#include "suricata-common.h"
#include "detect.h"
#include "detect-engine.h"
#include "detect-parse.h"
#include "detect-content.h"
#include "detect-engine-build.h"
#include "detect-engine-address.h"
#include "detect-engine-analyzer.h"
#include "detect-engine-iponly.h"
#include "detect-engine-mpm.h"
#include "detect-engine-siggroup.h"
#include "detect-engine-port.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-proto.h"
#include "detect-engine-threshold.h"
#include "detect-dsize.h"
#include "detect-tcp-flags.h"
#include "detect-flow.h"
#include "detect-config.h"
#include "detect-flowbits.h"
#include "app-layer-events.h"
#include "util-port-interval-tree.h"
#include "util-profiling.h"
#include "util-validate.h"
#include "util-var-name.h"
#include "util-conf.h"
Data Structures | |
struct | UniquePortPoint_ |
Macros | |
#define | DETECT_PGSCORE_RULE_PORT_PRIORITIZED 111 /* Rule port group contains a priority port */ |
#define | DETECT_PGSCORE_RULE_MPM_FAST_PATTERN 99 /* Rule contains an MPM fast pattern */ |
#define | DETECT_PGSCORE_RULE_MPM_NEGATED 77 /* Rule contains a negated MPM */ |
#define | DETECT_PGSCORE_RULE_NO_MPM 55 /* Rule does not contain MPM */ |
#define | DETECT_PGSCORE_RULE_SYN_ONLY 33 /* Rule needs SYN check */ |
#define | MASK_TCP_INITDEINIT_FLAGS (TH_SYN|TH_RST|TH_FIN) |
#define | MASK_TCP_UNUSUAL_FLAGS (TH_URG|TH_ECN|TH_CWR) |
#define | UNDEFINED_PORT 0 |
#define | RANGE_PORT 1 |
#define | SINGLE_PORT 2 |
Typedefs | |
typedef struct UniquePortPoint_ | UniquePortPoint |
Functions | |
void | SigCleanSignatures (DetectEngineCtx *de_ctx) |
Signature * | SigFindSignatureBySidGid (DetectEngineCtx *de_ctx, uint32_t sid, uint32_t gid) |
Find a specific signature by sid and gid. More... | |
int | SignatureIsFilestoring (const Signature *s) |
Check if a signature contains the filestore keyword. More... | |
int | SignatureIsFilemagicInspecting (const Signature *s) |
Check if a signature contains the filemagic keyword. More... | |
int | SignatureIsFileMd5Inspecting (const Signature *s) |
Check if a signature contains the filemd5 keyword. More... | |
int | SignatureIsFileSha1Inspecting (const Signature *s) |
Check if a signature contains the filesha1 keyword. More... | |
int | SignatureIsFileSha256Inspecting (const Signature *s) |
Check if a signature contains the filesha256 keyword. More... | |
int | SignatureIsFilesizeInspecting (const Signature *s) |
Check if a signature contains the filesize keyword. More... | |
int | SignatureIsIPOnly (DetectEngineCtx *de_ctx, const Signature *s) |
Test whether an initialized signature is IP only. More... | |
void | PacketCreateMask (Packet *p, SignatureMask *mask, AppProto alproto, bool app_decoder_events) |
void | SignatureSetType (DetectEngineCtx *de_ctx, Signature *s) |
int | SigPrepareStage1 (DetectEngineCtx *de_ctx) |
Preprocess signatures, classify ip-only, etc., and build the sig array. More... | |
int | SigPrepareStage2 (DetectEngineCtx *de_ctx) |
Fill the global src group head with the sigs included. More... | |
int | SigPrepareStage3 (DetectEngineCtx *de_ctx) |
int | SigAddressCleanupStage1 (DetectEngineCtx *de_ctx) |
int | SigPrepareStage4 (DetectEngineCtx *de_ctx) |
Finalize preparing the sgh's (signature group heads). More... | |
int | SigGroupBuild (DetectEngineCtx *de_ctx) |
Convert the signature list into the runtime match structure. More... | |
int | SigGroupCleanup (DetectEngineCtx *de_ctx) |
Variables | |
bool | rule_engine_analysis_set |
#define DETECT_PGSCORE_RULE_MPM_FAST_PATTERN 99 /* Rule contains an MPM fast pattern */ |
Definition at line 51 of file detect-engine-build.c.
#define DETECT_PGSCORE_RULE_MPM_NEGATED 77 /* Rule contains a negated MPM */ |
Definition at line 52 of file detect-engine-build.c.
#define DETECT_PGSCORE_RULE_NO_MPM 55 /* Rule does not contain MPM */ |
Definition at line 53 of file detect-engine-build.c.
#define DETECT_PGSCORE_RULE_PORT_PRIORITIZED 111 /* Rule port group contains a priority port */ |
Definition at line 50 of file detect-engine-build.c.
#define DETECT_PGSCORE_RULE_SYN_ONLY 33 /* Rule needs SYN check */ |
Definition at line 54 of file detect-engine-build.c.
#define MASK_TCP_INITDEINIT_FLAGS (TH_SYN|TH_RST|TH_FIN) |
Definition at line 402 of file detect-engine-build.c.
#define MASK_TCP_UNUSUAL_FLAGS (TH_URG|TH_ECN|TH_CWR) |
Definition at line 403 of file detect-engine-build.c.
#define RANGE_PORT 1 |
Definition at line 1314 of file detect-engine-build.c.
#define SINGLE_PORT 2 |
Definition at line 1315 of file detect-engine-build.c.
#define UNDEFINED_PORT 0 |
Definition at line 1313 of file detect-engine-build.c.
typedef struct UniquePortPoint_ UniquePortPoint |
void PacketCreateMask | ( | Packet * | p, |
SignatureMask * | mask, | ||
AppProto | alproto, | ||
bool | app_decoder_events | ||
) |
Definition at line 407 of file detect-engine-build.c.
References Packet_::app_layer_events, AppLayerDecoderEvents_::cnt, PacketEngineEvents_::cnt, Packet_::events, Packet_::flags, Packet_::payload_len, PKT_DETECT_HAS_STREAMDATA, PKT_IS_PSEUDOPKT, PKT_NOPAYLOAD_INSPECTION, SCLogDebug, SIG_MASK_REQUIRE_ENGINE_EVENT, SIG_MASK_REQUIRE_NO_PAYLOAD, SIG_MASK_REQUIRE_PAYLOAD, and SIG_MASK_REQUIRE_REAL_PKT.
int SigAddressCleanupStage1 | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 1894 of file detect-engine-build.c.
References BUG_ON, de_ctx, DetectEngineCtx_::decoder_event_sgh, DetectPortCleanupList(), DetectEngineCtx_::flow_gh, FLOW_STATES, DetectEngineCtx_::io_ctx, IPOnlyDeinit(), SCFree, SCLogDebug, DetectEngineLookupFlow_::sgh, DetectEngineCtx_::sgh_array, DetectEngineCtx_::sgh_array_cnt, DetectEngineCtx_::sgh_array_size, SigGroupHeadFree(), DetectEngineLookupFlow_::tcp, and DetectEngineLookupFlow_::udp.
Referenced by SigGroupCleanup().
void SigCleanSignatures | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 55 of file detect-engine-build.c.
References de_ctx, DetectEngineResetMaxSigId(), Signature_::next, DetectEngineCtx_::sig_list, and SigFree().
Referenced by DetectEngineCtxFree(), and UTHPacketMatchSig().
Signature* SigFindSignatureBySidGid | ( | DetectEngineCtx * | de_ctx, |
uint32_t | sid, | ||
uint32_t | gid | ||
) |
Find a specific signature by sid and gid.
de_ctx | detection engine ctx |
sid | the signature id |
gid | the signature group id |
s | sig found |
NULL | sig not found |
Definition at line 79 of file detect-engine-build.c.
References de_ctx, Signature_::next, and DetectEngineCtx_::sig_list.
int SigGroupBuild | ( | DetectEngineCtx * | de_ctx | ) |
Convert the signature list into the runtime match structure.
de_ctx | Pointer to the Detection Engine Context whose Signatures have to be processed |
0 | On Success. |
-1 | On failure. |
Definition at line 2112 of file detect-engine-build.c.
References de_ctx, DetectSetFastPatternAndItsId(), Signature_::next, Signature_::num, DetectEngineCtx_::sig_list, and DetectEngineCtx_::signum.
Referenced by UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().
int SigGroupCleanup | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 2179 of file detect-engine-build.c.
References de_ctx, and SigAddressCleanupStage1().
Referenced by DetectEngineCtxFree(), UTHMatchPackets(), and UTHPacketMatchSig().
int SignatureIsFilemagicInspecting | ( | const Signature * | s | ) |
Check if a signature contains the filemagic keyword.
s | signature |
0 | no |
1 | yes |
Definition at line 119 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_MAGIC.
Referenced by SigGroupHeadSetupFiles().
int SignatureIsFileMd5Inspecting | ( | const Signature * | s | ) |
Check if a signature contains the filemd5 keyword.
s | signature |
0 | no |
1 | yes |
Definition at line 138 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_MD5.
Referenced by SigGroupHeadSetupFiles().
int SignatureIsFileSha1Inspecting | ( | const Signature * | s | ) |
Check if a signature contains the filesha1 keyword.
s | signature |
0 | no |
1 | yes |
Definition at line 154 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_SHA1.
Referenced by SigGroupHeadSetupFiles().
int SignatureIsFileSha256Inspecting | ( | const Signature * | s | ) |
Check if a signature contains the filesha256 keyword.
s | signature |
0 | no |
1 | yes |
Definition at line 170 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_SHA256.
Referenced by SigGroupHeadSetupFiles().
int SignatureIsFilesizeInspecting | ( | const Signature * | s | ) |
Check if a signature contains the filesize keyword.
s | signature |
0 | no |
1 | yes |
Definition at line 186 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_SIZE.
Referenced by SigGroupHeadSetupFiles().
int SignatureIsFilestoring | ( | const Signature * | s | ) |
Check if a signature contains the filestore keyword.
s | signature |
0 | no |
1 | yes |
Definition at line 100 of file detect-engine-build.c.
References Signature_::flags, and SIG_FLAG_FILESTORE.
Referenced by SigGroupHeadSetupFiles().
int SignatureIsIPOnly | ( | DetectEngineCtx * | de_ctx, |
const Signature * | s | ||
) |
Test whether an initialized signature is IP only.
de_ctx | detection engine ctx |
s | the signature |
1 | sig is ip only |
2 | sig is like ip only |
0 | sig is not ip only |
Definition at line 209 of file detect-engine-build.c.
References Signature_::alproto, ALPROTO_UNKNOWN, DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, SIG_FLAG_APPLAYER, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, and SignatureInitData_::smlists.
void SignatureSetType | ( | DetectEngineCtx * | de_ctx, |
Signature * | s | ||
) |
Definition at line 1643 of file detect-engine-build.c.
References BUG_ON, SIG_TYPE_NOT_SET, and Signature_::type.
int SigPrepareStage1 | ( | DetectEngineCtx * | de_ctx | ) |
Preprocess signatures, classify ip-only, etc., and build the sig array.
de_ctx | Pointer to the Detection Engine Context |
0 | on success |
-1 | on failure |
Definition at line 1715 of file detect-engine-build.c.
References de_ctx, DE_QUIET, DetectEngineGetMaxSigId, DetectEngineCtx_::flags, Signature_::id, Signature_::next, Signature_::num, SCCalloc, SCLogDebug, DetectEngineCtx_::sig_array, DetectEngineCtx_::sig_array_len, DetectEngineCtx_::sig_list, SIG_TYPE_IPONLY, SIG_TYPE_PDONLY, and Signature_::type.
int SigPrepareStage2 | ( | DetectEngineCtx * | de_ctx | ) |
Fill the global src group head with the sigs included.
de_ctx | Pointer to the Detection Engine Context whose Signatures have to be processed |
0 | On success |
-1 | On failure |
Definition at line 1847 of file detect-engine-build.c.
References de_ctx, DetectEngineCtx_::flow_gh, DetectEngineCtx_::io_ctx, IPOnlyInit(), SCLogDebug, and DetectEngineLookupFlow_::tcp.
int SigPrepareStage3 | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 1887 of file detect-engine-build.c.
int SigPrepareStage4 | ( | DetectEngineCtx * | de_ctx | ) |
Finalize preparing the sgh's (signature group heads).
Definition at line 1968 of file detect-engine-build.c.
References cnt, ConfGetBool(), de_ctx, DetectEngineCtx_::decoder_event_sgh, SigGroupHead_::filestore_cnt, SigGroupHead_::id, MpmStoreReportStats(), PrefilterSetupRuleGroup(), SCEnter, SCLogDebug, SCLogPerf, DetectEngineCtx_::sgh_array, DetectEngineCtx_::sgh_array_cnt, SigGroupHeadBuildNonPrefilterArray(), and SigGroupHeadSetupFiles().
bool rule_engine_analysis_set |
Definition at line 55 of file detect-engine-loader.c.