Optimization #4378

Task #4143: tracking: file.data improvements

file.data: split mpm per app_proto

Added by Victor Julien almost 4 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal

Description

Suricata treats every file.data rule as using the same high-level buffer type, regardless of the protocol the rule applies to. In practice a file.data rule applies either to one specific protocol, such as smb or http, or to all protocols that support file.data.

Looking at existing rulesets we see a great many HTTP file.data rules and relatively few for other protocols. Because the mpm/fast_pattern engine handles file.data as a single buffer, scanning file.data in SMB also scans the patterns from the HTTP rules. This is obviously inefficient: Suricata is doing expensive work that can never lead to a rule match.
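The following is an added illustration of the grouping problem the ticket describes; it is not Suricata code and does not use Suricata's data structures. It models the mpm as a pattern set keyed by buffer, first as one shared file.data set, then split per app_proto. The rule set, the protocol list and the fast patterns are constructed for the example. The one design point worth seeing is that rules with no app_proto (e.g. an `alert tcp` rule using file.data) still have to land in every per-protocol set, otherwise they silently stop matching on protocols they were meant to cover.

```python
"""Model of file.data mpm grouping: one shared set vs. one set per app_proto.

Added example, not Suricata's own code. Patterns and rules below are constructed.
"""

# Constructed rule set: (sid, app_proto, fast_pattern). app_proto None means the
# rule uses file.data without an app-layer protocol, so it applies to every
# protocol that supports file.data.
RULES = [
    (1, "http", b"<script>"),
    (2, "http", b"eval("),
    (3, "http", b"MZ"),
    (4, "smb", b"mimikatz"),
    (5, None, b"EICAR-STANDARD"),
]

# Assumption for the example: the protocols that expose a file.data buffer.
FILE_DATA_PROTOS = ("http", "smb", "smtp", "nfs", "ftp-data")


def build_single_buffer(rules):
    """Original behaviour: one pattern set for all file.data rules.

    Every protocol scans the same set, so SMB data is scanned for HTTP patterns.
    Returns {proto: {pattern: {sid, ...}}} so it can be scanned like the split form.
    """
    patterns = {}
    for sid, _proto, pat in rules:
        patterns.setdefault(pat, set()).add(sid)
    return {proto: patterns for proto in FILE_DATA_PROTOS}


def build_per_proto(rules):
    """Split behaviour: one pattern set per app_proto.

    Protocol-specific rules go only into their protocol's set; protocol-agnostic
    rules (app_proto None) are copied into every protocol's set.
    """
    groups = {proto: {} for proto in FILE_DATA_PROTOS}
    for sid, proto, pat in rules:
        targets = FILE_DATA_PROTOS if proto is None else (proto,)
        for target in targets:
            groups[target].setdefault(pat, set()).add(sid)
    return groups


def pattern_count(groups, proto):
    """Number of distinct patterns the mpm for `proto` has to search for."""
    return len(groups[proto])


def scan(groups, proto, data):
    """Naive multi-pattern scan standing in for the real mpm (AC / Hyperscan).

    Returns the candidate sids the prefilter would hand to the rule engine. In the
    single-buffer model an HTTP-only sid can come back for SMB data: that candidate
    is always rejected later by the rule's app_proto check, which is the wasted
    work the ticket is about.
    """
    hits = set()
    for pat, sids in groups[proto].items():
        if pat in data:
            hits |= sids
    return hits


if __name__ == "__main__":
    single, split = build_single_buffer(RULES), build_per_proto(RULES)
    for proto in FILE_DATA_PROTOS:
        print(f"{proto:8s} single={pattern_count(single, proto)} "
              f"split={pattern_count(split, proto)}")
    smb_data = b"\xffSMB...<script>...EICAR-STANDARD..."
    print("single-buffer SMB candidates:", sorted(scan(single, "smb", smb_data)))
    print("per-proto     SMB candidates:", sorted(scan(split, "smb", smb_data)))
```

With the constructed rules, the SMB mpm shrinks from five patterns to two, and an SMB file containing `<script>` no longer produces a candidate for an HTTP-only rule. Note that the protocol-agnostic sid 5 still matches on SMB in the split form; a split that forgot to replicate such rules would be a silent detection loss rather than an optimization.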


Related issues (1 open, 0 closed)

Related to Suricata - Task #5682: tracking: smb performance issues (Assigned, Victor Julien)
