#include "suricata-common.h"#include "detect.h"#include "detect-engine.h"#include "detect-parse.h"#include "detect-content.h"#include "detect-engine-build.h"#include "detect-engine-address.h"#include "detect-engine-analyzer.h"#include "detect-engine-iponly.h"#include "detect-engine-mpm.h"#include "detect-engine-siggroup.h"#include "detect-engine-port.h"#include "detect-engine-prefilter.h"#include "detect-engine-proto.h"#include "detect-engine-threshold.h"#include "detect-dsize.h"#include "detect-tcp-flags.h"#include "detect-flow.h"#include "detect-config.h"#include "detect-flowbits.h"#include "util-port-interval-tree.h"#include "util-profiling.h"#include "util-validate.h"#include "util-var-name.h"#include "util-conf.h"
Go to the source code of this file.
Data Structures | |
| struct | UniquePortPoint_ |
Macros | |
| #define | DETECT_PGSCORE_RULE_PORT_WHITELISTED 111 /* Rule port group contains a whitelisted port */ |
| #define | DETECT_PGSCORE_RULE_MPM_FAST_PATTERN 99 /* Rule contains an MPM fast pattern */ |
| #define | DETECT_PGSCORE_RULE_MPM_NEGATED 77 /* Rule contains a negated MPM */ |
| #define | DETECT_PGSCORE_RULE_NO_MPM 55 /* Rule does not contain MPM */ |
| #define | DETECT_PGSCORE_RULE_SYN_ONLY 33 /* Rule needs SYN check */ |
| #define | MASK_TCP_INITDEINIT_FLAGS (TH_SYN|TH_RST|TH_FIN) |
| #define | MASK_TCP_UNUSUAL_FLAGS (TH_URG|TH_ECN|TH_CWR) |
| #define | UNDEFINED_PORT 0 |
| #define | RANGE_PORT 1 |
| #define | SINGLE_PORT 2 |
Typedefs | |
| typedef struct UniquePortPoint_ | UniquePortPoint |
Functions | |
| void | SigCleanSignatures (DetectEngineCtx *de_ctx) |
| Signature * | SigFindSignatureBySidGid (DetectEngineCtx *de_ctx, uint32_t sid, uint32_t gid) |
| Find a specific signature by sid and gid. More... | |
| int | SignatureIsFilestoring (const Signature *s) |
| Check if a signature contains the filestore keyword. More... | |
| int | SignatureIsFilemagicInspecting (const Signature *s) |
| Check if a signature contains the filemagic keyword. More... | |
| int | SignatureIsFileMd5Inspecting (const Signature *s) |
| Check if a signature contains the filemd5 keyword. More... | |
| int | SignatureIsFileSha1Inspecting (const Signature *s) |
| Check if a signature contains the filesha1 keyword. More... | |
| int | SignatureIsFileSha256Inspecting (const Signature *s) |
| Check if a signature contains the filesha256 keyword. More... | |
| int | SignatureIsFilesizeInspecting (const Signature *s) |
| Check if a signature contains the filesize keyword. More... | |
| int | SignatureIsIPOnly (DetectEngineCtx *de_ctx, const Signature *s) |
| Test is a initialized signature is IP only. More... | |
| void | PacketCreateMask (Packet *p, SignatureMask *mask, AppProto alproto, bool app_decoder_events) |
| void | SignatureSetType (DetectEngineCtx *de_ctx, Signature *s) |
| int | SigPrepareStage1 (DetectEngineCtx *de_ctx) |
| Preprocess signature, classify ip-only, etc, build sig array. More... | |
| int | SigPrepareStage2 (DetectEngineCtx *de_ctx) |
| Fill the global src group head, with the sigs included. More... | |
| int | SigPrepareStage3 (DetectEngineCtx *de_ctx) |
| int | SigAddressCleanupStage1 (DetectEngineCtx *de_ctx) |
| int | SigPrepareStage4 (DetectEngineCtx *de_ctx) |
| finalize preparing sgh's More... | |
| int | SigGroupBuild (DetectEngineCtx *de_ctx) |
| Convert the signature list into the runtime match structure. More... | |
| int | SigGroupCleanup (DetectEngineCtx *de_ctx) |
Variables | |
| int | g_skip_prefilter |
| bool | rule_engine_analysis_set |
Macro Definition Documentation
◆ DETECT_PGSCORE_RULE_MPM_FAST_PATTERN
| #define DETECT_PGSCORE_RULE_MPM_FAST_PATTERN 99 /* Rule contains an MPM fast pattern */ |
Definition at line 50 of file detect-engine-build.c.
◆ DETECT_PGSCORE_RULE_MPM_NEGATED
| #define DETECT_PGSCORE_RULE_MPM_NEGATED 77 /* Rule contains a negated MPM */ |
Definition at line 51 of file detect-engine-build.c.
◆ DETECT_PGSCORE_RULE_NO_MPM
| #define DETECT_PGSCORE_RULE_NO_MPM 55 /* Rule does not contain MPM */ |
Definition at line 52 of file detect-engine-build.c.
◆ DETECT_PGSCORE_RULE_PORT_WHITELISTED
| #define DETECT_PGSCORE_RULE_PORT_WHITELISTED 111 /* Rule port group contains a whitelisted port */ |
Definition at line 49 of file detect-engine-build.c.
◆ DETECT_PGSCORE_RULE_SYN_ONLY
| #define DETECT_PGSCORE_RULE_SYN_ONLY 33 /* Rule needs SYN check */ |
Definition at line 53 of file detect-engine-build.c.
◆ MASK_TCP_INITDEINIT_FLAGS
Definition at line 401 of file detect-engine-build.c.
◆ MASK_TCP_UNUSUAL_FLAGS
Definition at line 402 of file detect-engine-build.c.
◆ RANGE_PORT
| #define RANGE_PORT 1 |
Definition at line 1317 of file detect-engine-build.c.
◆ SINGLE_PORT
| #define SINGLE_PORT 2 |
Definition at line 1318 of file detect-engine-build.c.
◆ UNDEFINED_PORT
| #define UNDEFINED_PORT 0 |
Definition at line 1316 of file detect-engine-build.c.
Typedef Documentation
◆ UniquePortPoint
| typedef struct UniquePortPoint_ UniquePortPoint |
Function Documentation
◆ PacketCreateMask()
| void PacketCreateMask | ( | Packet * | p, |
| SignatureMask * | mask, | ||
| AppProto | alproto, | ||
| bool | app_decoder_events | ||
| ) |
Definition at line 406 of file detect-engine-build.c.
References Packet_::app_layer_events, PacketEngineEvents_::cnt, Packet_::events, Packet_::flags, MASK_TCP_INITDEINIT_FLAGS, MASK_TCP_UNUSUAL_FLAGS, Packet_::payload_len, PKT_DETECT_HAS_STREAMDATA, PKT_HAS_FLOW, PKT_IS_PSEUDOPKT, PKT_IS_TCP, PKT_NOPAYLOAD_INSPECTION, SCLogDebug, SIG_MASK_REQUIRE_ENGINE_EVENT, SIG_MASK_REQUIRE_FLAGS_INITDEINIT, SIG_MASK_REQUIRE_FLAGS_UNUSUAL, SIG_MASK_REQUIRE_FLOW, SIG_MASK_REQUIRE_NO_PAYLOAD, SIG_MASK_REQUIRE_PAYLOAD, Packet_::tcph, and TCPHdr_::th_flags.
◆ SigAddressCleanupStage1()
| int SigAddressCleanupStage1 | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 1932 of file detect-engine-build.c.
References BUG_ON, de_ctx, DetectEngineCtx_::decoder_event_sgh, DetectPortCleanupList(), DetectEngineCtx_::flow_gh, FLOW_STATES, DetectEngineCtx_::io_ctx, IPOnlyDeinit(), SCFree, SCLogDebug, DetectEngineLookupFlow_::sgh, DetectEngineCtx_::sgh_array, DetectEngineCtx_::sgh_array_cnt, DetectEngineCtx_::sgh_array_size, SigGroupHeadFree(), DetectEngineLookupFlow_::tcp, and DetectEngineLookupFlow_::udp.
Referenced by SigGroupCleanup().
◆ SigCleanSignatures()
| void SigCleanSignatures | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 54 of file detect-engine-build.c.
References de_ctx, DetectEngineResetMaxSigId(), Signature_::next, DetectEngineCtx_::sig_list, and SigFree().
Referenced by DetectEngineCtxFree(), and UTHPacketMatchSig().
◆ SigFindSignatureBySidGid()
| Signature* SigFindSignatureBySidGid | ( | DetectEngineCtx * | de_ctx, |
| uint32_t | sid, | ||
| uint32_t | gid | ||
| ) |
Find a specific signature by sid and gid.
- Parameters
-
de_ctx detection engine ctx sid the signature id gid the signature group id
- Return values
-
s sig found NULL sig not found
Definition at line 78 of file detect-engine-build.c.
References de_ctx, Signature_::next, and DetectEngineCtx_::sig_list.
◆ SigGroupBuild()
| int SigGroupBuild | ( | DetectEngineCtx * | de_ctx | ) |
Convert the signature list into the runtime match structure.
- Parameters
-
de_ctx Pointer to the Detection Engine Context whose Signatures have to be processed
- Return values
-
0 On Success. -1 On failure.
Definition at line 2149 of file detect-engine-build.c.
References de_ctx, DetectSetFastPatternAndItsId(), Signature_::next, Signature_::num, DetectEngineCtx_::sig_list, and DetectEngineCtx_::signum.
Referenced by UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().
◆ SigGroupCleanup()
| int SigGroupCleanup | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 2218 of file detect-engine-build.c.
References de_ctx, and SigAddressCleanupStage1().
Referenced by DetectEngineCtxFree(), UTHMatchPackets(), and UTHPacketMatchSig().
◆ SignatureIsFilemagicInspecting()
| int SignatureIsFilemagicInspecting | ( | const Signature * | s | ) |
Check if a signature contains the filemagic keyword.
- Parameters
-
s signature
- Return values
-
0 no 1 yes
Definition at line 118 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_MAGIC.
Referenced by SigGroupHeadSetupFiles().
◆ SignatureIsFileMd5Inspecting()
| int SignatureIsFileMd5Inspecting | ( | const Signature * | s | ) |
Check if a signature contains the filemd5 keyword.
- Parameters
-
s signature
- Return values
-
0 no 1 yes
Definition at line 137 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_MD5.
Referenced by SigGroupHeadSetupFiles().
◆ SignatureIsFileSha1Inspecting()
| int SignatureIsFileSha1Inspecting | ( | const Signature * | s | ) |
Check if a signature contains the filesha1 keyword.
- Parameters
-
s signature
- Return values
-
0 no 1 yes
Definition at line 153 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_SHA1.
Referenced by SigGroupHeadSetupFiles().
◆ SignatureIsFileSha256Inspecting()
| int SignatureIsFileSha256Inspecting | ( | const Signature * | s | ) |
Check if a signature contains the filesha256 keyword.
- Parameters
-
s signature
- Return values
-
0 no 1 yes
Definition at line 169 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_SHA256.
Referenced by SigGroupHeadSetupFiles().
◆ SignatureIsFilesizeInspecting()
| int SignatureIsFilesizeInspecting | ( | const Signature * | s | ) |
Check if a signature contains the filesize keyword.
- Parameters
-
s signature
- Return values
-
0 no 1 yes
Definition at line 185 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_SIZE.
Referenced by SigGroupHeadSetupFiles().
◆ SignatureIsFilestoring()
| int SignatureIsFilestoring | ( | const Signature * | s | ) |
Check if a signature contains the filestore keyword.
- Parameters
-
s signature
- Return values
-
0 no 1 yes
Definition at line 99 of file detect-engine-build.c.
References Signature_::flags, and SIG_FLAG_FILESTORE.
Referenced by SigGroupHeadSetupFiles().
◆ SignatureIsIPOnly()
| int SignatureIsIPOnly | ( | DetectEngineCtx * | de_ctx, |
| const Signature * | s | ||
| ) |
Test is a initialized signature is IP only.
- Parameters
-
de_ctx detection engine ctx s the signature
- Return values
-
1 sig is ip only 2 sig is like ip only 0 sig is not ip only
Definition at line 208 of file detect-engine-build.c.
References Signature_::alproto, ALPROTO_UNKNOWN, DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, SIG_FLAG_APPLAYER, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, and SignatureInitData_::smlists.
◆ SignatureSetType()
| void SignatureSetType | ( | DetectEngineCtx * | de_ctx, |
| Signature * | s | ||
| ) |
Definition at line 1647 of file detect-engine-build.c.
References BUG_ON, SIG_TYPE_NOT_SET, and Signature_::type.
◆ SigPrepareStage1()
| int SigPrepareStage1 | ( | DetectEngineCtx * | de_ctx | ) |
Preprocess signature, classify ip-only, etc, build sig array.
- Parameters
-
de_ctx Pointer to the Detection Engine Context
- Return values
-
0 on success -1 on failure
Definition at line 1720 of file detect-engine-build.c.
References de_ctx, DE_QUIET, DetectEngineGetMaxSigId, DetectEngineCtx_::flags, Signature_::id, Signature_::next, Signature_::num, SCCalloc, SCLogDebug, DetectEngineCtx_::sig_array, DetectEngineCtx_::sig_array_len, DetectEngineCtx_::sig_list, SIG_TYPE_IPONLY, SIG_TYPE_PDONLY, and Signature_::type.
◆ SigPrepareStage2()
| int SigPrepareStage2 | ( | DetectEngineCtx * | de_ctx | ) |
Fill the global src group head, with the sigs included.
- Parameters
-
de_ctx Pointer to the Detection Engine Context whose Signatures have to be processed
- Return values
-
0 On success -1 On failure
Definition at line 1885 of file detect-engine-build.c.
References de_ctx, DetectEngineCtx_::flow_gh, DetectEngineCtx_::io_ctx, IPOnlyInit(), SCLogDebug, and DetectEngineLookupFlow_::tcp.
◆ SigPrepareStage3()
| int SigPrepareStage3 | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 1925 of file detect-engine-build.c.
◆ SigPrepareStage4()
| int SigPrepareStage4 | ( | DetectEngineCtx * | de_ctx | ) |
finalize preparing sgh's
Definition at line 2006 of file detect-engine-build.c.
References cnt, ConfGetBool(), de_ctx, DetectEngineCtx_::decoder_event_sgh, SigGroupHead_::filestore_cnt, SigGroupHead_::id, MpmStoreReportStats(), PrefilterSetupRuleGroup(), SCEnter, SCLogDebug, SCLogPerf, DetectEngineCtx_::sgh_array, DetectEngineCtx_::sgh_array_cnt, SigGroupHeadBuildNonPrefilterArray(), and SigGroupHeadSetupFiles().
Variable Documentation
◆ g_skip_prefilter
| int g_skip_prefilter |
Definition at line 1050 of file detect-engine-mpm.c.
◆ rule_engine_analysis_set
| bool rule_engine_analysis_set |
Definition at line 55 of file detect-engine-loader.c.
