#include "suricata.h"#include "suricata-common.h"#include "app-layer-protos.h"#include "decode.h"#include "detect.h"#include "detect-engine.h"#include "detect-engine-siggroup.h"#include "detect-engine-mpm.h"#include "detect-engine-iponly.h"#include "detect-parse.h"#include "detect-engine-prefilter.h"#include "util-mpm.h"#include "util-memcmp.h"#include "util-memcpy.h"#include "conf.h"#include "detect-fast-pattern.h"#include "detect-tcphdr.h"#include "detect-udphdr.h"#include "flow.h"#include "flow-var.h"#include "detect-flow.h"#include "detect-content.h"#include "detect-engine-payload.h"#include "detect-engine-dns.h"#include "stream.h"#include "util-misc.h"#include "util-enum.h"#include "util-debug.h"#include "util-print.h"#include "util-validate.h"
Go to the source code of this file.
Data Structures | |
| struct | DetectFPAndItsId_ |
Macros | |
| #define | SGH_PROTO(sgh, p) ((sgh)->init->protos[(p)] == 1) |
| #define | SGH_DIRECTION_TS(sgh) ((sgh)->init->direction & SIG_FLAG_TOSERVER) |
| #define | SGH_DIRECTION_TC(sgh) ((sgh)->init->direction & SIG_FLAG_TOCLIENT) |
Typedefs | |
| typedef struct DetectFPAndItsId_ | DetectFPAndItsId |
Functions | |
| void | DetectAppLayerMpmRegister2 (const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress) |
| register a MPM engine More... | |
| void | DetectAppLayerMpmRegisterByParentId (DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms) |
| copy a mpm engine from parent_id, add in transforms More... | |
| void | DetectMpmInitializeAppMpms (DetectEngineCtx *de_ctx) |
| int | DetectMpmPrepareAppMpms (DetectEngineCtx *de_ctx) |
| initialize mpm contexts for applayer buffers that are in "single or "shared" mode. More... | |
| void | DetectPktMpmRegister (const char *name, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetPktDataPtr GetData) |
| register a MPM engine More... | |
| void | DetectPktMpmRegisterByParentId (DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms) |
| copy a mpm engine from parent_id, add in transforms More... | |
| void | DetectMpmInitializePktMpms (DetectEngineCtx *de_ctx) |
| int | DetectMpmPreparePktMpms (DetectEngineCtx *de_ctx) |
| initialize mpm contexts for applayer buffers that are in "single or "shared" mode. More... | |
| void | DetectMpmInitializeBuiltinMpms (DetectEngineCtx *de_ctx) |
| int | DetectMpmPrepareBuiltinMpms (DetectEngineCtx *de_ctx) |
| initialize mpm contexts for builtin buffers that are in "single or "shared" mode. More... | |
| int | SignatureHasPacketContent (const Signature *s) |
| check if a signature has patterns that are to be inspected against a packets payload (as opposed to the stream payload) More... | |
| int | SignatureHasStreamContent (const Signature *s) |
| check if a signature has patterns that are to be inspected against the stream payload (as opposed to the individual packets payload(s)) More... | |
| uint16_t | PatternMatchDefaultMatcher (void) |
| Function to return the multi pattern matcher algorithm to be used by the engine, based on the mpm-algo setting in yaml Use the default mpm if none is specified in the yaml file. More... | |
| void | PacketPatternCleanup (DetectEngineThreadCtx *det_ctx) |
| cleans up the mpm instance after a match More... | |
| void | PatternMatchDestroy (MpmCtx *mpm_ctx, uint16_t mpm_matcher) |
| void | PatternMatchThreadPrint (MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher) |
| void | PatternMatchThreadDestroy (MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher) |
| void | PatternMatchThreadPrepare (MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher) |
| uint32_t | PatternStrength (uint8_t *pat, uint16_t patlen) |
| Predict a strength value for patterns. More... | |
| void | RetrieveFPForSig (const DetectEngineCtx *de_ctx, Signature *s) |
| int | MpmStoreInit (DetectEngineCtx *de_ctx) |
| Initializes the MpmStore mpm hash table to be used by the detection engine context. More... | |
| void | MpmStoreReportStats (const DetectEngineCtx *de_ctx) |
| void | MpmStoreFree (DetectEngineCtx *de_ctx) |
| Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by MpmStoreInit() function. More... | |
| MpmStore * | MpmStorePrepareBuffer (DetectEngineCtx *de_ctx, SigGroupHead *sgh, enum MpmBuiltinBuffers buf) |
| Get MpmStore for a built-in buffer type. More... | |
| int | PatternMatchPrepareGroup (DetectEngineCtx *de_ctx, SigGroupHead *sh) |
| Prepare the pattern matcher ctx in a sig group head. More... | |
| int | DetectSetFastPatternAndItsId (DetectEngineCtx *de_ctx) |
| Figured out the FP and their respective content ids for all the sigs in the engine. More... | |
Variables | |
| const char * | builtin_mpms [] |
Detailed Description
Multi pattern matcher
Definition in file detect-engine-mpm.c.
Macro Definition Documentation
◆ SGH_DIRECTION_TC
| #define SGH_DIRECTION_TC | ( | sgh | ) | ((sgh)->init->direction & SIG_FLAG_TOCLIENT) |
Definition at line 777 of file detect-engine-mpm.c.
◆ SGH_DIRECTION_TS
| #define SGH_DIRECTION_TS | ( | sgh | ) | ((sgh)->init->direction & SIG_FLAG_TOSERVER) |
Definition at line 776 of file detect-engine-mpm.c.
◆ SGH_PROTO
| #define SGH_PROTO | ( | sgh, | |
| p | |||
| ) | ((sgh)->init->protos[(p)] == 1) |
Definition at line 775 of file detect-engine-mpm.c.
Typedef Documentation
◆ DetectFPAndItsId
| typedef struct DetectFPAndItsId_ DetectFPAndItsId |
Function Documentation
◆ DetectAppLayerMpmRegister2()
| void DetectAppLayerMpmRegister2 | ( | const char * | name, |
| int | direction, | ||
| int | priority, | ||
| int(*)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id) | PrefilterRegister, | ||
| InspectionBufferGetDataPtr | GetData, | ||
| AppProto | alproto, | ||
| int | tx_min_progress | ||
| ) |
register a MPM engine
register an app layer keyword for mpm
- Note
- to be used at start up / registration only. Errors are fatal.
Definition at line 89 of file detect-engine-mpm.c.
◆ DetectAppLayerMpmRegisterByParentId()
| void DetectAppLayerMpmRegisterByParentId | ( | DetectEngineCtx * | de_ctx, |
| const int | id, | ||
| const int | parent_id, | ||
| DetectEngineTransforms * | transforms | ||
| ) |
copy a mpm engine from parent_id, add in transforms
Definition at line 144 of file detect-engine-mpm.c.
References DetectEngineCtx_::app_mpms_list, DetectEngineCtx_::app_mpms_list_cnt, DetectBufferMpmRegistery_::app_v2, BUG_ON, DetectEngineTransforms::cnt, de_ctx, DETECT_BUFFER_MPM_TYPE_APP, DetectBufferMpmRegistery_::direction, DetectBufferMpmRegistery_::id, DetectBufferMpmRegistery_::name, SigTableElmt_::name, DetectBufferMpmRegistery_::next, DetectBufferMpmRegistery_::pname, DetectBufferMpmRegistery_::PrefilterRegisterWithListId, DetectBufferMpmRegistery_::priority, SCCalloc, SCLogDebug, DetectBufferMpmRegistery_::sgh_mpm_context, ShortenString(), sigmatch_table, DetectBufferMpmRegistery_::sm_list, strlcat(), strlcpy(), SupportFastPatternForSigMatchList(), DetectEngineTransforms::transforms, DetectBufferMpmRegistery_::transforms, and DetectBufferMpmRegistery_::type.
◆ DetectMpmInitializeAppMpms()
| void DetectMpmInitializeAppMpms | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 208 of file detect-engine-mpm.c.
◆ DetectMpmInitializeBuiltinMpms()
| void DetectMpmInitializeBuiltinMpms | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 475 of file detect-engine-mpm.c.
References de_ctx, and DetectEngineCtx_::sgh_mpm_context_proto_tcp_packet.
◆ DetectMpmInitializePktMpms()
| void DetectMpmInitializePktMpms | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 374 of file detect-engine-mpm.c.
◆ DetectMpmPrepareAppMpms()
| int DetectMpmPrepareAppMpms | ( | DetectEngineCtx * | de_ctx | ) |
initialize mpm contexts for applayer buffers that are in "single or "shared" mode.
Definition at line 262 of file detect-engine-mpm.c.
References DetectEngineCtx_::app_mpms_list, de_ctx, DetectBufferMpmRegistery_::direction, MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_matcher, mpm_table, MpmFactoryGetMpmCtxForProfile(), DetectBufferMpmRegistery_::next, MpmTableElmt_::Prepare, DetectBufferMpmRegistery_::sgh_mpm_context, and SIG_FLAG_TOSERVER.
◆ DetectMpmPrepareBuiltinMpms()
| int DetectMpmPrepareBuiltinMpms | ( | DetectEngineCtx * | de_ctx | ) |
initialize mpm contexts for builtin buffers that are in "single or "shared" mode.
Definition at line 488 of file detect-engine-mpm.c.
References de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_matcher, mpm_table, MpmFactoryGetMpmCtxForProfile(), MpmTableElmt_::Prepare, DetectEngineCtx_::sgh_mpm_context_proto_other_packet, DetectEngineCtx_::sgh_mpm_context_proto_tcp_packet, DetectEngineCtx_::sgh_mpm_context_proto_udp_packet, and DetectEngineCtx_::sgh_mpm_context_stream.
◆ DetectMpmPreparePktMpms()
| int DetectMpmPreparePktMpms | ( | DetectEngineCtx * | de_ctx | ) |
initialize mpm contexts for applayer buffers that are in "single or "shared" mode.
Definition at line 429 of file detect-engine-mpm.c.
References de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_matcher, mpm_table, MpmFactoryGetMpmCtxForProfile(), DetectBufferMpmRegistery_::name, DetectBufferMpmRegistery_::next, DetectEngineCtx_::pkt_mpms_list, MpmTableElmt_::Prepare, SCLogDebug, and DetectBufferMpmRegistery_::sgh_mpm_context.
◆ DetectPktMpmRegister()
| void DetectPktMpmRegister | ( | const char * | name, |
| int | priority, | ||
| int(*)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id) | PrefilterRegister, | ||
| InspectionBufferGetPktDataPtr | GetData | ||
| ) |
register a MPM engine
- Note
- to be used at start up / registration only. Errors are fatal.
Definition at line 287 of file detect-engine-mpm.c.
◆ DetectPktMpmRegisterByParentId()
| void DetectPktMpmRegisterByParentId | ( | DetectEngineCtx * | de_ctx, |
| const int | id, | ||
| const int | parent_id, | ||
| DetectEngineTransforms * | transforms | ||
| ) |
copy a mpm engine from parent_id, add in transforms
Definition at line 338 of file detect-engine-mpm.c.
References BUG_ON, de_ctx, DETECT_BUFFER_MPM_TYPE_PKT, DetectBufferMpmRegistery_::id, DetectBufferMpmRegistery_::name, DetectBufferMpmRegistery_::next, DetectEngineCtx_::pkt_mpms_list, DetectEngineCtx_::pkt_mpms_list_cnt, DetectBufferMpmRegistery_::pkt_v1, DetectBufferMpmRegistery_::pname, DetectBufferMpmRegistery_::PrefilterRegisterWithListId, DetectBufferMpmRegistery_::priority, SCCalloc, SCLogDebug, DetectBufferMpmRegistery_::sgh_mpm_context, DetectBufferMpmRegistery_::sm_list, SupportFastPatternForSigMatchList(), DetectBufferMpmRegistery_::transforms, and DetectBufferMpmRegistery_::type.
◆ DetectSetFastPatternAndItsId()
| int DetectSetFastPatternAndItsId | ( | DetectEngineCtx * | de_ctx | ) |
Figured out the FP and their respective content ids for all the sigs in the engine.
- Parameters
-
de_ctx Detection engine context.
- Return values
-
0 On success. -1 On failure.
Definition at line 1735 of file detect-engine-mpm.c.
References BUG_ON, DetectContentData_::content, DetectContentData_::content_len, SigMatch_::ctx, de_ctx, DETECT_CONTENT_FAST_PATTERN_CHOP, DETECT_CONTENT_NOCASE, flags, DetectContentData_::flags, Signature_::flags, DetectContentData_::fp_chop_len, DetectContentData_::fp_chop_offset, Signature_::init_data, SignatureInitData_::mpm_sm, Signature_::next, PatIntId, RetrieveFPForSig(), SCMalloc, SIG_FLAG_PREFILTER, DetectEngineCtx_::sig_list, SigMatchListSMBelongsTo(), and unlikely.
Referenced by SigGroupBuild().
◆ MpmStoreFree()
| void MpmStoreFree | ( | DetectEngineCtx * | de_ctx | ) |
Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by MpmStoreInit() function.
- Parameters
-
de_ctx Pointer to the detection engine context.
Definition at line 1185 of file detect-engine-mpm.c.
References de_ctx, HashListTableFree(), and DetectEngineCtx_::mpm_hash_table.
Referenced by DetectEngineCtxFree().
◆ MpmStoreInit()
| int MpmStoreInit | ( | DetectEngineCtx * | de_ctx | ) |
Initializes the MpmStore mpm hash table to be used by the detection engine context.
- Parameters
-
de_ctx Pointer to the detection engine context.
- Return values
-
0 On success. -1 On failure.
Definition at line 1038 of file detect-engine-mpm.c.
References de_ctx, HashListTableInit(), and DetectEngineCtx_::mpm_hash_table.
◆ MpmStorePrepareBuffer()
| MpmStore* MpmStorePrepareBuffer | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| enum MpmBuiltinBuffers | buf | ||
| ) |
Get MpmStore for a built-in buffer type.
Definition at line 1292 of file detect-engine-mpm.c.
References BUG_ON, de_ctx, DETECT_SM_LIST_PMATCH, DetectEngineGetMaxSigId, Signature_::init_data, SigGroupHead_::match_array, SignatureInitData_::mpm_sm, MPMB_MAX, MPMB_OTHERIP, MPMB_TCP_PKT_TC, MPMB_TCP_PKT_TS, MPMB_TCP_STREAM_TC, MPMB_TCP_STREAM_TS, MPMB_UDP_TC, MPMB_UDP_TS, DetectEngineCtx_::sgh_mpm_context_proto_other_packet, DetectEngineCtx_::sgh_mpm_context_proto_tcp_packet, DetectEngineCtx_::sgh_mpm_context_proto_udp_packet, DetectEngineCtx_::sgh_mpm_context_stream, SigGroupHead_::sig_cnt, SIG_FLAG_TOCLIENT, and SIG_FLAG_TOSERVER.
Referenced by PatternMatchPrepareGroup().
◆ MpmStoreReportStats()
| void MpmStoreReportStats | ( | const DetectEngineCtx * | de_ctx | ) |
Definition at line 1104 of file detect-engine-mpm.c.
References MpmStore_::buffer, DetectEngineCtx_::buffer_type_map_elements, de_ctx, DETECT_SM_LIST_PMATCH, HashListTableGetListData, HashListTableGetListHead(), HashListTableGetListNext, DetectEngineCtx_::mpm_hash_table, MPMB_MAX, and MpmStore_::sm_list.
Referenced by SigAddressPrepareStage4().
◆ PacketPatternCleanup()
| void PacketPatternCleanup | ( | DetectEngineThreadCtx * | det_ctx | ) |
cleans up the mpm instance after a match
Definition at line 656 of file detect-engine-mpm.c.
References DetectEngineThreadCtx_::pmq, and PmqReset().
◆ PatternMatchDefaultMatcher()
| uint16_t PatternMatchDefaultMatcher | ( | void | ) |
Function to return the multi pattern matcher algorithm to be used by the engine, based on the mpm-algo setting in yaml Use the default mpm if none is specified in the yaml file.
- Return values
-
mpm algo value
Definition at line 615 of file detect-engine-mpm.c.
References ConfGet(), mpm_default_matcher, mpm_table, MPM_TABLE_SIZE, SC_ERR_INVALID_YAML_CONF_ENTRY, and SCLogError.
◆ PatternMatchDestroy()
| void PatternMatchDestroy | ( | MpmCtx * | mpm_ctx, |
| uint16_t | mpm_matcher | ||
| ) |
Definition at line 661 of file detect-engine-mpm.c.
References MpmTableElmt_::DestroyCtx, mpm_table, and SCLogDebug.
◆ PatternMatchPrepareGroup()
| int PatternMatchPrepareGroup | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sh | ||
| ) |
Prepare the pattern matcher ctx in a sig group head.
Definition at line 1662 of file detect-engine-mpm.c.
References de_ctx, MpmStore_::mpm_ctx, MPMB_TCP_PKT_TS, MPMB_TCP_STREAM_TS, MpmStorePrepareBuffer(), PrefilterPktPayloadRegister(), PrefilterPktStreamRegister(), SGH_DIRECTION_TS, and SGH_PROTO.
Referenced by PrefilterSetupRuleGroup().
◆ PatternMatchThreadDestroy()
| void PatternMatchThreadDestroy | ( | MpmThreadCtx * | mpm_thread_ctx, |
| uint16_t | mpm_matcher | ||
| ) |
Definition at line 672 of file detect-engine-mpm.c.
References MpmTableElmt_::DestroyThreadCtx, mpm_table, and SCLogDebug.
◆ PatternMatchThreadPrepare()
| void PatternMatchThreadPrepare | ( | MpmThreadCtx * | mpm_thread_ctx, |
| uint16_t | mpm_matcher | ||
| ) |
Definition at line 678 of file detect-engine-mpm.c.
References MpmInitThreadCtx(), and SCLogDebug.
◆ PatternMatchThreadPrint()
| void PatternMatchThreadPrint | ( | MpmThreadCtx * | mpm_thread_ctx, |
| uint16_t | mpm_matcher | ||
| ) |
Definition at line 667 of file detect-engine-mpm.c.
References SCLogDebug.
Referenced by DetectEngineThreadCtxInfo().
◆ PatternStrength()
| uint32_t PatternStrength | ( | uint8_t * | pat, |
| uint16_t | patlen | ||
| ) |
Predict a strength value for patterns.
Patterns with high character diversity score higher. Alpha chars score not so high Other printable + a few common codes a little higher Everything else highest. Longer patterns score better than short patters.
- Parameters
-
pat pattern patlen length of the pattern
- Return values
-
s pattern score
Definition at line 697 of file detect-engine-mpm.c.
◆ RetrieveFPForSig()
| void RetrieveFPForSig | ( | const DetectEngineCtx * | de_ctx, |
| Signature * | s | ||
| ) |
Definition at line 842 of file detect-engine-mpm.c.
References de_ctx, DETECT_CONTENT, DETECT_CONTENT_FAST_PATTERN, FastPatternSupportEnabledForSigMatchList(), DetectContentData_::flags, Signature_::init_data, SignatureInitData_::mpm_sm, SigMatch_::next, SignatureInitData_::smlists, and SignatureInitData_::smlists_array_size.
Referenced by DetectSetFastPatternAndItsId().
◆ SignatureHasPacketContent()
| int SignatureHasPacketContent | ( | const Signature * | s | ) |
check if a signature has patterns that are to be inspected against a packets payload (as opposed to the stream payload)
- Parameters
-
s signature
- Return values
-
1 true 0 false
Definition at line 545 of file detect-engine-mpm.c.
References DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, DetectProto_::proto, Signature_::proto, SCEnter, SCLogDebug, SCReturnInt, SIG_FLAG_REQUIRE_PACKET, Signature_::sm_arrays, and SignatureInitData_::smlists.
◆ SignatureHasStreamContent()
| int SignatureHasStreamContent | ( | const Signature * | s | ) |
check if a signature has patterns that are to be inspected against the stream payload (as opposed to the individual packets payload(s))
- Parameters
-
s signature
- Return values
-
1 true 0 false
Definition at line 581 of file detect-engine-mpm.c.
References DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, DetectProto_::proto, Signature_::proto, SCEnter, SCLogDebug, SCReturnInt, SIG_FLAG_REQUIRE_STREAM, Signature_::sm_arrays, and SignatureInitData_::smlists.
Variable Documentation
◆ builtin_mpms
| const char* builtin_mpms[] |
Definition at line 66 of file detect-engine-mpm.c.
