detect-engine-mpm.h File Reference

#include "tm-threads.h"
#include "detect.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "stream.h"

Include dependency graph for detect-engine-mpm.h:

Go to the source code of this file.

Functions
void	DetectMpmInitializeAppMpms (DetectEngineCtx *de_ctx)
void	DetectMpmSetupAppMpms (DetectEngineCtx *de_ctx)
int	DetectMpmPrepareAppMpms (DetectEngineCtx *de_ctx)
	initialize mpm contexts for applayer buffers that are in "single or "shared" mode. More...
void	DetectMpmInitializeBuiltinMpms (DetectEngineCtx *de_ctx)
int	DetectMpmPrepareBuiltinMpms (DetectEngineCtx *de_ctx)
	initialize mpm contexts for builtin buffers that are in "single or "shared" mode. More...
uint32_t	PatternStrength (uint8_t *, uint16_t)
	Predict a strength value for patterns. More...
uint16_t	PatternMatchDefaultMatcher (void)
	Function to return the multi pattern matcher algorithm to be used by the engine, based on the mpm-algo setting in yaml Use the default mpm if none is specified in the yaml file. More...
uint32_t	DnsQueryPatternSearch (DetectEngineThreadCtx *det_ctx, uint8_t *buffer, uint32_t buffer_len, uint8_t flags)
void	PacketPatternCleanup (DetectEngineThreadCtx *)
	cleans up the mpm instance after a match More...
void	PatternMatchPrepare (MpmCtx *, uint16_t)
void	PatternMatchThreadPrepare (MpmThreadCtx *, uint16_t type)
void	PatternMatchDestroy (MpmCtx *, uint16_t)
void	PatternMatchThreadDestroy (MpmThreadCtx *mpm_thread_ctx, uint16_t)
void	PatternMatchThreadPrint (MpmThreadCtx *, uint16_t)
int	PatternMatchPrepareGroup (DetectEngineCtx *, SigGroupHead *)
	Prepare the pattern matcher ctx in a sig group head. More...
void	DetectEngineThreadCtxInfo (ThreadVars *, DetectEngineThreadCtx *)
TmEcode	DetectEngineThreadCtxInit (ThreadVars *, void *, void **)
	initialize thread specific detection engine context More...
TmEcode	DetectEngineThreadCtxDeinit (ThreadVars *, void *)
int	SignatureHasPacketContent (const Signature *)
	check if a signature has patterns that are to be inspected against a packets payload (as opposed to the stream payload) More...
int	SignatureHasStreamContent (const Signature *)
	check if a signature has patterns that are to be inspected against the stream payload (as opposed to the individual packets payload(s)) More...
void	RetrieveFPForSig (const DetectEngineCtx *de_ctx, Signature *s)
int	MpmStoreInit (DetectEngineCtx *)
	Initializes the MpmStore mpm hash table to be used by the detection engine context. More...
void	MpmStoreFree (DetectEngineCtx *)
	Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by MpmStoreInit() function. More...
void	MpmStoreReportStats (const DetectEngineCtx *de_ctx)
MpmStore *	MpmStorePrepareBuffer (DetectEngineCtx *de_ctx, SigGroupHead *sgh, enum MpmBuiltinBuffers buf)
	Get MpmStore for a built-in buffer type. More...
int	DetectSetFastPatternAndItsId (DetectEngineCtx *de_ctx)
	Figured out the FP and their respective content ids for all the sigs in the engine. More...
void	DetectAppLayerMpmRegister (const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)) __attribute__((deprecated))
	register an app layer keyword for mpm More...
void	DetectAppLayerMpmRegister2 (const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
	register an app layer keyword for mpm More...
void	DetectAppLayerMpmRegisterByParentId (DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
	copy a mpm engine from parent_id, add in transforms More...

Detailed Description

Author

Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Definition in file detect-engine-mpm.h.

Function Documentation

void DetectAppLayerMpmRegister	(	const char *	name,
		int	direction,
		int	priority,
		int(*)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)	PrefilterRegister
	)

register an app layer keyword for mpm

Parameters

name	keyword name
direction	SIG_FLAG_TOSERVER or SIG_FLAG_TOCLIENT
PrefilterRegister	Prefilter api registration function

Note

direction must be set to either toserver or toclient. If both are needed, register the keyword twice.

Deprecated:

since 5.0.0

Definition at line 138 of file detect-engine-mpm.c.

References BUG_ON, DetectBufferTypeGetByName(), DetectBufferTypeSupportsMpm(), DetectMpmAppLayerRegistery_::direction, DetectMpmAppLayerRegistery_::id, DetectMpmAppLayerRegistery_::name, DetectMpmAppLayerRegistery_::next, DetectMpmAppLayerRegistery_::pname, DetectMpmAppLayerRegistery_::PrefilterRegister, DetectMpmAppLayerRegistery_::priority, SCCalloc, SCLogDebug, DetectMpmAppLayerRegistery_::sm_list, and SupportFastPatternForSigMatchList().

Here is the call graph for this function:

void DetectAppLayerMpmRegister2	(	const char *	name,
		int	direction,
		int	priority,
		int(*)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id)	PrefilterRegister,
		InspectionBufferGetDataPtr	GetData,
		AppProto	alproto,
		int	tx_min_progress
	)

register an app layer keyword for mpm

Parameters

name	buffer name
direction	SIG_FLAG_TOSERVER or SIG_FLAG_TOCLIENT
priority	mpm keyword priority
PrefilterRegister	Prefilter api registration function
GetData	callback to setup a InspectBuffer. May be NULL.
alproto	AppProto this MPM engine inspects
tx_min_progress	min tx progress needed to invoke this engine.

Note

direction must be set to either toserver or toclient. If both are needed, register the keyword twice.

register an app layer keyword for mpm

Note

to be used at start up / registration only. Errors are fatal.

Definition at line 85 of file detect-engine-mpm.c.

References DetectMpmAppLayerRegistery_::alproto, BUG_ON, DetectBufferTypeGetByName(), DetectBufferTypeSupportsMpm(), DetectBufferTypeSupportsTransformations(), DetectMpmAppLayerRegistery_::direction, FatalError, DetectMpmAppLayerRegistery_::GetData, DetectMpmAppLayerRegistery_::id, DetectMpmAppLayerRegistery_::name, DetectMpmAppLayerRegistery_::next, DetectMpmAppLayerRegistery_::pname, PrefilterGenericMpmRegister(), DetectMpmAppLayerRegistery_::PrefilterRegisterWithListId, DetectMpmAppLayerRegistery_::priority, SC_ERR_INITIALIZATION, SCCalloc, SCLogDebug, DetectMpmAppLayerRegistery_::sm_list, SupportFastPatternForSigMatchList(), DetectMpmAppLayerRegistery_::tx_min_progress, and DetectMpmAppLayerRegistery_::v2.

Referenced by DetectDceStubDataRegister(), DetectDnsQueryRegister(), DetectFiledataRegister(), DetectFilemagicRegister(), DetectFilenameRegister(), DetectHttpClientBodyRegister(), DetectHttpCookieRegister(), DetectHttpHeaderNamesRegister(), DetectHttpHeaderRegister(), DetectHttpHHRegister(), DetectHttpMethodRegister(), DetectHttpProtocolRegister(), DetectHttpRawHeaderRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectHttpStartRegister(), DetectHttpStatCodeRegister(), DetectHttpStatMsgRegister(), DetectHttpUARegister(), DetectHttpUriRegister(), DetectKrb5CNameRegister(), DetectKrb5SNameRegister(), DetectSmbNamedPipeRegister(), DetectSmbShareRegister(), DetectSNMPCommunityRegister(), DetectSshProtocolRegister(), DetectSshSoftwareRegister(), DetectTemplateBufferRegister(), DetectTlsCertsRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3SHashRegister(), DetectTlsJa3SStringRegister(), DetectTlsJa3StringRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), and DetectTlsSubjectRegister().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectAppLayerMpmRegisterByParentId	(	DetectEngineCtx *	de_ctx,
		const int	id,
		const int	parent_id,
		DetectEngineTransforms *	transforms
	)

copy a mpm engine from parent_id, add in transforms

Definition at line 176 of file detect-engine-mpm.c.

References DetectMpmAppLayerRegistery_::alproto, DetectEngineCtx_::app_mpms_list, DetectEngineCtx_::app_mpms_list_cnt, BUG_ON, DetectMpmAppLayerRegistery_::direction, DetectMpmAppLayerRegistery_::GetData, DetectMpmAppLayerRegistery_::id, DetectMpmAppLayerRegistery_::name, DetectMpmAppLayerRegistery_::next, DetectMpmAppLayerRegistery_::pname, DetectMpmAppLayerRegistery_::PrefilterRegister, DetectMpmAppLayerRegistery_::PrefilterRegisterWithListId, DetectMpmAppLayerRegistery_::priority, SCCalloc, SCLogDebug, DetectMpmAppLayerRegistery_::sm_list, SupportFastPatternForSigMatchList(), DetectMpmAppLayerRegistery_::transforms, DetectMpmAppLayerRegistery_::tx_min_progress, and DetectMpmAppLayerRegistery_::v2.

Referenced by DetectBufferTypeGetByIdTransforms().

Here is the call graph for this function:

Here is the caller graph for this function:

TmEcode DetectEngineThreadCtxDeinit	(	ThreadVars *	,
		void *
	)

Definition at line 2592 of file detect-engine.c.

Referenced by AlertFastLogInitCtx(), DetectAckRegister(), DetectBase64DecodeDoMatch(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectFastPatternRegister(), DetectFlowbitsAnalyze(), DetectFlowFree(), DetectFlowintFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectGeoipRegister(), DetectHostbitFree(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectPcrePayloadMatch(), DetectProtoContainsProto(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSetupParseRegexes(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTransformCompressWhitespaceRegister(), DetectTransformStripWhitespaceRegister(), DetectUricontentRegister(), DetectXbitFree(), MpmACRegister(), MpmACTileRegister(), RegisterModbusParsers(), SCACBSPrintInfo(), SCThresholdConfParseFile(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), TagTimeoutCheck(), UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().

void DetectEngineThreadCtxInfo	(	ThreadVars *	,
		DetectEngineThreadCtx *
	)

Definition at line 2610 of file detect-engine.c.

References DetectEngineThreadCtx_::de_ctx, DetectEngineCtx_::mpm_matcher, DetectEngineThreadCtx_::mtc, DetectEngineThreadCtx_::mtcu, and PatternMatchThreadPrint().

Here is the call graph for this function:

TmEcode DetectEngineThreadCtxInit	(	ThreadVars *	tv,
		void *	initdata,
		void **	data
	)

initialize thread specific detection engine context

Note

there is a special case when using delayed detect. In this case the function is called twice per thread. The first time the rules are not yet loaded. de_ctx->delayed_detect_initialized will be 0. The 2nd time they will be loaded. de_ctx->delayed_detect_initialized will be 1. This is needed to do the per thread counter registration before the packet runtime starts. In delayed detect mode, the first call will return a NULL ptr through the data ptr.

Parameters

tv	ThreadVars for this thread
initdata	pointer to de_ctx
data[out]	pointer to store our thread detection ctx

Return values

TM_ECODE_OK	if all went well
TM_ECODE_FAILED	on serious erro

alert counter setup

Definition at line 2384 of file detect-engine.c.

Referenced by AlertFastLogInitCtx(), DetectAckRegister(), DetectBase64DecodeDoMatch(), DetectBypassRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectFastPatternRegister(), DetectFlowbitsAnalyze(), DetectFlowFree(), DetectFlowintFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectGeoipRegister(), DetectHostbitFree(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectPcrePayloadMatch(), DetectProtoContainsProto(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSetupParseRegexes(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTransformCompressWhitespaceRegister(), DetectTransformStripWhitespaceRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), DetectXbitFree(), MpmACRegister(), MpmACTileRegister(), RegisterModbusParsers(), SCACBSPrintInfo(), SCThresholdConfParseFile(), SigGroupHeadContainsSigId(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), TagTimeoutCheck(), UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().

void DetectMpmInitializeAppMpms

(

DetectEngineCtx *

de_ctx

)

Definition at line 214 of file detect-engine-mpm.c.

References DetectEngineCtx_::app_mpms_list, DetectEngineCtx_::app_mpms_list_cnt, BUG_ON, DetectMpmAppLayerRegistery_::next, SCCalloc, and SCLogDebug.

Referenced by InspectionBufferApplyTransforms().

Here is the caller graph for this function:

void DetectMpmInitializeBuiltinMpms

(

DetectEngineCtx *

de_ctx

)

Definition at line 332 of file detect-engine-mpm.c.

References DetectEngineCtx_::sgh_mpm_context_proto_other_packet, DetectEngineCtx_::sgh_mpm_context_proto_tcp_packet, DetectEngineCtx_::sgh_mpm_context_proto_udp_packet, and DetectEngineCtx_::sgh_mpm_context_stream.

Referenced by PacketCreateMask().

Here is the caller graph for this function:

int DetectMpmPrepareAppMpms

(

DetectEngineCtx *

de_ctx

)

initialize mpm contexts for applayer buffers that are in "single or "shared" mode.

Definition at line 287 of file detect-engine-mpm.c.

References DetectEngineCtx_::app_mpms, ConfGetBool(), DetectMpmAppLayerRegistery_::direction, ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE, MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_matcher, mpm_table, MpmFactoryGetMpmCtxForProfile(), MpmFactoryRegisterMpmCtxProfile(), MpmTableElmt_::Prepare, DetectMpmAppLayerKeyword_::reg, SCLogPerf, DetectMpmAppLayerKeyword_::sgh_mpm_context, DetectEngineCtx_::sgh_mpm_context, SIG_FLAG_TOSERVER, and strlcat().

Referenced by SigGroupBuild().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectMpmPrepareBuiltinMpms

(

DetectEngineCtx *

de_ctx

)

initialize mpm contexts for builtin buffers that are in "single or "shared" mode.

Definition at line 345 of file detect-engine-mpm.c.

References MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_matcher, mpm_table, MpmFactoryGetMpmCtxForProfile(), MpmTableElmt_::Prepare, DetectEngineCtx_::sgh_mpm_context_proto_other_packet, DetectEngineCtx_::sgh_mpm_context_proto_tcp_packet, DetectEngineCtx_::sgh_mpm_context_proto_udp_packet, and DetectEngineCtx_::sgh_mpm_context_stream.

Referenced by SigGroupBuild().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectMpmSetupAppMpms

(

DetectEngineCtx *

de_ctx

)

Definition at line 242 of file detect-engine-mpm.c.

References DetectEngineCtx_::app_mpms, DetectEngineCtx_::app_mpms_list, DetectEngineCtx_::app_mpms_list_cnt, BUG_ON, ConfGetBool(), DE_QUIET, ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE, DetectEngineCtx_::flags, DetectMpmAppLayerRegistery_::id, MPM_CTX_FACTORY_UNIQUE_CONTEXT, MpmFactoryRegisterMpmCtxProfile(), DetectMpmAppLayerRegistery_::name, DetectMpmAppLayerRegistery_::next, DetectMpmAppLayerKeyword_::reg, SCCalloc, SCLogDebug, SCLogPerf, DetectMpmAppLayerKeyword_::sgh_mpm_context, DetectEngineCtx_::sgh_mpm_context, and strlcat().

Referenced by PacketCreateMask().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectSetFastPatternAndItsId

(

DetectEngineCtx *

de_ctx

)

Figured out the FP and their respective content ids for all the sigs in the engine.

Parameters

de_ctx

Detection engine context.

Return values

0	On success.
-1	On failure.

Definition at line 1457 of file detect-engine-mpm.c.

References BUG_ON, DetectContentData_::content, DetectFPAndItsId_::content, DetectContentData_::content_len, DetectFPAndItsId_::content_len, SigMatch_::ctx, DETECT_CONTENT_FAST_PATTERN_CHOP, DETECT_CONTENT_NOCASE, DetectContentData_::flags, Signature_::flags, DetectFPAndItsId_::flags, DetectContentData_::fp_chop_len, DetectContentData_::fp_chop_offset, DetectContentData_::id, DetectFPAndItsId_::id, Signature_::init_data, DetectEngineCtx_::max_fp_id, SignatureInitData_::mpm_sm, Signature_::next, PatIntId, RetrieveFPForSig(), SCFree, SCMalloc, SCMemcmp, SIG_FLAG_PREFILTER, DetectEngineCtx_::sig_list, SigMatchListSMBelongsTo(), DetectFPAndItsId_::sm_list, and unlikely.

Referenced by SigGroupBuild().

Here is the call graph for this function:

Here is the caller graph for this function:

uint32_t DnsQueryPatternSearch	(	DetectEngineThreadCtx *	det_ctx,
		uint8_t *	buffer,
		uint32_t	buffer_len,
		uint8_t	flags
	)

void MpmStoreFree

(

DetectEngineCtx *

de_ctx

)

Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by MpmStoreInit() function.

Parameters

de_ctx

Pointer to the detection engine context.

Definition at line 1000 of file detect-engine-mpm.c.

References MpmStore_::buffer, BUG_ON, SigMatch_::ctx, DETECT_CONTENT_FAST_PATTERN_CHOP, DETECT_CONTENT_MPM_IS_CONCLUSIVE, DETECT_CONTENT_NEGATED, DETECT_SM_LIST_PMATCH, MpmStore_::direction, DetectContentData_::flags, Signature_::flags, HashListTableFree(), Signature_::id, Signature_::init_data, MpmStore_::mpm_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_hash_table, DetectEngineCtx_::mpm_matcher, SignatureInitData_::mpm_sm, mpm_table, MpmCtx_::mpm_type, MPMB_MAX, MPMB_OTHERIP, MPMB_TCP_PKT_TC, MPMB_TCP_PKT_TS, MPMB_TCP_STREAM_TC, MPMB_TCP_STREAM_TS, MPMB_UDP_TC, MPMB_UDP_TS, MpmFactoryGetMpmCtxForProfile(), MpmFactoryReClaimMpmCtx(), MpmInitCtx(), MpmCtx_::pattern_cnt, MpmTableElmt_::Prepare, SCLogDebug, MpmStore_::sgh_mpm_context, MpmStore_::sid_array, MpmStore_::sid_array_size, DetectEngineCtx_::sig_array, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SigMatchListSMBelongsTo(), and MpmStore_::sm_list.

Referenced by DetectEngineCtxFree().

Here is the call graph for this function:

Here is the caller graph for this function:

int MpmStoreInit

(

DetectEngineCtx *

de_ctx

)

Initializes the MpmStore mpm hash table to be used by the detection engine context.

Parameters

de_ctx

Pointer to the detection engine context.

Return values

0	On success.
-1	On failure.

Definition at line 888 of file detect-engine-mpm.c.

References HashListTableAdd(), HashListTableInit(), HashListTableLookup(), and DetectEngineCtx_::mpm_hash_table.

Referenced by DetectEngineInspectBufferGeneric().

Here is the call graph for this function:

Here is the caller graph for this function:

MpmStore* MpmStorePrepareBuffer	(	DetectEngineCtx *	de_ctx,
		SigGroupHead *	sgh,
		enum MpmBuiltinBuffers	buf
	)

Get MpmStore for a built-in buffer type.

Definition at line 1110 of file detect-engine-mpm.c.

References MpmStore_::buffer, BUG_ON, DETECT_SM_LIST_PMATCH, DetectEngineGetMaxSigId, DetectMpmAppLayerRegistery_::direction, MpmStore_::direction, Signature_::flags, SigGroupHead_::flags, Signature_::init_data, SigGroupHead_::match_array, SignatureInitData_::mpm_sm, MPMB_MAX, MPMB_OTHERIP, MPMB_TCP_PKT_TC, MPMB_TCP_PKT_TS, MPMB_TCP_STREAM_TC, MPMB_TCP_STREAM_TS, MPMB_UDP_TC, MPMB_UDP_TS, DetectMpmAppLayerRegistery_::name, Signature_::num, DetectMpmAppLayerKeyword_::reg, SCCalloc, SCFree, SCLogDebug, DetectMpmAppLayerKeyword_::sgh_mpm_context, MpmStore_::sgh_mpm_context, DetectEngineCtx_::sgh_mpm_context_proto_other_packet, DetectEngineCtx_::sgh_mpm_context_proto_tcp_packet, DetectEngineCtx_::sgh_mpm_context_proto_udp_packet, DetectEngineCtx_::sgh_mpm_context_stream, MpmStore_::sid_array, MpmStore_::sid_array_size, SigGroupHead_::sig_cnt, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SIG_GROUP_HEAD_HAVERAWSTREAM, SigMatchListSMBelongsTo(), SignatureHasPacketContent(), SignatureHasStreamContent(), DetectMpmAppLayerRegistery_::sm_list, and MpmStore_::sm_list.

Referenced by PatternMatchPrepareGroup().

Here is the call graph for this function:

Here is the caller graph for this function:

void MpmStoreReportStats

(

const DetectEngineCtx *

de_ctx

)

Definition at line 933 of file detect-engine-mpm.c.

References DetectEngineCtx_::app_mpms, MpmStore_::buffer, builtin_mpms, DE_QUIET, DETECT_SM_LIST_PMATCH, DetectMpmAppLayerRegistery_::direction, MpmStore_::direction, DetectEngineCtx_::flags, HashListTableGetListData, HashListTableGetListHead(), HashListTableGetListNext, MpmCtx_::maxlen, MpmCtx_::minlen, MpmStore_::mpm_ctx, DetectEngineCtx_::mpm_hash_table, MPMB_MAX, DetectMpmAppLayerRegistery_::name, MpmCtx_::pattern_cnt, DetectMpmAppLayerKeyword_::reg, SCLogDebug, SCLogPerf, SIG_FLAG_TOSERVER, DetectMpmAppLayerRegistery_::sm_list, and MpmStore_::sm_list.

Referenced by SigAddressPrepareStage4().

Here is the call graph for this function:

Here is the caller graph for this function:

void PacketPatternCleanup

(

DetectEngineThreadCtx *

)

cleans up the mpm instance after a match

Definition at line 513 of file detect-engine-mpm.c.

References DetectEngineThreadCtx_::pmq, and PmqReset().

Referenced by SigMatchSignaturesGetSgh().

Here is the call graph for this function:

Here is the caller graph for this function:

uint16_t PatternMatchDefaultMatcher

(

void

)

Function to return the multi pattern matcher algorithm to be used by the engine, based on the mpm-algo setting in yaml Use the default mpm if none is specified in the yaml file.

Return values

mpm	algo value

Definition at line 472 of file detect-engine-mpm.c.

References ConfGet(), mpm_default_matcher, mpm_table, MPM_TABLE_SIZE, SC_ERR_INVALID_YAML_CONF_ENTRY, and SCLogError.

Referenced by AppLayerProtoDetectSetup(), and DetectEngineInspectBufferGeneric().

Here is the call graph for this function:

Here is the caller graph for this function:

void PatternMatchDestroy	(	MpmCtx *	,
		uint16_t
	)

Definition at line 518 of file detect-engine-mpm.c.

References MpmTableElmt_::DestroyCtx, mpm_table, and SCLogDebug.

void PatternMatchPrepare	(	MpmCtx *	,
		uint16_t
	)

int PatternMatchPrepareGroup	(	DetectEngineCtx *	de_ctx,
		SigGroupHead *	sh
	)

Prepare the pattern matcher ctx in a sig group head.

Definition at line 1342 of file detect-engine-mpm.c.

References DetectEngineCtx_::app_mpms, SigGroupHeadInitData_::app_mpms, BUG_ON, DetectMpmAppLayerRegistery_::direction, DetectMpmAppLayerRegistery_::id, SigGroupHead_::init, MpmStore_::mpm_ctx, MPMB_OTHERIP, MPMB_TCP_PKT_TC, MPMB_TCP_PKT_TS, MPMB_TCP_STREAM_TC, MPMB_TCP_STREAM_TS, MPMB_UDP_TC, MPMB_UDP_TS, MpmStorePrepareBuffer(), DetectMpmAppLayerRegistery_::name, PrefilterPktPayloadRegister(), PrefilterPktStreamRegister(), DetectMpmAppLayerRegistery_::PrefilterRegister, DetectMpmAppLayerRegistery_::PrefilterRegisterWithListId, DetectMpmAppLayerKeyword_::reg, SCCalloc, SCLogDebug, SGH_DIRECTION_TC, SGH_DIRECTION_TS, SGH_PROTO, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, DetectMpmAppLayerRegistery_::sm_list, and DetectMpmAppLayerRegistery_::v2.

Referenced by PrefilterSetupRuleGroup().

Here is the call graph for this function:

Here is the caller graph for this function:

void PatternMatchThreadDestroy	(	MpmThreadCtx *	mpm_thread_ctx,
		uint16_t
	)

Definition at line 529 of file detect-engine-mpm.c.

References MpmTableElmt_::DestroyThreadCtx, mpm_table, and SCLogDebug.

Referenced by DetectEngineThreadCtxInit().

Here is the caller graph for this function:

void PatternMatchThreadPrepare	(	MpmThreadCtx *	,
		uint16_t	type
	)

Definition at line 535 of file detect-engine-mpm.c.

References MpmInitThreadCtx(), and SCLogDebug.

Referenced by DetectEngineResetMaxSigId().

Here is the call graph for this function:

Here is the caller graph for this function:

void PatternMatchThreadPrint	(	MpmThreadCtx *	,
		uint16_t
	)

Definition at line 524 of file detect-engine-mpm.c.

References SCLogDebug.

Referenced by DetectEngineThreadCtxInfo().

Here is the caller graph for this function:

uint32_t PatternStrength	(	uint8_t *	pat,
		uint16_t	patlen
	)

Predict a strength value for patterns.

Patterns with high character diversity score higher. Alpha chars score not so high Other printable + a few common codes a little higher Everything else highest. Longer patterns score better than short patters.

Parameters

pat	pattern
patlen	length of the patternn

Return values

s	pattern score

Definition at line 554 of file detect-engine-mpm.c.

References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DETECT_CONTENT_NOCASE, DetectContentData_::flags, flags, DetectContentData_::fp_chop_len, DetectContentData_::fp_chop_offset, DetectContentData_::id, MPM_PATTERN_CTX_OWNS_ID, MpmAddPatternCI(), MpmAddPatternCS(), Signature_::num, and DetectContentData_::offset.

Referenced by PacketCreateMask().

Here is the call graph for this function:

Here is the caller graph for this function:

void RetrieveFPForSig	(	const DetectEngineCtx *	de_ctx,
		Signature *	s
	)

Definition at line 692 of file detect-engine-mpm.c.

References HashListTable_::array_size, MpmStore_::buffer, BUG_ON, DetectContentData_::content_len, MpmTableElmt_::DestroyCtx, DETECT_CONTENT, DETECT_CONTENT_FAST_PATTERN, DETECT_CONTENT_NEGATED, MpmStore_::direction, FastPatternSupportEnabledForSigMatchList(), MpmCtx_::flags, DetectContentData_::flags, Signature_::init_data, SCFPSupportSMList_::list_id, MpmStore_::mpm_ctx, SignatureInitData_::mpm_sm, mpm_table, MpmCtx_::mpm_type, MPMCTX_FLAGS_GLOBAL, SCFPSupportSMList_::next, SigMatch_::next, SCFPSupportSMList_::priority, SCFree, SCLogDebug, SCMemcmp, MpmStore_::sid_array, MpmStore_::sid_array_size, sm_fp_support_smlist_list, MpmStore_::sm_list, SignatureInitData_::smlists, and SignatureInitData_::smlists_array_size.

Referenced by DetectLoadCompleteSigPath(), and DetectSetFastPatternAndItsId().

Here is the call graph for this function:

Here is the caller graph for this function:

int SignatureHasPacketContent

(

const Signature *

s

)

check if a signature has patterns that are to be inspected against a packets payload (as opposed to the stream payload)

Parameters

s

signature

Return values

1	true
0	false

Definition at line 402 of file detect-engine-mpm.c.

References DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, DetectProto_::proto, Signature_::proto, SCEnter, SCLogDebug, SCReturnInt, SIG_FLAG_REQUIRE_PACKET, Signature_::sm_arrays, and SignatureInitData_::smlists.

Referenced by MpmStorePrepareBuffer(), and PerCentEncodingMatch().

Here is the caller graph for this function:

int SignatureHasStreamContent

(

const Signature *

s

)

check if a signature has patterns that are to be inspected against the stream payload (as opposed to the individual packets payload(s))

Parameters

s

signature

Return values

1	true
0	false

Definition at line 438 of file detect-engine-mpm.c.

References DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, DetectProto_::proto, Signature_::proto, SCEnter, SCLogDebug, SCReturnInt, SIG_FLAG_REQUIRE_STREAM, Signature_::sm_arrays, and SignatureInitData_::smlists.

Referenced by MpmStorePrepareBuffer(), and PerCentEncodingMatch().

Here is the caller graph for this function: