/**
 * Port-group scoring weights.
 *
 * Each value is added to a SigGroupHead's init->score (later emitted as
 * "score" in the rule_group.json dump and logged next to sig_cnt) when the
 * port-group builder finds a rule of the matching kind in the group: a rule
 * on a prioritized port list, a rule whose MPM fast_pattern is only 1 byte,
 * a rule whose MPM pattern is negated, a payload-inspecting rule with no MPM
 * at all, and a rule that needs SYN-only packets. All of these are rule
 * classes the prefilter cannot cheaply exclude, so their groups are
 * "Prioritizing SGH's" in the debug output further down.
 *
 * The weights are strictly decreasing from most to least expensive; the
 * score is consumed by SortCompare when port groups are sorted and merged.
 * NOTE(review): the sort direction (whether higher scores are kept as their
 * own group or merged first) is decided in SortCompare, not here — confirm
 * there before changing these values.
 */
#define DETECT_PGSCORE_RULE_PORT_PRIORITIZED 111
#define DETECT_PGSCORE_RULE_MPM_FAST_PATTERN 99
#define DETECT_PGSCORE_RULE_MPM_NEGATED 77
#define DETECT_PGSCORE_RULE_NO_MPM 55
#define DETECT_PGSCORE_RULE_SYN_ONLY 33
86 if (s->id == sid && s->gid == gid)
179 static bool SignatureInspectsBuffers(
const Signature *s)
214 if (SignatureInspectsBuffers(s)) {
222 for (; sm != NULL; sm = sm->
next) {
233 for ( ; sm != NULL; sm = sm->
next) {
249 SCLogDebug(
"IP-ONLY (%" PRIu32
"): source %s, dest %s", s->
id,
276 if (SignatureInspectsBuffers(s)) {
291 for ( ; sm != NULL; sm = sm->
next) {
299 SCLogDebug(
"%u: not PD-only: flowbit settings other than 'set'", s->
id);
304 SCLogDebug(
"%u: not PD-only: flow settings other than toserver/toclient", s->
id);
361 if (SignatureInspectsBuffers(s)) {
367 for ( ;sm != NULL; sm = sm->
next) {
374 for ( ;sm != NULL; sm = sm->
next) {
387 SCLogDebug(
"DE-ONLY (%" PRIu32
"): source %s, dest %s", s->
id,
/**
 * TCP flag masks used when building signature/packet masks.
 *
 * MASK_TCP_INITDEINIT_FLAGS: flags seen on connection setup and teardown
 * (SYN, RST, FIN). MASK_TCP_UNUSUAL_FLAGS: flags that rarely appear in
 * normal traffic (URG, ECN, CWR).
 *
 * NOTE(review): SignatureCreateMask below logs that a sig "requires
 * SIG_MASK_REQUIRE_FLAGS_INITDEINIT" / "..._UNUSUAL"; these masks are
 * presumably what the rule's flags keyword is tested against to set those
 * bits, and PacketCreateMask presumably applies the same masks to the TCP
 * header fetched via PacketGetTCP(). Keep the two sides in sync: a flag
 * added to one mask but not the other would make the prefilter skip rules
 * that should match, i.e. a detection bypass rather than a false positive.
 */
#define MASK_TCP_INITDEINIT_FLAGS (TH_SYN|TH_RST|TH_FIN)
#define MASK_TCP_UNUSUAL_FLAGS (TH_URG|TH_ECN|TH_CWR)
402 bool app_decoder_events)
418 if (p->
events.
cnt > 0 || app_decoder_events != 0 ||
425 const TCPHdr *tcph = PacketGetTCP(p);
440 static int SignatureCreateMask(
Signature *s)
464 SCLogDebug(
"SIG_FLAG_REQUIRE_FLOWVAR set as sig has "
465 "flowbit isset option.");
470 SCLogDebug(
"sig requires flow to be able to manipulate "
477 SCLogDebug(
"sig requires flow to be able to manipulate "
486 SCLogDebug(
"sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT");
490 SCLogDebug(
"sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL");
561 static bool RuleInspectsPayloadHasNoMpm(
const Signature *s)
568 static int RuleGetMpmPatternSize(
const Signature *s)
581 static bool RuleMpmIsNegated(
const Signature *s)
597 const SigGroupHead *sgh,
const int add_rules,
const int add_mpm_stats)
599 uint32_t prefilter_cnt = 0;
600 uint32_t mpm_cnt = 0;
601 uint32_t nonmpm_cnt = 0;
602 uint32_t mpm_depth_cnt = 0;
603 uint32_t mpm_endswith_cnt = 0;
604 uint32_t negmpm_cnt = 0;
605 uint32_t any5_cnt = 0;
606 uint32_t payload_no_mpm_cnt = 0;
607 uint32_t syn_cnt = 0;
609 uint32_t mpms_min = 0;
610 uint32_t mpms_max = 0;
619 } mpm_stats[max_buffer_type_id];
620 memset(mpm_stats, 0x00,
sizeof(mpm_stats));
624 uint32_t mpm_sizes[max_buffer_type_id][256];
625 memset(mpm_sizes, 0,
sizeof(mpm_sizes));
626 uint32_t alproto_mpm_bufs[
g_alproto_max][max_buffer_type_id];
627 memset(alproto_mpm_bufs, 0,
sizeof(alproto_mpm_bufs));
630 if (sgh->
init == NULL)
633 SCJsonBuilder *js = SCJbNewObject();
637 SCJbSetUint(js,
"id", sgh->
id);
639 SCJbOpenArray(js,
"rules");
640 for (uint32_t x = 0; x < sgh->
init->
sig_cnt; x++) {
670 SCLogDebug(
"SGH %p Non-MPM inspecting only packets. Rule %u", sgh, s->
id);
677 SCLogDebug(
"SGH %p Non-MPM toserver and to 'any'. Rule %u", sgh, s->
id);
680 SCLogDebug(
"SGH %p Non-MPM toclient and to 'any'. Rule %u", sgh, s->
id);
693 mpm_sizes[mpm_list][size]++;
694 alproto_mpm_bufs[s->
alproto][mpm_list]++;
701 if (dp->
port == 0 && dp->
port2 == 65535) {
702 SCLogDebug(
"SGH %p toserver 1byte fast_pattern to ANY. Rule %u", sgh, s->
id);
704 SCLogDebug(
"SGH %p toserver 1byte fast_pattern to port(s) %u-%u. Rule %u", sgh, dp->
port, dp->
port2, s->
id);
708 if (sp->
port == 0 && sp->
port2 == 65535) {
709 SCLogDebug(
"SGH %p toclient 1byte fast_pattern to ANY. Rule %u", sgh, s->
id);
711 SCLogDebug(
"SGH %p toclient 1byte fast_pattern to port(s) %u-%u. Rule %u", sgh, sp->
port, sp->
port2, s->
id);
725 BUG_ON(mpm_list >= max_buffer_type_id);
726 mpm_stats[mpm_list].total += w;
727 mpm_stats[mpm_list].cnt++;
728 if (mpm_stats[mpm_list].min == 0 || w < mpm_stats[mpm_list].min)
729 mpm_stats[mpm_list].min = w;
730 if (w > mpm_stats[mpm_list].max)
731 mpm_stats[mpm_list].max = w;
738 if (w < 10 && any == 5) {
754 if (RuleInspectsPayloadHasNoMpm(s)) {
755 SCLogDebug(
"SGH %p No MPM. Payload inspecting. Rule %u", sgh, s->
id);
756 payload_no_mpm_cnt++;
762 SCJsonBuilder *e = SCJbNewObject();
764 SCJbSetUint(e,
"sig_id", s->
id);
766 SCJbAppendObject(js, e);
773 SCJbOpenObject(js,
"stats");
776 SCJbOpenObject(js,
"types");
777 SCJbSetUint(js,
"mpm", mpm_cnt);
778 SCJbSetUint(js,
"non_mpm", nonmpm_cnt);
779 SCJbSetUint(js,
"mpm_depth", mpm_depth_cnt);
780 SCJbSetUint(js,
"mpm_endswith", mpm_endswith_cnt);
781 SCJbSetUint(js,
"negated_mpm", negmpm_cnt);
782 SCJbSetUint(js,
"payload_but_no_mpm", payload_no_mpm_cnt);
783 SCJbSetUint(js,
"prefilter", prefilter_cnt);
784 SCJbSetUint(js,
"syn", syn_cnt);
785 SCJbSetUint(js,
"any5", any5_cnt);
789 if (alstats[i] > 0) {
791 SCJbOpenObject(js, proto_name);
792 SCJbSetUint(js,
"total", alstats[i]);
794 for (
int y = 0; y < max_buffer_type_id; y++) {
795 if (alproto_mpm_bufs[i][y] == 0)
804 SCJbSetUint(js,
name, alproto_mpm_bufs[i][y]);
811 SCJbOpenObject(js,
"mpm");
813 for (
int i = 0; i < max_buffer_type_id; i++) {
814 if (mpm_stats[i].
cnt > 0) {
821 SCJbOpenArray(js,
name);
823 for (
int y = 0; y < 256; y++) {
824 if (mpm_sizes[i][y] == 0)
827 SCJsonBuilder *e = SCJbNewObject();
829 SCJbSetUint(e,
"size", y);
830 SCJbSetUint(e,
"count", mpm_sizes[i][y]);
832 SCJbAppendObject(js, e);
837 SCJsonBuilder *e = SCJbNewObject();
839 SCJbSetUint(e,
"total", mpm_stats[i].
cnt);
840 SCJbSetUint(e,
"avg_strength", mpm_stats[i].total / mpm_stats[i].
cnt);
841 SCJbSetUint(e,
"min_strength", mpm_stats[i].min);
842 SCJbSetUint(e,
"max_strength", mpm_stats[i].max);
844 SCJbAppendObject(js, e);
855 SCJbSetUint(js,
"score", sgh->
init->
score);
862 const int add_rules,
const int add_mpm_stats)
864 SCJsonBuilder *js = SCJbNewObject();
868 for (
int p = 0; p < 256; p++) {
869 if (p == IPPROTO_TCP || p == IPPROTO_UDP) {
870 const char *
name = (p == IPPROTO_TCP) ?
"tcp" :
"udp";
872 SCJbOpenObject(js,
name);
873 SCJbOpenArray(js,
"toserver");
876 while (list != NULL) {
877 SCJsonBuilder *port = SCJbNewObject();
878 SCJbSetUint(port,
"port", list->
port);
879 SCJbSetUint(port,
"port2", list->
port2);
881 SCJsonBuilder *stats =
882 RulesGroupPrintSghStats(
de_ctx, list->
sh, add_rules, add_mpm_stats);
883 SCJbSetObject(port,
"rulegroup", stats);
886 SCJbAppendObject(js, port);
893 SCJbOpenArray(js,
"toclient");
896 while (list != NULL) {
897 SCJsonBuilder *port = SCJbNewObject();
898 SCJbSetUint(port,
"port", list->
port);
899 SCJbSetUint(port,
"port2", list->
port2);
901 SCJsonBuilder *stats =
902 RulesGroupPrintSghStats(
de_ctx, list->
sh, add_rules, add_mpm_stats);
903 SCJbSetObject(port,
"rulegroup", stats);
906 SCJbAppendObject(js, port);
913 }
else if (p == IPPROTO_ICMP || p == IPPROTO_ICMPV6) {
914 const char *
name = (p == IPPROTO_ICMP) ?
"icmpv4" :
"icmpv6";
915 SCJbOpenObject(js,
name);
917 SCJbOpenObject(js,
"toserver");
918 SCJsonBuilder *stats = RulesGroupPrintSghStats(
920 SCJbSetObject(js,
"rulegroup", stats);
925 SCJbOpenObject(js,
"toclient");
926 SCJsonBuilder *stats = RulesGroupPrintSghStats(
928 SCJbSetObject(js,
"rulegroup", stats);
937 const char *filename =
"rule_group.json";
939 char log_path[PATH_MAX] =
"";
940 snprintf(log_path,
sizeof(log_path),
"%s/%s", log_dir, filename);
942 FILE *fp = fopen(log_path,
"w");
944 fwrite(SCJbPtr(js), SCJbLen(js), 1, fp);
957 for ( ; s != NULL; s = s->
next) {
962 for (
int p = 0; p < 256; p++) {
963 if (p == IPPROTO_TCP || p == IPPROTO_UDP) {
988 for (p = 0; p < 256; p++) {
989 if (p == IPPROTO_TCP || p == IPPROTO_UDP)
991 if (sgh_ts[p] == NULL)
997 if (lookup_sgh == NULL) {
998 SCLogDebug(
"proto group %d sgh %p is the original", p, sgh_ts[p]);
1007 SCLogDebug(
"proto group %d sgh %p is a copy", p, sgh_ts[p]);
1010 sgh_ts[p] = lookup_sgh;
1014 SCLogPerf(
"OTHER %s: %u proto groups, %u unique SGH's, %u copies",
1015 "toserver",
cnt, own, ref);
1020 for (p = 0; p < 256; p++) {
1021 if (p == IPPROTO_TCP || p == IPPROTO_UDP)
1023 if (sgh_tc[p] == NULL)
1029 if (lookup_sgh == NULL) {
1030 SCLogDebug(
"proto group %d sgh %p is the original", p, sgh_tc[p]);
1040 SCLogDebug(
"proto group %d sgh %p is a copy", p, sgh_tc[p]);
1043 sgh_tc[p] = lookup_sgh;
1047 SCLogPerf(
"OTHER %s: %u proto groups, %u unique SGH's, %u copies",
1048 "toclient",
cnt, own, ref);
1050 for (p = 0; p < 256; p++) {
1051 if (p == IPPROTO_TCP || p == IPPROTO_UDP)
1064 if (ipproto == IPPROTO_UDP)
1092 if (!(p->
port == 0 && p->
port2 == 65535)) {
1094 if (RuleInspectsPayloadHasNoMpm(s)) {
1095 SCLogDebug(
"Rule %u MPM has 1 byte fast_pattern. Prioritizing SGH's.", s->
id);
1098 }
else if (RuleMpmIsNegated(s)) {
1099 SCLogDebug(
"Rule %u MPM is negated. Prioritizing SGH's.", s->
id);
1105 RuleGetMpmPatternSize(s) == 1) {
1106 SCLogDebug(
"Rule %u No MPM. Payload inspecting. Prioritizing SGH's.", s->
id);
1110 SCLogDebug(
"Rule %u Needs SYN, so inspected often. Prioritizing SGH's.", s->
id);
1119 static int SortCompare(
const void *a,
const void *b)
1146 static inline void SortGroupList(
1147 uint32_t *groups,
DetectPort **list,
int (*CompareFunc)(
const void *,
const void *))
1165 x->sh->id = idx + 1;
1168 x->
next = x->prev = x->last = NULL;
1175 qsort(array, idx,
sizeof(
DetectPort *), SortCompare);
1179 for (
int i = 0; i < idx; i++) {
1184 if (new_list == NULL) {
1201 SCLogDebug(
"item:= [%u:%u]; score: %d; sig_cnt: %d", tmp->port, tmp->port2,
1202 tmp->sh->init->score, tmp->sh->init->sig_cnt);
1220 DetectPort **newhead, uint32_t unique_groups,
1221 int (*CompareFunc)(
const void *,
const void *))
1224 uint32_t groups = 0;
1229 tmplist = port_list;
1230 SortGroupList(&groups, &tmplist, SortCompare);
1231 uint32_t left = unique_groups;
1238 DetectPort *tmplist2 = NULL, *tmplist2_tail = NULL;
1240 for (gr = tmplist; gr != NULL;) {
1249 if (joingr == NULL) {
1251 if (joingr == NULL) {
1254 SCLogDebug(
"joingr => %u-%u", joingr->port, joingr->port2);
1255 joingr->next = NULL;
1266 if (tmplist2 == NULL) {
1270 tmplist2_tail->
next = gr;
1282 if (joingr != NULL) {
1283 SCLogDebug(
"appending joingr %p %u:%u", joingr, joingr->port, joingr->port2);
1285 if (tmplist2 == NULL) {
1289 tmplist2_tail->
next = joingr;
1297 *newhead = tmplist2;
/**
 * Per-port marker values for the unique port point list.
 *
 * The port-group builder allocates a (UINT16_MAX + 1)-entry uint8_t array
 * (unique_port_points), fills it via SetUniquePortPoints(), and
 * SetFinalUniquePortPoints() then walks all 65536 slots turning the
 * non-UNDEFINED entries into UniquePortPoint records with single=false or
 * single=true. NOTE(review): which of RANGE_PORT/SINGLE_PORT maps to which
 * 'single' value is decided in SetFinalUniquePortPoints, whose conditions
 * are not shown here — confirm before reusing these constants.
 */
#define UNDEFINED_PORT 0
#define RANGE_PORT 1
#define SINGLE_PORT 2
1326 static inline uint32_t SetUniquePortPoints(
1327 const DetectPort *p, uint8_t *unique_list, uint32_t size_list)
1362 static inline void SetFinalUniquePortPoints(
1363 const uint8_t *unique_list,
const uint32_t size_unique_arr,
UniquePortPoint *final_arr)
1365 for (uint32_t i = 0, j = 0; i < (UINT16_MAX + 1); i++) {
1368 final_arr[j].
port = (uint16_t)i;
1369 final_arr[j++].
single =
false;
1371 final_arr[j].
port = (uint16_t)i;
1372 final_arr[j++].
single =
true;
1399 if (final_unique_points == NULL)
1401 SetFinalUniquePortPoints(unique_list, size_list, final_unique_points);
1403 if (size_list == 1) {
1405 de_ctx, final_unique_points[0].port, final_unique_points[0].port, &it->
tree, list);
1409 uint16_t port = p1 ? p1->
port : 0;
1410 uint16_t port2 = p2->
port;
1411 for (uint32_t i = 1; i < size_list; i++) {
1417 }
else if (p1 && p1->
single) {
1419 if ((port2 > port + 1)) {
1421 de_ctx, port + 1, port2 - 1, &it->
tree, list);
1429 if ((port2 >= port + 1)) {
1436 if ((port2 > port + 1)) {
1447 if (port == p2->
port) {
1452 if (i + 1 < size_list) {
1453 p2 = &final_unique_points[i + 1];
1459 SCFree(final_unique_points);
1470 uint32_t size_unique_port_arr = 0;
1474 uint8_t *unique_port_points = (uint8_t *)
SCCalloc(UINT16_MAX + 1,
sizeof(uint8_t));
1475 if (unique_port_points == NULL)
1501 "w/o direction specified, disabling for toclient direction",
1529 size_unique_port_arr =
1530 SetUniquePortPoints(tmp2, unique_port_points, size_unique_port_arr);
1553 SCLogDebug(
"Port was not inserted in the tree");
1560 if (CreatePortList(
de_ctx, unique_port_points, size_unique_port_arr, it, &list) < 0)
1564 SCFree(unique_port_points);
1575 CreateGroupedPortList(
de_ctx, list, &newlist, groupmax, SortCompare);
1586 for (iter = list ; iter != NULL; iter = iter->
next) {
1592 if (lookup_sgh == NULL) {
1593 SCLogDebug(
"port group %p sgh %p is the original", iter, iter->
sh);
1603 SCLogDebug(
"port group %p sgh %p is a copy", iter, iter->
sh);
1606 iter->
sh = lookup_sgh;
1612 for (iter = list ; iter != NULL; iter = iter->
next) {
1613 SCLogInfo(
"PORT %u-%u %p (sgh=%s, prioritized=%s/%d)",
1620 SCLogPerf(
"%s %s: %u port groups, %u unique SGH's, %u copies",
1621 ipproto == 6 ?
"TCP" :
"UDP",
1628 if (unique_port_points != NULL)
1629 SCFree(unique_port_points);
1643 SCLogDebug(
"%u: set to app_tx due to hook type app", s->
id);
1648 if (SignatureIsPDOnly(
de_ctx, s) == 1) {
1655 }
else if (iponly == 2) {
1658 }
else if (SignatureIsDEOnly(
de_ctx, s) == 1) {
1664 bool has_buffer_frame_engine =
false;
1665 bool has_buffer_packet_engine =
false;
1666 bool has_buffer_app_engine =
false;
1672 has_buffer_packet_engine =
true;
1674 has_buffer_frame_engine =
true;
1676 has_buffer_app_engine =
true;
1680 if (has_buffer_packet_engine) {
1682 }
else if (has_buffer_frame_engine || has_buffer_app_engine) {
1684 }
else if (has_pmatch) {
1694 }
else if (has_match) {
1716 uint32_t cnt_iponly = 0;
1717 uint32_t cnt_payload = 0;
1718 uint32_t cnt_applayer = 0;
1719 uint32_t cnt_deonly = 0;
1722 SCLogDebug(
"building signature grouping structure, stage 1: "
1723 "preprocessing rules...");
1735 SCLogDebug(
"Signature %" PRIu32
", internal id %" PRIu32
", ptrs %p %p ", s->
id, s->
iid, s,
1739 SCLogDebug(
"Signature %"PRIu32
" is considered \"PD only\"", s->
id);
1741 SCLogDebug(
"Signature %"PRIu32
" is considered \"IP only\"", s->
id);
1743 }
else if (SignatureIsInspectingPayload(
de_ctx, s) == 1) {
1744 SCLogDebug(
"Signature %"PRIu32
" is considered \"Payload inspecting\"", s->
id);
1747 SCLogDebug(
"Signature %"PRIu32
" is considered \"Decoder Event only\"", s->
id);
1750 SCLogDebug(
"Signature %"PRIu32
" is considered \"Applayer inspecting\"", s->
id);
1770 if (copresent && colen == 1) {
1780 if (RuleMpmIsNegated(s)) {
1784 SignatureCreateMask(s);
1804 SCLogInfo(
"tenant id %d: %" PRIu32
" signatures processed. %" PRIu32
" are IP-only "
1805 "rules, %" PRIu32
" are inspecting packet payload, %" PRIu32
1806 " inspect application layer, %" PRIu32
" are decoder event only",
1810 SCLogInfo(
"%" PRIu32
" signatures processed. %" PRIu32
" are IP-only "
1811 "rules, %" PRIu32
" are inspecting packet payload, %" PRIu32
1812 " inspect application layer, %" PRIu32
" are decoder event only",
1813 de_ctx->
sig_cnt, cnt_iponly, cnt_payload, cnt_applayer, cnt_deonly);
1815 SCLogConfig(
"building signature grouping structure, stage 1: "
1816 "preprocessing rules... complete");
1834 SCLogDebug(
"adding signature %"PRIu32
" to the decoder event sgh", s->
id);
1840 SCLogDebug(
"adding signature %" PRIu32
" to the pre_stream hook sgh", s->
id);
1855 SCLogDebug(
"adding signature %" PRIu32
" to the pre_flow hook sgh", s->
id);
1870 SCLogDebug(
"building signature grouping structure, stage 2: "
1871 "building source address lists...");
1881 RulesGroupByIPProto(
de_ctx);
1889 DetectEngineAddDecoderEventSig(
de_ctx, s);
1892 DetectEngineAddSigToPreStreamHook(
de_ctx, s);
1895 DetectEngineAddSigToPreFlowHook(
de_ctx, s);
1947 DetectEngineBuildDecoderEventSgh(
de_ctx);
1950 DetectEngineBuildPreFlowHookSghs(
de_ctx);
1953 DetectEngineBuildPreStreamHookSghs(
de_ctx);
1962 SCLogDebug(
"cleaning up signature grouping structure...");
1978 for (
int p = 0; p < 256; p++) {
2004 SCLogDebug(
"cleaning up signature grouping structure... complete");
2017 for (sig = 0; sig < sgh->sig_cnt; sig++) {
2018 printf(
"%" PRIu32
" ", sgh->match_array[sig]->
id);
2025 if (sgh == NULL || sgh->
init == NULL) {
2073 int dump_grouping = 0;
2074 (void)
SCConfGetBool(
"detect.profiling.grouping.dump-to-disk", &dump_grouping);
2076 if (dump_grouping) {
2078 (void)
SCConfGetBool(
"detect.profiling.grouping.include-rules", &add_rules);
2079 int add_mpm_stats = 0;
2080 (void)
SCConfGetBool(
"detect.profiling.grouping.include-mpm-stats", &add_mpm_stats);
2082 RulesDumpGrouping(
de_ctx, add_rules, add_mpm_stats);
2115 for (; s != NULL; s = s->
next) {
2137 while (sm != NULL) {
2153 while (sm != NULL) {
2204 SigInitStandardMpmFactoryContexts(
de_ctx);
2207 FatalError(
"initializing the detection engine failed");
2211 FatalError(
"initializing the detection engine failed");
2215 FatalError(
"initializing the detection engine failed");
2218 FatalError(
"initializing the detection engine failed");
2226 FatalError(
"initializing the detection engine failed");
2229 if (SigMatchPrepare(
de_ctx) != 0) {
2230 FatalError(
"initializing the detection engine failed");
2239 if (
SCConfGetInt(
"detect.profiling.inspect-logging-threshold", &v) == 1)
2242 #ifdef PROFILE_RULES
2243 SCProfilingRuleInitCounters(
de_ctx);