detect-engine-analyzer.c File Reference
#include "suricata-common.h"
#include "suricata.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-analyzer.h"
#include "detect-engine-mpm.h"
#include "conf.h"
#include "detect-content.h"
#include "detect-flow.h"
#include "detect-tcp-flags.h"
#include "util-print.h"
#include "util-buffer.h"
#include "output-json.h"


Data Structures

struct  FpPatternStats_
 
struct  RuleAnalyzer
 

Macros

#define DETECT_PERCENT_ENCODING_REGEX   "%[0-9|a-f|A-F]{2}"
 
#define MAX_ENCODED_CHARS   240
 
#define CHECK(pat)   if (strlen((pat)) <= len && memcmp((pat), buf, MIN(len, strlen((pat)))) == 0) return true;
 

Typedefs

typedef struct FpPatternStats_ FpPatternStats
 
typedef struct RuleAnalyzer RuleAnalyzer
 

Functions

void EngineAnalysisFP (const DetectEngineCtx *de_ctx, const Signature *s, char *line)
 
int SetupFPAnalyzer (void)
 Sets up the fast pattern analyzer according to the config. More...
 
int SetupRuleAnalyzer (void)
 Sets up the rule analyzer according to the config. More...
 
void CleanupFPAnalyzer (void)
 
void CleanupRuleAnalyzer (void)
 
int PerCentEncodingSetup ()
 Compiles regex for rule analysis. More...
 
int PerCentEncodingMatch (uint8_t *content, uint8_t content_len)
 Checks for % encoding in content. More...
 
void EngineAnalysisRulesFailure (char *line, char *file, int lineno)
 
void EngineAnalysisRules2 (const DetectEngineCtx *de_ctx, const Signature *s)
 
void EngineAnalysisRules (const DetectEngineCtx *de_ctx, const Signature *s, const char *line)
 Prints analysis of loaded rules. More...
 

Variables

SCMutex g_rules_analyzer_write_m = SCMUTEX_INITIALIZER
 

Detailed Description

Author
Eileen Donlon emdon.nosp@m.lo@g.nosp@m.mail..nosp@m.com
Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Rule analyzers for the detection engine

Definition in file detect-engine-analyzer.c.

Macro Definition Documentation

#define CHECK (   pat)    if (strlen((pat)) <= len && memcmp((pat), buf, MIN(len, strlen((pat)))) == 0) return true;

Definition at line 516 of file detect-engine-analyzer.c.

#define DETECT_PERCENT_ENCODING_REGEX   "%[0-9|a-f|A-F]{2}"

Referenced by PerCentEncodingSetup().

#define MAX_ENCODED_CHARS   240

Referenced by PerCentEncodingMatch().

Typedef Documentation

typedef struct RuleAnalyzer RuleAnalyzer

Function Documentation

void CleanupFPAnalyzer ( void  )

Definition at line 314 of file detect-engine-analyzer.c.

References FpPatternStats_::cnt, DETECT_SM_LIST_MAX, DetectSigmatchListEnumToString(), FpPatternStats_::max, FpPatternStats_::min, and FpPatternStats_::tot.

Referenced by SigLoadSignatures().



void CleanupRuleAnalyzer ( void  )

Definition at line 338 of file detect-engine-analyzer.c.

References SCLogInfo.

Referenced by SigLoadSignatures().


void EngineAnalysisRules ( const DetectEngineCtx de_ctx,
const Signature s,
const char *  line 
)

Prints analysis of loaded rules.

Warns if potential rule issues are detected. For example, it warns when a rule uses a construct that may perform poorly (e.g. pcre without content, or http_method content only), and when a rule uses a construct that may not match the author's intent (e.g. client-side ports only, or an http rule whose content has no http_* modifiers).

Parameters
s: Pointer to the signature.

Definition at line 873 of file detect-engine-analyzer.c.

References Signature_::alproto, ALPROTO_HTTP, ALPROTO_UNKNOWN, AppProtoToString(), DetectContentData_::content, DetectContentData_::content_len, SigMatch_::ctx, DETECT_CONTENT, DETECT_CONTENT_DEPTH, DETECT_CONTENT_OFFSET, DETECT_FLAGS, DETECT_FLOW, DETECT_FLOW_FLAG_NOSTREAM, DETECT_FLOWBITS, DETECT_FLOWINT, DETECT_PCRE, DETECT_PROTO_ANY, DETECT_PROTO_IPV4, DETECT_PROTO_IPV6, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_PMATCH, DetectBufferTypeGetByName(), DetectProtoContainsProto(), DetectFlowData_::flags, DetectProto_::flags, DetectContentData_::flags, Signature_::flags, Signature_::id, Signature_::init_data, SignatureInitData_::init_flags, SignatureInitData_::mpm_sm, SigTableElmt_::name, SigMatch_::next, PerCentEncodingMatch(), SignatureInitData_::prefilter_sm, Signature_::proto, SIG_FLAG_DP_ANY, SIG_FLAG_INIT_BIDIREC, SIG_FLAG_IPONLY, SIG_FLAG_PDONLY, SIG_FLAG_REQUIRE_PACKET, SIG_FLAG_REQUIRE_STREAM, SIG_FLAG_SP_ANY, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, sigmatch_table, SigMatchListSMBelongsTo(), SignatureInitData_::smlists, SignatureInitData_::smlists_array_size, and SigMatch_::type.

Referenced by DetectLoadCompleteSigPath().



void EngineAnalysisRules2 ( const DetectEngineCtx de_ctx,
const Signature s 
)

Definition at line 611 of file detect-engine-analyzer.c.

References DetectEngineAppInspectionEngine_::alproto, Signature_::alproto, Signature_::app_inspect, AppProtoToString(), OutputJSONMemBufferWrapper_::buffer, ConfigGetLogDirectory(), DETECT_SM_LIST_MATCH, DETECT_SM_LIST_MAX, DETECT_SM_LIST_PMATCH, DetectBufferTypeGetNameById(), DetectSigmatchListEnumToString(), DetectEngineAppInspectionEngine_::dir, Signature_::flags, Signature_::gid, Signature_::id, Signature_::init_data, SignatureInitData_::init_flags, RuleAnalyzer::js, RuleAnalyzer::js_notes, RuleAnalyzer::js_warnings, json_boolean, JSON_ESCAPE_SLASH, Signature_::mask, MemBufferCreateNew(), MemBufferFree(), MemBufferPrintToFPAsString, MemBufferWriteString, DetectEngineAppInspectionEngine_::mpm, DetectEnginePktInspectionEngine::mpm, Signature_::msg, DetectEngineAppInspectionEngine_::next, DetectEnginePktInspectionEngine::next, OutputJSONMemBufferCallback(), Signature_::pkt_inspect, DetectEngineAppInspectionEngine_::progress, Signature_::rev, SC_ERR_SOCKET, SCEnter, SCLogWarning, SCMutexLock, SCMutexUnlock, SCReturn, SIG_FLAG_APPLAYER, SIG_FLAG_BYPASS, SIG_FLAG_DEST_IS_TARGET, SIG_FLAG_DP_ANY, SIG_FLAG_DSIZE, SIG_FLAG_DST_ANY, SIG_FLAG_FILESTORE, SIG_FLAG_FLUSH, SIG_FLAG_INIT_STATE_MATCH, SIG_FLAG_IPONLY, SIG_FLAG_MPM_NEG, SIG_FLAG_NOALERT, SIG_FLAG_PDONLY, SIG_FLAG_PREFILTER, SIG_FLAG_REQUIRE_FLOWVAR, SIG_FLAG_REQUIRE_PACKET, SIG_FLAG_REQUIRE_STREAM, SIG_FLAG_SP_ANY, SIG_FLAG_SRC_ANY, SIG_FLAG_SRC_IS_TARGET, SIG_FLAG_TLSSTORE, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SIG_MASK_REQUIRE_DCERPC, SIG_MASK_REQUIRE_ENGINE_EVENT, SIG_MASK_REQUIRE_FLAGS_INITDEINIT, SIG_MASK_REQUIRE_FLAGS_UNUSUAL, SIG_MASK_REQUIRE_FLOW, SIG_MASK_REQUIRE_NO_PAYLOAD, SIG_MASK_REQUIRE_PAYLOAD, Signature_::sig_str, Signature_::sm_arrays, DetectEngineAppInspectionEngine_::sm_list, DetectEnginePktInspectionEngine::sm_list, DetectEngineAppInspectionEngine_::smd, and DetectEnginePktInspectionEngine::smd.

Referenced by SigAddressPrepareStage4().



void EngineAnalysisRulesFailure ( char *  line,
char *  file,
int  lineno 
)

Definition at line 464 of file detect-engine-analyzer.c.

Referenced by DetectLoadCompleteSigPath().


int PerCentEncodingMatch ( uint8_t *  content,
uint8_t  content_len 
)
int PerCentEncodingSetup ( void  )

Compiles regex for rule analysis.

Return values
1 if successful
0 on error

Definition at line 352 of file detect-engine-analyzer.c.

References DETECT_PERCENT_ENCODING_REGEX, SC_ERR_PCRE_COMPILE, SC_ERR_PCRE_STUDY, and SCLogError.

Referenced by SetupRuleAnalyzer().


int SetupFPAnalyzer ( void  )

Sets up the fast pattern analyzer according to the config.

Return values
1 if the fast pattern analyzer was successfully enabled.
0 if not enabled.

Definition at line 208 of file detect-engine-analyzer.c.

References ConfGetBool(), ConfigGetLogDirectory(), SC_ERR_FOPEN, SCLocalTime(), SCLogError, and SCLogInfo.

Referenced by SigLoadSignatures().



int SetupRuleAnalyzer ( void  )

Sets up the rule analyzer according to the config.

Return values
1 if the rule analyzer was successfully enabled
0 if not enabled

Definition at line 258 of file detect-engine-analyzer.c.

References ConfGetNode(), ConfigGetLogDirectory(), ConfNodeLookupChildValue(), ConfValIsTrue(), PerCentEncodingSetup(), SC_ERR_FOPEN, SCLocalTime(), SCLogError, and SCLogInfo.

Referenced by SigLoadSignatures().



Variable Documentation

SCMutex g_rules_analyzer_write_m = SCMUTEX_INITIALIZER

Definition at line 610 of file detect-engine-analyzer.c.