From 8c9b3bd3aebfe71fc6a7c4b1c3f5c45d9c3776e8 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Tue, 27 Aug 2019 16:16:39 -0700
Subject: [PATCH 1/2] GH-554: remove use of file magic in protocol-based signature logic

This can be a significant performance/memory improvement since otherwise the protocol-based rule matching logic ends up superfluously creating file-matching state per file-matcher per connection/endpoint.
---
 src/RuleMatcher.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc
index 88779f0050..340e6d5098 100644
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@@ -732,7 +732,7 @@ RuleEndpointState* RuleMatcher::InitEndpoint(analyzer::Analyzer* analyzer,
 // pattern matching to do.
 if ( hdr_test->level <= RE_level )
 {
- for ( int i = 0; i < Rule::TYPES; ++i )
+ for ( int i = Rule::PAYLOAD; i < Rule::TYPES; ++i )
 {
 for ( const auto& set : hdr_test->psets[i] )
 {

From 316e8bb671b546f26313f3b3bd54b089231fa4a3 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Tue, 27 Aug 2019 16:32:30 -0700
Subject: [PATCH 2/2] GH-554: don't init PIA endpoint matchers if there's only file-magic

The logic for initializing PIA endpoint matchers was previously skipped if "there's no global rule matcher", and that's only true when no signature files get loaded. But when using `zeek -b`, some file-magic signatures still get loaded by default, so the PIA endpoint matchers still get initialized even though they don't need to be -- file-magic patterns play no part in PIA. For typical use-cases (not using the `-b` flag), this change won't help any, but we do at least use `-b` often within the test suite.
---
 src/RuleMatcher.cc | 20 ++++++++++++++++++++
 src/RuleMatcher.h | 3 +++
 src/analyzer/protocol/pia/PIA.cc | 3 +++
 3 files changed, 26 insertions(+)

diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc
index 340e6d5098..7200ae2ad7 100644
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
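Review bot: The new loop start `for ( int i = Rule::PAYLOAD; i < Rule::TYPES; ++i )` silently depends on Rule::FILE_MAGIC being the only pattern type ordered before Rule::PAYLOAD in the enum, and nothing on the line records that; anyone who later inserts a type ahead of PAYLOAD would drop it from per-endpoint matching without a compile-time hint. A comment such as `// File-magic patterns play no part in protocol matching, so start at the first non-file-magic pattern type.` together with `static_assert(Rule::FILE_MAGIC < Rule::PAYLOAD, "FILE_MAGIC must be the only pattern type before PAYLOAD");` next to the loop would pin the assumption (the `int i` loop suggests the enumerators are plain integral values, but that is inferred). The BuildRulesTree hunk in the second patch relies on the same partition by testing `p->type != Rule::FILE_MAGIC`, so the two should be kept in step. InitEndpoint starts and ends outside this hunk.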
@@ -205,6 +205,7 @@ RuleMatcher::RuleMatcher(int arg_RE_level)
 new maskedvalue_list);
 RE_level = arg_RE_level;
 parse_error = false;
+ has_non_file_magic_rule = false;
 }

 RuleMatcher::~RuleMatcher()
@@ -285,6 +286,25 @@ void RuleMatcher::BuildRulesTree()
 if ( ! rule->Active() )
 continue;

+ const auto& pats = rule->patterns;
+
+ if ( ! has_non_file_magic_rule )
+ {
+ if ( pats.length() > 0 )
+ {
+ for ( const auto& p : pats )
+ {
+ if ( p->type != Rule::FILE_MAGIC )
+ {
+ has_non_file_magic_rule = true;
+ break;
+ }
+ }
+ }
+ else
+ has_non_file_magic_rule = true;
+ }
+
 rule->SortHdrTests();
 InsertRuleIntoTree(rule, 0, root, 0);
 }
diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h
index 89ae9313a3..601315d4bb 100644
--- a/src/RuleMatcher.h
+++ b/src/RuleMatcher.h
@@ -286,6 +286,8 @@ public:
 void AddRule(Rule* rule);
 void SetParseError() { parse_error = true; }

+ bool HasNonFileMagicRule() const { return has_non_file_magic_rule; }
+
 // Interface to for getting some statistics
 struct Stats {
 unsigned int matchers; // # distinct RE matchers
@@ -356,6 +358,7 @@ private:
 const AcceptingMatchSet& ams);

 int RE_level;
+ bool has_non_file_magic_rule;
 bool parse_error;
 RuleHdrTest* root;
 rule_list rules;
diff --git a/src/analyzer/protocol/pia/PIA.cc b/src/analyzer/protocol/pia/PIA.cc
index bf9f27be7c..7d5e5725d3 100644
--- a/src/analyzer/protocol/pia/PIA.cc
+++ b/src/analyzer/protocol/pia/PIA.cc
@@ -130,6 +130,9 @@ void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol,
 if ( ! rule_matcher )
 return;

+ if ( ! rule_matcher->HasNonFileMagicRule() )
+ return;
+
 if ( ! MatcherInitialized(is_orig) )
 InitEndpointMatcher(AsAnalyzer(), ip, len, is_orig, this);
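Review bot: In the BuildRulesTree hunk the `else has_non_file_magic_rule = true;` branch treats a rule with no patterns at all as a reason to keep the PIA endpoint matchers alive, and nothing says why, so a later reader may "fix" it as an oversight; a comment on that branch, `// A rule without patterns (presumably header tests only) is not a file-magic rule, so endpoint matching is still needed.`, would preserve the intent. The flag is only ever raised here and never cleared, so if BuildRulesTree() can run more than once on the same matcher a value computed for an earlier rule set would persist; that is harmless if rules are only ever added, but worth a one-line comment either way. As a point of style, the `pats.length() > 0` guard is redundant with the range-for over an empty list: `has_non_file_magic_rule = pats.length() == 0;` followed by the unguarded loop expresses the same decision in fewer nesting levels.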
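Review bot: `bool HasNonFileMagicRule() const` in the RuleMatcher.h public-section hunk is false from the constructor until BuildRulesTree() has computed it, and the declaration does not say so; since PIA::DoMatch() in this series returns early when it is false, a caller consulting it before the tree is built would skip protocol matching without any error. Suggest `// True once BuildRulesTree() has seen a rule that is not purely file-magic; false until then.` above the accessor. In the private-section hunk, `bool has_non_file_magic_rule = false;` as an in-class initializer would also keep a future constructor from forgetting the assignment, although the file's existing members (RE_level, parse_error) are assigned in the constructor, so either is defensible.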