Optimization #536
openshare ctx for filemd5 keyword if identical files are used
Description
If we have the same md5collection file (a white-list) and use that file in two separate rules, then currently, as of 1.4dev (rev 75af345), Suricata loads the md5collection file twice, even though it is the very same file with the very same name.
It would be very beneficial if this were handled better: just point to the same file/memory location, since the files are the same.
Example:
alert ip any any -> any any (msg:"FILE MD5 Check PDF aginst a white list"; filemagic:pdf; filemd5:!MD5File.txt; sid:9966699; rev:1;)
alert ip any any -> any any (msg:"FILE MD5 Check EXE aginst a white list"; filemagic:exe; filemd5:!MD5File.txt; sid:9977799; rev:2;)
would result in:
[3237] 29/8/2012 -- 15:36:40 - (detect.c:670) <Info> (SigLoadSignatures) -- Loading rule file: /var/data/peter/md5test.rules
[3237] 29/8/2012 -- 15:37:21 - (detect-filemd5.c:277) <Info> (DetectFileMd5Parse) -- MD5 hash size 1399625840 bytes, negated match
[3237] 29/8/2012 -- 15:38:00 - (detect-filemd5.c:277) <Info> (DetectFileMd5Parse) -- MD5 hash size 1399625840 bytes, negated match
So if we have 10 MD5 rules using the filemd5 keyword, it is going to be a long wait before we can start processing packets.
thanks
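The sharing the ticket asks for, as an added example that is not Suricata's own code: a loader that keeps one parsed context per canonical file path, so the PDF rule and the EXE rule above end up pointing at the same in-memory collection and the file is read once. The class and function names, the temporary file and the sample hash lines are constructed for illustration.

```python
# Added example, not Suricata's own code: one shared context per filemd5 file,
# as the ticket proposes. Names are assumptions for illustration.
import os
import re
import tempfile

MD5_LINE = re.compile(r"^[0-9a-fA-F]{32}$")

class Md5Collection:
    """Hashes from one md5 list file plus a count of the rules sharing it."""
    def __init__(self, path):
        self.refcount = 0
        self.hashes = set()
        with open(path) as fh:
            for raw in fh:
                line = raw.strip()
                # Skip comments and malformed lines rather than trusting the file.
                if line and not line.startswith("#") and MD5_LINE.match(line):
                    self.hashes.add(line.lower())
    def matches(self, md5hex, negated):
        hit = md5hex.lower() in self.hashes
        return not hit if negated else hit  # filemd5:!file -> match if NOT listed

class Md5Loader:
    """Cache keyed by canonical path so the same file is read only once."""
    def __init__(self):
        self._cache = {}
        self.parse_count = 0  # files actually read from disk
    def get(self, name):
        key = os.path.realpath(name)
        if key not in self._cache:
            self._cache[key] = Md5Collection(key)
            self.parse_count += 1
        self._cache[key].refcount += 1
        return self._cache[key]

def demo():
    """Two rules naming one whitelist; returns (shared, parses, refs, hashes, alert)."""
    # Constructed sample whitelist; the last line is deliberately malformed.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("# known-good file\nd41d8cd98f00b204e9800998ecf8427e\nnot-a-hash\n")
        path = f.name
    loader = Md5Loader()
    pdf_ctx = loader.get(path)  # PDF rule: filemd5:!MD5File.txt
    exe_ctx = loader.get(path)  # EXE rule: same file, so same context
    os.unlink(path)
    alert = pdf_ctx.matches("D41D8CD98F00B204E9800998ECF8427E", negated=True)
    return pdf_ctx is exe_ctx, loader.parse_count, pdf_ctx.refcount, len(pdf_ctx.hashes), alert
```

A real loader would also need to drop the context when the last referencing rule is freed, which is what the refcount is for.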