detect-engine-sigorder.c File Reference
#include "suricata-common.h"
#include "detect.h"
#include "detect-xbits.h"
#include "detect-flowbits.h"
#include "detect-flowint.h"
#include "detect-parse.h"
#include "detect-engine-sigorder.h"
#include "detect-pcre.h"
#include "detect-engine-build.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-debug.h"
#include "util-action.h"
#include "action-globals.h"
#include "flow-util.h"
#include "util-validate.h"


Data Structures

struct  SCSigSignatureWrapper_
 Signature wrapper used by the signature ordering module while ordering signatures. More...
 
struct  SCSigOrderFunc_
 Structure holding the signature ordering function used by the signature ordering module. More...
 

Macros

#define DETECT_FLOWVAR_NOT_USED   1
 
#define DETECT_FLOWVAR_TYPE_READ   2
 
#define DETECT_FLOWVAR_TYPE_SET_READ   3
 
#define DETECT_FLOWVAR_TYPE_SET   4
 
#define DETECT_PKTVAR_NOT_USED   1
 
#define DETECT_PKTVAR_TYPE_READ   2
 
#define DETECT_PKTVAR_TYPE_SET_READ   3
 
#define DETECT_PKTVAR_TYPE_SET   4
 
#define DETECT_FLOWBITS_NOT_USED   1
 
#define DETECT_FLOWBITS_TYPE_READ   2
 
#define DETECT_FLOWBITS_TYPE_SET_READ   3
 
#define DETECT_FLOWBITS_TYPE_SET   4
 
#define DETECT_FLOWINT_NOT_USED   1
 
#define DETECT_FLOWINT_TYPE_READ   2
 
#define DETECT_FLOWINT_TYPE_SET_READ   3
 
#define DETECT_FLOWINT_TYPE_SET   4
 
#define DETECT_XBITS_NOT_USED   1
 
#define DETECT_XBITS_TYPE_READ   2
 
#define DETECT_XBITS_TYPE_SET_READ   3
 
#define DETECT_XBITS_TYPE_SET   4
 

Typedefs

typedef struct SCSigSignatureWrapper_ SCSigSignatureWrapper
 Signature wrapper used by the signature ordering module while ordering signatures. More...
 
typedef struct SCSigOrderFunc_ SCSigOrderFunc
 Structure holding the signature ordering function used by the signature ordering module. More...
 

Enumerations

enum  DetectSigorderUserDataType {
  DETECT_SIGORDER_FLOWBITS, DETECT_SIGORDER_FLOWVAR, DETECT_SIGORDER_PKTVAR, DETECT_SIGORDER_FLOWINT,
  DETECT_SIGORDER_HOSTBITS, DETECT_SIGORDER_IPPAIRBITS, DETECT_SIGORDER_MAX
}
 Different kinds of helper data that can be used by the signature ordering module. Used by the "user" field in SCSigSignatureWrapper. More...
 

Functions

void SCSigOrderSignatures (DetectEngineCtx *de_ctx)
 Orders the signatures. More...
 
void SCSigRegisterSignatureOrderingFuncs (DetectEngineCtx *de_ctx)
 Lets you register the Signature ordering functions. The order in which the functions are registered determines their priority: the first function registered has higher priority than any function registered after it. To add a new registration function, list it in the correct position in the sequence below, according to the priority you want to give that keyword. More...
 
void SCSigSignatureOrderingModuleCleanup (DetectEngineCtx *de_ctx)
 De-registers all the signature ordering functions registered. More...
 
DetectEngineCtx * DetectEngineCtxInit (void)
 
Signature * DetectEngineAppendSig (DetectEngineCtx *, const char *)
 Parse and append a Signature into the Detection Engine Context signature list. More...
 
void SigFree (DetectEngineCtx *, Signature *)
 
void DetectEngineCtxFree (DetectEngineCtx *)
 Free a DetectEngineCtx:: More...
 
void SCSigRegisterSignatureOrderingTests (void)
 

Detailed Description

Author
Anoop Saldanha anoop.nosp@m.sald.nosp@m.anha@.nosp@m.gmai.nosp@m.l.com

Signature ordering part of the detection engine.

Definition in file detect-engine-sigorder.c.

Macro Definition Documentation

◆ DETECT_FLOWBITS_NOT_USED

#define DETECT_FLOWBITS_NOT_USED   1

Definition at line 55 of file detect-engine-sigorder.c.

◆ DETECT_FLOWBITS_TYPE_READ

#define DETECT_FLOWBITS_TYPE_READ   2

Definition at line 56 of file detect-engine-sigorder.c.

◆ DETECT_FLOWBITS_TYPE_SET

#define DETECT_FLOWBITS_TYPE_SET   4

Definition at line 58 of file detect-engine-sigorder.c.

◆ DETECT_FLOWBITS_TYPE_SET_READ

#define DETECT_FLOWBITS_TYPE_SET_READ   3

Definition at line 57 of file detect-engine-sigorder.c.

◆ DETECT_FLOWINT_NOT_USED

#define DETECT_FLOWINT_NOT_USED   1

Definition at line 60 of file detect-engine-sigorder.c.

◆ DETECT_FLOWINT_TYPE_READ

#define DETECT_FLOWINT_TYPE_READ   2

Definition at line 61 of file detect-engine-sigorder.c.

◆ DETECT_FLOWINT_TYPE_SET

#define DETECT_FLOWINT_TYPE_SET   4

Definition at line 63 of file detect-engine-sigorder.c.

◆ DETECT_FLOWINT_TYPE_SET_READ

#define DETECT_FLOWINT_TYPE_SET_READ   3

Definition at line 62 of file detect-engine-sigorder.c.

◆ DETECT_FLOWVAR_NOT_USED

#define DETECT_FLOWVAR_NOT_USED   1

Definition at line 45 of file detect-engine-sigorder.c.

◆ DETECT_FLOWVAR_TYPE_READ

#define DETECT_FLOWVAR_TYPE_READ   2

Definition at line 46 of file detect-engine-sigorder.c.

◆ DETECT_FLOWVAR_TYPE_SET

#define DETECT_FLOWVAR_TYPE_SET   4

Definition at line 48 of file detect-engine-sigorder.c.

◆ DETECT_FLOWVAR_TYPE_SET_READ

#define DETECT_FLOWVAR_TYPE_SET_READ   3

Definition at line 47 of file detect-engine-sigorder.c.

◆ DETECT_PKTVAR_NOT_USED

#define DETECT_PKTVAR_NOT_USED   1

Definition at line 50 of file detect-engine-sigorder.c.

◆ DETECT_PKTVAR_TYPE_READ

#define DETECT_PKTVAR_TYPE_READ   2

Definition at line 51 of file detect-engine-sigorder.c.

◆ DETECT_PKTVAR_TYPE_SET

#define DETECT_PKTVAR_TYPE_SET   4

Definition at line 53 of file detect-engine-sigorder.c.

◆ DETECT_PKTVAR_TYPE_SET_READ

#define DETECT_PKTVAR_TYPE_SET_READ   3

Definition at line 52 of file detect-engine-sigorder.c.

◆ DETECT_XBITS_NOT_USED

#define DETECT_XBITS_NOT_USED   1

Definition at line 65 of file detect-engine-sigorder.c.

◆ DETECT_XBITS_TYPE_READ

#define DETECT_XBITS_TYPE_READ   2

Definition at line 66 of file detect-engine-sigorder.c.

◆ DETECT_XBITS_TYPE_SET

#define DETECT_XBITS_TYPE_SET   4

Definition at line 68 of file detect-engine-sigorder.c.

◆ DETECT_XBITS_TYPE_SET_READ

#define DETECT_XBITS_TYPE_SET_READ   3

Definition at line 67 of file detect-engine-sigorder.c.

Typedef Documentation

◆ SCSigOrderFunc

Structure holding the signature ordering function used by the signature ordering module.

◆ SCSigSignatureWrapper

Signature wrapper used by signature ordering module while ordering signatures.

Enumeration Type Documentation

◆ DetectSigorderUserDataType

Different kinds of helper data that can be used by the signature ordering module. Used by the "user" field in SCSigSignatureWrapper.

Enumerator
DETECT_SIGORDER_FLOWBITS 
DETECT_SIGORDER_FLOWVAR 
DETECT_SIGORDER_PKTVAR 
DETECT_SIGORDER_FLOWINT 
DETECT_SIGORDER_HOSTBITS 
DETECT_SIGORDER_IPPAIRBITS 
DETECT_SIGORDER_MAX 

Definition at line 73 of file detect-engine-sigorder.c.

Function Documentation

◆ DetectEngineAppendSig()

Signature* DetectEngineAppendSig ( DetectEngineCtx *de_ctx,
const char *  sigstr 
)

Parse and append a Signature into the Detection Engine Context signature list.

If the signature is bidirectional it should append two signatures (with the addresses switched) into the list. Also handle duplicate signatures. In case of duplicate sigs, use the ones that have the latest revision. We use the sid and the msg to identify duplicate sigs. If 2 sigs have the same sid and gid, they are duplicates.

Parameters
de_ctx — Pointer to the Detection Engine Context.
sigstr — Pointer to a character string containing the signature to be parsed.
sig_file — Pointer to a character string containing the filename from which the signature is read.
lineno — Line number from which the signature is read.
Return values
Pointer to the head Signature in the detection engine ctx sig_list on success; NULL on failure.

In DetectEngineAppendSig(), the signatures are prepended and we always return the first one, so if the signature is bidirectional, the returned sig will point through its "next" ptr to the cloned signature with the switched addresses.

Definition at line 2616 of file detect-parse.c.

Referenced by UTHAppendSigs(), and UTHParseSignature().


◆ DetectEngineCtxFree()

void DetectEngineCtxFree ( DetectEngineCtx *de_ctx)

Free a DetectEngineCtx::

Parameters
de_ctx — DetectEngineCtx:: to be freed

Definition at line 2623 of file detect-engine.c.

Referenced by LLVMFuzzerTestOneInput(), UTHGenericTest(), UTHPacketMatchSig(), UTHPacketMatchSigMpm(), and UTHParseSignature().


◆ DetectEngineCtxInit()

DetectEngineCtx* DetectEngineCtxInit ( void  )

Definition at line 2584 of file detect-engine.c.

Referenced by LLVMFuzzerTestOneInput(), UTHGenericTest(), UTHPacketMatchSig(), UTHPacketMatchSigMpm(), and UTHParseSignature().


◆ SCSigOrderSignatures()

void SCSigOrderSignatures ( DetectEngineCtx *de_ctx)

Orders the signatures.

Parameters
de_ctx — Pointer to the Detection Engine Context that holds the signatures to be ordered.

Definition at line 760 of file detect-engine-sigorder.c.

References de_ctx, SCLogDebug, and DetectEngineCtx_::sig_list.

Referenced by UTHMatchPackets().


◆ SCSigRegisterSignatureOrderingFuncs()

void SCSigRegisterSignatureOrderingFuncs ( DetectEngineCtx *de_ctx)

Lets you register the Signature ordering functions. The order in which the functions are registered determines their priority: the first function registered has higher priority than any function registered after it. To add a new registration function, list it in the correct position in the sequence below, according to the priority you want to give that keyword.

Parameters
de_ctx — Pointer to the detection engine context whose signatures have to be ordered.

Definition at line 832 of file detect-engine-sigorder.c.

References SCLogDebug.

Referenced by UTHMatchPackets().


◆ SCSigRegisterSignatureOrderingTests()

void SCSigRegisterSignatureOrderingTests ( void  )

Definition at line 2000 of file detect-engine-sigorder.c.

References UtRegisterTest().


◆ SCSigSignatureOrderingModuleCleanup()

void SCSigSignatureOrderingModuleCleanup ( DetectEngineCtx *de_ctx)

De-registers all the signature ordering functions registered.

Parameters
de_ctx — Pointer to the detection engine context from which the signatures were ordered.

Definition at line 852 of file detect-engine-sigorder.c.

References de_ctx, SCSigOrderFunc_::next, DetectEngineCtx_::sc_sig_order_funcs, and SCFree.

Referenced by DetectEngineCtxFree(), and UTHMatchPackets().


◆ SigFree()

void SigFree ( DetectEngineCtx *,
Signature *
)

Definition at line 1655 of file detect-parse.c.

Referenced by LLVMFuzzerTestOneInput(), and SigCleanSignatures().
