#include "suricata-common.h"#include "suricata.h"#include "detect-engine.h"#include "detect-engine-prefilter.h"#include "detect-engine-mpm.h"#include "detect-engine-frame.h"#include "detect-engine-uint.h"#include "app-layer-parser.h"#include "app-layer-htp.h"#include "util-profiling.h"#include "util-validate.h"#include "util-hash-string.h"#include "util-print.h"
Go to the source code of this file.
Data Structures | |
| struct | PrefilterNonPFDataSig |
| struct | PrefilterNonPFData |
| struct | PrefilterNonPFDataTx |
| struct | TxNonPFData |
| struct | PrefilterMpmCtx |
| struct | PrefilterMpmPktCtx |
Macros | |
| #define | NONPF_PKT_STATS_INCR(s) |
| #define | QUEUE_STEP 16 |
Typedefs | |
| typedef struct PrefilterMpmCtx | PrefilterMpmCtx |
| typedef struct PrefilterMpmPktCtx | PrefilterMpmPktCtx |
Detailed Description
Prefilter engine
Prefilter engines have as purpose to check for a critical common part of a set of rules. If the condition is present in the traffic, the rules will have to be inspected individually. Otherwise, the rules can be skipped.
The best example of this is the MPM. From each rule take a pattern and add it to the MPM state machine. Inspect that in one step and only individually inspect the rules that had a match in MPM.
This prefilter API is designed to abstract this logic so that it becomes easier to add other types of prefilters.
The prefilter engines are structured as a simple list of engines. Each engine checks for a condition using it's callback function and private data. It then adds the rule match candidates to the PrefilterRuleStore structure.
After the engines have run the resulting list of match candidates is sorted by the rule id's so that the individual inspection happens in the correct order.
Definition in file detect-engine-prefilter.c.
Macro Definition Documentation
◆ NONPF_PKT_STATS_INCR
| #define NONPF_PKT_STATS_INCR | ( | s | ) |
Definition at line 591 of file detect-engine-prefilter.c.
◆ QUEUE_STEP
| #define QUEUE_STEP 16 |
Definition at line 1745 of file detect-engine-prefilter.c.
Typedef Documentation
◆ PrefilterMpmCtx
| typedef struct PrefilterMpmCtx PrefilterMpmCtx |
◆ PrefilterMpmPktCtx
| typedef struct PrefilterMpmPktCtx PrefilterMpmPktCtx |
Function Documentation
◆ DetectRunPrefilterTx()
| void DetectRunPrefilterTx | ( | DetectEngineThreadCtx * | det_ctx, |
| const SigGroupHead * | sgh, | ||
| Packet * | p, | ||
| const uint8_t | ipproto, | ||
| const uint8_t | flow_flags, | ||
| const AppProto | alproto, | ||
| void * | alstate, | ||
| DetectTransaction * | tx | ||
| ) |
run prefilter engines on a transaction
Definition at line 95 of file detect-engine-prefilter.c.
References PrefilterEngine_::alproto, AppLayerParserGetStateNameById(), AppProtoToString(), PrefilterEngine_::cb, PrefilterEngine_::ctx, DetectTransaction_::detect_progress, DetectGetInnerTx(), Packet_::flow, PrefilterEngine_::gid, PrefilterEngine_::is_last, PrefilterEngine_::is_last_for_progress, likely, next, PACKET_PROFILING_DETECT_START, PcapPacketCntGet(), PrefilterEngine_::pectx, DetectEngineThreadCtx_::pmq, PREFILTER_PROFILING_END, PREFILTER_PROFILING_START, PrefilterEngine_::PrefilterTx, PROF_DETECT_PF_SORT1, PrefilterRuleStore_::rule_id_array_cnt, SCLogDebug, DetectTransaction_::tx_data_ptr, SigGroupHead_::tx_engines, DetectTransaction_::tx_id, PrefilterEngine_::tx_min_progress, DetectTransaction_::tx_progress, and DetectTransaction_::tx_ptr.
◆ PostRuleMatchWorkQueueAppend()
| void PostRuleMatchWorkQueueAppend | ( | DetectEngineThreadCtx * | det_ctx, |
| const Signature * | s, | ||
| const int | type, | ||
| const uint32_t | value | ||
| ) |
Definition at line 1746 of file detect-engine-prefilter.c.
References DETECT_EVENT_POST_MATCH_QUEUE_FAILED, DetectEngineSetEvent(), Signature_::iid, PostRuleMatchWorkQueue::len, DetectEngineThreadCtx_::post_rule_work_queue, PostRuleMatchWorkQueue::q, QUEUE_STEP, SCCalloc, SCLogDebug, SCRealloc, PostRuleMatchWorkQueue::size, PostRuleMatchWorkQueueItem::sm_type, type, and PostRuleMatchWorkQueueItem::value.
◆ Prefilter()
| void Prefilter | ( | DetectEngineThreadCtx * | det_ctx, |
| const SigGroupHead * | sgh, | ||
| Packet * | p, | ||
| const uint8_t | flags, | ||
| const SignatureMask | mask | ||
| ) |
Definition at line 219 of file detect-engine-prefilter.c.
References Flow_::alparser, Flow_::alproto, ALPROTO_UNKNOWN, BIT_U16, PrefilterEngine_::cb, PrefilterEngine_::ctx, flags, Packet_::flags, Packet_::flow, SigGroupHead_::frame_engines, PrefilterEngine_::gid, PrefilterEngine_::is_last, likely, PACKET_PROFILING_DETECT_END, PACKET_PROFILING_DETECT_START, SigGroupHead_::payload_engines, Packet_::payload_len, PrefilterEngine_::pectx, PrefilterEngine_::pkt, PKT_DETECT_HAS_STREAMDATA, SigGroupHead_::pkt_engines, Packet_::pkt_hooks, PKT_NOPAYLOAD_INSPECTION, DetectEngineThreadCtx_::pmq, PrefilterEngine_::Prefilter, PREFILTER_PROFILING_END, PREFILTER_PROFILING_START, PROF_DETECT_PF_PAYLOAD, PROF_DETECT_PF_PKT, PROF_DETECT_PF_RECORD, PROF_DETECT_PF_SORT1, Packet_::proto, PrefilterRuleStore_::rule_id_array_cnt, SCEnter, and SCLogDebug.
◆ PrefilterAppendEngine()
| int PrefilterAppendEngine | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| PrefilterPktFn | PrefilterFunc, | ||
| SignatureMask | mask, | ||
| enum SignatureHookPkt | hook, | ||
| void * | pectx, | ||
| void(*)(void *pectx) | FreeFunc, | ||
| const char * | name | ||
| ) |
Definition at line 285 of file detect-engine-prefilter.c.
References BUG_ON, CLS, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, name, PrefilterEngineList_::name, PrefilterEngineList_::next, PrefilterEngineList_::pectx, SigGroupHeadInitData_::pkt_engines, PrefilterEngineList_::pkt_hook, PrefilterEngineList_::pkt_mask, PrefilterEngineList_::Prefilter, and SCMallocAligned.
Referenced by PrefilterGenericMpmPktRegister().
◆ PrefilterAppendFrameEngine()
| int PrefilterAppendFrameEngine | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| PrefilterFrameFn | PrefilterFrameFunc, | ||
| AppProto | alproto, | ||
| uint8_t | frame_type, | ||
| void * | pectx, | ||
| void(*)(void *pectx) | FreeFunc, | ||
| const char * | name | ||
| ) |
Definition at line 392 of file detect-engine-prefilter.c.
References PrefilterEngineList_::alproto, CLS, SigGroupHeadInitData_::frame_engines, PrefilterEngineList_::frame_type, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, name, PrefilterEngineList_::name, PrefilterEngineList_::next, PrefilterEngineList_::pectx, PrefilterEngineList_::PrefilterFrame, and SCMallocAligned.
Referenced by PrefilterGenericMpmFrameRegister().
◆ PrefilterAppendPayloadEngine()
| int PrefilterAppendPayloadEngine | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| PrefilterPktFn | PrefilterFunc, | ||
| void * | pectx, | ||
| void(*)(void *pectx) | FreeFunc, | ||
| const char * | name | ||
| ) |
Definition at line 323 of file detect-engine-prefilter.c.
References CLS, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, name, PrefilterEngineList_::name, PrefilterEngineList_::next, SigGroupHeadInitData_::payload_engines, PrefilterEngineList_::pectx, PrefilterEngineList_::Prefilter, and SCMallocAligned.
Referenced by PrefilterPktPayloadRegister(), and PrefilterPktStreamRegister().
◆ PrefilterAppendPostRuleEngine()
| int PrefilterAppendPostRuleEngine | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| void(*)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f) | PrefilterPostRuleFunc, | ||
| void * | pectx, | ||
| void(*)(void *pectx) | FreeFunc, | ||
| const char * | name | ||
| ) |
Definition at line 427 of file detect-engine-prefilter.c.
References CLS, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, name, PrefilterEngineList_::name, PrefilterEngineList_::next, PrefilterEngineList_::pectx, SigGroupHeadInitData_::post_rule_match_engines, PrefilterEngineList_::PrefilterPostRule, and SCMallocAligned.
◆ PrefilterAppendTxEngine()
| int PrefilterAppendTxEngine | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| PrefilterTxFn | PrefilterTxFunc, | ||
| AppProto | alproto, | ||
| int | tx_min_progress, | ||
| void * | pectx, | ||
| void(*)(void *pectx) | FreeFunc, | ||
| const char * | name | ||
| ) |
Definition at line 355 of file detect-engine-prefilter.c.
References PrefilterEngineList_::alproto, CLS, DEBUG_VALIDATE_BUG_ON, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, name, PrefilterEngineList_::name, PrefilterEngineList_::next, PrefilterEngineList_::pectx, PrefilterEngineList_::PrefilterTx, SCMallocAligned, SigGroupHeadInitData_::tx_engines, and PrefilterEngineList_::tx_min_progress.
Referenced by PrefilterGenericMpmRegister(), PrefilterMpmFiledataRegister(), PrefilterMultiGenericMpmRegister(), and PrefilterSingleMpmRegister().
◆ PrefilterCleanupRuleGroup()
| void PrefilterCleanupRuleGroup | ( | const DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh | ||
| ) |
Definition at line 496 of file detect-engine-prefilter.c.
References SigGroupHead_::pkt_engines.
Referenced by SigGroupHeadFree().
◆ PrefilterDeinit()
| void PrefilterDeinit | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 1423 of file detect-engine-prefilter.c.
References de_ctx, HashListTableFree(), and DetectEngineCtx_::prefilter_hash_table.
◆ PrefilterFreeEnginesList()
| void PrefilterFreeEnginesList | ( | PrefilterEngineList * | list | ) |
Definition at line 468 of file detect-engine-prefilter.c.
Referenced by SigGroupHeadInitDataFree().
◆ PrefilterGenericMpmPktRegister()
| int PrefilterGenericMpmPktRegister | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| MpmCtx * | mpm_ctx, | ||
| const DetectBufferMpmRegistry * | mpm_reg, | ||
| int | list_id | ||
| ) |
Definition at line 1723 of file detect-engine-prefilter.c.
References de_ctx, PrefilterMpmPktCtx::GetData, PrefilterMpmPktCtx::list_id, PrefilterMpmPktCtx::mpm_ctx, DetectBufferMpmRegistry_::pkt_v1, PrefilterAppendEngine(), SCCalloc, SCEnter, SIGNATURE_HOOK_PKT_NOT_SET, DetectBufferMpmRegistry_::transforms, and PrefilterMpmPktCtx::transforms.
◆ PrefilterGenericMpmRegister()
| int PrefilterGenericMpmRegister | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| MpmCtx * | mpm_ctx, | ||
| const DetectBufferMpmRegistry * | mpm_reg, | ||
| int | list_id | ||
| ) |
Definition at line 1580 of file detect-engine-prefilter.c.
References DetectBufferMpmRegistry_::app_v2, de_ctx, PrefilterMpmCtx::GetData, PrefilterMpmCtx::list_id, PrefilterMpmCtx::mpm_ctx, PrefilterAppendTxEngine(), SCCalloc, SCEnter, DetectBufferMpmRegistry_::transforms, and PrefilterMpmCtx::transforms.
◆ PrefilterInit()
| void PrefilterInit | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 1430 of file detect-engine-prefilter.c.
References BUG_ON, de_ctx, HashListTableInit(), and DetectEngineCtx_::prefilter_hash_table.
◆ PrefilterMultiGenericMpmRegister()
| int PrefilterMultiGenericMpmRegister | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| MpmCtx * | mpm_ctx, | ||
| const DetectBufferMpmRegistry * | mpm_reg, | ||
| int | list_id | ||
| ) |
Definition at line 1654 of file detect-engine-prefilter.c.
References DetectBufferMpmRegistry_::app_v2, de_ctx, PrefilterMpmListId::GetData, PrefilterMpmListId::list_id, PrefilterMpmListId::mpm_ctx, PrefilterAppendTxEngine(), SCCalloc, SCEnter, PrefilterMpmListId::transforms, and DetectBufferMpmRegistry_::transforms.
◆ PrefilterPktNonPFStatsDump()
| void PrefilterPktNonPFStatsDump | ( | void | ) |
Definition at line 593 of file detect-engine-prefilter.c.
References SCLogDebug.
◆ PrefilterPostRuleMatch()
| void PrefilterPostRuleMatch | ( | DetectEngineThreadCtx * | det_ctx, |
| const SigGroupHead * | sgh, | ||
| Packet * | p, | ||
| Flow * | f | ||
| ) |
invoke post-rule match "prefilter" engines
Invoke prefilter engines that depend on a rule match to run. e.g. the flowbits:set prefilter that adds sids that depend on a flowbit "set" to the match array.
Definition at line 196 of file detect-engine-prefilter.c.
References PrefilterEngine_::cb, PrefilterEngine_::gid, PrefilterEngine_::is_last, PrefilterEngine_::pectx, DetectEngineThreadCtx_::pmq, SigGroupHead_::post_rule_match_engines, PREFILTER_PROFILING_END, PREFILTER_PROFILING_START, PrefilterEngine_::PrefilterPostRule, PrefilterRuleStore_::rule_id_array_cnt, and SCLogDebug.
◆ PrefilterSetupRuleGroup()
| int PrefilterSetupRuleGroup | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh | ||
| ) |
Definition at line 1179 of file detect-engine-prefilter.c.
References de_ctx, DETECT_PREFILTER_AUTO, DETECT_TBLSIZE, FatalError, PatternMatchPrepareGroup(), DetectEngineCtx_::prefilter_setting, SigTableElmt_::SetupPrefilter, sigmatch_table, and DetectEngineCtx_::sm_types_prefilter.
Referenced by SigPrepareStage4().
◆ PrefilterSingleMpmRegister()
| int PrefilterSingleMpmRegister | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| MpmCtx * | mpm_ctx, | ||
| const DetectBufferMpmRegistry * | mpm_reg, | ||
| int | list_id | ||
| ) |
Definition at line 1601 of file detect-engine-prefilter.c.
References DetectBufferMpmRegistry_::app_v2, de_ctx, PrefilterMpmCtx::GetDataSingle, PrefilterMpmCtx::list_id, PrefilterMpmCtx::mpm_ctx, PrefilterAppendTxEngine(), SCCalloc, SCEnter, DetectBufferMpmRegistry_::transforms, and PrefilterMpmCtx::transforms.
