Go to the documentation of this file.
49 #define DETECT_PGSCORE_RULE_PORT_PRIORITIZED 111
50 #define DETECT_PGSCORE_RULE_MPM_FAST_PATTERN 99
51 #define DETECT_PGSCORE_RULE_MPM_NEGATED 77
52 #define DETECT_PGSCORE_RULE_NO_MPM 55
53 #define DETECT_PGSCORE_RULE_SYN_ONLY 33
85 if (s->id == sid && s->gid == gid)
197 static bool SignatureInspectsBuffers(
const Signature *s)
228 if (SignatureInspectsBuffers(s)) {
236 for (; sm != NULL; sm = sm->
next) {
247 for ( ; sm != NULL; sm = sm->
next) {
263 SCLogDebug(
"IP-ONLY (%" PRIu32
"): source %s, dest %s", s->
id,
286 if (SignatureInspectsBuffers(s)) {
301 for ( ; sm != NULL; sm = sm->
next) {
309 SCLogDebug(
"%u: not PD-only: flowbit settings other than 'set'", s->
id);
314 SCLogDebug(
"%u: not PD-only: flow settings other than toserver/toclient", s->
id);
367 if (SignatureInspectsBuffers(s)) {
373 for ( ;sm != NULL; sm = sm->
next) {
380 for ( ;sm != NULL; sm = sm->
next) {
393 SCLogDebug(
"DE-ONLY (%" PRIu32
"): source %s, dest %s", s->
id,
401 #define MASK_TCP_INITDEINIT_FLAGS (TH_SYN|TH_RST|TH_FIN)
402 #define MASK_TCP_UNUSUAL_FLAGS (TH_URG|TH_ECN|TH_CWR)
408 bool app_decoder_events)
424 if (p->
events.
cnt > 0 || app_decoder_events != 0 ||
431 const TCPHdr *tcph = PacketGetTCP(p);
446 static int SignatureCreateMask(
Signature *s)
470 SCLogDebug(
"SIG_FLAG_REQUIRE_FLOWVAR set as sig has "
471 "flowbit isset option.");
476 SCLogDebug(
"sig requires flow to be able to manipulate "
483 SCLogDebug(
"sig requires flow to be able to manipulate "
492 SCLogDebug(
"sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT");
496 SCLogDebug(
"sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL");
567 static bool RuleInspectsPayloadHasNoMpm(
const Signature *s)
574 static int RuleGetMpmPatternSize(
const Signature *s)
587 static bool RuleMpmIsNegated(
const Signature *s)
603 const int add_rules,
const int add_mpm_stats)
605 uint32_t prefilter_cnt = 0;
606 uint32_t mpm_cnt = 0;
607 uint32_t nonmpm_cnt = 0;
608 uint32_t mpm_depth_cnt = 0;
609 uint32_t mpm_endswith_cnt = 0;
610 uint32_t negmpm_cnt = 0;
611 uint32_t any5_cnt = 0;
612 uint32_t payload_no_mpm_cnt = 0;
613 uint32_t syn_cnt = 0;
615 uint32_t mpms_min = 0;
616 uint32_t mpms_max = 0;
625 } mpm_stats[max_buffer_type_id];
626 memset(mpm_stats, 0x00,
sizeof(mpm_stats));
629 uint32_t mpm_sizes[max_buffer_type_id][256];
630 memset(mpm_sizes, 0,
sizeof(mpm_sizes));
631 uint32_t alproto_mpm_bufs[
ALPROTO_MAX][max_buffer_type_id];
632 memset(alproto_mpm_bufs, 0,
sizeof(alproto_mpm_bufs));
635 if (sgh->
init == NULL)
638 json_t *js = json_object();
642 json_object_set_new(js,
"id", json_integer(sgh->
id));
644 json_t *js_array = json_array();
646 for (uint32_t x = 0; x < sgh->
init->
sig_cnt; x++) {
676 SCLogDebug(
"SGH %p Non-MPM inspecting only packets. Rule %u", sgh, s->
id);
683 SCLogDebug(
"SGH %p Non-MPM toserver and to 'any'. Rule %u", sgh, s->
id);
686 SCLogDebug(
"SGH %p Non-MPM toclient and to 'any'. Rule %u", sgh, s->
id);
699 mpm_sizes[mpm_list][size]++;
700 alproto_mpm_bufs[s->
alproto][mpm_list]++;
707 if (dp->
port == 0 && dp->
port2 == 65535) {
708 SCLogDebug(
"SGH %p toserver 1byte fast_pattern to ANY. Rule %u", sgh, s->
id);
710 SCLogDebug(
"SGH %p toserver 1byte fast_pattern to port(s) %u-%u. Rule %u", sgh, dp->
port, dp->
port2, s->
id);
714 if (sp->
port == 0 && sp->
port2 == 65535) {
715 SCLogDebug(
"SGH %p toclient 1byte fast_pattern to ANY. Rule %u", sgh, s->
id);
717 SCLogDebug(
"SGH %p toclient 1byte fast_pattern to port(s) %u-%u. Rule %u", sgh, sp->
port, sp->
port2, s->
id);
731 BUG_ON(mpm_list >= max_buffer_type_id);
732 mpm_stats[mpm_list].total += w;
733 mpm_stats[mpm_list].cnt++;
734 if (mpm_stats[mpm_list].min == 0 || w < mpm_stats[mpm_list].min)
735 mpm_stats[mpm_list].min = w;
736 if (w > mpm_stats[mpm_list].max)
737 mpm_stats[mpm_list].max = w;
744 if (w < 10 && any == 5) {
760 if (RuleInspectsPayloadHasNoMpm(s)) {
761 SCLogDebug(
"SGH %p No MPM. Payload inspecting. Rule %u", sgh, s->
id);
762 payload_no_mpm_cnt++;
768 json_t *js_sig = json_object();
771 json_object_set_new(js_sig,
"sig_id", json_integer(s->
id));
772 json_array_append_new(js_array, js_sig);
776 json_object_set_new(js,
"rules", js_array);
778 json_t *stats = json_object();
779 json_object_set_new(stats,
"total", json_integer(sgh->
init->
sig_cnt));
781 json_t *types = json_object();
782 json_object_set_new(types,
"mpm", json_integer(mpm_cnt));
783 json_object_set_new(types,
"non_mpm", json_integer(nonmpm_cnt));
784 json_object_set_new(types,
"mpm_depth", json_integer(mpm_depth_cnt));
785 json_object_set_new(types,
"mpm_endswith", json_integer(mpm_endswith_cnt));
786 json_object_set_new(types,
"negated_mpm", json_integer(negmpm_cnt));
787 json_object_set_new(types,
"payload_but_no_mpm", json_integer(payload_no_mpm_cnt));
788 json_object_set_new(types,
"prefilter", json_integer(prefilter_cnt));
789 json_object_set_new(types,
"syn", json_integer(syn_cnt));
790 json_object_set_new(types,
"any5", json_integer(any5_cnt));
791 json_object_set_new(stats,
"types", types);
794 if (alstats[i] > 0) {
795 json_t *app = json_object();
796 json_object_set_new(app,
"total", json_integer(alstats[i]));
798 for (
int y = 0; y < max_buffer_type_id; y++) {
799 if (alproto_mpm_bufs[i][y] == 0)
808 json_object_set_new(app, name, json_integer(alproto_mpm_bufs[i][y]));
812 json_object_set_new(stats, proto_name, app);
817 json_t *mpm_js = json_object();
819 for (
int i = 0; i < max_buffer_type_id; i++) {
820 if (mpm_stats[i].
cnt > 0) {
822 json_t *mpm_sizes_array = json_array();
823 for (
int y = 0; y < 256; y++) {
824 if (mpm_sizes[i][y] == 0)
827 json_t *e = json_object();
828 json_object_set_new(e,
"size", json_integer(y));
829 json_object_set_new(e,
"count", json_integer(mpm_sizes[i][y]));
830 json_array_append_new(mpm_sizes_array, e);
833 json_t *buf = json_object();
834 json_object_set_new(buf,
"total", json_integer(mpm_stats[i].
cnt));
835 json_object_set_new(buf,
"avg_strength", json_integer(mpm_stats[i].total / mpm_stats[i].
cnt));
836 json_object_set_new(buf,
"min_strength", json_integer(mpm_stats[i].min));
837 json_object_set_new(buf,
"max_strength", json_integer(mpm_stats[i].max));
839 json_object_set_new(buf,
"sizes", mpm_sizes_array);
847 json_object_set_new(mpm_js, name, buf);
851 json_object_set_new(stats,
"mpm", mpm_js);
853 json_object_set_new(js,
"stats", stats);
855 json_object_set_new(js,
"score", json_integer(sgh->
init->
score));
861 const int add_rules,
const int add_mpm_stats)
863 json_t *js = json_object();
868 for (p = 0; p < 256; p++) {
869 if (p == IPPROTO_TCP || p == IPPROTO_UDP) {
870 const char *name = (p == IPPROTO_TCP) ?
"tcp" :
"udp";
872 json_t *tcp = json_object();
874 json_t *ts_array = json_array();
877 while (list != NULL) {
878 json_t *port = json_object();
879 json_object_set_new(port,
"port", json_integer(list->
port));
880 json_object_set_new(port,
"port2", json_integer(list->
port2));
883 RulesGroupPrintSghStats(
de_ctx, list->
sh, add_rules, add_mpm_stats);
884 json_object_set_new(port,
"rulegroup", tcp_ts);
885 json_array_append_new(ts_array, port);
889 json_object_set_new(tcp,
"toserver", ts_array);
891 json_t *tc_array = json_array();
894 while (list != NULL) {
895 json_t *port = json_object();
896 json_object_set_new(port,
"port", json_integer(list->
port));
897 json_object_set_new(port,
"port2", json_integer(list->
port2));
900 RulesGroupPrintSghStats(
de_ctx, list->
sh, add_rules, add_mpm_stats);
901 json_object_set_new(port,
"rulegroup", tcp_tc);
902 json_array_append_new(tc_array, port);
906 json_object_set_new(tcp,
"toclient", tc_array);
908 json_object_set_new(js, name, tcp);
909 }
else if (p == IPPROTO_ICMP || p == IPPROTO_ICMPV6) {
910 const char *name = (p == IPPROTO_ICMP) ?
"icmpv4" :
"icmpv6";
911 json_t *o = json_object();
913 json_t *
ts = json_object();
914 json_t *group_ts = RulesGroupPrintSghStats(
916 json_object_set_new(
ts,
"rulegroup", group_ts);
917 json_object_set_new(o,
"toserver",
ts);
920 json_t *tc = json_object();
921 json_t *group_tc = RulesGroupPrintSghStats(
923 json_object_set_new(tc,
"rulegroup", group_tc);
924 json_object_set_new(o,
"toclient", tc);
926 json_object_set_new(js, name, o);
930 const char *filename =
"rule_group.json";
932 char log_path[PATH_MAX] =
"";
934 snprintf(log_path,
sizeof(log_path),
"%s/%s", log_dir, filename);
936 FILE *fp = fopen(log_path,
"w");
941 char *js_s = json_dumps(js,
948 json_object_clear(js);
951 fprintf(fp,
"%s\n", js_s);
963 for ( ; s != NULL; s = s->
next) {
968 for (
int p = 0; p < 256; p++) {
969 if (p == IPPROTO_TCP || p == IPPROTO_UDP) {
994 for (p = 0; p < 256; p++) {
995 if (p == IPPROTO_TCP || p == IPPROTO_UDP)
997 if (sgh_ts[p] == NULL)
1003 if (lookup_sgh == NULL) {
1004 SCLogDebug(
"proto group %d sgh %p is the original", p, sgh_ts[p]);
1013 SCLogDebug(
"proto group %d sgh %p is a copy", p, sgh_ts[p]);
1016 sgh_ts[p] = lookup_sgh;
1020 SCLogPerf(
"OTHER %s: %u proto groups, %u unique SGH's, %u copies",
1021 "toserver",
cnt, own, ref);
1026 for (p = 0; p < 256; p++) {
1027 if (p == IPPROTO_TCP || p == IPPROTO_UDP)
1029 if (sgh_tc[p] == NULL)
1035 if (lookup_sgh == NULL) {
1036 SCLogDebug(
"proto group %d sgh %p is the original", p, sgh_tc[p]);
1046 SCLogDebug(
"proto group %d sgh %p is a copy", p, sgh_tc[p]);
1049 sgh_tc[p] = lookup_sgh;
1053 SCLogPerf(
"OTHER %s: %u proto groups, %u unique SGH's, %u copies",
1054 "toclient",
cnt, own, ref);
1056 for (p = 0; p < 256; p++) {
1057 if (p == IPPROTO_TCP || p == IPPROTO_UDP)
1070 if (ipproto == IPPROTO_UDP)
1098 if (!(p->
port == 0 && p->
port2 == 65535)) {
1100 if (RuleInspectsPayloadHasNoMpm(s)) {
1101 SCLogDebug(
"Rule %u MPM has 1 byte fast_pattern. Prioritizing SGH's.", s->
id);
1104 }
else if (RuleMpmIsNegated(s)) {
1105 SCLogDebug(
"Rule %u MPM is negated. Prioritizing SGH's.", s->
id);
1111 RuleGetMpmPatternSize(s) == 1) {
1112 SCLogDebug(
"Rule %u No MPM. Payload inspecting. Prioritizing SGH's.", s->
id);
1116 SCLogDebug(
"Rule %u Needs SYN, so inspected often. Prioritizing SGH's.", s->
id);
1125 static int SortCompare(
const void *a,
const void *b)
1152 static inline void SortGroupList(
1153 uint32_t *groups,
DetectPort **list,
int (*CompareFunc)(
const void *,
const void *))
1171 x->sh->id = idx + 1;
1174 x->
next = x->prev = x->last = NULL;
1181 qsort(array, idx,
sizeof(
DetectPort *), SortCompare);
1185 for (
int i = 0; i < idx; i++) {
1190 if (new_list == NULL) {
1207 SCLogDebug(
"item:= [%u:%u]; score: %d; sig_cnt: %d", tmp->port, tmp->port2,
1208 tmp->sh->init->score, tmp->sh->init->sig_cnt);
1226 DetectPort **newhead, uint32_t unique_groups,
1227 int (*CompareFunc)(
const void *,
const void *))
1230 uint32_t groups = 0;
1235 tmplist = port_list;
1236 SortGroupList(&groups, &tmplist, SortCompare);
1237 uint32_t left = unique_groups;
1244 DetectPort *tmplist2 = NULL, *tmplist2_tail = NULL;
1246 for (gr = tmplist; gr != NULL;) {
1255 if (joingr == NULL) {
1257 if (joingr == NULL) {
1260 SCLogDebug(
"joingr => %u-%u", joingr->port, joingr->port2);
1261 joingr->next = NULL;
1272 if (tmplist2 == NULL) {
1276 tmplist2_tail->
next = gr;
1288 if (joingr != NULL) {
1289 SCLogDebug(
"appending joingr %p %u:%u", joingr, joingr->port, joingr->port2);
1291 if (tmplist2 == NULL) {
1295 tmplist2_tail->
next = joingr;
1303 *newhead = tmplist2;
1311 #define UNDEFINED_PORT 0
1312 #define RANGE_PORT 1
1313 #define SINGLE_PORT 2
1332 static inline uint32_t SetUniquePortPoints(
1333 const DetectPort *p, uint8_t *unique_list, uint32_t size_list)
1368 static inline void SetFinalUniquePortPoints(
1369 const uint8_t *unique_list,
const uint32_t size_unique_arr,
UniquePortPoint *final_arr)
1371 for (uint32_t i = 0, j = 0; i < (UINT16_MAX + 1); i++) {
1374 final_arr[j].
port = (uint16_t)i;
1375 final_arr[j++].
single =
false;
1377 final_arr[j].
port = (uint16_t)i;
1378 final_arr[j++].
single =
true;
1405 if (final_unique_points == NULL)
1407 SetFinalUniquePortPoints(unique_list, size_list, final_unique_points);
1409 if (size_list == 1) {
1411 de_ctx, final_unique_points[0].port, final_unique_points[0].port, &it->
tree, list);
1415 uint16_t port = p1 ? p1->
port : 0;
1416 uint16_t port2 = p2->
port;
1417 for (uint32_t i = 1; i < size_list; i++) {
1423 }
else if (p1 && p1->
single) {
1425 if ((port2 > port + 1)) {
1427 de_ctx, port + 1, port2 - 1, &it->
tree, list);
1435 if ((port2 >= port + 1)) {
1442 if ((port2 > port + 1)) {
1453 if (port == p2->
port) {
1458 if (i + 1 < size_list) {
1459 p2 = &final_unique_points[i + 1];
1465 SCFree(final_unique_points);
1476 uint32_t size_unique_port_arr = 0;
1480 uint8_t *unique_port_points = (uint8_t *)
SCCalloc(UINT16_MAX + 1,
sizeof(uint8_t));
1481 if (unique_port_points == NULL)
1507 "w/o direction specified, disabling for toclient direction",
1535 size_unique_port_arr =
1536 SetUniquePortPoints(tmp2, unique_port_points, size_unique_port_arr);
1559 SCLogDebug(
"Port was not inserted in the tree");
1566 if (CreatePortList(
de_ctx, unique_port_points, size_unique_port_arr, it, &list) < 0)
1570 SCFree(unique_port_points);
1581 CreateGroupedPortList(
de_ctx, list, &newlist, groupmax, SortCompare);
1592 for (iter = list ; iter != NULL; iter = iter->
next) {
1598 if (lookup_sgh == NULL) {
1599 SCLogDebug(
"port group %p sgh %p is the original", iter, iter->
sh);
1609 SCLogDebug(
"port group %p sgh %p is a copy", iter, iter->
sh);
1612 iter->
sh = lookup_sgh;
1618 for (iter = list ; iter != NULL; iter = iter->
next) {
1619 SCLogInfo(
"PORT %u-%u %p (sgh=%s, prioritized=%s/%d)",
1626 SCLogPerf(
"%s %s: %u port groups, %u unique SGH's, %u copies",
1627 ipproto == 6 ?
"TCP" :
"UDP",
1634 if (unique_port_points != NULL)
1635 SCFree(unique_port_points);
1648 if (SignatureIsPDOnly(
de_ctx, s) == 1) {
1655 }
else if (iponly == 2) {
1658 }
else if (SignatureIsDEOnly(
de_ctx, s) == 1) {
1664 bool has_buffer_frame_engine =
false;
1665 bool has_buffer_packet_engine =
false;
1666 bool has_buffer_app_engine =
false;
1672 has_buffer_packet_engine =
true;
1674 has_buffer_frame_engine =
true;
1676 has_buffer_app_engine =
true;
1680 if (has_buffer_packet_engine) {
1682 }
else if (has_buffer_frame_engine || has_buffer_app_engine) {
1684 }
else if (has_pmatch) {
1694 }
else if (has_match) {
1717 uint32_t cnt_iponly = 0;
1718 uint32_t cnt_payload = 0;
1719 uint32_t cnt_applayer = 0;
1720 uint32_t cnt_deonly = 0;
1723 SCLogDebug(
"building signature grouping structure, stage 1: "
1724 "preprocessing rules...");
1739 SCLogDebug(
"Signature %"PRIu32
" is considered \"PD only\"", s->
id);
1741 SCLogDebug(
"Signature %"PRIu32
" is considered \"IP only\"", s->
id);
1743 }
else if (SignatureIsInspectingPayload(
de_ctx, s) == 1) {
1744 SCLogDebug(
"Signature %"PRIu32
" is considered \"Payload inspecting\"", s->
id);
1747 SCLogDebug(
"Signature %"PRIu32
" is considered \"Decoder Event only\"", s->
id);
1750 SCLogDebug(
"Signature %"PRIu32
" is considered \"Applayer inspecting\"", s->
id);
1770 if (copresent && colen == 1) {
1780 if (RuleMpmIsNegated(s)) {
1784 SignatureCreateMask(s);
1802 prefilter_list =
MIN(prefilter_list, sm->
type);
1812 if (sm->
type == prefilter_list) {
1837 SCLogInfo(
"tenant id %d: %" PRIu32
" signatures processed. %" PRIu32
" are IP-only "
1838 "rules, %" PRIu32
" are inspecting packet payload, %" PRIu32
1839 " inspect application layer, %" PRIu32
" are decoder event only",
1843 SCLogInfo(
"%" PRIu32
" signatures processed. %" PRIu32
" are IP-only "
1844 "rules, %" PRIu32
" are inspecting packet payload, %" PRIu32
1845 " inspect application layer, %" PRIu32
" are decoder event only",
1846 de_ctx->
sig_cnt, cnt_iponly, cnt_payload, cnt_applayer, cnt_deonly);
1848 SCLogConfig(
"building signature grouping structure, stage 1: "
1849 "preprocessing rules... complete");
1867 SCLogDebug(
"adding signature %"PRIu32
" to the decoder event sgh", s->
id);
1882 SCLogDebug(
"building signature grouping structure, stage 2: "
1883 "building source address lists...");
1893 RulesGroupByIPProto(
de_ctx);
1901 DetectEngineAddDecoderEventSig(
de_ctx, s);
1923 DetectEngineBuildDecoderEventSgh(
de_ctx);
1931 SCLogDebug(
"cleaning up signature grouping structure...");
1938 for (
int p = 0; p < 256; p++) {
1964 SCLogDebug(
"cleaning up signature grouping structure... complete");
1977 for (sig = 0; sig < sgh->sig_cnt; sig++) {
1978 printf(
"%" PRIu32
" ", sgh->match_array[sig]->
id);
1985 if (sgh == NULL || sgh->
init == NULL) {
2035 int dump_grouping = 0;
2036 (void)
ConfGetBool(
"detect.profiling.grouping.dump-to-disk", &dump_grouping);
2038 if (dump_grouping) {
2040 (void)
ConfGetBool(
"detect.profiling.grouping.include-rules", &add_rules);
2041 int add_mpm_stats = 0;
2042 (void)
ConfGetBool(
"detect.profiling.grouping.include-mpm-stats", &add_mpm_stats);
2044 RulesDumpGrouping(
de_ctx, add_rules, add_mpm_stats);
2077 for (; s != NULL; s = s->
next) {
2099 while (sm != NULL) {
2115 while (sm != NULL) {
2164 SigInitStandardMpmFactoryContexts(
de_ctx);
2167 FatalError(
"initializing the detection engine failed");
2171 FatalError(
"initializing the detection engine failed");
2175 FatalError(
"initializing the detection engine failed");
2178 FatalError(
"initializing the detection engine failed");
2186 FatalError(
"initializing the detection engine failed");
2189 if (SigMatchPrepare(
de_ctx) != 0) {
2190 FatalError(
"initializing the detection engine failed");
2199 if (
ConfGetInt(
"detect.profiling.inspect-logging-threshold", &v) == 1)
2202 #ifdef PROFILE_RULES
2203 SCProfilingRuleInitCounters(
de_ctx);
#define HashListTableGetListData(hb)
#define DETECT_FLOW_FLAG_TOCLIENT
int ConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
void DetectEngineResetMaxSigId(DetectEngineCtx *de_ctx)
bool DetectEngineBufferTypeSupportsPacketGetById(const DetectEngineCtx *de_ctx, const int id)
#define SIG_MASK_REQUIRE_REAL_PKT
#define MASK_TCP_UNUSUAL_FLAGS
int DetectFlagsSignatureNeedsSynOnlyPackets(const Signature *s)
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
SigTableElmt * sigmatch_table
void SigMatchFree(DetectEngineCtx *de_ctx, SigMatch *sm)
free a SigMatch
void(* Free)(DetectEngineCtx *, void *)
struct SigGroupHead_ * decoder_event_sgh
int DetectPortHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table in the detection engine context to hold the DetectPort hash.
DetectEngineLookupFlow flow_gh[FLOW_STATES]
#define FILE_SIG_NEED_SHA1
int SigPrepareStage4(DetectEngineCtx *de_ctx)
finalize preparing sgh's
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
void DetectEngineBufferRunSetupCallback(const DetectEngineCtx *de_ctx, const int id, Signature *s)
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
Container for matching data for a signature group.
const char * DetectListToHumanString(int list)
#define SIG_FLAG_INIT_FLOW
void SigFree(DetectEngineCtx *, Signature *)
void DumpPatterns(DetectEngineCtx *de_ctx)
int SigGroupHeadBuildNonPrefilterArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
build an array of rule id's for sigs with no prefilter Also updated de_ctx::non_pf_store_cnt_max to t...
void DetectPortFree(const DetectEngineCtx *de_ctx, DetectPort *dp)
Free a DetectPort and its members.
uint16_t max_uniq_toclient_groups
void MpmStoreReportStats(const DetectEngineCtx *de_ctx)
bool src_contains_negation
void IPOnlyDeinit(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx)
Deinitialize the IP Only detection engine context.
struct HtpBodyChunk_ * next
void SCPortIntervalFindOverlappingRanges(DetectEngineCtx *de_ctx, const uint16_t port, const uint16_t port2, const struct PI *head, DetectPort **list)
Callee function to find all overlapping port ranges as asked by the detection engine during Stage 2 o...
#define PORT_SIGGROUPHEAD_COPY
@ DETECT_SM_LIST_DYNAMIC_START
uint32_t PatternStrength(uint8_t *pat, uint16_t patlen)
Predict a strength value for patterns.
int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
int DetectSetFastPatternAndItsId(DetectEngineCtx *de_ctx)
Figure out the FP and their respective content ids for all the sigs in the engine.
@ DETECT_AL_APP_LAYER_EVENT
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
void SCProfilingSghInitCounters(DetectEngineCtx *de_ctx)
Register the keyword profiling counters.
main detection engine ctx
int DetectFlagsSignatureNeedsSynPackets(const Signature *s)
HashListTableBucket * HashListTableGetListHead(HashListTable *ht)
void SigGroupHeadSetProtoAndDirection(SigGroupHead *sgh, uint8_t ipproto, int dir)
#define SIGMATCH_DEONLY_COMPAT
const char * DetectEngineBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
void DetectMpmInitializeBuiltinMpms(DetectEngineCtx *de_ctx)
#define SIG_FLAG_REQUIRE_STREAM
bool rule_engine_analysis_set
struct DetectPort_ * next
DetectPort * tcp_priorityports
HashListTable * dport_hash_table
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
enum DetectEnginePrefilterSetting prefilter_setting
#define JSON_ESCAPE_SLASH
struct SigGroupHead_ * sh
DetectPort * udp_priorityports
#define DETECT_FLOWBITS_CMD_ISSET
#define PKT_NOPAYLOAD_INSPECTION
void SigCleanSignatures(DetectEngineCtx *de_ctx)
void DetectPortPrintList(DetectPort *head)
Helper function used to print the list of ports present in this DetectPort list.
int SigPrepareStage1(DetectEngineCtx *de_ctx)
Preprocess signature, classify ip-only, etc, build sig array.
#define DETECT_PGSCORE_RULE_SYN_ONLY
#define SIG_FLAG_TOCLIENT
void SigGroupHeadSetupFiles(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Set the need hash flag in the sgh.
int SignatureIsFilesizeInspecting(const Signature *s)
Check if a signature contains the filesize keyword.
AppLayerDecoderEvents * app_layer_events
PacketEngineEvents events
void EngineAnalysisAddAllRulePatterns(DetectEngineCtx *de_ctx, const Signature *s)
add all patterns on our stats hash Used to fill the hash later used by DumpPatterns()
void DetectPortPrint(DetectPort *dp)
Helper function that print the DetectPort info.
void PacketCreateMask(Packet *p, SignatureMask *mask, AppProto alproto, bool app_decoder_events)
#define SIG_FLAG_APPLAYER
int SigGroupHeadHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table in the detection engine context to hold the SigGroupHeads.
#define FILE_SIG_NEED_MD5
int SignatureIsFileSha256Inspecting(const Signature *s)
Check if a signature contains the filesha256 keyword.
int DetectEngineMultiTenantEnabled(void)
#define HashListTableGetListNext(hb)
@ DETECT_SM_LIST_POSTMATCH
DetectPort * DetectPortCopySingle(DetectEngineCtx *de_ctx, DetectPort *src)
Function that return a copy of DetectPort src sigs.
#define SIG_FLAG_TOSERVER
int DetectPortParse(const DetectEngineCtx *de_ctx, DetectPort **head, const char *str)
Function for parsing port strings.
int SigAddressCleanupStage1(DetectEngineCtx *de_ctx)
int SCPortIntervalInsert(DetectEngineCtx *de_ctx, SCPortIntervalTree *it, const DetectPort *p)
Function to insert a node in the interval tree.
int SigGroupHeadBuildMatchArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t max_idx)
Create an array with all the internal ids of the sigs that this sig group head will check for.
#define DETECT_CONTENT_ENDS_WITH
void IPOnlyInit(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx)
Setup the IP Only detection engine context.
#define SIG_MASK_REQUIRE_ENGINE_EVENT
Signature * SigFindSignatureBySidGid(DetectEngineCtx *de_ctx, uint32_t sid, uint32_t gid)
Find a specific signature by sid and gid.
#define DetectEngineGetMaxSigId(de_ctx)
#define DETECT_FLOW_FLAG_TOSERVER
#define FILE_SIG_NEED_MAGIC
#define SIG_MASK_REQUIRE_FLOW
IPOnlyCIDRItem * cidr_dst
#define DETECT_CONTENT_DEPTH
struct SigGroupHead_ * sgh[256]
#define SIG_MASK_REQUIRE_FLAGS_INITDEINIT
void SCProfilingPrefilterInitCounters(DetectEngineCtx *de_ctx)
Register the prefilter profiling counters.
SigMatchData * SigMatchList2DataArray(SigMatch *head)
convert SigMatch list to SigMatchData array
#define PKT_DETECT_HAS_STREAMDATA
#define DETECT_CONTENT_NEGATED
#define SCLogWarning(...)
Macro used to log WARNING messages.
void DetectContentPropagateLimits(Signature *s)
Port structure for detection engine.
SigGroupHeadInitData * init
#define DETECT_PGSCORE_RULE_NO_MPM
IPOnlyCIDRItem * cidr_src
void IPOnlyPrepare(DetectEngineCtx *de_ctx)
Build the radix trees from the lists of parsed addresses in CIDR format the result should be 4 radix ...
int SigGroupCleanup(DetectEngineCtx *de_ctx)
#define DETECT_PGSCORE_RULE_MPM_FAST_PATTERN
#define SIG_FLAG_REQUIRE_FLOWVAR
#define FILE_SIG_NEED_SHA256
void IPOnlyPrint(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx)
Print stats of the IP Only engine.
@ DETECT_AL_APP_LAYER_PROTOCOL
uint16_t max_uniq_toserver_groups
void IPOnlyAddSignature(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx, Signature *s)
Add a signature to the lists of Addresses in CIDR format (sorted) this step is necessary to build the...
SignatureInitData * init_data
int SigGroupHeadAppendSig(const DetectEngineCtx *de_ctx, SigGroupHead **sgh, const Signature *s)
Add a Signature to a SigGroupHead.
struct SigGroupHead_ ** sgh_array
bool dst_contains_negation
void SigGroupHeadFree(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Free a SigGroupHead and its members.
#define SIG_MASK_REQUIRE_PAYLOAD
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
int SignatureIsFileSha1Inspecting(const Signature *s)
Check if a signature contains the filesha1 keyword.
SCPortIntervalTree * SCPortIntervalTreeInit(void)
Function to initialize the interval tree.
void IPOnlyCIDRListFree(IPOnlyCIDRItem *tmphead)
This function free a IPOnlyCIDRItem list.
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
#define SIG_FLAG_INIT_STATE_MATCH
bool DetectEngineBufferTypeSupportsFramesGetById(const DetectEngineCtx *de_ctx, const int id)
void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s)
void SigGroupHeadSetSigCnt(SigGroupHead *sgh, uint32_t max_idx)
Updates the SigGroupHead->sig_cnt with the total count of all the Signatures present in this SigGroup...
int DetectMpmPrepareFrameMpms(DetectEngineCtx *de_ctx)
initialize mpm contexts for applayer buffers that are in "single or "shared" mode.
int DetectEnginePktInspectionSetup(Signature *s)
#define SIG_MASK_REQUIRE_NO_PAYLOAD
void SigGroupHeadStore(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
int SigPrepareStage3(DetectEngineCtx *de_ctx)
struct DetectPort_ * prev
#define MASK_TCP_INITDEINIT_FLAGS
const char * DetectListToString(int list)
uint32_t profile_match_logging_threshold
int DetectMpmPreparePktMpms(DetectEngineCtx *de_ctx)
initialize mpm contexts for applayer buffers that are in "single or "shared" mode.
void SigGroupHeadHashFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function.
#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL
int SigGroupHeadHashAdd(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Adds a SigGroupHead to the detection engine context SigGroupHead hash table.
int SigPrepareStage2(DetectEngineCtx *de_ctx)
Fill the global src group head, with the sigs included.
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
SignatureInitDataBuffer * buffers
const char * ConfigGetLogDirectory(void)
struct HtpBodyChunk_ * next
SigGroupHead * SigGroupHeadHashLookup(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Used to lookup a SigGroupHead hash from the detection engine context SigGroupHead hash table.
#define DETECT_PGSCORE_RULE_PORT_PRIORITIZED
int SignatureIsFilestoring(const Signature *s)
Check if a signature contains the filestore keyword.
int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
Test is a initialized signature is IP only.
bool(* SupportsPrefilter)(const Signature *s)
int DetectMpmPrepareBuiltinMpms(DetectEngineCtx *de_ctx)
initialize mpm contexts for builtin buffers that are in "single or "shared" mode.
a single match condition for a signature
void SigGroupHeadInitDataFree(SigGroupHeadInitData *sghid)
int SignatureIsFileMd5Inspecting(const Signature *s)
Check if a signature contains the filemd5 keyword.
#define DETECT_PGSCORE_RULE_MPM_NEGATED
void SignatureSetType(DetectEngineCtx *de_ctx, Signature *s)
void SCProfilingKeywordInitCounters(DetectEngineCtx *de_ctx)
Register the keyword profiling counters.
int DetectPortHashAdd(DetectEngineCtx *de_ctx, DetectPort *dp)
Adds a DetectPort to the detection engine context DetectPort hash table.
void PrefilterSetupRuleGroup(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
void SigParseApplyDsizeToContent(Signature *s)
Apply dsize as depth to content matches in the rule.
struct UniquePortPoint_ UniquePortPoint
DetectEngineTransforms transforms
DetectEngineIPOnlyCtx io_ctx
DetectUintData_u16 DetectU16Data
void DetectPortHashFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by DetectPortInit() function.
DetectPort * DetectPortHashLookup(DetectEngineCtx *de_ctx, DetectPort *dp)
Used to lookup a DetectPort hash from the detection engine context DetectPort hash table.
int SignatureIsFilemagicInspecting(const Signature *s)
Check if a signature contains the filemagic keyword.
int DetectMpmPrepareAppMpms(DetectEngineCtx *de_ctx)
initialize mpm contexts for applayer buffers that are in "single or "shared" mode.
#define SIGMATCH_IPONLY_COMPAT
void DetectPortCleanupList(const DetectEngineCtx *de_ctx, DetectPort *head)
Free a DetectPort list and each of its members.
int SCLogDebugEnabled(void)
Returns whether debug messages are enabled to be logged or not.
#define DEBUG_VALIDATE_BUG_ON(exp)
int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature *s)
#define SIG_FLAG_PREFILTER
void SCPortIntervalTreeFree(DetectEngineCtx *de_ctx, SCPortIntervalTree *it)
Function to free an entire interval tree.
int VarNameStoreActivate(void)
#define SIG_FLAG_FILESTORE
#define FILE_SIG_NEED_SIZE
#define DETECT_FLOWBITS_CMD_SET
int SigGroupHeadCopySigs(DetectEngineCtx *de_ctx, SigGroupHead *src, SigGroupHead **dst)
Copies the bitarray holding the sids from the source SigGroupHead to the destination SigGroupHead.
#define SIG_FLAG_REQUIRE_PACKET