suricata
detect-engine-iponly.c File Reference
#include "suricata-common.h"
#include "debug.h"
#include "detect.h"
#include "decode.h"
#include "flow.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-siggroup.h"
#include "detect-engine-address.h"
#include "detect-engine-proto.h"
#include "detect-engine-port.h"
#include "detect-engine-mpm.h"
#include "detect-engine-threshold.h"
#include "detect-engine-iponly.h"
#include "detect-threshold.h"
#include "util-classification-config.h"
#include "util-rule-vars.h"
#include "flow-util.h"
#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-print.h"
#include "util-profiling.h"
#include "util-validate.h"
#include <netinet/in.h>


Functions

void IPOnlyCIDRListFree (IPOnlyCIDRItem *tmphead)
 Frees an IPOnlyCIDRItem list, starting at the node pointed to by tmphead.
 
int IPOnlySigParseAddress (const DetectEngineCtx *de_ctx, Signature *s, const char *addrstr, char flag)
 Parses an address group sent as a character string and updates the IPOnlyCIDRItem lists src and dst of the Signature *s. More...
 
void IPOnlyInit (DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx)
 Setup the IP Only detection engine context. More...
 
void DetectEngineIPOnlyThreadInit (DetectEngineCtx *de_ctx, DetectEngineIPOnlyThreadCtx *io_tctx)
 Setup the IP Only thread detection engine context. More...
 
void IPOnlyPrint (DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx)
 Print stats of the IP Only engine. More...
 
void IPOnlyDeinit (DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx)
 Deinitialize the IP Only detection engine context. More...
 
void DetectEngineIPOnlyThreadDeinit (DetectEngineIPOnlyThreadCtx *io_tctx)
 Deinitialize the IP Only thread detection engine context. More...
 
void IPOnlyMatchPacket (ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineIPOnlyCtx *io_ctx, DetectEngineIPOnlyThreadCtx *io_tctx, Packet *p)
 Match a packet against the IP Only detection engine contexts. More...
 
void IPOnlyPrepare (DetectEngineCtx *de_ctx)
 Build the radix trees from the lists of parsed addresses in CIDR format. The result is four radix trees (src/dst IPv4 and src/dst IPv6) holding SigNumArrays, each with a hierarchical relation of subnets and hosts.
 
void IPOnlyAddSignature (DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx, Signature *s)
 Add a signature to the (sorted) lists of addresses in CIDR format; this step is necessary to build the radix tree with a hierarchical relation between nodes.
 
void IPOnlyRegisterTests (void)
 

Detailed Description

Author
Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t
Pablo Rincon Crespo pablo.nosp@m..rin.nosp@m.con.c.nosp@m.resp.nosp@m.o@gma.nosp@m.il.c.nosp@m.om

Signatures that only inspect IP addresses are processed here. Radix trees are used for the src and dst IPv4 and IPv6 addresses; these trees hold subnet and host information in a hierarchical layout, so a lookup can find the most specific matching network for a given address.

Definition in file detect-engine-iponly.c.

Function Documentation

void DetectEngineIPOnlyThreadDeinit ( DetectEngineIPOnlyThreadCtx *io_tctx)

Deinitialize the IP Only thread detection engine context.

Parameters
io_tctx Pointer to the current ip only thread detection engine context (this is the only parameter; earlier versions of this entry listed de_ctx/io_ctx, which the signature does not take).

Definition at line 939 of file detect-engine-iponly.c.

References SigMatchData_::ctx, DEBUG_VALIDATE_BUG_ON, DETECT_SM_LIST_MATCH, SigTableElmt_::flags, SigMatchData_::is_last, KEYWORD_PROFILING_END, KEYWORD_PROFILING_SET_LIST, KEYWORD_PROFILING_START, SigTableElmt_::Match, SCFree, DetectEngineIPOnlyThreadCtx_::sig_match_array, SIGMATCH_IPONLY_COMPAT, sigmatch_table, Signature_::sm_arrays, and SigMatchData_::type.

Referenced by DetectEngineThreadCtxInit().


void DetectEngineIPOnlyThreadInit ( DetectEngineCtx de_ctx,
DetectEngineIPOnlyThreadCtx io_tctx 
)

Setup the IP Only thread detection engine context.

Parameters
de_ctx Pointer to the current detection engine context
io_tctx Pointer to the current ip only thread detection engine context

Definition at line 876 of file detect-engine-iponly.c.

References DetectEngineCtx_::io_ctx, DetectEngineIPOnlyCtx_::max_idx, SCMalloc, DetectEngineIPOnlyThreadCtx_::sig_match_array, and DetectEngineIPOnlyThreadCtx_::sig_match_size.

Referenced by DetectEngineResetMaxSigId().


void IPOnlyAddSignature ( DetectEngineCtx de_ctx,
DetectEngineIPOnlyCtx io_ctx,
Signature s 
)

Add a signature to the (sorted) lists of addresses in CIDR format; this step is necessary to build the radix tree with a hierarchical relation between nodes.

Parameters
de_ctx Pointer to the current detection engine context
io_ctx Pointer to the current ip only detection engine context
s Pointer to the current signature

ipv4 and ipv6 are mixed, but later we will separate them into different trees

no longer ref to this, it's in the table now

Definition at line 1538 of file detect-engine-iponly.c.

References Signature_::CidrDst, Signature_::CidrSrc, DE_QUIET, DetectEngineCtxFree(), DetectEngineCtxInit(), FAIL_IF, Packet_::flags, Signature_::flags, DetectEngineCtx_::flags, Packet_::flow, FLOW_DESTROY, FLOW_INITIALIZE, FLOW_PKT_TOSERVER, Packet_::flowflags, Flow_::flowvar, head, DetectEngineIPOnlyCtx_::ip_dst, DetectEngineIPOnlyCtx_::ip_src, IPOnlyCIDRListFree(), DetectEngineIPOnlyCtx_::max_idx, Signature_::num, PASS, PKT_HAS_FLOW, SIG_FLAG_IPONLY, DetectEngineIPOnlyCtx_::sig_init_array, SigFree(), SigInit(), SignatureIsIPOnly(), UTHBuildPacket(), UTHBuildPacketIPV6SrcDst(), UTHBuildPacketSrcDst(), UTHFreePackets(), and UTHGenericTest().

Referenced by SigAddressPrepareStage2().



void IPOnlyCIDRListFree ( IPOnlyCIDRItem *tmphead)

Frees an IPOnlyCIDRItem list, starting at the node pointed to by tmphead.

Parameters
tmphead Pointer to the head of the IPOnlyCIDRItem list to free

void IPOnlyDeinit ( DetectEngineCtx de_ctx,
DetectEngineIPOnlyCtx io_ctx 
)

Deinitialize the IP Only detection engine context.

Parameters
de_ctxPointer to the current detection engine
io_ctxPointer to the current ip only detection engine

Definition at line 906 of file detect-engine-iponly.c.

References SCFree, SCRadixReleaseRadixTree(), DetectEngineIPOnlyCtx_::sig_init_array, DetectEngineIPOnlyCtx_::tree_ipv4dst, DetectEngineIPOnlyCtx_::tree_ipv4src, DetectEngineIPOnlyCtx_::tree_ipv6dst, and DetectEngineIPOnlyCtx_::tree_ipv6src.

Referenced by SigAddressCleanupStage1().



void IPOnlyInit ( DetectEngineCtx de_ctx,
DetectEngineIPOnlyCtx io_ctx 
)

Setup the IP Only detection engine context: the four radix trees and the signature init array are created here. The References list below pairs SCMalloc with SCLogError/SC_ERR_FATAL, which suggests an allocation failure during setup is treated as fatal rather than returned to the caller — confirm against the definition at line 849.

Parameters
de_ctxPointer to the current detection engine
io_ctxPointer to the current ip only detection engine

Definition at line 849 of file detect-engine-iponly.c.

References DetectEngineGetMaxSigId, SC_ERR_FATAL, SCLogError, SCMalloc, SCRadixCreateRadixTree(), DetectEngineIPOnlyCtx_::sig_init_array, DetectEngineIPOnlyCtx_::sig_init_size, DetectEngineIPOnlyCtx_::tree_ipv4dst, DetectEngineIPOnlyCtx_::tree_ipv4src, DetectEngineIPOnlyCtx_::tree_ipv6dst, and DetectEngineIPOnlyCtx_::tree_ipv6src.

Referenced by SigAddressPrepareStage2().



void IPOnlyMatchPacket ( ThreadVars tv,
const DetectEngineCtx de_ctx,
DetectEngineThreadCtx det_ctx,
const DetectEngineIPOnlyCtx io_ctx,
DetectEngineIPOnlyThreadCtx io_tctx,
Packet p 
)

Match a packet against the IP Only detection engine contexts. Per the References list below, the match path checks PKT_IS_IPV4/PKT_IS_IPV6 and PKT_IS_FRAGMENT, does best-match lookups in the src and dst radix trees, and can apply signature actions including ACTION_DROP / PACKET_ALERT_FLAG_DROP_FLOW via DetectSignatureApplyActions — so an IP-only rule can drop the whole flow, not just the matching packet. The exact fragment and drop semantics should be confirmed against the definition at line 977.

Parameters
tv Pointer to the current thread vars
de_ctx Pointer to the current detection engine context
det_ctx Pointer to the current detection engine thread context
io_ctx Pointer to the current ip only detection engine context
io_tctx Pointer to the current ip only thread detection engine context
p Pointer to the Packet to match against

Definition at line 977 of file detect-engine-iponly.c.

References Signature_::action, ACTION_DROP, SigNumArray_::array, SigMatchData_::ctx, DETECT_PROTO_IPV4, DETECT_PROTO_IPV6, DETECT_SM_LIST_POSTMATCH, DetectPortLookupGroup(), DetectProtoContainsProto(), DetectSignatureApplyActions(), Packet_::dp, Signature_::dp, Packet_::dst, dst, Address_::family, DetectProto_::flags, Packet_::flags, Signature_::flags, GET_IPV4_DST_ADDR_U32, GET_IPV4_SRC_ADDR_U32, GET_IPV6_DST_ADDR, GET_IPV6_SRC_ADDR, Signature_::id, IP_GET_IPPROTO, SigMatchData_::is_last, KEYWORD_PROFILING_END, KEYWORD_PROFILING_SET_LIST, KEYWORD_PROFILING_START, SigTableElmt_::Match, Signature_::msg, PACKET_ALERT_FLAG_DROP_FLOW, PacketAlertAppend(), PKT_IS_FRAGMENT, PKT_IS_IPV4, PKT_IS_IPV6, Packet_::proto, Signature_::proto, SCEnter, SCLogDebug, SCRadixFindKeyIPV4BestMatch(), SCRadixFindKeyIPV6BestMatch(), SCReturn, DetectEngineCtx_::sig_array, SIG_FLAG_DP_ANY, SIG_FLAG_NOALERT, SIG_FLAG_SP_ANY, DetectEngineIPOnlyThreadCtx_::sig_match_array, sigmatch_table, SigNumArray_::size, Signature_::sm_arrays, Packet_::sp, Signature_::sp, Packet_::src, src, DetectEngineIPOnlyCtx_::tree_ipv4dst, DetectEngineIPOnlyCtx_::tree_ipv4src, DetectEngineIPOnlyCtx_::tree_ipv6dst, DetectEngineIPOnlyCtx_::tree_ipv6src, and SigMatchData_::type.

Referenced by SigMatchSignaturesGetSgh().



void IPOnlyPrepare ( DetectEngineCtx de_ctx)

Build the radix trees from the lists of parsed addresses in CIDR format. The result is four radix trees (src/dst IPv4 and src/dst IPv6) holding SigNumArrays, each with a hierarchical relation of subnets and hosts. The fragments below are in-body comments extracted from the tree-building loops; per the References list, insertion failures are reported with SC_ERR_IPONLY_RADIX and negated CIDR items (IPOnlyCIDRItem_::negated) are handled by clearing the signature bit rather than setting it.

Parameters
de_ctxPointer to the current detection engine

Not found, look if there's a subnet of this range with bigger netmask

Not found, look if there's a subnet of this range with bigger netmask

Not found, insert a new one

Update the sig

Unset it

Set it

Not found, look if there's a subnet of this range with bigger netmask

Definition at line 1119 of file detect-engine-iponly.c.

References SigNumArray_::array, dst, IPOnlyCIDRItem_::family, DetectEngineCtx_::io_ctx, IPOnlyCIDRItem_::ip, IPOnlyCIDRItem_::negated, IPOnlyCIDRItem_::netmask, IPOnlyCIDRItem_::next, PrintInet(), SC_ERR_IPONLY_RADIX, SCFree, SCLogDebug, SCLogError, SCRadixAddKeyIPV4(), SCRadixAddKeyIPV4Netblock(), SCRadixAddKeyIPV6(), SCRadixAddKeyIPV6Netblock(), SCRadixFindKeyIPV4BestMatch(), SCRadixFindKeyIPV4ExactMatch(), SCRadixFindKeyIPV4Netblock(), SCRadixFindKeyIPV6BestMatch(), SCRadixFindKeyIPV6ExactMatch(), SCRadixFindKeyIPV6Netblock(), IPOnlyCIDRItem_::signum, and src.

Referenced by SigAddressPrepareStage2().



void IPOnlyPrint ( DetectEngineCtx de_ctx,
DetectEngineIPOnlyCtx io_ctx 
)

Print stats of the IP Only engine.

Parameters
de_ctxPointer to the current detection engine
io_ctxPointer to the current ip only detection engine

Definition at line 895 of file detect-engine-iponly.c.

Referenced by SigAddressPrepareStage2().


void IPOnlyRegisterTests ( void  )

Definition at line 2261 of file detect-engine-iponly.c.

References UtRegisterTest().

Referenced by SigRegisterTests().



int IPOnlySigParseAddress ( const DetectEngineCtx de_ctx,
Signature s,
const char *  addrstr,
char  flag 
)

Parses an address group sent as a character string and updates the IPOnlyCIDRItem lists src and dst of the Signature *s.

Parameters
de_ctx Pointer to the current detection engine context
s Pointer to the signature structure whose CidrSrc / CidrDst lists are updated
addrstr Pointer to the character string containing the address group that has to be parsed; this is rule text, so a parse failure is reported (SC_ERR_ADDRESS_ENGINE_GENERIC) rather than silently accepted.
flag Indicates whether addrstr is the src or the dst address string (an "any" group sets SIG_FLAG_SRC_ANY or SIG_FLAG_DST_ANY respectively, per the References list)
Return values
0 On success.
-1 On failure (the address group could not be parsed).

Definition at line 793 of file detect-engine-iponly.c.

References Signature_::CidrDst, Signature_::CidrSrc, Signature_::flags, SC_ERR_ADDRESS_ENGINE_GENERIC, SCLogDebug, SCLogError, SIG_FLAG_DST_ANY, and SIG_FLAG_SRC_ANY.

Referenced by SigMatchList2DataArray().
