Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 10:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge remote-tracking branch 'origin/topic/jsiwek/gh-554-file-signature-optimizations'

Browse source 
* origin/topic/jsiwek/gh-554-file-signature-optimizations:
  GH-554: don't init PIA endpoint matchers if there's only file-magic
  GH-554: remove use of file magic in protocol-based signature logic
This commit is contained in:
Johanna Amann 2019-08-28 11:39:13 -07:00
commit 1dd0b2e292
3 changed files with 27 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

22
src/RuleMatcher.cc
View file

@ -205,6 +205,7 @@ RuleMatcher::RuleMatcher(int arg_RE_level)
new maskedvalue_list); new maskedvalue_list);
RE_level = arg_RE_level; RE_level = arg_RE_level;
parse_error = false; parse_error = false;
has_non_file_magic_rule = false;
} }
RuleMatcher::~RuleMatcher() RuleMatcher::~RuleMatcher()
@ -285,6 +286,25 @@ void RuleMatcher::BuildRulesTree()
if ( ! rule->Active() ) if ( ! rule->Active() )
continue; continue;
const auto& pats = rule->patterns;
if ( ! has_non_file_magic_rule )
{
if ( pats.length() > 0 )
{
for ( const auto& p : pats )
{
if ( p->type != Rule::FILE_MAGIC )
{
has_non_file_magic_rule = true;
break;
}
}
}
else
has_non_file_magic_rule = true;
}
rule->SortHdrTests(); rule->SortHdrTests();
InsertRuleIntoTree(rule, 0, root, 0); InsertRuleIntoTree(rule, 0, root, 0);
} }
@ -732,7 +752,7 @@ RuleEndpointState* RuleMatcher::InitEndpoint(analyzer::Analyzer* analyzer,
// pattern matching to do. // pattern matching to do.
if ( hdr_test->level <= RE_level ) if ( hdr_test->level <= RE_level )
{ {
for ( int i = 0; i < Rule::TYPES; ++i ) for ( int i = Rule::PAYLOAD; i < Rule::TYPES; ++i )
{ {
for ( const auto& set : hdr_test->psets[i] ) for ( const auto& set : hdr_test->psets[i] )
{ {

3
src/RuleMatcher.h
View file

@ -286,6 +286,8 @@ public:
void AddRule(Rule* rule); void AddRule(Rule* rule);
void SetParseError() { parse_error = true; } void SetParseError() { parse_error = true; }
bool HasNonFileMagicRule() const { return has_non_file_magic_rule; }
// Interface to for getting some statistics // Interface to for getting some statistics
struct Stats { struct Stats {
unsigned int matchers; // # distinct RE matchers unsigned int matchers; // # distinct RE matchers
@ -356,6 +358,7 @@ private:
const AcceptingMatchSet& ams); const AcceptingMatchSet& ams);
int RE_level; int RE_level;
bool has_non_file_magic_rule;
bool parse_error; bool parse_error;
RuleHdrTest* root; RuleHdrTest* root;
rule_list rules; rule_list rules;

3
src/analyzer/protocol/pia/PIA.cc
View file

@ -130,6 +130,9 @@ void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol,
if ( ! rule_matcher ) if ( ! rule_matcher )
return; return;
if ( ! rule_matcher->HasNonFileMagicRule() )
return;
if ( ! MatcherInitialized(is_orig) ) if ( ! MatcherInitialized(is_orig) )
InitEndpointMatcher(AsAnalyzer(), ip, len, is_orig, this); InitEndpointMatcher(AsAnalyzer(), ip, len, is_orig, this);