suricata
|
#include "suricata-common.h"
#include "suricata.h"
#include "rust.h"
#include "action-globals.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-analyzer.h"
#include "detect-engine-mpm.h"
#include "detect-engine-uint.h"
#include "conf.h"
#include "detect-content.h"
#include "detect-pcre.h"
#include "detect-bytejump.h"
#include "detect-bytetest.h"
#include "detect-isdataat.h"
#include "detect-flow.h"
#include "detect-tcp-flags.h"
#include "detect-tcp-ack.h"
#include "detect-ipopts.h"
#include "detect-tcp-seq.h"
#include "feature.h"
#include "util-print.h"
#include "util-time.h"
#include "util-validate.h"
#include "util-conf.h"
#include "detect-flowbits.h"
#include "util-var-name.h"
#include "detect-icmp-id.h"
#include "detect-tcp-window.h"
Go to the source code of this file.
Data Structures | |
struct | DetectEngineAnalyzerItems |
struct | FpPatternStats_ |
struct | ExposedItemSeen |
struct | EngineAnalysisCtx_ |
struct | RuleAnalyzer |
Macros | |
#define | DETECT_PERCENT_ENCODING_REGEX "%[0-9|a-f|A-F]{2}" |
#define | CHECK(pat) if (strlen((pat)) <= len && memcmp((pat), buf, MIN(len, strlen((pat)))) == 0) return true; |
Typedefs | |
typedef struct DetectEngineAnalyzerItems | DetectEngineAnalyzerItems |
typedef struct FpPatternStats_ | FpPatternStats |
typedef struct EngineAnalysisCtx_ | EngineAnalysisCtx |
typedef struct RuleAnalyzer | RuleAnalyzer |
Functions | |
void | EngineAnalysisFP (const DetectEngineCtx *de_ctx, const Signature *s, char *line) |
void | SetupEngineAnalysis (DetectEngineCtx *de_ctx, bool *fp_analysis, bool *rule_analysis) |
void | CleanupEngineAnalysis (DetectEngineCtx *de_ctx) |
void | EngineAnalysisRulesFailure (const DetectEngineCtx *de_ctx, char *line, char *file, int lineno) |
void | EngineAnalysisRules2 (const DetectEngineCtx *de_ctx, const Signature *s) |
void | DumpPatterns (DetectEngineCtx *de_ctx) |
void | EngineAnalysisRules (const DetectEngineCtx *de_ctx, const Signature *s, const char *line) |
Prints analysis of loaded rules. More... | |
Variables | |
const DetectEngineAnalyzerItems | analyzer_items [] |
SCMutex | g_rules_analyzer_write_m = SCMUTEX_INITIALIZER |
Rule analyzers for the detection engine
Definition in file detect-engine-analyzer.c.
#define CHECK | ( | pat | ) | if (strlen((pat)) <= len && memcmp((pat), buf, MIN(len, strlen((pat)))) == 0) return true; |
Definition at line 671 of file detect-engine-analyzer.c.
#define DETECT_PERCENT_ENCODING_REGEX "%[0-9|a-f|A-F]{2}" |
typedef struct DetectEngineAnalyzerItems DetectEngineAnalyzerItems |
typedef struct EngineAnalysisCtx_ EngineAnalysisCtx |
typedef struct FpPatternStats_ FpPatternStats |
typedef struct RuleAnalyzer RuleAnalyzer |
void CleanupEngineAnalysis | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 511 of file detect-engine-analyzer.c.
References de_ctx, and DetectEngineCtx_::ea.
void DumpPatterns | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 1322 of file detect-engine-analyzer.c.
References DetectEngineCtx_::buffer_type_id, DetectPatternTracker::cd, DetectPatternTracker::cnt, ConfigGetLogDirectory(), DetectContentData_::content_len, de_ctx, DETECT_CONTENT_DEPTH, DETECT_CONTENT_ENDS_WITH, DETECT_CONTENT_NEGATED, DETECT_CONTENT_NOCASE, DETECT_CONTENT_OFFSET, DETECT_SM_LIST_DYNAMIC_START, DetectContentPatternPrettyPrint(), DetectEngineBufferTypeGetNameById(), DetectListToHumanString(), DetectEngineCtx_::ea, EngineAnalysisCtx_::file_prefix, DetectContentData_::flags, g_rules_analyzer_write_m, HashListTableFree(), HashListTableGetListData, HashListTableGetListHead(), HashListTableGetListNext, DetectPatternTracker::mpm, DetectEngineCtx_::pattern_hash_table, SCMutexLock, SCMutexUnlock, DetectPatternTracker::sm_list, and str.
void EngineAnalysisFP | ( | const DetectEngineCtx * | de_ctx, |
const Signature * | s, | ||
char * | line | ||
) |
Definition at line 169 of file detect-engine-analyzer.c.
References DetectContentData_::content, DetectContentData_::content_len, SigMatch_::ctx, de_ctx, DETECT_CONTENT_DEPTH, DETECT_CONTENT_DISTANCE, DETECT_CONTENT_FAST_PATTERN, DETECT_CONTENT_FAST_PATTERN_CHOP, DETECT_CONTENT_FAST_PATTERN_ONLY, DETECT_CONTENT_NEGATED, DETECT_CONTENT_NOCASE, DETECT_CONTENT_OFFSET, DETECT_CONTENT_WITHIN, DETECT_SM_LIST_PMATCH, DetectEngineBufferTypeGetDescriptionById(), DetectEngineBufferTypeGetNameById(), DetectEngineCtx_::ea, FatalError, DetectContentData_::flags, DetectContentData_::fp_chop_len, DetectContentData_::fp_chop_offset, Signature_::id, Signature_::init_data, SignatureInitData_::mpm_sm, SignatureInitData_::mpm_sm_list, SigTableElmt_::name, SignatureInitData_::prefilter_sm, PrintRawUriFp(), EngineAnalysisCtx_::rule_engine_analysis_fp, SCFree, SCMalloc, sigmatch_table, SigMatch_::type, and unlikely.
void EngineAnalysisRules | ( | const DetectEngineCtx * | de_ctx, |
const Signature * | s, | ||
const char * | line | ||
) |
Prints analysis of loaded rules.
Warns if potential rule issues are detected. For example, warns if a rule uses a construct that may perform poorly, e.g. pcre without content or with http_method content only; warns if a rule uses a construct that may not be consistent with intent, e.g. client side ports only, http and content without any http_* modifiers, etc.
s | Pointer to the signature. |
Definition at line 1463 of file detect-engine-analyzer.c.
void EngineAnalysisRules2 | ( | const DetectEngineCtx * | de_ctx, |
const Signature * | s | ||
) |
Definition at line 971 of file detect-engine-analyzer.c.
References Signature_::action, ACTION_ALERT, Signature_::alproto, AppProtoToString(), DetectEngineTransforms::cnt, ctx, de_ctx, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_PMATCH, DetectEngineBufferTypeGetNameById(), Signature_::flags, Signature_::gid, Signature_::id, Signature_::mask, DetectEnginePktInspectionEngine::mpm, Signature_::msg, SigTableElmt_::name, DetectEnginePktInspectionEngine::next, Signature_::pkt_inspect, Signature_::rev, SCEnter, SCReturn, SIG_FLAG_APPLAYER, SIG_FLAG_BYPASS, SIG_FLAG_DEST_IS_TARGET, SIG_FLAG_DP_ANY, SIG_FLAG_DSIZE, SIG_FLAG_DST_ANY, SIG_FLAG_FILESTORE, SIG_FLAG_FLUSH, SIG_FLAG_MPM_NEG, SIG_FLAG_PREFILTER, SIG_FLAG_REQUIRE_FLOWVAR, SIG_FLAG_REQUIRE_PACKET, SIG_FLAG_REQUIRE_STREAM, SIG_FLAG_SP_ANY, SIG_FLAG_SRC_ANY, SIG_FLAG_SRC_IS_TARGET, SIG_FLAG_TLSSTORE, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SIG_MASK_REQUIRE_ENGINE_EVENT, SIG_MASK_REQUIRE_FLAGS_INITDEINIT, SIG_MASK_REQUIRE_FLAGS_UNUSUAL, SIG_MASK_REQUIRE_FLOW, SIG_MASK_REQUIRE_NO_PAYLOAD, SIG_MASK_REQUIRE_PAYLOAD, SIG_MASK_REQUIRE_REAL_PKT, Signature_::sig_str, SIG_TYPE_APP_TX, SIG_TYPE_APPLAYER, SIG_TYPE_DEONLY, SIG_TYPE_IPONLY, SIG_TYPE_LIKE_IPONLY, SIG_TYPE_MAX, SIG_TYPE_NOT_SET, SIG_TYPE_PDONLY, SIG_TYPE_PKT, SIG_TYPE_PKT_STREAM, SIG_TYPE_STREAM, sigmatch_table, DetectEnginePktInspectionEngine::sm_list, TransformData_::transform, DetectEngineTransforms::transforms, DetectEnginePktInspectionEngine::transforms, Signature_::type, and DetectEnginePktInspectionEngine::v1.
void EngineAnalysisRulesFailure | ( | const DetectEngineCtx * | de_ctx, |
char * | line, | ||
char * | file, | ||
int | lineno | ||
) |
Definition at line 623 of file detect-engine-analyzer.c.
References de_ctx, DetectEngineCtx_::ea, and EngineAnalysisCtx_::fp_engine_analysis_fp.
void SetupEngineAnalysis | ( | DetectEngineCtx * | de_ctx, |
bool * | fp_analysis, | ||
bool * | rule_analysis | ||
) |
Definition at line 475 of file detect-engine-analyzer.c.
References DetectEngineCtx_::config_prefix, de_ctx, DetectEngineCtx_::ea, FatalError, EngineAnalysisCtx_::file_prefix, and SCCalloc.
Referenced by SigLoadSignatures().
const DetectEngineAnalyzerItems analyzer_items[] |
Definition at line 112 of file detect-engine-analyzer.c.
SCMutex g_rules_analyzer_write_m = SCMUTEX_INITIALIZER |
Definition at line 970 of file detect-engine-analyzer.c.
Referenced by DumpPatterns().