#include "host.h"
#include "detect.h"
#include "detect-tag.h"

Include dependency graph for detect-engine-tag.h:

This graph shows which files directly or indirectly include this file:

Macros
#define	TAG_MAX_LAST_TIME_SEEN 600

#define	TAG_SIG_GEN 2

#define	TAG_SIG_ID 1

Functions
int	TagHashAddTag (DetectTagDataEntry , Packet )
	Add a tag entry for a host. If it already exist, update it. More...

int	TagFlowAdd (Packet , DetectTagDataEntry )
	This function is used to add a tag to a session (type session) or update it if it's already installed. The number of times to allow an update is limited by DETECT_TAG_MATCH_LIMIT. This way repetitive matches to the same rule are limited of setting tags, to avoid DOS attacks. More...

void	TagHandlePacket (DetectEngineCtx , DetectEngineThreadCtx , Packet *)
	Search tags for src and dst. Update entries of the tag, remove if necessary. More...

void	TagInitCtx (void)

void	TagDestroyCtx (void)
	Destroy tag context hash tables. More...

int	TagTimeoutCheck (Host *, SCTime_t)
	Removes the entries exceeding the max timeout value. More...

int	TagHostHasTag (Host *host)

void	DetectEngineTagRegisterTests (void)
	this function registers unit tests for DetectTag More...

Detailed Description

Author: Pablo Rincon Crespo pablo.nosp@m..rin.nosp@m.con.c.nosp@m.resp.nosp@m.o@gma.nosp@m.il.c.nosp@m.om

Implements a global context to store data related to hosts flagged tag keyword

Definition in file detect-engine-tag.h.

Macro Definition Documentation

◆ TAG_MAX_LAST_TIME_SEEN

#define TAG_MAX_LAST_TIME_SEEN 600

Definition at line 38 of file detect-engine-tag.h.

◆ TAG_SIG_GEN

#define TAG_SIG_GEN 2

Definition at line 42 of file detect-engine-tag.h.

◆ TAG_SIG_ID

#define TAG_SIG_ID 1

Definition at line 43 of file detect-engine-tag.h.

Function Documentation

◆ DetectEngineTagRegisterTests()

void DetectEngineTagRegisterTests ( void )

this function registers unit tests for DetectTag

Definition at line 1390 of file detect-engine-tag.c.

References UtRegisterTest().

Here is the call graph for this function:

◆ TagDestroyCtx()

void TagDestroyCtx ( void )

Destroy tag context hash tables.

Parameters

tag_ctx Tag Context

Definition at line 72 of file detect-engine-tag.c.

References BUG_ON, and SC_ATOMIC_GET.

Referenced by GlobalsDestroy().

Here is the caller graph for this function:

◆ TagFlowAdd()

int TagFlowAdd	(	Packet *	p,
		DetectTagDataEntry *	tde
	)

This function is used to add a tag to a session (type session) or update it if it's already installed. The number of times to allow an update is limited by DETECT_TAG_MATCH_LIMIT. This way repetitive matches to the same rule are limited of setting tags, to avoid DOS attacks.

Parameters

p	pointer to the current packet
tde	pointer to the new DetectTagDataEntry

Return values

0	if the tde was added successfully
1	if an entry of this sid/gid already exist and was updated

Definition at line 115 of file detect-engine-tag.c.

References Packet_::flow, and FlowGetStorageById().

Here is the call graph for this function:

◆ TagHandlePacket()

void TagHandlePacket	(	DetectEngineCtx *	de_ctx,
		DetectEngineThreadCtx *	det_ctx,
		Packet *	p
	)

Search tags for src and dst. Update entries of the tag, remove if necessary.

Parameters

de_ctx	Detect context
det_ctx	Detect thread context
p	packet

Definition at line 515 of file detect-engine-tag.c.

References Packet_::flow, SC_ATOMIC_GET, SCEnter, and SCReturn.

◆ TagHashAddTag()

int TagHashAddTag	(	DetectTagDataEntry *	tde,
		Packet *	p
	)

Add a tag entry for a host. If it already exist, update it.

Parameters

tag_ctx	Tag context for hosts
tde	Tag data
p	packet

Return values

0	if it was added, 1 if it was updated

Definition at line 172 of file detect-engine-tag.c.

References Packet_::dst, DetectTagDataEntry_::flags, HostGetHostFromHash(), HostGetStorageById(), SCEnter, SCLogDebug, Packet_::src, tag, TAG_ENTRY_FLAG_DIR_DST, and TAG_ENTRY_FLAG_DIR_SRC.

Here is the call graph for this function:

◆ TagHostHasTag()

int TagHostHasTag ( Host * host )

Definition at line 79 of file detect-engine-tag.c.

References HostGetStorageById().

Here is the call graph for this function:

◆ TagInitCtx()

void TagInitCtx ( void )

Definition at line 52 of file detect-engine-tag.c.

References SC_ATOMIC_INIT.

Referenced by RunUnittests().

Here is the caller graph for this function:

◆ TagTimeoutCheck()

int TagTimeoutCheck	(	Host *	host,
		SCTime_t	ts
	)

Removes the entries exceeding the max timeout value.

Parameters

tag_ctx	Tag context
ts	the current time

Return values

1	no tags or tags removed – host is free to go (from tag perspective)
0	still active tags

Definition at line 558 of file detect-engine-tag.c.

References HostGetStorageById().

Here is the call graph for this function:

Macros

Functions

Detailed Description

Macro Definition Documentation

◆ TAG_MAX_LAST_TIME_SEEN

◆ TAG_SIG_GEN

◆ TAG_SIG_ID

Function Documentation

◆ DetectEngineTagRegisterTests()

◆ TagDestroyCtx()

◆ TagFlowAdd()

◆ TagHandlePacket()

◆ TagHashAddTag()

◆ TagHostHasTag()

◆ TagInitCtx()

◆ TagTimeoutCheck()