#include "suricata.h"
#include "suricata-common.h"
#include "app-layer-protos.h"
#include "decode.h"
#include "detect.h"
#include "detect-engine.h"
#include "detect-engine-siggroup.h"
#include "detect-engine-mpm.h"
#include "detect-engine-iponly.h"
#include "detect-parse.h"
#include "detect-engine-prefilter.h"
#include "util-mpm.h"
#include "util-memcmp.h"
#include "util-memcpy.h"
#include "conf.h"
#include "detect-fast-pattern.h"
#include "detect-tcphdr.h"
#include "detect-udphdr.h"
#include "flow.h"
#include "flow-var.h"
#include "detect-flow.h"
#include "detect-content.h"
#include "detect-engine-payload.h"
#include "detect-engine-dns.h"
#include "stream.h"
#include "util-misc.h"
#include "util-enum.h"
#include "util-debug.h"
#include "util-print.h"
#include "util-validate.h"

Include dependency graph for detect-engine-mpm.c:

Data Structures
struct	DetectFPAndItsId_

Macros
#define	SGH_PROTO(sgh, p) ((sgh)->init->protos[(p)] == 1)

#define	SGH_DIRECTION_TS(sgh) ((sgh)->init->direction & SIG_FLAG_TOSERVER)

#define	SGH_DIRECTION_TC(sgh) ((sgh)->init->direction & SIG_FLAG_TOCLIENT)

Typedefs
typedef struct DetectFPAndItsId_	DetectFPAndItsId

Functions
void	DetectAppLayerMpmRegister2 (const char name, int direction, int priority, int(PrefilterRegister)(DetectEngineCtx de_ctx, SigGroupHead sgh, MpmCtx mpm_ctx, const DetectBufferMpmRegistery mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
	register a MPM engine More...

void	DetectAppLayerMpmRegisterByParentId (DetectEngineCtx de_ctx, const int id, const int parent_id, DetectEngineTransforms transforms)
	copy a mpm engine from parent_id, add in transforms More...

void	DetectMpmInitializeAppMpms (DetectEngineCtx *de_ctx)

int	DetectMpmPrepareAppMpms (DetectEngineCtx *de_ctx)
	initialize mpm contexts for applayer buffers that are in "single or "shared" mode. More...

void	DetectPktMpmRegister (const char name, int priority, int(PrefilterRegister)(DetectEngineCtx de_ctx, SigGroupHead sgh, MpmCtx mpm_ctx, const DetectBufferMpmRegistery mpm_reg, int list_id), InspectionBufferGetPktDataPtr GetData)
	register a MPM engine More...

void	DetectPktMpmRegisterByParentId (DetectEngineCtx de_ctx, const int id, const int parent_id, DetectEngineTransforms transforms)
	copy a mpm engine from parent_id, add in transforms More...

void	DetectMpmInitializePktMpms (DetectEngineCtx *de_ctx)

int	DetectMpmPreparePktMpms (DetectEngineCtx *de_ctx)
	initialize mpm contexts for applayer buffers that are in "single or "shared" mode. More...

void	DetectMpmInitializeBuiltinMpms (DetectEngineCtx *de_ctx)

int	DetectMpmPrepareBuiltinMpms (DetectEngineCtx *de_ctx)
	initialize mpm contexts for builtin buffers that are in "single or "shared" mode. More...

int	SignatureHasPacketContent (const Signature *s)
	check if a signature has patterns that are to be inspected against a packets payload (as opposed to the stream payload) More...

int	SignatureHasStreamContent (const Signature *s)
	check if a signature has patterns that are to be inspected against the stream payload (as opposed to the individual packets payload(s)) More...

uint16_t	PatternMatchDefaultMatcher (void)
	Function to return the multi pattern matcher algorithm to be used by the engine, based on the mpm-algo setting in yaml Use the default mpm if none is specified in the yaml file. More...

void	PacketPatternCleanup (DetectEngineThreadCtx *det_ctx)
	cleans up the mpm instance after a match More...

void	PatternMatchDestroy (MpmCtx *mpm_ctx, uint16_t mpm_matcher)

void	PatternMatchThreadPrint (MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher)

void	PatternMatchThreadDestroy (MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher)

void	PatternMatchThreadPrepare (MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher)

uint32_t	PatternStrength (uint8_t *pat, uint16_t patlen)
	Predict a strength value for patterns. More...

void	RetrieveFPForSig (const DetectEngineCtx de_ctx, Signature s)

int	MpmStoreInit (DetectEngineCtx *de_ctx)
	Initializes the MpmStore mpm hash table to be used by the detection engine context. More...

void	MpmStoreReportStats (const DetectEngineCtx *de_ctx)

void	MpmStoreFree (DetectEngineCtx *de_ctx)
	Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by MpmStoreInit() function. More...

MpmStore *	MpmStorePrepareBuffer (DetectEngineCtx de_ctx, SigGroupHead sgh, enum MpmBuiltinBuffers buf)
	Get MpmStore for a built-in buffer type. More...

int	PatternMatchPrepareGroup (DetectEngineCtx de_ctx, SigGroupHead sh)
	Prepare the pattern matcher ctx in a sig group head. More...

int	DetectSetFastPatternAndItsId (DetectEngineCtx *de_ctx)
	Figured out the FP and their respective content ids for all the sigs in the engine. More...

Variables
const char *	builtin_mpms []

Detailed Description

Author: Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t; Anoop Saldanha anoop.nosp@m.sald.nosp@m.anha@.nosp@m.gmai.nosp@m.l.com

Multi pattern matcher

Definition in file detect-engine-mpm.c.

Macro Definition Documentation

#define SGH_DIRECTION_TC ( sgh ) ((sgh)->init->direction & SIG_FLAG_TOCLIENT)

Definition at line 770 of file detect-engine-mpm.c.

Referenced by MpmStorePrepareBuffer(), and PatternMatchPrepareGroup().

#define SGH_DIRECTION_TS ( sgh ) ((sgh)->init->direction & SIG_FLAG_TOSERVER)

Definition at line 769 of file detect-engine-mpm.c.

Referenced by MpmStorePrepareBuffer(), and PatternMatchPrepareGroup().

#define SGH_PROTO	(	sgh,
		p
	)	((sgh)->init->protos[(p)] == 1)

Definition at line 768 of file detect-engine-mpm.c.

Referenced by PatternMatchPrepareGroup().

Typedef Documentation

typedef struct DetectFPAndItsId_ DetectFPAndItsId

Function Documentation

void DetectAppLayerMpmRegister2	(	const char *	name,
		int	direction,
		int	priority,
		int()(DetectEngineCtx de_ctx, SigGroupHead sgh, MpmCtx mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)	PrefilterRegister,
		InspectionBufferGetDataPtr	GetData,
		AppProto	alproto,
		int	tx_min_progress
	)

register a MPM engine

register an app layer keyword for mpm

Note: to be used at start up / registration only. Errors are fatal.

Definition at line 89 of file detect-engine-mpm.c.

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectAppLayerMpmRegisterByParentId	(	DetectEngineCtx *	de_ctx,
		const int	id,
		const int	parent_id,
		DetectEngineTransforms *	transforms
	)

copy a mpm engine from parent_id, add in transforms

Definition at line 144 of file detect-engine-mpm.c.

Referenced by DetectBufferTypeGetByIdTransforms().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectMpmInitializeAppMpms ( DetectEngineCtx * de_ctx )

Definition at line 208 of file detect-engine-mpm.c.

References DetectEngineCtx_::app_mpms_list, DetectEngineCtx_::app_mpms_list_cnt, BUG_ON, ConfGetBool(), DE_QUIET, DETECT_BUFFER_MPM_TYPE_APP, ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE, DetectEngineCtx_::flags, MPM_CTX_FACTORY_UNIQUE_CONTEXT, MpmFactoryRegisterMpmCtxProfile(), DetectBufferMpmRegistery_::name, DetectBufferMpmRegistery_::next, SCCalloc, SCLogDebug, SCLogPerf, DetectBufferMpmRegistery_::sgh_mpm_context, DetectEngineCtx_::sgh_mpm_context, and strlcat().

Referenced by InspectionBufferApplyTransforms().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectMpmInitializeBuiltinMpms ( DetectEngineCtx * de_ctx )

Definition at line 475 of file detect-engine-mpm.c.

References DetectEngineCtx_::sgh_mpm_context_proto_other_packet, DetectEngineCtx_::sgh_mpm_context_proto_tcp_packet, DetectEngineCtx_::sgh_mpm_context_proto_udp_packet, and DetectEngineCtx_::sgh_mpm_context_stream.

Referenced by PacketCreateMask().

Here is the caller graph for this function:

void DetectMpmInitializePktMpms ( DetectEngineCtx * de_ctx )

Definition at line 374 of file detect-engine-mpm.c.

References BUG_ON, ConfGetBool(), DE_QUIET, DETECT_BUFFER_MPM_TYPE_PKT, ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE, DetectEngineCtx_::flags, MPM_CTX_FACTORY_UNIQUE_CONTEXT, MpmFactoryRegisterMpmCtxProfile(), DetectBufferMpmRegistery_::name, DetectBufferMpmRegistery_::next, DetectEngineCtx_::pkt_mpms_list, DetectEngineCtx_::pkt_mpms_list_cnt, SCCalloc, SCLogDebug, SCLogPerf, DetectBufferMpmRegistery_::sgh_mpm_context, DetectEngineCtx_::sgh_mpm_context, and strlcat().

Referenced by InspectionBufferApplyTransforms().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectMpmPrepareAppMpms ( DetectEngineCtx * de_ctx )

initialize mpm contexts for applayer buffers that are in "single or "shared" mode.

Definition at line 262 of file detect-engine-mpm.c.

References DetectEngineCtx_::app_mpms_list, DetectBufferMpmRegistery_::direction, MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_matcher, mpm_table, MpmFactoryGetMpmCtxForProfile(), DetectBufferMpmRegistery_::next, MpmTableElmt_::Prepare, DetectBufferMpmRegistery_::sgh_mpm_context, and SIG_FLAG_TOSERVER.

Referenced by SigGroupBuild().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectMpmPrepareBuiltinMpms ( DetectEngineCtx * de_ctx )

initialize mpm contexts for builtin buffers that are in "single or "shared" mode.

Definition at line 488 of file detect-engine-mpm.c.

References MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_matcher, mpm_table, MpmFactoryGetMpmCtxForProfile(), MpmTableElmt_::Prepare, DetectEngineCtx_::sgh_mpm_context_proto_other_packet, DetectEngineCtx_::sgh_mpm_context_proto_tcp_packet, DetectEngineCtx_::sgh_mpm_context_proto_udp_packet, and DetectEngineCtx_::sgh_mpm_context_stream.

Referenced by SigGroupBuild().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectMpmPreparePktMpms ( DetectEngineCtx * de_ctx )

initialize mpm contexts for applayer buffers that are in "single or "shared" mode.

Definition at line 429 of file detect-engine-mpm.c.

References ConfGetBool(), ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE, MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_matcher, mpm_table, MpmFactoryGetMpmCtxForProfile(), MpmFactoryRegisterMpmCtxProfile(), DetectBufferMpmRegistery_::name, DetectBufferMpmRegistery_::next, DetectEngineCtx_::pkt_mpms_list, MpmTableElmt_::Prepare, SCLogDebug, SCLogPerf, DetectBufferMpmRegistery_::sgh_mpm_context, DetectEngineCtx_::sgh_mpm_context, and strlcat().

Referenced by SigGroupBuild().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectPktMpmRegister	(	const char *	name,
		int	priority,
		int()(DetectEngineCtx de_ctx, SigGroupHead sgh, MpmCtx mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)	PrefilterRegister,
		InspectionBufferGetPktDataPtr	GetData
	)

register a MPM engine

Note: to be used at start up / registration only. Errors are fatal.

Definition at line 287 of file detect-engine-mpm.c.

Referenced by DetectIpv4hdrRegister(), DetectIpv6hdrRegister(), DetectTcphdrRegister(), and DetectUdphdrRegister().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectPktMpmRegisterByParentId	(	DetectEngineCtx *	de_ctx,
		const int	id,
		const int	parent_id,
		DetectEngineTransforms *	transforms
	)

copy a mpm engine from parent_id, add in transforms

Definition at line 338 of file detect-engine-mpm.c.

Referenced by DetectBufferTypeGetByIdTransforms().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectSetFastPatternAndItsId ( DetectEngineCtx * de_ctx )

Figured out the FP and their respective content ids for all the sigs in the engine.

Parameters

de_ctx Detection engine context.

Return values

0	On success.
-1	On failure.

Definition at line 1728 of file detect-engine-mpm.c.

References BUG_ON, DetectContentData_::content, DetectFPAndItsId_::content, DetectContentData_::content_len, DetectFPAndItsId_::content_len, SigMatch_::ctx, DETECT_CONTENT_FAST_PATTERN_CHOP, DETECT_CONTENT_NOCASE, DetectContentData_::flags, Signature_::flags, DetectFPAndItsId_::flags, DetectContentData_::fp_chop_len, DetectContentData_::fp_chop_offset, DetectContentData_::id, DetectFPAndItsId_::id, Signature_::init_data, DetectEngineCtx_::max_fp_id, SignatureInitData_::mpm_sm, Signature_::next, PatIntId, RetrieveFPForSig(), SCFree, SCMalloc, SCMemcmp, SIG_FLAG_PREFILTER, DetectEngineCtx_::sig_list, SigMatchListSMBelongsTo(), DetectFPAndItsId_::sm_list, and unlikely.

Referenced by SigGroupBuild().

Here is the call graph for this function:

Here is the caller graph for this function:

void MpmStoreFree ( DetectEngineCtx * de_ctx )

Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by MpmStoreInit() function.

Parameters

de_ctx Pointer to the detection engine context.

Definition at line 1178 of file detect-engine-mpm.c.

References MpmStore_::buffer, BUG_ON, SigMatch_::ctx, DETECT_CONTENT_FAST_PATTERN_CHOP, DETECT_CONTENT_MPM_IS_CONCLUSIVE, DETECT_CONTENT_NEGATED, DETECT_SM_LIST_PMATCH, MpmStore_::direction, DetectContentData_::flags, Signature_::flags, HashListTableFree(), Signature_::id, Signature_::init_data, MpmStore_::mpm_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_hash_table, DetectEngineCtx_::mpm_matcher, SignatureInitData_::mpm_sm, mpm_table, MpmCtx_::mpm_type, MPMB_MAX, MPMB_OTHERIP, MPMB_TCP_PKT_TC, MPMB_TCP_PKT_TS, MPMB_TCP_STREAM_TC, MPMB_TCP_STREAM_TS, MPMB_UDP_TC, MPMB_UDP_TS, MpmFactoryGetMpmCtxForProfile(), MpmFactoryReClaimMpmCtx(), MpmInitCtx(), MpmCtx_::pattern_cnt, MpmTableElmt_::Prepare, SCLogDebug, MpmStore_::sgh_mpm_context, MpmStore_::sid_array, MpmStore_::sid_array_size, DetectEngineCtx_::sig_array, SIG_FLAG_TOSERVER, SigMatchListSMBelongsTo(), and MpmStore_::sm_list.

Referenced by DetectEngineCtxFree().

Here is the call graph for this function:

Here is the caller graph for this function:

int MpmStoreInit ( DetectEngineCtx * de_ctx )

Initializes the MpmStore mpm hash table to be used by the detection engine context.

Parameters

de_ctx Pointer to the detection engine context.

Return values

0	On success.
-1	On failure.

Definition at line 1031 of file detect-engine-mpm.c.

References DetectEngineCtx_::app_mpms_list, DetectBufferMpmRegistery_::direction, MpmStore_::direction, HashListTableAdd(), HashListTableInit(), HashListTableLookup(), DetectEngineCtx_::mpm_hash_table, DetectBufferMpmRegistery_::next, DetectEngineCtx_::pkt_mpms_list, DetectBufferMpmRegistery_::sm_list, and MpmStore_::sm_list.

Referenced by DetectEngineInspectPktBufferGeneric().

Here is the call graph for this function:

Here is the caller graph for this function:

MpmStore* MpmStorePrepareBuffer	(	DetectEngineCtx *	de_ctx,
		SigGroupHead *	sgh,
		enum MpmBuiltinBuffers	buf
	)

Get MpmStore for a built-in buffer type.

Definition at line 1285 of file detect-engine-mpm.c.

References SigGroupHeadInitData_::app_mpms, DetectEngineCtx_::app_mpms_list, DetectEngineCtx_::app_mpms_list_cnt, MpmStore_::buffer, BUG_ON, DETECT_SM_LIST_PMATCH, DetectEngineGetMaxSigId, DetectBufferMpmRegistery_::direction, MpmStore_::direction, Signature_::flags, SigGroupHead_::flags, DetectBufferMpmRegistery_::id, SigGroupHead_::init, Signature_::init_data, SigGroupHead_::match_array, MpmStore_::mpm_ctx, SignatureInitData_::mpm_sm, MPMB_MAX, MPMB_OTHERIP, MPMB_TCP_PKT_TC, MPMB_TCP_PKT_TS, MPMB_TCP_STREAM_TC, MPMB_TCP_STREAM_TS, MPMB_UDP_TC, MPMB_UDP_TS, DetectBufferMpmRegistery_::name, DetectBufferMpmRegistery_::next, Signature_::num, SigGroupHeadInitData_::pkt_mpms, DetectEngineCtx_::pkt_mpms_list, DetectEngineCtx_::pkt_mpms_list_cnt, DetectBufferMpmRegistery_::PrefilterRegisterWithListId, SCCalloc, SCFree, SCLogDebug, SGH_DIRECTION_TC, SGH_DIRECTION_TS, DetectBufferMpmRegistery_::sgh_mpm_context, MpmStore_::sgh_mpm_context, DetectEngineCtx_::sgh_mpm_context_proto_other_packet, DetectEngineCtx_::sgh_mpm_context_proto_tcp_packet, DetectEngineCtx_::sgh_mpm_context_proto_udp_packet, DetectEngineCtx_::sgh_mpm_context_stream, MpmStore_::sid_array, MpmStore_::sid_array_size, SigGroupHead_::sig_cnt, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SIG_GROUP_HEAD_HAVERAWSTREAM, SigMatchListSMBelongsTo(), SignatureHasPacketContent(), SignatureHasStreamContent(), DetectBufferMpmRegistery_::sm_list, and MpmStore_::sm_list.

Referenced by PatternMatchPrepareGroup().

Here is the call graph for this function:

Here is the caller graph for this function:

void MpmStoreReportStats ( const DetectEngineCtx * de_ctx )

Definition at line 1097 of file detect-engine-mpm.c.

References DetectEngineCtx_::app_mpms_list, DetectBufferMpmRegistery_::app_v2, AppProtoToString(), MpmStore_::buffer, DetectEngineCtx_::buffer_type_map_elements, builtin_mpms, DE_QUIET, DETECT_BUFFER_MPM_TYPE_APP, DETECT_BUFFER_MPM_TYPE_PKT, DETECT_BUFFER_MPM_TYPE_SIZE, DETECT_SM_LIST_PMATCH, DetectBufferMpmRegistery_::direction, DetectEngineCtx_::flags, HashListTableGetListData, HashListTableGetListHead(), HashListTableGetListNext, MpmCtx_::maxlen, MpmCtx_::minlen, MpmStore_::mpm_ctx, DetectEngineCtx_::mpm_hash_table, MPMB_MAX, DetectBufferMpmRegistery_::name, DetectBufferMpmRegistery_::next, MpmCtx_::pattern_cnt, DetectEngineCtx_::pkt_mpms_list, SCLogDebug, SCLogPerf, SIG_FLAG_TOSERVER, DetectBufferMpmRegistery_::sm_list, MpmStore_::sm_list, and DetectBufferMpmRegistery_::type.

Referenced by SigAddressPrepareStage4().

Here is the call graph for this function:

Here is the caller graph for this function:

void PacketPatternCleanup ( DetectEngineThreadCtx * det_ctx )

cleans up the mpm instance after a match

Definition at line 656 of file detect-engine-mpm.c.

References DetectEngineThreadCtx_::pmq, and PmqReset().

Referenced by SigMatchSignaturesGetSgh().

Here is the call graph for this function:

Here is the caller graph for this function:

uint16_t PatternMatchDefaultMatcher ( void )

Function to return the multi pattern matcher algorithm to be used by the engine, based on the mpm-algo setting in yaml Use the default mpm if none is specified in the yaml file.

Return values

mpm	algo value

Definition at line 615 of file detect-engine-mpm.c.

References ConfGet(), mpm_default_matcher, mpm_table, MPM_TABLE_SIZE, SC_ERR_INVALID_YAML_CONF_ENTRY, and SCLogError.

Referenced by AppLayerProtoDetectSetup(), and DetectEngineInspectPktBufferGeneric().

Here is the call graph for this function:

Here is the caller graph for this function:

void PatternMatchDestroy	(	MpmCtx *	mpm_ctx,
		uint16_t	mpm_matcher
	)

Definition at line 661 of file detect-engine-mpm.c.

References MpmTableElmt_::DestroyCtx, mpm_table, and SCLogDebug.

int PatternMatchPrepareGroup	(	DetectEngineCtx *	de_ctx,
		SigGroupHead *	sh
	)

Prepare the pattern matcher ctx in a sig group head.

Definition at line 1655 of file detect-engine-mpm.c.

References MpmStore_::mpm_ctx, MPMB_OTHERIP, MPMB_TCP_PKT_TC, MPMB_TCP_PKT_TS, MPMB_TCP_STREAM_TC, MPMB_TCP_STREAM_TS, MPMB_UDP_TC, MPMB_UDP_TS, MpmStorePrepareBuffer(), PrefilterPktPayloadRegister(), PrefilterPktStreamRegister(), SGH_DIRECTION_TC, SGH_DIRECTION_TS, and SGH_PROTO.

Referenced by PrefilterSetupRuleGroup().

Here is the call graph for this function:

Here is the caller graph for this function:

void PatternMatchThreadDestroy	(	MpmThreadCtx *	mpm_thread_ctx,
		uint16_t	mpm_matcher
	)

Definition at line 672 of file detect-engine-mpm.c.

References MpmTableElmt_::DestroyThreadCtx, mpm_table, and SCLogDebug.

Referenced by DetectEngineThreadCtxInit().

Here is the caller graph for this function:

void PatternMatchThreadPrepare	(	MpmThreadCtx *	mpm_thread_ctx,
		uint16_t	mpm_matcher
	)

Definition at line 678 of file detect-engine-mpm.c.

References MpmInitThreadCtx(), and SCLogDebug.

Referenced by DetectEngineResetMaxSigId().

Here is the call graph for this function:

Here is the caller graph for this function:

void PatternMatchThreadPrint	(	MpmThreadCtx *	mpm_thread_ctx,
		uint16_t	mpm_matcher
	)

Definition at line 667 of file detect-engine-mpm.c.

References SCLogDebug.

Referenced by DetectEngineThreadCtxInfo().

Here is the caller graph for this function:

uint32_t PatternStrength	(	uint8_t *	pat,
		uint16_t	patlen
	)

Predict a strength value for patterns.

Patterns with high character diversity score higher. Alpha chars score not so high Other printable + a few common codes a little higher Everything else highest. Longer patterns score better than short patters.

Parameters

pat	pattern
patlen	length of the patternn

Return values

s	pattern score

Definition at line 697 of file detect-engine-mpm.c.

References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DETECT_CONTENT_NOCASE, DetectContentData_::flags, flags, DetectContentData_::fp_chop_len, DetectContentData_::fp_chop_offset, DetectContentData_::id, MPM_PATTERN_CTX_OWNS_ID, MpmAddPatternCI(), MpmAddPatternCS(), Signature_::num, and DetectContentData_::offset.

Referenced by PacketCreateMask().

Here is the call graph for this function:

Here is the caller graph for this function:

void RetrieveFPForSig	(	const DetectEngineCtx *	de_ctx,
		Signature *	s
	)

Definition at line 835 of file detect-engine-mpm.c.

References HashListTable_::array_size, MpmStore_::buffer, BUG_ON, DetectContentData_::content_len, MpmTableElmt_::DestroyCtx, DETECT_CONTENT, DETECT_CONTENT_FAST_PATTERN, DETECT_CONTENT_NEGATED, MpmStore_::direction, FastPatternSupportEnabledForSigMatchList(), MpmCtx_::flags, DetectContentData_::flags, Signature_::init_data, SCFPSupportSMList_::list_id, MpmStore_::mpm_ctx, SignatureInitData_::mpm_sm, mpm_table, MpmCtx_::mpm_type, MPMCTX_FLAGS_GLOBAL, SCFPSupportSMList_::next, SigMatch_::next, SCFPSupportSMList_::priority, SCFree, SCLogDebug, SCMemcmp, MpmStore_::sid_array, MpmStore_::sid_array_size, sm_fp_support_smlist_list, MpmStore_::sm_list, SignatureInitData_::smlists, and SignatureInitData_::smlists_array_size.

Referenced by DetectLoadCompleteSigPath(), and DetectSetFastPatternAndItsId().

Here is the call graph for this function:

Here is the caller graph for this function:

int SignatureHasPacketContent ( const Signature * s )

check if a signature has patterns that are to be inspected against a packets payload (as opposed to the stream payload)

Parameters

s signature

Return values

1	true
0	false

Definition at line 545 of file detect-engine-mpm.c.

References DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, DetectProto_::proto, Signature_::proto, SCEnter, SCLogDebug, SCReturnInt, SIG_FLAG_REQUIRE_PACKET, Signature_::sm_arrays, and SignatureInitData_::smlists.

Referenced by MpmStorePrepareBuffer(), and PerCentEncodingMatch().

Here is the caller graph for this function:

int SignatureHasStreamContent ( const Signature * s )

check if a signature has patterns that are to be inspected against the stream payload (as opposed to the individual packets payload(s))

Parameters

s signature

Return values

1	true
0	false

Definition at line 581 of file detect-engine-mpm.c.

References DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, DetectProto_::proto, Signature_::proto, SCEnter, SCLogDebug, SCReturnInt, SIG_FLAG_REQUIRE_STREAM, Signature_::sm_arrays, and SignatureInitData_::smlists.

Referenced by MpmStorePrepareBuffer(), and PerCentEncodingMatch().

Here is the caller graph for this function:

Variable Documentation

const char* builtin_mpms[]

Initial value:

= {
    "toserver TCP packet",
    "toclient TCP packet",
    "toserver TCP stream",
    "toclient TCP stream",
    "toserver UDP packet",
    "toclient UDP packet",
    "other IP packet",
    NULL }

Definition at line 66 of file detect-engine-mpm.c.

Referenced by MpmStoreReportStats().

Data Structures

Macros

Typedefs

Functions

Variables

Detailed Description

Macro Definition Documentation

Typedef Documentation

Function Documentation

Variable Documentation