#include "suricata-common.h"
#include "detect.h"
#include "detect-engine.h"
#include "detect-parse.h"
#include "detect-content.h"
#include "detect-engine-build.h"
#include "detect-engine-address.h"
#include "detect-engine-analyzer.h"
#include "detect-engine-iponly.h"
#include "detect-engine-mpm.h"
#include "detect-engine-siggroup.h"
#include "detect-engine-port.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-proto.h"
#include "detect-engine-threshold.h"
#include "detect-dsize.h"
#include "detect-tcp-flags.h"
#include "detect-flow.h"
#include "detect-config.h"
#include "detect-flowbits.h"
#include "app-layer-events.h"
#include "util-port-interval-tree.h"
#include "util-profiling.h"
#include "util-validate.h"
#include "util-var-name.h"
#include "util-conf.h"

Include dependency graph for detect-engine-build.c:

Data Structures
struct	UniquePortPoint_

Macros
#define	DETECT_PGSCORE_RULE_PORT_PRIORITIZED 111 /* Rule port group contains a priority port */

#define	DETECT_PGSCORE_RULE_MPM_FAST_PATTERN 99 /* Rule contains an MPM fast pattern */

#define	DETECT_PGSCORE_RULE_MPM_NEGATED 77 /* Rule contains a negated MPM */

#define	DETECT_PGSCORE_RULE_NO_MPM 55 /* Rule does not contain MPM */

#define	DETECT_PGSCORE_RULE_SYN_ONLY 33 /* Rule needs SYN check */

#define	MASK_TCP_INITDEINIT_FLAGS (TH_SYN\|TH_RST\|TH_FIN)

#define	MASK_TCP_UNUSUAL_FLAGS (TH_URG\|TH_ECN\|TH_CWR)

#define	UNDEFINED_PORT 0

#define	RANGE_PORT 1

#define	SINGLE_PORT 2

Typedefs
typedef struct UniquePortPoint_	UniquePortPoint

Functions
void	SigCleanSignatures (DetectEngineCtx *de_ctx)

Signature *	SigFindSignatureBySidGid (DetectEngineCtx *de_ctx, uint32_t sid, uint32_t gid)
	Find a specific signature by sid and gid. More...

int	SignatureIsFilestoring (const Signature *s)
	Check if a signature contains the filestore keyword. More...

int	SignatureIsFilemagicInspecting (const Signature *s)
	Check if a signature contains the filemagic keyword. More...

int	SignatureIsFileMd5Inspecting (const Signature *s)
	Check if a signature contains the filemd5 keyword. More...

int	SignatureIsFileSha1Inspecting (const Signature *s)
	Check if a signature contains the filesha1 keyword. More...

int	SignatureIsFileSha256Inspecting (const Signature *s)
	Check if a signature contains the filesha256 keyword. More...

int	SignatureIsFilesizeInspecting (const Signature *s)
	Check if a signature contains the filesize keyword. More...

int	SignatureIsIPOnly (DetectEngineCtx de_ctx, const Signature s)
	Test is a initialized signature is IP only. More...

void	PacketCreateMask (Packet p, SignatureMask mask, AppProto alproto, bool app_decoder_events)

void	SignatureSetType (DetectEngineCtx de_ctx, Signature s)

int	SigPrepareStage1 (DetectEngineCtx *de_ctx)
	Preprocess signature, classify ip-only, etc, build sig array. More...

int	SigPrepareStage2 (DetectEngineCtx *de_ctx)
	Fill the global src group head, with the sigs included. More...

int	SigPrepareStage3 (DetectEngineCtx *de_ctx)

int	SigAddressCleanupStage1 (DetectEngineCtx *de_ctx)

int	SigPrepareStage4 (DetectEngineCtx *de_ctx)
	finalize preparing sgh's More...

int	SigGroupBuild (DetectEngineCtx *de_ctx)
	Convert the signature list into the runtime match structure. More...

int	SigGroupCleanup (DetectEngineCtx *de_ctx)

Variables
int	g_skip_prefilter

bool	rule_engine_analysis_set

Macro Definition Documentation

◆ DETECT_PGSCORE_RULE_MPM_FAST_PATTERN

#define DETECT_PGSCORE_RULE_MPM_FAST_PATTERN 99 /* Rule contains an MPM fast pattern */

Definition at line 51 of file detect-engine-build.c.

◆ DETECT_PGSCORE_RULE_MPM_NEGATED

#define DETECT_PGSCORE_RULE_MPM_NEGATED 77 /* Rule contains a negated MPM */

Definition at line 52 of file detect-engine-build.c.

◆ DETECT_PGSCORE_RULE_NO_MPM

#define DETECT_PGSCORE_RULE_NO_MPM 55 /* Rule does not contain MPM */

Definition at line 53 of file detect-engine-build.c.

◆ DETECT_PGSCORE_RULE_PORT_PRIORITIZED

#define DETECT_PGSCORE_RULE_PORT_PRIORITIZED 111 /* Rule port group contains a priority port */

Definition at line 50 of file detect-engine-build.c.

◆ DETECT_PGSCORE_RULE_SYN_ONLY

#define DETECT_PGSCORE_RULE_SYN_ONLY 33 /* Rule needs SYN check */

Definition at line 54 of file detect-engine-build.c.

◆ MASK_TCP_INITDEINIT_FLAGS

#define MASK_TCP_INITDEINIT_FLAGS (TH_SYN|TH_RST|TH_FIN)

Definition at line 402 of file detect-engine-build.c.

◆ MASK_TCP_UNUSUAL_FLAGS

#define MASK_TCP_UNUSUAL_FLAGS (TH_URG|TH_ECN|TH_CWR)

Definition at line 403 of file detect-engine-build.c.

◆ RANGE_PORT

#define RANGE_PORT 1

Definition at line 1313 of file detect-engine-build.c.

◆ SINGLE_PORT

#define SINGLE_PORT 2

Definition at line 1314 of file detect-engine-build.c.

◆ UNDEFINED_PORT

#define UNDEFINED_PORT 0

Definition at line 1312 of file detect-engine-build.c.

Typedef Documentation

◆ UniquePortPoint

typedef struct UniquePortPoint_ UniquePortPoint

Function Documentation

◆ PacketCreateMask()

void PacketCreateMask	(	Packet *	p,
		SignatureMask *	mask,
		AppProto	alproto,
		bool	app_decoder_events
	)

Definition at line 407 of file detect-engine-build.c.

References Packet_::app_layer_events, AppLayerDecoderEvents_::cnt, PacketEngineEvents_::cnt, Packet_::events, Packet_::flags, Packet_::payload_len, PKT_DETECT_HAS_STREAMDATA, PKT_IS_PSEUDOPKT, PKT_NOPAYLOAD_INSPECTION, SCLogDebug, SIG_MASK_REQUIRE_ENGINE_EVENT, SIG_MASK_REQUIRE_NO_PAYLOAD, SIG_MASK_REQUIRE_PAYLOAD, and SIG_MASK_REQUIRE_REAL_PKT.

◆ SigAddressCleanupStage1()

int SigAddressCleanupStage1 ( DetectEngineCtx * de_ctx )

Definition at line 1927 of file detect-engine-build.c.

References BUG_ON, de_ctx, DetectEngineCtx_::decoder_event_sgh, DetectPortCleanupList(), DetectEngineCtx_::flow_gh, FLOW_STATES, DetectEngineCtx_::io_ctx, IPOnlyDeinit(), SCFree, SCLogDebug, DetectEngineLookupFlow_::sgh, DetectEngineCtx_::sgh_array, DetectEngineCtx_::sgh_array_cnt, DetectEngineCtx_::sgh_array_size, SigGroupHeadFree(), DetectEngineLookupFlow_::tcp, and DetectEngineLookupFlow_::udp.

Referenced by SigGroupCleanup().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ SigCleanSignatures()

void SigCleanSignatures ( DetectEngineCtx * de_ctx )

Definition at line 55 of file detect-engine-build.c.

References de_ctx, DetectEngineResetMaxSigId(), Signature_::next, DetectEngineCtx_::sig_list, and SigFree().

Referenced by DetectEngineCtxFree(), and UTHPacketMatchSig().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ SigFindSignatureBySidGid()

Signature* SigFindSignatureBySidGid	(	DetectEngineCtx *	de_ctx,
		uint32_t	sid,
		uint32_t	gid
	)

Find a specific signature by sid and gid.

Parameters

de_ctx	detection engine ctx
sid	the signature id
gid	the signature group id

Return values

s	sig found
NULL	sig not found

Definition at line 79 of file detect-engine-build.c.

References de_ctx, Signature_::next, and DetectEngineCtx_::sig_list.

◆ SigGroupBuild()

int SigGroupBuild ( DetectEngineCtx * de_ctx )

Convert the signature list into the runtime match structure.

Parameters

de_ctx Pointer to the Detection Engine Context whose Signatures have to be processed

Return values

0	On Success.
-1	On failure.

Definition at line 2144 of file detect-engine-build.c.

References de_ctx, DetectSetFastPatternAndItsId(), Signature_::next, Signature_::num, DetectEngineCtx_::sig_list, and DetectEngineCtx_::signum.

Referenced by UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ SigGroupCleanup()

int SigGroupCleanup ( DetectEngineCtx * de_ctx )

Definition at line 2211 of file detect-engine-build.c.

References de_ctx, and SigAddressCleanupStage1().

Referenced by DetectEngineCtxFree(), UTHMatchPackets(), and UTHPacketMatchSig().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ SignatureIsFilemagicInspecting()

int SignatureIsFilemagicInspecting ( const Signature * s )

Check if a signature contains the filemagic keyword.

Parameters

s signature

Return values

0	no
1	yes

Definition at line 119 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_MAGIC.

Referenced by SigGroupHeadSetupFiles().

Here is the caller graph for this function:

◆ SignatureIsFileMd5Inspecting()

int SignatureIsFileMd5Inspecting ( const Signature * s )

Check if a signature contains the filemd5 keyword.

Parameters

s signature

Return values

0	no
1	yes

Definition at line 138 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_MD5.

Referenced by SigGroupHeadSetupFiles().

Here is the caller graph for this function:

◆ SignatureIsFileSha1Inspecting()

int SignatureIsFileSha1Inspecting ( const Signature * s )

Check if a signature contains the filesha1 keyword.

Parameters

s signature

Return values

0	no
1	yes

Definition at line 154 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_SHA1.

Referenced by SigGroupHeadSetupFiles().

Here is the caller graph for this function:

◆ SignatureIsFileSha256Inspecting()

int SignatureIsFileSha256Inspecting ( const Signature * s )

Check if a signature contains the filesha256 keyword.

Parameters

s signature

Return values

0	no
1	yes

Definition at line 170 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_SHA256.

Referenced by SigGroupHeadSetupFiles().

Here is the caller graph for this function:

◆ SignatureIsFilesizeInspecting()

int SignatureIsFilesizeInspecting ( const Signature * s )

Check if a signature contains the filesize keyword.

Parameters

s signature

Return values

0	no
1	yes

Definition at line 186 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_SIZE.

Referenced by SigGroupHeadSetupFiles().

Here is the caller graph for this function:

◆ SignatureIsFilestoring()

int SignatureIsFilestoring ( const Signature * s )

Check if a signature contains the filestore keyword.

Parameters

s signature

Return values

0	no
1	yes

Definition at line 100 of file detect-engine-build.c.

References Signature_::flags, and SIG_FLAG_FILESTORE.

Referenced by SigGroupHeadSetupFiles().

Here is the caller graph for this function:

◆ SignatureIsIPOnly()

int SignatureIsIPOnly	(	DetectEngineCtx *	de_ctx,
		const Signature *	s
	)

Test is a initialized signature is IP only.

Parameters

de_ctx	detection engine ctx
s	the signature

Return values

1	sig is ip only
2	sig is like ip only
0	sig is not ip only

Definition at line 209 of file detect-engine-build.c.

References Signature_::alproto, ALPROTO_UNKNOWN, DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, SIG_FLAG_APPLAYER, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, and SignatureInitData_::smlists.

◆ SignatureSetType()

void SignatureSetType	(	DetectEngineCtx *	de_ctx,
		Signature *	s
	)

Definition at line 1642 of file detect-engine-build.c.

References BUG_ON, SIG_TYPE_NOT_SET, and Signature_::type.

◆ SigPrepareStage1()

int SigPrepareStage1 ( DetectEngineCtx * de_ctx )

Preprocess signature, classify ip-only, etc, build sig array.

Parameters

de_ctx Pointer to the Detection Engine Context

Return values

0	on success
-1	on failure

Definition at line 1715 of file detect-engine-build.c.

References de_ctx, DE_QUIET, DetectEngineGetMaxSigId, DetectEngineCtx_::flags, Signature_::id, Signature_::next, Signature_::num, SCCalloc, SCLogDebug, DetectEngineCtx_::sig_array, DetectEngineCtx_::sig_array_len, DetectEngineCtx_::sig_list, SIG_TYPE_IPONLY, SIG_TYPE_PDONLY, and Signature_::type.

◆ SigPrepareStage2()

int SigPrepareStage2 ( DetectEngineCtx * de_ctx )

Fill the global src group head, with the sigs included.

Parameters

de_ctx Pointer to the Detection Engine Context whose Signatures have to be processed

Return values

0	On success
-1	On failure

Definition at line 1880 of file detect-engine-build.c.

References de_ctx, DetectEngineCtx_::flow_gh, DetectEngineCtx_::io_ctx, IPOnlyInit(), SCLogDebug, and DetectEngineLookupFlow_::tcp.

Here is the call graph for this function:

◆ SigPrepareStage3()

int SigPrepareStage3 ( DetectEngineCtx * de_ctx )

Definition at line 1920 of file detect-engine-build.c.

◆ SigPrepareStage4()

int SigPrepareStage4 ( DetectEngineCtx * de_ctx )

finalize preparing sgh's

Definition at line 2001 of file detect-engine-build.c.

References cnt, ConfGetBool(), de_ctx, DetectEngineCtx_::decoder_event_sgh, SigGroupHead_::filestore_cnt, SigGroupHead_::id, MpmStoreReportStats(), PrefilterSetupRuleGroup(), SCEnter, SCLogDebug, SCLogPerf, DetectEngineCtx_::sgh_array, DetectEngineCtx_::sgh_array_cnt, SigGroupHeadBuildNonPrefilterArray(), and SigGroupHeadSetupFiles().

Here is the call graph for this function:

Variable Documentation

◆ g_skip_prefilter

int g_skip_prefilter

Definition at line 1072 of file detect-engine-mpm.c.

◆ rule_engine_analysis_set

bool rule_engine_analysis_set

Definition at line 55 of file detect-engine-loader.c.

Data Structures

Macros

Typedefs

Functions

Variables

Macro Definition Documentation

◆ DETECT_PGSCORE_RULE_MPM_FAST_PATTERN

◆ DETECT_PGSCORE_RULE_MPM_NEGATED

◆ DETECT_PGSCORE_RULE_NO_MPM

◆ DETECT_PGSCORE_RULE_PORT_PRIORITIZED

◆ DETECT_PGSCORE_RULE_SYN_ONLY

◆ MASK_TCP_INITDEINIT_FLAGS

◆ MASK_TCP_UNUSUAL_FLAGS

◆ RANGE_PORT

◆ SINGLE_PORT

◆ UNDEFINED_PORT

Typedef Documentation

◆ UniquePortPoint

Function Documentation

◆ PacketCreateMask()

◆ SigAddressCleanupStage1()

◆ SigCleanSignatures()

◆ SigFindSignatureBySidGid()

◆ SigGroupBuild()

◆ SigGroupCleanup()

◆ SignatureIsFilemagicInspecting()

◆ SignatureIsFileMd5Inspecting()

◆ SignatureIsFileSha1Inspecting()

◆ SignatureIsFileSha256Inspecting()

◆ SignatureIsFilesizeInspecting()

◆ SignatureIsFilestoring()

◆ SignatureIsIPOnly()

◆ SignatureSetType()

◆ SigPrepareStage1()

◆ SigPrepareStage2()

◆ SigPrepareStage3()

◆ SigPrepareStage4()

Variable Documentation

◆ g_skip_prefilter

◆ rule_engine_analysis_set