suricata
Data Structures | Macros | Typedefs | Functions
util-mpm-ac-bs.c File Reference
#include "suricata-common.h"
#include "suricata.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-build.h"
#include "util-mpm-ac-bs.h"
#include "conf.h"
#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-memcmp.h"
#include "util-memcpy.h"
#include "util-validate.h"
#include "detect-engine-alert.h"
Include dependency graph for util-mpm-ac-bs.c:

Go to the source code of this file.

Data Structures

struct  StateQueue_
 Helper structure used by AC during state table creation. More...
 

Macros

#define SC_AC_BS_FAIL   (-1)
 
#define STATE_QUEUE_CONTAINER_SIZE   65536
 

Typedefs

typedef struct StateQueue_ StateQueue
 Helper structure used by AC during state table creation. More...
 

Functions

void SCACBSInitCtx (MpmCtx *mpm_ctx)
 Initialize the AC context. More...
 
void SCACBSInitThreadCtx (MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx)
 Init the mpm thread context. More...
 
void SCACBSDestroyCtx (MpmCtx *mpm_ctx)
 Destroy the mpm context. More...
 
void SCACBSDestroyThreadCtx (MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx)
 Destroy the mpm thread context. More...
 
int SCACBSAddPatternCI (MpmCtx *mpm_ctx, uint8_t *pat, uint16_t patlen, uint16_t offset, uint16_t depth, uint32_t pid, SigIntId sid, uint8_t flags)
 Add a case insensitive pattern. Although we have different calls for adding case sensitive and insensitive patterns, we make a single call for either case. No special treatment for either case. More...
 
int SCACBSAddPatternCS (MpmCtx *mpm_ctx, uint8_t *pat, uint16_t patlen, uint16_t offset, uint16_t depth, uint32_t pid, SigIntId sid, uint8_t flags)
 Add a case sensitive pattern. Although we have different calls for adding case sensitive and insensitive patterns, we make a single call for either case. No special treatment for either case. More...
 
int SCACBSPreparePatterns (MpmCtx *mpm_ctx)
 Process the patterns added to the mpm, and create the internal tables. More...
 
uint32_t SCACBSSearch (const MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, PrefilterRuleStore *pmq, const uint8_t *buf, uint32_t buflen)
 The aho corasick search function. More...
 
void SCACBSPrintInfo (MpmCtx *mpm_ctx)
 
void SCACBSPrintSearchStats (MpmThreadCtx *mpm_thread_ctx)
 
void SCACBSRegisterTests (void)
 
void MpmACBSRegister (void)
 Register the aho-corasick mpm. More...
 

Detailed Description

Author
Anoop Saldanha anoop.nosp@m.sald.nosp@m.anha@.nosp@m.gmai.nosp@m.l.com 
    First iteration of aho-corasick MPM from -

    Efficient String Matching: An Aid to Bibliographic Search
    Alfred V. Aho and Margaret J. Corasick

    - Uses the delta table for calculating transitions, instead of having
      separate goto and failure transitions.
    - If we cross 2 ** 16 states, we use 4 bytes in the transition table
      to hold each state, otherwise we use 2 bytes.
    - This version of the MPM is heavy on memory, but it performs well.
      If you can fit the ruleset with this mpm on your box without hitting
      swap, this is the MPM to go for.
Todo:
  • Do a proper analysis of our existing MPMs and suggest a good one based on the pattern distribution and the expected traffic(say http).
    • Tried out loop unrolling without any perf increase. Need to dig deeper.
    • Irrespective of whether we cross 2 ** 16 states or not,shift to using uint32_t for state type, so that we can integrate it's status as a final state or not in the topmost byte. We are already doing it if state_count is > 2 ** 16.
    • Test case-sensitive patterns if they have any ascii chars. If they don't treat them as nocase.
    • Carry out other optimizations we are working on. hashes, compression.

Definition in file util-mpm-ac-bs.c.

Macro Definition Documentation

◆ SC_AC_BS_FAIL

#define SC_AC_BS_FAIL   (-1)

Definition at line 82 of file util-mpm-ac-bs.c.

◆ STATE_QUEUE_CONTAINER_SIZE

#define STATE_QUEUE_CONTAINER_SIZE   65536

Definition at line 84 of file util-mpm-ac-bs.c.

Typedef Documentation

◆ StateQueue

typedef struct StateQueue_ StateQueue

Helper structure used by AC during state table creation.

Function Documentation

◆ MpmACBSRegister()

void MpmACBSRegister ( void  )

Register the aho-corasick mpm.

Definition at line 97 of file util-mpm-ac-bs.c.

References MpmTableElmt_::AddPattern, MpmTableElmt_::AddPatternNocase, MpmTableElmt_::DestroyCtx, MpmTableElmt_::DestroyThreadCtx, MpmTableElmt_::InitCtx, MpmTableElmt_::InitThreadCtx, MPM_AC_BS, mpm_table, MpmTableElmt_::name, MpmTableElmt_::Prepare, MpmTableElmt_::PrintCtx, MpmTableElmt_::PrintThreadCtx, MpmTableElmt_::RegisterUnittests, SCACBSAddPatternCI(), SCACBSAddPatternCS(), SCACBSDestroyCtx(), SCACBSDestroyThreadCtx(), SCACBSInitCtx(), SCACBSInitThreadCtx(), SCACBSPreparePatterns(), SCACBSPrintInfo(), SCACBSPrintSearchStats(), SCACBSRegisterTests(), SCACBSSearch(), and MpmTableElmt_::Search.

Referenced by MpmTableSetup().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SCACBSAddPatternCI()

int SCACBSAddPatternCI ( MpmCtx mpm_ctx,
uint8_t *  pat,
uint16_t  patlen,
uint16_t  offset,
uint16_t  depth,
uint32_t  pid,
SigIntId  sid,
uint8_t  flags 
)

Add a case insensitive pattern. Although we have different calls for adding case sensitive and insensitive patterns, we make a single call for either case. No special treatment for either case.

Parameters
mpm_ctxPointer to the mpm context.
patThe pattern to add.
patnenThe pattern length.
offsetIgnored.
depthIgnored.
pidThe pattern id.
sidIgnored.
flagsFlags associated with this pattern.
Return values
0On success.
-1On failure.

Definition at line 1327 of file util-mpm-ac-bs.c.

References flags, MPM_PATTERN_FLAG_NOCASE, MpmAddPattern(), and offset.

Referenced by MpmACBSRegister().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SCACBSAddPatternCS()

int SCACBSAddPatternCS ( MpmCtx mpm_ctx,
uint8_t *  pat,
uint16_t  patlen,
uint16_t  offset,
uint16_t  depth,
uint32_t  pid,
SigIntId  sid,
uint8_t  flags 
)

Add a case sensitive pattern. Although we have different calls for adding case sensitive and insensitive patterns, we make a single call for either case. No special treatment for either case.

Parameters
mpm_ctxPointer to the mpm context.
patThe pattern to add.
patnenThe pattern length.
offsetIgnored.
depthIgnored.
pidThe pattern id.
sidIgnored.
flagsFlags associated with this pattern.
Return values
0On success.
-1On failure.

Definition at line 1352 of file util-mpm-ac-bs.c.

References flags, MpmAddPattern(), and offset.

Referenced by MpmACBSRegister().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SCACBSDestroyCtx()

void SCACBSDestroyCtx ( MpmCtx mpm_ctx)

Destroy the mpm context.

Parameters
mpm_ctxPointer to the mpm context.

Definition at line 1031 of file util-mpm-ac-bs.c.

References SCACBSPatternList_::cs, MpmCtx_::ctx, MpmCtx_::init_hash, MpmCtx_::max_pat_id, MpmCtx_::memory_cnt, MpmCtx_::memory_size, MPM_INIT_HASH_SIZE, MpmFreePattern(), SCACBSCtx_::output_table, SCACBSCtx_::parray, MpmCtx_::pattern_cnt, SCACBSCtx_::pid_pat_list, SCACBSOutputTable_::pids, SC_AC_BS_STATE_TYPE_U16, SC_AC_BS_STATE_TYPE_U32, SCFree, SCACBSPatternList_::sids, SCACBSCtx_::state_count, SCACBSCtx_::state_table_mod, SCACBSCtx_::state_table_mod_pointers, SCACBSCtx_::state_table_u16, and SCACBSCtx_::state_table_u32.

Referenced by MpmACBSRegister().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SCACBSDestroyThreadCtx()

void SCACBSDestroyThreadCtx ( MpmCtx mpm_ctx,
MpmThreadCtx mpm_thread_ctx 
)

Destroy the mpm thread context.

Parameters
mpm_ctxPointer to the mpm context.
mpm_thread_ctxPointer to the mpm thread context.

Definition at line 1012 of file util-mpm-ac-bs.c.

References MpmThreadCtx_::ctx, MpmThreadCtx_::memory_cnt, MpmThreadCtx_::memory_size, SCACBSPrintSearchStats(), and SCFree.

Referenced by MpmACBSRegister().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SCACBSInitCtx()

void SCACBSInitCtx ( MpmCtx mpm_ctx)

Initialize the AC context.

Parameters
mpm_ctxMpm context.

Definition at line 978 of file util-mpm-ac-bs.c.

References MpmCtx_::ctx, MpmCtx_::init_hash, MpmCtx_::memory_cnt, MpmCtx_::memory_size, MPM_INIT_HASH_SIZE, and SCMalloc.

Referenced by MpmACBSRegister().

Here is the caller graph for this function:

◆ SCACBSInitThreadCtx()

void SCACBSInitThreadCtx ( MpmCtx mpm_ctx,
MpmThreadCtx mpm_thread_ctx 
)

Init the mpm thread context.

Parameters
mpm_ctxPointer to the mpm context.
mpm_thread_ctxPointer to the mpm thread context.
matchsizeWe don't need this.

Definition at line 958 of file util-mpm-ac-bs.c.

References MpmThreadCtx_::ctx, MpmThreadCtx_::memory_cnt, MpmThreadCtx_::memory_size, and SCMalloc.

Referenced by MpmACBSRegister().

Here is the caller graph for this function:

◆ SCACBSPreparePatterns()

int SCACBSPreparePatterns ( MpmCtx mpm_ctx)

Process the patterns added to the mpm, and create the internal tables.

Parameters
mpm_ctxPointer to the mpm context.

Definition at line 869 of file util-mpm-ac-bs.c.

References SCACBSPatternList_::cs, MpmCtx_::ctx, FatalError, MpmPattern_::flags, MpmPattern_::id, MpmCtx_::init_hash, MpmPattern_::len, MpmCtx_::max_pat_id, MpmCtx_::memory_cnt, MpmCtx_::memory_size, MPM_INIT_HASH_SIZE, MPM_PATTERN_FLAG_NOCASE, MpmPattern_::next, MpmPattern_::original_pat, SCACBSCtx_::parray, SCACBSPatternList_::patlen, MpmCtx_::pattern_cnt, SCACBSCtx_::pid_pat_list, SCFree, SCLogDebug, SCMalloc, SCACBSPatternList_::sids, MpmPattern_::sids, SCACBSPatternList_::sids_size, MpmPattern_::sids_size, and SCACBSCtx_::single_state_size.

Referenced by MpmACBSRegister().

Here is the caller graph for this function:

◆ SCACBSPrintInfo()

void SCACBSPrintInfo ( MpmCtx mpm_ctx)

Definition at line 1372 of file util-mpm-ac-bs.c.

References MpmCtx_::ctx, MpmCtx_::maxlen, MpmCtx_::memory_cnt, MpmCtx_::memory_size, MpmCtx_::minlen, MpmCtx_::pattern_cnt, and SCACBSCtx_::state_count.

Referenced by MpmACBSRegister().

Here is the caller graph for this function:

◆ SCACBSPrintSearchStats()

void SCACBSPrintSearchStats ( MpmThreadCtx mpm_thread_ctx)

Definition at line 1359 of file util-mpm-ac-bs.c.

References MpmThreadCtx_::ctx, SCACBSThreadCtx_::total_calls, and SCACBSThreadCtx_::total_matches.

Referenced by MpmACBSRegister(), and SCACBSDestroyThreadCtx().

Here is the caller graph for this function:

◆ SCACBSRegisterTests()

void SCACBSRegisterTests ( void  )

Definition at line 2468 of file util-mpm-ac-bs.c.

References UtRegisterTest().

Referenced by MpmACBSRegister().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SCACBSSearch()

uint32_t SCACBSSearch ( const MpmCtx mpm_ctx,
MpmThreadCtx mpm_thread_ctx,
PrefilterRuleStore pmq,
const uint8_t *  buf,
uint32_t  buflen 
)

The aho corasick search function.

Parameters
mpm_ctxPointer to the mpm context.
mpm_thread_ctxPointer to the mpm thread context.
pmqPointer to the Pattern Matcher Queue to hold search matches.
bufBuffer to be searched.
buflenBuffer length.
Return values
matchesMatch count.

Definition at line 1124 of file util-mpm-ac-bs.c.

References MpmCtx_::ctx, SCACBSOutputTable_::no_of_entries, SCACBSCtx_::output_table, SCACBSCtx_::pattern_id_bitarray_size, SCACBSCtx_::pid_pat_list, SCACBSOutputTable_::pids, SC_AC_BS_STATE_TYPE_U16, SCMemcmp, SCACBSCtx_::state_count, SCACBSCtx_::state_table_mod_pointers, and u8_tolower.

Referenced by MpmACBSRegister().

Here is the caller graph for this function: