#include "tm-threads.h"
#include "detect.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "stream.h"

Include dependency graph for detect-engine-mpm.h:

Data Structures
struct	PrefilterMpmListId

struct	MpmListIdDataArgs

Typedefs
typedef struct PrefilterMpmListId	PrefilterMpmListId

Functions
void	DetectMpmInitializePktMpms (DetectEngineCtx *de_ctx)

int	DetectMpmPreparePktMpms (DetectEngineCtx *de_ctx)
	initialize mpm contexts for applayer buffers that are in "single or "shared" mode. More...

void	DetectMpmInitializeAppMpms (DetectEngineCtx *de_ctx)

int	DetectMpmPrepareAppMpms (DetectEngineCtx *de_ctx)
	initialize mpm contexts for applayer buffers that are in "single or "shared" mode. More...

void	DetectMpmInitializeBuiltinMpms (DetectEngineCtx *de_ctx)

int	DetectMpmPrepareBuiltinMpms (DetectEngineCtx *de_ctx)
	initialize mpm contexts for builtin buffers that are in "single or "shared" mode. More...

uint32_t	PatternStrength (uint8_t *, uint16_t)
	Predict a strength value for patterns. More...

uint16_t	PatternMatchDefaultMatcher (void)
	Function to return the multi pattern matcher algorithm to be used by the engine, based on the mpm-algo setting in yaml Use the default mpm if none is specified in the yaml file. More...

uint32_t	DnsQueryPatternSearch (DetectEngineThreadCtx det_ctx, uint8_t buffer, uint32_t buffer_len, uint8_t flags)

void	PatternMatchPrepare (MpmCtx *, uint16_t)

void	PatternMatchThreadPrepare (MpmThreadCtx *, uint16_t type)

void	PatternMatchDestroy (MpmCtx *, uint16_t)

void	PatternMatchThreadDestroy (MpmThreadCtx *mpm_thread_ctx, uint16_t)

void	PatternMatchThreadPrint (MpmThreadCtx *, uint16_t)

int	PatternMatchPrepareGroup (DetectEngineCtx , SigGroupHead )
	Prepare the pattern matcher ctx in a sig group head. More...

void	DetectEngineThreadCtxInfo (ThreadVars , DetectEngineThreadCtx )

TmEcode	DetectEngineThreadCtxInit (ThreadVars , void , void **)
	initialize thread specific detection engine context More...

TmEcode	DetectEngineThreadCtxDeinit (ThreadVars , void )

int	SignatureHasPacketContent (const Signature *)
	check if a signature has patterns that are to be inspected against a packets payload (as opposed to the stream payload) More...

int	SignatureHasStreamContent (const Signature *)
	check if a signature has patterns that are to be inspected against the stream payload (as opposed to the individual packets payload(s)) More...

void	RetrieveFPForSig (const DetectEngineCtx de_ctx, Signature s)

int	MpmStoreInit (DetectEngineCtx *)
	Initializes the MpmStore mpm hash table to be used by the detection engine context. More...

void	MpmStoreFree (DetectEngineCtx *)
	Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by MpmStoreInit() function. More...

void	MpmStoreReportStats (const DetectEngineCtx *de_ctx)

MpmStore *	MpmStorePrepareBuffer (DetectEngineCtx de_ctx, SigGroupHead sgh, enum MpmBuiltinBuffers buf)
	Get MpmStore for a built-in buffer type. More...

int	DetectSetFastPatternAndItsId (DetectEngineCtx *de_ctx)
	Figured out the FP and their respective content ids for all the sigs in the engine. More...

void	DetectAppLayerMpmRegister2 (const char name, int direction, int priority, int(PrefilterRegister)(DetectEngineCtx de_ctx, SigGroupHead sgh, MpmCtx mpm_ctx, const DetectBufferMpmRegistery mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
	register an app layer keyword for mpm More...

void	DetectAppLayerMpmRegisterByParentId (DetectEngineCtx de_ctx, const int id, const int parent_id, DetectEngineTransforms transforms)
	copy a mpm engine from parent_id, add in transforms More...

void	DetectPktMpmRegister (const char name, int priority, int(PrefilterRegister)(DetectEngineCtx de_ctx, SigGroupHead sgh, MpmCtx mpm_ctx, const DetectBufferMpmRegistery mpm_reg, int list_id), InspectionBufferGetPktDataPtr GetData)
	register a MPM engine More...

void	DetectPktMpmRegisterByParentId (DetectEngineCtx de_ctx, const int id, const int parent_id, DetectEngineTransforms transforms)
	copy a mpm engine from parent_id, add in transforms More...

int	PrefilterGenericMpmPktRegister (DetectEngineCtx de_ctx, SigGroupHead sgh, MpmCtx mpm_ctx, const DetectBufferMpmRegistery mpm_reg, int list_id)

Detailed Description

Author: Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Definition in file detect-engine-mpm.h.

Typedef Documentation

◆ PrefilterMpmListId

typedef struct PrefilterMpmListId PrefilterMpmListId

Function Documentation

◆ DetectAppLayerMpmRegister2()

void DetectAppLayerMpmRegister2	(	const char *	name,
		int	direction,
		int	priority,
		int()(DetectEngineCtx de_ctx, SigGroupHead sgh, MpmCtx mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)	PrefilterRegister,
		InspectionBufferGetDataPtr	GetData,
		AppProto	alproto,
		int	tx_min_progress
	)

register an app layer keyword for mpm

Parameters

name	buffer name
direction	SIG_FLAG_TOSERVER or SIG_FLAG_TOCLIENT
priority	mpm keyword priority
PrefilterRegister	Prefilter api registration function
GetData	callback to setup a InspectBuffer. May be NULL.
alproto	AppProto this MPM engine inspects
tx_min_progress	min tx progress needed to invoke this engine.

Note: direction must be set to either toserver or toclient. If both are needed, register the keyword twice.

register an app layer keyword for mpm

Note: to be used at start up / registration only. Errors are fatal.

Definition at line 89 of file detect-engine-mpm.c.

◆ DetectAppLayerMpmRegisterByParentId()

void DetectAppLayerMpmRegisterByParentId	(	DetectEngineCtx *	de_ctx,
		const int	id,
		const int	parent_id,
		DetectEngineTransforms *	transforms
	)

copy a mpm engine from parent_id, add in transforms

Definition at line 145 of file detect-engine-mpm.c.

Here is the call graph for this function:

◆ DetectEngineThreadCtxDeinit()

TmEcode DetectEngineThreadCtxDeinit	(	ThreadVars *	,
		void *
	)

Definition at line 2982 of file detect-engine.c.

Referenced by UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().

Here is the caller graph for this function:

◆ DetectEngineThreadCtxInfo()

void DetectEngineThreadCtxInfo	(	ThreadVars *	,
		DetectEngineThreadCtx *
	)

Definition at line 3000 of file detect-engine.c.

References DetectEngineThreadCtx_::de_ctx, DetectEngineCtx_::mpm_matcher, DetectEngineThreadCtx_::mtc, DetectEngineThreadCtx_::mtcu, and PatternMatchThreadPrint().

Here is the call graph for this function:

◆ DetectEngineThreadCtxInit()

TmEcode DetectEngineThreadCtxInit	(	ThreadVars *	tv,
		void *	initdata,
		void **	data
	)

initialize thread specific detection engine context

Note: there is a special case when using delayed detect. In this case the function is called twice per thread. The first time the rules are not yet loaded. de_ctx->delayed_detect_initialized will be 0. The 2nd time they will be loaded. de_ctx->delayed_detect_initialized will be 1. This is needed to do the per thread counter registration before the packet runtime starts. In delayed detect mode, the first call will return a NULL ptr through the data ptr.

Parameters

tv	ThreadVars for this thread
initdata	pointer to de_ctx
data[out]	pointer to store our thread detection ctx

Return values

TM_ECODE_OK	if all went well
TM_ECODE_FAILED	on serious errors

alert counter setup

Definition at line 2774 of file detect-engine.c.

Referenced by UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().

Here is the caller graph for this function:

◆ DetectMpmInitializeAppMpms()

void DetectMpmInitializeAppMpms ( DetectEngineCtx * de_ctx )

Definition at line 211 of file detect-engine-mpm.c.

◆ DetectMpmInitializeBuiltinMpms()

void DetectMpmInitializeBuiltinMpms ( DetectEngineCtx * de_ctx )

Definition at line 479 of file detect-engine-mpm.c.

References de_ctx, and DetectEngineCtx_::sgh_mpm_context_proto_tcp_packet.

◆ DetectMpmInitializePktMpms()

void DetectMpmInitializePktMpms ( DetectEngineCtx * de_ctx )

Definition at line 378 of file detect-engine-mpm.c.

◆ DetectMpmPrepareAppMpms()

int DetectMpmPrepareAppMpms ( DetectEngineCtx * de_ctx )

initialize mpm contexts for applayer buffers that are in "single or "shared" mode.

Definition at line 265 of file detect-engine-mpm.c.

References DetectEngineCtx_::app_mpms_list, de_ctx, DetectBufferMpmRegistery_::direction, MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_matcher, mpm_table, MpmFactoryGetMpmCtxForProfile(), DetectBufferMpmRegistery_::next, MpmTableElmt_::Prepare, DetectBufferMpmRegistery_::sgh_mpm_context, and SIG_FLAG_TOSERVER.

Here is the call graph for this function:

◆ DetectMpmPrepareBuiltinMpms()

int DetectMpmPrepareBuiltinMpms ( DetectEngineCtx * de_ctx )

initialize mpm contexts for builtin buffers that are in "single or "shared" mode.

Definition at line 492 of file detect-engine-mpm.c.

References de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_matcher, mpm_table, MpmFactoryGetMpmCtxForProfile(), MpmTableElmt_::Prepare, DetectEngineCtx_::sgh_mpm_context_proto_other_packet, DetectEngineCtx_::sgh_mpm_context_proto_tcp_packet, DetectEngineCtx_::sgh_mpm_context_proto_udp_packet, and DetectEngineCtx_::sgh_mpm_context_stream.

Here is the call graph for this function:

◆ DetectMpmPreparePktMpms()

int DetectMpmPreparePktMpms ( DetectEngineCtx * de_ctx )

initialize mpm contexts for applayer buffers that are in "single or "shared" mode.

Definition at line 433 of file detect-engine-mpm.c.

References de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, DetectEngineCtx_::mpm_matcher, mpm_table, MpmFactoryGetMpmCtxForProfile(), DetectBufferMpmRegistery_::name, DetectBufferMpmRegistery_::next, DetectEngineCtx_::pkt_mpms_list, MpmTableElmt_::Prepare, SCLogDebug, and DetectBufferMpmRegistery_::sgh_mpm_context.

Here is the call graph for this function:

◆ DetectPktMpmRegister()

void DetectPktMpmRegister	(	const char *	name,
		int	priority,
		int()(DetectEngineCtx de_ctx, SigGroupHead sgh, MpmCtx mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)	PrefilterRegister,
		InspectionBufferGetPktDataPtr	GetData
	)

register a MPM engine

Note: to be used at start up / registration only. Errors are fatal.

Definition at line 290 of file detect-engine-mpm.c.

◆ DetectPktMpmRegisterByParentId()

void DetectPktMpmRegisterByParentId	(	DetectEngineCtx *	de_ctx,
		const int	id,
		const int	parent_id,
		DetectEngineTransforms *	transforms
	)

copy a mpm engine from parent_id, add in transforms

Definition at line 341 of file detect-engine-mpm.c.

Here is the call graph for this function:

◆ DetectSetFastPatternAndItsId()

int DetectSetFastPatternAndItsId ( DetectEngineCtx * de_ctx )

Figured out the FP and their respective content ids for all the sigs in the engine.

Parameters

de_ctx Detection engine context.

Return values

0	On success.
-1	On failure.

Definition at line 1735 of file detect-engine-mpm.c.

References BUG_ON, DetectContentData_::content, DetectContentData_::content_len, SigMatch_::ctx, de_ctx, DETECT_CONTENT_FAST_PATTERN_CHOP, DETECT_CONTENT_NOCASE, flags, DetectContentData_::flags, Signature_::flags, DetectContentData_::fp_chop_len, DetectContentData_::fp_chop_offset, Signature_::init_data, SignatureInitData_::mpm_sm, Signature_::next, PatIntId, RetrieveFPForSig(), SCMalloc, SIG_FLAG_PREFILTER, DetectEngineCtx_::sig_list, SigMatchListSMBelongsTo(), and unlikely.

Referenced by SigGroupBuild().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ DnsQueryPatternSearch()

uint32_t DnsQueryPatternSearch	(	DetectEngineThreadCtx *	det_ctx,
		uint8_t *	buffer,
		uint32_t	buffer_len,
		uint8_t	flags
	)

◆ MpmStoreFree()

void MpmStoreFree ( DetectEngineCtx * de_ctx )

Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by MpmStoreInit() function.

Parameters

de_ctx Pointer to the detection engine context.

Definition at line 1185 of file detect-engine-mpm.c.

References de_ctx, HashListTableFree(), and DetectEngineCtx_::mpm_hash_table.

Referenced by DetectEngineCtxFree().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ MpmStoreInit()

int MpmStoreInit ( DetectEngineCtx * de_ctx )

Initializes the MpmStore mpm hash table to be used by the detection engine context.

Parameters

de_ctx Pointer to the detection engine context.

Return values

0	On success.
-1	On failure.

Definition at line 1038 of file detect-engine-mpm.c.

References de_ctx, HashListTableInit(), and DetectEngineCtx_::mpm_hash_table.

Here is the call graph for this function:

◆ MpmStorePrepareBuffer()

MpmStore* MpmStorePrepareBuffer	(	DetectEngineCtx *	de_ctx,
		SigGroupHead *	sgh,
		enum MpmBuiltinBuffers	buf
	)

Get MpmStore for a built-in buffer type.

Definition at line 1292 of file detect-engine-mpm.c.

Referenced by PatternMatchPrepareGroup().

Here is the caller graph for this function:

◆ MpmStoreReportStats()

void MpmStoreReportStats ( const DetectEngineCtx * de_ctx )

Definition at line 1104 of file detect-engine-mpm.c.

References MpmStore_::buffer, DetectEngineCtx_::buffer_type_map_elements, de_ctx, DETECT_SM_LIST_PMATCH, HashListTableGetListData, HashListTableGetListHead(), HashListTableGetListNext, MpmStore_::mpm_ctx, DetectEngineCtx_::mpm_hash_table, MPMB_MAX, and MpmStore_::sm_list.

Here is the call graph for this function:

◆ PatternMatchDefaultMatcher()

uint16_t PatternMatchDefaultMatcher ( void )

Function to return the multi pattern matcher algorithm to be used by the engine, based on the mpm-algo setting in yaml Use the default mpm if none is specified in the yaml file.

Return values

mpm	algo value

Definition at line 619 of file detect-engine-mpm.c.

References ConfGet(), FatalError, mpm_default_matcher, mpm_table, MPM_TABLE_SIZE, SC_ERR_FATAL, SC_ERR_INVALID_VALUE, and SC_ERR_INVALID_YAML_CONF_ENTRY.

Here is the call graph for this function:

◆ PatternMatchDestroy()

void PatternMatchDestroy	(	MpmCtx *	,
		uint16_t
	)

Definition at line 661 of file detect-engine-mpm.c.

References MpmTableElmt_::DestroyCtx, mpm_table, and SCLogDebug.

◆ PatternMatchPrepare()

void PatternMatchPrepare	(	MpmCtx *	,
		uint16_t
	)

◆ PatternMatchPrepareGroup()

int PatternMatchPrepareGroup	(	DetectEngineCtx *	de_ctx,
		SigGroupHead *	sh
	)

Prepare the pattern matcher ctx in a sig group head.

Definition at line 1662 of file detect-engine-mpm.c.

References de_ctx, MpmStore_::mpm_ctx, MPMB_TCP_PKT_TS, MPMB_TCP_STREAM_TS, MpmStorePrepareBuffer(), PrefilterPktPayloadRegister(), PrefilterPktStreamRegister(), SGH_DIRECTION_TS, and SGH_PROTO.

Referenced by PrefilterSetupRuleGroup().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ PatternMatchThreadDestroy()

void PatternMatchThreadDestroy	(	MpmThreadCtx *	mpm_thread_ctx,
		uint16_t
	)

Definition at line 672 of file detect-engine-mpm.c.

References MpmTableElmt_::DestroyThreadCtx, mpm_table, and SCLogDebug.

◆ PatternMatchThreadPrepare()

void PatternMatchThreadPrepare	(	MpmThreadCtx *	,
		uint16_t	type
	)

Definition at line 678 of file detect-engine-mpm.c.

References MpmInitThreadCtx(), and SCLogDebug.

Here is the call graph for this function:

◆ PatternMatchThreadPrint()

void PatternMatchThreadPrint	(	MpmThreadCtx *	,
		uint16_t
	)

Definition at line 667 of file detect-engine-mpm.c.

References SCLogDebug.

Referenced by DetectEngineThreadCtxInfo().

Here is the caller graph for this function:

◆ PatternStrength()

uint32_t PatternStrength	(	uint8_t *	pat,
		uint16_t	patlen
	)

Predict a strength value for patterns.

Patterns with high character diversity score higher. Alpha chars score not so high Other printable + a few common codes a little higher Everything else highest. Longer patterns score better than short patters.

Parameters

pat	pattern
patlen	length of the pattern

Return values

s	pattern score

Definition at line 697 of file detect-engine-mpm.c.

◆ PrefilterGenericMpmPktRegister()

int PrefilterGenericMpmPktRegister	(	DetectEngineCtx *	de_ctx,
		SigGroupHead *	sgh,
		MpmCtx *	mpm_ctx,
		const DetectBufferMpmRegistery *	mpm_reg,
		int	list_id
	)

Definition at line 681 of file detect-engine-prefilter.c.

◆ RetrieveFPForSig()

void RetrieveFPForSig	(	const DetectEngineCtx *	de_ctx,
		Signature *	s
	)

Definition at line 842 of file detect-engine-mpm.c.

References de_ctx, DETECT_CONTENT, DETECT_CONTENT_FAST_PATTERN, FastPatternSupportEnabledForSigMatchList(), DetectContentData_::flags, Signature_::init_data, SignatureInitData_::mpm_sm, SigMatch_::next, SignatureInitData_::smlists, and SignatureInitData_::smlists_array_size.

Referenced by DetectSetFastPatternAndItsId().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ SignatureHasPacketContent()

int SignatureHasPacketContent ( const Signature * s )

check if a signature has patterns that are to be inspected against a packets payload (as opposed to the stream payload)

Parameters

s signature

Return values

1	true
0	false

Definition at line 549 of file detect-engine-mpm.c.

References DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, DetectProto_::proto, Signature_::proto, SCEnter, SCLogDebug, SCReturnInt, SIG_FLAG_REQUIRE_PACKET, Signature_::sm_arrays, and SignatureInitData_::smlists.

◆ SignatureHasStreamContent()

int SignatureHasStreamContent ( const Signature * s )

check if a signature has patterns that are to be inspected against the stream payload (as opposed to the individual packets payload(s))

Parameters

s signature

Return values

1	true
0	false

Definition at line 585 of file detect-engine-mpm.c.

References DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, DetectProto_::proto, Signature_::proto, SCEnter, SCLogDebug, SCReturnInt, SIG_FLAG_REQUIRE_STREAM, Signature_::sm_arrays, and SignatureInitData_::smlists.

Data Structures

Typedefs

Functions

Detailed Description

Typedef Documentation

◆ PrefilterMpmListId

Function Documentation

◆ DetectAppLayerMpmRegister2()

◆ DetectAppLayerMpmRegisterByParentId()

◆ DetectEngineThreadCtxDeinit()

◆ DetectEngineThreadCtxInfo()

◆ DetectEngineThreadCtxInit()

◆ DetectMpmInitializeAppMpms()

◆ DetectMpmInitializeBuiltinMpms()

◆ DetectMpmInitializePktMpms()

◆ DetectMpmPrepareAppMpms()

◆ DetectMpmPrepareBuiltinMpms()

◆ DetectMpmPreparePktMpms()

◆ DetectPktMpmRegister()

◆ DetectPktMpmRegisterByParentId()

◆ DetectSetFastPatternAndItsId()

◆ DnsQueryPatternSearch()

◆ MpmStoreFree()

◆ MpmStoreInit()

◆ MpmStorePrepareBuffer()

◆ MpmStoreReportStats()

◆ PatternMatchDefaultMatcher()

◆ PatternMatchDestroy()

◆ PatternMatchPrepare()

◆ PatternMatchPrepareGroup()

◆ PatternMatchThreadDestroy()

◆ PatternMatchThreadPrepare()

◆ PatternMatchThreadPrint()

◆ PatternStrength()

◆ PrefilterGenericMpmPktRegister()

◆ RetrieveFPForSig()

◆ SignatureHasPacketContent()

◆ SignatureHasStreamContent()