Detection engine improvement: don't run pattern matcher on packets with payload sizes less than the biggest content we need to match. Add some extra stats.

remotes/origin/master-1.0.x
Victor Julien 17 years ago
parent 0250642cc0
commit fedcc397de

@ -174,7 +174,7 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
MpmInitCtx(sh->mpm_uri_ctx, MPM_WUMANBER);
}
u_int16_t mpm_content_maxlen = 0, mpm_uricontent_maxlen = 0;
u_int16_t mpm_content_scan_maxlen = 65535, mpm_uricontent_scan_maxlen = 65535;
u_int32_t mpm_content_cnt = 0, mpm_uricontent_cnt = 0;
u_int16_t mpm_content_maxdepth = 65535, mpm_content_minoffset = 65535;
u_int16_t mpm_content_maxdepth_one = 65535, mpm_content_minoffset_one = 65535;
@ -302,25 +302,22 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
mpm_content_minoffset_one = content_minoffset_one;
if (content_cnt) {
if (mpm_content_maxlen == 0) mpm_content_maxlen = content_maxlen;
if (mpm_content_maxlen > content_maxlen)
mpm_content_maxlen = content_maxlen;
if (sh->mpm_content_minlen == 0) sh->mpm_content_minlen = content_minlen;
if (sh->mpm_content_minlen > content_minlen)
sh->mpm_content_minlen = content_minlen;
if (sh->mpm_content_maxlen == 0) sh->mpm_content_maxlen = content_maxlen;
if (sh->mpm_content_maxlen > content_maxlen)
sh->mpm_content_maxlen = content_maxlen;
}
if (uricontent_maxlen) {
if (mpm_uricontent_maxlen == 0) mpm_uricontent_maxlen = uricontent_maxlen;
if (mpm_uricontent_maxlen > uricontent_maxlen)
mpm_uricontent_maxlen = uricontent_maxlen;
if (sh->mpm_uricontent_maxlen == 0) sh->mpm_uricontent_maxlen = uricontent_maxlen;
if (sh->mpm_uricontent_maxlen > uricontent_maxlen)
sh->mpm_uricontent_maxlen = uricontent_maxlen;
}
//#if 0
/* scan ctx */
for (sm = s->match; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_CONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_COPY)) {
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (mpm_content_maxlen == cd->content_len) {
if (sh->mpm_content_maxlen >= cd->content_len) {
if (cd->flags & DETECT_CONTENT_NOCASE) {
sh->mpm_scan_ctx->AddPatternNocase(sh->mpm_scan_ctx, cd->content, cd->content_len, cd->id);
} else {
@ -375,13 +372,13 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
sh->mpm_scan_ctx->Prepare(sh->mpm_scan_ctx);
}
if (mpm_content_cnt && mpm_content_maxlen > 1) {
if (mpm_content_cnt && sh->mpm_content_maxlen > 1) {
//printf("mpm_content_cnt %u, mpm_content_maxlen %d\n", mpm_content_cnt, mpm_content_maxlen);
g_content_scan++;
} else {
g_content_search++;
}
// printf("(sh %p) mpm_content_cnt %u, mpm_content_maxlen %u, mpm_content_minlen %u\n", sh, mpm_content_cnt, mpm_content_maxlen, sh->mpm_content_minlen);
//printf("(sh %p) mpm_content_cnt %u, mpm_content_maxlen %u, mpm_content_minlen %u, mpm_content_scan_maxlen %u\n", sh, mpm_content_cnt, mpm_content_maxlen, sh->mpm_content_minlen, mpm_content_scan_maxlen);
if (mpm_content_maxdepth) {
// printf("mpm_content_maxdepth %u\n", mpm_content_maxdepth);
@ -403,7 +400,7 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
if (sh->mpm_uri_ctx->Prepare != NULL) {
sh->mpm_uri_ctx->Prepare(sh->mpm_uri_ctx);
}
if (mpm_uricontent_cnt && mpm_uricontent_maxlen > 1) {
if (mpm_uricontent_cnt && sh->mpm_uricontent_maxlen > 1) {
// printf("mpm_uricontent_cnt %u, mpm_uricontent_maxlen %d\n", mpm_uricontent_cnt, mpm_uricontent_maxlen);
g_uricontent_scan++;
} else {
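Review bot: The scan-context selection at `if (sh->mpm_content_maxlen >= cd->content_len)` can still leave a signature with no pattern in `mpm_scan_ctx` at all: `sh->mpm_content_maxlen` is lowered to the smallest per-signature longest content a few lines earlier, so a signature whose every content is longer than that value adds nothing here, and if the caller's `cnt > 0` gate in SigMatchSignatures has no other path to the full search, that signature is never evaluated for the group (the old `==` form had the same gap, this hunk only widens what gets added). It would be worth counting per-signature additions in this loop and checking after it, e.g. `if (content_cnt && scan_added == 0) { /* fall back: add this sig's shortest content so the scan can reach it */ }`, or at least a comment stating why that case cannot occur. The field name reads as a maximum while the code only ever lowers it at `if (sh->mpm_content_maxlen > content_maxlen)`, so a comment such as `/* min over sigs of each sig's longest content: the shortest payload that can match any sig in this group */` would stop the next reader from inverting the comparison. The first hunk shows the local `mpm_content_maxlen` declaration with no visible replacement, so whether that local is still declared after this commit cannot be told from the rendering. PatternMatchPrepareGroup starts and ends outside these hunks.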

@ -73,11 +73,36 @@ void DetectExitPrintStats(ThreadVars *tv, void *data) {
if (pmt == NULL)
return;
printf(" - (%s) Pkts %u, Scanned %u (%02.1f), Searched %u (%02.1f).\n", tv->name,
printf(" - (%s) (1byte) Pkts %u, Scanned %u (%02.1f), Searched %u (%02.1f): %02.1f%%.\n", tv->name,
pmt->pkts, pmt->pkts_scanned1,
(float)(pmt->pkts_scanned1/(float)(pmt->pkts)*100),
pmt->pkts_searched1,
(float)(pmt->pkts_searched1/(float)(pmt->pkts)*100),
(float)(pmt->pkts_searched1/(float)(pmt->pkts_scanned1)*100));
printf(" - (%s) (2byte) Pkts %u, Scanned %u (%02.1f), Searched %u (%02.1f): %02.1f%%.\n", tv->name,
pmt->pkts, pmt->pkts_scanned2,
(float)(pmt->pkts_scanned2/(float)(pmt->pkts)*100),
pmt->pkts_searched2,
(float)(pmt->pkts_searched2/(float)(pmt->pkts)*100),
(float)(pmt->pkts_searched2/(float)(pmt->pkts_scanned2)*100));
printf(" - (%s) (3byte) Pkts %u, Scanned %u (%02.1f), Searched %u (%02.1f): %02.1f%%.\n", tv->name,
pmt->pkts, pmt->pkts_scanned3,
(float)(pmt->pkts_scanned3/(float)(pmt->pkts)*100),
pmt->pkts_searched3,
(float)(pmt->pkts_searched3/(float)(pmt->pkts)*100),
(float)(pmt->pkts_searched3/(float)(pmt->pkts_scanned3)*100));
printf(" - (%s) (4byte) Pkts %u, Scanned %u (%02.1f), Searched %u (%02.1f): %02.1f%%.\n", tv->name,
pmt->pkts, pmt->pkts_scanned4,
(float)(pmt->pkts_scanned4/(float)(pmt->pkts)*100),
pmt->pkts_searched4,
(float)(pmt->pkts_searched4/(float)(pmt->pkts)*100),
(float)(pmt->pkts_searched4/(float)(pmt->pkts_scanned4)*100));
printf(" - (%s) (+byte) Pkts %u, Scanned %u (%02.1f), Searched %u (%02.1f): %02.1f%%.\n", tv->name,
pmt->pkts, pmt->pkts_scanned,
(float)(pmt->pkts_scanned/(float)(pmt->pkts)*100),
pmt->pkts_searched,
(float)(pmt->pkts_searched/(float)(pmt->pkts)*100));
(float)(pmt->pkts_searched/(float)(pmt->pkts)*100),
(float)(pmt->pkts_searched/(float)(pmt->pkts_scanned)*100));
}
void SigLoadSignatures (void)
@ -395,14 +420,24 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p)
if (p->tcp_payload_len > 0 && pmt->mc != NULL) {
/* run the pattern matcher against the packet */
if (sgh->mpm_content_minlen > p->tcp_payload_len) {
//printf("Not scanning as pkt payload is smaller than the min content length.\n");
if (sgh->mpm_content_maxlen > p->tcp_payload_len) {
//printf("Not scanning as pkt payload is smaller than the largest content length we need to match");
} else {
pmt->pkts_scanned++;
if (sgh->mpm_content_maxlen == 1) pmt->pkts_scanned1++;
else if (sgh->mpm_content_maxlen == 2) pmt->pkts_scanned2++;
else if (sgh->mpm_content_maxlen == 3) pmt->pkts_scanned3++;
else if (sgh->mpm_content_maxlen == 4) pmt->pkts_scanned4++;
else pmt->pkts_scanned++;
u_int32_t cnt = PacketPatternScan(th_v, pmt, p);
//printf("scan: cnt %u\n", cnt);
if (cnt > 0) {
pmt->pkts_searched++;
if (sgh->mpm_content_maxlen == 1) pmt->pkts_searched1++;
else if (sgh->mpm_content_maxlen == 2) pmt->pkts_searched2++;
else if (sgh->mpm_content_maxlen == 3) pmt->pkts_searched3++;
else if (sgh->mpm_content_maxlen == 4) pmt->pkts_searched4++;
else pmt->pkts_searched++;
cnt += PacketPatternMatch(th_v, pmt, p);
//printf("search: cnt %u\n", cnt);
}
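Review bot: The new per-bucket percentages in DetectExitPrintStats divide by `pmt->pkts_scanned1` through `pmt->pkts_scanned4` and by `pmt->pkts_scanned`, any of which is zero on a run where no group has that content length, so the float division prints `nan` or `inf` instead of a number (the existing division by `pmt->pkts` has the same problem when no packet was seen). A small helper returning 0 for an empty denominator keeps the output readable and lets the five printf calls share one expression; the sketch below shows the helper and the first call, the other four follow the same shape. In the SigMatchSignatures hunk the unsuffixed `pkts_scanned`/`pkts_searched` now receive only packets of groups whose longest content is not 1–4 bytes (including groups with no content at all, where `mpm_content_maxlen` stays 0), so anything reading those counters as totals now sees a smaller value than before. DetectExitPrintStats and SigMatchSignatures both start and end outside their hunks.
```c
/* percentage of num over den; 0 when den is empty so the stats never print nan/inf */
static float StatsPct(u_int32_t num, u_int32_t den) {
    return den == 0 ? 0.0f : (float)num / (float)den * 100.0f;
}

    /* … unchanged: pmt NULL check … */
    printf(" - (%s) (1byte) Pkts %u, Scanned %u (%02.1f), Searched %u (%02.1f): %02.1f%%.\n", tv->name,
        pmt->pkts, pmt->pkts_scanned1, StatsPct(pmt->pkts_scanned1, pmt->pkts),
        pmt->pkts_searched1, StatsPct(pmt->pkts_searched1, pmt->pkts),
        StatsPct(pmt->pkts_searched1, pmt->pkts_scanned1));
    /* … unchanged: the 2byte, 3byte, 4byte and +byte lines use the same shape … */
```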

@ -46,6 +46,14 @@ typedef struct _PatternMatcherThread {
u_int32_t pkts;
u_int32_t pkts_scanned;
u_int32_t pkts_searched;
u_int32_t pkts_scanned1;
u_int32_t pkts_searched1;
u_int32_t pkts_scanned2;
u_int32_t pkts_searched2;
u_int32_t pkts_scanned3;
u_int32_t pkts_searched3;
u_int32_t pkts_scanned4;
u_int32_t pkts_searched4;
} PatternMatcherThread;
typedef struct _Signature {
@ -166,9 +174,10 @@ typedef struct _SigGroupHead {
/* pattern matcher instance */
MpmCtx *mpm_ctx; /* search */
MpmCtx *mpm_scan_ctx; /* scan */
u_int16_t mpm_content_minlen;
u_int16_t mpm_content_maxlen;
MpmCtx *mpm_uri_ctx;
u_int16_t mpm_uricontent_minlen;
MpmCtx *mpm_scan_uri_ctx;
u_int16_t mpm_uricontent_maxlen;
/* number of sigs in this head */
u_int32_t sig_cnt;
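Review bot: The new `PatternMatcherThread` counters and the `mpm_content_maxlen` field are added without comments, and both are easy to misread from their names: the numbered counters take groups whose longest content is exactly 1–4 bytes while the unsuffixed `pkts_scanned`/`pkts_searched` now hold only the remaining groups, and `mpm_content_maxlen` is the smallest of the per-signature longest content lengths, used as the shortest payload that can still match a signature in the group. Suggest `/* min over sigs of each sig's longest content; payloads shorter than this skip the scan */` on `mpm_content_maxlen`, and `/* buckets by the group's longest content, 1..4 bytes; the unsuffixed pair holds every other group */` above the counter block. Both structs continue outside these hunks.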
