suricata
detect-engine-build.c File Reference
#include "suricata-common.h"
#include "detect.h"
#include "detect-engine.h"
#include "detect-parse.h"
#include "detect-content.h"
#include "detect-engine-build.h"
#include "detect-engine-address.h"
#include "detect-engine-analyzer.h"
#include "detect-engine-iponly.h"
#include "detect-engine-mpm.h"
#include "detect-engine-siggroup.h"
#include "detect-engine-port.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-proto.h"
#include "detect-engine-threshold.h"
#include "detect-dsize.h"
#include "detect-tcp-flags.h"
#include "detect-flow.h"
#include "detect-config.h"
#include "detect-flowbits.h"
#include "util-profiling.h"
#include "util-validate.h"
#include "util-var-name.h"
#include "util-conf.h"
Include dependency graph for detect-engine-build.c:

Go to the source code of this file.

Macros

#define DETECT_PGSCORE_RULE_PORT_WHITELISTED   111 /* Rule port group contains a whitelisted port */
 
#define DETECT_PGSCORE_RULE_MPM_FAST_PATTERN   99 /* Rule contains an MPM fast pattern */
 
#define DETECT_PGSCORE_RULE_MPM_NEGATED   77 /* Rule contains a negated MPM */
 
#define DETECT_PGSCORE_RULE_NO_MPM   55 /* Rule does not contain MPM */
 
#define DETECT_PGSCORE_RULE_SYN_ONLY   33 /* Rule needs SYN check */
 
#define MASK_TCP_INITDEINIT_FLAGS   (TH_SYN|TH_RST|TH_FIN)
 
#define MASK_TCP_UNUSUAL_FLAGS   (TH_URG|TH_ECN|TH_CWR)
 

Functions

void SigCleanSignatures (DetectEngineCtx *de_ctx)
 
SignatureSigFindSignatureBySidGid (DetectEngineCtx *de_ctx, uint32_t sid, uint32_t gid)
 Find a specific signature by sid and gid. More...
 
int SignatureIsFilestoring (const Signature *s)
 Check if a signature contains the filestore keyword. More...
 
int SignatureIsFilemagicInspecting (const Signature *s)
 Check if a signature contains the filemagic keyword. More...
 
int SignatureIsFileMd5Inspecting (const Signature *s)
 Check if a signature contains the filemd5 keyword. More...
 
int SignatureIsFileSha1Inspecting (const Signature *s)
 Check if a signature contains the filesha1 keyword. More...
 
int SignatureIsFileSha256Inspecting (const Signature *s)
 Check if a signature contains the filesha256 keyword. More...
 
int SignatureIsFilesizeInspecting (const Signature *s)
 Check if a signature contains the filesize keyword. More...
 
int SignatureIsIPOnly (DetectEngineCtx *de_ctx, const Signature *s)
 Test is a initialized signature is IP only. More...
 
void PacketCreateMask (Packet *p, SignatureMask *mask, AppProto alproto, bool app_decoder_events)
 
int CreateGroupedPortList (DetectEngineCtx *de_ctx, DetectPort *port_list, DetectPort **newhead, uint32_t unique_groups, int(*CompareFunc)(DetectPort *, DetectPort *))
 
int CreateGroupedPortListCmpCnt (DetectPort *a, DetectPort *b)
 
void SignatureSetType (DetectEngineCtx *de_ctx, Signature *s)
 
int SigPrepareStage1 (DetectEngineCtx *de_ctx)
 Preprocess signature, classify ip-only, etc, build sig array. More...
 
int SigPrepareStage2 (DetectEngineCtx *de_ctx)
 Fill the global src group head, with the sigs included. More...
 
int SigPrepareStage3 (DetectEngineCtx *de_ctx)
 
int SigAddressCleanupStage1 (DetectEngineCtx *de_ctx)
 
int SigPrepareStage4 (DetectEngineCtx *de_ctx)
 finalize preparing sgh's More...
 
int SigGroupBuild (DetectEngineCtx *de_ctx)
 Convert the signature list into the runtime match structure. More...
 
int SigGroupCleanup (DetectEngineCtx *de_ctx)
 

Variables

int g_skip_prefilter
 
bool rule_engine_analysis_set
 

Macro Definition Documentation

◆ DETECT_PGSCORE_RULE_MPM_FAST_PATTERN

#define DETECT_PGSCORE_RULE_MPM_FAST_PATTERN   99 /* Rule contains an MPM fast pattern */

Definition at line 49 of file detect-engine-build.c.

◆ DETECT_PGSCORE_RULE_MPM_NEGATED

#define DETECT_PGSCORE_RULE_MPM_NEGATED   77 /* Rule contains a negated MPM */

Definition at line 50 of file detect-engine-build.c.

◆ DETECT_PGSCORE_RULE_NO_MPM

#define DETECT_PGSCORE_RULE_NO_MPM   55 /* Rule does not contain MPM */

Definition at line 51 of file detect-engine-build.c.

◆ DETECT_PGSCORE_RULE_PORT_WHITELISTED

#define DETECT_PGSCORE_RULE_PORT_WHITELISTED   111 /* Rule port group contains a whitelisted port */

Definition at line 48 of file detect-engine-build.c.

◆ DETECT_PGSCORE_RULE_SYN_ONLY

#define DETECT_PGSCORE_RULE_SYN_ONLY   33 /* Rule needs SYN check */

Definition at line 52 of file detect-engine-build.c.

◆ MASK_TCP_INITDEINIT_FLAGS

#define MASK_TCP_INITDEINIT_FLAGS   (TH_SYN|TH_RST|TH_FIN)

Definition at line 400 of file detect-engine-build.c.

◆ MASK_TCP_UNUSUAL_FLAGS

#define MASK_TCP_UNUSUAL_FLAGS   (TH_URG|TH_ECN|TH_CWR)

Definition at line 401 of file detect-engine-build.c.

Function Documentation

◆ CreateGroupedPortList()

int CreateGroupedPortList ( DetectEngineCtx de_ctx,
DetectPort port_list,
DetectPort **  newhead,
uint32_t  unique_groups,
int(*)(DetectPort *, DetectPort *)  CompareFunc 
)

Definition at line 1539 of file detect-engine-build.c.

◆ CreateGroupedPortListCmpCnt()

int CreateGroupedPortListCmpCnt ( DetectPort a,
DetectPort b 
)

Definition at line 1497 of file detect-engine-build.c.

◆ PacketCreateMask()

◆ SigAddressCleanupStage1()

◆ SigCleanSignatures()

void SigCleanSignatures ( DetectEngineCtx de_ctx)

Definition at line 53 of file detect-engine-build.c.

References de_ctx, DetectEngineResetMaxSigId(), Signature_::next, DetectEngineCtx_::sig_list, and SigFree().

Referenced by DetectEngineCtxFree(), and UTHPacketMatchSig().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SigFindSignatureBySidGid()

Signature* SigFindSignatureBySidGid ( DetectEngineCtx de_ctx,
uint32_t  sid,
uint32_t  gid 
)

Find a specific signature by sid and gid.

Parameters
de_ctxdetection engine ctx
sidthe signature id
gidthe signature group id
Return values
ssig found
NULLsig not found

Definition at line 77 of file detect-engine-build.c.

References de_ctx, Signature_::next, and DetectEngineCtx_::sig_list.

◆ SigGroupBuild()

int SigGroupBuild ( DetectEngineCtx de_ctx)

Convert the signature list into the runtime match structure.

Parameters
de_ctxPointer to the Detection Engine Context whose Signatures have to be processed
Return values
0On Success.
-1On failure.

Definition at line 1948 of file detect-engine-build.c.

References de_ctx, DetectSetFastPatternAndItsId(), Signature_::next, Signature_::num, DetectEngineCtx_::sig_list, and DetectEngineCtx_::signum.

Referenced by UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SigGroupCleanup()

int SigGroupCleanup ( DetectEngineCtx de_ctx)

Definition at line 2017 of file detect-engine-build.c.

References de_ctx, and SigAddressCleanupStage1().

Referenced by DetectEngineCtxFree(), UTHMatchPackets(), and UTHPacketMatchSig().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SignatureIsFilemagicInspecting()

int SignatureIsFilemagicInspecting ( const Signature s)

Check if a signature contains the filemagic keyword.

Parameters
ssignature
Return values
0no
1yes

Definition at line 117 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_MAGIC.

Referenced by SigGroupHeadSetupFiles().

Here is the caller graph for this function:

◆ SignatureIsFileMd5Inspecting()

int SignatureIsFileMd5Inspecting ( const Signature s)

Check if a signature contains the filemd5 keyword.

Parameters
ssignature
Return values
0no
1yes

Definition at line 136 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_MD5.

Referenced by SigGroupHeadSetupFiles().

Here is the caller graph for this function:

◆ SignatureIsFileSha1Inspecting()

int SignatureIsFileSha1Inspecting ( const Signature s)

Check if a signature contains the filesha1 keyword.

Parameters
ssignature
Return values
0no
1yes

Definition at line 152 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_SHA1.

Referenced by SigGroupHeadSetupFiles().

Here is the caller graph for this function:

◆ SignatureIsFileSha256Inspecting()

int SignatureIsFileSha256Inspecting ( const Signature s)

Check if a signature contains the filesha256 keyword.

Parameters
ssignature
Return values
0no
1yes

Definition at line 168 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_SHA256.

Referenced by SigGroupHeadSetupFiles().

Here is the caller graph for this function:

◆ SignatureIsFilesizeInspecting()

int SignatureIsFilesizeInspecting ( const Signature s)

Check if a signature contains the filesize keyword.

Parameters
ssignature
Return values
0no
1yes

Definition at line 184 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_SIZE.

Referenced by SigGroupHeadSetupFiles().

Here is the caller graph for this function:

◆ SignatureIsFilestoring()

int SignatureIsFilestoring ( const Signature s)

Check if a signature contains the filestore keyword.

Parameters
ssignature
Return values
0no
1yes

Definition at line 98 of file detect-engine-build.c.

References Signature_::flags, and SIG_FLAG_FILESTORE.

Referenced by SigGroupHeadSetupFiles().

Here is the caller graph for this function:

◆ SignatureIsIPOnly()

int SignatureIsIPOnly ( DetectEngineCtx de_ctx,
const Signature s 
)

Test is a initialized signature is IP only.

Parameters
de_ctxdetection engine ctx
sthe signature
Return values
1sig is ip only
2sig is like ip only
0sig is not ip only

Definition at line 207 of file detect-engine-build.c.

References Signature_::alproto, ALPROTO_UNKNOWN, DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, SIG_FLAG_APPLAYER, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, and SignatureInitData_::smlists.

◆ SignatureSetType()

void SignatureSetType ( DetectEngineCtx de_ctx,
Signature s 
)

Definition at line 1273 of file detect-engine-build.c.

References BUG_ON, SIG_TYPE_NOT_SET, and Signature_::type.

◆ SigPrepareStage1()

int SigPrepareStage1 ( DetectEngineCtx de_ctx)

Preprocess signature, classify ip-only, etc, build sig array.

Parameters
de_ctxPointer to the Detection Engine Context
Return values
0on success
-1on failure

Definition at line 1346 of file detect-engine-build.c.

References de_ctx, DE_QUIET, DetectEngineGetMaxSigId, DetectEngineCtx_::flags, Signature_::id, Signature_::next, Signature_::num, SCCalloc, SCLogDebug, DetectEngineCtx_::sig_array, DetectEngineCtx_::sig_array_len, DetectEngineCtx_::sig_list, SIG_TYPE_IPONLY, SIG_TYPE_PDONLY, and Signature_::type.

◆ SigPrepareStage2()

int SigPrepareStage2 ( DetectEngineCtx de_ctx)

Fill the global src group head, with the sigs included.

Parameters
de_ctxPointer to the Detection Engine Context whose Signatures have to be processed
Return values
0On success
-1On failure

Definition at line 1684 of file detect-engine-build.c.

References de_ctx, DetectEngineCtx_::flow_gh, DetectEngineCtx_::io_ctx, IPOnlyInit(), SCLogDebug, and DetectEngineLookupFlow_::tcp.

Here is the call graph for this function:

◆ SigPrepareStage3()

int SigPrepareStage3 ( DetectEngineCtx de_ctx)

Definition at line 1724 of file detect-engine-build.c.

◆ SigPrepareStage4()

Variable Documentation

◆ g_skip_prefilter

int g_skip_prefilter

Definition at line 1055 of file detect-engine-mpm.c.

◆ rule_engine_analysis_set

bool rule_engine_analysis_set

Definition at line 56 of file detect-engine-loader.c.