#include "suricata-common.h"#include "detect.h"#include "detect-engine.h"#include "detect-parse.h"#include "detect-content.h"#include "detect-engine-build.h"#include "detect-engine-address.h"#include "detect-engine-analyzer.h"#include "detect-engine-iponly.h"#include "detect-engine-mpm.h"#include "detect-engine-siggroup.h"#include "detect-engine-port.h"#include "detect-engine-prefilter.h"#include "detect-engine-proto.h"#include "detect-engine-threshold.h"#include "detect-dsize.h"#include "detect-tcp-flags.h"#include "detect-flow.h"#include "detect-config.h"#include "detect-flowbits.h"#include "util-profiling.h"#include "util-validate.h"#include "util-var-name.h"#include "util-conf.h"
Go to the source code of this file.
Macros | |
| #define | MASK_TCP_INITDEINIT_FLAGS (TH_SYN|TH_RST|TH_FIN) |
| #define | MASK_TCP_UNUSUAL_FLAGS (TH_URG|TH_ECN|TH_CWR) |
Functions | |
| void | SigCleanSignatures (DetectEngineCtx *de_ctx) |
| Signature * | SigFindSignatureBySidGid (DetectEngineCtx *de_ctx, uint32_t sid, uint32_t gid) |
| Find a specific signature by sid and gid. More... | |
| int | SignatureIsFilestoring (const Signature *s) |
| Check if a signature contains the filestore keyword. More... | |
| int | SignatureIsFilemagicInspecting (const Signature *s) |
| Check if a signature contains the filemagic keyword. More... | |
| int | SignatureIsFileMd5Inspecting (const Signature *s) |
| Check if a signature contains the filemd5 keyword. More... | |
| int | SignatureIsFileSha1Inspecting (const Signature *s) |
| Check if a signature contains the filesha1 keyword. More... | |
| int | SignatureIsFileSha256Inspecting (const Signature *s) |
| Check if a signature contains the filesha256 keyword. More... | |
| int | SignatureIsFilesizeInspecting (const Signature *s) |
| Check if a signature contains the filesize keyword. More... | |
| int | SignatureIsIPOnly (DetectEngineCtx *de_ctx, const Signature *s) |
| Test is a initialized signature is IP only. More... | |
| void | PacketCreateMask (Packet *p, SignatureMask *mask, AppProto alproto, bool app_decoder_events) |
| int | CreateGroupedPortList (DetectEngineCtx *de_ctx, DetectPort *port_list, DetectPort **newhead, uint32_t unique_groups, int(*CompareFunc)(DetectPort *, DetectPort *), uint32_t max_idx) |
| int | CreateGroupedPortListCmpCnt (DetectPort *a, DetectPort *b) |
| void | SignatureSetType (DetectEngineCtx *de_ctx, Signature *s) |
| int | SigAddressPrepareStage1 (DetectEngineCtx *de_ctx) |
| Preprocess signature, classify ip-only, etc, build sig array. More... | |
| int | SigAddressPrepareStage2 (DetectEngineCtx *de_ctx) |
| Fill the global src group head, with the sigs included. More... | |
| int | SigAddressPrepareStage3 (DetectEngineCtx *de_ctx) |
| int | SigAddressCleanupStage1 (DetectEngineCtx *de_ctx) |
| int | SigAddressPrepareStage4 (DetectEngineCtx *de_ctx) |
| finalize preparing sgh's More... | |
| int | SigGroupBuild (DetectEngineCtx *de_ctx) |
| Convert the signature list into the runtime match structure. More... | |
| int | SigGroupCleanup (DetectEngineCtx *de_ctx) |
Variables | |
| int | rule_engine_analysis_set |
Macro Definition Documentation
◆ MASK_TCP_INITDEINIT_FLAGS
Definition at line 406 of file detect-engine-build.c.
◆ MASK_TCP_UNUSUAL_FLAGS
Definition at line 407 of file detect-engine-build.c.
Function Documentation
◆ CreateGroupedPortList()
| int CreateGroupedPortList | ( | DetectEngineCtx * | de_ctx, |
| DetectPort * | port_list, | ||
| DetectPort ** | newhead, | ||
| uint32_t | unique_groups, | ||
| int(*)(DetectPort *, DetectPort *) | CompareFunc, | ||
| uint32_t | max_idx | ||
| ) |
Definition at line 1546 of file detect-engine-build.c.
◆ CreateGroupedPortListCmpCnt()
| int CreateGroupedPortListCmpCnt | ( | DetectPort * | a, |
| DetectPort * | b | ||
| ) |
Definition at line 1504 of file detect-engine-build.c.
◆ PacketCreateMask()
| void PacketCreateMask | ( | Packet * | p, |
| SignatureMask * | mask, | ||
| AppProto | alproto, | ||
| bool | app_decoder_events | ||
| ) |
Definition at line 411 of file detect-engine-build.c.
References ALPROTO_DCERPC, ALPROTO_SMB, Packet_::app_layer_events, PacketEngineEvents_::cnt, Packet_::events, Packet_::flags, MASK_TCP_INITDEINIT_FLAGS, MASK_TCP_UNUSUAL_FLAGS, Packet_::payload_len, PKT_DETECT_HAS_STREAMDATA, PKT_HAS_FLOW, PKT_IS_PSEUDOPKT, PKT_IS_TCP, PKT_NOPAYLOAD_INSPECTION, SCLogDebug, SIG_MASK_REQUIRE_DCERPC, SIG_MASK_REQUIRE_ENGINE_EVENT, SIG_MASK_REQUIRE_FLAGS_INITDEINIT, SIG_MASK_REQUIRE_FLAGS_UNUSUAL, SIG_MASK_REQUIRE_FLOW, SIG_MASK_REQUIRE_NO_PAYLOAD, SIG_MASK_REQUIRE_PAYLOAD, and Packet_::tcph.
◆ SigAddressCleanupStage1()
| int SigAddressCleanupStage1 | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 1742 of file detect-engine-build.c.
References BUG_ON, de_ctx, DetectEngineCtx_::decoder_event_sgh, DetectPortCleanupList(), DetectEngineCtx_::flow_gh, FLOW_STATES, DetectEngineCtx_::io_ctx, IPOnlyDeinit(), SCFree, SCLogDebug, DetectEngineLookupFlow_::sgh, DetectEngineCtx_::sgh_array, DetectEngineCtx_::sgh_array_cnt, DetectEngineCtx_::sgh_array_size, SigGroupHeadFree(), DetectEngineLookupFlow_::tcp, and DetectEngineLookupFlow_::udp.
Referenced by SigGroupCleanup().
◆ SigAddressPrepareStage1()
| int SigAddressPrepareStage1 | ( | DetectEngineCtx * | de_ctx | ) |
Preprocess signature, classify ip-only, etc, build sig array.
- Parameters
-
de_ctx Pointer to the Detection Engine Context
- Return values
-
0 on success -1 on failure
Definition at line 1358 of file detect-engine-build.c.
References de_ctx, DE_QUIET, DetectEngineGetMaxSigId, Signature_::flags, DetectEngineCtx_::flags, Signature_::id, Signature_::next, Signature_::num, SCLogDebug, SCMalloc, DetectEngineCtx_::sig_array, DetectEngineCtx_::sig_array_len, DetectEngineCtx_::sig_array_size, SIG_FLAG_IPONLY, SIG_FLAG_PDONLY, and DetectEngineCtx_::sig_list.
◆ SigAddressPrepareStage2()
| int SigAddressPrepareStage2 | ( | DetectEngineCtx * | de_ctx | ) |
Fill the global src group head, with the sigs included.
- Parameters
-
de_ctx Pointer to the Detection Engine Context whose Signatures have to be processed
- Return values
-
0 On success -1 On failure
Definition at line 1693 of file detect-engine-build.c.
References de_ctx, DetectEngineCtx_::flow_gh, DetectEngineCtx_::io_ctx, IPOnlyInit(), SCLogDebug, and DetectEngineLookupFlow_::tcp.
◆ SigAddressPrepareStage3()
| int SigAddressPrepareStage3 | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 1735 of file detect-engine-build.c.
◆ SigAddressPrepareStage4()
| int SigAddressPrepareStage4 | ( | DetectEngineCtx * | de_ctx | ) |
◆ SigCleanSignatures()
| void SigCleanSignatures | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 46 of file detect-engine-build.c.
References de_ctx, DetectEngineResetMaxSigId(), Signature_::next, DetectEngineCtx_::sig_list, and SigFree().
Referenced by DetectEngineCtxFree(), and UTHPacketMatchSig().
◆ SigFindSignatureBySidGid()
| Signature* SigFindSignatureBySidGid | ( | DetectEngineCtx * | de_ctx, |
| uint32_t | sid, | ||
| uint32_t | gid | ||
| ) |
Find a specific signature by sid and gid.
- Parameters
-
de_ctx detection engine ctx sid the signature id gid the signature group id
- Return values
-
s sig found NULL sig not found
Definition at line 70 of file detect-engine-build.c.
References de_ctx, Signature_::next, and DetectEngineCtx_::sig_list.
◆ SigGroupBuild()
| int SigGroupBuild | ( | DetectEngineCtx * | de_ctx | ) |
Convert the signature list into the runtime match structure.
- Parameters
-
de_ctx Pointer to the Detection Engine Context whose Signatures have to be processed
- Return values
-
0 On Success. -1 On failure.
Definition at line 1951 of file detect-engine-build.c.
References de_ctx, DetectSetFastPatternAndItsId(), Signature_::next, Signature_::num, DetectEngineCtx_::sig_list, and DetectEngineCtx_::signum.
Referenced by UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().
◆ SigGroupCleanup()
| int SigGroupCleanup | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 2019 of file detect-engine-build.c.
References de_ctx, and SigAddressCleanupStage1().
Referenced by DetectEngineCtxFree(), UTHMatchPackets(), and UTHPacketMatchSig().
◆ SignatureIsFilemagicInspecting()
| int SignatureIsFilemagicInspecting | ( | const Signature * | s | ) |
Check if a signature contains the filemagic keyword.
- Parameters
-
s signature
- Return values
-
0 no 1 yes
Definition at line 110 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_MAGIC.
Referenced by SigGroupHeadSetFilemagicFlag().
◆ SignatureIsFileMd5Inspecting()
| int SignatureIsFileMd5Inspecting | ( | const Signature * | s | ) |
Check if a signature contains the filemd5 keyword.
- Parameters
-
s signature
- Return values
-
0 no 1 yes
Definition at line 129 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_MD5.
Referenced by SigGroupHeadSetFileHashFlag().
◆ SignatureIsFileSha1Inspecting()
| int SignatureIsFileSha1Inspecting | ( | const Signature * | s | ) |
Check if a signature contains the filesha1 keyword.
- Parameters
-
s signature
- Return values
-
0 no 1 yes
Definition at line 145 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_SHA1.
Referenced by SigGroupHeadSetFileHashFlag().
◆ SignatureIsFileSha256Inspecting()
| int SignatureIsFileSha256Inspecting | ( | const Signature * | s | ) |
Check if a signature contains the filesha256 keyword.
- Parameters
-
s signature
- Return values
-
0 no 1 yes
Definition at line 161 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_SHA256.
Referenced by SigGroupHeadSetFileHashFlag().
◆ SignatureIsFilesizeInspecting()
| int SignatureIsFilesizeInspecting | ( | const Signature * | s | ) |
Check if a signature contains the filesize keyword.
- Parameters
-
s signature
- Return values
-
0 no 1 yes
Definition at line 177 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_SIZE.
Referenced by SigGroupHeadSetFilesizeFlag().
◆ SignatureIsFilestoring()
| int SignatureIsFilestoring | ( | const Signature * | s | ) |
Check if a signature contains the filestore keyword.
- Parameters
-
s signature
- Return values
-
0 no 1 yes
Definition at line 91 of file detect-engine-build.c.
References Signature_::flags, and SIG_FLAG_FILESTORE.
Referenced by SigGroupHeadSetFilestoreCount().
◆ SignatureIsIPOnly()
| int SignatureIsIPOnly | ( | DetectEngineCtx * | de_ctx, |
| const Signature * | s | ||
| ) |
Test is a initialized signature is IP only.
- Parameters
-
de_ctx detection engine ctx s the signature
- Return values
-
1 sig is ip only 2 sig is like ip only 0 sig is not ip only
Definition at line 195 of file detect-engine-build.c.
References Signature_::alproto, ALPROTO_UNKNOWN, SigMatch_::ctx, de_ctx, DE_QUIET, DETECT_FLOWBITS, DETECT_FLOWBITS_CMD_SET, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_PMATCH, DETECT_SM_LIST_POSTMATCH, DetectEngineBufferTypeGetNameById(), SignatureInitData_::dst_contains_negation, Signature_::flags, DetectEngineCtx_::flags, SigTableElmt_::flags, Signature_::id, Signature_::init_data, SigMatch_::next, SCLogDebug, SCReturnInt, SIG_FLAG_APPLAYER, SIG_FLAG_DST_ANY, SIG_FLAG_SRC_ANY, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SIGMATCH_IPONLY_COMPAT, sigmatch_table, SignatureInitData_::smlists, SignatureInitData_::smlists_array_size, SignatureInitData_::src_contains_negation, and SigMatch_::type.
◆ SignatureSetType()
| void SignatureSetType | ( | DetectEngineCtx * | de_ctx, |
| Signature * | s | ||
| ) |
Definition at line 1330 of file detect-engine-build.c.
Variable Documentation
◆ rule_engine_analysis_set
| int rule_engine_analysis_set |
Definition at line 54 of file detect-engine-loader.c.
