#include "suricata-common.h"#include "detect.h"#include "detect-engine.h"#include "detect-parse.h"#include "detect-content.h"#include "detect-engine-build.h"#include "detect-engine-address.h"#include "detect-engine-analyzer.h"#include "detect-engine-iponly.h"#include "detect-engine-mpm.h"#include "detect-engine-siggroup.h"#include "detect-engine-port.h"#include "detect-engine-prefilter.h"#include "detect-engine-proto.h"#include "detect-engine-threshold.h"#include "detect-dsize.h"#include "detect-tcp-flags.h"#include "detect-flow.h"#include "detect-config.h"#include "detect-flowbits.h"#include "app-layer-events.h"#include "util-port-interval-tree.h"#include "util-profiling.h"#include "util-validate.h"#include "util-var-name.h"#include "util-conf.h"
Data Structures | |
| struct | UniquePortPoint_ |
Macros | |
| #define | DETECT_PGSCORE_RULE_PORT_PRIORITIZED 111 /* Rule port group contains a priority port */ |
| #define | DETECT_PGSCORE_RULE_MPM_FAST_PATTERN 99 /* Rule contains an MPM fast pattern */ |
| #define | DETECT_PGSCORE_RULE_MPM_NEGATED 77 /* Rule contains a negated MPM */ |
| #define | DETECT_PGSCORE_RULE_NO_MPM 55 /* Rule does not contain MPM */ |
| #define | DETECT_PGSCORE_RULE_SYN_ONLY 33 /* Rule needs SYN check */ |
| #define | MASK_TCP_INITDEINIT_FLAGS (TH_SYN|TH_RST|TH_FIN) |
| #define | MASK_TCP_UNUSUAL_FLAGS (TH_URG|TH_ECN|TH_CWR) |
| #define | UNDEFINED_PORT 0 |
| #define | RANGE_PORT 1 |
| #define | SINGLE_PORT 2 |
Typedefs | |
| typedef struct UniquePortPoint_ | UniquePortPoint |
Functions | |
| void | SigCleanSignatures (DetectEngineCtx *de_ctx) |
| Signature * | SigFindSignatureBySidGid (DetectEngineCtx *de_ctx, uint32_t sid, uint32_t gid) |
| Find a specific signature by sid and gid. More... | |
| int | SignatureIsFilestoring (const Signature *s) |
| Check if a signature contains the filestore keyword. More... | |
| int | SignatureIsFilemagicInspecting (const Signature *s) |
| Check if a signature contains the filemagic keyword. More... | |
| int | SignatureIsFileMd5Inspecting (const Signature *s) |
| Check if a signature contains the filemd5 keyword. More... | |
| int | SignatureIsFileSha1Inspecting (const Signature *s) |
| Check if a signature contains the filesha1 keyword. More... | |
| int | SignatureIsFileSha256Inspecting (const Signature *s) |
| Check if a signature contains the filesha256 keyword. More... | |
| int | SignatureIsIPOnly (DetectEngineCtx *de_ctx, const Signature *s) |
| Test if an initialized signature is IP only. More... | |
| void | PacketCreateMask (Packet *p, SignatureMask *mask, AppProto alproto, bool app_decoder_events) |
| void | SignatureSetType (DetectEngineCtx *de_ctx, Signature *s) |
| int | SigPrepareStage1 (DetectEngineCtx *de_ctx) |
| Preprocess signature, classify ip-only, etc, build sig array. More... | |
| int | SigPrepareStage2 (DetectEngineCtx *de_ctx) |
| Fill the global src group head with the sigs included. More... | |
| int | SigPrepareStage3 (DetectEngineCtx *de_ctx) |
| int | SigAddressCleanupStage1 (DetectEngineCtx *de_ctx) |
| int | SigPrepareStage4 (DetectEngineCtx *de_ctx) |
| Finalize preparing the signature group heads (sgh's). More... | |
| int | SigGroupBuild (DetectEngineCtx *de_ctx) |
| Convert the signature list into the runtime match structure. More... | |
| int | SigGroupCleanup (DetectEngineCtx *de_ctx) |
Variables | |
| bool | rule_engine_analysis_set |
| #define DETECT_PGSCORE_RULE_MPM_FAST_PATTERN 99 /* Rule contains an MPM fast pattern */ |
Definition at line 52 of file detect-engine-build.c.
| #define DETECT_PGSCORE_RULE_MPM_NEGATED 77 /* Rule contains a negated MPM */ |
Definition at line 53 of file detect-engine-build.c.
| #define DETECT_PGSCORE_RULE_NO_MPM 55 /* Rule does not contain MPM */ |
Definition at line 54 of file detect-engine-build.c.
| #define DETECT_PGSCORE_RULE_PORT_PRIORITIZED 111 /* Rule port group contains a priority port */ |
Definition at line 51 of file detect-engine-build.c.
| #define DETECT_PGSCORE_RULE_SYN_ONLY 33 /* Rule needs SYN check */ |
Definition at line 55 of file detect-engine-build.c.
Definition at line 396 of file detect-engine-build.c.
Definition at line 397 of file detect-engine-build.c.
| #define RANGE_PORT 1 |
Definition at line 1316 of file detect-engine-build.c.
| #define SINGLE_PORT 2 |
Definition at line 1317 of file detect-engine-build.c.
| #define UNDEFINED_PORT 0 |
Definition at line 1315 of file detect-engine-build.c.
| typedef struct UniquePortPoint_ UniquePortPoint |
| void PacketCreateMask | ( | Packet * | p, |
| SignatureMask * | mask, | ||
| AppProto | alproto, | ||
| bool | app_decoder_events | ||
| ) |
Definition at line 401 of file detect-engine-build.c.
References Packet_::app_layer_events, AppLayerDecoderEvents_::cnt, PacketEngineEvents_::cnt, Packet_::events, Packet_::flags, Packet_::payload_len, PKT_DETECT_HAS_STREAMDATA, PKT_IS_PSEUDOPKT, PKT_NOPAYLOAD_INSPECTION, SCLogDebug, SIG_MASK_REQUIRE_ENGINE_EVENT, SIG_MASK_REQUIRE_NO_PAYLOAD, SIG_MASK_REQUIRE_PAYLOAD, and SIG_MASK_REQUIRE_REAL_PKT.
| int SigAddressCleanupStage1 | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 1967 of file detect-engine-build.c.
References BUG_ON, de_ctx, DetectEngineCtx_::decoder_event_sgh, DetectPortCleanupList(), DetectEngineCtx_::flow_gh, FLOW_STATES, DetectEngineCtx_::io_ctx, IPOnlyDeinit(), DetectEngineCtx_::pre_flow_sgh, DetectEngineCtx_::pre_stream_sgh, SCFree, SCLogDebug, DetectEngineLookupFlow_::sgh, DetectEngineCtx_::sgh_array, DetectEngineCtx_::sgh_array_cnt, DetectEngineCtx_::sgh_array_size, SigGroupHeadFree(), DetectEngineLookupFlow_::tcp, and DetectEngineLookupFlow_::udp.
Referenced by SigGroupCleanup().


| void SigCleanSignatures | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 56 of file detect-engine-build.c.
References de_ctx, DetectEngineResetMaxSigId(), Signature_::next, DetectEngineCtx_::sig_list, and SigFree().
Referenced by DetectEngineCtxFree().


| Signature* SigFindSignatureBySidGid | ( | DetectEngineCtx * | de_ctx, |
| uint32_t | sid, | ||
| uint32_t | gid | ||
| ) |
Find a specific signature by sid and gid.
| de_ctx | detection engine ctx |
| sid | the signature id |
| gid | the signature group id |
| s | sig found |
| NULL | sig not found |
Definition at line 80 of file detect-engine-build.c.
References de_ctx, Signature_::next, and DetectEngineCtx_::sig_list.
| int SigGroupBuild | ( | DetectEngineCtx * | de_ctx | ) |
Convert the signature list into the runtime match structure.
| de_ctx | Pointer to the Detection Engine Context whose Signatures have to be processed |
| 0 | On Success. |
| -1 | On failure. |
Definition at line 2194 of file detect-engine-build.c.
References de_ctx, DetectSetFastPatternAndItsId(), Signature_::iid, Signature_::next, DetectEngineCtx_::sig_list, and DetectEngineCtx_::signum.
Referenced by UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().


| int SigGroupCleanup | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 2265 of file detect-engine-build.c.
References de_ctx, and SigAddressCleanupStage1().
Referenced by DetectEngineCtxFree().


| int SignatureIsFilemagicInspecting | ( | const Signature * | s | ) |
Check if a signature contains the filemagic keyword.
| s | signature |
| 0 | no |
| 1 | yes |
Definition at line 120 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_MAGIC.
Referenced by SigGroupHeadSetupFiles().

| int SignatureIsFileMd5Inspecting | ( | const Signature * | s | ) |
Check if a signature contains the filemd5 keyword.
| s | signature |
| 0 | no |
| 1 | yes |
Definition at line 139 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_MD5.
Referenced by SigGroupHeadSetupFiles().

| int SignatureIsFileSha1Inspecting | ( | const Signature * | s | ) |
Check if a signature contains the filesha1 keyword.
| s | signature |
| 0 | no |
| 1 | yes |
Definition at line 155 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_SHA1.
Referenced by SigGroupHeadSetupFiles().

| int SignatureIsFileSha256Inspecting | ( | const Signature * | s | ) |
Check if a signature contains the filesha256 keyword.
| s | signature |
| 0 | no |
| 1 | yes |
Definition at line 171 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_SHA256.
Referenced by SigGroupHeadSetupFiles().

| int SignatureIsFilestoring | ( | const Signature * | s | ) |
Check if a signature contains the filestore keyword.
| s | signature |
| 0 | no |
| 1 | yes |
Definition at line 101 of file detect-engine-build.c.
References Signature_::flags, and SIG_FLAG_FILESTORE.
Referenced by SigGroupHeadSetupFiles().

| int SignatureIsIPOnly | ( | DetectEngineCtx * | de_ctx, |
| const Signature * | s | ||
| ) |
Test if an initialized signature is IP only.
| de_ctx | detection engine ctx |
| s | the signature |
| 1 | sig is ip only |
| 2 | sig is like ip only |
| 0 | sig is not ip only |
Definition at line 191 of file detect-engine-build.c.
References Signature_::alproto, ALPROTO_UNKNOWN, DETECT_SM_LIST_PMATCH, Signature_::flags, SignatureInitData_::hook, Signature_::init_data, SIG_FLAG_APPLAYER, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SIGNATURE_HOOK_TYPE_NOT_SET, SignatureInitData_::smlists, and SignatureHook_::type.
| void SignatureSetType | ( | DetectEngineCtx * | de_ctx, |
| Signature * | s | ||
| ) |
Definition at line 1645 of file detect-engine-build.c.
References BUG_ON, SignatureInitData_::hook, Signature_::id, Signature_::init_data, SCLogDebug, SCReturn, SIG_TYPE_APP_TX, SIG_TYPE_NOT_SET, SIGNATURE_HOOK_TYPE_APP, SignatureHook_::type, and Signature_::type.
| int SigPrepareStage1 | ( | DetectEngineCtx * | de_ctx | ) |
Preprocess signature, classify ip-only, etc, build sig array.
| de_ctx | Pointer to the Detection Engine Context |
| 0 | on success |
| -1 | on failure |
Definition at line 1723 of file detect-engine-build.c.
References de_ctx, DE_QUIET, DetectEngineGetMaxSigId, DetectEngineCtx_::flags, Signature_::id, Signature_::iid, Signature_::next, SCCalloc, SCLogDebug, DetectEngineCtx_::sig_array, DetectEngineCtx_::sig_array_len, DetectEngineCtx_::sig_list, SIG_TYPE_IPONLY, SIG_TYPE_PDONLY, and Signature_::type.
| int SigPrepareStage2 | ( | DetectEngineCtx * | de_ctx | ) |
Fill the global src group head with the sigs included.
| de_ctx | Pointer to the Detection Engine Context whose Signatures have to be processed |
| 0 | On success |
| -1 | On failure |
Definition at line 1877 of file detect-engine-build.c.
References de_ctx, DetectEngineCtx_::flow_gh, DetectEngineCtx_::io_ctx, IPOnlyInit(), SCLogDebug, and DetectEngineLookupFlow_::tcp.

| int SigPrepareStage3 | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 1953 of file detect-engine-build.c.
| int SigPrepareStage4 | ( | DetectEngineCtx * | de_ctx | ) |
Finalize preparing the signature group heads (sgh's).
Definition at line 2050 of file detect-engine-build.c.
References cnt, de_ctx, DetectEngineCtx_::decoder_event_sgh, SigGroupHead_::filestore_cnt, SigGroupHead_::id, MpmStoreReportStats(), PrefilterSetupRuleGroup(), SCConfGetBool(), SCEnter, SCLogDebug, SCLogPerf, DetectEngineCtx_::sgh_array, DetectEngineCtx_::sgh_array_cnt, and SigGroupHeadSetupFiles().

| bool rule_engine_analysis_set |
Definition at line 56 of file detect-engine-loader.c.