suricata
detect-engine-alert.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 #include "suricata.h"
20 
21 #include "detect.h"
22 #include "detect-engine-alert.h"
24 #include "detect-engine-tag.h"
25 
26 #include "decode.h"
27 #include "packet.h"
28 
29 #include "flow.h"
30 #include "flow-private.h"
31 
32 #ifdef DEBUG
33 #include "util-exception-policy.h"
34 #endif
35 
36 #include "util-profiling.h"
37 #include "util-validate.h"
38 
39 #include "action-globals.h"
40 
41 /** tag signature we use for tag alerts */
42 static Signature g_tag_signature;
43 /** tag packet alert structure for tag alerts */
44 static PacketAlert g_tag_pa;
45 
47 {
48  memset(&g_tag_signature, 0x00, sizeof(g_tag_signature));
49 
50  g_tag_signature.id = TAG_SIG_ID;
51  g_tag_signature.gid = TAG_SIG_GEN;
52  g_tag_signature.iid = TAG_SIG_ID;
53  g_tag_signature.rev = 1;
54  g_tag_signature.prio = 2;
55 
56  memset(&g_tag_pa, 0x00, sizeof(g_tag_pa));
57 
58  g_tag_pa.action = ACTION_ALERT;
59  g_tag_pa.s = &g_tag_signature;
60 }
61 
62 /**
63  * \brief Handle a packet and check if needs a threshold logic
64  * Also apply rule action if necessary.
65  *
66  * \param de_ctx Detection Context
67  * \param sig Signature pointer
68  * \param p Packet structure
69  *
70  * \retval 1 alert is not suppressed
71  * \retval 0 alert is suppressed
72  */
73 static int PacketAlertHandle(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
74  const Signature *s, Packet *p, PacketAlert *pa)
75 {
76  SCEnter();
77  int ret = 1;
78  const DetectThresholdData *td = NULL;
79  const SigMatchData *smd;
80 
81  if (!(PacketIsIPv4(p) || PacketIsIPv6(p))) {
82  SCReturnInt(1);
83  }
84 
85  /* handle suppressions first */
86  if (s->sm_arrays[DETECT_SM_LIST_SUPPRESS] != NULL) {
88  smd = NULL;
89  do {
91  if (td != NULL) {
92  SCLogDebug("td %p", td);
93 
94  /* PacketAlertThreshold returns 2 if the alert is suppressed but
95  * we do need to apply rule actions to the packet. */
97  ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s, pa);
98  if (ret == 0 || ret == 2) {
100  /* It doesn't match threshold, remove it */
101  SCReturnInt(ret);
102  }
104  }
105  } while (smd != NULL);
106  }
107 
108  /* if we're still here, consider thresholding */
109  if (s->sm_arrays[DETECT_SM_LIST_THRESHOLD] != NULL) {
111  smd = NULL;
112  do {
114  if (td != NULL) {
115  SCLogDebug("td %p", td);
116 
117  /* PacketAlertThreshold returns 2 if the alert is suppressed but
118  * we do need to apply rule actions to the packet. */
120  ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s, pa);
121  if (ret == 0 || ret == 2) {
123  /* It doesn't match threshold, remove it */
124  SCReturnInt(ret);
125  }
127  }
128  } while (smd != NULL);
129  }
130  SCReturnInt(1);
131 }
132 
133 #ifdef UNITTESTS
134 /**
135  * \brief Check if a certain sid alerted, this is used in the test functions
136  *
137  * \param p Packet on which we want to check if the signature alerted or not
138  * \param sid Signature id of the signature that has to be checked for a match
139  *
140  * \retval match A value > 0 on a match; 0 on no match
141  */
142 int PacketAlertCheck(Packet *p, uint32_t sid)
143 {
144  int match = 0;
145 
146  for (uint16_t i = 0; i < p->alerts.cnt; i++) {
147  BUG_ON(p->alerts.alerts[i].s == NULL);
148  if (p->alerts.alerts[i].s->id == sid)
149  match++;
150  }
151 
152  return match;
153 }
154 #endif
155 
156 static inline void RuleActionToFlow(const uint8_t action, Flow *f)
157 {
158  if (action & ACTION_ACCEPT) {
160  SCLogDebug("setting flow action pass");
161  }
162 
163  // TODO pass and accept could be set at the same time?
164  if (action & (ACTION_DROP | ACTION_REJECT_ANY | ACTION_PASS)) {
166  /* drop or pass already set. First to set wins. */
167  SCLogDebug("not setting %s flow already set to %s",
168  (action & ACTION_PASS) ? "pass" : "drop",
169  (f->flags & FLOW_ACTION_DROP) ? "drop" : "pass");
170  } else {
171  if (action & (ACTION_DROP | ACTION_REJECT_ANY)) {
172  f->flags |= FLOW_ACTION_DROP;
173  SCLogDebug("setting flow action drop");
174  }
175  if (action & ACTION_PASS) {
176  f->flags |= FLOW_ACTION_PASS;
177  SCLogDebug("setting flow action pass");
178  }
179  }
180  }
181 }
182 
183 /** \brief Apply action(s) and Set 'drop' sig info,
184  * if applicable
185  * \param p packet
186  * \param s signature -- for id, sig pointer, not actions
187  * \param pa packet alert struct -- match, including actions after thresholding (rate_filter) */
188 static void PacketApplySignatureActions(Packet *p, const Signature *s, const PacketAlert *pa)
189 {
190  SCLogDebug("packet %" PRIu64 " sid %u action %02x alert_flags %02x", p->pcap_cnt, s->id,
191  pa->action, pa->flags);
192 
193  /* REJECT also sets ACTION_DROP, just make it more visible with this check */
194  if (pa->action & ACTION_DROP_REJECT) {
195  uint8_t drop_reason = PKT_DROP_REASON_RULES;
197  drop_reason = PKT_DROP_REASON_STREAM_PRE_HOOK;
198  } else if (s->detect_table == DETECT_TABLE_PACKET_PRE_FLOW) {
199  drop_reason = PKT_DROP_REASON_FLOW_PRE_HOOK;
200  }
201 
202  /* PacketDrop will update the packet action, too */
203  PacketDrop(p, pa->action,
206  : drop_reason);
207  SCLogDebug("[packet %p][DROP sid %u]", p, s->id);
208 
209  if (p->alerts.drop.action == 0) {
210  p->alerts.drop.iid = s->iid;
211  p->alerts.drop.action = pa->action;
212  p->alerts.drop.s = (Signature *)s;
213  }
214  if ((p->flow != NULL) && (pa->flags & PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW)) {
215  RuleActionToFlow(pa->action, p->flow);
216  }
217 
219  } else {
220  if (pa->action & ACTION_PASS) {
221  SCLogDebug("[packet %p][PASS sid %u]", p, s->id);
222  // nothing to set in the packet
223  } else if (pa->action & ACTION_ACCEPT) {
224  const enum ActionScope as = pa->s->action_scope;
225  SCLogDebug("packet %" PRIu64 ": ACCEPT %u as:%u flags:%02x", p->pcap_cnt, s->id, as,
226  pa->flags);
227  if (as == ACTION_SCOPE_PACKET || as == ACTION_SCOPE_FLOW ||
229  SCLogDebug("packet %" PRIu64 ": sid:%u ACCEPT", p->pcap_cnt, s->id);
230  p->action |= ACTION_ACCEPT;
231  }
232  } else if (pa->action & (ACTION_ALERT | ACTION_CONFIG)) {
233  // nothing to set in the packet
234  } else if (pa->action != 0) {
235  DEBUG_VALIDATE_BUG_ON(1); // should be unreachable
236  }
237 
238  if ((pa->action & (ACTION_PASS | ACTION_ACCEPT)) && (p->flow != NULL) &&
240  RuleActionToFlow(pa->action, p->flow);
241  }
242  }
243 }
244 
246 {
247  det_ctx->alert_queue_size = 0;
248  det_ctx->alert_queue = SCCalloc(packet_alert_max, sizeof(PacketAlert));
249  if (det_ctx->alert_queue == NULL) {
250  FatalError("failed to allocate %" PRIu64 " bytes for the alert queue",
251  (uint64_t)(packet_alert_max * sizeof(PacketAlert)));
252  }
254  SCLogDebug("alert queue initialized to %u elements (%" PRIu64 " bytes)", packet_alert_max,
255  (uint64_t)(packet_alert_max * sizeof(PacketAlert)));
256 }
257 
259 {
260  SCFree(det_ctx->alert_queue);
261  det_ctx->alert_queue_capacity = 0;
262 }
263 
264 /** \internal
265  * \retval the new capacity
266  */
267 static uint16_t AlertQueueExpand(DetectEngineThreadCtx *det_ctx)
268 {
269 #ifdef DEBUG
270  if (unlikely(g_eps_is_alert_queue_fail_mode))
271  return det_ctx->alert_queue_capacity;
272 #endif
273  uint16_t new_cap = det_ctx->alert_queue_capacity * 2;
274  void *tmp_queue = SCRealloc(det_ctx->alert_queue, (size_t)(sizeof(PacketAlert) * new_cap));
275  if (unlikely(tmp_queue == NULL)) {
276  /* queue capacity didn't change */
277  return det_ctx->alert_queue_capacity;
278  }
279  det_ctx->alert_queue = tmp_queue;
280  det_ctx->alert_queue_capacity = new_cap;
281  SCLogDebug("Alert queue size doubled: %u elements, bytes: %" PRIuMAX "",
282  det_ctx->alert_queue_capacity,
283  (uintmax_t)(sizeof(PacketAlert) * det_ctx->alert_queue_capacity));
284  return new_cap;
285 }
286 
287 static inline int PacketAlertSetContext(
288  DetectEngineThreadCtx *det_ctx, PacketAlert *pa, const Signature *s)
289 {
290  pa->json_info = NULL;
291  if (det_ctx->json_content_len) {
292  /* We have some JSON attached in the current detection so let's try
293  to see if some need to be used for current signature. */
294  struct PacketContextData *current_json = NULL;
295  for (uint8_t i = 0; i < det_ctx->json_content_len; i++) {
296  if (s == det_ctx->json_content[i].id) {
297  SCLogDebug("signature %p, content index %u", s, i);
298  if (current_json == NULL) {
299  /* Allocate the first one */
300  current_json = SCCalloc(1, sizeof(struct PacketContextData));
301  if (current_json == NULL) {
302  /* Allocation error, let's return now */
303  return -1;
304  }
305  if (pa->json_info == NULL) {
306  /* If this is the first one, set it */
307  pa->json_info = current_json;
308  }
309  current_json->next = NULL;
310  } else {
311  /* Allocate the next one */
312  struct PacketContextData *next_json =
313  SCCalloc(1, sizeof(struct PacketContextData));
314  if (next_json) {
315  current_json->next = next_json;
316  current_json = next_json;
317  current_json->next = NULL;
318  } else {
319  /* Allocation error, let's return now */
320  return -1;
321  }
322  }
323  current_json->json_string = SCStrdup(det_ctx->json_content[i].json_content);
324  SCLogDebug("json content %u, value '%s' (%p)", (unsigned int)i,
325  current_json->json_string, s);
326  }
327  }
328  }
329 
330  return 0;
331 }
332 
333 /** \internal
334  */
335 static inline PacketAlert PacketAlertSet(
336  DetectEngineThreadCtx *det_ctx, const Signature *s, uint64_t tx_id, uint8_t alert_flags)
337 {
338  PacketAlert pa;
339  pa.iid = s->iid;
340  pa.action = s->action;
341  pa.s = (Signature *)s;
342  pa.flags = alert_flags;
343  /* Set tx_id if the frame has it */
344  pa.tx_id = tx_id;
345  pa.frame_id = (alert_flags & PACKET_ALERT_FLAG_FRAME) ? det_ctx->frame_id : 0;
346  PacketAlertSetContext(det_ctx, &pa, s);
347  return pa;
348 }
349 
350 /**
351  * \brief Append signature to local packet alert queue for later preprocessing
352  */
353 void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id,
354  uint8_t alert_flags)
355 {
356  /* first time we see a drop action signature, set that in the packet */
357  /* we do that even before inserting into the queue, so we save it even if appending fails */
358  if (p->alerts.drop.action == 0 && s->action & ACTION_DROP) {
359  p->alerts.drop = PacketAlertSet(det_ctx, s, tx_id, alert_flags);
360  SCLogDebug("Set PacketAlert drop action. s->iid %" PRIu32 "", s->iid);
361  }
362 
363  uint16_t pos = det_ctx->alert_queue_size;
364  if (pos == det_ctx->alert_queue_capacity) {
365  /* we must grow the alert queue */
366  if (pos == AlertQueueExpand(det_ctx)) {
367  /* this means we failed to expand the queue */
368  p->alerts.discarded++;
369  return;
370  }
371  }
372  det_ctx->alert_queue[pos] = PacketAlertSet(det_ctx, s, tx_id, alert_flags);
373 
374  SCLogDebug("Appending sid %" PRIu32 ", s->iid %" PRIu32 " to alert queue", s->id, s->iid);
375  det_ctx->alert_queue_size++;
376 }
377 
378 /** \internal
379  * \brief sort helper for sorting alerts by priority
380  *
381  * Sorting is done first based on num and then using tx_id, if nums are equal.
382  * The Signature::num field is set based on internal priority. Higher priority
383  * rules have lower nums.
384  */
385 static int AlertQueueSortHelperFirewall(const void *a, const void *b)
386 {
387  const PacketAlert *pa0 = a;
388  const PacketAlert *pa1 = b;
389  if (pa0->s->detect_table == pa1->s->detect_table) {
390  if (pa1->iid == pa0->iid) {
391  if (pa1->tx_id == PACKET_ALERT_NOTX) {
392  return -1;
393  } else if (pa0->tx_id == PACKET_ALERT_NOTX) {
394  return 1;
395  }
396  return pa0->tx_id < pa1->tx_id ? 1 : -1;
397  } else {
398  return pa0->iid < pa1->iid ? -1 : 1;
399  }
400  }
401  return pa0->s->detect_table < pa1->s->detect_table ? -1 : 1;
402 }
403 
404 static int AlertQueueSortHelper(const void *a, const void *b)
405 {
406  const PacketAlert *pa0 = a;
407  const PacketAlert *pa1 = b;
408  if (pa1->iid == pa0->iid) {
409  if (pa1->tx_id == PACKET_ALERT_NOTX) {
410  return -1;
411  } else if (pa0->tx_id == PACKET_ALERT_NOTX) {
412  return 1;
413  }
414  return pa0->tx_id < pa1->tx_id ? 1 : -1;
415  } else {
416  return pa0->iid < pa1->iid ? -1 : 1;
417  }
418 }
419 
420 /** \internal
421  * \brief Check if Signature action should be applied to flow and apply
422  *
423  */
424 static inline void FlowApplySignatureActions(
425  Packet *p, PacketAlert *pa, const Signature *s, uint8_t alert_flags)
426 {
427  /* For DROP and PASS sigs we need to apply the action to the flow if
428  * - sig is IP or PD only
429  * - match is in applayer
430  * - match is in stream */
431  if (pa->action & (ACTION_DROP | ACTION_PASS | ACTION_ACCEPT)) {
434 
435  if (s->action_scope == ACTION_SCOPE_FLOW) {
437  } else if (s->action_scope == ACTION_SCOPE_AUTO) {
438  enum SignaturePropertyFlowAction flow_action =
440  if (flow_action == SIG_PROP_FLOW_ACTION_FLOW) {
442  } else if (flow_action == SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL) {
445  }
446  }
447  }
448 
450  SCLogDebug("packet %" PRIu64 " sid %u action %02x alert_flags %02x (set "
451  "PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW)",
452  p->pcap_cnt, s->id, s->action, pa->flags);
453  }
454  }
455 }
456 
457 static inline void PacketAlertFinalizeProcessQueue(
458  const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
459 {
460  const bool have_fw_rules = EngineModeIsFirewall();
461 
462  if (det_ctx->alert_queue_size > 1) {
463  /* sort the alert queue before thresholding and appending to Packet */
464  qsort(det_ctx->alert_queue, det_ctx->alert_queue_size, sizeof(PacketAlert),
465  have_fw_rules ? AlertQueueSortHelperFirewall : AlertQueueSortHelper);
466  }
467 
468  bool dropped = false;
469  bool skip_td = false;
470  for (uint16_t i = 0; i < det_ctx->alert_queue_size; i++) {
471  PacketAlert *pa = &det_ctx->alert_queue[i];
472  const Signature *s = pa->s;
473 
474  /* if a firewall rule told us to skip, we don't count the skipped
475  * alerts. */
476  if (have_fw_rules && skip_td && (s->flags & SIG_FLAG_FIREWALL) == 0) {
477  continue;
478  }
479 
480  int res = PacketAlertHandle(de_ctx, det_ctx, s, p, pa);
481  if (res > 0) {
482  /* Now, if we have an alert, we have to check if we want
483  * to tag this session or src/dst host */
484  if (s->sm_arrays[DETECT_SM_LIST_TMATCH] != NULL) {
487  while (1) {
488  /* tags are set only for alerts */
490  sigmatch_table[smd->type].Match(det_ctx, p, (Signature *)s, smd->ctx);
491  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
492  if (smd->is_last)
493  break;
494  smd++;
495  }
496  }
497 
498  bool skip_action_set = false;
499  if ((p->action & (ACTION_DROP | ACTION_ACCEPT)) != 0) {
500  if (p->action & ACTION_DROP) {
501  if (pa->action & (ACTION_PASS | ACTION_ACCEPT)) {
502  skip_action_set = true;
503  }
504  } else {
505  if (pa->action & (ACTION_DROP)) {
506  skip_action_set = true;
507  }
508  }
509  }
510  SCLogDebug("packet %" PRIu64 ": i:%u sid:%u skip_action_set %s", p->pcap_cnt, i, s->id,
511  BOOL2STR(skip_action_set));
512  if (!skip_action_set) {
513  /* set actions on the flow */
514  FlowApplySignatureActions(p, pa, s, pa->flags);
515 
516  SCLogDebug("det_ctx->alert_queue[i].action %02x (DROP %s, PASS %s)", pa->action,
518 
519  /* set actions on packet */
520  PacketApplySignatureActions(p, s, pa);
521  }
522  }
523 
524  /* skip firewall sigs following a drop: IDS mode still shows alerts after an alert. */
525  if ((s->flags & SIG_FLAG_FIREWALL) && dropped) {
526  p->alerts.discarded++;
527 
528  /* Thresholding removes this alert */
529  } else if (res == 0 || res == 2 || (s->action & (ACTION_ALERT | ACTION_PASS)) == 0) {
530  SCLogDebug("sid:%u: skipping alert because of thresholding (res=%d) or NOALERT (%02x)",
531  s->id, res, s->action);
532  /* we will not copy this to the AlertQueue */
533  p->alerts.suppressed++;
534  } else if (p->alerts.cnt < packet_alert_max) {
535  p->alerts.alerts[p->alerts.cnt] = *pa;
536  SCLogDebug("Appending sid %" PRIu32 " alert to Packet::alerts at pos %u", s->id, i);
537 
538  /* pass w/o alert found, we're done. Alert is not logged. */
539  if ((pa->action & (ACTION_PASS | ACTION_ALERT)) == ACTION_PASS) {
540  SCLogDebug("sid:%u: is a pass rule, so break out of loop", s->id);
541  if (!have_fw_rules)
542  break;
543  SCLogDebug("skipping td");
544  skip_td = true;
545  continue;
546  }
547  p->alerts.cnt++;
548 
549  /* pass with alert, we're done. Alert is logged. */
550  if (pa->action & ACTION_PASS) {
551  SCLogDebug("sid:%u: is a pass rule, so break out of loop", s->id);
552  if (!have_fw_rules)
553  break;
554  SCLogDebug("skipping td");
555  skip_td = true;
556  continue;
557  }
558 
559  // TODO we can also drop if alert is suppressed, right?
560  if (s->action & ACTION_DROP) {
561  dropped = true;
562  }
563  } else {
564  p->alerts.discarded++;
565  }
566  }
567 }
568 
569 /**
570  * \brief Check the threshold of the sigs that match, set actions, break on pass action
571  * This function iterate the packet alerts array, removing those that didn't match
572  * the threshold, and those that match after a signature with the action "pass".
573  * The array is sorted by action priority/order
574  * \param de_ctx detection engine context
575  * \param det_ctx detection engine thread context
576  * \param p pointer to the packet
577  */
579 {
580  SCEnter();
581 
582  if (det_ctx->alert_queue_size > 0) {
583  PacketAlertFinalizeProcessQueue(de_ctx, det_ctx, p);
584  if (det_ctx->json_content_len)
586  }
587 
588  /* At this point, we should have all the new alerts. Now check the tag
589  * keyword context for sessions and hosts */
590  if (!(p->flags & PKT_PSEUDO_STREAM_END))
591  TagHandlePacket(de_ctx, det_ctx, p);
592 
593  /* Set flag on flow to indicate that it has alerts */
594  if (p->flow != NULL && p->alerts.cnt > 0) {
595  if (!FlowHasAlerts(p->flow)) {
597  p->flags |= PKT_FIRST_ALERTS;
598  }
599  }
600 }
601 
602 #ifdef UNITTESTS
604 #endif
PacketCheckAction
bool PacketCheckAction(const Packet *p, const uint8_t a)
Definition: packet.c:49
PKT_DROP_REASON_STREAM_PRE_HOOK
@ PKT_DROP_REASON_STREAM_PRE_HOOK
Definition: decode.h:400
PKT_DROP_REASON_RULES_THRESHOLD
@ PKT_DROP_REASON_RULES_THRESHOLD
Definition: decode.h:390
DetectEngineThreadCtx_::alert_queue_size
uint16_t alert_queue_size
Definition: detect.h:1329
FlowSetHasAlertsFlag
void FlowSetHasAlertsFlag(Flow *f)
Set flag to indicate that flow has alerts.
Definition: flow.c:153
PacketAlert_::s
const struct Signature_ * s
Definition: decode.h:252
AlertQueueFree
void AlertQueueFree(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine-alert.c:258
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
PACKET_ALERT_FLAG_STATE_MATCH
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:268
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
ACTION_PASS
#define ACTION_PASS
Definition: action-globals.h:34
KEYWORD_PROFILING_SET_LIST
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
Definition: util-profiling.h:46
DETECT_TABLE_PACKET_PRE_STREAM
@ DETECT_TABLE_PACKET_PRE_STREAM
Definition: detect.h:555
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:275
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:626
SigMatchData_::is_last
bool is_last
Definition: detect.h:367
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:287
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:368
action-globals.h
Packet_::flags
uint32_t flags
Definition: decode.h:544
Packet_::action
uint8_t action
Definition: decode.h:609
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:356
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:133
TAG_SIG_ID
#define TAG_SIG_ID
Definition: detect-engine-tag.h:42
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
PKT_DROP_REASON_FLOW_PRE_HOOK
@ PKT_DROP_REASON_FLOW_PRE_HOOK
Definition: decode.h:401
PacketAlerts_::alerts
PacketAlert * alerts
Definition: decode.h:290
ACTION_SCOPE_FLOW
@ ACTION_SCOPE_FLOW
Definition: action-globals.h:45
ACTION_REJECT_ANY
#define ACTION_REJECT_ANY
Definition: action-globals.h:38
PacketAlerts_::drop
PacketAlert drop
Definition: decode.h:293
ACTION_DROP_REJECT
#define ACTION_DROP_REJECT
Definition: action-globals.h:40
FLOW_ACTION_DROP
#define FLOW_ACTION_DROP
Definition: flow.h:70
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:731
EngineModeIsFirewall
bool EngineModeIsFirewall(void)
Definition: suricata.c:235
SigMatchData_
Data needed for Match()
Definition: detect.h:365
KEYWORD_PROFILING_START
#define KEYWORD_PROFILING_START
Definition: util-profiling.h:50
SigMatchData_::type
uint16_t type
Definition: detect.h:366
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:620
KEYWORD_PROFILING_END
#define KEYWORD_PROFILING_END(ctx, type, m)
Definition: util-profiling.h:64
PacketAlert_::tx_id
uint64_t tx_id
Definition: decode.h:253
PacketAlert_::action
uint8_t action
Definition: decode.h:250
SIG_FLAG_FIREWALL
#define SIG_FLAG_FIREWALL
Definition: detect.h:246
AlertQueueInit
void AlertQueueInit(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine-alert.c:245
Signature_::gid
uint32_t gid
Definition: detect.h:714
FLOW_ACTION_PASS
#define FLOW_ACTION_PASS
Definition: flow.h:117
SignaturePropertyFlowAction
SignaturePropertyFlowAction
Definition: detect.h:83
PacketAlert_::json_info
struct PacketContextData * json_info
Definition: decode.h:255
decode.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1244
DETECT_THRESHOLD
@ DETECT_THRESHOLD
Definition: detect-engine-register.h:58
PKT_PSEUDO_STREAM_END
#define PKT_PSEUDO_STREAM_END
Definition: decode.h:1266
util-exception-policy.h
BOOL2STR
#define BOOL2STR(b)
Definition: util-debug.h:535
SCEnter
#define SCEnter(...)
Definition: util-debug.h:277
detect.h
PacketContextData
Definition: decode.h:241
DETECT_TABLE_PACKET_PRE_FLOW
@ DETECT_TABLE_PACKET_PRE_FLOW
Definition: detect.h:554
PacketAlerts_::discarded
uint16_t discarded
Definition: decode.h:288
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:317
detect-engine-tag.h
PKT_DROP_REASON_RULES
@ PKT_DROP_REASON_RULES
Definition: decode.h:389
Signature_::action
uint8_t action
Definition: detect.h:683
util-profiling.h
PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW
#define PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW
Definition: decode.h:266
Signature_::flags
uint32_t flags
Definition: detect.h:669
PKT_ALERT_CTX_USED
#define PKT_ALERT_CTX_USED
Definition: decode.h:1253
AlertQueueAppend
void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t alert_flags)
Append signature to local packet alert queue for later preprocessing.
Definition: detect-engine-alert.c:353
ACTION_ALERT
#define ACTION_ALERT
Definition: action-globals.h:29
Packet_
Definition: decode.h:501
DetectEngineThreadCtx_::frame_id
int64_t frame_id
Definition: detect.h:1321
ACTION_SCOPE_AUTO
@ ACTION_SCOPE_AUTO
Definition: action-globals.h:43
detect-engine-alert.h
DetectEngineThreadCtx_::alert_queue_capacity
uint16_t alert_queue_capacity
Definition: detect.h:1330
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1421
PacketAlert_::iid
SigIntId iid
Definition: decode.h:249
signature_properties
const struct SignatureProperties signature_properties[SIG_TYPE_MAX]
Definition: detect-engine.c:115
PACKET_ALERT_NOTX
#define PACKET_ALERT_NOTX
Definition: detect.h:55
SIG_TYPE_NOT_SET
@ SIG_TYPE_NOT_SET
Definition: detect.h:65
PACKET_ALERT_FLAG_APPLY_ACTION_TO_PACKET
#define PACKET_ALERT_FLAG_APPLY_ACTION_TO_PACKET
Definition: decode.h:280
PacketAlertFinalize
void PacketAlertFinalize(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Check the threshold of the sigs that match, set actions, break on pass action This function iterate t...
Definition: detect-engine-alert.c:578
PACKET_ALERT_FLAG_STREAM_MATCH
#define PACKET_ALERT_FLAG_STREAM_MATCH
Definition: decode.h:270
TagHandlePacket
void TagHandlePacket(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Search tags for src and dst. Update entries of the tag, remove if necessary.
Definition: detect-engine-tag.c:523
PACKET_ALERT_FLAG_FRAME
#define PACKET_ALERT_FLAG_FRAME
Definition: decode.h:276
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
PacketAlert_::frame_id
int64_t frame_id
Definition: decode.h:254
PacketAlert_::flags
uint8_t flags
Definition: decode.h:251
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
suricata-common.h
SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
@ SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
Definition: detect.h:86
ActionScope
ActionScope
Definition: action-globals.h:42
DetectThresholdData_
Definition: detect-threshold.h:55
Signature_::action_scope
uint8_t action_scope
Definition: detect.h:690
packet.h
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
Signature_::rev
uint32_t rev
Definition: detect.h:715
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
FatalError
#define FatalError(...)
Definition: util-debug.h:510
ACTION_CONFIG
#define ACTION_CONFIG
Definition: action-globals.h:35
PacketContextData::next
struct PacketContextData * next
Definition: decode.h:243
DETECT_SM_LIST_TMATCH
@ DETECT_SM_LIST_TMATCH
Definition: detect.h:129
SIG_TYPE_MAX
@ SIG_TYPE_MAX
Definition: detect.h:79
Signature_::prio
int prio
Definition: detect.h:716
SigGetThresholdTypeIter
const DetectThresholdData * SigGetThresholdTypeIter(const Signature *sig, const SigMatchData **psm, int list)
Return next DetectThresholdData for signature.
Definition: detect-engine-threshold.c:473
FLOW_ACTION_ACCEPT
#define FLOW_ACTION_ACCEPT
Definition: flow.h:62
util-validate.h
DetectEngineThreadCtx_::alert_queue
PacketAlert * alert_queue
Definition: detect.h:1331
PACKET_ALERT_FLAG_RATE_FILTER_MODIFIED
#define PACKET_ALERT_FLAG_RATE_FILTER_MODIFIED
Definition: decode.h:274
DetectEngineThreadCtx_::json_content
SigJsonContent * json_content
Definition: detect.h:1281
PacketAlerts_::suppressed
uint16_t suppressed
Definition: decode.h:289
Signature_::iid
SigIntId iid
Definition: detect.h:680
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-engine-alert.c
Signature_::id
uint32_t id
Definition: detect.h:713
Flow_::flags
uint32_t flags
Definition: flow.h:421
ACTION_SCOPE_PACKET
@ ACTION_SCOPE_PACKET
Definition: action-globals.h:44
Signature_
Signature container.
Definition: detect.h:668
PacketAlertTagInit
void PacketAlertTagInit(void)
Definition: detect-engine-alert.c:46
PacketDrop
void PacketDrop(Packet *p, const uint8_t action, enum PacketDropReason r)
issue drop action
Definition: packet.c:33
ACTION_ACCEPT
#define ACTION_ACCEPT
Definition: action-globals.h:36
suricata.h
PacketAlert_
Definition: decode.h:248
Signature_::detect_table
uint8_t detect_table
Definition: detect.h:702
FlowHasAlerts
int FlowHasAlerts(const Flow *f)
Check if flow has alerts.
Definition: flow.c:164
packet_alert_max
uint16_t packet_alert_max
Definition: decode.c:82
DetectEngineThreadCtx_::json_content_len
uint8_t json_content_len
Definition: detect.h:1283
TAG_SIG_GEN
#define TAG_SIG_GEN
Definition: detect-engine-tag.h:41
PacketContextData::json_string
char * json_string
Definition: decode.h:242
SIG_PROP_FLOW_ACTION_FLOW
@ SIG_PROP_FLOW_ACTION_FLOW
Definition: detect.h:85
PacketAlertThreshold
int PacketAlertThreshold(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
Make the threshold logic for signatures.
Definition: detect-engine-threshold.c:961
flow.h
PKT_FIRST_ALERTS
#define PKT_FIRST_ALERTS
Definition: decode.h:1313
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:281
Signature_::type
enum SignatureType type
Definition: detect.h:671
DETECT_SM_LIST_SUPPRESS
@ DETECT_SM_LIST_SUPPRESS
Definition: detect.h:132
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
SignatureProperties::flow_action
enum SignaturePropertyFlowAction flow_action
Definition: detect.h:90
SigJsonContent::json_content
char json_content[SIG_JSON_CONTENT_ITEM_LEN]
Definition: detect.h:1238
SigJsonContent::id
void * id
Definition: detect.h:1237
detect-engine-threshold.h