suricata
detect-engine-build.c File Reference


Macros

#define MASK_TCP_INITDEINIT_FLAGS   (TH_SYN|TH_RST|TH_FIN)
 
#define MASK_TCP_UNUSUAL_FLAGS   (TH_URG|TH_ECN|TH_CWR)
 

Functions

void SigCleanSignatures (DetectEngineCtx *de_ctx)
 
Signature * SigFindSignatureBySidGid (DetectEngineCtx *de_ctx, uint32_t sid, uint32_t gid)
 Find a specific signature by sid and gid; returns NULL when no signature matches.
 
int SignatureIsFilestoring (const Signature *s)
 Check if a signature contains the filestore keyword.
 
int SignatureIsFilemagicInspecting (const Signature *s)
 Check if a signature contains the filemagic keyword.
 
int SignatureIsFileMd5Inspecting (const Signature *s)
 Check if a signature contains the filemd5 keyword.
 
int SignatureIsFileSha1Inspecting (const Signature *s)
 Check if a signature contains the filesha1 keyword.
 
int SignatureIsFileSha256Inspecting (const Signature *s)
 Check if a signature contains the filesha256 keyword.
 
int SignatureIsFilesizeInspecting (const Signature *s)
 Check if a signature contains the filesize keyword.
 
int SignatureIsIPOnly (DetectEngineCtx *de_ctx, const Signature *s)
 Test whether an initialized signature is IP-only (matchable on addresses alone, without payload inspection).
 
void PacketCreateMask (Packet *p, SignatureMask *mask, AppProto alproto, bool app_decoder_events)
 
int CreateGroupedPortList (DetectEngineCtx *de_ctx, DetectPort *port_list, DetectPort **newhead, uint32_t unique_groups, int(*CompareFunc)(DetectPort *, DetectPort *), uint32_t max_idx)
 
int CreateGroupedPortListCmpCnt (DetectPort *a, DetectPort *b)
 
void SignatureSetType (DetectEngineCtx *de_ctx, Signature *s)
 
int SigAddressPrepareStage1 (DetectEngineCtx *de_ctx)
 Preprocess signatures (classify ip-only, decoder-event-only, etc.) and build the signature array.
 
int SigAddressPrepareStage2 (DetectEngineCtx *de_ctx)
 Fill the global source group head with the signatures it covers.
 
int SigAddressPrepareStage3 (DetectEngineCtx *de_ctx)
 
int SigAddressCleanupStage1 (DetectEngineCtx *de_ctx)
 
int SigAddressPrepareStage4 (DetectEngineCtx *de_ctx)
 Finalize preparation of the signature group heads (sgh).
 
int SigGroupBuild (DetectEngineCtx *de_ctx)
 Convert the signature list into the runtime match structure.
 
int SigGroupCleanup (DetectEngineCtx *de_ctx)
 

Variables

int rule_engine_analysis_set
 

Macro Definition Documentation

/* TCP flags that only appear on connection setup/teardown segments (SYN, RST,
 * FIN). Consumed by PacketCreateMask() when deriving a packet's SignatureMask;
 * presumably the packet-side counterpart of SIG_MASK_REQUIRE_FLAGS_INITDEINIT
 * on the signature side — confirm against PacketCreateMask() at line 395. */
#define MASK_TCP_INITDEINIT_FLAGS   (TH_SYN|TH_RST|TH_FIN)

Definition at line 389 of file detect-engine-build.c.

Referenced by PacketCreateMask().

/* TCP flags the engine treats as "unusual": URG plus the ECN/CWR
 * congestion-notification bits. Consumed by PacketCreateMask() when deriving a
 * packet's SignatureMask; presumably paired with SIG_MASK_REQUIRE_FLAGS_UNUSUAL
 * on the signature side — confirm against PacketCreateMask() at line 395. */
#define MASK_TCP_UNUSUAL_FLAGS   (TH_URG|TH_ECN|TH_CWR)

Definition at line 390 of file detect-engine-build.c.

Referenced by PacketCreateMask().

Function Documentation

int CreateGroupedPortList ( DetectEngineCtx de_ctx,
DetectPort port_list,
DetectPort **  newhead,
uint32_t  unique_groups,
int(*)(DetectPort *, DetectPort *)  CompareFunc,
uint32_t  max_idx 
)
int CreateGroupedPortListCmpCnt ( DetectPort a,
DetectPort b 
)

Definition at line 1434 of file detect-engine-build.c.

References DetectPort_::port, DetectPort_::port2, SCLogDebug, DetectPort_::sh, and SigGroupHead_::sig_cnt.

Referenced by PacketCreateMask().


void PacketCreateMask ( Packet p,
SignatureMask mask,
AppProto  alproto,
bool  app_decoder_events 
)

Definition at line 395 of file detect-engine-build.c.

References Signature_::alproto, ALPROTO_DCERPC, ALPROTO_MAX, ALPROTO_SMB, ALPROTO_UNKNOWN, Packet_::app_layer_events, AppProtoToString(), BUG_ON, DetectFlowbitsData_::cmd, PacketEngineEvents_::cnt, ConfigGetLogDirectory(), DetectContentData_::content, DetectContentData_::content_len, CreateGroupedPortList(), CreateGroupedPortListCmpCnt(), SigMatch_::ctx, DETECT_AL_APP_LAYER_EVENT, DETECT_CONTENT_NEGATED, DETECT_DSIZE, DETECT_ENGINE_EVENT, DETECT_FLAGS, DETECT_FLOWBITS, DETECT_FLOWBITS_CMD_ISSET, DETECT_FLOWINT, DETECT_PROTO_ANY, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_MAX, DETECT_SM_LIST_PMATCH, DetectBufferTypeGetByName(), DETECTDSIZE_EQ, DETECTDSIZE_GT, DETECTDSIZE_LT, DETECTDSIZE_RA, DetectFlagsSignatureNeedsSynOnlyPackets(), DetectFlagsSignatureNeedsSynPackets(), DetectListToHumanString(), DetectListToString(), DetectMpmInitializeBuiltinMpms(), DetectPortCopySingle(), DetectPortHashAdd(), DetectPortHashFree(), DetectPortHashInit(), DetectPortHashLookup(), DetectPortInsert(), Signature_::dp, DetectEngineCtx_::dport_hash_table, DetectDsizeData_::dsize, Packet_::events, DetectProto_::flags, DetectFlagsData_::flags, DetectContentData_::flags, DetectPort_::flags, Packet_::flags, Signature_::flags, DetectEngineCtx_::flow_gh, DetectEngineCtx_::gh_reuse, DetectEngineCtx_::gh_unique, HashListTableGetListData, HashListTableGetListHead(), HashListTableGetListNext, Signature_::id, SigGroupHead_::id, SigGroupHead_::init, Signature_::init_data, SignatureInitData_::init_flags, JSON_ESCAPE_SLASH, Signature_::mask, MASK_TCP_INITDEINIT_FLAGS, MASK_TCP_UNUSUAL_FLAGS, SigGroupHead_::match_array, MAX, DetectEngineCtx_::max_uniq_toclient_groups, DetectEngineCtx_::max_uniq_toserver_groups, DetectDsizeData_::mode, SignatureInitData_::mpm_sm, DetectPort_::next, SigMatch_::next, next, Signature_::next, Signature_::num, PatternStrength(), Packet_::payload_len, PKT_DETECT_HAS_STREAMDATA, PKT_HAS_FLOW, PKT_IS_PSEUDOPKT, PKT_IS_TCP, PKT_NOPAYLOAD_INSPECTION, DetectPort_::port, 
DetectPort_::port2, PORT_SIGGROUPHEAD_COPY, DetectProto_::proto, Signature_::proto, SC_WARN_POOR_RULE, SCEnter, SCLogDebug, SCLogInfo, SCLogPerf, SCLogWarning, SCReturnInt, DetectEngineLookupFlow_::sgh, DetectPort_::sh, SigGroupHead_::sig_cnt, SIG_FLAG_APPLAYER, SIG_FLAG_DP_ANY, SIG_FLAG_DST_ANY, SIG_FLAG_INIT_FLOW, SIG_FLAG_IPONLY, SIG_FLAG_REQUIRE_FLOWVAR, SIG_FLAG_SP_ANY, SIG_FLAG_SRC_ANY, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, DetectEngineCtx_::sig_list, SIG_MASK_REQUIRE_DCERPC, SIG_MASK_REQUIRE_ENGINE_EVENT, SIG_MASK_REQUIRE_FLAGS_INITDEINIT, SIG_MASK_REQUIRE_FLAGS_UNUSUAL, SIG_MASK_REQUIRE_FLOW, SIG_MASK_REQUIRE_NO_PAYLOAD, SIG_MASK_REQUIRE_PAYLOAD, SigGroupHeadAppendSig(), SigGroupHeadBuildMatchArray(), SigGroupHeadFree(), SigGroupHeadHashAdd(), SigGroupHeadHashFree(), SigGroupHeadHashInit(), SigGroupHeadHashLookup(), SigGroupHeadSetProtoAndDirection(), SigGroupHeadSetSigCnt(), SigGroupHeadStore(), SigMatchListSMBelongsTo(), Signature_::sm_arrays, SignatureInitData_::smlists, Signature_::sp, DetectEngineLookupFlow_::tcp, DetectEngineCtx_::tcp_whitelist, Packet_::tcph, TH_CWR, TH_ECN, TH_FIN, TH_RST, TH_SYN, TH_URG, SigMatch_::type, DetectEngineLookupFlow_::udp, DetectEngineCtx_::udp_whitelist, unlikely, SignatureInitData_::whitelist, and SigGroupHeadInitData_::whitelist.

Referenced by SigMatchSignaturesGetSgh().

Note: the reference list above appears to have absorbed entries that belong to neighbouring functions on this page (for example the port-grouping helpers CreateGroupedPortList()/CreateGroupedPortListCmpCnt(), ConfigGetLogDirectory() and JSON_ESCAPE_SLASH, none of which a packet-mask builder would plausibly need), so it should not be read as PacketCreateMask()'s exact dependency set; consult the definition at line 395 instead.



int SigAddressPrepareStage1 ( DetectEngineCtx de_ctx)

Preprocess signature, classify ip-only, etc, build sig array.

Parameters
de_ctx — Pointer to the Detection Engine Context
Return values
0 — on success
-1 — on failure

Definition at line 1286 of file detect-engine-build.c.

References DetectContentData_::content_len, SigMatch_::ctx, DE_QUIET, DETECT_CONTENT, DETECT_PREFILTER_AUTO, DETECT_SM_LIST_MATCH, DETECT_TBLSIZE, DetectBufferRunSetupCallback(), DetectContentPropagateLimits(), DetectEngineGetMaxSigId, DetectFlowbitsAnalyze(), Signature_::flags, DetectEngineCtx_::flags, Signature_::id, SigGroupHead_::init, Signature_::init_data, SignatureInitData_::init_flags, MIN, SigTableElmt_::name, SigMatch_::next, Signature_::next, Signature_::num, DetectEngineCtx_::prefilter_setting, SignatureInitData_::prefilter_sm, DetectProto_::proto, proto, Signature_::proto, SCLogDebug, SCLogDebugEnabled(), SCLogInfo, SCMalloc, DetectPort_::sh, DetectEngineCtx_::sig_array, DetectEngineCtx_::sig_array_len, DetectEngineCtx_::sig_array_size, DetectEngineCtx_::sig_cnt, SIG_FLAG_APPLAYER, SIG_FLAG_INIT_DEONLY, SIG_FLAG_IPONLY, SIG_FLAG_MPM_NEG, SIG_FLAG_PDONLY, SIG_FLAG_PREFILTER, DetectEngineCtx_::sig_list, sigmatch_table, SigParseApplyDsizeToContent(), SignatureInitData_::smlists, SignatureInitData_::smlists_array_size, SigTableElmt_::SupportsPrefilter, TRUE, SigMatch_::type, and SigGroupHeadInitData_::whitelist.

Referenced by SigGroupBuild(), and SigGroupHeadContainsSigId().



int SigAddressPrepareStage2 ( DetectEngineCtx de_ctx)

Fill the global src group head, with the sigs included.

Parameters
de_ctx — Pointer to the Detection Engine Context whose Signatures have to be processed
Return values
0 — On success
-1 — On failure

Definition at line 1623 of file detect-engine-build.c.

References DetectEngineCtx_::decoder_event_sgh, DetectEngineGetMaxSigId, Signature_::flags, DetectEngineCtx_::flow_gh, Signature_::id, Signature_::init_data, SignatureInitData_::init_flags, DetectEngineCtx_::io_ctx, IPOnlyAddSignature(), IPOnlyInit(), IPOnlyPrepare(), IPOnlyPrint(), Signature_::next, SCLogDebug, SIG_FLAG_INIT_DEONLY, SIG_FLAG_IPONLY, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, DetectEngineCtx_::sig_list, SigGroupHeadBuildMatchArray(), SigGroupHeadSetSigCnt(), DetectEngineLookupFlow_::tcp, and DetectEngineLookupFlow_::udp.

Referenced by SigGroupBuild().



int SigAddressPrepareStage3 ( DetectEngineCtx de_ctx)

Definition at line 1670 of file detect-engine-build.c.

Referenced by SigGroupBuild().


void SigCleanSignatures ( DetectEngineCtx de_ctx)

Definition at line 39 of file detect-engine-build.c.

References DetectEngineResetMaxSigId(), Signature_::next, DetectEngineCtx_::sig_list, and SigFree().

Referenced by ActionInitConfig(), AlertFastLogInitCtx(), DetectAckRegister(), DetectBase64DataDoMatch(), DetectBase64DecodeDoMatch(), DetectByteExtractRetrieveSMVar(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectEngineCtxFree(), DetectEngineInspectStream(), DetectFastPatternRegister(), DetectFilesizeRegister(), DetectFlowFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectHostbitFree(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectIsdataatFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectModbusRegister(), DetectPcrePayloadMatch(), DetectPktDataRegister(), DetectProtoContainsProto(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSeqRegister(), DetectSetupParseRegexes(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectThresholdRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), MpmACRegister(), MpmACTileRegister(), RegisterModbusParsers(), SCACBSPrintInfo(), SCSigSignatureOrderingModuleCleanup(), SigGroupHeadContainsSigId(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), TagTimeoutCheck(), UTHGenericTest(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().


Signature* SigFindSignatureBySidGid ( DetectEngineCtx de_ctx,
uint32_t  sid,
uint32_t  gid 
)

Find a specific signature by sid and gid.

Parameters
de_ctx — detection engine ctx
sid — the signature id
gid — the signature group id
Return values
s — sig found
NULL — sig not found

Definition at line 63 of file detect-engine-build.c.

References Signature_::next, and DetectEngineCtx_::sig_list.

Referenced by SCThresholdConfInitContext().


int SigGroupBuild ( DetectEngineCtx de_ctx)

Convert the signature list into the runtime match structure.

Parameters
de_ctx — Pointer to the Detection Engine Context whose Signatures have to be processed
Return values
0 — On success.
-1 — On failure.

Definition at line 1876 of file detect-engine-build.c.

References ConfGetInt(), DetectEngineMultiTenantEnabled(), DetectMpmPrepareAppMpms(), DetectMpmPrepareBuiltinMpms(), DetectMpmPreparePktMpms(), DetectSetFastPatternAndItsId(), Signature_::next, Signature_::num, DetectEngineCtx_::profile_match_logging_threshold, SC_ERR_DETECT_PREPARE, SCLogError, SCProfilingKeywordInitCounters(), SCProfilingPrefilterInitCounters(), SCProfilingRuleInitCounters(), DetectEngineCtx_::sig_list, SigAddressPrepareStage1(), SigAddressPrepareStage2(), SigAddressPrepareStage3(), SigAddressPrepareStage4(), DetectEngineCtx_::signum, and VarNameStoreActivateStaging().

Referenced by AlertFastLogInitCtx(), DetectAckRegister(), DetectAppLayerProtocolRegister(), DetectBase64DecodeDoMatch(), DetectBypassRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectFastPatternRegister(), DetectFlowFree(), DetectFlowintFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectHostbitFree(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectPcrePayloadMatch(), DetectProtoContainsProto(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSetupParseRegexes(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTransformDotPrefixRegister(), DetectTransformStripWhitespaceRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), DetectXbitFree(), HtpConfigRestoreBackup(), MpmACRegister(), MpmACTileRegister(), RegisterModbusParsers(), SCACBSPrintInfo(), SCThresholdConfParseFile(), SigGroupHeadContainsSigId(), SigLoadSignatures(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), TagTimeoutCheck(), UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().


int SigGroupCleanup ( DetectEngineCtx de_ctx)

Definition at line 1947 of file detect-engine-build.c.

References SigAddressCleanupStage1().

Referenced by ActionInitConfig(), AlertFastLogInitCtx(), DetectAckRegister(), DetectBase64DataDoMatch(), DetectBase64DecodeDoMatch(), DetectByteExtractRetrieveSMVar(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineCtxFree(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectFastPatternRegister(), DetectFilesizeRegister(), DetectFlowFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectHostbitFree(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectIsdataatFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectModbusRegister(), DetectPcrePayloadMatch(), DetectPktDataRegister(), DetectProtoContainsProto(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSeqRegister(), DetectSetupParseRegexes(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), MpmACRegister(), MpmACTileRegister(), RegisterModbusParsers(), SCACBSPrintInfo(), SCSigSignatureOrderingModuleCleanup(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), TagTimeoutCheck(), UTHGenericTest(), UTHMatchPackets(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().


int SignatureIsFilemagicInspecting ( const Signature s)

Check if a signature contains the filemagic keyword.

Parameters
s — signature
Return values
0 — no
1 — yes

Definition at line 103 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_MAGIC.

Referenced by SigGroupHeadSetFilemagicFlag().


int SignatureIsFileMd5Inspecting ( const Signature s)

Check if a signature contains the filemd5 keyword.

Parameters
s — signature
Return values
0 — no
1 — yes

Definition at line 122 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_MD5.

Referenced by SigGroupHeadSetFileHashFlag().


int SignatureIsFileSha1Inspecting ( const Signature s)

Check if a signature contains the filesha1 keyword.

Parameters
s — signature
Return values
0 — no
1 — yes

Definition at line 138 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_SHA1.

Referenced by SigGroupHeadSetFileHashFlag().


int SignatureIsFileSha256Inspecting ( const Signature s)

Check if a signature contains the filesha256 keyword.

Parameters
s — signature
Return values
0 — no
1 — yes

Definition at line 154 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_SHA256.

Referenced by SigGroupHeadSetFileHashFlag().


int SignatureIsFilesizeInspecting ( const Signature s)

Check if a signature contains the filesize keyword.

Parameters
s — signature
Return values
0 — no
1 — yes

Definition at line 170 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_SIZE.

Referenced by SigGroupHeadSetFilesizeFlag().


int SignatureIsFilestoring ( const Signature s)

Check if a signature contains the filestore keyword.

Parameters
s — signature
Return values
0 — no
1 — yes

Definition at line 84 of file detect-engine-build.c.

References Signature_::flags, and SIG_FLAG_FILESTORE.

Referenced by SigGroupHeadSetFilestoreCount().


void SignatureSetType ( DetectEngineCtx de_ctx,
Signature s 
)

Definition at line 1263 of file detect-engine-build.c.

References Signature_::flags, Signature_::init_data, SignatureInitData_::init_flags, SIG_FLAG_INIT_DEONLY, SIG_FLAG_IPONLY, SIG_FLAG_PDONLY, and SignatureIsIPOnly().

Referenced by SigMatchList2DataArray().



Variable Documentation

int rule_engine_analysis_set