#include "suricata-common.h"#include "suricata.h"#include "rust.h"#include "detect.h"#include "detect-parse.h"#include "detect-engine.h"#include "detect-engine-analyzer.h"#include "detect-engine-mpm.h"#include "conf.h"#include "detect-content.h"#include "detect-pcre.h"#include "detect-bytejump.h"#include "detect-bytetest.h"#include "detect-flow.h"#include "detect-tcp-flags.h"#include "feature.h"#include "util-print.h"#include "util-time.h"#include "util-validate.h"#include "util-conf.h"
Go to the source code of this file.
Data Structures | |
| struct | FpPatternStats_ |
| struct | DetectEngineAnalyzerItems |
| struct | ExposedItemSeen |
| struct | RuleAnalyzer |
Macros | |
| #define | DETECT_PERCENT_ENCODING_REGEX "%[0-9|a-f|A-F]{2}" |
| #define | CHECK(pat) if (strlen((pat)) <= len && memcmp((pat), buf, MIN(len, strlen((pat)))) == 0) return true; |
Typedefs | |
| typedef struct FpPatternStats_ | FpPatternStats |
| typedef struct DetectEngineAnalyzerItems | DetectEngineAnalyzerItems |
| typedef struct RuleAnalyzer | RuleAnalyzer |
Functions | |
| void | EngineAnalysisFP (const DetectEngineCtx *de_ctx, const Signature *s, char *line) |
| int | SetupFPAnalyzer (void) |
| Sets up the fast pattern analyzer according to the config. More... | |
| int | SetupRuleAnalyzer (void) |
| Sets up the rule analyzer according to the config. More... | |
| void | CleanupFPAnalyzer (void) |
| void | CleanupRuleAnalyzer (void) |
| int | PerCentEncodingSetup (void) |
| Compiles regex for rule analysis. More... | |
| void | EngineAnalysisRulesFailure (char *line, char *file, int lineno) |
| void | EngineAnalysisRules2 (const DetectEngineCtx *de_ctx, const Signature *s) |
| void | DumpPatterns (DetectEngineCtx *de_ctx) |
| void | EngineAnalysisRules (const DetectEngineCtx *de_ctx, const Signature *s, const char *line) |
| Prints analysis of loaded rules. More... | |
Variables | |
| DetectEngineAnalyzerItems | analyzer_items [] |
| int16_t | analyzer_item_map [256] |
| struct ExposedItemSeen | exposed_item_seen_list [] |
| SCMutex | g_rules_analyzer_write_m = SCMUTEX_INITIALIZER |
Detailed Description
Rule analyzers for the detection engine
Definition in file detect-engine-analyzer.c.
Macro Definition Documentation
◆ CHECK
| #define CHECK | ( | pat | ) | if (strlen((pat)) <= len && memcmp((pat), buf, MIN(len, strlen((pat)))) == 0) return true; |
Definition at line 602 of file detect-engine-analyzer.c.
◆ DETECT_PERCENT_ENCODING_REGEX
| #define DETECT_PERCENT_ENCODING_REGEX "%[0-9|a-f|A-F]{2}" |
Typedef Documentation
◆ DetectEngineAnalyzerItems
| typedef struct DetectEngineAnalyzerItems DetectEngineAnalyzerItems |
◆ FpPatternStats
| typedef struct FpPatternStats_ FpPatternStats |
◆ RuleAnalyzer
| typedef struct RuleAnalyzer RuleAnalyzer |
Function Documentation
◆ CleanupFPAnalyzer()
| void CleanupFPAnalyzer | ( | void | ) |
Definition at line 395 of file detect-engine-analyzer.c.
◆ CleanupRuleAnalyzer()
| void CleanupRuleAnalyzer | ( | void | ) |
Definition at line 419 of file detect-engine-analyzer.c.
◆ DumpPatterns()
| void DumpPatterns | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 1121 of file detect-engine-analyzer.c.
References DetectEngineCtx_::buffer_type_id, DetectPatternTracker::cd, DetectPatternTracker::cnt, ConfigGetLogDirectory(), DetectContentData_::content_len, de_ctx, DETECT_CONTENT_DEPTH, DETECT_CONTENT_ENDS_WITH, DETECT_CONTENT_NEGATED, DETECT_CONTENT_NOCASE, DETECT_CONTENT_OFFSET, DETECT_SM_LIST_DYNAMIC_START, DetectContentPatternPrettyPrint(), DetectEngineBufferTypeGetNameById(), DetectListToHumanString(), DetectContentData_::flags, g_rules_analyzer_write_m, HashListTableFree(), HashListTableGetListData, HashListTableGetListHead(), HashListTableGetListNext, DetectPatternTracker::mpm, DetectEngineCtx_::pattern_hash_table, SCMutexLock, SCMutexUnlock, DetectPatternTracker::sm_list, and str.
◆ EngineAnalysisFP()
| void EngineAnalysisFP | ( | const DetectEngineCtx * | de_ctx, |
| const Signature * | s, | ||
| char * | line | ||
| ) |
Definition at line 157 of file detect-engine-analyzer.c.
References SigMatch_::ctx, DETECT_CONTENT_FAST_PATTERN, DETECT_CONTENT_FAST_PATTERN_CHOP, DETECT_CONTENT_FAST_PATTERN_ONLY, DetectContentData_::flags, Signature_::init_data, SignatureInitData_::mpm_sm, and SignatureInitData_::mpm_sm_list.
◆ EngineAnalysisRules()
| void EngineAnalysisRules | ( | const DetectEngineCtx * | de_ctx, |
| const Signature * | s, | ||
| const char * | line | ||
| ) |
Prints analysis of loaded rules.
Warns if potential rule issues are detected. For example, warns if a rule uses a construct that may perform poorly, e.g. pcre without content or with http_method content only; warns if a rule uses a construct that may not be consistent with intent, e.g. client side ports only, http and content without any http_* modifiers, etc.
- Parameters
-
s Pointer to the signature.
Definition at line 1256 of file detect-engine-analyzer.c.
◆ EngineAnalysisRules2()
| void EngineAnalysisRules2 | ( | const DetectEngineCtx * | de_ctx, |
| const Signature * | s | ||
| ) |
Definition at line 801 of file detect-engine-analyzer.c.
References Signature_::alproto, AppProtoToString(), DetectEngineTransforms::cnt, de_ctx, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_PMATCH, DetectEngineBufferTypeGetNameById(), Signature_::flags, Signature_::gid, Signature_::id, RuleAnalyzer::js, Signature_::mask, DetectEnginePktInspectionEngine::mpm, Signature_::msg, SigTableElmt_::name, DetectEnginePktInspectionEngine::next, Signature_::pkt_inspect, Signature_::rev, SCEnter, SCReturn, SIG_FLAG_APPLAYER, SIG_FLAG_BYPASS, SIG_FLAG_DEST_IS_TARGET, SIG_FLAG_DP_ANY, SIG_FLAG_DSIZE, SIG_FLAG_DST_ANY, SIG_FLAG_FILESTORE, SIG_FLAG_FLUSH, SIG_FLAG_IPONLY, SIG_FLAG_MPM_NEG, SIG_FLAG_NOALERT, SIG_FLAG_PDONLY, SIG_FLAG_PREFILTER, SIG_FLAG_REQUIRE_FLOWVAR, SIG_FLAG_REQUIRE_PACKET, SIG_FLAG_REQUIRE_STREAM, SIG_FLAG_SP_ANY, SIG_FLAG_SRC_ANY, SIG_FLAG_SRC_IS_TARGET, SIG_FLAG_TLSSTORE, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SIG_MASK_REQUIRE_DCERPC, SIG_MASK_REQUIRE_ENGINE_EVENT, SIG_MASK_REQUIRE_FLAGS_INITDEINIT, SIG_MASK_REQUIRE_FLAGS_UNUSUAL, SIG_MASK_REQUIRE_FLOW, SIG_MASK_REQUIRE_NO_PAYLOAD, SIG_MASK_REQUIRE_PAYLOAD, Signature_::sig_str, sigmatch_table, DetectEnginePktInspectionEngine::sm_list, TransformData_::transform, DetectEngineTransforms::transforms, DetectEnginePktInspectionEngine::transforms, and DetectEnginePktInspectionEngine::v1.
◆ EngineAnalysisRulesFailure()
| void EngineAnalysisRulesFailure | ( | char * | line, |
| char * | file, | ||
| int | lineno | ||
| ) |
Definition at line 554 of file detect-engine-analyzer.c.
◆ PerCentEncodingSetup()
| int PerCentEncodingSetup | ( | void | ) |
Compiles regex for rule analysis.
- Return values
-
1 if successful 0 if on error
Definition at line 437 of file detect-engine-analyzer.c.
◆ SetupFPAnalyzer()
| int SetupFPAnalyzer | ( | void | ) |
Sets up the fast pattern analyzer according to the config.
- Return values
-
1 If rule analyzer successfully enabled. 0 If not enabled.
Definition at line 290 of file detect-engine-analyzer.c.
◆ SetupRuleAnalyzer()
| int SetupRuleAnalyzer | ( | void | ) |
Sets up the rule analyzer according to the config.
- Return values
-
1 if rule analyzer successfully enabled 0 if not enabled
Definition at line 339 of file detect-engine-analyzer.c.
References ConfGetNode(), ConfNodeLookupChildValue(), and ConfValIsTrue().
Variable Documentation
◆ analyzer_item_map
| int16_t analyzer_item_map[256] |
Definition at line 125 of file detect-engine-analyzer.c.
◆ analyzer_items
| DetectEngineAnalyzerItems analyzer_items[] |
Definition at line 78 of file detect-engine-analyzer.c.
◆ exposed_item_seen_list
| struct ExposedItemSeen exposed_item_seen_list[] |
Definition at line 125 of file detect-engine-analyzer.c.
◆ g_rules_analyzer_write_m
| SCMutex g_rules_analyzer_write_m = SCMUTEX_INITIALIZER |
Definition at line 800 of file detect-engine-analyzer.c.
Referenced by DumpPatterns().
