suricata
detect-engine-siggroup.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Signature grouping part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "flow-var.h"
30 
31 #include "app-layer-protos.h"
32 
33 #include "detect.h"
34 #include "detect-parse.h"
35 #include "detect-engine.h"
36 #include "detect-engine-address.h"
37 #include "detect-engine-mpm.h"
38 #include "detect-engine-siggroup.h"
40 
41 #include "detect-content.h"
42 #include "detect-uricontent.h"
43 #include "detect-tcp-flags.h"
44 
45 #include "util-hash.h"
46 #include "util-hashlist.h"
47 
48 #include "util-error.h"
49 #include "util-debug.h"
50 #include "util-cidr.h"
51 #include "util-unittest.h"
52 #include "util-unittest-helper.h"
53 #include "util-memcmp.h"
54 
55 /* prototypes */
57 
59 {
60  if (sghid->match_array != NULL) {
61  SCFree(sghid->match_array);
62  sghid->match_array = NULL;
63  }
64  if (sghid->sig_array != NULL) {
65  SCFree(sghid->sig_array);
66  sghid->sig_array = NULL;
67  }
68  if (sghid->app_mpms != NULL) {
69  SCFree(sghid->app_mpms);
70  }
71  if (sghid->pkt_mpms != NULL) {
72  SCFree(sghid->pkt_mpms);
73  }
74 
78 
79  SCFree(sghid);
80 }
81 
82 static SigGroupHeadInitData *SigGroupHeadInitDataAlloc(uint32_t size)
83 {
85  if (unlikely(sghid == NULL))
86  return NULL;
87 
88  memset(sghid, 0x00, sizeof(SigGroupHeadInitData));
89 
90  /* initialize the signature bitarray */
91  sghid->sig_size = size;
92  if ( (sghid->sig_array = SCMalloc(sghid->sig_size)) == NULL)
93  goto error;
94 
95  memset(sghid->sig_array, 0, sghid->sig_size);
96 
97  return sghid;
98 error:
100  return NULL;
101 }
102 
104 {
105  void *ptmp;
106  //printf("de_ctx->sgh_array_cnt %u, de_ctx->sgh_array_size %u, de_ctx->sgh_array %p\n", de_ctx->sgh_array_cnt, de_ctx->sgh_array_size, de_ctx->sgh_array);
109  } else {
110  int increase = 16;
111  ptmp = SCRealloc(de_ctx->sgh_array,
112  sizeof(SigGroupHead *) * (increase + de_ctx->sgh_array_size));
113  if (ptmp == NULL) {
115  de_ctx->sgh_array = NULL;
116  return;
117  }
118  de_ctx->sgh_array = ptmp;
119 
120  de_ctx->sgh_array_size += increase;
122  }
124 }
125 
126 /**
127  * \brief Alloc a SigGroupHead and its signature bit_array.
128  *
129  * \param size Size of the sig_array that has to be created for this
130  * SigGroupHead.
131  *
132  * \retval sgh Pointer to the newly init SigGroupHead on success; or NULL in
133  * case of error.
134  */
135 static SigGroupHead *SigGroupHeadAlloc(const DetectEngineCtx *de_ctx, uint32_t size)
136 {
137  SigGroupHead *sgh = SCMalloc(sizeof(SigGroupHead));
138  if (unlikely(sgh == NULL))
139  return NULL;
140  memset(sgh, 0, sizeof(SigGroupHead));
141 
142  sgh->init = SigGroupHeadInitDataAlloc(size);
143  if (sgh->init == NULL)
144  goto error;
145 
146  return sgh;
147 
148 error:
149  SigGroupHeadFree(de_ctx, sgh);
150  return NULL;
151 }
152 
153 /**
154  * \brief Free a SigGroupHead and its members.
155  *
156  * \param sgh Pointer to the SigGroupHead that has to be freed.
157  */
159 {
160  if (sgh == NULL)
161  return;
162 
163  SCLogDebug("sgh %p", sgh);
164 
165  if (sgh->non_pf_other_store_array != NULL) {
167  sgh->non_pf_other_store_array = NULL;
168  sgh->non_pf_other_store_cnt = 0;
169  }
170 
171  if (sgh->non_pf_syn_store_array != NULL) {
173  sgh->non_pf_syn_store_array = NULL;
174  sgh->non_pf_syn_store_cnt = 0;
175  }
176 
177  if (sgh->init != NULL) {
179  sgh->init = NULL;
180  }
181 
183  SCFree(sgh);
184 
185  return;
186 }
187 
188 /**
189  * \brief The hash function to be the used by the hash table -
190  * DetectEngineCtx->sgh_hash_table.
191  *
192  * \param ht Pointer to the hash table.
193  * \param data Pointer to the SigGroupHead.
194  * \param datalen Not used in our case.
195  *
196  * \retval hash The generated hash value.
197  */
198 static uint32_t SigGroupHeadHashFunc(HashListTable *ht, void *data, uint16_t datalen)
199 {
200  SigGroupHead *sgh = (SigGroupHead *)data;
201  uint32_t hash = 0;
202  uint32_t b = 0;
203 
204  SCLogDebug("hashing sgh %p", sgh);
205 
206  for (b = 0; b < sgh->init->sig_size; b++)
207  hash += sgh->init->sig_array[b];
208 
209  hash %= ht->array_size;
210  SCLogDebug("hash %"PRIu32" (sig_size %"PRIu32")", hash, sgh->init->sig_size);
211  return hash;
212 }
213 
214 /**
215  * \brief The Compare function to be used by the SigGroupHead hash table -
216  * DetectEngineCtx->sgh_hash_table.
217  *
218  * \param data1 Pointer to the first SigGroupHead.
219  * \param len1 Not used.
220  * \param data2 Pointer to the second SigGroupHead.
221  * \param len2 Not used.
222  *
223  * \retval 1 If the 2 SigGroupHeads sent as args match.
224  * \retval 0 If the 2 SigGroupHeads sent as args do not match.
225  */
226 static char SigGroupHeadCompareFunc(void *data1, uint16_t len1, void *data2,
227  uint16_t len2)
228 {
229  SigGroupHead *sgh1 = (SigGroupHead *)data1;
230  SigGroupHead *sgh2 = (SigGroupHead *)data2;
231 
232  if (data1 == NULL || data2 == NULL)
233  return 0;
234 
235  if (sgh1->init->sig_size != sgh2->init->sig_size)
236  return 0;
237 
238  if (SCMemcmp(sgh1->init->sig_array, sgh2->init->sig_array, sgh1->init->sig_size) != 0)
239  return 0;
240 
241  return 1;
242 }
243 
244 /**
245  * \brief Initializes the hash table in the detection engine context to hold the
246  * SigGroupHeads.
247  *
248  * \param de_ctx Pointer to the detection engine context.
249  *
250  * \retval 0 On success.
251  * \retval -1 On failure.
252  */
254 {
255  de_ctx->sgh_hash_table = HashListTableInit(4096, SigGroupHeadHashFunc,
256  SigGroupHeadCompareFunc, NULL);
257  if (de_ctx->sgh_hash_table == NULL)
258  goto error;
259 
260  return 0;
261 
262 error:
263  return -1;
264 }
265 
266 /**
267  * \brief Adds a SigGroupHead to the detection engine context SigGroupHead
268  * hash table.
269  *
270  * \param de_ctx Pointer to the detection engine context.
271  * \param sgh Pointer to the SigGroupHead.
272  *
273  * \retval ret 0 on Successfully adding the SigGroupHead; -1 on failure.
274  */
276 {
277  int ret = HashListTableAdd(de_ctx->sgh_hash_table, (void *)sgh, 0);
278 
279  return ret;
280 }
281 
283 {
284  return HashListTableRemove(de_ctx->sgh_hash_table, (void *)sgh, 0);
285 }
286 
287 /**
288  * \brief Used to lookup a SigGroupHead hash from the detection engine context
289  * SigGroupHead hash table.
290  *
291  * \param de_ctx Pointer to the detection engine context.
292  * \param sgh Pointer to the SigGroupHead.
293  *
294  * \retval rsgh On success a pointer to the SigGroupHead if the SigGroupHead is
295  * found in the hash table; NULL on failure.
296  */
298 {
299  SCEnter();
300 
302  (void *)sgh, 0);
303 
304  SCReturnPtr(rsgh, "SigGroupHead");
305 }
306 
307 /**
308  * \brief Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by
309  * SigGroupHeadHashInit() function.
310  *
311  * \param de_ctx Pointer to the detection engine context.
312  */
314 {
315  if (de_ctx->sgh_hash_table == NULL)
316  return;
317 
319  de_ctx->sgh_hash_table = NULL;
320 
321  return;
322 }
323 
324 /**
325  * \brief Add a Signature to a SigGroupHead.
326  *
327  * \param de_ctx Pointer to the detection engine context.
328  * \param sgh Pointer to a SigGroupHead. Can be NULL also.
329  * \param s Pointer to the Signature that has to be added to the
330  * SigGroupHead.
331  *
332  * \retval 0 On success.
333  * \retval -1 On failure.
334  */
336  const Signature *s)
337 {
338  if (de_ctx == NULL)
339  return 0;
340 
341  /* see if we have a head already */
342  if (*sgh == NULL) {
343  *sgh = SigGroupHeadAlloc(de_ctx, DetectEngineGetMaxSigId(de_ctx) / 8 + 1);
344  if (*sgh == NULL)
345  goto error;
346  }
347 
348  /* enable the sig in the bitarray */
349  (*sgh)->init->sig_array[s->num / 8] |= 1 << (s->num % 8);
350 
351  return 0;
352 
353 error:
354  return -1;
355 }
356 
357 /**
358  * \brief Clears the bitarray holding the sids for this SigGroupHead.
359  *
360  * \param sgh Pointer to the SigGroupHead.
361  *
362  * \retval 0 Always.
363  */
365 {
366  if (sgh == NULL)
367  return 0;
368 
369  if (sgh->init->sig_array != NULL)
370  memset(sgh->init->sig_array, 0, sgh->init->sig_size);
371 
372  sgh->init->sig_cnt = 0;
373 
374  return 0;
375 }
376 
377 /**
378  * \brief Copies the bitarray holding the sids from the source SigGroupHead to
379  * the destination SigGroupHead.
380  *
381  * \param de_ctx Pointer to the detection engine context.
382  * \param src Pointer to the source SigGroupHead.
383  * \param dst Pointer to the destination SigGroupHead.
384  *
385  * \retval 0 On success.
386  * \retval -1 On failure.
387  */
389 {
390  uint32_t idx = 0;
391 
392  if (src == NULL || de_ctx == NULL)
393  return 0;
394 
395  if (*dst == NULL) {
396  *dst = SigGroupHeadAlloc(de_ctx, DetectEngineGetMaxSigId(de_ctx) / 8 + 1);
397  if (*dst == NULL)
398  goto error;
399  }
400 
401  /* do the copy */
402  for (idx = 0; idx < src->init->sig_size; idx++)
403  (*dst)->init->sig_array[idx] = (*dst)->init->sig_array[idx] | src->init->sig_array[idx];
404 
405  if (src->init->whitelist)
406  (*dst)->init->whitelist = MAX((*dst)->init->whitelist, src->init->whitelist);
407 
408  return 0;
409 
410 error:
411  return -1;
412 }
413 
414 /**
415  * \brief Updates the SigGroupHead->sig_cnt with the total count of all the
416  * Signatures present in this SigGroupHead.
417  *
418  * \param sgh Pointer to the SigGroupHead.
419  * \param max_idx Maximum sid of the all the Signatures present in this
420  * SigGroupHead.
421  */
422 void SigGroupHeadSetSigCnt(SigGroupHead *sgh, uint32_t max_idx)
423 {
424  uint32_t sig;
425 
426  sgh->init->sig_cnt = 0;
427  for (sig = 0; sig < max_idx + 1; sig++) {
428  if (sgh->init->sig_array[sig / 8] & (1 << (sig % 8)))
429  sgh->init->sig_cnt++;
430  }
431 
432  return;
433 }
434 
436  uint8_t ipproto, int dir)
437 {
438  if (sgh && sgh->init) {
439  SCLogDebug("setting proto %u and dir %d on sgh %p", ipproto, dir, sgh);
440  sgh->init->protos[ipproto] = 1;
441  sgh->init->direction |= dir;
442  }
443 }
444 
445 /**
446  * \brief Helper function used to print the list of sids for the Signatures
447  * present in this SigGroupHead.
448  *
449  * \param de_ctx Pointer to the detection engine context.
450  * \param sgh Pointer to the SigGroupHead.
451  */
453 {
454  SCEnter();
455 
456  if (sgh == NULL) {
457  SCReturn;
458  }
459 
460  uint32_t u;
461 
462  SCLogDebug("The Signatures present in this SigGroupHead are: ");
463  for (u = 0; u < (sgh->init->sig_size * 8); u++) {
464  if (sgh->init->sig_array[u / 8] & (1 << (u % 8))) {
465  SCLogDebug("%" PRIu32, u);
466  printf("s->num %"PRIu32" ", u);
467  }
468  }
469 
470  SCReturn;
471 }
472 
473 /**
474  * \brief Create an array with all the internal ids of the sigs that this
475  * sig group head will check for.
476  *
477  * \param de_ctx Pointer to the detection engine context.
478  * \param sgh Pointer to the SigGroupHead.
479  * \param max_idx The maximum value of the sid in the SigGroupHead arg.
480  *
481  * \retval 0 success
482  * \retval -1 error
483  */
485  uint32_t max_idx)
486 {
487  Signature *s = NULL;
488  uint32_t idx = 0;
489  uint32_t sig = 0;
490 
491  if (sgh == NULL)
492  return 0;
493 
494  BUG_ON(sgh->init->match_array != NULL);
495 
496  sgh->init->match_array = SCMalloc(sgh->init->sig_cnt * sizeof(Signature *));
497  if (sgh->init->match_array == NULL)
498  return -1;
499 
500  memset(sgh->init->match_array, 0, sgh->init->sig_cnt * sizeof(Signature *));
501 
502  for (sig = 0; sig < max_idx + 1; sig++) {
503  if (!(sgh->init->sig_array[(sig / 8)] & (1 << (sig % 8))) )
504  continue;
505 
506  s = de_ctx->sig_array[sig];
507  if (s == NULL)
508  continue;
509 
510  sgh->init->match_array[idx] = s;
511  idx++;
512  }
513 
514  return 0;
515 }
516 
517 /**
518  * \brief Set the need magic flag in the sgh.
519  *
520  * \param de_ctx detection engine ctx for the signatures
521  * \param sgh sig group head to set the flag in
522  */
524 {
525 #ifdef HAVE_MAGIC
526  Signature *s = NULL;
527  uint32_t sig = 0;
528 
529  if (sgh == NULL)
530  return;
531 
532  for (sig = 0; sig < sgh->init->sig_cnt; sig++) {
533  s = sgh->init->match_array[sig];
534  if (s == NULL)
535  continue;
536 
538  sgh->flags |= SIG_GROUP_HEAD_HAVEFILEMAGIC;
539  break;
540  }
541  }
542 #endif
543  return;
544 }
545 
546 /**
547  * \brief Set the need size flag in the sgh.
548  *
549  * \param de_ctx detection engine ctx for the signatures
550  * \param sgh sig group head to set the flag in
551  */
553 {
554  Signature *s = NULL;
555  uint32_t sig = 0;
556 
557  if (sgh == NULL)
558  return;
559 
560  for (sig = 0; sig < sgh->init->sig_cnt; sig++) {
561  s = sgh->init->match_array[sig];
562  if (s == NULL)
563  continue;
564 
567  break;
568  }
569  }
570 
571  return;
572 }
573 
574 /**
575  * \brief Set the need hash flag in the sgh.
576  *
577  * \param de_ctx detection engine ctx for the signatures
578  * \param sgh sig group head to set the flag in
579  */
581 {
582  Signature *s = NULL;
583  uint32_t sig = 0;
584 
585  if (sgh == NULL)
586  return;
587 
588  for (sig = 0; sig < sgh->init->sig_cnt; sig++) {
589  s = sgh->init->match_array[sig];
590  if (s == NULL)
591  continue;
592 
595  SCLogDebug("sgh %p has filemd5", sgh);
596  break;
597  }
598 
601  SCLogDebug("sgh %p has filesha1", sgh);
602  break;
603  }
604 
607  SCLogDebug("sgh %p has filesha256", sgh);
608  break;
609  }
610  }
611 
612  return;
613 }
614 
615 /**
616  * \brief Set the filestore_cnt in the sgh.
617  *
618  * \param de_ctx detection engine ctx for the signatures
619  * \param sgh sig group head to set the counter in
620  */
622 {
623  Signature *s = NULL;
624  uint32_t sig = 0;
625 
626  if (sgh == NULL)
627  return;
628 
629  for (sig = 0; sig < sgh->init->sig_cnt; sig++) {
630  s = sgh->init->match_array[sig];
631  if (s == NULL)
632  continue;
633 
634  if (SignatureIsFilestoring(s)) {
635  sgh->filestore_cnt++;
636  }
637  }
638 
639  return;
640 }
641 
642 /** \brief build an array of rule id's for sigs with no prefilter
643  * Also updated de_ctx::non_pf_store_cnt_max to track the highest cnt
644  */
646 {
647  Signature *s = NULL;
648  uint32_t sig = 0;
649  uint32_t non_pf = 0;
650  uint32_t non_pf_syn = 0;
651 
652  if (sgh == NULL)
653  return 0;
654 
655  BUG_ON(sgh->non_pf_other_store_array != NULL);
656 
657  for (sig = 0; sig < sgh->init->sig_cnt; sig++) {
658  s = sgh->init->match_array[sig];
659  if (s == NULL)
660  continue;
661 
662  if (!(s->flags & SIG_FLAG_PREFILTER) || (s->flags & SIG_FLAG_MPM_NEG)) {
664  non_pf++;
665  }
666  non_pf_syn++;
667  }
668  }
669 
670  if (non_pf == 0 && non_pf_syn == 0) {
671  sgh->non_pf_other_store_array = NULL;
672  sgh->non_pf_syn_store_array = NULL;
673  return 0;
674  }
675 
676  if (non_pf > 0) {
678  BUG_ON(sgh->non_pf_other_store_array == NULL);
679  memset(sgh->non_pf_other_store_array, 0, non_pf * sizeof(SignatureNonPrefilterStore));
680  }
681 
682  if (non_pf_syn > 0) {
683  sgh->non_pf_syn_store_array = SCMalloc(non_pf_syn * sizeof(SignatureNonPrefilterStore));
684  BUG_ON(sgh->non_pf_syn_store_array == NULL);
685  memset(sgh->non_pf_syn_store_array, 0, non_pf_syn * sizeof(SignatureNonPrefilterStore));
686  }
687 
688  for (sig = 0; sig < sgh->init->sig_cnt; sig++) {
689  s = sgh->init->match_array[sig];
690  if (s == NULL)
691  continue;
692 
693  if (!(s->flags & SIG_FLAG_PREFILTER) || (s->flags & SIG_FLAG_MPM_NEG)) {
695  BUG_ON(sgh->non_pf_other_store_cnt >= non_pf);
696  BUG_ON(sgh->non_pf_other_store_array == NULL);
700  sgh->non_pf_other_store_cnt++;
701  }
702 
703  BUG_ON(sgh->non_pf_syn_store_cnt >= non_pf_syn);
704  BUG_ON(sgh->non_pf_syn_store_array == NULL);
708  sgh->non_pf_syn_store_cnt++;
709  }
710  }
711 
712  /* track highest cnt for any sgh in our de_ctx */
713  uint32_t max = MAX(sgh->non_pf_other_store_cnt, sgh->non_pf_syn_store_cnt);
714  if (max > de_ctx->non_pf_store_cnt_max)
716 
717  return 0;
718 }
719 
720 /**
721  * \brief Check if a SigGroupHead contains a Signature, whose sid is sent as an
722  * argument.
723  *
724  * \param de_ctx Pointer to the detection engine context.
725  * \param sgh Pointer to the SigGroupHead that has to be checked for the
726  * presence of a Signature.
727  * \param sid The Signature id(sid) that has to be checked in the SigGroupHead.
728  *
729  * \retval 1 On successfully finding the sid in the SigGroupHead.
730  * \retval 0 If the sid is not found in the SigGroupHead
731  */
733  uint32_t sid)
734 {
735  SCEnter();
736 
737  uint32_t sig = 0;
738  Signature *s = NULL;
739  uint32_t max_sid = DetectEngineGetMaxSigId(de_ctx);
740 
741  if (sgh == NULL) {
742  SCReturnInt(0);
743  }
744 
745  for (sig = 0; sig < max_sid; sig++) {
746  if (sgh->init->sig_array == NULL) {
747  SCReturnInt(0);
748  }
749 
750  /* Check if the SigGroupHead has an entry for the sid */
751  if ( !(sgh->init->sig_array[sig / 8] & (1 << (sig % 8))) )
752  continue;
753 
754  /* If we have reached here, we have an entry for sid in the SigGrouHead.
755  * Retrieve the Signature from the detection engine context */
756  s = de_ctx->sig_array[sig];
757  if (s == NULL)
758  continue;
759 
760  /* If the retrieved Signature matches the sid arg, we have a match */
761  if (s->id == sid) {
762  SCReturnInt(1);
763  }
764  }
765 
766  SCReturnInt(0);
767 }
768 
769 /*----------------------------------Unittests---------------------------------*/
770 
771 #ifdef UNITTESTS
772 
774 
775 /**
776  * \test Check if a SigGroupHead hash table is properly allocated and
777  * deallocated when calling SigGroupHeadHashInit() and
778  * SigGroupHeadHashFree() respectively.
779  */
780 static int SigGroupHeadTest03(void)
781 {
782  int result = 1;
783 
785 
787 
788  result &= (de_ctx.sgh_hash_table != NULL);
789 
791 
792  result &= (de_ctx.sgh_hash_table == NULL);
793 
794  return result;
795 }
796 
797 /**
798  * \test Check if a SigGroupHeadAppendSig() correctly appends a sid to a
799  * SigGroupHead() and SigGroupHeadContainsSigId() correctly indicates
800  * the presence of a sid.
801  */
802 static int SigGroupHeadTest06(void)
803 {
804  int result = 1;
805  SigGroupHead *sh = NULL;
807  Signature *prev_sig = NULL;
808 
809  if (de_ctx == NULL)
810  return 0;
811 
812  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
813  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
814  "content:\"test2\"; content:\"test3\"; sid:1;)");
815  if (de_ctx->sig_list == NULL) {
816  result = 0;
817  goto end;
818  }
819  prev_sig = de_ctx->sig_list;
820 
821  prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
822  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
823  "content:\"test2\"; content:\"test3\"; sid:2;)");
824  if (prev_sig->next == NULL) {
825  result = 0;
826  goto end;
827  }
828  prev_sig = prev_sig->next;
829 
830  prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
831  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
832  "content:\"test2\"; content:\"test3\"; sid:3;)");
833  if (prev_sig->next == NULL) {
834  result = 0;
835  goto end;
836  }
837  prev_sig = prev_sig->next;
838 
839  prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
840  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
841  "content:\"test2\"; content:\"test3\"; sid:4;)");
842  if (prev_sig->next == NULL) {
843  result = 0;
844  goto end;
845  }
846  prev_sig = prev_sig->next;
847 
848  prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
849  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
850  "content:\"test2\"; content:\"test3\"; sid:5;)");
851  if (prev_sig->next == NULL) {
852  result = 0;
853  goto end;
854  }
855  prev_sig = prev_sig->next;
856 
858 
862 
863  SigGroupHeadSetSigCnt(sh, 4);
864 
865  result &= (sh->init->sig_cnt == 3);
866  result &= (SigGroupHeadContainsSigId(de_ctx, sh, 1) == 1);
867  result &= (SigGroupHeadContainsSigId(de_ctx, sh, 2) == 0);
868  result &= (SigGroupHeadContainsSigId(de_ctx, sh, 3) == 1);
869  result &= (SigGroupHeadContainsSigId(de_ctx, sh, 4) == 0);
870  result &= (SigGroupHeadContainsSigId(de_ctx, sh, 5) == 1);
871 
873 
874  end:
877  return result;
878 }
879 
880 /**
881  * \test Check if a SigGroupHeadAppendSig(), correctly appends a sid to a
882  * SigGroupHead() and SigGroupHeadContainsSigId(), correctly indicates
883  * the presence of a sid and SigGroupHeadClearSigs(), correctly clears
884  * the SigGroupHead->sig_array and SigGroupHead->sig_cnt.
885  */
886 static int SigGroupHeadTest07(void)
887 {
888  int result = 1;
889  SigGroupHead *sh = NULL;
891  Signature *prev_sig = NULL;
892 
893  if (de_ctx == NULL)
894  return 0;
895 
896  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
897  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
898  "content:\"test2\"; content:\"test3\"; sid:1;)");
899  if (de_ctx->sig_list == NULL) {
900  result = 0;
901  goto end;
902  }
903  prev_sig = de_ctx->sig_list;
904 
905  prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
906  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
907  "content:\"test2\"; content:\"test3\"; sid:2;)");
908  if (prev_sig->next == NULL) {
909  result = 0;
910  goto end;
911  }
912  prev_sig = prev_sig->next;
913 
914  prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
915  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
916  "content:\"test2\"; content:\"test3\"; sid:3;)");
917  if (prev_sig->next == NULL) {
918  result = 0;
919  goto end;
920  }
921  prev_sig = prev_sig->next;
922 
923  prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
924  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
925  "content:\"test2\"; content:\"test3\"; sid:4;)");
926  if (prev_sig->next == NULL) {
927  result = 0;
928  goto end;
929  }
930  prev_sig = prev_sig->next;
931 
932  prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
933  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
934  "content:\"test2\"; content:\"test3\"; sid:5;)");
935  if (prev_sig->next == NULL) {
936  result = 0;
937  goto end;
938  }
939  prev_sig = prev_sig->next;
940 
942 
946 
947  SigGroupHeadSetSigCnt(sh, 4);
948 
949  result &= (sh->init->sig_cnt == 3);
950  result &= (SigGroupHeadContainsSigId(de_ctx, sh, 1) == 1);
951  result &= (SigGroupHeadContainsSigId(de_ctx, sh, 2) == 0);
952  result &= (SigGroupHeadContainsSigId(de_ctx, sh, 3) == 1);
953  result &= (SigGroupHeadContainsSigId(de_ctx, sh, 4) == 0);
954  result &= (SigGroupHeadContainsSigId(de_ctx, sh, 5) == 1);
955 
957 
958  result &= (sh->init->sig_cnt == 0);
959  result &= (SigGroupHeadContainsSigId(de_ctx, sh, 1) == 0);
960  result &= (SigGroupHeadContainsSigId(de_ctx, sh, 2) == 0);
961  result &= (SigGroupHeadContainsSigId(de_ctx, sh, 3) == 0);
962  result &= (SigGroupHeadContainsSigId(de_ctx, sh, 4) == 0);
963  result &= (SigGroupHeadContainsSigId(de_ctx, sh, 5) == 0);
964 
966 
967  end:
970  return result;
971 }
972 
973 /**
974  * \test Check if SigGroupHeadCopySigs(), correctly copies the sig_array from
975  * the source to the destination SigGroupHead.
976  */
977 static int SigGroupHeadTest08(void)
978 {
979  int result = 1;
980  SigGroupHead *src_sh = NULL;
981  SigGroupHead *dst_sh = NULL;
983  Signature *prev_sig = NULL;
984 
985  if (de_ctx == NULL)
986  return 0;
987 
988  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
989  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
990  "content:\"test2\"; content:\"test3\"; sid:1;)");
991  if (de_ctx->sig_list == NULL) {
992  result = 0;
993  goto end;
994  }
995  prev_sig = de_ctx->sig_list;
996 
997  prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
998  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
999  "content:\"test2\"; content:\"test3\"; sid:2;)");
1000  if (prev_sig->next == NULL) {
1001  result = 0;
1002  goto end;
1003  }
1004  prev_sig = prev_sig->next;
1005 
1006  prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
1007  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
1008  "content:\"test2\"; content:\"test3\"; sid:3;)");
1009  if (prev_sig->next == NULL) {
1010  result = 0;
1011  goto end;
1012  }
1013  prev_sig = prev_sig->next;
1014 
1015  prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
1016  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
1017  "content:\"test2\"; content:\"test3\"; sid:4;)");
1018  if (prev_sig->next == NULL) {
1019  result = 0;
1020  goto end;
1021  }
1022  prev_sig = prev_sig->next;
1023 
1024  prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
1025  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
1026  "content:\"test2\"; content:\"test3\"; sid:5;)");
1027  if (prev_sig->next == NULL) {
1028  result = 0;
1029  goto end;
1030  }
1031  prev_sig = prev_sig->next;
1032 
1034 
1038 
1039  SigGroupHeadSetSigCnt(src_sh, 4);
1040 
1041  result &= (src_sh->init->sig_cnt == 3);
1042  result &= (SigGroupHeadContainsSigId(de_ctx, src_sh, 1) == 1);
1043  result &= (SigGroupHeadContainsSigId(de_ctx, src_sh, 2) == 0);
1044  result &= (SigGroupHeadContainsSigId(de_ctx, src_sh, 3) == 1);
1045  result &= (SigGroupHeadContainsSigId(de_ctx, src_sh, 4) == 0);
1046  result &= (SigGroupHeadContainsSigId(de_ctx, src_sh, 5) == 1);
1047 
1048  SigGroupHeadCopySigs(de_ctx, src_sh, &dst_sh);
1049 
1050  SigGroupHeadSetSigCnt(dst_sh, 4);
1051 
1052  result &= (dst_sh->init->sig_cnt == 3);
1053  result &= (SigGroupHeadContainsSigId(de_ctx, dst_sh, 1) == 1);
1054  result &= (SigGroupHeadContainsSigId(de_ctx, dst_sh, 2) == 0);
1055  result &= (SigGroupHeadContainsSigId(de_ctx, dst_sh, 3) == 1);
1056  result &= (SigGroupHeadContainsSigId(de_ctx, dst_sh, 4) == 0);
1057  result &= (SigGroupHeadContainsSigId(de_ctx, dst_sh, 5) == 1);
1058 
1059  SigGroupHeadFree(de_ctx, src_sh);
1060  SigGroupHeadFree(de_ctx, dst_sh);
1061 
1062  end:
1065  return result;
1066 }
1067 
1068 /**
1069  * \test Check if SigGroupHeadBuildMatchArray(), correctly updates the
1070  * match array with the sids.
1071  */
1072 static int SigGroupHeadTest09(void)
1073 {
1074  int result = 1;
1075  SigGroupHead *sh = NULL;
1077  Signature *prev_sig = NULL;
1078 
1079  if (de_ctx == NULL)
1080  return 0;
1081 
1082  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1083  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
1084  "content:\"test2\"; content:\"test3\"; sid:1;)");
1085  if (de_ctx->sig_list == NULL) {
1086  result = 0;
1087  goto end;
1088  }
1089  prev_sig = de_ctx->sig_list;
1090 
1091  prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
1092  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
1093  "content:\"test2\"; content:\"test3\"; sid:2;)");
1094  if (prev_sig->next == NULL) {
1095  result = 0;
1096  goto end;
1097  }
1098  prev_sig = prev_sig->next;
1099 
1100  prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
1101  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
1102  "content:\"test2\"; content:\"test3\"; sid:3;)");
1103  if (prev_sig->next == NULL) {
1104  result = 0;
1105  goto end;
1106  }
1107  prev_sig = prev_sig->next;
1108 
1109  prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
1110  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
1111  "content:\"test2\"; content:\"test3\"; sid:4;)");
1112  if (prev_sig->next == NULL) {
1113  result = 0;
1114  goto end;
1115  }
1116  prev_sig = prev_sig->next;
1117 
1118  prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
1119  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
1120  "content:\"test2\"; content:\"test3\"; sid:5;)");
1121  if (prev_sig->next == NULL) {
1122  result = 0;
1123  goto end;
1124  }
1125  prev_sig = prev_sig->next;
1126 
1128 
1132 
1133  SigGroupHeadSetSigCnt(sh, 4);
1135 
1136  result &= (sh->init->match_array[0] == de_ctx->sig_list);
1137  result &= (sh->init->match_array[1] == de_ctx->sig_list->next->next);
1138  result &= (sh->init->match_array[2] == de_ctx->sig_list->next->next->next->next);
1139 
1140  SigGroupHeadFree(de_ctx, sh);
1141 
1142  end:
1145  return result;
1146 }
1147 
1148 /**
1149  * \test ICMP(?) sig grouping bug.
1150  */
1151 static int SigGroupHeadTest10(void)
1152 {
1153  int result = 0;
1155  Signature *s = NULL;
1156  Packet *p = NULL;
1157  DetectEngineThreadCtx *det_ctx = NULL;
1158  ThreadVars th_v;
1159 
1160  memset(&th_v, 0, sizeof(ThreadVars));
1161 
1162  p = UTHBuildPacketSrcDst(NULL, 0, IPPROTO_ICMP, "192.168.1.1", "1.2.3.4");
1163  p->icmpv4h->type = 5;
1164  p->icmpv4h->code = 1;
1165 
1166  /* originally ip's were
1167  p.src.addr_data32[0] = 0xe08102d3;
1168  p.dst.addr_data32[0] = 0x3001a8c0;
1169  */
1170 
1171  if (de_ctx == NULL)
1172  return 0;
1173 
1174  s = DetectEngineAppendSig(de_ctx, "alert icmp 192.168.0.0/16 any -> any any (icode:>1; itype:11; sid:1; rev:1;)");
1175  if (s == NULL) {
1176  goto end;
1177  }
1178  s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> 192.168.0.0/16 any (icode:1; itype:5; sid:2; rev:1;)");
1179  if (s == NULL) {
1180  goto end;
1181  }
1182 
1184  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1185 
1186  AddressDebugPrint(&p->dst);
1187 
1188  const SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, p);
1189  if (sgh == NULL) {
1190  goto end;
1191  }
1192 
1193  result = 1;
1194 end:
1197  UTHFreePackets(&p, 1);
1198  return result;
1199 }
1200 #endif
1201 
1203 {
1204 #ifdef UNITTESTS
1205  UtRegisterTest("SigGroupHeadTest03", SigGroupHeadTest03);
1206  UtRegisterTest("SigGroupHeadTest06", SigGroupHeadTest06);
1207  UtRegisterTest("SigGroupHeadTest07", SigGroupHeadTest07);
1208  UtRegisterTest("SigGroupHeadTest08", SigGroupHeadTest08);
1209  UtRegisterTest("SigGroupHeadTest09", SigGroupHeadTest09);
1210  UtRegisterTest("SigGroupHeadTest10", SigGroupHeadTest10);
1211 #endif
1212 }
detect-tcp-flags.h
DetectEngineCtx_::sgh_hash_table
HashListTable * sgh_hash_table
Definition: detect.h:797
SigGroupHead_::non_pf_syn_store_cnt
uint32_t non_pf_syn_store_cnt
Definition: detect.h:1352
SIG_GROUP_HEAD_HAVEFILEMD5
#define SIG_GROUP_HEAD_HAVEFILEMD5
Definition: detect.h:1235
detect-content.h
detect-engine.h
util-hashlist.h
detect-engine-siggroup.h
Signature_::num
SigIntId num
Definition: detect.h:528
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1346
SIG_GROUP_HEAD_HAVEFILESIZE
#define SIG_GROUP_HEAD_HAVEFILESIZE
Definition: detect.h:1236
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SigGroupHeadBuildNonPrefilterArray
int SigGroupHeadBuildNonPrefilterArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
build an array of rule id's for sigs with no prefilter Also updated de_ctx::non_pf_store_cnt_max to t...
Definition: detect-engine-siggroup.c:645
SigGroupHeadSetFilestoreCount
void SigGroupHeadSetFilestoreCount(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Set the filestore_cnt in the sgh.
Definition: detect-engine-siggroup.c:621
SigGroupHeadInitData_::sig_array
uint8_t * sig_array
Definition: detect.h:1321
SigGroupHeadSetFileHashFlag
void SigGroupHeadSetFileHashFlag(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Set the need hash flag in the sgh.
Definition: detect-engine-siggroup.c:580
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Signature_::alproto
AppProto alproto
Definition: detect.h:521
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
SignatureNonPrefilterStore_::id
SigIntId id
Definition: detect.h:980
DetectEngineCtx_::non_pf_store_cnt_max
uint32_t non_pf_store_cnt_max
Definition: detect.h:781
AddressDebugPrint
void AddressDebugPrint(Address *a)
Debug print function for printing addresses.
Definition: decode.c:632
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2076
UTHBuildPacketSrcDst
Packet * UTHBuildPacketSrcDst(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst)
UTHBuildPacketSrcDst is a wrapper that build packets specifying IPs and defaulting ports.
Definition: util-unittest-helper.c:418
util-hash.h
SIG_GROUP_HEAD_HAVEFILESHA1
#define SIG_GROUP_HEAD_HAVEFILESHA1
Definition: detect.h:1237
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:758
SigGroupHeadSetFilesizeFlag
void SigGroupHeadSetFilesizeFlag(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Set the need size flag in the sgh.
Definition: detect-engine-siggroup.c:552
DetectFlagsSignatureNeedsSynPackets
int DetectFlagsSignatureNeedsSynPackets(const Signature *s)
Definition: detect-tcp-flags.c:511
SigGroupHeadSetProtoAndDirection
void SigGroupHeadSetProtoAndDirection(SigGroupHead *sgh, uint8_t ipproto, int dir)
Definition: detect-engine-siggroup.c:435
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2067
SigGroupHeadPrintSigs
void SigGroupHeadPrintSigs(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Helper function used to print the list of sids for the Signatures present in this SigGroupHead.
Definition: detect-engine-siggroup.c:452
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:41
HashListTableLookup
void * HashListTableLookup(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:248
MAX
#define MAX(x, y)
Definition: suricata-common.h:376
SignatureIsFilesizeInspecting
int SignatureIsFilesizeInspecting(const Signature *s)
Check if a signature contains the filesize keyword.
Definition: detect-engine-build.c:172
SignatureNonPrefilterStore_
Definition: detect.h:979
detect-engine-prefilter.h
util-unittest.h
util-unittest-helper.h
SigGroupHeadRegisterTests
void SigGroupHeadRegisterTests(void)
Definition: detect-engine-siggroup.c:1202
HashListTableAdd
int HashListTableAdd(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:116
SigGroupHeadHashInit
int SigGroupHeadHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table in the detection engine context to hold the SigGroupHeads.
Definition: detect-engine-siggroup.c:253
HashListTable_::array_size
uint32_t array_size
Definition: util-hashlist.h:41
util-memcmp.h
DetectEngineCtx_::sgh_array_size
uint32_t sgh_array_size
Definition: detect.h:842
SigGroupHeadInitData_::pkt_mpms
MpmCtx ** pkt_mpms
Definition: detect.h:1329
SigAddressPrepareStage1
int SigAddressPrepareStage1(DetectEngineCtx *)
Preprocess signature, classify ip-only, etc, build sig array.
Definition: detect-engine-build.c:1330
SignatureIsFileSha256Inspecting
int SignatureIsFileSha256Inspecting(const Signature *s)
Check if a signature contains the filesha256 keyword.
Definition: detect-engine-build.c:156
Signature_::next
struct Signature_ * next
Definition: detect.h:590
util-cidr.h
HashListTableInit
HashListTable * HashListTableInit(uint32_t size, uint32_t(*Hash)(struct HashListTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
Definition: util-hashlist.c:35
decode.h
util-debug.h
SigGroupHeadBuildMatchArray
int SigGroupHeadBuildMatchArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t max_idx)
Create an array with all the internal ids of the sigs that this sig group head will check for.
Definition: detect-engine-siggroup.c:484
SigGroupHeadInitData_::sig_cnt
SigIntId sig_cnt
Definition: detect.h:1336
util-error.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1003
SigGroupHeadInitData_::tx_engines
PrefilterEngineList * tx_engines
Definition: detect.h:1333
DetectEngineGetMaxSigId
#define DetectEngineGetMaxSigId(de_ctx)
Definition: detect-engine.h:86
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
SigGroupHeadSetFilemagicFlag
void SigGroupHeadSetFilemagicFlag(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Set the need magic flag in the sgh.
Definition: detect-engine-siggroup.c:523
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SigGroupHead_::init
SigGroupHeadInitData * init
Definition: detect.h:1368
SigGroupHeadInitData_::direction
uint32_t direction
Definition: detect.h:1325
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:277
SCReturn
#define SCReturn
Definition: util-debug.h:302
Signature_::flags
uint32_t flags
Definition: detect.h:518
Packet_
Definition: decode.h:414
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:316
DetectEngineCtx_::sgh_array_cnt
uint32_t sgh_array_cnt
Definition: detect.h:841
SigGroupHeadAppendSig
int SigGroupHeadAppendSig(const DetectEngineCtx *de_ctx, SigGroupHead **sgh, const Signature *s)
Add a Signature to a SigGroupHead.
Definition: detect-engine-siggroup.c:335
DetectEngineCtx_::sgh_array
struct SigGroupHead_ ** sgh_array
Definition: detect.h:840
HashListTable_
Definition: util-hashlist.h:37
SigGroupHeadFree
void SigGroupHeadFree(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Free a SigGroupHead and its members.
Definition: detect-engine-siggroup.c:158
SigGroupHeadHashRemove
int SigGroupHeadHashRemove(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Definition: detect-engine-siggroup.c:282
SigGroupHeadInitData_::app_mpms
MpmCtx ** app_mpms
Definition: detect.h:1328
SignatureIsFileSha1Inspecting
int SignatureIsFileSha1Inspecting(const Signature *s)
Check if a signature contains the filesha1 keyword.
Definition: detect-engine-build.c:140
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1934
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
SIG_FLAG_MPM_NEG
#define SIG_FLAG_MPM_NEG
Definition: detect.h:226
SigGroupHeadInitData_::pkt_engines
PrefilterEngineList * pkt_engines
Definition: detect.h:1331
SigGroupHeadSetSigCnt
void SigGroupHeadSetSigCnt(SigGroupHead *sgh, uint32_t max_idx)
Updates the SigGroupHead->sig_cnt with the total count of all the Signatures present in this SigGroup...
Definition: detect-engine-siggroup.c:422
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2381
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2771
SigGroupHead_::non_pf_other_store_array
SignatureNonPrefilterStore * non_pf_other_store_array
Definition: detect.h:1353
suricata-common.h
SigGroupHeadStore
void SigGroupHeadStore(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Definition: detect-engine-siggroup.c:103
SigGroupHeadInitData_::payload_engines
PrefilterEngineList * payload_engines
Definition: detect.h:1332
HashListTableFree
void HashListTableFree(HashListTable *ht)
Definition: util-hashlist.c:82
SigGroupHeadInitData_::match_array
Signature ** match_array
Definition: detect.h:1339
SigGroupHead_::non_pf_other_store_cnt
uint32_t non_pf_other_store_cnt
Definition: detect.h:1351
SigGroupHeadInitData_::sig_size
uint32_t sig_size
Definition: detect.h:1322
PrefilterCleanupRuleGroup
void PrefilterCleanupRuleGroup(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Definition: detect-engine-prefilter.c:334
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:764
SigGroupHeadHashFree
void SigGroupHeadHashFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function.
Definition: detect-engine-siggroup.c:313
Packet_::icmpv4h
ICMPV4Hdr * icmpv4h
Definition: decode.h:539
SigGroupHeadHashAdd
int SigGroupHeadHashAdd(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Adds a SigGroupHead to the detection engine context SigGroupHead hash table.
Definition: detect-engine-siggroup.c:275
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SigGroupHeadInitData_
Definition: detect.h:1318
SigGroupHeadHashLookup
SigGroupHead * SigGroupHeadHashLookup(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Used to lookup a SigGroupHead hash from the detection engine context SigGroupHead hash table.
Definition: detect-engine-siggroup.c:297
SigGroupHead_::flags
uint32_t flags
Definition: detect.h:1347
SignatureIsFilestoring
int SignatureIsFilestoring(const Signature *s)
Check if a signature contains the filestore keyword.
Definition: detect-engine-build.c:86
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Signature_::id
uint32_t id
Definition: detect.h:551
HashListTableRemove
int HashListTableRemove(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:157
detect-parse.h
src
uint16_t src
Definition: app-layer-dnp3.h:5
Signature_
Signature container.
Definition: detect.h:517
SigGroupHeadInitDataFree
void SigGroupHeadInitDataFree(SigGroupHeadInitData *sghid)
Definition: detect-engine-siggroup.c:58
SigGroupHeadContainsSigId
int SigGroupHeadContainsSigId(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t sid)
Check if a SigGroupHead contains a Signature, whose sid is sent as an argument.
Definition: detect-engine-siggroup.c:732
SignatureIsFileMd5Inspecting
int SignatureIsFileMd5Inspecting(const Signature *s)
Check if a signature contains the filemd5 keyword.
Definition: detect-engine-build.c:124
SigGroupHeadInitData_::protos
uint8_t protos[256]
Definition: detect.h:1324
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2022
app-layer-protos.h
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:773
Packet_::dst
Address dst
Definition: decode.h:419
SigGroupHead_::non_pf_syn_store_array
SignatureNonPrefilterStore * non_pf_syn_store_array
Definition: detect.h:1355
SignatureNonPrefilterStore_::mask
SignatureMask mask
Definition: detect.h:981
detect-uricontent.h
dst
uint16_t dst
Definition: app-layer-dnp3.h:4
SIG_GROUP_HEAD_HAVEFILESHA256
#define SIG_GROUP_HEAD_HAVEFILESHA256
Definition: detect.h:1238
SignatureNonPrefilterStore_::alproto
uint8_t alproto
Definition: detect.h:982
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
SignatureIsFilemagicInspecting
int SignatureIsFilemagicInspecting(const Signature *s)
Check if a signature contains the filemagic keyword.
Definition: detect-engine-build.c:105
SigGroupHead_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1359
flow-var.h
PrefilterFreeEnginesList
void PrefilterFreeEnginesList(PrefilterEngineList *list)
Definition: detect-engine-prefilter.c:306
SCMemcmp
#define SCMemcmp(a, b, c)
Definition: util-memcmp.h:369
SIG_FLAG_PREFILTER
#define SIG_FLAG_PREFILTER
Definition: detect.h:243
detect-engine-address.h
SigMatchSignaturesGetSgh
const SigGroupHead * SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx, const Packet *p)
Get the SigGroupHead for a packet.
Definition: detect.c:181
SigGroupHeadCopySigs
int SigGroupHeadCopySigs(DetectEngineCtx *de_ctx, SigGroupHead *src, SigGroupHead **dst)
Copies the bitarray holding the sids from the source SigGroupHead to the destination SigGroupHead.
Definition: detect-engine-siggroup.c:388
Signature_::mask
SignatureMask mask
Definition: detect.h:527
SigGroupHeadClearSigs
int SigGroupHeadClearSigs(SigGroupHead *)
Clears the bitarray holding the sids for this SigGroupHead.
Definition: detect-engine-siggroup.c:364
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468