48 memset(&g_tag_signature, 0x00,
sizeof(g_tag_signature));
53 g_tag_signature.
rev = 1;
54 g_tag_signature.
prio = 2;
56 memset(&g_tag_pa, 0x00,
sizeof(g_tag_pa));
59 g_tag_pa.
s = &g_tag_signature;
81 if (!(PacketIsIPv4(p) || PacketIsIPv6(p))) {
98 if (ret == 0 || ret == 2) {
105 }
while (smd != NULL);
121 if (ret == 0 || ret == 2) {
128 }
while (smd != NULL);
146 for (uint16_t i = 0; i < p->
alerts.
cnt; i++) {
156 static inline void RuleActionToFlow(
const uint8_t action,
Flow *f)
167 SCLogDebug(
"not setting %s flow already set to %s",
234 }
else if (pa->
action != 0) {
250 FatalError(
"failed to allocate %" PRIu64
" bytes for the alert queue",
270 if (
unlikely(g_eps_is_alert_queue_fail_mode))
281 SCLogDebug(
"Alert queue size doubled: %u elements, bytes: %" PRIuMAX
"",
287 static inline int PacketAlertSetContext(
297 SCLogDebug(
"signature %p, content index %u", s, i);
298 if (current_json == NULL) {
301 if (current_json == NULL) {
309 current_json->
next = NULL;
315 current_json->
next = next_json;
316 current_json = next_json;
317 current_json->
next = NULL;
324 SCLogDebug(
"json content %u, value '%s' (%p)", (
unsigned int)i,
342 pa.
flags = alert_flags;
346 PacketAlertSetContext(det_ctx, &pa, s);
359 p->
alerts.
drop = PacketAlertSet(det_ctx, s, tx_id, alert_flags);
360 SCLogDebug(
"Set PacketAlert drop action. s->iid %" PRIu32
"", s->
iid);
366 if (pos == AlertQueueExpand(det_ctx)) {
372 det_ctx->
alert_queue[pos] = PacketAlertSet(det_ctx, s, tx_id, alert_flags);
374 SCLogDebug(
"Appending sid %" PRIu32
", s->iid %" PRIu32
" to alert queue", s->
id, s->
iid);
385 static int AlertQueueSortHelperFirewall(
const void *a,
const void *b)
390 if (pa1->
iid == pa0->
iid) {
398 return pa0->
iid < pa1->
iid ? -1 : 1;
404 static int AlertQueueSortHelper(
const void *a,
const void *b)
408 if (pa1->
iid == pa0->
iid) {
416 return pa0->
iid < pa1->
iid ? -1 : 1;
424 static inline void FlowApplySignatureActions(
450 SCLogDebug(
"packet %" PRIu64
" sid %u action %02x alert_flags %02x (set "
451 "PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW)",
457 static inline void PacketAlertFinalizeProcessQueue(
465 have_fw_rules ? AlertQueueSortHelperFirewall : AlertQueueSortHelper);
468 bool dropped =
false;
469 bool skip_td =
false;
480 int res = PacketAlertHandle(
de_ctx, det_ctx, s, p, pa);
498 bool skip_action_set =
false;
502 skip_action_set =
true;
506 skip_action_set =
true;
512 if (!skip_action_set) {
514 FlowApplySignatureActions(p, pa, s, pa->
flags);
516 SCLogDebug(
"det_ctx->alert_queue[i].action %02x (DROP %s, PASS %s)", pa->
action,
520 PacketApplySignatureActions(p, s, pa);
530 SCLogDebug(
"sid:%u: skipping alert because of thresholding (res=%d) or NOALERT (%02x)",
536 SCLogDebug(
"Appending sid %" PRIu32
" alert to Packet::alerts at pos %u", s->
id, i);
540 SCLogDebug(
"sid:%u: is a pass rule, so break out of loop", s->
id);
551 SCLogDebug(
"sid:%u: is a pass rule, so break out of loop", s->
id);
583 PacketAlertFinalizeProcessQueue(
de_ctx, det_ctx, p);
bool PacketCheckAction(const Packet *p, const uint8_t a)
@ PKT_DROP_REASON_STREAM_PRE_HOOK
@ PKT_DROP_REASON_RULES_THRESHOLD
uint16_t alert_queue_size
void FlowSetHasAlertsFlag(Flow *f)
Set flag to indicate that flow has alerts.
const struct Signature_ * s
void AlertQueueFree(DetectEngineThreadCtx *det_ctx)
SigTableElmt * sigmatch_table
#define PACKET_ALERT_FLAG_STATE_MATCH
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
@ DETECT_TABLE_PACKET_PRE_STREAM
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
@ DETECT_SM_LIST_THRESHOLD
main detection engine ctx
@ PKT_DROP_REASON_FLOW_PRE_HOOK
#define ACTION_REJECT_ANY
#define ACTION_DROP_REJECT
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
bool EngineModeIsFirewall(void)
#define KEYWORD_PROFILING_START
#define KEYWORD_PROFILING_END(ctx, type, m)
#define SIG_FLAG_FIREWALL
void AlertQueueInit(DetectEngineThreadCtx *det_ctx)
SignaturePropertyFlowAction
struct PacketContextData * json_info
#define PKT_PSEUDO_STREAM_END
@ DETECT_TABLE_PACKET_PRE_FLOW
#define PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW
#define PKT_ALERT_CTX_USED
void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t alert_flags)
Append signature to local packet alert queue for later preprocessing.
uint16_t alert_queue_capacity
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
const struct SignatureProperties signature_properties[SIG_TYPE_MAX]
#define PACKET_ALERT_NOTX
#define PACKET_ALERT_FLAG_APPLY_ACTION_TO_PACKET
void PacketAlertFinalize(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Check the threshold of the sigs that match, set actions, break on pass action. This function iterates t...
#define PACKET_ALERT_FLAG_STREAM_MATCH
void TagHandlePacket(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Search tags for src and dst. Update entries of the tag, remove if necessary.
#define PACKET_ALERT_FLAG_FRAME
#define SCRealloc(ptr, sz)
@ SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
struct PacketContextData * next
const DetectThresholdData * SigGetThresholdTypeIter(const Signature *sig, const SigMatchData **psm, int list)
Return next DetectThresholdData for signature.
#define FLOW_ACTION_ACCEPT
PacketAlert * alert_queue
#define PACKET_ALERT_FLAG_RATE_FILTER_MODIFIED
SigJsonContent * json_content
void PacketAlertTagInit(void)
void PacketDrop(Packet *p, const uint8_t action, enum PacketDropReason r)
Issue the drop action.
int FlowHasAlerts(const Flow *f)
Check if flow has alerts.
uint16_t packet_alert_max
@ SIG_PROP_FLOW_ACTION_FLOW
int PacketAlertThreshold(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
Apply the threshold logic for signatures.
@ DETECT_SM_LIST_SUPPRESS
#define DEBUG_VALIDATE_BUG_ON(exp)
enum SignaturePropertyFlowAction flow_action
char json_content[SIG_JSON_CONTENT_ITEM_LEN]