Optimization #4378: file.data: split mpm per app_proto - Suricata - Open Information Security Foundation

Actions

Copy link

Optimization #4378

closed

VJ VJ

Task #4143: tracking: file.data improvements

file.data: split mpm per app_proto

Optimization #4378: file.data: split mpm per app_proto

Added by Victor Julien about 5 years ago. Updated about 3 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

7.0.0-rc2

Effort:

Difficulty:

Label:

Description

Suricata considers all file.data rule uses to use the same higher level buffer type, independent of the protocol the rules apply to. In practice a file.data can apply to either a specific protocol like smb or http, or it applies to all protocols that support file.data.

Looking at existing rulesets we see very many HTTP file.data rules and relatively few for other protocols. Due to how the mpm/fast_pattern handles file.data as a single buffer, this means that the scanning for file.data patterns in SMB will include the patterns for HTTP. This is obviously inefficient, as this means Suricata is doing expensive work that can never lead to a rule match.

Related issues 1 (1 open — 0 closed)

VJ Updated by Victor Julien over 3 years ago Actions
Copy link
#1

Target version changed from 7.0.0-beta1 to 8.0.0-beta1

VJ Updated by Victor Julien about 3 years ago Actions
Copy link
#2

Status changed from Assigned to In Progress
Target version changed from 8.0.0-beta1 to 7.0.0-rc2

VJ Updated by Victor Julien about 3 years ago Actions
Copy link
#3

Related to Task #5682: tracking: smb performance issues added

VJ Updated by Victor Julien about 3 years ago Actions
Copy link
#4

Status changed from In Progress to Closed

https://github.com/OISF/suricata/pull/8625

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Suricata

Custom queries