Snort mailing list archives

Re: Multi Pattern Search Engine Plugin


From: "Russ Combs \(rucombs\) via Snort-devel" <snort-devel () lists snort org>
Date: Thu, 14 Mar 2024 11:48:37 +0000

Vlad,

rule_tree_queue is the only implementation of MpseMatch, which is a call back provided so that your MPSE can report 
matches to the detection engine. It is not a side-effect and it is not intended to be overridden.

If you break in rule_tree_queue, you will see that KTriePrefixMatch is calling rule_tree_queue on the match via the 
match callback which was set in fp_partial (called by fp_full).

There is scant documentation on this so we will improve that.

Also, that demo is a little off. The README says it is high performance, but lowmem is decidedly low performance. It 
also throws an unrelated 119:43 for no good reason so ignore that. 1:1 is the one you are after.

Hope that helps.
Russ
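
As an added illustration of the contract described above (example code written for this page, not Snort's classes or real signatures): a toy MPSE in C++ that reports every hit through a callback supplied by a stand-in "engine", which queues the matches for later processing. The trie matcher, the callback signature and all names here are assumptions for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <vector>
// Engine side (stand-in for rule_tree_queue / MpseStash): the engine owns this callback.
struct Match { int pattern_id; std::size_t end_offset; };
using MatchCallback = int (*)(int pattern_id, std::size_t end_offset, void* ctx);
struct MatchStash {
    std::vector<Match> queue;
    static int queue_match(int id, std::size_t end, void* ctx) {
        static_cast<MatchStash*>(ctx)->queue.push_back({id, end});
        return 0;  // non-zero would tell the MPSE to stop the search early
    }
};

// MPSE side: a minimal trie prefix matcher (constructed here; not Snort's KTrie or lowmem code).
class TrieMpse {
    struct Node { std::map<unsigned char, std::unique_ptr<Node>> next; int id = -1; };
    Node root_;
public:
    void add_pattern(const std::string& p, int id) {
        Node* n = &root_;
        for (unsigned char c : p) { auto& s = n->next[c]; if (!s) s = std::make_unique<Node>(); n = s.get(); }
        n->id = id;
    }
    // Walk the trie from every offset; each terminal node is reported via the engine's callback,
    // so overlapping patterns (e.g. "in" inside "index") each produce their own match.
    int search(const uint8_t* buf, std::size_t len, MatchCallback cb, void* ctx) const {
        int count = 0;
        for (std::size_t start = 0; start < len; ++start) {
            const Node* n = &root_;
            for (std::size_t i = start; i < len; ++i) {
                auto it = n->next.find(buf[i]);
                if (it == n->next.end()) break;
                n = it->second.get();
                if (n->id >= 0) { ++count; if (cb(n->id, i + 1, ctx)) return count; }
            }
        }
        return count;
    }
};
// Compile the patterns, run one search and hand back what the "engine" was told.
inline MatchStash run_search(const std::string& data, const std::vector<std::string>& pats) {
    TrieMpse mpse; MatchStash stash;
    for (std::size_t i = 0; i < pats.size(); ++i) mpse.add_pattern(pats[i], static_cast<int>(i));
    mpse.search(reinterpret_cast<const uint8_t*>(data.data()), data.size(), MatchStash::queue_match, &stash);
    return stash;
}
```

The point to take from it is that the MPSE never decides what a match means; it only hands (pattern id, offset) to whatever callback the engine passed in, and the engine processes the queue afterwards.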


________________________________
From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Vlad Ulmeanu via Snort-devel <snort-devel () 
lists snort org>
Sent: Sunday, March 10, 2024 4:57 AM
To: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: [Snort-devel] Multi Pattern Search Engine Plugin

Hi all,

I'm trying to plug in my Multi Pattern Search Engine<https://github.com/vlad-ulmeanu01/ExpoSizeStringSearch> into 
snort3 and run some benchmarks. I have run into some 
problems<https://stackoverflow.com/questions/78121441/snort3-where-is-the-default-implementation-for-mpsematch> with 
the setup: tried to rewrite the lowmem<https://github.com/snort3/snort3_extra/tree/master/src/search_engines/lowmem> 
example in snort3_extra<https://github.com/snort3/snort3_extra>, but there is a side effect occurring in lowmem's 
_search<https://github.com/snort3/snort3_extra/blob/b81e2e4f9296d9ae724e8d1b409371a3715fc2cc/src/search_engines/lowmem/lowmem.cc#L65C9-L65C16> 
function (that triggers another 
"allow<https://github.com/snort3/snort3_demo/blob/3fdada8224f8ec5ecea4649fdad144edec7a9c9e/tests/search_engines/ac_bnfa/expected#L2>" 
in the snort3_demo<https://github.com/snort3/snort3_demo/tree/master/tests/search_engines/ac_bnfa> 
example<https://github.com/snort3/snort3_demo/tree/master/tests/search_engines/ac_bnfa>) when calling 
match<https://github.com/snort3/snort3_extra/blob/b81e2e4f9296d9ae724e8d1b409371a3715fc2cc/src/search_engines/lowmem/sfksearch.cc#L579> 
(MpseMatch<https://github.com/snort3/snort3/blob/be0977a3a8a98632e5cd1238c1d0da6dc2693b5f/src/search_engines/search_common.h#L39> 
-> rule_tree_queue<https://github.com/snort3/snort3/blob/be0977a3a8a98632e5cd1238c1d0da6dc2693b5f/src/detection/fp_detect.cc#L865> 
(I suppose this is the default implementation of MpseMatch that lowmem ends up using) 
-> MpseStash::push<https://github.com/snort3/snort3/blob/be0977a3a8a98632e5cd1238c1d0da6dc2693b5f/src/detection/fp_detect.cc#L773> 
-> MpseStash::process<https://github.com/snort3/snort3/blob/be0977a3a8a98632e5cd1238c1d0da6dc2693b5f/src/detection/fp_detect.cc#L832> 
-> rule_tree_match<https://github.com/snort3/snort3/blob/be0977a3a8a98632e5cd1238c1d0da6dc2693b5f/src/detection/fp_detect.cc#L375>). 
Unfortunately, things get quite complicated, and I couldn't pinpoint the reason for the side effect.

How can I deal with this side effect? I assume that I should call match with a non-nullptr argument for tree, but I 
don't really understand its meaning. Also, where can I find a good documentation source for snort3_extra? The best I 
could find is this<https://fossies.org/dox/snort3_extra-3.1.78.0/classLowmemMpse.html>.

Thank you,
Vlad Ulmeanu
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
