#include "suricata-common.h"
#include "detect-engine.h"
#include "util-hash.h"
#include "util-atomic.h"
#include "util-time.h"
#include "util-hashlist.h"
#include "detect-engine-tag.h"
#include "detect-engine-build.h"
#include "detect-tag.h"
#include "host.h"
#include "host-storage.h"
#include "flow-storage.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "flow-util.h"
#include "stream-tcp-private.h"

Include dependency graph for detect-engine-tag.c:

Functions
	SC_ATOMIC_DECLARE (unsigned int, num_tags)

void	TagInitCtx (void)

void	TagDestroyCtx (void)
	Destroy tag context hash tables. More...

int	TagHostHasTag (Host *host)

int	TagFlowAdd (Packet p, DetectTagDataEntry tde)
	This function is used to add a tag to a session (type session) or update it if it's already installed. The number of times to allow an update is limited by DETECT_TAG_MATCH_LIMIT. This way repetitive matches to the same rule are limited of setting tags, to avoid DOS attacks. More...

int	TagHashAddTag (DetectTagDataEntry tde, Packet p)
	Add a tag entry for a host. If it already exist, update it. More...

void	TagHandlePacket (DetectEngineCtx de_ctx, DetectEngineThreadCtx det_ctx, Packet *p)
	Search tags for src and dst. Update entries of the tag, remove if necessary. More...

int	TagTimeoutCheck (Host *host, SCTime_t ts)
	Removes the entries exceeding the max timeout value. More...

void	DetectEngineTagRegisterTests (void)
	this function registers unit tests for DetectTag More...

Detailed Description

Author: Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t; Pablo Rincon Crespo pablo.nosp@m..rin.nosp@m.con.c.nosp@m.resp.nosp@m.o@gma.nosp@m.il.c.nosp@m.om

Implements a global context to store data related to hosts flagged tag keyword

Definition in file detect-engine-tag.c.

Function Documentation

◆ DetectEngineTagRegisterTests()

void DetectEngineTagRegisterTests ( void )

this function registers unit tests for DetectTag

Definition at line 1390 of file detect-engine-tag.c.

References UtRegisterTest().

Here is the call graph for this function:

◆ SC_ATOMIC_DECLARE()

SC_ATOMIC_DECLARE	(	unsigned int	,
		num_tags
	)

Atomic counter, to know if we have tagged hosts/sessions, to avoid locking

◆ TagDestroyCtx()

void TagDestroyCtx ( void )

Destroy tag context hash tables.

Parameters

tag_ctx Tag Context

Definition at line 72 of file detect-engine-tag.c.

References BUG_ON, and SC_ATOMIC_GET.

Referenced by GlobalsDestroy().

Here is the caller graph for this function:

◆ TagFlowAdd()

int TagFlowAdd	(	Packet *	p,
		DetectTagDataEntry *	tde
	)

This function is used to add a tag to a session (type session) or update it if it's already installed. The number of times to allow an update is limited by DETECT_TAG_MATCH_LIMIT. This way repetitive matches to the same rule are limited of setting tags, to avoid DOS attacks.

Parameters

p	pointer to the current packet
tde	pointer to the new DetectTagDataEntry

Return values

0	if the tde was added successfully
1	if an entry of this sid/gid already exist and was updated

Definition at line 115 of file detect-engine-tag.c.

References Packet_::flow, and FlowGetStorageById().

Here is the call graph for this function:

◆ TagHandlePacket()

void TagHandlePacket	(	DetectEngineCtx *	de_ctx,
		DetectEngineThreadCtx *	det_ctx,
		Packet *	p
	)

Search tags for src and dst. Update entries of the tag, remove if necessary.

Parameters

de_ctx	Detect context
det_ctx	Detect thread context
p	packet

Definition at line 515 of file detect-engine-tag.c.

References Packet_::flow, SC_ATOMIC_GET, SCEnter, and SCReturn.

◆ TagHashAddTag()

int TagHashAddTag	(	DetectTagDataEntry *	tde,
		Packet *	p
	)

Add a tag entry for a host. If it already exist, update it.

Parameters

tag_ctx	Tag context for hosts
tde	Tag data
p	packet

Return values

0	if it was added, 1 if it was updated

Definition at line 172 of file detect-engine-tag.c.

References Packet_::dst, DetectTagDataEntry_::flags, HostGetHostFromHash(), HostGetStorageById(), SCEnter, SCLogDebug, Packet_::src, tag, TAG_ENTRY_FLAG_DIR_DST, and TAG_ENTRY_FLAG_DIR_SRC.

Here is the call graph for this function:

◆ TagHostHasTag()

int TagHostHasTag ( Host * host )

Definition at line 79 of file detect-engine-tag.c.

References HostGetStorageById().

Here is the call graph for this function:

◆ TagInitCtx()

void TagInitCtx ( void )

Definition at line 52 of file detect-engine-tag.c.

References SC_ATOMIC_INIT.

Referenced by RunUnittests().

Here is the caller graph for this function:

◆ TagTimeoutCheck()

int TagTimeoutCheck	(	Host *	host,
		SCTime_t	ts
	)

Removes the entries exceeding the max timeout value.

Parameters

tag_ctx	Tag context
ts	the current time

Return values

1	no tags or tags removed – host is free to go (from tag perspective)
0	still active tags

Definition at line 558 of file detect-engine-tag.c.

References HostGetStorageById().

Here is the call graph for this function:

Functions

Detailed Description

Function Documentation

◆ DetectEngineTagRegisterTests()

◆ SC_ATOMIC_DECLARE()

◆ TagDestroyCtx()

◆ TagFlowAdd()

◆ TagHandlePacket()

◆ TagHashAddTag()

◆ TagHostHasTag()

◆ TagInitCtx()

◆ TagTimeoutCheck()