#include "suricata-common.h"#include "suricata.h"#include "detect-engine.h"#include "detect-engine-prefilter.h"#include "detect-engine-mpm.h"#include "detect-engine-frame.h"#include "app-layer-parser.h"#include "app-layer-htp.h"#include "util-profiling.h"#include "util-validate.h"#include "util-print.h"
Go to the source code of this file.
Data Structures | |
| struct | PrefilterMpmCtx |
| struct | PrefilterMpmPktCtx |
Typedefs | |
| typedef struct PrefilterMpmCtx | PrefilterMpmCtx |
| typedef struct PrefilterMpmPktCtx | PrefilterMpmPktCtx |
Detailed Description
Prefilter engine
Prefilter engines have as purpose to check for a critical common part of a set of rules. If the condition is present in the traffic, the rules will have to be inspected individually. Otherwise, the rules can be skipped.
The best example of this is the MPM. From each rule take a pattern and add it to the MPM state machine. Inspect that in one step and only individually inspect the rules that had a match in MPM.
This prefilter API is designed to abstract this logic so that it becomes easier to add other types of prefilters.
The prefilter engines are structured as a simple list of engines. Each engine checks for a condition using it's callback function and private data. It then adds the rule match candidates to the PrefilterRuleStore structure.
After the engines have run the resulting list of match candidates is sorted by the rule id's so that the individual inspection happens in the correct order.
Definition in file detect-engine-prefilter.c.
Typedef Documentation
◆ PrefilterMpmCtx
| typedef struct PrefilterMpmCtx PrefilterMpmCtx |
◆ PrefilterMpmPktCtx
| typedef struct PrefilterMpmPktCtx PrefilterMpmPktCtx |
Function Documentation
◆ DetectRunPrefilterTx()
| void DetectRunPrefilterTx | ( | DetectEngineThreadCtx * | det_ctx, |
| const SigGroupHead * | sgh, | ||
| Packet * | p, | ||
| const uint8_t | ipproto, | ||
| const uint8_t | flow_flags, | ||
| const AppProto | alproto, | ||
| void * | alstate, | ||
| DetectTransaction * | tx | ||
| ) |
run prefilter engines on a transaction
Definition at line 93 of file detect-engine-prefilter.c.
References PrefilterEngine_::alproto, BIT_U64, PrefilterEngine_::cb, PrefilterEngine_::ctx, DetectGetInnerTx(), Packet_::flow, PrefilterEngine_::gid, PrefilterEngine_::is_last, PrefilterEngine_::is_last_for_progress, likely, next, PACKET_PROFILING_DETECT_START, Packet_::pcap_cnt, PrefilterEngine_::pectx, DetectEngineThreadCtx_::pmq, DetectTransaction_::prefilter_flags, PREFILTER_PROFILING_END, PREFILTER_PROFILING_START, PrefilterEngine_::PrefilterTx, PROF_DETECT_PF_SORT1, PrefilterRuleStore_::rule_id_array_cnt, SCLogDebug, DetectTransaction_::tx_data_ptr, SigGroupHead_::tx_engines, DetectTransaction_::tx_id, PrefilterEngine_::tx_min_progress, DetectTransaction_::tx_progress, and DetectTransaction_::tx_ptr.
◆ Prefilter()
| void Prefilter | ( | DetectEngineThreadCtx * | det_ctx, |
| const SigGroupHead * | sgh, | ||
| Packet * | p, | ||
| const uint8_t | flags, | ||
| const SignatureMask | mask | ||
| ) |
Definition at line 147 of file detect-engine-prefilter.c.
References Flow_::alparser, Flow_::alproto, ALPROTO_UNKNOWN, PrefilterEngine_::cb, PrefilterEngine_::ctx, flags, Packet_::flags, Packet_::flow, SigGroupHead_::frame_engines, PrefilterEngine_::gid, PrefilterEngine_::is_last, likely, PACKET_PROFILING_DETECT_END, PACKET_PROFILING_DETECT_START, SigGroupHead_::payload_engines, Packet_::payload_len, PrefilterEngine_::pectx, PKT_DETECT_HAS_STREAMDATA, SigGroupHead_::pkt_engines, PrefilterEngine_::pkt_mask, PKT_NOPAYLOAD_INSPECTION, DetectEngineThreadCtx_::pmq, PrefilterEngine_::Prefilter, PREFILTER_PROFILING_END, PREFILTER_PROFILING_START, PROF_DETECT_PF_PAYLOAD, PROF_DETECT_PF_PKT, PROF_DETECT_PF_RECORD, PROF_DETECT_PF_SORT1, Packet_::proto, PrefilterRuleStore_::rule_id_array_cnt, SCEnter, and SCLogDebug.
◆ PrefilterAppendEngine()
| int PrefilterAppendEngine | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| PrefilterPktFn | PrefilterFunc, | ||
| SignatureMask | mask, | ||
| void * | pectx, | ||
| void(*)(void *pectx) | FreeFunc, | ||
| const char * | name | ||
| ) |
Definition at line 208 of file detect-engine-prefilter.c.
References CLS, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, PrefilterEngineList_::name, name, PrefilterEngineList_::next, PrefilterEngineList_::pectx, SigGroupHeadInitData_::pkt_engines, PrefilterEngineList_::pkt_mask, PrefilterEngineList_::Prefilter, and SCMallocAligned.
Referenced by PrefilterGenericMpmPktRegister().
◆ PrefilterAppendFrameEngine()
| int PrefilterAppendFrameEngine | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| PrefilterFrameFn | PrefilterFrameFunc, | ||
| AppProto | alproto, | ||
| uint8_t | frame_type, | ||
| void * | pectx, | ||
| void(*)(void *pectx) | FreeFunc, | ||
| const char * | name | ||
| ) |
Definition at line 310 of file detect-engine-prefilter.c.
References PrefilterEngineList_::alproto, CLS, SigGroupHeadInitData_::frame_engines, PrefilterEngineList_::frame_type, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, PrefilterEngineList_::name, name, PrefilterEngineList_::next, PrefilterEngineList_::pectx, PrefilterEngineList_::PrefilterFrame, and SCMallocAligned.
Referenced by PrefilterGenericMpmFrameRegister().
◆ PrefilterAppendPayloadEngine()
| int PrefilterAppendPayloadEngine | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| PrefilterPktFn | PrefilterFunc, | ||
| void * | pectx, | ||
| void(*)(void *pectx) | FreeFunc, | ||
| const char * | name | ||
| ) |
Definition at line 241 of file detect-engine-prefilter.c.
References CLS, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, PrefilterEngineList_::name, name, PrefilterEngineList_::next, SigGroupHeadInitData_::payload_engines, PrefilterEngineList_::pectx, PrefilterEngineList_::Prefilter, and SCMallocAligned.
Referenced by PrefilterPktPayloadRegister(), and PrefilterPktStreamRegister().
◆ PrefilterAppendTxEngine()
| int PrefilterAppendTxEngine | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| PrefilterTxFn | PrefilterTxFunc, | ||
| AppProto | alproto, | ||
| int | tx_min_progress, | ||
| void * | pectx, | ||
| void(*)(void *pectx) | FreeFunc, | ||
| const char * | name | ||
| ) |
Definition at line 273 of file detect-engine-prefilter.c.
References PrefilterEngineList_::alproto, CLS, DEBUG_VALIDATE_BUG_ON, PrefilterEngineList_::Free, PrefilterEngineList_::gid, PrefilterEngineList_::id, SigGroupHead_::init, PrefilterEngineList_::name, name, PrefilterEngineList_::next, PrefilterEngineList_::pectx, PrefilterEngineList_::PrefilterTx, SCMallocAligned, SigGroupHeadInitData_::tx_engines, and PrefilterEngineList_::tx_min_progress.
Referenced by PrefilterGenericMpmRegister(), PrefilterMpmFiledataRegister(), and PrefilterMultiGenericMpmRegister().
◆ PrefilterCleanupRuleGroup()
| void PrefilterCleanupRuleGroup | ( | const DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh | ||
| ) |
Definition at line 381 of file detect-engine-prefilter.c.
References SigGroupHead_::pkt_engines.
Referenced by SigGroupHeadFree().
◆ PrefilterDeinit()
| void PrefilterDeinit | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 623 of file detect-engine-prefilter.c.
References de_ctx, HashListTableFree(), and DetectEngineCtx_::prefilter_hash_table.
◆ PrefilterFreeEnginesList()
| void PrefilterFreeEnginesList | ( | PrefilterEngineList * | list | ) |
Definition at line 353 of file detect-engine-prefilter.c.
Referenced by SigGroupHeadInitDataFree().
◆ PrefilterGenericMpmPktRegister()
| int PrefilterGenericMpmPktRegister | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| MpmCtx * | mpm_ctx, | ||
| const DetectBufferMpmRegistry * | mpm_reg, | ||
| int | list_id | ||
| ) |
Definition at line 873 of file detect-engine-prefilter.c.
References de_ctx, PrefilterMpmPktCtx::GetData, PrefilterMpmPktCtx::list_id, PrefilterMpmPktCtx::mpm_ctx, DetectBufferMpmRegistry_::pkt_v1, PrefilterAppendEngine(), SCCalloc, SCEnter, DetectBufferMpmRegistry_::transforms, and PrefilterMpmPktCtx::transforms.
◆ PrefilterGenericMpmRegister()
| int PrefilterGenericMpmRegister | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| MpmCtx * | mpm_ctx, | ||
| const DetectBufferMpmRegistry * | mpm_reg, | ||
| int | list_id | ||
| ) |
Definition at line 750 of file detect-engine-prefilter.c.
References DetectBufferMpmRegistry_::app_v2, de_ctx, PrefilterMpmCtx::GetData, PrefilterMpmCtx::list_id, PrefilterMpmCtx::mpm_ctx, PrefilterAppendTxEngine(), SCCalloc, SCEnter, PrefilterMpmCtx::transforms, and DetectBufferMpmRegistry_::transforms.
◆ PrefilterInit()
| void PrefilterInit | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 630 of file detect-engine-prefilter.c.
References BUG_ON, de_ctx, HashListTableInit(), and DetectEngineCtx_::prefilter_hash_table.
◆ PrefilterMultiGenericMpmRegister()
| int PrefilterMultiGenericMpmRegister | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| MpmCtx * | mpm_ctx, | ||
| const DetectBufferMpmRegistry * | mpm_reg, | ||
| int | list_id | ||
| ) |
Definition at line 804 of file detect-engine-prefilter.c.
References DetectBufferMpmRegistry_::app_v2, de_ctx, PrefilterMpmListId::GetData, PrefilterMpmListId::list_id, PrefilterMpmListId::mpm_ctx, PrefilterAppendTxEngine(), SCCalloc, SCEnter, PrefilterMpmListId::transforms, and DetectBufferMpmRegistry_::transforms.
◆ PrefilterSetupRuleGroup()
| void PrefilterSetupRuleGroup | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh | ||
| ) |
Definition at line 416 of file detect-engine-prefilter.c.
References PrefilterEngineList_::alproto, PrefilterEngine_::alproto, PrefilterEngine_::cb, CLS, cnt, PrefilterEngine_::ctx, de_ctx, DETECT_PREFILTER_AUTO, DETECT_TBLSIZE, FatalError, PrefilterEngineList_::gid, PrefilterEngine_::gid, PrefilterEngineList_::id, SigGroupHead_::init, PrefilterEngine_::is_last, PrefilterEngine_::local_id, PrefilterEngineList_::next, PatternMatchPrepareGroup(), SigGroupHeadInitData_::payload_engines, SigGroupHead_::payload_engines, PrefilterEngineList_::pectx, PrefilterEngine_::pectx, SigGroupHeadInitData_::pkt_engines, SigGroupHead_::pkt_engines, PrefilterEngineList_::pkt_mask, PrefilterEngine_::pkt_mask, PrefilterEngineList_::Prefilter, PrefilterEngine_::Prefilter, DetectEngineCtx_::prefilter_setting, PrefilterEngineList_::PrefilterTx, PrefilterEngine_::PrefilterTx, SCMallocAligned, SigTableElmt_::SetupPrefilter, sigmatch_table, DetectEngineCtx_::sm_types_prefilter, SigGroupHeadInitData_::tx_engines, SigGroupHead_::tx_engines, PrefilterEngineList_::tx_min_progress, and PrefilterEngine_::tx_min_progress.
Referenced by SigPrepareStage4().
◆ PrefilterStoreGetName()
| const char* PrefilterStoreGetName | ( | const uint32_t | id | ) |
Definition at line 695 of file detect-engine-prefilter.c.
