Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-16 13:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

GH-554: don't init PIA endpoint matchers if there's only file-magic

Browse source 
The logic for initializing PIA endpoint matchers was previously
skipped if "there's no global rule matcher", and that's only true
when no signature files get loaded.

But when using `zeek -b`, some file-magic signatures still get loaded
by default, so the PIA endpoint matchers still get initialized even
though they don't need to be -- file-magic patterns play no part
in PIA.

For typical use-cases (not using the `-b` flag), this change won't
help any, but we do at least use `-b` often within the test suite.
This commit is contained in:
Jon Siwek 2019-08-27 16:32:30 -07:00
parent 8c9b3bd3ae
commit 316e8bb671
3 changed files with 26 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

20
src/RuleMatcher.cc
View file

@ -205,6 +205,7 @@ RuleMatcher::RuleMatcher(int arg_RE_level)
new maskedvalue_list);
RE_level = arg_RE_level;
parse_error = false;
has_non_file_magic_rule = false;
}
RuleMatcher::~RuleMatcher()
@ -285,6 +286,25 @@ void RuleMatcher::BuildRulesTree()
if ( ! rule->Active() )
continue;
const auto& pats = rule->patterns;
if ( ! has_non_file_magic_rule )
{
if ( pats.length() > 0 )
{
for ( const auto& p : pats )
{
if ( p->type != Rule::FILE_MAGIC )
{
has_non_file_magic_rule = true;
break;
}
}
}
else
has_non_file_magic_rule = true;
}
rule->SortHdrTests();
InsertRuleIntoTree(rule, 0, root, 0);
}