Go to the documentation of this file.
96 size = sghid->
sig_size = size + 16 - (size % 16);
100 memset(ptr, 0, size);
147 sgh->
init = SigGroupHeadInitDataAlloc(size);
148 if (sgh->
init == NULL)
170 if (sgh->
init != NULL) {
189 static uint32_t SigGroupHeadHashFunc(
HashListTable *ht,
void *data, uint16_t datalen)
217 static char SigGroupHeadCompareFunc(
void *data1, uint16_t len1,
void *data2,
223 if (data1 == NULL || data2 == NULL)
247 SigGroupHeadCompareFunc, NULL);
333 (*sgh)->init->sig_array[s->
num / 8] |= 1 << (s->
num % 8);
334 (*sgh)->init->max_sig_id =
MAX(s->
num, (*sgh)->init->max_sig_id);
362 #include <emmintrin.h>
363 static void MergeBitarrays(
const uint8_t *
src, uint8_t *
dst,
const uint32_t size)
366 const uint8_t *srcptr =
src;
367 uint8_t *dstptr =
dst;
368 for (uint32_t i = 0; i < size; i += 16) {
369 __m128i s = _mm_load_si128((
const __m128i *)srcptr);
370 __m128i d = _mm_load_si128((
const __m128i *)dstptr);
371 d = _mm_or_si128(s, d);
372 _mm_store_si128((__m128i *)dstptr, d);
403 MergeBitarrays(
src->init->sig_array, (*dst)->init->sig_array,
src->init->sig_size);
406 for (uint32_t idx = 0; idx <
src->init->sig_size; idx++)
407 (*dst)->init->sig_array[idx] = (*dst)->init->sig_array[idx] |
src->init->sig_array[idx];
409 if (
src->init->score)
410 (*dst)->init->score =
MAX((*dst)->init->score,
src->init->score);
412 if (
src->init->max_sig_id)
413 (*dst)->init->max_sig_id =
MAX((*dst)->init->max_sig_id,
src->init->max_sig_id);
421 #include <x86intrin.h>
422 static uint32_t Popcnt(
const uint8_t *array,
const uint32_t size)
429 uint64_t *ptr = (uint64_t *)array;
430 for (uint64_t idx = 0; idx < size; idx += 8) {
431 cnt += _popcnt64(*ptr);
471 if (sgha == NULL || sghb == NULL)
487 uint8_t ipproto,
int dir)
489 if (sgh && sgh->
init) {
490 SCLogDebug(
"setting proto %u and dir %d on sgh %p", ipproto, dir, sgh);
513 SCLogDebug(
"The Signatures present in this SigGroupHead are: ");
517 printf(
"s->num %"PRIu32
" ", u);
578 for (uint32_t sig = 0; sig < sgh->
init->
sig_cnt; sig++) {
600 sgh->
flags |= SIG_GROUP_HEAD_HAVEFILEMAGIC;
636 for (sig = 0; sig < max_sid; sig++) {
671 static int SigGroupHeadTest01(
void)
689 static int SigGroupHeadTest02(
void)
697 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
698 "content:\"test2\"; content:\"test3\"; sid:1;)");
702 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
703 "content:\"test2\"; content:\"test3\"; sid:2;)");
707 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
708 "content:\"test2\"; content:\"test3\"; sid:3;)");
712 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
713 "content:\"test2\"; content:\"test3\"; sid:4;)");
717 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
718 "content:\"test2\"; content:\"test3\"; sid:5;)");
749 static int SigGroupHeadTest03(
void)
757 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
758 "content:\"test2\"; content:\"test3\"; sid:1;)");
762 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
763 "content:\"test2\"; content:\"test3\"; sid:2;)");
767 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
768 "content:\"test2\"; content:\"test3\"; sid:3;)");
772 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
773 "content:\"test2\"; content:\"test3\"; sid:4;)");
777 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
778 "content:\"test2\"; content:\"test3\"; sid:5;)");
816 static int SigGroupHeadTest04(
void)
825 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
826 "content:\"test2\"; content:\"test3\"; sid:1;)");
830 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
831 "content:\"test2\"; content:\"test3\"; sid:2;)");
835 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
836 "content:\"test2\"; content:\"test3\"; sid:3;)");
840 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
841 "content:\"test2\"; content:\"test3\"; sid:4;)");
845 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
846 "content:\"test2\"; content:\"test3\"; sid:5;)");
887 static int SigGroupHeadTest05(
void)
895 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
896 "content:\"test2\"; content:\"test3\"; sid:1;)");
900 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
901 "content:\"test2\"; content:\"test3\"; sid:2;)");
905 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
906 "content:\"test2\"; content:\"test3\"; sid:3;)");
910 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
911 "content:\"test2\"; content:\"test3\"; sid:4;)");
915 "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
916 "content:\"test2\"; content:\"test3\"; sid:5;)");
950 static int SigGroupHeadTest06(
void)
973 "(icode:>1; itype:11; sid:1; rev:1;)");
977 "(icode:1; itype:5; sid:2; rev:1;)");
HashListTable * sgh_hash_table
#define SIG_GROUP_HEAD_HAVEFILEMD5
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Container for matching data for a signature group.
#define SIG_GROUP_HEAD_HAVEFILESIZE
bool SigGroupHeadEqual(const SigGroupHead *sgha, const SigGroupHead *sghb)
Finds if two Signature Group Heads are the same.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void AddressDebugPrint(Address *a)
Debug print function for printing addresses.
Packet * UTHBuildPacketSrcDst(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst)
UTHBuildPacketSrcDst is a wrapper that build packets specifying IPs and defaulting ports.
#define SIG_GROUP_HEAD_HAVEFILESHA1
main detection engine ctx
void SigGroupHeadSetProtoAndDirection(SigGroupHead *sgh, uint8_t ipproto, int dir)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
int SigPrepareStage1(DetectEngineCtx *)
Preprocess signature, classify ip-only, etc, build sig array.
void SigGroupHeadPrintSigs(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Helper function used to print the list of sids for the Signatures present in this SigGroupHead.
void * HashListTableLookup(HashListTable *ht, void *data, uint16_t datalen)
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
void SigGroupHeadSetupFiles(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Set the need hash flag in the sgh.
int SignatureIsFilesizeInspecting(const Signature *s)
Check if a signature contains the filesize keyword.
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
void SigGroupHeadRegisterTests(void)
int HashListTableAdd(HashListTable *ht, void *data, uint16_t datalen)
int SigGroupHeadHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table in the detection engine context to hold the SigGroupHeads.
int SignatureIsFileSha256Inspecting(const Signature *s)
Check if a signature contains the filesha256 keyword.
HashListTable * HashListTableInit(uint32_t size, uint32_t(*Hash)(struct HashListTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
int SigGroupHeadBuildMatchArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t max_idx)
Create an array with all the internal ids of the sigs that this sig group head will check for.
#define PASS
Pass the test.
PrefilterEngineList * tx_engines
#define DetectEngineGetMaxSigId(de_ctx)
Per thread variable structure.
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
SigGroupHeadInitData * init
#define SCReturnPtr(x, type)
int SigGroupHeadAppendSig(const DetectEngineCtx *de_ctx, SigGroupHead **sgh, const Signature *s)
Add a Signature to a SigGroupHead.
struct SigGroupHead_ ** sgh_array
void SigGroupHeadFree(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Free a SigGroupHead and its members.
int SignatureIsFileSha1Inspecting(const Signature *s)
Check if a signature contains the filesha1 keyword.
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
#define SCRealloc(ptr, sz)
PrefilterEngineList * pkt_engines
void SigGroupHeadSetSigCnt(SigGroupHead *sgh, uint32_t max_idx)
Updates the SigGroupHead->sig_cnt with the total count of all the Signatures present in this SigGroup...
void SigGroupHeadStore(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
PrefilterEngineList * frame_engines
PrefilterEngineList * payload_engines
void HashListTableFree(HashListTable *ht)
#define SCMallocAligned(size, align)
void PrefilterCleanupRuleGroup(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
void SigGroupHeadHashFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function.
int SigGroupHeadHashAdd(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Adds a SigGroupHead to the detection engine context SigGroupHead hash table.
SigGroupHead * SigGroupHeadHashLookup(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Used to lookup a SigGroupHead hash from the detection engine context SigGroupHead hash table.
int SignatureIsFilestoring(const Signature *s)
Check if a signature contains the filestore keyword.
PrefilterEngineList * post_rule_match_engines
void SigGroupHeadInitDataFree(SigGroupHeadInitData *sghid)
int SigGroupHeadContainsSigId(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t sid)
Check if a SigGroupHead contains a Signature, whose sid is sent as an argument.
int SignatureIsFileMd5Inspecting(const Signature *s)
Check if a signature contains the filemd5 keyword.
union PacketL4::L4Hdrs hdrs
DetectEngineCtx * DetectEngineCtxInit(void)
#define SIG_GROUP_HEAD_HAVEFILESHA256
int SignatureIsFilemagicInspecting(const Signature *s)
Check if a signature contains the filemagic keyword.
void PrefilterFreeEnginesList(PrefilterEngineList *list)
#define SCMemcmp(a, b, c)
#define DEBUG_VALIDATE_BUG_ON(exp)
const SigGroupHead * SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx, const Packet *p)
Get the SigGroupHead for a packet.
int SigGroupHeadCopySigs(DetectEngineCtx *de_ctx, SigGroupHead *src, SigGroupHead **dst)
Copies the bitarray holding the sids from the source SigGroupHead to the destination SigGroupHead.
int SigGroupHeadClearSigs(SigGroupHead *)
Clears the bitarray holding the sids for this SigGroupHead.
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.