Detect cleanups/v6 #9986

Closed
wants to merge 18 commits into from

Commits on Dec 6, 2023

  1. e19f162
  2. 5ed3d74
  3. 0ebfcd3
  4. detect/content-inspect: assist branch prediction

    Hitting the recursion limit should be rare.
    victorjulien committed Dec 6, 2023
    4d43fe7
  5. 159ec36
  6. detect/content-inspect: add entry for InspectionBuffer

    This is a convenience addition to abstract away the internals of
    the InspectionBuffer in keyword specific detection code.
    victorjulien committed Dec 6, 2023
    e9ec240
  7. b2e782b
  8. 521f04a
  9. detect/base64: move content inspection logic

    Integrate with rest of content inspect code.
    victorjulien committed Dec 6, 2023
    aee5aa3
  10. 94fd401
  11. detect/content-inspect: localize recursion counting

    Use stack local var instead of DetectEngineThreadCtx member. Instead
    set up a stack local struct that both counts and holds the limit. Make sure
    the limit is a const so we can avoid rereading it.
    
    This is part of an effort to reduce the size of the DetectEngineThreadCtx
    structure and reduce the number of memory writes to it. Additionally, it
    is part of an effort to reduce the number of places where detection
    tracks various forms of state.
    victorjulien committed Dec 6, 2023
    895338c
  12. detect/content-inspect: flatten branches

    Flatten else branches after terminating ifs.
    victorjulien committed Dec 6, 2023
    d481537
  13. detect/isdataat: optimize recursion mismatches

    Since recursive content matching goes through the buffer from left to
    right, it is possible to bail early when isdataat is part of the
    recursive checking. If `isdataat:50,relative` fails for offset 10, it
    will surely also fail for offset 20. So break inspection in such cases.
    
    The exception is for dynamic isdataat, where the value is determined
    by a prior byte_extract that may be updated during the recursion.
    victorjulien committed Dec 6, 2023
    ff5f17f
  14. detect/payload: remove unneeded pointer reset

    DetectEngineThreadCtx::replist is managed elsewhere.
    victorjulien committed Dec 6, 2023
    1ee360d
  15. detect/bytemath: pass match ctx directly

    Adjust includes to enable this.
    victorjulien committed Dec 6, 2023
    8cbf4fa
  16. detect: optimize struct layout

    Move reference count to top of DetectEngineThreadCtx, to move it to the
    same cache line as the other members that are checked first in Detect().
    victorjulien committed Dec 6, 2023
    461b84c
  17. detect/content-inspect: optimize struct layout

    Move members used by DetectEngineContentInspection() to the same cache line.
    victorjulien committed Dec 6, 2023
    36100bc
  18. 50e5666