#include "suricata-common.h"#include "decode.h"#include "flow-var.h"#include "app-layer-protos.h"#include "detect.h"#include "detect-parse.h"#include "detect-engine.h"#include "detect-engine-build.h"#include "detect-engine-address.h"#include "detect-engine-mpm.h"#include "detect-engine-siggroup.h"#include "detect-engine-prefilter.h"#include "detect-content.h"#include "detect-uricontent.h"#include "detect-tcp-flags.h"#include "util-hash.h"#include "util-hashlist.h"#include "util-error.h"#include "util-debug.h"#include "util-cidr.h"#include "util-unittest.h"#include "util-unittest-helper.h"#include "util-memcmp.h"
Go to the source code of this file.
Functions | |
| int | SigGroupHeadClearSigs (SigGroupHead *sgh) |
| Clears the bitarray holding the sids for this SigGroupHead. More... | |
| void | SigGroupHeadInitDataFree (SigGroupHeadInitData *sghid) |
| void | SigGroupHeadStore (DetectEngineCtx *de_ctx, SigGroupHead *sgh) |
| void | SigGroupHeadFree (const DetectEngineCtx *de_ctx, SigGroupHead *sgh) |
| Free a SigGroupHead and its members. More... | |
| int | SigGroupHeadHashInit (DetectEngineCtx *de_ctx) |
| Initializes the hash table in the detection engine context to hold the SigGroupHeads. More... | |
| int | SigGroupHeadHashAdd (DetectEngineCtx *de_ctx, SigGroupHead *sgh) |
| Adds a SigGroupHead to the detection engine context SigGroupHead hash table. More... | |
| int | SigGroupHeadHashRemove (DetectEngineCtx *de_ctx, SigGroupHead *sgh) |
| SigGroupHead * | SigGroupHeadHashLookup (DetectEngineCtx *de_ctx, SigGroupHead *sgh) |
| Used to lookup a SigGroupHead hash from the detection engine context SigGroupHead hash table. More... | |
| void | SigGroupHeadHashFree (DetectEngineCtx *de_ctx) |
| Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function. More... | |
| int | SigGroupHeadAppendSig (const DetectEngineCtx *de_ctx, SigGroupHead **sgh, const Signature *s) |
| Add a Signature to a SigGroupHead. More... | |
| int | SigGroupHeadCopySigs (DetectEngineCtx *de_ctx, SigGroupHead *src, SigGroupHead **dst) |
| Copies the bitarray holding the sids from the source SigGroupHead to the destination SigGroupHead. More... | |
| void | SigGroupHeadSetSigCnt (SigGroupHead *sgh, uint32_t max_idx) |
| Updates the SigGroupHead->sig_cnt with the total count of all the Signatures present in this SigGroupHead. More... | |
| void | SigGroupHeadSetProtoAndDirection (SigGroupHead *sgh, uint8_t ipproto, int dir) |
| void | SigGroupHeadPrintSigs (DetectEngineCtx *de_ctx, SigGroupHead *sgh) |
| Helper function used to print the list of sids for the Signatures present in this SigGroupHead. More... | |
| int | SigGroupHeadBuildMatchArray (DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t max_idx) |
| Create an array with all the internal ids of the sigs that this sig group head will check for. More... | |
| void | SigGroupHeadSetFilemagicFlag (DetectEngineCtx *de_ctx, SigGroupHead *sgh) |
| Set the need magic flag in the sgh. More... | |
| void | SigGroupHeadSetFilesizeFlag (DetectEngineCtx *de_ctx, SigGroupHead *sgh) |
| Set the need size flag in the sgh. More... | |
| void | SigGroupHeadSetFileHashFlag (DetectEngineCtx *de_ctx, SigGroupHead *sgh) |
| Set the need hash flag in the sgh. More... | |
| void | SigGroupHeadSetFilestoreCount (DetectEngineCtx *de_ctx, SigGroupHead *sgh) |
| Set the filestore_cnt in the sgh. More... | |
| int | SigGroupHeadBuildNonPrefilterArray (DetectEngineCtx *de_ctx, SigGroupHead *sgh) |
| build an array of rule id's for sigs with no prefilter Also updated de_ctx::non_pf_store_cnt_max to track the highest cnt More... | |
| int | SigGroupHeadContainsSigId (DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t sid) |
| Check if a SigGroupHead contains a Signature, whose sid is sent as an argument. More... | |
| int | SigAddressPrepareStage1 (DetectEngineCtx *) |
| Preprocess signature, classify ip-only, etc, build sig array. More... | |
| void | SigGroupHeadRegisterTests (void) |
Detailed Description
Signature grouping part of the detection engine.
Definition in file detect-engine-siggroup.c.
Function Documentation
◆ SigAddressPrepareStage1()
| int SigAddressPrepareStage1 | ( | DetectEngineCtx * | de_ctx | ) |
Preprocess signature, classify ip-only, etc, build sig array.
- Parameters
-
de_ctx Pointer to the Detection Engine Context
- Return values
-
0 on success -1 on failure
Definition at line 1358 of file detect-engine-build.c.
References de_ctx, DE_QUIET, DetectEngineGetMaxSigId, Signature_::flags, DetectEngineCtx_::flags, Signature_::id, Signature_::next, Signature_::num, SCLogDebug, SCMalloc, DetectEngineCtx_::sig_array, DetectEngineCtx_::sig_array_len, DetectEngineCtx_::sig_array_size, SIG_FLAG_IPONLY, SIG_FLAG_PDONLY, and DetectEngineCtx_::sig_list.
◆ SigGroupHeadAppendSig()
| int SigGroupHeadAppendSig | ( | const DetectEngineCtx * | de_ctx, |
| SigGroupHead ** | sgh, | ||
| const Signature * | s | ||
| ) |
Add a Signature to a SigGroupHead.
- Parameters
-
de_ctx Pointer to the detection engine context. sgh Pointer to a SigGroupHead. Can be NULL also. s Pointer to the Signature that has to be added to the SigGroupHead.
- Return values
-
0 On success. -1 On failure.
Definition at line 340 of file detect-engine-siggroup.c.
References de_ctx.
◆ SigGroupHeadBuildMatchArray()
| int SigGroupHeadBuildMatchArray | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| uint32_t | max_idx | ||
| ) |
Create an array with all the internal ids of the sigs that this sig group head will check for.
- Parameters
-
de_ctx Pointer to the detection engine context. sgh Pointer to the SigGroupHead. max_idx The maximum value of the sid in the SigGroupHead arg.
- Return values
-
0 success -1 error
Definition at line 489 of file detect-engine-siggroup.c.
References BUG_ON, de_ctx, SigGroupHead_::init, SigGroupHeadInitData_::match_array, SCMalloc, DetectEngineCtx_::sig_array, SigGroupHeadInitData_::sig_array, and SigGroupHeadInitData_::sig_cnt.
◆ SigGroupHeadBuildNonPrefilterArray()
| int SigGroupHeadBuildNonPrefilterArray | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh | ||
| ) |
build an array of rule id's for sigs with no prefilter Also updated de_ctx::non_pf_store_cnt_max to track the highest cnt
Definition at line 650 of file detect-engine-siggroup.c.
References Signature_::alproto, SignatureNonPrefilterStore_::alproto, BUG_ON, de_ctx, DetectFlagsSignatureNeedsSynPackets(), Signature_::flags, SignatureNonPrefilterStore_::id, SigGroupHead_::init, Signature_::mask, SignatureNonPrefilterStore_::mask, SigGroupHeadInitData_::match_array, MAX, SigGroupHead_::non_pf_other_store_array, SigGroupHead_::non_pf_other_store_cnt, DetectEngineCtx_::non_pf_store_cnt_max, SigGroupHead_::non_pf_syn_store_array, SigGroupHead_::non_pf_syn_store_cnt, Signature_::num, SCMalloc, SigGroupHeadInitData_::sig_cnt, SIG_FLAG_MPM_NEG, and SIG_FLAG_PREFILTER.
◆ SigGroupHeadClearSigs()
| int SigGroupHeadClearSigs | ( | SigGroupHead * | sgh | ) |
Clears the bitarray holding the sids for this SigGroupHead.
- Parameters
-
sgh Pointer to the SigGroupHead.
- Return values
-
0 Always.
Definition at line 369 of file detect-engine-siggroup.c.
References SigGroupHead_::init, SigGroupHeadInitData_::sig_array, SigGroupHeadInitData_::sig_cnt, and SigGroupHeadInitData_::sig_size.
◆ SigGroupHeadContainsSigId()
| int SigGroupHeadContainsSigId | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| uint32_t | sid | ||
| ) |
Check if a SigGroupHead contains a Signature, whose sid is sent as an argument.
- Parameters
-
de_ctx Pointer to the detection engine context. sgh Pointer to the SigGroupHead that has to be checked for the presence of a Signature. sid The Signature id(sid) that has to be checked in the SigGroupHead.
- Return values
-
1 On successfully finding the sid in the SigGroupHead. 0 If the sid is not found in the SigGroupHead
Definition at line 737 of file detect-engine-siggroup.c.
References de_ctx, DetectEngineGetMaxSigId, Signature_::id, SigGroupHead_::init, SCEnter, SCReturnInt, DetectEngineCtx_::sig_array, and SigGroupHeadInitData_::sig_array.
◆ SigGroupHeadCopySigs()
| int SigGroupHeadCopySigs | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | src, | ||
| SigGroupHead ** | dst | ||
| ) |
Copies the bitarray holding the sids from the source SigGroupHead to the destination SigGroupHead.
- Parameters
-
de_ctx Pointer to the detection engine context. src Pointer to the source SigGroupHead. dst Pointer to the destination SigGroupHead.
- Return values
-
0 On success. -1 On failure.
Definition at line 393 of file detect-engine-siggroup.c.
References de_ctx, dst, and src.
Referenced by DetectPortInsert().
◆ SigGroupHeadFree()
| void SigGroupHeadFree | ( | const DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh | ||
| ) |
Free a SigGroupHead and its members.
- Parameters
-
sgh Pointer to the SigGroupHead that has to be freed.
Definition at line 163 of file detect-engine-siggroup.c.
References de_ctx, SigGroupHead_::init, SigGroupHead_::non_pf_other_store_array, SigGroupHead_::non_pf_other_store_cnt, SigGroupHead_::non_pf_syn_store_array, SigGroupHead_::non_pf_syn_store_cnt, PrefilterCleanupRuleGroup(), SCFree, SCLogDebug, and SigGroupHeadInitDataFree().
Referenced by DetectPortFree(), and SigAddressCleanupStage1().
◆ SigGroupHeadHashAdd()
| int SigGroupHeadHashAdd | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh | ||
| ) |
Adds a SigGroupHead to the detection engine context SigGroupHead hash table.
- Parameters
-
de_ctx Pointer to the detection engine context. sgh Pointer to the SigGroupHead.
- Return values
-
ret 0 on Successfully adding the SigGroupHead; -1 on failure.
Definition at line 280 of file detect-engine-siggroup.c.
References de_ctx, HashListTableAdd(), and DetectEngineCtx_::sgh_hash_table.
◆ SigGroupHeadHashFree()
| void SigGroupHeadHashFree | ( | DetectEngineCtx * | de_ctx | ) |
Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function.
- Parameters
-
de_ctx Pointer to the detection engine context.
Definition at line 318 of file detect-engine-siggroup.c.
References de_ctx, HashListTableFree(), and DetectEngineCtx_::sgh_hash_table.
Referenced by DetectEngineCtxFree().
◆ SigGroupHeadHashInit()
| int SigGroupHeadHashInit | ( | DetectEngineCtx * | de_ctx | ) |
Initializes the hash table in the detection engine context to hold the SigGroupHeads.
- Parameters
-
de_ctx Pointer to the detection engine context.
- Return values
-
0 On success. -1 On failure.
Definition at line 258 of file detect-engine-siggroup.c.
References de_ctx, HashListTableInit(), and DetectEngineCtx_::sgh_hash_table.
◆ SigGroupHeadHashLookup()
| SigGroupHead* SigGroupHeadHashLookup | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh | ||
| ) |
Used to lookup a SigGroupHead hash from the detection engine context SigGroupHead hash table.
- Parameters
-
de_ctx Pointer to the detection engine context. sgh Pointer to the SigGroupHead.
- Return values
-
rsgh On success a pointer to the SigGroupHead if the SigGroupHead is found in the hash table; NULL on failure.
Definition at line 302 of file detect-engine-siggroup.c.
References de_ctx, HashListTableLookup(), SCEnter, SCReturnPtr, and DetectEngineCtx_::sgh_hash_table.
◆ SigGroupHeadHashRemove()
| int SigGroupHeadHashRemove | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh | ||
| ) |
Definition at line 287 of file detect-engine-siggroup.c.
References de_ctx, HashListTableRemove(), and DetectEngineCtx_::sgh_hash_table.
◆ SigGroupHeadInitDataFree()
| void SigGroupHeadInitDataFree | ( | SigGroupHeadInitData * | sghid | ) |
Definition at line 59 of file detect-engine-siggroup.c.
References SigGroupHeadInitData_::app_mpms, SigGroupHeadInitData_::frame_engines, SigGroupHeadInitData_::frame_mpms, SigGroupHeadInitData_::match_array, SigGroupHeadInitData_::payload_engines, SigGroupHeadInitData_::pkt_engines, SigGroupHeadInitData_::pkt_mpms, PrefilterFreeEnginesList(), SCFree, SigGroupHeadInitData_::sig_array, and SigGroupHeadInitData_::tx_engines.
Referenced by SigGroupHeadFree().
◆ SigGroupHeadPrintSigs()
| void SigGroupHeadPrintSigs | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh | ||
| ) |
Helper function used to print the list of sids for the Signatures present in this SigGroupHead.
- Parameters
-
de_ctx Pointer to the detection engine context. sgh Pointer to the SigGroupHead.
Definition at line 457 of file detect-engine-siggroup.c.
References SigGroupHead_::init, SCEnter, SCLogDebug, SCReturn, SigGroupHeadInitData_::sig_array, and SigGroupHeadInitData_::sig_size.
◆ SigGroupHeadRegisterTests()
| void SigGroupHeadRegisterTests | ( | void | ) |
Definition at line 1108 of file detect-engine-siggroup.c.
References UtRegisterTest().
◆ SigGroupHeadSetFileHashFlag()
| void SigGroupHeadSetFileHashFlag | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh | ||
| ) |
Set the need hash flag in the sgh.
- Parameters
-
de_ctx detection engine ctx for the signatures sgh sig group head to set the flag in
Definition at line 585 of file detect-engine-siggroup.c.
References SigGroupHead_::flags, SigGroupHead_::init, SigGroupHeadInitData_::match_array, SCLogDebug, SigGroupHeadInitData_::sig_cnt, SIG_GROUP_HEAD_HAVEFILEMD5, SIG_GROUP_HEAD_HAVEFILESHA1, SIG_GROUP_HEAD_HAVEFILESHA256, SignatureIsFileMd5Inspecting(), SignatureIsFileSha1Inspecting(), and SignatureIsFileSha256Inspecting().
◆ SigGroupHeadSetFilemagicFlag()
| void SigGroupHeadSetFilemagicFlag | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh | ||
| ) |
Set the need magic flag in the sgh.
- Parameters
-
de_ctx detection engine ctx for the signatures sgh sig group head to set the flag in
Definition at line 528 of file detect-engine-siggroup.c.
References SigGroupHead_::flags, SigGroupHead_::init, SigGroupHeadInitData_::match_array, SigGroupHeadInitData_::sig_cnt, and SignatureIsFilemagicInspecting().
◆ SigGroupHeadSetFilesizeFlag()
| void SigGroupHeadSetFilesizeFlag | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh | ||
| ) |
Set the need size flag in the sgh.
- Parameters
-
de_ctx detection engine ctx for the signatures sgh sig group head to set the flag in
Definition at line 557 of file detect-engine-siggroup.c.
References SigGroupHead_::flags, SigGroupHead_::init, SigGroupHeadInitData_::match_array, SigGroupHeadInitData_::sig_cnt, SIG_GROUP_HEAD_HAVEFILESIZE, and SignatureIsFilesizeInspecting().
◆ SigGroupHeadSetFilestoreCount()
| void SigGroupHeadSetFilestoreCount | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh | ||
| ) |
Set the filestore_cnt in the sgh.
- Parameters
-
de_ctx detection engine ctx for the signatures sgh sig group head to set the counter in
Definition at line 626 of file detect-engine-siggroup.c.
References SigGroupHead_::filestore_cnt, SigGroupHead_::init, SigGroupHeadInitData_::match_array, SigGroupHeadInitData_::sig_cnt, and SignatureIsFilestoring().
◆ SigGroupHeadSetProtoAndDirection()
| void SigGroupHeadSetProtoAndDirection | ( | SigGroupHead * | sgh, |
| uint8_t | ipproto, | ||
| int | dir | ||
| ) |
Definition at line 440 of file detect-engine-siggroup.c.
References SigGroupHeadInitData_::direction, SigGroupHead_::init, SigGroupHeadInitData_::protos, and SCLogDebug.
◆ SigGroupHeadSetSigCnt()
| void SigGroupHeadSetSigCnt | ( | SigGroupHead * | sgh, |
| uint32_t | max_idx | ||
| ) |
Updates the SigGroupHead->sig_cnt with the total count of all the Signatures present in this SigGroupHead.
- Parameters
-
sgh Pointer to the SigGroupHead. max_idx Maximum sid of the all the Signatures present in this SigGroupHead.
Definition at line 427 of file detect-engine-siggroup.c.
References SigGroupHead_::init, SigGroupHeadInitData_::sig_array, and SigGroupHeadInitData_::sig_cnt.
◆ SigGroupHeadStore()
| void SigGroupHeadStore | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh | ||
| ) |
Definition at line 108 of file detect-engine-siggroup.c.
References de_ctx, SCFree, SCRealloc, DetectEngineCtx_::sgh_array, DetectEngineCtx_::sgh_array_cnt, and DetectEngineCtx_::sgh_array_size.
