suricata
detect-engine-build.h File Reference


Functions

void PacketCreateMask (Packet *p, SignatureMask *mask, AppProto alproto, bool app_decoder_events)
 
int SignatureIsFilestoring (const Signature *)
 Check if a signature contains the filestore keyword. More...
 
int SignatureIsFilemagicInspecting (const Signature *)
 Check if a signature contains the filemagic keyword. More...
 
int SignatureIsFileMd5Inspecting (const Signature *)
 Check if a signature contains the filemd5 keyword. More...
 
int SignatureIsFileSha1Inspecting (const Signature *s)
 Check if a signature contains the filesha1 keyword. More...
 
int SignatureIsFileSha256Inspecting (const Signature *s)
 Check if a signature contains the filesha256 keyword. More...
 
int SignatureIsFilesizeInspecting (const Signature *)
 Check if a signature contains the filesize keyword. More...
 
void SignatureSetType (DetectEngineCtx *de_ctx, Signature *s)
 
int SigAddressPrepareStage1 (DetectEngineCtx *de_ctx)
 Preprocess the signatures (classify IP-only ones, etc.) and build the signature array. More...
 
int SigAddressPrepareStage2 (DetectEngineCtx *de_ctx)
 Fill the global source group head with the included signatures. More...
 
int SigAddressPrepareStage3 (DetectEngineCtx *de_ctx)
 
int SigAddressPrepareStage4 (DetectEngineCtx *de_ctx)
 Finalize preparation of the signature group heads (sgh). More...
 
int SigAddressCleanupStage1 (DetectEngineCtx *de_ctx)
 
void SigCleanSignatures (DetectEngineCtx *)
 
int SigGroupBuild (DetectEngineCtx *)
 Convert the signature list into the runtime match structure. More...
 
int SigGroupCleanup (DetectEngineCtx *de_ctx)
 

Function Documentation

void PacketCreateMask (Packet *p,
SignatureMask *mask,
AppProto alproto,
bool app_decoder_events)

Definition at line 395 of file detect-engine-build.c.

References Signature_::alproto, ALPROTO_DCERPC, ALPROTO_MAX, ALPROTO_SMB, ALPROTO_UNKNOWN, Packet_::app_layer_events, AppProtoToString(), BUG_ON, DetectFlowbitsData_::cmd, PacketEngineEvents_::cnt, ConfigGetLogDirectory(), DetectContentData_::content, DetectContentData_::content_len, CreateGroupedPortList(), CreateGroupedPortListCmpCnt(), SigMatch_::ctx, DETECT_AL_APP_LAYER_EVENT, DETECT_CONTENT_NEGATED, DETECT_DSIZE, DETECT_ENGINE_EVENT, DETECT_FLAGS, DETECT_FLOWBITS, DETECT_FLOWBITS_CMD_ISSET, DETECT_FLOWINT, DETECT_PROTO_ANY, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_MAX, DETECT_SM_LIST_PMATCH, DetectBufferTypeGetByName(), DETECTDSIZE_EQ, DETECTDSIZE_GT, DETECTDSIZE_LT, DETECTDSIZE_RA, DetectFlagsSignatureNeedsSynOnlyPackets(), DetectFlagsSignatureNeedsSynPackets(), DetectListToHumanString(), DetectListToString(), DetectMpmInitializeBuiltinMpms(), DetectPortCopySingle(), DetectPortHashAdd(), DetectPortHashFree(), DetectPortHashInit(), DetectPortHashLookup(), DetectPortInsert(), Signature_::dp, DetectEngineCtx_::dport_hash_table, DetectDsizeData_::dsize, Packet_::events, DetectProto_::flags, DetectFlagsData_::flags, DetectContentData_::flags, DetectPort_::flags, Packet_::flags, Signature_::flags, DetectEngineCtx_::flow_gh, DetectEngineCtx_::gh_reuse, DetectEngineCtx_::gh_unique, HashListTableGetListData, HashListTableGetListHead(), HashListTableGetListNext, Signature_::id, SigGroupHead_::id, SigGroupHead_::init, Signature_::init_data, SignatureInitData_::init_flags, JSON_ESCAPE_SLASH, Signature_::mask, MASK_TCP_INITDEINIT_FLAGS, MASK_TCP_UNUSUAL_FLAGS, SigGroupHead_::match_array, MAX, DetectEngineCtx_::max_uniq_toclient_groups, DetectEngineCtx_::max_uniq_toserver_groups, DetectDsizeData_::mode, SignatureInitData_::mpm_sm, DetectPort_::next, SigMatch_::next, next, Signature_::next, Signature_::num, PatternStrength(), Packet_::payload_len, PKT_DETECT_HAS_STREAMDATA, PKT_HAS_FLOW, PKT_IS_PSEUDOPKT, PKT_IS_TCP, PKT_NOPAYLOAD_INSPECTION, DetectPort_::port, 
DetectPort_::port2, PORT_SIGGROUPHEAD_COPY, DetectProto_::proto, Signature_::proto, SC_WARN_POOR_RULE, SCEnter, SCLogDebug, SCLogInfo, SCLogPerf, SCLogWarning, SCReturnInt, DetectEngineLookupFlow_::sgh, DetectPort_::sh, SigGroupHead_::sig_cnt, SIG_FLAG_APPLAYER, SIG_FLAG_DP_ANY, SIG_FLAG_DST_ANY, SIG_FLAG_INIT_FLOW, SIG_FLAG_IPONLY, SIG_FLAG_REQUIRE_FLOWVAR, SIG_FLAG_SP_ANY, SIG_FLAG_SRC_ANY, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, DetectEngineCtx_::sig_list, SIG_MASK_REQUIRE_DCERPC, SIG_MASK_REQUIRE_ENGINE_EVENT, SIG_MASK_REQUIRE_FLAGS_INITDEINIT, SIG_MASK_REQUIRE_FLAGS_UNUSUAL, SIG_MASK_REQUIRE_FLOW, SIG_MASK_REQUIRE_NO_PAYLOAD, SIG_MASK_REQUIRE_PAYLOAD, SigGroupHeadAppendSig(), SigGroupHeadBuildMatchArray(), SigGroupHeadFree(), SigGroupHeadHashAdd(), SigGroupHeadHashFree(), SigGroupHeadHashInit(), SigGroupHeadHashLookup(), SigGroupHeadSetProtoAndDirection(), SigGroupHeadSetSigCnt(), SigGroupHeadStore(), SigMatchListSMBelongsTo(), Signature_::sm_arrays, SignatureInitData_::smlists, Signature_::sp, DetectEngineLookupFlow_::tcp, DetectEngineCtx_::tcp_whitelist, Packet_::tcph, TH_CWR, TH_ECN, TH_FIN, TH_RST, TH_SYN, TH_URG, SigMatch_::type, DetectEngineLookupFlow_::udp, DetectEngineCtx_::udp_whitelist, unlikely, SignatureInitData_::whitelist, and SigGroupHeadInitData_::whitelist.

Referenced by SigMatchSignaturesGetSgh().



int SigAddressPrepareStage1 (DetectEngineCtx *de_ctx)

Preprocess the signatures (classify IP-only ones, etc.) and build the signature array.

Parameters
de_ctx — Pointer to the Detection Engine Context
Return values
0 — on success
-1 — on failure

Definition at line 1286 of file detect-engine-build.c.

int SigAddressPrepareStage2 (DetectEngineCtx *de_ctx)

Fill the global source group head with the included signatures.

Parameters
de_ctx — Pointer to the Detection Engine Context whose Signatures have to be processed
Return values
0 — on success
-1 — on failure

Definition at line 1623 of file detect-engine-build.c.

References DetectEngineCtx_::decoder_event_sgh, DetectEngineGetMaxSigId, Signature_::flags, DetectEngineCtx_::flow_gh, Signature_::id, Signature_::init_data, SignatureInitData_::init_flags, DetectEngineCtx_::io_ctx, IPOnlyAddSignature(), IPOnlyInit(), IPOnlyPrepare(), IPOnlyPrint(), Signature_::next, SCLogDebug, SIG_FLAG_INIT_DEONLY, SIG_FLAG_IPONLY, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, DetectEngineCtx_::sig_list, SigGroupHeadBuildMatchArray(), SigGroupHeadSetSigCnt(), DetectEngineLookupFlow_::tcp, and DetectEngineLookupFlow_::udp.

Referenced by SigGroupBuild().



int SigAddressPrepareStage3 (DetectEngineCtx *de_ctx)

Definition at line 1670 of file detect-engine-build.c.

Referenced by SigGroupBuild().


void SigCleanSignatures (DetectEngineCtx *)

Definition at line 39 of file detect-engine-build.c.

References DetectEngineResetMaxSigId(), Signature_::next, DetectEngineCtx_::sig_list, and SigFree().

Referenced by ActionInitConfig(), AlertFastLogInitCtx(), DetectAckRegister(), DetectBase64DataDoMatch(), DetectBase64DecodeDoMatch(), DetectByteExtractRetrieveSMVar(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectEngineCtxFree(), DetectEngineInspectStream(), DetectFastPatternRegister(), DetectFilesizeRegister(), DetectFlowFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectHostbitFree(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectIsdataatFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectModbusRegister(), DetectPcrePayloadMatch(), DetectPktDataRegister(), DetectProtoContainsProto(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSeqRegister(), DetectSetupParseRegexes(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectThresholdRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), MpmACRegister(), MpmACTileRegister(), RegisterModbusParsers(), SCACBSPrintInfo(), SCSigSignatureOrderingModuleCleanup(), SigGroupHeadContainsSigId(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), TagTimeoutCheck(), UTHGenericTest(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().


int SigGroupBuild (DetectEngineCtx *de_ctx)

Convert the signature list into the runtime match structure.

Parameters
de_ctx — Pointer to the Detection Engine Context whose Signatures have to be processed
Return values
0 — on success
-1 — on failure

Definition at line 1876 of file detect-engine-build.c.

References ConfGetInt(), DetectEngineMultiTenantEnabled(), DetectMpmPrepareAppMpms(), DetectMpmPrepareBuiltinMpms(), DetectMpmPreparePktMpms(), DetectSetFastPatternAndItsId(), Signature_::next, Signature_::num, DetectEngineCtx_::profile_match_logging_threshold, SC_ERR_DETECT_PREPARE, SCLogError, SCProfilingKeywordInitCounters(), SCProfilingPrefilterInitCounters(), SCProfilingRuleInitCounters(), DetectEngineCtx_::sig_list, SigAddressPrepareStage1(), SigAddressPrepareStage2(), SigAddressPrepareStage3(), SigAddressPrepareStage4(), DetectEngineCtx_::signum, and VarNameStoreActivateStaging().

Referenced by AlertFastLogInitCtx(), DetectAckRegister(), DetectAppLayerProtocolRegister(), DetectBase64DecodeDoMatch(), DetectBypassRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectFastPatternRegister(), DetectFlowFree(), DetectFlowintFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectHostbitFree(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectPcrePayloadMatch(), DetectProtoContainsProto(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSetupParseRegexes(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTransformDotPrefixRegister(), DetectTransformStripWhitespaceRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), DetectXbitFree(), HtpConfigRestoreBackup(), MpmACRegister(), MpmACTileRegister(), RegisterModbusParsers(), SCACBSPrintInfo(), SCThresholdConfParseFile(), SigGroupHeadContainsSigId(), SigLoadSignatures(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), TagTimeoutCheck(), UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().


int SigGroupCleanup (DetectEngineCtx *de_ctx)

Definition at line 1947 of file detect-engine-build.c.

References SigAddressCleanupStage1().

Referenced by ActionInitConfig(), AlertFastLogInitCtx(), DetectAckRegister(), DetectBase64DataDoMatch(), DetectBase64DecodeDoMatch(), DetectByteExtractRetrieveSMVar(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineCtxFree(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectFastPatternRegister(), DetectFilesizeRegister(), DetectFlowFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectHostbitFree(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectIsdataatFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectModbusRegister(), DetectPcrePayloadMatch(), DetectPktDataRegister(), DetectProtoContainsProto(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSeqRegister(), DetectSetupParseRegexes(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), MpmACRegister(), MpmACTileRegister(), RegisterModbusParsers(), SCACBSPrintInfo(), SCSigSignatureOrderingModuleCleanup(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), TagTimeoutCheck(), UTHGenericTest(), UTHMatchPackets(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().


int SignatureIsFilemagicInspecting (const Signature *s)

Check if a signature contains the filemagic keyword.

Parameters
s — signature
Return values
0 — no
1 — yes

Definition at line 103 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_MAGIC.

Referenced by SigGroupHeadSetFilemagicFlag().


int SignatureIsFileMd5Inspecting (const Signature *s)

Check if a signature contains the filemd5 keyword.

Parameters
s — signature
Return values
0 — no
1 — yes

Definition at line 122 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_MD5.

Referenced by SigGroupHeadSetFileHashFlag().


int SignatureIsFileSha1Inspecting (const Signature *s)

Check if a signature contains the filesha1 keyword.

Parameters
s — signature
Return values
0 — no
1 — yes

Definition at line 138 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_SHA1.

Referenced by SigGroupHeadSetFileHashFlag().


int SignatureIsFileSha256Inspecting (const Signature *s)

Check if a signature contains the filesha256 keyword.

Parameters
s — signature
Return values
0 — no
1 — yes

Definition at line 154 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_SHA256.

Referenced by SigGroupHeadSetFileHashFlag().


int SignatureIsFilesizeInspecting (const Signature *s)

Check if a signature contains the filesize keyword.

Parameters
s — signature
Return values
0 — no
1 — yes

Definition at line 170 of file detect-engine-build.c.

References Signature_::file_flags, and FILE_SIG_NEED_SIZE.

Referenced by SigGroupHeadSetFilesizeFlag().


int SignatureIsFilestoring (const Signature *s)

Check if a signature contains the filestore keyword.

Parameters
s — signature
Return values
0 — no
1 — yes

Definition at line 84 of file detect-engine-build.c.

References Signature_::flags, and SIG_FLAG_FILESTORE.

Referenced by SigGroupHeadSetFilestoreCount().


void SignatureSetType (DetectEngineCtx *de_ctx,
Signature *s)

Definition at line 1263 of file detect-engine-build.c.

References Signature_::flags, Signature_::init_data, SignatureInitData_::init_flags, SIG_FLAG_INIT_DEONLY, SIG_FLAG_IPONLY, SIG_FLAG_PDONLY, and SignatureIsIPOnly().

Referenced by SigMatchList2DataArray().

