suricata
Data Structures | Typedefs | Functions
detect-engine-mpm.h File Reference
#include "tm-threads.h"
#include "detect.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "stream.h"
Include dependency graph for detect-engine-mpm.h:

Go to the source code of this file.

Data Structures

struct  PrefilterMpmListId
 
struct  MpmListIdDataArgs
 

Typedefs

typedef struct PrefilterMpmListId PrefilterMpmListId
 

Functions

void DetectMpmInitializePktMpms (DetectEngineCtx *de_ctx)
 
int DetectMpmPreparePktMpms (DetectEngineCtx *de_ctx)
 initialize mpm contexts for applayer buffers that are in "single or "shared" mode. More...
 
void DetectMpmInitializeAppMpms (DetectEngineCtx *de_ctx)
 
int DetectMpmPrepareAppMpms (DetectEngineCtx *de_ctx)
 initialize mpm contexts for applayer buffers that are in "single or "shared" mode. More...
 
void DetectMpmInitializeBuiltinMpms (DetectEngineCtx *de_ctx)
 
int DetectMpmPrepareBuiltinMpms (DetectEngineCtx *de_ctx)
 initialize mpm contexts for builtin buffers that are in "single or "shared" mode. More...
 
uint32_t PatternStrength (uint8_t *, uint16_t)
 Predict a strength value for patterns. More...
 
uint16_t PatternMatchDefaultMatcher (void)
 Function to return the multi pattern matcher algorithm to be used by the engine, based on the mpm-algo setting in yaml Use the default mpm if none is specified in the yaml file. More...
 
uint32_t DnsQueryPatternSearch (DetectEngineThreadCtx *det_ctx, uint8_t *buffer, uint32_t buffer_len, uint8_t flags)
 
void PatternMatchPrepare (MpmCtx *, uint16_t)
 
void PatternMatchThreadPrepare (MpmThreadCtx *, uint16_t type)
 
void PatternMatchDestroy (MpmCtx *, uint16_t)
 
void PatternMatchThreadDestroy (MpmThreadCtx *mpm_thread_ctx, uint16_t)
 
void PatternMatchThreadPrint (MpmThreadCtx *, uint16_t)
 
int PatternMatchPrepareGroup (DetectEngineCtx *, SigGroupHead *)
 Prepare the pattern matcher ctx in a sig group head. More...
 
void DetectEngineThreadCtxInfo (ThreadVars *, DetectEngineThreadCtx *)
 
TmEcode DetectEngineThreadCtxInit (ThreadVars *, void *, void **)
 initialize thread specific detection engine context More...
 
TmEcode DetectEngineThreadCtxDeinit (ThreadVars *, void *)
 
int SignatureHasPacketContent (const Signature *)
 check if a signature has patterns that are to be inspected against a packets payload (as opposed to the stream payload) More...
 
int SignatureHasStreamContent (const Signature *)
 check if a signature has patterns that are to be inspected against the stream payload (as opposed to the individual packets payload(s)) More...
 
void RetrieveFPForSig (const DetectEngineCtx *de_ctx, Signature *s)
 
int MpmStoreInit (DetectEngineCtx *)
 Initializes the MpmStore mpm hash table to be used by the detection engine context. More...
 
void MpmStoreFree (DetectEngineCtx *)
 Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by MpmStoreInit() function. More...
 
void MpmStoreReportStats (const DetectEngineCtx *de_ctx)
 
MpmStoreMpmStorePrepareBuffer (DetectEngineCtx *de_ctx, SigGroupHead *sgh, enum MpmBuiltinBuffers buf)
 Get MpmStore for a built-in buffer type. More...
 
int DetectSetFastPatternAndItsId (DetectEngineCtx *de_ctx)
 Figured out the FP and their respective content ids for all the sigs in the engine. More...
 
void DetectAppLayerMpmRegister2 (const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
 register an app layer keyword for mpm More...
 
void DetectAppLayerMpmRegisterByParentId (DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
 copy a mpm engine from parent_id, add in transforms More...
 
void DetectPktMpmRegister (const char *name, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetPktDataPtr GetData)
 register a MPM engine More...
 
void DetectPktMpmRegisterByParentId (DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
 copy a mpm engine from parent_id, add in transforms More...
 
int PrefilterGenericMpmPktRegister (DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
 

Detailed Description

Author
Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Definition in file detect-engine-mpm.h.

Typedef Documentation

◆ PrefilterMpmListId

typedef struct PrefilterMpmListId PrefilterMpmListId

Function Documentation

◆ DetectAppLayerMpmRegister2()

void DetectAppLayerMpmRegister2 ( const char *  name,
int  direction,
int  priority,
int(*)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)  PrefilterRegister,
InspectionBufferGetDataPtr  GetData,
AppProto  alproto,
int  tx_min_progress 
)

register an app layer keyword for mpm

Parameters
namebuffer name
directionSIG_FLAG_TOSERVER or SIG_FLAG_TOCLIENT
prioritympm keyword priority
PrefilterRegisterPrefilter api registration function
GetDatacallback to setup a InspectBuffer. May be NULL.
alprotoAppProto this MPM engine inspects
tx_min_progressmin tx progress needed to invoke this engine.
Note
direction must be set to either toserver or toclient. If both are needed, register the keyword twice.

register an app layer keyword for mpm

Note
to be used at start up / registration only. Errors are fatal.

Definition at line 89 of file detect-engine-mpm.c.

◆ DetectAppLayerMpmRegisterByParentId()

void DetectAppLayerMpmRegisterByParentId ( DetectEngineCtx de_ctx,
const int  id,
const int  parent_id,
DetectEngineTransforms transforms 
)

copy a mpm engine from parent_id, add in transforms

Definition at line 144 of file detect-engine-mpm.c.

References DetectEngineCtx_::app_mpms_list, DetectEngineCtx_::app_mpms_list_cnt, DetectBufferMpmRegistery_::app_v2, BUG_ON, DetectEngineTransforms::cnt, de_ctx, DETECT_BUFFER_MPM_TYPE_APP, DetectBufferMpmRegistery_::direction, DetectBufferMpmRegistery_::id, MpmFactoryRegisterMpmCtxProfile(), DetectBufferMpmRegistery_::name, SigTableElmt_::name, DetectBufferMpmRegistery_::next, DetectBufferMpmRegistery_::pname, DetectBufferMpmRegistery_::PrefilterRegisterWithListId, DetectBufferMpmRegistery_::priority, SCCalloc, SCLogDebug, DetectBufferMpmRegistery_::sgh_mpm_context, ShortenString(), sigmatch_table, DetectBufferMpmRegistery_::sm_list, strlcat(), strlcpy(), SupportFastPatternForSigMatchList(), TransformData_::transform, DetectEngineTransforms::transforms, DetectBufferMpmRegistery_::transforms, and DetectBufferMpmRegistery_::type.

Here is the call graph for this function:

◆ DetectEngineThreadCtxDeinit()

TmEcode DetectEngineThreadCtxDeinit ( ThreadVars ,
void *   
)

Definition at line 3005 of file detect-engine.c.

Referenced by UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().

Here is the caller graph for this function:

◆ DetectEngineThreadCtxInfo()

void DetectEngineThreadCtxInfo ( ThreadVars ,
DetectEngineThreadCtx  
)

Definition at line 3023 of file detect-engine.c.

References DetectEngineThreadCtx_::de_ctx, DetectEngineCtx_::mpm_matcher, DetectEngineThreadCtx_::mtc, DetectEngineThreadCtx_::mtcu, and PatternMatchThreadPrint().

Here is the call graph for this function:

◆ DetectEngineThreadCtxInit()

TmEcode DetectEngineThreadCtxInit ( ThreadVars tv,
void *  initdata,
void **  data 
)

initialize thread specific detection engine context

Note
there is a special case when using delayed detect. In this case the function is called twice per thread. The first time the rules are not yet loaded. de_ctx->delayed_detect_initialized will be 0. The 2nd time they will be loaded. de_ctx->delayed_detect_initialized will be 1. This is needed to do the per thread counter registration before the packet runtime starts. In delayed detect mode, the first call will return a NULL ptr through the data ptr.
Parameters
tvThreadVars for this thread
initdatapointer to de_ctx
data[out]pointer to store our thread detection ctx
Return values
TM_ECODE_OKif all went well
TM_ECODE_FAILEDon serious errors

alert counter setup

Definition at line 2797 of file detect-engine.c.

Referenced by UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().

Here is the caller graph for this function:

◆ DetectMpmInitializeAppMpms()

void DetectMpmInitializeAppMpms ( DetectEngineCtx de_ctx)

Definition at line 209 of file detect-engine-mpm.c.

◆ DetectMpmInitializeBuiltinMpms()

void DetectMpmInitializeBuiltinMpms ( DetectEngineCtx de_ctx)

Definition at line 476 of file detect-engine-mpm.c.

References de_ctx, and DetectEngineCtx_::sgh_mpm_context_proto_tcp_packet.

◆ DetectMpmInitializePktMpms()

void DetectMpmInitializePktMpms ( DetectEngineCtx de_ctx)

Definition at line 375 of file detect-engine-mpm.c.

◆ DetectMpmPrepareAppMpms()

int DetectMpmPrepareAppMpms ( DetectEngineCtx de_ctx)

initialize mpm contexts for applayer buffers that are in "single or "shared" mode.

Definition at line 263 of file detect-engine-mpm.c.

References DetectEngineCtx_::app_mpms_list, de_ctx, DetectBufferMpmRegistery_::direction, MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_matcher, mpm_table, MpmFactoryGetMpmCtxForProfile(), DetectBufferMpmRegistery_::next, MpmTableElmt_::Prepare, DetectBufferMpmRegistery_::sgh_mpm_context, and SIG_FLAG_TOSERVER.

Here is the call graph for this function:

◆ DetectMpmPrepareBuiltinMpms()

int DetectMpmPrepareBuiltinMpms ( DetectEngineCtx de_ctx)

initialize mpm contexts for builtin buffers that are in "single or "shared" mode.

Definition at line 489 of file detect-engine-mpm.c.

References de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_matcher, mpm_table, MpmFactoryGetMpmCtxForProfile(), MpmTableElmt_::Prepare, DetectEngineCtx_::sgh_mpm_context_proto_other_packet, DetectEngineCtx_::sgh_mpm_context_proto_tcp_packet, DetectEngineCtx_::sgh_mpm_context_proto_udp_packet, and DetectEngineCtx_::sgh_mpm_context_stream.

Here is the call graph for this function:

◆ DetectMpmPreparePktMpms()

int DetectMpmPreparePktMpms ( DetectEngineCtx de_ctx)

initialize mpm contexts for applayer buffers that are in "single or "shared" mode.

Definition at line 430 of file detect-engine-mpm.c.

References de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_matcher, mpm_table, MpmFactoryGetMpmCtxForProfile(), DetectBufferMpmRegistery_::name, DetectBufferMpmRegistery_::next, DetectEngineCtx_::pkt_mpms_list, MpmTableElmt_::Prepare, SCLogDebug, and DetectBufferMpmRegistery_::sgh_mpm_context.

Here is the call graph for this function:

◆ DetectPktMpmRegister()

void DetectPktMpmRegister ( const char *  name,
int  priority,
int(*)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)  PrefilterRegister,
InspectionBufferGetPktDataPtr  GetData 
)

register a MPM engine

Note
to be used at start up / registration only. Errors are fatal.

Definition at line 288 of file detect-engine-mpm.c.

◆ DetectPktMpmRegisterByParentId()

void DetectPktMpmRegisterByParentId ( DetectEngineCtx de_ctx,
const int  id,
const int  parent_id,
DetectEngineTransforms transforms 
)

copy a mpm engine from parent_id, add in transforms

Definition at line 339 of file detect-engine-mpm.c.

References BUG_ON, de_ctx, DETECT_BUFFER_MPM_TYPE_PKT, DetectBufferMpmRegistery_::id, DetectBufferMpmRegistery_::name, DetectBufferMpmRegistery_::next, DetectEngineCtx_::pkt_mpms_list, DetectEngineCtx_::pkt_mpms_list_cnt, DetectBufferMpmRegistery_::pkt_v1, DetectBufferMpmRegistery_::pname, DetectBufferMpmRegistery_::PrefilterRegisterWithListId, DetectBufferMpmRegistery_::priority, SCCalloc, SCLogDebug, DetectBufferMpmRegistery_::sgh_mpm_context, DetectBufferMpmRegistery_::sm_list, SupportFastPatternForSigMatchList(), DetectBufferMpmRegistery_::transforms, and DetectBufferMpmRegistery_::type.

Here is the call graph for this function:

◆ DetectSetFastPatternAndItsId()

int DetectSetFastPatternAndItsId ( DetectEngineCtx de_ctx)

Figured out the FP and their respective content ids for all the sigs in the engine.

Parameters
de_ctxDetection engine context.
Return values
0On success.
-1On failure.

Definition at line 1732 of file detect-engine-mpm.c.

References BUG_ON, DetectContentData_::content, DetectContentData_::content_len, SigMatch_::ctx, de_ctx, DETECT_CONTENT_FAST_PATTERN_CHOP, DETECT_CONTENT_NOCASE, flags, DetectContentData_::flags, Signature_::flags, DetectContentData_::fp_chop_len, DetectContentData_::fp_chop_offset, Signature_::init_data, SignatureInitData_::mpm_sm, Signature_::next, PatIntId, RetrieveFPForSig(), SCMalloc, SIG_FLAG_PREFILTER, DetectEngineCtx_::sig_list, SigMatchListSMBelongsTo(), and unlikely.

Referenced by SigGroupBuild().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ DnsQueryPatternSearch()

uint32_t DnsQueryPatternSearch ( DetectEngineThreadCtx det_ctx,
uint8_t *  buffer,
uint32_t  buffer_len,
uint8_t  flags 
)

◆ MpmStoreFree()

void MpmStoreFree ( DetectEngineCtx de_ctx)

Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by MpmStoreInit() function.

Parameters
de_ctxPointer to the detection engine context.

Definition at line 1182 of file detect-engine-mpm.c.

References de_ctx, HashListTableFree(), and DetectEngineCtx_::mpm_hash_table.

Referenced by DetectEngineCtxFree().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ MpmStoreInit()

int MpmStoreInit ( DetectEngineCtx de_ctx)

Initializes the MpmStore mpm hash table to be used by the detection engine context.

Parameters
de_ctxPointer to the detection engine context.
Return values
0On success.
-1On failure.

Definition at line 1035 of file detect-engine-mpm.c.

References de_ctx, HashListTableInit(), and DetectEngineCtx_::mpm_hash_table.

Here is the call graph for this function:

◆ MpmStorePrepareBuffer()

MpmStore* MpmStorePrepareBuffer ( DetectEngineCtx de_ctx,
SigGroupHead sgh,
enum MpmBuiltinBuffers  buf 
)

Get MpmStore for a built-in buffer type.

Definition at line 1289 of file detect-engine-mpm.c.

Referenced by PatternMatchPrepareGroup().

Here is the caller graph for this function:

◆ MpmStoreReportStats()

void MpmStoreReportStats ( const DetectEngineCtx de_ctx)

Definition at line 1101 of file detect-engine-mpm.c.

References MpmStore_::buffer, DetectEngineCtx_::buffer_type_map_elements, de_ctx, DETECT_SM_LIST_PMATCH, HashListTableGetListData, HashListTableGetListHead(), HashListTableGetListNext, MpmStore_::mpm_ctx, DetectEngineCtx_::mpm_hash_table, MPMB_MAX, and MpmStore_::sm_list.

Here is the call graph for this function:

◆ PatternMatchDefaultMatcher()

uint16_t PatternMatchDefaultMatcher ( void  )

Function to return the multi pattern matcher algorithm to be used by the engine, based on the mpm-algo setting in yaml Use the default mpm if none is specified in the yaml file.

Return values
mpmalgo value

Definition at line 616 of file detect-engine-mpm.c.

References ConfGet(), FatalError, mpm_default_matcher, mpm_table, MPM_TABLE_SIZE, SC_ERR_FATAL, SC_ERR_INVALID_VALUE, and SC_ERR_INVALID_YAML_CONF_ENTRY.

Here is the call graph for this function:

◆ PatternMatchDestroy()

void PatternMatchDestroy ( MpmCtx ,
uint16_t   
)

Definition at line 658 of file detect-engine-mpm.c.

References MpmTableElmt_::DestroyCtx, mpm_table, and SCLogDebug.

◆ PatternMatchPrepare()

void PatternMatchPrepare ( MpmCtx ,
uint16_t   
)

◆ PatternMatchPrepareGroup()

int PatternMatchPrepareGroup ( DetectEngineCtx de_ctx,
SigGroupHead sh 
)

Prepare the pattern matcher ctx in a sig group head.

Definition at line 1659 of file detect-engine-mpm.c.

References de_ctx, MpmStore_::mpm_ctx, MPMB_TCP_PKT_TS, MPMB_TCP_STREAM_TS, MpmStorePrepareBuffer(), PrefilterPktPayloadRegister(), PrefilterPktStreamRegister(), SGH_DIRECTION_TS, and SGH_PROTO.

Referenced by PrefilterSetupRuleGroup().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ PatternMatchThreadDestroy()

void PatternMatchThreadDestroy ( MpmThreadCtx mpm_thread_ctx,
uint16_t   
)

Definition at line 669 of file detect-engine-mpm.c.

References MpmTableElmt_::DestroyThreadCtx, mpm_table, and SCLogDebug.

◆ PatternMatchThreadPrepare()

void PatternMatchThreadPrepare ( MpmThreadCtx ,
uint16_t  type 
)

Definition at line 675 of file detect-engine-mpm.c.

References MpmInitThreadCtx(), and SCLogDebug.

Here is the call graph for this function:

◆ PatternMatchThreadPrint()

void PatternMatchThreadPrint ( MpmThreadCtx ,
uint16_t   
)

Definition at line 664 of file detect-engine-mpm.c.

References SCLogDebug.

Referenced by DetectEngineThreadCtxInfo().

Here is the caller graph for this function:

◆ PatternStrength()

uint32_t PatternStrength ( uint8_t *  pat,
uint16_t  patlen 
)

Predict a strength value for patterns.

Patterns with high character diversity score higher. Alpha chars score not so high Other printable + a few common codes a little higher Everything else highest. Longer patterns score better than short patters.

Parameters
patpattern
patlenlength of the pattern
Return values
spattern score

Definition at line 694 of file detect-engine-mpm.c.

◆ PrefilterGenericMpmPktRegister()

int PrefilterGenericMpmPktRegister ( DetectEngineCtx de_ctx,
SigGroupHead sgh,
MpmCtx mpm_ctx,
const DetectBufferMpmRegistery mpm_reg,
int  list_id 
)

Definition at line 681 of file detect-engine-prefilter.c.

◆ RetrieveFPForSig()

void RetrieveFPForSig ( const DetectEngineCtx de_ctx,
Signature s 
)

Definition at line 839 of file detect-engine-mpm.c.

References de_ctx, DETECT_CONTENT, DETECT_CONTENT_FAST_PATTERN, FastPatternSupportEnabledForSigMatchList(), DetectContentData_::flags, Signature_::init_data, SignatureInitData_::mpm_sm, SigMatch_::next, SignatureInitData_::smlists, and SignatureInitData_::smlists_array_size.

Referenced by DetectSetFastPatternAndItsId().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SignatureHasPacketContent()

int SignatureHasPacketContent ( const Signature s)

check if a signature has patterns that are to be inspected against a packets payload (as opposed to the stream payload)

Parameters
ssignature
Return values
1true
0false

Definition at line 546 of file detect-engine-mpm.c.

References DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, DetectProto_::proto, Signature_::proto, SCEnter, SCLogDebug, SCReturnInt, SIG_FLAG_REQUIRE_PACKET, Signature_::sm_arrays, and SignatureInitData_::smlists.

◆ SignatureHasStreamContent()

int SignatureHasStreamContent ( const Signature s)

check if a signature has patterns that are to be inspected against the stream payload (as opposed to the individual packets payload(s))

Parameters
ssignature
Return values
1true
0false

Definition at line 582 of file detect-engine-mpm.c.

References DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, DetectProto_::proto, Signature_::proto, SCEnter, SCLogDebug, SCReturnInt, SIG_FLAG_REQUIRE_STREAM, Signature_::sm_arrays, and SignatureInitData_::smlists.