mirror of https://github.com/OISF/suricata
detect: per port and proto rule grouping
Replace tree based approach for rule grouping with a per port (tcp/udp)
and per protocol approach.

Grouping now looks like:

            +----+
            |icmp+--->
            +----+
            |gre +--->
            +----+
            |esp +--->
            +----+
       other|... |
      +----->-----+
      |     |N   +--->
      |     +----+
      |
      |      tcp +----+   +----+
      +----->+ 80 +-->+ 139+-->
      |      +----+   +----+
      |
      |      udp +----+   +----+
    +---+----->+ 53 +-->+ 135+-->
    |          +----+   +----+
    |toserver
    +--->
    |toclient
    |
    +--->

So the first 'split' in the rules is the direction: toserver or toclient.
Rules that don't have a direction are in both branches.

Then the split is between tcp/udp and the other protocols. For tcp and
udp port lists are used. For the other protocols, grouping is simply
per protocol.

The ports used are the destination ports for toserver sigs and source
ports for toclient sigs.

pull/1978/head
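The lookup structure the commit message describes, modeled as an added example. This is not Suricata's code and does not use its types or functions: the Sig struct, the bitmask candidate sets, the per-direction 65536-entry port tables, the PORT_ANY handling for rules without a port, and the sample rule set are all assumptions made here to show how direction, protocol and port select the candidate group for a packet.

```c
/* Added example: a model of the direction / protocol / port grouping the
 * commit message describes. Not Suricata's code; the Sig struct, the bitmask
 * candidate sets, the port tables, PORT_ANY and the sample rules are
 * assumptions made for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { DIR_TOSERVER = 0, DIR_TOCLIENT = 1, DIR_BOTH = 2 }; /* DIR_BOTH: rule has no direction */
enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17, PROTO_GRE = 47, PROTO_ESP = 50 };
#define MAX_SIGS 32   /* candidate sets are 32-bit masks over the sig index */
#define PORT_ANY -1   /* assumed: rule that applies to every port of its proto */

typedef struct {
    int id;     /* rule sid */
    int dir;    /* DIR_* */
    int proto;  /* IP protocol number */
    int port;   /* dst port for toserver rules, src port for toclient rules, or PORT_ANY */
} Sig;

/* [dir][tcp=0/udp=1][port] -> candidate mask; other protocols grouped per proto */
static uint32_t port_groups[2][2][65536];
static uint32_t port_any[2][2];
static uint32_t proto_groups[2][256];

static int is_port_proto(int proto) { return proto == PROTO_TCP || proto == PROTO_UDP; }
static int pp(int proto) { return proto == PROTO_TCP ? 0 : 1; }

static void add_to_branch(int dir, int idx, const Sig *s)
{
    uint32_t bit = 1u << idx;
    if (!is_port_proto(s->proto))
        proto_groups[dir][s->proto & 0xff] |= bit;
    else if (s->port == PORT_ANY)
        port_any[dir][pp(s->proto)] |= bit;
    else
        port_groups[dir][pp(s->proto)][s->port & 0xffff] |= bit;
}

/* Build the groups: split on direction first (rules without a direction go
 * into both branches), then tcp/udp vs other protocols, then port.
 * Returns the number of rules grouped. */
int build_groups(const Sig *sigs, int n)
{
    memset(port_groups, 0, sizeof port_groups);
    memset(port_any, 0, sizeof port_any);
    memset(proto_groups, 0, sizeof proto_groups);
    if (n > MAX_SIGS) n = MAX_SIGS;
    for (int i = 0; i < n; i++) {
        if (sigs[i].dir != DIR_TOCLIENT) add_to_branch(DIR_TOSERVER, i, &sigs[i]);
        if (sigs[i].dir != DIR_TOSERVER) add_to_branch(DIR_TOCLIENT, i, &sigs[i]);
    }
    return n;
}

/* Candidate rules for one packet: toserver packets are looked up by their
 * destination port, toclient packets by their source port. */
uint32_t lookup(int dir, int proto, int sport, int dport)
{
    if (!is_port_proto(proto))
        return proto_groups[dir][proto & 0xff];
    int port = (dir == DIR_TOSERVER) ? dport : sport;
    return port_groups[dir][pp(proto)][port & 0xffff] | port_any[dir][pp(proto)];
}

/* Constructed sample rule set (not real Suricata rules). */
const Sig SAMPLE_SIGS[] = {
    { 1, DIR_TOSERVER, PROTO_TCP,  80 },       /* idx 0 */
    { 2, DIR_TOSERVER, PROTO_TCP,  139 },      /* idx 1 */
    { 3, DIR_TOCLIENT, PROTO_TCP,  80 },       /* idx 2: server reply from port 80 */
    { 4, DIR_BOTH,     PROTO_UDP,  53 },       /* idx 3: no direction keyword */
    { 5, DIR_TOSERVER, PROTO_UDP,  135 },      /* idx 4 */
    { 6, DIR_BOTH,     PROTO_ICMP, PORT_ANY }, /* idx 5 */
    { 7, DIR_TOSERVER, PROTO_TCP,  PORT_ANY }, /* idx 6 */
};
const int NSAMPLE = sizeof SAMPLE_SIGS / sizeof SAMPLE_SIGS[0];

static void show(const char *what, uint32_t mask)
{
    printf("%-26s ->", what);
    for (int i = 0; i < NSAMPLE; i++)
        if (mask & (1u << i)) printf(" sid:%d", SAMPLE_SIGS[i].id);
    printf("\n");
}

int main(void)
{
    build_groups(SAMPLE_SIGS, NSAMPLE);
    show("toserver tcp 40000->80",  lookup(DIR_TOSERVER, PROTO_TCP, 40000, 80));
    show("toclient tcp 80->40000",  lookup(DIR_TOCLIENT, PROTO_TCP, 80, 40000));
    show("toserver tcp 40000->443", lookup(DIR_TOSERVER, PROTO_TCP, 40000, 443));
    show("toclient udp 53->5555",   lookup(DIR_TOCLIENT, PROTO_UDP, 53, 5555));
    show("toclient udp 5555->53",   lookup(DIR_TOCLIENT, PROTO_UDP, 5555, 53));
    show("toclient icmp",           lookup(DIR_TOCLIENT, PROTO_ICMP, 0, 0));
    show("toserver gre",            lookup(DIR_TOSERVER, PROTO_GRE, 0, 0));
    return 0;
}
```

The toclient udp cases show the point about port selection: a reply from port 53 reaches the sid:4 group, while a toclient packet whose source port is 5555 does not, even though its destination port is 53. The direction split comes first, so sid:1 (toserver only) never appears in a toclient lookup even for port 80.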
parent 27e63a1e11
commit fd5a06017d