39 memset(&g_tag_signature, 0x00,
sizeof(g_tag_signature));
44 g_tag_signature.
rev = 1;
45 g_tag_signature.
prio = 2;
47 memset(&g_tag_pa, 0x00,
sizeof(g_tag_pa));
50 g_tag_pa.
s = &g_tag_signature;
94 if (ret == 0 || ret == 2) {
101 }
while (smd != NULL);
117 if (ret == 0 || ret == 2) {
124 }
while (smd != NULL);
153 static inline void RuleActionToFlow(
const uint8_t action,
Flow *f)
158 SCLogDebug(
"not setting %s flow already set to %s",
169 FlowSetNoPacketInspectionFlag(f);
177 static void PacketApplySignatureActions(
Packet *p,
const Signature *s,
const uint8_t alert_flags)
194 PacketUpdateAction(p, s->
action);
235 SCLogDebug(
"Alert queue size doubled: %u elements, bytes: %" PRIuMAX
"",
250 pa.
flags = alert_flags;
252 pa.
tx_id = (tx_id == UINT64_MAX) ? 0 : tx_id;
266 p->
alerts.
drop = PacketAlertSet(det_ctx, s, tx_id, alert_flags);
267 SCLogDebug(
"Set PacketAlert drop action. s->num %" PRIu32
"", s->
num);
273 if (pos == AlertQueueExpand(det_ctx)) {
279 det_ctx->
alert_queue[pos] = PacketAlertSet(det_ctx, s, tx_id, alert_flags);
281 SCLogDebug(
"Appending sid %" PRIu32
", s->num %" PRIu32
" to alert queue", s->
id, s->
num);
293 static int AlertQueueSortHelper(
const void *a,
const void *b)
300 return pa0->
num > pa1->
num ? 1 : -1;
307 static inline void FlowApplySignatureActions(
319 SCLogDebug(
"packet %" PRIu64
" sid %u action %02x alert_flags %02x (set "
320 "PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW)",
341 AlertQueueSortHelper);
346 while (i < max_pos) {
368 FlowApplySignatureActions(
381 SCLogDebug(
"Appending sid %" PRIu32
" alert to Packet::alerts at pos %u", s->
id, i);
uint16_t alert_queue_size
void FlowSetHasAlertsFlag(Flow *f)
Set flag to indicate that flow has alerts.
#define PACKET_ALERT_FLAG_STREAM_MATCH
const struct Signature_ * s
void AlertQueueFree(DetectEngineThreadCtx *det_ctx)
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
int PacketAlertCheck(Packet *p, uint32_t sid)
Check whether a given sid alerted; this is used by the test functions.
@ DETECT_SM_LIST_THRESHOLD
#define SIG_FLAG_LIKE_IPONLY
main detection engine ctx
#define ACTION_REJECT_ANY
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
#define KEYWORD_PROFILING_START
#define SIG_FLAG_APPLAYER
#define KEYWORD_PROFILING_END(ctx, type, m)
void AlertQueueInit(DetectEngineThreadCtx *det_ctx)
PacketAlert * PacketAlertGetTag(void)
#define PKT_PSEUDO_STREAM_END
void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t alert_flags)
Append signature to local packet alert queue for later preprocessing.
uint16_t alert_queue_capacity
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
Apply the threshold logic for signatures.
#define SCRealloc(ptr, sz)
#define PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
#define FatalError(x,...)
const DetectThresholdData * SigGetThresholdTypeIter(const Signature *sig, const SigMatchData **psm, int list)
Return next DetectThresholdData for signature.
void TagHandlePacket(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Search tags for src and dst. Update entries of the tag, remove if necessary.
PacketAlert * alert_queue
#define PACKET_ALERT_FLAG_FRAME
void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Check the threshold of the sigs that match, set actions, and break on a pass action. This function iterates t...
void PacketAlertTagInit(void)
int FlowHasAlerts(const Flow *f)
Check if flow has alerts.
uint16_t packet_alert_max
#define PACKET_ALERT_FLAG_STATE_MATCH
@ DETECT_SM_LIST_SUPPRESS