detect grouping v200 #1972

inliniac · 2016-03-31T12:54:20Z

Rebase to master of #1962. It includes the Hyperscan MPM support.

Prscript:

PR inliniac-pcap: https://buildbot.openinfosecfoundation.org/builders/inliniac-pcap/builds/403
PR inliniac: https://buildbot.openinfosecfoundation.org/builders/inliniac/builds/408

Introduce 'ac-ks' or the Kenneth Steele AC implementation. It's actually 'ac-tile' written by Ken for the Tilera platform. This patch adds support for it on other architectures as well. Enable ac-tile for other archs as 'ac-ks'. Fix a bunch of OOB reads in the loops that triggered ASAN.

Use sgh-mpm-context single is it is set to 'auto' when ac-ks is used.

Remove: ac-gfbs, wumanber, b2g, b3g.

Leading and trailing spaces and tabs are invalid as these are not part of the buffer as returned by libhtp.

Add funcs to see if a rule needs a SYN flag in the packet.

Each SGH has a unique ipproto and direction.

Replace tree based approach for rule grouping with a per port (tcp/udp) and per protocol approach. Grouping now looks like: +----+ |icmp+---> +----+ |gre +---> +----+ |esp +---> +----+ other|... | +----->-----+ | |N +---> | +----+ | | tcp +----+ +----+ +----->+ 80 +-->+ 139+--> | +----+ +----+ | | udp +----+ +----+ +---+----->+ 53 +-->+ 135+--> | +----+ +----+ |toserver +---> |toclient | +---> So the first 'split' in the rules is the direction: toserver or toclient. Rules that don't have a direction, are in both branches. Then the split is between tcp/udp and the other protocols. For tcp and udp port lists are used. For the other protocols, grouping is simply per protocol. The ports used are the destination ports for toserver sigs and source ports for toclient sigs.

Allow multi-proto, multi-direction sgh's.

Update port grouping logic. Previously it would create one consistent list w/o overlap. It largely still does this, except for the 'catch all' port group at the end of the list. This port group contains all the sigs that didn't fit into the other groups.

SGH's for tcp and udp are now always only per proto and per direction. This means we can simply reuse the packet and stream mpm pointers. The SGH's for the other protocols already used a directionless catch all mpm pointer.

Create a hash table of unique DetectPort objects before trying to create a unique list of these objects. This safes a lot of cycles in the creation of the list.

Allow setting of shared or unique setting per app buffer type: e.g. detect.mpm.http_uri.shared=true

Instead of detect-engine which used a list for no good reason, use a simple map now. detect: profile: medium custom-values: toclient-groups: 3 toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. #delayed-detect: yes

Make the port grouping whitelisting configurable. A whitelisted port ends up in it's own port group. detect: grouping: tcp-whitelist: 80, 443 udp-whitelist: 53, 5060 No portranges are allowed at this point.

Make the rule grouping dump to rule_group.json configurable. detect: profiling: grouping: dump-to-disk: false include-rules: false # very verbose include-mpm-stats: false

inliniac · 2016-04-05T06:32:18Z

Replaced by #1978

victorjulien added 30 commits March 31, 2016 13:29

ac-ks: fix mem leaks

9a131ea

ac-ks: 32bit fixes

6d1c246

detect mpm: ac-tile/ac-ks default to single

db0dac3

Use sgh-mpm-context single is it is set to 'auto' when ac-ks is used.

mpm: fix ac-ks compilation on cygwin

7c8eb12

mpm: remove obsolete mpm algos

4cd794c

Remove: ac-gfbs, wumanber, b2g, b3g.

detect: constify mpm/detect funcs

73cc43a

detect/mpm: remove unused max_id param from API

49942a5

detect mpm: remove dead code

2bc80a4

detect: remove dead code

7d92f97

detect: validate http_method pattern

481d843

Leading and trailing spaces and tabs are invalid as these are not part of the buffer as returned by libhtp.

detect: SYN flags

2e728dd

Add funcs to see if a rule needs a SYN flag in the packet.

rule analyzer: add no/both direction warning

1b34164

Start rule inspect with mask check

3950a1b

detect: delay sgh mpm setup

050ba1f

detect: delay sgh cleanup

faafe89

detect: pass ipproto to rule grouping funcs

036822c

detect: track direction and ipproto of sgh

73d7907

Each SGH has a unique ipproto and direction.

detect: debug output

724e50d

detect: remove obsolete grouping code

031442c

detect-mpm: make sgh setup proto aware

062aa72

Allow multi-proto, multi-direction sgh's.

detect: group proto sghs

e495fab

detect: display unique sgh count

9215c75

detect: sort/group port sigs

99467aa

detect: change port grouping

19550a7

Update port grouping logic. Previously it would create one consistent list w/o overlap. It largely still does this, except for the 'catch all' port group at the end of the list. This port group contains all the sigs that didn't fit into the other groups.

detect: make port grouping use config limits

ed3ec79

detect: remove unused grouping settings

1ba0115

detect: rename groupings vars

f16068e

detect: set new defaults for grouping

1d62f86

victorjulien added 25 commits March 31, 2016 14:02

detect: optimize sgh layout

1f00055

http_raw_header: improve mpm progress handling

7239a77

detect/mpm: unify packet/stream mpm_ctx pointers

d238029

SGH's for tcp and udp are now always only per proto and per direction. This means we can simply reuse the packet and stream mpm pointers. The SGH's for the other protocols already used a directionless catch all mpm pointer.

mpm: consify packet/stream search

2d9d6b3

rule grouping: speed up port based grouping

1071f31

Create a hash table of unique DetectPort objects before trying to create a unique list of these objects. This safes a lot of cycles in the creation of the list.

detect: work around cocci limitation

e1b0849

mpm: in factory register, consider name const

9659415

mpm: remove unused app proto factory

eed71de

mpm: remove useless flag from factory

f5bc367

mpm: refactor 'single' setup handling

24ab1d3

mpm: allow app buffer shared/unique

6873bf3

Allow setting of shared or unique setting per app buffer type: e.g. detect.mpm.http_uri.shared=true

mpm: always cleanup factory

8e67960

mpm: clean up builtin mpm setup, enable single/full

22b22fb

detect: suppress output

7737b88

detect: make port whitelisting configurable

08c1783

Make the port grouping whitelisting configurable. A whitelisted port ends up in it's own port group. detect: grouping: tcp-whitelist: 80, 443 udp-whitelist: 53, 5060 No portranges are allowed at this point.

detect grouping: make json dump configurable

e413b2f

Make the rule grouping dump to rule_group.json configurable. detect: profiling: grouping: dump-to-disk: false include-rules: false # very verbose include-mpm-stats: false

detect grouping: remove debug mem counters

1ba307d

detect-address: remove debug mem counters

8e2e91f

detect-port: remove debug mem counters

c341e97

detect-address: remove sgh pointer as it's unused

cdd9f9b

detect-port: improve comment about sgh pointer

fd838ea

detect: shrink IPOnlyCIDRItem with 8 bytes

67923b6

detect-flowvar: shrink mem structure by 8 bytes

e0ccdcf

mpm: remove unused max pattern len field

1e592c2

This was referenced Mar 31, 2016

detect grouping v190 #1962

Closed

detect grouping v201 #1978

Closed

inliniac closed this Apr 5, 2016

inliniac deleted the dev-detect-grouping-v200 branch April 12, 2016 09:46

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

detect grouping v200 #1972

detect grouping v200 #1972

inliniac commented Mar 31, 2016

inliniac commented Apr 5, 2016

detect grouping v200 #1972

detect grouping v200 #1972

Conversation

inliniac commented Mar 31, 2016

inliniac commented Apr 5, 2016