#include "suricata-common.h"#include "suricata.h"#include "detect-engine.h"#include "detect-engine-prefilter.h"#include "detect-engine-mpm.h"#include "detect-engine-frame.h"#include "detect-engine-uint.h"#include "app-layer-parser.h"#include "app-layer-htp.h"#include "util-profiling.h"#include "util-validate.h"#include "util-hash-string.h"#include "util-print.h"
Go to the source code of this file.
Data Structures | |
| struct | PrefilterNonPFDataSig |
| struct | PrefilterNonPFData |
| struct | PrefilterNonPFDataTx |
| struct | TxNonPFData |
| struct | PrefilterMpmCtx |
| struct | PrefilterMpmPktCtx |
Macros | |
| #define | NONPF_PKT_STATS_INCR(s) |
| #define | QUEUE_STEP 16 |
Typedefs | |
| typedef struct PrefilterMpmCtx | PrefilterMpmCtx |
| typedef struct PrefilterMpmPktCtx | PrefilterMpmPktCtx |
Detailed Description
Prefilter engine
Prefilter engines have as purpose to check for a critical common part of a set of rules. If the condition is present in the traffic, the rules will have to be inspected individually. Otherwise, the rules can be skipped.
The best example of this is the MPM. From each rule take a pattern and add it to the MPM state machine. Inspect that in one step and only individually inspect the rules that had a match in MPM.
This prefilter API is designed to abstract this logic so that it becomes easier to add other types of prefilters.
The prefilter engines are structured as a simple list of engines. Each engine checks for a condition using it's callback function and private data. It then adds the rule match candidates to the PrefilterRuleStore structure.
After the engines have run the resulting list of match candidates is sorted by the rule id's so that the individual inspection happens in the correct order.
Definition in file detect-engine-prefilter.c.
Macro Definition Documentation
◆ NONPF_PKT_STATS_INCR
| #define NONPF_PKT_STATS_INCR | ( | s | ) |
Definition at line 588 of file detect-engine-prefilter.c.
◆ QUEUE_STEP
| #define QUEUE_STEP 16 |
Definition at line 1692 of file detect-engine-prefilter.c.
Typedef Documentation
◆ PrefilterMpmCtx
| typedef struct PrefilterMpmCtx PrefilterMpmCtx |
◆ PrefilterMpmPktCtx
| typedef struct PrefilterMpmPktCtx PrefilterMpmPktCtx |
Function Documentation
◆ DetectRunPrefilterTx()
| void DetectRunPrefilterTx | ( | DetectEngineThreadCtx * | det_ctx, |
| const SigGroupHead * | sgh, | ||
| Packet * | p, | ||
| const uint8_t | ipproto, | ||
| const uint8_t | flow_flags, | ||
| const AppProto | alproto, | ||
| void * | alstate, | ||
| DetectTransaction * | tx | ||
| ) |
run prefilter engines on a transaction
Definition at line 95 of file detect-engine-prefilter.c.
References PrefilterEngine_::alproto, AppLayerParserGetStateNameById(), AppProtoToString(), PrefilterEngine_::cb, PrefilterEngine_::ctx, DetectTransaction_::detect_progress, DetectGetInnerTx(), Packet_::flow, PrefilterEngine_::gid, PrefilterEngine_::is_last, PrefilterEngine_::is_last_for_progress, likely, next, PACKET_PROFILING_DETECT_START, Packet_::pcap_cnt, PrefilterEngine_::pectx, DetectEngineThreadCtx_::pmq, PREFILTER_PROFILING_END, PREFILTER_PROFILING_START, PrefilterEngine_::PrefilterTx, PROF_DETECT_PF_SORT1, PrefilterRuleStore_::rule_id_array_cnt, SCLogDebug, DetectTransaction_::tx_data_ptr, SigGroupHead_::tx_engines, DetectTransaction_::tx_id, PrefilterEngine_::tx_min_progress, DetectTransaction_::tx_progress, and DetectTransaction_::tx_ptr.
◆ PostRuleMatchWorkQueueAppend()
| void PostRuleMatchWorkQueueAppend | ( | DetectEngineThreadCtx * | det_ctx, |
| const Signature * | s, | ||
| const int | type, | ||
| const uint32_t | value | ||
| ) |
Definition at line 1693 of file detect-engine-prefilter.c.
References DETECT_EVENT_POST_MATCH_QUEUE_FAILED, DetectEngineSetEvent(), PostRuleMatchWorkQueue::len, Signature_::num, DetectEngineThreadCtx_::post_rule_work_queue, PostRuleMatchWorkQueue::q, QUEUE_STEP, SCCalloc, SCLogDebug, SCRealloc, PostRuleMatchWorkQueue::size, PostRuleMatchWorkQueueItem::sm_type, type, and PostRuleMatchWorkQueueItem::value.
◆ Prefilter()
| void Prefilter | ( | DetectEngineThreadCtx * | det_ctx, |
| const SigGroupHead * | sgh, | ||
| Packet * | p, | ||
| const uint8_t | flags, | ||
| const SignatureMask | mask | ||
| ) |
Definition at line 216 of file detect-engine-prefilter.c.
References Flow_::alparser, Flow_::alproto, ALPROTO_UNKNOWN, BIT_U16, PrefilterEngine_::cb, PrefilterEngine_::ctx, flags, Packet_::flags, Packet_::flow, SigGroupHead_::frame_engines, PrefilterEngine_::gid, PrefilterEngine_::is_last, likely, PACKET_PROFILING_DETECT_END, PACKET_PROFILING_DETECT_START, SigGroupHead_::payload_engines, Packet_::payload_len, PrefilterEngine_::pectx, PrefilterEngine_::pkt, PKT_DETECT_HAS_STREAMDATA, SigGroupHead_::pkt_engines, Packet_::pkt_hooks, PKT_NOPAYLOAD_INSPECTION, DetectEngineThreadCtx_::pmq, PrefilterEngine_::Prefilter, PREFILTER_PROFILING_END, PREFILTER_PROFILING_START, PROF_DETECT_PF_PAYLOAD, PROF_DETECT_PF_PKT, PROF_DETECT_PF_RECORD, PROF_DETECT_PF_SORT1, Packet_::proto, PrefilterRuleStore_::rule_id_array_cnt, SCEnter, and SCLogDebug.
◆ PrefilterAppendEngine()
| int PrefilterAppendEngine | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| PrefilterPktFn | PrefilterFunc, | ||
| SignatureMask | mask, | ||
| enum SignatureHookPkt | hook, | ||
| void * | pectx, | ||
| void(*)(void *pectx) | FreeFunc, | ||
| const char * | name | ||
| ) |
Definition at line 282 of file detect-engine-prefilter.c.
References BUG_ON, CLS, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, PrefilterEngineList_::name, name, PrefilterEngineList_::next, PrefilterEngineList_::pectx, SigGroupHeadInitData_::pkt_engines, PrefilterEngineList_::pkt_hook, PrefilterEngineList_::pkt_mask, PrefilterEngineList_::Prefilter, and SCMallocAligned.
Referenced by PrefilterGenericMpmPktRegister().
◆ PrefilterAppendFrameEngine()
| int PrefilterAppendFrameEngine | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| PrefilterFrameFn | PrefilterFrameFunc, | ||
| AppProto | alproto, | ||
| uint8_t | frame_type, | ||
| void * | pectx, | ||
| void(*)(void *pectx) | FreeFunc, | ||
| const char * | name | ||
| ) |
Definition at line 389 of file detect-engine-prefilter.c.
References PrefilterEngineList_::alproto, CLS, SigGroupHeadInitData_::frame_engines, PrefilterEngineList_::frame_type, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, PrefilterEngineList_::name, name, PrefilterEngineList_::next, PrefilterEngineList_::pectx, PrefilterEngineList_::PrefilterFrame, and SCMallocAligned.
Referenced by PrefilterGenericMpmFrameRegister().
◆ PrefilterAppendPayloadEngine()
| int PrefilterAppendPayloadEngine | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| PrefilterPktFn | PrefilterFunc, | ||
| void * | pectx, | ||
| void(*)(void *pectx) | FreeFunc, | ||
| const char * | name | ||
| ) |
Definition at line 320 of file detect-engine-prefilter.c.
References CLS, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, PrefilterEngineList_::name, name, PrefilterEngineList_::next, SigGroupHeadInitData_::payload_engines, PrefilterEngineList_::pectx, PrefilterEngineList_::Prefilter, and SCMallocAligned.
Referenced by PrefilterPktPayloadRegister(), and PrefilterPktStreamRegister().
◆ PrefilterAppendPostRuleEngine()
| int PrefilterAppendPostRuleEngine | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| void(*)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f) | PrefilterPostRuleFunc, | ||
| void * | pectx, | ||
| void(*)(void *pectx) | FreeFunc, | ||
| const char * | name | ||
| ) |
Definition at line 424 of file detect-engine-prefilter.c.
References CLS, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, PrefilterEngineList_::name, name, PrefilterEngineList_::next, PrefilterEngineList_::pectx, SigGroupHeadInitData_::post_rule_match_engines, PrefilterEngineList_::PrefilterPostRule, and SCMallocAligned.
◆ PrefilterAppendTxEngine()
| int PrefilterAppendTxEngine | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| PrefilterTxFn | PrefilterTxFunc, | ||
| AppProto | alproto, | ||
| int | tx_min_progress, | ||
| void * | pectx, | ||
| void(*)(void *pectx) | FreeFunc, | ||
| const char * | name | ||
| ) |
Definition at line 352 of file detect-engine-prefilter.c.
References PrefilterEngineList_::alproto, CLS, DEBUG_VALIDATE_BUG_ON, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, PrefilterEngineList_::name, name, PrefilterEngineList_::next, PrefilterEngineList_::pectx, PrefilterEngineList_::PrefilterTx, SCMallocAligned, SigGroupHeadInitData_::tx_engines, and PrefilterEngineList_::tx_min_progress.
Referenced by PrefilterGenericMpmRegister(), PrefilterMpmFiledataRegister(), and PrefilterMultiGenericMpmRegister().
◆ PrefilterCleanupRuleGroup()
| void PrefilterCleanupRuleGroup | ( | const DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh | ||
| ) |
Definition at line 493 of file detect-engine-prefilter.c.
References SigGroupHead_::pkt_engines.
Referenced by SigGroupHeadFree().
◆ PrefilterDeinit()
| void PrefilterDeinit | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 1420 of file detect-engine-prefilter.c.
References de_ctx, HashListTableFree(), and DetectEngineCtx_::prefilter_hash_table.
◆ PrefilterFreeEnginesList()
| void PrefilterFreeEnginesList | ( | PrefilterEngineList * | list | ) |
Definition at line 465 of file detect-engine-prefilter.c.
Referenced by SigGroupHeadInitDataFree().
◆ PrefilterGenericMpmPktRegister()
| int PrefilterGenericMpmPktRegister | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| MpmCtx * | mpm_ctx, | ||
| const DetectBufferMpmRegistry * | mpm_reg, | ||
| int | list_id | ||
| ) |
Definition at line 1670 of file detect-engine-prefilter.c.
References de_ctx, PrefilterMpmPktCtx::GetData, PrefilterMpmPktCtx::list_id, PrefilterMpmPktCtx::mpm_ctx, DetectBufferMpmRegistry_::pkt_v1, PrefilterAppendEngine(), SCCalloc, SCEnter, SIGNATURE_HOOK_PKT_NOT_SET, DetectBufferMpmRegistry_::transforms, and PrefilterMpmPktCtx::transforms.
◆ PrefilterGenericMpmRegister()
| int PrefilterGenericMpmRegister | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| MpmCtx * | mpm_ctx, | ||
| const DetectBufferMpmRegistry * | mpm_reg, | ||
| int | list_id | ||
| ) |
Definition at line 1547 of file detect-engine-prefilter.c.
References DetectBufferMpmRegistry_::app_v2, de_ctx, PrefilterMpmCtx::GetData, PrefilterMpmCtx::list_id, PrefilterMpmCtx::mpm_ctx, PrefilterAppendTxEngine(), SCCalloc, SCEnter, DetectBufferMpmRegistry_::transforms, and PrefilterMpmCtx::transforms.
◆ PrefilterInit()
| void PrefilterInit | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 1427 of file detect-engine-prefilter.c.
References BUG_ON, de_ctx, HashListTableInit(), and DetectEngineCtx_::prefilter_hash_table.
◆ PrefilterMultiGenericMpmRegister()
| int PrefilterMultiGenericMpmRegister | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| MpmCtx * | mpm_ctx, | ||
| const DetectBufferMpmRegistry * | mpm_reg, | ||
| int | list_id | ||
| ) |
Definition at line 1601 of file detect-engine-prefilter.c.
References DetectBufferMpmRegistry_::app_v2, de_ctx, PrefilterMpmListId::GetData, PrefilterMpmListId::list_id, PrefilterMpmListId::mpm_ctx, PrefilterAppendTxEngine(), SCCalloc, SCEnter, PrefilterMpmListId::transforms, and DetectBufferMpmRegistry_::transforms.
◆ PrefilterPktNonPFStatsDump()
| void PrefilterPktNonPFStatsDump | ( | void | ) |
Definition at line 590 of file detect-engine-prefilter.c.
References SCLogDebug.
◆ PrefilterPostRuleMatch()
| void PrefilterPostRuleMatch | ( | DetectEngineThreadCtx * | det_ctx, |
| const SigGroupHead * | sgh, | ||
| Packet * | p, | ||
| Flow * | f | ||
| ) |
invoke post-rule match "prefilter" engines
Invoke prefilter engines that depend on a rule match to run. e.g. the flowbits:set prefilter that adds sids that depend on a flowbit "set" to the match array.
Definition at line 193 of file detect-engine-prefilter.c.
References PrefilterEngine_::cb, PrefilterEngine_::gid, PrefilterEngine_::is_last, PrefilterEngine_::pectx, DetectEngineThreadCtx_::pmq, SigGroupHead_::post_rule_match_engines, PREFILTER_PROFILING_END, PREFILTER_PROFILING_START, PrefilterEngine_::PrefilterPostRule, PrefilterRuleStore_::rule_id_array_cnt, and SCLogDebug.
◆ PrefilterSetupRuleGroup()
| int PrefilterSetupRuleGroup | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh | ||
| ) |
Definition at line 1176 of file detect-engine-prefilter.c.
References de_ctx, DETECT_PREFILTER_AUTO, DETECT_TBLSIZE, FatalError, PatternMatchPrepareGroup(), DetectEngineCtx_::prefilter_setting, SigTableElmt_::SetupPrefilter, sigmatch_table, and DetectEngineCtx_::sm_types_prefilter.
Referenced by SigPrepareStage4().
◆ PrefilterStoreGetName()
| const char* PrefilterStoreGetName | ( | const uint32_t | id | ) |
Definition at line 1492 of file detect-engine-prefilter.c.
