detect-engine-mpm.h File Reference

#include "tm-threads.h"
#include "detect.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "stream.h"

Include dependency graph for detect-engine-mpm.h:

Go to the source code of this file.

Functions
void	DetectMpmInitializePktMpms (DetectEngineCtx *de_ctx)
int	DetectMpmPreparePktMpms (DetectEngineCtx *de_ctx)
	initialize mpm contexts for applayer buffers that are in "single or "shared" mode. More...
void	DetectMpmInitializeAppMpms (DetectEngineCtx *de_ctx)
int	DetectMpmPrepareAppMpms (DetectEngineCtx *de_ctx)
	initialize mpm contexts for applayer buffers that are in "single or "shared" mode. More...
void	DetectMpmInitializeBuiltinMpms (DetectEngineCtx *de_ctx)
int	DetectMpmPrepareBuiltinMpms (DetectEngineCtx *de_ctx)
	initialize mpm contexts for builtin buffers that are in "single or "shared" mode. More...
uint32_t	PatternStrength (uint8_t *, uint16_t)
	Predict a strength value for patterns. More...
uint16_t	PatternMatchDefaultMatcher (void)
	Function to return the multi pattern matcher algorithm to be used by the engine, based on the mpm-algo setting in yaml Use the default mpm if none is specified in the yaml file. More...
uint32_t	DnsQueryPatternSearch (DetectEngineThreadCtx *det_ctx, uint8_t *buffer, uint32_t buffer_len, uint8_t flags)
void	PacketPatternCleanup (DetectEngineThreadCtx *)
	cleans up the mpm instance after a match More...
void	PatternMatchPrepare (MpmCtx *, uint16_t)
void	PatternMatchThreadPrepare (MpmThreadCtx *, uint16_t type)
void	PatternMatchDestroy (MpmCtx *, uint16_t)
void	PatternMatchThreadDestroy (MpmThreadCtx *mpm_thread_ctx, uint16_t)
void	PatternMatchThreadPrint (MpmThreadCtx *, uint16_t)
int	PatternMatchPrepareGroup (DetectEngineCtx *, SigGroupHead *)
	Prepare the pattern matcher ctx in a sig group head. More...
void	DetectEngineThreadCtxInfo (ThreadVars *, DetectEngineThreadCtx *)
TmEcode	DetectEngineThreadCtxInit (ThreadVars *, void *, void **)
	initialize thread specific detection engine context More...
TmEcode	DetectEngineThreadCtxDeinit (ThreadVars *, void *)
int	SignatureHasPacketContent (const Signature *)
	check if a signature has patterns that are to be inspected against a packets payload (as opposed to the stream payload) More...
int	SignatureHasStreamContent (const Signature *)
	check if a signature has patterns that are to be inspected against the stream payload (as opposed to the individual packets payload(s)) More...
void	RetrieveFPForSig (const DetectEngineCtx *de_ctx, Signature *s)
int	MpmStoreInit (DetectEngineCtx *)
	Initializes the MpmStore mpm hash table to be used by the detection engine context. More...
void	MpmStoreFree (DetectEngineCtx *)
	Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by MpmStoreInit() function. More...
void	MpmStoreReportStats (const DetectEngineCtx *de_ctx)
MpmStore *	MpmStorePrepareBuffer (DetectEngineCtx *de_ctx, SigGroupHead *sgh, enum MpmBuiltinBuffers buf)
	Get MpmStore for a built-in buffer type. More...
int	DetectSetFastPatternAndItsId (DetectEngineCtx *de_ctx)
	Figured out the FP and their respective content ids for all the sigs in the engine. More...
void	DetectAppLayerMpmRegister2 (const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
	register an app layer keyword for mpm More...
void	DetectAppLayerMpmRegisterByParentId (DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
	copy a mpm engine from parent_id, add in transforms More...
void	DetectPktMpmRegister (const char *name, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetPktDataPtr GetData)
	register a MPM engine More...
void	DetectPktMpmRegisterByParentId (DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
	copy a mpm engine from parent_id, add in transforms More...
int	PrefilterGenericMpmPktRegister (DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)

Detailed Description

Author

Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Definition in file detect-engine-mpm.h.

Function Documentation

void DetectAppLayerMpmRegister2	(	const char *	name,
		int	direction,
		int	priority,
		int(*)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)	PrefilterRegister,
		InspectionBufferGetDataPtr	GetData,
		AppProto	alproto,
		int	tx_min_progress
	)

register an app layer keyword for mpm

Parameters

name	buffer name
direction	SIG_FLAG_TOSERVER or SIG_FLAG_TOCLIENT
priority	mpm keyword priority
PrefilterRegister	Prefilter api registration function
GetData	callback to setup a InspectBuffer. May be NULL.
alproto	AppProto this MPM engine inspects
tx_min_progress	min tx progress needed to invoke this engine.

Note

direction must be set to either toserver or toclient. If both are needed, register the keyword twice.

register an app layer keyword for mpm

Note

to be used at start up / registration only. Errors are fatal.

Definition at line 89 of file detect-engine-mpm.c.

References DetectBufferMpmRegistery_::app_v2, BUG_ON, DETECT_BUFFER_MPM_TYPE_APP, DetectBufferTypeGetByName(), DetectBufferTypeSupportsMpm(), DetectBufferTypeSupportsTransformations(), DetectBufferMpmRegistery_::direction, FatalError, DetectBufferMpmRegistery_::id, DetectBufferMpmRegistery_::name, DetectBufferMpmRegistery_::next, DetectBufferMpmRegistery_::pname, PrefilterGenericMpmRegister(), DetectBufferMpmRegistery_::PrefilterRegisterWithListId, DetectBufferMpmRegistery_::priority, SC_ERR_INITIALIZATION, SCCalloc, SCLogDebug, DetectBufferMpmRegistery_::sm_list, SupportFastPatternForSigMatchList(), and DetectBufferMpmRegistery_::type.

Referenced by DetectDceStubDataRegister(), DetectDnsQueryRegister(), DetectFiledataRegister(), DetectFilemagicRegister(), DetectFilenameRegister(), DetectHttpClientBodyRegister(), DetectHttpCookieRegister(), DetectHttpHeaderNamesRegister(), DetectHttpHeaderRegister(), DetectHttpHHRegister(), DetectHttpMethodRegister(), DetectHttpProtocolRegister(), DetectHttpRawHeaderRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectHttpStartRegister(), DetectHttpStatCodeRegister(), DetectHttpStatMsgRegister(), DetectHttpUARegister(), DetectHttpUriRegister(), DetectKrb5CNameRegister(), DetectKrb5SNameRegister(), DetectSipMethodRegister(), DetectSipProtocolRegister(), DetectSipRequestLineRegister(), DetectSipResponseLineRegister(), DetectSipStatCodeRegister(), DetectSipStatMsgRegister(), DetectSipUriRegister(), DetectSmbNamedPipeRegister(), DetectSmbShareRegister(), DetectSNMPCommunityRegister(), DetectSshProtocolRegister(), DetectSshSoftwareRegister(), DetectTemplateBufferRegister(), DetectTlsCertsRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3SHashRegister(), DetectTlsJa3SStringRegister(), DetectTlsJa3StringRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), and DetectTlsSubjectRegister().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectAppLayerMpmRegisterByParentId	(	DetectEngineCtx *	de_ctx,
		const int	id,
		const int	parent_id,
		DetectEngineTransforms *	transforms
	)

copy a mpm engine from parent_id, add in transforms

Definition at line 144 of file detect-engine-mpm.c.

References DetectEngineCtx_::app_mpms_list, DetectEngineCtx_::app_mpms_list_cnt, DetectBufferMpmRegistery_::app_v2, BUG_ON, DetectEngineTransforms::cnt, DETECT_BUFFER_MPM_TYPE_APP, DetectBufferMpmRegistery_::direction, DetectBufferMpmRegistery_::id, DetectBufferMpmRegistery_::name, SigTableElmt_::name, DetectBufferMpmRegistery_::next, DetectBufferMpmRegistery_::pname, DetectBufferMpmRegistery_::PrefilterRegisterWithListId, DetectBufferMpmRegistery_::priority, SCCalloc, SCLogDebug, DetectBufferMpmRegistery_::sgh_mpm_context, ShortenString(), sigmatch_table, DetectBufferMpmRegistery_::sm_list, strlcat(), strlcpy(), SupportFastPatternForSigMatchList(), DetectEngineTransforms::transforms, DetectBufferMpmRegistery_::transforms, and DetectBufferMpmRegistery_::type.

Referenced by DetectBufferTypeGetByIdTransforms().

Here is the call graph for this function:

Here is the caller graph for this function:

TmEcode DetectEngineThreadCtxDeinit	(	ThreadVars *	,
		void *
	)

Definition at line 2978 of file detect-engine.c.

Referenced by AlertFastLogInitCtx(), DetectAckRegister(), DetectBase64DecodeDoMatch(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectFastPatternRegister(), DetectFlowFree(), DetectFlowintFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectHostbitFree(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectPcrePayloadMatch(), DetectProtoContainsProto(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSetupParseRegexes(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTransformDotPrefixRegister(), DetectTransformStripWhitespaceRegister(), DetectUricontentRegister(), DetectXbitFree(), HtpConfigRestoreBackup(), MpmACRegister(), MpmACTileRegister(), RegisterModbusParsers(), SCACBSPrintInfo(), SCThresholdConfParseFile(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), TagTimeoutCheck(), UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().

void DetectEngineThreadCtxInfo	(	ThreadVars *	,
		DetectEngineThreadCtx *
	)

Definition at line 2996 of file detect-engine.c.

References DetectEngineThreadCtx_::de_ctx, DetectEngineCtx_::mpm_matcher, DetectEngineThreadCtx_::mtc, DetectEngineThreadCtx_::mtcu, and PatternMatchThreadPrint().

Here is the call graph for this function:

TmEcode DetectEngineThreadCtxInit	(	ThreadVars *	tv,
		void *	initdata,
		void **	data
	)

initialize thread specific detection engine context

Note

there is a special case when using delayed detect. In this case the function is called twice per thread. The first time the rules are not yet loaded. de_ctx->delayed_detect_initialized will be 0. The 2nd time they will be loaded. de_ctx->delayed_detect_initialized will be 1. This is needed to do the per thread counter registration before the packet runtime starts. In delayed detect mode, the first call will return a NULL ptr through the data ptr.

Parameters

tv	ThreadVars for this thread
initdata	pointer to de_ctx
data[out]	pointer to store our thread detection ctx

Return values

TM_ECODE_OK	if all went well
TM_ECODE_FAILED	on serious erro

alert counter setup

Definition at line 2770 of file detect-engine.c.

Referenced by AlertFastLogInitCtx(), DetectAckRegister(), DetectBase64DecodeDoMatch(), DetectBypassRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectFastPatternRegister(), DetectFlowFree(), DetectFlowintFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectHostbitFree(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectPcrePayloadMatch(), DetectProtoContainsProto(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSetupParseRegexes(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTransformDotPrefixRegister(), DetectTransformStripWhitespaceRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), DetectXbitFree(), HtpConfigRestoreBackup(), MpmACRegister(), MpmACTileRegister(), RegisterModbusParsers(), SCACBSPrintInfo(), SCThresholdConfParseFile(), SigGroupHeadContainsSigId(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), TagTimeoutCheck(), UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().

void DetectMpmInitializeAppMpms

(

DetectEngineCtx *

de_ctx

)

Definition at line 208 of file detect-engine-mpm.c.

References DetectEngineCtx_::app_mpms_list, DetectEngineCtx_::app_mpms_list_cnt, BUG_ON, ConfGetBool(), DE_QUIET, DETECT_BUFFER_MPM_TYPE_APP, ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE, DetectEngineCtx_::flags, MPM_CTX_FACTORY_UNIQUE_CONTEXT, MpmFactoryRegisterMpmCtxProfile(), DetectBufferMpmRegistery_::name, DetectBufferMpmRegistery_::next, SCCalloc, SCLogDebug, SCLogPerf, DetectBufferMpmRegistery_::sgh_mpm_context, DetectEngineCtx_::sgh_mpm_context, and strlcat().

Referenced by InspectionBufferApplyTransforms().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectMpmInitializeBuiltinMpms

(

DetectEngineCtx *

de_ctx

)

Definition at line 475 of file detect-engine-mpm.c.

References DetectEngineCtx_::sgh_mpm_context_proto_other_packet, DetectEngineCtx_::sgh_mpm_context_proto_tcp_packet, DetectEngineCtx_::sgh_mpm_context_proto_udp_packet, and DetectEngineCtx_::sgh_mpm_context_stream.

Referenced by PacketCreateMask().

Here is the caller graph for this function:

void DetectMpmInitializePktMpms

(

DetectEngineCtx *

de_ctx

)

Definition at line 374 of file detect-engine-mpm.c.

References BUG_ON, ConfGetBool(), DE_QUIET, DETECT_BUFFER_MPM_TYPE_PKT, ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE, DetectEngineCtx_::flags, MPM_CTX_FACTORY_UNIQUE_CONTEXT, MpmFactoryRegisterMpmCtxProfile(), DetectBufferMpmRegistery_::name, DetectBufferMpmRegistery_::next, DetectEngineCtx_::pkt_mpms_list, DetectEngineCtx_::pkt_mpms_list_cnt, SCCalloc, SCLogDebug, SCLogPerf, DetectBufferMpmRegistery_::sgh_mpm_context, DetectEngineCtx_::sgh_mpm_context, and strlcat().

Referenced by InspectionBufferApplyTransforms().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectMpmPrepareAppMpms

(

DetectEngineCtx *

de_ctx

)

initialize mpm contexts for applayer buffers that are in "single or "shared" mode.

Definition at line 262 of file detect-engine-mpm.c.

References DetectEngineCtx_::app_mpms_list, DetectBufferMpmRegistery_::direction, MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_matcher, mpm_table, MpmFactoryGetMpmCtxForProfile(), DetectBufferMpmRegistery_::next, MpmTableElmt_::Prepare, DetectBufferMpmRegistery_::sgh_mpm_context, and SIG_FLAG_TOSERVER.

Referenced by SigGroupBuild().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectMpmPrepareBuiltinMpms

(

DetectEngineCtx *

de_ctx

)

initialize mpm contexts for builtin buffers that are in "single or "shared" mode.

Definition at line 488 of file detect-engine-mpm.c.

References MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_matcher, mpm_table, MpmFactoryGetMpmCtxForProfile(), MpmTableElmt_::Prepare, DetectEngineCtx_::sgh_mpm_context_proto_other_packet, DetectEngineCtx_::sgh_mpm_context_proto_tcp_packet, DetectEngineCtx_::sgh_mpm_context_proto_udp_packet, and DetectEngineCtx_::sgh_mpm_context_stream.

Referenced by SigGroupBuild().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectMpmPreparePktMpms

(

DetectEngineCtx *

de_ctx

)

initialize mpm contexts for applayer buffers that are in "single or "shared" mode.

Definition at line 429 of file detect-engine-mpm.c.

References ConfGetBool(), ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE, MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_matcher, mpm_table, MpmFactoryGetMpmCtxForProfile(), MpmFactoryRegisterMpmCtxProfile(), DetectBufferMpmRegistery_::name, DetectBufferMpmRegistery_::next, DetectEngineCtx_::pkt_mpms_list, MpmTableElmt_::Prepare, SCLogDebug, SCLogPerf, DetectBufferMpmRegistery_::sgh_mpm_context, DetectEngineCtx_::sgh_mpm_context, and strlcat().

Referenced by SigGroupBuild().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectPktMpmRegister	(	const char *	name,
		int	priority,
		int(*)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)	PrefilterRegister,
		InspectionBufferGetPktDataPtr	GetData
	)

register a MPM engine

Note

to be used at start up / registration only. Errors are fatal.

Definition at line 287 of file detect-engine-mpm.c.

References BUG_ON, DETECT_BUFFER_MPM_TYPE_PKT, DetectBufferTypeGetByName(), DetectBufferTypeSupportsMpm(), DetectBufferTypeSupportsTransformations(), FatalError, DetectBufferMpmRegistery_::id, DetectBufferMpmRegistery_::name, DetectBufferMpmRegistery_::next, DetectBufferMpmRegistery_::pkt_v1, DetectBufferMpmRegistery_::pname, PrefilterGenericMpmPktRegister(), DetectBufferMpmRegistery_::PrefilterRegisterWithListId, DetectBufferMpmRegistery_::priority, SC_ERR_INITIALIZATION, SCCalloc, SCLogDebug, DetectBufferMpmRegistery_::sm_list, SupportFastPatternForSigMatchList(), and DetectBufferMpmRegistery_::type.

Referenced by DetectIpv4hdrRegister(), DetectIpv6hdrRegister(), DetectTcphdrRegister(), and DetectUdphdrRegister().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectPktMpmRegisterByParentId	(	DetectEngineCtx *	de_ctx,
		const int	id,
		const int	parent_id,
		DetectEngineTransforms *	transforms
	)

copy a mpm engine from parent_id, add in transforms

Definition at line 338 of file detect-engine-mpm.c.

References BUG_ON, DETECT_BUFFER_MPM_TYPE_PKT, DetectBufferMpmRegistery_::id, DetectBufferMpmRegistery_::name, DetectBufferMpmRegistery_::next, DetectEngineCtx_::pkt_mpms_list, DetectEngineCtx_::pkt_mpms_list_cnt, DetectBufferMpmRegistery_::pkt_v1, DetectBufferMpmRegistery_::pname, DetectBufferMpmRegistery_::PrefilterRegisterWithListId, DetectBufferMpmRegistery_::priority, SCCalloc, SCLogDebug, DetectBufferMpmRegistery_::sgh_mpm_context, DetectBufferMpmRegistery_::sm_list, SupportFastPatternForSigMatchList(), DetectBufferMpmRegistery_::transforms, and DetectBufferMpmRegistery_::type.

Referenced by DetectBufferTypeGetByIdTransforms().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectSetFastPatternAndItsId

(

DetectEngineCtx *

de_ctx

)

Figured out the FP and their respective content ids for all the sigs in the engine.

Parameters

de_ctx

Detection engine context.

Return values

0	On success.
-1	On failure.

Definition at line 1735 of file detect-engine-mpm.c.

References BUG_ON, DetectContentData_::content, DetectFPAndItsId_::content, DetectContentData_::content_len, DetectFPAndItsId_::content_len, SigMatch_::ctx, DETECT_CONTENT_FAST_PATTERN_CHOP, DETECT_CONTENT_NOCASE, DetectContentData_::flags, Signature_::flags, DetectFPAndItsId_::flags, DetectContentData_::fp_chop_len, DetectContentData_::fp_chop_offset, DetectContentData_::id, DetectFPAndItsId_::id, Signature_::init_data, DetectEngineCtx_::max_fp_id, SignatureInitData_::mpm_sm, Signature_::next, PatIntId, RetrieveFPForSig(), SCFree, SCMalloc, SCMemcmp, SIG_FLAG_PREFILTER, DetectEngineCtx_::sig_list, SigMatchListSMBelongsTo(), DetectFPAndItsId_::sm_list, and unlikely.

Referenced by SigGroupBuild().

Here is the call graph for this function:

Here is the caller graph for this function:

uint32_t DnsQueryPatternSearch	(	DetectEngineThreadCtx *	det_ctx,
		uint8_t *	buffer,
		uint32_t	buffer_len,
		uint8_t	flags
	)

void MpmStoreFree

(

DetectEngineCtx *

de_ctx

)

Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by MpmStoreInit() function.

Parameters

de_ctx

Pointer to the detection engine context.

Definition at line 1185 of file detect-engine-mpm.c.

References MpmStore_::buffer, BUG_ON, SigMatch_::ctx, DETECT_CONTENT_FAST_PATTERN_CHOP, DETECT_CONTENT_MPM_IS_CONCLUSIVE, DETECT_CONTENT_NEGATED, DETECT_SM_LIST_PMATCH, MpmStore_::direction, DetectContentData_::flags, Signature_::flags, HashListTableFree(), Signature_::id, Signature_::init_data, MpmStore_::mpm_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_hash_table, DetectEngineCtx_::mpm_matcher, SignatureInitData_::mpm_sm, mpm_table, MpmCtx_::mpm_type, MPMB_MAX, MPMB_OTHERIP, MPMB_TCP_PKT_TC, MPMB_TCP_PKT_TS, MPMB_TCP_STREAM_TC, MPMB_TCP_STREAM_TS, MPMB_UDP_TC, MPMB_UDP_TS, MpmFactoryGetMpmCtxForProfile(), MpmFactoryReClaimMpmCtx(), MpmInitCtx(), MpmCtx_::pattern_cnt, MpmTableElmt_::Prepare, SCLogDebug, MpmStore_::sgh_mpm_context, MpmStore_::sid_array, MpmStore_::sid_array_size, DetectEngineCtx_::sig_array, SIG_FLAG_TOSERVER, SigMatchListSMBelongsTo(), and MpmStore_::sm_list.

Referenced by DetectEngineCtxFree().

Here is the call graph for this function:

Here is the caller graph for this function:

int MpmStoreInit

(

DetectEngineCtx *

de_ctx

)

Initializes the MpmStore mpm hash table to be used by the detection engine context.

Parameters

de_ctx

Pointer to the detection engine context.

Return values

0	On success.
-1	On failure.

Definition at line 1038 of file detect-engine-mpm.c.

References DetectEngineCtx_::app_mpms_list, DetectBufferMpmRegistery_::direction, MpmStore_::direction, HashListTableAdd(), HashListTableInit(), HashListTableLookup(), DetectEngineCtx_::mpm_hash_table, DetectBufferMpmRegistery_::next, DetectEngineCtx_::pkt_mpms_list, DetectBufferMpmRegistery_::sm_list, and MpmStore_::sm_list.

Referenced by DetectEngineInspectPktBufferGeneric().

Here is the call graph for this function:

Here is the caller graph for this function:

MpmStore* MpmStorePrepareBuffer	(	DetectEngineCtx *	de_ctx,
		SigGroupHead *	sgh,
		enum MpmBuiltinBuffers	buf
	)

Get MpmStore for a built-in buffer type.

Definition at line 1292 of file detect-engine-mpm.c.

References SigGroupHeadInitData_::app_mpms, DetectEngineCtx_::app_mpms_list, DetectEngineCtx_::app_mpms_list_cnt, MpmStore_::buffer, BUG_ON, DETECT_SM_LIST_PMATCH, DetectEngineGetMaxSigId, DetectBufferMpmRegistery_::direction, MpmStore_::direction, Signature_::flags, SigGroupHead_::flags, DetectBufferMpmRegistery_::id, SigGroupHead_::init, Signature_::init_data, SigGroupHead_::match_array, MpmStore_::mpm_ctx, SignatureInitData_::mpm_sm, MPMB_MAX, MPMB_OTHERIP, MPMB_TCP_PKT_TC, MPMB_TCP_PKT_TS, MPMB_TCP_STREAM_TC, MPMB_TCP_STREAM_TS, MPMB_UDP_TC, MPMB_UDP_TS, DetectBufferMpmRegistery_::name, DetectBufferMpmRegistery_::next, Signature_::num, SigGroupHeadInitData_::pkt_mpms, DetectEngineCtx_::pkt_mpms_list, DetectEngineCtx_::pkt_mpms_list_cnt, DetectBufferMpmRegistery_::PrefilterRegisterWithListId, SCCalloc, SCFree, SCLogDebug, SGH_DIRECTION_TC, SGH_DIRECTION_TS, DetectBufferMpmRegistery_::sgh_mpm_context, MpmStore_::sgh_mpm_context, DetectEngineCtx_::sgh_mpm_context_proto_other_packet, DetectEngineCtx_::sgh_mpm_context_proto_tcp_packet, DetectEngineCtx_::sgh_mpm_context_proto_udp_packet, DetectEngineCtx_::sgh_mpm_context_stream, MpmStore_::sid_array, MpmStore_::sid_array_size, SigGroupHead_::sig_cnt, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SIG_GROUP_HEAD_HAVERAWSTREAM, SigMatchListSMBelongsTo(), SignatureHasPacketContent(), SignatureHasStreamContent(), DetectBufferMpmRegistery_::sm_list, and MpmStore_::sm_list.

Referenced by PatternMatchPrepareGroup().

Here is the call graph for this function:

Here is the caller graph for this function:

void MpmStoreReportStats

(

const DetectEngineCtx *

de_ctx

)

Definition at line 1104 of file detect-engine-mpm.c.

References DetectEngineCtx_::app_mpms_list, DetectBufferMpmRegistery_::app_v2, AppProtoToString(), MpmStore_::buffer, DetectEngineCtx_::buffer_type_map_elements, builtin_mpms, DE_QUIET, DETECT_BUFFER_MPM_TYPE_APP, DETECT_BUFFER_MPM_TYPE_PKT, DETECT_BUFFER_MPM_TYPE_SIZE, DETECT_SM_LIST_PMATCH, DetectBufferMpmRegistery_::direction, DetectEngineCtx_::flags, HashListTableGetListData, HashListTableGetListHead(), HashListTableGetListNext, MpmCtx_::maxlen, MpmCtx_::minlen, MpmStore_::mpm_ctx, DetectEngineCtx_::mpm_hash_table, MPMB_MAX, DetectBufferMpmRegistery_::name, DetectBufferMpmRegistery_::next, MpmCtx_::pattern_cnt, DetectEngineCtx_::pkt_mpms_list, SCLogDebug, SCLogPerf, SIG_FLAG_TOSERVER, DetectBufferMpmRegistery_::sm_list, MpmStore_::sm_list, and DetectBufferMpmRegistery_::type.

Referenced by SigAddressPrepareStage4().

Here is the call graph for this function:

Here is the caller graph for this function:

void PacketPatternCleanup

(

DetectEngineThreadCtx *

)

cleans up the mpm instance after a match

Definition at line 656 of file detect-engine-mpm.c.

References DetectEngineThreadCtx_::pmq, and PmqReset().

Referenced by SigMatchSignaturesGetSgh().

Here is the call graph for this function:

Here is the caller graph for this function:

uint16_t PatternMatchDefaultMatcher

(

void

)

Function to return the multi pattern matcher algorithm to be used by the engine, based on the mpm-algo setting in yaml Use the default mpm if none is specified in the yaml file.

Return values

mpm	algo value

Definition at line 615 of file detect-engine-mpm.c.

References ConfGet(), mpm_default_matcher, mpm_table, MPM_TABLE_SIZE, SC_ERR_INVALID_YAML_CONF_ENTRY, and SCLogError.

Referenced by AppLayerProtoDetectSetup(), and DetectEngineInspectPktBufferGeneric().

Here is the call graph for this function:

Here is the caller graph for this function:

void PatternMatchDestroy	(	MpmCtx *	,
		uint16_t
	)

Definition at line 661 of file detect-engine-mpm.c.

References MpmTableElmt_::DestroyCtx, mpm_table, and SCLogDebug.

void PatternMatchPrepare	(	MpmCtx *	,
		uint16_t
	)

int PatternMatchPrepareGroup	(	DetectEngineCtx *	de_ctx,
		SigGroupHead *	sh
	)

Prepare the pattern matcher ctx in a sig group head.

Definition at line 1662 of file detect-engine-mpm.c.

References MpmStore_::mpm_ctx, MPMB_OTHERIP, MPMB_TCP_PKT_TC, MPMB_TCP_PKT_TS, MPMB_TCP_STREAM_TC, MPMB_TCP_STREAM_TS, MPMB_UDP_TC, MPMB_UDP_TS, MpmStorePrepareBuffer(), PrefilterPktPayloadRegister(), PrefilterPktStreamRegister(), SGH_DIRECTION_TC, SGH_DIRECTION_TS, and SGH_PROTO.

Referenced by PrefilterSetupRuleGroup().

Here is the call graph for this function:

Here is the caller graph for this function:

void PatternMatchThreadDestroy	(	MpmThreadCtx *	mpm_thread_ctx,
		uint16_t
	)

Definition at line 672 of file detect-engine-mpm.c.

References MpmTableElmt_::DestroyThreadCtx, mpm_table, and SCLogDebug.

Referenced by DetectEngineThreadCtxInit().

Here is the caller graph for this function:

void PatternMatchThreadPrepare	(	MpmThreadCtx *	,
		uint16_t	type
	)

Definition at line 678 of file detect-engine-mpm.c.

References MpmInitThreadCtx(), and SCLogDebug.

Referenced by DetectEngineResetMaxSigId().

Here is the call graph for this function:

Here is the caller graph for this function:

void PatternMatchThreadPrint	(	MpmThreadCtx *	,
		uint16_t
	)

Definition at line 667 of file detect-engine-mpm.c.

References SCLogDebug.

Referenced by DetectEngineThreadCtxInfo().

Here is the caller graph for this function:

uint32_t PatternStrength	(	uint8_t *	pat,
		uint16_t	patlen
	)

Predict a strength value for patterns.

Patterns with high character diversity score higher. Alpha chars score not so high Other printable + a few common codes a little higher Everything else highest. Longer patterns score better than short patters.

Parameters

pat	pattern
patlen	length of the pattern

Return values

s	pattern score

Definition at line 697 of file detect-engine-mpm.c.

References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DETECT_CONTENT_DEPTH_BE, DETECT_CONTENT_NOCASE, DETECT_CONTENT_OFFSET_BE, DetectContentData_::flags, flags, DetectContentData_::fp_chop_len, DetectContentData_::fp_chop_offset, DetectContentData_::id, MPM_PATTERN_CTX_OWNS_ID, MpmAddPatternCI(), MpmAddPatternCS(), Signature_::num, and DetectContentData_::offset.

Referenced by PacketCreateMask().

Here is the call graph for this function:

Here is the caller graph for this function:

int PrefilterGenericMpmPktRegister	(	DetectEngineCtx *	de_ctx,
		SigGroupHead *	sgh,
		MpmCtx *	mpm_ctx,
		const DetectBufferMpmRegistery *	mpm_reg,
		int	list_id
	)

Definition at line 681 of file detect-engine-prefilter.c.

Referenced by DetectIpv4hdrRegister(), DetectIpv6hdrRegister(), DetectPktMpmRegister(), DetectTcphdrRegister(), and DetectUdphdrRegister().

Here is the caller graph for this function:

void RetrieveFPForSig	(	const DetectEngineCtx *	de_ctx,
		Signature *	s
	)

Definition at line 842 of file detect-engine-mpm.c.

References HashListTable_::array_size, MpmStore_::buffer, BUG_ON, DetectContentData_::content_len, MpmTableElmt_::DestroyCtx, DETECT_CONTENT, DETECT_CONTENT_FAST_PATTERN, DETECT_CONTENT_NEGATED, MpmStore_::direction, FastPatternSupportEnabledForSigMatchList(), MpmCtx_::flags, DetectContentData_::flags, Signature_::init_data, SCFPSupportSMList_::list_id, MpmStore_::mpm_ctx, SignatureInitData_::mpm_sm, mpm_table, MpmCtx_::mpm_type, MPMCTX_FLAGS_GLOBAL, SCFPSupportSMList_::next, SigMatch_::next, SCFPSupportSMList_::priority, SCFree, SCLogDebug, SCMemcmp, MpmStore_::sid_array, MpmStore_::sid_array_size, sm_fp_support_smlist_list, MpmStore_::sm_list, SignatureInitData_::smlists, and SignatureInitData_::smlists_array_size.

Referenced by DetectLoadCompleteSigPath(), and DetectSetFastPatternAndItsId().

Here is the call graph for this function:

Here is the caller graph for this function:

int SignatureHasPacketContent

(

const Signature *

s

)

check if a signature has patterns that are to be inspected against a packets payload (as opposed to the stream payload)

Parameters

s

signature

Return values

1	true
0	false

Definition at line 545 of file detect-engine-mpm.c.

References DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, DetectProto_::proto, Signature_::proto, SCEnter, SCLogDebug, SCReturnInt, SIG_FLAG_REQUIRE_PACKET, Signature_::sm_arrays, and SignatureInitData_::smlists.

Referenced by MpmStorePrepareBuffer(), and PerCentEncodingMatch().

Here is the caller graph for this function:

int SignatureHasStreamContent

(

const Signature *

s

)

check if a signature has patterns that are to be inspected against the stream payload (as opposed to the individual packets payload(s))

Parameters

s

signature

Return values

1	true
0	false

Definition at line 581 of file detect-engine-mpm.c.

References DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, DetectProto_::proto, Signature_::proto, SCEnter, SCLogDebug, SCReturnInt, SIG_FLAG_REQUIRE_STREAM, Signature_::sm_arrays, and SignatureInitData_::smlists.

Referenced by MpmStorePrepareBuffer(), and PerCentEncodingMatch().

Here is the caller graph for this function: