#include "suricata-common.h"#include "detect.h"#include "detect-xbits.h"#include "detect-flowbits.h"#include "detect-flowint.h"#include "detect-parse.h"#include "detect-engine-sigorder.h"#include "detect-pcre.h"#include "detect-engine-build.h"#include "util-unittest.h"#include "util-unittest-helper.h"#include "util-debug.h"#include "util-action.h"#include "action-globals.h"#include "flow-util.h"#include "util-validate.h"
Go to the source code of this file.
Data Structures | |
| struct | SCSigSignatureWrapper_ |
| Signature wrapper used by signature ordering module while ordering signatures. More... | |
| struct | SCSigOrderFunc_ |
| Structure holding the signature ordering function used by the signature ordering module. More... | |
Macros | |
| #define | DETECT_FLOWVAR_NOT_USED 1 |
| #define | DETECT_FLOWVAR_TYPE_READ 2 |
| #define | DETECT_FLOWVAR_TYPE_SET_READ 3 |
| #define | DETECT_FLOWVAR_TYPE_SET 4 |
| #define | DETECT_PKTVAR_NOT_USED 1 |
| #define | DETECT_PKTVAR_TYPE_READ 2 |
| #define | DETECT_PKTVAR_TYPE_SET_READ 3 |
| #define | DETECT_PKTVAR_TYPE_SET 4 |
| #define | DETECT_FLOWBITS_NOT_USED 1 |
| #define | DETECT_FLOWBITS_TYPE_READ 2 |
| #define | DETECT_FLOWBITS_TYPE_SET_READ 3 |
| #define | DETECT_FLOWBITS_TYPE_SET 4 |
| #define | DETECT_FLOWINT_NOT_USED 1 |
| #define | DETECT_FLOWINT_TYPE_READ 2 |
| #define | DETECT_FLOWINT_TYPE_SET_READ 3 |
| #define | DETECT_FLOWINT_TYPE_SET 4 |
| #define | DETECT_XBITS_NOT_USED 1 |
| #define | DETECT_XBITS_TYPE_READ 2 |
| #define | DETECT_XBITS_TYPE_SET_READ 3 |
| #define | DETECT_XBITS_TYPE_SET 4 |
Typedefs | |
| typedef struct SCSigSignatureWrapper_ | SCSigSignatureWrapper |
| Signature wrapper used by signature ordering module while ordering signatures. More... | |
| typedef struct SCSigOrderFunc_ | SCSigOrderFunc |
| Structure holding the signature ordering function used by the signature ordering module. More... | |
Enumerations | |
| enum | DetectSigorderUserDataType { DETECT_SIGORDER_FLOWBITS, DETECT_SIGORDER_FLOWVAR, DETECT_SIGORDER_PKTVAR, DETECT_SIGORDER_FLOWINT, DETECT_SIGORDER_HOSTBITS, DETECT_SIGORDER_IPPAIRBITS, DETECT_SIGORDER_MAX } |
| Different kinds of helper data that can be used by the signature ordering module. Used by the "user" field in SCSigSignatureWrapper. More... | |
Functions | |
| void | SCSigOrderSignatures (DetectEngineCtx *de_ctx) |
| Orders the signatures. More... | |
| void | SCSigRegisterSignatureOrderingFuncs (DetectEngineCtx *de_ctx) |
| Lets you register the Signature ordering functions. The order in which the functions are registered shows the priority. The first function registered provides more priority than the function registered after it. To add a new registration function, register it by listing it in the correct position in the below sequence, based on the priority you would want to offer to that keyword. More... | |
| void | SCSigSignatureOrderingModuleCleanup (DetectEngineCtx *de_ctx) |
| De-registers all the signature ordering functions registered. More... | |
| DetectEngineCtx * | DetectEngineCtxInit (void) |
| Signature * | DetectEngineAppendSig (DetectEngineCtx *, const char *) |
| Parse and append a Signature into the Detection Engine Context signature list. More... | |
| void | SigFree (DetectEngineCtx *, Signature *) |
| void | DetectEngineCtxFree (DetectEngineCtx *) |
| Free a DetectEngineCtx:: More... | |
| void | SCSigRegisterSignatureOrderingTests (void) |
Detailed Description
Signature ordering part of the detection engine.
Definition in file detect-engine-sigorder.c.
Macro Definition Documentation
◆ DETECT_FLOWBITS_NOT_USED
| #define DETECT_FLOWBITS_NOT_USED 1 |
Definition at line 55 of file detect-engine-sigorder.c.
◆ DETECT_FLOWBITS_TYPE_READ
| #define DETECT_FLOWBITS_TYPE_READ 2 |
Definition at line 56 of file detect-engine-sigorder.c.
◆ DETECT_FLOWBITS_TYPE_SET
| #define DETECT_FLOWBITS_TYPE_SET 4 |
Definition at line 58 of file detect-engine-sigorder.c.
◆ DETECT_FLOWBITS_TYPE_SET_READ
| #define DETECT_FLOWBITS_TYPE_SET_READ 3 |
Definition at line 57 of file detect-engine-sigorder.c.
◆ DETECT_FLOWINT_NOT_USED
| #define DETECT_FLOWINT_NOT_USED 1 |
Definition at line 60 of file detect-engine-sigorder.c.
◆ DETECT_FLOWINT_TYPE_READ
| #define DETECT_FLOWINT_TYPE_READ 2 |
Definition at line 61 of file detect-engine-sigorder.c.
◆ DETECT_FLOWINT_TYPE_SET
| #define DETECT_FLOWINT_TYPE_SET 4 |
Definition at line 63 of file detect-engine-sigorder.c.
◆ DETECT_FLOWINT_TYPE_SET_READ
| #define DETECT_FLOWINT_TYPE_SET_READ 3 |
Definition at line 62 of file detect-engine-sigorder.c.
◆ DETECT_FLOWVAR_NOT_USED
| #define DETECT_FLOWVAR_NOT_USED 1 |
Definition at line 45 of file detect-engine-sigorder.c.
◆ DETECT_FLOWVAR_TYPE_READ
| #define DETECT_FLOWVAR_TYPE_READ 2 |
Definition at line 46 of file detect-engine-sigorder.c.
◆ DETECT_FLOWVAR_TYPE_SET
| #define DETECT_FLOWVAR_TYPE_SET 4 |
Definition at line 48 of file detect-engine-sigorder.c.
◆ DETECT_FLOWVAR_TYPE_SET_READ
| #define DETECT_FLOWVAR_TYPE_SET_READ 3 |
Definition at line 47 of file detect-engine-sigorder.c.
◆ DETECT_PKTVAR_NOT_USED
| #define DETECT_PKTVAR_NOT_USED 1 |
Definition at line 50 of file detect-engine-sigorder.c.
◆ DETECT_PKTVAR_TYPE_READ
| #define DETECT_PKTVAR_TYPE_READ 2 |
Definition at line 51 of file detect-engine-sigorder.c.
◆ DETECT_PKTVAR_TYPE_SET
| #define DETECT_PKTVAR_TYPE_SET 4 |
Definition at line 53 of file detect-engine-sigorder.c.
◆ DETECT_PKTVAR_TYPE_SET_READ
| #define DETECT_PKTVAR_TYPE_SET_READ 3 |
Definition at line 52 of file detect-engine-sigorder.c.
◆ DETECT_XBITS_NOT_USED
| #define DETECT_XBITS_NOT_USED 1 |
Definition at line 65 of file detect-engine-sigorder.c.
◆ DETECT_XBITS_TYPE_READ
| #define DETECT_XBITS_TYPE_READ 2 |
Definition at line 66 of file detect-engine-sigorder.c.
◆ DETECT_XBITS_TYPE_SET
| #define DETECT_XBITS_TYPE_SET 4 |
Definition at line 68 of file detect-engine-sigorder.c.
◆ DETECT_XBITS_TYPE_SET_READ
| #define DETECT_XBITS_TYPE_SET_READ 3 |
Definition at line 67 of file detect-engine-sigorder.c.
Typedef Documentation
◆ SCSigOrderFunc
| typedef struct SCSigOrderFunc_ SCSigOrderFunc |
Structure holding the signature ordering function used by the signature ordering module.
◆ SCSigSignatureWrapper
| typedef struct SCSigSignatureWrapper_ SCSigSignatureWrapper |
Signature wrapper used by signature ordering module while ordering signatures.
Enumeration Type Documentation
◆ DetectSigorderUserDataType
Different kinds of helper data that can be used by the signature ordering module. Used by the "user" field in SCSigSignatureWrapper.
| Enumerator | |
|---|---|
| DETECT_SIGORDER_FLOWBITS | |
| DETECT_SIGORDER_FLOWVAR | |
| DETECT_SIGORDER_PKTVAR | |
| DETECT_SIGORDER_FLOWINT | |
| DETECT_SIGORDER_HOSTBITS | |
| DETECT_SIGORDER_IPPAIRBITS | |
| DETECT_SIGORDER_MAX | |
Definition at line 73 of file detect-engine-sigorder.c.
Function Documentation
◆ DetectEngineAppendSig()
| Signature* DetectEngineAppendSig | ( | DetectEngineCtx * | de_ctx, |
| const char * | sigstr | ||
| ) |
Parse and append a Signature into the Detection Engine Context signature list.
If the signature is bidirectional it should append two signatures (with the addresses switched) into the list. Also handle duplicate signatures. In case of duplicate sigs, use the ones that have the latest revision. We use the sid and the msg to identify duplicate sigs. If 2 sigs have the same sid and gid, they are duplicates.
- Parameters
-
de_ctx Pointer to the Detection Engine Context. sigstr Pointer to a character string containing the signature to be parsed. sig_file Pointer to a character string containing the filename from which signature is read lineno Line number from where signature is read
- Return values
-
Pointer to the head Signature in the detection engine ctx sig_list on success; NULL on failure.
In DetectEngineAppendSig(), the signatures are prepended and we always return the first one so if the signature is bidirectional, the returned sig will point through "next" ptr to the cloned signatures with the switched addresses
Definition at line 3437 of file detect-parse.c.
Referenced by UTHAppendSigs(), and UTHParseSignature().
◆ DetectEngineCtxFree()
| void DetectEngineCtxFree | ( | DetectEngineCtx * | de_ctx | ) |
Free a DetectEngineCtx::
- Parameters
-
de_ctx DetectEngineCtx:: to be freed
Definition at line 2641 of file detect-engine.c.
Referenced by LLVMFuzzerTestOneInput(), UTHGenericTest(), UTHPacketMatchSig(), UTHPacketMatchSigMpm(), and UTHParseSignature().
◆ DetectEngineCtxInit()
| DetectEngineCtx* DetectEngineCtxInit | ( | void | ) |
Definition at line 2602 of file detect-engine.c.
Referenced by LLVMFuzzerTestOneInput(), UTHGenericTest(), UTHPacketMatchSig(), UTHPacketMatchSigMpm(), and UTHParseSignature().
◆ SCSigOrderSignatures()
| void SCSigOrderSignatures | ( | DetectEngineCtx * | de_ctx | ) |
Orders the signatures.
- Parameters
-
de_ctx Pointer to the Detection Engine Context that holds the signatures to be ordered
Definition at line 804 of file detect-engine-sigorder.c.
References de_ctx, SCLogDebug, and DetectEngineCtx_::sig_list.
Referenced by UTHMatchPackets().
◆ SCSigRegisterSignatureOrderingFuncs()
| void SCSigRegisterSignatureOrderingFuncs | ( | DetectEngineCtx * | de_ctx | ) |
Lets you register the Signature ordering functions. The order in which the functions are registered shows the priority. The first function registered provides more priority than the function registered after it. To add a new registration function, register it by listing it in the correct position in the below sequence, based on the priority you would want to offer to that keyword.
- Parameters
-
de_ctx Pointer to the detection engine context from which the signatures have to be ordered.
Definition at line 919 of file detect-engine-sigorder.c.
References SCLogDebug.
Referenced by UTHMatchPackets().
◆ SCSigRegisterSignatureOrderingTests()
| void SCSigRegisterSignatureOrderingTests | ( | void | ) |
Definition at line 2087 of file detect-engine-sigorder.c.
References UtRegisterTest().
◆ SCSigSignatureOrderingModuleCleanup()
| void SCSigSignatureOrderingModuleCleanup | ( | DetectEngineCtx * | de_ctx | ) |
De-registers all the signature ordering functions registered.
- Parameters
-
de_ctx Pointer to the detection engine context from which the signatures were ordered.
Definition at line 939 of file detect-engine-sigorder.c.
References de_ctx, SCSigOrderFunc_::next, DetectEngineCtx_::sc_sig_order_funcs, and SCFree.
Referenced by DetectEngineCtxFree(), and UTHMatchPackets().
◆ SigFree()
| void SigFree | ( | DetectEngineCtx * | , |
| Signature * | |||
| ) |
Definition at line 2057 of file detect-parse.c.
Referenced by LLVMFuzzerTestOneInput(), and SigCleanSignatures().
