Detect: create per sgh non-MPM rule array

Array of rule id's that are not using MPM prefiltering. These will be merged with the MPM results array. Together these should lead to a list of all the rules that can possibly match.
11 years ago · f5df526f9b
parent e49d0a5924
commit f5df526f9b
4 changed files with 56 additions and 0 deletions
--- a/src/detect-engine-siggroup.c
+++ b/src/detect-engine-siggroup.c
@ -205,6 +205,12 @@ void SigGroupHeadFree(SigGroupHead *sgh)
        sgh->match_array = NULL;
    }

+    if (sgh->non_mpm_id_array != NULL) {
+        SCFree(sgh->non_mpm_id_array);
+        sgh->non_mpm_id_array = NULL;
+        sgh->non_mpm_id_cnt = 0;
+    }
+
    sgh->sig_cnt = 0;

    if (sgh->init != NULL) {
@ -1696,6 +1702,49 @@ void SigGroupHeadSetFilestoreCount(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
    return;
 }

+/* build an array of rule id's for sigs with no mpm */
+int SigGroupHeadBuildNonMpmArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
+{
+    Signature *s = NULL;
+    uint32_t sig = 0;
+    uint32_t non_mpm = 0;
+
+    if (sgh == NULL)
+        return 0;
+
+    BUG_ON(sgh->non_mpm_id_array != NULL);
+
+    for (sig = 0; sig < sgh->sig_cnt; sig++) {
+        s = sgh->match_array[sig];
+        if (s == NULL)
+            continue;
+
+        if (s->mpm_sm == NULL)
+            non_mpm++;
+    }
+
+    if (non_mpm == 0) {
+        sgh->non_mpm_id_array = NULL;
+        return 0;
+    }
+
+    sgh->non_mpm_id_array = SCMalloc(non_mpm * sizeof(uint32_t));
+    BUG_ON(sgh->non_mpm_id_array == NULL);
+    memset(sgh->non_mpm_id_array, 0, non_mpm * sizeof(uint32_t));
+
+    for (sig = 0; sig < sgh->sig_cnt; sig++) {
+        s = sgh->match_array[sig];
+        if (s == NULL)
+            continue;
+        if (s->mpm_sm != NULL)
+            continue;
+
+        BUG_ON(sgh->non_mpm_id_cnt >= non_mpm);
+        sgh->non_mpm_id_array[sgh->non_mpm_id_cnt++] = s->num;
+    }
+    return 0;
+}
+
 int SigGroupHeadBuildHeadArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
    Signature *s = NULL;
--- a/src/detect-engine-siggroup.h
+++ b/src/detect-engine-siggroup.h
@ -91,4 +91,6 @@ void SigGroupHeadSetFilestoreCount(DetectEngineCtx *, SigGroupHead *);
 void SigGroupHeadSetFileMd5Flag(DetectEngineCtx *, SigGroupHead *);
 void SigGroupHeadSetFilesizeFlag(DetectEngineCtx *, SigGroupHead *);

+int SigGroupHeadBuildNonMpmArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
+
 #endif /* __DETECT_ENGINE_SIGGROUP_H__ */
--- a/src/detect.c
+++ b/src/detect.c
@ -4013,6 +4013,8 @@ int SigAddressPrepareStage4(DetectEngineCtx *de_ctx)
        SigGroupHeadSetFilesizeFlag(de_ctx, sgh);
        SigGroupHeadSetFilestoreCount(de_ctx, sgh);
        SCLogDebug("filestore count %u", sgh->filestore_cnt);
+
+        SigGroupHeadBuildNonMpmArray(de_ctx, sgh);
    }

    if (de_ctx->decoder_event_sgh != NULL) {
--- a/src/detect.h
+++ b/src/detect.h
@ -975,6 +975,9 @@ typedef struct SigGroupHead_ {
     *  signatures to be inspected in a cache efficient way. */
    SignatureHeader *head_array;

+    uint32_t *non_mpm_id_array;
+    uint32_t non_mpm_id_cnt; // size is cnt * sizeof(uint32_t)
+
    /* pattern matcher instances */
    MpmCtx *mpm_proto_other_ctx;