Detect cleanups/v4 #9974
Detect cleanups/v4 #9974
Conversation
Hitting the recursion limit should be rare.
Integrate with rest of content inspect code.
Use stack local var instead of DetectEngineThreadCtx member. Make sure the limit is a const so we can avoid rereading it.
Flatten else branches after terminating ifs.
Since recursive content matching goes through the buffer from left to right, it is possible to bail early when isdataat is part of the recursive checking. If `isdataat:50,relative` fails for offset 10, it will surely also fail for offset 20. So break inspection in such cases. The exception is for dynamic isdataat, where the value is determined by a prior byte_extract that may be updated during the recursion.
DetectEngineThreadCtx::replist is managed elsewhere.
Adjust includes to enable this.
Move reference count to top of DetectEngineThreadCtx, to move it to the same cache line as the other members that are checked first in Detect().
Move members used by DetectEngineContentInspection() to the same cache line.
Core logic of the tests moved to content inspection code in separate commit.
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #9974 +/- ##
==========================================
- Coverage 82.42% 82.41% -0.01%
==========================================
Files 970 970
Lines 271363 271245 -118
==========================================
- Hits 223667 223551 -116
+ Misses 47696 47694 -2
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: QA ran without warnings. Pipeline 16884 |
| @@ -28,7 +28,7 @@ | |||
| /** indication to content engine what type of data | |||
| * we're inspecting | |||
| */ | |||
| enum { | |||
| enum DetectContentInspectionType { | |||
There was a problem hiding this comment.
Any reason not to use typedef?
There was a problem hiding this comment.
These days I'm finding things that are more explicit easier to work with. Typedef hides important detail.
| bool DetectEngineContentInspectionBuffer(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, | ||
| const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const InspectionBuffer *b, | ||
| const enum DetectContentInspectionType inspection_mode) | ||
| { |
There was a problem hiding this comment.
Do I understand correctly that the difference between this and DetectEngineContentInspection is that this one uses specific types for buffer and inspection type? If so, I wonder if this difference, or an indication of preference of usage should be added to the function description or commit.
There was a problem hiding this comment.
I've update the commit msg. It's a convenience function that keeps the internals of InspectionBuffer hidden from the callers.
| if (unlikely(det_ctx->inspection_recursion_counter == de_ctx->inspection_recursion_limit)) { | ||
| ctx->recursion.count++; | ||
| if (unlikely(ctx->recursion.count == ctx->recursion.limit)) { |
There was a problem hiding this comment.
I saw that before calling DetectEngineContentInspectionInternal from DetectEngineContentInspection, ctx->recursion.limit was set. However, for other direct calls of DetectEngineContentInspectionInternal I didn't see that being defined. For those cases, is this being defined elsewhere that I missed?
There was a problem hiding this comment.
both DetectEngineContentInspectionBuffer and DetectEngineContentInspection set it
There was a problem hiding this comment.
the ctx is shared between consecutive recursive calls then, it's actually meant to count and limit that recursion
| endian |= (uint8_t)((flags & DETECT_CI_FLAGS_DCE_LE) ? LittleEndian : BigEndian); | ||
| endian = (uint8_t)((flags & DETECT_CI_FLAGS_DCE_LE) ? LittleEndian : BigEndian); |
There was a problem hiding this comment.
Is this connected to the rest of the changes here?
There was a problem hiding this comment.
it's a minor clarification. The resulting value is the same.
| UtRegisterTest("UriTestSig30", UriTestSig30); | ||
| UtRegisterTest("UriTestSig31", UriTestSig31); |
There was a problem hiding this comment.
Just to double check: is this the commit that added similar logic elsewhere? 32b4423
There was a problem hiding this comment.
heh, no, it's in a branch that is still WIP. I'll drop this commit from here.
Added some explanations |
|
replaced by #9986 |
#9949 rebased