Go to the documentation of this file.
95 size = sghid->
sig_size = size + 16 - (size % 16);
146 sgh->
init = SigGroupHeadInitDataAlloc(size);
147 if (sgh->
init == NULL)
181 if (sgh->
init != NULL) {
202 static uint32_t SigGroupHeadHashFunc(
HashListTable *ht,
void *data, uint16_t datalen)
230 static char SigGroupHeadCompareFunc(
void *data1, uint16_t len1,
void *data2,
236 if (data1 == NULL || data2 == NULL)
260 SigGroupHeadCompareFunc, NULL);
348 (*sgh)->init->sig_array[s->
num / 8] |= 1 << (s->
num % 8);
349 (*sgh)->init->max_sig_id =
MAX(s->
num, (*sgh)->init->max_sig_id);
377 #include <emmintrin.h>
378 static void MergeBitarrays(
const uint8_t *
src, uint8_t *
dst,
const uint32_t size)
381 const uint8_t *srcptr =
src;
382 uint8_t *dstptr =
dst;
383 for (uint32_t i = 0; i < size; i += 16) {
384 __m128i s = _mm_load_si128((
const __m128i *)srcptr);
385 __m128i d = _mm_load_si128((
const __m128i *)dstptr);
386 d = _mm_or_si128(s, d);
387 _mm_store_si128((__m128i *)dstptr, d);
418 MergeBitarrays(
src->init->sig_array, (*dst)->init->sig_array,
src->init->sig_size);
421 for (uint32_t idx = 0; idx <
src->init->sig_size; idx++)
422 (*dst)->init->sig_array[idx] = (*dst)->init->sig_array[idx] |
src->init->sig_array[idx];
424 if (
src->init->score)
425 (*dst)->init->score =
MAX((*dst)->init->score,
src->init->score);
427 if (
src->init->max_sig_id)
428 (*dst)->init->max_sig_id =
MAX((*dst)->init->max_sig_id,
src->init->max_sig_id);
436 #include <x86intrin.h>
437 static uint32_t Popcnt(
const uint8_t *array,
const uint32_t size)
444 uint64_t *ptr = (uint64_t *)array;
445 for (uint64_t idx = 0; idx < size; idx += 8) {
446 cnt += _popcnt64(*ptr);
487 if (sgha == NULL || sghb == NULL)
503 uint8_t ipproto,
int dir)
505 if (sgh && sgh->
init) {
506 SCLogDebug(
"setting proto %u and dir %d on sgh %p", ipproto, dir, sgh);
529 SCLogDebug(
"The Signatures present in this SigGroupHead are: ");
533 printf(
"s->num %"PRIu32
" ", u);
594 for (uint32_t sig = 0; sig < sgh->
init->
sig_cnt; sig++) {
616 sgh->
flags |= SIG_GROUP_HEAD_HAVEFILEMAGIC;
637 uint32_t non_pf_syn = 0;
657 if (non_pf == 0 && non_pf_syn == 0) {
668 if (non_pf_syn > 0) {
730 for (sig = 0; sig < max_sid; sig++) {
765 static int SigGroupHeadTest01(
void)
783 static int SigGroupHeadTest02(
void)
791 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
792 "content:\"test2\"; content:\"test3\"; sid:1;)");
796 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
797 "content:\"test2\"; content:\"test3\"; sid:2;)");
801 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
802 "content:\"test2\"; content:\"test3\"; sid:3;)");
806 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
807 "content:\"test2\"; content:\"test3\"; sid:4;)");
811 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
812 "content:\"test2\"; content:\"test3\"; sid:5;)");
843 static int SigGroupHeadTest03(
void)
851 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
852 "content:\"test2\"; content:\"test3\"; sid:1;)");
856 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
857 "content:\"test2\"; content:\"test3\"; sid:2;)");
861 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
862 "content:\"test2\"; content:\"test3\"; sid:3;)");
866 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
867 "content:\"test2\"; content:\"test3\"; sid:4;)");
871 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
872 "content:\"test2\"; content:\"test3\"; sid:5;)");
910 static int SigGroupHeadTest04(
void)
919 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
920 "content:\"test2\"; content:\"test3\"; sid:1;)");
924 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
925 "content:\"test2\"; content:\"test3\"; sid:2;)");
929 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
930 "content:\"test2\"; content:\"test3\"; sid:3;)");
934 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
935 "content:\"test2\"; content:\"test3\"; sid:4;)");
939 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
940 "content:\"test2\"; content:\"test3\"; sid:5;)");
981 static int SigGroupHeadTest05(
void)
989 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
990 "content:\"test2\"; content:\"test3\"; sid:1;)");
994 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
995 "content:\"test2\"; content:\"test3\"; sid:2;)");
999 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
1000 "content:\"test2\"; content:\"test3\"; sid:3;)");
1004 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
1005 "content:\"test2\"; content:\"test3\"; sid:4;)");
1009 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
1010 "content:\"test2\"; content:\"test3\"; sid:5;)");
1044 static int SigGroupHeadTest06(
void)
1067 "(icode:>1; itype:11; sid:1; rev:1;)");
1071 "(icode:1; itype:5; sid:2; rev:1;)");
HashListTable * sgh_hash_table
uint32_t non_pf_syn_store_cnt
#define SIG_GROUP_HEAD_HAVEFILEMD5
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Container for matching data for a signature group.
#define SIG_GROUP_HEAD_HAVEFILESIZE
int SigGroupHeadBuildNonPrefilterArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
build an array of rule id's for sigs with no prefilter Also updated de_ctx::non_pf_store_cnt_max to t...
bool SigGroupHeadEqual(const SigGroupHead *sgha, const SigGroupHead *sghb)
Finds if two Signature Group Heads are the same.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
uint32_t non_pf_store_cnt_max
void AddressDebugPrint(Address *a)
Debug print function for printing addresses.
Packet * UTHBuildPacketSrcDst(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst)
UTHBuildPacketSrcDst is a wrapper that build packets specifying IPs and defaulting ports.
#define SIG_GROUP_HEAD_HAVEFILESHA1
main detection engine ctx
int DetectFlagsSignatureNeedsSynPackets(const Signature *s)
void SigGroupHeadSetProtoAndDirection(SigGroupHead *sgh, uint8_t ipproto, int dir)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
int SigPrepareStage1(DetectEngineCtx *)
Preprocess signature, classify ip-only, etc, build sig array.
void SigGroupHeadPrintSigs(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Helper function used to print the list of sids for the Signatures present in this SigGroupHead.
void * HashListTableLookup(HashListTable *ht, void *data, uint16_t datalen)
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
void SigGroupHeadSetupFiles(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Set the need hash flag in the sgh.
int SignatureIsFilesizeInspecting(const Signature *s)
Check if a signature contains the filesize keyword.
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
void SigGroupHeadRegisterTests(void)
int HashListTableAdd(HashListTable *ht, void *data, uint16_t datalen)
int SigGroupHeadHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table in the detection engine context to hold the SigGroupHeads.
int SignatureIsFileSha256Inspecting(const Signature *s)
Check if a signature contains the filesha256 keyword.
HashListTable * HashListTableInit(uint32_t size, uint32_t(*Hash)(struct HashListTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
int SigGroupHeadBuildMatchArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t max_idx)
Create an array with all the internal ids of the sigs that this sig group head will check for.
#define PASS
Pass the test.
PrefilterEngineList * tx_engines
#define DetectEngineGetMaxSigId(de_ctx)
Per thread variable structure.
SigGroupHeadInitData * init
#define SCReturnPtr(x, type)
int SigGroupHeadAppendSig(const DetectEngineCtx *de_ctx, SigGroupHead **sgh, const Signature *s)
Add a Signature to a SigGroupHead.
struct SigGroupHead_ ** sgh_array
void SigGroupHeadFree(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Free a SigGroupHead and its members.
int SignatureIsFileSha1Inspecting(const Signature *s)
Check if a signature contains the filesha1 keyword.
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
#define SCRealloc(ptr, sz)
PrefilterEngineList * pkt_engines
void SigGroupHeadSetSigCnt(SigGroupHead *sgh, uint32_t max_idx)
Updates the SigGroupHead->sig_cnt with the total count of all the Signatures present in this SigGroup...
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
SignatureNonPrefilterStore * non_pf_other_store_array
void SigGroupHeadStore(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
PrefilterEngineList * frame_engines
PrefilterEngineList * payload_engines
void HashListTableFree(HashListTable *ht)
uint32_t non_pf_other_store_cnt
#define SCMallocAligned(size, align)
void PrefilterCleanupRuleGroup(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
void SigGroupHeadHashFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function.
int SigGroupHeadHashAdd(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Adds a SigGroupHead to the detection engine context SigGroupHead hash table.
SigGroupHead * SigGroupHeadHashLookup(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Used to lookup a SigGroupHead hash from the detection engine context SigGroupHead hash table.
int SignatureIsFilestoring(const Signature *s)
Check if a signature contains the filestore keyword.
void SigGroupHeadInitDataFree(SigGroupHeadInitData *sghid)
int SigGroupHeadContainsSigId(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t sid)
Check if a SigGroupHead contains a Signature, whose sid is sent as an argument.
int SignatureIsFileMd5Inspecting(const Signature *s)
Check if a signature contains the filemd5 keyword.
union PacketL4::L4Hdrs hdrs
DetectEngineCtx * DetectEngineCtxInit(void)
SignatureNonPrefilterStore * non_pf_syn_store_array
#define SIG_GROUP_HEAD_HAVEFILESHA256
int SignatureIsFilemagicInspecting(const Signature *s)
Check if a signature contains the filemagic keyword.
void PrefilterFreeEnginesList(PrefilterEngineList *list)
#define SCMemcmp(a, b, c)
#define DEBUG_VALIDATE_BUG_ON(exp)
#define SIG_FLAG_PREFILTER
const SigGroupHead * SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx, const Packet *p)
Get the SigGroupHead for a packet.
int SigGroupHeadCopySigs(DetectEngineCtx *de_ctx, SigGroupHead *src, SigGroupHead **dst)
Copies the bitarray holding the sids from the source SigGroupHead to the destination SigGroupHead.
int SigGroupHeadClearSigs(SigGroupHead *)
Clears the bitarray holding the sids for this SigGroupHead.
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.