detect-engine-alert.h File Reference

#include "suricata-common.h"
#include "decode.h"
#include "detect.h"

Include dependency graph for detect-engine-alert.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Functions
void	PacketAlertFinalize (DetectEngineCtx *, DetectEngineThreadCtx *, Packet *)
	Check the threshold of the sigs that match, set actions, break on pass action This function iterate the packet alerts array, removing those that didn't match the threshold, and those that match after a signature with the action "pass". The array is sorted by action priority/order. More...
int	PacketAlertAppend (DetectEngineThreadCtx *, const Signature *, Packet *, uint64_t tx_id, uint8_t)
	append a signature match to a packet More...
int	PacketAlertCheck (Packet *, uint32_t)
	Check if a certain sid alerted, this is used in the test functions. More...
int	PacketAlertRemove (Packet *, uint16_t)
	Remove alert from the p->alerts.alerts array at pos. More...
void	PacketAlertTagInit (void)
PacketAlert *	PacketAlertGetTag (void)

Detailed Description

Author

Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Definition in file detect-engine-alert.h.

Function Documentation

int PacketAlertAppend	(	DetectEngineThreadCtx *	det_ctx,
		const Signature *	s,
		Packet *	p,
		uint64_t	tx_id,
		uint8_t	flags
	)

append a signature match to a packet

Parameters

det_ctx	thread detection engine ctx
s	the signature that matched
p	packet
flags	alert flags

Definition at line 188 of file detect-engine-alert.c.

References PacketAlert_::action, Signature_::action, PacketAlerts_::alerts, Packet_::alerts, PacketAlerts_::cnt, flags, PacketAlert_::flags, Signature_::id, PacketAlert_::num, Signature_::num, PACKET_ALERT_MAX, PacketAlert_::s, SCLogDebug, tx_id, and PacketAlert_::tx_id.

Referenced by IPOnlyMatchPacket(), and SigMatchSignaturesGetSgh().

Here is the caller graph for this function:

int PacketAlertCheck	(	Packet *	p,
		uint32_t	sid
	)

Check if a certain sid alerted, this is used in the test functions.

Parameters

p	Packet on which we want to check if the signature alerted or not
sid	Signature id of the signature that thas to be checked for a match

Return values

match

A value > 0 on a match; 0 on no match

Definition at line 138 of file detect-engine-alert.c.

References PacketAlerts_::alerts, Packet_::alerts, PacketAlerts_::cnt, Signature_::id, and PacketAlert_::s.

Referenced by DetectAckRegister(), DetectBypassRegister(), DetectDceGetState(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectFastPatternRegister(), DetectFlowFree(), DetectFlowintFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectGeoipRegister(), DetectHostbitFree(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectITypeFree(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectPcrePayloadMatch(), DetectProtoContainsProto(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSetupParseRegexes(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslStateRegister(), DetectSslVersionRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3StringRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), DetectTlsSubjectRegister(), DetectTlsValidityRegister(), DetectTlsVersionRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), MpmACRegister(), MpmACTileRegister(), RegisterModbusParsers(), SCACBSPrintInfo(), SCThresholdConfParseFile(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), UTHCheckPacketMatchResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().

void PacketAlertFinalize	(	DetectEngineCtx *	de_ctx,
		DetectEngineThreadCtx *	det_ctx,
		Packet *	p
	)

Check the threshold of the sigs that match, set actions, break on pass action This function iterate the packet alerts array, removing those that didn't match the threshold, and those that match after a signature with the action "pass". The array is sorted by action priority/order.

Parameters

de_ctx	detection engine context
det_ctx	detection engine thread context
p	pointer to the packet

Definition at line 238 of file detect-engine-alert.c.

References Signature_::action, ACTION_DROP, ACTION_PASS, ACTION_REJECT, ACTION_REJECT_BOTH, ACTION_REJECT_DST, PacketAlerts_::alerts, Packet_::alerts, PacketAlerts_::cnt, SigMatchData_::ctx, DETECT_SM_LIST_TMATCH, DetectSignatureApplyActions(), PacketAlert_::flags, Flow_::flags, Packet_::flags, Signature_::flags, Packet_::flow, FLOW_ACTION_DROP, FLOW_PKT_TOCLIENT, FLOW_PKT_TOCLIENT_IPONLY_SET, FLOW_PKT_TOSERVER, FLOW_PKT_TOSERVER_IPONLY_SET, Packet_::flowflags, FlowSetHasAlertsFlag(), FlowSetIPOnlyFlag(), SigMatchData_::is_last, KEYWORD_PROFILING_END, KEYWORD_PROFILING_SET_LIST, KEYWORD_PROFILING_START, SigTableElmt_::Match, PacketAlert_::num, PACKET_ALERT_FLAG_DROP_FLOW, PACKET_TEST_ACTION, PacketAlertRemove(), PKT_PSEUDO_STREAM_END, res, PacketAlert_::s, SCEnter, SCLogDebug, DetectEngineCtx_::sig_array, SIG_FLAG_APPLAYER, SIG_FLAG_IPONLY, sigmatch_table, Signature_::sm_arrays, TagHandlePacket(), and SigMatchData_::type.

Referenced by SigMatchSignaturesGetSgh().

Here is the call graph for this function:

Here is the caller graph for this function:

PacketAlert* PacketAlertGetTag

(

void

)

Definition at line 53 of file detect-engine-alert.c.

References DETECT_SM_LIST_SUPPRESS, DETECT_SM_LIST_THRESHOLD, DETECT_THRESHOLD, KEYWORD_PROFILING_END, KEYWORD_PROFILING_SET_LIST, KEYWORD_PROFILING_START, PacketAlertThreshold(), PKT_IS_IPV4, PKT_IS_IPV6, SCEnter, SCLogDebug, SCReturnInt, SigGetThresholdTypeIter(), and Signature_::sm_arrays.

Here is the call graph for this function:

int PacketAlertRemove	(	Packet *	p,
		uint16_t	pos
	)

Remove alert from the p->alerts.alerts array at pos.

Parameters

p	Pointer to the Packet
pos	Position in the array

Return values

0	if the number of alerts is less than pos 1 if all goes well

Definition at line 161 of file detect-engine-alert.c.

References PacketAlerts_::alerts, Packet_::alerts, PacketAlerts_::cnt, and SCLogDebug.

Referenced by PacketAlertFinalize().

Here is the caller graph for this function:

void PacketAlertTagInit

(

void

)

Definition at line 37 of file detect-engine-alert.c.

References PacketAlert_::action, ACTION_ALERT, Signature_::gid, Signature_::id, Signature_::num, Signature_::prio, Signature_::rev, PacketAlert_::s, TAG_SIG_GEN, and TAG_SIG_ID.

Referenced by PostRunDeinit().

Here is the caller graph for this function: