Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature/stream state mpm/v29 #2680

Closed
wants to merge 6 commits into from
Closed

Feature/stream state mpm/v29 #2680

wants to merge 6 commits into from

Conversation

inliniac
Copy link
Contributor

@inliniac inliniac commented May 1, 2017

Fix various issues with recursive content inspection leading to very bad performance on certain rules.

Related to ticket: https://redmine.openinfosecfoundation.org/issues/2101

Prscript:

@victorjulien
detect: use BIT_U32 macro for content flags
6d2c54d
@victorjulien
detect: avoid needless recursive scanning
47afc57 
Don't recursively inspect a detect list if the recursion
doesn't increase chance of success.
@victorjulien
detect: content-inspection tests
b1ed3b0 
Add tests for the content inspection engine that count the number
of steps it takes to eval a rule.
@victorjulien
detect: don't rescan when just distance is used
f24c665 
Content inspection optimization: when just distance is used without
within we don't need to search recursively.

E.g. content:"a"; content:"b"; distance:1; will scan the buffer for
'a' and when it finds 'a' it will scan the remainder for 'b'. Until
now, the failure to find 'b' would lead to looking for the next 'a'
and then for 'b' after that. However, we already inspected the
entire buffer for 'b', so we know this will fail.
@victorjulien
detect: more content inspection tests
4eb610d
@victorjulien
detect: enforce isdataat:!1,relative earlier
61b0eb4 
The expression 'isdataat:!1,relative' is used to make sure a match
is at the end of a buffer quite often. This patch optimizes this case
for 'content' followed by the expression. It enforces it by setting
and 'ends with' flag on the content and then taking that flag into
account while doing the pattern match.
@inliniac inliniac mentioned this pull request May 1, 2017
Merged
@inliniac
Copy link
Contributor Author

inliniac commented May 1, 2017

Merged through #2681

@inliniac inliniac closed this May 1, 2017
@inliniac inliniac deleted the feature/stream-state-mpm/v29 branch May 13, 2017 08:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
2 participants
@inliniac @victorjulien