suricata
detect-engine-alert.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 
20 #include "detect.h"
21 #include "detect-engine-alert.h"
23 #include "detect-engine-tag.h"
24 
25 #include "decode.h"
26 #include "packet.h"
27 
28 #include "flow.h"
29 #include "flow-private.h"
30 
31 #ifdef DEBUG
32 #include "util-exception-policy.h"
33 #endif
34 
35 #include "util-profiling.h"
36 #include "util-validate.h"
37 
38 #include "action-globals.h"
39 
40 /** tag signature we use for tag alerts */
41 static Signature g_tag_signature;
42 /** tag packet alert structure for tag alerts */
43 static PacketAlert g_tag_pa;
44 
46 {
47  memset(&g_tag_signature, 0x00, sizeof(g_tag_signature));
48 
49  g_tag_signature.id = TAG_SIG_ID;
50  g_tag_signature.gid = TAG_SIG_GEN;
51  g_tag_signature.num = TAG_SIG_ID;
52  g_tag_signature.rev = 1;
53  g_tag_signature.prio = 2;
54 
55  memset(&g_tag_pa, 0x00, sizeof(g_tag_pa));
56 
57  g_tag_pa.action = ACTION_ALERT;
58  g_tag_pa.s = &g_tag_signature;
59 }
60 
61 /**
62  * \brief Handle a packet and check if needs a threshold logic
63  * Also apply rule action if necessary.
64  *
65  * \param de_ctx Detection Context
66  * \param sig Signature pointer
67  * \param p Packet structure
68  *
69  * \retval 1 alert is not suppressed
70  * \retval 0 alert is suppressed
71  */
72 static int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
73  const Signature *s, Packet *p, PacketAlert *pa)
74 {
75  SCEnter();
76  int ret = 1;
77  const DetectThresholdData *td = NULL;
78  const SigMatchData *smd;
79 
80  if (!(PKT_IS_IPV4(p) || PKT_IS_IPV6(p))) {
81  SCReturnInt(1);
82  }
83 
84  /* handle suppressions first */
85  if (s->sm_arrays[DETECT_SM_LIST_SUPPRESS] != NULL) {
87  smd = NULL;
88  do {
90  if (td != NULL) {
91  SCLogDebug("td %p", td);
92 
93  /* PacketAlertThreshold returns 2 if the alert is suppressed but
94  * we do need to apply rule actions to the packet. */
96  ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s, pa);
97  if (ret == 0 || ret == 2) {
99  /* It doesn't match threshold, remove it */
100  SCReturnInt(ret);
101  }
103  }
104  } while (smd != NULL);
105  }
106 
107  /* if we're still here, consider thresholding */
108  if (s->sm_arrays[DETECT_SM_LIST_THRESHOLD] != NULL) {
110  smd = NULL;
111  do {
113  if (td != NULL) {
114  SCLogDebug("td %p", td);
115 
116  /* PacketAlertThreshold returns 2 if the alert is suppressed but
117  * we do need to apply rule actions to the packet. */
119  ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s, pa);
120  if (ret == 0 || ret == 2) {
122  /* It doesn't match threshold, remove it */
123  SCReturnInt(ret);
124  }
126  }
127  } while (smd != NULL);
128  }
129  SCReturnInt(1);
130 }
131 
132 #ifdef UNITTESTS
133 /**
134  * \brief Check if a certain sid alerted, this is used in the test functions
135  *
136  * \param p Packet on which we want to check if the signature alerted or not
137  * \param sid Signature id of the signature that has to be checked for a match
138  *
139  * \retval match A value > 0 on a match; 0 on no match
140  */
141 int PacketAlertCheck(Packet *p, uint32_t sid)
142 {
143  int match = 0;
144 
145  for (uint16_t i = 0; i < p->alerts.cnt; i++) {
146  BUG_ON(p->alerts.alerts[i].s == NULL);
147  if (p->alerts.alerts[i].s->id == sid)
148  match++;
149  }
150 
151  return match;
152 }
153 #endif
154 
155 static inline void RuleActionToFlow(const uint8_t action, Flow *f)
156 {
157  if (action & (ACTION_DROP | ACTION_REJECT_ANY | ACTION_PASS)) {
158  if (f->flags & (FLOW_ACTION_DROP | FLOW_ACTION_PASS)) {
159  /* drop or pass already set. First to set wins. */
160  SCLogDebug("not setting %s flow already set to %s",
161  (action & ACTION_PASS) ? "pass" : "drop",
162  (f->flags & FLOW_ACTION_DROP) ? "drop" : "pass");
163  } else {
164  if (action & (ACTION_DROP | ACTION_REJECT_ANY)) {
165  f->flags |= FLOW_ACTION_DROP;
166  SCLogDebug("setting flow action drop");
167  }
168  if (action & ACTION_PASS) {
169  f->flags |= FLOW_ACTION_PASS;
170  SCLogDebug("setting flow action pass");
171  FlowSetNoPacketInspectionFlag(f);
172  }
173  }
174  }
175 }
176 
177 /** \brief Apply action(s) and Set 'drop' sig info,
178  * if applicable
179  * \param p packet
180  * \param s signature -- for id, sig pointer, not actions
181  * \param pa packet alert struct -- match, including actions after thresholding (rate_filter) */
182 static void PacketApplySignatureActions(Packet *p, const Signature *s, const PacketAlert *pa)
183 {
184  SCLogDebug("packet %" PRIu64 " sid %u action %02x alert_flags %02x", p->pcap_cnt, s->id,
185  pa->action, pa->flags);
186 
187  /* REJECT also sets ACTION_DROP, just make it more visible with this check */
188  if (pa->action & ACTION_DROP_REJECT) {
189  /* PacketDrop will update the packet action, too */
190  PacketDrop(p, pa->action,
193  SCLogDebug("[packet %p][DROP sid %u]", p, s->id);
194 
195  if (p->alerts.drop.action == 0) {
196  p->alerts.drop.num = s->num;
197  p->alerts.drop.action = pa->action;
198  p->alerts.drop.s = (Signature *)s;
199  }
200  if ((p->flow != NULL) && (pa->flags & PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW)) {
201  RuleActionToFlow(pa->action, p->flow);
202  }
203 
205  } else {
206  if (pa->action & ACTION_PASS) {
207  SCLogDebug("[packet %p][PASS sid %u]", p, s->id);
208  // nothing to set in the packet
209  } else if (pa->action & (ACTION_ALERT | ACTION_CONFIG)) {
210  // nothing to set in the packet
211  } else {
212  DEBUG_VALIDATE_BUG_ON(1); // should be unreachable
213  }
214 
215  if ((pa->action & ACTION_PASS) && (p->flow != NULL) &&
217  RuleActionToFlow(pa->action, p->flow);
218  }
219  }
220 }
221 
223 {
224  det_ctx->alert_queue_size = 0;
225  det_ctx->alert_queue = SCCalloc(packet_alert_max, sizeof(PacketAlert));
226  if (det_ctx->alert_queue == NULL) {
227  FatalError(SC_ERR_MEM_ALLOC, "failed to allocate %" PRIu64 " bytes for the alert queue",
228  (uint64_t)(packet_alert_max * sizeof(PacketAlert)));
229  }
231  SCLogDebug("alert queue initialized to %u elements (%" PRIu64 " bytes)", packet_alert_max,
232  (uint64_t)(packet_alert_max * sizeof(PacketAlert)));
233 }
234 
236 {
237  SCFree(det_ctx->alert_queue);
238  det_ctx->alert_queue_capacity = 0;
239 }
240 
241 /** \internal
242  * \retval the new capacity
243  */
244 static uint16_t AlertQueueExpand(DetectEngineThreadCtx *det_ctx)
245 {
246 #ifdef DEBUG
247  if (unlikely(g_eps_is_alert_queue_fail_mode))
248  return det_ctx->alert_queue_capacity;
249 #endif
250  uint16_t new_cap = det_ctx->alert_queue_capacity * 2;
251  void *tmp_queue = SCRealloc(det_ctx->alert_queue, (size_t)(sizeof(PacketAlert) * new_cap));
252  if (unlikely(tmp_queue == NULL)) {
253  /* queue capacity didn't change */
254  return det_ctx->alert_queue_capacity;
255  }
256  det_ctx->alert_queue = tmp_queue;
257  det_ctx->alert_queue_capacity = new_cap;
258  SCLogDebug("Alert queue size doubled: %u elements, bytes: %" PRIuMAX "",
259  det_ctx->alert_queue_capacity,
260  (uintmax_t)(sizeof(PacketAlert) * det_ctx->alert_queue_capacity));
261  return new_cap;
262 }
263 
264 /** \internal
265  */
266 static inline PacketAlert PacketAlertSet(
267  DetectEngineThreadCtx *det_ctx, const Signature *s, uint64_t tx_id, uint8_t alert_flags)
268 {
269  PacketAlert pa;
270  pa.num = s->num;
271  pa.action = s->action;
272  pa.s = (Signature *)s;
273  pa.flags = alert_flags;
274  /* Set tx_id if the frame has it */
275  pa.tx_id = (tx_id == UINT64_MAX) ? 0 : tx_id;
276  pa.frame_id = (alert_flags & PACKET_ALERT_FLAG_FRAME) ? det_ctx->frame_id : 0;
277  return pa;
278 }
279 
280 /**
281  * \brief Append signature to local packet alert queue for later preprocessing
282  */
283 void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id,
284  uint8_t alert_flags)
285 {
286  /* first time we see a drop action signature, set that in the packet */
287  /* we do that even before inserting into the queue, so we save it even if appending fails */
288  if (p->alerts.drop.action == 0 && s->action & ACTION_DROP) {
289  p->alerts.drop = PacketAlertSet(det_ctx, s, tx_id, alert_flags);
290  SCLogDebug("Set PacketAlert drop action. s->num %" PRIu32 "", s->num);
291  }
292 
293  uint16_t pos = det_ctx->alert_queue_size;
294  if (pos == det_ctx->alert_queue_capacity) {
295  /* we must grow the alert queue */
296  if (pos == AlertQueueExpand(det_ctx)) {
297  /* this means we failed to expand the queue */
298  p->alerts.discarded++;
299  return;
300  }
301  }
302  det_ctx->alert_queue[pos] = PacketAlertSet(det_ctx, s, tx_id, alert_flags);
303 
304  SCLogDebug("Appending sid %" PRIu32 ", s->num %" PRIu32 " to alert queue", s->id, s->num);
305  det_ctx->alert_queue_size++;
306  return;
307 }
308 
309 /** \internal
310  * \brief sort helper for sorting alerts by priority
311  *
312  * Sorting is done first based on num and then using tx_id, if nums are equal.
313  * The Signature::num field is set based on internal priority. Higher priority
314  * rules have lower nums.
315  */
316 static int AlertQueueSortHelper(const void *a, const void *b)
317 {
318  const PacketAlert *pa0 = a;
319  const PacketAlert *pa1 = b;
320  if (pa1->num == pa0->num)
321  return pa0->tx_id < pa1->tx_id ? 1 : -1;
322  else
323  return pa0->num > pa1->num ? 1 : -1;
324 }
325 
326 /** \internal
327  * \brief Check if Signature action should be applied to flow and apply
328  *
329  */
330 static inline void FlowApplySignatureActions(
331  Packet *p, PacketAlert *pa, const Signature *s, uint8_t alert_flags)
332 {
333  /* For DROP and PASS sigs we need to apply the action to the flow if
334  * - sig is IP or PD only
335  * - match is in applayer
336  * - match is in stream */
337  if (s->action & (ACTION_DROP | ACTION_PASS)) {
340  SIG_FLAG_APPLAYER))) {
342  SCLogDebug("packet %" PRIu64 " sid %u action %02x alert_flags %02x (set "
343  "PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW)",
344  p->pcap_cnt, s->id, s->action, pa->flags);
345  }
346  }
347 }
348 
349 /**
350  * \brief Check the threshold of the sigs that match, set actions, break on pass action
351  * This function iterate the packet alerts array, removing those that didn't match
352  * the threshold, and those that match after a signature with the action "pass".
353  * The array is sorted by action priority/order
354  * \param de_ctx detection engine context
355  * \param det_ctx detection engine thread context
356  * \param p pointer to the packet
357  */
359 {
360  SCEnter();
361 
362  /* sort the alert queue before thresholding and appending to Packet */
363  qsort(det_ctx->alert_queue, det_ctx->alert_queue_size, sizeof(PacketAlert),
364  AlertQueueSortHelper);
365 
366  uint16_t i = 0;
367  uint16_t max_pos = det_ctx->alert_queue_size;
368 
369  while (i < max_pos) {
370  PacketAlert *pa = &det_ctx->alert_queue[i];
371  const Signature *s = de_ctx->sig_array[pa->num];
372  int res = PacketAlertHandle(de_ctx, det_ctx, s, p, pa);
373  if (res > 0) {
374  /* Now, if we have an alert, we have to check if we want
375  * to tag this session or src/dst host */
376  if (s->sm_arrays[DETECT_SM_LIST_TMATCH] != NULL) {
379  while (1) {
380  /* tags are set only for alerts */
382  sigmatch_table[smd->type].Match(det_ctx, p, (Signature *)s, smd->ctx);
383  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
384  if (smd->is_last)
385  break;
386  smd++;
387  }
388  }
389 
390  /* set actions on the flow */
391  FlowApplySignatureActions(p, pa, s, pa->flags);
392 
393  SCLogDebug("det_ctx->alert_queue[i].action %02x (DROP %s, PASS %s)", pa->action,
395 
396  /* set actions on packet */
397  PacketApplySignatureActions(p, s, pa);
398  }
399 
400  /* Thresholding removes this alert */
401  if (res == 0 || res == 2 || (s->flags & SIG_FLAG_NOALERT)) {
402  /* we will not copy this to the AlertQueue */
403  p->alerts.suppressed++;
404  } else if (p->alerts.cnt < packet_alert_max) {
405  p->alerts.alerts[p->alerts.cnt] = *pa;
406  SCLogDebug("Appending sid %" PRIu32 " alert to Packet::alerts at pos %u", s->id, i);
407 
408  /* pass "alert" found, we're done */
409  if (pa->action & ACTION_PASS) {
410  break;
411  }
412  p->alerts.cnt++;
413  } else {
414  p->alerts.discarded++;
415  }
416  i++;
417  }
418 
419  /* At this point, we should have all the new alerts. Now check the tag
420  * keyword context for sessions and hosts */
421  if (!(p->flags & PKT_PSEUDO_STREAM_END))
422  TagHandlePacket(de_ctx, det_ctx, p);
423 
424  /* Set flag on flow to indicate that it has alerts */
425  if (p->flow != NULL && p->alerts.cnt > 0) {
426  if (!FlowHasAlerts(p->flow)) {
428  p->flags |= PKT_FIRST_ALERTS;
429  }
430  }
431 }
432 
433 #ifdef UNITTESTS
435 #endif
PacketCheckAction
bool PacketCheckAction(const Packet *p, const uint8_t a)
Definition: packet.c:48
PKT_DROP_REASON_RULES_THRESHOLD
@ PKT_DROP_REASON_RULES_THRESHOLD
Definition: decode.h:400
DetectEngineThreadCtx_::alert_queue_size
uint16_t alert_queue_size
Definition: detect.h:1101
FlowSetHasAlertsFlag
void FlowSetHasAlertsFlag(Flow *f)
Set flag to indicate that flow has alerts.
Definition: flow.c:170
PACKET_ALERT_FLAG_STREAM_MATCH
#define PACKET_ALERT_FLAG_STREAM_MATCH
Definition: decode.h:277
PacketAlert_::s
const struct Signature_ * s
Definition: decode.h:267
AlertQueueFree
void AlertQueueFree(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine-alert.c:235
SIG_FLAG_PDONLY
#define SIG_FLAG_PDONLY
Definition: detect.h:239
PKT_IS_IPV6
#define PKT_IS_IPV6(p)
Definition: decode.h:246
Signature_::num
SigIntId num
Definition: detect.h:550
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
ACTION_PASS
#define ACTION_PASS
Definition: action-globals.h:34
KEYWORD_PROFILING_SET_LIST
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
Definition: util-profiling.h:66
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:594
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:289
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:325
action-globals.h
Packet_::flags
uint32_t flags
Definition: decode.h:463
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:356
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:93
SIG_FLAG_LIKE_IPONLY
#define SIG_FLAG_LIKE_IPONLY
Definition: detect.h:209
TAG_SIG_ID
#define TAG_SIG_ID
Definition: detect-engine-tag.h:44
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:784
PacketAlerts_::alerts
PacketAlert * alerts
Definition: decode.h:292
ACTION_REJECT_ANY
#define ACTION_REJECT_ANY
Definition: action-globals.h:37
PacketAlerts_::drop
PacketAlert drop
Definition: decode.h:295
ACTION_DROP_REJECT
#define ACTION_DROP_REJECT
Definition: action-globals.h:39
FLOW_ACTION_DROP
#define FLOW_ACTION_DROP
Definition: flow.h:66
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:594
SigMatchData_
Data needed for Match()
Definition: detect.h:322
KEYWORD_PROFILING_START
#define KEYWORD_PROFILING_START
Definition: util-profiling.h:70
SigMatchData_::type
uint16_t type
Definition: detect.h:323
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:588
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:207
KEYWORD_PROFILING_END
#define KEYWORD_PROFILING_END(ctx, type, m)
Definition: util-profiling.h:84
PacketAlert_::tx_id
uint64_t tx_id
Definition: decode.h:268
PacketAlert_::action
uint8_t action
Definition: decode.h:265
AlertQueueInit
void AlertQueueInit(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine-alert.c:222
Signature_::gid
uint32_t gid
Definition: detect.h:574
FLOW_ACTION_PASS
#define FLOW_ACTION_PASS
Definition: flow.h:113
decode.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1024
PacketAlert_::num
SigIntId num
Definition: decode.h:264
DETECT_THRESHOLD
@ DETECT_THRESHOLD
Definition: detect-engine-register.h:57
PKT_PSEUDO_STREAM_END
#define PKT_PSEUDO_STREAM_END
Definition: decode.h:1004
util-exception-policy.h
BOOL2STR
#define BOOL2STR(b)
Definition: util-debug.h:554
SCEnter
#define SCEnter(...)
Definition: util-debug.h:298
detect.h
PacketAlerts_::discarded
uint16_t discarded
Definition: decode.h:290
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:289
detect-engine-tag.h
PKT_DROP_REASON_RULES
@ PKT_DROP_REASON_RULES
Definition: decode.h:399
Signature_::action
uint8_t action
Definition: detect.h:553
util-profiling.h
Signature_::flags
uint32_t flags
Definition: detect.h:540
AlertQueueAppend
void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t alert_flags)
Append signature to local packet alert queue for later preprocessing.
Definition: detect-engine-alert.c:283
ACTION_ALERT
#define ACTION_ALERT
Definition: action-globals.h:29
Packet_
Definition: decode.h:428
SIG_FLAG_IPONLY
#define SIG_FLAG_IPONLY
Definition: detect.h:208
DetectEngineThreadCtx_::frame_id
int64_t frame_id
Definition: detect.h:1098
detect-engine-alert.h
DetectEngineThreadCtx_::alert_queue_capacity
uint16_t alert_queue_capacity
Definition: detect.h:1102
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1203
PacketAlertThreshold
int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
Make the threshold logic for signatures.
Definition: detect-engine-threshold.c:606
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
PacketAlert_::frame_id
int64_t frame_id
Definition: decode.h:269
PacketAlert_::flags
uint8_t flags
Definition: decode.h:266
PACKET_ALERT_RATE_FILTER_MODIFIED
#define PACKET_ALERT_RATE_FILTER_MODIFIED
Definition: decode.h:281
Packet_::flow
struct Flow_ * flow
Definition: decode.h:465
SigMatchData_::is_last
uint8_t is_last
Definition: detect.h:324
suricata-common.h
DetectThresholdData_
Definition: detect-threshold.h:54
PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW
#define PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW
Definition: decode.h:273
packet.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
Signature_::rev
uint32_t rev
Definition: detect.h:575
FatalError
#define FatalError(x,...)
Definition: util-debug.h:530
SIG_FLAG_NOALERT
#define SIG_FLAG_NOALERT
Definition: detect.h:205
ACTION_CONFIG
#define ACTION_CONFIG
Definition: action-globals.h:35
DETECT_SM_LIST_TMATCH
@ DETECT_SM_LIST_TMATCH
Definition: detect.h:89
Signature_::prio
int prio
Definition: detect.h:576
SigGetThresholdTypeIter
const DetectThresholdData * SigGetThresholdTypeIter(const Signature *sig, const SigMatchData **psm, int list)
Return next DetectThresholdData for signature.
Definition: detect-engine-threshold.c:114
util-validate.h
TagHandlePacket
void TagHandlePacket(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Search tags for src and dst. Update entries of the tag, remove if necessary.
Definition: detect-engine-tag.c:504
DetectEngineThreadCtx_::alert_queue
PacketAlert * alert_queue
Definition: detect.h:1103
PacketAlerts_::suppressed
uint16_t suppressed
Definition: decode.h:291
PACKET_ALERT_FLAG_FRAME
#define PACKET_ALERT_FLAG_FRAME
Definition: decode.h:283
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-engine-alert.c
PacketAlertFinalize
void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Check the threshold of the sigs that match, set actions, break on pass action This function iterate t...
Definition: detect-engine-alert.c:358
Signature_::id
uint32_t id
Definition: detect.h:573
Flow_::flags
uint32_t flags
Definition: flow.h:434
Signature_
Signature container.
Definition: detect.h:539
PacketAlertTagInit
void PacketAlertTagInit(void)
Definition: detect-engine-alert.c:45
PacketDrop
void PacketDrop(Packet *p, const uint8_t action, enum PacketDropReason r)
issue drop action
Definition: packet.c:32
SC_ERR_MEM_ALLOC
@ SC_ERR_MEM_ALLOC
Definition: util-error.h:31
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:799
PacketAlert_
Definition: decode.h:263
FlowHasAlerts
int FlowHasAlerts(const Flow *f)
Check if flow has alerts.
Definition: flow.c:181
packet_alert_max
uint16_t packet_alert_max
Definition: decode.c:77
TAG_SIG_GEN
#define TAG_SIG_GEN
Definition: detect-engine-tag.h:43
flow.h
PKT_FIRST_ALERTS
#define PKT_FIRST_ALERTS
Definition: decode.h:1051
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:302
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:245
PACKET_ALERT_FLAG_STATE_MATCH
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:275
DETECT_SM_LIST_SUPPRESS
@ DETECT_SM_LIST_SUPPRESS
Definition: detect.h:92
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
detect-engine-threshold.h