Merge remote-tracking branch 'origin/topic/jsiwek/flowbuffer-policy'

* origin/topic/jsiwek/flowbuffer-policy:
  Use a default binpac flowbuffer policy

Added options to tune binpac flowbuffer policy

CHANGES

@@ -1,4 +1,8 @@
 
+2.6-210 | 2019-04-10 09:54:27 -0700
+
+  * Add options to tune BinPAC flowbuffer policy (Jon Siwek, Corelight)
+
 2.6-208 | 2019-04-10 11:36:17 +0000
 
   * Improve PE file analysis (Jon Siwek, Corelight)

VERSION

@@ -1 +1 @@
-2.6-208
+2.6-210

aux/binpac

@@ -1 +1 @@
-Subproject commit bb2476465e304a00c368bd73d40cc6f734be5311
+Subproject commit 2c8d31a439a3712af3a7a0342a955a78784521a5

doc

@@ -1 +1 @@
-Subproject commit 6b81dd79ebef6372da961177852e4ea5c65dd5fa
+Subproject commit 97af751958172622862bf0da694d6386967d5d24

scripts/base/init-bare.bro

@@ -5051,6 +5051,26 @@ export {
 	option sampling_duration = 10min;
 }
 
+module BinPAC;
+export {
+	## Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to
+	## grow to for use with incremental parsing of a given connection/analyzer.
+	const flowbuffer_capacity_max = 10 * 1024 * 1024 &redef;
+
+	## The initial capacity, in bytes, that will be allocated to the BinPAC
+	## flowbuffer of a given connection/analyzer.  If the buffer buffer is
+	## later contracted, its capacity is also reduced to this size.
+	const flowbuffer_capacity_min = 512 &redef;
+
+	## The threshold, in bytes, at which the BinPAC flowbuffer of a given
+	## connection/analyzer will have its capacity contracted to
+	## :bro:see:`BinPAC::flowbuffer_capacity_min` after parsing a full unit.
+	## I.e. this is the maximum capacity to reserve in between the parsing of
+	## units.  If, after parsing a unit, the flowbuffer capacity is greater
+	## than this value, it will be contracted.
+	const flowbuffer_contract_threshold = 2 * 1024 * 1024 &redef;
+}
+
 module GLOBAL;
 
 ## Seed for hashes computed internally for probabilistic data structures. Using

src/main.cc

@@ -891,10 +891,6 @@ int main(int argc, char** argv)
 	if ( events_file )
 		event_player = new EventPlayer(events_file);
 
-	// Must come after plugin activation (and also after hash
-	// initialization).
-	binpac::init();
-
 	init_event_handlers();
 
 	md5_type = new OpaqueType("md5");
@@ -945,6 +941,17 @@ int main(int argc, char** argv)
 	init_net_var();
 	init_builtin_funcs_subdirs();
 
+	// Must come after plugin activation (and also after hash
+	// initialization).
+	binpac::FlowBuffer::Policy flowbuffer_policy;
+	flowbuffer_policy.max_capacity = global_scope()->Lookup(
+		"BinPAC::flowbuffer_capacity_max")->ID_Val()->AsCount();
+	flowbuffer_policy.min_capacity = global_scope()->Lookup(
+		"BinPAC::flowbuffer_capacity_min")->ID_Val()->AsCount();
+	flowbuffer_policy.contract_threshold = global_scope()->Lookup(
+		"BinPAC::flowbuffer_contract_threshold")->ID_Val()->AsCount();
+	binpac::init(&flowbuffer_policy);
+
 	plugin_mgr->InitBifs();
 
 	if ( reporter->Errors() > 0 )