suricata
detect-engine-alert.c File Reference
#include "suricata-common.h"
#include "detect.h"
#include "detect-engine-alert.h"
#include "detect-engine-threshold.h"
#include "detect-engine-tag.h"
#include "decode.h"
#include "packet.h"
#include "flow.h"
#include "flow-private.h"
#include "util-profiling.h"
#include "util-validate.h"
#include "action-globals.h"
#include "tests/detect-engine-alert.c"
Include dependency graph for detect-engine-alert.c:

Go to the source code of this file.

Functions

void PacketAlertTagInit (void)
 
int PacketAlertCheck (Packet *p, uint32_t sid)
 Check if a certain sid alerted, this is used in the test functions. More...
 
void AlertQueueInit (DetectEngineThreadCtx *det_ctx)
 
void AlertQueueFree (DetectEngineThreadCtx *det_ctx)
 
void AlertQueueAppend (DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t alert_flags)
 Append signature to local packet alert queue for later preprocessing. More...
 
void PacketAlertFinalize (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
 Check the threshold of the sigs that match, set actions, break on pass action This function iterate the packet alerts array, removing those that didn't match the threshold, and those that match after a signature with the action "pass". The array is sorted by action priority/order. More...
 

Function Documentation

◆ AlertQueueAppend()

void AlertQueueAppend ( DetectEngineThreadCtx det_ctx,
const Signature s,
Packet p,
uint64_t  tx_id,
uint8_t  alert_flags 
)

Append signature to local packet alert queue for later preprocessing.

Definition at line 283 of file detect-engine-alert.c.

References PacketAlert_::action, Signature_::action, ACTION_DROP, Packet_::alerts, and PacketAlerts_::drop.

◆ AlertQueueFree()

void AlertQueueFree ( DetectEngineThreadCtx det_ctx)

◆ AlertQueueInit()

◆ PacketAlertCheck()

int PacketAlertCheck ( Packet p,
uint32_t  sid 
)

Check if a certain sid alerted, this is used in the test functions.

Parameters
pPacket on which we want to check if the signature alerted or not
sidSignature id of the signature that has to be checked for a match
Return values
matchA value > 0 on a match; 0 on no match

Definition at line 141 of file detect-engine-alert.c.

References PacketAlerts_::alerts, Packet_::alerts, BUG_ON, PacketAlerts_::cnt, Signature_::id, and PacketAlert_::s.

Referenced by UTHCheckPacketMatchResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().

Here is the caller graph for this function:

◆ PacketAlertFinalize()

void PacketAlertFinalize ( DetectEngineCtx de_ctx,
DetectEngineThreadCtx det_ctx,
Packet p 
)

Check the threshold of the sigs that match, set actions, break on pass action This function iterate the packet alerts array, removing those that didn't match the threshold, and those that match after a signature with the action "pass". The array is sorted by action priority/order.

Parameters
de_ctxdetection engine context
det_ctxdetection engine thread context
ppointer to the packet

Definition at line 371 of file detect-engine-alert.c.

References DetectEngineThreadCtx_::alert_queue, DetectEngineThreadCtx_::alert_queue_size, and SCEnter.

◆ PacketAlertTagInit()

void PacketAlertTagInit ( void  )

Definition at line 45 of file detect-engine-alert.c.