Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feat/flowbit prefilter/v25 #12380

Draft
wants to merge 4 commits into
base: master
Choose a base branch
from
Draft

Feat/flowbit prefilter/v25 #12380

wants to merge 4 commits into from
+1,149 −383

Conversation

victorjulien
Copy link
Member

SV_BRANCH=OISF/suricata-verify#2231

https://redmine.openinfosecfoundation.org/issues/2486

Address part of issues in #12132, will review more here.

@victorjulien
flowbits: unset returns state of the bit
bb56209
@victorjulien
flowbits: allow setter to know if set is new
f24d51f
@victorjulien
detect: set mpm/prefilter during signature parsing
a811e19 
In preparation of flowbit prefilter work that needs this info
earlier.

Track potential prefilter sm's to avoid unnecessary looping during
setup.
@codecov Codecov
Copy link

codecov bot commented Jan 13, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 87.98343% with 87 lines in your changes missing coverage. Please review.

Project coverage is 82.49%. Comparing base (05853fb) to head (eec47ef).

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #12380      +/-   ##
==========================================
+ Coverage   82.46%   82.49%   +0.03%     
==========================================
  Files         914      914              
  Lines      258316   258749     +433     
==========================================
+ Hits       213030   213466     +436     
+ Misses      45286    45283       -3
Flag Coverage Δ
fuzzcorpus 60.20% <22.50%> (-0.18%) ⬇️
livemode 19.35% <4.01%> (-0.05%) ⬇️
pcap 44.23% <17.68%> (-0.11%) ⬇️
suricata-verify 63.36% <85.21%> (+0.09%) ⬆️
unittests 57.96% <29.42%> (-0.10%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

victorjulien
victorjulien commented Jan 13, 2025
View reviewed changes
src/detect-engine.c Outdated Show resolved Hide resolved
@victorjulien
detect/flowbits: implement prefilter support
eec47ef 
Allow for more efficient rules that 'prefilter' on flowbits with 'isset' logic.

This prefilter is enabled by default, which means that if no mpm is present or
no explicit prefilter is used, the flowbits prefilter will be set up for a rule.

flowbits 'isset' prefilter

For rules that have a 'flowbits:isset,<bit>' statement, a "regular" prefilter
facility is created. It means that the rules are removed from the normal
match list(s) and added to a prefilter engine that runs prior to the individual
rule inspection stage.

Implementation: the prefilter is implemented as an RB_TREE of flowbits, with the
rule id's they "enable" stored per tree node. The matching logic is walking the
list of bits set in the flow and looking each of them up in the RB_TREE, adding
the rule ids of each of the matching bits to the list of rule candidates.

The 'isset' prefilter has one important corner case, which is that bits can in
fact be set during the rule evaluation stage. This is different from all other
prefilter engines, that evaluate an immutable state (for the lifetime of the
packets inspection).

flowbits 'set' post-match prefilter

For flowbits 'set' action, special post-match 'prefilter' facilities deal with
this corner case. The high level logic is that these track which 'isset' sigs
depend on them, and add these dependencies to the candidates list when a 'set'
action occurs.

This is implemented in a few steps:

1. flowbits 'set' is flagged
2. when 'set' action occurs the flowbit is added to a "post rule
   match work queue"
3. when the rule evaluation ends, the post-match "prefilter" engine is run
   on each of the flowbits in the "post rule match work queue"
4. these engines ammend the candidates list with the rule id dependencies
   for the flowbit
5. the candidates list is sorted to make sure within the execution for that
   packet the inspection order is maintained

Ticket: OISF#2486.
@victorjulien victorjulien force-pushed the feat/flowbit-prefilter/v25 branch from 6bc2695 to eec47ef Compare January 13, 2025 11:13
@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 24198

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@victorjulien @suricata-qa