diff --git a/src/detect-engine-build.c b/src/detect-engine-build.c index 604164b21c15..0c07150e696e 100644 --- a/src/detect-engine-build.c +++ b/src/detect-engine-build.c @@ -960,7 +960,6 @@ static int RulesGroupByProto(DetectEngineCtx *de_ctx) { Signature *s = de_ctx->sig_list; - uint32_t max_idx = 0; SigGroupHead *sgh_ts[256] = {NULL}; SigGroupHead *sgh_tc[256] = {NULL}; @@ -979,15 +978,12 @@ static int RulesGroupByProto(DetectEngineCtx *de_ctx) if (s->flags & SIG_FLAG_TOCLIENT) { SigGroupHeadAppendSig(de_ctx, &sgh_tc[p], s); - max_idx = s->num; } if (s->flags & SIG_FLAG_TOSERVER) { SigGroupHeadAppendSig(de_ctx, &sgh_ts[p], s); - max_idx = s->num; } } } - SCLogDebug("max_idx %u", max_idx); /* lets look at deduplicating this list */ SigGroupHeadHashFree(de_ctx); @@ -1009,8 +1005,8 @@ static int RulesGroupByProto(DetectEngineCtx *de_ctx) if (lookup_sgh == NULL) { SCLogDebug("proto group %d sgh %p is the original", p, sgh_ts[p]); - SigGroupHeadSetSigCnt(sgh_ts[p], max_idx); - SigGroupHeadBuildMatchArray(de_ctx, sgh_ts[p], max_idx); + SigGroupHeadSetSigCnt(sgh_ts[p], 0); + SigGroupHeadBuildMatchArray(de_ctx, sgh_ts[p], 0); SigGroupHeadHashAdd(de_ctx, sgh_ts[p]); SigGroupHeadStore(de_ctx, sgh_ts[p]); @@ -1041,8 +1037,8 @@ static int RulesGroupByProto(DetectEngineCtx *de_ctx) if (lookup_sgh == NULL) { SCLogDebug("proto group %d sgh %p is the original", p, sgh_tc[p]); - SigGroupHeadSetSigCnt(sgh_tc[p], max_idx); - SigGroupHeadBuildMatchArray(de_ctx, sgh_tc[p], max_idx); + SigGroupHeadSetSigCnt(sgh_tc[p], 0); + SigGroupHeadBuildMatchArray(de_ctx, sgh_tc[p], 0); SigGroupHeadHashAdd(de_ctx, sgh_tc[p]); SigGroupHeadStore(de_ctx, sgh_tc[p]); @@ -1129,7 +1125,8 @@ static int RuleSetWhitelist(Signature *s) return wl; } -int CreateGroupedPortList(DetectEngineCtx *de_ctx, DetectPort *port_list, DetectPort **newhead, uint32_t unique_groups, int (*CompareFunc)(DetectPort *, DetectPort *), uint32_t max_idx); +int CreateGroupedPortList(DetectEngineCtx *de_ctx, DetectPort *port_list, DetectPort **newhead, + uint32_t unique_groups, int (*CompareFunc)(DetectPort *, DetectPort *)); int CreateGroupedPortListCmpCnt(DetectPort *a, DetectPort *b); static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, uint8_t ipproto, uint32_t direction) @@ -1139,7 +1136,6 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, uint8_t ipproto, u * that belong to the SGH. */ DetectPortHashInit(de_ctx); - uint32_t max_idx = 0; const Signature *s = de_ctx->sig_list; DetectPort *list = NULL; while (s) { @@ -1198,7 +1194,6 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, uint8_t ipproto, u p = p->next; } - max_idx = s->num; next: s = s->next; } @@ -1223,7 +1218,7 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, uint8_t ipproto, u DetectPort *newlist = NULL; uint16_t groupmax = (direction == SIG_FLAG_TOCLIENT) ? de_ctx->max_uniq_toclient_groups : de_ctx->max_uniq_toserver_groups; - CreateGroupedPortList(de_ctx, list, &newlist, groupmax, CreateGroupedPortListCmpCnt, max_idx); + CreateGroupedPortList(de_ctx, list, &newlist, groupmax, CreateGroupedPortListCmpCnt); list = newlist; /* step 4: deduplicate the SGH's */ @@ -1243,8 +1238,8 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, uint8_t ipproto, u if (lookup_sgh == NULL) { SCLogDebug("port group %p sgh %p is the original", iter, iter->sh); - SigGroupHeadSetSigCnt(iter->sh, max_idx); - SigGroupHeadBuildMatchArray(de_ctx, iter->sh, max_idx); + SigGroupHeadSetSigCnt(iter->sh, 0); + SigGroupHeadBuildMatchArray(de_ctx, iter->sh, 0); SigGroupHeadSetProtoAndDirection(iter->sh, ipproto, direction); SigGroupHeadHashAdd(de_ctx, iter->sh); SigGroupHeadStore(de_ctx, iter->sh); @@ -1541,7 +1536,8 @@ int CreateGroupedPortListCmpCnt(DetectPort *a, DetectPort *b) * The joingr is meant to be a catch all. * */ -int CreateGroupedPortList(DetectEngineCtx *de_ctx, DetectPort *port_list, DetectPort **newhead, uint32_t unique_groups, int (*CompareFunc)(DetectPort *, DetectPort *), uint32_t max_idx) +int CreateGroupedPortList(DetectEngineCtx *de_ctx, DetectPort *port_list, DetectPort **newhead, + uint32_t unique_groups, int (*CompareFunc)(DetectPort *, DetectPort *)) { DetectPort *tmplist = NULL, *joingr = NULL; char insert = 0; @@ -1560,8 +1556,7 @@ int CreateGroupedPortList(DetectEngineCtx *de_ctx, DetectPort *port_list, Detect list->next = NULL; groups++; - - SigGroupHeadSetSigCnt(list->sh, max_idx); + SigGroupHeadSetSigCnt(list->sh, 0); /* insert it */ DetectPort *tmpgr = tmplist, *prevtmpgr = NULL; diff --git a/src/detect-engine-siggroup.c b/src/detect-engine-siggroup.c index 4fadaac5c013..9bc992cb894a 100644 --- a/src/detect-engine-siggroup.c +++ b/src/detect-engine-siggroup.c @@ -347,7 +347,7 @@ int SigGroupHeadAppendSig(const DetectEngineCtx *de_ctx, SigGroupHead **sgh, /* enable the sig in the bitarray */ (*sgh)->init->sig_array[s->num / 8] |= 1 << (s->num % 8); - + (*sgh)->init->max_sig_id = MAX(s->num, (*sgh)->init->max_sig_id); return 0; error: @@ -405,6 +405,8 @@ int SigGroupHeadCopySigs(DetectEngineCtx *de_ctx, SigGroupHead *src, SigGroupHea if (src->init->score) (*dst)->init->score = MAX((*dst)->init->score, src->init->score); + if (src->init->max_sig_id) + (*dst)->init->max_sig_id = MAX((*dst)->init->max_sig_id, src->init->max_sig_id); return 0; error: @@ -422,9 +424,9 @@ int SigGroupHeadCopySigs(DetectEngineCtx *de_ctx, SigGroupHead *src, SigGroupHea void SigGroupHeadSetSigCnt(SigGroupHead *sgh, uint32_t max_idx) { uint32_t sig; - + sgh->init->max_sig_id = MAX(max_idx, sgh->init->max_sig_id); sgh->init->sig_cnt = 0; - for (sig = 0; sig < max_idx + 1; sig++) { + for (sig = 0; sig < sgh->init->max_sig_id + 1; sig++) { if (sgh->init->sig_array[sig / 8] & (1 << (sig % 8))) sgh->init->sig_cnt++; } @@ -492,12 +494,13 @@ int SigGroupHeadBuildMatchArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh, return 0; BUG_ON(sgh->init->match_array != NULL); + sgh->init->max_sig_id = MAX(sgh->init->max_sig_id, max_idx); sgh->init->match_array = SCCalloc(sgh->init->sig_cnt, sizeof(Signature *)); if (sgh->init->match_array == NULL) return -1; - for (sig = 0; sig < max_idx + 1; sig++) { + for (sig = 0; sig < sgh->init->max_sig_id + 1; sig++) { if (!(sgh->init->sig_array[(sig / 8)] & (1 << (sig % 8))) ) continue; diff --git a/src/detect.h b/src/detect.h index 0fc5d21fb1d8..0707d8a5b211 100644 --- a/src/detect.h +++ b/src/detect.h @@ -1419,6 +1419,7 @@ typedef struct SigGroupHeadInitData_ { uint8_t protos[256]; /**< proto(s) this sgh is for */ uint32_t direction; /**< set to SIG_FLAG_TOSERVER, SIG_FLAG_TOCLIENT or both */ int score; /**< try to make this group a unique one */ + uint32_t max_sig_id; /**< max signature idx for this sgh */ MpmCtx **app_mpms; MpmCtx **pkt_mpms; @@ -1434,9 +1435,6 @@ typedef struct SigGroupHeadInitData_ { /** Array with sig ptrs... size is sig_cnt * sizeof(Signature *) */ Signature **match_array; - - /* port ptr */ - struct DetectPort_ *port; } SigGroupHeadInitData; /** \brief Container for matching data for a signature group */