#include "suricata-common.h"#include "suricata.h"#include "detect-engine.h"#include "detect-engine-prefilter.h"#include "detect-engine-mpm.h"#include "detect-engine-frame.h"#include "app-layer-parser.h"#include "app-layer-htp.h"#include "util-profiling.h"#include "util-validate.h"#include "util-print.h"
Go to the source code of this file.
Data Structures | |
| struct | PrefilterMpmCtx |
| struct | PrefilterMpmPktCtx |
Typedefs | |
| typedef struct PrefilterMpmCtx | PrefilterMpmCtx |
| typedef struct PrefilterMpmPktCtx | PrefilterMpmPktCtx |
Detailed Description
Prefilter engine
Prefilter engines have as purpose to check for a critical common part of a set of rules. If the condition is present in the traffic, the rules will have to be inspected individually. Otherwise, the rules can be skipped.
The best example of this is the MPM. From each rule take a pattern and add it to the MPM state machine. Inspect that in one step and only individually inspect the rules that had a match in MPM.
This prefilter API is designed to abstract this logic so that it becomes easier to add other types of prefilters.
The prefilter engines are structured as a simple list of engines. Each engine checks for a condition using it's callback function and private data. It then adds the rule match candidates to the PrefilterRuleStore structure.
After the engines have run the resulting list of match candidates is sorted by the rule id's so that the individual inspection happens in the correct order.
Definition in file detect-engine-prefilter.c.
Typedef Documentation
◆ PrefilterMpmCtx
| typedef struct PrefilterMpmCtx PrefilterMpmCtx |
◆ PrefilterMpmPktCtx
| typedef struct PrefilterMpmPktCtx PrefilterMpmPktCtx |
Function Documentation
◆ DetectRunPrefilterTx()
| void DetectRunPrefilterTx | ( | DetectEngineThreadCtx * | det_ctx, |
| const SigGroupHead * | sgh, | ||
| Packet * | p, | ||
| const uint8_t | ipproto, | ||
| const uint8_t | flow_flags, | ||
| const AppProto | alproto, | ||
| void * | alstate, | ||
| DetectTransaction * | tx | ||
| ) |
run prefilter engines on a transaction
Definition at line 93 of file detect-engine-prefilter.c.
References PrefilterEngine_::alproto, PrefilterEngine_::cb, PrefilterEngine_::ctx, DetectTransaction_::detect_progress, DetectGetInnerTx(), Packet_::flow, PrefilterEngine_::gid, PrefilterEngine_::is_last, PrefilterEngine_::is_last_for_progress, likely, next, PACKET_PROFILING_DETECT_START, Packet_::pcap_cnt, PrefilterEngine_::pectx, DetectEngineThreadCtx_::pmq, PREFILTER_PROFILING_END, PREFILTER_PROFILING_START, PrefilterEngine_::PrefilterTx, PROF_DETECT_PF_SORT1, PrefilterRuleStore_::rule_id_array_cnt, SCLogDebug, DetectTransaction_::tx_data_ptr, SigGroupHead_::tx_engines, DetectTransaction_::tx_id, PrefilterEngine_::tx_min_progress, DetectTransaction_::tx_progress, and DetectTransaction_::tx_ptr.
◆ Prefilter()
| void Prefilter | ( | DetectEngineThreadCtx * | det_ctx, |
| const SigGroupHead * | sgh, | ||
| Packet * | p, | ||
| const uint8_t | flags, | ||
| const SignatureMask | mask | ||
| ) |
Definition at line 158 of file detect-engine-prefilter.c.
References Flow_::alparser, Flow_::alproto, ALPROTO_UNKNOWN, PrefilterEngine_::cb, PrefilterEngine_::ctx, flags, Packet_::flags, Packet_::flow, SigGroupHead_::frame_engines, PrefilterEngine_::gid, PrefilterEngine_::is_last, likely, PACKET_PROFILING_DETECT_END, PACKET_PROFILING_DETECT_START, SigGroupHead_::payload_engines, Packet_::payload_len, PrefilterEngine_::pectx, PKT_DETECT_HAS_STREAMDATA, SigGroupHead_::pkt_engines, PrefilterEngine_::pkt_mask, PKT_NOPAYLOAD_INSPECTION, DetectEngineThreadCtx_::pmq, PrefilterEngine_::Prefilter, PREFILTER_PROFILING_END, PREFILTER_PROFILING_START, PROF_DETECT_PF_PAYLOAD, PROF_DETECT_PF_PKT, PROF_DETECT_PF_RECORD, PROF_DETECT_PF_SORT1, Packet_::proto, PrefilterRuleStore_::rule_id_array_cnt, SCEnter, and SCLogDebug.
◆ PrefilterAppendEngine()
| int PrefilterAppendEngine | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| PrefilterPktFn | PrefilterFunc, | ||
| SignatureMask | mask, | ||
| void * | pectx, | ||
| void(*)(void *pectx) | FreeFunc, | ||
| const char * | name | ||
| ) |
Definition at line 219 of file detect-engine-prefilter.c.
References CLS, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, PrefilterEngineList_::name, name, PrefilterEngineList_::next, PrefilterEngineList_::pectx, SigGroupHeadInitData_::pkt_engines, PrefilterEngineList_::pkt_mask, PrefilterEngineList_::Prefilter, and SCMallocAligned.
Referenced by PrefilterGenericMpmPktRegister().
◆ PrefilterAppendFrameEngine()
| int PrefilterAppendFrameEngine | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| PrefilterFrameFn | PrefilterFrameFunc, | ||
| AppProto | alproto, | ||
| uint8_t | frame_type, | ||
| void * | pectx, | ||
| void(*)(void *pectx) | FreeFunc, | ||
| const char * | name | ||
| ) |
Definition at line 321 of file detect-engine-prefilter.c.
References PrefilterEngineList_::alproto, CLS, SigGroupHeadInitData_::frame_engines, PrefilterEngineList_::frame_type, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, PrefilterEngineList_::name, name, PrefilterEngineList_::next, PrefilterEngineList_::pectx, PrefilterEngineList_::PrefilterFrame, and SCMallocAligned.
Referenced by PrefilterGenericMpmFrameRegister().
◆ PrefilterAppendPayloadEngine()
| int PrefilterAppendPayloadEngine | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| PrefilterPktFn | PrefilterFunc, | ||
| void * | pectx, | ||
| void(*)(void *pectx) | FreeFunc, | ||
| const char * | name | ||
| ) |
Definition at line 252 of file detect-engine-prefilter.c.
References CLS, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, PrefilterEngineList_::name, name, PrefilterEngineList_::next, SigGroupHeadInitData_::payload_engines, PrefilterEngineList_::pectx, PrefilterEngineList_::Prefilter, and SCMallocAligned.
Referenced by PrefilterPktPayloadRegister(), and PrefilterPktStreamRegister().
◆ PrefilterAppendTxEngine()
| int PrefilterAppendTxEngine | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| PrefilterTxFn | PrefilterTxFunc, | ||
| AppProto | alproto, | ||
| int | tx_min_progress, | ||
| void * | pectx, | ||
| void(*)(void *pectx) | FreeFunc, | ||
| const char * | name | ||
| ) |
Definition at line 284 of file detect-engine-prefilter.c.
References PrefilterEngineList_::alproto, CLS, DEBUG_VALIDATE_BUG_ON, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, PrefilterEngineList_::name, name, PrefilterEngineList_::next, PrefilterEngineList_::pectx, PrefilterEngineList_::PrefilterTx, SCMallocAligned, SigGroupHeadInitData_::tx_engines, and PrefilterEngineList_::tx_min_progress.
Referenced by PrefilterGenericMpmRegister(), PrefilterMpmFiledataRegister(), and PrefilterMultiGenericMpmRegister().
◆ PrefilterCleanupRuleGroup()
| void PrefilterCleanupRuleGroup | ( | const DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh | ||
| ) |
Definition at line 392 of file detect-engine-prefilter.c.
References SigGroupHead_::pkt_engines.
Referenced by SigGroupHeadFree().
◆ PrefilterDeinit()
| void PrefilterDeinit | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 634 of file detect-engine-prefilter.c.
References de_ctx, HashListTableFree(), and DetectEngineCtx_::prefilter_hash_table.
◆ PrefilterFreeEnginesList()
| void PrefilterFreeEnginesList | ( | PrefilterEngineList * | list | ) |
Definition at line 364 of file detect-engine-prefilter.c.
Referenced by SigGroupHeadInitDataFree().
◆ PrefilterGenericMpmPktRegister()
| int PrefilterGenericMpmPktRegister | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| MpmCtx * | mpm_ctx, | ||
| const DetectBufferMpmRegistry * | mpm_reg, | ||
| int | list_id | ||
| ) |
Definition at line 884 of file detect-engine-prefilter.c.
References de_ctx, PrefilterMpmPktCtx::GetData, PrefilterMpmPktCtx::list_id, PrefilterMpmPktCtx::mpm_ctx, DetectBufferMpmRegistry_::pkt_v1, PrefilterAppendEngine(), SCCalloc, SCEnter, DetectBufferMpmRegistry_::transforms, and PrefilterMpmPktCtx::transforms.
◆ PrefilterGenericMpmRegister()
| int PrefilterGenericMpmRegister | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| MpmCtx * | mpm_ctx, | ||
| const DetectBufferMpmRegistry * | mpm_reg, | ||
| int | list_id | ||
| ) |
Definition at line 761 of file detect-engine-prefilter.c.
References DetectBufferMpmRegistry_::app_v2, de_ctx, PrefilterMpmCtx::GetData, PrefilterMpmCtx::list_id, PrefilterMpmCtx::mpm_ctx, PrefilterAppendTxEngine(), SCCalloc, SCEnter, DetectBufferMpmRegistry_::transforms, and PrefilterMpmCtx::transforms.
◆ PrefilterInit()
| void PrefilterInit | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 641 of file detect-engine-prefilter.c.
References BUG_ON, de_ctx, HashListTableInit(), and DetectEngineCtx_::prefilter_hash_table.
◆ PrefilterMultiGenericMpmRegister()
| int PrefilterMultiGenericMpmRegister | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| MpmCtx * | mpm_ctx, | ||
| const DetectBufferMpmRegistry * | mpm_reg, | ||
| int | list_id | ||
| ) |
Definition at line 815 of file detect-engine-prefilter.c.
References DetectBufferMpmRegistry_::app_v2, de_ctx, PrefilterMpmListId::GetData, PrefilterMpmListId::list_id, PrefilterMpmListId::mpm_ctx, PrefilterAppendTxEngine(), SCCalloc, SCEnter, PrefilterMpmListId::transforms, and DetectBufferMpmRegistry_::transforms.
◆ PrefilterSetupRuleGroup()
| void PrefilterSetupRuleGroup | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh | ||
| ) |
Definition at line 427 of file detect-engine-prefilter.c.
References PrefilterEngineList_::alproto, PrefilterEngine_::alproto, PrefilterEngine_::cb, CLS, cnt, PrefilterEngine_::ctx, de_ctx, DETECT_PREFILTER_AUTO, DETECT_TBLSIZE, FatalError, PrefilterEngineList_::gid, PrefilterEngine_::gid, PrefilterEngineList_::id, SigGroupHead_::init, PrefilterEngine_::is_last, PrefilterEngine_::local_id, PrefilterEngineList_::next, PatternMatchPrepareGroup(), SigGroupHeadInitData_::payload_engines, SigGroupHead_::payload_engines, PrefilterEngineList_::pectx, PrefilterEngine_::pectx, SigGroupHeadInitData_::pkt_engines, SigGroupHead_::pkt_engines, PrefilterEngineList_::pkt_mask, PrefilterEngine_::pkt_mask, PrefilterEngineList_::Prefilter, PrefilterEngine_::Prefilter, DetectEngineCtx_::prefilter_setting, PrefilterEngineList_::PrefilterTx, PrefilterEngine_::PrefilterTx, SCMallocAligned, SigTableElmt_::SetupPrefilter, sigmatch_table, DetectEngineCtx_::sm_types_prefilter, SigGroupHeadInitData_::tx_engines, SigGroupHead_::tx_engines, PrefilterEngineList_::tx_min_progress, and PrefilterEngine_::tx_min_progress.
Referenced by SigPrepareStage4().
◆ PrefilterStoreGetName()
| const char* PrefilterStoreGetName | ( | const uint32_t | id | ) |
Definition at line 706 of file detect-engine-prefilter.c.
