suricata
Data Structures | Typedefs | Functions
detect-engine-prefilter.c File Reference
#include "suricata-common.h"
#include "suricata.h"
#include "detect-engine.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-mpm.h"
#include "detect-engine-frame.h"
#include "app-layer-parser.h"
#include "app-layer-htp.h"
#include "util-profiling.h"
#include "util-validate.h"
#include "util-print.h"
Include dependency graph for detect-engine-prefilter.c:

Go to the source code of this file.

Data Structures

struct  PrefilterMpmCtx
 
struct  PrefilterMpmPktCtx
 

Typedefs

typedef struct PrefilterMpmCtx PrefilterMpmCtx
 
typedef struct PrefilterMpmPktCtx PrefilterMpmPktCtx
 

Functions

void DetectRunPrefilterTx (DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const uint8_t ipproto, const uint8_t flow_flags, const AppProto alproto, void *alstate, DetectTransaction *tx)
 run prefilter engines on a transaction More...
 
void Prefilter (DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const uint8_t flags)
 
int PrefilterAppendEngine (DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterFunc)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx), void *pectx, void(*FreeFunc)(void *pectx), const char *name)
 
int PrefilterAppendPayloadEngine (DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterFunc)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx), void *pectx, void(*FreeFunc)(void *pectx), const char *name)
 
int PrefilterAppendTxEngine (DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
 
int PrefilterAppendFrameEngine (DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterFrameFn PrefilterFrameFunc, AppProto alproto, uint8_t frame_type, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
 
void PrefilterFreeEnginesList (PrefilterEngineList *list)
 
void PrefilterCleanupRuleGroup (const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 
void PrefilterSetupRuleGroup (DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 
void PrefilterDeinit (DetectEngineCtx *de_ctx)
 
void PrefilterInit (DetectEngineCtx *de_ctx)
 
const char * PrefilterStoreGetName (const uint32_t id)
 
int PrefilterGenericMpmRegister (DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
 
int PrefilterGenericMpmPktRegister (DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
 

Detailed Description

Author
Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Prefilter engine

Prefilter engines have as purpose to check for a critical common part of a set of rules. If the condition is present in the traffic, the rules will have to be inspected individually. Otherwise, the rules can be skipped.

The best example of this is the MPM. From each rule take a pattern and add it to the MPM state machine. Inspect that in one step and only individually inspect the rules that had a match in MPM.

This prefilter API is designed to abstract this logic so that it becomes easier to add other types of prefilters.

The prefilter engines are structured as a simple list of engines. Each engine checks for a condition using it's callback function and private data. It then adds the rule match candidates to the PrefilterRuleStore structure.

After the engines have run the resulting list of match candidates is sorted by the rule id's so that the individual inspection happens in the correct order.

Definition in file detect-engine-prefilter.c.

Typedef Documentation

◆ PrefilterMpmCtx

typedef struct PrefilterMpmCtx PrefilterMpmCtx

◆ PrefilterMpmPktCtx

typedef struct PrefilterMpmPktCtx PrefilterMpmPktCtx

Function Documentation

◆ DetectRunPrefilterTx()

void DetectRunPrefilterTx ( DetectEngineThreadCtx det_ctx,
const SigGroupHead sgh,
Packet p,
const uint8_t  ipproto,
const uint8_t  flow_flags,
const AppProto  alproto,
void *  alstate,
DetectTransaction tx 
)

run prefilter engines on a transaction

Definition at line 93 of file detect-engine-prefilter.c.

References PrefilterEngine_::alproto, BIT_U64, PrefilterEngine_::cb, PrefilterEngine_::ctx, Packet_::flow, PrefilterEngine_::gid, PrefilterEngine_::is_last, PrefilterEngine_::is_last_for_progress, likely, next, PACKET_PROFILING_DETECT_START, Packet_::pcap_cnt, PrefilterEngine_::pectx, DetectEngineThreadCtx_::pmq, DetectTransaction_::prefilter_flags, PREFILTER_PROFILING_END, PREFILTER_PROFILING_START, PrefilterEngine_::PrefilterTx, PROF_DETECT_PF_SORT1, PrefilterRuleStore_::rule_id_array_cnt, SCLogDebug, DetectTransaction_::tx_data_ptr, SigGroupHead_::tx_engines, DetectTransaction_::tx_id, PrefilterEngine_::tx_min_progress, DetectTransaction_::tx_progress, and DetectTransaction_::tx_ptr.

◆ Prefilter()

void Prefilter ( DetectEngineThreadCtx det_ctx,
const SigGroupHead sgh,
Packet p,
const uint8_t  flags 
)

Definition at line 143 of file detect-engine-prefilter.c.

References Flow_::alparser, Flow_::alproto, ALPROTO_UNKNOWN, PrefilterEngine_::cb, flags, Packet_::flags, Packet_::flow, SigGroupHead_::frame_engines, PrefilterEngine_::gid, PrefilterEngine_::is_last, likely, PACKET_PROFILING_DETECT_END, PACKET_PROFILING_DETECT_START, SigGroupHead_::payload_engines, Packet_::payload_len, PrefilterEngine_::pectx, PKT_DETECT_HAS_STREAMDATA, SigGroupHead_::pkt_engines, PKT_NOPAYLOAD_INSPECTION, DetectEngineThreadCtx_::pmq, PrefilterEngine_::Prefilter, PREFILTER_PROFILING_END, PREFILTER_PROFILING_START, PROF_DETECT_PF_PAYLOAD, PROF_DETECT_PF_PKT, PROF_DETECT_PF_RECORD, PROF_DETECT_PF_SORT1, Packet_::proto, PrefilterRuleStore_::rule_id_array_cnt, SCEnter, and SCLogDebug.

◆ PrefilterAppendEngine()

int PrefilterAppendEngine ( DetectEngineCtx de_ctx,
SigGroupHead sgh,
void(*)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)  PrefilterFunc,
void *  pectx,
void(*)(void *pectx)  FreeFunc,
const char *  name 
)

Definition at line 202 of file detect-engine-prefilter.c.

References CLS, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, PrefilterEngineList_::name, PrefilterEngineList_::next, PrefilterEngineList_::pectx, SigGroupHeadInitData_::pkt_engines, PrefilterEngineList_::Prefilter, and SCMallocAligned.

Referenced by PrefilterGenericMpmPktRegister().

Here is the caller graph for this function:

◆ PrefilterAppendFrameEngine()

int PrefilterAppendFrameEngine ( DetectEngineCtx de_ctx,
SigGroupHead sgh,
PrefilterFrameFn  PrefilterFrameFunc,
AppProto  alproto,
uint8_t  frame_type,
void *  pectx,
void(*)(void *pectx)  FreeFunc,
const char *  name 
)

Definition at line 307 of file detect-engine-prefilter.c.

References PrefilterEngineList_::alproto, CLS, SigGroupHeadInitData_::frame_engines, PrefilterEngineList_::frame_type, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, PrefilterEngineList_::name, PrefilterEngineList_::next, PrefilterEngineList_::pectx, PrefilterEngineList_::PrefilterFrame, and SCMallocAligned.

Referenced by PrefilterGenericMpmFrameRegister().

Here is the caller graph for this function:

◆ PrefilterAppendPayloadEngine()

int PrefilterAppendPayloadEngine ( DetectEngineCtx de_ctx,
SigGroupHead sgh,
void(*)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)  PrefilterFunc,
void *  pectx,
void(*)(void *pectx)  FreeFunc,
const char *  name 
)

Definition at line 236 of file detect-engine-prefilter.c.

References CLS, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, PrefilterEngineList_::name, PrefilterEngineList_::next, SigGroupHeadInitData_::payload_engines, PrefilterEngineList_::pectx, PrefilterEngineList_::Prefilter, and SCMallocAligned.

Referenced by PrefilterPktPayloadRegister(), and PrefilterPktStreamRegister().

Here is the caller graph for this function:

◆ PrefilterAppendTxEngine()

int PrefilterAppendTxEngine ( DetectEngineCtx de_ctx,
SigGroupHead sgh,
PrefilterTxFn  PrefilterTxFunc,
AppProto  alproto,
int  tx_min_progress,
void *  pectx,
void(*)(void *pectx)  FreeFunc,
const char *  name 
)

Definition at line 270 of file detect-engine-prefilter.c.

References PrefilterEngineList_::alproto, CLS, DEBUG_VALIDATE_BUG_ON, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, PrefilterEngineList_::name, PrefilterEngineList_::next, PrefilterEngineList_::pectx, PrefilterEngineList_::PrefilterTx, SCMallocAligned, SigGroupHeadInitData_::tx_engines, and PrefilterEngineList_::tx_min_progress.

Referenced by PrefilterGenericMpmRegister(), and PrefilterMpmFiledataRegister().

Here is the caller graph for this function:

◆ PrefilterCleanupRuleGroup()

void PrefilterCleanupRuleGroup ( const DetectEngineCtx de_ctx,
SigGroupHead sgh 
)

Definition at line 378 of file detect-engine-prefilter.c.

References SigGroupHead_::pkt_engines.

Referenced by SigGroupHeadFree().

Here is the caller graph for this function:

◆ PrefilterDeinit()

void PrefilterDeinit ( DetectEngineCtx de_ctx)

Definition at line 618 of file detect-engine-prefilter.c.

References de_ctx, HashListTableFree(), and DetectEngineCtx_::prefilter_hash_table.

Here is the call graph for this function:

◆ PrefilterFreeEnginesList()

void PrefilterFreeEnginesList ( PrefilterEngineList list)

Definition at line 350 of file detect-engine-prefilter.c.

Referenced by SigGroupHeadInitDataFree().

Here is the caller graph for this function:

◆ PrefilterGenericMpmPktRegister()

int PrefilterGenericMpmPktRegister ( DetectEngineCtx de_ctx,
SigGroupHead sgh,
MpmCtx mpm_ctx,
const DetectBufferMpmRegistry mpm_reg,
int  list_id 
)

Definition at line 815 of file detect-engine-prefilter.c.

References de_ctx, PrefilterMpmPktCtx::GetData, PrefilterMpmPktCtx::list_id, PrefilterMpmPktCtx::mpm_ctx, DetectBufferMpmRegistry_::pkt_v1, PrefilterAppendEngine(), SCCalloc, SCEnter, DetectBufferMpmRegistry_::transforms, and PrefilterMpmPktCtx::transforms.

Here is the call graph for this function:

◆ PrefilterGenericMpmRegister()

int PrefilterGenericMpmRegister ( DetectEngineCtx de_ctx,
SigGroupHead sgh,
MpmCtx mpm_ctx,
const DetectBufferMpmRegistry mpm_reg,
int  list_id 
)

Definition at line 745 of file detect-engine-prefilter.c.

References DetectBufferMpmRegistry_::app_v2, de_ctx, PrefilterMpmCtx::GetData, PrefilterMpmCtx::list_id, PrefilterMpmCtx::mpm_ctx, PrefilterAppendTxEngine(), SCCalloc, SCEnter, DetectBufferMpmRegistry_::transforms, and PrefilterMpmCtx::transforms.

Here is the call graph for this function:

◆ PrefilterInit()

void PrefilterInit ( DetectEngineCtx de_ctx)

Definition at line 625 of file detect-engine-prefilter.c.

References BUG_ON, de_ctx, HashListTableInit(), and DetectEngineCtx_::prefilter_hash_table.

Here is the call graph for this function:

◆ PrefilterSetupRuleGroup()

void PrefilterSetupRuleGroup ( DetectEngineCtx de_ctx,
SigGroupHead sgh 
)

Definition at line 413 of file detect-engine-prefilter.c.

References de_ctx, DETECT_PREFILTER_AUTO, DETECT_TBLSIZE, FatalError, SigGroupHead_::init, PatternMatchPrepareGroup(), SigGroupHeadInitData_::pkt_engines, DetectEngineCtx_::prefilter_setting, SigTableElmt_::SetupPrefilter, sigmatch_table, and DetectEngineCtx_::sm_types_prefilter.

Here is the call graph for this function:

◆ PrefilterStoreGetName()

const char* PrefilterStoreGetName ( const uint32_t  id)

Definition at line 690 of file detect-engine-prefilter.c.