[Forensics-changes] [yara] 66/407: Improve detection of strings slowing down the scanning
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:28:10 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.3.0
in repository yara.
commit 5ed320349395632dca01c494502165b73c2018b3
Author: Victor Manuel Alvarez <vmalvarez at virustotal.com>
Date: Thu Sep 25 14:25:11 2014 +0200
Improve detection of strings slowing down the scanning
---
libyara/atoms.c | 40 +++++++++++++++++++++++++++++++++++-----
libyara/include/yara/atoms.h | 8 ++++++++
libyara/parser.c | 38 ++++++++++++--------------------------
3 files changed, 55 insertions(+), 31 deletions(-)
diff --git a/libyara/atoms.c b/libyara/atoms.c
index 2b23ab0..e2f4702 100644
--- a/libyara/atoms.c
+++ b/libyara/atoms.c
@@ -133,13 +133,13 @@ int _yr_atoms_quality(
}
//
-// _yr_atoms_min_quality
+// yr_atoms_min_quality
//
// Returns the quality for the worst quality atom in a list.
//
-int _yr_atoms_min_quality(
- YR_ATOM_LIST_ITEM* atom_list)
+int yr_atoms_min_quality(
+ YR_ATOM_LIST_ITEM* atom_list)
{
YR_ATOM_LIST_ITEM* atom;
@@ -164,6 +164,36 @@ int _yr_atoms_min_quality(
return min_quality;
}
+
+//
+// yr_atoms_min_length
+//
+// Returns the length for the shortest atom in a list.
+//
+
+int yr_atoms_min_length(
+ YR_ATOM_LIST_ITEM* atom_list)
+{
+ YR_ATOM_LIST_ITEM* atom;
+
+ int min_length = 100000;
+
+ if (atom_list == NULL)
+ return 0;
+
+ atom = atom_list;
+
+ while (atom != NULL)
+ {
+ if (atom->atom_length < min_length)
+ min_length = atom->atom_length;
+
+ atom = atom->next;
+ }
+
+ return min_length;
+}
+
//
// _yr_atoms_tree_node_create
//
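Review bot: The sentinel `100000` in `yr_atoms_min_length` is an unexplained magic number. The loop this helper replaces in `libyara/parser.c` started from `MAX_ATOM_LENGTH`, and reusing it here (`int min_length = MAX_ATOM_LENGTH;`, assuming the macro is visible to atoms.c) keeps the bound tied to the real atom size limit. The header comment should also state that an empty list returns 0, since the caller compares the result with the string length to decide `STRING_GFLAGS_FITS_IN_ATOM`.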
@@ -171,7 +201,7 @@ int _yr_atoms_min_quality(
//
ATOM_TREE_NODE* _yr_atoms_tree_node_create(
- uint8_t type)
+ uint8_t type)
{
ATOM_TREE_NODE* new_node;
@@ -988,7 +1018,7 @@ int yr_atoms_extract_from_re(
yr_atoms_extract_triplets(re->root_node, &triplet_atoms);
- if (min_atom_quality < _yr_atoms_min_quality(triplet_atoms))
+ if (min_atom_quality < yr_atoms_min_quality(triplet_atoms))
{
yr_atoms_list_destroy(*atoms);
*atoms = triplet_atoms;
diff --git a/libyara/include/yara/atoms.h b/libyara/include/yara/atoms.h
index 692f577..afa3198 100644
--- a/libyara/include/yara/atoms.h
+++ b/libyara/include/yara/atoms.h
@@ -79,6 +79,14 @@ int yr_atoms_extract_from_string(
YR_ATOM_LIST_ITEM** atoms);
+int yr_atoms_min_quality(
+ YR_ATOM_LIST_ITEM* atom_list);
+
+
+int yr_atoms_min_length(
+ YR_ATOM_LIST_ITEM* atom_list);
+
+
void yr_atoms_list_destroy(
YR_ATOM_LIST_ITEM* list_head);
diff --git a/libyara/parser.c b/libyara/parser.c
index b18daad..94cbad7 100644
--- a/libyara/parser.c
+++ b/libyara/parser.c
@@ -247,12 +247,10 @@ int _yr_parser_write_string(
SIZED_STRING* str,
RE* re,
YR_STRING** string,
- int* min_atom_length)
+ int* min_atom_quality)
{
SIZED_STRING* literal_string;
YR_AC_MATCH* new_match;
-
- YR_ATOM_LIST_ITEM* atom;
YR_ATOM_LIST_ITEM* atom_list = NULL;
int result;
@@ -375,19 +373,7 @@ int _yr_parser_write_string(
}
}
- atom = atom_list;
-
- if (atom != NULL)
- *min_atom_length = MAX_ATOM_LENGTH;
- else
- *min_atom_length = 0;
-
- while (atom != NULL)
- {
- if (atom->atom_length < *min_atom_length)
- *min_atom_length = atom->atom_length;
- atom = atom->next;
- }
+ *min_atom_quality = yr_atoms_min_quality(atom_list);
if (flags & STRING_GFLAGS_LITERAL)
{
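Review bot: The value stored in `*min_atom_quality` for a string that yields no atoms now depends on what `yr_atoms_min_quality` returns for a NULL list, and that part of its body is not visible in this patch. The removed loop set the length to 0 in that case, which produced the "(critical!)" warning, so it is worth confirming that the NULL-list return is below 2 and such strings are still flagged. Once confirmed, a short comment above the assignment, for example `// an empty atom list must map to the lowest quality so the caller still warns`, would record the dependency. `_yr_parser_write_string` starts and ends outside this hunk.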
@@ -396,7 +382,7 @@ int _yr_parser_write_string(
else
max_string_len = (*string)->length;
- if (max_string_len == *min_atom_length)
+ if (max_string_len == yr_atoms_min_length(atom_list))
(*string)->g_flags |= STRING_GFLAGS_FITS_IN_ATOM;
}
@@ -419,8 +405,8 @@ YR_STRING* yr_parser_reduce_string_declaration(
const char* identifier,
SIZED_STRING* str)
{
- int min_atom_length;
- int min_atom_length_aux;
+ int min_atom_quality;
+ int min_atom_quality_aux;
int re_flags = 0;
int32_t min_gap;
@@ -512,7 +498,7 @@ YR_STRING* yr_parser_reduce_string_declaration(
NULL,
re,
&string,
- &min_atom_length);
+ &min_atom_quality);
if (compiler->last_result != ERROR_SUCCESS)
goto _exit;
@@ -551,13 +537,13 @@ YR_STRING* yr_parser_reduce_string_declaration(
NULL,
re,
&aux_string,
- &min_atom_length_aux);
+ &min_atom_quality_aux);
if (compiler->last_result != ERROR_SUCCESS)
goto _exit;
- if (min_atom_length_aux < min_atom_length)
- min_atom_length = min_atom_length_aux;
+ if (min_atom_quality_aux < min_atom_quality)
+ min_atom_quality = min_atom_quality_aux;
aux_string->g_flags |= STRING_GFLAGS_CHAIN_PART;
aux_string->chain_gap_min = min_gap;
@@ -581,20 +567,20 @@ YR_STRING* yr_parser_reduce_string_declaration(
str,
NULL,
&string,
- &min_atom_length);
+ &min_atom_quality);
if (compiler->last_result != ERROR_SUCCESS)
goto _exit;
}
- if (min_atom_length < 2 && compiler->callback != NULL)
+ if (min_atom_quality < 3 && compiler->callback != NULL)
{
snprintf(
message,
sizeof(message),
"%s is slowing down scanning%s",
string->identifier,
- min_atom_length == 0 ? " (critical!)" : "");
+ min_atom_quality < 2 ? " (critical!)" : "");
yywarning(yyscanner, message);
}
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git