50 #define DETECT_PGSCORE_RULE_PORT_PRIORITIZED 111
51 #define DETECT_PGSCORE_RULE_MPM_FAST_PATTERN 99
52 #define DETECT_PGSCORE_RULE_MPM_NEGATED 77
53 #define DETECT_PGSCORE_RULE_NO_MPM 55
54 #define DETECT_PGSCORE_RULE_SYN_ONLY 33
86 if (s->id == sid && s->gid == gid)
198 static bool SignatureInspectsBuffers(
const Signature *s)
233 if (SignatureInspectsBuffers(s)) {
241 for (; sm != NULL; sm = sm->
next) {
252 for ( ; sm != NULL; sm = sm->
next) {
268 SCLogDebug(
"IP-ONLY (%" PRIu32
"): source %s, dest %s", s->
id,
295 if (SignatureInspectsBuffers(s)) {
310 for ( ; sm != NULL; sm = sm->
next) {
318 SCLogDebug(
"%u: not PD-only: flowbit settings other than 'set'", s->
id);
323 SCLogDebug(
"%u: not PD-only: flow settings other than toserver/toclient", s->
id);
380 if (SignatureInspectsBuffers(s)) {
386 for ( ;sm != NULL; sm = sm->
next) {
393 for ( ;sm != NULL; sm = sm->
next) {
406 SCLogDebug(
"DE-ONLY (%" PRIu32
"): source %s, dest %s", s->
id,
414 #define MASK_TCP_INITDEINIT_FLAGS (TH_SYN|TH_RST|TH_FIN)
415 #define MASK_TCP_UNUSUAL_FLAGS (TH_URG|TH_ECN|TH_CWR)
421 bool app_decoder_events)
437 if (p->
events.
cnt > 0 || app_decoder_events != 0 ||
444 const TCPHdr *tcph = PacketGetTCP(p);
459 static int SignatureCreateMask(
Signature *s)
483 SCLogDebug(
"SIG_FLAG_REQUIRE_FLOWVAR set as sig has "
484 "flowbit isset option.");
489 SCLogDebug(
"sig requires flow to be able to manipulate "
496 SCLogDebug(
"sig requires flow to be able to manipulate "
505 SCLogDebug(
"sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT");
509 SCLogDebug(
"sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL");
580 static bool RuleInspectsPayloadHasNoMpm(
const Signature *s)
587 static int RuleGetMpmPatternSize(
const Signature *s)
600 static bool RuleMpmIsNegated(
const Signature *s)
616 const SigGroupHead *sgh,
const int add_rules,
const int add_mpm_stats)
618 uint32_t prefilter_cnt = 0;
619 uint32_t mpm_cnt = 0;
620 uint32_t nonmpm_cnt = 0;
621 uint32_t mpm_depth_cnt = 0;
622 uint32_t mpm_endswith_cnt = 0;
623 uint32_t negmpm_cnt = 0;
624 uint32_t any5_cnt = 0;
625 uint32_t payload_no_mpm_cnt = 0;
626 uint32_t syn_cnt = 0;
628 uint32_t mpms_min = 0;
629 uint32_t mpms_max = 0;
638 } mpm_stats[max_buffer_type_id];
639 memset(mpm_stats, 0x00,
sizeof(mpm_stats));
643 uint32_t mpm_sizes[max_buffer_type_id][256];
644 memset(mpm_sizes, 0,
sizeof(mpm_sizes));
645 uint32_t alproto_mpm_bufs[
g_alproto_max][max_buffer_type_id];
646 memset(alproto_mpm_bufs, 0,
sizeof(alproto_mpm_bufs));
649 if (sgh->
init == NULL)
652 SCJsonBuilder *js = SCJbNewObject();
656 SCJbSetUint(js,
"id", sgh->
id);
658 SCJbOpenArray(js,
"rules");
659 for (uint32_t x = 0; x < sgh->
init->
sig_cnt; x++) {
689 SCLogDebug(
"SGH %p Non-MPM inspecting only packets. Rule %u", sgh, s->
id);
696 SCLogDebug(
"SGH %p Non-MPM toserver and to 'any'. Rule %u", sgh, s->
id);
699 SCLogDebug(
"SGH %p Non-MPM toclient and to 'any'. Rule %u", sgh, s->
id);
712 mpm_sizes[mpm_list][size]++;
713 alproto_mpm_bufs[s->
alproto][mpm_list]++;
720 if (dp->
port == 0 && dp->
port2 == 65535) {
721 SCLogDebug(
"SGH %p toserver 1byte fast_pattern to ANY. Rule %u", sgh, s->
id);
723 SCLogDebug(
"SGH %p toserver 1byte fast_pattern to port(s) %u-%u. Rule %u", sgh, dp->
port, dp->
port2, s->
id);
727 if (sp->
port == 0 && sp->
port2 == 65535) {
728 SCLogDebug(
"SGH %p toclient 1byte fast_pattern to ANY. Rule %u", sgh, s->
id);
730 SCLogDebug(
"SGH %p toclient 1byte fast_pattern to port(s) %u-%u. Rule %u", sgh, sp->
port, sp->
port2, s->
id);
744 BUG_ON(mpm_list >= max_buffer_type_id);
745 mpm_stats[mpm_list].total += w;
746 mpm_stats[mpm_list].cnt++;
747 if (mpm_stats[mpm_list].min == 0 || w < mpm_stats[mpm_list].min)
748 mpm_stats[mpm_list].min = w;
749 if (w > mpm_stats[mpm_list].max)
750 mpm_stats[mpm_list].max = w;
757 if (w < 10 && any == 5) {
773 if (RuleInspectsPayloadHasNoMpm(s)) {
774 SCLogDebug(
"SGH %p No MPM. Payload inspecting. Rule %u", sgh, s->
id);
775 payload_no_mpm_cnt++;
781 SCJsonBuilder *e = SCJbNewObject();
783 SCJbSetUint(e,
"sig_id", s->
id);
785 SCJbAppendObject(js, e);
792 SCJbOpenObject(js,
"stats");
795 SCJbOpenObject(js,
"types");
796 SCJbSetUint(js,
"mpm", mpm_cnt);
797 SCJbSetUint(js,
"non_mpm", nonmpm_cnt);
798 SCJbSetUint(js,
"mpm_depth", mpm_depth_cnt);
799 SCJbSetUint(js,
"mpm_endswith", mpm_endswith_cnt);
800 SCJbSetUint(js,
"negated_mpm", negmpm_cnt);
801 SCJbSetUint(js,
"payload_but_no_mpm", payload_no_mpm_cnt);
802 SCJbSetUint(js,
"prefilter", prefilter_cnt);
803 SCJbSetUint(js,
"syn", syn_cnt);
804 SCJbSetUint(js,
"any5", any5_cnt);
808 if (alstats[i] > 0) {
810 SCJbOpenObject(js, proto_name);
811 SCJbSetUint(js,
"total", alstats[i]);
813 for (
int y = 0; y < max_buffer_type_id; y++) {
814 if (alproto_mpm_bufs[i][y] == 0)
823 SCJbSetUint(js,
name, alproto_mpm_bufs[i][y]);
830 SCJbOpenObject(js,
"mpm");
832 for (
int i = 0; i < max_buffer_type_id; i++) {
833 if (mpm_stats[i].
cnt > 0) {
840 SCJbOpenArray(js,
name);
842 for (
int y = 0; y < 256; y++) {
843 if (mpm_sizes[i][y] == 0)
846 SCJsonBuilder *e = SCJbNewObject();
848 SCJbSetUint(e,
"size", y);
849 SCJbSetUint(e,
"count", mpm_sizes[i][y]);
851 SCJbAppendObject(js, e);
856 SCJsonBuilder *e = SCJbNewObject();
858 SCJbSetUint(e,
"total", mpm_stats[i].
cnt);
859 SCJbSetUint(e,
"avg_strength", mpm_stats[i].total / mpm_stats[i].
cnt);
860 SCJbSetUint(e,
"min_strength", mpm_stats[i].min);
861 SCJbSetUint(e,
"max_strength", mpm_stats[i].max);
863 SCJbAppendObject(js, e);
874 SCJbSetUint(js,
"score", sgh->
init->
score);
881 const int add_rules,
const int add_mpm_stats)
883 SCJsonBuilder *js = SCJbNewObject();
887 for (
int p = 0; p < 256; p++) {
888 if (p == IPPROTO_TCP || p == IPPROTO_UDP) {
889 const char *
name = (p == IPPROTO_TCP) ?
"tcp" :
"udp";
891 SCJbOpenObject(js,
name);
892 SCJbOpenArray(js,
"toserver");
895 while (list != NULL) {
896 SCJsonBuilder *port = SCJbNewObject();
897 SCJbSetUint(port,
"port", list->
port);
898 SCJbSetUint(port,
"port2", list->
port2);
900 SCJsonBuilder *stats =
901 RulesGroupPrintSghStats(
de_ctx, list->
sh, add_rules, add_mpm_stats);
902 SCJbSetObject(port,
"rulegroup", stats);
905 SCJbAppendObject(js, port);
912 SCJbOpenArray(js,
"toclient");
915 while (list != NULL) {
916 SCJsonBuilder *port = SCJbNewObject();
917 SCJbSetUint(port,
"port", list->
port);
918 SCJbSetUint(port,
"port2", list->
port2);
920 SCJsonBuilder *stats =
921 RulesGroupPrintSghStats(
de_ctx, list->
sh, add_rules, add_mpm_stats);
922 SCJbSetObject(port,
"rulegroup", stats);
925 SCJbAppendObject(js, port);
932 }
else if (p == IPPROTO_ICMP || p == IPPROTO_ICMPV6) {
933 const char *
name = (p == IPPROTO_ICMP) ?
"icmpv4" :
"icmpv6";
934 SCJbOpenObject(js,
name);
936 SCJbOpenObject(js,
"toserver");
937 SCJsonBuilder *stats = RulesGroupPrintSghStats(
939 SCJbSetObject(js,
"rulegroup", stats);
944 SCJbOpenObject(js,
"toclient");
945 SCJsonBuilder *stats = RulesGroupPrintSghStats(
947 SCJbSetObject(js,
"rulegroup", stats);
956 const char *filename =
"rule_group.json";
958 char log_path[PATH_MAX] =
"";
959 snprintf(log_path,
sizeof(log_path),
"%s/%s", log_dir, filename);
961 FILE *fp = fopen(log_path,
"w");
963 fwrite(SCJbPtr(js), SCJbLen(js), 1, fp);
976 for ( ; s != NULL; s = s->
next) {
981 for (
int p = 0; p < 256; p++) {
982 if (p == IPPROTO_TCP || p == IPPROTO_UDP) {
1007 for (p = 0; p < 256; p++) {
1008 if (p == IPPROTO_TCP || p == IPPROTO_UDP)
1010 if (sgh_ts[p] == NULL)
1016 if (lookup_sgh == NULL) {
1017 SCLogDebug(
"proto group %d sgh %p is the original", p, sgh_ts[p]);
1026 SCLogDebug(
"proto group %d sgh %p is a copy", p, sgh_ts[p]);
1029 sgh_ts[p] = lookup_sgh;
1033 SCLogPerf(
"OTHER %s: %u proto groups, %u unique SGH's, %u copies",
1034 "toserver",
cnt, own, ref);
1039 for (p = 0; p < 256; p++) {
1040 if (p == IPPROTO_TCP || p == IPPROTO_UDP)
1042 if (sgh_tc[p] == NULL)
1048 if (lookup_sgh == NULL) {
1049 SCLogDebug(
"proto group %d sgh %p is the original", p, sgh_tc[p]);
1059 SCLogDebug(
"proto group %d sgh %p is a copy", p, sgh_tc[p]);
1062 sgh_tc[p] = lookup_sgh;
1066 SCLogPerf(
"OTHER %s: %u proto groups, %u unique SGH's, %u copies",
1067 "toclient",
cnt, own, ref);
1069 for (p = 0; p < 256; p++) {
1070 if (p == IPPROTO_TCP || p == IPPROTO_UDP)
1083 if (ipproto == IPPROTO_UDP)
1111 if (!(p->
port == 0 && p->
port2 == 65535)) {
1113 if (RuleInspectsPayloadHasNoMpm(s)) {
1114 SCLogDebug(
"Rule %u MPM has 1 byte fast_pattern. Prioritizing SGH's.", s->
id);
1117 }
else if (RuleMpmIsNegated(s)) {
1118 SCLogDebug(
"Rule %u MPM is negated. Prioritizing SGH's.", s->
id);
1124 RuleGetMpmPatternSize(s) == 1) {
1125 SCLogDebug(
"Rule %u No MPM. Payload inspecting. Prioritizing SGH's.", s->
id);
1129 SCLogDebug(
"Rule %u Needs SYN, so inspected often. Prioritizing SGH's.", s->
id);
1138 static int SortCompare(
const void *a,
const void *b)
1165 static inline void SortGroupList(
1166 uint32_t *groups,
DetectPort **list,
int (*CompareFunc)(
const void *,
const void *))
1184 x->sh->id = idx + 1;
1187 x->
next = x->prev = x->last = NULL;
1194 qsort(array, idx,
sizeof(
DetectPort *), SortCompare);
1198 for (
int i = 0; i < idx; i++) {
1203 if (new_list == NULL) {
1220 SCLogDebug(
"item:= [%u:%u]; score: %d; sig_cnt: %d", tmp->port, tmp->port2,
1221 tmp->sh->init->score, tmp->sh->init->sig_cnt);
1239 DetectPort **newhead, uint32_t unique_groups,
1240 int (*CompareFunc)(
const void *,
const void *))
1243 uint32_t groups = 0;
1248 tmplist = port_list;
1249 SortGroupList(&groups, &tmplist, SortCompare);
1250 uint32_t left = unique_groups;
1257 DetectPort *tmplist2 = NULL, *tmplist2_tail = NULL;
1259 for (gr = tmplist; gr != NULL;) {
1268 if (joingr == NULL) {
1270 if (joingr == NULL) {
1273 SCLogDebug(
"joingr => %u-%u", joingr->port, joingr->port2);
1274 joingr->next = NULL;
1285 if (tmplist2 == NULL) {
1289 tmplist2_tail->
next = gr;
1301 if (joingr != NULL) {
1302 SCLogDebug(
"appending joingr %p %u:%u", joingr, joingr->port, joingr->port2);
1304 if (tmplist2 == NULL) {
1308 tmplist2_tail->
next = joingr;
1316 *newhead = tmplist2;
1324 #define UNDEFINED_PORT 0
1325 #define RANGE_PORT 1
1326 #define SINGLE_PORT 2
1345 static inline uint32_t SetUniquePortPoints(
1346 const DetectPort *p, uint8_t *unique_list, uint32_t size_list)
1381 static inline void SetFinalUniquePortPoints(
1382 const uint8_t *unique_list,
const uint32_t size_unique_arr,
UniquePortPoint *final_arr)
1384 for (uint32_t i = 0, j = 0; i < (UINT16_MAX + 1); i++) {
1387 final_arr[j].
port = (uint16_t)i;
1388 final_arr[j++].
single =
false;
1390 final_arr[j].
port = (uint16_t)i;
1391 final_arr[j++].
single =
true;
1418 if (final_unique_points == NULL)
1420 SetFinalUniquePortPoints(unique_list, size_list, final_unique_points);
1422 if (size_list == 1) {
1424 de_ctx, final_unique_points[0].port, final_unique_points[0].port, &it->
tree, list);
1428 uint16_t port = p1 ? p1->
port : 0;
1429 uint16_t port2 = p2->
port;
1430 for (uint32_t i = 1; i < size_list; i++) {
1436 }
else if (p1 && p1->
single) {
1438 if ((port2 > port + 1)) {
1440 de_ctx, port + 1, port2 - 1, &it->
tree, list);
1448 if ((port2 >= port + 1)) {
1455 if ((port2 > port + 1)) {
1466 if (port == p2->
port) {
1471 if (i + 1 < size_list) {
1472 p2 = &final_unique_points[i + 1];
1478 SCFree(final_unique_points);
1489 uint32_t size_unique_port_arr = 0;
1493 uint8_t *unique_port_points = (uint8_t *)
SCCalloc(UINT16_MAX + 1,
sizeof(uint8_t));
1494 if (unique_port_points == NULL)
1520 "w/o direction specified, disabling for toclient direction",
1548 size_unique_port_arr =
1549 SetUniquePortPoints(tmp2, unique_port_points, size_unique_port_arr);
1572 SCLogDebug(
"Port was not inserted in the tree");
1579 if (CreatePortList(
de_ctx, unique_port_points, size_unique_port_arr, it, &list) < 0)
1583 SCFree(unique_port_points);
1594 CreateGroupedPortList(
de_ctx, list, &newlist, groupmax, SortCompare);
1605 for (iter = list ; iter != NULL; iter = iter->
next) {
1611 if (lookup_sgh == NULL) {
1612 SCLogDebug(
"port group %p sgh %p is the original", iter, iter->
sh);
1622 SCLogDebug(
"port group %p sgh %p is a copy", iter, iter->
sh);
1625 iter->
sh = lookup_sgh;
1631 for (iter = list ; iter != NULL; iter = iter->
next) {
1632 SCLogInfo(
"PORT %u-%u %p (sgh=%s, prioritized=%s/%d)",
1639 SCLogPerf(
"%s %s: %u port groups, %u unique SGH's, %u copies",
1640 ipproto == 6 ?
"TCP" :
"UDP",
1647 if (unique_port_points != NULL)
1648 SCFree(unique_port_points);
1662 SCLogDebug(
"%u: set to app_tx due to hook type app", s->
id);
1667 if (SignatureIsPDOnly(
de_ctx, s) == 1) {
1674 }
else if (iponly == 2) {
1677 }
else if (SignatureIsDEOnly(
de_ctx, s) == 1) {
1683 bool has_buffer_frame_engine =
false;
1684 bool has_buffer_packet_engine =
false;
1685 bool has_buffer_app_engine =
false;
1691 has_buffer_packet_engine =
true;
1693 has_buffer_frame_engine =
true;
1695 has_buffer_app_engine =
true;
1699 if (has_buffer_packet_engine) {
1701 }
else if (has_buffer_frame_engine || has_buffer_app_engine) {
1703 }
else if (has_pmatch) {
1713 }
else if (has_match) {
1735 uint32_t cnt_iponly = 0;
1736 uint32_t cnt_payload = 0;
1737 uint32_t cnt_applayer = 0;
1738 uint32_t cnt_deonly = 0;
1741 SCLogDebug(
"building signature grouping structure, stage 1: "
1742 "preprocessing rules...");
1754 SCLogDebug(
"Signature %" PRIu32
", internal id %" PRIu32
", ptrs %p %p ", s->
id, s->
iid, s,
1758 SCLogDebug(
"Signature %"PRIu32
" is considered \"PD only\"", s->
id);
1760 SCLogDebug(
"Signature %"PRIu32
" is considered \"IP only\"", s->
id);
1762 }
else if (SignatureIsInspectingPayload(
de_ctx, s) == 1) {
1763 SCLogDebug(
"Signature %"PRIu32
" is considered \"Payload inspecting\"", s->
id);
1766 SCLogDebug(
"Signature %"PRIu32
" is considered \"Decoder Event only\"", s->
id);
1769 SCLogDebug(
"Signature %"PRIu32
" is considered \"Applayer inspecting\"", s->
id);
1789 if (copresent && colen == 1) {
1799 if (RuleMpmIsNegated(s)) {
1803 SignatureCreateMask(s);
1823 SCLogInfo(
"tenant id %d: %" PRIu32
" signatures processed. %" PRIu32
" are IP-only "
1824 "rules, %" PRIu32
" are inspecting packet payload, %" PRIu32
1825 " inspect application layer, %" PRIu32
" are decoder event only",
1829 SCLogInfo(
"%" PRIu32
" signatures processed. %" PRIu32
" are IP-only "
1830 "rules, %" PRIu32
" are inspecting packet payload, %" PRIu32
1831 " inspect application layer, %" PRIu32
" are decoder event only",
1832 de_ctx->
sig_cnt, cnt_iponly, cnt_payload, cnt_applayer, cnt_deonly);
1834 SCLogConfig(
"building signature grouping structure, stage 1: "
1835 "preprocessing rules... complete");
1853 SCLogDebug(
"adding signature %"PRIu32
" to the decoder event sgh", s->
id);
1859 SCLogDebug(
"adding signature %" PRIu32
" to the pre_stream hook sgh", s->
id);
1874 SCLogDebug(
"adding signature %" PRIu32
" to the pre_flow hook sgh", s->
id);
1889 SCLogDebug(
"building signature grouping structure, stage 2: "
1890 "building source address lists...");
1900 RulesGroupByIPProto(
de_ctx);
1908 DetectEngineAddDecoderEventSig(
de_ctx, s);
1911 DetectEngineAddSigToPreStreamHook(
de_ctx, s);
1914 DetectEngineAddSigToPreFlowHook(
de_ctx, s);
1966 DetectEngineBuildDecoderEventSgh(
de_ctx);
1969 DetectEngineBuildPreFlowHookSghs(
de_ctx);
1972 DetectEngineBuildPreStreamHookSghs(
de_ctx);
1981 SCLogDebug(
"cleaning up signature grouping structure...");
1997 for (
int p = 0; p < 256; p++) {
2023 SCLogDebug(
"cleaning up signature grouping structure... complete");
2036 for (sig = 0; sig < sgh->sig_cnt; sig++) {
2037 printf(
"%" PRIu32
" ", sgh->match_array[sig]->
id);
2044 if (sgh == NULL || sgh->
init == NULL) {
2092 int dump_grouping = 0;
2093 (void)
SCConfGetBool(
"detect.profiling.grouping.dump-to-disk", &dump_grouping);
2095 if (dump_grouping) {
2097 (void)
SCConfGetBool(
"detect.profiling.grouping.include-rules", &add_rules);
2098 int add_mpm_stats = 0;
2099 (void)
SCConfGetBool(
"detect.profiling.grouping.include-mpm-stats", &add_mpm_stats);
2101 RulesDumpGrouping(
de_ctx, add_rules, add_mpm_stats);
2134 for (; s != NULL; s = s->
next) {
2156 while (sm != NULL) {
2172 while (sm != NULL) {
2223 SigInitStandardMpmFactoryContexts(
de_ctx);
2226 FatalError(
"initializing the detection engine failed");
2230 FatalError(
"initializing the detection engine failed");
2234 FatalError(
"initializing the detection engine failed");
2237 FatalError(
"initializing the detection engine failed");
2245 FatalError(
"initializing the detection engine failed");
2248 if (SigMatchPrepare(
de_ctx) != 0) {
2249 FatalError(
"initializing the detection engine failed");
2258 if (
SCConfGetInt(
"detect.profiling.inspect-logging-threshold", &v) == 1)
2261 #ifdef PROFILE_RULES
2262 SCProfilingRuleInitCounters(
de_ctx);
#define HashListTableGetListData(hb)
#define DETECT_FLOW_FLAG_TOCLIENT
void DetectEngineResetMaxSigId(DetectEngineCtx *de_ctx)
bool DetectEngineBufferTypeSupportsPacketGetById(const DetectEngineCtx *de_ctx, const int id)
#define SIG_MASK_REQUIRE_REAL_PKT
#define MASK_TCP_UNUSUAL_FLAGS
int DetectFlagsSignatureNeedsSynOnlyPackets(const Signature *s)
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
SigTableElmt * sigmatch_table
void SigMatchFree(DetectEngineCtx *de_ctx, SigMatch *sm)
free a SigMatch
void(* Free)(DetectEngineCtx *, void *)
struct SigGroupHead_ * decoder_event_sgh
int DetectPortHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table in the detection engine context to hold the DetectPort hash.
DetectEngineLookupFlow flow_gh[FLOW_STATES]
#define FILE_SIG_NEED_SHA1
int SigPrepareStage4(DetectEngineCtx *de_ctx)
finalize preparing sgh's
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
void DetectEngineBufferRunSetupCallback(const DetectEngineCtx *de_ctx, const int id, Signature *s)
Container for matching data for a signature group.
const char * DetectListToHumanString(int list)
#define SIG_FLAG_INIT_FLOW
void SigFree(DetectEngineCtx *, Signature *)
void DumpPatterns(DetectEngineCtx *de_ctx)
void DetectPortFree(const DetectEngineCtx *de_ctx, DetectPort *dp)
Free a DetectPort and its members.
DetectPacketHookFunc PreFlowHook
uint16_t max_uniq_toclient_groups
void MpmStoreReportStats(const DetectEngineCtx *de_ctx)
bool src_contains_negation
void IPOnlyDeinit(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx)
Deinitialize the IP Only detection engine context.
struct HtpBodyChunk_ * next
void SCPortIntervalFindOverlappingRanges(DetectEngineCtx *de_ctx, const uint16_t port, const uint16_t port2, const struct PI *head, DetectPort **list)
Callee function to find all overlapping port ranges as asked by the detection engine during Stage 2 o...
#define PORT_SIGGROUPHEAD_COPY
@ DETECT_SM_LIST_DYNAMIC_START
DetectPacketHookFunc PreStreamHook
uint32_t PatternStrength(uint8_t *pat, uint16_t patlen)
Predict a strength value for patterns.
int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
int DetectSetFastPatternAndItsId(DetectEngineCtx *de_ctx)
Figure out the FP and their respective content ids for all the sigs in the engine.
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
void SCProfilingSghInitCounters(DetectEngineCtx *de_ctx)
Register the keyword profiling counters.
main detection engine ctx
struct SigGroupHead_ * pre_stream_sgh[2]
int DetectFlagsSignatureNeedsSynPackets(const Signature *s)
HashListTableBucket * HashListTableGetListHead(HashListTable *ht)
void SigGroupHeadSetProtoAndDirection(SigGroupHead *sgh, uint8_t ipproto, int dir)
#define SIGMATCH_DEONLY_COMPAT
const char * DetectEngineBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
void DetectMpmInitializeBuiltinMpms(DetectEngineCtx *de_ctx)
#define SIG_FLAG_REQUIRE_STREAM
bool rule_engine_analysis_set
int SCConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
struct DetectPort_ * next
DetectPort * tcp_priorityports
HashListTable * dport_hash_table
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
struct SigGroupHead_ * sh
DetectPort * udp_priorityports
#define DETECT_FLOWBITS_CMD_ISSET
#define PKT_NOPAYLOAD_INSPECTION
void SigCleanSignatures(DetectEngineCtx *de_ctx)
void DetectPortPrintList(DetectPort *head)
Helper function used to print the list of ports present in this DetectPort list.
int SigPrepareStage1(DetectEngineCtx *de_ctx)
Preprocess signature, classify ip-only, etc, build sig array.
#define DETECT_PGSCORE_RULE_SYN_ONLY
bool EngineModeIsFirewall(void)
#define SIG_FLAG_TOCLIENT
void SigGroupHeadSetupFiles(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Set the need hash flag in the sgh.
int SignatureIsFilesizeInspecting(const Signature *s)
Check if a signature contains the filesize keyword.
AppLayerDecoderEvents * app_layer_events
PacketEngineEvents events
void EngineAnalysisAddAllRulePatterns(DetectEngineCtx *de_ctx, const Signature *s)
Add all patterns to our stats hash. Used to fill the hash later used by DumpPatterns().
void DetectPortPrint(DetectPort *dp)
Helper function that print the DetectPort info.
int FirewallAnalyzer(const DetectEngineCtx *de_ctx)
void PacketCreateMask(Packet *p, SignatureMask *mask, AppProto alproto, bool app_decoder_events)
#define SIG_FLAG_APPLAYER
int SigGroupHeadHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table in the detection engine context to hold the SigGroupHeads.
#define FILE_SIG_NEED_MD5
@ SIGNATURE_HOOK_TYPE_APP
int SignatureIsFileSha256Inspecting(const Signature *s)
Check if a signature contains the filesha256 keyword.
int DetectEngineMultiTenantEnabled(void)
#define HashListTableGetListNext(hb)
@ DETECT_APP_LAYER_PROTOCOL
@ DETECT_SM_LIST_POSTMATCH
DetectPort * DetectPortCopySingle(DetectEngineCtx *de_ctx, DetectPort *src)
Function that returns a copy of the DetectPort src sigs.
#define SIG_FLAG_TOSERVER
int DetectPortParse(const DetectEngineCtx *de_ctx, DetectPort **head, const char *str)
Function for parsing port strings.
int SigAddressCleanupStage1(DetectEngineCtx *de_ctx)
int SCPortIntervalInsert(DetectEngineCtx *de_ctx, SCPortIntervalTree *it, const DetectPort *p)
Function to insert a node in the interval tree.
struct SigGroupHead_ * pre_flow_sgh
int SigGroupHeadBuildMatchArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t max_idx)
Create an array with all the internal ids of the sigs that this sig group head will check for.
#define DETECT_CONTENT_ENDS_WITH
void IPOnlyInit(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx)
Setup the IP Only detection engine context.
#define SIG_MASK_REQUIRE_ENGINE_EVENT
Signature * SigFindSignatureBySidGid(DetectEngineCtx *de_ctx, uint32_t sid, uint32_t gid)
Find a specific signature by sid and gid.
#define DetectEngineGetMaxSigId(de_ctx)
#define DETECT_FLOW_FLAG_TOSERVER
#define FILE_SIG_NEED_MAGIC
#define SIG_MASK_REQUIRE_FLOW
int SCConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
IPOnlyCIDRItem * cidr_dst
#define DETECT_CONTENT_DEPTH
struct SigGroupHead_ * sgh[256]
#define SIG_MASK_REQUIRE_FLAGS_INITDEINIT
void SCProfilingPrefilterInitCounters(DetectEngineCtx *de_ctx)
Register the prefilter profiling counters.
SigMatchData * SigMatchList2DataArray(SigMatch *head)
convert SigMatch list to SigMatchData array
#define PKT_DETECT_HAS_STREAMDATA
#define DETECT_CONTENT_NEGATED
#define SCLogWarning(...)
Macro used to log WARNING messages.
void DetectContentPropagateLimits(Signature *s)
struct SignatureHook_::@95::@97 pkt
Port structure for detection engine.
SigGroupHeadInitData * init
#define DETECT_PGSCORE_RULE_NO_MPM
IPOnlyCIDRItem * cidr_src
@ SIGNATURE_HOOK_TYPE_NOT_SET
union SignatureHook_::@95 t
void IPOnlyPrepare(DetectEngineCtx *de_ctx)
Build the radix trees from the lists of parsed addresses in CIDR format the result should be 4 radix ...
int SigGroupCleanup(DetectEngineCtx *de_ctx)
#define DETECT_PGSCORE_RULE_MPM_FAST_PATTERN
#define SIG_FLAG_REQUIRE_FLOWVAR
#define FILE_SIG_NEED_SHA256
const char * SCConfigGetLogDirectory(void)
void IPOnlyPrint(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx)
Print stats of the IP Only engine.
uint16_t max_uniq_toserver_groups
void IPOnlyAddSignature(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx, Signature *s)
Add a signature to the lists of Addresses in CIDR format (sorted) this step is necessary to build the...
SignatureInitData * init_data
uint8_t DetectPreFlow(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p)
uint32_t * rule_state_dependant_sids_array
int SigGroupHeadAppendSig(const DetectEngineCtx *de_ctx, SigGroupHead **sgh, const Signature *s)
Add a Signature to a SigGroupHead.
struct SigGroupHead_ ** sgh_array
bool dst_contains_negation
void SigGroupHeadFree(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Free a SigGroupHead and its members.
@ SIGNATURE_HOOK_PKT_PRE_STREAM
#define SIG_MASK_REQUIRE_PAYLOAD
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
int SignatureIsFileSha1Inspecting(const Signature *s)
Check if a signature contains the filesha1 keyword.
SCPortIntervalTree * SCPortIntervalTreeInit(void)
Function to initialize the interval tree.
void IPOnlyCIDRListFree(IPOnlyCIDRItem *tmphead)
This function frees an IPOnlyCIDRItem list.
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
#define SIG_FLAG_INIT_STATE_MATCH
bool DetectEngineBufferTypeSupportsFramesGetById(const DetectEngineCtx *de_ctx, const int id)
void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s)
void SigGroupHeadSetSigCnt(SigGroupHead *sgh, uint32_t max_idx)
Updates the SigGroupHead->sig_cnt with the total count of all the Signatures present in this SigGroup...
int DetectMpmPrepareFrameMpms(DetectEngineCtx *de_ctx)
Initialize mpm contexts for applayer buffers that are in "single" or "shared" mode.
int DetectEnginePktInspectionSetup(Signature *s)
#define SIG_MASK_REQUIRE_NO_PAYLOAD
void SigGroupHeadStore(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
int SigPrepareStage3(DetectEngineCtx *de_ctx)
enum SignatureHookType type
struct DetectPort_ * prev
#define MASK_TCP_INITDEINIT_FLAGS
const char * DetectListToString(int list)
@ SIGNATURE_HOOK_PKT_PRE_FLOW
uint32_t profile_match_logging_threshold
@ SIGNATURE_HOOK_TYPE_PKT
int DetectMpmPreparePktMpms(DetectEngineCtx *de_ctx)
Initialize mpm contexts for applayer buffers that are in "single" or "shared" mode.
void SigGroupHeadHashFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function.
#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL
int SigGroupHeadHashAdd(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Adds a SigGroupHead to the detection engine context SigGroupHead hash table.
int SigPrepareStage2(DetectEngineCtx *de_ctx)
Fill the global src group head, with the sigs included.
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
SignatureInitDataBuffer * buffers
struct HtpBodyChunk_ * next
SigGroupHead * SigGroupHeadHashLookup(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Used to lookup a SigGroupHead hash from the detection engine context SigGroupHead hash table.
#define DETECT_PGSCORE_RULE_PORT_PRIORITIZED
int SignatureIsFilestoring(const Signature *s)
Check if a signature contains the filestore keyword.
int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
Test whether an initialized signature is IP only.
int DetectMpmPrepareBuiltinMpms(DetectEngineCtx *de_ctx)
Initialize mpm contexts for builtin buffers that are in "single" or "shared" mode.
a single match condition for a signature
void SigGroupHeadInitDataFree(SigGroupHeadInitData *sghid)
int SignatureIsFileMd5Inspecting(const Signature *s)
Check if a signature contains the filemd5 keyword.
#define DETECT_PGSCORE_RULE_MPM_NEGATED
void SignatureSetType(DetectEngineCtx *de_ctx, Signature *s)
int PrefilterSetupRuleGroup(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
void SCProfilingKeywordInitCounters(DetectEngineCtx *de_ctx)
Register the keyword profiling counters.
int DetectPortHashAdd(DetectEngineCtx *de_ctx, DetectPort *dp)
Adds a DetectPort to the detection engine context DetectPort hash table.
uint8_t DetectPreStream(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p)
void SigParseApplyDsizeToContent(Signature *s)
Apply dsize as depth to content matches in the rule.
uint32_t * rule_state_flowbits_ids_array
struct UniquePortPoint_ UniquePortPoint
DetectEngineTransforms transforms
DetectEngineIPOnlyCtx io_ctx
DetectUintData_u16 DetectU16Data
void DetectPortHashFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by DetectPortInit() function.
DetectPort * DetectPortHashLookup(DetectEngineCtx *de_ctx, DetectPort *dp)
Used to lookup a DetectPort hash from the detection engine context DetectPort hash table.
int SignatureIsFilemagicInspecting(const Signature *s)
Check if a signature contains the filemagic keyword.
int DetectMpmPrepareAppMpms(DetectEngineCtx *de_ctx)
Initialize mpm contexts for applayer buffers that are in "single" or "shared" mode.
#define SIGMATCH_IPONLY_COMPAT
void DetectPortCleanupList(const DetectEngineCtx *de_ctx, DetectPort *head)
Free a DetectPort list and each of its members.
int SCLogDebugEnabled(void)
Returns whether debug messages are enabled to be logged or not.
#define DEBUG_VALIDATE_BUG_ON(exp)
int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature *s)
void SCPortIntervalTreeFree(DetectEngineCtx *de_ctx, SCPortIntervalTree *it)
Function to free an entire interval tree.
int VarNameStoreActivate(void)
#define SIG_FLAG_FILESTORE
#define FILE_SIG_NEED_SIZE
#define DETECT_FLOWBITS_CMD_SET
int SigGroupHeadCopySigs(DetectEngineCtx *de_ctx, SigGroupHead *src, SigGroupHead **dst)
Copies the bitarray holding the sids from the source SigGroupHead to the destination SigGroupHead.
#define SIG_FLAG_REQUIRE_PACKET