Skip to content
Permalink
Browse files Browse the repository at this point in the history
detect: avoid needless recursive scanning
Don't recursively inspect a detect list if the recursion
doesn't increase chance of success.
  • Loading branch information
victorjulien committed May 1, 2017
1 parent bc7c01e commit b9579fb
Showing 1 changed file with 21 additions and 10 deletions.
31 changes: 21 additions & 10 deletions src/detect-engine-content-inspection.c
@@ -1,4 +1,4 @@
/* Copyright (C) 2007-2011 Open Information Security Foundation
/* Copyright (C) 2007-2017 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
Expand Down Expand Up @@ -286,6 +286,11 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
SCLogDebug("found %p cd negated %s", found, cd->flags & DETECT_CONTENT_NEGATED ? "true" : "false");

if (found == NULL && !(cd->flags & DETECT_CONTENT_NEGATED)) {
if ((cd->flags & (DETECT_CONTENT_DISTANCE|DETECT_CONTENT_WITHIN)) == 0) {
/* independent match from previous matches, so failure is fatal */
det_ctx->discontinue_matching = 1;
}

goto no_match;
} else if (found == NULL && (cd->flags & DETECT_CONTENT_NEGATED)) {
goto match;
Expand All @@ -310,16 +315,10 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
SCLogWarning(SC_ERR_INVALID_VALUE, "Can't modify payload without packet");
}
}
if (!(cd->flags & DETECT_CONTENT_RELATIVE_NEXT)) {
SCLogDebug("no relative match coming up, so this is a match");
goto match;
}

/* bail out if we have no next match. Technically this is an
* error, as the current cd has the DETECT_CONTENT_RELATIVE_NEXT
* flag set. */
/* if this is the last match we're done */
if (smd->is_last) {
goto no_match;
goto match;
}

SCLogDebug("content %"PRIu32, cd->id);
Expand All @@ -333,9 +332,21 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
if (r == 1) {
SCReturnInt(1);
}
SCLogDebug("no match for 'next sm'");

if (det_ctx->discontinue_matching)
if (det_ctx->discontinue_matching) {
SCLogDebug("'next sm' said to discontinue this right now");
goto no_match;
}

/* no match and no reason to look for another instance */
if ((cd->flags & DETECT_CONTENT_RELATIVE_NEXT) == 0) {
SCLogDebug("'next sm' does not depend on me, so we can give up");
det_ctx->discontinue_matching = 1;
goto no_match;
}

SCLogDebug("'next sm' depends on me %p, lets see what we can do (flags %u)", cd, cd->flags);

/* set the previous match offset to the start of this match + 1 */
prev_offset = (match_offset - (cd->content_len - 1));
Expand Down

0 comments on commit b9579fb

Please sign in to comment.