-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hyperscan MPM integration v6 #1965
Conversation
By default, hashlittle() will read off the end of the key, up to the next four-byte boundary, although the data beyond the end of the key doesn't affect the hash. This read causes uninitialized read warnings from Valgrind and Address Sanitizer. Here we add hashlittle_safe(), which avoids reading off the end of the buffer (using the code inside the VALGRIND-guarded block in the original hashlittle() implementation).
MpmAddPatternCI and MpmAddPatternCS had arguments for offset and depth, but these were not being passed in by the caller.
This adds an MPM implementation that uses the Hyperscan regex engine library from Intel, accessible as the "hs" mpm-algo.
Prscript still passes: |
The suppressions in here make my DrMemory test pass as well: 31ed704 |
Merged through #1968, thanks a lot Justin! |
Hello,why suricata does not suport hyperscan stream mode?Please give me a reply,thanks. |
The hs was used in suricata, when the http traffic up to 2Gbps it crashed with only one thread,or less traffic with 4 threads。the core dump is follow: Using host libthread_db library "/lib64/libthread_db.so.1". |
Please report bugs in our issue tracker https://redmine.openinfosecfoundation.org/projects/suricata |
This PR adds support for using Intel's Hyperscan regex engine as an MPM algo, namely "hs".
It has a couple of notable features over a straightforward implementation:
More info on Hyperscan: https://01.org/hyperscan
Ticket: https://redmine.openinfosecfoundation.org/issues/1704