|
suricata
|
|
suricata
|
#include "suricata-common.h"#include "detect.h"#include "detect-xbits.h"#include "detect-flowbits.h"#include "detect-flowint.h"#include "detect-parse.h"#include "detect-engine-sigorder.h"#include "detect-pcre.h"#include "util-unittest.h"#include "util-unittest-helper.h"#include "util-debug.h"#include "util-action.h"#include "action-globals.h"#include "flow-util.h"
Go to the source code of this file.
Macros | |
| #define | DETECT_FLOWVAR_NOT_USED 1 |
| #define | DETECT_FLOWVAR_TYPE_READ 2 |
| #define | DETECT_FLOWVAR_TYPE_SET_READ 3 |
| #define | DETECT_FLOWVAR_TYPE_SET 4 |
| #define | DETECT_PKTVAR_NOT_USED 1 |
| #define | DETECT_PKTVAR_TYPE_READ 2 |
| #define | DETECT_PKTVAR_TYPE_SET_READ 3 |
| #define | DETECT_PKTVAR_TYPE_SET 4 |
| #define | DETECT_FLOWBITS_NOT_USED 1 |
| #define | DETECT_FLOWBITS_TYPE_READ 2 |
| #define | DETECT_FLOWBITS_TYPE_SET_READ 3 |
| #define | DETECT_FLOWBITS_TYPE_SET 4 |
| #define | DETECT_FLOWINT_NOT_USED 1 |
| #define | DETECT_FLOWINT_TYPE_READ 2 |
| #define | DETECT_FLOWINT_TYPE_SET_READ 3 |
| #define | DETECT_FLOWINT_TYPE_SET 4 |
| #define | DETECT_XBITS_NOT_USED 1 |
| #define | DETECT_XBITS_TYPE_READ 2 |
| #define | DETECT_XBITS_TYPE_SET_READ 3 |
| #define | DETECT_XBITS_TYPE_SET 4 |
Functions | |
| void | SCSigOrderSignatures (DetectEngineCtx *de_ctx) |
| Orders the signatures. More... | |
| void | SCSigRegisterSignatureOrderingFuncs (DetectEngineCtx *de_ctx) |
| Lets you register the Signature ordering functions. The order in which the functions are registered, show the priority. The first function registered provides more priority than the function registered after it. To add a new registration function, register it by listing it in the correct position in the below sequence, based on the priority you would want to offer to that keyword. More... | |
| void | SCSigSignatureOrderingModuleCleanup (DetectEngineCtx *de_ctx) |
| De-registers all the signature ordering functions registered. More... | |
| DetectEngineCtx * | DetectEngineCtxInit (void) |
| Signature * | SigInit (DetectEngineCtx *, const char *) |
| Parses a signature and adds it to the Detection Engine Context. More... | |
| void | SigFree (Signature *) |
| void | DetectEngineCtxFree (DetectEngineCtx *) |
| Free a DetectEngineCtx:: More... | |
| void | SCSigRegisterSignatureOrderingTests (void) |
Signature ordering part of the detection engine.
Definition in file detect-engine-sigorder.c.
| #define DETECT_FLOWBITS_NOT_USED 1 |
Definition at line 52 of file detect-engine-sigorder.c.
| #define DETECT_FLOWBITS_TYPE_READ 2 |
Definition at line 53 of file detect-engine-sigorder.c.
| #define DETECT_FLOWBITS_TYPE_SET 4 |
Definition at line 55 of file detect-engine-sigorder.c.
| #define DETECT_FLOWBITS_TYPE_SET_READ 3 |
Definition at line 54 of file detect-engine-sigorder.c.
| #define DETECT_FLOWINT_NOT_USED 1 |
Definition at line 57 of file detect-engine-sigorder.c.
| #define DETECT_FLOWINT_TYPE_READ 2 |
Definition at line 58 of file detect-engine-sigorder.c.
| #define DETECT_FLOWINT_TYPE_SET 4 |
Definition at line 60 of file detect-engine-sigorder.c.
| #define DETECT_FLOWINT_TYPE_SET_READ 3 |
Definition at line 59 of file detect-engine-sigorder.c.
| #define DETECT_FLOWVAR_NOT_USED 1 |
Definition at line 42 of file detect-engine-sigorder.c.
| #define DETECT_FLOWVAR_TYPE_READ 2 |
Definition at line 43 of file detect-engine-sigorder.c.
| #define DETECT_FLOWVAR_TYPE_SET 4 |
Definition at line 45 of file detect-engine-sigorder.c.
| #define DETECT_FLOWVAR_TYPE_SET_READ 3 |
Definition at line 44 of file detect-engine-sigorder.c.
| #define DETECT_PKTVAR_NOT_USED 1 |
Definition at line 47 of file detect-engine-sigorder.c.
| #define DETECT_PKTVAR_TYPE_READ 2 |
Definition at line 48 of file detect-engine-sigorder.c.
| #define DETECT_PKTVAR_TYPE_SET 4 |
Definition at line 50 of file detect-engine-sigorder.c.
| #define DETECT_PKTVAR_TYPE_SET_READ 3 |
Definition at line 49 of file detect-engine-sigorder.c.
| #define DETECT_XBITS_NOT_USED 1 |
Definition at line 62 of file detect-engine-sigorder.c.
| #define DETECT_XBITS_TYPE_READ 2 |
Definition at line 63 of file detect-engine-sigorder.c.
| #define DETECT_XBITS_TYPE_SET 4 |
Definition at line 65 of file detect-engine-sigorder.c.
| #define DETECT_XBITS_TYPE_SET_READ 3 |
Definition at line 64 of file detect-engine-sigorder.c.
| void DetectEngineCtxFree | ( | DetectEngineCtx * | de_ctx | ) |
Free a DetectEngineCtx::
| de_ctx | DetectEngineCtx:: to be freed |
Definition at line 1685 of file detect-engine.c.
Referenced by ActionInitConfig(), AlertFastLogInitCtx(), DetectAckRegister(), DetectAppLayerProtocolRegister(), DetectBase64DataDoMatch(), DetectBase64DecodeDoMatch(), DetectByteExtractRetrieveSMVar(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectCipServiceRegister(), DetectClasstypeRegister(), DetectDceGetState(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDistanceRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectEnipCommandRegister(), DetectFastPatternRegister(), DetectFilesizeRegister(), DetectFilestorePostMatch(), DetectFlowbitsAnalyze(), DetectFlowFree(), DetectFlowintFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectFtpdataRegister(), DetectGeoipRegister(), DetectGidRegister(), DetectHostbitFree(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectIsdataatFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectMetadataHashFree(), DetectModbusRegister(), DetectMsgRegister(), DetectPcrePayloadMatch(), DetectPktDataRegister(), DetectPriorityRegister(), DetectProtoContainsProto(), DetectReferenceFree(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSeqRegister(), DetectSetupParseRegexes(), DetectSidRegister(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslStateRegister(), DetectSslVersionRegister(), DetectTargetRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3StringRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), DetectTlsSubjectRegister(), DetectTlsValidityRegister(), DetectTlsVersionRegister(), DetectTransformCompressWhitespaceRegister(), DetectTransformStripWhitespaceRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), DetectWithinRegister(), DetectXbitFree(), IPOnlyAddSignature(), MpmACRegister(), MpmACTileRegister(), RegisterModbusParsers(), SCACBSPrintInfo(), SCClassConfGenerateInValidDummyClassConfigFD03(), SCRConfGenerateInValidDummyReferenceConfigFD03(), SCRuleVarsGetConfVar(), SCSigSignatureOrderingModuleCleanup(), SCThresholdConfParseFile(), SigGroupHeadContainsSigId(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), SRepDestroy(), TagTimeoutCheck(), UTHGenericTest(), UTHPacketMatchSig(), UTHPacketMatchSigMpm(), and UTHParseSignature().
| DetectEngineCtx* DetectEngineCtxInit | ( | void | ) |
Definition at line 1640 of file detect-engine.c.
Referenced by ActionInitConfig(), AlertFastLogInitCtx(), DetectAckRegister(), DetectAppLayerProtocolRegister(), DetectBase64DataDoMatch(), DetectBase64DecodeDoMatch(), DetectBypassRegister(), DetectByteExtractRetrieveSMVar(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectCipServiceRegister(), DetectClasstypeRegister(), DetectDceGetState(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDistanceRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectEnipCommandRegister(), DetectFastPatternRegister(), DetectFilesizeRegister(), DetectFilestorePostMatch(), DetectFlowbitsAnalyze(), DetectFlowFree(), DetectFlowintFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectFtpdataRegister(), DetectGeoipRegister(), DetectGidRegister(), DetectHostbitFree(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectIsdataatFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectMetadataHashFree(), DetectModbusRegister(), DetectMsgRegister(), DetectPcrePayloadMatch(), DetectPktDataRegister(), DetectPortHashFree(), DetectPriorityRegister(), DetectProtoContainsProto(), DetectReferenceFree(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSeqRegister(), DetectSetupParseRegexes(), DetectSidRegister(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslStateRegister(), DetectSslVersionRegister(), DetectTargetRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3StringRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), DetectTlsSubjectRegister(), DetectTlsValidityRegister(), DetectTlsVersionRegister(), DetectTransformCompressWhitespaceRegister(), DetectTransformStripWhitespaceRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), DetectWithinRegister(), DetectXbitFree(), IPOnlyAddSignature(), MpmACRegister(), MpmACTileRegister(), PostRunDeinit(), RegisterModbusParsers(), SCACBSPrintInfo(), SCClassConfGenerateInValidDummyClassConfigFD03(), SCRConfGenerateInValidDummyReferenceConfigFD03(), SCRuleVarsGetConfVar(), SCSigSignatureOrderingModuleCleanup(), SCThresholdConfParseFile(), SigGroupHeadContainsSigId(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), SRepDestroy(), TagTimeoutCheck(), UTHGenericTest(), UTHPacketMatchSig(), UTHPacketMatchSigMpm(), and UTHParseSignature().
| void SCSigOrderSignatures | ( | DetectEngineCtx * | de_ctx | ) |
Orders the signatures.
| de_ctx | Pointer to the Detection Engine Context that holds the signatures to be ordered |
Definition at line 723 of file detect-engine-sigorder.c.
References SCSigSignatureWrapper_::next, Signature_::next, DetectEngineCtx_::sc_sig_order_funcs, SCFree, SCLogDebug, SCSigSignatureWrapper_::sig, and DetectEngineCtx_::sig_list.
Referenced by ActionInitConfig(), DetectBypassRegister(), DetectFlowintFree(), DetectHostbitFree(), DetectPcrePayloadMatch(), SCSigSignatureOrderingModuleCleanup(), SigLoadSignatures(), and UTHMatchPackets().
| void SCSigRegisterSignatureOrderingFuncs | ( | DetectEngineCtx * | de_ctx | ) |
Lets you register the Signature ordering functions. The order in which the functions are registered, show the priority. The first function registered provides more priority than the function registered after it. To add a new registration function, register it by listing it in the correct position in the below sequence, based on the priority you would want to offer to that keyword.
| de_ctx | Pointer to the detection engine context from which the signatures have to be ordered. |
Definition at line 783 of file detect-engine-sigorder.c.
References SCLogDebug.
Referenced by ActionInitConfig(), DetectBypassRegister(), DetectFlowintFree(), DetectHostbitFree(), DetectPcrePayloadMatch(), SigLoadSignatures(), and UTHMatchPackets().
| void SCSigRegisterSignatureOrderingTests | ( | void | ) |
Definition at line 2147 of file detect-engine-sigorder.c.
References UtRegisterTest().
| void SCSigSignatureOrderingModuleCleanup | ( | DetectEngineCtx * | de_ctx | ) |
De-registers all the signature ordering functions registered.
| de_ctx | Pointer to the detection engine context from which the signatures were ordered. |
Definition at line 803 of file detect-engine-sigorder.c.
References ACTION_ALERT, ACTION_DROP, action_order_sigs, ACTION_PASS, ACTION_REJECT, Flow_::alproto, ALPROTO_UNKNOWN, DE_QUIET, DetectEngineAppendSig(), DetectEngineCtxFree(), DetectEngineCtxInit(), FAIL_IF, FAIL_IF_NOT, FAIL_IF_NULL, Flow_::flags, Packet_::flags, DetectEngineCtx_::flags, Packet_::flow, FLOW_INITIALIZE, FLOW_IPV4, FLOW_PKT_ESTABLISHED, FLOW_PKT_TOSERVER, FLOW_QUIET, Packet_::flowflags, FlowInitConfig(), FlowShutdown(), Signature_::id, SCSigOrderFunc_::next, Signature_::next, PASS, PKT_HAS_FLOW, PKT_STREAM_EST, Flow_::proto, DetectEngineCtx_::sc_sig_order_funcs, SCFree, SCSigOrderSignatures(), DetectEngineCtx_::sig_list, SigCleanSignatures(), SigFree(), SigGroupCleanup(), SigInit(), DetectEngineCtx_::signum, UTHAppendSigs(), UTHBuildPacket(), UTHCheckPacketMatchResults(), and UTHMatchPackets().
Referenced by DetectBypassRegister(), DetectEngineCtxFree(), DetectFlowintFree(), DetectHostbitFree(), DetectPcrePayloadMatch(), SigLoadSignatures(), and UTHMatchPackets().
| void SigFree | ( | Signature * | ) |
Definition at line 1291 of file detect-parse.c.
Referenced by DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectDceGetState(), DetectDceOpnumRegister(), DetectFtpbounceRegister(), DetectIPProtoRemoveAllSMs(), DetectIsdataatFree(), DetectMsgRegister(), DetectPcrePayloadMatch(), IPOnlyAddSignature(), SCRuleVarsGetConfVar(), SCSigSignatureOrderingModuleCleanup(), and SigCleanSignatures().
| Signature* SigInit | ( | DetectEngineCtx * | de_ctx, |
| const char * | sigstr | ||
| ) |
Parses a signature and adds it to the Detection Engine Context.
| de_ctx | Pointer to the Detection Engine Context. |
| sigstr | Pointer to a character string containing the signature to be parsed. |
| Pointer | to the Signature instance on success; NULL on failure. |
Definition at line 1910 of file detect-parse.c.
Referenced by AlertFastLogInitCtx(), DetectAckRegister(), DetectBase64DataDoMatch(), DetectBase64DecodeDoMatch(), DetectByteExtractRetrieveSMVar(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectClasstypeRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDistanceRegister(), DetectDNP3Register(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectFastPatternRegister(), DetectFilesizeRegister(), DetectFilestorePostMatch(), DetectFlowbitsAnalyze(), DetectFlowFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectGeoipRegister(), DetectHostbitFree(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectIsdataatFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectModbusRegister(), DetectMsgRegister(), DetectPcrePayloadMatch(), DetectPktDataRegister(), DetectPriorityRegister(), DetectProtoContainsProto(), DetectReferenceFree(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSeqRegister(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslVersionRegister(), DetectThresholdRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsSerialRegister(), DetectTlsSubjectRegister(), DetectTlsVersionRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), IPOnlyAddSignature(), MpmACRegister(), MpmACTileRegister(), SCACBSPrintInfo(), SCRuleVarsGetConfVar(), SCSigSignatureOrderingModuleCleanup(), SigGroupHeadContainsSigId(), SigParseApplyDsizeToContent(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().
1.8.11