detect-engine-alert.c File Reference
#include "suricata-common.h"
#include "detect.h"
#include "detect-engine-alert.h"
#include "detect-engine-threshold.h"
#include "detect-engine-tag.h"
#include "decode.h"
#include "flow.h"
#include "flow-private.h"
#include "util-profiling.h"


Functions

void PacketAlertTagInit (void)
 
PacketAlert * PacketAlertGetTag (void)
 
int PacketAlertCheck (Packet *p, uint32_t sid)
 Check whether a given sid alerted; this is used by the test functions. More...
 
int PacketAlertRemove (Packet *p, uint16_t pos)
 Remove alert from the p->alerts.alerts array at pos. More...
 
int PacketAlertAppend (DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t flags)
 append a signature match to a packet More...
 
void PacketAlertFinalize (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
 Check the threshold of the matching signatures, set actions, and stop at a pass action. This function iterates over the packet alerts array, removing those that did not match the threshold and those that match after a signature with the action "pass". The array is sorted by action priority/order. More...
 

Function Documentation

int PacketAlertAppend ( DetectEngineThreadCtx *det_ctx,
const Signature *s,
Packet *p,
uint64_t  tx_id,
uint8_t  flags 
)

Append a signature match to a packet.

Parameters
det_ctx — thread detection engine ctx
s — the signature that matched
p — packet
flags — alert flags

Definition at line 188 of file detect-engine-alert.c.

References PacketAlert_::action, Signature_::action, PacketAlerts_::alerts, Packet_::alerts, PacketAlerts_::cnt, flags, PacketAlert_::flags, Signature_::id, PacketAlert_::num, Signature_::num, PACKET_ALERT_MAX, PacketAlert_::s, SCLogDebug, tx_id, and PacketAlert_::tx_id.

Referenced by IPOnlyMatchPacket(), and SigMatchSignaturesGetSgh().


int PacketAlertCheck ( Packet *p,
uint32_t  sid 
)

Check whether a given sid alerted; this is used by the test functions.

Parameters
p — Packet on which we want to check whether the signature alerted or not
sid — Signature id of the signature that has to be checked for a match
Return values
match — a value > 0 on a match; 0 on no match

Definition at line 138 of file detect-engine-alert.c.

References PacketAlerts_::alerts, Packet_::alerts, PacketAlerts_::cnt, Signature_::id, and PacketAlert_::s.

Referenced by DetectAckRegister(), DetectBypassRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectFastPatternRegister(), DetectFlowFree(), DetectFlowintFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectGeoipRegister(), DetectHostbitFree(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectITypeFree(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectPcrePayloadMatch(), DetectProtoContainsProto(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSetupParseRegexes(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslStateRegister(), DetectSslVersionRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3StringRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), DetectTlsSubjectRegister(), DetectTlsValidityRegister(), DetectTlsVersionRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), MpmACRegister(), MpmACTileRegister(), RegisterModbusParsers(), SCACBSPrintInfo(), SCThresholdConfParseFile(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), UTHCheckPacketMatchResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().

void PacketAlertFinalize ( DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
Packet *p 
)

Check the threshold of the matching signatures, set actions, and stop at a pass action. This function iterates over the packet alerts array, removing those that did not match the threshold and those that match after a signature with the action "pass". The array is sorted by action priority/order.

Parameters
de_ctx — detection engine context
det_ctx — detection engine thread context
p — pointer to the packet

Definition at line 238 of file detect-engine-alert.c.

References Signature_::action, ACTION_DROP, ACTION_PASS, ACTION_REJECT, ACTION_REJECT_BOTH, ACTION_REJECT_DST, PacketAlerts_::alerts, Packet_::alerts, PacketAlerts_::cnt, SigMatchData_::ctx, DETECT_SM_LIST_TMATCH, DetectSignatureApplyActions(), PacketAlert_::flags, Flow_::flags, Packet_::flags, Signature_::flags, Packet_::flow, FLOW_ACTION_DROP, FLOW_PKT_TOCLIENT, FLOW_PKT_TOCLIENT_IPONLY_SET, FLOW_PKT_TOSERVER, FLOW_PKT_TOSERVER_IPONLY_SET, Packet_::flowflags, FlowSetHasAlertsFlag(), FlowSetIPOnlyFlag(), SigMatchData_::is_last, KEYWORD_PROFILING_END, KEYWORD_PROFILING_SET_LIST, KEYWORD_PROFILING_START, SigTableElmt_::Match, PacketAlert_::num, PACKET_ALERT_FLAG_DROP_FLOW, PACKET_TEST_ACTION, PacketAlertRemove(), PKT_PSEUDO_STREAM_END, res, PacketAlert_::s, SCEnter, SCLogDebug, DetectEngineCtx_::sig_array, SIG_FLAG_APPLAYER, SIG_FLAG_IPONLY, sigmatch_table, Signature_::sm_arrays, TagHandlePacket(), and SigMatchData_::type.

Referenced by SigMatchSignaturesGetSgh().


int PacketAlertRemove ( Packet *p,
uint16_t  pos 
)

Remove alert from the p->alerts.alerts array at pos.

Parameters
p — Pointer to the Packet
pos — Position in the array
Return values
0 if the number of alerts is less than pos; 1 if all goes well

Definition at line 161 of file detect-engine-alert.c.

References PacketAlerts_::alerts, Packet_::alerts, PacketAlerts_::cnt, and SCLogDebug.

Referenced by PacketAlertFinalize().


void PacketAlertTagInit ( void  )

Definition at line 37 of file detect-engine-alert.c.

References PacketAlert_::action, ACTION_ALERT, Signature_::gid, Signature_::id, Signature_::num, Signature_::prio, Signature_::rev, PacketAlert_::s, TAG_SIG_GEN, and TAG_SIG_ID.

Referenced by PostRunDeinit().
