detect-engine-analyzer.c File Reference
#include "suricata-common.h"
#include "suricata.h"
#include "rust.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-analyzer.h"
#include "detect-engine-mpm.h"
#include "conf.h"
#include "detect-content.h"
#include "detect-pcre.h"
#include "detect-bytejump.h"
#include "detect-bytetest.h"
#include "detect-flow.h"
#include "detect-tcp-flags.h"
#include "feature.h"
#include "util-print.h"
#include "util-time.h"
#include "util-validate.h"
#include "util-conf.h"
Include dependency graph for detect-engine-analyzer.c:

Go to the source code of this file.

Data Structures

struct  DetectEngineAnalyzerItems
struct  FpPatternStats_
struct  ExposedItemSeen
struct  EngineAnalysisCtx_
struct  RuleAnalyzer


#define DETECT_PERCENT_ENCODING_REGEX   "%[0-9|a-f|A-F]{2}"
#define CHECK(pat)   if (strlen((pat)) <= len && memcmp((pat), buf, MIN(len, strlen((pat)))) == 0) return true;


typedef struct DetectEngineAnalyzerItems DetectEngineAnalyzerItems
typedef struct FpPatternStats_ FpPatternStats
typedef struct EngineAnalysisCtx_ EngineAnalysisCtx
typedef struct RuleAnalyzer RuleAnalyzer


void EngineAnalysisFP (const DetectEngineCtx *de_ctx, const Signature *s, char *line)
void SetupEngineAnalysis (DetectEngineCtx *de_ctx, bool *fp_analysis, bool *rule_analysis)
void CleanupEngineAnalysis (DetectEngineCtx *de_ctx)
void EngineAnalysisRulesFailure (const DetectEngineCtx *de_ctx, char *line, char *file, int lineno)
void EngineAnalysisRules2 (const DetectEngineCtx *de_ctx, const Signature *s)
void DumpPatterns (DetectEngineCtx *de_ctx)
void EngineAnalysisRules (const DetectEngineCtx *de_ctx, const Signature *s, const char *line)
 Prints analysis of loaded rules. More...


const DetectEngineAnalyzerItems analyzer_items []
SCMutex g_rules_analyzer_write_m = SCMUTEX_INITIALIZER

Detailed Description

Eileen Donlon
Victor Julien

Rule analyzers for the detection engine

Definition in file detect-engine-analyzer.c.

Macro Definition Documentation


#define CHECK (   pat)    if (strlen((pat)) <= len && memcmp((pat), buf, MIN(len, strlen((pat)))) == 0) return true;

Definition at line 666 of file detect-engine-analyzer.c.


#define DETECT_PERCENT_ENCODING_REGEX   "%[0-9|a-f|A-F]{2}"

Typedef Documentation

◆ DetectEngineAnalyzerItems

◆ EngineAnalysisCtx

◆ FpPatternStats

◆ RuleAnalyzer

typedef struct RuleAnalyzer RuleAnalyzer

Function Documentation

◆ CleanupEngineAnalysis()

void CleanupEngineAnalysis ( DetectEngineCtx de_ctx)

Definition at line 504 of file detect-engine-analyzer.c.

References de_ctx, and DetectEngineCtx_::ea.

◆ DumpPatterns()

◆ EngineAnalysisFP()

◆ EngineAnalysisRules()

void EngineAnalysisRules ( const DetectEngineCtx de_ctx,
const Signature s,
const char *  line 

Prints analysis of loaded rules.

   Warns if potential rule issues are detected. For example,
   warns if a rule uses a construct that may perform poorly,
   e.g. pcre without content or with http_method content only;
   warns if a rule uses a construct that may not be consistent with intent,
   e.g. client side ports only, http and content without any http_* modifiers, etc.
sPointer to the signature.

Definition at line 1357 of file detect-engine-analyzer.c.

◆ EngineAnalysisRules2()

void EngineAnalysisRules2 ( const DetectEngineCtx de_ctx,
const Signature s 

Definition at line 865 of file detect-engine-analyzer.c.

References Signature_::alproto, AppProtoToString(), DetectEngineTransforms::cnt, de_ctx, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_PMATCH, DetectEngineBufferTypeGetNameById(), Signature_::flags, Signature_::gid, Signature_::id, RuleAnalyzer::js, Signature_::mask, DetectEnginePktInspectionEngine::mpm, Signature_::msg, SigTableElmt_::name, DetectEnginePktInspectionEngine::next, Signature_::pkt_inspect, Signature_::rev, SCEnter, SCReturn, SIG_FLAG_APPLAYER, SIG_FLAG_BYPASS, SIG_FLAG_DEST_IS_TARGET, SIG_FLAG_DP_ANY, SIG_FLAG_DSIZE, SIG_FLAG_DST_ANY, SIG_FLAG_FILESTORE, SIG_FLAG_FLUSH, SIG_FLAG_MPM_NEG, SIG_FLAG_NOALERT, SIG_FLAG_PREFILTER, SIG_FLAG_REQUIRE_FLOWVAR, SIG_FLAG_REQUIRE_PACKET, SIG_FLAG_REQUIRE_STREAM, SIG_FLAG_SP_ANY, SIG_FLAG_SRC_ANY, SIG_FLAG_SRC_IS_TARGET, SIG_FLAG_TLSSTORE, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SIG_MASK_REQUIRE_DCERPC, SIG_MASK_REQUIRE_ENGINE_EVENT, SIG_MASK_REQUIRE_FLAGS_INITDEINIT, SIG_MASK_REQUIRE_FLAGS_UNUSUAL, SIG_MASK_REQUIRE_FLOW, SIG_MASK_REQUIRE_NO_PAYLOAD, SIG_MASK_REQUIRE_PAYLOAD, Signature_::sig_str, SIG_TYPE_APP_TX, SIG_TYPE_APPLAYER, SIG_TYPE_DEONLY, SIG_TYPE_IPONLY, SIG_TYPE_LIKE_IPONLY, SIG_TYPE_MAX, SIG_TYPE_NOT_SET, SIG_TYPE_PDONLY, SIG_TYPE_PKT, SIG_TYPE_PKT_STREAM, SIG_TYPE_STREAM, sigmatch_table, DetectEnginePktInspectionEngine::sm_list, TransformData_::transform, DetectEngineTransforms::transforms, DetectEnginePktInspectionEngine::transforms, Signature_::type, and DetectEnginePktInspectionEngine::v1.

Here is the call graph for this function:

◆ EngineAnalysisRulesFailure()

void EngineAnalysisRulesFailure ( const DetectEngineCtx de_ctx,
char *  line,
char *  file,
int  lineno 

◆ SetupEngineAnalysis()

void SetupEngineAnalysis ( DetectEngineCtx de_ctx,
bool *  fp_analysis,
bool *  rule_analysis 

Definition at line 468 of file detect-engine-analyzer.c.

References DetectEngineCtx_::config_prefix, de_ctx, DetectEngineCtx_::ea, FatalError, EngineAnalysisCtx_::file_prefix, and SCCalloc.

Referenced by SigLoadSignatures().

Here is the caller graph for this function:

Variable Documentation

◆ analyzer_items

const DetectEngineAnalyzerItems analyzer_items[]

Definition at line 102 of file detect-engine-analyzer.c.

◆ g_rules_analyzer_write_m

SCMutex g_rules_analyzer_write_m = SCMUTEX_INITIALIZER

Definition at line 864 of file detect-engine-analyzer.c.

Referenced by DumpPatterns().