#include "suricata-common.h"
#include "decode.h"
#include "flow-var.h"
#include "app-layer-protos.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-build.h"
#include "detect-engine-address.h"
#include "detect-engine-mpm.h"
#include "detect-engine-siggroup.h"
#include "detect-engine-prefilter.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "detect-tcp-flags.h"
#include "util-hash.h"
#include "util-hashlist.h"
#include "util-error.h"
#include "util-debug.h"
#include "util-validate.h"
#include "util-cidr.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-memcmp.h"

Include dependency graph for detect-engine-siggroup.c:

Functions
int	SigGroupHeadClearSigs (SigGroupHead *sgh)
	Clears the bitarray holding the sids for this SigGroupHead. More...

void	SigGroupHeadInitDataFree (SigGroupHeadInitData *sghid)

void	SigGroupHeadStore (DetectEngineCtx de_ctx, SigGroupHead sgh)

void	SigGroupHeadFree (const DetectEngineCtx de_ctx, SigGroupHead sgh)
	Free a SigGroupHead and its members. More...

int	SigGroupHeadHashInit (DetectEngineCtx *de_ctx)
	Initializes the hash table in the detection engine context to hold the SigGroupHeads. More...

int	SigGroupHeadHashAdd (DetectEngineCtx de_ctx, SigGroupHead sgh)
	Adds a SigGroupHead to the detection engine context SigGroupHead hash table. More...

SigGroupHead *	SigGroupHeadHashLookup (DetectEngineCtx de_ctx, SigGroupHead sgh)
	Used to lookup a SigGroupHead hash from the detection engine context SigGroupHead hash table. More...

void	SigGroupHeadHashFree (DetectEngineCtx *de_ctx)
	Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function. More...

int	SigGroupHeadAppendSig (const DetectEngineCtx de_ctx, SigGroupHead sgh, const Signature s)
	Add a Signature to a SigGroupHead. More...

int	SigGroupHeadCopySigs (DetectEngineCtx de_ctx, SigGroupHead src, SigGroupHead **dst)
	Copies the bitarray holding the sids from the source SigGroupHead to the destination SigGroupHead. More...

void	SigGroupHeadSetSigCnt (SigGroupHead *sgh, uint32_t max_idx)
	Updates the SigGroupHead->sig_cnt with the total count of all the Signatures present in this SigGroupHead. More...

bool	SigGroupHeadEqual (const SigGroupHead sgha, const SigGroupHead sghb)
	Finds if two Signature Group Heads are the same. More...

void	SigGroupHeadSetProtoAndDirection (SigGroupHead *sgh, uint8_t ipproto, int dir)

void	SigGroupHeadPrintSigs (DetectEngineCtx de_ctx, SigGroupHead sgh)
	Helper function used to print the list of sids for the Signatures present in this SigGroupHead. More...

int	SigGroupHeadBuildMatchArray (DetectEngineCtx de_ctx, SigGroupHead sgh, uint32_t max_idx)
	Create an array with all the internal ids of the sigs that this sig group head will check for. More...

void	SigGroupHeadSetupFiles (const DetectEngineCtx de_ctx, SigGroupHead sgh)
	Set the need hash flag in the sgh. More...

int	SigGroupHeadContainsSigId (DetectEngineCtx de_ctx, SigGroupHead sgh, uint32_t sid)
	Check if a SigGroupHead contains a Signature, whose sid is sent as an argument. More...

int	SigPrepareStage1 (DetectEngineCtx *)
	Preprocess signature, classify ip-only, etc, build sig array. More...

void	SigGroupHeadRegisterTests (void)

Detailed Description

Author: Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Signature grouping part of the detection engine.

Definition in file detect-engine-siggroup.c.

Function Documentation

◆ SigGroupHeadAppendSig()

int SigGroupHeadAppendSig	(	const DetectEngineCtx *	de_ctx,
		SigGroupHead **	sgh,
		const Signature *	s
	)

Add a Signature to a SigGroupHead.

Parameters

de_ctx	Pointer to the detection engine context.
sgh	Pointer to a SigGroupHead. Can be NULL also.
s	Pointer to the Signature that has to be added to the SigGroupHead.

Return values

0	On success.
-1	On failure.

Definition at line 319 of file detect-engine-siggroup.c.

References de_ctx.

◆ SigGroupHeadBuildMatchArray()

int SigGroupHeadBuildMatchArray	(	DetectEngineCtx *	de_ctx,
		SigGroupHead *	sgh,
		uint32_t	max_idx
	)

Create an array with all the internal ids of the sigs that this sig group head will check for.

Parameters

de_ctx	Pointer to the detection engine context.
sgh	Pointer to the SigGroupHead.
max_idx	The maximum value of the sid in the SigGroupHead arg.

Return values

0	success
-1	error

Definition at line 535 of file detect-engine-siggroup.c.

References BUG_ON, de_ctx, SigGroupHead_::init, SigGroupHeadInitData_::match_array, MAX, SigGroupHeadInitData_::max_sig_id, SCCalloc, DetectEngineCtx_::sig_array, SigGroupHeadInitData_::sig_array, and SigGroupHeadInitData_::sig_cnt.

◆ SigGroupHeadClearSigs()

int SigGroupHeadClearSigs ( SigGroupHead * sgh )

Clears the bitarray holding the sids for this SigGroupHead.

Parameters

sgh	Pointer to the SigGroupHead.

Return values

0 Always.

Definition at line 348 of file detect-engine-siggroup.c.

References SigGroupHead_::init, SigGroupHeadInitData_::sig_array, SigGroupHeadInitData_::sig_cnt, and SigGroupHeadInitData_::sig_size.

◆ SigGroupHeadContainsSigId()

int SigGroupHeadContainsSigId	(	DetectEngineCtx *	de_ctx,
		SigGroupHead *	sgh,
		uint32_t	sid
	)

Check if a SigGroupHead contains a Signature, whose sid is sent as an argument.

Parameters

de_ctx	Pointer to the detection engine context.
sgh	Pointer to the SigGroupHead that has to be checked for the presence of a Signature.
sid	The Signature id(sid) that has to be checked in the SigGroupHead.

Return values

1	On successfully finding the sid in the SigGroupHead.
0	If the sid is not found in the SigGroupHead

Definition at line 620 of file detect-engine-siggroup.c.

References de_ctx, DetectEngineGetMaxSigId, Signature_::id, SigGroupHead_::init, SCEnter, SCReturnInt, DetectEngineCtx_::sig_array, and SigGroupHeadInitData_::sig_array.

◆ SigGroupHeadCopySigs()

int SigGroupHeadCopySigs	(	DetectEngineCtx *	de_ctx,
		SigGroupHead *	src,
		SigGroupHead **	dst
	)

Copies the bitarray holding the sids from the source SigGroupHead to the destination SigGroupHead.

Parameters

de_ctx	Pointer to the detection engine context.
src	Pointer to the source SigGroupHead.
dst	Pointer to the destination SigGroupHead.

Return values

0	On success.
-1	On failure.

Definition at line 390 of file detect-engine-siggroup.c.

References de_ctx, dst, and src.

Referenced by DetectPortCopySingle(), and SCPortIntervalInsert().

Here is the caller graph for this function:

◆ SigGroupHeadEqual()

bool SigGroupHeadEqual	(	const SigGroupHead *	sgha,
		const SigGroupHead *	sghb
	)

Finds if two Signature Group Heads are the same.

Parameters

sgha	First SGH to be compared
sghb	Secornd SGH to be compared

Returns: true if they're a match, false otherwise

Definition at line 469 of file detect-engine-siggroup.c.

References SigGroupHead_::init, SigGroupHeadInitData_::max_sig_id, SCMemcmp, SigGroupHeadInitData_::sig_array, and SigGroupHeadInitData_::sig_size.

◆ SigGroupHeadFree()

void SigGroupHeadFree	(	const DetectEngineCtx *	de_ctx,
		SigGroupHead *	sgh
	)

Free a SigGroupHead and its members.

Parameters

sgh	Pointer to the SigGroupHead that has to be freed.

Definition at line 163 of file detect-engine-siggroup.c.

References de_ctx, SigGroupHead_::init, PrefilterCleanupRuleGroup(), SCFree, SCLogDebug, and SigGroupHeadInitDataFree().

Referenced by DetectPortFree(), and SigAddressCleanupStage1().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ SigGroupHeadHashAdd()

int SigGroupHeadHashAdd	(	DetectEngineCtx *	de_ctx,
		SigGroupHead *	sgh
	)

Adds a SigGroupHead to the detection engine context SigGroupHead hash table.

Parameters

de_ctx	Pointer to the detection engine context.
sgh	Pointer to the SigGroupHead.

Return values

ret	0 on Successfully adding the SigGroupHead; -1 on failure.

Definition at line 266 of file detect-engine-siggroup.c.

References de_ctx, HashListTableAdd(), and DetectEngineCtx_::sgh_hash_table.

Here is the call graph for this function:

◆ SigGroupHeadHashFree()

void SigGroupHeadHashFree ( DetectEngineCtx * de_ctx )

Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function.

Parameters

de_ctx Pointer to the detection engine context.

Definition at line 299 of file detect-engine-siggroup.c.

References de_ctx, HashListTableFree(), and DetectEngineCtx_::sgh_hash_table.

Referenced by DetectEngineCtxFree().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ SigGroupHeadHashInit()

int SigGroupHeadHashInit ( DetectEngineCtx * de_ctx )

Initializes the hash table in the detection engine context to hold the SigGroupHeads.

Parameters

de_ctx Pointer to the detection engine context.

Return values

0	On success.
-1	On failure.

Definition at line 244 of file detect-engine-siggroup.c.

References de_ctx, HashListTableInit(), and DetectEngineCtx_::sgh_hash_table.

Here is the call graph for this function:

◆ SigGroupHeadHashLookup()

SigGroupHead* SigGroupHeadHashLookup	(	DetectEngineCtx *	de_ctx,
		SigGroupHead *	sgh
	)

Used to lookup a SigGroupHead hash from the detection engine context SigGroupHead hash table.

Parameters

de_ctx	Pointer to the detection engine context.
sgh	Pointer to the SigGroupHead.

Return values

rsgh	On success a pointer to the SigGroupHead if the SigGroupHead is found in the hash table; NULL on failure.

Definition at line 283 of file detect-engine-siggroup.c.

References de_ctx, HashListTableLookup(), SCEnter, SCReturnPtr, and DetectEngineCtx_::sgh_hash_table.

Here is the call graph for this function:

◆ SigGroupHeadInitDataFree()

void SigGroupHeadInitDataFree ( SigGroupHeadInitData * sghid )

Definition at line 60 of file detect-engine-siggroup.c.

References SigGroupHeadInitData_::app_mpms, SigGroupHeadInitData_::frame_engines, SigGroupHeadInitData_::frame_mpms, SigGroupHeadInitData_::match_array, SigGroupHeadInitData_::payload_engines, SigGroupHeadInitData_::pkt_engines, SigGroupHeadInitData_::pkt_mpms, SigGroupHeadInitData_::post_rule_match_engines, PrefilterFreeEnginesList(), SCFree, SCFreeAligned, SigGroupHeadInitData_::sig_array, and SigGroupHeadInitData_::tx_engines.

Referenced by SigGroupHeadFree().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ SigGroupHeadPrintSigs()

void SigGroupHeadPrintSigs	(	DetectEngineCtx *	de_ctx,
		SigGroupHead *	sgh
	)

Helper function used to print the list of sids for the Signatures present in this SigGroupHead.

Parameters

de_ctx	Pointer to the detection engine context.
sgh	Pointer to the SigGroupHead.

Definition at line 503 of file detect-engine-siggroup.c.

References SigGroupHead_::init, SCEnter, SCLogDebug, SCReturn, SigGroupHeadInitData_::sig_array, and SigGroupHeadInitData_::sig_size.

◆ SigGroupHeadRegisterTests()

void SigGroupHeadRegisterTests ( void )

Definition at line 994 of file detect-engine-siggroup.c.

References UtRegisterTest().

Here is the call graph for this function:

◆ SigGroupHeadSetProtoAndDirection()

void SigGroupHeadSetProtoAndDirection	(	SigGroupHead *	sgh,
		uint8_t	ipproto,
		int	dir
	)

Definition at line 486 of file detect-engine-siggroup.c.

References SigGroupHeadInitData_::direction, SigGroupHead_::init, SigGroupHeadInitData_::protos, and SCLogDebug.

◆ SigGroupHeadSetSigCnt()

void SigGroupHeadSetSigCnt	(	SigGroupHead *	sgh,
		uint32_t	max_idx
	)

Updates the SigGroupHead->sig_cnt with the total count of all the Signatures present in this SigGroupHead.

Parameters

sgh	Pointer to the SigGroupHead.
max_idx	Maximum sid of the all the Signatures present in this SigGroupHead.

Definition at line 446 of file detect-engine-siggroup.c.

References cnt, SigGroupHead_::init, MAX, SigGroupHeadInitData_::max_sig_id, SigGroupHeadInitData_::sig_array, SigGroupHeadInitData_::sig_cnt, and SigGroupHeadInitData_::sig_size.

◆ SigGroupHeadSetupFiles()

void SigGroupHeadSetupFiles	(	const DetectEngineCtx *	de_ctx,
		SigGroupHead *	sgh
	)

Set the need hash flag in the sgh.

Parameters

de_ctx	detection engine ctx for the signatures
sgh	sig group head to update

Definition at line 573 of file detect-engine-siggroup.c.

References DEBUG_VALIDATE_BUG_ON, SigGroupHead_::filestore_cnt, SigGroupHead_::flags, SigGroupHead_::init, SigGroupHeadInitData_::match_array, SCLogDebug, SigGroupHeadInitData_::sig_cnt, SIG_GROUP_HEAD_HAVEFILEMD5, SIG_GROUP_HEAD_HAVEFILESHA1, SIG_GROUP_HEAD_HAVEFILESHA256, SignatureIsFilemagicInspecting(), SignatureIsFileMd5Inspecting(), SignatureIsFileSha1Inspecting(), SignatureIsFileSha256Inspecting(), and SignatureIsFilestoring().

Referenced by SigPrepareStage4().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ SigGroupHeadStore()

void SigGroupHeadStore	(	DetectEngineCtx *	de_ctx,
		SigGroupHead *	sgh
	)

Definition at line 109 of file detect-engine-siggroup.c.

References de_ctx, SCFree, SCRealloc, DetectEngineCtx_::sgh_array, DetectEngineCtx_::sgh_array_cnt, and DetectEngineCtx_::sgh_array_size.

◆ SigPrepareStage1()

int SigPrepareStage1 ( DetectEngineCtx * de_ctx )

Preprocess signature, classify ip-only, etc, build sig array.

Parameters

de_ctx Pointer to the Detection Engine Context

Return values

0	on success
-1	on failure

Definition at line 1723 of file detect-engine-build.c.

References de_ctx, DE_QUIET, DetectEngineGetMaxSigId, DetectEngineCtx_::flags, Signature_::id, Signature_::iid, Signature_::next, SCCalloc, SCLogDebug, DetectEngineCtx_::sig_array, DetectEngineCtx_::sig_array_len, DetectEngineCtx_::sig_list, SIG_TYPE_IPONLY, SIG_TYPE_PDONLY, and Signature_::type.

Functions

Detailed Description

Function Documentation

◆ SigGroupHeadAppendSig()

◆ SigGroupHeadBuildMatchArray()

◆ SigGroupHeadClearSigs()

◆ SigGroupHeadContainsSigId()

◆ SigGroupHeadCopySigs()

◆ SigGroupHeadEqual()

◆ SigGroupHeadFree()

◆ SigGroupHeadHashAdd()

◆ SigGroupHeadHashFree()

◆ SigGroupHeadHashInit()

◆ SigGroupHeadHashLookup()

◆ SigGroupHeadInitDataFree()

◆ SigGroupHeadPrintSigs()

◆ SigGroupHeadRegisterTests()

◆ SigGroupHeadSetProtoAndDirection()

◆ SigGroupHeadSetSigCnt()

◆ SigGroupHeadSetupFiles()

◆ SigGroupHeadStore()

◆ SigPrepareStage1()