GH-554: don't init PIA endpoint matchers if there's only file-magic

The logic for initializing PIA endpoint matchers was previously skipped if "there's no global rule matcher", and that's only true when no signature files get loaded. But when using `zeek -b`, some file-magic signatures still get loaded by default, so the PIA endpoint matchers still get initialized even though they don't need to be -- file-magic patterns play no part in PIA. For typical use-cases (not using the `-b` flag), this change won't help any, but we do at least use `-b` often within the test suite.
2025-10-16 13:38:19 +00:00 · 2019-08-27 16:32:30 -07:00 · 2019-08-27 16:32:30 -07:00 · 316e8bb671
commit 316e8bb671
parent 8c9b3bd3ae
3 changed files with 26 additions and 0 deletions
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@ -205,6 +205,7 @@ RuleMatcher::RuleMatcher(int arg_RE_level)
 				new maskedvalue_list);
 	RE_level = arg_RE_level;
 	parse_error = false;
+	has_non_file_magic_rule = false;
 	}

 RuleMatcher::~RuleMatcher()
@ -285,6 +286,25 @@ void RuleMatcher::BuildRulesTree()
 		if ( ! rule->Active() )
 			continue;

+		const auto& pats = rule->patterns;
+
+		if ( ! has_non_file_magic_rule )
+			{
+			if ( pats.length() > 0 )
+				{
+				for ( const auto& p : pats )
+					{
+					if ( p->type != Rule::FILE_MAGIC )
+						{
+						has_non_file_magic_rule = true;
+						break;
+						}
+					}
+				}
+			else
+				has_non_file_magic_rule = true;
+			}
+
 		rule->SortHdrTests();
 		InsertRuleIntoTree(rule, 0, root, 0);
 		}
--- a/src/RuleMatcher.h
+++ b/src/RuleMatcher.h
@ -286,6 +286,8 @@ public:
 	void AddRule(Rule* rule);
 	void SetParseError()		{ parse_error = true; }

+	bool HasNonFileMagicRule() const	{ return has_non_file_magic_rule; }
+
 	// Interface to for getting some statistics
 	struct Stats {
 		unsigned int matchers;	// # distinct RE matchers
@ -356,6 +358,7 @@ private:
 	                                   const AcceptingMatchSet& ams);

 	int RE_level;
+	bool has_non_file_magic_rule;
 	bool parse_error;
 	RuleHdrTest* root;
 	rule_list rules;
--- a/src/analyzer/protocol/pia/PIA.cc
+++ b/src/analyzer/protocol/pia/PIA.cc
@ -130,6 +130,9 @@ void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol,
 	if ( ! rule_matcher )
 		return;

+	if ( ! rule_matcher->HasNonFileMagicRule() )
+		return;
+
 	if ( ! MatcherInitialized(is_orig) )
 		InitEndpointMatcher(AsAnalyzer(), ip, len, is_orig, this);