|
suricata
|
|
suricata
|
Go to the source code of this file.
Functions | |
| void | PacketAlertFinalize (DetectEngineCtx *, DetectEngineThreadCtx *, Packet *) |
| Check the threshold of the sigs that match, set actions, break on pass action This function iterate the packet alerts array, removing those that didn't match the threshold, and those that match after a signature with the action "pass". The array is sorted by action priority/order. More... | |
| int | PacketAlertAppend (DetectEngineThreadCtx *, const Signature *, Packet *, uint64_t tx_id, uint8_t) |
| append a signature match to a packet More... | |
| int | PacketAlertCheck (Packet *, uint32_t) |
| Check if a certain sid alerted, this is used in the test functions. More... | |
| int | PacketAlertRemove (Packet *, uint16_t) |
| Remove alert from the p->alerts.alerts array at pos. More... | |
| void | PacketAlertTagInit (void) |
| PacketAlert * | PacketAlertGetTag (void) |
Definition in file detect-engine-alert.h.
| int PacketAlertAppend | ( | DetectEngineThreadCtx * | det_ctx, |
| const Signature * | s, | ||
| Packet * | p, | ||
| uint64_t | tx_id, | ||
| uint8_t | flags | ||
| ) |
append a signature match to a packet
| det_ctx | thread detection engine ctx |
| s | the signature that matched |
| p | packet |
| flags | alert flags |
Definition at line 188 of file detect-engine-alert.c.
References PacketAlert_::action, Signature_::action, PacketAlerts_::alerts, Packet_::alerts, PacketAlerts_::cnt, flags, PacketAlert_::flags, Signature_::id, PacketAlert_::num, Signature_::num, PACKET_ALERT_MAX, PacketAlert_::s, SCLogDebug, tx_id, and PacketAlert_::tx_id.
Referenced by IPOnlyMatchPacket(), and SigMatchSignaturesGetSgh().
| int PacketAlertCheck | ( | Packet * | p, |
| uint32_t | sid | ||
| ) |
Check if a certain sid alerted, this is used in the test functions.
| p | Packet on which we want to check if the signature alerted or not |
| sid | Signature id of the signature that thas to be checked for a match |
| match | A value > 0 on a match; 0 on no match |
Definition at line 138 of file detect-engine-alert.c.
References PacketAlerts_::alerts, Packet_::alerts, PacketAlerts_::cnt, Signature_::id, and PacketAlert_::s.
Referenced by DetectAckRegister(), DetectBypassRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectFastPatternRegister(), DetectFlowFree(), DetectFlowintFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectHostbitFree(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectITypeFree(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectPcrePayloadMatch(), DetectProtoContainsProto(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSetupParseRegexes(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), HtpConfigRestoreBackup(), MpmACRegister(), MpmACTileRegister(), RegisterModbusParsers(), SCACBSPrintInfo(), SCThresholdConfParseFile(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), UTHCheckPacketMatchResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().
| void PacketAlertFinalize | ( | DetectEngineCtx * | de_ctx, |
| DetectEngineThreadCtx * | det_ctx, | ||
| Packet * | p | ||
| ) |
Check the threshold of the sigs that match, set actions, break on pass action This function iterate the packet alerts array, removing those that didn't match the threshold, and those that match after a signature with the action "pass". The array is sorted by action priority/order.
| de_ctx | detection engine context |
| det_ctx | detection engine thread context |
| p | pointer to the packet |
Definition at line 238 of file detect-engine-alert.c.
References Signature_::action, ACTION_DROP, ACTION_PASS, ACTION_REJECT, ACTION_REJECT_BOTH, ACTION_REJECT_DST, PacketAlerts_::alerts, Packet_::alerts, PacketAlerts_::cnt, SigMatchData_::ctx, DETECT_SM_LIST_TMATCH, DetectSignatureApplyActions(), PacketAlert_::flags, Flow_::flags, Packet_::flags, Signature_::flags, Packet_::flow, FLOW_ACTION_DROP, FLOW_PKT_TOCLIENT, FLOW_PKT_TOCLIENT_IPONLY_SET, FLOW_PKT_TOSERVER, FLOW_PKT_TOSERVER_IPONLY_SET, Packet_::flowflags, FlowSetHasAlertsFlag(), FlowSetIPOnlyFlag(), SigMatchData_::is_last, KEYWORD_PROFILING_END, KEYWORD_PROFILING_SET_LIST, KEYWORD_PROFILING_START, SigTableElmt_::Match, PacketAlert_::num, PACKET_ALERT_FLAG_DROP_FLOW, PACKET_TEST_ACTION, PacketAlertRemove(), PKT_PSEUDO_STREAM_END, res, PacketAlert_::s, SCEnter, SCLogDebug, DetectEngineCtx_::sig_array, SIG_FLAG_APPLAYER, SIG_FLAG_IPONLY, sigmatch_table, Signature_::sm_arrays, TagHandlePacket(), and SigMatchData_::type.
Referenced by SigMatchSignaturesGetSgh().
| PacketAlert* PacketAlertGetTag | ( | void | ) |
Definition at line 53 of file detect-engine-alert.c.
References DETECT_SM_LIST_SUPPRESS, DETECT_SM_LIST_THRESHOLD, DETECT_THRESHOLD, KEYWORD_PROFILING_END, KEYWORD_PROFILING_SET_LIST, KEYWORD_PROFILING_START, PacketAlertThreshold(), PKT_IS_IPV4, PKT_IS_IPV6, SCEnter, SCLogDebug, SCReturnInt, SigGetThresholdTypeIter(), and Signature_::sm_arrays.
| int PacketAlertRemove | ( | Packet * | p, |
| uint16_t | pos | ||
| ) |
Remove alert from the p->alerts.alerts array at pos.
| p | Pointer to the Packet |
| pos | Position in the array |
| 0 | if the number of alerts is less than pos 1 if all goes well |
Definition at line 161 of file detect-engine-alert.c.
References PacketAlerts_::alerts, Packet_::alerts, PacketAlerts_::cnt, and SCLogDebug.
Referenced by PacketAlertFinalize().
| void PacketAlertTagInit | ( | void | ) |
Definition at line 37 of file detect-engine-alert.c.
References PacketAlert_::action, ACTION_ALERT, Signature_::gid, Signature_::id, Signature_::num, Signature_::prio, Signature_::rev, PacketAlert_::s, TAG_SIG_GEN, and TAG_SIG_ID.
Referenced by PostRunDeinit().
1.8.11 
