suricata
detect-engine-alert.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 
20 #include "detect.h"
21 #include "detect-engine-alert.h"
23 #include "detect-engine-tag.h"
24 
25 #include "decode.h"
26 #include "packet.h"
27 
28 #include "flow.h"
29 #include "flow-private.h"
30 
31 #ifdef DEBUG
32 #include "util-exception-policy.h"
33 #endif
34 
35 #include "util-profiling.h"
36 #include "util-validate.h"
37 
38 #include "action-globals.h"
39 
40 /** tag signature we use for tag alerts */
41 static Signature g_tag_signature;
42 /** tag packet alert structure for tag alerts */
43 static PacketAlert g_tag_pa;
44 
46 {
47  memset(&g_tag_signature, 0x00, sizeof(g_tag_signature));
48 
49  g_tag_signature.id = TAG_SIG_ID;
50  g_tag_signature.gid = TAG_SIG_GEN;
51  g_tag_signature.num = TAG_SIG_ID;
52  g_tag_signature.rev = 1;
53  g_tag_signature.prio = 2;
54 
55  memset(&g_tag_pa, 0x00, sizeof(g_tag_pa));
56 
57  g_tag_pa.action = ACTION_ALERT;
58  g_tag_pa.s = &g_tag_signature;
59 }
60 
61 /**
62  * \brief Handle a packet and check if needs a threshold logic
63  * Also apply rule action if necessary.
64  *
65  * \param de_ctx Detection Context
66  * \param sig Signature pointer
67  * \param p Packet structure
68  *
69  * \retval 1 alert is not suppressed
70  * \retval 0 alert is suppressed
71  */
72 static int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
73  const Signature *s, Packet *p, PacketAlert *pa)
74 {
75  SCEnter();
76  int ret = 1;
77  const DetectThresholdData *td = NULL;
78  const SigMatchData *smd;
79 
80  if (!(PacketIsIPv4(p) || PacketIsIPv6(p))) {
81  SCReturnInt(1);
82  }
83 
84  /* handle suppressions first */
85  if (s->sm_arrays[DETECT_SM_LIST_SUPPRESS] != NULL) {
87  smd = NULL;
88  do {
90  if (td != NULL) {
91  SCLogDebug("td %p", td);
92 
93  /* PacketAlertThreshold returns 2 if the alert is suppressed but
94  * we do need to apply rule actions to the packet. */
96  ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s, pa);
97  if (ret == 0 || ret == 2) {
99  /* It doesn't match threshold, remove it */
100  SCReturnInt(ret);
101  }
103  }
104  } while (smd != NULL);
105  }
106 
107  /* if we're still here, consider thresholding */
108  if (s->sm_arrays[DETECT_SM_LIST_THRESHOLD] != NULL) {
110  smd = NULL;
111  do {
113  if (td != NULL) {
114  SCLogDebug("td %p", td);
115 
116  /* PacketAlertThreshold returns 2 if the alert is suppressed but
117  * we do need to apply rule actions to the packet. */
119  ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s, pa);
120  if (ret == 0 || ret == 2) {
122  /* It doesn't match threshold, remove it */
123  SCReturnInt(ret);
124  }
126  }
127  } while (smd != NULL);
128  }
129  SCReturnInt(1);
130 }
131 
132 #ifdef UNITTESTS
133 /**
134  * \brief Check if a certain sid alerted, this is used in the test functions
135  *
136  * \param p Packet on which we want to check if the signature alerted or not
137  * \param sid Signature id of the signature that has to be checked for a match
138  *
139  * \retval match A value > 0 on a match; 0 on no match
140  */
141 int PacketAlertCheck(Packet *p, uint32_t sid)
142 {
143  int match = 0;
144 
145  for (uint16_t i = 0; i < p->alerts.cnt; i++) {
146  BUG_ON(p->alerts.alerts[i].s == NULL);
147  if (p->alerts.alerts[i].s->id == sid)
148  match++;
149  }
150 
151  return match;
152 }
153 #endif
154 
155 static inline void RuleActionToFlow(const uint8_t action, Flow *f)
156 {
157  if (action & (ACTION_DROP | ACTION_REJECT_ANY | ACTION_PASS)) {
158  if (f->flags & (FLOW_ACTION_DROP | FLOW_ACTION_PASS)) {
159  /* drop or pass already set. First to set wins. */
160  SCLogDebug("not setting %s flow already set to %s",
161  (action & ACTION_PASS) ? "pass" : "drop",
162  (f->flags & FLOW_ACTION_DROP) ? "drop" : "pass");
163  } else {
164  if (action & (ACTION_DROP | ACTION_REJECT_ANY)) {
165  f->flags |= FLOW_ACTION_DROP;
166  SCLogDebug("setting flow action drop");
167  }
168  if (action & ACTION_PASS) {
169  f->flags |= FLOW_ACTION_PASS;
170  SCLogDebug("setting flow action pass");
171  FlowSetNoPacketInspectionFlag(f);
172  }
173  }
174  }
175 }
176 
177 /** \brief Apply action(s) and Set 'drop' sig info,
178  * if applicable
179  * \param p packet
180  * \param s signature -- for id, sig pointer, not actions
181  * \param pa packet alert struct -- match, including actions after thresholding (rate_filter) */
182 static void PacketApplySignatureActions(Packet *p, const Signature *s, const PacketAlert *pa)
183 {
184  SCLogDebug("packet %" PRIu64 " sid %u action %02x alert_flags %02x", p->pcap_cnt, s->id,
185  pa->action, pa->flags);
186 
187  /* REJECT also sets ACTION_DROP, just make it more visible with this check */
188  if (pa->action & ACTION_DROP_REJECT) {
189  /* PacketDrop will update the packet action, too */
190  PacketDrop(p, pa->action,
193  SCLogDebug("[packet %p][DROP sid %u]", p, s->id);
194 
195  if (p->alerts.drop.action == 0) {
196  p->alerts.drop.num = s->num;
197  p->alerts.drop.action = pa->action;
198  p->alerts.drop.s = (Signature *)s;
199  }
200  if ((p->flow != NULL) && (pa->flags & PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW)) {
201  RuleActionToFlow(pa->action, p->flow);
202  }
203 
205  } else {
206  if (pa->action & ACTION_PASS) {
207  SCLogDebug("[packet %p][PASS sid %u]", p, s->id);
208  // nothing to set in the packet
209  } else if (pa->action & (ACTION_ALERT | ACTION_CONFIG)) {
210  // nothing to set in the packet
211  } else if (pa->action != 0) {
212  DEBUG_VALIDATE_BUG_ON(1); // should be unreachable
213  }
214 
215  if ((pa->action & ACTION_PASS) && (p->flow != NULL) &&
217  RuleActionToFlow(pa->action, p->flow);
218  }
219  }
220 }
221 
223 {
224  det_ctx->alert_queue_size = 0;
225  det_ctx->alert_queue = SCCalloc(packet_alert_max, sizeof(PacketAlert));
226  if (det_ctx->alert_queue == NULL) {
227  FatalError("failed to allocate %" PRIu64 " bytes for the alert queue",
228  (uint64_t)(packet_alert_max * sizeof(PacketAlert)));
229  }
231  SCLogDebug("alert queue initialized to %u elements (%" PRIu64 " bytes)", packet_alert_max,
232  (uint64_t)(packet_alert_max * sizeof(PacketAlert)));
233 }
234 
236 {
237  SCFree(det_ctx->alert_queue);
238  det_ctx->alert_queue_capacity = 0;
239 }
240 
241 /** \internal
242  * \retval the new capacity
243  */
244 static uint16_t AlertQueueExpand(DetectEngineThreadCtx *det_ctx)
245 {
246 #ifdef DEBUG
247  if (unlikely(g_eps_is_alert_queue_fail_mode))
248  return det_ctx->alert_queue_capacity;
249 #endif
250  uint16_t new_cap = det_ctx->alert_queue_capacity * 2;
251  void *tmp_queue = SCRealloc(det_ctx->alert_queue, (size_t)(sizeof(PacketAlert) * new_cap));
252  if (unlikely(tmp_queue == NULL)) {
253  /* queue capacity didn't change */
254  return det_ctx->alert_queue_capacity;
255  }
256  det_ctx->alert_queue = tmp_queue;
257  det_ctx->alert_queue_capacity = new_cap;
258  SCLogDebug("Alert queue size doubled: %u elements, bytes: %" PRIuMAX "",
259  det_ctx->alert_queue_capacity,
260  (uintmax_t)(sizeof(PacketAlert) * det_ctx->alert_queue_capacity));
261  return new_cap;
262 }
263 
264 /** \internal
265  */
266 static inline PacketAlert PacketAlertSet(
267  DetectEngineThreadCtx *det_ctx, const Signature *s, uint64_t tx_id, uint8_t alert_flags)
268 {
269  PacketAlert pa;
270  pa.num = s->num;
271  pa.action = s->action;
272  pa.s = (Signature *)s;
273  pa.flags = alert_flags;
274  /* Set tx_id if the frame has it */
275  pa.tx_id = tx_id;
276  pa.frame_id = (alert_flags & PACKET_ALERT_FLAG_FRAME) ? det_ctx->frame_id : 0;
277  return pa;
278 }
279 
280 /**
281  * \brief Append signature to local packet alert queue for later preprocessing
282  */
283 void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id,
284  uint8_t alert_flags)
285 {
286  /* first time we see a drop action signature, set that in the packet */
287  /* we do that even before inserting into the queue, so we save it even if appending fails */
288  if (p->alerts.drop.action == 0 && s->action & ACTION_DROP) {
289  p->alerts.drop = PacketAlertSet(det_ctx, s, tx_id, alert_flags);
290  SCLogDebug("Set PacketAlert drop action. s->num %" PRIu32 "", s->num);
291  }
292 
293  uint16_t pos = det_ctx->alert_queue_size;
294  if (pos == det_ctx->alert_queue_capacity) {
295  /* we must grow the alert queue */
296  if (pos == AlertQueueExpand(det_ctx)) {
297  /* this means we failed to expand the queue */
298  p->alerts.discarded++;
299  return;
300  }
301  }
302  det_ctx->alert_queue[pos] = PacketAlertSet(det_ctx, s, tx_id, alert_flags);
303 
304  SCLogDebug("Appending sid %" PRIu32 ", s->num %" PRIu32 " to alert queue", s->id, s->num);
305  det_ctx->alert_queue_size++;
306 }
307 
308 /** \internal
309  * \brief sort helper for sorting alerts by priority
310  *
311  * Sorting is done first based on num and then using tx_id, if nums are equal.
312  * The Signature::num field is set based on internal priority. Higher priority
313  * rules have lower nums.
314  */
315 static int AlertQueueSortHelper(const void *a, const void *b)
316 {
317  const PacketAlert *pa0 = a;
318  const PacketAlert *pa1 = b;
319  if (pa1->num == pa0->num) {
320  if (pa1->tx_id == PACKET_ALERT_NOTX) {
321  return -1;
322  } else if (pa0->tx_id == PACKET_ALERT_NOTX) {
323  return 1;
324  }
325  return pa0->tx_id < pa1->tx_id ? 1 : -1;
326  }
327  return pa0->num > pa1->num ? 1 : -1;
328 }
329 
330 /** \internal
331  * \brief Check if Signature action should be applied to flow and apply
332  *
333  */
334 static inline void FlowApplySignatureActions(
335  Packet *p, PacketAlert *pa, const Signature *s, uint8_t alert_flags)
336 {
337  /* For DROP and PASS sigs we need to apply the action to the flow if
338  * - sig is IP or PD only
339  * - match is in applayer
340  * - match is in stream */
341  if (pa->action & (ACTION_DROP | ACTION_PASS)) {
344 
346  if (flow_action == SIG_PROP_FLOW_ACTION_FLOW) {
348  } else if (flow_action == SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL) {
351  }
352  }
353 
355  SCLogDebug("packet %" PRIu64 " sid %u action %02x alert_flags %02x (set "
356  "PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW)",
357  p->pcap_cnt, s->id, s->action, pa->flags);
358  }
359  }
360 }
361 
362 /**
363  * \brief Check the threshold of the sigs that match, set actions, break on pass action
364  * This function iterate the packet alerts array, removing those that didn't match
365  * the threshold, and those that match after a signature with the action "pass".
366  * The array is sorted by action priority/order
367  * \param de_ctx detection engine context
368  * \param det_ctx detection engine thread context
369  * \param p pointer to the packet
370  */
372 {
373  SCEnter();
374 
375  /* sort the alert queue before thresholding and appending to Packet */
376  qsort(det_ctx->alert_queue, det_ctx->alert_queue_size, sizeof(PacketAlert),
377  AlertQueueSortHelper);
378 
379  for (uint16_t i = 0; i < det_ctx->alert_queue_size; i++) {
380  PacketAlert *pa = &det_ctx->alert_queue[i];
381  const Signature *s = de_ctx->sig_array[pa->num];
382  int res = PacketAlertHandle(de_ctx, det_ctx, s, p, pa);
383  if (res > 0) {
384  /* Now, if we have an alert, we have to check if we want
385  * to tag this session or src/dst host */
386  if (s->sm_arrays[DETECT_SM_LIST_TMATCH] != NULL) {
389  while (1) {
390  /* tags are set only for alerts */
392  sigmatch_table[smd->type].Match(det_ctx, p, (Signature *)s, smd->ctx);
393  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
394  if (smd->is_last)
395  break;
396  smd++;
397  }
398  }
399 
400  /* set actions on the flow */
401  FlowApplySignatureActions(p, pa, s, pa->flags);
402 
403  SCLogDebug("det_ctx->alert_queue[i].action %02x (DROP %s, PASS %s)", pa->action,
405 
406  /* set actions on packet */
407  PacketApplySignatureActions(p, s, pa);
408  }
409 
410  /* Thresholding removes this alert */
411  if (res == 0 || res == 2 || (s->action & (ACTION_ALERT | ACTION_PASS)) == 0) {
412  SCLogDebug("sid:%u: skipping alert because of thresholding (res=%d) or NOALERT (%02x)",
413  s->id, res, s->action);
414  /* we will not copy this to the AlertQueue */
415  p->alerts.suppressed++;
416  } else if (p->alerts.cnt < packet_alert_max) {
417  p->alerts.alerts[p->alerts.cnt] = *pa;
418  SCLogDebug("Appending sid %" PRIu32 " alert to Packet::alerts at pos %u", s->id, i);
419 
420  /* pass w/o alert found, we're done. Alert is not logged. */
421  if ((pa->action & (ACTION_PASS | ACTION_ALERT)) == ACTION_PASS) {
422  SCLogDebug("sid:%u: is a pass rule, so break out of loop", s->id);
423  break;
424  }
425  p->alerts.cnt++;
426 
427  /* pass with alert, we're done. Alert is logged. */
428  if (pa->action & ACTION_PASS) {
429  SCLogDebug("sid:%u: is a pass rule, so break out of loop", s->id);
430  break;
431  }
432  } else {
433  p->alerts.discarded++;
434  }
435  }
436 
437  /* At this point, we should have all the new alerts. Now check the tag
438  * keyword context for sessions and hosts */
439  if (!(p->flags & PKT_PSEUDO_STREAM_END))
440  TagHandlePacket(de_ctx, det_ctx, p);
441 
442  /* Set flag on flow to indicate that it has alerts */
443  if (p->flow != NULL && p->alerts.cnt > 0) {
444  if (!FlowHasAlerts(p->flow)) {
446  p->flags |= PKT_FIRST_ALERTS;
447  }
448  }
449 }
450 
451 #ifdef UNITTESTS
453 #endif
PacketCheckAction
bool PacketCheckAction(const Packet *p, const uint8_t a)
Definition: packet.c:49
PKT_DROP_REASON_RULES_THRESHOLD
@ PKT_DROP_REASON_RULES_THRESHOLD
Definition: decode.h:369
DetectEngineThreadCtx_::alert_queue_size
uint16_t alert_queue_size
Definition: detect.h:1185
FlowSetHasAlertsFlag
void FlowSetHasAlertsFlag(Flow *f)
Set flag to indicate that flow has alerts.
Definition: flow.c:161
PACKET_ALERT_FLAG_STREAM_MATCH
#define PACKET_ALERT_FLAG_STREAM_MATCH
Definition: decode.h:253
PacketAlert_::s
const struct Signature_ * s
Definition: decode.h:243
AlertQueueFree
void AlertQueueFree(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine-alert.c:235
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:128
Signature_::num
SigIntId num
Definition: detect.h:615
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
ACTION_PASS
#define ACTION_PASS
Definition: action-globals.h:34
KEYWORD_PROFILING_SET_LIST
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
Definition: util-profiling.h:46
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:595
SigMatchData_::is_last
bool is_last
Definition: detect.h:360
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:267
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:361
action-globals.h
Packet_::flags
uint32_t flags
Definition: decode.h:513
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:356
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:130
TAG_SIG_ID
#define TAG_SIG_ID
Definition: detect-engine-tag.h:42
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:843
PacketAlerts_::alerts
PacketAlert * alerts
Definition: decode.h:270
ACTION_REJECT_ANY
#define ACTION_REJECT_ANY
Definition: action-globals.h:37
PacketAlerts_::drop
PacketAlert drop
Definition: decode.h:273
ACTION_DROP_REJECT
#define ACTION_DROP_REJECT
Definition: action-globals.h:39
FLOW_ACTION_DROP
#define FLOW_ACTION_DROP
Definition: flow.h:69
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:656
SigMatchData_
Data needed for Match()
Definition: detect.h:358
KEYWORD_PROFILING_START
#define KEYWORD_PROFILING_START
Definition: util-profiling.h:50
SigMatchData_::type
uint16_t type
Definition: detect.h:359
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:589
KEYWORD_PROFILING_END
#define KEYWORD_PROFILING_END(ctx, type, m)
Definition: util-profiling.h:64
PacketAlert_::tx_id
uint64_t tx_id
Definition: decode.h:244
PacketAlert_::action
uint8_t action
Definition: decode.h:241
AlertQueueInit
void AlertQueueInit(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine-alert.c:222
Signature_::gid
uint32_t gid
Definition: detect.h:639
FLOW_ACTION_PASS
#define FLOW_ACTION_PASS
Definition: flow.h:116
SignaturePropertyFlowAction
SignaturePropertyFlowAction
Definition: detect.h:80
decode.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1098
PacketAlert_::num
SigIntId num
Definition: decode.h:240
DETECT_THRESHOLD
@ DETECT_THRESHOLD
Definition: detect-engine-register.h:61
PKT_PSEUDO_STREAM_END
#define PKT_PSEUDO_STREAM_END
Definition: decode.h:1270
util-exception-policy.h
BOOL2STR
#define BOOL2STR(b)
Definition: util-debug.h:527
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect.h
PacketAlerts_::discarded
uint16_t discarded
Definition: decode.h:268
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
detect-engine-tag.h
PKT_DROP_REASON_RULES
@ PKT_DROP_REASON_RULES
Definition: decode.h:368
Signature_::action
uint8_t action
Definition: detect.h:618
util-profiling.h
AlertQueueAppend
void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t alert_flags)
Append signature to local packet alert queue for later preprocessing.
Definition: detect-engine-alert.c:283
ACTION_ALERT
#define ACTION_ALERT
Definition: action-globals.h:29
Packet_
Definition: decode.h:476
DetectEngineThreadCtx_::frame_id
int64_t frame_id
Definition: detect.h:1180
detect-engine-alert.h
DetectEngineThreadCtx_::alert_queue_capacity
uint16_t alert_queue_capacity
Definition: detect.h:1186
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1277
signature_properties
const struct SignatureProperties signature_properties[SIG_TYPE_MAX]
Definition: detect-engine.c:113
PACKET_ALERT_NOTX
#define PACKET_ALERT_NOTX
Definition: detect.h:54
PacketAlertThreshold
int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
Make the threshold logic for signatures.
Definition: detect-engine-threshold.c:950
SIG_TYPE_NOT_SET
@ SIG_TYPE_NOT_SET
Definition: detect.h:63
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
PacketAlert_::frame_id
int64_t frame_id
Definition: decode.h:245
PacketAlert_::flags
uint8_t flags
Definition: decode.h:242
PACKET_ALERT_RATE_FILTER_MODIFIED
#define PACKET_ALERT_RATE_FILTER_MODIFIED
Definition: decode.h:257
Packet_::flow
struct Flow_ * flow
Definition: decode.h:515
suricata-common.h
SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
@ SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
Definition: detect.h:83
DetectThresholdData_
Definition: detect-threshold.h:55
PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW
#define PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW
Definition: decode.h:249
packet.h
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
Signature_::rev
uint32_t rev
Definition: detect.h:640
FatalError
#define FatalError(...)
Definition: util-debug.h:502
ACTION_CONFIG
#define ACTION_CONFIG
Definition: action-globals.h:35
DETECT_SM_LIST_TMATCH
@ DETECT_SM_LIST_TMATCH
Definition: detect.h:126
SIG_TYPE_MAX
@ SIG_TYPE_MAX
Definition: detect.h:77
Signature_::prio
int prio
Definition: detect.h:641
SigGetThresholdTypeIter
const DetectThresholdData * SigGetThresholdTypeIter(const Signature *sig, const SigMatchData **psm, int list)
Return next DetectThresholdData for signature.
Definition: detect-engine-threshold.c:473
util-validate.h
TagHandlePacket
void TagHandlePacket(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Search tags for src and dst. Update entries of the tag, remove if necessary.
Definition: detect-engine-tag.c:515
DetectEngineThreadCtx_::alert_queue
PacketAlert * alert_queue
Definition: detect.h:1187
PacketAlerts_::suppressed
uint16_t suppressed
Definition: decode.h:269
PACKET_ALERT_FLAG_FRAME
#define PACKET_ALERT_FLAG_FRAME
Definition: decode.h:259
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-engine-alert.c
PacketAlertFinalize
void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Check the threshold of the sigs that match, set actions, break on pass action This function iterate t...
Definition: detect-engine-alert.c:371
Signature_::id
uint32_t id
Definition: detect.h:638
Flow_::flags
uint32_t flags
Definition: flow.h:426
Signature_
Signature container.
Definition: detect.h:603
PacketAlertTagInit
void PacketAlertTagInit(void)
Definition: detect-engine-alert.c:45
PacketDrop
void PacketDrop(Packet *p, const uint8_t action, enum PacketDropReason r)
issue drop action
Definition: packet.c:33
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:860
PacketAlert_
Definition: decode.h:239
FlowHasAlerts
int FlowHasAlerts(const Flow *f)
Check if flow has alerts.
Definition: flow.c:172
packet_alert_max
uint16_t packet_alert_max
Definition: decode.c:82
TAG_SIG_GEN
#define TAG_SIG_GEN
Definition: detect-engine-tag.h:41
SIG_PROP_FLOW_ACTION_FLOW
@ SIG_PROP_FLOW_ACTION_FLOW
Definition: detect.h:82
flow.h
PKT_FIRST_ALERTS
#define PKT_FIRST_ALERTS
Definition: decode.h:1317
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
Signature_::type
enum SignatureType type
Definition: detect.h:606
PACKET_ALERT_FLAG_STATE_MATCH
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:251
DETECT_SM_LIST_SUPPRESS
@ DETECT_SM_LIST_SUPPRESS
Definition: detect.h:129
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
SignatureProperties::flow_action
enum SignaturePropertyFlowAction flow_action
Definition: detect.h:87
detect-engine-threshold.h