suricata
Macros | Functions
detect-engine-tag.h File Reference
#include "host.h"
#include "detect.h"
#include "detect-tag.h"
Include dependency graph for detect-engine-tag.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Macros

#define TAG_MAX_LAST_TIME_SEEN   600
 
#define TAG_TIMEOUT_CHECK_INTERVAL   60
 
#define TAG_SIG_GEN   2
 
#define TAG_SIG_ID   1
 

Functions

int TagHashAddTag (DetectTagDataEntry *, Packet *)
 Add a tag entry for a host. If it already exist, update it. More...
 
int TagFlowAdd (Packet *, DetectTagDataEntry *)
 This function is used to add a tag to a session (type session) or update it if it's already installed. The number of times to allow an update is limited by DETECT_TAG_MATCH_LIMIT. This way repetitive matches to the same rule are limited of setting tags, to avoid DOS attacks. More...
 
void TagContextDestroy (void)
 
void TagHandlePacket (DetectEngineCtx *, DetectEngineThreadCtx *, Packet *)
 Search tags for src and dst. Update entries of the tag, remove if necessary. More...
 
void TagInitCtx (void)
 
void TagDestroyCtx (void)
 Destroy tag context hash tables. More...
 
void TagRestartCtx (void)
 Reset the tagging engine context. More...
 
int TagTimeoutCheck (Host *, SCTime_t)
 Removes the entries exceding the max timeout value. More...
 
int TagHostHasTag (Host *host)
 
void DetectEngineTagRegisterTests (void)
 this function registers unit tests for DetectTag More...
 

Detailed Description

Author
Pablo Rincon Crespo pablo.nosp@m..rin.nosp@m.con.c.nosp@m.resp.nosp@m.o@gma.nosp@m.il.c.nosp@m.om

Implements a global context to store data related to hosts flagged tag keyword

Definition in file detect-engine-tag.h.

Macro Definition Documentation

◆ TAG_MAX_LAST_TIME_SEEN

#define TAG_MAX_LAST_TIME_SEEN   600

Definition at line 38 of file detect-engine-tag.h.

◆ TAG_SIG_GEN

#define TAG_SIG_GEN   2

Definition at line 44 of file detect-engine-tag.h.

◆ TAG_SIG_ID

#define TAG_SIG_ID   1

Definition at line 45 of file detect-engine-tag.h.

◆ TAG_TIMEOUT_CHECK_INTERVAL

#define TAG_TIMEOUT_CHECK_INTERVAL   60

Definition at line 40 of file detect-engine-tag.h.

Function Documentation

◆ DetectEngineTagRegisterTests()

void DetectEngineTagRegisterTests ( void  )

this function registers unit tests for DetectTag

Definition at line 1377 of file detect-engine-tag.c.

References UtRegisterTest().

Here is the call graph for this function:

◆ TagContextDestroy()

void TagContextDestroy ( void  )

◆ TagDestroyCtx()

void TagDestroyCtx ( void  )

Destroy tag context hash tables.

Parameters
tag_ctxTag Context

Definition at line 72 of file detect-engine-tag.c.

References BUG_ON, and SC_ATOMIC_GET.

Referenced by TagRestartCtx().

Here is the caller graph for this function:

◆ TagFlowAdd()

int TagFlowAdd ( Packet p,
DetectTagDataEntry tde 
)

This function is used to add a tag to a session (type session) or update it if it's already installed. The number of times to allow an update is limited by DETECT_TAG_MATCH_LIMIT. This way repetitive matches to the same rule are limited of setting tags, to avoid DOS attacks.

Parameters
ppointer to the current packet
tdepointer to the new DetectTagDataEntry
Return values
0if the tde was added successfully
1if an entry of this sid/gid already exist and was updated

Definition at line 124 of file detect-engine-tag.c.

References Packet_::flow, and FlowGetStorageById().

Here is the call graph for this function:

◆ TagHandlePacket()

void TagHandlePacket ( DetectEngineCtx de_ctx,
DetectEngineThreadCtx det_ctx,
Packet p 
)

Search tags for src and dst. Update entries of the tag, remove if necessary.

Parameters
de_ctxDetect context
det_ctxDetect thread context
ppacket

Definition at line 504 of file detect-engine-tag.c.

References Packet_::flow, SC_ATOMIC_GET, SCEnter, and SCReturn.

◆ TagHashAddTag()

int TagHashAddTag ( DetectTagDataEntry tde,
Packet p 
)

Add a tag entry for a host. If it already exist, update it.

Parameters
tag_ctxTag context for hosts
tdeTag data
ppacket
Return values
0if it was added, 1 if it was updated

Definition at line 181 of file detect-engine-tag.c.

References Packet_::dst, DetectTagDataEntry_::flags, HostGetHostFromHash(), HostGetStorageById(), SCEnter, SCLogDebug, Packet_::src, tag, TAG_ENTRY_FLAG_DIR_DST, and TAG_ENTRY_FLAG_DIR_SRC.

Here is the call graph for this function:

◆ TagHostHasTag()

int TagHostHasTag ( Host host)

Definition at line 87 of file detect-engine-tag.c.

References HostGetStorageById().

Here is the call graph for this function:

◆ TagInitCtx()

void TagInitCtx ( void  )

Definition at line 52 of file detect-engine-tag.c.

References SC_ATOMIC_INIT.

Referenced by RunUnittests(), and TagRestartCtx().

Here is the caller graph for this function:

◆ TagRestartCtx()

void TagRestartCtx ( void  )

Reset the tagging engine context.

Definition at line 81 of file detect-engine-tag.c.

References TagDestroyCtx(), and TagInitCtx().

Here is the call graph for this function:

◆ TagTimeoutCheck()

int TagTimeoutCheck ( Host host,
SCTime_t  ts 
)

Removes the entries exceding the max timeout value.

Parameters
tag_ctxTag context
tsthe current time
Return values
1no tags or tags removed – host is free to go (from tag perspective)
0still active tags

Definition at line 545 of file detect-engine-tag.c.

References HostGetStorageById().

Here is the call graph for this function: