suricata
detect-engine-siggroup.c File Reference
#include "suricata-common.h"
#include "decode.h"
#include "flow-var.h"
#include "app-layer-protos.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-build.h"
#include "detect-engine-address.h"
#include "detect-engine-mpm.h"
#include "detect-engine-siggroup.h"
#include "detect-engine-prefilter.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "detect-tcp-flags.h"
#include "util-hash.h"
#include "util-hashlist.h"
#include "util-error.h"
#include "util-debug.h"
#include "util-validate.h"
#include "util-cidr.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-memcmp.h"

Functions

int SigGroupHeadClearSigs (SigGroupHead *sgh)
 Clears the bitarray holding the sids for this SigGroupHead. More...
 
void SigGroupHeadInitDataFree (SigGroupHeadInitData *sghid)
 
void SigGroupHeadStore (DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 
void SigGroupHeadFree (const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 Free a SigGroupHead and its members. More...
 
int SigGroupHeadHashInit (DetectEngineCtx *de_ctx)
 Initializes the hash table in the detection engine context to hold the SigGroupHeads. More...
 
int SigGroupHeadHashAdd (DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 Adds a SigGroupHead to the detection engine context SigGroupHead hash table. More...
 
SigGroupHead * SigGroupHeadHashLookup (DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 Used to lookup a SigGroupHead hash from the detection engine context SigGroupHead hash table. More...
 
void SigGroupHeadHashFree (DetectEngineCtx *de_ctx)
 Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function. More...
 
int SigGroupHeadAppendSig (const DetectEngineCtx *de_ctx, SigGroupHead **sgh, const Signature *s)
 Add a Signature to a SigGroupHead. More...
 
int SigGroupHeadCopySigs (DetectEngineCtx *de_ctx, SigGroupHead *src, SigGroupHead **dst)
 Copies the bitarray holding the sids from the source SigGroupHead to the destination SigGroupHead. More...
 
void SigGroupHeadSetSigCnt (SigGroupHead *sgh, uint32_t max_idx)
 Updates the SigGroupHead->sig_cnt with the total count of all the Signatures present in this SigGroupHead. More...
 
bool SigGroupHeadEqual (const SigGroupHead *sgha, const SigGroupHead *sghb)
 Finds if two Signature Group Heads are the same. More...
 
void SigGroupHeadSetProtoAndDirection (SigGroupHead *sgh, uint8_t ipproto, int dir)
 
void SigGroupHeadPrintSigs (DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 Helper function used to print the list of sids for the Signatures present in this SigGroupHead. More...
 
int SigGroupHeadBuildMatchArray (DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t max_idx)
 Create an array with all the internal ids of the sigs that this sig group head will check for. More...
 
void SigGroupHeadSetupFiles (const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 Set the need hash flag in the sgh. More...
 
int SigGroupHeadBuildNonPrefilterArray (DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 Build an array of rule ids for sigs with no prefilter. Also updates de_ctx::non_pf_store_cnt_max to track the highest cnt. More...
 
int SigGroupHeadContainsSigId (DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t sid)
 Check if a SigGroupHead contains a Signature, whose sid is sent as an argument. More...
 
int SigPrepareStage1 (DetectEngineCtx *)
 Preprocess signature, classify ip-only, etc, build sig array. More...
 
void SigGroupHeadRegisterTests (void)
 

Detailed Description

Author
Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Signature grouping part of the detection engine.

Definition in file detect-engine-siggroup.c.

Function Documentation

◆ SigGroupHeadAppendSig()

int SigGroupHeadAppendSig ( const DetectEngineCtx *  de_ctx,
SigGroupHead **  sgh,
const Signature *  s
)

Add a Signature to a SigGroupHead.

Parameters
de_ctx: Pointer to the detection engine context.
sgh: Pointer to a SigGroupHead. Can be NULL also.
s: Pointer to the Signature that has to be added to the SigGroupHead.
Return values
0: On success.
-1: On failure.

Definition at line 334 of file detect-engine-siggroup.c.

References de_ctx.

◆ SigGroupHeadBuildMatchArray()

int SigGroupHeadBuildMatchArray ( DetectEngineCtx *  de_ctx,
SigGroupHead *  sgh,
uint32_t  max_idx
)

Create an array with all the internal ids of the sigs that this sig group head will check for.

Parameters
de_ctx: Pointer to the detection engine context.
sgh: Pointer to the SigGroupHead.
max_idx: The maximum value of the sid in the SigGroupHead arg.
Return values
0: success
-1: error

Definition at line 551 of file detect-engine-siggroup.c.

References BUG_ON, de_ctx, SigGroupHead_::init, SigGroupHeadInitData_::match_array, MAX, SigGroupHeadInitData_::max_sig_id, SCCalloc, DetectEngineCtx_::sig_array, SigGroupHeadInitData_::sig_array, and SigGroupHeadInitData_::sig_cnt.

◆ SigGroupHeadBuildNonPrefilterArray()

◆ SigGroupHeadClearSigs()

int SigGroupHeadClearSigs ( SigGroupHead *  sgh)

Clears the bitarray holding the sids for this SigGroupHead.

Parameters
sgh: Pointer to the SigGroupHead.
Return values
0: Always.

Definition at line 363 of file detect-engine-siggroup.c.

References SigGroupHead_::init, SigGroupHeadInitData_::sig_array, SigGroupHeadInitData_::sig_cnt, and SigGroupHeadInitData_::sig_size.

◆ SigGroupHeadContainsSigId()

int SigGroupHeadContainsSigId ( DetectEngineCtx *  de_ctx,
SigGroupHead *  sgh,
uint32_t  sid
)

Check if a SigGroupHead contains a Signature whose sid is passed as an argument.

Parameters
de_ctx: Pointer to the detection engine context.
sgh: Pointer to the SigGroupHead that has to be checked for the presence of a Signature.
sid: The Signature id (sid) that has to be checked in the SigGroupHead.
Return values
1: On successfully finding the sid in the SigGroupHead.
0: If the sid is not found in the SigGroupHead.

Definition at line 717 of file detect-engine-siggroup.c.

References de_ctx, DetectEngineGetMaxSigId, Signature_::id, SigGroupHead_::init, SCEnter, SCReturnInt, DetectEngineCtx_::sig_array, and SigGroupHeadInitData_::sig_array.

◆ SigGroupHeadCopySigs()

int SigGroupHeadCopySigs ( DetectEngineCtx *  de_ctx,
SigGroupHead *  src,
SigGroupHead **  dst
)

Copies the bitarray holding the sids from the source SigGroupHead to the destination SigGroupHead.

Parameters
de_ctx: Pointer to the detection engine context.
src: Pointer to the source SigGroupHead.
dst: Pointer to the destination SigGroupHead.
Return values
0: On success.
-1: On failure.

Definition at line 405 of file detect-engine-siggroup.c.

References de_ctx, dst, and src.

Referenced by DetectPortCopySingle(), and SCPortIntervalInsert().


◆ SigGroupHeadEqual()

bool SigGroupHeadEqual ( const SigGroupHead *  sgha,
const SigGroupHead *  sghb
)

Finds if two Signature Group Heads are the same.

Parameters
sgha: First SGH to be compared
sghb: Second SGH to be compared
Returns
true if they're a match, false otherwise

Definition at line 485 of file detect-engine-siggroup.c.

References SigGroupHead_::init, SigGroupHeadInitData_::max_sig_id, SCMemcmp, SigGroupHeadInitData_::sig_array, and SigGroupHeadInitData_::sig_size.

◆ SigGroupHeadFree()

void SigGroupHeadFree ( const DetectEngineCtx *  de_ctx,
SigGroupHead *  sgh
)

Free a SigGroupHead and its members.

Parameters
sgh: Pointer to the SigGroupHead that has to be freed.

Definition at line 162 of file detect-engine-siggroup.c.

References de_ctx, SigGroupHead_::init, SigGroupHead_::non_pf_other_store_array, SigGroupHead_::non_pf_other_store_cnt, SigGroupHead_::non_pf_syn_store_array, SigGroupHead_::non_pf_syn_store_cnt, PrefilterCleanupRuleGroup(), SCFree, SCLogDebug, and SigGroupHeadInitDataFree().

Referenced by DetectPortFree(), and SigAddressCleanupStage1().


◆ SigGroupHeadHashAdd()

int SigGroupHeadHashAdd ( DetectEngineCtx *  de_ctx,
SigGroupHead *  sgh
)

Adds a SigGroupHead to the detection engine context SigGroupHead hash table.

Parameters
de_ctx: Pointer to the detection engine context.
sgh: Pointer to the SigGroupHead.
Return values
ret: 0 on successfully adding the SigGroupHead; -1 on failure.

Definition at line 279 of file detect-engine-siggroup.c.

References de_ctx, HashListTableAdd(), and DetectEngineCtx_::sgh_hash_table.


◆ SigGroupHeadHashFree()

void SigGroupHeadHashFree ( DetectEngineCtx *  de_ctx)

Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function.

Parameters
de_ctx: Pointer to the detection engine context.

Definition at line 312 of file detect-engine-siggroup.c.

References de_ctx, HashListTableFree(), and DetectEngineCtx_::sgh_hash_table.

Referenced by DetectEngineCtxFree().


◆ SigGroupHeadHashInit()

int SigGroupHeadHashInit ( DetectEngineCtx *  de_ctx)

Initializes the hash table in the detection engine context to hold the SigGroupHeads.

Parameters
de_ctx: Pointer to the detection engine context.
Return values
0: On success.
-1: On failure.

Definition at line 257 of file detect-engine-siggroup.c.

References de_ctx, HashListTableInit(), and DetectEngineCtx_::sgh_hash_table.


◆ SigGroupHeadHashLookup()

SigGroupHead* SigGroupHeadHashLookup ( DetectEngineCtx *  de_ctx,
SigGroupHead *  sgh
)

Used to look up a SigGroupHead hash from the detection engine context SigGroupHead hash table.

Parameters
de_ctx: Pointer to the detection engine context.
sgh: Pointer to the SigGroupHead.
Return values
rsgh: On success, a pointer to the SigGroupHead if the SigGroupHead is found in the hash table; NULL on failure.

Definition at line 296 of file detect-engine-siggroup.c.

References de_ctx, HashListTableLookup(), SCEnter, SCReturnPtr, and DetectEngineCtx_::sgh_hash_table.


◆ SigGroupHeadInitDataFree()

◆ SigGroupHeadPrintSigs()

void SigGroupHeadPrintSigs ( DetectEngineCtx *  de_ctx,
SigGroupHead *  sgh
)

Helper function used to print the list of sids for the Signatures present in this SigGroupHead.

Parameters
de_ctx: Pointer to the detection engine context.
sgh: Pointer to the SigGroupHead.

Definition at line 519 of file detect-engine-siggroup.c.

References SigGroupHead_::init, SCEnter, SCLogDebug, SCReturn, SigGroupHeadInitData_::sig_array, and SigGroupHeadInitData_::sig_size.

◆ SigGroupHeadRegisterTests()

void SigGroupHeadRegisterTests ( void  )

Definition at line 1088 of file detect-engine-siggroup.c.

References UtRegisterTest().


◆ SigGroupHeadSetProtoAndDirection()

void SigGroupHeadSetProtoAndDirection ( SigGroupHead *  sgh,
uint8_t  ipproto,
int  dir
)

◆ SigGroupHeadSetSigCnt()

void SigGroupHeadSetSigCnt ( SigGroupHead *  sgh,
uint32_t  max_idx
)

Updates the SigGroupHead->sig_cnt with the total count of all the Signatures present in this SigGroupHead.

Parameters
sgh: Pointer to the SigGroupHead.
max_idx: Maximum sid of all the Signatures present in this SigGroupHead.

Definition at line 461 of file detect-engine-siggroup.c.

References cnt, SigGroupHead_::init, MAX, SigGroupHeadInitData_::max_sig_id, SigGroupHeadInitData_::sig_array, SigGroupHeadInitData_::sig_cnt, and SigGroupHeadInitData_::sig_size.

◆ SigGroupHeadSetupFiles()

void SigGroupHeadSetupFiles ( const DetectEngineCtx *  de_ctx,
SigGroupHead *  sgh
)

◆ SigGroupHeadStore()

◆ SigPrepareStage1()

int SigPrepareStage1 ( DetectEngineCtx *  de_ctx)

Preprocess signature, classify ip-only, etc, build sig array.

Parameters
de_ctx: Pointer to the Detection Engine Context
Return values
0: on success
-1: on failure

Definition at line 1720 of file detect-engine-build.c.

References de_ctx, DE_QUIET, DetectEngineGetMaxSigId, DetectEngineCtx_::flags, Signature_::id, Signature_::next, Signature_::num, SCCalloc, SCLogDebug, DetectEngineCtx_::sig_array, DetectEngineCtx_::sig_array_len, DetectEngineCtx_::sig_list, SIG_TYPE_IPONLY, SIG_TYPE_PDONLY, and Signature_::type.