch *sm = s->pmatch; SigMatch *sm = s->pmatch;
for ( ; sm != NULL; sm = sm->next) { for ( ; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_CONTENT) { if (sm->type == DETECT_CONTENT) {
@ -480,59 +489,37 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead
SCLogDebug("lookup_ch->use %u, cnt %u", lookup_ch->use, lookup_ch->cnt); SCLogDebug("lookup_ch->use %u, cnt %u", lookup_ch->use, lookup_ch->cnt);
if (scan_ch == NULL) { if (mpm_ch == NULL) {
SCLogDebug("scan_ch == NULL, so selecting lookup_ch->ptr->id %"PRIu32"", lookup_ch->ptr->id); SCLogDebug("mpm_ch == NULL, so selecting lookup_ch->ptr->id %"PRIu32"", lookup_ch->ptr->id);
scan_ch = lookup_ch; mpm_ch = lookup_ch;
} else { } else {
//if (lookup_ch->use == 0) { uint32_t ls = PatternStrength(lookup_ch->ptr->content,lookup_ch->ptr->content_len);
uint32_t ls = PatternStrength(lookup_ch->ptr->content,lookup_ch->ptr->content_len,sgh->mpm_content_maxlen); uint32_t ss = PatternStrength(mpm_ch->ptr->content,mpm_ch->ptr->content_len);
uint32_t ss = PatternStrength(scan_ch->ptr->content,scan_ch->ptr->content_len,sgh->mpm_content_maxlen);
if (ls > ss) { if (ls > ss) {
SCLogDebug("lookup_ch->ptr->id %"PRIu32" selected over %"PRIu32"", lookup_ch->ptr->id, scan_ch->ptr->id); SCLogDebug("lookup_ch->ptr->id %"PRIu32" selected over %"PRIu32"", lookup_ch->ptr->id, mpm_ch->ptr->id);
scan_ch = lookup_ch; mpm_ch = lookup_ch;
} }
else if (ls == ss) { else if (ls == ss) {
/* if 2 patterns are of equal strength, we pick the longest */ /* if 2 patterns are of equal strength, we pick the longest */
if (lookup_ch->ptr->content_len > scan_ch->ptr->content_len) { if (lookup_ch->ptr->content_len > mpm_ch->ptr->content_len) {
SCLogDebug("lookup_ch->ptr->id %"PRIu32" selected over %"PRIu32" as the first is longer", lookup_ch->ptr->id, scan_ch->ptr->id); SCLogDebug("lookup_ch->ptr->id %"PRIu32" selected over %"PRIu32" as the first is longer", lookup_ch->ptr->id, mpm_ch->ptr->id);
scan_ch = lookup_ch; mpm_ch = lookup_ch;
} }
} else { } else {
SCLogDebug("sticking with scan_ch"); SCLogDebug("sticking with mpm_ch");
} }
#if 0
} else {
if (scan_ch->use == 0)
scan_ch = lookup_ch;
else {
uint32_t ls = PatternStrength(lookup_ch->ptr->content,lookup_ch->ptr->content_len,sgh->mpm_content_maxlen);
uint32_t ss = PatternStrength(scan_ch->ptr->content,scan_ch->ptr->content_len,sgh->mpm_content_maxlen);
if (ls > ss) {
SCLogDebug("lookup_ch->ptr->id %"PRIu32" selected over %"PRIu32"", lookup_ch->ptr->id, scan_ch->ptr->id);
scan_ch = lookup_ch;
}
/* if 2 patterns are of equal strength, we pick the longest */
else if (ls == ss) {
if (lookup_ch->ptr->content_len > scan_ch->ptr->content_len) {
SCLogDebug("lookup_ch->ptr->id %"PRIu32" selected over %"PRIu32" as the first is longer", lookup_ch->ptr->id, scan_ch->ptr->id);
scan_ch = lookup_ch;
}
}
}
}
#endif
} }
ContentHashFree(ch); ContentHashFree(ch);
} }
} }
/* now add the scan_ch to the mpm ctx */ /* now add the mpm_ch to the mpm ctx */
if (scan_ch != NULL) { if (mpm_ch != NULL) {
DetectContentData *co = scan_ch->ptr; DetectContentData *co = mpm_ch->ptr;
uint16_t offset = s->flags & SIG_FLAG_RECURSIVE ? 0 : co->offset; uint16_t offset = s->flags & SIG_FLAG_RECURSIVE ? 0 : co->offset;
uint16_t depth = s->flags & SIG_FLAG_RECURSIVE ? 0 : co->depth; uint16_t depth = s->flags & SIG_FLAG_RECURSIVE ? 0 : co->depth;
offset = scan_ch->cnt ? 0 : offset; offset = mpm_ch->cnt ? 0 : offset;
depth = scan_ch->cnt ? 0 : depth; depth = mpm_ch->cnt ? 0 : depth;
uint8_t flags = 0; uint8_t flags = 0;
if (co->flags & DETECT_CONTENT_NOCASE) { if (co->flags & DETECT_CONTENT_NOCASE) {
@ -541,37 +528,10 @@ static int PatternMatchPreprarePopulateMpm(DetectEngineCtx *de_ctx, SigGroupHead
mpm_table[sgh->mpm_ctx->mpm_type].AddPattern(sgh->mpm_ctx, co->content, co->content_len, offset, depth, co->id, s->num, flags); mpm_table[sgh->mpm_ctx->mpm_type].AddPattern(sgh->mpm_ctx, co->content, co->content_len, offset, depth, co->id, s->num, flags);
} }
SCLogDebug("%"PRIu32" adding co->id %"PRIu32" to the scan phase (s->num %"PRIu32")", s->id, co->id, s->num); SCLogDebug("%"PRIu32" adding co->id %"PRIu32" to the mpm phase (s->num %"PRIu32")", s->id, co->id, s->num);
} else { } else {
SCLogDebug("%"PRIu32" no scan pattern selected", s->id); SCLogDebug("%"PRIu32" no mpm pattern selected", s->id);
} }
#if 0
/* add the rest of the patterns to the search ctx */
for (sm = s->pmatch ; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_CONTENT) {
DetectContentData *co = (DetectContentData *)sm->ctx;
if (co == NULL)
continue;
/* skip the one we already added */
if (scan_ch != NULL && co == scan_ch->ptr) {
SCLogDebug("%"PRIu32" co->id %"PRIu32" not added to search, already in scan", s->id, co->id);
continue;
}
uint16_t offset = s->flags & SIG_FLAG_RECURSIVE ? 0 : co->offset;
uint16_t depth = s->flags & SIG_FLAG_RECURSIVE ? 0 : co->depth;
if (co->flags & DETECT_CONTENT_NOCASE) {
mpm_table[sgh->mpm_ctx->mpm_type].AddPatternNocase(sgh->mpm_ctx, co->content, co->content_len, offset, depth, co->id, s->num);
} else {
mpm_table[sgh->mpm_ctx->mpm_type].AddPattern(sgh->mpm_ctx, co->content, co->content_len, offset, depth, co->id, s->num);
}
SCLogDebug("%"PRIu32" adding co->id %"PRIu32" to the search phase", s->id, co->id);
}
}
#endif
} }
if (fast_pattern != NULL) if (fast_pattern != NULL)
@ -860,14 +820,14 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
uricontent_minlen = ud->uricontent_len; uricontent_minlen = ud->uricontent_len;
} }
} }
char uricontent_scanadded = 0; char uricontent_mpmadded = 0;
for (sm = s->match; sm != NULL; sm = sm->next) { for (sm = s->match; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_URICONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) { if (sm->type == DETECT_URICONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) {
DetectUricontentData *ud = (DetectUricontentData *)sm->ctx; DetectUricontentData *ud = (DetectUricontentData *)sm->ctx;
/* only add the pattern if: we didn't add a pattern already, /* only add the pattern if: we didn't add a pattern already,
* length is the same as maxlen (ie we only add the longest pattern) */ * length is the same as maxlen (ie we only add the longest pattern) */
if (!uricontent_scanadded && uricontent_maxlen == ud->uricontent_len) { if (!uricontent_mpmadded && uricontent_maxlen == ud->uricontent_len) {
uint8_t flags = 0; uint8_t flags = 0;
if (ud->flags & DETECT_URICONTENT_NOCASE) { if (ud->flags & DETECT_URICONTENT_NOCASE) {
@ -875,17 +835,7 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
} else { } else {
mpm_table[sh->mpm_uri_ctx->mpm_type].AddPattern(sh->mpm_uri_ctx, ud->uricontent, ud->uricontent_len, 0, 0, ud->id, s->num, flags); mpm_table[sh->mpm_uri_ctx->mpm_type].AddPattern(sh->mpm_uri_ctx, ud->uricontent, ud->uricontent_len, 0, 0, ud->id, s->num, flags);
} }
uricontent_scanadded = 1; uricontent_mpmadded = 1;
/* otherwise it's a 'search' pattern */
#if 0
} else {
if (ud->flags & DETECT_URICONTENT_NOCASE) {
mpm_table[sh->mpm_uri_ctx->mpm_type].AddPatternNocase(sh->mpm_uri_ctx, ud->uricontent, ud->uricontent_len, 0, 0, ud->id, s->num);
} else {
mpm_table[sh->mpm_uri_ctx->mpm_type].AddPattern(sh->mpm_uri_ctx, ud->uricontent, ud->uricontent_len, 0, 0, ud->id, s->num);
}
#endif
} }
} }
} }
@ -921,9 +871,6 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
mpm_table[sh->mpm_uri_ctx->mpm_type].Prepare(sh->mpm_uri_ctx); mpm_table[sh->mpm_uri_ctx->mpm_type].Prepare(sh->mpm_uri_ctx);
} }
if (mpm_uricontent_cnt && sh->mpm_uricontent_maxlen > 1) { if (mpm_uricontent_cnt && sh->mpm_uricontent_maxlen > 1) {
// printf("mpm_uricontent_cnt %" PRIu32 ", mpm_uricontent_maxlen %" PRId32 "\n", mpm_uricontent_cnt, mpm_uricontent_maxlen);
g_uricontent_scan++;
} else {
g_uricontent_search++; g_uricontent_search++;
} }
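Review bot: In the last hunk of this file (PatternMatchPrepareGroup), `g_uricontent_search++` moved out of the `else` branch and now runs when `mpm_uricontent_cnt && sh->mpm_uricontent_maxlen > 1` is true. The counter therefore counts what `g_uricontent_scan` used to count, and groups that fail the condition are no longer counted at all. If that is intended, a comment on the increment such as `/* formerly counted as 'scan'; groups not meeting this condition are no longer counted */` would keep the statistic from being misread. Separately, the Doxygen block above UriPatternSearch still documents `\param p` although the function takes `uri` and `uri_len`, and the new PatternStrength block has the typo `patternn`. The bodies of these functions continue outside the hunks shown.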

@ -5,8 +5,8 @@
uint16_t PatternMatchDefaultMatcher(void); uint16_t PatternMatchDefaultMatcher(void);
uint32_t PacketPatternScan(ThreadVars *, DetectEngineThreadCtx *, Packet *); uint32_t PacketPatternSearch(ThreadVars *, DetectEngineThreadCtx *, Packet *);
uint32_t UriPatternScan(ThreadVars *, DetectEngineThreadCtx *, uint8_t *, uint16_t); uint32_t UriPatternSearch(ThreadVars *, DetectEngineThreadCtx *, uint8_t *, uint16_t);
void PacketPatternCleanup(ThreadVars *, DetectEngineThreadCtx *); void PacketPatternCleanup(ThreadVars *, DetectEngineThreadCtx *);
@ -24,7 +24,7 @@ void PatternMatchDestroyGroup(SigGroupHead *);
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **); TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **);
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *); TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *);
void DbgPrintScanSearchStats(); void DbgPrintSearchStats();
#endif /* __DETECT_ENGINE_MPM_H__ */ #endif /* __DETECT_ENGINE_MPM_H__ */

@ -229,7 +229,7 @@ int DetectFastPatternTest04(void)
} }
/** /**
* \test Checks that a fast_pattern is used in the Scan phase. * \test Checks that a fast_pattern is used in the mpm phase.
*/ */
int DetectFastPatternTest05(void) int DetectFastPatternTest05(void)
{ {
@ -269,9 +269,9 @@ int DetectFastPatternTest05(void)
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
/* start the scan phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(&th_v, de_ctx, det_ctx, &p); det_ctx->sgh = SigMatchSignaturesGetSgh(&th_v, de_ctx, det_ctx, &p);
if (PacketPatternScan(&th_v, det_ctx, &p) != 0) if (PacketPatternSearch(&th_v, det_ctx, &p) != 0)
result = 1; result = 1;
SigGroupCleanup(de_ctx); SigGroupCleanup(de_ctx);
@ -285,7 +285,7 @@ end:
} }
/** /**
* \test Checks that a fast_pattern is used in the Scan phase. * \test Checks that a fast_pattern is used in the mpm phase.
*/ */
int DetectFastPatternTest06(void) int DetectFastPatternTest06(void)
{ {
@ -323,9 +323,9 @@ int DetectFastPatternTest06(void)
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
/* start the scan phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(&th_v, de_ctx, det_ctx, &p); det_ctx->sgh = SigMatchSignaturesGetSgh(&th_v, de_ctx, det_ctx, &p);
if (PacketPatternScan(&th_v, det_ctx, &p) != 0) if (PacketPatternSearch(&th_v, det_ctx, &p) != 0)
result = 1; result = 1;
SigGroupCleanup(de_ctx); SigGroupCleanup(de_ctx);
@ -339,7 +339,7 @@ end:
} }
/** /**
* \test Checks that a fast_pattern is used in the Scan phase, when the payload * \test Checks that a fast_pattern is used in the mpm phase, when the payload
* doesn't contain the fast_pattern string within it. * doesn't contain the fast_pattern string within it.
*/ */
int DetectFastPatternTest07(void) int DetectFastPatternTest07(void)
@ -378,9 +378,9 @@ int DetectFastPatternTest07(void)
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
/* start the scan phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(&th_v, de_ctx, det_ctx, &p); det_ctx->sgh = SigMatchSignaturesGetSgh(&th_v, de_ctx, det_ctx, &p);
if (PacketPatternScan(&th_v, det_ctx, &p) == 0) if (PacketPatternSearch(&th_v, det_ctx, &p) == 0)
result = 1; result = 1;
SigGroupCleanup(de_ctx); SigGroupCleanup(de_ctx);
@ -394,8 +394,8 @@ end:
} }
/** /**
* \test Checks that a fast_pattern is used in the Scan phase and that we get * \test Checks that a fast_pattern is used in the mpm phase and that we get
* exactly 1 match for the scan phase. * exactly 1 match for the mpm phase.
*/ */
int DetectFastPatternTest08(void) int DetectFastPatternTest08(void)
{ {
@ -433,9 +433,9 @@ int DetectFastPatternTest08(void)
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
/* start the scan phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(&th_v, de_ctx, det_ctx, &p); det_ctx->sgh = SigMatchSignaturesGetSgh(&th_v, de_ctx, det_ctx, &p);
if (PacketPatternScan(&th_v, det_ctx, &p) == 1) if (PacketPatternSearch(&th_v, det_ctx, &p) == 1)
result = 1; result = 1;
SigGroupCleanup(de_ctx); SigGroupCleanup(de_ctx);
@ -449,7 +449,7 @@ end:
} }
/** /**
* \test Checks that a fast_pattern is used in the Scan phase, when the payload * \test Checks that a fast_pattern is used in the mpm phase, when the payload
* doesn't contain the fast_pattern string within it. * doesn't contain the fast_pattern string within it.
*/ */
int DetectFastPatternTest09(void) int DetectFastPatternTest09(void)
@ -488,9 +488,9 @@ int DetectFastPatternTest09(void)
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
/* start the scan phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(&th_v, de_ctx, det_ctx, &p); det_ctx->sgh = SigMatchSignaturesGetSgh(&th_v, de_ctx, det_ctx, &p);
if (PacketPatternScan(&th_v, det_ctx, &p) == 0) if (PacketPatternSearch(&th_v, det_ctx, &p) == 0)
result = 1; result = 1;
SigGroupCleanup(de_ctx); SigGroupCleanup(de_ctx);
@ -506,7 +506,7 @@ end:
/** /**
* \test Checks that a the SigInit chooses the fast_pattern with better pattern * \test Checks that a the SigInit chooses the fast_pattern with better pattern
* strength, when we have multiple fast_patterns in the Signature. Also * strength, when we have multiple fast_patterns in the Signature. Also
* checks that we get a match for the fast_pattern from the Scan phase. * checks that we get a match for the fast_pattern from the mpm phase.
*/ */
int DetectFastPatternTest10(void) int DetectFastPatternTest10(void)
{ {
@ -544,9 +544,9 @@ int DetectFastPatternTest10(void)
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
/* start the scan phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(&th_v, de_ctx, det_ctx, &p); det_ctx->sgh = SigMatchSignaturesGetSgh(&th_v, de_ctx, det_ctx, &p);
if (PacketPatternScan(&th_v, det_ctx, &p) == 1) if (PacketPatternSearch(&th_v, det_ctx, &p) == 1)
result = 1; result = 1;
SigGroupCleanup(de_ctx); SigGroupCleanup(de_ctx);
@ -562,7 +562,7 @@ end:
/** /**
* \test Checks that a the SigInit chooses the fast_pattern with better pattern * \test Checks that a the SigInit chooses the fast_pattern with better pattern
* strength, when we have multiple fast_patterns in the Signature. Also * strength, when we have multiple fast_patterns in the Signature. Also
* checks that we get no matches for the fast_pattern from the Scan phase. * checks that we get no matches for the fast_pattern from the mpm phase.
*/ */
int DetectFastPatternTest11(void) int DetectFastPatternTest11(void)
{ {
@ -600,9 +600,9 @@ int DetectFastPatternTest11(void)
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
/* start the scan phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(&th_v, de_ctx, det_ctx, &p); det_ctx->sgh = SigMatchSignaturesGetSgh(&th_v, de_ctx, det_ctx, &p);
if (PacketPatternScan(&th_v, det_ctx, &p) == 0) if (PacketPatternSearch(&th_v, det_ctx, &p) == 0)
result = 1; result = 1;
@ -618,7 +618,7 @@ end:
} }
/** /**
* \test Checks that we don't get a match for the scan phase. * \test Checks that we don't get a match for the mpm phase.
*/ */
int DetectFastPatternTest12(void) int DetectFastPatternTest12(void)
{ {
@ -656,9 +656,9 @@ int DetectFastPatternTest12(void)
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
/* start the scan phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(&th_v, de_ctx, det_ctx, &p); det_ctx->sgh = SigMatchSignaturesGetSgh(&th_v, de_ctx, det_ctx, &p);
if (PacketPatternScan(&th_v, det_ctx, &p) == 0) if (PacketPatternSearch(&th_v, det_ctx, &p) == 0)
result = 1; result = 1;
SigGroupCleanup(de_ctx); SigGroupCleanup(de_ctx);
@ -674,7 +674,7 @@ end:
/** /**
* \test Checks that a the SigInit chooses the fast_pattern with a better * \test Checks that a the SigInit chooses the fast_pattern with a better
* strength from the available patterns, when we don't specify a * strength from the available patterns, when we don't specify a
* fast_pattern. We also check that we get a match from the Scan * fast_pattern. We also check that we get a match from the mpm
* phase. * phase.
*/ */
int DetectFastPatternTest13(void) int DetectFastPatternTest13(void)
@ -713,9 +713,9 @@ int DetectFastPatternTest13(void)
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
/* start the scan phase */ /* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(&th_v, de_ctx, det_ctx, &p); det_ctx->sgh = SigMatchSignaturesGetSgh(&th_v, de_ctx, det_ctx, &p);
if (PacketPatternScan(&th_v, det_ctx, &p) == 1) if (PacketPatternSearch(&th_v, det_ctx, &p) == 1)
result = 1; result = 1;
SigGroupCleanup(de_ctx); SigGroupCleanup(de_ctx);
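Review bot: The `\test` descriptions now say the fast_pattern is used in the "mpm phase", but the inline comment before each `PacketPatternSearch()` call was changed to `/* start the search phase */`. The same step therefore carries two names inside each test (DetectFastPatternTest05 through DetectFastPatternTest13). Using one term throughout, e.g. `/* start the mpm phase */`, would keep the body comments in line with the test descriptions. The test bodies start and end outside these hunks.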

@ -215,7 +215,7 @@ static int DetectHttpCookieSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
SCFree(pm->ctx); SCFree(pm->ctx);
SCFree(pm); SCFree(pm);
/* Flagged the signature as to scan the app layer data */ /* Flagged the signature as to inspect the app layer data */
s->flags |= SIG_FLAG_APPLAYER; s->flags |= SIG_FLAG_APPLAYER;
return 0; return 0;

@ -202,7 +202,7 @@ static int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s, char *st
SCFree(pm->ctx); SCFree(pm->ctx);
SCFree(pm); SCFree(pm);
/* Flagged the signature as to scan the app layer data */ /* Flagged the signature as to inspect the app layer data */
s->flags |= SIG_FLAG_APPLAYER; s->flags |= SIG_FLAG_APPLAYER;
SCReturnInt(0); SCReturnInt(0);

@ -244,7 +244,7 @@ int DetectUricontentSetup (DetectEngineCtx *de_ctx, Signature *s, char *contents
cd->id = de_ctx->uricontent_max_id; cd->id = de_ctx->uricontent_max_id;
de_ctx->uricontent_max_id++; de_ctx->uricontent_max_id++;
/* Flagged the signature as to scan the app layer data */ /* Flagged the signature as to inspect the app layer data */
s->flags |= SIG_FLAG_APPLAYER; s->flags |= SIG_FLAG_APPLAYER;
SCReturnInt(0); SCReturnInt(0);
@ -258,7 +258,7 @@ error:
* \brief Checks if the content sent as the argument, has a uricontent which * \brief Checks if the content sent as the argument, has a uricontent which
* has been provided in the rule. This match function matches the * has been provided in the rule. This match function matches the
* normalized http uri against the given rule using multi pattern * normalized http uri against the given rule using multi pattern
* scan/search algorithms. * search algorithms.
* *
* \param t Pointer to the tv for this detection module instance * \param t Pointer to the tv for this detection module instance
* \param det_ctx Pointer to the detection engine thread context * \param det_ctx Pointer to the detection engine thread context
@ -273,10 +273,10 @@ int DoDetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_
int ret = 0; int ret = 0;
/* run the pattern matcher against the uri */ /* run the pattern matcher against the uri */
if (det_ctx->sgh->mpm_uricontent_maxlen > uri_len) { if (det_ctx->sgh->mpm_uricontent_maxlen > uri_len) {
SCLogDebug("not scanning as pkt payload is smaller than the " SCLogDebug("not searching as pkt payload is smaller than the "
"largest uricontent length we need to match"); "largest uricontent length we need to match");
} else { } else {
SCLogDebug("scan: (%p, maxlen %" PRIu32 ", sgh->sig_cnt " SCLogDebug("search: (%p, maxlen %" PRIu32 ", sgh->sig_cnt "
"%" PRIu32 ")", det_ctx->sgh, det_ctx->sgh-> "%" PRIu32 ")", det_ctx->sgh, det_ctx->sgh->
mpm_uricontent_maxlen, det_ctx->sgh->sig_cnt); mpm_uricontent_maxlen, det_ctx->sgh->sig_cnt);
@ -288,9 +288,9 @@ int DoDetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_
else if (det_ctx->sgh->mpm_uricontent_maxlen == 4) det_ctx->pkts_uri_searched4++; else if (det_ctx->sgh->mpm_uricontent_maxlen == 4) det_ctx->pkts_uri_searched4++;
else det_ctx->pkts_uri_searched++; else det_ctx->pkts_uri_searched++;
ret += UriPatternScan(tv, det_ctx, uri, uri_len); ret += UriPatternSearch(tv, det_ctx, uri, uri_len);
SCLogDebug("post scan: cnt %" PRIu32 ", searchable %" PRIu32 "", SCLogDebug("post search: cnt %" PRIu32 ", searchable %" PRIu32 "",
ret, det_ctx->pmq.searchable); ret, det_ctx->pmq.searchable);
det_ctx->pmq.searchable = 0; det_ctx->pmq.searchable = 0;
} }
@ -322,7 +322,7 @@ int DetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_ct
size_t idx = 0; size_t idx = 0;
htp_tx_t *tx = NULL; htp_tx_t *tx = NULL;
/* if we don't have a uri, don't bother scanning */ /* if we don't have a uri, don't bother inspecting */
if (det_ctx->de_have_httpuri == FALSE) { if (det_ctx->de_have_httpuri == FALSE) {
SCLogDebug("We don't have uri"); SCLogDebug("We don't have uri");
SCReturnInt(0); SCReturnInt(0);
@ -826,7 +826,7 @@ end:
return result; return result;
} }
/** \test Check the working of scan/search once per packet only in applayer /** \test Check the working of search once per packet only in applayer
* match */ * match */
static int DetectUriSigTest03(void) { static int DetectUriSigTest03(void) {
int result = 0; int result = 0;
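Review bot: The reworded debug message in DoDetectAppLayerUricontentMatch still says "pkt payload", although the guard next to it compares `det_ctx->sgh->mpm_uricontent_maxlen` with `uri_len`. The log therefore names the wrong buffer when someone traces why a URI was skipped by the pattern matcher. Since the line is being edited anyway, `SCLogDebug("not searching as uri is smaller than the " "largest uricontent length we need to match");` would match the check. The function body starts and ends outside these hunks.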

@ -285,7 +285,7 @@ static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, char *urile
SigMatchAppendAppLayer(s, sm); SigMatchAppendAppLayer(s, sm);
/* Flagged the signature as to scan the app layer data */ /* Flagged the signature as to inspect the app layer data */
s->flags |= SIG_FLAG_APPLAYER; s->flags |= SIG_FLAG_APPLAYER;
SCReturnInt(0); SCReturnInt(0);

@ -167,7 +167,7 @@ void DetectExitPrintStats(ThreadVars *tv, void *data) {
tv->name, det_ctx->uris, det_ctx->pkts_uri_searched, tv->name, det_ctx->uris, det_ctx->pkts_uri_searched,
(float)(det_ctx->pkts_uri_searched/(float)(det_ctx->uris)*100)); (float)(det_ctx->pkts_uri_searched/(float)(det_ctx->uris)*100));
SCLogInfo("%"PRIu64" sigs per scan match on avg needed inspection, total scans %"PRIu64", less than 25 sigs need inspect %"PRIu64", more than 100 sigs need inspect %"PRIu64", more than 1000 %"PRIu64" max %"PRIu64"", det_ctx->scans_match ? det_ctx->scans_sigs / det_ctx->scans_match : 0, det_ctx->scans_match, det_ctx->scans_sigsmin25, det_ctx->scans_sigsplus100, det_ctx->scans_sigsplus1000, det_ctx->scans_sigsmax); SCLogInfo("%"PRIu64" sigs per mpm match on avg needed inspection, total mpm searches %"PRIu64", less than 25 sigs need inspect %"PRIu64", more than 100 sigs need inspect %"PRIu64", more than 1000 %"PRIu64" max %"PRIu64"", det_ctx->mpm_match ? det_ctx->mpm_sigs / det_ctx->mpm_match : 0, det_ctx->mpm_match, det_ctx->mpm_sigsmin25, det_ctx->mpm_sigsplus100, det_ctx->mpm_sigsplus1000, det_ctx->mpm_sigsmax);
} }
/** \brief Create the path if default-rule-path was specified /** \brief Create the path if default-rule-path was specified
@ -525,10 +525,11 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
if (p->payload_len > 0 && det_ctx->sgh->mpm_ctx != NULL && !(p->flags & PKT_NOPAYLOAD_INSPECTION)) { if (p->payload_len > 0 && det_ctx->sgh->mpm_ctx != NULL && !(p->flags & PKT_NOPAYLOAD_INSPECTION)) {
/* run the pattern matcher against the packet */ /* run the pattern matcher against the packet */
if (det_ctx->sgh->mpm_content_maxlen > p->payload_len) { if (det_ctx->sgh->mpm_content_maxlen > p->payload_len) {
SCLogDebug("not scanning as pkt payload is smaller than the largest content length we need to match"); SCLogDebug("not mpm-inspecting as pkt payload is smaller than "
"the largest content length we need to match");
} else { } else {
SCLogDebug("scan: (%p, maxlen %" PRIu32 ", sgh->sig_cnt %" PRIu32 ")", det_ctx->sgh, det_ctx->sgh->mpm_content_maxlen, det_ctx->sgh->sig_cnt); SCLogDebug("search: (%p, maxlen %" PRIu32 ", sgh->sig_cnt %" PRIu32 ")",
/* scan, but only if the noscan flag isn't set */ det_ctx->sgh, det_ctx->sgh->mpm_content_maxlen, det_ctx->sgh->sig_cnt);
if (det_ctx->sgh->mpm_content_maxlen == 1) det_ctx->pkts_searched1++; if (det_ctx->sgh->mpm_content_maxlen == 1) det_ctx->pkts_searched1++;
else if (det_ctx->sgh->mpm_content_maxlen == 2) det_ctx->pkts_searched2++; else if (det_ctx->sgh->mpm_content_maxlen == 2) det_ctx->pkts_searched2++;
@ -536,31 +537,32 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
else if (det_ctx->sgh->mpm_content_maxlen == 4) det_ctx->pkts_searched4++; else if (det_ctx->sgh->mpm_content_maxlen == 4) det_ctx->pkts_searched4++;
else det_ctx->pkts_searched++; else det_ctx->pkts_searched++;
cnt = PacketPatternScan(th_v, det_ctx, p); cnt = PacketPatternSearch(th_v, det_ctx, p);
if (cnt > 0) { if (cnt > 0) {
det_ctx->scans_match++; det_ctx->mpm_match++;
det_ctx->scans_sigs += det_ctx->pmq.sig_id_array_cnt; det_ctx->mpm_sigs += det_ctx->pmq.sig_id_array_cnt;
if (det_ctx->pmq.sig_id_array_cnt < 25) { if (det_ctx->pmq.sig_id_array_cnt < 25) {
det_ctx->scans_sigsmin25++; det_ctx->mpm_sigsmin25++;
} else if (det_ctx->pmq.sig_id_array_cnt > 1000) { } else if (det_ctx->pmq.sig_id_array_cnt > 1000) {
det_ctx->scans_sigsplus1000++; det_ctx->mpm_sigsplus1000++;
} else if (det_ctx->pmq.sig_id_array_cnt > 100) { } else if (det_ctx->pmq.sig_id_array_cnt > 100) {
det_ctx->scans_sigsplus100++; det_ctx->mpm_sigsplus100++;
} }
if (det_ctx->pmq.sig_id_array_cnt > det_ctx->scans_sigsmax) if (det_ctx->pmq.sig_id_array_cnt > det_ctx->mpm_sigsmax)
det_ctx->scans_sigsmax = det_ctx->pmq.sig_id_array_cnt; det_ctx->mpm_sigsmax = det_ctx->pmq.sig_id_array_cnt;
} }
SCLogDebug("post scan: cnt %" PRIu32 ", searchable %" PRIu32 ", sigs %"PRIu32" (out of %"PRIu32")", cnt, det_ctx->pmq.searchable, det_ctx->pmq.sig_id_array_cnt, det_ctx->sgh->sig_cnt); SCLogDebug("post search: cnt %" PRIu32 ", searchable %" PRIu32 ", sigs %"PRIu32" (out of %"PRIu32")", cnt, det_ctx->pmq.searchable, det_ctx->pmq.sig_id_array_cnt, det_ctx->sgh->sig_cnt);
det_ctx->pmq.searchable = 0; det_ctx->pmq.searchable = 0;
} }
} }
/* If we have the uricontent multi pattern matcher signatures in /* If we have the uricontent multi pattern matcher signatures in
signature list, then scan the received HTTP uri(s) in the htp state signature list, then search the received HTTP uri(s) in the htp
against those patterns */ state against those patterns */
if (det_ctx->sgh->flags & SIG_GROUP_HAVEURICONTENT && p->flow != NULL && alproto == ALPROTO_HTTP) if (det_ctx->sgh->flags & SIG_GROUP_HAVEURICONTENT && p->flow != NULL &&
alproto == ALPROTO_HTTP)
{ {
SCMutexLock(&p->flow->m); SCMutexLock(&p->flow->m);
cnt = DetectUricontentInspectMpm(th_v, det_ctx, alstate); cnt = DetectUricontentInspectMpm(th_v, det_ctx, alstate);
@ -2823,7 +2825,7 @@ int SigGroupBuild (DetectEngineCtx *de_ctx) {
#endif #endif
// SigAddressPrepareStage5(de_ctx); // SigAddressPrepareStage5(de_ctx);
DbgPrintScanSearchStats(); DbgPrintSearchStats();
// DetectAddressPrintMemory(); // DetectAddressPrintMemory();
// DetectSigGroupPrintMemory(); // DetectSigGroupPrintMemory();
// DetectPortPrintMemory(); // DetectPortPrintMemory();
@ -3759,14 +3761,12 @@ static int SigTest11Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type; de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Scan vs Search (1)\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)"); de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
if (de_ctx->sig_list == NULL) { if (de_ctx->sig_list == NULL) {
result = 0;
goto end; goto end;
} }
de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Scan vs Search (2)\"; content:\"VWXYZabcde\"; content:\"5678\"; content:\"89\"; sid:2;)"); de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (content:\"VWXYZabcde\"; content:\"5678\"; content:\"89\"; sid:2;)");
if (de_ctx->sig_list->next == NULL) { if (de_ctx->sig_list->next == NULL) {
result = 0;
goto end; goto end;
} }
@ -3776,8 +3776,6 @@ static int SigTest11Real (int mpm_type) {
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
if (PacketAlertCheck(&p, 1) && PacketAlertCheck(&p, 2)) if (PacketAlertCheck(&p, 1) && PacketAlertCheck(&p, 2))
result = 1; result = 1;
else
result = 0;
AppLayerParserCleanupState(&ssn); AppLayerParserCleanupState(&ssn);
SigGroupCleanup(de_ctx); SigGroupCleanup(de_ctx);
@ -8455,9 +8453,9 @@ void SigRegisterTests(void) {
UtRegisterTest("SigTest10B3g -- long content match, longer than pkt", SigTest10B3g, 1); UtRegisterTest("SigTest10B3g -- long content match, longer than pkt", SigTest10B3g, 1);
UtRegisterTest("SigTest10Wm -- long content match, longer than pkt", SigTest10Wm, 1); UtRegisterTest("SigTest10Wm -- long content match, longer than pkt", SigTest10Wm, 1);
UtRegisterTest("SigTest11B2g -- scan vs search", SigTest11B2g, 1); UtRegisterTest("SigTest11B2g -- mpm searching", SigTest11B2g, 1);
UtRegisterTest("SigTest11B3g -- scan vs search", SigTest11B3g, 1); UtRegisterTest("SigTest11B3g -- mpm searching", SigTest11B3g, 1);
UtRegisterTest("SigTest11Wm -- scan vs search", SigTest11Wm, 1); UtRegisterTest("SigTest11Wm -- mpm searching", SigTest11Wm, 1);
UtRegisterTest("SigTest12B2g -- content order matching, normal", SigTest12B2g, 1); UtRegisterTest("SigTest12B2g -- content order matching, normal", SigTest12B2g, 1);
UtRegisterTest("SigTest12B3g -- content order matching, normal", SigTest12B3g, 1); UtRegisterTest("SigTest12B3g -- content order matching, normal", SigTest12B3g, 1);

@ -400,12 +400,12 @@ typedef struct DetectionEngineThreadCtx_ {
Tmq *cuda_mpm_rc_disp_outq; Tmq *cuda_mpm_rc_disp_outq;
#endif #endif
uint64_t scans_match; uint64_t mpm_match;
uint64_t scans_sigs; uint64_t mpm_sigs;
uint64_t scans_sigsmin25; uint64_t mpm_sigsmin25;
uint64_t scans_sigsplus100; uint64_t mpm_sigsplus100;
uint64_t scans_sigsplus1000; uint64_t mpm_sigsplus1000;
uint64_t scans_sigsmax; uint64_t mpm_sigsmax;
} DetectEngineThreadCtx; } DetectEngineThreadCtx;
/** \brief a single match condition for a signature */ /** \brief a single match condition for a signature */

@ -3,7 +3,7 @@
* Copyright (c) 2009 Victor Julien <victor@inliniac.net> * Copyright (c) 2009 Victor Julien <victor@inliniac.net>
* *
* Ideas: * Ideas:
* - B2g does a full match in the scan phase of up to 'm' characters, * - B2g does a full match in the search of up to 'm' characters,
* in case of a case insensitive search we could say it's match if * in case of a case insensitive search we could say it's match if
* the pattern is of len 'm' or just compare the rest of the chars. * the pattern is of len 'm' or just compare the rest of the chars.
* *
@ -133,7 +133,6 @@ void B2gPrintInfo(MpmCtx *mpm_ctx) {
printf(" B2gPattern %" PRIuMAX "\n", (uintmax_t)sizeof(B2gPattern)); printf(" B2gPattern %" PRIuMAX "\n", (uintmax_t)sizeof(B2gPattern));
printf(" B2gHashItem %" PRIuMAX "\n", (uintmax_t)sizeof(B2gHashItem)); printf(" B2gHashItem %" PRIuMAX "\n", (uintmax_t)sizeof(B2gHashItem));
printf("Unique Patterns: %" PRIu32 "\n", mpm_ctx->pattern_cnt); printf("Unique Patterns: %" PRIu32 "\n", mpm_ctx->pattern_cnt);
printf("Scan Patterns: %" PRIu32 "\n", mpm_ctx->pattern_cnt);
printf("Total Patterns: %" PRIu32 "\n", mpm_ctx->total_pattern_cnt); printf("Total Patterns: %" PRIu32 "\n", mpm_ctx->total_pattern_cnt);
printf("Smallest: %" PRIu32 "\n", mpm_ctx->minlen); printf("Smallest: %" PRIu32 "\n", mpm_ctx->minlen);
printf("Largest: %" PRIu32 "\n", mpm_ctx->maxlen); printf("Largest: %" PRIu32 "\n", mpm_ctx->maxlen);
@ -644,8 +643,8 @@ void B2gPrintSearchStats(MpmThreadCtx *mpm_thread_ctx) {
B2gThreadCtx *tctx = (B2gThreadCtx *)mpm_thread_ctx->ctx; B2gThreadCtx *tctx = (B2gThreadCtx *)mpm_thread_ctx->ctx;
printf("B2g Thread Search stats (tctx %p)\n", tctx); printf("B2g Thread Search stats (tctx %p)\n", tctx);
printf("Total calls/scans: %" PRIu32 "\n", tctx->stat_calls); printf("Total calls: %" PRIu32 "\n", tctx->stat_calls);
printf("Avg m/scan: %0.2f\n", tctx->stat_calls ? (float)((float)tctx->stat_m_total / (float)tctx->stat_calls) : 0); printf("Avg m/search: %0.2f\n", tctx->stat_calls ? (float)((float)tctx->stat_m_total / (float)tctx->stat_calls) : 0);
printf("D != 0 (possible match): %" PRIu32 "\n", tctx->stat_d0); printf("D != 0 (possible match): %" PRIu32 "\n", tctx->stat_d0);
printf("Avg hash items per bucket %0.2f (%" PRIu32 ")\n", tctx->stat_d0 ? (float)((float)tctx->stat_d0_hashloop / (float)tctx->stat_d0) : 0, tctx->stat_d0_hashloop); printf("Avg hash items per bucket %0.2f (%" PRIu32 ")\n", tctx->stat_d0 ? (float)((float)tctx->stat_d0_hashloop / (float)tctx->stat_d0) : 0, tctx->stat_d0_hashloop);
printf("Loop match: %" PRIu32 "\n", tctx->stat_loop_match); printf("Loop match: %" PRIu32 "\n", tctx->stat_loop_match);
@ -752,7 +751,7 @@ void B2gInitCtx (MpmCtx *mpm_ctx, int module_handle) {
if (b2g_hash_size == 0) if (b2g_hash_size == 0)
B2gGetConfig(); B2gGetConfig();
/* init defaults scan/search functions */ /* init defaults search functions */
ctx->Search = b2g_func; ctx->Search = b2g_func;
SCReturn; SCReturn;
@ -1007,7 +1006,6 @@ uint32_t B2gSearch(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatcher
d = ((d << 1) & ctx->B2G[h]); d = ((d << 1) & ctx->B2G[h]);
j = j - 1; j = j - 1;
} while (d != 0 && j != 0); } while (d != 0 && j != 0);
//printf("scan: d %" PRIu32 ", j %" PRIu32 "\n", d, j);
/* (partial) match, move on to verification */ /* (partial) match, move on to verification */
if (d != 0) { if (d != 0) {

@ -72,10 +72,10 @@ typedef struct B2gCtx_ {
uint8_t s0; uint8_t s0;
/* we store our own multi byte scan ptr here for B2gSearch1 */ /* we store our own multi byte search func ptr here for B2gSearch1 */
uint32_t (*Search)(struct MpmCtx_ *, struct MpmThreadCtx_ *, PatternMatcherQueue *, uint8_t *, uint16_t); uint32_t (*Search)(struct MpmCtx_ *, struct MpmThreadCtx_ *, PatternMatcherQueue *, uint8_t *, uint16_t);
/* we store our own multi byte scan ptr here for B2gSearch1 */ /* we store our own multi byte search func ptr here for B2gSearch1 */
uint32_t (*MBSearch2)(struct MpmCtx_ *, struct MpmThreadCtx_ *, PatternMatcherQueue *, uint8_t *, uint16_t); uint32_t (*MBSearch2)(struct MpmCtx_ *, struct MpmThreadCtx_ *, PatternMatcherQueue *, uint8_t *, uint16_t);
uint32_t (*MBSearch)(struct MpmCtx_ *, struct MpmThreadCtx_ *, PatternMatcherQueue *, uint8_t *, uint16_t); uint32_t (*MBSearch)(struct MpmCtx_ *, struct MpmThreadCtx_ *, PatternMatcherQueue *, uint8_t *, uint16_t);
} B2gCtx; } B2gCtx;
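Review bot: The reworded comment above `Search` is word-for-word the same as the one above `MBSearch2`, so `Search` is still described as a multi byte pointer kept for B2gSearch1; the rename carried over what looks like a duplicated comment instead of correcting it. The `ctx->Search = b2g_func;` assignment under the "init defaults search functions" comment in B2gInitCtx suggests `Search` is the context's default search entry point, though that is inferred from another hunk of this commit. If so, the first comment could read `/* default search function for this ctx, set in B2gInitCtx */`, leaving the "multi byte" wording on `MBSearch2` only. The struct starts outside the hunk, so check that no earlier member comment already covers this.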

@ -3,7 +3,7 @@
* Copyright (c) 2009 Victor Julien <victor@inliniac.net> * Copyright (c) 2009 Victor Julien <victor@inliniac.net>
* *
* Ideas: * Ideas:
* - B3g does a full match in the scan phase of up to 'm' characters, * - B3g does a full match in the search of up to 'm' characters,
* in case of a case insensitive search we could say it's match if * in case of a case insensitive search we could say it's match if
* the pattern is of len 'm' or just compare the rest of the chars. * the pattern is of len 'm' or just compare the rest of the chars.
* *
@ -121,7 +121,6 @@ void B3gPrintInfo(MpmCtx *mpm_ctx) {
printf(" B3gPattern %" PRIuMAX "\n", (uintmax_t)sizeof(B3gPattern)); printf(" B3gPattern %" PRIuMAX "\n", (uintmax_t)sizeof(B3gPattern));
printf(" B3gHashItem %" PRIuMAX "\n", (uintmax_t)sizeof(B3gHashItem)); printf(" B3gHashItem %" PRIuMAX "\n", (uintmax_t)sizeof(B3gHashItem));
printf("Unique Patterns: %" PRIu32 "\n", mpm_ctx->pattern_cnt); printf("Unique Patterns: %" PRIu32 "\n", mpm_ctx->pattern_cnt);
printf("Scan Patterns: %" PRIu32 "\n", mpm_ctx->pattern_cnt);
printf("Total Patterns: %" PRIu32 "\n", mpm_ctx->total_pattern_cnt); printf("Total Patterns: %" PRIu32 "\n", mpm_ctx->total_pattern_cnt);
printf("Smallest: %" PRIu32 "\n", mpm_ctx->minlen); printf("Smallest: %" PRIu32 "\n", mpm_ctx->minlen);
printf("Largest: %" PRIu32 "\n", mpm_ctx->maxlen); printf("Largest: %" PRIu32 "\n", mpm_ctx->maxlen);
@ -619,8 +618,8 @@ void B3gPrintSearchStats(MpmThreadCtx *mpm_thread_ctx) {
B3gThreadCtx *tctx = (B3gThreadCtx *)mpm_thread_ctx->ctx; B3gThreadCtx *tctx = (B3gThreadCtx *)mpm_thread_ctx->ctx;
printf("B3g Thread Search stats (tctx %p)\n", tctx); printf("B3g Thread Search stats (tctx %p)\n", tctx);
printf("Total calls/scans: %" PRIu32 "\n", tctx->stat_calls); printf("Total calls: %" PRIu32 "\n", tctx->stat_calls);
printf("Avg m/scan: %0.2f\n", tctx->stat_calls ? (float)((float)tctx->stat_m_total / (float)tctx->stat_calls) : 0); printf("Avg m/search: %0.2f\n", tctx->stat_calls ? (float)((float)tctx->stat_m_total / (float)tctx->stat_calls) : 0);
printf("D != 0 (possible match): %" PRIu32 "\n", tctx->stat_d0); printf("D != 0 (possible match): %" PRIu32 "\n", tctx->stat_d0);
printf("Avg hash items per bucket %0.2f (%" PRIu32 ")\n", tctx->stat_d0 ? (float)((float)tctx->stat_d0_hashloop / (float)tctx->stat_d0) : 0, tctx->stat_d0_hashloop); printf("Avg hash items per bucket %0.2f (%" PRIu32 ")\n", tctx->stat_d0 ? (float)((float)tctx->stat_d0_hashloop / (float)tctx->stat_d0) : 0, tctx->stat_d0_hashloop);
printf("Loop match: %" PRIu32 "\n", tctx->stat_loop_match); printf("Loop match: %" PRIu32 "\n", tctx->stat_loop_match);
@ -965,11 +964,9 @@ uint32_t B3gSearch(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PatternMatcher
do { do {
uint16_t h = B3G_HASH(u8_tolower(buf[pos + j - 1]), u8_tolower(buf[pos + j - 0]),u8_tolower(buf[pos + j + 1])); uint16_t h = B3G_HASH(u8_tolower(buf[pos + j - 1]), u8_tolower(buf[pos + j - 0]),u8_tolower(buf[pos + j + 1]));
// printf("scan: h %" PRIu32 ", %c.%c.%c\n", h, u8_tolower(buf[pos + j - 1]), u8_tolower(buf[pos + j - 0]),u8_tolower(buf[pos + j + 1]));
d = ((d << 1) & ctx->B3G[h]); d = ((d << 1) & ctx->B3G[h]);
j = j - 1; j = j - 1;
} while (d != 0 && j != 0); } while (d != 0 && j != 0);
// printf("scan: d %" PRIu32 ", j %" PRIu32 "\n", d, j);
/* (partial) match, move on to verification */ /* (partial) match, move on to verification */
if (d != 0) { if (d != 0) {

@ -64,7 +64,7 @@ typedef struct B3gCtx_ {
uint32_t (*Search)(struct MpmCtx_ *, struct MpmThreadCtx_ *, PatternMatcherQueue *, uint8_t *, uint16_t); uint32_t (*Search)(struct MpmCtx_ *, struct MpmThreadCtx_ *, PatternMatcherQueue *, uint8_t *, uint16_t);
/* we store our own multi byte scan ptr here for B3gSearch1 */ /* we store our own multi byte search func ptr here for B3gSearch1 */
uint32_t (*MBSearch2)(struct MpmCtx_ *, struct MpmThreadCtx_ *, PatternMatcherQueue *, uint8_t *, uint16_t); uint32_t (*MBSearch2)(struct MpmCtx_ *, struct MpmThreadCtx_ *, PatternMatcherQueue *, uint8_t *, uint16_t);
uint32_t (*MBSearch)(struct MpmCtx_ *, struct MpmThreadCtx_ *, PatternMatcherQueue *, uint8_t *, uint16_t); uint32_t (*MBSearch)(struct MpmCtx_ *, struct MpmThreadCtx_ *, PatternMatcherQueue *, uint8_t *, uint16_t);

@ -148,7 +148,6 @@ void WmPrintInfo(MpmCtx *mpm_ctx) {
printf(" WmPattern %" PRIuMAX "\n", (uintmax_t)sizeof(WmPattern)); printf(" WmPattern %" PRIuMAX "\n", (uintmax_t)sizeof(WmPattern));
printf(" WmHashItem %" PRIuMAX "\n", (uintmax_t)sizeof(WmHashItem)); printf(" WmHashItem %" PRIuMAX "\n", (uintmax_t)sizeof(WmHashItem));
printf("Unique Patterns: %" PRIu32 "\n", mpm_ctx->pattern_cnt); printf("Unique Patterns: %" PRIu32 "\n", mpm_ctx->pattern_cnt);
printf("Scan Patterns: %" PRIu32 "\n", mpm_ctx->pattern_cnt);
printf("Total Patterns: %" PRIu32 "\n", mpm_ctx->total_pattern_cnt); printf("Total Patterns: %" PRIu32 "\n", mpm_ctx->total_pattern_cnt);
printf("Smallest: %" PRIu32 "\n", mpm_ctx->minlen); printf("Smallest: %" PRIu32 "\n", mpm_ctx->minlen);
printf("Largest: %" PRIu32 "\n", mpm_ctx->maxlen); printf("Largest: %" PRIu32 "\n", mpm_ctx->maxlen);
@ -684,7 +683,6 @@ int WmPreparePatterns(MpmCtx *mpm_ctx) {
* we should do some performance testing * we should do some performance testing
* */ * */
/* scan */
if (ctx->hash_size == 0) { if (ctx->hash_size == 0) {
if (mpm_ctx->pattern_cnt < 50) { if (mpm_ctx->pattern_cnt < 50) {
ctx->hash_size = HASH9_SIZE; ctx->hash_size = HASH9_SIZE;

@ -39,9 +39,9 @@ typedef struct WmCtx_ {
for the BloomFilter. */ for the BloomFilter. */
WmHashItem hash1[256]; WmHashItem hash1[256];
/* we store our own scan ptr here for WmSearch1 */ /* we store our own search func ptr here for WmSearch1 */
uint32_t (*Search)(struct MpmCtx_ *, struct MpmThreadCtx_ *, PatternMatcherQueue *, uint8_t *, uint16_t); uint32_t (*Search)(struct MpmCtx_ *, struct MpmThreadCtx_ *, PatternMatcherQueue *, uint8_t *, uint16_t);
/* we store our own multi byte scan ptr here for WmSearch1 */ /* we store our own multi byte search func ptr here for WmSearch1 */
uint32_t (*MBSearch)(struct MpmCtx_ *, struct MpmThreadCtx_ *, PatternMatcherQueue *, uint8_t *, uint16_t); uint32_t (*MBSearch)(struct MpmCtx_ *, struct MpmThreadCtx_ *, PatternMatcherQueue *, uint8_t *, uint16_t);
/* pattern arrays */ /* pattern arrays */

@ -85,7 +85,6 @@ typedef struct MpmCtx_ {
uint32_t endmatches; uint32_t endmatches;
uint32_t scan_pattern_cnt; /* scan patterns */
uint32_t pattern_cnt; /* unique patterns */ uint32_t pattern_cnt; /* unique patterns */
uint32_t total_pattern_cnt; /* total patterns added */ uint32_t total_pattern_cnt; /* total patterns added */
