suricata
detect-engine-state.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup sigstate
20  *
21  * @{
22  */
23 
24 /**
25  * \file
26  *
27  * \brief Data structures and function prototypes for keeping
28  * state for the detection engine.
29  *
30  * \author Victor Julien <victor@inliniac.net>
31  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
32  */
33 
34 
35 #ifndef __DETECT_ENGINE_STATE_H__
36 #define __DETECT_ENGINE_STATE_H__
37 
38 #define DETECT_ENGINE_INSPECT_SIG_NO_MATCH 0
39 #define DETECT_ENGINE_INSPECT_SIG_MATCH 1
40 #define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH 2
41 /** indicate that the file inspection portion of a sig didn't match.
42  * This is used to handle state keeping as the detect engine is still
43  * only marginally aware of files. */
44 #define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES 3
45 /** hack to work around a file inspection limitation. Since there can be
46  * multiple files in a TX and the detection engine really don't know
47  * about that, we have to give the file inspection engine a way to
48  * indicate that one of the files matched, but that there are still
49  * more files that have ongoing inspection. */
50 #define DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES 4
51 
52 /** number of DeStateStoreItem's in one DeStateStore object */
53 #define DE_STATE_CHUNK_SIZE 15
54 
55 /* per sig flags */
56 #define DE_STATE_FLAG_FULL_INSPECT BIT_U32(0)
57 #define DE_STATE_FLAG_SIG_CANT_MATCH BIT_U32(1)
58 /* flag set if file inspecting sig did not match, but might need to be
59  * re-evaluated for a new file in a tx */
60 #define DE_STATE_ID_FILE_INSPECT 2UL
61 #define DE_STATE_FLAG_FILE_INSPECT BIT_U32(DE_STATE_ID_FILE_INSPECT)
62 
63 /* first bit position after the built-ins */
64 #define DE_STATE_FLAG_BASE 3UL
65 
66 /* state flags
67  *
68  * Used by app-layer-parsers to notify us that new files
69  * are available in the tx.
70  */
71 #define DETECT_ENGINE_STATE_FLAG_FILE_NEW BIT_U8(0)
72 
73 typedef struct DeStateStoreItem_ {
74  uint32_t flags;
77 
78 typedef struct DeStateStore_ {
81 } DeStateStore;
82 
87  uint16_t filestore_cnt;
88  uint8_t flags;
89  /* coccinelle: DetectEngineStateDirection:flags:DETECT_ENGINE_STATE_FLAG_ */
91 
92 typedef struct DetectEngineState_ {
95 
96 // TODO
97 typedef struct DetectTransaction_ {
98  void *tx_ptr;
99  const uint64_t tx_id;
101  const uint64_t detect_flags; /* detect flags get/set from/to applayer */
102  uint64_t prefilter_flags; /* prefilter flags for direction, to be updated by prefilter code */
103  const uint64_t prefilter_flags_orig; /* prefilter flags for direction, before prefilter has run */
104  const int tx_progress;
105  const int tx_end_state;
107 
108 /**
109  * \brief Alloc a DetectEngineState object.
110  *
111  * \retval Alloc'd instance of DetectEngineState.
112  */
114 
115 /**
116  * \brief Frees a DetectEngineState object.
117  *
118  * \param state DetectEngineState instance to free.
119  */
121 
122 /**
123  * \brief Update the inspect id.
124  *
125  * \param f unlocked flow
126  * \param flags direction and disruption flags
127  */
128 void DeStateUpdateInspectTransactionId(Flow *f, const uint8_t flags,
129  const bool tag_txs_as_inspected);
130 
132 
133 void DeStateRegisterTests(void);
134 
135 
137  const SigGroupHead *sgh,
138  Flow *f, void *tx, uint64_t tx_id,
139  const Signature *s,
140  uint32_t inspect_flags, uint8_t flow_flags,
141  const uint16_t file_no_match);
142 
144  const SigGroupHead *sgh,
145  Flow *f, void *tx, uint64_t tx_id,
146  const uint8_t flow_flags,
147  const uint16_t file_no_match);
148 
149 #endif /* __DETECT_ENGINE_STATE_H__ */
150 
151 /**
152  * @}
153  */
DetectEngineStateDirection * de_state
Container for matching data for a signature group.
Definition: detect.h:1336
struct DeStateStore_ DeStateStore
Signature container.
Definition: detect.h:522
void DetectRunStoreStateTx(const SigGroupHead *sgh, Flow *f, void *tx, uint64_t tx_id, const Signature *s, uint32_t inspect_flags, uint8_t flow_flags, const uint16_t file_no_match)
struct DeStateStore_ * next
const uint64_t prefilter_flags_orig
struct DeStateStoreItem_ DeStateStoreItem
void DeStateUpdateInspectTransactionId(Flow *f, const uint8_t flags, const bool tag_txs_as_inspected)
Update the inspect id.
void DetectRunStoreStateTxFileOnly(const SigGroupHead *sgh, Flow *f, void *tx, uint64_t tx_id, const uint8_t flow_flags, const uint16_t file_no_match)
void DetectEngineStateFree(DetectEngineState *state)
Frees a DetectEngineState object.
DetectEngineState * DetectEngineStateAlloc(void)
Alloc a DetectEngineState object.
struct DetectTransaction_ DetectTransaction
const uint64_t detect_flags
void DetectEngineStateResetTxs(Flow *f)
Reset de state for active tx&#39; To be used on detect engine reload.
uint16_t tx_id
void DeStateRegisterTests(void)
struct DetectEngineState_ DetectEngineState
struct DetectEngineStateDirection_ DetectEngineStateDirection
Flow data structure.
Definition: flow.h:325
#define SigIntId
#define DE_STATE_CHUNK_SIZE